
Failed to compile: x86_64-w64-mingw32-g++ #3

Closed
enty8080 opened this issue Jan 30, 2022 · 1 comment

Comments

@enty8080

Hello, @KaLendsi

I faced an error while compiling your PoC exploit for Win32k Local Privilege Escalation.

  • OS: macOS Big Sur

  • CC: x86_64-w64-mingw32-g++

  • uname: Darwin Ivans-MacBook-Air.local 20.1.0 Darwin Kernel Version 20.1.0: Sat Oct 31 00:07:10 PDT 2020; root:xnu-7195.50.7~2/RELEASE_ARM64_T8101 arm64

  • Command: x86_64-w64-mingw32-g++ ExploitTest.cpp

  • Error log:

ExploitTest.cpp: In function 'BOOL FindHMValidateHandle()':
ExploitTest.cpp:84:32: error: cast from 'BYTE*' {aka 'unsigned char*'} to 'unsigned int' loses precision [-fpermissive]
   84 |         unsigned int offset = ((unsigned int)pIsMenu - (unsigned int)hUser32) + addr;
      |                                ^~~~~~~~~~~~~~~~~~~~~
ExploitTest.cpp:84:56: error: cast from 'HMODULE' {aka 'HINSTANCE__*'} to 'unsigned int' loses precision [-fpermissive]
   84 |         unsigned int offset = ((unsigned int)pIsMenu - (unsigned int)hUser32) + addr;
      |                                                        ^~~~~~~~~~~~~~~~~~~~~
ExploitTest.cpp: In function 'HWND__* GuessHwnd(QWORD*, DWORD)':
ExploitTest.cpp:131:35: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
  131 |                 hwndMagicWindow = (HWND)*(DWORD*)(qwBaseAddress - 0xc8);
      |                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ExploitTest.cpp: In function 'int main(int, _TCHAR**)':
ExploitTest.cpp:509:17: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
  509 |                 (LPCWSTR)g_lpWcxMagic,
      |                 ^~~~~~~~~~~~~~~~~~~~~
ExploitTest.cpp:663:24: warning: ISO C++ forbids converting a string constant to 'LPWSTR' {aka 'wchar_t*'} [-Wwrite-strings]
  663 |         si.lpDesktop = L"WinSta0\\Default";
      |                        ^~~~~~~~~~~~~~~~~~~
ExploitTest.cpp:666:29: error: cannot convert '_TCHAR*' {aka 'char*'} to 'LPCWSTR' {aka 'const wchar_t*'}
  666 |         lstrcpyW(cmd, argv[1]);
      |                       ~~~~~~^
      |                             |
      |                             _TCHAR* {aka char*}
In file included from /usr/local/Cellar/mingw-w64/9.0.0_2/toolchain-x86_64/x86_64-w64-mingw32/include/windows.h:70,
                 from ExploitTest.cpp:6:
/usr/local/Cellar/mingw-w64/9.0.0_2/toolchain-x86_64/x86_64-w64-mingw32/include/winbase.h:1446:64: note:   initializing argument 2 of 'WCHAR* lstrcpyW(LPWSTR, LPCWSTR)'
 1446 |   WINBASEAPI LPWSTR WINAPI lstrcpyW (LPWSTR lpString1, LPCWSTR lpString2);
      |                                                        ~~~~~~~~^~~~~~~~~
ExploitTest.cpp: In function 'DWORD64 g_newxxxClientFreeWindowClassExtraBytes(DWORD64*)':
ExploitTest.cpp:164:1: warning: control reaches end of non-void function [-Wreturn-type]
  164 | }
      | ^
@dgiancaspro

dgiancaspro commented Jan 30, 2022

Hello,
I was having the same issues until I ran the project in Microsoft Visual Studio 2022 Community Edition. After installing the Desktop C++ packages, I opened up the project file (ExploitTest.vcxproj). If you are asked to re-target the project, accept the defaults and click OK.

Once the project loads, make sure you are set for x64 in the debug drop-down. If you are set for x86, you will get a compile error for an unknown symbol r10.

Click Build --> Build Solution; there will be some warnings, but a successful build will be found in the \x64\Debug directory.

Note: if the system has the January updates, this exploit will hang and not complete. Once you remove those updates, it will run perfectly.

@enty8080 enty8080 closed this as completed Feb 2, 2022