Refectoring Driver & Exploit

Driver/Source/Common.h

@@ -67,10 +67,10 @@ Module Name:
     NTSTATUS    FreeUaFObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
     NTSTATUS    TypeConfusionIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
     NTSTATUS    StackOverflowIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
-    NTSTATUS    CreateUaFObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
     NTSTATUS    IntegerOverflowIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
     NTSTATUS    StackOverflowGSIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
-    NTSTATUS    CreateFakeObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
+    NTSTATUS    AllocateUaFObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
+    NTSTATUS    AllocateFakeObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
     NTSTATUS    ArbitraryOverwriteIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
     NTSTATUS    NullPointerDereferenceIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);
     NTSTATUS    UninitializedHeapVariableIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp);

Driver/Source/HackSysExtremeVulnerableDriver.c

@@ -241,10 +241,10 @@ NTSTATUS IrpDeviceIoCtlHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) {
                 Status = PoolOverflowIoctlHandler(Irp, IrpSp);
                 DbgPrint("****** HACKSYS_EVD_IOCTL_POOL_OVERFLOW ******\n");
                 break;
-            case HACKSYS_EVD_IOCTL_CREATE_UAF_OBJECT:
-                DbgPrint("****** HACKSYS_EVD_IOCTL_CREATE_UAF_OBJECT ******\n");
-                Status = CreateUaFObjectIoctlHandler(Irp, IrpSp);
-                DbgPrint("****** HACKSYS_EVD_IOCTL_CREATE_UAF_OBJECT ******\n");
+            case HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT:
+                DbgPrint("****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******\n");
+                Status = AllocateUaFObjectIoctlHandler(Irp, IrpSp);
+                DbgPrint("****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******\n");
                 break;
             case HACKSYS_EVD_IOCTL_USE_UAF_OBJECT:
                 DbgPrint("****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******\n");
@@ -256,10 +256,10 @@ NTSTATUS IrpDeviceIoCtlHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) {
                 Status = FreeUaFObjectIoctlHandler(Irp, IrpSp);
                 DbgPrint("****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******\n");
                 break;
-            case HACKSYS_EVD_IOCTL_CREATE_FAKE_OBJECT:
-                DbgPrint("****** HACKSYS_EVD_IOCTL_CREATE_FAKE_OBJECT ******\n");
-                Status = CreateFakeObjectIoctlHandler(Irp, IrpSp);
-                DbgPrint("****** HACKSYS_EVD_IOCTL_CREATE_FAKE_OBJECT ******\n");
+            case HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT:
+                DbgPrint("****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******\n");
+                Status = AllocateFakeObjectIoctlHandler(Irp, IrpSp);
+                DbgPrint("****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******\n");
                 break;
             case HACKSYS_EVD_IOCTL_TYPE_CONFUSION:
                 DbgPrint("****** HACKSYS_EVD_IOCTL_TYPE_CONFUSION ******\n");

Driver/Source/HackSysExtremeVulnerableDriver.h

@@ -58,10 +58,10 @@ Module Name:
     #define HACKSYS_EVD_IOCTL_STACK_OVERFLOW_GS               CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE             CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_POOL_OVERFLOW                   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_NEITHER, FILE_ANY_ACCESS)
-    #define HACKSYS_EVD_IOCTL_CREATE_UAF_OBJECT               CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_NEITHER, FILE_ANY_ACCESS)
+    #define HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT             CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_USE_UAF_OBJECT                  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x805, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT                 CTL_CODE(FILE_DEVICE_UNKNOWN, 0x806, METHOD_NEITHER, FILE_ANY_ACCESS)
-    #define HACKSYS_EVD_IOCTL_CREATE_FAKE_OBJECT              CTL_CODE(FILE_DEVICE_UNKNOWN, 0x807, METHOD_NEITHER, FILE_ANY_ACCESS)
+    #define HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT            CTL_CODE(FILE_DEVICE_UNKNOWN, 0x807, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_TYPE_CONFUSION                  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x808, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_INTEGER_OVERFLOW                CTL_CODE(FILE_DEVICE_UNKNOWN, 0x809, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE        CTL_CODE(FILE_DEVICE_UNKNOWN, 0x80A, METHOD_NEITHER, FILE_ANY_ACCESS)

Driver/Source/UninitializedHeapVariable.c

@@ -87,7 +87,7 @@ NTSTATUS TriggerUninitializedHeapVariable(IN PVOID UserBuffer) {
 
         // Allocate Pool chunk
         UninitializedHeapVariable = (PUNINITIALIZED_HEAP_VARIABLE)
-                                     ExAllocatePoolWithTag(NonPagedPool,
+                                     ExAllocatePoolWithTag(PagedPool,
                                                            sizeof(UNINITIALIZED_HEAP_VARIABLE),
                                                            (ULONG)POOL_TAG);
 
@@ -115,7 +115,14 @@ NTSTATUS TriggerUninitializedHeapVariable(IN PVOID UserBuffer) {
         if (UserValue == MagicValue) {
             UninitializedHeapVariable->Value = UserValue;
             UninitializedHeapVariable->Callback = &UninitializedHeapVariableObjectCallback;
+
+            // Fill the buffer with ASCII 'A'
+            RtlFillMemory((PVOID)UninitializedHeapVariable->Buffer, sizeof(UninitializedHeapVariable->Buffer), 0x41);
+
+            // Null terminate the char buffer
+            UninitializedHeapVariable->Buffer[(sizeof(UninitializedHeapVariable->Buffer) / sizeof(ULONG)) - 1] = '\0';
         }
+#ifdef SECURE
         else {
             DbgPrint("[+] Freeing UninitializedHeapVariable Object\n");
             DbgPrint("[+] Pool Tag: %s\n", STRINGIFY(POOL_TAG));
@@ -124,19 +131,18 @@ NTSTATUS TriggerUninitializedHeapVariable(IN PVOID UserBuffer) {
             // Free the allocated Pool chunk
             ExFreePoolWithTag((PVOID)UninitializedHeapVariable, (ULONG)POOL_TAG);
 
-#ifdef SECURE
             // Secure Note: This is secure because the developer is setting 'UninitializedHeapVariable'
             // to NULL and checks for NULL pointer before calling the callback
 
             // Set to NULL to avoid dangling pointer
             UninitializedHeapVariable = NULL;
+        }
 #else
             // Vulnerability Note: This is a vanilla Uninitialized Heap Variable vulnerability
-            // because the developer is not setting 'UninitializedHeapVariable' to NULL when
-            // 'MagicValue' does not match 'UserValue'
+            // because the developer is not setting 'Value' & 'Callback' to definite known value
+            // before calling the 'Callback'
             DbgPrint("[+] Triggering Uninitialized Heap Variable Vulnerability\n");
 #endif
-        }
 
         // Call the callback function
         if (UninitializedHeapVariable) {

Driver/Source/UseAfterFree.c

@@ -52,13 +52,13 @@ Module Name:
 #ifdef ALLOC_PRAGMA
     #pragma alloc_text(PAGE, UseUaFObject)
     #pragma alloc_text(PAGE, FreeUaFObject)
-    #pragma alloc_text(PAGE, CreateUaFObject)
-    #pragma alloc_text(PAGE, CreateFakeObject)
     #pragma alloc_text(PAGE, UaFObjectCallback)
+    #pragma alloc_text(PAGE, AllocateUaFObject)
+    #pragma alloc_text(PAGE, AllocateFakeObject)
     #pragma alloc_text(PAGE, UseUaFObjectIoctlHandler)
     #pragma alloc_text(PAGE, FreeUaFObjectIoctlHandler)
-    #pragma alloc_text(PAGE, CreateUaFObjectIoctlHandler)
-    #pragma alloc_text(PAGE, CreateFakeObjectIoctlHandler)
+    #pragma alloc_text(PAGE, AllocateUaFObjectIoctlHandler)
+    #pragma alloc_text(PAGE, AllocateFakeObjectIoctlHandler)
 #endif // ALLOC_PRAGMA
 
 #pragma auto_inline(off)
@@ -75,17 +75,17 @@ VOID UaFObjectCallback() {
 }
 
 /// <summary>
-/// Create and store the UaF object
+/// Allocate the UaF object
 /// </summary>
 /// <returns>NTSTATUS</returns>
-NTSTATUS CreateUaFObject() {
+NTSTATUS AllocateUaFObject() {
     NTSTATUS Status = STATUS_SUCCESS;
     PUSE_AFTER_FREE UseAfterFree = NULL;
 
     PAGED_CODE();
 
     __try {
-        DbgPrint("[+] Creating UaF Object\n");
+        DbgPrint("[+] Allocating UaF Object\n");
 
         // Allocate Pool chunk
         UseAfterFree = (PUSE_AFTER_FREE)ExAllocatePoolWithTag(NonPagedPool,
@@ -202,11 +202,11 @@ NTSTATUS FreeUaFObject() {
 }
 
 /// <summary>
-/// Create and store the Fake object
+/// Allocate the Fake object
 /// </summary>
 /// <param name="UserFakeObject">The pointer to FAKE_OBJECT structure</param>
 /// <returns>NTSTATUS</returns>
-NTSTATUS CreateFakeObject(IN PFAKE_OBJECT UserFakeObject) {
+NTSTATUS AllocateFakeObject(IN PFAKE_OBJECT UserFakeObject) {
     NTSTATUS Status = STATUS_SUCCESS;
     PFAKE_OBJECT KernelFakeObject = NULL;
 
@@ -254,19 +254,19 @@ NTSTATUS CreateFakeObject(IN PFAKE_OBJECT UserFakeObject) {
 }
 
 /// <summary>
-/// Create UaF Object Ioctl Handler
+/// Allocate UaF Object Ioctl Handler
 /// </summary>
 /// <param name="Irp">The pointer to IRP.</param>
 /// <param name="IrpSp">The pointer to IO_STACK_LOCATION structure</param>
 /// <returns>NTSTATUS</returns>
-NTSTATUS CreateUaFObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp) {
+NTSTATUS AllocateUaFObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp) {
     NTSTATUS Status = STATUS_UNSUCCESSFUL;
 
     UNREFERENCED_PARAMETER(Irp);
     UNREFERENCED_PARAMETER(IrpSp);
     PAGED_CODE();
 
-    Status = CreateUaFObject();
+    Status = AllocateUaFObject();
 
     return Status;
 }
@@ -308,12 +308,12 @@ NTSTATUS FreeUaFObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp) {
 }
 
 /// <summary>
-/// Create Fake Object Ioctl Handler
+/// Allocate Fake Object Ioctl Handler
 /// </summary>
 /// <param name="Irp">The pointer to IRP</param>
 /// <param name="IrpSp">The pointer to IO_STACK_LOCATION structure</param>
 /// <returns>NTSTATUS</returns>
-NTSTATUS CreateFakeObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp) {
+NTSTATUS AllocateFakeObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp) {
     PFAKE_OBJECT UserFakeObject = NULL;
     NTSTATUS Status = STATUS_UNSUCCESSFUL;
 
@@ -323,7 +323,7 @@ NTSTATUS CreateFakeObjectIoctlHandler(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp)
     UserFakeObject = (PFAKE_OBJECT)IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
 
     if (UserFakeObject) {
-        Status = CreateFakeObject(UserFakeObject);
+        Status = AllocateFakeObject(UserFakeObject);
     }
 
     return Status;

Driver/Source/UseAfterFree.h

@@ -65,8 +65,8 @@ Module Name:
 
     NTSTATUS    UseUaFObject();
     NTSTATUS    FreeUaFObject();
-    NTSTATUS    CreateUaFObject();
+    NTSTATUS    AllocateUaFObject();
     VOID        UaFObjectCallback();
-    NTSTATUS    CreateFakeObject(IN PFAKE_OBJECT UserFakeObject);
+    NTSTATUS    AllocateFakeObject(IN PFAKE_OBJECT UserFakeObject);
 
 #endif  //__USE_AFTER_FREE_H__

Exploit/Source/Common.h

@@ -93,10 +93,10 @@ Module Name:
     #define HACKSYS_EVD_IOCTL_STACK_OVERFLOW_GS               CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE             CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_POOL_OVERFLOW                   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_NEITHER, FILE_ANY_ACCESS)
-    #define HACKSYS_EVD_IOCTL_CREATE_UAF_OBJECT               CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_NEITHER, FILE_ANY_ACCESS)
+    #define HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT             CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_USE_UAF_OBJECT                  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x805, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT                 CTL_CODE(FILE_DEVICE_UNKNOWN, 0x806, METHOD_NEITHER, FILE_ANY_ACCESS)
-    #define HACKSYS_EVD_IOCTL_CREATE_FAKE_OBJECT              CTL_CODE(FILE_DEVICE_UNKNOWN, 0x807, METHOD_NEITHER, FILE_ANY_ACCESS)
+    #define HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT            CTL_CODE(FILE_DEVICE_UNKNOWN, 0x807, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_TYPE_CONFUSION                  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x808, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_INTEGER_OVERFLOW                CTL_CODE(FILE_DEVICE_UNKNOWN, 0x809, METHOD_NEITHER, FILE_ANY_ACCESS)
     #define HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE        CTL_CODE(FILE_DEVICE_UNKNOWN, 0x80A, METHOD_NEITHER, FILE_ANY_ACCESS)

Exploit/Source/UseAfterFree.c

@@ -199,7 +199,7 @@ DWORD WINAPI UseAfterFreeThread(LPVOID Parameter) {
         OutputDebugString("****************Kernel Mode****************\n");
 
         DeviceIoControl(hFile,
-                        HACKSYS_EVD_IOCTL_CREATE_UAF_OBJECT,
+                        HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT,
                         NULL,
                         0,
                         NULL,
@@ -224,14 +224,14 @@ DWORD WINAPI UseAfterFreeThread(LPVOID Parameter) {
 
         OutputDebugString("****************Kernel Mode****************\n");
 
-        // Create the FAKE_OBJECT multiple times to take up the freed memory chunk
+        // Allocate the FAKE_OBJECT multiple times to take up the freed memory chunk
         DEBUG_INFO("\t\t\t[+] Filling Freed Chunks\n");
 
         OutputDebugString("****************Kernel Mode****************\n");
 
         for (i = 0; i < 0x1000; i++) {
             DeviceIoControl(hFile,
-                            HACKSYS_EVD_IOCTL_CREATE_FAKE_OBJECT,
+                            HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT,
                             (LPVOID)FakeObject,
                             0,
                             NULL,