talson ripp3rdoc

## MaxPayne3 - EOP.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                ripp3rdoc
                / MaxPayne3 - EOP.md
            
            
              Last active
              April 2, 2024 15:49
            
          
    Max Payne 3 is vulnerable to Insecure File Permissions. Allowing low-privilege user to overwrite the service binary to execute code as Administrator (NT Authority\SYSTEM).
Querying 'Rockstar Service'; we can see that the service path is as follows: "E:\XBox Games\MP3\RockstarService.exe"
C:\Program Files\Sysinternals>sc qc "Rockstar Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Rockstar Service

  
## Token-Stealing Shellcode.cpp
#include <Windows.h>

/*
Original payload:
https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/master/Exploit/Payloads.c
*/

#define KTHREAD_OFFSET     0x124  // nt!_KPCR.PcrbData.CurrentThread
#define EPROCESS_OFFSET    0x050  // nt!_KTHREAD.ApcState.Process
#define PID_OFFSET         0x0B4  // nt!_EPROCESS.UniqueProcessId

## simple-kernel-driver.cpp
#include <ntddk.h>

void ProcessPowerUnload(PDRIVER_OBJECT);

NTSTATUS ProcessPowerCreateClose(PDEVICE_OBJECT, PIRP);
NTSTATUS ProcessPowerDeviceControl(PDEVICE_OBJECT, PIRP);

extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    KdPrint(("ProcessPower: DriverEntry\n"));

## HEVD_StackOverflow1.cpp
#include <windows.h>
#include <winioctl.h>
#include <stdio.h>
#include <stdint.h>
#define _CRT_SECURE_NO_WARNINGS

#define DRIVER_PATH "\\\\.\\HackSysExtremeVulnerableDriver"
#define IOCTL_HEVD_STACK_OVERFLOW 0x222003

/* More exploits: https://github.com/mgeeky/HEVD_Kernel_Exploit */

## CVE-2019-18935.yaml
id: CVE-2019-18935
info:
  name: Deserialization Vulnerability in Telerik UI for ASP.NET AJAX.
  author: Talson
  severity: critical
  description: |
    Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution.
  remediation: |
    As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.
  reference:
	#include <Windows.h>

	/*
	Original payload:
	https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/master/Exploit/Payloads.c
	*/

	#define KTHREAD_OFFSET 0x124 // nt!_KPCR.PcrbData.CurrentThread
	#define EPROCESS_OFFSET 0x050 // nt!_KTHREAD.ApcState.Process
	#define PID_OFFSET 0x0B4 // nt!_EPROCESS.UniqueProcessId
	#include <ntddk.h>

	void ProcessPowerUnload(PDRIVER_OBJECT);

	NTSTATUS ProcessPowerCreateClose(PDEVICE_OBJECT, PIRP);
	NTSTATUS ProcessPowerDeviceControl(PDEVICE_OBJECT, PIRP);

	extern "C"
	NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
	KdPrint(("ProcessPower: DriverEntry\n"));
	#include <windows.h>
	#include <winioctl.h>
	#include <stdio.h>
	#include <stdint.h>
	#define _CRT_SECURE_NO_WARNINGS

	#define DRIVER_PATH "\\\\.\\HackSysExtremeVulnerableDriver"
	#define IOCTL_HEVD_STACK_OVERFLOW 0x222003

	/* More exploits: https://github.com/mgeeky/HEVD_Kernel_Exploit */
	id: CVE-2019-18935
	info:
	name: Deserialization Vulnerability in Telerik UI for ASP.NET AJAX.
	author: Talson
	severity: critical
	description: \|
	Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution.
	remediation: \|
	As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.
	reference: