
Commit 6306b4d

committed
update
1 parent bb95b34 commit 6306b4d


121 files changed

+38245
-0
lines changed



CVE-2005-1983/CVE-2005-1983.exe

11 KB
Binary file not shown.

CVE-2005-1983/PnP_Service.c

+436

CVE-2008-1084/CVE-2008-1084.exe

32 KB
Binary file not shown.
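--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,196 @@
+
+
+//////////////////////////////
+////
+//// Driver defines
+////
+//////////////////////////////
+
+#define KARTOFFEL_TYPE 50000
+
+#define IOCTL_KARTOFFEL_ALLOCATE_BUFFER \
+CTL_CODE( KARTOFFEL_TYPE, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS )
+
+#define IOCTL_KARTOFFEL_RETURN_BUFFER \
+CTL_CODE( KARTOFFEL_TYPE, 0x808, METHOD_OUT_DIRECT, FILE_ANY_ACCESS )
+
+#define IOCTL_KARTOFFEL_RETURN_DRIVER_OBJECT \
+CTL_CODE( KARTOFFEL_TYPE, 0x809, METHOD_OUT_DIRECT, FILE_ANY_ACCESS )
+
+#define IOCTL_KARTOFFEL_RETURN_OBJECT_BY_NAME \
+CTL_CODE( KARTOFFEL_TYPE, 0x830, METHOD_OUT_DIRECT, FILE_ANY_ACCESS )
+
+#define IOCTL_KARTOFFEL_RETURN_MEMORY_BLOCK \
+CTL_CODE( KARTOFFEL_TYPE, 0x80A, METHOD_OUT_DIRECT, FILE_ANY_ACCESS )
+
+#define IOCTL_KARTOFFEL_API_ALLOCATE_POOL \
+CTL_CODE( KARTOFFEL_TYPE, 0x80B, METHOD_OUT_DIRECT, FILE_ANY_ACCESS )
+
+#define IOCTL_KARTOFFEL_API_FREE_POOL \
+CTL_CODE( KARTOFFEL_TYPE, 0x80C, METHOD_OUT_DIRECT, FILE_ANY_ACCESS )
+
+#define IOCTL_KARTOFFEL_API_FREE_MEMORY \
+CTL_CODE( KARTOFFEL_TYPE, 0x80D, METHOD_OUT_DIRECT, FILE_ANY_ACCESS )
+
+#define IOCTL_KARTOFFEL_API_READ_POOL \
+CTL_CODE( KARTOFFEL_TYPE, 0x80E, METHOD_OUT_DIRECT, FILE_ANY_ACCESS )
+
+#define IOCTL_KARTOFFEL_API_WRITE_POOL \
+CTL_CODE( KARTOFFEL_TYPE, 0x80F, METHOD_OUT_DIRECT, FILE_ANY_ACCESS )
+
+#define IOCTL_KARTOFFEL_API_QUERY_POOL_SIZE \
+CTL_CODE( KARTOFFEL_TYPE, 0x810, METHOD_OUT_DIRECT, FILE_ANY_ACCESS )
+
+/////// LOADDRIVER MODULE
+
+
+#define DRIVER_NAME "Kartoffeldriver"
+#define FREE 0xF00;
+#define ALLOCATED 0xA00
+
+//////////////////////////////
+////
+//// Kartoffel structures
+////
+//////////////////////////////
+
+typedef struct _IOCTL_CODE
+{
+
+DWORD Device;
+DWORD Access;
+DWORD Function;
+DWORD Method;
+DWORD dwIoctl;
+
+}IOCTL_CODE;
+
+
+typedef struct _FUZZIOCTL
+{
+DWORD Max;
+DWORD Min;
+DWORD dwCurrent;
+} FUZZIOCTL;
+
+
+typedef struct _FUZZSIZE
+{
+DWORD Max;
+DWORD Min;
+DWORD dwCurrent;
+} FUZZSIZE;
+
+
+typedef struct _INOUT_PLUGIN
+{
+void *lpBuffAddr;
+void *lpDupAddr;
+DWORD dwSize;
+DWORD dwBytesReceived;
+DWORD id;
+FUZZSIZE dwFuzzSize;
+FUZZIOCTL fzIoctl;
+BOOL FlagInPlugin;
+BOOL FlagOutPlugin;
+BOOL Filed;
+char Device[MAX_PATH]; // exploit it :)
+char report[MAX_PATH];
+}INOUT_PLUGIN;
+
+typedef struct _EASY_SID {
+
+CHAR **lpAccounts;
+DWORD *AccessMask;
+} EASY_SID, *PEASY_SID;
+
+
+
+
+typedef struct _PLUGIN_BUFFER {
+DWORD *lpBuff;
+DWORD size;
+} PLUGIN_BUFFER;
+
+typedef struct _KARTO_DIRS {
+char LOGS_PATH[MAX_PATH];
+char PLUGINS_PATH[MAX_PATH];
+char KARTO_PATH[MAX_PATH];
+} KARTO_DIRS;
+
+#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
+
+
+typedef struct _DRIVER_OBJECT {
+WORD Type;
+WORD Size;
+PVOID DeviceObject;
+ULONG Flags;
+PVOID DriverStart;
+ULONG DriverSize;
+PVOID DriverSection;
+PVOID DriverExtension;
+UNICODE_STRING DriverName;
+PUNICODE_STRING HardwareDatabase;
+PVOID *FastIoDispatch;
+PVOID DriverInit;
+PVOID DriverStartIo;
+PVOID DriverUnload;
+PVOID MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
+} DRIVER_OBJECT,*PDRIVER_OBJECT;
+
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int InjectBuffer(PLUGIN_BUFFER *lpBuff,INOUT_PLUGIN *lpDestBuffer);
+int LogBuffer(PLUGIN_BUFFER *lpBuff,INOUT_PLUGIN *lpDestBuffer);
+void InitializePaths(KARTO_DIRS *lpKartoDirs);
+int ReadKernelMemory(PVOID pBuffer, PVOID pKaddr, ULONG size);
+PVOID kalloc(ULONG size, ULONG tID);
+int kfree( PVOID pAddr, ULONG tID);
+int kglobalfree( );
+int kread(PVOID pBuffer, PVOID pKaddr, ULONG size, BOOL FlagAllocate);
+int kwrite(PVOID pKaddr,PVOID pBuffer, ULONG size);
+int ksize( PVOID pKaddr );
+int EnumDrivers(WCHAR** lpDrivers);
+int EnumDevices(WCHAR** lpDevices);
+int EnumSymbolics(WCHAR** lpDevices);
+int GetEasySid(WCHAR *lpDevice,PEASY_SID lpEasySid);
+int GetDriverObjectByName(WCHAR *lcDevice, PDRIVER_OBJECT lpDriverObject);
+int UnloadDriver( char *lpSrvName );
+int LoadDriver( char *lpName, char *lpSrvName);
+int GetDriverInfoByName(char *lpDriver, char *lpPath, LPVOID lpDrvAddress);
+VOID DecodeCTL(IOCTL_CODE *lpStr, DWORD dwCtl );
+HANDLE OpenDevice(WCHAR *lcDevice,
+BOOL FlagSynchronous,
+BOOL FlagFsctl,
+BOOL FlagWriteFile,
+ACCESS_MASK dwAccess,
+DWORD dwShare);
+HANDLE OpenKDevice();
+int CloseKDevice(HANDLE hDevice);
+
+
+
+
+
+#ifdef __cplusplus
+} /* End Of Extern */
+#endif
+
+
+///////////////////////////////////////
+////
+//// Windows Internal structures
+////
+///////////////////////////////////////
+
+
+
+
+
+
+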
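Review bot: `#define FREE 0xF00;` at line 48 carries a trailing semicolon, so any use of FREE inside an expression (for example `if (state == FREE)`) expands to a syntax error and `state = FREE;` becomes two statements; the neighbouring `ALLOCATED` macro has no semicolon, so the fix is simply `#define FREE 0xF00`. No include guard is visible anywhere in the 196 added lines, so a second inclusion of this header in one translation unit redefines every typedef; wrap the whole file in `#ifndef KARTOFFEL_H` / `#define KARTOFFEL_H` … `#endif` (constructed guard name, pick one matching the file's actual name). In C, `int kglobalfree( );` and `HANDLE OpenKDevice();` declare functions with unspecified parameters rather than none, so write `int kglobalfree(void);` and `HANDLE OpenKDevice(void);` to let the compiler check call sites. The pool read/write control codes (`IOCTL_KARTOFFEL_API_READ_POOL`, `IOCTL_KARTOFFEL_API_WRITE_POOL`) are declared with `FILE_ANY_ACCESS`, which means the I/O manager will not demand read or write rights on the device handle; either document here that the driver is expected to restrict who can open the device, or use `FILE_READ_DATA` / `FILE_WRITE_DATA` as the required access so the trust boundary is explicit in the header.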
329 KB
Binary file not shown.
