/*
SCT.cpp
Elias Augusto 3/26/2019
A simple SH3 shellcode tester created for the HP Jornada 680/690 running Windows CE 2.11
Part of an ongoing series on exploit development, find out more on my Medium:
https://medium.com/@eaugusto/windows-ce-superh3-exploit-development-part-4-buffer-overflows-take-two-heap-spritzing-and-674298766a3b
Functionality:
Currently all it does is execute the nop sled and exit with an illegal operation error
It puts a few nop sleds on the heap, but they're nonfunctional as of now
Eventually will test a custom made omlette egghunter
In the meantime, feel free to use this if you're interested
Compiler notes:
This program must be compiled with Embedded Visual C++ from Embedded Visual Tools 3.0
Stdafx.h is the standard library for CE, and as such it comes with the tool suite
*/
#include "stdafx.h"
// Payload the author labels "stack based" (it is a global array here; WinMain
// calls it directly through a function pointer). Fifty repetitions of the
// two-byte pattern 13 61 that the file uses as its SH3 NOP, written as a
// string literal so the array also carries a trailing '\0':
// sizeof mainsc == 101, of which 100 bytes are the sled.
unsigned char mainsc[] =
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61";
// First of the three chunks that sconheap() copies onto the heap for the
// planned egghunter test (the file header says these are nonfunctional as of
// now). Same 50 x "13 61" pattern as mainsc, with the literal's trailing '\0'
// included: sizeof scptone == 101.
unsigned char scptone[] =
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61";
// Second heap chunk for the egghunter test; identical contents and size to
// scptone (100 bytes of "13 61" plus the literal's '\0', sizeof == 101).
unsigned char scpttwo[] =
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61";
// Third heap chunk for the egghunter test; identical contents and size to
// scptone (100 bytes of "13 61" plus the literal's '\0', sizeof == 101).
unsigned char scptthree[] =
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61"
    "\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61\x13\x61";
// Heap destinations for the three egghunter chunks, each sized from its source
// array (one byte per element, so sizeof alone is the byte count, '\0' included).
// These run as static initializers, so a failed malloc cannot be reported here;
// the pointers are first dereferenced in sconheap(). The cast is kept because
// this is compiled as C++ (Embedded Visual C++, per the file header).
unsigned char *scone   = (unsigned char *) malloc(sizeof scptone);
unsigned char *sctwo   = (unsigned char *) malloc(sizeof scpttwo);
unsigned char *scthree = (unsigned char *) malloc(sizeof scptthree);
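/*
 * Copies the three egghunter chunk arrays (scptone, scpttwo, scptthree) into
 * their heap destinations (scone, sctwo, scthree).
 *
 * Returns 0 on success, or -1 if any of the three global allocations is NULL,
 * in which case nothing is copied so no write goes through a null pointer.
 */
int sconheap(){
	// The destinations are allocated by static initializers that cannot
	// report failure, so the NULL check has to live here, before memcpy.
	if (scone == NULL || sctwo == NULL || scthree == NULL) {
		return (-1);
	}
	// Element size is 1, so sizeof is the full byte count ('\0' included).
	memcpy(scone, scptone, sizeof scptone);
	memcpy(sctwo, scpttwo, sizeof scpttwo);
	memcpy(scthree, scptthree, sizeof scptthree);
	return (0);
}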
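/*
 * Program entry point. Stages the heap chunks via sconheap(), then transfers
 * control to the bytes in mainsc by calling the array through a function
 * pointer. On the author's target (Windows CE 2.11 on SH3) the file header
 * says this runs the sled and ends with an illegal-operation error; on any
 * platform that enforces non-executable data the call itself faults.
 *
 * The Win32 parameters are unused. Returns 0 on the normal path, or 1 when
 * sconheap() reports that the heap chunks could not be staged (the sled is
 * then not run). The three heap chunks are released on both paths; free()
 * on a NULL pointer is a no-op, so a failed allocation is safe here.
 */
int WINAPI WinMain( HINSTANCE hInstance,
                    HINSTANCE hPrevInstance,
                    LPTSTR lpCmdLine,
                    int nCmdShow)
{
	int rc = 0;
	if (sconheap() == 0) {
		// Reinterpret the data array as code. mainsc and &mainsc hold
		// the same address; the decayed form avoids the array-pointer cast.
		int (*func)() = (int (*)()) mainsc;
		func(); //execute functional nop sled
	} else {
		// Do not run with unstaged heap chunks; report failure instead.
		rc = 1;
	}
	free(scone);
	free(sctwo);
	free(scthree);
	return rc;
}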