[讨论]windows内核学习 任务门提权进1环
发表于: 2024-10-27 19:16 1701


实验:任务门提权进1环

准备好段环境(用 WinDbg 手动写入下面的描述符)

eq 80b99060 00cfbb00`0000ffff //cs
eq 80b99068 00cfb300`0000ffff //ss
eq 80b99078 0040b300`00000fff //fs
 
eq 80b99048 0000e940`50381000 //任务段
eq 80b99500 0000e500`00480000 //任务门

代码如下

// 7.任务段.cpp : 定义控制台应用程序的入口点。
//
 
#include "stdafx.h"
#include <Windows.h>
 
// I/O access map block that trails the fixed TSS fields (reached through
// KTSS::IoMaps at KTSS+0x68). The trailing //0x.. comments are offsets
// within this struct.
// NOTE(review): the member names suggest DirectionMap/IoMap are the port
// direction and I/O permission bitmaps; nothing in this file reads them,
// so treat that as an assumption to verify against the target's KTSS.
struct _KiIoAccessMap
{
    UCHAR DirectionMap[32];                                                 //0x0
    UCHAR IoMap[8196];                                                      //0x20
};
 
// Memory image of a 32-bit x86 task-state segment (TSS). _tmain fills it in
// and prints its address, which the WinDbg preparation uses as the base of the
// TSS descriptor. The trailing //0x.. comments give each member's offset; the
// Reserved* members are alignment padding that keeps the 32-bit fields at
// those offsets under the default 4-byte packing of ULONG.
// NOTE(review): the member order here is the hardware TSS layout, not the
// Windows KTSS declaration. If CR3 is not picked up after the switch, these
// offsets are the first thing to check in the debugger (the post's own note
// says the same).
typedef struct _KTSS
{
    USHORT Backlink;                                                        //0x0   selector of the previous task, written by the CPU on a task switch
    USHORT Reserved0;                                                       //0x2
    ULONG Esp0;                                                             //0x4   ring-0 stack pointer and selector
    USHORT Ss0;                                                             //0x8
     
    USHORT Reserved01;                                                       //0xa
    ULONG Esp1;                                                             //0xc   ring-1 stack: _tmain points this at bufEsp1 + 0x1FF0, selector 0x69
    USHORT Ss1;                                                             //0x10
 
    USHORT Reserved02;                                                       //0x12
    ULONG Esp2;                                                             //0x14  ring-2 stack (not set by this lab)
    USHORT Ss2;                                                             //0x18
 
    USHORT Reserved03;                                                      //0x1a
 
    ULONG CR3;                                                              //0x1c  page-directory base loaded by the task switch; _tmain reads it from the user
    ULONG Eip;                                                              //0x20  where the task starts executing (_tmain sets it to test)
    ULONG EFlags;                                                           //0x24  initial EFLAGS of the task (_tmain uses 2: only the always-set bit 1)
    ULONG Eax;                                                              //0x28  general registers loaded with the task; left zero here
    ULONG Ecx;                                                              //0x2c
    ULONG Edx;                                                              //0x30
    ULONG Ebx;                                                              //0x34
    ULONG Esp;                                                              //0x38  stack the task starts on (bufEsp + 0x1FF0)
    ULONG Ebp;                                                              //0x3c
    ULONG Esi;                                                              //0x40
    ULONG Edi;                                                              //0x44
    USHORT Es;                                                              //0x48  segment selectors loaded with the task (see _tmain for the values)
    USHORT Reserved2;                                                       //0x4a
    USHORT Cs;                                                              //0x4c
    USHORT Reserved3;                                                       //0x4e
    USHORT Ss;                                                              //0x50
    USHORT Reserved4;                                                       //0x52
    USHORT Ds;                                                              //0x54
    USHORT Reserved5;                                                       //0x56
    USHORT Fs;                                                              //0x58
    USHORT Reserved6;                                                       //0x5a
    USHORT Gs;                                                              //0x5c
    USHORT Reserved7;                                                       //0x5e
    USHORT LDT;                                                             //0x60  LDT selector (zero here)
    USHORT Reserved8;                                                       //0x62
    USHORT Flags;                                                           //0x64  the hardware T (debug trap) bit lives in this word
    USHORT IoMapBase;                                                       //0x66  offset of the I/O permission bitmap; _tmain sets 0x20ac, the size of this struct
    struct _KiIoAccessMap IoMaps[1];                                        //0x68
    UCHAR IntDirectionMap[32];                                              //0x208c
}KTSS;
 
// The TSS image the lab switches to. Its address is printed by _tmain and is
// presumably the base of the TSS descriptor (selector 0x48) written in WinDbg.
KTSS tss={0};

// Backing store for the task's stacks: bufEsp1 for the ring-1 stack
// (tss.Esp1), bufEsp for the stack the task starts on (tss.Esp).
// Both are pointed at 0x10 bytes below their end.
char bufEsp1[0x2000]={0};
char bufEsp[0x2000]={0};
// Receives the CS value sampled inside test(); only the low 16 bits are
// written there, so _tmain zeroes it first.
DWORD dwCS;
// Entry point of the task: tss.Eip points here (set in _tmain), so the CPU
// arrives through the task switch rather than a C call. Naked: no prologue or
// epilogue, the registers and stack come from the TSS image.
void __declspec(naked) test()
{
    __asm
    {
        // The post's note warns not to use int 3 inside this function;
        // it is left here only as a disabled reminder.
        //int 3;

        // Record the CS the task is running with so _tmain can print it
        // after the switch back (writes the low 16 bits of dwCS only).
        mov ax, cs;
        mov word ptr [dwCS],ax;

        // Set EFLAGS.NT (bit 14, 0x4000) so that iretd performs a task switch
        // back to the previous task through Backlink instead of a plain
        // interrupt return.
        pushfd;
        pop eax;
        or eax,0x4000;
        push eax;
        popfd;
        iretd;
    }
}
 
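// Lab entry point: fills `tss` with the task image, prints the values the
// WinDbg preparation needs (TSS size and base), reads the process CR3 from
// the user, then raises the interrupt whose IDT slot holds the task gate so
// the CPU runs test() in the new task and comes back here.
// Returns 0 on success, 1 when no usable CR3 was entered; in that case the
// task switch is skipped instead of being run with CR3 == 0.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    // Read the current task register; diagnostic only, the value is unused.
    short trxx = 0;
    __asm
    {
        str trxx;
        //ltr trxx
    }

    // Fresh stacks for the task: Esp1 is the ring-1 stack, Esp the stack the
    // task starts on. Both point 0x10 bytes below the end of their buffer.
    memset(bufEsp1, 0, sizeof bufEsp1);
    memset(bufEsp, 0, sizeof bufEsp);
    dwCS = 0;                        // test() stores only the low 16 bits
    tss.Esp1 = (ULONG)bufEsp1 + 0x1FF0;
    tss.Esp = (ULONG)bufEsp + 0x1FF0;

    // Segment selectors with RPL 1 for the descriptors the WinDbg preparation
    // writes into the GDT (index 0xC -> cs 0x61, 0xD -> ss 0x69, 0xF -> fs 0x79).
    // ds/es keep the usual user data selector 0x23.
    tss.Ss1 = 0x69;
    tss.Ss = 0x69;
    tss.Cs = 0x61;
    tss.Ds = 0x23;
    tss.Es = 0x23;
    tss.Fs = 0x79;                   // the post notes leaving Fs unset may crash on some setups
    tss.EFlags = 2;                  // only the always-set reserved bit 1
    tss.Eip = (ULONG)test;           // the task starts executing in test()
    // 0x20ac equals the structure size per the offset comments in KTSS, i.e.
    // the I/O bitmap base lies beyond the structure.
    tss.IoMapBase = 0x20ac;

    // sizeof yields size_t and &tss is a pointer; use matching conversions
    // (passing both to %x is a format/argument mismatch).
    printf("siz = %x\r\n", (unsigned)sizeof(tss));
    printf("base = %p\r\n", (void *)&tss);   // base to put in the TSS descriptor

    printf("请输入的你的CR3:");
    DWORD dwCr3 = 0;
    // DWORD is unsigned long, so %lx is the matching conversion. A failed or
    // zero read must not reach the task switch: the CPU would load CR3 == 0 as
    // the page directory.
    if (scanf("%lx", &dwCr3) != 1 || dwCr3 == 0)
    {
        printf("invalid CR3 input, aborting before the task switch\r\n");
        return 1;
    }
    tss.CR3 = dwCr3;
    printf("dwCr3 = %lx\r\n", tss.CR3);
    system("pause");

    // Far pointer {offset 0, selector 0x48} for the alternative entry through a
    // far call to the TSS selector; kept for reference next to the disabled
    // call below.
    char bufcode[] = {0, 0, 0, 0, 0x48, 0};
    (void)bufcode;

    // int 32 (0x20) targets the IDT slot the WinDbg preparation presumably
    // filled with the task gate (the `eq ... //任务门` line); the CPU then
    // switches to the TSS at selector 0x48 and runs test().
    __asm
    {
        //call fword ptr    bufcode
        int 32;
    }
    printf("CS=%lx \r\n", dwCS);     // CS captured inside test()
    system("pause");
    return 0;
}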

注意:

  • 在源代码中 CR3 赋值不成功?答:检查你的 KTSS 结构体定义(各字段偏移是否与注释一致)

  • fs 段选择子不赋值可能蓝屏?答:有部分人会遇到这个问题,给 tss.Fs 赋值即可

如遇到上面两幅图展示的情况,请参考下面 win7 x86 任务门进 1 环的资料,核心在于跳转函数(test)内部的代码。这不影响提权成功。

  • 跳转函数(test)内部千万不要使用 int 3!!!

参考博客:

