在Win2000中提升权限的实例及心得
#define SZDEPENDENCIES _T("")

// Data handed to DialogProc through the LPARAM of DialogBoxParam.
typedef struct DLGPARAM{
    UINT numOfHit;   // number of pipe connections served so far (see ServiceStart)
    TCHAR *msg;      // text shown in the IDC_MSG edit control; points at a buffer owned by the caller
} DlgParam;

// internal function prototypes
static BOOL CALLBACK DialogProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);

// SimpleService.cpp : Defines the entry point for the application.
//
HINSTANCE hAppInstance;   // module handle used for MAKEINTRESOURCE(IDD_SVCMSG); set in the elided WinMain, presumably
DlgParam m_dlgParam;      // single global instance shared between ServiceStart and the dialog

// Bodies elided by the article ("......"); only their signatures are visible here.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { ...... }
void WINAPI service_main() { ...... }
VOID WINAPI service_ctrl(DWORD dwCtrlCode) { ...... }
BOOL WINAPI ControlHandler ( DWORD dwCtrlType ) { ...... }

HANDLE hServerStopEvent = NULL;   // signalled by ServiceStop; presumably created/waited on in the elided part of ServiceStart

// Service worker: creates one named-pipe instance, then loops serving one client at a time.
// For every client it echoes a fixed reply and pops a modal dialog showing the client's data.
VOID ServiceStart () {
    ......
    ......
    // NOTE(review): `sa` is built outside this excerpt. The pipe's DACL is the only thing that
    // decides which local accounts may connect and thereby trigger the dialog below — confirm it
    // is not left NULL/permissive.
    hPipe = CreateNamedPipe( lpszPipeName , // name of pipe
        FILE_FLAG_OVERLAPPED | PIPE_ACCESS_DUPLEX, // pipe open mode
        PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, // pipe IO type
        1, // number of instances
        0, // size of outbuf
        //(0 == allocate as necessary)
        0, // size of inbuf
        1000, // default time-out value
        &sa); // security attributes
    ......
    ......
    while ( 1 ) {
        ......
        ......
        ConnectNamedPipe(hPipe, &os);
        ......
        ......
        bRet = ReadFile( hPipe, // file to read from
            szIn, // address of input buffer
            sizeof(szIn), // number of bytes to read
            &cbRead, // number of bytes read
            &os); // overlapped stuff, not needed
        ......
        ......
        // NOTE(review): szIn is raw client data and cbRead is never used to terminate it; if the
        // client fills all sizeof(szIn) bytes there is no NUL for the %s below, and _stprintf is
        // unbounded (szOut1's size is declared in the elided part). Terminate szIn at cbRead and
        // use a bounded formatter (_sntprintf) so a pipe client cannot overrun szOut1.
        _stprintf(szOut, _T("Please check the Dialog Box"));
        _stprintf(szOut1, _T("Eacho Back! [%s]"), szIn);
        ......
        ......
        // sizeof(szOut), not the string length, is written: whatever follows the terminator in
        // szOut is sent to the client as well.
        bRet = WriteFile( hPipe, // file to write to
            szOut, // address of output buffer
            sizeof(szOut), // number of bytes to write
            &cbWritten, // number of bytes written
            &os); // overlapped stuff, not needed
        ......
        ......
        DisconnectNamedPipe(hPipe);
        m_dlgParam.numOfHit++;
        m_dlgParam.msg = szOut1;   // pointer to a buffer of this function; valid because the dialog below is modal
        /* Create a window on the logged-on user's desktop */
        // NOTE(review): this dialog is created by the service process itself. When the service
        // runs as LocalSystem with "interact with desktop", the window lives on the interactive
        // desktop with the service's privileges, and any process on that desktop can send it
        // window messages — the exposure this article describes. Mitigation: a privileged
        // service should never own a window; delegate UI to a separate per-user process.
        // DialogBoxParam is modal: the loop blocks here until the dialog is dismissed, so no
        // further pipe clients are served meanwhile. `result` is not examined afterwards.
        int result = DialogBoxParam(hAppInstance, MAKEINTRESOURCE(IDD_SVCMSG), NULL, (DLGPROC) DialogProc, (LPARAM) &m_dlgParam);
    }
cleanup:
    ......
    ......
}

// Requests shutdown of the worker loop by signalling hServerStopEvent (no-op if the event was never created).
VOID ServiceStop() { if ( hServerStopEvent ) SetEvent(hServerStopEvent); }

#define SIZEOFBUF 40   // capacity of DialogProc's tempBuf and the typing limit given to the IDC_MSG control

/* Window message handler for the IDD_SVCMSG dialog.
   On WM_INITDIALOG, lParam is the DlgParam* passed to DialogBoxParam; for other messages
   lParam is message-specific and l_pDlgParam is not dereferenced. Returns FALSE for every
   message so the default dialog handling runs. */
BOOL CALLBACK DialogProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {
    DlgParam* l_pDlgParam = (DlgParam*) lParam;
    // NOTE(review): CHAR while the rest of the file uses TCHAR — under a UNICODE build
    // WM_SETTEXT expects wide text; confirm this is an ANSI build.
    CHAR tempBuf[SIZEOFBUF];
    switch (uMsg) {
    case WM_INITDIALOG: {
        HWND hNumVisit = GetDlgItem(hwnd, IDC_NUMHIT);
        /* Limit the edit control's size to 3 */
        // EM_LIMITTEXT only caps what the user types; it does not truncate text placed with
        // WM_SETTEXT, and another process on the same desktop can raise the limit again with its
        // own message (the article describes exactly that), so it is not a size guarantee.
        SendMessage( hNumVisit, EM_LIMITTEXT, (WPARAM) 3, (LPARAM)0);
        _itoa(l_pDlgParam->numOfHit, tempBuf,10);   // a UINT in base 10 needs at most 11 bytes, well inside SIZEOFBUF
        SendMessage(hNumVisit, WM_SETTEXT, (WPARAM) 0,(LPARAM)tempBuf);
        HWND hMsg = GetDlgItem(hwnd, IDC_MSG);
        /* Limit the edit control's size to 40 */
        SendMessage( hMsg, EM_LIMITTEXT, (WPARAM) SIZEOFBUF, (LPARAM)0);
        // msg is the "Eacho Back! [...]" text ServiceStart built from raw pipe input.
        SendMessage( hMsg, WM_SETTEXT, (WPARAM) 0, (LPARAM) l_pDlgParam->msg );
        SetForegroundWindow(hwnd);
        return FALSE;   // FALSE: the dialog manager does not set the default keyboard focus
    }
    case WM_COMMAND: {
        switch (LOWORD(wParam)) {
        case IDC_OK: EndDialog(hwnd, IDC_OK); return FALSE;   // ends the modal dialog; DialogBoxParam returns IDC_OK
        default: return FALSE;
        }
    }
    }
    return FALSE;
}
<==============================================================>
下面是程序Client.c,非常简单,它的功能仅仅是向“\\.\pipe\simple”发送几个字节:
<==========================Client==============================>
// client.cpp : Defines the entry point for the console application.
//
// NOTE(review): the header names were stripped by the page extraction (angle-bracket text lost).
// The code below uses CallNamedPipeA/GetLastError (<windows.h>), printf (<stdio.h>),
// exit (<stdlib.h>) and strcpy (<string.h>).
#include
#include
#include
#include

// Connects once to the service's pipe, sends the whole 80-byte outbuf, prints the reply.
// Returns 0 on success; exits with 1 if the pipe call fails.
int main(int argc, char* argv[]) {
    char inbuf[80];
    // NOTE(review): outbuf is never cleared. strcpy writes "World" plus NUL (6 bytes), yet all
    // 80 bytes are sent, so 74 bytes of uninitialised stack go to the server.
    char outbuf[80];
    DWORD bytesRead;
    BOOL ret;
    LPSTR lpszPipeName = "\\\\.\\pipe\\simple";   // \\.\ addresses the local machine only
    LPSTR lpszString = "World";
    strcpy( outbuf, lpszString );   // 6 bytes into an 80-byte buffer: fits
    ret = CallNamedPipeA(lpszPipeName, outbuf, sizeof(outbuf), inbuf, sizeof(inbuf), &bytesRead, NMPWAIT_WAIT_FOREVER);
    if (!ret) {
        // GetLastError returns a DWORD; %d is the wrong specifier (use %lu).
        printf("client: CallNamedPipe failed for %d\n", GetLastError());
        exit(1);
    }
    // NOTE(review): bytesRead is not used to terminate inbuf; if the service filled all 80 bytes
    // without a NUL, %s reads past the buffer. Terminate at bytesRead before printing.
    printf("client: received: %s\n", inbuf);
    return 0;
}
<==============================================================>
FOON编写了一个攻击工具Shatter,大家可以参考他的文章来使用这个工具,而且他的网站上还有Shatter的源程序。这个程序专门攻击象SimpleService这样会创建Window的服务进程,它首先把Window中Edit Control的尺寸(Size)扩大,然后把可执行的黑客码沾贴到Edit中,这样就把黑客码拷贝到这个Window进程的内存中了----很Cool吧!接下来我们就要寻找黑客码在内存中的地址,FOON是用Windbg去寻找这个地址的,详情请参考他的文章。最后Shatter向Window进程发送一个定时执行Message----“WM_TIMER”,迫使Window进程执行刚才拷贝进去的黑客码。这个黑客码是根据jill的黑客码改编而成,它产生一个远程的cmd shell联结回到Client机器上,所以我们可以用鼎鼎有名的netcat程序与它联络。
上一篇: 自动安装Windows2000系统 下一篇: 怎么样让Win2000系统达到最佳性能 更多相关文章