超越ADMINISTRATOR

cnangel

[这个帖子最后由俊儿在 2003/11/30 02:03pm 第 1 次编辑]

出处：http://lu0.126.com
NT的安全组件里有一个叫Local Security Authority Protected Subsystem.当我们以ADMINISTRATOR登陆时,系统根据缺省的授权,赋予ADMINISTRATOR16个授权.下面乃是详细的清单.

SeChangeNotifyPrivilege
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege

其中 SeChangeNotifyPrivilege是缺省打开的.其他则需要调整TOKEN来打开.拥有了这么多的权限后,ADMIN真可谓强大,没有任何其他用户拥有这么多的权限了.但是,仍然有几个更有威力的权限没有赋予ADMIN.那就是SeTcbPrivilege和SeCreateTokenPrivilege. SeTcbPrivilege表示当前用户的操作代表了系统的操作,SeCreateTokenPrivilege更可赤裸裸地为任意令牌创建权限.乃是无上的特权.如果任何人拥有了这两个权限,在NT世界的权利就太夸张了.所以,NT根本就不给任何用户以这两个权限.
出于对权利的渴望,通常病毒,HACKER都会想法获取最高权限.现在,由于NT的保护,直接地获取这2个权限是不行了.那么就需要饶个弯子了.
由于没有直接的API可以增加TOKEN的特权,我们只好通过LSA POLICY库调整用户权限.因为用户权限在LSA POLICY库里被提取出来.当LSA POLICY库里增加了一个特权,用户可以在下一个进程里打开该特权.HEHE... ADMIN组对LSA POLICY库有写权.DD ADMIN没有超级特权,LSA对用户的特权从POLICY库里提取... 真是个可爱的连环套啊.
下面是陆麟写的程序,打开ADMINISTRATOR的SeTcbPrivilege特权.尽管我在程序里面设置了ADMIN检查,但是通过少量的改写就可以时普通用户获取一些超级权限.里面的小技巧大家自己通常可以动出脑筋的.当然并不是通过删除ADMINISTRATOR检验就可以完成的.
当然,这里有编译好的版本供下载.

1. /*++
2. sec.cpp
4.   Written by Lu Lin. 2000.1.30
6.   A security program demo.
7.   Show Administrator's SID, and privileges.
8.   At last we add SE_TCB_NAME right to administrator.
9.   Of course, this right is almost useless to administrator,
10.   but you can port it for other users. :)
11.   You should logon as administrator for run this program
12.   though ADMIN group's authority is enough.
13.   Tip: We may get a authority beyound admin for a normal
14.   user through this demo by a small trick. Think about it
15.   yourself.:)
16. --*/
18. #define UNICODE
19. #include <windows.h>
20. #include <iostream.h>
21. #include <stdio.h>
22. #include <ntsecapi.h>
24. //
25. //Global vars
26. //
27. LSA_HANDLE PolicyHandle;
28. PSID Sid=0;
29. DWORD cbSid=0;
30. LPTSTR ReferencedDomainName=0;
31. DWORD cbReferencedDomainName=0;
32. SID_NAME_USE peUse;
33. PUNICODE_STRING UserRights=0; //UnicodeString Pointer to PRIVILEGE
34. ULONG Count=0; //
35. WCHAR textSid[200];
36. HANDLE token=0;
37. PTOKEN_PRIVILEGES TokenInformation=0;
38. BOOL owned=0;
40. //
41. //quit
42. //
43. void quit(int err){
44. if (Sid) delete Sid;
45. if (ReferencedDomainName) delete ReferencedDomainName;
46. if (UserRights) delete UserRights;
47. if (TokenInformation) delete TokenInformation;
48. if (token) CloseHandle(token);
49. if (PolicyHandle) LsaClose(PolicyHandle);
51. wprintf(L"\n\nWritten by Lu Lin. 2000.1.30\nLicence: Freeware.\n");
53. if (err){
54.   exit(0xc0000000);
55. }
56. else {
57.   exit(0);
58. }
59. }
61. void printprivilege(LUID_AND_ATTRIBUTES* luid){
62. WCHAR dispname[100];
63. ULONG cb=100;
65. if (!LookupPrivilegeName(
66.   0,
67.   &(luid->Luid),
68.   dispname,
69.   &cb)){
70.   wprintf(L"I can't translate SOME LUID to privilege!\n");
71.   exit(1);
72. }
74. wprintf(L"\tPrivilege: %s\n",dispname);
76. if (!_wcsicmp(dispname,L"SeTcbPrivilege")) owned=1;
78. switch (luid->Attributes){
79. case SE_PRIVILEGE_ENABLED_BY_DEFAULT:
80.   wprintf(L"\t\tThis privilege is enabled by default\n");
81.   break;
82. case SE_PRIVILEGE_ENABLED:
83.   wprintf(L"\t\tThis privilege is enabled.\n");
84.   break;
85. case SE_PRIVILEGE_USED_FOR_ACCESS:
86.   wprintf(L"\t\tThis privilege is used for access.\n");
87.   break;
88. case 3:
89.   wprintf(L"\t\tThis privilege is always on for you.\n");
90.   break;
91. case 0:
92.   wprintf(L"\t\tThis privilege you owned has not been enabled yet.\n");
93. }
94. }
96. void init(){
97. WCHAR username[30];
98. ULONG cb;
99. OSVERSIONINFO osv;
101. //if nt?
102. ZeroMemory(&osv,sizeof(osv));
103. osv.dwOSVersionInfoSize=sizeof(osv);
104. GetVersionEx(&osv);
105. if (!osv.dwPlatformId&VER_PLATFORM_WIN32_NT){
106.   wprintf(L"This program only runs on NT");
107.   quit(1);
108. }
110. //
111. //Check if this thread is executed inside administrator's context.
112. //
113. cb=30;
114. GetUserName(username,&cb);
115. if (_wcsicmp(username,L"administrator")){
116.   wprintf(L"Logon as administrator first!\n");
117.   quit(1);
118. }
120. wprintf(L"WINDOWS NT %i.%i Build %i %s\n\n",
121.   osv.dwMajorVersion,
122.   osv.dwMinorVersion,
123.   osv.dwBuildNumber,
124.   osv.szCSDVersion);
125. }
127. BOOL GetTextualSid(
128.     PSID pSid,            // binary Sid
129.     LPTSTR TextualSid,    // buffer for Textual representation of Sid
130.     DWORD dwBufferLen // required/provided TextualSid buffersize
131.     )
132. {
133.     PSID_IDENTIFIER_AUTHORITY psia;
134.     DWORD dwSubAuthorities;
135.     DWORD dwSidRev=SID_REVISION;
136.     DWORD dwCounter;
137.     DWORD dwSidSize;
139.     // Validate the binary SID.
141.     if(!IsValidSid(pSid)) return FALSE;
143.     // Get the identifier authority value from the SID.
145.     psia = GetSidIdentifierAuthority(pSid);
147.     // Get the number of subauthorities in the SID.
149.     dwSubAuthorities = *GetSidSubAuthorityCount(pSid);
151.     // Compute the buffer length.
152.     // S-SID_REVISION- + IdentifierAuthority- + subauthorities- + NULL
154.     dwSidSize=(15 + 12 + (12 * dwSubAuthorities) + 1) * sizeof(TCHAR);
156.     // Check input buffer length.
157.     // If too small, indicate the proper size and set last error.
159.     if (dwBufferLen < dwSidSize)
160.     {
161.         SetLastError(ERROR_INSUFFICIENT_BUFFER);
162.         return FALSE;
163.     }
165.     // Add 'S' prefix and revision number to the string.
167.     dwSidSize=wsprintf(TextualSid, TEXT("S-%lu-"), dwSidRev );
169.     // Add SID identifier authority to the string.
171.     if ( (psia->Value[0] != 0) || (psia->Value[1] != 0) )
172.     {
173.         dwSidSize+=wsprintf(TextualSid + lstrlen(TextualSid),
174.                     TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"),
175.                     (USHORT)psia->Value[0],
176.                     (USHORT)psia->Value[1],
177.                     (USHORT)psia->Value[2],
178.                     (USHORT)psia->Value[3],
179.                     (USHORT)psia->Value[4],
180.                     (USHORT)psia->Value[5]);
181.     }
182.     else
183.     {
184.         dwSidSize+=wsprintf(TextualSid + lstrlen(TextualSid),
185.                     TEXT("%lu"),
186.                     (ULONG)(psia->Value[5]      )   +
187.                     (ULONG)(psia->Value[4] <<  8)   +
188.                     (ULONG)(psia->Value[3] << 16)   +
189.                     (ULONG)(psia->Value[2] << 24)   );
190.     }
192.     // Add SID subauthorities to the string.
193.     //
194.     for (dwCounter=0 ; dwCounter < dwSubAuthorities ; dwCounter++)
195.     {
196.         dwSidSize+=wsprintf(TextualSid + dwSidSize, TEXT("-%lu"),
197.                     *GetSidSubAuthority(pSid, dwCounter) );
198.     }
200.     return TRUE;
201. }
203. void main(){
204. LSA_OBJECT_ATTRIBUTES ObjectAttributes;
205. ZeroMemory(&ObjectAttributes,sizeof(ObjectAttributes));
207. init();
208. //
209. //First open LSA policy database
210. //the call returns a NTSTATUS. NTSTATUS 0 means everything is OK.
211. //
212. if (LsaOpenPolicy(
213.                 0,
214.                 &ObjectAttributes,
215.                 GENERIC_EXECUTE|GENERIC_READ|GENERIC_WRITE,
216.                 &PolicyHandle
217.                 )){
218.   wprintf(L"Open Policy error!\n");
219. }
220. else {
221.   Sid=new char[500];
222.   ReferencedDomainName=new WCHAR[100];
223.   cbSid=500;
224.   cbReferencedDomainName=100;
226.   //
227.   //Show Administrator SID
228.   //
229.   if (!LookupAccountName(
230.    0,
231.    L"Administrator",
232.    Sid,
233.    &cbSid,
234.    ReferencedDomainName,
235.    &cbReferencedDomainName,
236.    &peUse
237.    )){
238.    wprintf(L"Damn, I can't find out the account looking for!\n");
239.    quit(1);
240.   }
241.   if (!GetTextualSid(Sid,textSid,200)){
242.    wprintf(L"Damn, Get textual SID error! Maybe a bug in this program.\n");
243.    quit(1);
244.   }
246.   wprintf(L"The SID of administrator is: %s \n",textSid);
247.   wprintf(L"\tOn the server: %s\n",ReferencedDomainName);
249.   //
250.   //Check current privilege
251.   //
252.   if (!OpenProcessToken(
253.    GetCurrentProcess(),
254.    TOKEN_QUERY,
255.    &token)){
256.    wprintf(L"Can't open process token! What's happened?\n");
257.    quit(1);
258.   }
260.   TokenInformation=(PTOKEN_PRIVILEGES)(new char[2000]);
262.   if (!GetTokenInformation(
263.    token,
264.    TokenPrivileges,
265.    (void*)TokenInformation,
266.    2000,
267.    &cbSid //Note, Returned lenght of token information.
268.    )){
269.    wprintf(L"Can't get token information\n");
270.    quit(1);
271.   }
272.   else{
273.    LUID_AND_ATTRIBUTES *luid;
274.    luid=(LUID_AND_ATTRIBUTES *)&TokenInformation->Privileges;
276.    wprintf(L"\nTotal privilege count: %i\n\n",TokenInformation->PrivilegeCount);
277.    for (Count=0;Count<TokenInformation->PrivilegeCount;
278.     Count++,luid++){
279.     printprivilege(luid);
280.    }
281.   }
283.   //
284.   //Add SeTchPrivilege to Administrator if not owned yet!
285.   //
286.   if (!owned){
287.    UserRights=new LSA_UNICODE_STRING;
288.    UserRights->Buffer=L"SeTcbPrivilege";
289.    UserRights->MaximumLength=28;
290.    UserRights->Length=28;
292.    if (LsaAddAccountRights(
293.     PolicyHandle,
294.     Sid,
295.     UserRights,
296.     1
297.     )){
298.     wprintf(L"Damn! Add right failed! :(\n");
299.     quit(1);
300.    }
301.    else wprintf(L"\nAdd SeTcbPrivilege successfully!\n");
303.    quit(0);
304.   }
305.   else {
306.    wprintf(L"\nYou own SeTcbPrivilege. I don't add it for you.\n");
307.   }
308. }
309. }

复制代码