利用服务创建SYSTEM权限的CMD
//使用sc安装...然后sc start ServiceName "whoami"
//就可以看到效果了...呵呵
//Code by dahubaobao
#define DEBUGMSG
#include
#include
#pragma comment (lib,"advapi32.lib")
// Evaluates GetLastError() at every use; it is expanded inside the
// sprintf() argument lists below, so the value read is whatever the
// last failing Win32 call left behind.
#define erron GetLastError()
// Debug output goes to OutputDebugString only (visible in a debugger /
// DebugView); nothing is written to the event log.
#define Debug(x) OutputDebugString(x)
// Shared scratch buffer for the debug messages.  It is filled with
// unbounded sprintf() calls: the longest fixed text below,
// "RegisterServiceCtrlHandler() GetLastError reports ", is already 50
// characters before the error number, newline and terminator are
// appended, so that path writes past the end of this array.
TCHAR MsgError[50]={0};
// Current status reported to the SCM; mutated by ServiceMain and by the
// control handler with no synchronisation between them.
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE ServiceStatusHandle;
// Service entry point: receives the arguments passed to StartService /
// "sc start" in lpArgv[1..dwArgc-1].
VOID WINAPI ServiceMain (DWORD dwArgc,TCHAR *lpArgv[]);
// SCM control handler (the definition below names the parameter
// ControlCode).
VOID WINAPI ServiceHandle (DWORD dwFlags);
// Spawns Command with CreateProcess on the interactive desktop; returns
// FALSE if the call fails.  Command must be a writable buffer.
BOOL ServiceTest (TCHAR *Command);
// Process entry point: hands the process over to the Service Control
// Manager.  StartServiceCtrlDispatcher blocks until the service has
// stopped and then returns; if the program is launched from a console
// instead of by the SCM the call fails, but the failure is not reported
// and the exit code is still 0.  argc/argv are unused.
int main (int argc,TCHAR *argv[])
{
    TCHAR ServiceName[]=TEXT("dahubaobao");
    SERVICE_TABLE_ENTRY Dispatch[]={
        {ServiceName,ServiceMain},
        {NULL,NULL}
    };
    (void)argc;
    (void)argv;
    (void)StartServiceCtrlDispatcher(Dispatch);
    return 0;
}
// Service entry point.  Registers the control handler, reports RUNNING
// to the SCM and then spawns "<system dir>\cmd.exe /k <lpArgv[1]>" with
// ServiceTest.  The spawned command line is built directly from the
// start argument with no validation: any principal granted
// SERVICE_START on this service can therefore run an arbitrary command
// under the service account.  Returns without reporting STOPPED, so the
// service stays RUNNING until the control handler is asked to stop.
VOID WINAPI ServiceMain (DWORD dwArgc,TCHAR *lpArgv[])
{
TCHAR SysDir[MAX_PATH]={0};
TCHAR Command[MAX_PATH]={0};
ServiceStatus.dwServiceType=SERVICE_WIN32;
ServiceStatus.dwCurrentState=SERVICE_START_PENDING;
ServiceStatus.dwControlsAccepted=SERVICE_ACCEPT_STOP;
ServiceStatus.dwServiceSpecificExitCode=0;
ServiceStatus.dwWin32ExitCode=0;
ServiceStatus.dwCheckPoint=0;
ServiceStatus.dwWaitHint=0;
if ((ServiceStatusHandle=RegisterServiceCtrlHandler(TEXT("dahubaobao"),ServiceHandle))==0)
{
#ifdef DEBUGMSG
// The fixed text here is 50 characters, so this sprintf() overruns the
// 50-element MsgError buffer.  The literal is also split across two
// source lines (presumably a "\n" lost in transcription), which does not
// compile as written.
sprintf(MsgError,TEXT("RegisterServiceCtrlHandler() GetLastError reports %d
"),erron);
Debug(MsgError);
#endif
return ;
}
ServiceStatus.dwCurrentState=SERVICE_RUNNING;
ServiceStatus.dwCheckPoint=0;
ServiceStatus.dwWaitHint=0;
if (SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
{
#ifdef DEBUGMSG
// Same split-literal issue as above.
sprintf(MsgError,TEXT("SetServiceStatus() GetLastError reports %d
"),erron);
Debug(MsgError);
#endif
return ;
}
GetSystemDirectory(SysDir,MAX_PATH-1);
// dwArgc is never checked: when the service is started with no
// argument, lpArgv[1] is read past the end of the argument vector.
// SysDir may be up to MAX_PATH-1 characters on its own, so SysDir +
// "\cmd.exe /k " + the argument can exceed the MAX_PATH-sized Command
// buffer -- sprintf() is not bounded.  "\c" is not a valid C escape;
// the original was presumably "\\cmd.exe".  The (char *) cast and "%s"
// only match if the file is built without UNICODE; the trailing "%c"
// with 0 adds an explicit terminator that sprintf() already supplies.
sprintf(Command,TEXT("%s\cmd.exe /k %s%c"),SysDir,(char *)lpArgv[1],0);
// Return value ignored: a CreateProcess failure is only visible via the
// debug output inside ServiceTest.
ServiceTest(Command);
return ;
}
// SCM control handler.  On SERVICE_CONTROL_STOP it marks the service
// STOPPED; every other control code leaves ServiceStatus untouched.  In
// both cases the current ServiceStatus is re-reported to the SCM.  Note
// that stopping the service does not touch the cmd.exe process that
// ServiceMain spawned -- nothing here references it, and ServiceTest
// never hands its PROCESS_INFORMATION back -- so that process keeps
// running after the service stops.
VOID WINAPI ServiceHandle (DWORD ControlCode)
{
switch (ControlCode)
{
case SERVICE_CONTROL_STOP:
ServiceStatus.dwCurrentState=SERVICE_STOPPED;
ServiceStatus.dwWin32ExitCode=0;
ServiceStatus.dwCheckPoint=0;
ServiceStatus.dwWaitHint=0;
break;
default:
// Any other control (interrogate, shutdown, ...) just re-reports the
// current state below.
break;
}
if (SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
{
#ifdef DEBUGMSG
// The literal is split across two source lines (presumably a lost
// "\n"); as written this does not compile.
sprintf(MsgError,TEXT("SetServiceStatus() GetLastError reports %d
"),erron);
Debug(MsgError);
#endif
return ;
}
return ;
}
// Launches Command as a new process on the interactive desktop.
//
// Command: writable command line handed to CreateProcess as
//          lpCommandLine (lpApplicationName is NULL, so the executable
//          is parsed out of the unquoted string -- CreateProcess's
//          documented path-with-spaces ambiguity applies).
// Returns: TRUE if CreateProcess succeeded, FALSE otherwise.
//
// No token, credentials or job object are supplied, so the child runs
// with the service's own security context.  The handles returned in pi
// are never closed (two handles leak per call) and pi is not returned
// to the caller, so nothing can later wait on or terminate the child.
BOOL ServiceTest (TCHAR *Command)
{
STARTUPINFO si={0};
PROCESS_INFORMATION pi;
si.cb=sizeof (STARTUPINFO);
// "\D" is not a valid C escape; the original was presumably
// "WinSta0\\Default".  Requesting the interactive desktop from a
// service only shows a window on systems that run services in the
// interactive session -- TODO confirm the intended target OS.
si.lpDesktop=TEXT("WinSta0\Default");
if (!(CreateProcess(NULL,Command,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi)))
{
#ifdef DEBUGMSG
// Literal split across two source lines (presumably a lost "\n"); as
// written this does not compile.
sprintf(MsgError,TEXT("CreateProcess() GetLastError reports %d
"),erron);
Debug(MsgError);
#endif
return FALSE;
}
return TRUE;
}