Tuesday, August 28, 2012

ActFax Local Privilege Escalation Exploit

ActFax 4.31 Build 0225 has a local privilege escalation vulnerability in its user/group import function. ActFax installs as LOCALSYSTEM by default, so a bug in that import path hands over SYSTEM privileges.

My exploit creates the file that you import into ActFax. Once the file is imported you're presented with a command prompt running as SYSTEM. Everything was tested on Windows XP SP3.

The exploit is here:

Here is a demo of the exploit in action:

The vulnerable functionality is here:

From an exploit perspective, this one was a bit tricky. At first it seemed very straightforward: EIP was overwritten and ESP pointed into a huge buffer. However, there were only a few JMP ESP or CALL ESP instructions available in the system executable. The problem was that some of the bytes were being converted from lower case to upper case on the way in, and that broke every one of the valid JMP and CALL addresses.

There are other ways to reach your shellcode, such as PUSH ESP; RET and the like, but those weren't available either. So I consulted Corelan again and noticed a strategy I'd never tried before, the "Blind Return."

Basically I had to find a RET whose address didn't get mangled, and I did. That RET lands right back at the very front of the shellcode, so space isn't an issue.
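To make the case-conversion problem above concrete, here is a small Python model of it. This is an added illustration, not code from the post or from ActFax: it simulates a routine that upper-cases ASCII letters byte by byte and reports whether a 4-byte little-endian address survives unchanged. Every address below is a constructed sample value, not a real ActFax offset; the byte range and the little-endian encoding are assumptions about how such an importer and an x86 stack would behave.

```python
# Added example (not from the original post).  Models why a case-folding
# import routine corrupts some return addresses and leaves others intact.

LOWER = range(0x61, 0x7B)  # ASCII 'a'..'z'; upper-casing subtracts 0x20


def uppercase_mangle(data: bytes) -> bytes:
    """Simulate an importer that upper-cases every lowercase ASCII byte.

    Non-letter bytes pass through untouched, which is why only addresses
    containing a byte in 0x61..0x7A are affected.
    """
    return bytes(b - 0x20 if b in LOWER else b for b in data)


def encode_addr(addr: int) -> bytes:
    """Little-endian 4-byte encoding, as a 32-bit x86 stack would store it."""
    return addr.to_bytes(4, "little")


def survives(addr: int) -> bool:
    """True if the encoded address is unchanged by the mangling step."""
    raw = encode_addr(addr)
    return uppercase_mangle(raw) == raw


def mangled_address(addr: int) -> int:
    """The address the CPU would actually see after mangling."""
    return int.from_bytes(uppercase_mangle(encode_addr(addr)), "little")


def filter_candidates(addrs):
    """Keep only the candidate addresses that reach the stack intact."""
    return [a for a in addrs if survives(a)]


if __name__ == "__main__":
    # Constructed sample candidates (hypothetical values, not real offsets).
    candidates = [0x7C8617A3, 0x00612B4C, 0x7A112233, 0x10205F40]
    for a in candidates:
        print(f"{a:#010x} -> {mangled_address(a):#010x} survives={survives(a)}")
    print("usable:", [hex(a) for a in filter_candidates(candidates)])
```

The point of the model is the asymmetry the post ran into: an address is only as good as its raw bytes, and a single byte in the lowercase-letter range is enough to redirect execution somewhere else entirely. A RET-based approach sidesteps this only because the chosen RET address happens to contain no such byte.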