Input method vulnerability reproduced on Windows 8: exploiting QQ Pinyin pure edition for elevation of privilege

When I found this vulnerability, I was attending classes in the IDC. I wanted to use Remote Desktop (port 3389) to control my dormitory computer, but I had forgotten its IP address after reinstalling the system, so I scanned the IP segment for computers with port 3389 enabled. I did not expect to come across a Win8 system by chance, and that system also had the pure version of the QQ input method for Win8 installed.

At that time, I remembered this vulnerability from junior high school and tested it. I did not expect that seven or eight years later, the extremely secure Win8 system would have such a large vulnerability. Here we will repeat the process of elevation of privilege.

Process

First, confirm that the QQ Pinyin input method is installed.

Press CTRL + Space to call up the tray and find this option.

Launch IE.

The security of IE and Win8 is indeed improved a lot.

Enter D:\ file://D: in the address bar to open the folder.

I thought that I only needed to upload a bat batch file, write the commands for privilege escalation in it, and then download and run it with IE. I did not expect the various prompts, such as the system requiring your user password to be verified, and the file could not be downloaded at all. It can be seen that the conventional method really does not work.

Microsoft is still fixing these vulnerabilities. However, after many attempts, the author finally found that one hole has not been closed.

That is the "Save as" option in the File menu. Saving the web page as a file opens the folder dialog box.

At this point, I felt that I was close to victory. However, for more than half a lesson, I was unable to make a substantial breakthrough.

The folder dialog is limited to a few formats such as MNT and TXT.

I could even use Notepad and other programs to edit the privilege-escalation commands, but the key step was always restricted by Microsoft: the file could not be displayed or opened normally, whether it was saved as bat or opened with other programs.

Even when the file is saved as BAT, the generated file cannot be viewed, although the MNT, txt and other files that the dialog is currently limited to are visible.

After many attempts, even folder sharing did not take effect.

It can be seen that Win8 has greatly improved security.

At this point, I thought back to the days and nights of junior high school, and thought of a solution.

That's right. It is the shortcut vulnerability.

For net.exe, the key program for the privilege escalation, you can create a shortcut directly and run it with parameters assigned in the shortcut. Create a shortcut and change the target to the net file in the system directory, followed by a space and the parameters.

Create the user helper.

Add the user to the administrators group to obtain the highest permissions.

Well, now for the exciting moment.

OK. The login is successful. It took one class period.

Only the QQ Pinyin input method has been tested this time. If other input methods can call up IE directly, the same method can also be used to escalate privileges directly. I hope Microsoft can fix this vulnerability as soon as possible.
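The last two steps above (a new account that is then added to the administrators group) leave records in the Windows Security log, and the following detection sketch correlates them. It is an added example, not part of the original post: the sample records are constructed, and the five-minute window and the expectation that a process started from the logon screen acts as the SYSTEM account are assumptions.

```python
from datetime import datetime, timedelta

ADMIN_GROUP_SID = "S-1-5-32-544"  # built-in Administrators group
SYSTEM_SID = "S-1-5-18"           # LocalSystem
WINDOW = timedelta(minutes=5)     # assumed correlation window

# Constructed sample records; field names follow Security events
# 4720 (user account created) and 4732 (member added to a local group).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2014-01-01T10:01:07", "SubjectUserSid": SYSTEM_SID,
     "TargetUserName": "helper", "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"EventID": 4732, "Time": "2014-01-01T10:01:40", "SubjectUserSid": SYSTEM_SID,
     "MemberSid": "S-1-5-21-1111-2222-3333-1005", "TargetSid": ADMIN_GROUP_SID},
    # Benign contrast: an administrator creates an account and promotes it hours later.
    {"EventID": 4720, "Time": "2014-01-01T11:00:00",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-500",
     "TargetUserName": "alice", "TargetSid": "S-1-5-21-1111-2222-3333-1006"},
    {"EventID": 4732, "Time": "2014-01-01T15:00:00",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-500",
     "MemberSid": "S-1-5-21-1111-2222-3333-1006", "TargetSid": ADMIN_GROUP_SID},
]


def find_rapid_admin_creation(events, window=WINDOW):
    """Return accounts added to Administrators within `window` of being created."""
    created = {}  # account SID -> (creation time, 4720 record)
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        ts = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ts, ev)
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMIN_GROUP_SID:
            hit = created.get(ev["MemberSid"])
            if hit and ts - hit[0] <= window:
                subjects = (hit[1]["SubjectUserSid"], ev["SubjectUserSid"])
                alerts.append({
                    "account": hit[1]["TargetUserName"],
                    "seconds_after_creation": int((ts - hit[0]).total_seconds()),
                    # SYSTEM as subject: a SYSTEM-context process acted, not a logged-on user
                    "by_system": SYSTEM_SID in subjects,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_admin_creation(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample only the helper account is reported; the account promoted four hours after creation falls outside the window.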

Statement

When reprinting, please credit the source:

Author: maybreath

Blog: http://www.cnblogs.com/maybreath/

Email: liu85520@foxmail.com