From: Nelson Brito (nelsonSECUNET.COM.BR)
Date: Wed Feb 14 2001 - 03:49:15 CST

    Yeah, I know it's not a new BUG, but it still works.

    I've read the BID 933, and I saw that there isn't a way to exploit
    this, so...

    Step by Step:
    1 - find an admin's mount point (a.k.a. home directory);
    2 - place the autorun.inf and autorun2.exe there;
    3 - drop the admin's connection (use your preferred DoS tool);
    4 - try to connect as user nelson and password nelson;
    5 - BINGO, you are now a member of the "Administrators" group (Stand Alone
    Servers) or the "Domain Admins" group (PDC Servers).

    If you take a look at the code, it's possible to make it more useful by making
    some tests, like finding the PDC in the domain or some other decisions, easy and
    automatic.

    PS: It still works in some of the Penetration Tests I have made, so it's
    possibly useful for all of you, I hope.

    PPS: It's not just a "Privilege Escalation", it's possible to create a
    new account with "Administrator/Domain Admin" privilege, obscurity.

    That's all,

    --
    Nelson Brito
    "Windows NT can also be protected from nmap OS detection scans thanks
    to *Nelson Brito* ..."
                  Excerpt from the book "Hack Proofing your Network", page 93

    • Attachment: autorun2.cpp (C++ source)

    • Attachment: autorun.ini
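A defender-side check for the condition the post describes, added here as an example and not part of the original mail or its attachments: it walks the home directories on a share, finds any autorun.inf, and reports those whose [autorun] section would launch a command when the directory is mounted as a drive letter. It assumes the documented autorun.inf launch keys (open=, shellexecute=, shell\verb\command=); the sample autorun.inf content is constructed, and the autorun2.exe name is taken from the post.

```python
# Added defender check, not from the original post: report autorun.inf files in
# home directories whose [autorun] section would launch a command on mount.
import configparser
import os
import tempfile

# [autorun] keys that run a program automatically or from the context menu.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return [(key, command)] for every launch directive in an autorun.inf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # unparsable: nothing Explorer would act on
    found = []
    for section in cp.sections():
        if section.lower() != "autorun":  # section name is case-insensitive
            continue
        for key, value in cp.items(section):  # keys are lower-cased by configparser
            launches = key in LAUNCH_KEYS or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launches and value:
                found.append((key, value.strip()))
    return found

def scan_homes(root):
    """Check the top level of each home directory under root for autorun.inf."""
    hits = []
    for home in sorted(os.scandir(root), key=lambda e: e.name):
        if not home.is_dir():
            continue
        for entry in os.scandir(home.path):
            if entry.is_file() and entry.name.lower() == "autorun.inf":
                with open(entry.path, errors="replace") as fh:
                    cmds = parse_autorun(fh.read())
                if cmds:
                    hits.append((entry.path, cmds))
    return hits

def demo():
    """Scan a constructed share layout; returns [(home directory name, commands)]."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "admin"))
    # Constructed sample; the executable name follows the post's attachment.
    with open(os.path.join(root, "admin", "AUTORUN.INF"), "w") as fh:
        fh.write("[AutoRun]\r\nopen=autorun2.exe\r\nicon=autorun2.exe,0\r\n")
    return [(os.path.basename(os.path.dirname(p)), c) for p, c in scan_homes(root)]
```

Run scan_homes against the root of the home-directory share; a hit in a directory its owner did not create is the indicator to investigate.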