From: Nelson Brito (nelsonSECUNET.COM.BR)
Date: Wed Feb 14 2001 - 03:49:15 CST
Yeah, I know it's not a new BUG, but it still works.
I've read the BID 933, and I saw that there isn't a way to exploit
Step by Step:
1 - find an admin's mount point (a.k.a. home directory);
2 - place the autorun.inf and autorun2.exe in there;
3 - drop the admin's connection (use your preferred DoS tool);
4 - try to connect as user nelson and password nelson;
5 - BINGO, you are now a member of the "Administrators" group (Stand Alone
"Domain Admins" group (PDC Servers).
If you take a look at the code, it's possible to make it more useful by making
some tests, like finding the PDC in the domain or some other decisions, easy and
PS: It still works in some of the Penetration Tests I have made, so it's
possibly useful for all of you, I hope.
PPS: It's not just a "Privilege Escalation", it's possible to create a
new account with "Administrator/Domain Admin" privilege, obscurity.
-- Nelson Brito "Windows NT can also be protected from nmap OS detection scans thanks to *Nelson Brito* ..." Excerpt from the book "Hack Proofing your Network", page 93
- application/x-unknown-content-type-CPP_auto_file attachment: autorun2.cpp
- application/x-unknown-content-type-inifile attachment: autorun.ini
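The post above relies on an autorun.inf sitting in a user's home directory. A defender's counterpart is a check that finds such files on exported home directories before they get a chance to run. The Python below is an added example written for this archive page; it is not part of the original post and not the author's attached autorun2.cpp or autorun.ini. It walks a directory tree, matches autorun.inf case-insensitively as Windows does, and reports the launch target named under [autorun]. The directory layout and the sample autorun.inf built by build_sample_tree() are constructed for illustration; the autorun2.exe name is the one used in the post.

```python
"""Scan a tree of home directories for stray autorun.inf files and report
the executable each one points at.

Added defensive example: not part of the original post and not the
author's attached autorun2.cpp / autorun.ini.  The directory layout and
the autorun.inf contents built by build_sample_tree() are constructed
for illustration; point find_autorun_files() at a real share root to use it.
"""
import configparser
import os
import tempfile


def parse_autorun(path):
    """Return the launch target named in an autorun.inf (its 'open' or
    'shellexecute' key under [autorun]), or None if the file names none."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read(path, encoding="latin-1")
    except configparser.Error:
        # Not parseable as INI: the file is still reported, target unknown.
        return None
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):
            if cp.has_option(section, key):
                return cp.get(section, key).strip()
    return None


def find_autorun_files(root):
    """Walk root and return a sorted list of (path, target) for every
    autorun.inf found, matched case-insensitively as Windows would."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "autorun.inf":
                full = os.path.join(dirpath, name)
                hits.append((full, parse_autorun(full)))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample: two clean home directories and one
    holding an AUTORUN.INF that points at autorun2.exe (the file name used
    in the original post).  Returns the root path."""
    root = tempfile.mkdtemp(prefix="homes_")
    for user in ("alice", "bob", "admin"):
        os.makedirs(os.path.join(root, user), exist_ok=True)
    with open(os.path.join(root, "admin", "AUTORUN.INF"), "w") as fh:
        fh.write("[autorun]\nopen=autorun2.exe\nicon=setup.ico\n")
    # A harmless text file must not be reported.
    with open(os.path.join(root, "alice", "notes.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return root


def report(root):
    """Print findings for an operator and return the number of hits."""
    hits = find_autorun_files(root)
    for path, target in hits:
        print(f"autorun.inf in {os.path.dirname(path)} -> launches {target!r}")
    if not hits:
        print(f"no autorun.inf under {root}")
    return len(hits)


if __name__ == "__main__":
    import sys
    # Scan the directory given on the command line, or the constructed sample.
    scan_root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    report(scan_root)
```

Run it against the root of the share that exports home directories (for example the path the NT server shares as users' home directories); any hit in a directory that is not a removable-media image deserves a look, since a home directory has no legitimate reason to carry an autorun.inf.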