Penetration Testing mailing list archives

[PEN-TEST] AUTORUN Vulnerability - Round 2


From: Nelson Brito <nelson () SECUNET COM BR>
Date: Thu, 15 Feb 2001 17:35:19 -0300

Well, like Ben told me, people are confused.

OK, I'll try to make myself more clear.

1 - When I said ordinary users have *WRITE ACCESS* on C$ (C:\ ==
%SystemDrive%) and ADMIN$ (C:\WINNT == %SystemRoot%) by default, I meant
ordinary (malicious) users have write access on their own C$ and ADMIN$,
by default.

The ordinary (maybe malicious) users can place both files (once again,
AUTORUN2.EXE and AUTORUN.INF, INF instead of INI) in those "ROOT
DIRECTORIES" (SHARED).

When the Domain Admin mounts the user's share, he'll execute the
"arbitrary code".

2 - Like I said: "If you already have write access at the Admin's
Home Directory, you are an Admin, so the only thing you could do is:
test the potential vulnerability."

It was a BIG mistake to use HOME DIRECTORY as an example, excuse me,
again.

3 - If you find a *WRITABLE SHARE* like \\MACHINE\Users or
\\MACHINE\Application or \\MACHINE\Backup on the network, you can run
the following commands I already posted:
C:\> qtip -u <target> 1> users.txt
C:\> FOR /F "tokens=1,*" %i IN (users.txt) DO net use \\TARGET\SHARE$ %i /u:%i

So you can put the files there and wait for the Admin to mount those
SHARES to do "things".

4 - There are a lot of scenarios that we could explain and exploit, but
it's not my main goal, so you can get your own ideas. ;)

5 - I never saw this problem listed in "Windows NT's Checklists", did
you?

PS: Thanks to Ben for letting me explain my own ideas.

PPS: If someone is still confused about this vulnerability, please read
Eric Stevens' original post at:
http://www.securityfocus.com/archive/1/47338

PPPS: The point was misunderstood: the code. I can do a lot of "things"
to test, to penetrate, to escalate privileges, to send messages to you
when the code was executed, etc... Focus...

Ohhh... don't forget, change the "autorun.ini" to "autorun.inf".

Thanks in advance.

Sem mais (in English "No more" :)))
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
              Excerpt from the book "Hack Proofing your Network", page 93

