Running CMD.EXE as Local System-vulnerability warning-the black bar safety net

ID MYHACK58:62200922112
Type myhack58
Reporter 佚名
Modified 2009-02-09T00:00:00


Author: zerosoul

Before the evil eight to see the admin Account you can use plan the task execution program to obtain SYSTEM privileges.

Then yesterday saw someone Blog on a tool, saying that anyone perform can be give SYSTEM permissions to the CMD. I think he said that may is the permission to know is not particularly large, or if the User execution also can get SYSTEM permissions of the cmd, then get to the WebShell is substantially equal to get to the server, huh.

But now, if you say so, I still download down to try, in case be met a What good stuff yet. The test results of course is only from the admin account give SYSTEM permissions to the CMD to mention the right to nothing.

But don't know this gadget is by what to get SYSTEM permissions, it should not use plan task, thrown into the IDA inside with a little, found is by creating a service. Open the Service Manager, and sure enough found the newly added service. As shown in Figure:

! 1.jpg Size: 142.37 K Size: 5 0 0 x 3 0 6 Browse: 0 times Click to open a new window to browse the full map

The principle is clear, but I'm still to Google search, found two related articles. An article called the use of the service create the SYSTEM permissions CMD for, maybe it and of this gadget.

In addition an article is a abroad a large cattle in the MSDN Blog, it is called the Running CMD.EXE as Local System action.

This person says a direct use of the sc command to create a service to run the SYSTEM permissions of the CMD method, test the following, it really is very easy to use. I write it as a simple Batch, the same can get SYSTEM permissions CMD:

sc Create SuperCMD binPath= "cmd /K start" type= own type= interact sc start SuperCMD

The effect is as follows figure:

! 2.jpg Size: 44.82 K Size: 5 0 0 x 4 3 5 Browse: 0 times Click to open a new window to browse the full map

Note that the start of the service, the prompt fails to start, but CMD still POPs up.