Vulnerability Development mailing list archives
AUTORUN Vul still work.
From: Nelson Brito <nelson () SECUNET COM BR>
Date: Wed, 14 Feb 2001 06:49:15 -0300
Yeah, I know it's not a new BUG, but it still works. I've read BID 933, and I saw that there isn't a way to exploit this, so... Step by step:

1 - find an admin's mount point (a.k.a. home directory);
2 - place the autorun.inf and autorun2.exe there;
3 - drop the admin's connection (use your preferred DoS tool);
4 - try to connect as user nelson and password nelson;
5 - BINGO, you are now a member of the "Administrators" group (Stand Alone Servers) or the "Domain Admins" group (PDC Servers).

If you take a look at the code, it's possible to make it more useful by adding some tests, like finding the PDC in the domain or some other decisions, easy and automatic.

PS: It still works in some of the Penetration Tests I have made, so it's possibly useful for all of you, I hope.

PPS: It's not just a "Privilege Escalation", it's possible to create a new account with "Administrator/Domain Admin" privilege, obscurity.

Nothing further,
-- Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks to *Nelson Brito* ..."
Excerpt from the book "Hack Proofing your Network", page 93
Attachment: autorun2.cpp
Attachment: autorun.ini
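Detection-side counterpart to the procedure above, added here as an example and not part of the original post or its attachments: a scanner that walks a root of per-user home directories, parses any autorun.inf it finds and reports which file the launch keys (open=, shellexecute=) point to and whether that file is actually sitting next to it. The directory layout, the file contents and the use of the name autorun2.exe as the planted payload are constructed assumptions for the sample tree.

```python
import tempfile
from pathlib import Path

# Sample autorun.inf content, constructed for this example (not the
# autorun.ini attached to the original post).
SAMPLE_AUTORUN_INF = "[autorun]\r\nopen=autorun2.exe\r\nicon=autorun2.exe,0\r\n"

# INI keys under [autorun] that cause something to be launched.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.
    Tolerates comments (';'), blank lines, CRLF and mixed-case keys."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys

def scan_home_dirs(root):
    """Look one level below `root` (one directory per user) for autorun.inf.
    Returns a list of (home_name, key, target, target_exists) tuples."""
    findings = []
    for home in sorted(Path(root).iterdir()):
        if not home.is_dir():
            continue
        inf = next((p for p in home.iterdir() if p.name.lower() == "autorun.inf"), None)
        if inf is None:
            continue
        keys = parse_autorun(inf.read_text(errors="replace"))
        for k in LAUNCH_KEYS:
            if k in keys:
                target = keys[k].split()[0].strip('"')  # drop any arguments
                findings.append((home.name, k, target, (home / target).exists()))
    return findings

def build_sample_tree():
    """Construct a throwaway tree: 'admin' holds a planted autorun.inf plus its
    payload, 'bob' holds nothing suspicious."""
    root = Path(tempfile.mkdtemp(prefix="homes_"))
    (root / "admin").mkdir()
    (root / "admin" / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
    (root / "admin" / "autorun2.exe").write_bytes(b"MZ")  # placeholder, not a real binary
    (root / "bob").mkdir()
    (root / "bob" / "notes.txt").write_text("nothing here\n")
    return root

if __name__ == "__main__":
    for home, key, target, present in scan_home_dirs(build_sample_tree()):
        print(f"{home}: autorun.inf {key}={target} (payload present: {present})")
```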