Bugtraq mailing list archives
Re: AUTORUN Vul still work.
From: Nelson Brito <nelson () SECUNET COM BR>
Date: Thu, 15 Feb 2001 11:50:18 -0300
Just a few words of clarification:

Nelson Brito wrote: [...]

    I've read the BID 933, and I saw that there isn't a way to exploit this, so...

Like I mentioned in my last post, the right BugTraq ID is 993; the 933 BID points you to a BIND bug (jezzzz): http://www.securityfocus.com/bid/993
    Step by step: 1 - find an admin's mount point (a.k.a. home directory);

Forgive me once more. If you already have write access to the Admin's home directory, you are an Admin, so all you could do is test the potential vulnerability.

    2 - place the autorun.inf and autorun2.exe there;
When I said "place" I just wanted to say: if the "root directory" is writable to you, put the files there. That means it is possible to exploit this using all of the shares, for example:

    ADMIN$ -> %SystemRoot%
    C$     -> %SystemDrive%

By default ordinary users have write access on those shares. As for how you would do the initial penetration, think about a Penetration Test (sorry, but that was my first goal when I sent the original post); try the following commands:

    C:\> qtip -u <target> 1> users.txt
    C:\> FOR /F "tokens=1,*" %i IN (users.txt) DO net use \\TARGET\SHARE$ %i /u:%i

    3 - drop the admin's connection (use your preferred DoS tool);
    4 - try to connect as user nelson and password nelson;
    5 - BINGO, you are now a member of the "Administrators" group (Stand Alone Servers) or the "Domain Admins" group (PDC Servers).

You could define this in the preprocessor (/d "_PDC_SRV").

If you take a look at the code, it's possible to make it more useful by adding some tests, like finding the PDC in the domain or some other decisions, easy and automatic.

PS: It still works in some of the Penetration Tests I have made, so it's possibly useful for all of you, I hope.

I don't know why the correction for this problem still remains a default setting in Windows NT's Registry when you install it. Did anybody read the solution for this BUGFEATURE in some "Windows NT Checklist"?
"Windows NT can also be protected from nmap OS detection scans thanks to *Nelson Brito* ..."
(Ryan, thanks a lot for talking about it in your BOOK. ;) It's a great BOOK to read.)

Nothing more,
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks to *Nelson Brito* ..."
Excerpt from the book "Hack Proofing your Network", page 93
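A defender-side check for the precondition the post relies on, added here as an example and not part of Nelson's post: it audits the directories behind the ADMIN$ (%SystemRoot%) and C$ (%SystemDrive%) shares for write rights granted to broad non-admin principals, and reports any autorun.inf sitting in those roots. The list of "broad" principals is an assumption; adjust it to your environment.

```powershell
# Added example (not from the original post). Run locally as an administrator;
# returns one object per finding so the output can be piped, filtered or logged.
function Test-ShareRootExposure {
    param(
        # Share name -> directory it exposes (the two shares named in the post)
        [hashtable]$Roots = @{ 'ADMIN$' = $env:SystemRoot; 'C$' = "$env:SystemDrive\" },
        # Assumed list of principals that should never hold write rights on these roots
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                       'NT AUTHORITY\Authenticated Users',
                                       'NT AUTHORITY\INTERACTIVE')
    )
    # Specific write bits plus the GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000)
    # bits that an ACE may carry instead of the specific rights
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000
    $findings = @()
    foreach ($share in $Roots.Keys) {
        $path = $Roots[$share]
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            $grantsWrite = (([int]$ace.FileSystemRights -band $writeMask) -ne 0)
            if (($BroadPrincipals -contains $who) -and $grantsWrite) {
                $findings += [pscustomobject]@{
                    Share = $share; Path = $path
                    Issue = 'WritableByBroadPrincipal'
                    Detail = "$who : $($ace.FileSystemRights)"
                }
            }
        }
        # An autorun.inf in a share root is exactly the artifact the post plants
        $inf = Join-Path $path 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $item = Get-Item -LiteralPath $inf
            $findings += [pscustomobject]@{
                Share = $share; Path = $path
                Issue = 'AutorunInfPresent'
                Detail = "last written $($item.LastWriteTime)"
            }
        }
    }
    return $findings
}

Test-ShareRootExposure | Format-Table -AutoSize
```

An empty result means neither condition was found on the two roots checked; ACEs that apply only to subfolders are still reported, so review the Detail column before acting.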