Bugtraq mailing list archives

Re: AUTORUN Vul still work.


From: Nelson Brito <nelson () SECUNET COM BR>
Date: Thu, 15 Feb 2001 11:50:18 -0300

Just a few words of clarification:

Nelson Brito wrote:

[...]

I've read the BID 933, and I saw that there isn't a way to exploit
this, so...

Like I mentioned in my last post, the right BugTraq ID is 993; the 933
BID points you to a BIND bug (jezzzz):
http://www.securityfocus.com/bid/993

Step by Step:
1 - find an admin's mount point (a.k.a. home directory);

Forgive me once more. If you already have write access to the Admin's
Home Directory, you are an Admin, so all you can do is test the
potential vulnerability.

2 - place the autorun.inf and autorun2.exe there;

When I said "place" I just meant: if the "root directory" is
writable to you, put the files there. It means that it is possible to
exploit this using all of the shares, for example:
ADMIN$ -> %SystemRoot%
C$     -> %SystemDrive%

By default ordinary users have write access on those shares.

As for how you will do the initial penetration, think about a Penetration
Test (sorry, but that was my first goal when I sent the original post), and try
the following commands:
C:\> qtip -u <target> 1> users.txt
C:\> FOR /F "tokens=1,*" %i IN (users.txt) DO net use \\TARGET\SHARE$ %i /u:%i

3 - drop the admin's connection (use your preferred DoS tool);
4 - try to connect as user nelson and password nelson;
5 - BINGO, you are now a member of the "Administrators" group (Stand Alone
Servers) or the "Domain Admins" group (PDC Servers).

You could define this in the preprocessor (/d "_PDC_SRV").

If you take a look at the code, it's possible to make it more useful by adding
some tests, like finding the PDC in the domain or some other decisions, easily and
automatically.

PS: It still works in some of the Penetration Tests I have made, so it's
possibly useful for all of you, I hope.

I don't know why the correction for this problem is still not the
default setting in Windows NT's Registry when you install it.

Did anybody read the solution for this BUGFEATURE in some "Windows NT
Checklist"?

"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
(Ryan, thanks a lot for talking about it in your BOOK. ;) It's a great BOOK
to read.)

Regards,
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
              Excerpt from the book "Hack Proofing your Network", page 93

