Published at Black Hat USA 2010
Archive: http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html
Source: https://media.blackhat.com/bh-us-10/source/Cerrudo/Source.zip
Whitepaper: https://media.blackhat.com/bh-us-10/whitepapers/Cerrudo/BlackHat-USA-2010-Cerrudo-Toke-Kidnapping's-Revenge-wp.pdf
Slides: https://media.blackhat.com/bh-us-10/presentations/Cerrudo/BlackHat-USA-2010-Cerrudo-Toke-Kidnapping's-Revenge-slides.pdf
exploits:
Chimichurri:
exploits MS10-059 (the Tracing Feature for Services bug) on Windows Vista, Windows 7 and Windows 2008.
Must be run by a user with impersonation and assign primary token privileges (SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege); it can be used on IIS 7 & 7.5, SQL Server or other Windows services.
Churraskito:
exploits MS09-012 (Windows service isolation / WMI provider host) on Windows XP and Windows 2003, all versions.
The IIS application pool identity must be Network Service (the default) for this exploit to work.
They exploit IIS and SQL Server for sure and could work with small modifications on other services too!
Tool:
Churraskito exploit tool:
Windows Management Instrumentation (WMI) providers do not correctly isolate processes running under the NetworkService or LocalService accounts: two independent processes running under the same account have full access to each other's file handles, registry keys and other resources. In some cases the WMI provider host process (wmiprvse.exe) holds a SYSTEM token, so an attacker who can run code as NetworkService or LocalService can search the WMI provider host processes for a SYSTEM token. Once a SYSTEM token is found, it can be duplicated and used to elevate to SYSTEM. Key process: w3wp (the IIS worker process, which runs as NetworkService by default).
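Before running any of these tools it is worth confirming that the service context you have actually matches the preconditions above: the account, the two token privileges, a wmiprvse.exe/w3wp.exe neighbourhood under the same account, and the patch state. The PowerShell check below is added here as an example; it is not part of Cerrudo's Source.zip, pr or Churrasco, and it does not touch any token, it only reports. It assumes whoami.exe, WMI and (for the IIS 7 part) appcmd.exe are present; the KB numbers are the ones published with the MS09-012 and MS10-059 bulletins and should be confirmed against the build you are on.

```powershell
# Added precondition check for Token Kidnapping (not from Cerrudo's source or pr).
# Run it from the service context you are assessing, e.g. a command executed
# under the IIS application pool identity. It reports only; no token is duplicated.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as: $($identity.Name)"

# 1. Privileges. Chimichurri needs both; NetworkService holds both by default,
#    which is why the application pool identity matters for Churraskito/pr.
$privOutput = whoami /priv
foreach ($p in 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege') {
    $line = $privOutput | Where-Object { $_ -match "^$p\s" }
    if ($line) {
        # last column of 'whoami /priv' is the state: Enabled / Disabled
        "  [+] $p : $(($line -split '\s{2,}')[-1])"
    } else {
        "  [-] $p : not held"
    }
}

# 2. Processes of interest. Before MS09-012 a process could open any other
#    process running under the same service account with full access, and
#    wmiprvse.exe (the WMI provider host) can carry a SYSTEM token. w3wp.exe is
#    the IIS worker process the attacker usually runs in; sqlservr.exe is the
#    SQL Server case mentioned in the readme.
$mine = $identity.Name
Get-WmiObject Win32_Process |
    Where-Object { $_.Name -match '^(wmiprvse|w3wp|sqlservr)\.exe$' } |
    ForEach-Object {
        $owner = $_.GetOwner()
        $acct = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<access denied>' }
        $flag = if ($acct -ieq $mine) { 'same account as us' } else { '' }
        "  {0,-14} PID {1,-6} {2,-32} {3}" -f $_.Name, $_.ProcessId, $acct, $flag
    }

# 3. Patch level. KB956572 carries the MS09-012 service isolation fix and
#    KB982799 the MS10-059 fix (numbers as published in the bulletins; confirm
#    the one that applies to your OS build).
foreach ($kb in 'KB956572', 'KB982799') {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { "  [+] $kb installed" } else { "  [-] $kb not found" }
}

# 4. IIS 7/7.5 only: identity of each application pool. NetworkService is the
#    default that the exploits above assume; appcmd is absent on IIS 6.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
if (Test-Path $appcmd) {
    & $appcmd list apppool /text:* | Where-Object { $_ -match 'APPPOOL|identityType' }
}
```

If step 1 shows both privileges held, step 2 shows wmiprvse.exe under the same account as the shell, and step 3 shows the relevant KB missing, the box is in the state these PoCs were written for; a missing privilege or an installed fix is the reason a tool "does nothing" far more often than anti-virus is.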
PR: the version commonly circulated online
/xxoo/-->Build&&Change By p
/xxoo/-->This exploit gives you a Local System shell
/xxoo/-->Usage: xxoo.exe command
The AV-evading (免杀) pr build I made myself is KOOPie; the AV-evasion part will be covered in the next post.
/xxoo/-->Build&&Change By KOOPie
/xxoo/-->Usage: xxoo.exe "command"
The pr tool is only one approach; this vulnerability is very widely exploitable, and anyone who works through how it operates can build their own pr.
Chimichurri's predecessors (the Churrasco Token Kidnapping tools):
(1) Churrasco (Brazilian barbecue):
A local privilege escalation exploit for Windows 2003; running a command through it is enough to add an administrative user.
Elevation of privileges PoC exploit for Token Kidnapping on Windows 2003
(2) Churrasco2 (iis7up):
A local privilege escalation exploit for Windows 2008; running a command through it is enough to add an administrative user.
Elevation of privileges PoC exploit for Token Kidnapping on Windows 2008
Common tool directories:
http://sectools.org/
http://www.dragoslungu.com/tag/tools/
http://packetstormsecurity.org
http://www.securitytoollist.com/
http://www.security-database.com