Local Privilege Escalation 2 (Windows)

This week I’m going to point you to an excellent Defcon 2010 talk given by Cesar Cerrudo from Argeniss, called Token Kidnapping’s Revenge.

Cesar goes through a deep explanation of how he used simple tools like Process Monitor and Process Explorer to find services that spawn multiple threads with impersonation permissions.  He used that information by enabling the debugging function of the service and opening a named pipe back to the local host running as the System account.  It’s a very interesting talk if you have the time to listen to it completely.

The exploit code is hosted on Exploit-DB.

The vulnerability was patched by Microsoft in MS10-059.

No Comments

Local Privilege Escalation (Windows)

I figure that my first post will be about local privilege escalation.  It sounds like a good place to start.  So where do we go first to find a current local exploit?  The wonderful Exploit-DB, maintained by Offensive Security.

The top exploit as of today was written by webDEViL and exploits Windows Task Scheduler:


Just copy the text to a file with a “wsf” extension and run it using cscript:

c:\cscript.exe exploit.wsf

As written, the script creates a user “test123” with the password “test123” in the local Administrators group.  Easy huh?

The vulnerability is still currently under CVE review at CVE-2010-3888.  It was identified by Kaspersky Labs and other researchers and was apparently found in the wild being used by the Stuxnet Virus that was found in July of this year.

So, what’s the takeaway from this post?  Exploit-DB is the first place to go for your exploitation needs.

This exploit was recently added to Metasploit and cleverly named Schelevator.  The vulnerability was also patched by Microsoft in MS10-092.

No Comments