Added support for Windows 2003, streamlined some of the code, added the ntdll.lib library, and finally added support for running under a webshell. Even when the original code is compiled in a 2003-compatible form it cannot run on 2003, because systems older than Windows 7 do not export user32!gSharedInfo; it can only be located by parsing the PDB or by searching for a signature byte pattern. In addition, the EPROCESS->Token offset differs from system to system. These modifications have been added to the project.

The project is VS2010 source code and can be compiled directly. Two compiled exps are included in the project; they were tested successfully on both 64-bit and 32-bit 2003. The virtual machine version I used for testing is SP2, and other versions are not guaranteed. If you find that a particular version does not work, tell me the version number and I will modify it again (ideally with a download address for the corresponding version of the system image). This vulnerability does not affect Windows 8 and above, so support stops there.

Note: if you execute the attached exe through Caidao (the "China Chopper" webshell client), you will not see the output echoed back, but the command has actually been executed (if the pid is printed, it ran). Executing it from ASPXSpy works without problems, and the Caidao ASP webshell can use the following script: