Introduction to privilege escalation on Xingwai ("out-of-star") hosts

Source: Internet
Author: User
As everyone knows, escalating privileges on a Xingwai-managed host normally requires finding a directory that is both writable and executable. Lately the directory permissions on these hosts have become extremely tight, and such directories have almost disappeared. So another route has emerged: file permission escalation. In my tests I found that certain files belonging to common server software are granted Everyone permissions, that is, every user can modify them, upload a file of the same name to replace them, delete them and, most importantly, execute them.

The first is our lovely 360 antivirus:

C:\Program Files\360\360safe\antisection\mutex.db    360 antivirus database file
C:\Program Files\360\360safe\deepscan\section\mutex.db    360 antivirus database file
C:\Program Files\360\360sd\section\mutex.db    360 antivirus database file

If 360 antivirus is installed, C:\Program Files\360\360safe\deepscan\section\mutex.db is certain to exist and to carry Everyone permissions; the other two files are not necessarily present.

Helicon ISAPI_Rewrite (pseudo-static URL rewriting software):

C:\Program Files\helicon\isapi_rewrite3\error.log    ISAPI_Rewrite log file
C:\Program Files\helicon\isapi_rewrite3\rewrite.log    ISAPI_Rewrite log file
C:\Program Files\helicon\isapi_rewrite3\httpd.conf    ISAPI_Rewrite configuration file

This is mainly a permission problem in ISAPI_Rewrite version 3.0; earlier versions do not show it.

Norton AntiVirus:

C:\Program Files\common files\symantec shared\persist.bak    Norton AntiVirus event log file
C:\Program Files\common files\symantec shared\validate.dat    Norton AntiVirus event log file
C:\Program Files\common files\symantec shared\persist.dat    Norton AntiVirus event log file

For Norton AntiVirus this may be limited to certain versions; I did not find the above files on an XP machine.

The last two replaceable files:

C:\WINDOWS\hchiblis.ibl    Alibaba Cloud security server management expert license file
C:\Documents and Settings\All Users\Application Data\Hagel technologies\du meter\log.csv    DU Meter traffic statistics log file

All of the files above are currently known to carry Everyone permissions. Note that a file can be replaced and executed even when you have no access to the directory that contains it: Windows evaluates the file's own ACL, and because Everyone holds the "Bypass traverse checking" privilege by default, a deny on the parent directory does not protect the file. For example, with D:\Program Files\360\360safe\deepscan\section\mutex.db the directory D:\Program Files\360\360safe\deepscan\section may itself be inaccessible: browsing it with the bin牛 ASPX webshell shows "access denied", yet the mutex.db stored in that directory can still be overwritten by uploading cmd.exe renamed to mutex.db. So when no writable executable directory can be found, check whether any of the software above is installed on the server; if so, upload your privilege escalation file under the same name to replace the original, and it will execute.

==========================================================

A mistake in directory or file permissions can lead to intrusion! To solve the problem at the root, we recommend that all users upgrade the controlled-terminal installation package to the 2011-3-15 version and click Set "ASP.NET strict security mode"; all users already running the strict ASP.NET security mode are unaffected. For antivirus on the server we recommend installing McAfee; do not install 360 again, since many versions of 360 have privilege escalation problems. The new version of the Xingwai scanning tool (available from the group share or the Xingwai backend) was released on February 8.

In the scan results we found the following problems on a large number of servers.

File: C:\WINDOWS\TAPI\tsec.ini
Solution: delete this file directly (do not leave it in the recycle bin).

360:
File: C:\Program Files\360\360sd\section\mutex.db
File: C:\Program Files\360\360safe\deepscan\section\mutex.db
File: C:\Program Files\360\360safe\antisection\mutex.db
Solution: uninstall 360 directly. Every file left behind after 360 is uninstalled must be deleted as well.

Flash:
File: C:\windows\system32\macromed\Flash\flash10q.ocx
Solution: delete the file directly (do not leave it in the recycle bin).

ISAPI_Rewrite 3 (do not install it on the server):
File: C:\Program Files\helicon\isapi_rewrite3\rewrite.log
File: C:\Program Files\helicon\isapi_rewrite3\httpd.conf
File: C:\Program Files\helicon\isapi_rewrite3\error.log
Solution: change the permissions of these three files so that Everyone has read-only access (no write permission).

DU Meter log:
File: C:\Documents and Settings\All Users\Application Data\Hagel technologies\du meter\log.csv
Solution: delete it.

Norton:
File: C:\Program Files\common files\symantec shared\persist.bak
File: C:\Program Files\common files\symantec shared\validate.dat
File: C:\Program Files\common files\symantec shared\persist.dat
Solution: delete them directly.

Alibaba Cloud security:
File: C:\windows\hchiblis.ibl
Solution: delete the filtering software directly. If the software cannot be deleted for other reasons, change the permission to Everyone read and write; Everyone must never have execute permission.

7i24.com "first-class" filter (一流过滤):
File: C:\7i24.com\iissafe\log\startandiischeck.txt
File: C:\7i24.com\iissafe\log\scanlog.htm
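Added here as an example, not code from the post or from the Xingwai scanning tool: a PowerShell audit that checks the files listed above for ACEs granting Everyone write, delete or execute rights and, with -Fix, reduces Everyone to read-only, the remedy the post gives for the ISAPI_Rewrite files. It assumes the software is installed on C:; that drive letter is an assumption.

```powershell
# Added audit script (not from the post or the Xingwai tool): checks the files named in
# this post for ACEs granting Everyone write/delete/execute rights, and with -Fix
# leaves Everyone read-only, as the post recommends for the ISAPI_Rewrite files.
# Assumption: the software is installed on C:; adjust the drive letter if it is on D:.
param([switch]$Fix)

$paths = @(
  'C:\Program Files\360\360safe\antisection\mutex.db',
  'C:\Program Files\360\360safe\deepscan\section\mutex.db',
  'C:\Program Files\360\360sd\section\mutex.db',
  'C:\Program Files\helicon\isapi_rewrite3\error.log',
  'C:\Program Files\helicon\isapi_rewrite3\rewrite.log',
  'C:\Program Files\helicon\isapi_rewrite3\httpd.conf',
  'C:\Program Files\common files\symantec shared\persist.bak',
  'C:\Program Files\common files\symantec shared\validate.dat',
  'C:\Program Files\common files\symantec shared\persist.dat',
  'C:\WINDOWS\hchiblis.ibl',
  'C:\WINDOWS\TAPI\tsec.ini',
  'C:\windows\system32\macromed\Flash\flash10q.ocx',
  'C:\Documents and Settings\All Users\Application Data\Hagel technologies\du meter\log.csv',
  'C:\7i24.com\iissafe\log\startandiischeck.txt',
  'C:\7i24.com\iissafe\log\scanlog.htm'
)

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
# Any of these rights lets an unprivileged user replace the file or run what replaced it
$dangerous = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ExecuteFile, Modify, FullControl'

foreach ($p in $paths) {
  if (-not (Test-Path -Path $p)) { continue }
  $acl = Get-Acl -Path $p
  $bad = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
    ([int]$_.FileSystemRights -band $dangerous) -ne 0
  })
  if ($bad.Count -eq 0) { continue }
  Write-Warning ("{0}: Everyone has {1}" -f $p, (($bad | ForEach-Object { $_.FileSystemRights }) -join ', '))
  if ($Fix) {
    # Copy inherited ACEs into the file's own ACL so the Everyone entries can be dropped
    $acl.SetAccessRuleProtection($true, $true)
    $acl.PurgeAccessRules($everyone)
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'Read', 'Allow')))
    Set-Acl -Path $p -AclObject $acl
    Write-Host "  fixed: Everyone is now read-only on $p"
  }
}
```

Run it from an elevated prompt. For the 360, Flash, Norton and log entries the post's actual advice is to remove the file or the software, so the ACL change is only a stopgap for those.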
