"New Ideas" for Off-star Privilege Escalation

Author: constanding
First Release: www.t00ls.net

Statement: this is not an off-star 0DAY. At best, it is a privilege-escalation idea for cases where no writable, executable directory can be found. I do not claim to be the first to find it. Others may have discovered it already and may be using it.
In fact, numerous cases bear out what the veteran lcx said: details determine success or failure. This is just one such detail in penetration work that I happened to notice. The main text begins below.

As we all know, escalating privileges on an off-star host requires finding a writable, executable directory. Recently, the directory settings of off-star hosts have become increasingly strict, and there is almost never a writable, executable directory. So another approach to privilege escalation emerged. In my tests, I found that some files belonging to common software on servers have their permissions set to Everyone, that is, all users. They can be modified, or deleted and replaced by uploading a file with the same name, and most importantly, they can be executed.

First is our beloved 360 antivirus.

C:\Program Files\360\360Safe\AntiSection\mutex.db  (360 antivirus database file)
C:\Program Files\360\360Safe\deepscan\Section\mutex.db  (360 antivirus database file)
C:\Program Files\360\360sd\Section\mutex.db  (360 antivirus database file)

The file C:\Program Files\360\360Safe\deepscan\Section\mutex.db always exists as long as 360 Anti-Virus is installed, and it has the Everyone permission. The other two files are not necessarily present.

C:\Program Files\Helicon\ISAPI_Rewrite3\error.log  (log file of the pseudo-static URL rewriting software ISAPI Rewrite)
C:\Program Files\Helicon\ISAPI_Rewrite3\Rewrite.log  (log file of the pseudo-static URL rewriting software ISAPI Rewrite)
C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf  (configuration file of the pseudo-static URL rewriting software ISAPI Rewrite)

This is mainly a permission issue in ISAPI Rewrite 3.0; it is not found in earlier versions.

C:\Program Files\Common Files\Symantec Shared\Persist.bak  (Norton Antivirus event log file)

C:\Program Files\Common Files\Symantec Shared\Validate.dat  (Norton Antivirus event log file)

C:\Program Files\Common Files\Symantec Shared\Persist.Dat  (Norton Antivirus event log file)

For Norton AntiVirus, this may be limited to certain versions. I have not found any of the above files on the XP Server.

The last two replaceable files are as follows:

C:\windows\hchiblis.ibl  (Alibaba Cloud security server management expert license file)

C:\Documents and Settings\All Users\Application Data\Hagel Technologies\DU Meter\log.csv  (traffic statistics log file of DU Meter)

Currently, the permission on all of the above files is Everyone. Note that even if you have no permission to access the directory containing a replaceable file, you can still replace the file and have it executed. Take D:\Program Files\360\360Safe\deepscan\Section\mutex.db as an example: the D:\Program Files\360\360Safe\deepscan\Section directory cannot be accessed, but with BIN's aspx web shell the mutex.db file under it can still be accessed by its full path.

So, when no writable, executable directory can be found, you can check whether the above software is installed on the server. If it is, you can upload a file with the same name to replace the original file with your privilege-escalation file, and it can then be executed successfully.
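
A defender's check for the condition described above, as an added example that is not from the original article: a PowerShell audit that reads each listed file's own ACL (the article notes that a locked-down parent directory does not prevent replacement) and reports allow entries that give Everyone, Authenticated Users or Users write, delete or re-permission rights. The drive letter and the choice of broad groups are assumptions to adjust per server.

```powershell
# Added example (not from the original article): report files from the
# article's list that broad groups are allowed to overwrite or delete.
# Run elevated. Paths assume drive C:; change the letter for other installs.
$paths = @(
    'C:\Program Files\360\360Safe\AntiSection\mutex.db',
    'C:\Program Files\360\360Safe\deepscan\Section\mutex.db',
    'C:\Program Files\360\360sd\Section\mutex.db',
    'C:\Program Files\Helicon\ISAPI_Rewrite3\error.log',
    'C:\Program Files\Helicon\ISAPI_Rewrite3\Rewrite.log',
    'C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf',
    'C:\Program Files\Common Files\Symantec Shared\Persist.bak',
    'C:\Program Files\Common Files\Symantec Shared\Validate.dat',
    'C:\Program Files\Common Files\Symantec Shared\Persist.Dat',
    'C:\windows\hchiblis.ibl',
    'C:\Documents and Settings\All Users\Application Data\Hagel Technologies\DU Meter\log.csv'
)

# Well-known SIDs, used instead of names so localized systems match too.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Rights that permit changing, removing or re-permissioning a file.
$R = [System.Security.AccessControl.FileSystemRights]
$risky = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
               $R::ChangePermissions -bor $R::TakeOwnership)

$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }   # product not installed
    $acl = Get-Acl -LiteralPath $p
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $broad.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $risky) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $p
            Principal = $broad[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Each row it prints is an ACE to remove or narrow so that only administrators and the account the product runs under can write the file.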
