Token kidnapping returns! You may remember back in 2009 a token kidnapping issue was discovered and exploited by Cesar Cerrudo. This allowed you to impersonate a service in use running as a higher service account (network service to system) and compromise the server. This was patched by Microsoft in April 2009 – MS09-012.

Cesar is back with a new token kidnapping exploit. He presented his findings at Black Hat 2010 USA.

This works in a slightly different way, but the end result is any server for instance running IIS as “network service” can be exploited and you can gain a “system” shell back.

There are 2 versions of the exploit:

Churraskito This version exploits Windows XP and Windows 2003 all versions. There currently is not patch for this from Microsoft.

Chimichurri This version exploits Windows Vista, Windows 7 and Windows 2008 all versions. A patch was released for this 10th August 2010 MS10-059.

MS10-059 bulletin from Microsoft states that Xp, 2003 R2 are not vulnerable. Well if you run the correct exploit they are. I have exploited Windows 2003 R2 SP2 fully patched today and it works perfect.

If you are able to upload a shell and files to a remote web server and execute code then it is game over. Providing the IIS is running as “network service” you simply call the exploit and point it back to the attacker IP address and port number (where you have a listener running such as metasploit or netcat). This will exploit the service and fire back a System level shell to the attacker machine.

All credit to Cesar for his great work on this.

You can download the files direct from this site below pre-compiled. Or visit Cesar’s Twitter page for the source code download