exe that
an admin might run. This is interesting even if you can't modify the .exe itself. You'll see
why in the demonstration section later.
The untrusted or semi-trusted SID most likely to have been granted access is probably
BUILTIN\Users. You might also want to look at directories granting write disposition to
Everyone, INTERACTIVE, and Anonymous as well. Here's the command line to recursively
enumerate all directories granting write access to BUILTIN\Users:
C:\tools>accesschk.exe -w -d -q -s users c:\ > weak-dacl-directories.txt
On my test system, this command took about five minutes to run and then returned
lots of writable directories. At first glance, the directories in the list shown next appear to
be worth investigating.
RW c:\cygwin
RW c:\Debuggers
RW c:\Inetpub
RW c:\Perl
RW c:\tools
RW c:\cygwin\bin
RW c:\cygwin\lib
RW c:\Documents and Settings\All Users\Application Data\Apple Computer
RW c:\Documents and Settings\All Users\Application Data\River Past G4
RW c:\Documents and Settings\All Users\Application Data\Skype
RW c:\Perl\bin
RW c:\Perl\lib
RW c:\WINDOWS\system32\spool\PRINTERS
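The saved weak-dacl-directories.txt can be reduced to a DACL review worklist by collapsing nested hits under their topmost writable directory. The following is an added example, not code from the original text; the function names are hypothetical and the sample input is the listing shown above.

```python
import ntpath

# Sample input: the accesschk lines from the listing above.
SAMPLE = r"""
RW c:\cygwin
RW c:\Debuggers
RW c:\Inetpub
RW c:\Perl
RW c:\tools
RW c:\cygwin\bin
RW c:\cygwin\lib
RW c:\Documents and Settings\All Users\Application Data\Apple Computer
RW c:\Documents and Settings\All Users\Application Data\River Past G4
RW c:\Documents and Settings\All Users\Application Data\Skype
RW c:\Perl\bin
RW c:\Perl\lib
RW c:\WINDOWS\system32\spool\PRINTERS
"""

def parse_accesschk(text):
    """Return (rights, path) pairs; paths may contain spaces."""
    entries = []
    for line in text.splitlines():
        rights, _, path = line.strip().partition(" ")
        if rights in {"R", "W", "RW"} and path.strip():
            entries.append((rights, path.strip()))
    return entries

def writable_roots(entries):
    """Map each topmost writable directory to its count of writable descendants."""
    # Windows paths are case-insensitive, so normalize before comparing.
    paths = sorted({ntpath.normcase(ntpath.normpath(p))
                    for rights, p in entries if "W" in rights}, key=len)
    roots = {}
    for p in paths:  # shortest first, so parents are seen before children
        parent = next((r for r in roots
                       if p.startswith(r.rstrip("\\") + "\\")), None)
        if parent is None:
            roots[p] = 0
        else:
            roots[parent] += 1
    return roots

if __name__ == "__main__":
    for root, nested in sorted(writable_roots(parse_accesschk(SAMPLE)).items()):
        print(f"{root}  (+{nested} writable subdirectories)")
```

Each root printed is one directory whose DACL needs review; fixing an inherited ACE there usually covers the nested entries as well.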
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
"Write" Disposition Permissions of a Directory
FILE_ADD_FILE Depending on directory, possible elevation of privilege.