Hello everyone. This time I'll demonstrate how to escalate privileges by replacing a system service. Here we escalate from web privileges; if you have equivalent permissions, or the same conditions apply, you can escalate the same way.
Let's take a look at the environment! I'm using a modified Ocean Trojan!
Note the part in red, from the Trojan's process listing.
Kvsrvxp_1
C:\kv2004\kvsrvxp_1.exe -service
MSSearch Microsoft Search
"C:\program files\common files\system\mssearch\bin\mssearch.exe"
MSSQLSERVER MSSQLServer
D:\Micros~1\mssql\binn\sqlservr.exe
MSSQLSERVERADHELPER MSSQLSERVERADHELPER
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SQLADHLP.EXE
RMServer RMServer
C:\program files\real\realserver\bin\rmserver.exe
RPCAPD Remote Packet Capture Protocol V.0 (Experimental)
"C:\Program files\winpcap\rpcapd.exe" -D -f "c:\program files\winpcap\rpcapd.ini"
RscCenter Rising Process Communication Center
D:\program files\rising\rav\ccenter.exe
Rsravmon Rsravmon Service
D:\program files\rising\rav\ravmond.exe
R_Server Remote Administrator Service
"C:\winnt\system32\r_server.exe" /service
SQLServerAgent SQLServerAgent
D:\Micros~1\mssql\binn\sqlagent.exe
Look, this administrator installed services outside the system directory, where we have write permissions by default ~~~~~~
Let's see whether we can execute commands, you can't change your name ~~~
Hey, it's half ~~!!
We can execute commands. OK, let's see how we replace it!
I don't like Trojans (I'm not clever enough to use them, so here I stick with a batch file, haha!). As you can see, it adds a user and makes it an administrator; you could also add a backdoor, but I won't go into that!
Convert it to an EXE so it runs directly ~~
Take a look at the server!
D:\program files\rising\rav\ravmond.exe: damn Rising, not in the system directory, let it die!
Whoa, what's this problem??? I've been here before (sweat): the program I uploaded last time is still there, and the name can't be repeated. Sorry for the delay!
Look again
OK, our EXE file goes up, exciting! Now just wait for it to restart, then 3389, haha!!!!
Just for fun
By sword
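
The condition this walkthrough depends on, a service executable outside the system directory that low-privileged accounts can write to, can be audited directly. The PowerShell below is an added example, not part of the original post; the `$lowPriv` group list and the helper name `Get-ServiceImagePath` are assumptions chosen for illustration.

```powershell
# Added audit sketch: flag services whose executable, or its folder, grants
# write-type access to low-privileged principals.
# Assumption: English group names; adjust $lowPriv for your locale and policy.
$lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE'

# Write-type rights, plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000),
# which inherited ACEs can carry as raw bits instead of named rights.
$named = 'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]$named -bor
             0x40000000 -bor 0x10000000

function Get-ServiceImagePath([string]$PathName) {
    # Quoted form:   "C:\dir\app.exe" /args
    # Unquoted form: C:\dir\app.exe -args
    if ($PathName -match '^\s*"([^"]+)"' -or
        $PathName -match '^\s*(.+?\.exe)(\s|$)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceImagePath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }

    # Check both the binary and its parent folder: either one being writable
    # lets the file that the service starts be swapped out.
    foreach ($target in $exe, (Split-Path -Path $exe -Parent)) {
        $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $ace.IdentityReference.Value -and
                ([int]$ace.FileSystemRights -band $writeMask)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}
$findings | Sort-Object Service, Target | Format-Table -AutoSize -Wrap
```

Every row is a finding: restrict write access on that file and folder to administrators and SYSTEM, and check which account the service runs as.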