Whilst assessing vulnerabilities in the PC build I have, I found the following. Now I
always get pissed off when I hear people rattle on about the AT command and using that
to get a SYSTEM shell. In my experience, after XP SP2 you're required to be an admin
to run AT, so what's the point really?
So rather than just focusing on holes in the Microsoft system itself, where frankly I'm not
talented enough to find much, I decided to look at the configuration and
implementation. In my opinion I'd have much better luck looking for mistakes
made by people who weren't necessarily trying to secure a system, but rather trying to get a system
to work.
In this post I'll focus on a common mistake made by the guys who build the system, one which
allows a standard user to escalate to full system privileges.
Looking at Services
It would be nice to use WMIC to look for services that are in a directory that I can write
to and that start automatically:
However, when trying to run WMIC I get an error telling me that I need to be a member
of the Administrators group. I could just go to Services.msc, but that means I
have to go through each service to get the path to its executable. A better tool I found
for this is MSInfo32.exe.
As can be seen in the screenshot, I can quickly scan down the auto-started services for
ones whose paths I can write to. I also need the service to be running under an
account with some decent privileges.
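The same check the post does by eye in MSInfo32, as an added PowerShell audit script (not from the original post or its comments): it lists automatically started services whose executable sits in a directory writable by a non-administrative group, which is the misconfiguration described above. The function names and the list of low-privilege principals are my own assumptions.

```powershell
# Added audit example (not from the original post): find auto-start services whose
# binary lives in a directory that low-privilege principals can write to.
# Assumption: any ACE granting write/modify/full control to one of these groups is
# enough to flag the directory; deny ACEs and group nesting are not evaluated here.
$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'BUILTIN\Power Users')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Strip arguments: a quoted path ends at the closing quote,
    # an unquoted one at the first ".exe" (-match is case-insensitive).
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-LowPrivWritable {
    param([string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# Win32_Service exposes the same StartMode/PathName/StartName fields the post
# wanted from WMIC; reading ACLs needs no administrative rights.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        $dir = Split-Path -Parent $exe
        if ($dir -and (Test-LowPrivWritable $dir)) {
            [PSCustomObject]@{ Service = $_.Name; RunsAs = $_.StartName; Directory = $dir }
        }
    } | Format-Table -AutoSize
```

Any line in the output whose RunsAs is LocalSystem (or another privileged account) is exactly the case the post goes on to abuse; the fix is to tighten the directory ACL so that only administrators and the installer can write there.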
I go to the directory that VNC runs from and rename the executable. I copy
Taskmgr.exe from System32 to the VNC directory and rename it to the name of the VNC
executable.
After a restart I see that I have no VNC in the system tray, so I go to Services.msc
and start it. Task Manager starts up for about a minute and then closes (the service
control manager kills the process because it never reports itself as started). OK, that's good.
I start the service again and quickly launch a command shell before it closes. Great, now
I have my SYSTEM command shell. From here I can add accounts, change settings, install
software etc... But maybe I want my full desktop. I launch Taskmgr.exe from the
command shell, kill explorer from the process list and then launch explorer from the File
menu. Fantastic, I have a whole desktop running as SYSTEM; now I really am closer to
god!
Posted by SynJunkie
Labels: Privilege Escalation
9 comments:
SynJunkie said...
Hey Rob.
The PC I was testing on was an XP SP2 PC. I was testing it with a user account
that was a member of Power Users but not Local Administrators. WMIC had
previously been run on that PC.
I never tested any further as I was just looking at my standard build and nothing
else.
Good luck with the talk. Hopefully you'll make it available from Room362.
June 10, 2009 6:54 PM
If they record it, I will definitely make it available. Might just take my own
vcam just in case since you made me think of it.
But, doing that doesn't apply to a remote privilege escalation very well.
However there are ways of making windows do things after boot. ;-)
SynJunkie said...
Sounds like your talk is going to be pretty good. I'll keep an eye out for it.
I'll be looking into other implementation failures in the PC build when I'm
finished getting to grips with some SQL injection for a web app I'm looking at.
Anonymous said...
hey Syn,
Don't know if it's of any interest, but I thought it could be useful too, as you are
talking about XP SP2. Andres Tarasco from www.haxorcitos.com released
srvcheck, which makes use of service implementation failures:
http://www.haxorcitos.com/ficheros.html#SRVCHECK2
By the way, I often see things like xampp on windows web development
machines. xampp is always running under LocalSystem, so it's xampp which lets
you add another user to the local admin group through php.
greetz, Markus
mneis said...
hey Syn,
not sure if it helps, but with a little command-line kung fu you can get what you
need:
(sc query state= all | findstr /i "service_name" > f:\enum\services & for /f "tokens=2,3" %i in (f:\enum\services) do @sc qc %i | findstr /i "service_name auto_start binary_path_name") & del f:\enum\services
By the way, for privilege escalation there is still a tool out there from Andres Tarasco:
http://www.haxorcitos.com/ficheros.html#SRVCHECK2
Markus
SynJunkie said...
Hey Markus
Thanks for the comments. I did try to use SC for getting the detail on services
but I couldn't get to what I wanted with it. I'll be sure to give your suggestion a
try.
Cheers
Syn
mneis said...
Hey Syn,
while browsing in my tools for some access enumeration I found this:
Sysinternals accesschk.exe
Option -c =
Name is a Windows Service e.g. ssdpsrv. Specify '*' as the
name to show all services and 'scmanager' to check the security
Regards,
Markus
SynJunkie said...
Fantastic tip, cheers mate. I'll look into that. I love sysinternals tools.