Privilege Escalation in Windows

Published by: elabir on Jun 03, 2010
Copyright: Attribution Non-commercial

Thursday, June 4, 2009
Whilst assessing vulnerabilities in the PC build I have, I found the following. Now I always get pissed off when I hear people rattle on about the AT command and using that to get a SYSTEM shell. In my experience after XP SP2 you're required to be an admin to run AT, so what's the point really?

So rather than just focussing on holes in the Microsoft system, which frankly I'm not really talented enough to find much there, I decided to look at the configuration and implementation. In my opinion I would have much better luck looking for mistakes made by people not necessarily trying to secure a system but more trying to get a system to work.

In this post I'll focus on a common mistake made by the guys who build the system which allows a standard user to escalate to full system privileges.
Looking at Services
It would be nice to use WMIC to look for services that are in a directory that I can write to and that start automatically:

wmic service get name,startmode,pathname | find /i "auto"

However, when trying to run WMIC I get an error telling me that I need to be a member of the Administrators group. I could just go to Services.msc, but this means that I have to go through each service to get the path to the executable. A better tool I found for this is MSInfo32.exe.

As can be seen in the screenshot, I can quickly scan down the autostarted services for ones that have paths that I can write to. I also need the service to be running with an account with some decent privileges. OK, VNC looks pretty good.

I go to the directory that VNC runs from and rename the executable. I copy Taskmgr.exe from System32 to the VNC directory and rename it as the VNC executable.

After a restart I see that I have no VNC in the system tray, so I go to Services.msc and start it. Task Manager starts up for about a minute and then closes. OK, that's good. I start the service again and quickly launch a command shell before it closes; great, now I have my system command shell. From here I can add accounts, change settings, install software etc... But maybe I want my full desktop. I launch Taskmgr.exe from the command shell, kill explorer from the process list and then launch explorer from the File menu. Fantastic, I have a whole desktop running as System, now I really am closer to god!

Posted by SynJunkie
Labels: Privilege Escalation
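The check the post does by hand (WMIC, then reading MSInfo32 service by service) is the same check a system builder should run before shipping an image. The PowerShell audit below is an added example, not code from the original post or its comments: it lists auto-start services and flags those whose executable, or the directory it lives in, grants write-type rights to broad low-privilege groups, and reports the account each one runs as, since a LocalSystem service with a writable binary path is exactly the VNC case above. It assumes Windows PowerShell 5.1 or later with the CimCmdlets module; the principal list, the rights mask and the function names are the example's own choices.

```powershell
# Added audit script (not from the original post). Assumes Windows PowerShell 5.1
# or later with CimCmdlets; run it elevated so every ACL can be read.
# Reports auto-start services whose executable or containing directory grants
# write-type rights to groups that every standard user belongs to.

# Principals that any local or domain user is a member of (example's own list);
# write rights for these mean a non-admin could replace the service binary.
$broadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# FileSystemRights bits that let a principal change, replace or delete a file,
# or add and remove entries in a directory.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
             $fsr::WriteData -bor $fsr::CreateFiles -bor $fsr::Delete -bor
             $fsr::DeleteSubdirectoriesAndFiles -bor
             $fsr::ChangePermissions -bor $fsr::TakeOwnership

function Get-ServiceExecutablePath {
    # Pull the executable out of Win32_Service.PathName, which may be quoted,
    # unquoted, and followed by arguments, e.g. "C:\Program Files\X\x.exe" -run
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
        return $PathName.Trim('"')
    }
    # Unquoted: everything up to the first ".exe" is the binary
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Test-BroadWriteAccess {
    # True if an Allow ACE for one of the broad principals carries a write-type right.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# Same filter as the post's WMIC one-liner: auto-start services only.
$autoServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' }

$findings = foreach ($svc in $autoServices) {
    $exe = Get-ServiceExecutablePath $svc.PathName
    if (-not $exe) { continue }
    $dir = Split-Path -Path $exe -Parent
    $exeWritable = Test-BroadWriteAccess $exe
    $dirWritable = Test-BroadWriteAccess $dir
    if ($exeWritable -or $dirWritable) {
        [pscustomobject]@{
            Service     = $svc.Name
            RunsAs      = $svc.StartName   # LocalSystem is the worst case
            Executable  = $exe
            ExeWritable = $exeWritable
            DirWritable = $dirWritable
        }
    }
}

# Anything listed here is a build mistake to fix before the image ships.
$findings | Format-Table -AutoSize
```

Every row in the output is a service that a standard user could hijack the way the post describes. The fix is on the filesystem side, not the service: tighten the NTFS ACL on the directory and binary so that only Administrators and SYSTEM can write (icacls, or Group Policy file-system security), or install the product under Program Files where the default ACLs already do that. Run the audit again after the change and confirm the row disappears.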
Rob Fuller (mubix) said...
This method is actually going to be a part of my ToorCamp talk. And as far as WMIC not working, that's only an XP problem. Vista and 7 allow you to run it. Does it still give you that error if WMIC has been installed on XP by an admin? I know it autoinstalls after the first run.
June 10, 2009 4:44 PM

SynJunkie said...
Hey Rob. The PC I was testing on was an XP SP2 PC. I was testing it with a user account that was a member of Power Users but not Local Administrators. WMIC had previously been run on that PC. I never tested any further as I was just looking at my standard build and nothing else. Hope that helps. Good luck with the talk. Hopefully you'll make it available from Room362.
June 10, 2009 6:54 PM

Rob Fuller (mubix) said...
If they record it, I will definitely make it available. Might just take my own vcam just in case since you made me think of it. So testing on Vista and Windows 7, a standard user can't alter anything in Program Files, so you would have to do that offline, but at that point you would do better just to copy cmd.exe to system32 and overwrite utilman.exe, backing up the original of course. But doing that doesn't apply to a remote privilege escalation very well. However there are ways of making Windows do things after boot. ;-)
June 10, 2009 8:27 PM

SynJunkie said...
Sounds like your talk is going to be pretty good. I'll keep an eye out for it. I'll be looking into other implementation failures in the PC build when I'm finished getting to grips with some SQL injection for a web app I'm looking at.
June 10, 2009 8:55 PM

Anonymous said...
hey Syn, don't know if it's of any interest but I thought it could be useful too as you are talking about XP SP2. Andres Tarasco from www.haxorcitos.com released srvcheck which makes use of service implementation failures: http://www.haxorcitos.com/ficheros.html#SRVCHECK2
By the way, I often see things like xampp on Windows web development machines. xampp is always running under LocalSystem, so it's xampp which lets you add another user to the local admin group through php.
greetz, Markus
June 13, 2009 4:36 PM

mneis said...
hey Syn, not sure if it helps, but with a little commandline kungfu you can get what you need
