Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Help with Exploit

from [James D. Stallard] Network Security [Permanent Link]
Subject: RE: Help with Exploit
Date: Wed, 18 Apr 2007 01:46:34 +0100 
Murda

<can't sleep>

The AT job trick will give you LOCALSYSTEM privs, and access to just about
anything. As Thor HoG points out, the AT job submit tool is only allowed to
local Admins by default. I suspect that if you used XCACLS to alter the
permissions on \WINDOWS\TASKS you could probably alter this behaviour.

However, the reason for the REGEDIT 'hidden' keys is different, so doesn't
help you:

REGEDIT and REGEDT32 both use the WIN32 API, as does just about every other
windows app out there.

For the 20+ API calls that it presents, the WIN32 API is essentially a
wrapper for the KERNEL, with added checks for data integrity etc. The KERNEL
actually provides around 200 API calls, but MS chose not to document these
calls in detail (there is information out there if you choose to look) and
does not encourage developers to use them for a number of excellent reasons
(you might remember that badly written KERNEL mode printer drivers used to
regularly crash clustered file and print servers).

For whatever reason, the WIN32 API stops processing a key (end of line
marker) when it encounters a "\" (NULL is actually "\0") and the rest of the
keyname and any sub keys are not processed and remain hidden. WIN32
continues to process the next key in the hive, so the feature is useful for
writing hidden regkeys. The "feature" is often used in copy protection, as
mentioned previously (although not by Microsoft, AFAIK) and occasionally in
RootKits as part of their obfuscation code.

Other than invisible keys there does not seem to be any adverse effects on
the OS caused by the simple existance of hidden regkeys.

The KERNEL does not treat the "\" or "\0" character string as a NULL or end
of line, so keys can be written and read using this method.

The REGHIDE tool uses the KERNEL, hence it's ability to hide keys from
REGEDIT and REGEDT32.

</can't sleep>

Hope this helps
Cheers

James


James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
Skype: JamesDStallard


-----Original Message-----
From: Murda Mcloud [mailto:murdamcloud@bigpond.com] 
Sent: 17 April 2007 23:46
To: 'James D. Stallard'; 'Harlan Carvey'; 'Nicolas RUFF'; 'Vic Brown'
Cc: focus-ms@securityfocus.com
Subject: RE: Help with Exploit

I know that James 'trick' works (very nice) and will have to try Harlan's
suggestion too. 
Now is the AT trick using the same method that Nicholas was pointing out
with regards to the native API and the win32 API being slightly different?  


-----Original Message-----
From: James D. Stallard [mailto:james@leafgrove.com]
Sent: Wednesday, April 18, 2007 1:30 AM
To: 'Harlan Carvey'; 'Nicolas RUFF'; 'Murda Mcloud'; 'Vic Brown'
Cc: focus-ms@securityfocus.com
Subject: RE: Help with Exploit

Harlan, et al

To access the security regkeys in HKLM you don't need to change the ACLs.

This is an age-old (well, since early NT4 anyway) trick to get LOCALSYSTEM
privs on anything that allows you to run an AT job:

. Get the current time.
. From CMD line run "AT <time+1 minute> /interactive CMD.EXE".
. Wait for a minute.
. CMD window opens in LOCALSYSTEM context.
. Run REGEDIT from new CMD window.
. Navigate to HKLM\SECURITY.
. Marvel at now visible security keys: Cache, Policy, RXACT, SAM.

This particular trick is the basis for a deal of trivial priv escalation
attacks on windows, so if you can, you should secure the Task Scheduler with
a non-priv'ed user or disable it. Another good reason for not giving users
local admin rights.

Cheers

James

James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
Skype: JamesDStallard






-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Harlan Carvey
Sent: 17 April 2007 14:40
To: Nicolas RUFF; Murda Mcloud; 'Vic Brown'
Cc: focus-ms@securityfocus.com
Subject: Re: Help with Exploit



I've done some googling and am finding that the

new RR version  checks the

security hive(which I believe to be 'invisible' to

regedit-can someone

correct me if I'm wrong?).


On a live system, the Security hive is not accessible by default.  You need
to change the ACLs so that the Admin has the ability to read the hive.


I know I am coming late on this one, but registry keys that contain 
NULL characters cannot be accessed through REGEDIT. You have to rely 
on the low-level NTDLL API to access them. It is known "copy 
protection" trick :)


What?


------------------------------------------
Harlan Carvey, CISSP
author: "Windows Forensic Analysis"
http://windowsir.blogspot.com
------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Help with Exploit, Thor (Hammer of God)
Next by Date:  RE: Help with Exploit, Murda Mcloud
Previous by Thread:  RE: Help with Exploit, Murda Mcloud
Next by Thread:  Re: Help with Exploit, Thor (Hammer of God)
Indexes:  [Date] [Thread] [Top] [All Lists]