Re: Help with ExploitApr 17 2007 07:24PM Thor (Hammer of God) (thor hammerofgod com)
But you have to be an administrator in the first place to run this. If you
are "normal user," you'll get "Access Denied."
t
----- Original Message -----
From: "James D. Stallard" <james (at) leafgrove (dot) com [email concealed]>
To: "'Harlan Carvey'" <keydet89 (at) yahoo (dot) com [email concealed]>; "'Nicolas RUFF'"
<nicolas.ruff (at) gmail (dot) com [email concealed]>; "'Murda Mcloud'" <murdamcloud (at) bigpond (dot) com [email concealed]>; "'Vic
Brown'" <vabrown (at) mailer.fsu (dot) edu [email concealed]>
Cc: <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Tuesday, April 17, 2007 8:29 AM
Subject: RE: Help with Exploit
> Harlan, et al
>
> To access the security regkeys in HKLM you don't need to change the ACLs.
>
> This is an age-old (well, since early NT4 anyway) trick to get LOCALSYSTEM
> privs on anything that allows you to run an AT job:
>
> . Get the current time.
> . From CMD line run "AT <time+1 minute> /interactive CMD.EXE".
> . Wait for a minute.
> . CMD window opens in LOCALSYSTEM context.
> . Run REGEDIT from new CMD window.
> . Navigate to HKLM\SECURITY.
> . Marvel at now visible security keys: Cache, Policy, RXACT, SAM.
>
> This particular trick is the basis for a deal of trivial priv escalation
> attacks on windows, so if you can, you should secure the Task Scheduler
> with
> a non-priv'ed user or disable it. Another good reason for not giving users
> local admin rights.
>
> Cheers
>
> James
>
> James D. Stallard, MIoD
> Microsoft and Networks Infrastructure Technical Architect
> Web: www.leafgrove.com
> LinkedIn: www.linkedin.com/in/jamesdstallard
> Skype: JamesDStallard
>
>
>
>
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On
> Behalf Of Harlan Carvey
> Sent: 17 April 2007 14:40
> To: Nicolas RUFF; Murda Mcloud; 'Vic Brown'
> Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Re: Help with Exploit
>
>
>> > I've done some googling and am finding that the
>> new RR version checks the
>> > security hive(which I believe to be 'invisible' to
>> regedit-can someone
>> > correct me if I'm wrong?).
>
> On a live system, the Security hive is not accessible by default. You
> need
> to change the ACLs so that the Admin has the ability to read the hive.
>
>> I know I am coming late on this one, but registry keys that contain
>> NULL characters cannot be accessed through REGEDIT. You have to rely
>> on the low-level NTDLL API to access them. It is known "copy
>> protection" trick :)
>
> What?
>
>
> ------------------------------------------
> Harlan Carvey, CISSP
> author: "Windows Forensic Analysis"
> http://windowsir.blogspot.com
> ------------------------------------------
>
>
>
>
>
are "normal user," you'll get "Access Denied."
t
----- Original Message -----
From: "James D. Stallard" <james (at) leafgrove (dot) com [email concealed]>
To: "'Harlan Carvey'" <keydet89 (at) yahoo (dot) com [email concealed]>; "'Nicolas RUFF'"
<nicolas.ruff (at) gmail (dot) com [email concealed]>; "'Murda Mcloud'" <murdamcloud (at) bigpond (dot) com [email concealed]>; "'Vic
Brown'" <vabrown (at) mailer.fsu (dot) edu [email concealed]>
Cc: <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Tuesday, April 17, 2007 8:29 AM
Subject: RE: Help with Exploit
> Harlan, et al
>
> To access the security regkeys in HKLM you don't need to change the ACLs.
>
> This is an age-old (well, since early NT4 anyway) trick to get LOCALSYSTEM
> privs on anything that allows you to run an AT job:
>
> . Get the current time.
> . From CMD line run "AT <time+1 minute> /interactive CMD.EXE".
> . Wait for a minute.
> . CMD window opens in LOCALSYSTEM context.
> . Run REGEDIT from new CMD window.
> . Navigate to HKLM\SECURITY.
> . Marvel at now visible security keys: Cache, Policy, RXACT, SAM.
>
> This particular trick is the basis for a deal of trivial priv escalation
> attacks on windows, so if you can, you should secure the Task Scheduler
> with
> a non-priv'ed user or disable it. Another good reason for not giving users
> local admin rights.
>
> Cheers
>
> James
>
> James D. Stallard, MIoD
> Microsoft and Networks Infrastructure Technical Architect
> Web: www.leafgrove.com
> LinkedIn: www.linkedin.com/in/jamesdstallard
> Skype: JamesDStallard
>
>
>
>
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On
> Behalf Of Harlan Carvey
> Sent: 17 April 2007 14:40
> To: Nicolas RUFF; Murda Mcloud; 'Vic Brown'
> Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Re: Help with Exploit
>
>
>> > I've done some googling and am finding that the
>> new RR version checks the
>> > security hive(which I believe to be 'invisible' to
>> regedit-can someone
>> > correct me if I'm wrong?).
>
> On a live system, the Security hive is not accessible by default. You
> need
> to change the ACLs so that the Admin has the ability to read the hive.
>
>> I know I am coming late on this one, but registry keys that contain
>> NULL characters cannot be accessed through REGEDIT. You have to rely
>> on the low-level NTDLL API to access them. It is known "copy
>> protection" trick :)
>
> What?
>
>
> ------------------------------------------
> Harlan Carvey, CISSP
> author: "Windows Forensic Analysis"
> http://windowsir.blogspot.com
> ------------------------------------------
>
>
>
>
>
[ reply ]