Hi,

You can also use psexec from http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx to do this...

psexec -i -d -s c:\windows\regedit.exe

(Run Regedit interactively in the System account to view the contents of the SAM and SECURITY keys.)

Vista will not allow you to run "at" with "/interactive"...

Miha

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James D. Stallard
Sent: Tuesday, April 17, 2007 5:30 PM
To: 'Harlan Carvey'; 'Nicolas RUFF'; 'Murda Mcloud'; 'Vic Brown'
Cc: [email protected]
Subject: RE: Help with Exploit

Harlan, et al,

To access the security regkeys in HKLM you don't need to change the ACLs. This is an age-old (well, since early NT4 anyway) trick to get LOCALSYSTEM privs on anything that allows you to run an AT job:

- Get the current time.
- From the CMD line run "AT <time+1 minute> /interactive CMD.EXE".
- Wait for a minute.
- A CMD window opens in the LOCALSYSTEM context.
- Run REGEDIT from the new CMD window.
- Navigate to HKLM\SECURITY.
- Marvel at the now visible security keys: Cache, Policy, RXACT, SAM.

This particular trick is the basis for a good deal of trivial priv escalation attacks on Windows, so if you can, you should secure the Task Scheduler with a non-priv'ed user or disable it. Another good reason for not giving users local admin rights.

Cheers,
James

James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
Skype: JamesDStallard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harlan Carvey
Sent: 17 April 2007 14:40
To: Nicolas RUFF; Murda Mcloud; 'Vic Brown'
Cc: [email protected]
Subject: Re: Help with Exploit

> > I've done some googling and am finding that the new RR version checks the
> > security hive (which I believe to be 'invisible' to regedit - can someone
> > correct me if I'm wrong?).

On a live system, the Security hive is not accessible by default. You need to change the ACLs so that the Admin has the ability to read the hive.

> I know I am coming late on this one, but registry keys that contain
> NULL characters cannot be accessed through REGEDIT. You have to rely
> on the low-level NTDLL API to access them. It is a known "copy
> protection" trick :)

What?

------------------------------------------
Harlan Carvey, CISSP
author: "Windows Forensic Analysis"
http://windowsir.blogspot.com
------------------------------------------
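The two defensive points raised in this thread, James's advice to lock down or disable the Task Scheduler and Harlan's note that the SECURITY hive is protected only by its ACL, can be checked on a host with the following PowerShell audit script. It is an added example written for this page, not code posted by anyone in the thread, and it assumes an elevated session on a Windows host where the Win32_Service and Win32_ScheduledJob CIM classes are available; the "expected" default ACL on HKLM\SECURITY (SYSTEM full control, Administrators read/change permissions only) is my own baseline, not something stated in the thread.

```powershell
# Added example, not from the thread: audit the Task Scheduler ("Schedule")
# service, any legacy AT jobs, and the ACL on HKLM\SECURITY.
# Assumes an elevated PowerShell session on Windows with the Win32_Service and
# Win32_ScheduledJob CIM classes available.

function Get-ScheduleServiceState {
    # Startup type and the account the service runs under. The service runs as
    # LocalSystem by default, which is why jobs it launches inherit that context.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Schedule'"
    [pscustomobject]@{
        State     = $svc.State
        StartMode = $svc.StartMode
        RunsAs    = $svc.StartName
    }
}

function Get-AtJobs {
    # Win32_ScheduledJob lists only jobs created through the legacy AT interface
    # discussed in the thread, not Task Scheduler 2.0 tasks.
    Get-CimInstance -ClassName Win32_ScheduledJob |
        Select-Object JobId, Command, StartTime, InteractWithDesktop, Owner
}

function Get-SecurityHiveAcl {
    # The key's contents are hidden from Administrators, so open it asking for
    # nothing but the right to read its DACL (READ_CONTROL).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SECURITY',
        [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if (-not $key) { throw 'Could not open HKLM\SECURITY (is the session elevated?)' }
    try {
        $key.GetAccessControl().GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount]) |
            Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
    } finally {
        $key.Close()
    }
}

function Test-SchedulerHardening {
    $findings = @()

    $sched = Get-ScheduleServiceState
    if ($sched.State -eq 'Running') {
        $findings += "Schedule service is running ($($sched.StartMode)) as $($sched.RunsAs)."
    }

    $jobs = @(Get-AtJobs)
    if ($jobs.Count -gt 0) {
        $findings += "$($jobs.Count) AT job(s) present: " +
            (($jobs | ForEach-Object { "#$($_.JobId) $($_.Command)" }) -join '; ')
    }

    # Baseline (assumed, see lead-in): SYSTEM has full control and Administrators
    # hold only ReadPermissions|ChangePermissions. Any other ACE, or a widened
    # ACE for these two principals, means the hive ACL has been loosened.
    $rights   = [System.Security.AccessControl.RegistryRights]
    $expected = @{
        'NT AUTHORITY\SYSTEM'    = $rights::FullControl
        'BUILTIN\Administrators' = $rights::ReadPermissions -bor $rights::ChangePermissions
    }
    foreach ($ace in Get-SecurityHiveAcl) {
        $who = $ace.IdentityReference.Value
        if (-not $expected.ContainsKey($who) -or $ace.RegistryRights -ne $expected[$who]) {
            $findings += "Non-default ACE on HKLM\SECURITY: $who -> $($ace.RegistryRights) ($($ace.AccessControlType))"
        }
    }

    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

Test-SchedulerHardening
```

Each finding is reported rather than acted on: whether the Schedule service should be stopped, run under a less privileged account, or left alone is a per-host decision, and a widened ACL on HKLM\SECURITY is worth correlating with change records before it is reverted.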
