Murda <can't sleep>
The AT job trick will give you LOCALSYSTEM privs, and access to just about anything. As Thor HoG points out, the AT job submit tool is only allowed to local Admins by default. I suspect that if you used XCACLS to alter the permissions on \WINDOWS\TASKS you could probably alter this behaviour. However, the reason for the REGEDIT 'hidden' keys is different, so doesn't help you: REGEDIT and REGEDT32 both use the WIN32 API, as does just about every other windows app out there. For the 20+ API calls that it presents, the WIN32 API is essentially a wrapper for the KERNEL, with added checks for data integrity etc. The KERNEL actually provides around 200 API calls, but MS chose not to document these calls in detail (there is information out there if you choose to look) and does not encourage developers to use them for a number of excellent reasons (you might remember that badly written KERNEL mode printer drivers used to regularly crash clustered file and print servers). For whatever reason, the WIN32 API stops processing a key (end of line marker) when it encounters a "\" (NULL is actually "\0") and the rest of the keyname and any sub keys are not processed and remain hidden. WIN32 continues to process the next key in the hive, so the feature is useful for writing hidden regkeys. The "feature" is often used in copy protection, as mentioned previously (although not by Microsoft, AFAIK) and occasionally in RootKits as part of their obfuscation code. Other than invisible keys there does not seem to be any adverse effects on the OS caused by the simple existance of hidden regkeys. The KERNEL does not treat the "\" or "\0" character string as a NULL or end of line, so keys can be written and read using this method. The REGHIDE tool uses the KERNEL, hence it's ability to hide keys from REGEDIT and REGEDT32. </can't sleep> Hope this helps Cheers James James D. Stallard, MIoD Microsoft and Networks Infrastructure Technical Architect Web: www.leafgrove.com LinkedIn: www.linkedin.com/in/jamesdstallard Skype: JamesDStallard -----Original Message----- From: Murda Mcloud [mailto:[EMAIL PROTECTED] Sent: 17 April 2007 23:46 To: 'James D. Stallard'; 'Harlan Carvey'; 'Nicolas RUFF'; 'Vic Brown' Cc: [email protected] Subject: RE: Help with Exploit I know that James 'trick' works (very nice) and will have to try Harlan's suggestion too. Now is the AT trick using the same method that Nicholas was pointing out with regards to the native API and the win32 API being slightly different? -----Original Message----- From: James D. Stallard [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 18, 2007 1:30 AM To: 'Harlan Carvey'; 'Nicolas RUFF'; 'Murda Mcloud'; 'Vic Brown' Cc: [email protected] Subject: RE: Help with Exploit Harlan, et al To access the security regkeys in HKLM you don't need to change the ACLs. This is an age-old (well, since early NT4 anyway) trick to get LOCALSYSTEM privs on anything that allows you to run an AT job: . Get the current time. . From CMD line run "AT <time+1 minute> /interactive CMD.EXE". . Wait for a minute. . CMD window opens in LOCALSYSTEM context. . Run REGEDIT from new CMD window. . Navigate to HKLM\SECURITY. . Marvel at now visible security keys: Cache, Policy, RXACT, SAM. This particular trick is the basis for a deal of trivial priv escalation attacks on windows, so if you can, you should secure the Task Scheduler with a non-priv'ed user or disable it. Another good reason for not giving users local admin rights. Cheers James James D. Stallard, MIoD Microsoft and Networks Infrastructure Technical Architect Web: www.leafgrove.com LinkedIn: www.linkedin.com/in/jamesdstallard Skype: JamesDStallard -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harlan Carvey Sent: 17 April 2007 14:40 To: Nicolas RUFF; Murda Mcloud; 'Vic Brown' Cc: [email protected] Subject: Re: Help with Exploit > > I've done some googling and am finding that the > new RR version checks the > > security hive(which I believe to be 'invisible' to > regedit-can someone > > correct me if I'm wrong?). On a live system, the Security hive is not accessible by default. You need to change the ACLs so that the Admin has the ability to read the hive. > I know I am coming late on this one, but registry keys that contain > NULL characters cannot be accessed through REGEDIT. You have to rely > on the low-level NTDLL API to access them. It is known "copy > protection" trick :) What? ------------------------------------------ Harlan Carvey, CISSP author: "Windows Forensic Analysis" http://windowsir.blogspot.com ------------------------------------------
