I know that James 'trick' works (very nice) and will have to try Harlan's suggestion too. Now is the AT trick using the same method that Nicholas was pointing out with regards to the native API and the win32 API being slightly different?
-----Original Message----- From: James D. Stallard [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 18, 2007 1:30 AM To: 'Harlan Carvey'; 'Nicolas RUFF'; 'Murda Mcloud'; 'Vic Brown' Cc: [email protected] Subject: RE: Help with Exploit Harlan, et al To access the security regkeys in HKLM you don't need to change the ACLs. This is an age-old (well, since early NT4 anyway) trick to get LOCALSYSTEM privs on anything that allows you to run an AT job: . Get the current time. . From CMD line run "AT <time+1 minute> /interactive CMD.EXE". . Wait for a minute. . CMD window opens in LOCALSYSTEM context. . Run REGEDIT from new CMD window. . Navigate to HKLM\SECURITY. . Marvel at now visible security keys: Cache, Policy, RXACT, SAM. This particular trick is the basis for a deal of trivial priv escalation attacks on windows, so if you can, you should secure the Task Scheduler with a non-priv'ed user or disable it. Another good reason for not giving users local admin rights. Cheers James James D. Stallard, MIoD Microsoft and Networks Infrastructure Technical Architect Web: www.leafgrove.com LinkedIn: www.linkedin.com/in/jamesdstallard Skype: JamesDStallard -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harlan Carvey Sent: 17 April 2007 14:40 To: Nicolas RUFF; Murda Mcloud; 'Vic Brown' Cc: [email protected] Subject: Re: Help with Exploit > > I've done some googling and am finding that the > new RR version checks the > > security hive(which I believe to be 'invisible' to > regedit-can someone > > correct me if I'm wrong?). On a live system, the Security hive is not accessible by default. You need to change the ACLs so that the Admin has the ability to read the hive. > I know I am coming late on this one, but registry keys that contain > NULL characters cannot be accessed through REGEDIT. You have to rely > on the low-level NTDLL API to access them. It is known "copy > protection" trick :) What? ------------------------------------------ Harlan Carvey, CISSP author: "Windows Forensic Analysis" http://windowsir.blogspot.com ------------------------------------------
