Unfortunately, on W7 and any other box with proper restrictions, you need to run that command as admin to get the full result set.
If you are an unprivileged user looking for a process to escalate to, tasklist /v /fi "USERNAME ne %USERNAME%" or tasklist /v | find "Unknown N/A" will give you a good place to start looking.

On Tue, Sep 27, 2011 at 1:25 AM, Gary Slavin <[email protected]> wrote:

> The trick is to find one that is writable while logged in as a less
> privileged user and then overwrite the executable. Anti virus executables
> are typically a good place to start :)
>
> tasklist /fi "USERNAME eq NT AUTHORITY\SYSTEM"
>
> Image Name                   PID Session Name     Session#    Mem Usage
> ========================= ====== ================ ======== ============
> System Idle Process            0 Console                 0         28 K
> System                         4 Console                 0        236 K
> smss.exe                     704 Console                 0        388 K
> csrss.exe                    752 Console                 0      4,032 K
> winlogon.exe                 776 Console                 0      2,904 K
> services.exe                 820 Console                 0      4,612 K
> lsass.exe                    832 Console                 0      1,724 K
> ati2evxx.exe                 980 Console                 0      2,676 K
> svchost.exe                 1020 Console                 0      5,948 K
> svchost.exe                 1200 Console                 0     23,100 K
> DLService.exe               1484 Console                 0      7,856 K
> spoolsv.exe                 1848 Console                 0      6,992 K
> schedul2.exe                2028 Console                 0      2,036 K
> inetinfo.exe                 228 Console                 0     10,484 K
> mnmsrvc.exe                  364 Console                 0      3,436 K
> rundll32.exe                 352 Console                 0      3,168 K
> SAVAdminService.exe          356 Console                 0      2,548 K
> ManagementAgentNT.exe        580 Console                 0      4,624 K
> ALsvc.exe                    748 Console                 0        944 K
> RouterNT.exe                1004 Console                 0      4,884 K
> vsAOD.Exe                   1868 Console                 0      4,224 K
>
> C:\Documents and Settings\pentest>
>
> ________________________________________
> From: Steve Syfuhs [[email protected]]
> Sent: 26 September 2011 19:09
> To: Madhur Ahuja; [email protected]; [email protected]
> Subject: RE: [Full-disclosure] Privilege escalation on Windows using Binary Planting
>
> Well yeah, if the system that's designed to protect you isn't functioning,
> then you aren't protected and all sorts of bad things can happen.
>
> When services starts up, the root service executable looks through a
> registry key to find all the services that should be run.
> It then executes the value in the key relative to each service based on
> which account is specified. There is no signature checking or anything funky
> like that going on. If the path stored in the registry entry is a valid
> executable, it will get executed.
>
> It is up to the installer to make sure that the service cannot be replaced.
> This is done by storing it in Program Files, or one of the other recommended
> locations, which only administrators can access by default. If the
> executable is stored in another location, it is still up to the installer to
> set up proper file permissions. Further, only an administrator should be
> able to start or stop the service.
>
> All of this is up to the installer, and the service itself, to handle.
>
> If a service or installer deviates from the prescribed design set out by
> Microsoft, is it really Windows' fault that it happened? Not really. So, yes,
> you could escalate privilege through this method, but really the failure is
> by the developer of the service, or by the developer of the installer.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Madhur Ahuja
> Sent: Sunday, September 25, 2011 2:31 PM
> To: [email protected]; [email protected]
> Subject: [Full-disclosure] Privilege escalation on Windows using Binary Planting
>
> Imagine a situation where I have a Windows system with restricted user
> access and want to get Administrator access.
>
> There are many services in Windows which run with the SYSTEM account.
>
> If there exists even one such service whose executable is not protected by
> Windows File Protection, isn't it possible to execute malicious code (such
> as gaining Administrator access) simply by replacing the service executable
> with a malicious one and then restarting the service?
>
> As a restricted user, what's stopping me from doing this?
>
> Is there any integrity check performed by services.msc or the service itself
> before executing with the SYSTEM account?
>
> Madhur
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
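An added example, not code from anyone in this thread: the check Steve describes as the installer's job, done from the administrator's side. Run from an elevated PowerShell prompt, it lists every service whose executable (or the directory holding it) grants write access to the low-privileged groups named in the script; it assumes PowerShell 3 or later for Get-CimInstance, and the group names and regexes are this example's own choices.

```powershell
# Added audit script, not from the thread: report services whose executable
# (or its directory) can be modified by low-privileged principals. Run from
# an elevated prompt so that every binary's ACL is readable.
# On PowerShell 2.0 replace Get-CimInstance with Get-WmiObject Win32_Service.

# Groups that every interactive non-admin user belongs to by default.
$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights is enough to replace the file. Generic rights that show
# up as raw numbers on some inherited ACEs are not decoded here.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl,Delete,WriteData'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName is the raw ImagePath: maybe quoted, maybe followed by arguments.
    if (-not $PathName) { return $null }
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
    try {
        $binWritable = Test-LowPrivWritable $exe
        # A writable directory lets the file be renamed and replaced.
        $dirWritable = Test-LowPrivWritable (Split-Path -Parent $exe)
    } catch { return }
    if ($binWritable -or $dirWritable) {
        [pscustomobject]@{
            Service   = $_.Name
            RunsAs    = $_.StartName   # SYSTEM services are the ones discussed above
            Binary    = $exe
            FileWrite = $binWritable
            DirWrite  = $dirWritable
        }
    }
} | Format-Table -AutoSize
```

Any row this prints is a service whose installer left the binary outside an admin-only location or without the permissions Steve describes; fixing the ACL (or moving the binary under Program Files) is the remediation.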
