Re: Running Ring3 command from Ring0 in Windows?

On Wed, 03 Jun 2009 11:39:32 -0500, Jun Koi <junkoi2004@xxxxxxxxx> wrote:

Hi,

I am looking for a way to execute Ring3 command (for ex, "net user
passwd" to change password of an user) from Ring0 of Windows.

The motivation of this is that I can exploit Windows kernel, and can
execute my code there. So far so good. But I am not content with
executing in Ring0 only, and want to run some code in Ring3, too. The
code can be injected by me, or I just simply run an existent command
tool (like cmd.exe)

Could anybody recommend any technique to achieve this?

This is what skape's kernel-to-userland injection code does (now part of metasploit). It installs a hook, uses this to find a target process, and copies the userland shellcode into the target process. We use this to run userland payloads through exploited wireless drivers.

Ring0-Ring3 staging:
http://metasploit.com/svn/framework3/trunk/lib/rex/payloads/win32/kernel/stager.rb

Kernel symbol resolution:
http://uninformed.org/index.cgi?v=3&a=4&p=10
http://metasploit.com/svn/framework3/trunk/lib/rex/payloads/win32/common.rb

To run a command, just export a shellcode buffer from msfpayload windows/exec CMD="cmd.exe /c something", and append this to the userland stub.

-HD

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Relevant Pages

  • Re: Executing command with Runtime.getRuntime.exec() fails
    ... More portable, since on my windows system at least, there is an ls. ... command at the command line. ... The appropriate command interpreter for each os could be found through ... be sure, and programming is about certainty, is to explicitly execute the ...
    (comp.lang.java.programmer)
  • Re: working w/ windows-only CDs in Virtual; PC 6.1
    ... I think if you hold down the fn key and press F10 then the ... > sometimes interactive CD's and they are typicaly windows only. ... > HAVE to be able to execute this one command on this one CD. ...
    (microsoft.public.mac.otherproducts)
  • MS04-012 breaks AT command when managing NT 4.0 scheduler from XP PC
    ... Since installing the patch for MS04-012 on my Windows XP machine, ... I get the following error when using the AT command to manage scheduled jobs ... Another workaround is to execute the AT command from the remote server (or ... I was interested to notice that the three DLLs in question, ...
    (NT-Bugtraq)
  • Running Ring3 command from Ring0 in Windows?
    ... I am looking for a way to execute Ring3 command (for ex, "net user ... The motivation of this is that I can exploit Windows kernel, ... executing in Ring0 only, and want to run some code in Ring3, too. ...
    (Pen-Test)
  • [Full-Disclosure] Advanced usage of system() function.
    ... and call its arguments as a command for shell. ... as we can see we still didnt get what we want (typing exit ... Connection closed by foreign host. ... think what we want to execute. ...
    (Full-Disclosure)