Getting System the Lazy Way

Wednesday, October 31, 2012

f8lerror


We know all too well that many users are local administrators. We also know we can send or drop binaries to these users and they will run whatever we want them to. The attack vector can be anything: phishing, social engineering, flash drives, CD-ROMs or anything else you can imagine. The problem is that if they don't run the binary as admin, we may not be able to get system-level access. To be honest, that is the level I want and prefer to have. Take the following scenario:

We deliver our malicious binary disguised as an upgrade; the file is named 'upgrade.exe'. The victim runs the upgrade and we get our shell. But it's just a user shell. While I will take a user shell over no shell, I want system-level access.


You may be able to get system in a bunch of different ways in addition to the 'getsystem' command, such as the bypass UAC (User Account Control) module and some other nice post modules.

We can easily force a user to run a file as admin by simply altering the filename. If we change 'upgrade.exe' to 'update.exe', Windows automatically makes you run it as administrator, which you can tell by the UAC logo now overlaid on the executable's icon.


If the user decides to run it now, we will be able to get system-level access without much more effort, as seen below.


What's interesting is that the filename can be many different things; it only has to contain the keyword, and the format doesn't matter. It could be local_update.exe or test-update. There are also other keywords, such as:

  • install
  • instal
  • installer
  • setup
  • patch
  • update

I am sure there are others, but I will leave it up to you to find them. The other interesting thing is that these keywords don't have to be in the file name; they can be in the details page of the file.


The only downside is that if the user is not an administrator, this will prompt for administrator credentials, and that may result in you not getting any shell. But as I said in the beginning, many users already run as local administrator.
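As an added example (not part of the original post or its tooling), the following Python triage helper applies the keyword heuristic above from the defender's side: given process-creation events, it flags elevated launches of unsigned binaries whose file name or version-resource description matches the installer keywords and that were started from a user-writable path. The event fields, the sample events and the writable-path list are assumptions.

```python
"""Triage helper for the UAC installer-detection keyword heuristic (added example)."""
import re
from dataclasses import dataclass

# Keywords listed in the post; Windows matches them as case-insensitive substrings,
# so "local_update.exe" or "test-update.exe" match just like "update.exe".
INSTALLER_KEYWORDS = ("install", "instal", "installer", "setup", "patch", "update")
KEYWORD_RE = re.compile("|".join(INSTALLER_KEYWORDS), re.IGNORECASE)

# Directories a standard user can write to (assumed list, not from the post).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")


@dataclass
class ProcEvent:
    image: str                   # full path of the launched executable
    integrity: str               # "High" / "Medium" / "Low" as an EDR might report it
    file_description: str = ""   # FileDescription from the PE version resource (details tab)
    signed: bool = False         # Authenticode signature present and valid


def triggers_installer_heuristic(ev: ProcEvent) -> bool:
    """True if the file name or its version-resource description carries a keyword."""
    name = ev.image.rsplit("\\", 1)[-1]
    return bool(KEYWORD_RE.search(name) or KEYWORD_RE.search(ev.file_description))


def is_suspicious(ev: ProcEvent) -> bool:
    """Elevated launch of an unsigned, keyword-named binary from a user-writable path."""
    lowered = ev.image.lower()
    return (triggers_installer_heuristic(ev)
            and ev.integrity.lower() == "high"
            and not ev.signed
            and any(d in lowered for d in USER_WRITABLE))


def flag_events(events):
    """Return the image paths of events that match is_suspicious, in order."""
    return [ev.image for ev in events if is_suspicious(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\bob\Downloads\upgrade.exe", "Medium"),                    # no keyword
    ProcEvent(r"C:\Users\bob\Downloads\update.exe", "High"),                       # renamed dropper
    ProcEvent(r"C:\Users\bob\Downloads\notes.exe", "High", file_description="Product Setup"),
    ProcEvent(r"C:\Program Files\Vendor\setup.exe", "High", signed=True),          # legitimate
]

if __name__ == "__main__":
    for path in flag_events(SAMPLE_EVENTS):
        print("suspicious elevated launch:", path)
```

The corresponding hardening is the UAC policy "Detect application installations and prompt for elevation" (the EnableInstallerDetection value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), which disables the heuristic when set to 0.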

Cross posted from infosecsee.com
