Tuesday, October 30, 2012

Getting System the Lazy Way

We know all too well that many users are local administrators. We also know we can send or drop binaries to these users and they will run whatever we want them to. The attack vector can be anything really: phishing, social engineering, flash drives, CD-ROMs or anything else you can imagine. The problem is that if they don’t run the binary as admin, we may not be able to get system level access. To be honest, that is the level I want and prefer to have. Take the following scenario:

We deliver our malicious binary disguised as an upgrade; the file is named ‘upgrade.exe’. The victim runs the upgrade and we get our shell, but it’s just a user shell. While I will take a user shell over no shell, I want system level access.

You may be able to get system a bunch of different ways in addition to the ‘getsystem’ command, such as the bypass UAC (User Account Control) module and some other nice post modules.

We can easily get a user to run a file as admin by simply altering the filename. If we change ‘upgrade.exe’ to ‘update.exe’, Windows’ installer detection flags the binary and UAC prompts to run it as administrator every time it is launched. You can tell by the UAC shield now overlaid on the executable’s icon.

If the user decides to run it now, they click through the UAC consent prompt, the payload runs elevated, and we are able to get system level access without much more effort, as seen below.

What’s interesting is that the filename can be many different things; it only has to contain one of the words, and the format doesn’t matter. Meaning it could be local_update.exe or test-update. There are also other keywords such as:
  • install
  • instal
  • installer
  • setup
  • patch
  • update

I am sure there are others but I will leave it up to you to find them. The other interesting thing is these keywords don’t have to be in the file name; they can be in the details page of the file, meaning the version resource strings such as Company Name, Product Name, File Description, Original Filename and Internal Name. Keep in mind that this installer detection only applies to 32-bit executables that have no embedded manifest declaring a requestedExecutionLevel; a 64-bit binary, or one with an asInvoker manifest, will not get the prompt no matter what it is named.
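To make the rules above concrete, here is a small triage script (an added example, not from the original post) that approximates the installer detection checks: does the file name contain a keyword, is the image 32-bit, does it carry a requestedExecutionLevel manifest, and do the UTF-16 version-resource strings contain a keyword. The PE parsing is real (it reads e_lfanew and the COFF Machine field), but the manifest and version-string checks are substring heuristics over the raw bytes rather than proper resource parsing, and the sample binaries are constructed stand-ins, not real executables. Windows also looks at other signals (specific byte sequences used by installer frameworks), so this is an approximation of the real behaviour, not a reimplementation of it.

```python
import struct

# File-name keywords. "install", "setup" and "update" are the ones Microsoft
# documents for Installer Detection; "patch" comes from the post's own
# observation. "instal"/"installer" are covered by the substring "install".
KEYWORDS = ("install", "setup", "update", "patch")

IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit, heuristic does not apply


def name_triggers(filename: str) -> bool:
    """Case-insensitive substring match on the whole file name."""
    lower = filename.lower()
    return any(k in lower for k in KEYWORDS)


def pe_is_32bit(data: bytes) -> bool:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' and read the COFF Machine field."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine == IMAGE_FILE_MACHINE_I386


def has_execution_level_manifest(data: bytes) -> bool:
    """Heuristic: an embedded RT_MANIFEST is stored as plain XML, so a
    requestedExecutionLevel element in the raw bytes means the loader honours
    the manifest and skips installer detection entirely."""
    return b"requestedExecutionLevel" in data


def version_strings_trigger(data: bytes) -> bool:
    """Heuristic: version-resource strings (CompanyName, ProductName,
    FileDescription, ...) are UTF-16LE, so look for the keywords in that
    encoding. bytes.lower() only folds ASCII, which is all we need here."""
    lower = data.lower()
    return any(k.encode("utf-16-le") in lower for k in KEYWORDS)


def would_prompt(filename: str, data: bytes) -> bool:
    """True when UAC would treat this binary as an installer and prompt."""
    if not pe_is_32bit(data):
        return False
    if has_execution_level_manifest(data):
        return False
    return name_triggers(filename) or version_strings_trigger(data)


def _fake_pe(machine: int, extra: bytes = b"") -> bytes:
    """Constructed stand-in for a PE file: MZ stub, e_lfanew at 0x3C pointing
    to a PE signature, a COFF header with the given Machine, then any extra
    bytes the caller wants (manifest XML, version strings)."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40 bytes of DOS stub
    struct.pack_into("<I", header, 0x3C, 0x40)        # e_lfanew -> 0x40
    coff = struct.pack("<H", machine) + b"\0" * 18    # Machine + rest of COFF header
    return bytes(header) + b"PE\0\0" + coff + extra


# Constructed samples covering the cases discussed in the post.
SAMPLES = {
    "upgrade.exe": _fake_pe(IMAGE_FILE_MACHINE_I386),
    "update.exe": _fake_pe(IMAGE_FILE_MACHINE_I386),
    "local_update.exe": _fake_pe(IMAGE_FILE_MACHINE_I386),
    "update64.exe": _fake_pe(IMAGE_FILE_MACHINE_AMD64),
    "update_manifested.exe": _fake_pe(
        IMAGE_FILE_MACHINE_I386,
        b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'),
    # Keyword only in the "details page" (version resource), not the name.
    "upgrade_details.exe": _fake_pe(
        IMAGE_FILE_MACHINE_I386, "Update Tool".encode("utf-16-le")),
}


def triage(samples=SAMPLES) -> dict:
    """Map each sample name to whether it would get the UAC installer prompt."""
    return {name: would_prompt(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, flagged in triage().items():
        print(f"{name:24s} {'UAC prompt' if flagged else 'runs as invoker'}")
```

Run it against real files by reading them with `open(path, "rb").read()` and passing the bytes to `would_prompt` alongside the file name; the result tells you whether renaming alone is enough, or whether the target is 64-bit or manifested and the rename trick will not apply.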

The only downside is that if the user is not an administrator, this will prompt for administrator credentials rather than a simple consent click, and that may result in you not getting any shell at all. Keep in mind this is not a UAC bypass; it only makes the prompt appear, and the user still has to click through it. But as I said in the beginning, many users already run as local admin.