We know all too well that many users are local administrators. We also know we can send or drop binaries to these users and they will run whatever we want them to. The attack vector can be anything really: phishing, social engineering, flash drives, CD-ROMs or anything else you can imagine. The problem lies in when they run the binary: if they don't run it as admin we may not be able to get system-level access. To be honest, that is the level I want and prefer to have.
Take the following scenario. We deliver our malicious binary and we disguise it as an upgrade; the file is named 'upgrade.exe'. The victim runs the upgrade and we get our shell. But it's just a user shell. While I will take a user shell over no shell, I want system-level access.
You may be able to get system a bunch of different ways in addition to the 'getsystem' command, such as the bypass UAC (User Account Control) module and some other nice post modules.
We can easily force a user to run a file as admin by simply altering the filename. If we change 'upgrade.exe' to 'update.exe', Windows automatically makes you run it as administrator, which you can tell by the UAC shield icon now shown on top of the executable. If the user decides to run it now, we will be able to get system-level access without much more effort, as seen below.
What's interesting is the filename can be many different things; it only has to contain one of the keywords, and the format doesn't matter. Meaning it could be local_update.exe or test-update. There are also other keywords such as:
- install
- instal
- installer
- setup
- patch
- update
I am sure there are others, but I will leave it up to you to find them. The other interesting thing is these keywords don't have to exist in the file name; they can be in the Details page of the file's properties.
The only downside is that if the user is not an administrator, this will prompt for administrator credentials, and that may result in you not getting any shell. But as I said in the beginning, many users already run as local admin.
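From the defender's side, the behaviour described above is UAC's installer detection heuristic, which is controlled by the "User Account Control: Detect application installations and prompt for elevation" policy (the EnableInstallerDetection value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). The following script is an added example, not code from the original post: it flags executables whose names contain the keywords listed in the post (assumed here to be matched as case-insensitive substrings of the base name, which is consistent with the post's local_update.exe and test-update examples) so an analyst can spot which files in a downloads or staging folder would raise an elevation prompt, and on Windows it reads the policy value to report whether the heuristic is active. The sample file names are constructed.

```python
"""
Audit helper for UAC installer detection (added example, not from the post).

Two checks a defender wants:
  1. Which file names would trip the installer-detection heuristic, using the
     keyword list from the post (assumed case-insensitive substring match).
  2. Whether the heuristic is enabled on this host (EnableInstallerDetection).
"""
import platform
from pathlib import PurePath

# Keywords taken from the post. "instal" is a substring of "install", so any
# name that hits "install" also hits "instal"; hits are deduplicated below.
INSTALLER_KEYWORDS = ("install", "instal", "installer", "setup", "patch", "update")

# Registry location of the policy that enables the heuristic (HKLM).
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUE = "EnableInstallerDetection"


def matching_keywords(filename: str) -> list:
    """Return the sorted keywords found in the base name (extension stripped)."""
    stem = PurePath(filename).stem.lower()
    return sorted({kw for kw in INSTALLER_KEYWORDS if kw in stem})


def would_trigger_installer_detection(filename: str) -> bool:
    """True if the name alone would make UAC treat the binary as an installer."""
    return bool(matching_keywords(filename))


def audit_filenames(filenames) -> list:
    """Return (filename, keywords) for every name that would trigger the heuristic."""
    return [(name, matching_keywords(name))
            for name in filenames if would_trigger_installer_detection(name)]


def installer_detection_enabled():
    """Read EnableInstallerDetection from HKLM.

    Returns True or False on Windows when the value exists, None off Windows or
    when the value is absent (Windows then applies its own default).
    """
    if platform.system() != "Windows":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, POLICY_VALUE)
            return value == 1
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed sample names, including the two from the post.
    sample = ["upgrade.exe", "update.exe", "local_update.exe", "test-update",
              "report.exe", "SETUP_tool.exe", "Installer.exe"]
    for name, kws in audit_filenames(sample):
        print(f"{name}: would prompt for elevation (keywords: {', '.join(kws)})")
    state = installer_detection_enabled()
    print("EnableInstallerDetection:",
          "not readable / not Windows" if state is None else state)
```

Two caveats worth keeping in mind when reading the output: the name check only covers the file-name part of the heuristic, not the version-information fields the post mentions, and Microsoft documents the heuristic as applying only to 32-bit executables that carry no requestedExecutionLevel manifest and are launched interactively by a standard user with UAC on. Where standard users have no business installing software, setting the policy to disabled (value 0) removes the automatic prompt entirely, so a renamed binary runs with the user's own token rather than asking for elevation.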