• Announcements

    • xper

      MSFN Sponsorship and AdBlockers!   07/10/2016

      Dear members, MSFN is made available via subscriptions, donations and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, become a site sponsor and ads will be disabled automatically and by subscribing you get other sponsor benefits.
fdv

Taking back the Registry from TrustedInstaller

75 posts in this topic

Never mind. I am fairly sure the right way to go is by duplicating the token of the TrustedInstaller and expand on that as already described.

For instance spot the difference in output from cacls;

c:\windows\winsxs


NT SERVICE\TrustedInstaller:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)R
NT AUTHORITY\SYSTEM:(OI)(CI)R
BUILTIN\Users:(OI)(CI)R

c:\windows\system32\config


NT SERVICE\TrustedInstaller:(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)(IO)F

0

Share this post


Link to post
Share on other sites

I quickly compiled a lame server communicating over tcp/ip and accepting commands over port 6666. All good and well as the commands sent by the client was in fact executed if valid. Ie, the server was started by having Session0Cmd injecting it into the TrustedInstaller.exe process. But it was probably the lamest server/client application created this century..

I then realized what the best solution actually is. Grab a copy of good old netcat and inject it with Session0Cmd. Then use netcat and connect it to your localhost. And guess what. A running and interactive cmd.exe in sessionX that has all the privileges you could ever dream of. You don't get more privs than that! So the commands I used;


Session0Cmd 2003 "nc -l -p 6789 -d -e cmd"

Now netcat is running as a daemon and serving cmd.exe for you on port 6789. To connect to it and obtain the actual TI-privileged cmd, open a cmd window and use this command;


nc localhost 6789

Good luck hacking your system :D Hope you know what you're doing.

0

Share this post


Link to post
Share on other sites

:blink: Awesome, joakim!

A strike of genius! :thumbup

You do rock! worship.gif

0

Share this post


Link to post
Share on other sites

Okay. For those of you just tuning in, Joakim has actually managed to do what several folks including myself had said was not possible -- open a CMD prompt with TrustedInstaller permissions.

Life happens fast, and so did this thread. Here's how to do it in one post. Thanks to all of you who contributed your wisdom. Like CoffeeFiend I'm also kind of lost as to how we managed to get here :lol:

------------

How to open a CMD prompt with TrustedInstaller permissions

Install PSList - http://technet.microsoft.com/en-us/sysinternals/bb896682

or

Install Procexp - http://technet.microsoft.com/en-us/sysinternals/bb896653

Install Session0Injectors from Payload Execution Tools v.2 - http://reboot.pro/files/file/171-payload-execution-tools/

Install netcat - http://www.securityfocus.com/tools/139

You must do the next part fairly quickly, because once you start the TrustedInstaller service, it's not going to run all day... it stays running for a short while and stops.

Run services.msc

Scroll to Windows Modules Installer

Right click, select 'start'

Open a command prompt and type pslist trustedinstaller and get the PID or launch ProcExp and get the PID

Let's call that number '4321' (of course it will be different on your system)

Let's also pick a port to run netcat on -- say '6789'

"Now run netcat as a daemon serving cmd.exe for you on port 6789 by typing the following"


Session0Cmd 4321 "nc -l -p 6789 -d -e cmd"

(By the way, that -l is the letter l not the digit one. If your system is 64 bit Windows, you'll use Session0Cmd_x64 here))

If you got an error about an invalid PID, it means that the TrustedInstaller service stopped again. Go restart it. (When you do it will have yet another PID).

"Now netcat is running as a daemon and serving cmd.exe for you on port 6789. To connect to it and obtain the actual TI-privileged cmd, open a cmd window and use this command"


nc localhost 6789

Thanks again to Joakim for this bit of cleverness! :thumbup

(I'm sure you'll all let me know if I need to make edits...)

Edited by fdv
0

Share this post


Link to post
Share on other sites

I forgot to explain properly that the reason why session separation is not blocking our shell, is because the process itself (the cmd window that we type the commands in) is not running inside session0. It is the other part of the network connection that is session0, and obviously is "invisible". We therefore communicate of TCP/IP into our session0 TI-privileged server. For that reson no GUI can be launched during such a session, and we are limited to command line utilities (but who cares..).

It would thus not surprise me if MS added some memory protection to the TrustedInstaller service at some time in the future.

0

Share this post


Link to post
Share on other sites

Usual semi-random idea.

Doeesn't 7 has the tasklist command?

http://technet.microsoft.com/en-us/library/bb491010.aspx

:yes:

Something along the lines of:


@ECHO OFF
SETLOCAL ENABLEEXTENSIONS
SET Process_Name=trustedinstaller
FOR /F "tokens=1,2" %%A IN ('tasklist ^|FIND /i %Process_Name%') DO ECHO %%B
PAUSE

might do. :unsure:

jaclaz

0

Share this post


Link to post
Share on other sites

Of course it has! :yes:

But since you're at it, one of your wonderful batches to automate fully the operations descrbed in post #30 by fdv, incorporating your idea of using Tasklist, would be really handy, if you can find time for creating it... :angel

0

Share this post


Link to post
Share on other sites

Of course it has! :yes:

But since you're at it, one of your wonderful batches to automate fully the operations descrbed in post #30 by fdv, incorporating your idea of using Tasklist, would be really handy, if you can find time for creating it... :angel

But I have no handy 7 system, so I cannot check if it works, if the strings are correct, etc.

If someone verifies that

tasklist |FIND /i "trustedinstaller"

Finds the taks and roduces the right PID, and which actual name the "Windows Modules Installer" service has, and that the commands:

sc query <name_of_Windows_Modules_Installer>

and

sc start <name_of_Windows_Modules_Installer>

or

net start <name_of_Windows_Modules_Installer>

work

and

that the output for the running service is similar to this:

sc query wuauserv

SERVICE_NAME: wuauserv

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

I guess it can be done allright .

jaclaz

0

Share this post


Link to post
Share on other sites

Great find, joakin! Thanks a lot! :thumbup

Yet I do ask myself whether your original solution, although much more complicated, does not, in fact, yield a more complete impersonation of TI... dubbio.gif

Of course, that can only be answered by time and good testing. :yes:

0

Share this post


Link to post
Share on other sites

I think the impersonation is complete, but because of the session separation it is not possible to interact with the process. That was the reason for using tcp/ip for the communication. what is that you can't do, except interacting with a GUI?

The process in my solution originates from a remote thread inside the TI process, and for that reason it should be identical in terms of privs and rights. The other solution is different in that the created and duplicated token has its session id modified, which means you can interact with it directly (including GUI's I presume).

0

Share this post


Link to post
Share on other sites

At first sight both solutions should be equivalent, in most relevant cases, that's true. In any case, the most obvious use is to modify the registry unhampered. And, what's more wonderful is that, when fdv started this thread, we had no solution to the problem, and now, thanks to you, we actually have *two*! :thumbup:

0

Share this post


Link to post
Share on other sites

Based on the previous answers, I've created a batch script which opens a cmd screen under TrustedInstaller.exe. But since TrustedInstaller.exe is running under SYSTEM, I'm not sure how the method gives me the permissions of TrustedInstaller.

The script has been tested in Windows 7 and 8 x86. Instead of injecting "cmd", I inject a batch file which slightly modifies the output, because otherwise the command is returned twice. For example:

C:>@echo test
@echo test
test

The script uses ncat from nmap.org and Session0Injector. The script expects these dependencies to be located in a subfolder called "deps".

runasti.cmd - Has to be run as administrator

:: Inspired by http://www.msfn.org/board/topic/155910-taking-back-the-registry-from-trustedinstaller/page__st__20#entry993083
:: This is the 32bit version. For 64bits, change Session0Cmd to Session0Cmd_x64
:: Edit this script to execute a shell under any process, replace "trustedinstaller" in FIND with ...
:: Run as ADMINISTRATOR

:: Pick a random port between 10000 and 42767 and assume that it's free.
@SET /A PORT=%random% + 10000
@SET Session0Cmd=%~dp0deps\Session0Cmd.exe
@SET NETCAT=%~dp0deps\ncat.exe
@SET EXECUTE=%~dp0init.cmd
@echo off
IF NOT EXIST "%Session0Cmd%" (
echo Session0Injector is required.
echo Get it from http://reboot.pro/files/download/171-payload-execution-tools/
goto:eof
)
IF NOT EXIST "%NETCAT%" (
echo Ncat is required.
echo Get it from http://nmap.org/ncat/
goto:eof
)

echo Starting TrustedInstaller if not started...
SC query "trustedinstaller" | FIND /i "RUNNING" > NUL || NET start TrustedInstaller

SETLOCAL EnableDelayedExpansion
echo Getting PID for TrustedInstaller.exe...
FOR /F "tokens=2,3" %%P in ('tasklist ^|FIND /i "trustedinstaller"') DO SET PID=%%P

IF "%PID%"=="" (
echo Pid not found. Cannot continue.
) ELSE (
echo Starting server (logging messages at %%tmp%%\runasti.log
"%Session0Cmd%" %PID% "%NETCAT% -l -p %PORT% -e %EXECUTE%" >> "%tmp%\runasti.log"

echo Connecting server...
"%NETCAT%" localhost %PORT%
)
ENDLOCAL

init.cmd - This script will be injected in the process, and spawn a new cmd.

:: Set token file. When this file is deleted, all childs should terminate
@set token=%tmp%\ti_shell_%random%
@type nul > "%token%"
:keepalive
@cmd /c ""%~dp0subshell.cmd" token "%token%"" 2>&1
:: The subshell will die for syntax errors. Keep reviving, unless the token file has been deleted.
@if exist "%token%" @goto:keepalive

subshell.cmd - This one processes commands. When a syntax error occurs (e.g. using a pipe as a command), the batch script terminates. That's why I choose to run a main batch process, which start child processes. This behaviour is controlled by a temporary file in %tmp%: When this file is deleted, the main process assumes that the user issued "exit".

@echo off
:: This script should never run without parent
@if not "%~1"=="token" goto:eof
@setlocal EnableDelayedExpansion
@for /f "tokens=*" %%u in ('whoami') do echo Running as %%u
@set Path=%path%;%~fd0

:repeat
@if not exist "%~f2" goto:eof
:: Get user input
@set command=
@set /p command=*%cd%^>
:: When command is "exit", delete token file and exit
@if /i "!command:~0,4!"=="exit" del "%~f2" && goto:eof
:: Execute command, and repeat
@for /f "tokens=*" %%C in ('echo %command%') do @%%C
@goto:repeat

runasti.cmd

init.cmd

subshell.cmd

0

Share this post


Link to post
Share on other sites

That's great news! :thumbup

And welcome to MSFN! :hello:

0

Share this post


Link to post
Share on other sites

Very good work RobW :thumbup .

OT :ph34r: , and only "marginally" related, but still *somehow* connected:

http://p-nand-q.com/gtools/grootshell.html

Still "up to XP only", but maybe it can be tweaked/used/adapted for later NT based OS's. :unsure:

jaclaz

0

Share this post


Link to post
Share on other sites

On my windows api journey, I discovered this neat little tool that achieves kind of the same thing, just very differently (and less complicated); http://developex.com/custom-software/devxexec.html

It is based on token duplication and not remote threads as I described.

Devxexec works very well. :thumbup It can launch cmd.exe or regedit.exe as Trusted Installer or as System. I don't really need anything more for my sabotages against the system. :ph34r:

GL

Edited by GrofLuigi
0

Share this post


Link to post
Share on other sites

Wouldn't the simplest solution be to grant ourselves full privileges under the key:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\S-1-5-21-645709764-2570854657-2333822770-500\Privilgs

or whatever the SID of our account is? But one has to figure out first what the format of the key is, or, if brave enough, to copy the registry value from another overprivileged account.

I imagine it as a quick guerilla operation: Change permissions, get in, change value, get out, restore permissions. :ph34r:

What do you guys think about that?

GL

Edited by GrofLuigi
0

Share this post


Link to post
Share on other sites

This is just to provide an update to those of you who don't usually follow things on reboot.pro... Heads up, friends, there's good news!!! :yes:

joakim has kept working on this matter, and has released two very interesting apps there, at the thread: "RunasSystem and RunFromToken".

Thanks joakim, you do rock! :thumbup

0

Share this post


Link to post
Share on other sites
This is just to provide an update to those of you who don't usually follow things on reboot.pro... Heads up, friends, there's good news!!! :yes:

joakim has kept working on this matter, and has released two very interesting apps there, at the thread: "RunasSystem and RunFromToken".

Thanks joakim, you do rock! :thumbup

Thanks for the tip!

0

Share this post


Link to post
Share on other sites

(just theoretical, haven't tried it yet)

On one of my systems I have this simpel batch on my desktop to get quick access to my special power cmd:

net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"

With that command shell you have rather extreme control. Now go crazy on your system.

Would this help some more (with any of the tools mentioned):

net start UI0Detect
net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"

?

(Don't know about others, but I have set UI0Detect to manual).

And thanks joakim for the tools. :thumbup

GL

0

Share this post


Link to post
Share on other sites

The runassystem utility looks like it will save tons of time with a little win7 slipstream/reduction program I've been working on. I can't seem to get it to work right. My CMD prompt is always administrator and I'm in a CMD box in the working directory of the utility. I've run an example command on v1.0.0.2:

runassystem_x64 regedit

The resulting output is:

Running in session: 1
Host PID: 872
CreateProcessAsUserW / CreateProcessWithTokenW: A required privilege is not held by the client.

Am I supposed to be doing something different? FWIW, I'm running win7/x64.

0

Share this post


Link to post
Share on other sites

Am I supposed to be doing something different? FWIW, I'm running win7/x64.

Check the release topic on reboot.pro:

http://reboot.pro/17501/

Another user has the same or similar problem and Joakim is working on it, there is already a new versionposted, but not yet feedback from the OP.

jaclaz

0

Share this post


Link to post
Share on other sites

Yes feedback would be nice in order to solve it.. Did the test version work better for instance?

0

Share this post


Link to post
Share on other sites

The test runassystemtoken version isn't the same as the runassystem. I can say that I did try the token program out, and quite honestly, I'm not too sure how to use that one for my specific need. In order to test out your program, I'd be more than happy to try out any commands you like, and I can plop the output here.

0

Share this post


Link to post
Share on other sites

There is only a test version of RunFromToken because that one require certain privileges enabled on its process. That's why I was hoping for some feedback on how the test version behaved in regards to that. As already explained at reboot.pro there is a chance that the right/privilege is not added your account, which will prevent you from enabling it if it does not exist in the first place. That too, I already have a version for, but I'm awaiting some feedback :)

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.