Taking back the Registry from TrustedInstaller


59 replies to this topic

#26 joakim (Member; 154 posts; joined 18-November 09)

Never mind. I am fairly sure the right way to go is by duplicating the token of the TrustedInstaller and expand on that as already described.

For instance, spot the difference in output from cacls:

c:\windows\winsxs
NT SERVICE\TrustedInstaller:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)R
NT AUTHORITY\SYSTEM:(OI)(CI)R
BUILTIN\Users:(OI)(CI)R

c:\windows\system32\config
NT SERVICE\TrustedInstaller:(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)(IO)F




#27 joakim (Member; 154 posts; joined 18-November 09)

I quickly compiled a lame server communicating over TCP/IP and accepting commands over port 6666. All good and well, as the commands sent by the client were in fact executed if valid. I.e., the server was started by having Session0Cmd inject it into the TrustedInstaller.exe process. But it was probably the lamest server/client application created this century..

I then realized what the best solution actually is. Grab a copy of good old netcat and inject it with Session0Cmd. Then use netcat and connect it to your localhost. And guess what. A running and interactive cmd.exe in sessionX that has all the privileges you could ever dream of. You don't get more privs than that! So the commands I used;

Session0Cmd 2003 "nc -l -p 6789 -d -e cmd"

Now netcat is running as a daemon and serving cmd.exe for you on port 6789. To connect to it and obtain the actual TI-privileged cmd, open a cmd window and use this command;

nc localhost 6789

Good luck hacking your system :D Hope you know what you're doing.

#28 dencorso ("Adiuvat plus qui nihil obstat"; Supervisor; 5,871 posts; joined 07-April 07; OS: 98SE; Donator)


:blink: Awesome, joakim!

A strike of genius! :thumbup

You do rock!

#29 fdv ("MSFN Expert"; Developer; 1,111 posts; joined 16-July 04; OS: Windows 7 x64)

Okay. For those of you just tuning in, Joakim has actually managed to do what several folks including myself had said was not possible -- open a CMD prompt with TrustedInstaller permissions.

Life happens fast, and so did this thread. Here's how to do it in one post. Thanks to all of you who contributed your wisdom. Like CoffeeFiend I'm also kind of lost as to how we managed to get here :lol:

------------
How to open a CMD prompt with TrustedInstaller permissions

Install PSList - http://technet.micro...ernals/bb896682
or
Install Procexp - http://technet.micro...ernals/bb896653

Install Session0Injectors from Payload Execution Tools v.2 - http://reboot.pro/fi...xecution-tools/

Install netcat - http://www.securityfocus.com/tools/139

You must do the next part fairly quickly, because once you start the TrustedInstaller service, it's not going to run all day... it stays running for a short while and stops.

Run services.msc
Scroll to Windows Modules Installer
Right click, select 'start'

Open a command prompt and type pslist trustedinstaller and get the PID or launch ProcExp and get the PID

Let's call that number '4321' (of course it will be different on your system)

Let's also pick a port to run netcat on -- say '6789'

"Now run netcat as a daemon serving cmd.exe for you on port 6789 by typing the following"

Session0Cmd 4321 "nc -l -p 6789 -d -e cmd"

(By the way, that -l is the letter l, not the digit one. If your system is 64-bit Windows, you'll use Session0Cmd_x64 here.)

If you got an error about an invalid PID, it means that the TrustedInstaller service stopped again. Go restart it. (When you do it will have yet another PID).

"Now netcat is running as a daemon and serving cmd.exe for you on port 6789. To connect to it and obtain the actual TI-privileged cmd, open a cmd window and use this command"

nc localhost 6789

Thanks again to Joakim for this bit of cleverness! :thumbup

(I'm sure you'll all let me know if I need to make edits...)

Edited by fdv, 21 March 2012 - 01:07 AM.


#30 joakim (Member; 154 posts; joined 18-November 09)

I forgot to explain properly that the reason why session separation is not blocking our shell is because the process itself (the cmd window that we type the commands in) is not running inside session 0. It is the other part of the network connection that is in session 0, and obviously is "invisible". We therefore communicate over TCP/IP into our session 0 TI-privileged server. For that reason no GUI can be launched during such a session, and we are limited to command line utilities (but who cares..).

It would thus not surprise me if MS added some memory protection to the TrustedInstaller service at some time in the future.

#31 jaclaz ("The Finder"; Developer; 14,417 posts; joined 23-July 04)

Usual semi-random idea.
Doesn't 7 have the tasklist command?
http://technet.micro...y/bb491010.aspx
:yes:
Something along the lines of:
@ECHO OFF
SETLOCAL ENABLEEXTENSIONS
SET Process_Name=trustedinstaller
REM FIND wants its search string in double quotes; tasklist prints "Image Name  PID ...", so token 2 is the PID
FOR /F "tokens=1,2" %%A IN ('tasklist ^|FIND /i "%Process_Name%"') DO ECHO %%B
PAUSE
might do. :unsure:

jaclaz

#32 dencorso ("Adiuvat plus qui nihil obstat"; Supervisor; 5,871 posts; joined 07-April 07; OS: 98SE; Donator)


Of course it has! :yes:
But since you're at it, one of your wonderful batches to automate fully the operations descrbed in post #30 by fdv, incorporating your idea of using Tasklist, would be really handy, if you can find time for creating it... :angel

#33 jaclaz ("The Finder"; Developer; 14,417 posts; joined 23-July 04)


> Of course it has! :yes:
> But since you're at it, one of your wonderful batches to fully automate the operations described in post #30 by fdv, incorporating your idea of using Tasklist, would be really handy, if you can find time for creating it... :angel

But I have no handy 7 system, so I cannot check if it works, if the strings are correct, etc.

If someone verifies that

tasklist |FIND /i "trustedinstaller"

finds the task and produces the right PID, and which actual name the "Windows Modules Installer" service has, and that the commands:
sc query <name_of_Windows_Modules_Installer>
and
sc start <name_of_Windows_Modules_Installer>
or
net start <name_of_Windows_Modules_Installer>
work
and
that the output for the running service is similar to this:

sc query wuauserv

SERVICE_NAME: wuauserv
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

I guess it can be done all right.

jaclaz

#34 joakim (Member; 154 posts; joined 18-November 09)

On my windows api journey, I discovered this neat little tool that achieves kind of the same thing, just very differently (and less complicated); http://developex.com...e/devxexec.html

It is based on token duplication and not remote threads as I described.

#35 dencorso ("Adiuvat plus qui nihil obstat"; Supervisor; 5,871 posts; joined 07-April 07; OS: 98SE; Donator)


Great find, joakim! Thanks a lot! :thumbup

Yet I do ask myself whether your original solution, although much more complicated, does not, in fact, yield a more complete impersonation of TI...
Of course, that can only be answered by time and good testing. :yes:

#36 joakim (Member; 154 posts; joined 18-November 09)

I think the impersonation is complete, but because of the session separation it is not possible to interact with the process. That was the reason for using TCP/IP for the communication. What is it that you can't do, except interacting with a GUI?

The process in my solution originates from a remote thread inside the TI process, and for that reason it should be identical in terms of privs and rights. The other solution is different in that the created and duplicated token has its session id modified, which means you can interact with it directly (including GUI's I presume).

#37 dencorso ("Adiuvat plus qui nihil obstat"; Supervisor; 5,871 posts; joined 07-April 07; OS: 98SE; Donator)


At first sight both solutions should be equivalent, in most relevant cases, that's true. In any case, the most obvious use is to modify the registry unhampered. And, what's more wonderful is that, when fdv started this thread, we had no solution to the problem, and now, thanks to you, we actually have *two*! :thumbup:
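An added example to make the token-duplication route of posts #34 and #36 concrete. This is not code from the thread, from devxexec, or from joakim's RunasSystem/RunFromToken; the helper names Enable-Privilege and Start-TrustedInstallerShell, the inline Win32 constants and the P/Invoke declarations are this example's own. It is run from an elevated PowerShell and assumes the caller's token holds SeDebugPrivilege and SeImpersonatePrivilege (both are in a default elevated Administrators token) and that the Secondary Logon (seclogon) service can start. It starts the Windows Modules Installer service, reads its PID from the SCM instead of parsing tasklist, duplicates the TrustedInstaller.exe primary token and launches cmd.exe from it with CreateProcessWithTokenW:

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. P/Invoke surface for the few calls needed.
$native = @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct LUID { public uint LowPart; public int HighPart; }

[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO {
    public int cb; public string lpReserved, lpDesktop, lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2;
    public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
}

[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

public static class Native {
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr dup);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool CreateProcessWithTokenW(IntPtr token, uint logonFlags, string app, string cmdLine, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@
if (-not ('Native' -as [type])) { Add-Type -TypeDefinition $native }

function Enable-Privilege([string]$Name) {
    # An elevated admin token holds SeDebugPrivilege but disabled; enabling it lets OpenProcess
    # succeed on a SYSTEM-owned process such as TrustedInstaller.exe regardless of its DACL.
    $tok = [IntPtr]::Zero
    if (-not [Native]::OpenProcessToken([Native]::GetCurrentProcess(), 0x28, [ref]$tok)) {  # TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        throw "OpenProcessToken on self failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $luid = New-Object LUID
    if (-not [Native]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "Unknown privilege $Name" }
    $tp = New-Object TOKEN_PRIVILEGES
    $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = 2                  # SE_PRIVILEGE_ENABLED
    [void][Native]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()                 # 1300 = ERROR_NOT_ALL_ASSIGNED
    [void][Native]::CloseHandle($tok)
    if ($err -ne 0) { throw "$Name is not held by this account (Win32 error $err)" }
}

function Start-TrustedInstallerShell([string]$CommandLine = 'cmd.exe') {
    # 1. The service exits again when idle (post #29), so start it and take the PID from the SCM.
    Start-Service -Name TrustedInstaller
    $svc = Get-CimInstance Win32_Service -Filter "Name='TrustedInstaller'"
    if (-not $svc.ProcessId) { throw 'TrustedInstaller has no process; it may already have stopped, retry' }

    Enable-Privilege 'SeDebugPrivilege'
    $hProc = [Native]::OpenProcess(0x400, $false, [int]$svc.ProcessId)             # PROCESS_QUERY_INFORMATION
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

    # 2. Open the primary token only for duplication.
    $hTok = [IntPtr]::Zero
    if (-not [Native]::OpenProcessToken($hProc, 0x0A, [ref]$hTok)) {               # TOKEN_DUPLICATE | TOKEN_QUERY
        throw "OpenProcessToken failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # 3. A primary (not impersonation) copy is what CreateProcess* needs. Nothing is injected
    #    into TrustedInstaller.exe; the copy carries the same user, groups and privileges.
    $hDup = [IntPtr]::Zero
    if (-not [Native]::DuplicateTokenEx($hTok, 0xF01FF, [IntPtr]::Zero, 2, 1, [ref]$hDup)) {  # TOKEN_ALL_ACCESS, SecurityImpersonation, TokenPrimary
        throw "DuplicateTokenEx failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # 4. CreateProcessWithTokenW hands the token to the Secondary Logon service. The caller needs
    #    SeImpersonatePrivilege (without it you get the "required privilege is not held" error
    #    seen in post #46); the new process lands in the caller's session, so a console window opens.
    $si = New-Object STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf([type][STARTUPINFO])
    $pi = New-Object PROCESS_INFORMATION
    $ok = [Native]::CreateProcessWithTokenW($hDup, 0, $null, $CommandLine, 0x10, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)  # CREATE_NEW_CONSOLE
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    foreach ($h in $hDup, $hTok, $hProc) { [void][Native]::CloseHandle($h) }
    if (-not $ok) { throw "CreateProcessWithTokenW failed, Win32 error $err" }
    return $pi.dwProcessId
}

$shellPid = Start-TrustedInstallerShell
# Session should be the current one, not 0; confirm before using the shell.
Get-CimInstance Win32_Process -Filter "ProcessId=$shellPid" | Select-Object ProcessId, SessionId, CommandLine
```

In the resulting console, whoami still reports nt authority\system, but whoami /groups lists NT SERVICE\TrustedInstaller: the (OI)(CI)F entries in post #26 match that group SID in the token, not the user, which is why a plain SYSTEM shell cannot write to winsxs and answers RobW's question in post #38. The opposite direction is not available this way: giving a token a different session ID by hand (SetTokenInformation with TokenSessionId) requires SeTcbPrivilege, which only SYSTEM holds, and that is consistent with the RunasSystem-then-RunFromToken chain in post #45.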

#38 RobW (Member; 1 post; joined 27-June 12)

Based on the previous answers, I've created a batch script which opens a cmd screen under TrustedInstaller.exe. But since TrustedInstaller.exe is running under SYSTEM, I'm not sure how the method gives me the permissions of TrustedInstaller.

The script has been tested in Windows 7 and 8 x86. Instead of injecting "cmd", I inject a batch file which slightly modifies the output, because otherwise the command is returned twice. For example:

C:>@echo test
@echo test
test

The script uses ncat from nmap.org and Session0Injector. The script expects these dependencies to be located in a subfolder called "deps".

runasti.cmd - Has to be run as administrator
:: Inspired by http://www.msfn.org/board/topic/155910-taking-back-the-registry-from-trustedinstaller/page__st__20#entry993083
:: This is the 32bit version. For 64bits, change Session0Cmd to Session0Cmd_x64
:: Edit this script to execute a shell under any process, replace "trustedinstaller" in FIND with ...
:: Run as ADMINISTRATOR

:: Pick a random port between 10000 and 42767 and assume that it's free.
@SET /A PORT=%random% + 10000
@SET Session0Cmd=%~dp0deps\Session0Cmd.exe
@SET NETCAT=%~dp0deps\ncat.exe
@SET EXECUTE=%~dp0init.cmd
@echo off
IF NOT EXIST "%Session0Cmd%" (
    echo Session0Injector is required.
    echo Get it from http://reboot.pro/files/download/171-payload-execution-tools/
    goto:eof
)
IF NOT EXIST "%NETCAT%" (
    echo Ncat is required.
    echo Get it from http://nmap.org/ncat/
    goto:eof
)

echo Starting TrustedInstaller if not started...
SC query "trustedinstaller" | FIND /i "RUNNING" > NUL || NET start TrustedInstaller

SETLOCAL EnableDelayedExpansion
echo Getting PID for TrustedInstaller.exe...
FOR /F "tokens=2,3" %%P in ('tasklist ^|FIND /i "trustedinstaller"') DO SET PID=%%P

IF "%PID%"=="" (
    echo Pid not found. Cannot continue.
) ELSE (
    echo Starting server (logging messages at %%tmp%%\runasti.log
    "%Session0Cmd%" %PID% "%NETCAT% -l -p %PORT% -e %EXECUTE%" >> "%tmp%\runasti.log"
    
    echo Connecting server...
    "%NETCAT%" localhost %PORT%
)
ENDLOCAL

init.cmd - This script will be injected in the process, and spawn a new cmd.
:: Set token file. When this file is deleted, all childs should terminate
@set token=%tmp%\ti_shell_%random%
@type nul > "%token%"
:keepalive
@cmd /c ""%~dp0subshell.cmd" token "%token%"" 2>&1
:: The subshell will die for syntax errors. Keep reviving, unless the token file has been deleted.
@if exist "%token%" @goto:keepalive

subshell.cmd - This one processes commands. When a syntax error occurs (e.g. using a pipe as a command), the batch script terminates. That's why I choose to run a main batch process, which start child processes. This behaviour is controlled by a temporary file in %tmp%: When this file is deleted, the main process assumes that the user issued "exit".
@echo off
:: This script should never run without parent
@if not "%~1"=="token" goto:eof
@setlocal EnableDelayedExpansion
@for /f "tokens=*" %%u in ('whoami') do echo Running as %%u
@set Path=%path%;%~dp0

:repeat
@if not exist "%~f2" goto:eof
:: Get user input
@set command=
@set /p command=*%cd%^>
:: When command is "exit", delete token file and exit
@if /i "!command:~0,4!"=="exit" del "%~f2" && goto:eof
:: Execute command, and repeat
@for /f "tokens=*" %%C in ('echo %command%') do @%%C
@goto:repeat

#39 dencorso ("Adiuvat plus qui nihil obstat"; Supervisor; 5,871 posts; joined 07-April 07; OS: 98SE; Donator)


That's great news! :thumbup
And welcome to MSFN! :hello:

#40 jaclaz ("The Finder"; Developer; 14,417 posts; joined 23-July 04)

Very good work RobW :thumbup .
OT :ph34r: , and only "marginally" related, but still *somehow* connected:
http://p-nand-q.com/...grootshell.html
Still "up to XP only", but maybe it can be tweaked/used/adapted for later NT based OS's. :unsure:

jaclaz

#41 GrofLuigi ("GroupPolicy Tattoo Artist"; Member; 1,360 posts; joined 21-April 05)


> On my windows api journey, I discovered this neat little tool that achieves kind of the same thing, just very differently (and less complicated); http://developex.com...e/devxexec.html
>
> It is based on token duplication and not remote threads as I described.

Devxexec works very well. :thumbup It can launch cmd.exe or regedit.exe as Trusted Installer or as System. I don't really need anything more for my sabotages against the system. :ph34r:

GL

Edited by GrofLuigi, 24 July 2012 - 08:42 AM.


#42 GrofLuigi ("GroupPolicy Tattoo Artist"; Member; 1,360 posts; joined 21-April 05)

Wouldn't the simplest solution be to grant ourselves full privileges under the key:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\S-1-5-21-645709764-2570854657-2333822770-500\Privilgs

or whatever the SID of our account is? But one has to figure out first what the format of the key is, or, if brave enough, to copy the registry value from another overprivileged account.

I imagine it as a quick guerilla operation: Change permissions, get in, change value, get out, restore permissions. :ph34r:

What do you guys think about that?

GL

Edited by GrofLuigi, 03 August 2012 - 03:41 AM.


#43 dencorso ("Adiuvat plus qui nihil obstat"; Supervisor; 5,871 posts; joined 07-April 07; OS: 98SE; Donator)


This is just to provide an update to those of you who don't usually follow things on reboot.pro... Heads up, friends, there's good news!!! :yes:
joakim has kept working on this matter, and has released two very interesting apps there, at the thread: "RunasSystem and RunFromToken".
Thanks joakim, you do rock! :thumbup

#44 CharlotteTheHarlot ("MSFN Master"; Member; 2,054 posts; joined 24-September 07)


> This is just to provide an update to those of you who don't usually follow things on reboot.pro... Heads up, friends, there's good news!!! :yes:
> joakim has kept working on this matter, and has released two very interesting apps there, at the thread: "RunasSystem and RunFromToken".
> Thanks joakim, you do rock! :thumbup

Thanks for the tip!

... Let him who hath understanding reckon the Number Of The Beast ...


#45 GrofLuigi ("GroupPolicy Tattoo Artist"; Member; 1,360 posts; joined 21-April 05)

(just theoretical, haven't tried it yet)

> On one of my systems I have this simple batch on my desktop to get quick access to my special power cmd:

> net start trustedinstaller
> C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"
> With that command shell you have rather extreme control. Now go crazy on your system.


Would this help some more (with any of the tools mentioned):
net start UI0Detect
net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"
?

(Don't know about others, but I have set UI0Detect to manual).

And thanks joakim for the tools. :thumbup

GL

#46 tommyp ("MSFN Addict"; Developer; 1,680 posts; joined 09-January 04)

The runassystem utility looks like it will save tons of time with a little win7 slipstream/reduction program I've been working on. I can't seem to get it to work right. My CMD prompt is always administrator and I'm in a CMD box in the working directory of the utility. I've run an example command on v1.0.0.2:
runassystem_x64 regedit
The resulting output is:
Running in session: 1
Host PID: 872
CreateProcessAsUserW / CreateProcessWithTokenW: A required privilege is not held by the client.
Am I supposed to be doing something different? FWIW, I'm running win7/x64.

#47 jaclaz ("The Finder"; Developer; 14,417 posts; joined 23-July 04)


> Am I supposed to be doing something different? FWIW, I'm running win7/x64.

Check the release topic on reboot.pro:
http://reboot.pro/17501/

Another user has the same or similar problem and Joakim is working on it; there is already a new version posted, but not yet feedback from the OP.

jaclaz

#48 joakim (Member; 154 posts; joined 18-November 09)

Yes feedback would be nice in order to solve it.. Did the test version work better for instance?

#49 tommyp ("MSFN Addict"; Developer; 1,680 posts; joined 09-January 04)

The test runassystemtoken version isn't the same as the runassystem. I can say that I did try the token program out, and quite honestly, I'm not too sure how to use that one for my specific need. In order to test out your program, I'd be more than happy to try out any commands you like, and I can plop the output here.

#50 joakim (Member; 154 posts; joined 18-November 09)

There is only a test version of RunFromToken because that one requires certain privileges enabled on its process. That's why I was hoping for some feedback on how the test version behaved in regards to that. As already explained at reboot.pro, there is a chance that the right/privilege is not added to your account, which will prevent you from enabling it if it does not exist in the first place. That too, I already have a version for, but I'm awaiting some feedback :)



