[dencorso]

That's the best way of doing it. The oldest one is: at xx:xx /interactive %sysdir%\cmd.exe, where xx:xx is, say, one minute hence. This I bet doesn't work on Win 7, especially the x64 version, but I may be wrong.

We're after getting total control of the system, for the rare occasions on which that's handy, IMHO.

[joakim]

The "NT AUTHORITY\SYSTEM" account is by itself not enough to modify stuff inside the WRP protected areas. For instance the winsxs folder (and sub folders) are blocked, and if you run cmd.exe as just "NT AUTHORITY\SYSTEM", then you get access denied. You need more, ie similar to what the token of the trustedinstaller has. That's why I showed the command with session0cmd and how it can give you the right privileges. For some unknown reason, it seems not possible to just switch into an interactive session with anything running with trustedinstaller privs (something you easily can if just "NT AUTHORITY\SYSTEM" is granted and nothing more). But despite not being totally inetractive with session0cmd, at least we can issue commands/start other programs from there.. But still, it would be interesting to create something inetractive as can possibly be done with ipc accross sessions.

[jaclaz]

@dencorso
JFYI, and on XP (and NOT - I think - on newer NT systems):
http://www.grubletra...ftwareList.aspx
http://www.grubletra...app=PowerPrompt

jaclaz

[joakim]

Are you sure this tool is able to replicate the privs of the trustedinstaller? Can someone verify in Windows 7?

This post has been edited by joakim: 20 March 2012 - 04:01 AM

[jaclaz]

joakim, on 20 March 2012 - 03:44 AM, said:

Are you sure this tool is able to replicate the privs of the trustedinstaller? Can someone verify in Windows 7?

You talkin' to me?
http://en.wikipedia.org/wiki/You_talkin'_to_me%3F

jaclaz, on 20 March 2012 - 02:27 AM, said:

JFYI, and on XP (and NOT - I think - on newer NT systems):

jaclaz

[joakim]

Never mind. I am fairly sure the right way to go is by duplicating the token of the TrustedInstaller and expand on that as already described.

For instance spot the difference in output from cacls;

c:\windows\winsxs

NT SERVICE\TrustedInstaller:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)R
NT AUTHORITY\SYSTEM:(OI)(CI)R
BUILTIN\Users:(OI)(CI)R

c:\windows\system32\config

NT SERVICE\TrustedInstaller:(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)(IO)F

[joakim]

I quickly compiled a lame server communicating over tcp/ip and accepting commands over port 6666. All good and well as the commands sent by the client was in fact executed if valid. Ie, the server was started by having Session0Cmd injecting it into the TrustedInstaller.exe process. But it was probably the lamest server/client application created this century..

I then realized what the best solution actually is. Grab a copy of good old netcat and inject it with Session0Cmd. Then use netcat and connect it to your localhost. And guess what. A running and interactive cmd.exe in sessionX that has all the privileges you could ever dream of. You don't get more privs than that! So the commands I used;

Session0Cmd 2003 "nc -l -p 6789 -d -e cmd"

Now netcat is running as a daemon and serving cmd.exe for you on port 6789. To connect to it and obtain the actual TI-privileged cmd, open a cmd window and use this command;

nc localhost 6789

Good luck hacking your system Hope you know what you're doing.

[dencorso]

Awesome, joakim!

A strike of genius!

You do rock!

[fdv]

Okay. For those of you just tuning in, Joakim has actually managed to do what several folks including myself had said was not possible -- open a CMD prompt with TrustedInstaller permissions.

Life happens fast, and so did this thread. Here's how to do it in one post. Thanks to all of you who contributed your wisdom. Like CoffeeFiend I'm also kind of lost as to how we managed to get here

------------
How to open a CMD prompt with TrustedInstaller permissions

Install PSList - http://technet.micro...ernals/bb896682
or
Install Procexp - http://technet.micro...ernals/bb896653

Install Session0Injectors from Payload Execution Tools v.2 - http://reboot.pro/fi...xecution-tools/

Install netcat - http://www.securityfocus.com/tools/139

You must do the next part fairly quickly, because once you start the TrustedInstaller service, it's not going to run all day... it stays running for a short while and stops.

Run services.msc
Scroll to Windows Modules Installer
Right click, select 'start'

Open a command prompt and type pslist trustedinstaller and get the PID or launch ProcExp and get the PID

Let's call that number '4321' (of course it will be different on your system)

Let's also pick a port to run netcat on -- say '6789'

"Now run netcat as a daemon serving cmd.exe for you on port 6789 by typing the following"

Session0Cmd 4321 "nc -l -p 6789 -d -e cmd"

(By the way, that -l is the letter l not the digit one. If your system is 64 bit Windows, you'll use Session0Cmd_x64 here))

If you got an error about an invalid PID, it means that the TrustedInstaller service stopped again. Go restart it. (When you do it will have yet another PID).

"Now netcat is running as a daemon and serving cmd.exe for you on port 6789. To connect to it and obtain the actual TI-privileged cmd, open a cmd window and use this command"

nc localhost 6789

Thanks again to Joakim for this bit of cleverness!

(I'm sure you'll all let me know if I need to make edits...)

This post has been edited by fdv: 21 March 2012 - 01:07 AM

[joakim]

I forgot to explain properly that the reason why session separation is not blocking our shell, is because the process itself (the cmd window that we type the commands in) is not running inside session0. It is the other part of the network connection that is session0, and obviously is "invisible". We therefore communicate of TCP/IP into our session0 TI-privileged server. For that reson no GUI can be launched during such a session, and we are limited to command line utilities (but who cares..).

It would thus not surprise me if MS added some memory protection to the TrustedInstaller service at some time in the future.

[jaclaz]

Usual semi-random idea.
Doeesn't 7 has the tasklist command?
http://technet.micro...y/bb491010.aspx

Something along the lines of:

@ECHO OFF
SETLOCAL ENABLEEXTENSIONS
SET Process_Name=trustedinstaller
FOR /F "tokens=1,2" %%A IN ('tasklist ^|FIND /i %Process_Name%') DO ECHO %%B
PAUSE

might do.

jaclaz

[dencorso]

Of course it has!
But since you're at it, one of your wonderful batches to automate fully the operations descrbed in post #30 by fdv, incorporating your idea of using Tasklist, would be really handy, if you can find time for creating it...

[jaclaz]

dencorso, on 21 March 2012 - 10:35 AM, said:

Of course it has!
But since you're at it, one of your wonderful batches to automate fully the operations descrbed in post #30 by fdv, incorporating your idea of using Tasklist, would be really handy, if you can find time for creating it...

But I have no handy 7 system, so I cannot check if it works, if the strings are correct, etc.

If someone verifies that

Quote

tasklist |FIND /i "trustedinstaller"

Finds the taks and roduces the right PID, and which actual name the "Windows Modules Installer" service has, and that the commands:

sc query <name_of_Windows_Modules_Installer>

and

sc start <name_of_Windows_Modules_Installer>

or

net start <name_of_Windows_Modules_Installer>

work
and
that the output for the running service is similar to this:

Quote

sc query wuauserv

SERVICE_NAME: wuauserv
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

I guess it can be done allright .

jaclaz

[joakim]

On my windows api journey, I discovered this neat little tool that achieves kind of the same thing, just very differently (and less complicated); http://developex.com...e/devxexec.html

It is based on token duplication and not remote threads as I described.

[dencorso]

Great find, joakin! Thanks a lot!

Yet I do ask myself whether your original solution, although much more complicated, does not, in fact, yield a more complete impersonation of TI...
Of course, that can only be answered by time and good testing.

[joakim]

I think the impersonation is complete, but because of the session separation it is not possible to interact with the process. That was the reason for using tcp/ip for the communication. what is that you can't do, except interacting with a GUI?

The process in my solution originates from a remote thread inside the TI process, and for that reason it should be identical in terms of privs and rights. The other solution is different in that the created and duplicated token has its session id modified, which means you can interact with it directly (including GUI's I presume).

[dencorso]

At first sight both solutions should be equivalent, in most relevant cases, that's true. In any case, the most obvious use is to modify the registry unhampered. And, what's more wonderful is that, when fdv started this thread, we had no solution to the problem, and now, thanks to you, we actually have *two*! :

[RobW]

Based on the previous answers, I've created a batch script which opens a cmd screen under TrustedInstaller.exe. But since TrustedInstaller.exe is running under SYSTEM, I'm not sure how the method gives me the permissions of TrustedInstaller.

The script has been tested in Windows 7 and 8 x86. Instead of injecting "cmd", I inject a batch file which slightly modifies the output, because otherwise the command is returned twice. For example:

C:>@echo test
@echo test
test

The script uses ncat from nmap.org and Session0Injector. The script expects these dependencies to be located in a subfolder called "deps".

runasti.cmd - Has to be run as administrator

:: Inspired by http://www.msfn.org/board/topic/155910-taking-back-the-registry-from-trustedinstaller/page__st__20#entry993083
:: This is the 32bit version. For 64bits, change Session0Cmd to Session0Cmd_x64
:: Edit this script to execute a shell under any process, replace "trustedinstaller" in FIND with ...
:: Run as ADMINISTRATOR

:: Pick a random port between 10000 and 42767 and assume that it's free.
@SET /A PORT=%random% + 10000
@SET Session0Cmd=%~dp0deps\Session0Cmd.exe
@SET NETCAT=%~dp0deps\ncat.exe
@SET EXECUTE=%~dp0init.cmd
@echo off
IF NOT EXIST "%Session0Cmd%" (
    echo Session0Injector is required.
    echo Get it from http://reboot.pro/files/download/171-payload-execution-tools/
    goto:eof
)
IF NOT EXIST "%NETCAT%" (
    echo Ncat is required.
    echo Get it from http://nmap.org/ncat/
    goto:eof
)

echo Starting TrustedInstaller if not started...
SC query "trustedinstaller" | FIND /i "RUNNING" > NUL || NET start TrustedInstaller

SETLOCAL EnableDelayedExpansion
echo Getting PID for TrustedInstaller.exe...
FOR /F "tokens=2,3" %%P in ('tasklist ^|FIND /i "trustedinstaller"') DO SET PID=%%P

IF "%PID%"=="" (
    echo Pid not found. Cannot continue.
) ELSE (
    echo Starting server (logging messages at %%tmp%%\runasti.log
    "%Session0Cmd%" %PID% "%NETCAT% -l -p %PORT% -e %EXECUTE%" >> "%tmp%\runasti.log"
    
    echo Connecting server...
    "%NETCAT%" localhost %PORT%
)
ENDLOCAL

init.cmd - This script will be injected in the process, and spawn a new cmd.

:: Set token file. When this file is deleted, all childs should terminate
@set token=%tmp%\ti_shell_%random%
@type nul > "%token%"
:keepalive
@cmd /c ""%~dp0subshell.cmd" token "%token%"" 2>&1
:: The subshell will die for syntax errors. Keep reviving, unless the token file has been deleted.
@if exist "%token%" @goto:keepalive

subshell.cmd - This one processes commands. When a syntax error occurs (e.g. using a pipe as a command), the batch script terminates. That's why I choose to run a main batch process, which start child processes. This behaviour is controlled by a temporary file in %tmp%: When this file is deleted, the main process assumes that the user issued "exit".

@echo off
:: This script should never run without parent
@if not "%~1"=="token" goto:eof
@setlocal EnableDelayedExpansion
@for /f "tokens=*" %%u in ('whoami') do echo Running as %%u
@set Path=%path%;%~fd0

:repeat
@if not exist "%~f2" goto:eof
:: Get user input
@set command=
@set /p command=*%cd%^>
:: When command is "exit", delete token file and exit
@if /i "!command:~0,4!"=="exit" del "%~f2" && goto:eof
:: Execute command, and repeat
@for /f "tokens=*" %%C in ('echo %command%') do @%%C
@goto:repeat

Attached File(s)

•  runasti.cmd (1.42K)
  Number of downloads: 9
•  init.cmd (333bytes)
  Number of downloads: 7
•  subshell.cmd (521bytes)
  Number of downloads: 7

[dencorso]

That's great news!
And welcome to MSFN!

[jaclaz]

Very good work RobW .
OT , and only "marginally" related, but still *somehow* connected:
http://p-nand-q.com/...grootshell.html
Still "up to XP only", but maybe it can be tweaked/used/adapted for later NT based OS's.

jaclaz