Monday, November 9, 2009

Owning Windows 7 - Double hack (physical access required)

Hi all, i finished my Windows 7 upgrade and i decided to check and old trick that worked on XP and Vista, no foo required, it's an easy one:

If you have access to a Windows 7 Box, you can still replace the binary c:\windows\system32\sethc.exe by your favourite backdoor (you can insert the same binary with the meterpreter embedded) and trigger it pressing 5 times the shift key on the login screen. Also the trick works by replacing c:\windows\system32\utilman.exe, and pressing WIN-U in the login screen. (you must boot with a live CD in order to replace the binaries)

I know, i know.. if someone have access to your machine it's game over, but hey this it's still there and this could have been improved and avoid the direct calling of two binaries by a key combination.

You can see the double cmd.exe popping one for sethc.exe and the other for utilman.exe, both with "nt authority\system" privileges.

If you don't have your disk encrypted you should do it... if you have it encrypted, beware with the Evil Maid.



No comments:

Wfuzz 2.2.0 released

I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...