Administrator to System privilege escalation

Windows XP. There comes a time in every Windows user's life when he wants more. Administrator access isn't enough; he wants the same level of access that SYSTEM has.

Maybe it's to kill a stubborn process which looks like a virus but actually turns out to be a critical System process, or maybe it's just so they can laugh maniacally.

Whatever the reason, I have created a script to give Administrator users SYSTEM-level access to their Windows XP computers:


@echo off
echo.
:: "at" with no arguments lists scheduled jobs; it fails with errorlevel 1 unless we are an administrator
at>nul
if "%errorlevel%"=="1" (
  echo You do not have sufficient privileges to execute this command.
  echo You MUST be running as an administrator ^(with access to "at.exe"^).
  goto end
)
echo WARNING: This command will be executed with SYSTEM privileges!
echo.
set /P cmd=Enter command to run (eg,"cmd", "taskmgr"): 

:: Capture the first output line of the "time" command into a temp file and read it back
set rnd=r%random%n%random%d
echo.|time>%rnd%
set /P time=<%rnd%
del /F /Q %rnd%
:: "The current time is: HH:MM:SS.ms" -> tokens 5, 6 and 7 are hour, minute and second
for /F "usebackq tokens=5,6,7 delims=:. " %%i in ('%time%') do (
  set our=%%i
  set min=%%j
  set sec=%%k
)
:: Prefix with 1 and subtract 100 so that values such as "08" or "09" are not
:: treated as (invalid) octal numbers by set /A
set /A tot=1%min%-100+1
set /A dif=60-(1%sec%-100)
:: Schedule the command for the next minute (known limitation: during minute 59 this
:: yields minute 60, which at rejects)
at %our%:%tot% /interactive %cmd% >nul
if "%errorlevel%"=="0" (
  echo The command will be executed in %dif% seconds.
) else (
  echo An unknown error has occurred.
)

:end
echo Press any key to exit.
pause>nul
Save the code as a .bat file, and run!

This script uses the old at.exe trick to escalate your privs (a job scheduled with at /interactive runs as SYSTEM and is shown on the current desktop), but it fills in the parameters automatically, so all you need to do is say what command you want to execute with your system privs.

PS: You DO need administrator access to run this script, so it's useless to most baddies. This is only useful if you want to increase from administrator to system.

This blog

This blog is meant as more of a storage area for me to keep bits of code I found useful and not really intended as an enlightening step-by-step instructional piece. But hopefully once Google picks it up, some of these things which I had trouble with will be available to all.

If you understand it, sweet, but if not, I'd probably be happy to help you.

Batch script port scanner

Sometimes you're on a network, on a machine with no tools and you need to scan the network.

If I truly have no access to tools such as nmap, I'll open up the command prompt and type in this little script to scan the network for live machines:
for /L %i in (1,1,254) do @ping -n1 -w1 192.168.0.%i |find "time="
(Where 192, 168 and 0 are the first 3 octets of the local /24 IP address.)

This is a very simple ping-sweep script which will ping every host in the 192.168.0.0/24 (192.168.0.1-192.168.0.254) range and display replies.

So one day I was a little frustrated how long this script takes to scan 254 hosts, so I decided to create a multithreaded version, also in batch script. Because I'm cool like that.

Hold onto your socks...


@echo off

:: Number of scanning threads (the eight worker scripts written below are
:: hard-coded, so this must stay at 8 unless those lines are changed as well)
set NUMTH=8

:: Random names for this run's temp files
set ipfile=t%random%m%random%p
set scanfx=s%random%c%random%n
:: Addresses per thread (informational only; the slices below are fixed)
set /A thinc=256/%NUMTH% >nul

:: Work out the local IP address from ping's "Ping statistics for x.x.x.x:" line
ping -4 -n 1 -w 1 %computername% |find "statistics" >%ipfile%
for /F "tokens=4,5,6,7 delims=:. " %%i in (%ipfile%) do (
  if not "%%i"=="" (
    echo Local IP address: %%i.%%j.%%k.%%l
    echo Scanning range  : %%i.%%j.%%k.0/24

    rem Write one worker script per 32-address slice; each appends its replies to <worker>.bat.log
    echo for /L %%%%a in ^(1,1,32^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%1.bat
    echo for /L %%%%a in ^(33,1,64^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%2.bat
    echo for /L %%%%a in ^(65,1,96^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%3.bat
    echo for /L %%%%a in ^(97,1,128^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%4.bat
    echo for /L %%%%a in ^(129,1,160^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%5.bat
    echo for /L %%%%a in ^(161,1,192^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%6.bat
    echo for /L %%%%a in ^(193,1,224^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%7.bat
    echo for /L %%%%a in ^(225,1,254^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%8.bat


  )
)

:: Append a "done" marker to each worker so the main script can tell when it has finished
for /L %%i in (1,1,%NUMTH%) do echo @echo 1 ^>%%0.txt ^&exit >>%scanfx%%%i.bat

for /L %%i in (1,1,%NUMTH%) do start /MIN %scanfx%%%i.bat
echo Scanning...

:: Wait for all threads to finish
:waitthread
ping -n 2 127.0.0.1 >nul
for /L %%i in (1,1,%NUMTH%) do if not exist %scanfx%%%i.bat.txt goto waitthread

:: Copy the scan logs to a single file
copy %scanfx%*.bat.log %scanfx%.scan.log >nul

:: Clean up, delete temp files
del /F /Q %ipfile%
for /L %%i in (1,1,%NUMTH%) do @del /F /Q %scanfx%%%i.bat
for /L %%i in (1,1,%NUMTH%) do @del /F /Q %scanfx%%%i.bat.txt
for /L %%i in (1,1,%NUMTH%) do @del /F /Q %scanfx%%%i.bat.log

start "" %windir%\notepad.exe %scanfx%.scan.log
::type %scanfx%.scan.log |more

:: Wait for notepad to open before killing the file
:waitnotepad
ping -n 2 127.0.0.1 >nul
tasklist /FI "WINDOWTITLE eq %scanfx%.scan.log*" |find "notepad.exe" >nul
if not "%errorlevel%"=="0" goto waitnotepad

del /F /Q %scanfx%.scan.log

Oh shit, he didn't. Oh yes I did.

That right there is a multithreaded BATCH ping scanner. Not only that but it automatically detects the local IP address and uses that to determine the scan range.

Everything happens automatically, you just run it and it'll ping 254 addresses, and show you the results in a notepad window.

Save the code as a .bat file, and run!

Now, to figure out how to probe ports using batch script...
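The threaded scanner fires its eight workers at eight non-adjacent addresses at once, so a detector that looks for one source walking consecutive addresses would miss it. As an added example that is not part of this post, the Python below flags any source that reaches many distinct destinations within a short window, which catches both the single-loop and the threaded sweep; the log line format, thresholds and sample lines are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of firewall/flow log lines (not from the post): "HH:MM:SS src dst proto".
# The first eight lines mimic the threaded sweep: each worker starts at the bottom of its
# own 32-address slice, so destinations arrive out of order and 32 apart.
SAMPLE_LOG = """\
12:00:01 192.168.0.77 192.168.0.1 ICMP
12:00:01 192.168.0.77 192.168.0.33 ICMP
12:00:01 192.168.0.77 192.168.0.65 ICMP
12:00:01 192.168.0.77 192.168.0.97 ICMP
12:00:01 192.168.0.77 192.168.0.129 ICMP
12:00:01 192.168.0.77 192.168.0.161 ICMP
12:00:01 192.168.0.77 192.168.0.193 ICMP
12:00:01 192.168.0.77 192.168.0.225 ICMP
12:00:02 192.168.0.77 192.168.0.2 ICMP
12:00:02 192.168.0.77 192.168.0.34 ICMP
12:00:15 192.168.0.10 192.168.0.1 ICMP
12:00:16 192.168.0.10 192.168.0.1 ICMP
12:00:17 192.168.0.10 192.168.0.1 ICMP
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) (\S+) (\S+)$")


def find_icmp_sweeps(log_text, min_hosts=8, window_seconds=10):
    """Return {src: most distinct destinations seen inside any window_seconds window}
    for each source that reached at least min_hosts distinct hosts. Counting distinct
    destinations rather than consecutive ones is what makes the threaded sweep visible."""
    events = defaultdict(list)  # src -> [(seconds since midnight, dst)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(6) != "ICMP":
            continue  # unparseable or non-ICMP line: ignore
        h, mi, s = int(m.group(1)), int(m.group(2)), int(m.group(3))
        events[m.group(4)].append((h * 3600 + mi * 60 + s, m.group(5)))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best, left = 0, 0
        for right in range(len(evs)):
            # advance the left edge until the window is narrower than window_seconds
            while evs[right][0] - evs[left][0] >= window_seconds:
                left += 1
            best = max(best, len({dst for _, dst in evs[left:right + 1]}))
        if best >= min_hosts:
            hits[src] = best
    return hits
```

A real deployment would feed this from the firewall or IDS flow log rather than a string, and would tune min_hosts to the size of the monitored subnet.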

VBS: Download a file from the Internet

Scenario:
* I have only got remote command line access to a Windows computer. Great.
* And now I want to upload a file to that computer. Not so great.

I've been looking for some time for a way to download a file to a default Windows installation using only the command line and the tools available in a default installation of Windows.

This is quite a bit trickier than it may sound, at least in Windows XP, where the only tools I have at my disposal are VB Script and the command prompt (batch scripting).

I pride myself on being a bit of a batch scripting guru, and from what I know, this wouldn't be possible in pure batch scripting. That was until I explored my VBS/VBA options a bit more:

This is a VB script to download a file from the internet and save it to disk:


strFileURL = "http://www.google.com/intl/en_ALL/images/logo.gif"
strHDLocation = "C:\GoogleLogo.gif"

Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

objXMLHTTP.Open "GET", strFileURL, False
objXMLHTTP.send

' 200 is HTTP-talk for 'success'
If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1
    
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0
    
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    
    ' If the file exists, delete it
    If objFSO.Fileexists(strHDLocation) Then
        objFSO.DeleteFile strHDLocation
    End If
    
    Set objFSO = Nothing
    
    ' Save the file
    objADOStream.SaveToFile strHDLocation
    
    objADOStream.Close
    Set objADOStream = Nothing
End If

Set objXMLHTTP = Nothing

Unmodified, this code will download the default Google logo to c:\GoogleLogo.gif, assuming the script is executed with write permissions to the C drive.

But this isn't much use with only command line access, so I created a batch script to do the work, and at the same time compressed the code:


@echo off

set fileurl="http://www.google.com/intl/en_ALL/images/logo.gif"
set savepath="C:\GoogleLogo.gif"
set script="%random%s%random%c%random%p%random%.vbs"

echo Set o=CreateObject^("MSXML2.XMLHTTP"^):Set a=CreateObject^("ADODB.Stream"^):Set f=Createobject^("Scripting.FileSystemObject"^):o.open "GET", %fileurl%, 0:o.send^(^):If o.Status=200 Then >%script%
echo a.Open:a.Type=1:a.Write o.ResponseBody:a.Position=0:If f.Fileexists^(%savepath%^) Then f.DeleteFile %savepath% >>%script%
echo a.SaveToFile %savepath% >>%script%
echo End if >>%script%

cscript //B %script%

del /F /Q %script%

That's a batch script which generates the VBS script to download the file and then executes it.


Aaaaand, now on one line:

echo Set o=CreateObject^("MSXML2.XMLHTTP"^):Set a=CreateObject^("ADODB.Stream"^):Set f=Createobject^("Scripting.FileSystemObject"^):o.open "GET", "http://www.google.com/intl/en_ALL/images/logo.gif", 0:o.send^(^):If o.Status=200 Then >"%temp%\.vbs" &echo a.Open:a.Type=1:a.Write o.ResponseBody:a.Position=0:If f.Fileexists^("%temp%\GoogleLogo.gif"^) Then f.DeleteFile "%temp%\GoogleLogo.gif" >>"%temp%\.vbs" &echo a.SaveToFile "%temp%\GoogleLogo.gif" >>"%temp%\.vbs" &echo End if >>"%temp%\.vbs" &cscript //B "%temp%\.vbs" &del /F /Q "%temp%\.vbs" &start "" "%temp%\GoogleLogo.gif"

Put THAT in your command prompt and execute it.

That one saves the Google logo to the temp directory instead, and opens it as well.


So now I can enter that batch script line by line into the command line and download the Google logo to that remote computer. Sweet.
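Both the at.exe escalation script earlier on this page and the echo-then-cscript download chain above leave distinctive process command lines behind. As an added example that is not part of this post, here is a small rule set run over constructed process-creation records (the "user|image|commandline" format, the rule names and the sample records are my own assumptions); the indicators themselves are taken from the scripts shown on the page.

```python
import re

# Each rule is (name, regex over the full command line). Indicators come from the two
# scripts discussed on this page: "at HH:MM /interactive ...", a cmd.exe echo chain that
# writes MSXML2.XMLHTTP / ADODB.Stream into a .vbs file, and "cscript //B" running a
# .vbs out of the temp directory.
RULES = [
    ("at_interactive", re.compile(r"\bat(\.exe)?\b.*\s/interactive\b", re.I)),
    ("echo_to_vbs", re.compile(r"\becho\b.*(MSXML2\.XMLHTTP|ADODB\.Stream).*>>?\s*\"?[^\s\"]*\.vbs", re.I)),
    ("cscript_temp_vbs", re.compile(r"\b[wc]script(\.exe)?\b.*//B.*\\temp\\[^\s\"]*\.vbs", re.I)),
]

# Constructed sample (not real telemetry): one 4688-style record per line.
SAMPLE_EVENTS = r"""bob|C:\WINDOWS\system32\at.exe|at 12:35 /interactive cmd
bob|C:\WINDOWS\system32\at.exe|at \\fileserver 02:00 backup.cmd
svc|C:\WINDOWS\system32\cmd.exe|cmd /c echo Set o=CreateObject("MSXML2.XMLHTTP"):Set a=CreateObject("ADODB.Stream") >"C:\DOCUME~1\svc\LOCALS~1\Temp\.vbs"
svc|C:\WINDOWS\system32\cscript.exe|cscript //B "C:\DOCUME~1\svc\LOCALS~1\Temp\.vbs"
alice|C:\WINDOWS\system32\cscript.exe|cscript //nologo C:\scripts\inventory.vbs
"""


def classify_events(text):
    """Return [(user, [matched rule names])] for every record that hits at least one rule.
    Benign uses of at.exe and cscript (the second and last sample lines) produce no hit."""
    hits = []
    for line in text.splitlines():
        try:
            user, _image, cmdline = line.split("|", 2)
        except ValueError:
            continue  # malformed record: skip it rather than abort the whole batch
        names = [name for name, rx in RULES if rx.search(cmdline)]
        if names:
            hits.append((user, names))
    return hits
```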

Why would someone want to do that, you ask? Well, a network administrator may have lost his computer physically, but still know where it is on the network. This will allow him to upload an MP3 and play music loudly so that he can locate the machine.

There are many legitimate reasons. As with all knowledge, what you do with it is up to you.