Windows 7 Privilege Escalation

Python metasploit smss.exe

5 replies to this topic

#1 satyricon11

satyricon11

    Initiate

  • Quark
  • 29 posts

Posted 30 September 2017 - 01:21 PM

Hey guys, so I'm messing around with a copy of Windows 7, Metasploit, and the Python programming language. I've noticed that even after I've got NT/AUTHORITY access on a machine, there are still certain things that I can't do. After doing some research I found out that even with superuser access, I may not be in the correct "privilege ring" to accomplish what I want, i.e. forcing the computer to stop system-critical programs, delete certain files, etc.

 

So my thought here is, knowing that the smss.exe process is responsible for starting the kernel and user modes and loads the registry, what if I created a registry key that lets me interact with a custom python script. Would it inherit the same privs/rights as smss.exe? Does anyone have any thoughts or recommendations?

 

BTW, I know that me wanting to delete or stop system critical files is ridiculous. As stated above, this is all in a VM on my PC and is all proof of concept and me goofing off.

 



#2 Rybags

Rybags

    Immortal

  • Super Hero
  • 35,098 posts

Posted 30 September 2017 - 03:03 PM

There's a shell extension called "Take ownership" which you might want to put in; it can be helpful at times.  OK, it's sufficiently small that I can just post it here.  There's an "add" and "remove" file.

It's not the sort of thing to mess with casually, you could potentially screw a system over royally by using it.

I've used it mainly on Win 7 when getting rid of folders/files remaining on old system drives but wanting to retain some stuff.

 

Not totally relevant to your need but might come in helpful.
As for forking new processes etc. off system ones and getting inherited security attributes, not sure that'd work.

Also, the "not authorized" etc messages are usually pretty generic and the Task Manager and similar utilities stop you from killing certain things for your own protection.

 

Call this one "Take ownership - install.reg"

Windows Registry Editor Version 5.00

;Created by Vishal Gupta for AskVG.com

[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take ownership"
"HasLUAShield"=""
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take ownership"
"HasLUAShield"=""
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Call this one "Take ownership - uninstall.reg"

Windows Registry Editor Version 5.00

;Created by Vishal Gupta for AskVG.com

[-HKEY_CLASSES_ROOT\*\shell\runas]

[HKEY_CLASSES_ROOT\*\shell\runas]
@=""
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[-HKEY_CLASSES_ROOT\Directory\shell\runas]
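The .reg files above work by taking over the `runas` verb, the one Explorer uses for "Run as administrator", for every file and directory; that is why `HasLUAShield` puts the UAC shield on the menu entry and why the `takeown`/`icacls` pair ends up running elevated. What follows is an added example, not code from this thread or from AskVG: it checks whether that verb has been hijacked on the current machine and drives the same `takeown` and `icacls` calls from PowerShell instead of the context menu, so the operation can be applied to a list of paths and its effect read back with `Get-Acl`. The function names and the sample path are my own, and both functions need an elevated prompt, which is what the `runas` verb was providing.

```powershell
# Added example: programmatic equivalent of the "Take ownership" shell extension.
# Function names (Test-TakeOwnershipExtension, Grant-AdminFullControl) are this
# example's own. Run from an elevated PowerShell session.

function Test-TakeOwnershipExtension {
    # Report whether the .reg file has replaced the 'runas' verb's command.
    # HKCR\* must be addressed with -LiteralPath: '*' is a wildcard to the provider.
    foreach ($class in '*', 'Directory') {
        $key = "Registry::HKEY_CLASSES_ROOT\$class\shell\runas\command"
        $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Class     = $class
            Installed = [bool]($cmd -and $cmd -match 'takeown')
            Command   = $cmd
        }
    }
}

function Grant-AdminFullControl {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Path
    )
    process {
        foreach ($p in $Path) {
            $item   = Get-Item -LiteralPath $p -Force -ErrorAction Stop
            $before = (Get-Acl -LiteralPath $p).Owner

            # *S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; icacls
            # accepts it, so this works on non-English Windows where the .reg file's
            # literal "administrators" would not resolve.
            if ($item.PSIsContainer) {
                # Directory variant: recurse and auto-answer "y" like the .reg file does.
                takeown /f $p /r /d y | Out-Null
                icacls $p /grant '*S-1-5-32-544:F' /t | Out-Null
            } else {
                takeown /f $p | Out-Null
                icacls $p /grant '*S-1-5-32-544:F' | Out-Null
            }
            if ($LASTEXITCODE -ne 0) {
                throw "icacls failed on '$p' (exit code $LASTEXITCODE)"
            }

            # Read the result back rather than trusting the tools' exit status alone.
            $acl = Get-Acl -LiteralPath $p
            $adminAce = $acl.Access | Where-Object {
                $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-544'
            }
            [pscustomobject]@{
                Path        = $p
                OwnerBefore = $before
                OwnerAfter  = $acl.Owner
                AdminRights = ($adminAce | ForEach-Object { $_.FileSystemRights }) -join ', '
            }
        }
    }
}

# Usage. The path is a hypothetical old system drive, as in the post above.
Test-TakeOwnershipExtension | Format-Table -AutoSize
# 'D:\OldDrive\Users\someone' | Grant-AdminFullControl
```

The same warning the post gives applies: pointed at a system directory this rewrites owner and ACLs recursively, and nothing here undoes it.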





#3 satyricon11

satyricon11

    Initiate

  • Quark
  • 29 posts

Posted 01 October 2017 - 01:49 PM

Thanks I appreciate it!



#4 Jeruselem

Jeruselem

    Guru

  • Atomican
  • 14,103 posts
  • Location: Not Trump-Land

Posted 02 October 2017 - 04:59 PM

Makes me curious why one needs ring level 0 on Windows in the first place.


MTM NBN with FTTP/FTTH, FTTN, FTTC/FTTdp, HFC and Satellite. Buffering included


#5 Rybags

Rybags

    Immortal

  • Super Hero
  • 35,098 posts

Posted 02 October 2017 - 07:09 PM

Generally you don't.  Any self-respecting modern multitasking OS has system routines that perform high security functions on your behalf, and security definitions take care of controlling what users and groups can do what.



#6 SquallStrife

SquallStrife

    Really knows where his towel is

  • Atomican
  • 17,939 posts

Posted 17 November 2017 - 09:34 AM

satyricon11, on 30 September 2017 - 01:21 PM, said:

Hey guys, so I'm messing around with a copy of Windows 7, Metasploit, and the Python programming language. I've noticed that even after I've got NT/AUTHORITY access on a machine, there are still certain things that I can't do. After doing some research I found out that even with superuser access, I may not be in the correct "privilege ring" to accomplish what I want, i.e. forcing the computer to stop system-critical programs, delete certain files, etc.
 
So my thought here is, knowing that the smss.exe process is responsible for starting the kernel and user modes and loads the registry, what if I created a registry key that lets me interact with a custom python script. Would it inherit the same privs/rights as smss.exe? Does anyone have any thoughts or recommendations?
 
BTW, I know that me wanting to delete or stop system critical files is ridiculous. As stated above, this is all in a VM on my PC and is all proof of concept and me goofing off.


Presuming you have disabled UAC?

With it enabled, it doesn't matter what account your session is identified with (yes, even SYSTEM), you don't have escalated privileges without invoking UAC.

Google "UAC split token".

Edit: OK, I re-read what you're asking a few more times.

Under normal conditions, the kernel will only allow digitally signed code to run in ring 0. This is by design.

You've reached the level where you need to use exploits to get your code executed. No normal mechanism is going to allow you to do this, short of, perhaps, disabling driver signing enforcement with BCDedit or similar, self-signing your payload, and deploying it as a kernel mode device driver.

Edited by SquallStrife, 17 November 2017 - 01:53 PM.

[retro swim] | @retroswimau | +RetroSwim
I'm waiting for half past four!
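The two things SquallStrife points at, the UAC split token and driver signing enforcement, can both be inspected from the session in question rather than guessed at. The following is an added example, not code from the thread: it parses `whoami /groups` to report the token's integrity level and whether BUILTIN\Administrators is present as a real group or only as a deny-only SID (the filtered half of the split token), compares that with the answer `WindowsPrincipal.IsInRole` gives, and then reads the boot configuration to see whether test signing has been switched on, which is what `bcdedit /set testsigning on` does. The function names are my own; `bcdedit` needs an elevated prompt.

```powershell
# Added example: inspect the UAC token state and the driver-signing boot policy.
# Function names (Get-UacTokenState, Get-BcdFlag, Get-DriverSigningState) are this
# example's own, not from the thread.

function Get-UacTokenState {
    # whoami /groups lists every group SID in the current token, including the
    # integrity label (S-1-16-*) and groups flagged "Group used for deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    $integrity = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $admins    = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)

    [pscustomobject]@{
        User              = $id.Name
        IsSystem          = $id.IsSystem
        IntegrityLevel    = if ($integrity) { $integrity.'Group Name' } else { 'unknown' }
        AdminGroupInToken = [bool]$admins
        # A filtered (non-elevated) admin token still carries the Administrators SID,
        # but marked deny-only, so it grants nothing.
        AdminDenyOnly     = [bool]($admins -and $admins.Attributes -match 'deny only')
        # IsInRole ignores deny-only SIDs, so this is the effective answer.
        Elevated          = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Get-BcdFlag {
    # Return the value of one element from 'bcdedit /enum' output; an absent
    # element means the default, which for the signing-related flags is off.
    param([string[]] $Lines, [string] $Name)
    foreach ($l in $Lines) {
        if ($l -match "^\s*$Name\s+(\S+)\s*$") { return $Matches[1] }
    }
    return 'No'
}

function Get-DriverSigningState {
    $lines = bcdedit /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed (run from an elevated prompt): $($lines -join ' ')"
    }
    [pscustomobject]@{
        # 'Yes' is what an English Windows prints; other locales localise the value.
        TestSigning       = (Get-BcdFlag $lines 'testsigning')       -eq 'Yes'
        NoIntegrityChecks = (Get-BcdFlag $lines 'nointegritychecks') -eq 'Yes'
    }
}

Get-UacTokenState
Get-DriverSigningState
```

Run it twice, once from a normal prompt and once from one started with "Run as administrator": the user name is the same both times, but the integrity level moves from Medium to High and `AdminDenyOnly` flips to `Elevated`, which is the split token made visible. With `TestSigning` reporting `$true` the machine will accept a driver signed with your own test certificate, which is the route the post describes for getting code into ring 0 without an exploit.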




