
Windows 7 Privilege Escalation

Python metasploit smss.exe


#1 satyricon11 - Initiate (Quark, 29 posts)

Posted 30 September 2017 - 01:21 PM

Hey guys, so I'm messing around with a copy of Windows 7, Metasploit, and the Python programming language. I've noticed that even after I've got NT/AUTHORITY access on a machine, there are still certain things that I can't do. After doing some research I found out that even with superuser access, I may not be in the correct "privilege ring" to accomplish what I want, i.e. forcing the computer to stop system-critical programs, delete certain files, etc.

 

So my thought here is, knowing that the smss.exe process is responsible for starting the kernel and user modes and loads the registry, what if I created a registry key that lets me interact with a custom python script. Would it inherit the same privs/rights as smss.exe? Does anyone have any thoughts or recommendations?

 

BTW, I know that me wanting to delete or stop system critical files is ridiculous. As stated above, this is all in a VM on my PC and is all proof of concept and me goofing off.

 



#2 Rybags - Immortal (Super Hero, 35,338 posts)

Posted 30 September 2017 - 03:03 PM

There's a shell extension called "Take ownership" which you might want to put in, it can be helpful at times.  OK, it's sufficiently small that I can just post it here.  There's an "add" and "remove" file.

It's not the sort of thing to mess with casually, you could potentially screw a system over royally by using it.

I've used it mainly on Win 7 when getting rid of folders/files remaining on old system drives but wanting to retain some stuff.

 

Not totally relevant to your need but might come in helpful.
As for forking new processes etc off system ones and getting inherited security attributes, not sure that'd work.

Also, the "not authorized" etc messages are usually pretty generic and the Task Manager and similar utilities stop you from killing certain things for your own protection.

 

Call this one "Take ownership - install.reg"

Windows Registry Editor Version 5.00

;Created by Vishal Gupta for AskVG.com

[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take ownership"
"HasLUAShield"=""
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take ownership"
"HasLUAShield"=""
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Call this one "Take ownership - uninstall.reg"

Windows Registry Editor Version 5.00

;Created by Vishal Gupta for AskVG.com

[-HKEY_CLASSES_ROOT\*\shell\runas]

[HKEY_CLASSES_ROOT\*\shell\runas]
@=""
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[-HKEY_CLASSES_ROOT\Directory\shell\runas]
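An added example, not part of Rybags' post or of the AskVG .reg files: a PowerShell audit that walks the same HKCR\*\shell and HKCR\Directory\shell keys the two .reg files write to and flags any verb whose command runs takeown or icacls. It is the check you would run to see whether the extension (or anything shaped like it) is present on a machine, or to confirm the uninstall file really put the keys back. It only reads the registry, so it works from a non-elevated prompt; PowerShell 3.0 or later is assumed for the [pscustomobject] syntax, and the key paths are the ones from the .reg files above.

```powershell
# Added example (not code from the thread): enumerate context-menu verbs under the
# keys the "Take ownership" .reg files touch and flag ownership-changing commands.
function Get-ShellVerbCommand {
    # Same two roots the .reg files write to; Registry:: with -LiteralPath so the
    # literal "*" key name is not treated as a wildcard
    $roots = @('Registry::HKEY_CLASSES_ROOT\*\shell',
               'Registry::HKEY_CLASSES_ROOT\Directory\shell')

    # Substrings that mark a verb as rewriting ownership or ACLs (constructed list)
    $suspect = @('takeown', 'icacls', 'cacls')

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($verb in Get-ChildItem -LiteralPath $root) {
            # Each verb's action lives in its "command" subkey
            $cmdKey = $verb.PSPath + '\command'
            if (-not (Test-Path -LiteralPath $cmdKey)) { continue }

            $props = Get-ItemProperty -LiteralPath $cmdKey
            # Both the default value and IsolatedCommand are set by the install file
            foreach ($value in @($props.'(default)', $props.IsolatedCommand)) {
                if (-not $value) { continue }
                $hit = $suspect | Where-Object { $value -like "*$_*" }
                [pscustomobject]@{
                    Key     = $cmdKey -replace '^.*Registry::', ''
                    Verb    = $verb.PSChildName
                    Command = $value
                    Flagged = [bool]$hit
                }
            }
        }
    }
}

Get-ShellVerbCommand | Format-Table -AutoSize
```

With the install file applied, both the "*" and "Directory" runas verbs show Flagged = True; after the uninstall file, the "*" verb is back to the plain "\"%1\" %*" command and the Directory verb is gone from the listing.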





#3 satyricon11 - Initiate (Quark, 29 posts)

Posted 01 October 2017 - 01:49 PM

Thanks I appreciate it!



#4 Jeruselem - Guru (Atomican, 14,473 posts, Location: Not Trump-Land)

Posted 02 October 2017 - 04:59 PM

Makes me curious why one needs ring level 0 on Windows in the first place.


DOWN DOWN, the Dow Jones is DOWN.

DOWN DOWN, the ASX is DOWN.


#5 Rybags - Immortal (Super Hero, 35,338 posts)

Posted 02 October 2017 - 07:09 PM

Generally you don't.  Any self-respecting modern multitasking OS has system routines that perform high security functions on your behalf, and security definitions take care of controlling what users and groups can do what.



#6 SquallStrife - Really knows where his towel is (Atomican, 18,004 posts)

Posted 17 November 2017 - 09:34 AM

> satyricon11 wrote:
>
> Hey guys, so I'm messing around with a copy of Windows 7, Metasploit, and the Python programming language. I've noticed that even after I've got NT/AUTHORITY access on a machine, there are still certain things that I can't do. After doing some research I found out that even with superuser access, I may not be in the correct "privilege ring" to accomplish what I want, i.e. forcing the computer to stop system-critical programs, delete certain files, etc.
>
> So my thought here is, knowing that the smss.exe process is responsible for starting the kernel and user modes and loads the registry, what if I created a registry key that lets me interact with a custom python script. Would it inherit the same privs/rights as smss.exe? Does anyone have any thoughts or recommendations?
>
> BTW, I know that me wanting to delete or stop system critical files is ridiculous. As stated above, this is all in a VM on my PC and is all proof of concept and me goofing off.


Presuming you have disabled UAC?

With it enabled, it doesn't matter what account your session is identified with (yes, even SYSTEM), you don't have escalated privileges without invoking UAC.

Google "UAC split token".

Edit: OK, I re-read what you're asking a few more times.

Under normal conditions, the kernel will only allow digitally signed code to run in ring 0. This is by design.

You've reached the level where you need to use exploits to get your code executed. No normal mechanism is going to allow you to do this, short of, perhaps, disabling driver signing enforcement with BCDedit or similar, self-signing your payload, and deploying it as a kernel mode device driver.

Edited by SquallStrife, 17 November 2017 - 01:53 PM.

Waiting for half past four!
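An added example, not from SquallStrife's post: a PowerShell snippet that reports which token the current session actually holds, so the "UAC split token" point can be seen directly. Run it from the same admin account twice, once in an ordinary PowerShell window and once in one started with "Run as administrator", and compare the two outputs. It uses only .NET's WindowsIdentity and the built-in whoami command; an English Windows (whoami's column names are localised) and PowerShell 3.0 or later are assumed, and the SIDs and privilege names are standard Windows values.

```powershell
# Added example (not code from the thread): summarise the token of the current session
function Get-TokenSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the full token is in use. On the filtered (UAC-restricted)
    # half of an admin's split token this is False even though the user is an admin.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists each group with its attributes. On the filtered token the
    # Administrators group (S-1-5-32-544) is still present but "Group used for deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }   # integrity level row
    $adminAttr = 'not a member'
    if ($admins) { $adminAttr = $admins.Attributes }

    # Privileges behind the OP's goals: stopping protected processes needs SeDebugPrivilege,
    # takeown needs SeTakeOwnershipPrivilege. Even on a full admin token they are listed
    # as Disabled until the calling program enables them.
    $privs  = whoami /priv /fo csv | ConvertFrom-Csv
    $wanted = 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege'
    $privState = ($privs |
        Where-Object { $wanted -contains $_.'Privilege Name' } |
        ForEach-Object { '{0}={1}' -f $_.'Privilege Name', $_.State }) -join '; '
    if (-not $privState) { $privState = 'neither present' }

    [pscustomobject]@{
        User             = $identity.Name
        IsSystem         = $identity.IsSystem
        Elevated         = $elevated
        AdministratorsIs = $adminAttr
        IntegrityLevel   = $label.'Group Name'
        Privileges       = $privState
    }
}

Get-TokenSummary | Format-List
```

In the non-elevated window the same user shows Elevated = False, the Administrators group marked "Group used for deny only", a Medium integrity level and neither privilege present; the elevated window shows Elevated = True, High integrity, and both privileges listed (Disabled). That difference, not the account name, is what decides whether a "not authorized" error appears.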

#7 ArchangelOfTheLamb - Learner (Quark, 39 posts)

Posted 14 February 2018 - 03:43 PM

The registry entries suggested by Rybags should work and will likely persist across reboots (at least until your next malware scan or Windows update).

Another option is to try running a Meterpreter exe as an administrator, logging into the Meterpreter shell and using getsystem to privilege escalate to NT AUTHORITY\SYSTEM and then either migrate to smss.exe's PID or steal its token using steal_token. Superuser access should theoretically allow you to do all this. Then just drop back into a shell and do as you please. 😀

You might also want to try the StickyKeys hack - this is a cheap & dirty one but it works up to Windows 7. Get NT AUTHORITY and robocopy cmd.exe over sethc.exe in a CMD shell. Then reboot. Access the machine either physically or via RDP (make sure to enable it and open the port, etc). Then hit Shift 5 times quickly and voila - you will get a command prompt which is not constrained by the local security policy, which loads after login.

Have fun! 😁

> SquallStrife wrote:
>
> > satyricon11 wrote:
> >
> > Hey guys, so I'm messing around with a copy of Windows 7, Metasploit, and the Python programming language. I've noticed that even after I've got NT/AUTHORITY access on a machine, there are still certain things that I can't do. After doing some research I found out that even with superuser access, I may not be in the correct "privilege ring" to accomplish what I want, i.e. forcing the computer to stop system-critical programs, delete certain files, etc.
> >
> > So my thought here is, knowing that the smss.exe process is responsible for starting the kernel and user modes and loads the registry, what if I created a registry key that lets me interact with a custom python script. Would it inherit the same privs/rights as smss.exe? Does anyone have any thoughts or recommendations?
> >
> > BTW, I know that me wanting to delete or stop system critical files is ridiculous. As stated above, this is all in a VM on my PC and is all proof of concept and me goofing off.
>
> Presuming you have disabled UAC?
>
> With it enabled, it doesn't matter what account your session is identified with (yes, even SYSTEM), you don't have escalated privileges without invoking UAC.
>
> Google "UAC split token".
>
> Edit: OK, I re-read what you're asking a few more times.
>
> Under normal conditions, the kernel will only allow digitally signed code to run in ring 0. This is by design.
>
> You've reached the level where you need to use exploits to get your code executed. No normal mechanism is going to allow you to do this, short of, perhaps, disabling driver signing enforcement with BCDedit or similar, self-signing your payload, and deploying it as a kernel mode device driver.

Yeah UAC is a bit like SELinux and other mandatory access control systems - your privileges are not solely dependent on your UID - you also need a valid token for the task you want to perform. As correctly noted, executing in Ring 0 requires signed code or an exploit as well as System. Having said that, tokens can be split and stolen - Google, DuckDuckGo, Metasploit Unleashed and ExploitsDB might be helpful.

However, I am pretty sure UAC doesn't kick in fully until after login, so the StickyKeys hack is not a bad one to try. I personally have not tried messing around with Ring-0-only system files using this hack (when pen testing the plan generally isn't to completely screw up the system), but if you do try it let me know how you go. I might even spin up some VMs and give it a go myself tomorrow!

"Be not forgetful to entertain strangers: for thereby some have entertained angels unawares." Hebrews 13:2

"These sayings are faithful and true: and the Lord God of the holy prophets sent his angel to shew unto his servants the things which must shortly be done." Revelation 22:6

"And, behold, I come quickly; and my reward is with me, to give every man according as his work shall be. I am Alpha and Omega, the beginning and the end, the first and the last. Blessed are they that do his commandments, that they may have right to the tree of life, and may enter in through the gates into the city." Revelation 22:12-14

"I Jesus have sent mine angel to testify unto you these things in the churches. I am the root and the offspring of David, and the bright and morning star." Revelation 22:16


#8 Rybags - Immortal (Super Hero, 35,338 posts)

Posted 14 February 2018 - 03:55 PM

The one I suggested is persistent.  It's sufficiently powerful and could easily make a system unusable by putting the wrong attributes on system files which is why the remove option is included.

Though Windows 10 in fact has very similar capability built in.



#9 ArchangelOfTheLamb - Learner (Quark, 39 posts)

Posted 16 February 2018 - 10:53 AM

> Rybags wrote:
>
> The one I suggested is persistent.  It's sufficiently powerful and could easily make a system unusable by putting the wrong attributes on system files which is why the remove option is included.
>
> Though Windows 10 in fact has very similar capability built in.

Yeah it would be persistent across reboots, etc - what I meant though was that it might not persist across Windows updates or security software updates if said updates affect the registry. The particular keys you're altering are ones that could be relevant to MS's security updates; hence they are more likely to be overwritten during system updates than your average registry key. They might also be "fixed" if, say, the PC crashes and Windows does its auto repair thingy. ;-)

Edited by ArchangelOfTheLamb, 16 February 2018 - 10:55 AM.



#10 Rybags - Immortal (Super Hero, 35,338 posts)

Posted 16 February 2018 - 11:27 AM

It's just a shell extension, so it only makes it easier to do what you could by opening a CMD window.  Though I imagine that if you're not running as an admin it probably wouldn't work.



#11 ArchangelOfTheLamb - Learner (Quark, 39 posts)

Posted 16 February 2018 - 11:49 AM

> Rybags wrote:
>
> It's just a shell extension, so it only makes it easier to do what you could by opening a CMD window.  Though I imagine that if you're not running as an admin it probably wouldn't work.


It wouldn't - even Windows 7 only allows admins to change group memberships and use certain shell extensions.

Mind you from what I gather from the OP, he has already got NT AUTHORITY\SYSTEM, which has even more privileges than just any admin. ;-)

One thing I am interested in (which I am going to test when I get around to it) is whether you can privilege escalate your way to "TrustedInstaller" and what level of access that gives you. Just from looking at file permissions, it seems to me that TrustedInstaller might have even better tokens than SYSTEM!

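An added defender-side check, not code from ArchangelOfTheLamb's or Rybags' posts, that ties together two points from the thread: the sethc.exe swap mentioned in post #7 and the TrustedInstaller ownership remark in post #11. It compares sethc.exe against cmd.exe by SHA-256, checks the OriginalFilename in its version resource (which survives a robocopy), and reports the file owner, which on a clean install is NT SERVICE\TrustedInstaller and which takeown (as used by the .reg extension earlier in the thread) rewrites to the caller. A default %SystemRoot% layout, an English Windows and PowerShell 3.0 or later are assumed; the hashing is done with .NET so it does not depend on Get-FileHash.

```powershell
# Added example (not code from the thread): verify sethc.exe has not been swapped for
# cmd.exe and is still owned by TrustedInstaller.
function Get-Sha256Hex([string]$Path) {
    # Plain .NET hashing so the script does not need the Get-FileHash cmdlet
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

function Test-Sethc {
    param(
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')   # default layout assumed
    )
    $sethc = Join-Path $System32 'sethc.exe'
    $cmd   = Join-Path $System32 'cmd.exe'
    $findings = @()

    # 1. A swapped sethc.exe is literally a copy of cmd.exe, so the two hashes match
    if ((Get-Sha256Hex $sethc) -eq (Get-Sha256Hex $cmd)) {
        $findings += 'sethc.exe is byte-identical to cmd.exe'
    }

    # 2. The version resource is copied with the file: the genuine binary reports
    #    sethc.exe, a copied cmd.exe reports Cmd.Exe (-ne is case-insensitive)
    $orig = (Get-Item -LiteralPath $sethc).VersionInfo.OriginalFilename
    if ($orig -ne 'sethc.exe') {
        $findings += "OriginalFilename is '$orig', expected sethc.exe"
    }

    # 3. takeown changes the owner; a clean system file is owned by TrustedInstaller,
    #    which is why even SYSTEM cannot overwrite it without taking ownership first
    $owner = (Get-Acl -LiteralPath $sethc).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "owner is '$owner', expected NT SERVICE\TrustedInstaller"
    }

    [pscustomobject]@{
        Path     = $sethc
        Owner    = $owner
        Tampered = ($findings.Count -gt 0)
        Findings = ($findings -join '; ')
    }
}

Test-Sethc | Format-List
```

On an untouched VM all three checks pass and Tampered is False; after the swap described in post #7 the hash and OriginalFilename checks both fire, and the owner check fires as soon as takeown has been run on the file, whether or not the copy happened. The built-in sfc /verifyfile=%SystemRoot%\System32\sethc.exe gives an independent answer against the component store.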





