SRP - basic user hacka-lacka

Discussion in 'other software & services' started by Sully, Jan 23, 2009.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    In interest of just being strange, I have been playing around with using SRP in different ways. Here is something I came up with, maybe not original, but it works none-the-less.

    Can someone with more knowledge than I give some feedback on wether or not this is 'secure'?

    Start by enbling the secondary logon service and starting it.

    Next, create the file BasicUser.reg and paste this into it. Save it and merge it.
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "Levels"=dword:00020000
    Go to c:\windows\system32 and make a copy of explorer.exe, naming it uexplorer.exe, making the copy also in system32.

    Next, create the basic SRP policies (I used secpol.msc).
    In the Enforcement Properties of the SRP, choose to apply the policy to All Users.
    In additional rules, make a path rule (with no path) for uexplorer.exe. Set the permission for this rule to Basic User.

    Log off, log on. Policy should now be active. You can check it (assuming you are an admin) by starting uexplorer.exe, and then attempting to delete a file/folder from c:. It should pause and then tell you there are no permissions to do this. Good. Moving on.

    Go and get this program, cpau from here
    http://www.joeware.net/freetools/tools/cpau/index.htm

    Now you need to make a project folder. I just used root c: for mine, but you can make one. Extract the file cpau.exe to your project directory.

    Next you need to make some files (in the project directory). Name them as below and put the correct text in each one.

    Admin_Shell.reg
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    
    "Shell"="Explorer.exe"
    User_Shell.reg
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    
    "Shell"="Uexplorer.exe"
    Admin_Shell.bat
    Code:
    taskkill /F /IM uexplorer.exe
    reg import Admin_shell.reg
    start explorer.exe
    User_Shell.bat
    Code:
    taskkill /F /IM explorer.exe
    reg import User_shell.reg
    start uexplorer.exe
    aShell.bat
    Code:
    cpau -dec -file Admin_shell.job -wait -c -lwp
    
    exit
    uShell.bat
    Code:
    cpau -dec -file User_shell.job -wait -c -lwp
    
    exit
    Crypt_Shells.bat
    Code:
    cpau -u username -p password -ex Admin_shell.bat -enc -file Admin_shell.job
    
    cpau -u username -p password -ex User_shell.bat -enc -file User_shell.job
    Once you have made these, run Crypt_Shells.bat. This will create 2 .job files, which are just encrypted runas statements for the 2 bat files.

    ** be sure to put your username and password in the Crypt_Shells.bat file or it will not work **

    Now, run uShell.bat. If it works correctly it should close explorer.exe, and open uexplorer.exe, only it will be open as a Basic User. Then the reverse can be done by running aShell.bat, where uexplorer.exe is closed and explorer.exe is opened, giving back admin privelages.

    What I am not sure of here is just what inherits the shells permissions. I know file and directory operations do. I am hoping drivers that are loaded etc, will remain with thier started credentials, thus using this one could easily drop into a standard USER account without having to have a seperate profile made for each admin and user. Not that most of us don't have more than one profile anyway. But the thing is, using SuRun, I run into apps like unlocker or rivatuner, where they need admin privelages, and I don't really want to go without them.

    The other bonus of this, if it is deemed 'secure', is that it is pretty easy to do. Other methods might be more robust, but this is just playing around anyway.

    Any thoughts?

    Sul.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hi Sully

    I must admit you come up with some really DIFFERENT formulations for SRP that is UNIQUE indeed.

    BTW, i always manually go to the registry in Local_Machine, Policies, Windows, Safer, Code Identifiers and always create the "Basic User" as your reg file can do.

    What is unique is the pattern you are using then reviewing the results of it.

    Keep it up, i like your imagination and the ideas that spring from it.

    EASTER
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, different at the least lol.

    The thing is, using LUA is not going to work for everyone, and not because it is difficult or cumbersome. It has been shown that apps like SuRun can make LUA very much available for everyone.

    No, the problem is the software and drivers that are made based of the default security settings for XP machines, which we all know is admin. Granted that perhaps some require admin rights because of low level functions.

    So I personally struggle to find a way to exist in a LUA environment, while not breaking certain functionality that I don't want to lose.

    I have looked for a way to start drivers with alternate credentials, especially with SuRun, but found no way. Short of logging into an admin account first, then logging into the LUA, as the only way to make it work.

    This way, while I am still experimenting, lets me log in as normal, all things load that need to, then using SRP my account is basically switched to a LUA. But, I am not tested enough yet to see how deep the inheritance goes. Because the shell (uexplorer in this case) is loaded as Basic User, how deep is that?

    That is the purpose of this thread. Hopefully for those that do a lot of malware type testing, to find out how it fares.

    Thanks for the reply Easter.

    Sul.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Some more testing. I wanted to try some generic tests, like the eicar virus one. But without anything other than this contorted version of SRP. I found these two items
    http://www.misec.net/trojansimulator/

    http://www.filetransit.com/download.php?id=61632

    I don't know just how accurate they are, but they do represent and easy way to test. Anyone with better tests, please do post some links or pm me.

    Anyway, within a vmWare XP SP2 box, I performed the SRP mod as listed above. I disabled the nic. I switched over to the uExplorer.exe shell. I tried to delete/rename a file on root using windows explorer and cmd prompt. Access was denied in both cases.

    Next I started cmd using secondary logon (runas), and deleted and renamed files on root. In runas I used my account I logged on with, believe that or not.

    Next, I ran the trojan simulator. It failed. Then I ran trojan simulator with a runas, and it succeeded.

    Next I tried to install the SecurityTest but failed. I installed it with a runas. I ran the SecurityTest, not running the hacking portion. The virus tests all failed (meaning good). I ran the spyware test, and 2 of 3 succeeded exploit. Not good.

    Next I ran the same SecurityTest but with a runas. It all succeeded. Not good, not good at all.

    In interest of using something simple to catch the issues that were getting through on the spyware end of things, I installed CyberHawk 1113. Rebooted and ran SecurityTest again. This time, the virus tests were failed again, but no prompts from CH at all. When the spyware tests were ran, 2 prompts were reported. CH actually terminated the test completely when I chose deny as the option. When choosing deny only for the second prompt, the test did not terminate, but all spyware exploits failed. Meaning.. good. I think anyway.

    So, it would appear, that one can have an existing admin account, and use my method above. Log in to your desktop as normal. Run the batch file above and start the shell with demoted rights. Still using the same login. Run anything (so far) and it is all inheriting the Basic User rights. You can still use a RunAs, with the existing account you logged in with (hard to believe), and now you have admin rights on that process again.

    I don't honestly know quite what to make of it yet. Whether it is robust enough to actually use, and whether or not it is really secure. Simple testing thus far indicates that it is.

    Next, I will mess with drivers that need admin mode to properly start, and see if they stay in an admin state when dropping to a shell with only Basic User rights.

    Sul.
     
  5. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Interesting thread (and hack) Sully. :thumb:
    Looking forward to your next set of test results :D
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Sully?

    Because of the foot dragging on TF via PCTools aka former Novatix CyberHawk it left me with no other alternative. Now CyberHawl 1.1.1.3 is a vicious DLL catcher and terminator but because it was one of the early models it is limited in scope of just what it can round up as a Behavoral Blocker. That's why i like to use it though for strickly if nothing else to catch DLL injections because it is lighning quick to grab them. One other note: 1.1.1.3 if it ever fails at all to alert as normal, use the ch installeR (NOT ADD/REMOVE PROGRAM APPLET), and do a CH REPAIR to fix it, and it will regain it's functions again. A small glitch i discovered while teaming it with EQS and other security apps. Doesn't happen often, but can happen nonetheless, so just a heads up there on that.

    EASTER
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thanks for the interest zopzop. You will like what I have done now.

    Easter, thanks for that tip with CH. I have not seen that, but then again, it is so rare it pops up anyway. Usually does when I am testing a new script or such stuff.

    I decided to make this a bit more painless. I have made a program to do all the functions the batch files were doing. I will explain that in a sec.

    Now, testing shows that apps like Unlocker are still not going to be usable with this hack. Unlocker, in this case, requires debug rights for the user. Admins have that, users do not. It defeats the purpose of being a user, because debug rights introduce a vector of possible exploit.

    I have tested more areas, like the registry and many directories. I have tested inheritance towards child processes. So far, everything inherits the shells rights. Command prompt inherits it as well. I have yet to test it with drivers that require admin mode, like RivaTuner. I will do that next.

    I made a quick context menu to use runas, and it works as expected. I coded up a quick drop box to drop .exe's to, for instance games that require admin rights. It works this way too.

    Now for my program. Rather than use all those reg and bat files, and use a 3rd party tool for using runas with encryption, I did it myself.

    A single .exe, that makes copies of explorer.exe, creates the reg values for SRP's 'Basic User' and changes the default shell to one of the 2 copies I made. I made aExplorer.exe for admin use, and uExplorer.exe for user use. I could have input the SRP rules, but decided against it, as I cannot guarantee I can make a GUID that will not be in use on another computer.

    I needed a way to garner the user's administrator username and password, in order that the user shell might be able to get back to being an admin. A reg modification in a restricted area is required for that. Rather than use something like cpau, I wrote my own. Initially it was set into an .ini file, but I got to thinking, maybe it would be nice to have it as an environment variable. So I gave the option. Setting the encrypted username and password as an environment variable does require a logoff to reset the environment.

    You can change the username and password by starting the .exe and passing the parameter /pass or -pass. This will delete either the .ini or environment variables, and make a new one, depending on your choise.

    I also included the option to uninstall, using the /remove or -remove parameter. These parameters do need to be passed from runbox or command prompt BTW. The uninstall removes the ini and environment variables, replaces the reg value so that explorer.exe is the default shell, restarts to the default shell, and removes the 2 copies of explorer.

    One little bug, when removing, a logoff is required to reset the environment. However, when you choose to logoff, it starts logoff but stops with the background visible. A quick three finger salute (Ctrl+Alt+Del) and then choosing logoff finishes the job. I have not tracked down yet what is occuring there.

    One other thing. In order for this to work, the service SecondaryLogon must be running. The program checks for this service and informs you if it is not running.

    That is it. Download it and try it out. I have it running now on a TeamSpeak server, using only this, IPSec and windows firewall. Behind a router too. So far, I cannot breach it with brute force scanners even from inside the local network. Not that that means much lol.

    Here is the link
    http://www.filesend.net/download.php?f=c76f9602753d0d4202823a802b9fe83f

    What I like about this method is that you just run my app, set up a quick SRP rule, and then toggle between user and admin shell mode. No new profiles to create, and as a bonus, when in user mode, you can still runas yourself. Go figure.

    Good luck to any testers. Consider this beta v1. And please do bear in mind, as you pause for 3 seconds between shells, that this could be much quicker, but I wanted the beta to visually indicate what is happening.

    Sul.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    To any who try my program, let me know what you think about running with aExplorer.exe as your shell instead of explorer.exe. I have seen a few minor inconveniences with it. I wonder if other programs will give wierd issues because they expect explorer.exe. I don't remember now why I chose to rename the default shell to aExplorer. I will examine it again and see if I can't just use explorer and uexplorer.

    Sul.

    EDIT: I remembered why I chose not to use explorer.exe as the admin shell. When switching shells, it is needed to end process explorer.exe. Since I know of no way to get the correct explorer process if more than one is open, it was either close them all or look for a specific. So I used aExplorer instead, to ensure the shell closes without closing other instances of explorer, which are windows explorer instances.
     
    Last edited: Jan 27, 2009
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I spent a little more time coding up a drop box for items when running as a basic user. This seems to work in my SRP hack, SuRun, or pretty much anywhere that you are a restricted user, as long as you have an admin account. In this beta version, you pass the admin username and password again this time only into an .ini and it is encrypted there. Then you run the program, drop a shortcut or .exe onto the drop zone, and it runs it with the elevated privelages of your admin account.

    I also put in a context menu on the title bar. You can add to the registry, context menu items for all files, folders, control panel and cmd prompt. Be sure you set those from your admin account because a users' rights do not grant chaning those registry areas. This context menu is also how you set your username and password into the .ini file.

    This is beta, but seems to work well so far.

    Preliminary tests on driver mode items with the SRP hack seem to work. As an admin logging on, in this case RivaTuner's driver is loaded. Running the shell then as a user does not appear to unload the driver, as the environment is not changed underneath the shell. More tests need to be done. I did notice that it is possible to toggle to the user shell, and then try to shutdown. A default install, the user only has the option of logging off. If you Ctrl+Alt+Del then you can choose to shutdown. When rebooting, SRP appears to start the shell as a user still. Just using the button to shutdown or the Alt+F4 key only allows a logoff, so it seems to be a good indicator that you should toggle back to admin shell. I will have to play yet and see what happens to drivers that start like this, to see how they are affected.

    Here is the drop zone program
    http://www.filesend.net/download.php?f=d3f95a51fa9fa8cda93cd7ba35bf443e

    Next I think I will try my hand at some exe to service integration. I know I can do it with srvany.exe, but I think there are a couple other ways to try out. It may work that by starting certain things as a service, you can pass system or admin credentials, and bypass the issue with running as a basic user. We shall see.

    Sul.

    EDIT: I forgot to mention, not everything dropped will run. I believe it is only if there is a known file type extention for the file in question will it run. In other words, if you drop a .exe,.bat, .txt etc, it is known by the OS what app to actually start the file with. If you drop a .geek file onto it, if the file type is not registered, it does not know what to start it with. Still playing with the routines to garner all known filetypes.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    While there are many commercial tools that can run a program as a service, I have been playing with 2 free ones. One is srvany, which is a MS tool from the resource kits. I already know how to use this one. I have been playing with how to use sc.exe to create a service that has no 'external' applications running as well (like srvany.exe). Not too successful. Digging into WMI allows me to create the service, basically like using sc.exe, but still, without resorting to a wrapper like srvany.exe, service control just does not always work. I have found a c snippet to cipher out next, hopefully that will produce some better results.

    At this point, for those interested, it might be enough to just use a few tools I found to change the security descriptors of services that are non-compliant in a basic user environment. I will research this and try it out on Unlocker. As I can locate it's driver, perhaps I can modify it so it starts with admin credentials even though it is started/loaded from a user account. Not exactly the direction I thought I was taking.

    RivaTuner has proved difficult to properly integrate into a user environment. the driver itself appears to load properly, but the 2 applications to interface me to the driver do not. I have it working as a service now, but it does not quit work right yet. That is what got me started on possible service security descriptor changes. Actually I even found a tool to set folder and file descriptors, very much like modifying something in the security template to allow users to write/modify to a normally protected directory.

    More to come as time allows. Been running with aExplorer.exe with no problems. The only issue I can report is that Cyberhawk now asks more questions than I have ever seen it do, and all of them revolve around aExplorer.exe doing normal things. Explorer.exe must be hardcoded into it somehow. I wonder if using a renamed shell like this, in normal admin mode without the whole Basic User/SRP thing, could be a way to test different security programs and see what they are made of.

    Sul.
     
  11. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi,

    Greetings for Sully: this thread is awesome!

    For our collection of test softwares:

    System Shutdown Simulator: http://zeroday-software.110mb.com/

    And from site Kay's Mustard ( see thread SuRun ...): demo IAT Hook "(download) blue ...

    Yours PROROOTECT:thumb:
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thanks for the link PROROOTECT. I will try them out tonight hopefully.

    On continued testing (got sidetracked by AppGuard, intersting tool), services continue to require a lot of study. I have a couple methods for running apps as services now, and seem to work for the most part. Still looking at a few aspects.

    But, I found a new little tools that is a dream to use for services so far. Tools like srvany require a 'wrapper' for each .exe started as service. For example, say I started notepad.exe as a service with srvany. Process list would show notepad.exe and srvany.exe (srvany is the wrapper). My progress so far shows that if I had 2 apps, notepad and calc.exe starting as services with srvany, that there would be 2 instances of srvany.exe exising in the process list. I don't exactly like that.

    So I found a new little tool, that only runs one wrapper. I got it to work with 3 apps as services, and the best part, it has a timer setting so that if a service is opted to, it will restart if the .exe is shut down. That is something I could never hack the regsitry to do.

    I will play more with it, and probably start a new thread devoted to that aspect.

    Sul.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That is a neat test. Using runas from my SRP user shell, it does what it is supposed to, get my admin password used in the runas.

    Intersting, that my little Runas drop zone tool, it does not gather it at all. So my tool passes it's first test!

    Sul.
     
  14. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  15. Infinite Luta

    Infinite Luta Registered Member

    Joined:
    Mar 26, 2008
    Posts:
    19
    Location:
    Illinois, USA
    Interesting concept, but you're making it a bit more complicated than it needs to be.

    Rather than using multiple copies of explorer, changing the shell, and relying on SRP to strip the admin rights, couldn't you just use something similar to the DMR approach?

    If you were to use a batch, changing the shell from admin to user would be something like this...
    Code:
    taskkill /F /IM explorer.exe
    DropMyRights explorer.exe
    
    And to get admin rights back...
    Code:
    taskkill /F /IM explorer.exe
    runas /user:Username explorer.exe
    
    Or if you wanted to do it programmatically, instead of DMR you could call the SaferComputeTokenFromLevel() API and use the resulting token with CreateProcessAsUser(). Have a look at DMR's soruce code; It's not very hard to do. Then instead of runas or cpau you could call CreateProcessWithLogonW() directly.

    That way you wouldn't have to worry about how SRP is set or having to change the shell before relaunching explorer. As far as I can tell, it does about the same thing your method does but is a bit less involved so the chances of something going wrong is less.
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. Good food for thoughts here. Part of this started with wanting to let SRP handle it all, rather than a 3rd party app. Part of it to see what happens. Part of it is that the RunAs cannot have a piped password. Much less encrypted. I started with using explorer, but using srp precludes having one shell that is unrestricted and another shell that is restricted. I looked at some other shells, but decided to keep it basic.

    I played with DRM a bit with this. I have not yet finished playing with this long enough to examine DRM code. I know how to use API's somewhat, so it would be possible.

    I will have to digest your thoughts a little more. You gave some good points. Thanks.

    Sul.
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi Sully, interesting - keep 'playing.' Some good advice there,..keep it simple. Btw what was the other little tool besides srvany?
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. With a little inclusion of insurance that the SecLogon service is running, that would be a pretty light setup. Works well enough. One would still have to build a batch file or other script to ensure it is painless with only one icon to dblClick. Too, one could use encrypted password.

    I don't see it is any different that SRP method though. It strips same rights away that SRP does, being a User. The plus side of the DMR approach is the recycling of explorer.exe rather than changing shells. Short of that, a front end would be better than batch, to grab the password and to ensure service is started/enabled. Maybe the only downside is that you have to install it, but that is not a big deal.

    One reason I have been using SRP/Basic User rather than DMR is that with SRP I can set all rules in one place, and don't need any special shortcuts, especially considering the ability for hash rule. That is what turned me off initially. However, running with demoted shell means it does not matter. I will see if SRP rules still hold true while in DMR shell. Could bring up good possibilities, for example, if you needed a certain app to have admin rights, that within SRP you could set path/hash rule for ccleaner or instance to be unrestricted.

    Sul.
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It is XYNTService, from codeproject. It is a very nice tool. It makes up to 127 apps start as services with only 1 process extra, which is about 1.8mb in size. The file itself is 79kb. Cpp I think. Have not looked yet.

    I tried it a lot last night. The .ini file is fairly straight forward. It gives even the ability to have a pause time after it starts, so that you could load up dependencies first, pausing, then load main app. It has a pause time when stopping/unloading too, in case of cleanup operations. You can name your service, like MyTools. You have to set the startup to something other than Auto yourself, that is it's only mode I saw. You can what is called 'bounce' a service instance within the host by passing .exe -b 3, which in this case would stop then restart process3 in the .ini.

    I like it a lot actually. You can name the .exe something else, so my sample I named it MyTools,exe. Then you make .ini same name MyTools.ini. In the .ini you make the service name, again, MyTools. Then you fill up the processes ini style. Add in your pause values, add your preference for interactive, which is usually yes, add in if the 'service' will be restartable or not (a very big big feature IMO), and then you can set the time between service status checks. So after that amount of time, if the service is stopped, it will be restarted.

    You can pass command lines to it for any service
    MyTools.exe -k seclogon (kills)
    MyTools.exe -r seclogon (runs)
    MyTools.exe -b 3 (bounce 3rd process in mytools service)

    Install and unistall is superb.
    Mytools.exe -i
    MyTools.exe -u

    You can copy the exe and rename it and .ini, like this

    MyPubTools.exe
    MyPubTools.ini
    (service name in .ini changed to MyPubTools)
    And now you install
    MyPubTools.ini -i

    And you now have another service, running different processes as services.

    You can use net start xxx or sc start xxx on it.

    Now, there are some downsides to running a process as a service. Let me tell you lol. I take as a great example the superb program RivaTuner. I pipe everything sensor and temp wise into that. Speedfan, cpu, and gpu all show in OSD. I underclock my video card, so it runs cool as possible, yet have it ramp up if I feel the need to frag out. One of my fave apps.

    It however, does not like to run in a user environment. I tried LUA with SuRun, and it gave a lot of problems. I could get it to work by logging into admin first, then logging into LUA. but this was redundant. I stopped using LUA/SuRun because of it. Just something I could not give up. Been doing a lot of SRP/Basic User/Sandboxie stuff instead.

    So with XYNTservice, I got riva to start, but things do not operate correctly. Many apps do, and one very nice bonus of it is that you can use the timings to get your tray loaded in an order you like, at least on bootup.

    I ended up playing with a script that launches the mytools service manually, then waits for processes to exist, then loads rivatuner with just a Run statement. Riva works fine as long as an admin starts it. It stays loaded if you call it from a run statement. However, putting it in startup directory to start, when switching shells anyway, causes it to start again. This can be problematic so my script handles existing processes too.

    While the XYNTservice is something I will most definately be using from now on, it looks like unless I find a way around the rivatuner issue, I will be using this idea of demoting the shell. I like it better than 2 accounts anyway. I will have to see if DMR is any faster/more robust than SRP. So, yes, more playing.

    More than you wanted, but there you have it.

    Sul.
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    After playing with DMR demoting shell in vmWare, looks like I will be building another tool for it. It is just too tempting to do away with the registry writes. I will build up something better for the password encryption though, as I don't really like using MS runas, and I don't want to type in my password. And, I just want one icon, not batch files, to execute.

    I have a new version of the drop zone tool, so I think I will make it use the same encrypted password as the new DMR tool. Might even get ambitious and build a front end for XYNTservice ini creation, who knows.

    All tests that I ran SRP shell through also seem to work for DMR. Have to see yet how other things work.

    Sul.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    An interesting test would be to see how your SRP setup would deal with the conficker/downadup exploit.

    As you know, one attack vector is via USB removable media using an autorun.inf file to launch rundll32.exe to load a DLL. You can simulate this attack by using a DLL not already on your computer, or an earlier version of one.

    I made this test to run on my laptop XP SP1:

    I copied my Win2K version of hmmapi.dll to my USB drive along with this Autorun.inf file:

    Code:
    [autorun]
    shellexecute=rundll32.exe hmmapi.dll,MailToProtocolHandler %1
    
    I enable autorun and connect the drive to my WinXP SP1 laptop.

    If the autorun is successful, the Microsoft HTTP Mail Simple MAPI process is started and Internet Explorer will display:

    hmmapi-load.gif

    If your SRP setup blocks this unauthorized DLL, you will get some alert message. (I don't use SRP, so can't demonstrate)

    While exploits in the past have unpacked a DLL, this is the first that I have seen where the initial executable file itself is a DLL file.

    ----
    rich
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Very nice. I will try that tommorrow at work. Thanks.

    Sul.
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Trying my hand at building my own verion of DMR, with a twist of course. Almost done with my tool to use DMR, as it is much more simple than the alternate shell/ SRP method. Unfortunately, it would appear that an SRP path rule with 'unrestricted', is not unrestricted at all when the shell is only a user. I had hoped that making a rule for say ccleaner.exe in SRP with no restrictions would have meant that a user account starting ccleaner would find it in admin mode. Does not appear so. That would have been nice. I will find the other safer levels for SRP tommorrow and see if there is another that does grant elevated privelages.

    Sul.
     
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I think I will learn some more c. I need more anyway. There are a number of tricks that can be employed in a custom version of DMR. Plus the size is much smaller.

    In the meantime, I have made a tool called DMR_Shell.exe. It uses an .ini file to encrypt ones password for admin, and then toggles the shell into user mode or admin mode, depending which one you are currently in. I also display for 1.5 seconds a small splash to remind you of which you are in.

    Also, I finished a revamp of my RunAs dropper tool. It also uses the same .ini password file. It can be ran as a small window to drop your items onto that will be ran as your admin account, when running in a user account. Right clicking on the small title bar gives the option to make the small window modal or not. In that context menu are also the option for some context menu items, so that you can right click on an item, and then run it as admin without having to drop it to the small window. You will see what I mean if you try it.

    To reset the password data, just delete the .ini, and it will ask for creation when you run it again. If you place both tools in the same directory, they will use the same .ini file.

    In the zip file is the DropMyRights.exe along with the eula.rtf. It would appear that it is legal to disribute it. I would appreciate it if anyone actually reads this, and they see it says otherwise, that they would inform me. Please place the dropmyrights.exe into either windir or sysdir (windows or system32).

    Here is the link.
    http://www.filesend.net/download.php?f=088fc0fcddeb44d875f67f238940a369
    Comments welcome. Please remember this is beta stuff, but it seems to work well in vmWare and my local machine so far.

    Sul.
     
    Last edited: Jan 31, 2009
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    After much playing, I have finally got my system working great. The tool Unlocker and RivaTuner, the main 2 reasons I started this, are very tricky to get working in a LUA environment. Even with SuRun.

    By using SRP with the Basic User option, one can tell any program to start as a user. My thought was since my 2 apps MUST start as an admin to work, that simply including the shell in the SRP list might work. That does not work that simple, as since there is a static rule in place, you cannot state that explorer.exe is a user. You must have an alternate shell, a renamed explorer.exe. This works. But you must set the shell in the registry when you want to switch.

    Infinate Luta gave very sound advice in recommending DropMyRights to do this. DMR uses the exact same method, called SAFER, to demote any process to a user. In this case, just killing the shell and then restarting it with DMR achieves the same thing. There are no registry values to change. The method of getting back to the admin shell does require a RunAs, the only inconvenience.

    Here is where it breaks down though. There are 4 different types of 'profiles' to use with RunAs. Without going into detail, each works a tad bit differently. The common way is just to use the credentials of an admin. You could refer to it as using his profile without actually loading it up. Not really easy concept to describe, yet alone fully understand.

    Regardless, what I have found happens, with no workaround, is this. As one stops the shell from admin, and using DMR starts it again as a user, there are no changes. Everything runs as normal. Some tray icons no longer show up, but the processes still run. It is when you need to use RunAs to get back into the admin shell that it breaks down. MS, in some sort of wisdom I have not yet been revealed, makes the users startup items launch. Because RunAs has no way of saying 'just use this name and pw', it starts things over again.

    Take for instance Speedfan. Great tool. Used it for years. It is in a startup folder or reg start key. Upon entering admin shell again, it dutifully starts up. It does not check for other existence. Some program do. RivaTuner does check it appears, but it does not operate correctly. Items like Intel AudioStudio exhibit similar behaviour.

    The solution is not hard, but I feel very unneeded. I now have speedfan running as a service, thus it loads one time and is not restarted. I made a script that launches RivaTuner if it is not running, and put that in my startup folder. However, this was not enough. I actually had to send a message to stop RivaTuner as I was leaving the user shell, and then when admin shell loaded, that startup script starts it back up. A few other such circumstances were overcome using this methodology.

    This is fine for me, and perhaps fine for many here at Wilders who have that knowledge. But for everyday users? Depending on what is installed on thier systems, it could be very easy to use, or very problematic.

    There are many reasons I started this. One big one was so that when I went to a LAN party, which I have been known to do on occasion, I could ensure I was in a limited environment. The first attempt was with SuRun, and that just did not work. The next attempt with be with this DMRshell method. It will work, but only because I have tweaked everything. Now, I am thinking of re-focusing efforts into making it configure itself for only a LAN party type use. I just don't see everyday peeps effectively using it. But with knowledge of common apps and scenarios used at a LAN party, it could be very effective at reducing one's exposure.

    The tool I have been using with this, originally built to use with LUA and SuRun, I called the drop zone. It is simple a runas drop point or reg vals to add runas context menus, so you don't have to put your username/password in all the time. That works really well. The combination of being able to drop into a user shell while still having the same user account (desktop icons, settings, etc) is a good one. The use of my drop zone tool means no need to create special shortcuts and such shortcomings.

    It is too bad really, as it was much easier than a full blown LUA. I guess you be the judge if you want to try it out. I have a few additions to make to the project, then I will post some semblance of a final version using DMR.

    Later. Thanks to those who replied. BTW, I will be trying my hand at making some sort of method in c++ as well, just to learn some more on the methods.

    Sul.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.