HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
As their names imply, those settings disable the use of CMD.EXE and REGEDIT.EXE.
Those settings are enforced by CMD and REGEDIT themselves, so alternatives such as Console and Registry Workshop still run fine. However, it is not always convenient to bring new applications onto the target system. So, how do we recover the CMD and REGEDIT applications locally?
It would be easy to find the binary checks inside both applications and patch them, but a good pentester is lazier than that.
After making a copy of both applications, it is enough to replace a single character within the "DisableCMD" or "DisableRegistryTools" strings. I really love those stupid tricks :) The question is "how?" ... and surprisingly, the answer is not obvious.
- DEBUG/EDLIN: they won't handle files over 64KB.
- ".COM" application written in pure assembly using DEBUG: cool, but a bit tedious.
- QBASIC application: there is no QBASIC shipped with Windows any more :(
- Notepad/Wordpad: they mess up binary files on write back.
- VBScript: poor at handling binary files.
- VBA inside an Office application: cool, but you need to have Office installed beforehand.
- NTSD: does not support the .readmem/.writemem commands.
C:\> ntsd cmd.exe
(...)
0:000> lm
start    end      module name
4ad00000 4ad64000 cmd        (deferred)
77be0000 77c38000 msvcrt     (deferred)
77ef0000 77f37000 gdi32      (deferred)
7c800000 7c905000 kernel32   (deferred)
7c910000 7c9c7000 ntdll      (export symbols) ntdll.dll
7e390000 7e420000 user32     (deferred)
0:000> s 4ad00000 L 64000 44 00 69 00 73 00 61 00 62 00 6C 00 65 00 43 00 4D 00
4ad14944 44 00 69 00 73 00 61 00-62 00 6c 00 65 00 43 00 D.i.s.a.b.l.e.C.
0:000> e 4ad14944 41
0:000> g
(...)
Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\temp>
I'll be glad if someone comes with another solution :)
Note: surprisingly, the "DisableCMD" string lies within the code (".text") section.
Note for kiosk designers: to prevent users from running arbitrary applications, Software Restriction Policies would scale more easily.
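For the defender's side of the trick above, here is an added example (not code from the original post): a file-integrity check that scans a binary image for the UTF-16LE policy value names and flags copies where a single UTF-16 code unit has been changed, as the "e" command in the ntsd session does. The sample image is constructed inline; the post's "e 4ad14944 41" turns the leading 'D' (0x44) into 'A' (0x41), which is what the sample reproduces.

```python
import re

# Policy values that cmd.exe and regedit.exe look up themselves under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. Both
# binaries carry the value names as UTF-16LE strings, so the one-character
# patch leaves a string exactly one code unit (two bytes) off the original.
POLICY_STRINGS = ("DisableCMD", "DisableRegistryTools")


def _one_unit_off_pattern(name: str) -> "re.Pattern[bytes]":
    """Regex matching the UTF-16LE form of `name` with at most one code unit changed."""
    needle = name.encode("utf-16-le")
    alternatives = []
    for i in range(len(name)):
        head, tail = needle[: 2 * i], needle[2 * i + 2 :]
        alternatives.append(re.escape(head) + b".." + re.escape(tail))
    return re.compile(b"|".join(alternatives), re.DOTALL)


def scan_policy_strings(image: bytes):
    """Return (offset, value_name, decoded_text, status) for every exact or
    one-unit-off occurrence of a policy value name in the file image."""
    hits = []
    for name in POLICY_STRINGS:
        needle = name.encode("utf-16-le")
        for m in _one_unit_off_pattern(name).finditer(image):
            status = "intact" if m.group(0) == needle else "tampered"
            hits.append((m.start(), name, m.group(0).decode("utf-16-le", "replace"), status))
    return sorted(hits)


def classify(image: bytes, name: str) -> str:
    """'intact' if the genuine string is present, 'tampered' if only a one-unit-off
    variant is, 'missing' if neither (the image is probably not that binary)."""
    statuses = {h[3] for h in scan_policy_strings(image) if h[1] == name}
    if "intact" in statuses:
        return "intact"
    return "tampered" if "tampered" in statuses else "missing"


# Constructed sample, not a real cmd.exe: padding, a "DisableCMD" patched as in
# the post ('D' 0x44 -> 'A' 0x41), more padding, an untouched second string.
SAMPLE_PATCHED = (b"\x90" * 32 + "AisableCMD".encode("utf-16-le") + b"\x00" * 16
                  + "DisableRegistryTools".encode("utf-16-le"))

if __name__ == "__main__":
    for offset, name, text, status in scan_policy_strings(SAMPLE_PATCHED):
        print(f"0x{offset:08x} {name:<22} {text!r:<24} {status}")
    print("DisableCMD verdict:", classify(SAMPLE_PATCHED, "DisableCMD"))
```

A hit marked "tampered" in a real binary should be compared against a known-good copy of the same build before drawing conclusions, since other strings one code unit away from a value name are possible.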

6 comments:
Remember your MS-DOS skills...
An easier way to obtain a command prompt is to use the 16-bit command line interpreter "COMMAND.COM", which is not restricted by the "DisableCMD" group policy.
Even if DisableCMD is set to 2 (i.e. users cannot run Cmd.exe and the system cannot run batch files), it is still possible to run commands and batch files using "COMMAND.COM /K instruction".
But I agree that, normally, in a good kiosk-like environment, the COMMAND.COM or NTVDM (16-bit Virtual DOS Machine) components must be removed.
@(not so) anonymous: you are perfectly right :)
Both CMD.EXE and COMMAND.COM tricks are nice to know, because COMMAND.COM might exhibit a slightly different behaviour in some cases (e.g. drag-n-drop support).
Hello,
I tried the trick to get access to Regedit, but I don't understand what 4ad14944 corresponds to. 14944, is that the size of what?
Thanks
See you
@anonymous:
The "lm" command gives the start and end addresses of the "cmd.exe" module:
start    end      module name
4ad00000 4ad64000 cmd (deferred)
Then I search that range for the string "DisableCMD" with the "s" command.
Just do the same with "regedit.exe".
Good luck.
Thanks a lot for your reply!
See you
Re,
Actually, I had misread the command lines...
http://msdn.microsoft.com/en-us/library/ms171369(VS.80).aspx also helped me.
For the record, with regedit.exe you have to search for "regedit" (not regedit.exe) and take the first occurrence as the address.
Thanks again, see you