Monday, January 19, 2009

Pentester trick #7: re-enabling CMD & REGEDIT

There are two settings that system administrators commonly use in "restricted", kiosk-like environments: DisableCMD and DisableRegistryTools, which are both to be found under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

As their names imply, those settings disable the use of CMD.EXE and REGEDIT.EXE.

Those settings are enforced by CMD and REGEDIT themselves. Therefore, alternatives such as Console and Registry Workshop will still run fine. However, it is not always practical to bring new applications onto the target system. So, how do we recover the CMD and REGEDIT applications locally?

It would be easy to find binary checks inside both applications and to patch them, but a good pentester is lazier than that.

After making a copy of both applications, it is enough to replace a single character within the "DisableCMD" or "DisableRegistryTools" strings. I really love those stupid tricks :) The question is "how?" ... and surprisingly, the answer is not obvious.
  • DEBUG/EDLIN: they won't handle files over 64KB.
  • ".COM" application written in pure assembly using DEBUG: cool, but a bit tedious.
  • QBASIC application: there is no QBASIC shipped with Windows any more :(
  • Notepad/Wordpad: they mess up binary files on write back.
  • VBScript: is poor at handling binary files.
  • VBA inside an Office application: cool, but you need to have Office installed beforehand.
  • NTSD: does not support the .readmem/.writemem commands.
In most cases, the best course of action is to run CMD inside NTSD (hint: you can drag-and-drop CMD over NTSD, which is sometimes handy in very restricted "kiosk" modes):

C:\> ntsd cmd.exe
(...)
0:000> lm
start end module name
4ad00000 4ad64000 cmd (deferred)
77be0000 77c38000 msvcrt (deferred)
77ef0000 77f37000 gdi32 (deferred)
7c800000 7c905000 kernel32 (deferred)
7c910000 7c9c7000 ntdll (export symbols) ntdll.dll
7e390000 7e420000 user32 (deferred)

0:000> s 4ad00000 L 64000 44 00 69 00 73 00 61 00 62 00 6C 00 65 00 43 00 4D 00
4ad14944 44 00 69 00 73 00 61 00-62 00 6c 00 65 00 43 00 D.i.s.a.b.l.e.C.

0:000> e 4ad14944 41

0:000> g
(...)
Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\temp>


I'll be glad if someone comes up with another solution :)

Note: surprisingly, the "DisableCMD" string lies within the code (".text") section.

Note for kiosk designers: to prevent users from running arbitrary applications, Software Restriction Policies would scale more easily.
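From the kiosk designer's side, the trick above leaves a recognisable footprint: a copy of cmd.exe or regedit.exe in which the UTF-16LE policy string is no longer intact but a one-code-unit variant of it is. The following scanner is an added example, not code from the original post; it classifies a file image as intact, tampered or missing for the policy string its name implies, and the sample "images" it runs on are constructed byte blobs, not real binaries.

```python
import re
from pathlib import Path

# Registry value names that cmd.exe and regedit.exe check (from the post).
# The binaries store them as UTF-16LE, which is why the ntsd search above
# looks for the byte sequence "44 00 69 00 73 00 ...".
POLICY_STRINGS = {"cmd.exe": "DisableCMD", "regedit.exe": "DisableRegistryTools"}


def utf16le(text: str) -> bytes:
    return text.encode("utf-16-le")


def find_variants(image: bytes, name: str):
    """Return (intact_offsets, tampered_offsets) for one UTF-16LE string.

    A tampered occurrence is one where exactly one UTF-16 code unit differs
    from the expected name, e.g. "AisableCMD": the footprint of the single
    byte edit shown in the post."""
    intact = {m.start() for m in re.finditer(re.escape(utf16le(name)), image)}
    near = set()
    for i in range(len(name)):
        # Wildcard the 2-byte code unit at position i, keep the rest exact.
        pattern = (re.escape(utf16le(name[:i])) + rb"[\x00-\xff]{2}"
                   + re.escape(utf16le(name[i + 1:])))
        near.update(m.start() for m in re.finditer(pattern, image))
    return sorted(intact), sorted(near - intact)


def assess(image: bytes, name: str) -> str:
    """Classify an image as 'intact', 'tampered' or 'missing' for one name."""
    intact, tampered = find_variants(image, name)
    if intact:
        return "intact"
    return "tampered" if tampered else "missing"


def assess_file(path: str) -> str:
    """Pick the expected policy string from the file name and assess the file."""
    p = Path(path)
    return assess(p.read_bytes(), POLICY_STRINGS[p.name.lower()])


# Constructed sample images (not real binaries): filler bytes around the
# UTF-16LE string, mimicking the .text section layout the post describes.
CLEAN_IMAGE = b"\x8b\xff\x55\x8b\xec" * 4 + utf16le("DisableCMD") + b"\x00" * 8
TAMPERED_IMAGE = CLEAN_IMAGE.replace(utf16le("DisableCMD"), utf16le("AisableCMD"))

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("patched", TAMPERED_IMAGE)):
        print(label, assess(img, "DisableCMD"), find_variants(img, "DisableCMD"))
```

Running assess_file over stray copies of cmd.exe and regedit.exe found outside %SystemRoot% is a cheap complement to the Software Restriction Policies suggested above, which block the renamed copy from starting in the first place.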

15 comments:

Anonymous said...

Remember your MS-DOS skills...

An easier way to obtain a command prompt is to use the 16-bit command line interpreter "COMMAND.COM", which is not restricted by the group policy "DisableCMD".

Even if DisableCMD is set to 2 (i.e. users cannot run Cmd.exe, and the system cannot run batch files), it is still possible to run commands and batch files using "COMMAND.COM /K instruction".

But I agree that, normally, in a good kiosk-like environment, the COMMAND.COM or NTVDM (16-bit Virtual DOS Machine) components must be removed.

newsoft said...

@(not so) anonymous: you are perfectly right :)

Both CMD.EXE and COMMAND.COM tricks are nice to know, because COMMAND.COM might exhibit a slightly different behaviour in some cases (e.g. drag-n-drop support).

Anonymous said...

Hello,
I tried the trick to get access to Regedit, but I don't understand what 4ad14944 corresponds to. 14944, is that the size of what?
Thanks
@+

newsoft said...

@anonymous:

The "lm" command gives the start and end addresses of the "cmd.exe" module:

start |end |module name
4ad00000 |4ad64000 |cmd (deferred)

Then I search that range for the string "DisableCMD" with the "s" command.

Just do the same with "regedit.exe".

Good luck.

Anonymous said...

Thanks a lot for your answer!
@+

Anonymous said...

Hi again,

Actually, I had misread the command lines...

http://msdn.microsoft.com/en-us/library/ms171369(VS.80).aspx also helped me.

FYI, with regedit.exe you have to search for "regedit" (not regedit.exe) and take the first occurrence as the address.

Thanks again, @+

Anonymous said...

Great Site. Was added to mybookmarks. Greetings From USA.

Anonymous said...

Good brief, and this post helped me a lot in my college assignment. Thank you for your information.

newsoft said...

If anyone knows why I receive tons of comments like the previous one, I'm all ears.

Anonymous said...

Oooh, this ntsd stuff is neat! Debug's inability to handle large files makes it less and less relevant today, so I guess I should learn more about ntsd.

The boneheaded restrictions on my work machine leave me unable to do basic things like change volume labels on my USB flash drives, and until today, unable to access a command prompt. Thank you for making my workday a little more productive! I'm not a pen-tester (I work in vehicle infotainment) but I sure appreciate learning new tricks. Thanks for the post!

Anonymous said...

Hi,

I have a message for the webmaster/admin here at www.blogger.com.

Can I use some of the information from your blog post right above if I give a link back to this website?

Thanks,
Harry

Anonymous said...

Hello there,

This is a question for the webmaster/admin here at www.blogger.com.

May I use part of the information from your post above if I provide a link back to your site?

Thanks,
Oliver

Anonymous said...

Thanks for sharing this link, but unfortunately it seems to be down... Does anybody have a mirror or another source? Please reply to my message if you do!

I would appreciate if someone here at www.blogger.com could post it.

Thanks,
Charlie

Anonymous said...

Thanks for sharing the link, but unfortunately it seems to be down... Does anybody have a mirror or another source? Please answer to my post if you do!

I would appreciate if a staff member here at www.blogger.com could repost it.

Thanks,
Jack

newsoft said...

@Harry, @Oliver, @Charlie, @Jack: now I know you are a spambot :)

But I wonder what kind of spam scheme this is???