Question about startup files in windows


Post by mia_ on Tue Mar 25, 2014 2:07 am

Hi,


A couple of months back I was involved in a PT project, and I ended up finding an ActiveX function that downloads arbitrary files from the web to a fixed location, and mixed that up with a stored XSS to compromise most of the employees' machines.
At first, we only showed that theoretically it was possible, but our client was so inclined for us to actually "show" that an XSS and file download (overwrite) would actually harm their company's security.
So I thought a bit and ended up overwriting a startup file created by one of the company's internal programs that exists on pretty much every employee's desktop and gets executed on startup.
I was pretty satisfied, but after a few months, it kept me wondering.

What if there aren't any startup files created by the company's program? What executable would be the best to overwrite that exists on virtually every version of windows?

I could probably just write on every single file that I can think of, but that is not reliable and it might generate errors which might alert the users.

I could think of a few candidates.

    UpdaterStartupUtility.exe (Adobe updater)
    IMEKLMG.exe (Microsoft Office IME. But the location differs between Office versions, so unreliable)
    adobearm.exe (Adobe Reader and Acrobat Manager)
    notepad.exe (which executes malware on startup and then passes execution to the original notepad.exe. Requires the user to execute Notepad at least once)
    jusched.exe (Java updater)

I can be pretty sure that one, or a mixture of these combinations, would work, but would there be a more stealthy, reliable method? Such as an OS startup executable that exists on the vanilla installation of every version of Windows, and which doesn't disturb the integrity of the OS (acts stealthily).

Any suggestions are welcome. ;) Thanks.


Re: Question about startup files in windows

Post by e3cb on Tue Mar 25, 2014 12:36 pm

Well, it depends on what you want your code to do and how large it is. If it's just a small 300-byte payload you could easily carve out a code cave; if it's larger you could just write up an egghunter and store it somewhere arbitrarily. Personally I prefer to exploit a 3rd party app for initial exploitation and move from there, as every system is different and you want to keep things small. It would also depend on how much access you have to the system and who you're running as. If you're running as Admin, by all means head to system32 and replace stickykeys or cmd16, hell, even inject a DLL (my fave). If you're an average user you could even write into the 3rd party app as you mentioned and reflectively inject into explorer.exe. Long story short, the sky's the limit once you have basic code execution; also, try to work with 3rd party apps at initial exploitation. Reason being, if you fuck up the user only has to reinstall Firefox and nothing looks too fishy. Once in memory try to work with system executables like explorer, but make sure your payload is sound so you don't crash it. Lastly, beware of writing to disk because of AVs and make sure to update your sigs. Teehee. :ugeek:
<3 FF E4 <3
Do you even asm bruh?


Re: Question about startup files in windows

Post by mia_ on Tue Mar 25, 2014 8:09 pm

Yeah, I kind of tested on different Windows versions and decided to settle on "jusched.exe".
I'm pretty sure that virtually every Windows desktop will have Java installed, and jusched.exe will be executed at least once every day, which makes it a perfect target. 8-) From there on, I could spawn an invisible calc/notepad and migrate to there, and do the rest of my deeds.
I tried at first to overwrite files in system32, but the files keep getting reverted to the original version. Code caves or injecting code in the TLS directory callback on core DLL files (kernel32.dll) would be the best, but unless I figure out how to stop the self-detection integrated in Windows, I guess I'll have to stick with third-party programs.

Thanks for the advice! :D


Re: Question about startup files in windows

Post by e3cb on Tue Mar 25, 2014 9:52 pm

If you want help with any Windows exploitation techniques/priv escalation feel free to message me; it's kinda my thing. Don't even ever kernel32.dll or ntdll.dll unless you want to bomb your target's machine. Glad things worked out with jusched; also look into bypassuac on >Vista, open source and you can easily modify it and kill sigs.

[edit]Don't even spawn your own processes to hide in, that's soooooo 2005[/edit]
<3 FF E4 <3
Do you even asm bruh?


Re: Question about startup files in windows

Post by Tentra on Wed Mar 26, 2014 1:26 am

I feel like you are overthinking this. If you can download a file to an arbitrary location, why not just C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup or C:\%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup?
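The two hiding spots the thread settles on, an overwritten third-party auto-start executable and the Startup folders, are exactly what a defender should baseline and re-check. The following is an added example and not code from the thread: it hashes every file under a set of watched roots and reports modified, added and missing entries; `demo()` runs the whole scenario in a temporary directory on constructed files whose names (jusched.exe, a .lnk in a Startup folder) are only borrowed from the thread.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots):
    """Map every regular file under the given roots (files or directories) to its hash.
    On a real host the roots would be the Startup folders and the vendor updaters."""
    snap = {}
    for root in map(Path, roots):
        if root.is_file():
            files = [root]
        elif root.is_dir():
            files = [p for p in root.rglob("*") if p.is_file()]
        else:
            continue  # absent root: nothing to record
        for p in files:
            snap[str(p)] = sha256_of(p)
    return snap


def diff_snapshots(baseline, current):
    """Return (modified, added, missing) paths of `current` relative to `baseline`."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


def demo():
    """Constructed scenario: a watched updater is overwritten, a new entry lands in Startup."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        (startup / "Vendor Tool.lnk").write_bytes(b"constructed: legitimate shortcut")
        updater = Path(tmp) / "jusched.exe"
        updater.write_bytes(b"constructed: vendor updater bytes")
        baseline = snapshot([startup, updater])
        updater.write_bytes(b"constructed: replaced bytes")  # the overwrite the thread describes
        (startup / "new.lnk").write_bytes(b"constructed: dropped entry")  # new Startup item
        modified, added, missing = diff_snapshots(baseline, snapshot([startup, updater]))
        return [Path(p).name for p in modified], [Path(p).name for p in added], missing
```

Store the baseline off-host and re-run `snapshot` on a schedule; a change to a vendor updater that did not coincide with a vendor update, or any new Startup entry, is the event to alert on.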


Re: Question about startup files in windows

Post by e3cb on Wed Mar 26, 2014 10:23 am

Because where do you think AVs will scan most heavily? Yea, it will work with proper encoding but after a while that will expire and you'll be booted.
<3 FF E4 <3
Do you even asm bruh?


Re: Question about startup files in windows

Post by cyberdrain on Thu Mar 27, 2014 1:36 pm

Actually, I did this once to escalate privileges using a simple bat file and another program. Was not that hard and worked perfectly. Just let the code remove the programs after it's done and you have the credentials you need.
Edit: I'll agree that for maintaining access it's usually not the best place to put it...
Free your mind / Think clearly