Monday, January 4, 2010

fun with Explorer.exe running under SYSTEM account.

In windows xp it is possible to obtain an process of explorer.exe running as the SYSTEM account.

--==[ Obtaining Explorer.exe Running as SYSTEM ]==--

To obtain our shell we will use the command line and the "at" command. Once you have the shell open type the following command:

at {Time_in_military_format_plus_one_min} /interactive cmd.exe

Example if time were 5:45 PM: at 17:46 /interactive cmd.exe

This will give us a command prompt in one min. The interesting thing about this command prompt is the title. The title should read something like "C:\windows\system32\svchost.exe". That allow is interesting! Check your taskmanager, This process of CMD.EXE will be running under the user SYSTEM!

With That being said, anything spawned via this shell should run under the context of the SYSTEM account. Try it out, run notepad.exe from under that shell and check your taskmanager.

Now it's time to get that Explorer Running under SYSTEM. Use the task manager to kill the process of explorer.exe that is running under your account and then run explorer.exe in the command shell that is running as system, It's that easy!

With our Explorer running as SYSTEM anything that you launch with a double-click runs as SYSTEM as well. Now the fun starts. What to do? What to do?

--==[ Abusing Explorer.exe as SYSTEM ]==--

I'm sure there are more things then listed here. But here are the two I like ;-).

1) Ignore local file permissions. Even with a users Documents and Settings set as private, as SYSTEM you can still travel through it. I used to use this when looking through a hard drive that was pulled from another PC and the user needed files from under there documents and settings.

2) Change the password on a local account without knowing the old password! How cool is that! that includes local admin accounts!

Now have fun, figure out what else you can do with it and don't use this for anything illegal.