Thursday, May 3, 2012

--win 7 -- (still..) "good usage" for utilman.exe and sethc.exe


Physical access -> bootcd -> change .exe -> 0wned



If you have physical access to a Windows 7 box, you can still replace the binary c:\windows\system32\sethc.exe with cmd.exe (or a meterpreter payload) and trigger it by pressing the shift key five times on the login screen. Because it is launched by the logon process before anyone is authenticated, the swapped-in binary runs as SYSTEM.


The same works by replacing c:\windows\system32\utilman.exe and pressing WINKEY+U at the login screen. (Boot from a live CD to swap the files: on a running system they are owned by TrustedInstaller, so even an administrator cannot simply overwrite them.)

....
You can achieve the same result without touching the binaries at all by registering an executable of your choice as the Debugger for sethc.exe under Image File Execution Options in the registry. When sethc.exe is started, the loader launches the configured Debugger (with sethc.exe as its argument) instead, so your executable runs in its place. From a privileged (administrator) command shell:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

The same goes for utilman.exe: use the utilman.exe subkey instead.
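As an added check (not part of the original post), here is a PowerShell audit that looks for both variants described above on a running box: accessibility binaries in System32 that are really a renamed cmd.exe or carry no matching version info (the replaced-file variant), and Debugger values under Image File Execution Options (the registry variant). It goes beyond the post by covering every accessibility executable the logon screen can launch, not only sethc.exe and utilman.exe. It assumes an elevated PowerShell 4 or later (Get-FileHash); the target list and output column names are my own.

```powershell
# Added example, not code from the original post. Audits a Windows box for the
# two accessibility-binary backdoor variants. Assumptions: run elevated,
# PowerShell 4+ (Get-FileHash). Target list extends the post's sethc/utilman to
# the other binaries the logon screen can launch.

$system32 = Join-Path $env:SystemRoot 'System32'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$targets  = 'sethc.exe','utilman.exe','osk.exe','Magnify.exe','Narrator.exe','DisplaySwitch.exe','AtBroker.exe'

# Hash of the binary most commonly swapped in, for the replaced-file variant.
$cmdHash = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash

$findings = foreach ($name in $targets) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { continue }

    # Variant 1: the file itself was replaced. A copied cmd.exe matches cmd.exe's
    # hash exactly; a payload usually has no version resource, so its
    # OriginalFilename is empty or does not match the file name it sits under.
    $hash     = (Get-FileHash -Algorithm SHA256 $path).Hash
    $origName = (Get-Item $path).VersionInfo.OriginalFilename
    $nameOk   = $origName -and ($origName -ieq $name)
    $replaced = ($hash -eq $cmdHash) -or (-not $nameOk)

    # Variant 2: an IFEO Debugger value redirects the launch to another executable.
    $debugger = $null
    $key = Join-Path $ifeo $name
    if (Test-Path $key) {
        $debugger = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
    }

    [pscustomobject]@{
        Binary           = $name
        OriginalFilename = $origName
        MatchesCmdExe    = ($hash -eq $cmdHash)
        IFEODebugger     = $debugger
        Suspicious       = $replaced -or [bool]$debugger
    }
}

$findings | Format-Table -AutoSize

# Remediation for the IFEO variant is deleting the value, e.g.:
#   Remove-ItemProperty -Path "$ifeo\sethc.exe" -Name Debugger
# For a replaced binary, restore the file from install media or with 'sfc /scannow'.
```

The version-info check is deliberately used instead of Get-AuthenticodeSignature: on Windows 7 these binaries are catalog-signed rather than embedded-signed, so a "NotSigned" status alone would flag legitimate files.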

....