Hacking Microsoft Remote Desktop Services for Fun and Profit

Presentation from RECon 2011
Published in: Technology
Transcript

  • 1. Hacking Microsoft Remote Desktop Services for Fun and Profit
      Alisa Esage
  • 2. Who am I?
      - Reverse engineer since …
      - Founder, CEO, Esage Lab
        - operating in Russia
        - cyber incident response, software security auditing, technical training
        - (soon) MALWAS.com
      - Co-founder, sponsor, {neйron}
        - Moscow's hackerspace
      - Ex malware analyst, major AV vendor
  • 3. Why %subj?
      - Trending: professional cyber robbery based on remote desktop access
        - Illicit money transfers via a remote banking application
        - An attacker wants to operate within the active user's session without interfering with the user
      - VNC module for Zeus
        - Costs $$$
        - Based on GPL uVNC
      - What about Microsoft Terminal Services?
  • 4. Microsoft Terminal Services
      - A powerful remote access technology
        - Available since NT4
      - Two fundamental applications:
        - Remote Desktop
        - Remote Assistance
  • 5. Remote Desktop
      - Allows users to log in remotely
      - Pre-installed in almost any Windows
      - Stable, easy, powerful; clients exist for any OS
      - Full-featured only on Servers
      - Restricted on Workstations
        - only one user at a time can be logged in, either at the console or remotely
    Remote Assistance
      - Allows sharing a console user's desktop with an authorized helper
      - Allows the helper to "interact" (take control)
      - Msra.exe (sessmgr.exe previously)
      - User-initiated assistance
        - Via tickets
        - Dynamic port
      - Offered assistance
        - msra.exe /offerra
        - RPC request to port 135
        - Domain environment only
  • 6. Challenges
      - Allow multiple user sessions
      - Allow a concurrent terminal session for the active console user
      - Bypass logon auth
      - Monitor/control the console session
  • 7. Basic assumptions
      - We already have code execution on the target
        - Too many RCE exploits in the wild today to consider it a challenge
      - We already have local admin privilege on the target
        - Never been a problem for malware developers (says an ex-AV employee)
        - Plenty of buggy system-level software to develop an EoP exploit
      - When speaking about architecture, I mean Windows 7 unless stated otherwise
  • 8. State of the %subj
      - Previous research
        - Remote Desktop functionality enhancement patches for workstation users
          - Cw2k, Remko Weijnen and others
          - Limited OS support
          - No auth bypass, no control over the console session
      - Malware based on Remote Desktop Services
        - Just launch the service, then log in via an added user account
  • 9. Key modules: Terminal Services
      - Termsrv.dll
        - service binary, RPC provider
        - hosted by svchost.exe
      - Termdd.sys
        - core device driver, network listener
        - wrapped by icaapi.dll
      - End-user executables
        - msra.exe – remote assistance
        - mstsc.exe – RDP client
  • 10. Key modules: RDP protocol stack
      - Rdpwd.sys
        - Tunnels the remote user's mouse and keyboard
        - Wrapped by rdpwsx.dll
        - Configured by rdpcfgex.dll
      - Rdpdd.dll
        - Graphics redirection to the remote user
      - Tdtcp.sys
        - Packages RDP data into TCP/IP
  • 11. Challenges #1-2
      - Allow multiple user sessions; allow a concurrent terminal session for the active console user
  • 12. Remote Desktop connection details
      - Termdd.sys accepts a network connection on port 3389 and creates a per-connection instance of the RDP protocol stack
      - New smss.exe and csrss.exe are spawned
      - Per-session win32k.sys window manager
      - Winlogon.exe to display the logon prompt
      - On successful logon, userinit.exe and explorer.exe are started (or their registry-defined substitutes)
  • 13. Solution
      - Surprise: the Terminal Services module is full-featured on ALL Windows!
      - Feature restrictions are caused by explicit version checks:
        - Winlogon.exe:
          IsProfessionalTerminalServer() { GetVersionExW() … }
        - Termsrv.dll XP:
          gbServer, g_bPersonalTS
        - Termsrv.dll Vista+:
          CSessionArbitrationHelper::IsSingleSessionPerUserEnabled()
  • 14. Solution (contd.)
      - So we fool Windows into thinking that it is a server
      - Inline patching in real time (no file modifications):
        - Hook GetVersionExW() in the context of winlogon.exe to return the proper value
        - Set global variables in termsrv.dll
        - Some more patches in termsrv.dll
  • 15. Solution (contd.)
      - Configure the terminal server
        - SYSTEM\CurrentControlSet\Control\Terminal Server:
          fDenyTSConnections = 0, TSAppCompat = 0, TSEnabled = 1
        - Licensing Core:
          EnableConcurrentSessions = 0
        - WinStations\RDP-Tcp:
          fEnableWinStation = 1, MaxInstanceCount = 0xFFFFFFFF
        - SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
          AllowMultipleTSSessions = 1
        - SYSTEM\CurrentControlSet\Control\Lsa:
          LimitBlankPasswordUse = 0
  • 16. Solution (contd.)
      - Add local users to the "Remote Desktop Users" group
          GetGroupNameBySid(L"S-1-5-32-555");
          NetLocalGroupAddMembers();
      - Allow Terminal Services through the firewall
          WindowsFirewallPortAdd(...3389...);
      - Done
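As an added audit example (not code from the talk), the following PowerShell reads back the registry values slide 15 sets, lists the members of the Remote Desktop Users group (S-1-5-32-555) and the firewall rules for port 3389, so an administrator can recognise a workstation that has been reconfigured this way. It assumes Windows 8/Server 2012 or later with PowerShell 5.1 (for Get-LocalGroupMember and the NetSecurity cmdlets), an elevated session, and that "Licensing Core" is a subkey of the Terminal Server key.

```powershell
# Added audit script; not part of the RECon 2011 talk. Run elevated on Windows 8/2012+ with PowerShell 5.1.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# The values and settings below are exactly those listed on slide 15 of the talk.
# Assumption: "Licensing Core" lives under the Terminal Server key.
$checks = @(
    @{ Path = $ts;                       Name = 'fDenyTSConnections';       Poc = 0 },
    @{ Path = $ts;                       Name = 'TSAppCompat';              Poc = 0 },
    @{ Path = $ts;                       Name = 'TSEnabled';                Poc = 1 },
    @{ Path = "$ts\Licensing Core";      Name = 'EnableConcurrentSessions'; Poc = 0 },
    @{ Path = "$ts\WinStations\RDP-Tcp"; Name = 'fEnableWinStation';        Poc = 1 },
    @{ Path = "$ts\WinStations\RDP-Tcp"; Name = 'MaxInstanceCount';         Poc = 4294967295 },  # 0xFFFFFFFF
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AllowMultipleTSSessions'; Poc = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                  Name = 'LimitBlankPasswordUse';    Poc = 0 }
)

function Get-DwordValue([string]$Path, [string]$Name) {
    # REG_DWORD is returned as a signed Int32, so 0xFFFFFFFF reads as -1; map it back to unsigned.
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return $null }
    if ($v -lt 0) { return [int64]$v + 4294967296 } else { return [int64]$v }
}

$findings = foreach ($c in $checks) {
    $v = Get-DwordValue $c.Path $c.Name
    $current = if ($null -eq $v) { '(absent)' } else { $v }
    [pscustomobject]@{
        Value      = $c.Name
        Current    = $current
        PocSetting = $c.Poc
        MatchesPoc = ($null -ne $v -and $v -eq $c.Poc)
    }
}
# Single matches are normal on a host where RDP is enabled on purpose; the whole set matching
# on a workstation SKU (multiple sessions, unlimited instances, blank passwords) is the signal.
$findings | Format-Table -AutoSize
"Values matching the PoC configuration: $(@($findings | Where-Object MatchesPoc).Count) of $($checks.Count)"

"`nMembers of Remote Desktop Users (S-1-5-32-555):"
Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

"`nFirewall rules whose port filter is 3389:"
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Select-Object DisplayName, Enabled, Direction, Action, Profile | Format-Table -AutoSize
```

Compare the group membership and firewall output against the baseline for the host; an unexpected local account in the group together with the full set of value matches is what the slides' PoC leaves behind.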
  • 17. Challenge #3
      - Bypass logon auth
  • 18. Solution
      - Msv1_0.dll (Microsoft Authentication Package)
      - LsaApLogonUserEx2():
          call MsvpPasswordValidate(x,x,x,x,x,x,x)
          test al, al
          jz @@STATUS_WRONG_PASSWORD
      - Patch it!
  • 19. Challenge #4
      - Monitor/control the console session
  • 20. Solution #1
      - Remote Assistance (msra.exe) relies upon rdpencom.dll (RdpComApi 1.0 Type Library)
      - The API is documented!
        - IRDPSRAPISharingSession, IRDPSRAPIViewer
          m_pRdpSession = new RDPSession();
          m_pRdpSession.OnAttendeeConnected += new _IRDPSessionEvents_OnAttendeeConnectedEventHandler(OnAttendeeConnected);
          m_pRdpSession.Open();
      - Available since Vista only, so we are not happy yet…
  • 21. Shadow.exe
      - Exists in all Windows since NT4!
      - Only works for Server targets
      - Must be launched from within a terminal session
      - Needs the target user's permission to connect
  • 22. Connection request details
      - Shadow.exe:
        - WinStationShadow() @winsta.dll
        - RpcShadow() @termsrv.dll
      - termsrv.dll:
        - CShadowTarget::ShadowTargetWorker()
        - CDefaultSessionArbitrationHelper::Sessions_SendRequestToSession()
        - CDefaultSessionArbitrationHelper::GetRequestDialogObject()
        - …
      - ShadowTargetWorker():
          cmp [ebp+var_528], IDYES
          jz short @@OK_DOSHADOW
          mov esi, 0D00A002Ah
          jmp @@ACCESS_DENIED
  • 23. Solution #2
      - We've already turned a workstation into a server!
        - So shadow.exe just works
      - Patch the dialog box that requests the user's permission:
        - Hook MessageBoxTimeoutW() @csrss.exe:
          if (!wcsncmp(MsgText + i, GetComputerNameW()…))
          {   // don't display the dialog box
              M_FREE(Text);
              return IDYES;
          }
  • 24. So…
      - 2 hooks + 3-4 inline patches
        - vs. xxx xxx KB of custom heavy code
      - Seemingly complicated problems may have trivial solutions
      - Operating systems have plenty of code and functionality which can be re-used for offensive purposes with minimum mess
  • 25. PoC limitations
      - Requires Local Administrator privilege
      - Auth bypass trick fails on Vista SP0 only
      - Shadow.exe trick fails on Vista
      - Auth bypass affects local logon
  • 26. THANK YOU
      Questions?