Hacking Microsoft Remote Desktop Services for Fun and Profit
Presentation from RECon 2011



  1. Hacking Microsoft Remote Desktop Services for Fun and Profit
     Alisa Esage

  2. Who am I?
     - Reverse engineer since …
     - Founder, CEO, Esage Lab (operating in Russia): cyber incident response, software security auditing, technical training; (soon) MALWAS.com
     - Co-founder, sponsor, {neйron}, Moscow's hackerspace
     - Ex malware analyst, major AV vendor

  3. Why %subj?
     - Trending: professional cyber robbery based on remote desktop access
       - Illicit money transfers via a remote banking application
       - An attacker wants to operate within the active user's session without interfering with the user
     - VNC module for Zeus: costs $$$, based on GPL uVNC
     - What about Microsoft Terminal Services?

  4. Microsoft Terminal Services
     - A powerful remote access technology, available since NT4
     - Two fundamental applications: Remote Desktop and Remote Assistance

  5. Remote Desktop
     - Allows users to log in remotely
     - Pre-installed in almost any Windows
     - Stable, easy, powerful; clients exist for any OS
     - Full-featured only on Servers
     - Restricted on Workstations: only one user at a time can be logged in, either at the console or remotely

     Remote Assistance
     - Allows a console user's desktop to be shared with an authorized helper
     - Allows the helper to "interact" (control)
     - Msra.exe (sessmgr.exe previously)
     - User-initiated assistance: via tickets, dynamic port
     - Offered assistance: msra.exe /offerra, RPC request to port 135, domain environment only

  6. Challenges
     - Allow multiple user sessions
     - Allow a concurrent terminal session for the active console user
     - Bypass logon auth
     - Monitor/control the console session

  7. Basic assumptions
     - We already have code execution on the target: too many RCE exploits in the wild today to consider it a challenge
     - We already have local admin privilege on the target: never been a problem for malware developers (says an ex-AV employee); plenty of buggy system-level software to develop an EoP exploit
     - When speaking about architecture, I mean Windows 7 unless stated otherwise

  8. State of the %subj
     - Previous research: Remote Desktop functionality enhancement patches for workstation users (Cw2k, Remko Weijnen and others); limited OS support; no auth bypass, no control over the console session
     - Malware based on Remote Desktop Services: just launch the service, then log in via an added user account

  9. Key modules: Terminal Services
     - Termsrv.dll: service binary, RPC provider, hosted by svchost.exe
     - Termdd.sys: core device driver, network listener, wrapped by icaapi.dll
     - End-user executables: msra.exe (remote assistance), mstsc.exe (RDP client)

  10. Key modules: RDP protocol stack
     - Rdpwd.sys: tunnels the remote user's mouse and keyboard; wrapped by rdpwsx.dll, configured by rdpcfgex.dll
     - Rdpdd.dll: graphics redirection to the remote user
     - Tdtcp.sys: packages RDP data into TCP/IP

  11. Challenges #1-2
     Allow multiple user sessions; allow a concurrent terminal session for the active console user

  12. Remote Desktop connection details
     - Termdd.sys accepts a network connection on port 3389 and creates a per-connection instance of the RDP protocol stack
     - New smss.exe and csrss.exe are spawned
     - Per-session win32k.sys window manager
     - Winlogon.exe displays the logon prompt
     - On successful logon, userinit.exe and explorer.exe are started (or their registry-defined substitutes)

  13. Solution
     - Surprise: the Terminal Services module is full-featured on ALL Windows!
     - Feature restrictions are caused by explicit version checks:
       - Winlogon.exe: IsProfessionalTerminalServer() { GetVersionExW() … }
       - Termsrv.dll XP: gbServer, g_bPersonalTS
       - Termsrv.dll Vista+: CSessionArbitrationHelper::IsSingleSessionPerUserEnabled()

  14. Solution (contd.)
     - So we fool Windows into thinking that it is a server
     - Inline patching in real time (no file modifications):
       - Hook GetVersionExW() in the context of winlogon.exe to return the proper value
       - Set global variables in termsrv.dll
       - Some more patches in termsrv.dll

  15. Solution (contd.)
     Configure the terminal server:
     - SYSTEM\CurrentControlSet\Control\Terminal Server: fDenyTSConnections = 0, TSAppCompat = 0, TSEnabled = 1
     - Licensing Core: EnableConcurrentSessions = 0
     - WinStations\RDP-Tcp: fEnableWinStation = 1, MaxInstanceCount = 0xFFFFFFFF
     - SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: AllowMultipleTSSessions = 1
     - SYSTEM\CurrentControlSet\Control\Lsa: LimitBlankPasswordUse = 0

  16. Solution (contd.)
     - Add local users to the "Remote Desktop Users" group:
       GetGroupNameBySid(L"S-1-5-32-555");
       NetLocalGroupAddMembers();
     - Allow Terminal Services through the firewall:
       WindowsFirewallPortAdd(...3389...);
     - Done
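Defender-side check added here (not from the deck): a script that reads a .reg export and reports which of the slide 15 registry values match the profile that turns a workstation into a multi-session terminal server. The sample export is constructed, and the placement of Licensing Core and WinStations\RDP-Tcp under the Terminal Server key is my reading of the slide.

```python
import re

# Registry values the deck's slide 15 sets (key under HKLM, value name) -> DWORD.
# Placement of "Licensing Core" and "WinStations\RDP-Tcp" under Terminal Server is assumed.
TAMPERED = {
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections"): 0,
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server", "TSAppCompat"): 0,
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server", "TSEnabled"): 1,
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core", "EnableConcurrentSessions"): 0,
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp", "fEnableWinStation"): 1,
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp", "MaxInstanceCount"): 0xFFFFFFFF,
    (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AllowMultipleTSSessions"): 1,
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "LimitBlankPasswordUse"): 0,
}
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg_export(text):
    """Collect DWORD values from a .reg export as {(key, name): int}; names are case-folded."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m.group(1).lower()
        elif key and (m := DWORD_RE.match(line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(values):
    """Return the (key, name, value) triples whose value matches the tampered profile."""
    hits = []
    for (key, name), wanted in TAMPERED.items():
        if values.get((key.lower(), name.lower())) == wanted:
            hits.append((key, name, wanted))
    return sorted(hits)

# Constructed sample: a workstation export after most of the slide 15 changes.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSAppCompat"=dword:00000000
"TSEnabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"fEnableWinStation"=dword:00000001
"MaxInstanceCount"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000
"""

for key, name, value in audit(parse_reg_export(SAMPLE)):
    print(f"suspicious: HKLM\\{key}\\{name} = {value:#x}")
```

Feed it `reg export HKLM\SYSTEM\CurrentControlSet\Control file.reg` output (and the Winlogon and Lsa keys) to compare a host against the profile; a hit on several values at once, especially LimitBlankPasswordUse = 0 together with MaxInstanceCount = 0xFFFFFFFF, is the combination worth investigating.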
  17. Challenge #3
     Bypass logon auth

  18. Solution
     - Msv1_0.dll (Microsoft Authentication Package), LsaApLogonUserEx2():
       call MsvpPasswordValidate(x,x,x,x,x,x,x)
       test al, al
       jz @@STATUS_WRONG_PASSWORD
     - Patch it!

  19. Challenge #4
     Monitor/control the console session

  20. Solution #1
     - Remote Assistance (msra.exe) relies upon rdpencom.dll (RdpComApi 1.0 Type Library)
     - The API is documented! IRDPSRAPISharingSession, IRDPSRAPIViewer
       m_pRdpSession = new RDPSession();
       m_pRdpSession.OnAttendeeConnected += new _IRDPSessionEvents_OnAttendeeConnectedEventHandler(OnAttendeeConnected);
       m_pRdpSession.Open();
     - Available since Vista only, so we are not happy yet…

  21. Shadow.exe
     - Exists in all Windows since NT4!
     - Only works for Server targets
     - Must be launched from within a terminal session
     - Needs the target user's permission to connect

  22. Connection request details
     - Shadow.exe: WinStationShadow() @winsta.dll, RpcShadow() @termsrv.dll
     - termsrv.dll:
       CShadowTarget::ShadowTargetWorker()
       CDefaultSessionArbitrationHelper::Sessions_SendRequestToSession()
       CDefaultSessionArbitrationHelper::GetRequestDialogObject()
       …
     - ShadowTargetWorker():
       cmp [ebp+var_528], IDYES
       jz short @@OK_DOSHADOW
       mov esi, 0D00A002Ah
       jmp @@ACCESS_DENIED

  23. Solution #2
     - We've already turned a workstation into a server, so shadow.exe just works
     - Patch the dialog box that requests the user's permission: hook MessageBoxTimeoutW() @csrss.exe:
       if (!wcsncmp(MsgText + i, GetComputerNameW() …))
       { // don't display the dialog box
         M_FREE(Text);
         return IDYES; }

  24. So…
     - 2 hooks + 3-4 inline patches vs. xxx xxx KB of custom heavy code
     - Seemingly complicated problems may have trivial solutions
     - Operating systems have plenty of code and functionality which can be re-used for offensive purposes with minimum mess

  25. PoC limitations
     - Requires Local Administrator privilege
     - Auth bypass trick fails on Vista SP0 only
     - Shadow.exe trick fails on Vista
     - Auth bypass affects local logon

  26. THANK YOU
     Questions?