A few weeks ago, I managed to connect to a patched Windows 7 machine with a limited user account (let's call it « limited_user »). Of course, the goal was to obtain an admin/SYSTEM shell.
After doing all the normal checks, something caught my attention…
Can all users edit the Trend Micro OfficeScan directory? Meh, that looks cool. We need to investigate!
Which version is it ?
Which services are running by Trend ?
Which processes are actually running ?
Okay, so PccNTMon.exe is the OfficeScan GUI, running with my "limited_user" rights, but the other processes are running as SYSTEM. At this point, I guessed that it could be cool to create a malicious payload and put it in place of a legit Trend process, no? But the main problem we are facing is that OfficeScan is launched at startup, and we obviously can't modify/replace a running SYSTEM process.
If we look closer at the list of Trend's processes, we can see something quite interesting: a process called « CNTAoSMgr.exe » has « TMListen » as its parent process and it starts about 30 seconds AFTER TMListen. 30 seconds? Could that be enough to open a session before the process « CNTAoSMgr.exe » starts and … put our payload there?
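The root cause here is a service binary directory that non-admin users can write to. As an added defender's check (not from the original post), the following PowerShell audits every installed service and reports those whose executable lives in a directory where broad principals hold write rights; the function names and the list of principals are my own assumptions.

```powershell
# Added example, not from the original post: find services (typically running
# as SYSTEM) whose binary directory is writable by broad, non-admin principals.
# Run from an elevated PowerShell 5.1+ prompt; read-only, changes nothing.

# Assumed set of "everyone-ish" principals a hardened ACL should not grant write to
$broadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights on a directory lets a user drop or replace files in it
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted ("C:\dir\svc.exe" -arg) or unquoted, possibly with spaces
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-BroadWriteAccess {
    param([string]$Directory)
    # Return the first Allow ACE that grants a broad principal write-class rights
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $ace }
    }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
    $dir = Split-Path -Parent $exe
    $ace = Test-BroadWriteAccess $dir
    if ($ace) {
        # One finding per service: who runs it, where it lives, and who can write there
        [pscustomobject]@{
            Service   = $_.Name
            RunsAs    = $_.StartName
            Directory = $dir
            Grantee   = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
} | Format-Table -AutoSize
```

Any row where RunsAs is LocalSystem and Grantee is a broad principal is the condition described above; remediation is to remove that ACE (for example with icacls … /remove) so the directory again inherits the default Program Files permissions.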
First, we need to create a payload that will add a user to the system and also add him to the « Administrateurs » group. However, the payload will sit somewhere on the computer, and the anti-virus can catch it. We'll use the Veil Framework to obfuscate it. (Please remember: never send these payloads to an online scanner!)
Then I use an up-to-date LOCAL AV to test the file...
Scheduled that !
Second, we'll create a scheduled task to replace C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe with our payload. We're a limited user, so we can't schedule it to run at computer startup. However, we can create a task that runs at logon.
# Command to schedule (copy payload from desktop to the OfficeScan directory)
xcopy "C:\Users\limited_user\Desktop\CNTAoSMgr.exe" "C:\Program Files (x86)\Trend Micro\OfficeScan Client" /Y
If we try to run the task now, it will fail because the process CNTAoSMgr.exe is running. There's no « admin_user » at this moment.
Pwn time !
Time to reboot and see what happens!
Before rebooting, the legit CNTAoSMgr.exe looks like this:
After rebooting …
After a few seconds …
I tried to do this against OfficeScan 11, but it failed because the agent checks the digital signature before executing the « .exe ». If someone has a trick to bypass this check, please contact me =)