Python Backdoor – Privilege Escalation

Howdy!

Today we’re gonna be using a classic method to escalate privileges on a fully patched Windows box. Of course, we’ll be using none other than the Python server & shell for the whole process. The reason for demonstrating only this method is simple: privilege escalation methods and exploits change over time. Some operating systems (especially the no-longer-supported ones) have specific exploits that work, but current operating systems are constantly being patched, which leads security researchers to develop new exploits, which leads to new patches, and so on. On that note,

Introduction

If you’re wondering why we need to go through such hassle, it has been mentioned previously: in order to enhance the shell’s functionality, sometimes system access is needed. Be it to install applications, browse through restricted directories, etc., certain things just can’t be accomplished under a standard user.

For further insight, read the following excerpt from Wikipedia:

“Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.” (wikipedia)

Privilege Escalation

The method I am gonna be demonstrating will work in a standard Windows 7 installation, so long as the user is an administrator. We will be using the BypassUAC executable, courtesy of David Kennedy and Kevin Mitnick; credits go out to them on the awesome work. If you have the Metasploit Framework, you can issue the following command to locate it:

locate bypass*.exe

If you don’t have the framework, you’re definitely missing out, but you can download the executable from TrustedSec.

After bypassing User Account Control (UAC), it’s simply a matter of creating a service and starting it. I browsed a bit searching for the original author of this method, however, I was unable to find it. If anybody knows who originally discovered it, let me know and I will update it here with the well-deserved credits.
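From the defender's side, the service-creation step described above is recorded in the Windows System log as event ID 7045 (Service Control Manager, "A service was installed in the system"). The following is an added example, not code from the original post: it triages 7045-style records, and the sample events, the function names and the path/interpreter heuristics are assumptions chosen for illustration.

```python
import re

# Constructed sample records shaped like System-log event 7045 fields
# (ServiceName, ImagePath, AccountName). Not taken from the original post.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WSearch",
     "ImagePath": r"C:\Windows\system32\SearchIndexer.exe /Embedding",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "updater",
     "ImagePath": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "helper",
     "ImagePath": r'cmd.exe /c "C:\ProgramData\run.bat"',
     "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "updater"},  # state change, not an install
    {"EventID": 7045, "ServiceName": "PrintAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe"',
     "AccountName": "NT AUTHORITY\\LocalService"},
]

# Assumed heuristics: directories a standard user can usually write to,
# and command/script hosts that rarely belong in a service ImagePath.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
INTERPRETER = re.compile(
    r'(^|[\\\s"])(cmd|powershell|pythonw?|wscript|cscript)(\.exe)?(\s|"|$)', re.I)
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}

def triage(event):
    """Return the reasons a service-install record deserves analyst review."""
    if event.get("EventID") != 7045:
        return []
    path = event.get("ImagePath", "")
    reasons = []
    if USER_WRITABLE.search(path):
        reasons.append("binary in user-writable path")
    if INTERPRETER.search(path):
        reasons.append("service launches a command or script host")
    # The SYSTEM context raises severity only when something else already looks odd.
    if reasons and event.get("AccountName", "").lower() in SYSTEM_ACCOUNTS:
        reasons.append("runs as SYSTEM")
    return reasons

def flag_installs(events):
    """Map service name -> reasons, for records with at least one reason."""
    return {e["ServiceName"]: r for e in events if (r := triage(e))}

if __name__ == "__main__":
    for name, reasons in flag_installs(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```
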

I was able to find other methods to escalate from a non-administrator user here, which clearly illustrates the same concept along with a nice writeup. Must read.

Check out the video in high quality & enjoy!
