Today I am going to show you a clever little trick that can be used on Windows 7 machines. This type of exploit only works if you have physical access to the computer you are trying to compromise. It requires knowledge of a few basic Linux commands and just a minute or two of time.
- Backtrack 5 DVD or Thumbdrive
- Windows 7 Workstation
To begin I will explain what makes this exploit possible. Windows 7 ships with a feature called “Ease of Access”; this utility can be launched by pressing the Windows Key + U. The utility works and can be activated on the computer even if no user is logged in or the user has locked their workstation. (Shown Below)
First you will need to power down the workstation, insert your Backtrack DVD or Thumbdrive, and get into the boot menu of the computer (almost always the F12 key). Once we are booted into Backtrack, let’s open up a terminal and take a look at the disks on the local machine. Type “fdisk -l” without quotes and press enter. (Shown Below)
This will give us a list of all of our disks and partitions. For this demo we are focusing on the NTFS partition; since this is a Windows 7 machine it is shown as “hda1”. Let’s go into our mount folder: type “cd /mnt” without quotes and press enter. After that, in our mount folder we are going to make a directory called hda1 just to keep things simple. Type “mkdir hda1” without quotes and press enter.
Now we want to mount the /dev/hda1 partition onto the newly created directory. Type “mount /dev/hda1 /mnt/hda1” without quotes and press enter. Mounting does not copy anything; it makes the Windows file system accessible through that directory, so if we change into it (“cd /mnt/hda1”) and type “ls” without quotes we will see all of the Windows files there. (Shown Below)
The Ease of Access utility is called “Utilman.exe” and it resides in the system32 folder. Type “cd system32” without quotes and press enter (from /mnt/hda1 the full path is Windows/System32, and on Linux the letter case must match what “ls” shows). Now that we are in the system32 directory, type “mv Utilman.exe Utilman.old” without quotes and press enter.
The command prompt is in this same directory, so we are going to copy it over, essentially replacing Utilman.exe with cmd.exe. Type “cp cmd.exe Utilman.exe” without quotes and press enter.
Alright, all of our commands have been executed, hopefully successfully; all we need to do now is reboot the workstation. Type “reboot” without quotes and press enter. Now the fun part comes when we are presented with the Windows 7 login screen again.
All we need to do is press Windows Key + U and we are greeted with a command prompt running as “SYSTEM” (the NT AUTHORITY\SYSTEM account). This also means we can run explorer.exe, and when we run it we get a fully functional task bar. (Shown Below)
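Seen from the defender's side, the steps above leave three artefacts on disk: Utilman.exe is byte-for-byte identical to cmd.exe, its hash no longer matches a known-good copy, and the original is parked next to it as Utilman.old. The following audit script is an added example written for this post, not code from the original author; it uses only the Python standard library and is meant to be run against a System32 directory, either live (C:\Windows\System32) or, as in the walkthrough, on a volume mounted from a rescue environment (/mnt/hda1/Windows/System32). The function and variable names are my own. It goes beyond Utilman.exe to the other logon-screen accessibility helpers that are abused the same way (MITRE ATT&CK T1546.008), and the `demo()` function builds a constructed sample directory rather than touching a real system.

```python
"""Audit a Windows System32 directory for swapped accessibility binaries.

Three checks, matching what the walkthrough leaves behind:
  1. an accessibility binary whose hash equals cmd.exe / powershell.exe
  2. an accessibility binary whose hash differs from a supplied baseline
  3. a parked original next to it (Utilman.old, sethc.bak, ...)
"""
import hashlib
import tempfile
from pathlib import Path

# Binaries reachable from the logon screen (Ease of Access button or hotkeys);
# all of them run as SYSTEM, so each is an equivalent target for this swap.
ACCESSIBILITY_BINARIES = [
    "Utilman.exe", "sethc.exe", "osk.exe", "Magnify.exe",
    "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe",
]
# Shells that are typically copied over the top of them.
SHELL_BINARIES = ["cmd.exe", "powershell.exe"]
# Extensions used when the original is moved aside rather than deleted.
LEFTOVER_SUFFIXES = (".old", ".bak", ".orig")


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _find(directory, name):
    """Case-insensitive lookup: NTFS mounted on Linux is case-sensitive."""
    for entry in directory.iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None


def audit_system32(system32, baseline=None):
    """Return a list of (binary, finding) tuples; an empty list means clean.

    baseline maps binary name -> expected SHA-256 from a known-good host at the
    same patch level (hashes change with every update to these files).
    """
    system32 = Path(system32)
    baseline = {k.lower(): v.lower() for k, v in (baseline or {}).items()}
    findings = []

    # Hash the shells once so any accessibility binary can be compared to them.
    shell_hashes = {}
    for shell in SHELL_BINARIES:
        shell_path = _find(system32, shell)
        if shell_path is not None:
            shell_hashes[sha256_of(shell_path)] = shell

    for name in ACCESSIBILITY_BINARIES:
        target = _find(system32, name)
        if target is None:
            continue  # absent on this build; not evidence of tampering
        digest = sha256_of(target)
        if digest in shell_hashes:
            findings.append((name, f"identical to {shell_hashes[digest]}"))
        if name.lower() in baseline and baseline[name.lower()] != digest:
            findings.append((name, "hash differs from baseline"))
        # A parked original (Utilman.old etc.) beside the binary.
        stem = name.rsplit(".", 1)[0].lower()
        for entry in system32.iterdir():
            if (entry.name.lower().startswith(stem + ".")
                    and entry.suffix.lower() in LEFTOVER_SUFFIXES):
                findings.append((name, f"leftover copy {entry.name}"))
    return findings


def demo():
    """Constructed sample (not a real System32): Utilman.exe has been replaced
    by cmd.exe and the original parked as Utilman.old; sethc.exe is untouched."""
    sample = Path(tempfile.mkdtemp(prefix="system32-sample-"))
    (sample / "cmd.exe").write_bytes(b"constructed stand-in for cmd.exe")
    (sample / "Utilman.exe").write_bytes(b"constructed stand-in for cmd.exe")
    (sample / "Utilman.old").write_bytes(b"constructed stand-in for real Utilman.exe")
    (sample / "sethc.exe").write_bytes(b"constructed stand-in for sethc.exe")
    baseline = {
        "Utilman.exe": sha256_of(sample / "Utilman.old"),  # the genuine hash
        "sethc.exe": sha256_of(sample / "sethc.exe"),
    }
    return sorted(audit_system32(sample, baseline))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_system32(path) if path else demo()
    for binary, finding in results:
        print(f"{binary}: {finding}")
```

Run it with the System32 path as the only argument, or with no argument to see the constructed sample flagged. The baseline hashes must come from a host at the same patch level, since Windows updates legitimately change these files; the identical-to-shell and leftover-copy checks need no baseline at all. Note that this is detection after the fact: the technique depends on booting another operating system against an unencrypted disk, so the preventive controls are full-disk encryption (BitLocker) and a firmware password with a locked boot order.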
That’s it, I hope you enjoyed this blog, and as always don’t be evil! **Note: I had to take a picture of the desktop at a client’s when I was testing the exploit.**