Description:
The Group Policy feature in the Windows NT family of operating systems is, as far as these restrictions go, nothing less than a joke! The intention behind Group Policy (a Group Policy Object, GPO) is centralized management and configuration of operating systems, applications and user settings in an Active Directory environment. In other words, Group Policy in part controls what users can and cannot do on a computer. Although it is most often seen in enterprise environments, it is also common in schools, small businesses and other smaller organizations. Group Policy is frequently used to restrict actions that may pose a security risk, for example to block access to Task Manager, CMD.exe and Regedit, to restrict access to certain folders, to disable the downloading of executable files, and so on.
However, here comes the funny part: many of these restrictions can be subverted with a simple binary edit. This example looks at CMD.exe, the Windows command shell. Say the admin has disabled CMD.exe through Group Policy (the "Prevent access to the command prompt" setting under User Configuration). When a user runs CMD.exe in this restricted environment, they get the nasty-looking message "The command prompt has been disabled by your administrator". In this video we will learn how to break out of this supposed "no execution jail" and run CMD.exe anyway. It works because the restriction is enforced by CMD.exe itself: at startup it reads a registry value named DisableCMD under Software\Policies\Microsoft\Windows\System (a per-user policy, so the HKCU hive) and refuses to start if that value is set. The hack is therefore to open a copy of CMD.exe in a hex editor, search for the string "DisableCMD" (CMD.exe is a Unicode build, so the literal is stored as UTF-16 with a zero byte after every character, and a plain ASCII search finds nothing) and overwrite it with a name of the same length that does not exist in the registry, such as "DisableXYZ". The modified CMD.exe now queries a value that is never set, finds nothing, and simply continues to run :) wow! Talk about lame protections! The one caveat: this only helps where the user can run an arbitrary, modified binary in the first place. DisableCMD is a client-side check, not a security boundary; what actually stops the patched copy is application control such as Software Restriction Policies or AppLocker, whose publisher rules also reject it because the edit invalidates CMD.exe's Authenticode signature.
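To make the mechanism concrete, here is an added example in Python. It is not Max Moser's code and does not come from the video: it models CMD.exe's startup check against a constructed stand-in image rather than a real PE, shows why the hex-editor search has to look for the UTF-16 form of the string, performs the same-length rename, and adds a quick defender-side check for a tampered copy. FAKE_CMD_EXE, the policy dictionary standing in for the registry key, and the command-line usage at the bottom are all constructed or hypothetical.

```python
"""Added example: how cmd.exe's DisableCMD check works and why a same-length
string patch defeats it. Not Max Moser's code; FAKE_CMD_EXE below is a
constructed stand-in for a cmd.exe image, not a real PE file."""
from __future__ import annotations

import re
import sys

# Value cmd.exe reads (user policy hive, HKCU) before it opens a console.
POLICY_KEY = r"Software\Policies\Microsoft\Windows\System"
POLICY_VALUE = "DisableCMD"
PATCHED_VALUE = "DisableXYZ"   # same length: a binary patch must not move bytes


def to_wide(s: str) -> bytes:
    """cmd.exe is a Unicode build, so its string literals are UTF-16LE."""
    return s.encode("utf-16-le")


def find_wide(blob: bytes, name: str) -> list[int]:
    """Offsets of every UTF-16LE occurrence of `name`. This is what a string
    search in a hex editor has to look for; an ASCII search finds nothing."""
    return [m.start() for m in re.finditer(re.escape(to_wide(name)), blob)]


def read_wide(blob: bytes, offset: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at `offset`."""
    end = offset
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[offset:end].decode("utf-16-le")


def patch_value_name(blob: bytes, old: str, new: str) -> tuple[bytes, int]:
    """Rename the registry value cmd.exe queries. Refuses length changes,
    since those would shift every later offset in the image."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    old_w, new_w = to_wide(old), to_wide(new)
    hits = blob.count(old_w)
    if hits == 0:
        raise ValueError(f"{old!r} not present as a UTF-16LE string")
    return blob.replace(old_w, new_w), hits


def cmd_would_start(policy: dict[str, int], value_name: str) -> bool:
    """Model of cmd.exe's startup check: a non-zero DWORD named `value_name`
    under POLICY_KEY means "disabled by your administrator". `policy` is a
    constructed stand-in for the registry key's values."""
    return policy.get(value_name, 0) == 0


def policy_string_intact(blob: bytes) -> bool:
    """Defender-side check: a cmd.exe image that no longer contains the
    DisableCMD literal has been tampered with (its Authenticode signature
    will no longer verify either)."""
    return bool(find_wide(blob, POLICY_VALUE))


# Constructed stand-in for a cmd.exe image: a DOS stub header, the policy
# key path and value name as NUL-terminated UTF-16LE literals, some filler.
FAKE_CMD_EXE = (
    b"MZ" + b"\x00" * 62
    + to_wide(POLICY_KEY) + b"\x00\x00"
    + to_wide(POLICY_VALUE) + b"\x00\x00"
    + b"\x90" * 32
)


def demo() -> dict[str, bool]:
    """Administrator set "Prevent access to the command prompt" (DisableCMD=1);
    compare the original and the patched image against that policy."""
    policy = {POLICY_VALUE: 1}
    offset = find_wide(FAKE_CMD_EXE, POLICY_VALUE)[0]
    patched, _ = patch_value_name(FAKE_CMD_EXE, POLICY_VALUE, PATCHED_VALUE)
    return {
        "original_starts": cmd_would_start(policy, read_wide(FAKE_CMD_EXE, offset)),
        "patched_starts": cmd_would_start(policy, read_wide(patched, offset)),
        "patched_detected": not policy_string_intact(patched),
    }


if __name__ == "__main__":
    # Hypothetical real invocation: python patch.py <copy of cmd.exe> <output>
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
        patched, n = patch_value_name(image, POLICY_VALUE, PATCHED_VALUE)
        with open(sys.argv[2], "wb") as f:
            f.write(patched)
        print(f"patched {n} occurrence(s) -> {sys.argv[2]}")
    else:
        print(demo())
```

The same-length rule is what makes a hex-editor edit safe: the string sits in the image's read-only data and is referenced by offset, so "DisableXYZ" for "DisableCMD" changes nothing else. On the defender side, the missing literal is the cheap tell; the real control is that a modified copy no longer carries a valid Microsoft signature, which is exactly what an AppLocker publisher rule checks.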
Thanks to Max Moser for creating this video.
You can download the VBA macro he uses to do the job from his blog.
Tags: basics
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Comments: