Penetration Testing mailing list archives
RE: add a local admin user without a pop-up ?
From: "Jason M Frey" <jmfrey () jcpenney com>
Date: Mon, 4 Dec 2006 09:21:51 -0600
Try the "start" command. It has options to start commands minimized and without a new window created. It might be able to do what you need.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of me
Sent: Friday, December 01, 2006 5:44 PM
To: pen-test () securityfocus com
Subject: add a local admin user without a pop-up ?

We are conducting a pen test that allows social engineering emails sent out that may allow us to take over the user who opens one of them. I created an email hack but am now wondering how to add a local admin user WITHOUT HAVING A DOS PROMPT POP UP WHEN THE EMAIL IS OPENED. I cannot transport any files (of any sort - no wscript file or vbs or any file!!) to the victim and I am limited to the native XP commands and processes that are on the victim machine. If I catch a victim (catch & release) I will be able to reach the victim machine with native XP means (net use - nc to ports etc..). The victim then gets scolded about opening inappropriate emails... The victim is almost always an administrator or power user so almost any command or process can be used.

I tried many/many variants of invoking the "Cmd.exe" shell but so far it always creates a momentary DOS screen pop-up. Tried many variants similar to below:

CMD.EXE /Q /C net user testx password /add

or

start /B /wait cmd /Q /C c:\windows\system32\net.exe user testx password /add

Pop-ups in either case.

I have used rundll32.exe in the past to avoid pop-ups (in most cases) so I tried:

rundll32.exe netapi32.dll,NetUserAdd (%COMPUTERNAME%,1,(NEWUSER,PASSWORD),0)
(wrapped)

I tried many variants of the above but I always get a pop up "An Exception occurred while trying to run netapi32.dll..."

OK, I plugged netapi32.dll into Olly and saw the dll entry NetUserAdd takes 4 parms - but the 3rd parm is an LPBYTE pointer to the input buffer. I wonder if rundll32.exe can construct such a pointer for me?

Using only the programs and API calls available from what is essentially an XP DOS shell - does anyone have a better way to do this without creating a DOS pop-up?

I have already figured out how to write the "net user Username PSWD /add" & "net localgroup administrators Username /add" cmds to the registry (the run key) - without creating a pop-up! (Silently..) However, the problem with the above is that it requires a logon/logoff or re-boot to occur before the user is added. Thus my quest for a silent (no pop-up) but immediate means to do this.

Since the email interface can call a winapi - I may have to try to call netapi32.dll/NetUserAdd - I hope that I do not have to do that - the test may be over before I can decipher the correct syntax between my email system and the STDCALL Winapi.

Thanks

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?campp1600000008bOW
------------------------------------------------------------------------
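The thread above is written from the attacker's side: create a local account with "net user ... /add", put it in Administrators with "net localgroup administrators ... /add", or park those commands in the Run key to execute at the next logon. Every one of those steps leaves a record a defender can check for. The following is an added example, not code from the thread or from any of its participants, showing the detection side: it correlates the Security-log events for local account creation and local-group membership changes (IDs 624 and 636 in the classic XP/2003 Security log, 4720 and 4732 on Vista and later), and scans autorun registry values for a parked "net user"/"net localgroup" command. The pipe-delimited event records, the registry values, and the account/host names are constructed sample data in a simplified layout; parse_event() is the piece to adapt to a real log export.

```python
"""Detect the local-admin-add technique discussed in the thread.

Three signals are checked:
  1. a local account was created (Security event 624 on XP/2003, 4720 on Vista+)
  2. an account was added to the local Administrators group (636 / 4732)
  3. a 'net user ... /add' or 'net localgroup ... /add' command sits in a
     Run/RunOnce key, waiting for the next logon to execute it.
All sample records below are constructed for this example, and the
'id|Field: value|Field: value' line format is a simplification, not a
real Windows export format.
"""
import re

USER_CREATED = {624, 4720}
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}
ADMIN_GROUP_NAMES = {"administrators"}

# net.exe hands the real work to net1.exe, so match both spellings.
NET_ADD_RE = re.compile(r"\bnet(?:1|\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)


def parse_event(line):
    """Turn 'id|Field: value|...' into (event_id, {field: value})."""
    parts = line.split("|")
    event_id = int(parts[0])
    fields = {}
    for part in parts[1:]:
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
    return event_id, fields


def detect_account_takeover(event_lines):
    """Return (severity, description) findings for account creation and
    Administrators-group additions. A group addition of an account that was
    created earlier in the same log window is rated high."""
    created = {}  # lower-cased account name -> caller that created it
    findings = []
    for line in event_lines:
        event_id, fields = parse_event(line)
        if event_id in USER_CREATED:
            name = fields.get("New Account Name", "").lower()
            created[name] = fields.get("Caller User Name", "?")
            findings.append(("medium",
                             f"local account {name!r} created by {created[name]} (event {event_id})"))
        elif event_id in LOCAL_GROUP_MEMBER_ADDED:
            group = fields.get("Target Account Name", "").lower()
            member = fields.get("Member ID", "")
            short_name = member.split("\\")[-1].lower()
            if group in ADMIN_GROUP_NAMES:
                fresh = short_name in created
                findings.append(("high" if fresh else "medium",
                                 f"{member} added to {group} (event {event_id})"
                                 + (" after being created in the same window" if fresh else "")))
    return findings


def detect_run_key_commands(registry_values):
    """Flag Run/RunOnce values whose command line adds a user or group member."""
    findings = []
    for key, name, data in registry_values:
        if RUN_KEY_RE.search(key) and NET_ADD_RE.search(data):
            findings.append(("high", f"autorun {key}\\{name} runs {data!r}"))
    return findings


# Constructed sample input (hostname WKSTN, users jdoe/testx/svc_backup are made up).
SAMPLE_EVENTS = [
    "528|Successful Logon|User Name: jdoe|Logon Type: 2",
    "624|User Account Created|New Account Name: testx|New Domain: WKSTN|Caller User Name: jdoe",
    "636|Security Enabled Local Group Member Added|Member ID: WKSTN\\testx|Target Account Name: Administrators|Target Domain: Builtin",
    "4732|A member was added to a security-enabled local group|Member ID: WKSTN\\svc_backup|Target Account Name: Administrators",
]
SAMPLE_REGISTRY = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "x",
     "cmd.exe /c net user testx password /add && net localgroup administrators testx /add"),
]

if __name__ == "__main__":
    for severity, text in detect_account_takeover(SAMPLE_EVENTS) + detect_run_key_commands(SAMPLE_REGISTRY):
        print(f"[{severity}] {text}")
```

On the sample data this reports the creation of testx, rates its addition to Administrators high because the creation was seen first, rates the svc_backup addition medium, and flags the parked Run-key command. Against a real host, feed it the Security log (624/636 before Vista, 4720/4732 after) and the HKLM and HKCU Run/RunOnce values; the Run-key check is what catches the "silent but deferred" variant the original poster describes.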
Current thread:
- add a local admin user without a pop-up ? me (Dec 03)
- RE: add a local admin user without a pop-up ? Jason M Frey (Dec 04)
- Re: add a local admin user without a pop-up ? Lee Lawson (Dec 04)
- Re: add a local admin user without a pop-up ? killy (Dec 07)
