2011-07-31 22:33:26

By Tim Brown

So recently I had a penetration test where the client had a requirement to allow normal users to execute a specific command as a local admin. Normally, when I hear such a requirement my eyes light up, as it can often be a quick way to get SYSTEM and then the domain. However, in this instance the client proudly told me about his underhanded method. Rather than use something like psexec, he'd discovered a nifty little utility called cpau which purported to encode the credentials to make it safe for use by normal users. Red rag to a bull, I decided to take a look: perhaps the encoding was weak and I could retrieve those all-important credentials.

I wasn't sure what I'd find, or whether I'd have time to fully reverse the encoding algorithm, but I started off my attack by loading cpau into OllyDbg. OllyDbg has a useful function where it will show you the functions a binary has imported, and I was hoping for a tell as to how the job file used by cpau was encrypted. I navigated to the list of imports and began scanning for functions I recognised and, lo and behold, spotted that it was using CreateProcessWithLogonW:

[olly-names.png - cpau uses CreateProcessWithLogonW]

Now, at this point I could have put a breakpoint on the function and extracted the username and password from the process's memory, but I wanted to try a different trick. I'd recently downloaded API Monitor and wanted to give that a shot. I loaded it up and configured it to hook the process as follows:

  • Process: C:\Documents and Settings\tmb\Desktop\CPAU.exe
  • Arguments: -dec -file "C:\Documents and Settings\tmb\Desktop\test.job" -lwp
  • Start in: C:\Documents and Settings\tmb\Desktop
  • Hook Using: Remote Thread

This yielded the following results:

[apimon-logon.png - I can haz ur password]
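The import check above is worth automating before a tool like this is rolled out: a wrapper that imports CreateProcessWithLogonW (or LogonUser) must hand the API a plaintext password inside the unprivileged user's own process, so whatever encoding the job file uses is only obfuscation, and the API Monitor capture is the expected result rather than a fluke. The following is an added example, not code from the post or from cpau, and it is not a Windows tool at all: it is a small pure-Python reader for the PE import directory that flags credential-accepting APIs, plus a constructed minimal PE32 image (a stand-in for a binary like cpau, built inline because a real executable cannot be embedded here). The list of APIs in CREDENTIAL_APIS is my own choice of the obvious candidates; the parser follows the documented PE32/PE32+ layout and handles both name and ordinal imports.

```python
import struct

# Win32 APIs that take caller-supplied credentials as plaintext strings.
# A wrapper that "encodes" a password but imports one of these has to decode
# it inside the caller's own process before the call, so anyone who can
# debug or hook that process (as in the post) reads the cleartext.
# The set is this example's own choice of candidates, not an exhaustive list.
CREDENTIAL_APIS = {
    "CreateProcessWithLogonW", "CreateProcessWithLogonA",
    "LogonUserW", "LogonUserA", "LogonUserExW", "LogonUserExA",
}

def _cstr(data, off):
    """Read a NUL-terminated ASCII string at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def pe_imports(data):
    """Return {dll: [function name or 'ordinal#N', ...]} from a PE's import table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    thunk_fmt, thunk_len = ("<Q", 8) if pe32plus else ("<I", 4)
    ordinal_flag = 1 << (63 if pe32plus else 31)
    # Data directory entry 1 is the import table (offset 96 in PE32, 112 in PE32+).
    import_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sections = []  # section table, used to translate RVAs to file offsets
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError("RVA 0x%x is outside every section" % rva)

    result = {}
    if import_rva == 0:
        return result
    desc = rva_to_off(import_rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        names = []
        thunk = rva_to_off(ilt_rva or iat_rva)  # prefer the lookup table over the IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append("ordinal#%d" % (entry & 0xFFFF))
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                names.append(_cstr(data, rva_to_off(entry) + 2))
            thunk += thunk_len
        result[_cstr(data, rva_to_off(name_rva))] = names
        desc += 20
    return result

def credential_apis_used(data):
    """Sorted list of credential-accepting APIs the binary imports."""
    return sorted(f for fns in pe_imports(data).values() for f in fns if f in CREDENTIAL_APIS)

def build_sample_pe(imports):
    """Construct a minimal PE32 image containing only an import table.
    A synthetic stand-in for a binary such as cpau; it is not a runnable executable."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_area = (len(imports) + 1) * 20  # descriptors sit at the section start
    body, descs = bytearray(), b""
    for dll, funcs in imports.items():
        entry_rvas = []
        for fn in funcs:  # hint/name entries
            entry_rvas.append(sec_rva + desc_area + len(body))
            body += b"\0\0" + fn.encode("ascii") + b"\0"
            body += b"\0" * (len(body) % 2)
        name_rva = sec_rva + desc_area + len(body)
        body += dll.encode("ascii") + b"\0"
        body += b"\0" * (-len(body) % 4)
        ilt_rva = sec_rva + desc_area + len(body)  # import lookup table
        body += b"".join(struct.pack("<I", r) for r in entry_rvas) + b"\0" * 4
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, ilt_rva)
    section = descs + b"\0" * 20 + bytes(body)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sec_rva, len(descs) + 20)  # import directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva,
                          len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    image = bytearray(dos + b"PE\0\0" + coff + opt + sec_hdr)
    image += b"\0" * (sec_raw - len(image)) + section
    return bytes(image)

# Constructed sample: a "credential wrapper" whose imports betray a plaintext logon call.
SAMPLE = build_sample_pe({
    "ADVAPI32.dll": ["CreateProcessWithLogonW", "RegOpenKeyExW"],
    "KERNEL32.dll": ["CreateFileW"],
})

if __name__ == "__main__":
    for dll, fns in pe_imports(SAMPLE).items():
        print(dll, fns)
    print("credential APIs:", credential_apis_used(SAMPLE))
```

Run it against a real binary with `pe_imports(open(path, "rb").read())`; a non-empty result from `credential_apis_used` is the cue to treat the tool's "encoded" credential store as recoverable by anyone who can run the tool, exactly as the API Monitor capture shows. Imports resolved at runtime through LoadLibrary/GetProcAddress will not appear in the table, so an empty result is a reason to go back to OllyDbg rather than a clean bill of health.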

Mood: Tired

Music: Dave - Mock The Week
