Goodbye Group Policy, Hello Command Shell: Circumventing GPO

Hi.  I'm guessing that you're already familiar with what Group Policy actually is; however, assumption is the mother of all... so, keeping with habits, here is a Wikipedia definition.

"Group Policy is a feature of Microsoft Windows NT family of operating systems. It is what provides the centralized management and configuration of computers and remote users in an Active Directory environment. In other words, it controls what users can and can't do on a computer network. Although Group Policy is usually used in enterprise environments, its usage is also common in schools, businesses, and other small organizations to restrict certain actions that may pose potential security risks: for instance, blocking the Windows Task Manager, restricting access to certain folders, disabling downloaded executable files and so on."

The full Wikipedia entry can be found here.

Now that's out of the way... let's think about why we would want to circumvent Group Policy.  Purely from an assurance point of view, we want to know if we have any 'gaps' in our machine lockdowns.  When I say 'gaps' I mean gap analysis: does the paper policy document differ from what is actually implemented?  And furthermore, are these gaps a result of implementation errors or misconfiguration?  From a malicious user's point of view, it's to do things we've explicitly been told we shouldn't be able to do: break out of the environment, execute applications, browse directories, etc.  Get me?  Now on with the show...

For my next trick ladies and gentlemen, I will make a Command Prompt (or Shell...) appear right before your very eyes...

To understand how we are going to circumvent Group Policy, let's first take a trip down memory lane to see how the Command Prompt gets disabled in the first place.  In an OU group policy, via the Group Policy Editor (gpedit.msc), "Prevent access to the command prompt" can be enabled.

Alternatively, you can do this directly in the registry (regedit) by setting the following registry value:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD

DisableCMD dword 0x00000001 = disable command prompt and batch files
DisableCMD dword 0x00000002 = disable command prompt but not batch files

Obviously a value of 0x00000000 (or no key at all) means it is enabled.
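As an added example (not from the original post), here is a PowerShell audit script for the gap analysis mentioned earlier: it reads the DisableCMD value described above and compares it with the value your written policy says should be there.  $ExpectedDisableCMD and the HKLM path are assumptions; only the HKCU path is named in the post.

```powershell
# Added audit example, not from the original post. Reads the DisableCMD
# value documented above and compares it with the written policy.
# $ExpectedDisableCMD is an assumption: set it from your own policy document.
$ExpectedDisableCMD = 1   # assumption: paper policy says "disable cmd and batch files"

# The post names the HKCU path; HKLM is an assumption added here so that a
# machine-scope setting is also reported during the audit.
$PolicyPaths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\System',
    'HKLM:\Software\Policies\Microsoft\Windows\System'
)

function Get-DisableCMDValue {
    param([string]$Path)
    # Returns $null when the key or the value is absent (prompt enabled).
    $item = Get-ItemProperty -Path $Path -Name 'DisableCMD' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DisableCMD
}

function Describe-DisableCMD {
    param($Value)
    # Meanings are the ones listed in the post; anything else is flagged.
    if ($null -eq $Value) { return 'absent (command prompt enabled)' }
    if ($Value -eq 0)     { return '0x00000000 (command prompt enabled)' }
    if ($Value -eq 1)     { return '0x00000001 (command prompt and batch files disabled)' }
    if ($Value -eq 2)     { return '0x00000002 (command prompt disabled, batch files allowed)' }
    return ('0x{0:X8} (undocumented value, investigate)' -f $Value)
}

$gaps = 0
foreach ($path in $PolicyPaths) {
    $actual = Get-DisableCMDValue -Path $path
    Write-Host ("{0}\DisableCMD : {1}" -f $path, (Describe-DisableCMD $actual))
    # Gap check is done against the user-scope path, which is where the
    # "Prevent access to the command prompt" setting lands.
    if ($path -like 'HKCU:*' -and $actual -ne $ExpectedDisableCMD) {
        Write-Warning ("Gap: expected DisableCMD={0} but found {1}" -f $ExpectedDisableCMD, (Describe-DisableCMD $actual))
        $gaps++
    }
}

if ($gaps -eq 0) { Write-Host 'No gap between documented policy and registry state.' }
# A correct value here only means the check inside cmd.exe is armed; as the
# rest of the post shows, that check happens on the client side.
```

Run it under the account whose lockdown you are auditing, since the value lives under HKEY_CURRENT_USER.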

The telltale sign that it has been disabled via the registry / GPO is:

"The command prompt has been disabled by your administrator.

Press any key to continue . . ."

Now that we understand how it gets disabled, we can move on and use this knowledge to circumvent it.

The interesting (or dumb) thing (I guess it depends on which perspective you're coming from...) about a Command Prompt is that when it's executed, it actually checks the registry to see if it is allowed to run or not.  To me that sounds too much like client-side security (trust?), and we all know how that ends up: Cinderella never gets to go to the ball.  This insecurity is what allows us to get funky and circumvent GPO.

We could code up our own version of a Command Prompt without this check, of course, using debug.exe, but that's another story.  Let's assume (just for fun) that our target system explicitly disallows debug.exe through software restriction policies, or isn't running Windows 2000.  What if we could start a Command Prompt, pause it, search through its memory for the name of the value it is about to check (before it is referenced), change that string, and then resume the Command Prompt?  Sounds like a damn good idea if you ask me...

Introducing the Basic Process Manipulation Tool Kit (or BPMTK for short...).  This little badboy allows you to do all sorts of sexy things like injecting .dlls, but for this trick I'll use a dummy .dll as I'm just interested in the 'start, pause, search, change, resume' goodness.  We load this tool onto the system and tell it to start cmd.exe with the following script:

start cmd.exe
search-and-write module:. unicode:DisableCMD hex:41
inject-dll dummy.dll
pause

This changes the "D" of the "DisableCMD" value name to an "A" (hexadecimal 41), which creates "AisableCMD".  We then resume it and, just like magic, the Command Prompt now works!  It does this because cmd.exe now looks for an "AisableCMD" value in the registry to determine whether it should run or not... and since that value doesn't exist, we're all gravy, baby.

We must thank the CreateProcess function for this, as it allows us to create a new process with its main thread in a suspended, coma-like state.  We then run about hacking up strings in memory before the program gets a chance to read 'em.

I told you security was amazing.

Download BPMTK here.
