I Pwnd Myself

Seriously, how does this stuff happen? It all started with me preparing for teaching next week. I found out that the students would not have admin rights on their computers. Part of the class is installing Apache, PHP, and MySQL, and then being able to write to those directories, start and stop services, etc. Since I've coded a few programs, I decided I would write something that the students could use to elevate their privileges.
I thought about writing a .NET app, but then realized that I can't count on the .NET runtime being on these machines. I needed something natively supported by Windows. The network admin in me shouted "vbscript". Ok, this should be easy enough. I started by trying to get WMI to auth using my credentials, but after much frustration decided that wasn't the right path. Then I thought, I could just make the script do a runas and feed in my password. Insecure, possibly, but I would use the vbscript encoder to make sure the file was unreadable. The linux admin in me wanted to feed the password on the command line. Unfortunately the runas command doesn't allow for that. So I thought I could do something like this:
    echo "password" | runas /user:domain\kevin "msiexec /i apache.msi"

No dice. I wasn't about to give up, so I needed to find another way of feeding information to the command as if I had typed it myself in the console. I stumbled upon the wscript.shell.sendkeys() method, which does just that. So I coded everything up and started testing it out. It was working. Now I just needed to make it do the same for four separate install files. Easy enough.
Now, I was at work at the time of this testing. I had just kicked off the script when I received an instant message from a co-worker. That's when all hell broke loose. The IM took focus on my machine (of course) but it also received the focus of my script. So into the IM window went my runas command, then my password, then another runas command, then my password, three times total. I had just given my network password to my co-worker on a silver platter.
I'm pretty sure the reason the focus of my script got lost was because when I started it from the command line I just called the file instead of "cscript file.vbs". I have since put a check in the file to make sure it was called by cscript.
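The host check described above, written out as an added example (my code, not the author's script). SendKeys types into whichever window currently has keyboard focus, so the guard refuses to run unless the script was started by cscript.exe, the console host, and tells the user how to start it correctly. It reads the host name from WScript.FullName, which is the standard property for this. One caveat worth adding: the VBScript encoder mentioned earlier only obfuscates the file; the encoding is reversible, so an encoded script still hands the password to anyone who can read it.

```vbscript
' Added example: refuse to run under the GUI host (wscript.exe).
' Place this at the top of the install script, before any SendKeys call.
Option Explicit

Dim hostExe

' WScript.FullName is the full path of the host executing this script,
' e.g. C:\Windows\System32\cscript.exe or C:\Windows\System32\wscript.exe.
' Keep only the file name and compare case-insensitively.
hostExe = LCase(Mid(WScript.FullName, InStrRev(WScript.FullName, "\") + 1))

If hostExe <> "cscript.exe" Then
    ' Under wscript.exe there is no console window of our own, so any
    ' keystrokes sent later would land in some other application.
    MsgBox "Run this script from a console as:" & vbCrLf & _
           "    cscript //nologo " & WScript.ScriptName, _
           vbExclamation, "Wrong script host"
    WScript.Quit 1
End If

' From here on the script is running inside the console it was started
' from, which is the window that should be receiving the keystrokes.
WScript.Echo "Running under " & hostExe & "; proceeding."
```

Double-clicking the .vbs file in Explorer launches it with wscript.exe, which is the case this check catches; starting it from a command prompt with cscript.exe passes. The check does not make SendKeys safe, since another window can still steal focus mid-run, which is exactly what happened here.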
Needless to say, I changed my network password about a minute after that happened. It's a good thing that my passwords are randomly generated strings of letters, numbers, and special characters. ;)