From lkcl@samba.org Sat May 20 04:42:40 2000
Date: Wed, 17 May 2000 23:56:00 +1000
From: Luke Kenneth Casson Leighton
To: Russ
Cc: Peter Samuelson
Subject: RE: worm fix (was Re: ILOVEYOU) (fwd)

thx peter.

russ, peter is aware that you cannot actually update HKCU: you have to go to
HKU\S-1-5-xxx-yyy-zzz, which will work even with multiple simultaneously
logged-in terminal server clients.

also, peter, the syntax is -Uuser%pass -W domainname

On Wed, 17 May 2000, Peter Samuelson wrote:

[Russ Cooper]
> > Scripts to get rid of that one worm are too old news now.  However,
> > a script that runs from Unix that can access registries on MS boxen
> > is definitely valuable, and something I'd like to see on NTBugtraq.

[Luke Kenneth Casson Leighton]
> peter, could you possibly send the latest ily script you wrote, and
> if i forward you an NTBUGTRAQ post, could you write one that does the
> active-script job, too?

The original script, in all its kludged glory, is at

  http://samba.org/listproc/samba-ntdom/May2000/0198.html
  http://samba.org/listproc/samba-ntdom/May2000/0228.html

(the second URL is a fix for an embarrassing bug).

[Boris Pavalec]
> [HKCU\SW\MS\Windows\CV\Internet Settings\Zones\4]
> 1400=03 (DWORD)
> 1405=03 (DWORD)
>
> and
>
> [HKCU\SW\MS\Office\9.0\Outlook\Options\General]
> Security Zone=4 (DWORD)

OK, if this is for publication in such a place as NTBUGTRAQ, I suppose my
code had better be on its best behavior.  (Meaning no Linux-isms or
POSIX-shell-isms; there were a few.)  So I've cleaned it up some.  It
still seems to work, wonder of wonders.

But it got me thinking about two things Samba-TNG *really* needs:

(1) A command-line regedit program, perhaps with control-flow primitives
    like "foreach %key HKEY_USERS\S-* { frob %key... }" or
    "ifdef HKLM\SW\xxx { ... }", but in any case it should be able to
    import/export REGEDIT4 files directly, since that's what NT admins
    work with.
(2) Some way of accessing a hive straight from a file (I seem to remember
    that this has been done, somewhere).  This would allow you to edit
    roaming profiles right on the server.

Ideally, (1) and (2) should be the same program.  I'm not exactly
volunteering to write it, but if I ever get *really* bored and feel like
it, I might take a stab at (1) at least.

Peter

#!/bin/sh
#
# copyright abandoned, Peter Samuelson
#
# HOW TO RUN: run this with computer names on the command line.
# If your administrator account isn't called WORKGROUP\Administrator,
# you will need to use "-U DOMAIN/User" or "-U DOMAIN/User%password".
#
# Requires:
#  - NT clients (i.e. not Win95/Win98)
#  - rpcclient from Samba-TNG
#    (ftp://ftp.samba.org/pub/samba/alpha/samba-tng-alpha.2.5.3.tar.bz2)
#    NOT the regular, released version of Samba.
#
# Also requires that your target user is logged in.  We're not so
# sophisticated as to be able to mount NTUSER.DAT onto the registry by
# ourselves, remotely.  (That'd be nice!)  NT POLEDIT.EXE can't either,
# so I think we can assume it's a protocol limitation.

# defaults, to be overridden below
domain=WORKGROUP
user=Administrator

usage () {
  echo >&2 "usage: $0 [-U [domain/]user[%password]] machine1 machine2 ..."
  exit 1
}

# "echo without newline" madness
n=-n; c=; if [ -n "`echo -n`" ]; then n=; c=\\c; fi

# command line arguments for authentication:
#   -U {USER}
#   -U {USER}%{PASSWORD}
#   -U {DOMAIN}/{USER}%{PASSWORD}
set -- `getopt U:W:N "$@"`
while [ ! x"$1" = x-- ]; do
  case "$1" in
    -N) havepass=1 ;;          # undocumented, see smbclient
    -W) domain=$2; shift ;;    # undocumented, see smbclient
    -U) user=$2; shift ;;
  esac
  shift
done
shift

# no machine names?
if [ -z "$1" ]; then usage; fi

# extract domain and/or password from username...
case $user in
  *[/\\]*) domain=${user%%[/\\]*}; user=${user#*[/\\]} ;;
esac
case $user in
  *%*) pass=${user#*%}; user=${user%%%*}; havepass=1 ;;
esac

# put domain in uppercase, people expect these kinds of things
domain=`echo $domain | tr '[a-z]' '[A-Z]'`

# read password (putting terminal in no-echo mode, of course!)
if [ -z "$havepass" ]; then
  stty -echo
  echo $n "$domain\\$user password: "$c; read pass; echo ''
  stty echo
fi

# log all "interesting" output
# (a fixed, predictable name under /tmp: on a shared host another local
# user can pre-create the file or plant a symlink there)
exec 4> /tmp/`basename $0`.log

######################################################################
# Here the fun begins

# loop on machine names given on command line
for machine; do

  # We can't use HKEY_CURRENT_USER directly, because, well, we just can't.
  # I think because we're not logging in as the same user as on console.
  # We *can* go through HKEY_USERS.  Here we enumerate it....
  echo $n "$machine: getting current user(s) ... "$c
  sids=`rpcclient -S $machine -W $domain -U ${user}%${pass} \
          -c 'regenum hkey_users; quit;' | awk '/S-1-5-21/ { print $1 }'`
  echo $sids

  echo $n "$machine: frobbing registry ... "$c

  # Here's where having multiple users in HKEY_USERS gets annoying.
  # I'm not sure why you sometimes have multiple SIDs, but you do.
  # Here we have to loop through each SID, adding relevant regedit
  # commands to a string that we will pass on to rpcclient.
  #
  # The `regcreateval' command takes three parameters:
  # name, type, value.  type=4 is DWORD.
  regcmd=
  for sid in $sids; do
    regcmd="$regcmd \
regcreateval \"hkey_users\\$sid\\software\\microsoft\\windows\\currentversion\\internet settings\\zones\\4\\1400\" 4 3; \
regcreateval \"hkey_users\\$sid\\software\\microsoft\\windows\\currentversion\\internet settings\\zones\\4\\1405\" 4 3; \
regcreateval \"hkey_users\\$sid\\software\\microsoft\\office\\9.0\\outlook\\options\\general\\security zone\" 4 4;"
  done
  rpcclient -S $machine -W $domain -U ${user}%${pass} -c "$regcmd quit;" >&4 2>&4
  echo "done."
done

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Macmillan Technical Publishing  ISBN 1578701503
DCE/RPC over SMB: Samba and Windows NT Domain Internals