How to Use COMThanasia to Perform a Security Audit of COM Objects

admin, 2024-10-31 21:05:49

About COMThanasia

COMThanasia is a security audit tool for COM objects. It helps researchers detect a range of security problems in COM objects with little effort.

Features

1. Detects incorrect access control on COM objects (LaunchPermission, AccessPermission);

2. Detects incorrect registry permissions on COM objects;

3. Finds new Elevation Monikers (UAC bypass);

4. Retrieves detailed information about a specific CLSID;

5. Checks cross-session activation issues for low-privileged users.

Components

The current version of COMThanasia consists of the following components:

PermissionHunter

ComDiver

MonikerHound

ClsidExplorer

ComTraveller

Installation

Clone the project source to a local machine with the following command:

git clone https://github.com/CICADA8-Research/COMThanasia.git
Usage

PermissionHunter

PermissionHunter is a tool that lets you check the LaunchPermission and ActivatePermission of every COM object on the system:

PS A:\mzhmo> .\PermissionHunter.exe -h

    [ASCII-art banner]

PermissionHunter - hunt for incorrect LaunchPermission and ActivatePermission
CICADA8 Research Team
From Michael Zhmaylo (MzHmO)

PermissionHunter.exe
Small tool that allows you to find vulnerable COM objects with incorrect LaunchPermission and ActivatePermission

[OPTIONS]
-outfile : output filename
-outformat : output format. Accepted 'csv' and 'xlsx'
-h/--help : shows this windows

Example usage:

PS A:\mzhmo> .\PermissionHunter -outfile result -outformat xlsx

    [ASCII-art banner]

PermissionHunter - hunt for incorrect LaunchPermission and ActivatePermission
CICADA8 Research Team
From Michael Zhmaylo (MzHmO)
[+] Result will be in result, format xlsx
[+] Success

The output looks like this:

[Screenshot of the xlsx report, shown as an image in the original post]
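To see what PermissionHunter's check amounts to, the following PowerShell script (an added example written for this article, not COMThanasia's own code) decodes the binary LaunchPermission and AccessPermission security descriptors stored under HKCR\AppID and reports allow-ACEs that grant COM launch or activation rights to broad principals. The list of "broad" principals and the COM_RIGHTS_* bit names are this example's own choices; the RawSecurityDescriptor class and the registry layout are standard Windows/.NET. It is read-only and runs as a normal user.

```powershell
# Added example, not COMThanasia code: audit HKCR\AppID LaunchPermission /
# AccessPermission descriptors for broad principals. Read-only.

# COM access-right bits as documented for DCOM (COM_RIGHTS_EXECUTE etc.)
$ComRights = @{ 1 = 'EXECUTE'; 2 = 'EXECUTE_LOCAL'; 4 = 'EXECUTE_REMOTE'; 8 = 'ACTIVATE_LOCAL'; 16 = 'ACTIVATE_REMOTE' }

# Principals that should not normally hold launch/activate rights on a privileged server
# (this list is the example's own audit policy; extend it for your environment).
$Broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'Users'
}

function Get-ComRightNames([int]$Mask) {
    ($ComRights.Keys | Sort-Object | Where-Object { $Mask -band $_ } | ForEach-Object { $ComRights[$_] }) -join '|'
}

# Returns one string per suspicious ACE; no output means nothing was flagged.
function Get-WeakComAce([byte[]]$Sd) {
    $raw = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sd, 0)
    # A NULL DACL grants everyone full access, which is the worst case.
    if ($null -eq $raw.DiscretionaryAcl) { return 'NULL DACL (unrestricted)' }
    foreach ($ace in $raw.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($Broad.ContainsKey($sid) -and ($ace.AccessMask -band 0x1F)) {
            '{0} ({1}): {2}' -f $Broad[$sid], $sid, (Get-ComRightNames $ace.AccessMask)
        }
    }
}

# HKCR\AppID also contains exe-name alias keys; only the {AppID} keys carry permissions.
Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '{*}' } |
    ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        foreach ($name in 'LaunchPermission', 'AccessPermission') {
            $bytes = $props.$name
            if ($bytes -is [byte[]]) {
                $hits = @(Get-WeakComAce $bytes)
                if ($hits.Count -gt 0) {
                    [pscustomobject]@{
                        AppID = $_.PSChildName
                        Value = $name
                        RunAs = $props.RunAs   # 'Interactive User' servers are the cross-session case
                        Weak  = $hits -join '; '
                    }
                }
            }
        }
    } | Format-Table -AutoSize
```

Two caveats when reading the output: an AppID with no explicit LaunchPermission or AccessPermission value falls back to the machine-wide defaults in HKLM\SOFTWARE\Microsoft\Ole (DefaultLaunchPermission, DefaultAccessPermission), which this script does not decode; and a flagged ACE is a lead, not a finding, until you confirm which server runs under that AppID, what identity it runs as (the RunAs column), and what its interfaces expose.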

ComDiver

This tool detects the second class of problem listed above (insecure registry and file permissions on COM objects) and scans the registry in the order of precedence in which keys are consulted when a COM object is looked up. That ordering is what lets it also find Shadow COM Hijacking:

PS A:\ssd\gitrepo\COMThanasia\ComDiver\x64\Debug> .\ComDiver.exe -h

    [ASCII-art banner]

----------- COM DIVER --------------

[?] Small tool to check insecure registry and disk permissions on com objects

[?] ARGS

-h/--help <- show this message

--from <CLSID> <- analyze CLSIDs from this clsid

--target <CLSID> <- analyze one target clsid

--no-context <- dont check another COM-server context. Only registry analyzing.

--no-create <- dont create target COM object. This is the fastest mode


Example usage:

.\ComDiver.exe --no-create

[Screenshot of ComDiver output, shown as an image in the original post]
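The lookup-order point is the heart of ComDiver, so here is a small PowerShell audit (an added example for this article, not ComDiver's own code) that, for one CLSID, walks the hives in the order COM resolves them for a non-elevated process (per-user HKCU\Software\Classes first, then HKLM\Software\Classes) and reports what a hijack audit cares about: a per-user entry that shadows the machine entry, a server key the current user can write, and a server binary that is missing or writable. The function names are this example's own; it only probes (opens for write and immediately closes) and modifies nothing. It assumes a 64-bit process and does not follow WOW6432Node, TreatAs or ProgID indirections.

```powershell
# Added example, not ComDiver code: per-CLSID registry/file permission audit.

function Test-RegKeyWritable([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey) {
    try {
        $k = $Hive.OpenSubKey($SubKey, $true)   # $true requests write access; denied => exception/null
        if ($k) { $k.Close(); return $true }
    } catch { }
    return $false
}

function Test-FileWritable([string]$Path) {
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite')
        $fs.Close()
        return $true
    } catch [System.UnauthorizedAccessException] { return $false }
    catch { return 'unknown (sharing violation or other I/O error)' }
}

function Resolve-ServerPath([string]$Raw) {
    # Strip surrounding quotes and trailing arguments, expand %SystemRoot%-style variables.
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }
    return ($p -split ' /| -', 2)[0]
}

function Get-ComServerAudit([string]$Clsid) {
    # Order matters: this is the precedence a non-elevated process sees.
    $hives = @(
        @{ Name = 'HKCU'; Key = [Microsoft.Win32.Registry]::CurrentUser },
        @{ Name = 'HKLM'; Key = [Microsoft.Win32.Registry]::LocalMachine }
    )
    $found = $false
    foreach ($h in $hives) {
        $sub = "Software\Classes\CLSID\$Clsid"
        $key = $h.Key.OpenSubKey($sub)
        if (-not $key) { continue }
        $found = $true
        foreach ($srv in 'InprocServer32', 'LocalServer32') {
            $srvKey = $key.OpenSubKey($srv)
            if (-not $srvKey) { continue }
            $path   = Resolve-ServerPath ([string]$srvKey.GetValue(''))
            $exists = [bool]($path -and (Test-Path -LiteralPath $path))
            $fw = if ($exists) { Test-FileWritable $path } else { 'n/a (missing)' }
            [pscustomobject]@{
                Hive         = $h.Name
                Server       = $srv
                Path         = $path
                # A per-user entry is what a non-elevated process resolves, so it shadows HKLM.
                ShadowsHKLM  = ($h.Name -eq 'HKCU')
                KeyWritable  = Test-RegKeyWritable $h.Key "$sub\$srv"
                FileExists   = $exists
                FileWritable = $fw
            }
        }
    }
    if (-not $found) { Write-Warning "No CLSID\$Clsid entry in HKCU or HKLM" }
}

# Usage with a placeholder CLSID (substitute one reported by ComDiver):
# Get-ComServerAudit '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A row with Hive = HKCU on a machine where the application was installed per-machine is worth a second look (per-user COM registrations are legitimate for per-user installs, so correlate with what installed it), as is any HKLM row where KeyWritable or FileWritable is True or FileExists is False, since each means a low-privileged account could change which code a higher-privileged caller loads for that CLSID.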

MonikerHound

MonikerHound lets us detect UAC bypass issues:

PS A:\ssd\gitrepo\COMThanasia\MonikerHound\x64\Debug> .\MonikerHound.exe

    [ASCII-art banner]

MonikerHound - find your own UAC Bypass!
CICADA8 Research Team
From Michael Zhmaylo (MzHmO)
[+] Potential COM server for elevation moniker found!
Name: CEIPLuaElevationHelper
CLSID: {01D0A625-782D-4777-8D4E-547E6457FAD5}
LocalizedString: @%systemroot%\system32\werconcpl.dll,-351
Enabled: 1
IconReference: @%systemroot%\system32\werconcpl.dll,-6
Activate: Success
PID: 15800
DllHost.exe
[+]........................[+]
[+] Potential COM server for elevation moniker found!
Name: CTapiLuaLib Class
CLSID: {03e15b2e-cca6-451c-8fb0-1e2ee37a27dd}
LocalizedString: @%systemroot%\system32\tapiui.dll,-1
Enabled: 1
IconReference: @%systemroot%\system32\tapiui.dll,-201
Activate: Success
PID: 440
DllHost.exe
[+]........................[+]

ClsidExplorer

ClsidExplorer lets you retrieve information about a specific CLSID:

PS A:\ssd\gitrepo\COMThanasia\ClsidExplorer\x64\Debug> .\CLSIDExplorer.exe -h
CLSIDExplorer.exe - identify all info by clsid
Usage:
.\CLSIDExplorer.exe --clsid "{00000618-0000-0010-8000-00aa006d2ea4}"

Example usage:

PS A:\ssd\gitrepo\COMThanasia\ClsidExplorer\x64\Debug> .\CLSIDExplorer.exe --clsid "{00000618-0000-0010-8000-00aa006d2ea4}"
[{00000618-0000-0010-8000-00aa006d2ea4}]
        AppID: Unknown
        ProgID: Unknown
        PID: 1572
        Process Name: CLSIDExplorer.exe
        Username: WINPC\Michael
        Methods:
        [0] __stdcall void QueryInterface(IN GUID*, OUT void**)
        [1] __stdcall unsigned long AddRef()
        [2] __stdcall unsigned long Release()
        [3] __stdcall void GetTypeInfoCount(OUT unsigned int*)
        [4] __stdcall void GetTypeInfo(IN unsigned int, IN unsigned long, OUT void**)
        [5] __stdcall void GetIDsOfNames(IN GUID*, IN char**, IN unsigned int, IN unsigned long, OUT long*)
        [6] __stdcall void Invoke(IN long, IN GUID*, IN unsigned long, IN unsigned short, IN DISPPARAMS*, OUT VARIANT*, OUT EXCEPINFO*, OUT unsigned int*)
        [7] __stdcall BSTR Name()
        [8] __stdcall void Name(IN BSTR)
        [9] __stdcall RightsEnum GetPermissions(IN VARIANT, IN ObjectTypeEnum, IN VARIANT)
        [10] __stdcall void SetPermissions(IN VARIANT, IN ObjectTypeEnum, IN ActionEnum, IN RightsEnum, IN InheritTypeEnum, IN VARIANT)
        [11] __stdcall void ChangePassword(IN BSTR, IN BSTR)
        [12] __stdcall Groups* Groups()
        [13] __stdcall Properties* Properties()
        [14] __stdcall _Catalog* ParentCatalog()
        [15] __stdcall void ParentCatalog(IN _Catalog*)
        [16] __stdcall void ParentCatalog(IN _Catalog*)
[END]

ComTraveller

This tool lets you explore all available COM objects:

PS A:\SSD\gitrepo\COMThanasia\ComTraveller\x64\Debug> .\ComTraveller.exe -h

    [ASCII-art banner]

ComTraveller - small tool to parse and extract information about all registered CLSIDs on the system
Usage:
--file <output> - output filename. Default: output.csv
--from <clsid> - start exploring clsids from this clsid. (for ex. default enum from 1 to 9. with --from 4 will be from 4 to 9)
--session <session> - use if you want to check Cross-Session Activation in a specific session. Useful only with 'Run as interactive user COM objects'
--target <CLSID> - analyze this CLSID
-h/--help - shows this screen

Example usage:

.\ComTraveller.exe --file rep.csv --session 1

[Two screenshots of ComTraveller output, shown as images in the original post]

Project URL

COMThanasia

https://github.com/CICADA8-Research/COMThanasia

Originally published on the WeChat public account FreeBuf: How to Use COMThanasia to Perform a Security Audit of COM Objects

Reposted by CN-SEC: https://cn-sec.com/archives/3339874.html