COMThanasia是一款针对COM对象的安全审计工具,可以帮助广大研究人员轻松检测COM对象中的各种安全问题。
1、检测COM对象(LaunchPermission、AccessPermission)中不正确的访问控制问题;
2、COM对象中不正确的注册表权限;
3、找到新的Elevation Moniker - UAC Bypass;
4、获取有关特定 CLSID 的详细信息;
5、检查低权限用户跨会话问题;
当前版本的COMThanasia由以下几个组件组成:
PermissionHunter
ComDiver
MonikerHound
ClsidExplorer
ComTraveller
广大研究人员可以直接使用下列命令将该项目源码克隆至本地:
git clone https://github.com/CICADA8-Research/COMThanasia.git
PermissionHunter
PermissionHunter 是一个工具,它允许您检查系统上所有 COM 对象上的 LaunchPermission 和 ActivatePermission:
PS A:mzhmo> .PermissionHunter.exe -h
,
`-. .-'
,-"`````""-__ | /
'-.._ _.-'` '-o,
_>--:{{< ) |)
.-'' '-.__.-o`
'-._____..-/` |
,-' / `-.
`
PermissionHunter - hunt for incorrect LaunchPermission and ActivatePermission
CICADA8 Research Team
From Michael Zhmaylo (MzHmO)
PermissionHunter.exe
Small tool that allows you to find vulnerable COM objects with incorrect LaunchPermission and ActivatePermission
[OPTIONS]
-outfile : output filename
-outformat : output format. Accepted 'csv' and 'xlsx'
-h/--help : shows this windows
使用样例:
PS A:mzhmo> .PermissionHunter -outfile result -outformat xlsx
,
`-. .-'
,-"`````""-__ | /
'-.._ _.-'` '-o,
_>--:{{< ) |)
.-'' '-.__.-o`
'-._____..-/` |
,-' / `-.
`
PermissionHunter - hunt for incorrect LaunchPermission and ActivatePermission
CICADA8 Research Team
From Michael Zhmaylo (MzHmO)
[+] Result will be in result, format xlsx
[+] Success
输出内容如下:
ComDiver
此工具可让您检测此类漏洞,并根据搜索 COM 对象时查看的键的优先级扫描注册表。通过这种方式,您甚至可以找到 Shadow COM Hijacking:
PS A:ssdgitrepoCOMThanasiaComDiverx64Debug> .ComDiver.exe -h
/
o ^ o /
( ) /
____________(%%%%%%%)____________
( / / )%%%%%%%( )
(___/___/__/ ________)
( / /(%%%%%%%) )
(__/___/ (%%%%%%%) _____)
/( )
/ (%%%%%)
(%%%)
!
----------- COM DIVER --------------
[?] Small tool to check insecure registry and disk permissions on com objects
[?] ARGS
-h/--help <- show this message
--from <CLSID> <- analyze CLSIDs from this clsid
--target <CLSID> <- analyze one target clsid
--no-context <- dont check another COM-server context. Only registry analyzing.
--no-create <- dont create target COM object. This is the fastest mode
使用样例:
.ComDiver.exe --no-create
MonikerHound
MonikerHound允许我们检测UAC绕过问题:
PS A:ssdgitrepoCOMThanasiaMonikerHoundx64Debug> .MonikerHound.exe
_ _,
o-o/
,(.-.),
|) (| _
/ =
=/ |,
| / _
_!_/
MonikerHound - find your own UAC Bypass!
CICADA8 Research Team
From Michael Zhmaylo (MzHmO)
Potential COM server for elevation moniker found!
Name: CEIPLuaElevationHelper
CLSID: {01D0A625-782D-4777-8D4E-547E6457FAD5}
LocalizedString: @%systemroot%system32werconcpl.dll,-351
Enabled: 1
IconReference: @%systemroot%system32werconcpl.dll,-6
Activate: Success
PID: 15800
DllHost.exe
[+]........................[+]
Potential COM server for elevation moniker found!
Name: CTapiLuaLib Class
CLSID: {03e15b2e-cca6-451c-8fb0-1e2ee37a27dd}
LocalizedString: @%systemroot%system32tapiui.dll,-1
Enabled: 1
IconReference: @%systemroot%system32tapiui.dll,-201
Activate: Success
PID: 440
DllHost.exe
[+]........................[+]
ClsidExplorer
ClsidExplorer 允许您检索有关特定 CLSID 的信息:
PS A:ssdgitrepoCOMThanasiaClsidExplorerx64Debug> .CLSIDExplorer.exe -h
CLSIDExplorer.exe - identify all info by clsid
Usage:
.CLSIDExplorer.exe --clsid "{00000618-0000-0010-8000-00aa006d2ea4}"
使用样例:
PS A:ssdgitrepoCOMThanasiaClsidExplorerx64Debug> .CLSIDExplorer.exe --clsid "{00000618-0000-0010-8000-00aa006d2ea4}"
[{00000618-0000-0010-8000-00aa006d2ea4}]
AppID: Unknown
ProgID: Unknown
PID: 1572
Process Name: CLSIDExplorer.exe
Username: WINPC\Michael
Methods:
[0] __stdcall void QueryInterface(IN GUID*, OUT void**)
[1] __stdcall unsigned long AddRef()
[2] __stdcall unsigned long Release()
[3] __stdcall void GetTypeInfoCount(OUT unsigned int*)
[4] __stdcall void GetTypeInfo(IN unsigned int, IN unsigned long, OUT void**)
[5] __stdcall void GetIDsOfNames(IN GUID*, IN char**, IN unsigned int, IN unsigned long, OUT long*)
[6] __stdcall void Invoke(IN long, IN GUID*, IN unsigned long, IN unsigned short, IN DISPPARAMS*, OUT VARIANT*, OUT EXCEPINFO*, OUT unsigned int*)
[7] __stdcall BSTR Name()
[8] __stdcall void Name(IN BSTR)
[9] __stdcall RightsEnum GetPermissions(IN VARIANT, IN ObjectTypeEnum, IN VARIANT)
[10] __stdcall void SetPermissions(IN VARIANT, IN ObjectTypeEnum, IN ActionEnum, IN RightsEnum, IN InheritTypeEnum, IN VARIANT)
[11] __stdcall void ChangePassword(IN BSTR, IN BSTR)
[12] __stdcall Groups* Groups()
[13] __stdcall Properties* Properties()
[14] __stdcall _Catalog* ParentCatalog()
[15] __stdcall void ParentCatalog(IN _Catalog*)
[16] __stdcall void ParentCatalog(IN _Catalog*)
[END]
ComTraveller
此工具允许您探索所有可用的 COM 对:
PS A:SSDgitrepoCOMThanasiaComTravellerx64Debug> .ComTraveller.exe -h
,,_
zd$$??=
z$$P? F:`c, _
d$$, `c'cc$$i ,cd$?R
$$$$ cud$,?$$$i ,=P"2?z "
$" " ?$$$,?$$$. ,-''`>, bzP
'cLdb,?$$,?$$$ ,h' "I$'J$P
... `?$$$,"$$,`$$h $$PxrF'd$"
d$PP""?-,"?$$,?$h`$$,,$$'$F44"
?,,_`=4c,?=,"?hu?$`?L4$'? '
`""?==""=-"" `""-`'_,,,,
.ccu?m?e?JC,-,"=?
"""=='?"
ComTraveller - small tool to parse and extract information about all registered CLSIDs on the system
Usage:
--file <output> - output filename. Default: output.csv
--from <clsid> - start exploring clsids from this clsid. (for ex. default enum from 1 to 9. with --from 4 will be from 4 to 9)
--session <session> - use if you want to check Cross-Session Activation in a specific session. Useful only with 'Run as interactive user COM objects'
--target <CLSID> - analyze this CLSID
-h/--help - shows this screen
使用样例:
.ComTraveller.exe --file rep.csv --session 1
COMThanasia:
https://github.com/CICADA8-Research/COMThanasia
原文始发于微信公众号(FreeBuf):如何使用COMThanasia对COM对象执行安全审计
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论