______ Y ______
My own personal time capsule.
Tag Archives: windows
DLL Alghoritm Hijack Privilage Escalation
Posted by on December 24, 2012
So lately I’ve heard a lot about how you can use the DLL search algorithm to hijack the library during the loading time (KB2269637) and execute your own code. I found this to be rather curious way to exploit the system as in simple terms we can just replace one of the libraries listed by this script to execute our own code. Simple yet very effective ;D
Here is how the exploitation can happen:
1) Login onto the box
2) Find the DLL’s outside of the MS protection zone (check this for some details)
3) Replace the DLL with your version with i.e. remote connection shell stored in the same folder as the executable we want to attack
4) Wait for the execution via user interaction or execute the program yourself if you got sufficient rights
5) Enjoy the shell
Here is the binary distribution (of course remove .png from file name ending and do wget on the following link) :
https://waitfordebug.wordpress.com/wp-content/uploads/2012/12/windows-dll-search-privesc-zip.png
Here is the sourcecode:
print "[+] DLL Search Algorithm Privesc Check by Y"
print "[+] contact : If you know me then give me a shout"
print "\n"
### Imports
import win32com.client
import sys
from ctypes import *
from ctypes.wintypes import *
import sys
import os
from optparse import OptionParser
### Define System DLL's
kernel32 = windll.kernel32
advapi32 = windll.advapi32
class TOKEN_PRIVS(Structure):
_fields_ = (
("PrivilegeCount", ULONG),
("Privileges", ULONG * 3)
)
def getDrives():
print "[+] Enumerating current partitions"
drivebits=k.GetLogicalDrives()
partition_list = list_unsafecalls()
for drives in range(1,26):
mask=1 << drives
if drivebits & mask:
drive_letter='%c:\\' % chr(ord('A')+drives)
partition_list.append(drive_letter)
print "\t[+]Found drive: %s" % drive_letter
return partition_list
def get_debug_privs():
try:
print "[+] Danger Will Robinson, We are elevating ourself to god level!"
token = HANDLE()
advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), 0x00000020, byref(token))
privs = TOKEN_PRIVS()
privs.PrivilegeCount = 1
privs.Privileges = (0x14, 0, 2)
advapi32.AdjustTokenPrivileges(token, 0, byref(privs), 0, 0, 0)
print "\t [+] Privilege Adjusted Successfully"
kernel32.CloseHandle(token)
except:
print "\t [-]Unable to elevate. Exiting ..."
sys.exit()
def get_win32_product():
try:
objWMIService = win32com.client.Dispatch("WbemScripting.SWbemLocator")
objSWbemServices = objWMIService.ConnectServer(".","root\cimv2")
colItems = objSWbemServices.ExecQuery("Select * from Win32_Product")
installed_soft = {}
for objItem in colItems:
installed_soft[objItem.Caption] = {'InstallLocation':objItem.InstallLocation,
'InstallName':objItem.InstallSource,
'InstallState':objItem.InstallState,
'InstallSoftware':objItem.Caption,
'InstallID':objItem.IdentifyingNumber,
'InstallDate':objItem.InstallDate,
'InstallLocalPackage':objItem.LocalPackage
}
print "\t[+] We Have The 'List'!"
return installed_soft
except:
print "\t[-] Could not acquire software list"
return None
def find_dlls_in_folder(location):
list_dlls = []
for folder in location:
for dirname, dirnames, filenames in os.walk(folder):
for dirfolder in dirnames:
# we need to be able to write to the folder (inherited permissions)
if os.access(os.path.join(dirname,folder),os.W_OK):
for nm in filenames:
if str(nm).lower().endswith(".dll"):
list_dlls.append(os.path.join(dirname, nm))
else:
# Can't write to the folder = can't do anything
pass
return list_dlls
def get_partitions():
print "[+] The following partitions exists:"
drivebits=kernel32.GetLogicalDrives()
partition_list = list()
for drives in range(1,26):
mask=1 << drives
if drivebits & mask:
drive_letter='%c:\\' % chr(ord('A')+drives)
# need only network and fixed drives
if kernel32.GetDriveTypeA(drive_letter) == 3 or kernel32.GetDriveTypeA(drive_letter) == 4:
partition_list.append(drive_letter)
print "\t[+]Found static, readable drive: %s" % drive_letter
else:
pass
return partition_list
def find_all_dll():
list_dlls = []
partitions = get_partitions()
print "[+] Searching for elevation points"
for drive in partitions:
for dirname, dirnames, filenames in os.walk(drive):
for dirfolder in dirnames:
# we need to be able to write to the folder (inherited permissions)
if os.access(os.path.join(dirname,dirfolder),os.W_OK):
for nm in filenames:
if str(nm).lower().endswith(".dll"):
list_dlls.append(os.path.join(dirname, nm))
return list_dlls
def find_vulnerable_in_system(system_dll):
loc = []
for location in system_dll:
# The original author 'forgot' to mention that you can't write to program files or windows
# because its protected resource so only admin can append resources in there! DLL's outside of the 'protection' zone are free to be played with.
# Go and play with http://msdn.microsoft.com/en-us/library/bb762204%28VS.85%29.aspx and http://msdn.microsoft.com/en-us/library/bb762494%28v=vs.85%29.aspx
if not location.startswith(os.environ['ProgramFiles']):
if not location.startswith(os.environ['windir']):
loc.append(location)
return loc
def find_vulnerable(prod_list):
loc = []
for elems in prod_list.keys():
location = prod_list[elems].get('InstallLocation')
if location != None:
# The original author 'forgot' to mention that you can't write to program files or windows
# because its protected resource so only admin can append resources in there! DLL's outside of the 'protection' zone are free to be played with.
# Go and play with http://msdn.microsoft.com/en-us/library/bb762204%28VS.85%29.aspx and http://msdn.microsoft.com/en-us/library/bb762494%28v=vs.85%29.aspx
if not location.startswith(os.environ['ProgramFiles']):
if not location.startswith(os.environ['windir']):
loc.append(location)
else:
# This will have to be checked, not all installs give you the list of locations
pass
return find_dlls_in_folder(loc)
def main():
usage = """
This script will find all of the DLL libraries which can be exploited to
perform DLL code injection.
Reference: KB2269637
"""
parser = OptionParser(usage)
parser.add_option("-s","--scan",action="store_true", dest="scann_flag",default=False,
help="Scan the file system for DLL's instead of querying WMI")
(options, args) = parser.parse_args()
if options.scann_flag == True:
print "[+] Elevating first"
# This is probably not necessary
get_debug_privs()
print "[+] Finding details"
dll_list = find_all_dll()
print "[+] Finding Vulnerable DLL Load Software"
dll_list = find_vulnerable_in_system(dll_list)
if dll_list != None:
print "[+] List of vulnerable DLL's"
for dlls in dll_list:
if os.access(dlls,os.W_OK):
print "\t[+] " , dlls
else:
print "[+] Elevating first"
# This is probably not necessary
get_debug_privs()
print "[+] Getting Software List"
prod_list = get_win32_product() # Will have to rewrite this to be API-only based
print "[+] Finding Vulnerable DLL Load Software"
dll_list = find_vulnerable(prod_list)
if dll_list != None:
print "[+] List of vulnerable DLL's"
for dlls in dll_list:
if os.access(dlls,os.W_OK):
print "\t[+] " , dlls
else:
print "[+] No Vulnerable DDL's could be identified"
print "[+] Done"
if __name__ == '__main__':
main()
Port forwarding on Windows
Posted by on August 22, 2012
Sometimes almost a magical task but turns out that there is a way to easily forward the ports on windows by executing this command:
> netsh > interface portproxy add v4tov4 listenport=445 listenaddress=192.168.0.1 connectport=445 connectaddress=192.168.0.2
This will forward port 445 from 192.168.0.1 to 192.168.0.2 on windows.
As per Linux:
> iptables -A PREROUTING -t nat -i eth1 -p tcp --source 192.168.0.5 --dport 8080 -j DNAT --to 192.168.0.2:8080
If neither is accessible, then netcat can be used to send content of the stream to specific port:
nc -L -p 6555 | nc 192.168.0.2:8080
Universal Process Privilage Escalation
Posted by on January 29, 2012
By adjusting process token its possible to elevate your current process privileges to enable certain functionality not available otherwise.
Basically steps we follow are :
1) Get current process handle
2) Get current process token
3) Resolve SeDebugPrivilege value
4) Created new Token with the resolved value from step 3
5) Adjust the token of the current process with new privilege
6) Close process handle
Following code demonstrates the principle.
print "[+] Universal Process Escalation by Y"
print "[+] contact : If you know me then give me a shout"
from ctypes import windll
import ctypes
from ctypes import *
class TOKEN_PRIVS(ctypes.Structure):
_fields_ = (
("PrivilegeCount", ULONG),
("Privileges", ULONG * 3 )
)
def get_debug_privs():
# Adjust Current TOKEN
token = HANDLE()
print "\t[+] Getting Current Token"
flags = 40 # TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
windll.advapi32.OpenProcessToken(windll.kernel32.GetCurrentProcess(), 0x00000020, ctypes.byref(token))
print "\t[+] Calculating Local SeDebugPrivilege"
admin_priv_name = "SeDebugPrivilege" # we want this priv on the process
pBytesReturned = ctypes.c_ulong()
windll.advapi32.LookupPrivilegeValueA(None,admin_priv_name,ctypes.byref(pBytesReturned))
print "\t[+] Resolved SeDebugPrivilege as %d" % pBytesReturned.value
print "\t[+] Modifying TOKEN Structure to enable Debug"
privs = TOKEN_PRIVS()
privs.PrivilegeCount = 1
privs.Privileges = (pBytesReturned.value,0, 2)
print "\t[+] Adjusting Privileges of the current process"
windll.advapi32.AdjustTokenPrivileges(token, 0, ctypes.byref(privs),0,0,0)
print "\t[+] Closing current handle, almost done"
windll.kernel32.CloseHandle(token)
print "[+] Done, your process " , windll.kernel32.GetCurrentProcessId(), "has now admin privileges"
############ CURRENT TOKEN ADJUSTED ##################
get_debug_privs()
Privilage Escalation check on Drivers in Python
Posted by on January 27, 2012
This code will query the WMI service in order to retrieve information about current drivers, their status and access rights. As you might be aware if drivers are not locked down properly, it may be possible to create nice rootkit loaded by the kernel and execute any code you might find useful. Furthermore it can be possible to override driver with your custom made stuff to elevate privileges from there.
print "[+] List System driver and Check file access permissions "
print "[+] By Y "
print "[+] If you know me then give me a shout "
class driver():
def getSystemDrivers(self):
print "[+] Dumping System Drivers And Their Location"
# function reference : http://msdn.microsoft.com/en-us/library/windows/desktop/aa394472%28v=vs.85%29.aspx
strComputer = "."
WmiServiceConnector = win32com.client.Dispatch("WbemScripting.SWbemLocator")
objSWbemServices = WmiServiceConnector.ConnectServer(strComputer,"root\CIMV2")
listOfDrivers = objSWbemServices.ExecQuery("SELECT * FROM Win32_SystemDriver")
for objItem1 in listOfDrivers:
print "\t[+] Dumping info for driver : " , objItem1.PathName
if objItem1.PathName is not None:
print "\t\tDriver Path : " , objItem1.PathName
if objItem1.Description is not None:
print "\t\tDescription : " , objItem1.Description
if objItem1.InstallDate is not None:
print "\t\tInstallation Date : ", objItem1.InstallDate
if objItem1.ServiceType is not None:
print "\t\tService Type : ", objItem1.ServiceType
if objItem1.StartMode is not None:
print "\t\tStart Mode : ", objItem1.StartMode
if objItem1.DesktopInteract is not None:
print "\t\tDesktop Interaction : ", objItem1.DesktopInteract
if objItem1.Name is not None:
print "\t\tDriver Name : ", objItem1.Name
if objItem1.Started is not None:
print "\t\tDriver started :" , objItem1.Started
if objItem1.State is not None:
print "\t\tCurrent Driver State : ", objItem1.State
if objItem1.ErrorControl is not None:
print "\t\tErrorControl : ", objItem1.ErrorControl
fileChecks().checkPermission(objItem1.PathName)
fileChecks().getBasicInfo(objItem1.PathName)
class fileChecks():
def checkPermission(self,filePath):
# based on http://www.ibm.com/developerworks/aix/library/au-python/
mode=stat.S_IMODE(os.lstat(filePath)[stat.ST_MODE])
print "\t\t\t[+] Permissions for file ", filePath
for level in "USR", "GRP", "OTH":
for perm in "R", "W", "X":
if mode & getattr(stat,"S_I"+perm+level):
print "\t\t\t\t",level, " has ", perm, " permission"
else:
print "\t\t\t\t",level, " does NOT have ", perm, " permission"
def getBasicInfo(self,file_name):
time_format = "%m/%d/%Y %I:%M:%S %p"
file_stats = os.stat(file_name)
modification_time = time.strftime(time_format,time.localtime(file_stats[stat.ST_MTIME]))
access_time = time.strftime(time_format,time.localtime(file_stats[stat.ST_ATIME]))
creation_time = time.strftime(time_format,time.localtime(file_stats[stat.ST_CTIME]))
print "\t\t\t[+] Basic File Information "
print "\t\t\t\t Modification time: " , modification_time
print "\t\t\t\t Access time: " , access_time
print "\t\t\t\t Creation time: " , creation_time
print "\t\t\t\t Owner UID : ", file_stats[stat.ST_UID]
print "\t\t\t\t Owner GID : ", file_stats[stat.ST_GID]
drivers = driver()
drivers.getSystemDrivers()
______ Y ______ 