COM组件相关的武器化开发技术
由于网上关于直接调用windows内建com组件的编程技术比较稀少(至少我找了几天没找到),该文会简要介绍如何通过已知clsid在自定可执行文件中调用windows com接口,实现部分武器化技术。
文旨在简单介绍调用windows本身com组件的相关编程技术,由于本人非职业开发,理解可能存在一定偏差,如发现有明显错误,请务必直接联系本人(防止误人子弟略略略略略)。
阅读本文的朋友很大概率经常使用诸如atexec、wmiexec之类的横向移动工具,该类技术其实质也是对dcom(分布式com)组件的调用。
com本身是一种开发理念,旨在跨应用和语言共享二进制代码,其理念类似dll,但dll仅能被C/C++理解或遵循C调用规范的语言使用,com通过指明二进制模块必须编译成约定的结构解决了这个问题,其实现方式与c++的类相似,所以通常使用c++来实现一个com组件。
就windows中实现来看,com组件本身仍旧是标准的pe结构(dll/exe),只不过其内部包含了coclass,以及在注册表中注册了相关键值,以便我们找到并使用它。
通常windows内建com已经在注册表内存储着相关信息,而自定义com需要创建注册表入口点告诉windows com组件服务器在上面位置,这个过程称之为注册(Registration),我们可以在HKEY_CLASSES_ROOT\CLSID\{clsid}位置找到所有windows已注册的com组件。
注册后com通过GUID(globally unique identifier)唯一标识符来寻找并使用这个com组件,理论上每一个GUID(有时也称UUID)都是唯一的,GUID在标识不同的对象时会有不同的称呼,标识类对象时称之为CLSID(类标识符)、标识接口时被称为IID(接口标识符)。
在每一个注册的clsid表项中都包含一个名为InprocServer32的子项,该子项内存有映射到该com二进制文件的键值对,操作系统通过该键值对将com组件载入进程或另起进程。(进程内组件和进程外组件,二进制代码的表现形式为dll(内)和exe(外))。
我们可以通过以下powershell代码遍历所有com组件和它导出的方法。
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCRGet-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > clsids.txt$Position = 1$Filename = "win10-clsid-members.txt"$inputFilename = "clsids.txt"ForEach($CLSID in Get-Content $inputFilename) {Write-Output "$($Position) - $($CLSID)"Write-Output "------------------------" | Out-File $Filename -AppendWrite-Output $($CLSID) | Out-File $Filename -Append$handle = [activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))$handle | Get-Member | Out-File $Filename -Append$Position += 1}
通常对com组件的利用很多文章都直接使用powershell代码调用接口,代码如下:
$handle = [activator]::CreateInstance([type]::GetTypeFromCLSID("xxx"))$handle.shellxec('cmd.exe /c')
在这里我会介绍一种通过c++调用的方法,在介绍之前,先看一个简单的powershell案例,Charles Hamilton发现prchauto.dll拥有一个ProcessChain的类,该类公开的start方法和commdline属性。
接下来我们通过部分工具将这个简单案例使用c艹实现,我们先使用oleview打开这个com组件的实现文件。
可以看到processchain类导出了一个名为iprocesschain的接口,我们使用这个工具将这个类导出为IDL文件,然后使用MIDL工具将这个IDL文件转换成我们需要的C++的头文件,这个文件会定义这个类和接口的使用方法。
使用MIDL,生成的processchain.h就是我们需要的。
部分代码:
EXTERN_C const IID IID_IProcessChain;#if defined(__cplusplus) && !defined(CINTERFACE)MIDL_INTERFACE("79ED9CB4-3A01-4ABA-AD3C-A985EE298B20")IProcessChain : public IDispatch{public:virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_ExecutablePath(/* [retval][out] */ BSTR *ExecutablePath) = 0;virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_ExecutablePath(/* [in] */ BSTR ExecutablePath) = 0;virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_CommandLine(/* [retval][out] */ BSTR *CommandLine) = 0;virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_CommandLine(/* [in] */ BSTR CommandLine) = 0;virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_NonBlocking(/* [retval][out] */ VARIANT_BOOL *NonBlocking) = 0;virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_NonBlocking(/* [in] */ VARIANT_BOOL NonBlocking) = 0;virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_TimeoutPeriod(/* [retval][out] */ long *TimeoutPeriod) = 0;virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_TimeoutPeriod(/* [in] */ long TimeoutPeriod) = 0;virtual /* [id] */ HRESULT STDMETHODCALLTYPE Start(/* [out] */ VARIANT_BOOL *TimerFired) = 0;virtual /* [id] */ HRESULT STDMETHODCALLTYPE CancelWait( void) = 0;virtual /* [id] */ HRESULT STDMETHODCALLTYPE Terminate( void) = 0;};
接下来就是简单的编程实现了,如果我们能找到一个支持提权且能执行命令的com组件,那我们就又获得了一个新的bypassuac的方法。
先贴实现效果:
/* this ALWAYS GENERATED file contains the definitions for the interfaces *//* File created by MIDL compiler version 8.01.0622 *//* at Tue Jan 19 11:14:07 2038*//* Compiler settings for .\prchauto.IDL:Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0622protocol : dce , ms_ext, c_ext, robusterror checks: allocation ref bounds_check enum stub_dataVC __declspec() decoration level:__declspec(uuid()), __declspec(selectany), __declspec(novtable)DECLSPEC_UUID(), MIDL_INTERFACE()*//* @@MIDL_FILE_HEADING( ) *#pragma warning( disable: 4049 ) /* more than 64k source lines *//* verify that the <rpcndr.h> version is high enough to compile this file*/#ifndef __REQUIRED_RPCNDR_H_VERSION__#define __REQUIRED_RPCNDR_H_VERSION__ 475#endif#include "rpc.h"#include "rpcndr.h"#ifndef __RPCNDR_H_VERSION__#error this stub requires an updated version of <rpcndr.h>#endif /* __RPCNDR_H_VERSION__ */#ifndef __processchain_h__#define __processchain_h__#if defined(_MSC_VER) && (_MSC_VER >= 1020)#pragma once#endif/* Forward Declarations */#ifndef ___IProcessChainEvents_FWD_DEFINED__#define ___IProcessChainEvents_FWD_DEFINED__typedef interface _IProcessChainEvents _IProcessChainEvents;#endif /* ___IProcessChainEvents_FWD_DEFINED__ */#ifndef __IProcessChain_FWD_DEFINED__#define __IProcessChain_FWD_DEFINED__typedef interface IProcessChain IProcessChain;#endif /* __IProcessChain_FWD_DEFINED__ */#ifndef __ProcessChain_FWD_DEFINED__#define __ProcessChain_FWD_DEFINED__#ifdef __cplusplustypedef class ProcessChain ProcessChain;#elsetypedef struct ProcessChain ProcessChain;#endif /* __cplusplus */#endif /* __ProcessChain_FWD_DEFINED__ */#ifdef __cplusplusextern "C"{#endif#ifndef __ProcessChainLib_LIBRARY_DEFINED__#define __ProcessChainLib_LIBRARY_DEFINED__/* library ProcessChainLib *//* [version][uuid] */EXTERN_C const IID LIBID_ProcessChainLib;#ifndef ___IProcessChainEvents_DISPINTERFACE_DEFINED__#define ___IProcessChainEvents_DISPINTERFACE_DEFINED__/* dispinterface _IProcessChainEvents *//* [uuid] */EXTERN_C const IID DIID__IProcessChainEvents;#if defined(__cplusplus) && !defined(CINTERFACE)MIDL_INTERFACE("85C4AF17-4C7A-4EF0-9BE7-39B06351AFA6")_IProcessChainEvents : public IDispatch{};#else /* C style interface */typedef struct _IProcessChainEventsVtbl{BEGIN_INTERFACEHRESULT ( STDMETHODCALLTYPE *QueryInterface )(_IProcessChainEvents * This,/* [in] */ REFIID riid,/* [annotation][iid_is][out] */_COM_Outptr_ void **ppvObject);ULONG ( STDMETHODCALLTYPE *AddRef )(_IProcessChainEvents * This);ULONG ( STDMETHODCALLTYPE *Release )(_IProcessChainEvents * This);HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(_IProcessChainEvents * This,/* [out] */ UINT *pctinfo);HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(_IProcessChainEvents * This,/* [in] */ UINT iTInfo,/* [in] */ LCID lcid,/* [out] */ ITypeInfo **ppTInfo);HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(_IProcessChainEvents * This,/* [in] */ REFIID riid,/* [size_is][in] */ LPOLESTR *rgszNames,/* [range][in] */ UINT cNames,/* [in] */ LCID lcid,/* [size_is][out] */ DISPID *rgDispId);/* [local] */ HRESULT ( STDMETHODCALLTYPE *Invoke )(_IProcessChainEvents * This,/* [annotation][in] */_In_ DISPID dispIdMember,/* [annotation][in] */_In_ REFIID riid,/* [annotation][in] */_In_ LCID lcid,/* [annotation][in] */_In_ WORD wFlags,/* [annotation][out][in] */_In_ DISPPARAMS *pDispParams,/* [annotation][out] */_Out_opt_ VARIANT *pVarResult,/* [annotation][out] */_Out_opt_ EXCEPINFO *pExcepInfo,/* [annotation][out] */_Out_opt_ UINT *puArgErr);END_INTERFACE} _IProcessChainEventsVtbl;interface _IProcessChainEvents{CONST_VTBL struct _IProcessChainEventsVtbl *lpVtbl;};#ifdef COBJMACROS#define _IProcessChainEvents_QueryInterface(This,riid,ppvObject) \( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) )#define _IProcessChainEvents_AddRef(This) \( (This)->lpVtbl -> AddRef(This) )#define _IProcessChainEvents_Release(This) \( (This)->lpVtbl -> Release(This) )#define _IProcessChainEvents_GetTypeInfoCount(This,pctinfo) \( (This)->lpVtbl -> GetTypeInfoCount(This,pctinfo) )#define _IProcessChainEvents_GetTypeInfo(This,iTInfo,lcid,ppTInfo) \( (This)->lpVtbl -> GetTypeInfo(This,iTInfo,lcid,ppTInfo) )#define _IProcessChainEvents_GetIDsOfNames(This,riid,rgszNames,cNames,lcid,rgDispId) \( (This)->lpVtbl -> GetIDsOfNames(This,riid,rgszNames,cNames,lcid,rgDispId) )#define _IProcessChainEvents_Invoke(This,dispIdMember,riid,lcid,wFlags,pDispParams,pVarResult,pExcepInfo,puArgErr) \( (This)->lpVtbl -> Invoke(This,dispIdMember,riid,lcid,wFlags,pDispParams,pVarResult,pExcepInfo,puArgErr) )#endif /* COBJMACROS */#endif /* C style interface */#endif /* ___IProcessChainEvents_DISPINTERFACE_DEFINED__ */#ifndef __IProcessChain_INTERFACE_DEFINED__#define __IProcessChain_INTERFACE_DEFINED__/* interface IProcessChain *//* [object][oleautomation][nonextensible][dual][uuid] */EXTERN_C const IID IID_IProcessChain;#if defined(__cplusplus) && !defined(CINTERFACE)MIDL_INTERFACE("79ED9CB4-3A01-4ABA-AD3C-A985EE298B20")IProcessChain : public IDispatch{public:virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_ExecutablePath(/* [retval][out] */ BSTR *ExecutablePath) = 0;virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_ExecutablePath(/* [in] */ BSTR ExecutablePath) = 0;virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_CommandLine(/* [retval][out] */ BSTR *CommandLine) = 0;virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_CommandLine(/* [in] */ BSTR CommandLine) = 0;virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_NonBlocking(/* [retval][out] */ VARIANT_BOOL *NonBlocking) = 0;virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_NonBlocking(/* [in] */ VARIANT_BOOL NonBlocking) = 0;virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_TimeoutPeriod(/* [retval][out] */ long *TimeoutPeriod) = 0;virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_TimeoutPeriod(/* [in] */ long TimeoutPeriod) = 0;virtual /* [id] */ HRESULT STDMETHODCALLTYPE Start(/* [out] */ VARIANT_BOOL *TimerFired) = 0;virtual /* [id] */ HRESULT STDMETHODCALLTYPE CancelWait( void) = 0;virtual /* [id] */ HRESULT STDMETHODCALLTYPE Terminate( void) = 0;};#else /* C style interface */typedef struct IProcessChainVtbl{BEGIN_INTERFACEHRESULT ( STDMETHODCALLTYPE *QueryInterface )(IProcessChain * This,/* [in] */ REFIID riid,/* [annotation][iid_is][out] */_COM_Outptr_ void **ppvObject);ULONG ( STDMETHODCALLTYPE *AddRef )(IProcessChain * This);ULONG ( STDMETHODCALLTYPE *Release )(IProcessChain * This);HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(IProcessChain * This,/* [out] */ UINT *pctinfo);HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(IProcessChain * This,/* [in] */ UINT iTInfo,/* [in] */ LCID lcid,/* [out] */ ITypeInfo **ppTInfo);HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(IProcessChain * This,/* [in] */ REFIID riid,/* [size_is][in] */ LPOLESTR *rgszNames,/* [range][in] */ UINT cNames,/* [in] */ LCID lcid,/* [size_is][out] */ DISPID *rgDispId);/* [local] */ HRESULT ( STDMETHODCALLTYPE *Invoke )(IProcessChain * This,/* [annotation][in] */_In_ DISPID dispIdMember,/* [annotation][in] */_In_ REFIID riid,/* [annotation][in] */_In_ LCID lcid,/* [annotation][in] */_In_ WORD wFlags,/* [annotation][out][in] */_In_ DISPPARAMS *pDispParams,/* [annotation][out] */_Out_opt_ VARIANT *pVarResult,/* [annotation][out] */_Out_opt_ EXCEPINFO *pExcepInfo,/* [annotation][out] */_Out_opt_ UINT *puArgErr);/* [propget][id] */ HRESULT ( STDMETHODCALLTYPE *get_ExecutablePath )(IProcessChain * This,/* [retval][out] */ BSTR *ExecutablePath);/* [propput][id] */ HRESULT ( STDMETHODCALLTYPE *put_ExecutablePath )(IProcessChain * This,/* [in] */ BSTR ExecutablePath);/* [propget][id] */ HRESULT ( STDMETHODCALLTYPE *get_CommandLine )(IProcessChain * This,/* [retval][out] */ BSTR *CommandLine);/* [propput][id] */ HRESULT ( STDMETHODCALLTYPE *put_CommandLine )(IProcessChain * This,/* [in] */ BSTR CommandLine);/* [propget][id] */ HRESULT ( STDMETHODCALLTYPE *get_NonBlocking )(IProcessChain * This,/* [retval][out] */ VARIANT_BOOL *NonBlocking);/* [propput][id] */ HRESULT ( STDMETHODCALLTYPE *put_NonBlocking )(IProcessChain * This,/* [in] */ VARIANT_BOOL NonBlocking);/* [propget][id] */ HRESULT ( STDMETHODCALLTYPE *get_TimeoutPeriod )(IProcessChain * This,/* [retval][out] */ long *TimeoutPeriod);/* [propput][id] */ HRESULT ( STDMETHODCALLTYPE *put_TimeoutPeriod )(IProcessChain * This,/* [in] */ long TimeoutPeriod);/* [id] */ HRESULT ( STDMETHODCALLTYPE *Start )(IProcessChain * This,/* [out] */ VARIANT_BOOL *TimerFired);/* [id] */ HRESULT ( STDMETHODCALLTYPE *CancelWait )(IProcessChain * This);/* [id] */ HRESULT ( STDMETHODCALLTYPE *Terminate )(IProcessChain * This);END_INTERFACE} IProcessChainVtbl;interface IProcessChain{CONST_VTBL struct IProcessChainVtbl *lpVtbl;};#ifdef COBJMACROS#define IProcessChain_QueryInterface(This,riid,ppvObject) \( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) )#define IProcessChain_AddRef(This) \( (This)->lpVtbl -> AddRef(This) )#define IProcessChain_Release(This) \( (This)->lpVtbl -> Release(This) )#define IProcessChain_GetTypeInfoCount(This,pctinfo) \( (This)->lpVtbl -> GetTypeInfoCount(This,pctinfo) )#define IProcessChain_GetTypeInfo(This,iTInfo,lcid,ppTInfo) \( (This)->lpVtbl -> GetTypeInfo(This,iTInfo,lcid,ppTInfo) )#define IProcessChain_GetIDsOfNames(This,riid,rgszNames,cNames,lcid,rgDispId) \( (This)->lpVtbl -> GetIDsOfNames(This,riid,rgszNames,cNames,lcid,rgDispId) )#define IProcessChain_Invoke(This,dispIdMember,riid,lcid,wFlags,pDispParams,pVarResult,pExcepInfo,puArgErr) \( (This)->lpVtbl -> Invoke(This,dispIdMember,riid,lcid,wFlags,pDispParams,pVarResult,pExcepInfo,puArgErr) )#define IProcessChain_get_ExecutablePath(This,ExecutablePath) \( (This)->lpVtbl -> get_ExecutablePath(This,ExecutablePath) )#define IProcessChain_put_ExecutablePath(This,ExecutablePath) \( (This)->lpVtbl -> put_ExecutablePath(This,ExecutablePath) )#define IProcessChain_get_CommandLine(This,CommandLine) \( (This)->lpVtbl -> get_CommandLine(This,CommandLine) )#define IProcessChain_put_CommandLine(This,CommandLine) \( (This)->lpVtbl -> put_CommandLine(This,CommandLine) )#define IProcessChain_get_NonBlocking(This,NonBlocking) \( (This)->lpVtbl -> get_NonBlocking(This,NonBlocking) )#define IProcessChain_put_NonBlocking(This,NonBlocking) \( (This)->lpVtbl -> put_NonBlocking(This,NonBlocking) )#define IProcessChain_get_TimeoutPeriod(This,TimeoutPeriod) \( (This)->lpVtbl -> get_TimeoutPeriod(This,TimeoutPeriod) )#define IProcessChain_put_TimeoutPeriod(This,TimeoutPeriod) \( (This)->lpVtbl -> put_TimeoutPeriod(This,TimeoutPeriod) )#define IProcessChain_Start(This,TimerFired) \( (This)->lpVtbl -> Start(This,TimerFired) )#define IProcessChain_CancelWait(This) \( (This)->lpVtbl -> CancelWait(This) )#define IProcessChain_Terminate(This) \( (This)->lpVtbl -> Terminate(This) )#endif /* COBJMACROS */#endif /* C style interface */#endif /* __IProcessChain_INTERFACE_DEFINED__ */EXTERN_C const CLSID CLSID_ProcessChain;#ifdef __cplusplusclass DECLSPEC_UUID("E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E")ProcessChain;#endif#endif /* __ProcessChainLib_LIBRARY_DEFINED__ *//* Additional Prototypes for ALL interfaces *//* end of Additional Prototypes */#ifdef __cplusplus}#endif#endif
#include <Windows.h>#include "processchain.h"#include <objbase.h>#include <stdio.h>#include <strsafe.h>//定义com组件使用的bool值,其实质是一个二short类型。typedef short VARIANT_BOOL;#define VARIANT_TRUE ((VARIANT_BOOL)-1)#define VARIANT_FALSE ((VARIANT_BOOL)0)#define CLSID_ProcessChain L"{E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E}"#define IID_IProcessChain L"{79ED9CB4-3A01-4ABA-AD3C-A985EE298B20}"int main(int argc, TCHAR* argv[]){HRESULT hr = 0;CLSID clsidIProcessChain = { 0 };IID iidIProcessChain = { 0 };IProcessChain* ProcessChain = NULL;BOOL bRet = FALSE;CoInitialize(NULL);//初始化com环境CLSIDFromString(CLSID_ProcessChain, &clsidIProcessChain);IIDFromString(IID_IProcessChain, &iidIProcessChain);//创建接口hr = CoCreateInstance(clsidIProcessChain, NULL, CLSCTX_INPROC_SERVER, iidIProcessChain, (LPVOID*)&ProcessChain);TCHAR cmd[] = L"C:\\WINDOWS\\system32\\calc.exe";VARIANT_BOOL b= VARIANT_TRUE;//设置参数ProcessChain->put_CommandLine((BSTR)cmd);//调用方法hr = ProcessChain->Start(&b);//释放CoUninitialize();return 0;}
https://dl.packetstormsecurity.net/papers/general/abusing-objects.pdf
最近更新 10 months ago