Scribd Logo
Unggah

Selamat datang di Scribd!

  • How To Bypass UAC Using DLL Hijacking Null Byte

    Diunggah oleh

    Mateus Pimentel
    188 tayangan5 halaman
    This is a description on how tricky windows to bypass UAC using the DLL Hijacking method to execute a payload with admnin priveleges of a legit windows program.

    Judul Asli

    How to Bypass UAC Using DLL Hijacking « Null Byte

    Hak Cipta

    © © All Rights Reserved

    Format Tersedia

    PDF, TXT atau baca online dari Scribd

    Apakah menurut Anda dokumen ini bermanfaat?

    Apakah konten ini tidak pantas?

    Laporkan Dokumen Ini
    This is a description on how tricky windows to bypass UAC using the DLL Hijacking method to execute a payload with admnin priveleges of a legit windows program.

    Hak Cipta:

    © All Rights Reserved
    Unduh sebagai PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    188 tayangan5 halaman

    How To Bypass UAC Using DLL Hijacking Null Byte

    Diunggah oleh

    Mateus Pimentel
    This is a description on how tricky windows to bypass UAC using the DLL Hijacking method to execute a payload with admnin priveleges of a legit windows program.

    Hak Cipta:

    © All Rights Reserved
    Unduh sebagai PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    dari 5

    03/04/2016

    HowtoBypassUACUsingDLLHijacking

    HowtoBypassUACUsingDLLHijacking

    ThistutorialwaswrittenwithWindows7inmind,buttheprincipleappliestoallversionsstartingfrom
    7.

    UserAccountControl(UAC)
    ProcessesinWindowsrunatdifferentlevelsofintegrity,representingthedifferentamountsof"trust"
    theyhavetointeractwiththecomputer.Thelevelsareasfollows:
    1.SystemSystemlevelofintegrity
    2.AdministratorHighlevel
    3.AuthenticatedUserMediumlevel
    4.EveryoneLowlevel
    5.AnonymousUntrusted
    IfUserAccountControlisenabled,programsrunatmedium(Orlower)integrity,eveniftheuser
    startingthemhasAdministratorrights.Thislimitsdamagemalwarecandotothecomputer,asitcan
    onlyinteractwithuserfiles.Whenaprogramneedstorunonahigherintegritylevel,ithastoprompt
    theusertogiveitadminrights.
    UAChas4differentlevels:
    Alwaysnotify:Userisnotifiedanytimeanythingneedselevatedprivileges.
    Notifymeonlywhenprogramstrytomakechangestomycomputer:Userispromptedwhena
    programneedselevatedprivileges
    Notifymeonlywhenprogramstrytomakechangestomycomputer(Don'tdimthedesktop):
    Doesn'tdimthedesktopwhenshowingaprompt.Lesssecurethanabovelevel.
    http://nullbyte.wonderhowto.com/howto/bypassuacusingdllhijacking0168600/

    1/5

    03/04/2016

    HowtoBypassUACUsingDLLHijacking

    Nevernotify:Userisnevernotifiedaboutchangestothecomputer.

    Ifauserisanadministrator,theycanpress"Yes"togivetheaskingprocesshigherintegrity,or,if
    theyarenotanadmin,theyhavetotypeintheadministratorpassword.
    Ourgoalhereistogetaprocesstostartwithhighintegritywithoutinteractingwiththeuser.This
    techniquewillworkonlyiftheyareanadministrator,andUACisnotat"Alwaysnotify"level.

    DLLHijacking
    DLLhijackingisatechniqueusedtoforceprogramstoloadmaliciousDLLs.Aprogramnormally
    shouldsearchforDLLslikethis:
    0.1IfDLLisalreadyloaded,useit.
    0.2IfDLLisonthelistofknownDLLs,storedinregistry,loaditfromthepathonthelist.
    1.Hardcodedpath
    2.Systemdirectory
    3.16bitsystemdirectory
    4.Windowsdirectory
    5.Currentdirectory
    6.PATHenvironmentvariable
    However,someprogramslookintothecurrentdirectoryfirst,allowingustohijackthesearchand
    makeitloadourDLL.

    AutoElevation
    Foraprogramtobeabletoelevatewithoutuserconsentithasto:
    BesignedwithacertificatefromMicrosoft.
    Beinasecuredirectory.
    http://nullbyte.wonderhowto.com/howto/bypassuacusingdllhijacking0168600/

    2/5

    03/04/2016

    HowtoBypassUACUsingDLLHijacking

    Havethe"AutoElevate"propertyinit'smanifest.
    Aprogramwhichmeetsthoseconditionscanelevatewithoutapromptonthedefaultsettings.

    BypassingUAC
    Torecap,thesearetheconditionsthatallowbypassingUAC:
    ExecutablemustbevulnerabletoDLLhijacking.
    Executablemusthavetheabilitytoautoelevate.
    Wehavetoberunningamediumintegrityprocess.
    Usermustbeintheadministratorsgroup.
    UACsettingsmustbeleftondefaultvalues,orlower.
    Ifallofthesearefulfilled,theprocessofbypassingUACisasfollows:
    1.CopyourmaliciousDLLtoavulnerableprogram'sdirectory.
    2.Executetheprogram,soitloadsourmaliciousDLL.
    Thefirststepmightseemimpossible,seeingasweneedtohaveadminprivilegestocopyfilesto
    protectedlocations,suchasC:\Windows\System32.Butquiteconveniently,wecanusetheWindows
    UpdateStandaloneInstaller(wusa.exe)tounpackcabinetfilesintosecuredirectories.Thatis
    possiblebecausewusacanelevatetoadministratorwithoutpromptingtheuser.
    TheprogramwewillbeexploitingiscalledMcx2Prov.exe.ItislocatedinC:\Windows\ehome,andthe
    maliciouslibraryneedstobecalledcryptbase.dll.

    StepstoBypassUAC:
    1.CreateourmaliciousDLL.Wecanwriteoneourselves,orusemsfvenom.TheDLLIamgoingto
    loadwillopenCommandPrompt.(MakesuretheDLLhasthecorrectbitness,andusex64
    versionsofpayloadsifneeded.Usethecommand"systeminfo"toseesystembitness.)
    Syntax:msfvenomp<payload>fdllocryptbase.dll<payloadoptions>

    1.TurnourDLLintoacabinetfile.Thereisatoolonwindowscalledmakecabwhichwillcreatethe
    fileforus.
    Syntax:makecab<inputfile><outputfile>
    http://nullbyte.wonderhowto.com/howto/bypassuacusingdllhijacking0168600/

    3/5

    03/04/2016

    HowtoBypassUACUsingDLLHijacking

    1.Unpackthecabinetusingwusa:
    Syntax:wusa<inputfile>/extract:C:\Windows\ehome\
    Becarefultousetheabsolutepathtothecabinetfile.Youwon'tgetanerrorifextractingfails,so
    doublecheckeverythingworkedcorrectly.

    1.RunMcx2Prov.exe:

    Pwned!Thereisanotherwaytocopyfiles,usingcodeinjection,andvulnerableexecutablesvaryby
    http://nullbyte.wonderhowto.com/howto/bypassuacusingdllhijacking0168600/

    4/5

    03/04/2016

    HowtoBypassUACUsingDLLHijacking

    Windowsversion.Nevertheless,thisexploitisquitereliableandeasytoexecute.

    AdditionalInfo:
    Hereareexploitableprogramsavailable:
    OnWindows7:
    C:\windows\ehome\Mcx2Prov.exe
    CRYPTBASE.dll

    http://nullbyte.wonderhowto.com/howto/bypassuacusingdllhijacking0168600/

    5/5

    Anda mungkin juga menyukai