timwhitez starred DCOMPotato
2022-12-8 23:6:47 Author: github.com(查看原文) 阅读量:32 收藏

writeup

DCOM use RPC_C_IMP_LEVEL_IDENTIFY as default impersonation level, for the default out-bound IUnknown call, see https://learn.microsoft.com/en-us/windows/win32/com/com-security-defaults. Of course, COM Server can override by call CoInitializeSecurity explicitly.

We known most windows service register their DCOM Server to provide features, Shared Process Service was hosted by svchost, read the default impersonation level from registry.

If we pass a malicious IUnknown object as parameter at some DCOM call, service process will call IRemUnknown::RemQueryInterface/RemRelease/RemAddref on the ProxyObject, now we can got a SecurityImpersonation token by CoImpersonateClient because we are DCOM Server at this time.

Follow was the explicit setting ImpersonationLevel as RPC_C_IMP_LEVEL_IMPERSONATE in default installation:

#after 12r2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\[email protected]

#2022 only
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\[email protected]

The services are PrinterNotify and McpManagementService, running as SYSTEM.

build

Note this code was supports x64 and NetFX 4.x only, but you can do a little change for FX2.0/x86 compatibility(IUnknown vtbl hook, see McpManagementPotato).

csc /unsafe PrinterNotifyPotato.cs
csc /unsafe McpManagementPotato.cs

usage

McpManagementPotato/PrinterNotifyPotato <command>

Thanks for UnmarshalPwn!

(and love my cat, Vanilla, can someone make it nekogirl?)


文章来源: https://github.com/zcgonvh/DCOMPotato
如有侵权请联系:admin#unsafe.sh