Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details

All Projects → nccgroup → Accomplice

nccgroup / Accomplice

Licence: other

Tools for discovery and abuse of COM hijacks

Programming Languages

powershell

5483 projects

acCOMplice

Your COM hijacking accomplice

Author: David Tulis (@kafkaesqu3)

Overview

This repository contains code samples and proofs-of-concept for exploring COM hijacking. COM hijacking is a Windows post exploitation technique, which can be used for persistence or defense evasion.

For more information on the COM interface, how to find hijacks, and techniques for abusing a hijack, please refer to the presentation given at Derbycon 9, COM Hijacking Techniques.

Slides: https://www.slideshare.net/DavidTulis1/com-hijacking-techniques-derbycon-2019
Presentation: https://www.youtube.com/watch?v=pH14BvUiTLY

Project

COMHijackToolkit: Powershell script containing helper scripts for dealing with COM hijacks. Quick highlights:
- Extract-HijackableKeysFromProcmonCSV: parses a Procmon CSV export for hijackable objects
- Hijack-CLSID: Hijacks a CLSID with a given DLL
- Hijack-MultipleKeys: Hijacks multiple CLSDs concurrently with a given DLL. This is useful for finding CLSIDs which are activated often
InjectionTemplates: 3 templates demoed at Derbycon presentation
- Create a new process with CreateProcess
- Inject into an existing process with CreateRemoteThread
- Measure thread lifetimes in current process using CreateThread
COMinject: Proof of concept demonstrating how COM hijacks can be used to accomplish process injections/migrations
masterkeys.csv: Some keys for you to play with
procmon-filters: Filters for Procmon to aid in hijack identification and exploitation

Examples

COMHijackToolkit

Powershell script containing helper scripts for dealing with COM hijacks. Highlights:

Show all COM object CLSIDs and the location of the implementation on disk

$keys = Get-CLSIDRegistryKeys -RegHive HKCR
$results = $keys | % {$guid = Extract-GUIDFromText $_; Map-GUIDToDLL -guid $guid 2> $null }

Conduct a survey of CLSIDs on a system

$HKCR_keys = Get-CLSIDRegistryKeys -RegHive HKCR
$HKCR_keys | where-object {$_ -like "*inprocserver"} | Measure-Object
$HKCR_keys | where-object {$_ -like "*inprocserver32"} | Measure-Object
$HKCR_keys | where-object {$_ -like "*localserver"} | Measure-Object
$HKCR_keys | where-object {$_ -like "*localserver32"} | Measure-Object

$HKLM_keys = Get-CLSIDRegistryKeys -RegHive HKLM
$HKLM_keys | Measure-Object
$HKCU_keys = Get-CLSIDRegistryKeys -RegHive HKCU
$HKCU_keys | Measure-Object

explorer:{69486DD6-C19F-42e8-B508-A53F9F8E67B8}
explorer:{9E175B6D-F52A-11D8-B9A5-505054503030}
explorer:{30CC9D06-7E62-4966-9777-BC3442E788BD}
explorer:{3eef301f-b596-4c0b-bd92-013beafce793}
explorer:{682159d9-c321-47ca-b3f1-30e36b2ec8b9}
explorer:{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
explorer:{9aa46009-3ce0-458a-a354-715610a075e6}
explorer:{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
explorer:{AC36A05C-FB95-4C7A-868C-A43CC8D2D926}
explorer:{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
explorer:{c2f03a33-21f5-47fa-b4bb-156362a2f239}

Find CLSIDs referencing a DLL which does not exist on the system:

Find-MissingLibraries

InjectionTemplates

3 proof-of-concept templates for COM hijack abuse, as demonstrated in the Derbycon 9 presentation:

HijackDLL-Process: Create a new process when DLL is loaded
HijackDLL-CreateRemoteThread: Perform thread injection technique using CreateRemoteThread API call when DLL is loaded
HijackDLL-Threads: Useful for measuring lifetime of a threads started in the DLL after a hijack

COMinject

Proof of concept to show how COM hijacking can be used for process injections:

COMInjectDotNet: Proof of concept client which will inject a DLL into a supported process via COM hijack
COMInjectTarget: The target library to inject into a process

The first step is to perform the hijack:

COMInjectDotNet.exe chrome.exe C:\COM\COMInjectTarget.dll

The hijack won't trigger immediately, and may require the application to be started (if not currently running), or some basic application actions. There are probably some better CLSIDs that trigger more often, but these are good enough.

The COMInjectTarget.dll will log its progress to a log file in C:\COM. This appears more stable than using something like AllocConsole from within another process and just printing to the console.

The following shows the injected DLL running from within the main chrome.exe process:

[*] chrome pid=9104 ppid=4900 (count 0)
[*] chrome pid=9104 ppid=4900 (count 1)
[*] chrome pid=9104 ppid=4900 (count 2)
[*] chrome pid=9104 ppid=4900 (count 3)
[*] chrome pid=9104 ppid=4900 (count 4)
[*] chrome pid=9104 ppid=4900 (count 5)

The currently supported processes are:

explorer (default)
chrome
excel
word
outlook

References and credits

To learn more about COM and COM hijacks:

Leo Loobeek (@leoloobeek):
- COMProxy, which I borrowed code heavily from
- Proxying COM For Stable Hijacks
Matt Nelson (@enigma0x3):
- Userland Persistence with Scheduled Tasks and COM Handler Hijacking
The @bohops series on COM hijacks:
- Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32
- Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques
James Forshaw (@tiraniddo):
Casey Smith (@subtee) + @enimga0x3:
- Windows Operating System Archaeology (slides, code)

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Stars: ✭ 190

Visit Git Page 🔗Visit User Page 🔗Visit Issues Page (0) 🔗