With this tool, you will be able to detect:

- Incorrect access control to a COM object (LaunchPermission, AccessPermission) - LPE through abusable COM methods, DCOM Authentication relaying. That's `PermissionHunter`.
- Incorrect registry rights to a COM object - LPE through COM Hijacking. That's `ComDiver`.
- Find new Elevation Moniker - UAC Bypass. That's `MonikerHound`.
- Get detailed information about a specific CLSID - Inspect COM object to find abusable COM Methods. That's `ClsidExplorer`.
- Check Cross-Session Activation on behalf of a low-privileged user - Attempting to instantiate an object in someone else's session for LPE. That's `ComTraveller`.
If we had published this tool a couple of months ago (e.g. in spring 2024), you could have discovered CVE-2024-38100 (FakePotato) and CVE-2024-38061 (SilverPotato).
Start using this tool and you can find more ways to elevate privilege on Windows systems. It's like an automated OleViewDotnet :)
PermissionHunter is a tool that allows you to examine LaunchPermission and ActivatePermission on all COM objects on the system.
```
PS A:\mzhmo> .\PermissionHunter.exe -h

PermissionHunter - hunt for incorrect LaunchPermission and ActivatePermission
CICADA8 Research Team
From Michael Zhmaylo (MzHmO)

PermissionHunter.exe
Small tool that allows you to find vulnerable COM objects with incorrect LaunchPermission and ActivatePermission
[OPTIONS]
-outfile : output filename
-outformat : output format. Accepted 'csv' and 'xlsx'
-h/--help : shows this windows
```
There are only two arguments here:

- `-outfile` - name of the file with the rights report;
- `-outformat` - format of the report file, either csv or xlsx. csv is the safer choice: the xlsx output cannot be produced on a machine without Excel.
Example:

```
PS A:\mzhmo> .\PermissionHunter -outfile result -outformat xlsx

PermissionHunter - hunt for incorrect LaunchPermission and ActivatePermission
CICADA8 Research Team
From Michael Zhmaylo (MzHmO)

[+] Result will be in result, format xlsx
[+] Success
```
After that you will get a file `result.xlsx`, which lists all rights to existing COM objects. I output the following columns:

- `ApplicationID` - ApplicationID of a specific COM object. Ex: `{69AD4AEE-51BE-439b-A92C-86AE490E8B30}`;
- `ApplicationName` - ApplicationName of a specific COM object. Ex: `Background Intelligent Transfer Service`;
- `RunAs` - RunAs registry key of a COM object. Ex: `Interactive User`;
- `LaunchAccess`, `LaunchType`, `LaunchPrincipal`, `LaunchSid` - LaunchPermission registry key. LaunchPrincipal specifies the user who has LaunchAccess rights to the COM object. LaunchType - type of ACE: allow or deny. LaunchSid - SID of LaunchPrincipal. Ex: `LocalLaunch. RemoteLaunch. LocalActivation. RemoteActivation AccessAllowed NT AUTHORITY\SYSTEM S-1-5-18`. This means that SYSTEM has LocalLaunch, RemoteLaunch, LocalActivation and RemoteActivation permissions on this COM object;
- `AccessAccess`, `AccessType`, `AccessPrincipal`, `AccessSID` - fields with the same meaning as the LaunchPermission ones, only in the context of AccessPermission;
- `AuthLevel`, `ImpLevel` - Authentication Level and Impersonation Level. By default they are set to `RPC_C_AUTHN_LEVEL_CONNECT` and `RPC_C_IMP_LEVEL_IDENTIFY`;
- `CLSIDs` - COM object CLSIDs.
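The LaunchType / LaunchPrincipal / LaunchSid / LaunchAccess columns are a decoded security descriptor. As an added example (not PermissionHunter's code), the following PowerShell decodes an AppID's LaunchPermission and AccessPermission values into those same fields; it assumes the standard `HKLM\Software\Classes\AppID\{GUID}` layout and uses the BITS AppID shown above as its sample input.

```powershell
# Added example, not part of COMThanasia. Decodes an AppID's LaunchPermission and
# AccessPermission security descriptors into the fields described above (ACE type,
# principal, SID, rights). When an AppID carries no value, COM falls back to the
# machine-wide DefaultLaunchPermission / DefaultAccessPermission under
# HKLM\SOFTWARE\Microsoft\Ole, so the same fallback is applied here.
$ComRightNames = @{
    LaunchPermission = [ordered]@{ 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }
    AccessPermission = [ordered]@{ 2 = 'LocalAccess'; 4 = 'RemoteAccess' }
}
# Well-known SIDs that cover any low-privileged user: Everyone, Authenticated Users,
# INTERACTIVE and BUILTIN\Users. An Allow ACE for one of these is the row to inspect.
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

function Get-ComAppIdPermissions {
    param([Parameter(Mandatory)][string]$AppId)   # e.g. '{69AD4AEE-51BE-439b-A92C-86AE490E8B30}'
    $app = Get-ItemProperty -LiteralPath "HKLM:\Software\Classes\AppID\$AppId" -ErrorAction Stop
    $ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole'
    foreach ($name in 'LaunchPermission', 'AccessPermission') {
        $bytes  = $app.$name
        $source = 'AppID'
        if (-not $bytes) { $bytes = $ole."Default$name"; $source = 'OleDefault' }
        if (-not $bytes) { continue }
        # The REG_BINARY value is a self-relative SECURITY_DESCRIPTOR; parse it directly.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @(([byte[]]$bytes), 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid    = $ace.SecurityIdentifier
            $rights = $ComRightNames[$name].GetEnumerator() |
                Where-Object { ($ace.AccessMask -band $_.Key) -ne 0 } |
                ForEach-Object { $_.Value }
            [pscustomobject]@{
                Permission = $name
                Source     = $source
                AceType    = $ace.AceType              # AccessAllowed or AccessDenied
                Principal  = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value })
                Sid        = $sid.Value
                Rights     = ($rights -join ', ')
                BroadAllow = ($ace.AceType -eq 'AccessAllowed' -and $sid.Value -in $BroadSids)
            }
        }
    }
}

Get-ComAppIdPermissions -AppId '{69AD4AEE-51BE-439b-A92C-86AE490E8B30}' | Format-Table -AutoSize
```

Rows with `BroadAllow` set are the ones to cross-check against the object's `RunAs` value and its methods.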
If you find a COM object that you can access on behalf of a low-privileged user, for example, you can abuse it as follows:

- Create an instance and call the methods of that COM object to, for example, write an arbitrary file on behalf of the system. For example, you have found a COM object with a `DeployCmdShell()` method that runs on behalf of the `NT AUTHORITY\SYSTEM` account and you have `LaunchPermissions` and `AccessPermissions`. You can start this COM object, call the `DeployCmdShell()` method, and get code execution on behalf of the system. You can view the available methods using `ClsidExplorer`.
- Abuse DCOM authentication. For this, see RemoteKrbRelay.
All information about COM objects is in the registry. But what if the registration is incorrect? In such a case we can override the COM settings, for example, to hijack the executable file.
This tool detects such vulnerabilities by scanning the registry in the same order in which keys are consulted when a COM object is looked up. In this way, you can even find Shadow COM Hijacking. The priority is as follows:
1. HKCU\Software\Classes\(GUID)\TreatAs
2. HKLM\Software\Classes\(GUID)\TreatAs
3. HKCU\Software\Classes\(GUID)\InprocServer32
4. HKLM\Software\Classes\(GUID)\InprocServer32
5. HKCU\Software\Classes\(GUID)\LocalServer32
6. HKLM\Software\Classes\(GUID)\LocalServer32
Thus at least two vectors of privilege escalation emerge:

- If we have write permissions to `HKCU...TreatAs`, and the original COM executable is in `HKCU...LocalServer32`, then we can do Shadow COM Hijacking by writing our executable to `HKCU..TreatAs`.
- If the COM object lies in `HKCU..LocalServer32` and we can write to `HKCU..LocalServer32`, then we can do COM Hijacking.
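The same priority order can be used to audit a system for registrations that already resolve to a per-user key. The PowerShell below is an added example (not ComDiver's code): it walks the six keys in the order listed above using the full `Software\Classes\CLSID\{GUID}` paths, takes the first one that exists as the winner, and reports the CLSIDs whose winner lives under HKCU.

```powershell
# Added audit example, not part of COMThanasia. Resolves a CLSID's registration
# the way the priority list above describes (first key that exists wins) and
# reports the CLSIDs whose winning key lives under HKCU, i.e. a per-user entry
# that takes precedence over, or stands in for, the machine-wide registration.
# Assumes the standard Software\Classes\CLSID\{GUID} layout; run as the user you audit.
$Priority = @(
    'HKCU:\Software\Classes\CLSID\{0}\TreatAs',
    'HKLM:\Software\Classes\CLSID\{0}\TreatAs',
    'HKCU:\Software\Classes\CLSID\{0}\InprocServer32',
    'HKLM:\Software\Classes\CLSID\{0}\InprocServer32',
    'HKCU:\Software\Classes\CLSID\{0}\LocalServer32',
    'HKLM:\Software\Classes\CLSID\{0}\LocalServer32'
)

function Resolve-ComRegistration {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{01D0A625-782D-4777-8D4E-547E6457FAD5}'
    $winner = $null
    for ($i = 0; $i -lt $Priority.Count; $i++) {
        $key = $Priority[$i] -f $Clsid
        if (-not (Test-Path -LiteralPath $key)) { continue }
        if ($null -eq $winner) {
            $winner = [pscustomobject]@{
                Clsid       = $Clsid
                Rank        = $i + 1                      # 1 = HKCU TreatAs, 6 = HKLM LocalServer32
                Key         = $key
                Value       = (Get-ItemProperty -LiteralPath $key).'(default)'
                FromHKCU    = $key.StartsWith('HKCU:')
                ShadowsHKLM = $false
            }
        } elseif ($key.StartsWith('HKLM:')) {
            # A lower-priority machine-wide key exists, so the winner overrides it.
            $winner.ShadowsHKLM = $true
        }
    }
    return $winner
}

# Only CLSIDs with a per-user key can resolve to HKCU, so enumerating HKCU keeps
# the scan small. Per-user installs register here legitimately; review the Value
# (the module or server path) rather than treating every hit as a hijack.
function Find-UserResolvedClsids {
    Get-ChildItem -LiteralPath 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object { Resolve-ComRegistration -Clsid $_.PSChildName } |
        Where-Object { $_ -and $_.FromHKCU }
}

Find-UserResolvedClsids | Format-Table Clsid, Rank, ShadowsHKLM, Value -AutoSize
```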
Let's take a closer look at the tool:

```
PS A:\ssd\gitrepo\COMThanasia\ComDiver\x64\Debug> .\ComDiver.exe -h

----------- COM DIVER --------------
[?] Small tool to check insecure registry and disk permissions on com objects
[?] ARGS
-h/--help <- show this message
--from <CLSID> <- analyze CLSIDs from this clsid
--target <CLSID> <- analyze one target clsid
--no-context <- dont check another COM-server context. Only registry analyzing.
--no-create <- dont create target COM object. This is the fastest mode
```
It accepts the following arguments:

- `--from` - there are a lot of CLSIDs on a Windows system. If you do not want the tool to look at all CLSIDs starting from the first, you can specify the CLSID to start with, for example, `--from {50FDBB99-5C92-495E-9E81-E2C2F48CDDA}`;
- `--target` - analyze a specific CLSID;
- `--no-context` - do not check the name of the user on whose behalf the COM object is launched;
- `--no-create` - do not create a COM object that has been detected. This limits the information you can get about it. However, this is the fastest way to examine only the registry rights.
Example:

```
.\ComDiver.exe --no-create
```

In this case we can see that the keys do not exist under HKCU and that we have write permission to the path where they would be created. Accordingly, if we write our own value to this path, we will do COM Hijacking.
There is a built-in way to bypass UAC on a Windows system: the Elevation Moniker. You can read more about it here. This kind of UAC Bypass requires a non-standard way of registering the COM object in the registry, which is fairly easy to trace. So you can use my tool to find new ways of UAC Bypass.
Example:
```
PS A:\ssd\gitrepo\COMThanasia\MonikerHound\x64\Debug> .\MonikerHound.exe

MonikerHound - find your own UAC Bypass!
CICADA8 Research Team
From Michael Zhmaylo (MzHmO)

[+] Potential COM server for elevation moniker found!
Name: CEIPLuaElevationHelper
CLSID: {01D0A625-782D-4777-8D4E-547E6457FAD5}
LocalizedString: @%systemroot%\system32\werconcpl.dll,-351
Enabled: 1
IconReference: @%systemroot%\system32\werconcpl.dll,-6
Activate: Success
PID: 15800
DllHost.exe
[+]........................[+]
[+] Potential COM server for elevation moniker found!
Name: CTapiLuaLib Class
CLSID: {03e15b2e-cca6-451c-8fb0-1e2ee37a27dd}
LocalizedString: @%systemroot%\system32\tapiui.dll,-1
Enabled: 1
IconReference: @%systemroot%\system32\tapiui.dll,-201
Activate: Success
PID: 440
DllHost.exe
[+]........................[+]
```
Once you have discovered potential candidates for UAC Bypass, you can start checking them out. As a great template for running Elevation Moniker, you can take this function, or this program.
ClsidExplorer allows you to retrieve information about a specific CLSID. The program outputs the following data:

- `AppID` - ApplicationID of a specific COM Object;
- `ProgID` - ProgID of a specific COM Object;
- `PID` - PID in which this COM Object is running;
- `Process Name` - the name of the PID process;
- `Username` - name of the user on whose behalf the process is running;
- `Methods` - available methods of the COM Object. Made by parsing TypeLib.
```
PS A:\ssd\gitrepo\COMThanasia\ClsidExplorer\x64\Debug> .\CLSIDExplorer.exe -h
CLSIDExplorer.exe - identify all info by clsid
Usage:
.\CLSIDExplorer.exe --clsid "{00000618-0000-0010-8000-00aa006d2ea4}"
```

The program accepts only one argument:

- `--clsid` - target CLSID to analyze
```
PS A:\ssd\gitrepo\COMThanasia\ClsidExplorer\x64\Debug> .\CLSIDExplorer.exe --clsid "{00000618-0000-0010-8000-00aa006d2ea4}"
[{00000618-0000-0010-8000-00aa006d2ea4}]
AppID: Unknown
ProgID: Unknown
PID: 1572
Process Name: CLSIDExplorer.exe
Username: WINPC\Michael
Methods:
[0] __stdcall void QueryInterface(IN GUID*, OUT void**)
[1] __stdcall unsigned long AddRef()
[2] __stdcall unsigned long Release()
[3] __stdcall void GetTypeInfoCount(OUT unsigned int*)
[4] __stdcall void GetTypeInfo(IN unsigned int, IN unsigned long, OUT void**)
[5] __stdcall void GetIDsOfNames(IN GUID*, IN char**, IN unsigned int, IN unsigned long, OUT long*)
[6] __stdcall void Invoke(IN long, IN GUID*, IN unsigned long, IN unsigned short, IN DISPPARAMS*, OUT VARIANT*, OUT EXCEPINFO*, OUT unsigned int*)
[7] __stdcall BSTR Name()
[8] __stdcall void Name(IN BSTR)
[9] __stdcall RightsEnum GetPermissions(IN VARIANT, IN ObjectTypeEnum, IN VARIANT)
[10] __stdcall void SetPermissions(IN VARIANT, IN ObjectTypeEnum, IN ActionEnum, IN RightsEnum, IN InheritTypeEnum, IN VARIANT)
[11] __stdcall void ChangePassword(IN BSTR, IN BSTR)
[12] __stdcall Groups* Groups()
[13] __stdcall Properties* Properties()
[14] __stdcall _Catalog* ParentCatalog()
[15] __stdcall void ParentCatalog(IN _Catalog*)
[16] __stdcall void ParentCatalog(IN _Catalog*)
[END]
```
This program is great for checking a COM class discovered with `ComTraveller`, `PermissionHunter` or `MonikerHound` for interesting methods that can be abused.