Regsrv32 exploit
Re: Regsrv32 exploit
Nice, I tested it and it works
But I can't see a possibility to add parameters to the regsvr32 line.
As regsvr32 accepts a /c option, this could be useful for the FOR/F problem with autorun (SO: How to specify /D in FOR command?).
Something like
Code:
rem FOR /F runs its command as "%COMSPEC% /c <command>", so pointing COMSPEC at
rem regsvr32.exe makes the loop start the scriptlet instead of cmd.exe
set "comspec=C:\windows\system32\regsvr32.exe"
set "WRAP=/s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll"
for /F "delims=" %%A in ('%WRAP% echo %TIME%') do echo #%%A
But the wrapper.sct doesn't see the DIR command (currently).
wrapper.sct
Code:
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Empire"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c");
]]>
</script>
</registration>
</scriptlet>
The problem is, that it expands to
Code:
regsvr32.exe /s /n /u /i:file:///c:\temp\wrapper.sct scrobj.dll echo 17:55:00
But wrapper.sct will not see the "echo 17:55:00"
Re: Regsrv32 exploit
jeb wrote: Nice, I tested it and it works
...
The bad thing is that the sct does not recognize WScript.Arguments, nor can it handle ('Scripting.FileSystemObject').GetStandardStream(1/0), because it is regsvr32 that starts the file...
Re: Regsrv32 exploit
But environment variables can be expanded in the sct file:
Code:
rem the command to run is handed to the scriptlet through the wcom variable
set "wcom=pause"
set "comspec=C:\windows\system32\regsvr32.exe"
set "WRAP=/s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll"
for /F "delims=" %%A in ('%WRAP%') do echo #%%A
and the wrapper:
Code:
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Empire"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell");
var command=r.ExpandEnvironmentStrings("%wcom%");
r.Run("cmd.exe /c " + command);
]]>
</script>
</registration>
</scriptlet>
Re: Regsrv32 exploit
If the WScript.Shell Exec() method is used instead of Run(), the output can be read:
Code:
@echo off
set "wcom=echo --#--&pause"
::set "comspec=C:\windows\system32\regsvr32.exe"
set "WRAP=/s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll"
for /F "delims=" %%A in ('%WRAP%') do echo #%%A
regsvr32 /s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll |more
and the wrapper:
Code:
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Empire"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell");
var command=r.ExpandEnvironmentStrings("%wcom%");
var res=r.Exec("cmd.exe /c " + command);
new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).Write(res.StdOut.ReadLine());
]]>
</script>
</registration>
</scriptlet>
Re: Regsrv32 exploit
Nice work.
I changed the wrapper.sct to support more than one line of output.
Code:
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Empire"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell");
// the command arrives through the environment, since the scriptlet gets no arguments
var command=r.ExpandEnvironmentStrings("%wcom%");
var res=r.Exec("cmd.exe /c \"" + command + "\"");
// write through regsvr32's own stdout so the calling FOR /F captures every line
var stdout=new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1);
while ( !res.StdOut.AtEndOfStream)
{
stdout.WriteLine(res.StdOut.ReadLine() );
}
]]>
</script>
</registration>
</scriptlet>
Re: Regsrv32 exploit
Hi Guys!
Fascinating discovery, but not even MS can ignore a security hole that big. No doubt it will be patched in an upcoming update. I’m more concerned with the AUTORUN issue, which I was unaware of until now.
Short of querying the Registry to make sure the AUTORUN key is empty whenever I want to use a for /f loop, what can I do about it?
Any suggestions appreciated.
- SB
Re: Regsrv32 exploit
Sponge Belly wrote: Hi Guys!
Short of querying the Registry to make sure the AUTORUN key is empty whenever I want to use a for /f loop, what can I do about it?
Any suggestions appreciated.
- SB
What is this about? Can you give more info.
Re: Regsrv32 exploit
It looks interesting but I don't understand this, what can a person do with this, how is this a security hole ?
Re: Regsrv32 exploit
Hi Vasil,
Sorry for the delay in replying. I was referring to the SO link Jeb mentioned in his reply to the OP. If I understand correctly, the following Registry keys are queried every time a for /f loop is executed:
Code:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
There is no way to prevent this short of using the wrapper developed by Jeb and yourself.
So my question is, how can I do the following?
- Check if the Registry keys have values.
- If true, save the values to temp variables, and delete the keys.
- Execute my for /f loops safely.
- Restore original values of keys.
Can a Batch file do this without triggering the UAC prompt? And finally, isn’t this an awful lot of work to handle a situation which will probably never arise?
Thanks!
- SB
Re: Regsrv32 exploit
Is this for your own use on your PC or is it to run on any persons PC?
Test this code to see if anything is printed to the screen above the 'press any key prompt'.
If reg query doesn't raise a UAC prompt then you can use it to set a variable to anything that is in these keys.
Code:
@echo off
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor" /v AutoRun 2>nul
reg query "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /v AutoRun 2>nul
pause & goto :EOF
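The check / save / clear / run / restore procedure Sponge Belly lists, built around foxidrive's reg query step, as an added example (this is not code from the thread). It assumes reg.exe prints a value line as "    AutoRun    REG_SZ    <data>" (tab or space separated, XP and later), that the temp file name is arbitrary, and that AutoRun data containing double quotes does not need handling. Two points it answers: reading the values through a redirected file instead of FOR /F's 'command' form spawns no child cmd.exe, so AutoRun cannot fire during the check itself; and reg.exe never raises a UAC prompt, it simply fails with "Access is denied" on HKLM for a non-elevated user, so the script clears HKCU and only warns about HKLM.

```batch
@echo off
setlocal EnableExtensions DisableDelayedExpansion
rem Added example, not code from the thread: save the cmd.exe AutoRun values,
rem clear them, run the FOR /F loops, then restore them.
rem Assumptions: reg.exe prints a value line as "    AutoRun    REG_SZ    <data>"
rem (tab- or space-separated, XP and later); the temp file name is arbitrary;
rem AutoRun data containing double quotes is not handled.

set "KEY_CU=HKCU\Software\Microsoft\Command Processor"
set "KEY_LM=HKLM\Software\Microsoft\Command Processor"
set "TMPFILE=%TEMP%\autorun_%RANDOM%.txt"
set "HAVE_CU=0"
set "HAVE_LM=0"

rem 1) Read both values without FOR /F's 'command' form. Redirecting reg.exe to a
rem    file and reading that file spawns no child cmd.exe, so AutoRun cannot run
rem    while we are still looking for it.
call :read "%KEY_CU%" CU
call :read "%KEY_LM%" LM
del "%TMPFILE%" 2>nul

if %HAVE_CU%==0 if %HAVE_LM%==0 echo No AutoRun values set; FOR /F is safe.

rem 2) Clear what we can. HKCU needs no elevation. HKLM does, so a plain user
rem    gets "Access is denied" from reg delete (no UAC prompt); then we only warn.
if %HAVE_CU%==1 (
    echo Clearing HKCU AutoRun: "%SAVED_CU%"
    reg delete "%KEY_CU%" /v AutoRun /f >nul 2>&1
)
if %HAVE_LM%==1 (
    reg delete "%KEY_LM%" /v AutoRun /f >nul 2>&1
    if errorlevel 1 (
        echo WARNING: HKLM AutoRun is set and cannot be removed without elevation:
        echo          "%SAVED_LM%"
        set "HAVE_LM=0"
    ) else (
        echo Cleared HKLM AutoRun: "%SAVED_LM%"
    )
)

rem 3) The work that needs clean child shells.
call :work

rem 4) Restore whatever was removed, keeping the original value type.
if %HAVE_CU%==1 reg add "%KEY_CU%" /v AutoRun /t %TYPE_CU% /d "%SAVED_CU%" /f >nul
if %HAVE_LM%==1 reg add "%KEY_LM%" /v AutoRun /t %TYPE_LM% /d "%SAVED_LM%" /f >nul
exit /b 0

:read
rem %1 = registry key, %2 = suffix for the SAVED_/TYPE_/HAVE_ variables
reg query "%~1" /v AutoRun >"%TMPFILE%" 2>nul
for /f "usebackq tokens=1,2,*" %%A in ("%TMPFILE%") do (
    if /i "%%A"=="AutoRun" (
        set "TYPE_%~2=%%B"
        set "SAVED_%~2=%%C"
        set "HAVE_%~2=1"
    )
)
exit /b

:work
rem Example loop; every FOR /F here runs "%COMSPEC% /c ..." in a child cmd.exe.
for /f "delims=" %%A in ('ver') do echo FOR /F saw: %%A
exit /b
```

The restore step runs after :work returns, so the values go back even when the loops fail; a script that leaves via plain exit (without /b) would skip it. Delayed expansion stays off so AutoRun data containing ! survives the round trip.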
Re: Regsrv32 exploit
Hi Foxi,
Thanks for your helpful suggestion and sorry for not replying sooner. I’ve been wracking my brains over this and I haven’t been able to come up with a practical solution.
Ideally, I want to write robust code that will work on all versions of Windows and won’t be tripped up by gotchas like commands stored in the AutoRun keys. But it’s such an unlikely edge case that the cost of regularly checking for it isn’t worth the effort.
- SB
PS: Maybe this is something your script to gather information could check for?