Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Microsoft Windows 10 (17763.379) - Install DLL

 Share


HACK1949

Recommended Posts

edit: Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag to hide installer UI and find another way to trigger rollback (i.e through installer api, injecting into medium IL msiexec etc)

## Installer - capturing rolback scripts - patch bypass #2

There is still a race condition in the installer.

So there is a really small timing window to win a race, where if we set a junction after the check but before it writes the DACL we can still get our original PoC to work.

Again, it's a really small timing window, and while it appears to reliably reproduce on my setup.. I don't know if it will for yours. I've attached a procmon.exe log.

How to reproduce:

1. Run polarbear.exe (make sure to copy test.rbf and test.rbs in the same directory)

2. Open a cmd and run an installer (has to be an autoelevating installer in c:\windows\insatller) this way "msiexec /fa c:\windows\installer\123123213.msi"
When we pass the repair flag, it usually gives us a little more time to press the cancel button and trigger rollback. 
polarbear.exe will print out when you have to press cancel. So you don't press it too early!

3. If all is successful it will write oops.dll to system32. If failed.. make sure to delete the following folders: config.msi, new, new2, new3.
Use the included video demo as guide... as the process is kind of complicated!

Filter I used in procmon:

You should see this on a successful run:

The mount point on c:\config.msi has to be create after querynetworkfile and before setsecurityfile.



EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46916.zip

            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...