Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/itm4n/UsoDllLoader

Windows - Weaponizing privileged file writes with the Update Session Orchestrator service
https://github.com/itm4n/UsoDllLoader

dll-hijacking windows-exploitation windows-privilege-escalation

Last synced: 3 months ago
JSON representation

Windows - Weaponizing privileged file writes with the Update Session Orchestrator service

Host: GitHub
URL: https://github.com/itm4n/UsoDllLoader
Owner: itm4n
Created: 2019-08-01T17:58:16.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2020-06-06T11:05:12.000Z (over 4 years ago)
Last Synced: 2024-04-12T19:38:46.527Z (7 months ago)
Topics: dll-hijacking, windows-exploitation, windows-privilege-escalation
Language: C++
Homepage:
Size: 3.44 MB
Stars: 371
Watchers: 13
Forks: 104
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - itm4n/UsoDllLoader - Windows - Weaponizing privileged file writes with the Update Session Orchestrator service (C++)

README

# UsoDllLoader

:warning: __2020-06-06 Update:__ this trick no longer works on the latest builds of __Windows 10 Insider Preview__. This means that, although __it still works on the mainstream version of Windows 10__, you should expect it to be _patched_ in the coming months.

## Description

This PoC shows __a technique__ that can be used to __weaponize privileged file write vulnerabilities__ on Windows. It provides an alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. [@tiraniddo](https://twitter.com/tiraniddo)), which was fixed by Microsoft starting from build version 1903.

## TL;DR

Starting from Windows 10, Microsoft introduced the `Update Session Orchestrator` service. __As a regular user__, you can interact with this service using COM, and start an "update scan" (i.e. check whether updates are available) or start the download of pending updates for example. There is even an undocumented built-in tool called `usoclient.exe`, which serves that purpose.

From an attacker's standpoint, this service is interesting because it runs as `NT AUTHORITY\System` and it tries to load a __non-existent DLL__ (`windowscoredeviceinfo.dll`) __whenever an Update Session is created__.

This means that, if we found a privileged file write vulnerability in Windows or in some third-party software, we could copy our own version of `windowscoredeviceinfo.dll` into `C:\Windows\Sytem32\` and then have it loaded by the USO service to get arbitrary code execution as `NT AUTHORITY\System`.

For more information:
Part 1 - https://itm4n.github.io/usodllloader-part1/
Part 2 - https://itm4n.github.io/usodllloader-part2/

## Build the PoC

### Content

This solution is composed of two projects: __WindowsCoreDeviceInfo__ and __UsoDllLoader__.

- __WindowsCoreDeviceInfo__

It provides a PoC DLL that will start a bind shell on port 1337 (localhost only), whenever the `QueryDeviceInformation()` function is called. That's the name of the function used by the USO workers.

- __UsoDllLoader__ (optional)

It's a stripped-down version of `usoclient.exe`. It can be run as a regular user to interact with the USO service and have it load `windowscoredeviceinfo.dll`. Then, it will try to connect to the bind shell. In case of errors, please read the "Known issues" section.

### Build the solution

The solution is already preconfigured so compiling should be easy. I'm using __Visual Studio 2019__. It might not work with older versions.

1. Select `Release` config and `x64` architecure.
2. Build solution.
3. Output: the DLL `.\x64\Release\WindowsCoreDeviceInfo.dll` and the loader `.\x64\Release\UsoDllLoader.exe`.

## Test

### Usage 1 - UsoDllLoader

For testing purposes, you can:

1. __As an administrator__, copy `WindowsCoreDeviceInfo.dll` to `C:\Windows\System32\`.
2. Use the loader as a regular user.
3. Hopefully enjoy a shell as `NT AUTHORITY\SYSTEM`.

### Usage 2 - UsoClient

If `UsoDllLoader.exe` fails, you can do the above _manually_.

1. __As an administrator__, copy `WindowsCoreDeviceInfo.dll` to `C:\Windows\System32\`.
2. Use the command `usoclient StartInteractiveScan` as a regular user. Note that you won't get any feedback from the command.
3. Download netcat for Windows and use the command `nc.exe 127.0.0.1 1337` to connect to the bindshell.

## Known issues

- __Pending updates__

This method will probably fail if one or several updates are waiting to be installed, or if updates are being installed.

- __RPC errors__

Depending on the version of Windows, `UsoDllLoader.exe` might __fail with various error codes__. I didn't investigate these issues too much. The reason for this is that it's only a PoC, which I developped for convenience. __What matters the most is the DLL__, not the loader. See "Usage 2" for more details.