6/27/2023 0 Comments Smartscreen exe![]() The exe imports DLL ‘FirewallAPI.dll’ not in the ‘Known DLL’ registry key. NET exe too! This is a bit of a ‘0day’, but Telerik doesn’t have a bug bounty and they didn’t seem interested when I reached out, so screw em. For this I am choosing a program that comes with Fiddler named EnableLoopback.exe and its a. Bonus points if it requires elevation as this ensures our code is run with admin privileges. So now what we need is an exe that’s in the good boy list that’s vulnerable to DLL Side loading. Now lets utilize DLL side loading to bypass smart screen. Ok, so enough about that, and save that for another blog post. This check however is poorly documented and I rarely ever see it used anywhere (including on Windows binaries). The other entry I brought up was the dependency check under the exe manifest. This means any exe that is importing entries from these DLL files (and others) are vulnerable to side loading attacks. Things like vcruntime140.dl, winmm.dll, comctl32.dll, and wintrust.dll are missing. An amateur windows programmer may notice that this list is missing a number of DLL files used all the damned time. ![]() This may seem like an end all to our side loading exploitation, but not really. Its located under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs So what do I mean when I say known DLL? There exists a registry entry on windows that contains a list of DLL’s that are considered ‘known’ and are loaded from the windows and system32 folders first. Am I in the environment variable ‘PATH’?.Am I in the folder where I was launched?.Am I defined a dependency in the exe manifest file? If so, load from there. ![]() Am I a known DLL? If so, then load from system folders.It’s not always cut and dry, and there are a number of mitigations that have been put in place to prevent this.ĭll files are loaded in a particular order. By dropping our own DLL, we can exploit this. DLL Side LoadingĭLL Side Loading is a what happens when an exe starts searching the current directory for a DLL file, then loading an export from the DLL. What we are taking advantage of is something called ‘Dll Side Loading’. Anything easier? What about DLL’s? Those work fantastically and the vulnerabilities for exploiting them are everywhere. This is hard to do, but not impossible, however I rarely encounter untrusted execution. So to bypass Smart Screen, we need to exploit the trust issue of either a bad CreateProcess, ShellExec, WinExec, etc call where we can specify our own executable name / path. Does it only apply to process creation? NO! Dynamic link libraries work in the same manner! So programs spawned from trusted programs are trusted. Programs that aren’t signed that are run by programs that are signed are given the same trust. Signed executables have an inherit trust issue. The answer lies in the fundamental flaw in how Windows does its signing and code running. “But Joe”, you may ask, “how the fuck are we supposed to run our code when these trusted exes have a signed check that breaks once you modify them?”. ![]() We exploit a program in the ‘good boy’ list to run our code. Even then if the certificate authority isn’t in the Microsoft ‘good boy’ list, then smart screen will still alert. OK, so how the hell do you bypass this? Well you could sign your exe, but that costs money. Here we have it popping Smart Screen, upset that my binary doesn’t pass its ‘background check’. What makes them so special?Īnyways, here we have an unsigned, untrusted exe written by me that does nothing. Ever wondered why when you attempt to open a microsoft tool downloaded from the internet that Smart Screen doesn’t say shit? This is because some certs are in the ‘good boy’ list. The ‘good boy’ list I am referring to is a list of certificates that are trusted by Microsoft no questions asked. Is the signing authority in our ‘good boy’ list?.Is there a malware signature in this binary?.Microsoft Smart Screen works on executables by checking: Kind of annoying when you’re writing malware or exploits when Windows Defender detects your payloads, but that’s a topic for another post. It pops up a warning if you attempt to run a binary that is unsigned and / or untrusted. OK, so Smart Screen is a windows defender utility that comes with Windows 10. Feels like the last time I updated this blog I figured if I was to make an update after more than a year’s absence, it better damned well be a good fucking update. God, its been forever since I made an update.
0 Comments
Leave a Reply. |