Windows ALPC Decoding (Part 2)
2022-04-28 13:14:06
Location: Beijing

I have to admit that ALPC is the trickiest, most troublesome thing I have come across so far, and it is used by a huge number of components: RPC, WMI, COM, the print spooler and so on, each of which has had vulnerabilities of one kind or another. For an EDR developer it is, frankly, a public toilet. This article therefore explains how to clean the public toilet properly.

Following the previous article on intercepting ALPC, we ran into a problem:
how do you decode an ALPC packet?
ALPC's transport works much like TCP on Windows
and goes through several phases:

  1. handshake
  2. data exchange
  3. obtain a channel
  4. send execution requests over that channel

(My impression is that the ALPC design took TCP-style connections into account, because the RPC layer abstracted on top of it can also be invoked remotely, once an ipc$ connection has been established.)

Last time we only got hold of the PORT_MESSAGE; the raw buffer actually follows directly behind the PORT_MESSAGE. The code to obtain it:

// portMessage is the PPORT_MESSAGE captured by the ALPC hook from the previous article.
if (portMessage == nullptr) {
    return;
}
// u1.s1.TotalLength counts the PORT_MESSAGE header as well; u1.s1.DataLength is the size of
// the raw buffer that follows the header, which is the length the parsers below need.
size_t msgLength = portMessage->u1.s1.DataLength;
if (msgLength == 0 || portMessage->u1.s1.TotalLength < sizeof(PORT_MESSAGE) + msgLength) {
    return; // header lengths do not agree: do not trust the payload
}
// The raw buffer sits directly behind the header.
PUCHAR msgBuffer = (PUCHAR)(portMessage + 1);
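As an added, host-portable illustration (not code from the article, which runs inside the author's hook), the block below declares the x64 PORT_MESSAGE header layout, validates TotalLength against DataLength and the number of bytes actually captured before handing out the raw buffer, and renders that buffer in the same offset/hex/ASCII layout used for the dumps in this article. The field names follow the Windows PORT_MESSAGE definition; the sample message is constructed here and the MessageId value is only borrowed from one of the article's dumps.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// x64 layout of the ALPC PORT_MESSAGE header (0x28 bytes). Only the fields the extractor
// needs are named; the rest is kept as opaque storage so sizeof() stays 0x28.
struct PortMessageHeader {
    uint16_t DataLength;      // u1.s1.DataLength: payload bytes that follow the header
    uint16_t TotalLength;     // u1.s1.TotalLength: header + payload
    uint16_t Type;            // u2.s2.Type
    uint16_t DataInfoOffset;  // u2.s2.DataInfoOffset
    uint64_t ClientId[2];     // CLIENT_ID { UniqueProcess, UniqueThread }
    uint32_t MessageId;
    uint32_t Reserved;        // alignment padding before the SIZE_T union
    uint64_t ClientViewSize;  // union { ClientViewSize, CallbackId }
};
static_assert(sizeof(PortMessageHeader) == 0x28, "PORT_MESSAGE is 0x28 bytes on x64");

// Returns a pointer to the raw buffer behind the header and its length, or nullptr when the
// lengths in the header do not agree with each other or with the bytes actually captured.
static const uint8_t* rawBuffer(const uint8_t* msg, size_t captured, size_t* outLen) {
    if (msg == nullptr || captured < sizeof(PortMessageHeader)) return nullptr;
    PortMessageHeader hdr;
    std::memcpy(&hdr, msg, sizeof hdr);  // copy out: no aliasing or alignment assumptions
    // TotalLength includes the header; DataLength counts only the payload.
    if (hdr.TotalLength < sizeof hdr || hdr.TotalLength > captured) return nullptr;
    if (hdr.DataLength > hdr.TotalLength - sizeof hdr) return nullptr;
    *outLen = hdr.DataLength;
    return msg + sizeof hdr;
}

// Renders bytes as "offset  16 hex bytes  ascii", the layout of the dumps in the article.
static std::string hexdump(const uint8_t* data, size_t len) {
    std::string out;
    char tmp[8];
    for (size_t off = 0; off < len; off += 16) {
        std::snprintf(tmp, sizeof tmp, "%04zx", off);
        out += tmp;
        std::string hex, ascii;
        for (size_t i = 0; i < 16; ++i) {
            if (off + i < len) {
                uint8_t b = data[off + i];
                std::snprintf(tmp, sizeof tmp, " %02x", b);
                hex += tmp;
                ascii += (b >= 0x20 && b < 0x7f) ? static_cast<char>(b) : '.';
            } else {
                hex += "   ";  // keep the ascii column aligned on a short last line
            }
        }
        out += hex + " " + ascii + "\n";
    }
    return out;
}

// Constructed sample: a 0x28-byte header followed by a 16-byte payload ("MEOW" + zeros).
static std::vector<uint8_t> sampleMessage() {
    PortMessageHeader hdr{};
    hdr.DataLength = 16;
    hdr.TotalLength = static_cast<uint16_t>(sizeof hdr + 16);
    hdr.MessageId = 63556;  // value taken from the article's "Get Guid" reply, nothing else is
    std::vector<uint8_t> buf(sizeof hdr + 16, 0);
    std::memcpy(buf.data(), &hdr, sizeof hdr);
    std::memcpy(buf.data() + sizeof hdr, "MEOW", 4);
    return buf;
}

// Extracts and dumps the sample; truncateTo simulates a capture shorter than TotalLength.
// Returns "" when validation rejects the message.
static std::string dumpSample(size_t truncateTo = SIZE_MAX) {
    std::vector<uint8_t> msg = sampleMessage();
    size_t captured = std::min(truncateTo, msg.size());
    size_t len = 0;
    const uint8_t* raw = rawBuffer(msg.data(), captured, &len);
    return raw ? hexdump(raw, len) : std::string();
}

int main() {
    std::printf("%s", dumpSample().c_str());
    return 0;
}
```

Running it prints the single payload line in the article's dump format; a capture shorter than TotalLength is rejected instead of being read past its end.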

Handshake and information exchange

The handshake packet looks like this:

MessageId: 0 Type: 0 direction: 0
0000 00 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 02 00 10 00 00 00 00 00 00 00 10 00 00 00 ................
0050 57 00 69 00 6e 00 53 00 74 00 61 00 30 00 5c 00 W.i.n.S.t.a.0.\.
0060 44 00 65 00 66 00 61 00 75 00 6c 00 74 00 00 00 D.e.f.a.u.l.t...
0070 04 00 02 00 37 00 00 00 00 00 00 00 37 00 00 00 ....7.......7...
0080 43 00 3a 00 5c 00 55 00 73 00 65 00 72 00 73 00 C.:.\.U.s.e.r.s.
0090 5c 00 68 00 75 00 6f 00 6a 00 69 00 5c 00 44 00 \.h.u.o.j.i.\.D.
00a0 65 00 73 00 6b 00 74 00 6f 00 70 00 5c 00 43 00 e.s.k.t.o.p.\.C.
00b0 6f 00 6d 00 54 00 65 00 73 00 74 00 5c 00 78 00 o.m.T.e.s.t.\.x.
00c0 36 00 34 00 5c 00 52 00 65 00 6c 00 65 00 61 00 6.4.\.R.e.l.e.a.
00d0 73 00 65 00 5c 00 43 00 6f 00 6d 00 54 00 65 00 s.e.\.C.o.m.T.e.
00e0 73 00 74 00 2e 00 65 00 78 00 65 00 00 00 00 00 s.t...e.x.e.....
00f0 00 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00                                     ....

MessageId: 40360 Type: 2 direction: 1
0000 03 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................
0010 00 00 00 00 00 00 00 00 00 00 00 00 fc cb 73 28 ..............s(
0020 64 66 75 4c 92 f1 49 64 8a d1 fb a8 68 01 00 00 dfuL..Id....h...
0030 00 00 02 00 57 00 00 00 57 00 41 00 07 00 44 00 ....W...W.A...D.
0040 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 46 00 E.S.K.T.O.P.-.F.
0050 37 00 38 00 54 00 46 00 45 00 54 00 00 00 07 00 7.8.T.F.E.T.....
0060 31 00 39 00 32 00 2e 00 31 00 36 00 38 00 2e 00 1.9.2...1.6.8...
0070 31 00 31 00 31 00 2e 00 31 00 38 00 31 00 00 00 1.1.1...1.8.1...
0080 07 00 31 00 39 00 32 00 2e 00 31 00 36 00 38 00 ..1.9.2...1.6.8.
0090 2e 00 31 00 32 00 36 00 2e 00 31 00 00 00 07 00 ..1.2.6...1.....
00a0 31 00 39 00 32 00 2e 00 31 00 36 00 38 00 2e 00 1.9.2...1.6.8...
00b0 32 00 34 00 35 00 2e 00 31 00 00 00 00 00 09 00 2.4.5...1.......
00c0 ff ff 00 00 1e 00 ff ff 00 00 10 00 ff ff 00 00 ................
00d0 0a 00 ff ff 00 00 16 00 ff ff 00 00 1f 00 ff ff ................
00e0 00 00 0e 00 ff ff 00 00 00 00 00 00 00 00 00 00 ................
00f0 79 92 bf 1e 5a 3f 84 d4 0a 00 00 00 00 00 00 00 y...Z?..........
0100 19 7d 4c 7b f5 dd a1 ba cc 01 c1 34 e8 b3 f8 c0 .}L{.......4....
0110 77 ba 7d 31 88 9e d6 26 70 f7 5f 80 fc 65 7a a5 w.}1...&p._..ez.
0120 c8 de 3d a3 4b 66 31 15 c8 20 b5 4f 06 16 fd b3 ..=.Kf1.. .O....
0130 60 a1 3f 1b 18 88 01 e5 35 1f 92 34 63 4a 0a 6e `.?.....5..4cJ.n
0140 f5 e4 6b 2c 45 f0 b0 5e 8a 4c b8 44 0c d1 0c 44 ..k,E..^.L.D...D
0150 0a 00 00 00 51 00 00 00 00 00 00 00 00 00 00 00 ....Q...........
0160 00 00 00 00 02 00 00 00 02 00 00 00 07 00 00 00 ................
0170 04 00 02 00 07 00 00 00 09 00 1e 00 10 00 0a 00 ................
0180 16 00 1f 00 0e 00 00 00 07 00 00 00 08 00 02 00 ................
0190 07 00 00 00 0c 00 02 00 09 00 00 00 10 00 02 00 ................
01a0 1e 00 00 00 14 00 02 00 10 00 00 00 18 00 02 00 ................
01b0 0a 00 00 00 1c 00 02 00 16 00 00 00 20 00 02 00 ............ ...
01c0 1f 00 00 00 24 00 02 00 0e 00 00 00 0a 00 00 00 ....$...........
01d0 00 00 00 00 0a 00 00 00 4e 00 65 00 67 00 6f 00 ........N.e.g.o.
01e0 74 00 69 00 61 00 74 00 65 00 00 00 0d 00 00 00 t.i.a.t.e.......
01f0 00 00 00 00 0d 00 00 00 4e 00 65 00 67 00 6f 00 ........N.e.g.o.
0200 45 00 78 00 74 00 65 00 6e 00 64 00 65 00 72 00 E.x.t.e.n.d.e.r.
0210 00 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 ................
0220 4b 00 65 00 72 00 62 00 65 00 72 00 6f 00 73 00 K.e.r.b.e.r.o.s.
0230 00 00 00 00 05 00 00 00 00 00 00 00 05 00 00 00 ................
0240 4e 00 54 00 4c 00 4d 00 00 00 00 00 06 00 00 00 N.T.L.M.........
0250 00 00 00 00 06 00 00 00 54 00 53 00 53 00 53 00 ........T.S.S.S.
0260 50 00 00 00 06 00 00 00 00 00 00 00 06 00 00 00 P...............
0270 70 00 6b 00 75 00 32 00 75 00 00 00 09 00 00 00 p.k.u.2.u.......
0280 00 00 00 00 09 00 00 00 53 00 63 00 68 00 61 00 ........S.c.h.a.
0290 6e 00 6e 00 65 00 6c 00 00 00 00 00 00 00 00 00 n.n.e.l.........
02a0 00 00 00 00 69 69 01 00 78 05 00 00 00 00 00 00 ....ii..x.......
02b0 10 11 19 b0 d3 01 00 00 6f fa f3 da 3e bd a2 4d ........o...>..M
02c0 80 97 b3 a7 e7 04 be 85 7c 00 00 00 7c 00 00 00 ........|...|...
02d0 e8 00 00 00 e4 00 00 00 e4 00 00 00 a8 03 00 00 ................
02e0 28 00 02 00 a8 03 00 00 01 00 04 80 5c 00 00 00 (...........\...
02f0 6c 00 00 00 00 00 00 00 14 00 00 00 02 00 48 00 l.............H.
0300 03 00 00 00 00 00 18 00 1f 00 00 00 01 02 00 00 ................
0310 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 .... ... .......
0320 0b 00 00 00 01 01 00 00 00 00 00 05 04 00 00 00 ................
0330 00 00 14 00 0b 00 00 00 01 01 00 00 00 00 00 05 ................
0340 12 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 ............ ...
0350 20 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00  ........... ...
0360 20 02 00 00 01 00 04 80 5c 00 00 00 6c 00 00 00  .......\...l...
0370 00 00 00 00 14 00 00 00 02 00 48 00 03 00 00 00 ..........H.....
0380 00 00 14 00 07 00 00 00 01 01 00 00 00 00 00 05 ................
0390 0a 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 ................
03a0 00 00 00 05 12 00 00 00 00 00 18 00 07 00 00 00 ................
03b0 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 ........ ... ...
03c0 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 ........ ... ...
03d0 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 ........ ... ...
03e0 01 00 04 80 c8 00 00 00 d8 00 00 00 00 00 00 00 ................
03f0 14 00 00 00 02 00 b4 00 06 00 00 00 00 00 18 00 ................
0400 1f 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 ............ ...
0410 20 02 00 00 00 00 14 00 0b 00 00 00 01 01 00 00  ...............
0420 00 00 00 01 00 00 00 00 00 00 18 00 1f 00 00 00 ................
0430 01 02 00 00 00 00 00 05 20 00 00 00 32 02 00 00 ........ ...2...
0440 00 00 18 00 1f 00 00 00 01 02 00 00 00 00 00 05 ................
0450 20 00 00 00 2f 02 00 00 00 00 18 00 0b 00 00 00  .../...........
0460 01 02 00 00 00 00 00 0f 02 00 00 00 01 00 00 00 ................
0470 00 00 38 00 0b 00 00 00 01 0a 00 00 00 00 00 0f ..8.............
0480 03 00 00 00 00 04 00 00 a1 27 60 8f 9a bb 18 34 .........'`....4
0490 63 b6 77 ff 9d d5 b6 6c e7 32 1a 68 08 52 43 92 c.w....l.2.h.RC.
04a0 86 a6 1f d8 98 17 1b 3b 01 02 00 00 00 00 00 05 .......;........
04b0 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05  ... ...........
04c0 20 00 00 00 20 02 00 00 01 00 04 80 c4 00 00 00  ... ...........
04d0 d4 00 00 00 00 00 00 00 14 00 00 00 02 00 b0 00 ................
04e0 06 00 00 00 00 00 14 00 07 00 00 00 01 01 00 00 ................
04f0 00 00 00 01 00 00 00 00 00 00 14 00 03 00 00 00 ................
0500 01 01 00 00 00 00 00 05 07 00 00 00 00 00 18 00 ................
0510 07 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 ............ ...
0520 32 02 00 00 00 00 18 00 07 00 00 00 01 02 00 00 2...............
0530 00 00 00 05 20 00 00 00 2f 02 00 00 00 00 18 00 .... .../.......
0540 03 00 00 00 01 02 00 00 00 00 00 0f 02 00 00 00 ................
0550 01 00 00 00 00 00 38 00 03 00 00 00 01 0a 00 00 ......8.........
0560 00 00 00 0f 03 00 00 00 00 04 00 00 a1 27 60 8f .............'`.
0570 9a bb 18 34 63 b6 77 ff 9d d5 b6 6c e7 32 1a 68 ...4c.w....l.2.h
0580 08 52 43 92 86 a6 1f d8 98 17 1b 3b 01 02 00 00 .RC........;....
0590 00 00 00 05 20 00 00 00 20 02 00 00 01 02 00 00 .... ... .......
05a0 00 00 00 05 20 00 00 00 20 02 00 00 01 00 04 80 .... ... .......
05b0 c4 00 00 00 d4 00 00 00 00 00 00 00 14 00 00 00 ................
05c0 02 00 b0 00 06 00 00 00 00 00 14 00 07 00 00 00 ................
05d0 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 ................
05e0 03 00 00 00 01 01 00 00 00 00 00 05 07 00 00 00 ................
05f0 00 00 18 00 07 00 00 00 01 02 00 00 00 00 00 05 ................
0600 20 00 00 00 32 02 00 00 00 00 18 00 07 00 00 00  ...2...........
0610 01 02 00 00 00 00 00 05 20 00 00 00 2f 02 00 00 ........ .../...
0620 00 00 18 00 03 00 00 00 01 02 00 00 00 00 00 0f ................
0630 02 00 00 00 01 00 00 00 00 00 38 00 03 00 00 00 ..........8.....
0640 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 ................
0650 a1 27 60 8f 9a bb 18 34 63 b6 77 ff 9d d5 b6 6c .'`....4c.w....l
0660 e7 32 1a 68 08 52 43 92 86 a6 1f d8 98 17 1b 3b .2.h.RC........;
0670 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 ........ ... ...
0680 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 ........ ... ...
0690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
06a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
06b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
06c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
06d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
06e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
06f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0700 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0780 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
07a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
07b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
07c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
07d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
07e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
07f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0880 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Once the server and client have confirmed that the other side wants to handshake, the client pushes its own exe path to the server (I am not sure whether something else is pushed in the network case).
The server in turn emits something that looks domain-related; I am not sure what it is.

This information is then exchanged a few more times, as follows:

MessageId: 0 Type: 0 direction: 0
0000 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 ................
0010 02 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 fc cb 73 28 64 66 75 4c 92 f1 49 64 ......s(dfuL..Id
0050 8a d1 fb a8 00 00 02 00 10 00 00 00 00 00 00 00 ................
0060 10 00 00 00 57 00 69 00 6e 00 53 00 74 00 61 00 ....W.i.n.S.t.a.
0070 30 00 5c 00 44 00 65 00 66 00 61 00 75 00 6c 00 0.\.D.e.f.a.u.l.
0080 74 00 00 00 00 00 00 00 44 00 00 00 44 00 00 00 t.......D...D...
0090 09 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 ...............F
00a0 48 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 H..............F
00b0 02 00 00 00 c6 af ab ec 19 7f d2 11 97 8e 00 00 ................
00c0 f8 75 7e 2a f9 c7 5f 3e 51 9a 67 43 90 63 a1 20 .u~*.._>Q.gC.c.
00d0 24 4f be c7 00 00 00 00 00 00 00 00 00 00 00 00 $O..............
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

MessageId: 109504 Type: 2 direction: 1
0000 03 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 ................
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 e3 01 04 80 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 ...............F
00b0 02 00 00 00 c6 af ab ec 19 7f d2 11 97 8e 00 00 ................
00c0 f8 75 7e 2a f9 c7 5f 3e 51 9a 67 43 90 63 a1 20 .u~*.._>Q.gC.c.
00d0 24 4f be c7                                     $O..

Interestingly, the computer name is emitted too, so in theory it can be captured as well:

MessageId: 0 Type: 0 direction: 0
0000 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 ................
0010 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 fc cb 73 28 64 66 75 4c 92 f1 49 64 ......s(dfuL..Id
0050 8a d1 fb a8 14 00 00 00 00 00 00 00 04 a5 00 00 ................
0060 02 00 00 00 05 00 07 00 03 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 ................
0080 04 a5 00 00 b7 17 be 58 31 fa 0a 84 00 00 00 01 .......X1.......
0090 00 00 00 00 6f fa f3 da 3e bd a2 4d 80 97 b3 a7 ....o...>..M....
00a0 e7 04 be 85 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 55 73 65 72 55 73 65 72 55 73 65 72 ....UserUserUser
00c0 00 00 00 00 00 00 00 00 01 00 00 00 04 a5 ff ff ................
00d0 0e d6 7e 1c d1 35 1f c1 57 64 74 50 00 00 00 00 ..~..5..WdtP....
00e0 57 64 74 50 00 00 00 00 57 64 74 50 00 00 00 00 WdtP....WdtP....
00f0 2d 00 00 00 2d 00 2b 00 6e 00 63 00 61 00 6c 00 -...-.+.n.c.a.l.
0100 72 00 70 00 63 00 3a 00 5b 00 4f 00 4c 00 45 00 r.p.c.:.[.O.L.E.
0110 44 00 41 00 33 00 32 00 46 00 32 00 41 00 45 00 D.A.3.2.F.2.A.E.
0120 35 00 36 00 39 00 43 00 32 00 34 00 34 00 33 00 5.6.9.C.2.4.4.3.
0130 41 00 37 00 37 00 31 00 37 00 42 00 42 00 32 00 A.7.7.1.7.B.B.2.
0140 37 00 45 00 39 00 43 00 5d 00 00 00 00 00 00 00 7.E.9.C.].......
0150 00 00 00 00 1b 00 00 00 1b 00 02 00 00 00 00 00 ................
0160 0a 00 ff ff 44 00 45 00 53 00 4b 00 54 00 4f 00 ....D.E.S.K.T.O.
0170 50 00 2d 00 46 00 37 00 38 00 54 00 46 00 45 00 P.-.F.7.8.T.F.E.
0180 54 00 5c 00 68 00 75 00 6f 00 6a 00 69 00 00 00 T.\.h.u.o.j.i...
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01b0 00 00 00 00 00 00 00 00 00 00                   ..........

The client then sends a request carrying a GUID to the server; the server returns a channel id together with some information about that GUID. All subsequent communication is keyed on this channel id:

Get Guid
MessageId: 0 Type: 0 direction: 0
0000 00 00 00 00 00 00 00 00 04 00 00 00 08 00 00 00 ................
0010 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 70 18 00 00 00 00 00 00 58 de 39 9b 11 00 00 00 p.......X.9.....
0050 5a 74 2a ab f9 7f 00 00 7c 8d 90 77 2e 01 00 00 Zt*.....|..w....
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Get Guid

MessageId: 63556 Type: 2 direction: 1
0000 03 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 ................
0010 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 02 00 88 03 00 00 ................
0040 88 03 00 00 4d 45 4f 57 04 00 00 00 a3 01 00 00 ....MEOW........
0050 00 00 00 00 c0 00 00 00 00 00 00 46 39 03 00 00 ...........F9...
0060 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 ...........F....
0070 60 03 00 00 50 03 00 00 00 00 00 00 01 10 08 00 `...P...........
0080 cc cc cc cc 60 00 00 00 00 00 00 00 50 03 00 00 ....`.......P...
0090 70 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 p...............
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 02 00 04 00 02 00 00 00 00 00 02 00 00 00 ................
00c0 39 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 9..............F
00d0 b6 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 ...............F
00e0 02 00 00 00 90 00 00 00 50 02 00 00 01 10 08 00 ........P.......
00f0 cc cc cc cc 80 00 00 00 00 00 00 00 01 00 00 00 ................
0100 00 00 02 00 04 00 02 00 08 00 02 00 01 00 00 00 ................
0110 74 6d dd 6e 07 c0 75 4e b7 6a e5 74 09 95 e2 4c tm.n..uN.j.t...L
0120 01 00 00 00 00 00 00 00 01 00 00 00 0c 00 02 00 ................
0130 44 00 00 00 44 00 00 00 4d 45 4f 57 01 00 00 00 D...D...MEOW....
0140 74 6d dd 6e 07 c0 75 4e b7 6a e5 74 09 95 e2 4c tm.n..uN.j.t...L
0150 00 00 00 00 05 00 00 00 13 83 81 71 3f c2 9a 54 ...........q?..T
0160 c2 63 78 12 52 a6 85 f5 06 90 00 00 c0 3a bc 9d .cx.R........:..
0170 df fb f4 6a 8a 44 cb 14 00 00 00 00 01 10 08 00 ...j.D..........
0180 cc cc cc cc 10 02 00 00 00 00 00 00 00 00 02 00 ................
0190 00 00 00 00 13 83 81 71 3f c2 9a 54 04 00 02 00 .......q?..T....
01a0 00 00 00 00 bc 9d 00 00 c0 3a 00 00 05 00 00 00 .........:......
01b0 05 00 07 00 03 00 00 00 00 00 00 00 00 00 00 00 ................
01c0 00 00 00 00 00 00 00 00 02 50 00 00 c0 3a bc 9d .........P...:..
01d0 da 44 82 24 5f 96 8a e6 00 00 00 04 08 00 02 00 .D.$_...........
01e0 bf 4d 7a 35 47 79 33 43 b9 ee 16 29 d5 0c e8 92 .Mz5Gy3C...)....
01f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0200 55 73 65 72 55 73 65 72 55 73 65 72 37 72 53 3a UserUserUser7rS:
0210 f4 0b a0 31 01 08 00 00 c0 3a ff ff a7 d0 81 2b ...1.....:.....+
0220 c3 8d 11 33 79 92 bf 1e 5a 3f 84 d4 00 00 00 00 ...3y...Z?......
0230 00 00 00 00 00 00 00 00 57 00 00 00 57 00 41 00 ........W...W.A.
0240 07 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 ..D.E.S.K.T.O.P.
0250 2d 00 46 00 37 00 38 00 54 00 46 00 45 00 54 00 -.F.7.8.T.F.E.T.
0260 00 00 07 00 31 00 39 00 32 00 2e 00 31 00 36 00 ....1.9.2...1.6.
0270 38 00 2e 00 31 00 31 00 31 00 2e 00 31 00 38 00 8...1.1.1...1.8.
0280 31 00 00 00 07 00 31 00 39 00 32 00 2e 00 31 00 1.....1.9.2...1.
0290 36 00 38 00 2e 00 31 00 32 00 36 00 2e 00 31 00 6.8...1.2.6...1.
02a0 00 00 07 00 31 00 39 00 32 00 2e 00 31 00 36 00 ....1.9.2...1.6.
02b0 38 00 2e 00 32 00 34 00 35 00 2e 00 31 00 00 00 8...2.4.5...1...
02c0 00 00 09 00 ff ff 00 00 1e 00 ff ff 00 00 10 00 ................
02d0 ff ff 00 00 0a 00 ff ff 00 00 16 00 ff ff 00 00 ................
02e0 1f 00 ff ff 00 00 0e 00 ff ff 00 00 00 00 00 00 ................
02f0 44 00 00 00 44 00 2b 00 6e 00 63 00 61 00 6c 00 D...D.+.n.c.a.l.
0300 72 00 70 00 63 00 3a 00 5b 00 4f 00 4c 00 45 00 r.p.c.:.[.O.L.E.
0310 31 00 37 00 44 00 46 00 36 00 45 00 33 00 32 00 1.7.D.F.6.E.3.2.
0320 35 00 38 00 38 00 42 00 46 00 35 00 39 00 32 00 5.8.8.B.F.5.9.2.
0330 33 00 30 00 35 00 39 00 44 00 38 00 35 00 30 00 3.0.5.9.D.8.5.0.
0340 46 00 30 00 37 00 41 00 5d 00 00 00 00 00 0a 00 F.0.7.A.].......
0350 ff ff 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 ..D.E.S.K.T.O.P.
0360 2d 00 46 00 37 00 38 00 54 00 46 00 45 00 54 00 -.F.7.8.T.F.E.T.
0370 5c 00 68 00 75 00 6f 00 6a 00 69 00 00 00 00 00 \.h.u.o.j.i.....
0380 00 00 00 00 57 64 74 50 00 00 00 00 57 64 74 50 ....WdtP....WdtP
0390 00 00 00 00 57 64 74 50 00 00 00 00 00 00 00 00 ....WdtP........
03a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03f0 00 00 00 00 00 00 00 00 00 00 00 00             ............

You can see that Microsoft left an easter egg called MEOW.
With ReClass we can work out these structures:

#include <cstdint>

// Offsets below are the ones the compiler produces with its default 8-byte alignment (no
// #pragma pack). The byte-packed view puts ChannelGuid at 0x169 and the size at 0x171, but
// the compiled struct carries 7 padding bytes after checkSum, and it is this layout that the
// parser later relies on (the same 16 bytes at 0x168 reappear at 0x30 of the send packet).
struct ALPC_RECEIVE_PACK_COMELVEATIONUACBYPASS
{
    uint64_t type; //0x0000  (3 in the reply)
    uint32_t unk; //0x0008
    uint32_t mabyId; //0x000C
    uint64_t unk2; //0x0010
    uint64_t unk3; //0x0018
    uint8_t unk4[24]; //0x0020
    uint32_t unk5; //0x0038
    uint32_t unk6; //0x003C
    uint32_t unk7; //0x0040
    uint32_t sigMEOW; //0x0044  ("MEOW")
    uint8_t unk8[240]; //0x0048
    uint32_t sigMEOW2; //0x0138  ("MEOW")
    uint8_t unk9[36]; //0x013C
    uint64_t unk10; //0x0160
    uint8_t checkSum; //0x0168
    uint64_t ChannelGuid; //0x0170  (8-byte aligned, after padding)
}; //Size: 0x0178

Execution

Once the server is ready, the client can send an execution packet that carries the channel id and the IID to execute:

MessageId: 0 Type: 16384 direction: 0
0000 01 00 00 00 00 00 00 00 00 00 00 00 74 6d dd 6e ............tm.n
0010 07 c0 75 4e b7 6a e5 74 09 95 e2 4c 00 00 00 00 ..uN.j.t...L....
0020 03 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 16 62 fa 28 00 00 00 00 00 00 00 00 00 00 00 00 .b.(............
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

After the server responds, the client sends the id it actually wants to execute:

0000 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ................
0010 01 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 06 90 00 00 c0 3a bc 9d df fb f4 6a 8a 44 cb 14 .....:.....j.D..
0040 05 00 07 00 01 00 00 00 00 00 00 00 4d 1d 9f 72 ............M..r
0050 62 6a b3 40 91 b7 fb 20 0a 69 4c 6e 00 00 00 00 bj.@... .iLn....
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 23 76 30 81 d3 a2 b1 40 ........#v0....@
0080 ad a6 e3 ed cd 5b 19 52 00 00 00 00 00 00 00 00 .....[.R........
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 &...............
00d0 26 00 00 00 00 00 00 00 43 00 3a 00 5c 00 77 00 &.......C.:.\.w.
00e0 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 73 00 i.n.d.o.w.s.\.s.
00f0 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 y.s.t.e.m.3.2.\.
0100 63 00 6d 00 64 00 2e 00 65 00 78 00 65 00 31 00 c.m.d...e.x.e.1.
0110 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 1.1.1.1.1.1.1.1.
0120 31 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 1...............
0130 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 13 00 00 00 00 00 00 00 2f 00 63 00 20 00 77 00 ......../.c. .w.
0150 68 00 6f 00 61 00 6d 00 69 00 31 00 31 00 31 00 h.o.a.m.i.1.1.1.
0160 31 00 31 00 31 00 31 00 31 00 31 00 00 00 00 00 1.1.1.1.1.1.....
0170 00 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0 00 00 00 00 00 00 00 00                         ........

Obviously, in this example I used the infamous CMLuaUtil UAC bypass for privilege elevation:

#define T_CLSID_CMSTPLUA L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
#define T_IID_ICMLuaUtil L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}"

With ReClass we can easily infer the structure:

// Same convention as above: compiled offsets with default alignment. The byte-packed view
// (ChannelGuid at 0x31, unk5 at 0x39) cannot be right, because it would place buffSize at
// 0xC9 rather than the 0xD0 seen in the dump; with the padding after checkSum, buffSize lands
// at 0xD0, sizeof() is 0xD8, and `alpcPack + 1` points exactly at the UTF-16 path at 0xD8.
struct ALPC_SEND_PACK_COMELVEATIONUACBYPASS
{
    uint64_t type; //0x0000  (0 in the request)
    uint32_t id; //0x0008  (1)
    uint32_t packId; //0x000C
    uint32_t unk2; //0x0010
    uint32_t unk3; //0x0014
    uint8_t unk4[24]; //0x0018
    uint8_t checkSum; //0x0030
    uint64_t ChannelGuid; //0x0038  (8-byte aligned, after padding)
    char unk5[18][8]; //0x0040
    uint64_t buffSize; //0x00D0  (path length in UTF-16 code units, terminator included)
}; //Size: 0x00D8

Parsing

Now let's parse it.
We need to know a few preconditions:

  1. The ALPC handle is unreliable, because the handle used to establish the handshake and the handle used to send the code that actually runs are two different handles.
  2. The channel id in ALPC is the most reliable key: both handles above go through the same channel id.

So this is a simple one-to-many relationship:

handle
     handle  -> alpcId
     handle

Once we have established this relationship, the approach is straightforward:
locate the channel id, bind that channel id to the handles,
then parse the structures.
Here is part of the key code:

// Member state of the surrounding class (not shown in the article): savedChannelGuid starts
// at 0 and checkSum at 0xff until the MEOW reply carrying the channel id has been seen.
void alpc::comelveation::work(_ALPC_Direction pDirection, PUCHAR msgBuffer, size_t msgLength) {
    // Step 1: the server's reply binds us to a channel id.
    if (pDirection == _ALPC_Direction::_ALPC_RECEIVE && savedChannelGuid == 0 && checkSum == 0xff) {
        if (msgLength >= sizeof(ALPC_RECEIVE_PACK_COMELVEATIONUACBYPASS)) {
            ALPC_RECEIVE_PACK_COMELVEATIONUACBYPASS* pAlpcPack = (ALPC_RECEIVE_PACK_COMELVEATIONUACBYPASS*)msgBuffer;
            // type 3 plus "MEOW" at both 0x44 and 0x138 identify the reply
            if (pAlpcPack->type == 0x3 && pAlpcPack->sigMEOW == 0x574F454D && pAlpcPack->sigMEOW2 == 0x574F454D) {
                savedChannelGuid = pAlpcPack->ChannelGuid;
                checkSum = pAlpcPack->checkSum;
            }
        }
    }
    // Step 2: the client's execution request must carry the same checkSum and channel id.
    if (pDirection == _ALPC_Direction::_ALPC_SEND && savedChannelGuid != 0 && checkSum != 0xff) {
        if (msgLength >= sizeof(ALPC_SEND_PACK_COMELVEATIONUACBYPASS)) {
            ALPC_SEND_PACK_COMELVEATIONUACBYPASS* alpcPack = (ALPC_SEND_PACK_COMELVEATIONUACBYPASS*)msgBuffer;
            if (alpcPack->type == 0 && alpcPack->id == 1 && alpcPack->checkSum == checkSum && alpcPack->ChannelGuid == savedChannelGuid) {
                // The UTF-16 path follows the header; buffSize is a code-unit count including the terminator.
                PVOID startAddress = (alpcPack + 1);
                // buffSize comes from the client: bound it by the bytes actually captured before copying.
                uint64_t maxChars = (msgLength - sizeof(ALPC_SEND_PACK_COMELVEATIONUACBYPASS)) / sizeof(wchar_t);
                if (alpcPack->buffSize == 0 || alpcPack->buffSize > maxChars) {
                    return;
                }
                size_t cmdPathSize = (size_t)alpcPack->buffSize * sizeof(wchar_t);
                // HeapAlloc/HeapFree here are the author's single-argument wrappers, not the Win32 API.
                // Reserve a full wchar_t for the terminator (the original reserved one byte and cleared two).
                wchar_t* copyPath = (wchar_t*)HeapAlloc(cmdPathSize + sizeof(wchar_t));
                if (copyPath) {
                    memset(copyPath, 0x0, cmdPathSize + sizeof(wchar_t));
                    memcpy(copyPath, startAddress, cmdPathSize);
                    DbgPrint("cmd path: %ws \n", copyPath);
                    HeapFree(copyPath);
                }
            }
        }
    }
    .....
}
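The correlation described above (bind on the MEOW reply, then match the execution request by checkSum and channel id rather than by handle), as an added stand-alone example that is not the author's driver code. It reuses the two structures recovered in the article, checks at compile time that the default-alignment layout gives sizeof 0x178 / 0xD8 with buffSize at 0xD0, and runs a constructed reply and request through a small tracker with the bounds check the parser needs. The checkSum 0x06 and ChannelGuid bytes are the ones visible at 0x168/0x170 of the article's "Get Guid" reply; everything else in the sample packets is zero-filled and constructed here.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Layouts recovered in the article. They depend on default 8-byte alignment (no #pragma pack):
// the padding after each checkSum puts ChannelGuid at 0x170 / 0x38, buffSize at 0xD0 and the
// UTF-16 path at sizeof(send pack) == 0xD8, exactly where the dumps show them.
struct ALPC_RECEIVE_PACK_COMELVEATIONUACBYPASS {
    uint64_t type;         // 0x0000, 3 in the reply
    uint32_t unk;          // 0x0008
    uint32_t mabyId;       // 0x000C
    uint64_t unk2;         // 0x0010
    uint64_t unk3;         // 0x0018
    uint8_t  unk4[24];     // 0x0020
    uint32_t unk5;         // 0x0038
    uint32_t unk6;         // 0x003C
    uint32_t unk7;         // 0x0040
    uint32_t sigMEOW;      // 0x0044, "MEOW"
    uint8_t  unk8[240];    // 0x0048
    uint32_t sigMEOW2;     // 0x0138, "MEOW"
    uint8_t  unk9[36];     // 0x013C
    uint64_t unk10;        // 0x0160
    uint8_t  checkSum;     // 0x0168
    uint64_t ChannelGuid;  // 0x0170
};
struct ALPC_SEND_PACK_COMELVEATIONUACBYPASS {
    uint64_t type;         // 0x0000, 0 in the request
    uint32_t id;           // 0x0008, 1
    uint32_t packId;       // 0x000C
    uint32_t unk2;         // 0x0010
    uint32_t unk3;         // 0x0014
    uint8_t  unk4[24];     // 0x0018
    uint8_t  checkSum;     // 0x0030
    uint64_t ChannelGuid;  // 0x0038
    char     unk5[18][8];  // 0x0040
    uint64_t buffSize;     // 0x00D0, path length in UTF-16 code units, terminator included
};
using RecvPack = ALPC_RECEIVE_PACK_COMELVEATIONUACBYPASS;
using SendPack = ALPC_SEND_PACK_COMELVEATIONUACBYPASS;
static_assert(sizeof(RecvPack) == 0x178 && offsetof(RecvPack, ChannelGuid) == 0x170, "recv layout");
static_assert(sizeof(SendPack) == 0xD8 && offsetof(SendPack, buffSize) == 0xD0, "send layout");

enum class Direction { Receive, Send };
constexpr uint32_t kMeow = 0x574F454D;  // "MEOW" read as a little-endian uint32_t

// Narrows an ASCII-only UTF-16LE string; stops at the first NUL, non-ASCII becomes '?'.
static std::string narrowUtf16(const uint8_t* p, size_t units) {
    std::string s;
    for (size_t i = 0; i < units; ++i) {
        uint16_t cu = static_cast<uint16_t>(p[2 * i] | (p[2 * i + 1] << 8));
        if (cu == 0) break;
        s += cu < 0x80 ? static_cast<char>(cu) : '?';
    }
    return s;
}

// Correlates the reply carrying the channel id with the later execution request. The handle is
// deliberately not part of the key: the two messages arrive on different handles (see above).
class ChannelTracker {
public:
    // Feeds one ALPC payload (the bytes behind PORT_MESSAGE). Returns the command path when the
    // message is an execution request bound to the channel seen earlier, otherwise "".
    std::string feed(Direction dir, const uint8_t* buf, size_t len) {
        if (dir == Direction::Receive && !bound_ && len >= sizeof(RecvPack)) {
            RecvPack r;
            std::memcpy(&r, buf, sizeof r);
            if (r.type == 3 && r.sigMEOW == kMeow && r.sigMEOW2 == kMeow) {
                guid_ = r.ChannelGuid; checkSum_ = r.checkSum; bound_ = true;
            }
        } else if (dir == Direction::Send && bound_ && len >= sizeof(SendPack)) {
            SendPack s;
            std::memcpy(&s, buf, sizeof s);
            if (s.type != 0 || s.id != 1 || s.checkSum != checkSum_ || s.ChannelGuid != guid_) return {};
            uint64_t avail = (len - sizeof s) / 2;  // buffSize is client controlled: bound it
            if (s.buffSize == 0 || s.buffSize > avail) return {};
            return narrowUtf16(buf + sizeof s, static_cast<size_t>(s.buffSize));
        }
        return {};
    }
private:
    bool bound_ = false;
    uint8_t checkSum_ = 0xff;
    uint64_t guid_ = 0;
};

// Values at 0x168 / 0x170 of the article's reply dump (bytes df fb f4 6a 8a 44 cb 14).
constexpr uint8_t  kCheck = 0x06;
constexpr uint64_t kGuid  = 0x14CB448A6AF4FBDFULL;

// Constructed sample packets: only the fields the tracker inspects are populated.
static std::vector<uint8_t> buildReply(uint64_t guid, uint8_t checkSum) {
    RecvPack r{};
    r.type = 3; r.sigMEOW = kMeow; r.sigMEOW2 = kMeow; r.checkSum = checkSum; r.ChannelGuid = guid;
    std::vector<uint8_t> buf(sizeof r);
    std::memcpy(buf.data(), &r, sizeof r);
    return buf;
}
static std::vector<uint8_t> buildRequest(uint64_t guid, uint8_t checkSum, const std::string& path) {
    SendPack s{};
    s.id = 1; s.packId = 1; s.checkSum = checkSum; s.ChannelGuid = guid;
    s.buffSize = path.size() + 1;  // code units including the NUL terminator
    std::vector<uint8_t> buf(sizeof s + s.buffSize * 2, 0);
    std::memcpy(buf.data(), &s, sizeof s);
    for (size_t i = 0; i < path.size(); ++i) buf[sizeof s + 2 * i] = static_cast<uint8_t>(path[i]);
    return buf;
}

// Runs reply then request through the tracker; truncateTo shortens the request to exercise the
// bound check, requestGuid lets the request carry a channel id other than the bound one.
static std::string demo(uint64_t requestGuid = kGuid, size_t truncateTo = SIZE_MAX) {
    ChannelTracker tracker;
    std::vector<uint8_t> reply = buildReply(kGuid, kCheck);
    std::vector<uint8_t> request = buildRequest(requestGuid, kCheck, "C:\\windows\\system32\\cmd.exe");
    tracker.feed(Direction::Receive, reply.data(), reply.size());
    return tracker.feed(Direction::Send, request.data(), std::min(truncateTo, request.size()));
}

int main() {
    std::printf("cmd path: %s\n", demo().c_str());
    return 0;
}
```

The two static_asserts are the quickest way to confirm the alignment point: if a `#pragma pack(1)` were in effect, sizeof(SendPack) would drop to 0xD1 and `alpcPack + 1` in the driver code would no longer land on the path. The truncation case shows why buffSize must be clamped to the captured length before the copy.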

POC:

# System Security # RPC # ALPC