Added ymls for setupupc.exe and xpsrchvw.exe #498
Open
karminang wants to merge 6 commits into LOLBAS-Project:master from
Conversation
Contribute to the LOLBAS project by submitting a new Microsoft binary named setupugc.exe (Setup Unattend Generic Command Processor), which reads command entries from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\<N>\Path and executes them via CreateProcessW when invoked with a Windows setup pass argument (e.g. specialize).
Contribute to the LOLBAS project by submitting a new Microsoft-signed binary: xpsrchvw.exe (Windows XPS Viewer). xpsrchvw.exe is vulnerable to DLL search order hijacking. When copied from C:\Windows\System32\ to a user-writable directory and executed, it resolves DLLs from its application directory before falling back to System32. Placing a malicious WINMM.dll in the same directory as the copied binary causes it to be loaded and executed under the context of the Microsoft-signed process, allowing an attacker to proxy code execution and mask process parentage. This technique requires only User-level privileges and abuses legitimate Windows DLL resolution behaviour (MITRE T1574.001). A proof-of-concept demonstrating DLL construction for this sideload is available at: https://github.com/karminang/poc/blob/main/x64-sideload-DLL-WINMM.py
Description
setupugc.exe (Setup Unattend Generic Command Processor) can be abused to execute arbitrary commands. By modifying the registry at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Setup-Unattend-Settings\RunSynchronous\<N>\Path, an attacker can define a command path. When setupugc.exe is executed with a valid Windows setup pass argument (e.g., specialize), it reads the registry value and launches the specified process via CreateProcessW.
Detection
Monitor for unauthorized modifications to the UnattendSettings registry key or unexpected execution of setupugc.exe in association with setup operations.
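The detection guidance above, and the xpsrchvw.exe sideload described in the PR text, both come down to matching a few fields in endpoint telemetry. The following is an added example written for this review, not code from the PR or from the LOLBAS project. It runs three checks over constructed, Sysmon-shaped events (process create with Image/ParentImage/CommandLine, image load with Image/ImageLoaded, registry value set with TargetObject/Image/Details): a write to the RunSynchronous\<N>\Path value named in the PR, any execution of setupugc.exe (reported with its parent for triage), and xpsrchvw.exe either running outside System32 or loading winmm.dll from outside System32/SysWOW64. The regex, the system-directory list and the sample events are all this example's own assumptions; no legitimate-parent allowlist is applied, so every setupugc.exe launch is surfaced for review.

```python
"""Offline detection checks for the two LOLBAS entries in this PR.

Added example; the event dictionaries below are constructed to look like
Sysmon EventID 1 (process create), 7 (image load) and 13 (registry value set).
"""
import re
from pathlib import PureWindowsPath

# Registry value path from the PR text; <N> is a numeric run index.
# The regex itself is an assumption of this example.
RUNSYNC_PATH_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UnattendSettings\\"
    r"Setup-Unattend-Settings\\RunSynchronous\\\d+\\Path$",
    re.IGNORECASE,
)

# Directories where the Microsoft-signed binaries and WINMM.dll normally live (assumed).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def in_system_dir(path: str) -> bool:
    """True if the file sits directly in System32 or SysWOW64."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def check_registry_write(ev: dict):
    """Flag any write to the RunSynchronous\\<N>\\Path value."""
    if ev.get("EventID") != 13:
        return None
    if RUNSYNC_PATH_RE.match(ev.get("TargetObject", "")):
        return f"RunSynchronous Path set by {ev.get('Image')} -> {ev.get('Details')}"
    return None


def check_setupugc_exec(ev: dict):
    """Flag every setupugc.exe launch; the parent and command line aid triage."""
    if ev.get("EventID") != 1:
        return None
    if basename(ev.get("Image", "")) == "setupugc.exe":
        return f"setupugc.exe launched by {ev.get('ParentImage')}: {ev.get('CommandLine')}"
    return None


def check_xpsrchvw_sideload(ev: dict):
    """Flag xpsrchvw.exe running outside System32, or loading winmm.dll from elsewhere."""
    if ev.get("EventID") != 7:
        return None
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if basename(image) != "xpsrchvw.exe":
        return None
    if not in_system_dir(image):
        return f"xpsrchvw.exe running outside System32: {image}"
    if basename(loaded) == "winmm.dll" and not in_system_dir(loaded):
        return f"xpsrchvw.exe loaded winmm.dll from {loaded}"
    return None


CHECKS = (check_registry_write, check_setupugc_exec, check_xpsrchvw_sideload)


def detect(events):
    """Run all checks; return (event index, message) for each hit."""
    findings = []
    for idx, ev in enumerate(events):
        for check in CHECKS:
            msg = check(ev)
            if msg:
                findings.append((idx, msg))
    return findings


# Constructed sample telemetry: three suspicious events and three benign ones.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings"
                     r"\Setup-Unattend-Settings\RunSynchronous\1\Path",
     "Details": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\OneDrive\OneDrive.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\setupugc.exe",
     "CommandLine": "setupugc.exe specialize", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\xpsrchvw.exe",
     "ImageLoaded": r"C:\Windows\System32\WINMM.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\xpsrchvw.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\WINMM.dll"},
]

if __name__ == "__main__":
    for idx, msg in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {msg}")
```

Against the sample events the three suspicious records are reported and the three benign ones are not. In a real deployment the registry check is the highest-signal of the three, since that value has no reason to change outside an actual setup pass, while the xpsrchvw.exe path check would need the same treatment as any other DLL-search-order rule: tune on the loaded module's directory, not on the process name alone.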