7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.
7-Zip is a free and free file archiver. The Command Prompt version of 7-Zip is designed for Unix-like systems, including AmigaOS. It can also be run for DOS compatible Friendly Port or in Windows Command Prompt with HX-DOS extender.
I will write in Turkish and you learn some Turkish.
Actually, my aim was to get reverse-shell on the target computer after double-clicking on the extensions of compression technologies such as 7z, zip, rar etc. I was thinking if I could use the HTML Helper file in this. After long fuzzing processes with WinAFL, I discovered that there was heap-overflow on FzGM.exe, but it didn’t make any sense since my authority after heap overflow would be over the same user. That’s why I didn’t use CreateRemoteThread because I needed to call the API and I needed a chm file to be able to trigger this API. When I examined the source code, I noticed that there were erroneous operations, especially when calling the Windows API in two places, and this created a direct authorization problem. This discovery point creates a child process under FzGM.exe as seen in the picture below. Normally this process hh.
If the API was not included and there was a correct configuration through the function, I would expect it to create a child process under hh.exe, but the 7-zip.chm file calls it through itself. You can see a typical example if you edit the 7-zip.chm file and execute the command at that time. After the authorization problem of the API called after heap overflow, I took advantage of the misconfiguration in the 7z.dll file, which I have been dealing with for a long time. There’s no point in doing CreateRemoteThread() . What I need to run and call inside the payload is not the HTML Helper API itself, but the point where this API is hooked over 7-zip and I can execute that point, but this payload only works with hh.exe integration, so it’s like drag and drop. works with function. 7-zip. Calling the chm file with the HELP button over 7-zip and redirecting the “base pointer”, which has an authorization problem in the payload of the address called here, moves us to a higher user. The next step is to find psexec in the payload and raise it to system authority as nt authority/system with the psexec -s cmd.exe command.
ActiveXObject bypass hakkında
Most of the questions were about ActiveX warning. The most basic of this problem is you can fix it like this. Before Payload works;
<‘HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0’ -Name ‘1201’ -Value ‘0’ -PropertyType “DWord”> provides control if this value is 1, popup is displayed if 0 is new If a value is assigned, it is bypassed. But it should be noted that it affects whichever user payload is running at that moment.
I explained the necessary points to the developer and this was accepted by the CVE. I can’t understand the perception that people think they are the authority and I have to give them the exploit. Although I have already stated that I will publish after the update, I think this disrespect without the update is due to seeing yourself as an authority. I may never want to publish the poc code of the escalation attack, it’s my free will and I don’t care what anyone thinks about questioning the accuracy of this.
Method one: If the 7-zip update does not go through, the 7-zip.chm file can be deleted. Second method: All users in the program must access with read and execute permissions.
Related sigma rule