From 63fe050810fac79c25abb5bdbc90580791cf2672 Mon Sep 17 00:00:00 2001 From: FreySolarEye Date: Wed, 5 Jul 2023 13:48:11 +0300 Subject: [PATCH 1/2] Razer Synapse --- yml/Desktop_App/razersynapse.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 yml/Desktop_App/razersynapse.yml diff --git a/yml/Desktop_App/razersynapse.yml b/yml/Desktop_App/razersynapse.yml new file mode 100644 index 0000000..fcfeea9 --- /dev/null +++ b/yml/Desktop_App/razersynapse.yml @@ -0,0 +1,18 @@ +--- +Name: Razer 7.1 SURROUND SOUND +Description: Razer 7.1 SURROUND SOUND is a software for superior positional audio and a lifelike gaming experience +Author: 'Georgios Tsimpidas' +Created: 2023-07-05 +Usage: + - Steps: Attach ProcMon and start the Razer 7.1 SURROUND SOUND application. Filter for the values "ProcessName Contains rzappengine.exe", "Result contains NOT FOUND" and "path ends with .dll" to check for viable abuse candidates. Generate a malicious DLL, and use a tool like Invoke-DLLClone to copy the export address table from your target dll, to your malicious one. Place the newly created DLL into the appropriate application folder, and start Razer 7.1 SURROUND SOUND. + Description: Steps to sideload a malicious dll + Usecase: Sideloading a Malicious DLL + Category: DLL Hijacking + Privileges: User interaction/User + Limitations: You must start Razer 7.1 SURROUND SOUND, Potential guesswork on which native DLLs are "missing" or you can hijack this one "ncrypt.dll" which loads under "C:\Users\currentuser\AppData\Local\Razer\RzAppEngine\User Data\Apps\SurroundSound\ncrypt.dll" + MitreID: T1574.002 +Resources: + - Link: https://github.com/FreySolarEye/CVE/blob/master/Razer%207.1%20SURROUND%20SOUND%20Ver.1.1.85%20-%20DLL%20Hijacking +Acknowledgement: + - Person: 'Georgios Tsimpidas' + Handle: '@freysolareye' From 377fc99f73198b05e3795b31628252cf335ad300 Mon Sep 17 00:00:00 2001 
From: FreySolarEye Date: Thu, 6 Jul 2023 15:43:32 +0300 Subject: [PATCH 2/2] Pulse Secure Desktop Client DLL Hijacking --- yml/Desktop_App/pulsesecure.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 yml/Desktop_App/pulsesecure.yml diff --git a/yml/Desktop_App/pulsesecure.yml b/yml/Desktop_App/pulsesecure.yml new file mode 100644 index 0000000..f637319 --- /dev/null +++ b/yml/Desktop_App/pulsesecure.yml @@ -0,0 +1,18 @@ +--- +Name: Pulse Secure Desktop Client +Description: Pulse Secure Desktop Client (Pulse Client) is an extensible multi-service network client that supports integrated connectivity and secure location-aware network access. +Author: 'Georgios Tsimpidas' +Created: 2023-07-06 +Usage: + - Steps: Attach ProcMon and start the Pulse Secure Desktop Client application. Filter for the values "ProcessName Contains Pulse.exe", "Result contains NOT FOUND" and "path ends with .dll" to check for viable abuse candidates. Generate a malicious DLL, and use a tool like Invoke-DLLClone to copy the export address table from your target dll, to your malicious one. Place the newly created DLL into the appropriate application folder, and start Pulse Secure Desktop Client. + Description: Steps to sideload a malicious dll + Usecase: Sideloading a Malicious DLL + Category: DLL Hijacking + Privileges: User interaction/User + Limitations: You must start Pulse Secure Desktop Client, Potential guesswork on which native DLLs are "missing" or you can hijack this one "dwmapi.dll" which loads under "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\dwmapi.dll" + MitreID: T1574.002 +Resources: + - Link: https://github.com/FreySolarEye/CVE/blob/master/Razer%207.1%20SURROUND%20SOUND%20Ver.1.1.85%20-%20DLL%20Hijacking +Acknowledgement: + - Person: 'Georgios Tsimpidas' + Handle: '@freysolareye'
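Review bot: In the razersynapse.yml hunk the file name, the commit subject ("Razer Synapse") and the entry's `Name: Razer 7.1 SURROUND SOUND` disagree; the process filtered for is `rzappengine.exe` and the documented hijack path is under `RzAppEngine\User Data\Apps\SurroundSound\`, so either rename the file to match the application the entry actually describes (e.g. `razer71surroundsound.yml`) or name the entry after Synapse/RzAppEngine consistently. Two smaller points in the same hunk: `Description:` should read "is software for" rather than "is a software", and the `Limitations:` value is one run-on sentence with a placeholder user name; splitting it ("You must start ... . Candidate DLLs require some guesswork; a known one is ncrypt.dll loaded from %LOCALAPPDATA%\Razer\RzAppEngine\User Data\Apps\SurroundSound\ncrypt.dll") and using the environment variable instead of `C:\Users\currentuser\...` would make it copy-paste safe. It is also worth stating explicitly that, because that directory is under the user's profile, the hijack is user-writable and yields no elevation, which is consistent with `Privileges: User interaction/User`.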
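Review bot: The `Resources:` link in the pulsesecure.yml hunk is a copy-paste from the Razer entry (`.../Razer%207.1%20SURROUND%20SOUND%20Ver.1.1.85%20-%20DLL%20Hijacking`) and does not reference Pulse Secure at all; replace it with the Pulse Secure write-up or drop the `Resources:` block until one exists. Separately, the documented hijack path `C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\dwmapi.dll` sits under `Program Files (x86)`, which is not writable by a standard user by default, so `Privileges: User interaction/User` only holds if the `JamUI` directory carries a weak ACL; either document the permissive ACL in `Limitations:` (e.g. "the JamUI folder is writable by Authenticated Users") or change `Privileges:` to reflect that administrative rights are needed to plant the DLL. The `Limitations:` value has the same run-on phrasing as the Razer entry and would read better split into separate sentences.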