Adding MinecraftLauncher.exe hijackable DLLs (#56)
wietze authored Jul 27, 2023
1 parent b79492d commit 73b09d1
Showing 4 changed files with 59 additions and 0 deletions.
11 changes: 11 additions & 0 deletions yml/microsoft/built-in/cryptbase.yml
@@ -215,12 +215,23 @@ VulnerableExecutables:
Type: Catalog
- Path: '%SYSTEM32%\wscadminui.exe'
Type: Sideloading
- Path: '%PROGRAMFILES%\Minecraft Launcher\MinecraftLauncher.exe'
Type: Sideloading
ExpectedSignatureInformation:
- Subject: CN=Mojang AB, O=Mojang AB, L=Stockholm, C=SE
Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Type: Authenticode
SHA256:
- 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
- https://twitter.com/AndrewOliveau/status/1682185200862625792
Acknowledgements:
- Name: Wietze
Twitter: '@wietze'
- Name: Chris Spehn
Twitter: '@ConsciousHacker'
- Name: Andrew Oliveau
Twitter: '@AndrewOliveau'
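Review bot: the new MinecraftLauncher.exe entry carries exactly one SHA256 (6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495), so any consumer that keys on the hash list will only match that single launcher build while the `Type: Authenticode` block (`CN=Mojang AB` issued by `DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1`) is what identifies the binary across builds; worth stating in the entry or the commit description that the hash list is a sample of observed builds rather than the full set, so it is not misread as the detection key.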
11 changes: 11 additions & 0 deletions yml/microsoft/built-in/iphlpapi.yml
@@ -206,16 +206,27 @@ VulnerableExecutables:
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Type: Catalog
- Path: '%PROGRAMFILES%\Minecraft Launcher\MinecraftLauncher.exe'
Type: Sideloading
ExpectedSignatureInformation:
- Subject: CN=Mojang AB, O=Mojang AB, L=Stockholm, C=SE
Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Type: Authenticode
SHA256:
- 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://wietze.github.io/blog/save-the-environment-variables
- https://twitter.com/SBousseaden/status/1550903546916311043
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
- https://twitter.com/AndrewOliveau/status/1682185200862625792
Acknowledgements:
- Name: Wietze
Twitter: '@wietze'
- Name: Samir
Twitter: '@sbousseaden'
- Name: Chris Spehn
Twitter: '@ConsciousHacker'
- Name: Andrew Oliveau
Twitter: '@AndrewOliveau'
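Review bot: the only Path given for the launcher is `'%PROGRAMFILES%\Minecraft Launcher\MinecraftLauncher.exe'`; please confirm that the `%PROGRAMFILES%` placeholder is meant to match a `Program Files (x86)` install as well, and if not, add a second Path entry so a 32-bit install location is not missed. The rest of the hunk (the appended tweet under Resources and the new Acknowledgements entry) follows the existing ordering in this file.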
26 changes: 26 additions & 0 deletions yml/microsoft/built-in/sensapi.yml
@@ -0,0 +1,26 @@
---
Name: sensapi.dll
Author: Wietze Beukema
Created: 2023-07-27
Vendor: Microsoft
ExpectedLocations:
- '%SYSTEM32%'
- '%SYSWOW64%'
ExpectedSignatureInformation:
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Type: Catalog
VulnerableExecutables:
- Path: '%PROGRAMFILES%\Minecraft Launcher\MinecraftLauncher.exe'
Type: Sideloading
ExpectedSignatureInformation:
- Subject: CN=Mojang AB, O=Mojang AB, L=Stockholm, C=SE
Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Type: Authenticode
SHA256:
- 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
Resources:
- https://twitter.com/AndrewOliveau/status/1682185200862625792
Acknowledgements:
- Name: Andrew Oliveau
Twitter: '@AndrewOliveau'
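Review bot: this new sensapi.dll file cites a single tweet (`https://twitter.com/AndrewOliveau/status/1682185200862625792`) as its only Resource, whereas the sibling entries touched in this commit also point at the hijacking-dlls blog post and the WFH repository; a tweet link is fragile, so consider adding at least the same background reference the other three files carry. Everything else matches the format of the existing entries: `Author`/`Created` are set, ExpectedLocations list `%SYSTEM32%` and `%SYSWOW64%`, and the expected signature is the Microsoft Windows Catalog block used elsewhere.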
11 changes: 11 additions & 0 deletions yml/microsoft/built-in/winhttp.yml
@@ -133,12 +133,23 @@ VulnerableExecutables:
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Type: Catalog
- Path: '%PROGRAMFILES%\Minecraft Launcher\MinecraftLauncher.exe'
Type: Sideloading
ExpectedSignatureInformation:
- Subject: CN=Mojang AB, O=Mojang AB, L=Stockholm, C=SE
Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Type: Authenticode
SHA256:
- 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
- https://twitter.com/AndrewOliveau/status/1682185200862625792
Acknowledgements:
- Name: Wietze
Twitter: '@wietze'
- Name: Chris Spehn
Twitter: '@ConsciousHacker'
- Name: Andrew Oliveau
Twitter: '@AndrewOliveau'
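Review bot: the same 11-line VulnerableExecutables block (Path, Type, the Mojang AB signature, and the single SHA256) is now copied verbatim into cryptbase.yml, iphlpapi.yml, sensapi.yml and winhttp.yml, so any future change to the launcher path, signer or hash has to be applied in four places in lockstep; a short note in the commit description listing the four files, or a follow-up that checks these duplicated blocks stay identical, would reduce the drift risk. The Resources and Acknowledgements additions here are consistent with the cryptbase.yml hunk.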