A set of rootkit-like abilities for unprivileged users, and vulnerabilities based on the DOT-to-NT path conversion known issue.
Presented at Black Hat Asia 2024 under the title – MagicDot: A Hacker’s Magic Show of Disappearing Dots and Spaces
For a deeper understanding of the research, read this blog post – MagicDot: A Hacker’s Magic Show of Disappearing Dots and Spaces
MagicDot Python Package
Implements MagicDot’s rootkit-like techniques:
- Files/Directories named with dots only
- Bonus – Such Directories prevent any shadow copy restoration of any parent directory of the inoperable directory
- Inoperable Files/Directories
- Impersonated Files/Directories
- Impersonated Process
- Process Explorer DoS Vulnerability –
CVE-2023-42757
- Hidden files in ZIP archives
MagicDot Python Package Installation
- Clone the repo
- Install it locally:
pip install <cloned repo path>
MagicDot Tools
Inside the tools
folder you’ll find the magic_dot_cli
tool (dependent on the MagicDot Python package) along with 3 different solo scripts that implement the exploits for vulnerabilities CVE-2023-36396
, CVE-2023-32054
, and a third unfixed Deletion EoP vulnerability.
During the installation of the MagicDot Python package, the requirements for these scripts are installed as well.
For convenience purposes, it is recommended to pack magic_dot_cli into an executable using Pyinstaller:
cd tools\magic_dot_cli\
pyinstaller --onefile magic_dot_cli.py
magic_dot_cli Usage
python .\magic_dot_cli.py -h
usage: magic_dot_cli.py [-h]
{CREATE_IMPERSONATED_PROCESS,CREATE_INOPERABLE_FILE,CREATE_INOPERABLE_DIR,CREATE_DOTS_FILE,CREATE_DOTS_DIR,CREATE_IMPERSONATED_FILE,CREATE_IMPERSONATED_DIR,ADD_INVISIBLE_FILE_INTO_ZIP,DISABLE_PROCEXP}
...
An unprivileged rootkit-like tool
optional arguments:
-h, --help show this help message and exit
command:
{CREATE_IMPERSONATED_PROCESS,CREATE_INOPERABLE_FILE,CREATE_INOPERABLE_DIR,CREATE_DOTS_FILE,CREATE_DOTS_DIR,CREATE_IMPERSONATED_FILE,CREATE_IMPERSONATED_DIR,ADD_INVISIBLE_FILE_INTO_ZIP,DISABLE_PROCEXP}
CREATE_IMPERSONATED_PROCESS
Create a process that impersonates a different process. Both Task Manager and Process Explorer will display
information about the target process to impersonate to
CREATE_INOPERABLE_FILE
Create an inoperable file
CREATE_INOPERABLE_DIR
Create an inoperable directory
CREATE_DOTS_FILE Create a dots file
CREATE_DOTS_DIR Create a dots directory
CREATE_IMPERSONATED_FILE
Create a file that impersonates a different file
CREATE_IMPERSONATED_DIR
Create a directory that impersonates a different directory
ADD_INVISIBLE_FILE_INTO_ZIP
Inserts a file into a zip. The file is inserted with a name that prevents Windows' ZIP archiver from being
able to list it in the ZIP.
DISABLE_PROCEXP Exploits a DOS vulnerability in ProcExp. Creates a process that runs forever and does nothing. The process
has a certain name that crashes ProcExp whenever it runs. Valid against all ProcExp versions under version
17.04 (released in April 3rd 2023).
For more information click here.