MagicDot : Harnessing DOT-To-NT Path Conversion For Rootkit-Like Capabilities

A set of rootkit-like abilities for unprivileged users, and vulnerabilities based on the DOT-to-NT path conversion known issue.

Presented at Black Hat Asia 2024 under the title – MagicDot: A Hacker’s Magic Show of Disappearing Dots and Spaces

For a deeper understanding of the research, read this blog post – MagicDot: A Hacker’s Magic Show of Disappearing Dots and Spaces

MagicDot Python Package

Implements MagicDot’s rootkit-like techniques:

Files/Directories named with dots only
- Bonus – Such Directories prevent any shadow copy restoration of any parent directory of the inoperable directory
Inoperable Files/Directories
Impersonated Files/Directories
Impersonated Process
Process Explorer DoS Vulnerability – CVE-2023-42757
Hidden files in ZIP archives

MagicDot Python Package Installation

Clone the repo
Install it locally:

pip install <cloned repo path>

MagicDot Tools

Inside the tools folder you’ll find the magic_dot_cli tool (dependent on the MagicDot Python package) along with 3 different solo scripts that implement the exploits for vulnerabilities CVE-2023-36396, CVE-2023-32054, and a third unfixed Deletion EoP vulnerability.

During the installation of the MagicDot Python package, the requirements for these scripts are installed as well.

For convenience purposes, it is recommended to pack magic_dot_cli into an executable using Pyinstaller:

cd tools\magic_dot_cli\
pyinstaller --onefile magic_dot_cli.py

magic_dot_cli Usage

python .\magic_dot_cli.py -h
usage: magic_dot_cli.py [-h]
                        {CREATE_IMPERSONATED_PROCESS,CREATE_INOPERABLE_FILE,CREATE_INOPERABLE_DIR,CREATE_DOTS_FILE,CREATE_DOTS_DIR,CREATE_IMPERSONATED_FILE,CREATE_IMPERSONATED_DIR,ADD_INVISIBLE_FILE_INTO_ZIP,DISABLE_PROCEXP}
                        ...

An unprivileged rootkit-like tool

optional arguments:
  -h, --help            show this help message and exit

command:
  {CREATE_IMPERSONATED_PROCESS,CREATE_INOPERABLE_FILE,CREATE_INOPERABLE_DIR,CREATE_DOTS_FILE,CREATE_DOTS_DIR,CREATE_IMPERSONATED_FILE,CREATE_IMPERSONATED_DIR,ADD_INVISIBLE_FILE_INTO_ZIP,DISABLE_PROCEXP}
    CREATE_IMPERSONATED_PROCESS
                        Create a process that impersonates a different process. Both Task Manager and Process Explorer will display    
                        information about the target process to impersonate to
    CREATE_INOPERABLE_FILE
                        Create an inoperable file
    CREATE_INOPERABLE_DIR
                        Create an inoperable directory
    CREATE_DOTS_FILE    Create a dots file
    CREATE_DOTS_DIR     Create a dots directory
    CREATE_IMPERSONATED_FILE
                        Create a file that impersonates a different file
    CREATE_IMPERSONATED_DIR
                        Create a directory that impersonates a different directory
    ADD_INVISIBLE_FILE_INTO_ZIP
                        Inserts a file into a zip. The file is inserted with a name that prevents Windows' ZIP archiver from being     
                        able to list it in the ZIP.
    DISABLE_PROCEXP     Exploits a DOS vulnerability in ProcExp. Creates a process that runs forever and does nothing. The process     
                        has a certain name that crashes ProcExp whenever it runs. Valid against all ProcExp versions under version     
                        17.04 (released in April 3rd 2023).

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.