88 88 88 88 88 88 8b d8 8b, ,d8 88 88 8b,dPPYba, ,adPPYb,88 ,adPPYba, 8b,dPPYba, ,adPPYb,d8 8b,dPPYba, ,adPPYba, 88 88 8b,dPPYba, ,adPPYb,88 `8b d8' `Y8, ,8P' aaaaaaaa 88 88 88P' `"8a a8" `Y88 a8P_____88 88P' "Y8 a8" `Y88 88P' "Y8 a8" "8a 88 88 88P' `"8a a8" `Y88 `8b d8' )888( """""""" 88 88 88 88 8b 88 8PP""""""" 88 8b 88 88 8b d8 88 88 88 88 8b 88 `8b,d8' ,d8" "8b, "8a, ,a88 88 88 "8a, ,d88 "8b, ,aa 88 "8a, ,d88 88 "8a, ,a8" "8a, ,a88 88 88 "8a, ,d88 "8" 8P' `Y8 `"YbbdP'Y8 88 88 `"8bbdP"Y8 `"Ybbd8"' 88 `"YbbdP"Y8 88 `"YbbdP"' `"YbbdP'Y8 88 88 `"8bbdP"Y8 aa, ,88 "Y8bbdP" -------------------------------------------------------------------------------------------------------------------------------

Exploring the possibility of abusing Google Chrome COM Interfaces for file execution or ... social engineering?

tl;dr: exploring COM interfaces, I discovered Google Chrome's updater has a few interesting interfaces exposed. I'm wondering if it's possible to abuse these COM interfaces for proxied file execution. I'm not sure if LaunchCmdElevated displays a UAC prompt. If it doesn't, it's a UAC bypass. If it does prompt...
maybe the user will think it's a Google update? :)

One thing to check first: per the signatures below, LaunchCmdElevated takes an app_guid and a cmd_id, not a command line, so what it launches is presumably whatever is registered for that app rather than a caller-supplied string. Whether that amounts to a UAC bypass depends on who can control that registration, not just on whether a prompt appears.

[Guid("128c2da6-2bc0-44c0-b3f6-4ec22e647964")]
interface IProcessLauncher
{
    /* Methods */
    void LaunchCmdLine(string cmd_line);
    void LaunchBrowser(uint browser_type, string url);
    void LaunchCmdElevated(string app_guid, string cmd_id, uint caller_proc_id, [Out] UInt32& proc_handle);
}

[Guid("d106ab5f-a70e-400e-a21b-96208c1d8dbb")]
interface IProcessLauncher2
{
    /* Methods */
    void LaunchCmdLine(string cmd_line);
    void LaunchBrowser(uint browser_type, string url);
    void LaunchCmdElevated(string app_guid, string cmd_id, uint caller_proc_id, [Out] UInt32& proc_handle);
    void LaunchCmdLineEx(string cmd_line, [Out] UInt32& server_proc_id, [Out] UInt32& proc_handle, [Out] UInt32& stdout_handle);
}

[Guid("6430040a-5ebd-4e63-a56f-c71d5990f827")]
interface IProcessLauncher2System
{
    /* Methods */
    void LaunchCmdLine(string cmd_line);
    void LaunchBrowser(uint browser_type, string url);
    void LaunchCmdElevated(string app_guid, string cmd_id, uint caller_proc_id, [Out] UInt32& proc_handle);
    void LaunchCmdLineEx(string cmd_line, [Out] UInt32& server_proc_id, [Out] UInt32& proc_handle, [Out] UInt32& stdout_handle);
}

[Guid("f4fe76bc-62b9-49fc-972f-c81fc3a926db")]
interface IProcessLauncherSystem
{
    /* Methods */
    void LaunchCmdLine(string cmd_line);
    void LaunchBrowser(uint browser_type, string url);
    void LaunchCmdElevated(string app_guid, string cmd_id, uint caller_proc_id, [Out] UInt32& proc_handle);
}

[Guid("dd42475d-6d46-496a-924e-bd5630b4cbba")]
interface IAppBundleWeb
{
    /* Methods */
    void createApp(string app_guid, string brand_code, string language, string ap);
    void createInstalledApp(string app_id);
    void createAllInstalledApps();
    void initialize();
    void checkForUpdate();
    void download();
    void install();
    void pause();
    void resume();
    void cancel();
    void downloadPackage(string app_id, string package_name);
    /* Properties */
    string displayLanguage { get; set; }
    uint parentHWND { set; }
    int length { get; }
    object appWeb(int index) { get; }
    object currentState { get; }
}

-smelly