Explore the intricacies of exploiting DCOM in Windows 2003 through this Black Hat conference talk. Delve into the DCOM runtime, Windows built-in DCOM applications, and demonstration environments. Learn about exploit code techniques, including stealing Internet Explorer data, activating ShellWindows, and manipulating browsing behaviors. Understand component activation procedures, authentication steps, and logon audits for both local and remote PCs. Examine event handling models, reverse authentication, and classic security model implementation. Discover methods for creating Trojan Office applications and strategies for DCOM exploit prevention. Gain valuable insights into Windows security vulnerabilities and countermeasures in this comprehensive presentation by Yoshiaki Komoriya and Hidenobu Seki.
Overview
Syllabus
Intro
BIACK HAT
DCOM runtime
Windows Built-in DCOM Apps
Demonstration environment
Exploit code
Stealing IE's data
Activate ShellWindows
Get IDispatch
Get browsing URL strings
Incoming data
Navigation events
Change browsing pages
Create new windows
Component activation procedure 1. NEGOTIATE
Two steps of authentication
Logon audit 1/2
Logon audit 2/2 Remote PC
DCOM authentication Remote PC
Default setting of DCOM authentication
Event handling model
Reverse authentication Local PC
1. Set account on local PC
Use classic security model 1/2
Use classic security model 2/2
Trojan Office
DCOM exploit prevention
Conclusion
Taught by
Black Hat
