A forum for reverse engineering, OS internals and malware analysis 

 #26202  by EP_X0FF
 Mon Jun 29, 2015 6:59 am
10151.0.150617-1826.FBL_IMPRESSIVE - the changes made in 10147 are here too, which means they are not bugs or just temporary workarounds. Anything else sucks as before.
 #26749  by EP_X0FF
 Thu Sep 17, 2015 7:37 am
UACME updated:

Added method 13, abusing an MMC command and a missing EventViewer dependency.
You can now pass the application you want to elevate as a second optional parameter, e.g. akagi64 3 c:\windows\system32\charmap.exe
 #26791  by EP_X0FF
 Wed Sep 23, 2015 5:27 pm
EP_X0FF wrote:
> In addition 10147 broke the ISecurityEditor->SetSecurity method. It now returns E_INVALID_ARG. It could be a method parameter change or internal reworking. This means methods related to Simda are dead. Dead for a while (if it is possible to recover the new definition of the interface) or completely (if this change was made for security reasons).

Windows 10 shell32!CSecurityEditor::SetSecurity was redesigned to only work with SE_FILE_OBJECT, so the Simda UAC bypass method is dead at 100%.

Before:
__int32 __stdcall CSecurityEditor::SetSecurity(int a1, LPWSTR pObjectName, SE_OBJECT_TYPE ObjectType, SECURITY_INFORMATION SecurityInfo, LPCWSTR StringSecurityDescriptor)
{
  __int32 v5; // ebx@1
  unsigned __int32 v6; // eax@8
  __int32 v7; // eax@8
  BOOL bSaclPresent; // [sp+Ch] [bp-20h]@6
  PACL pSacl; // [sp+10h] [bp-1Ch]@4
  PSID psidOwner; // [sp+14h] [bp-18h]@4
  PSID psidGroup; // [sp+18h] [bp-14h]@4
  PACL pDacl; // [sp+1Ch] [bp-10h]@4
  BOOL bSaclDefaulted; // [sp+20h] [bp-Ch]@4
  PSECURITY_DESCRIPTOR hMem; // [sp+24h] [bp-8h]@3
  unsigned int v16; // [sp+28h] [bp-4h]@1
  int savedregs; // [sp+2Ch] [bp+0h]@1

  v16 = (unsigned int)&savedregs ^ __security_cookie;
  v5 = -2147467261; // E_POINTER (0x80004003)
  if ( pObjectName && StringSecurityDescriptor )
  {
    hMem = 0;
    if ( ConvertStringSecurityDescriptorToSecurityDescriptorW(StringSecurityDescriptor, 1u, &hMem, 0) )
    {
      psidOwner = 0;
      psidGroup = 0;
      pDacl = 0;
      pSacl = 0;
      if ( GetSecurityDescriptorOwner(hMem, &psidOwner, &bSaclDefaulted)
        && GetSecurityDescriptorGroup(hMem, &psidGroup, &bSaclDefaulted)
        && GetSecurityDescriptorDacl(hMem, &bSaclPresent, &pDacl, &bSaclDefaulted)
        && GetSecurityDescriptorSacl(hMem, &bSaclPresent, &pSacl, &bSaclDefaulted) )
      {
        v6 = SetNamedSecurityInfoW(pObjectName, ObjectType, SecurityInfo, psidOwner, psidGroup, pDacl, pSacl);
        v7 = ResultFromWin32(v6);
      }
      else
      {
        v7 = ResultFromKnownLastError();
      }
      v5 = v7;
      LocalFree(hMem);
    }
    else
    {
      v5 = ResultFromKnownLastError();
    }
  }
  return v5;
}
After the UAC bypass fix in Windows 10:
__int64 __fastcall CSecurityEditor::SetSecurity(CSecurityEditor *this, WCHAR *a2, int a3, SECURITY_INFORMATION a4, const unsigned __int16 *a5)
{
  SECURITY_INFORMATION v5; // esi@1
  WCHAR *v6; // rdi@1
  unsigned int v7; // ebx@1
  DWORD v8; // eax@10
  void *v10; // [sp+40h] [bp-40h]@5
  ACL *v11; // [sp+48h] [bp-38h]@6
  ACL *v12; // [sp+50h] [bp-30h]@6
  void *v13; // [sp+58h] [bp-28h]@6
  void *v14; // [sp+60h] [bp-20h]@6
  char v15; // [sp+68h] [bp-18h]@6
  char v16; // [sp+6Ch] [bp-14h]@8

  v5 = a4;
  v6 = a2;
  v7 = 0x80004003; // E_POINTER
  if ( a3 == 1 ) // 1 == SE_FILE_OBJECT: the new gate, any other object type is rejected
  {
    if ( a2 && a5 )
    {
      v10 = 0i64;
      if ( ConvertStringSecurityDescriptorToSecurityDescriptorW(a5, 1u, &v10, 0i64) )
      {
        v14 = 0i64;
        v13 = 0i64;
        v12 = 0i64;
        v11 = 0i64;
        if ( GetSecurityDescriptorOwner(v10, &v14, (LPBOOL)&v15)
          && GetSecurityDescriptorGroup(v10, &v13, (LPBOOL)&v15)
          && GetSecurityDescriptorDacl(v10, (LPBOOL)&v16, &v12, (LPBOOL)&v15)
          && GetSecurityDescriptorSacl(v10, (LPBOOL)&v16, &v11, (LPBOOL)&v15) )
        {
          v8 = SetNamedSecurityInfoW(v6, SE_FILE_OBJECT, v5, v14, v13, v12, v11);
          v7 = v8;
          if ( (signed int)v8 > 0 ) // inline HRESULT_FROM_WIN32 of the SetNamedSecurityInfoW status
            v7 = (unsigned __int16)v8 | 0x80070000;
        }
        else
        {
          v7 = ResultFromKnownLastError();
        }
        LocalFree(v10);
      }
      else
      {
        v7 = ResultFromKnownLastError();
      }
    }
  }
  else
  {
    v7 = -2147024809; // E_INVALIDARG (0x80070057)
  }
  return v7;
}
P.S.
I'm a bit slow I know, but I found spare time to look at it deeply only now.
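Added example, not code from the post, UACMe or Microsoft: a host-independent model of the control flow in the fixed CSecurityEditor::SetSecurity listing above, with the object-type gate and the inline HRESULT_FROM_WIN32 conversion. The backend callbacks stand in for SetNamedSecurityInfoW so the model runs off Windows; the registry and file paths are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values taken from the decompiled listings above. */
#define E_POINTER_HR      0x80004003u /* -2147467261: null name or descriptor */
#define E_INVALIDARG_HR   0x80070057u /* -2147024809: object type is not a file */
#define SE_FILE_OBJECT_V  1           /* the only SE_OBJECT_TYPE the fixed code accepts */
#define SE_REGISTRY_KEY_V 4           /* what Simda-style callers passed for HKLM keys */

/* The fixed code converts the Win32 status inline:
 *   v7 = v8; if ((signed int)v8 > 0) v7 = (unsigned __int16)v8 | 0x80070000;
 * which is exactly the HRESULT_FROM_WIN32 macro. */
uint32_t hresult_from_win32(uint32_t err)
{
    if ((int32_t)err > 0)
        return (err & 0xFFFFu) | 0x80070000u;
    return err;
}

/* Hypothetical stand-ins for SetNamedSecurityInfoW returning a Win32 status. */
typedef uint32_t (*set_named_security_fn)(const char *name, int object_type);
uint32_t backend_success(const char *name, int t)       { (void)name; (void)t; return 0; }
uint32_t backend_access_denied(const char *name, int t) { (void)name; (void)t; return 5; }

/* Model of the hardened CSecurityEditor::SetSecurity control flow. */
uint32_t set_security_model(const char *name, int object_type, const char *sddl,
                            set_named_security_fn backend)
{
    /* New in the fix: the object type is checked before anything else. */
    if (object_type != SE_FILE_OBJECT_V)
        return E_INVALIDARG_HR;
    /* Unchanged from the old code: missing arguments give E_POINTER. */
    if (name == NULL || sddl == NULL)
        return E_POINTER_HR;
    /* Also new: SE_FILE_OBJECT is hardcoded in the call itself, so the caller's
     * type never reaches SetNamedSecurityInfoW even if the gate above changed. */
    return hresult_from_win32(backend(name, SE_FILE_OBJECT_V));
}

int main(void)
{
    /* Constructed sample inputs: a registry key (now rejected) and a file (still allowed). */
    printf("HKLM key through fixed interface: 0x%08x\n", set_security_model(
        "MACHINE\\SOFTWARE\\Sample", SE_REGISTRY_KEY_V, "D:(A;;GA;;;WD)", backend_success));
    printf("file through fixed interface:     0x%08x\n", set_security_model(
        "C:\\tmp\\sample.txt", SE_FILE_OBJECT_V, "D:(A;;GA;;;WD)", backend_success));
    return 0;
}
```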
 #26891  by EP_X0FF
 Tue Oct 06, 2015 4:08 pm
The WinNT/Pitou aka Backboot elevation method through the autoelevated OOBE service is no longer available starting from the 1055x builds of Windows 10 TH2.

Additionally, starting from the 1054x builds the AppInfo whitelisting logic has been changed almost as suggested under step (6) in this post -> http://www.kernelmode.info/forum/viewto ... 995#p25995. The method used by the H1N1 loader will no longer work.
 #26909  by EP_X0FF
 Fri Oct 09, 2015 4:39 pm
tyro post removed. This is a very tiny program with complete source code available. If you are unable to figure out what doesn't work for you - it is your problem.
 #26940  by EP_X0FF
 Wed Oct 14, 2015 6:16 am
Microsoft fixed UACMe Method 12 in the latest TH2 builds. Didn't try whether any workaround ways are left for sysprep.
 #27167  by EP_X0FF
 Fri Nov 06, 2015 9:15 am
Some thoughts about the upcoming Windows 10 Fall update aka "Fail update".

Starting from earlier TH2 builds (I don't really document all changes), probably from 1054x, the UAC service AppInfo has been updated with countermeasures against the UAC bypass method implemented in the malware known as Zlader/H1N1 loader, whose main idea you can find implemented in UACMe as Method 10. This and some other changes related to UAC strengthening are the biggest update to UAC since the Windows 7 release. You will never read about this anywhere in Microsoft "changelogs" - they are all full of fuck about the Start button and "nobodycares" Edge (no joke).

Now, before autoelevating, UAC examines the application's full path, which must be inside a trusted directory (system32/syswow64), with two exceptions:
sysprep.exe  
inetmgr.exe (part of IIS)
They are both special cases, hardcoded with their paths:
system32\sysprep\sysprep.exe
system32\inetsrv\inetmgr.exe
inetmgr.exe doesn't exist in a default setup (this application exists only when the IIS component is installed).

Windows 10 TH2 comfortable UAC bypass
Requirements:

1) The AutoElevated application must be MS and signed. Lots of candidates inside Windows 10 itself.
2) The user must be an Admin. The default setup gives you that.
3) IIS not installed. Just like the default setup.

And we have a lot of candidates. But I like the GWXUXWorker.exe backdoor from the "Get Windows 10" crapware advertising. It is signed with an embedded signature, it is autoelevated and it is not protected by a manifest.

1) Copy GWXUXWorker.exe under the name inetmgr.exe to the system32\inetsrv folder.
2) Put the payload SLC.dll next to it.
3) Start inetmgr.exe

P.S.

Some Bonus:

Microsoft design of OS.

During the 8/8.1 development process sysprep.exe got an update for its manifest - to counteract the dll hijacking used for UAC bypass, a LoadFrom instruction for the Windows loader. However they were unable to block dll hijacking completely, and starting from Windows 10 they moved some of the required and shared dlls to the KnownDlls -> bcryptPrimitives.dll, shcore.dll ... and with the 10240 release added another uncontrolled dependency to sysprep.exe -> dbgcore.dll. Yep, fixing one bypass they added a new one. During the Windows 10 TH2 development cycle they seem to have finally managed to figure out what they did and updated the sysprep manifest again - to include this new dependency - dbgcore.dll.

Now look at the manifest:
  <!--
      Specifically load these DLLs from the specified path. This
      is done as a defence-in-depth approach to closing a known UAC
      exploit related to Sysprep.exe being auto-elevated. The list
      need not contain KnownDlls since those are always loaded
      by the loader from the system directory.
  -->
  <file
      loadFrom="%systemroot%\system32\actionqueue.dll"
      name="actionqueue.dll"
      />
  <file
      loadFrom="%systemroot%\system32\bcryptprimitives.dll"
      name="bcryptprimitives.dll"
      />
  <file
      loadFrom="%systemroot%\system32\cryptbase.dll"
      name="cryptbase.dll"
      />
  <file
      loadFrom="%systemroot%\system32\dbgcore.dll"
      name="dbgcore.dll"
      />
  <file
      loadFrom="%systemroot%\system32\unattend.dll"
      name="unattend.dll"
      />
  <file
      loadFrom="%systemroot%\system32\wdscore.dll"
      name="wdscore.dll"
      />
"The list need not contain KnownDlls since those are always loaded"
Wasn't bcryptprimitives.dll in Windows 10 KnownDlls?

[image: screenshot of the Windows 10 KnownDlls listing showing bcryptprimitives.dll]

Yes it is.

I don't really know how they manage this now, but I see it as "oh fuck, let's write some line here and forget about it".

The next example is ISecurityEditor - an undocumented interface which was used by the malware Simda for about 4+ years to bypass UAC. The key feature of this interface - it is autoelevated and contains methods that can be used to set the security of objects. For example you can change access for registry keys inside HKLM doing this from medium integrity level - simply running from the desktop without elevation. SecurityEditor itself is implemented inside shell32 and its key methods GetSecurity/SetSecurity are wrappers for SetNamedSecurityInfoW/GetNamedSecurityInfoW. Starting from 10136 Microsoft broke this interface's design logic, however leaving its declaration unchanged. As you can guess they added a one-line code fix - an "IF" - and changed the SetNamedSecurityInfoW call parameter, forcing this wrapper to work only with file objects.

And you can see such an attitude almost for EVERYTHING in this OS, starting from GUI design and ending with kernel mode components. Don't like our recycle bin icon made in pbrush? Ok - we have a refreshed Windows 98 recycle bin icon for you.

In 10061 they introduced a new kernel object named "Silo" - a sort of process isolation feature. They implemented user mode support for it - a set of native API functions to create and manipulate Silo objects. But it turned out that this feature is insecure, for example see https://code.google.com/p/google-securi ... ail?id=459. And in the 10240 release this API set was removed from ntdll, however the kernel object still existed; now with the TH2 release the Silo object is removed too. So this feature is strictly a kernel mode implemented part of Windows.

Despite the fact that this OS version will bring the most "secured" UAC version since Vista times, I wouldn't recommend installing or using it.
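Added example, not code from the post or from Microsoft's AppInfo: a model of the TH2 auto-elevation path rule as the post describes it (executable directly inside system32 or syswow64, plus the two hardcoded exception paths). The system root is assumed to be C:\Windows, and the rejection of relative and dot-dot paths is an assumption of this model that the post does not describe.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed system root for the model; the real check resolves %systemroot%. */
#define SYSROOT "C:\\Windows\\"

/* Case-insensitive prefix test, since Windows paths compare case-insensitively. */
static int prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (*s == '\0' || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* True when path names a file directly inside dir, with no deeper subdirectory. */
static int directly_in_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return prefix_ci(path, dir) && path[n] != '\0' && strchr(path + n, '\\') == NULL;
}

/* Returns 1 if the path passes the modelled trusted-directory rule, else 0. */
int autoelevate_path_trusted(const char *full_path)
{
    static const char *const exceptions[] = {
        SYSROOT "system32\\sysprep\\sysprep.exe",
        SYSROOT "system32\\inetsrv\\inetmgr.exe",
    };
    /* Model assumption: relative paths and parent-directory components are
     * refused outright rather than canonicalised. */
    if (strchr(full_path, ':') == NULL || strstr(full_path, "\\..") != NULL)
        return 0;
    if (directly_in_dir(full_path, SYSROOT "system32\\") ||
        directly_in_dir(full_path, SYSROOT "syswow64\\"))
        return 1;
    for (size_t i = 0; i < sizeof exceptions / sizeof exceptions[0]; i++)
        if (prefix_ci(full_path, exceptions[i]) && strlen(full_path) == strlen(exceptions[i]))
            return 1;
    return 0;
}

int main(void)
{
    const char *sample = "C:\\Windows\\System32\\inetsrv\\inetmgr.exe"; /* constructed */
    printf("%s -> trusted=%d\n", sample, autoelevate_path_trusted(sample));
    return 0;
}
```

The inetsrv path passes regardless of whether IIS is installed, which is the gap the post points at: the rule trusts a location, not the file that happens to sit there.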
 #27243  by EP_X0FF
 Mon Nov 16, 2015 3:33 pm
Tool updated to 2.0.0, GWX method added, both 32/64, 32 with renewed certificate (from the July 2015 ninja GWX update), MSE/WinDefender signature and emulation removed. I would like to "thank" this idiot who copy-pasted the source without ANY fucking change into their crapware bundle; you didn't even bother to remove the debug output which is used for the AV signature. Download link is the same https://github.com/hfiref0x/UACME
 #27780  by EP_X0FF
 Fri Jan 29, 2016 1:30 pm
Complete copy-paste from UACME without any credit.

_https://github.com/xsysvermin/BypassUAC

Warning: I've no idea what exactly this "xsysvermin" added inside.

P.S.

Also consider these two twitter accounts as shit retweeting machines.

_https://twitter.com/netbiosX
_https://twitter.com/binitamshah