A bit of a qUACkery – how to elevate… w/o doing a single thing ;)

Update

After I posted it a number of helpful netizens tried to repro and they found issues, so unless we figure it out treat the below as subject to unknown conditions that may render it useless, a.k.a. a non-working trick 🙂

You can follow the Twitter convos here. I’ll update the post once I know more.

Old Post

I recently discovered a really funny way to bypass UAC and launch any process at High Mandatory Level.

This is how to reproduce it:

  • As a regular user launch cmd.exe.
  • Confirm the integrity level:

C:\test>WHOAMI /Groups | FIND "S-1-16"
Mandatory Label\Medium Mandatory Level Label S-1-16-8192

  • Launch: sdclt /configure

  • The sdclt.exe program is auto-elevated: it is a Microsoft-signed binary whose manifest carries autoElevate, so no consent prompt appears. Note that auto-elevation only applies to accounts in the Administrators group running under Admin Approval Mode (the default split-token setup); a true standard user would get a credential prompt at this point.
  • Walk through the wizard and back up some files; in my case I created a dummy folder c:\test with a small number of files and backed it up
  • Let it finish

  • Now that we have a backup, let’s go to the list of Backups so we can restore some files

  • Choose the backup, then search for c:\test and tick it so you can restore it (it’s all about a small set so we can do it quickly, but you can choose any backup & restore really)

  • Restore files; you should be presented with a panel; it is important that at least _some_ files are restored so we can see the logs

  • Click View Log file
  • This launches notepad.exe elevated; it inherits the high-integrity token of sdclt.exe
  • In Notepad, go to File -> Open and navigate to c:\windows\system32
  • Type cmd*.* in the file name box so cmd.exe shows up in the list
  • Right-click cmd.exe and hit Open
  • cmd.exe opens at High Mandatory Level (S-1-16-12288):
    C:\Windows\System32>WHOAMI /Groups | FIND "S-1-16"
    Mandatory Label\High Mandatory Level Label S-1-16-12288
  • Launch any program you want from that prompt and it will run at High integrity level too
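Two checks a defender (or someone trying to repro) can run around the sdclt.exe -> notepad.exe -> cmd.exe chain above, as an added example that is not part of the original post: the first confirms that sdclt.exe really carries autoElevate in its embedded manifest, the second lists running processes that have sdclt.exe somewhere in their parent chain. The function names are mine, and the second check assumes (the post does not say) that the elevated notepad.exe and cmd.exe stay descendants of sdclt.exe while they run.

```powershell
# Added example, not code from the original post.
# Assumption: the elevated notepad.exe / cmd.exe remain descendants of
# sdclt.exe in the process tree for as long as they are running.

function Test-AutoElevateManifest {
    # Returns $true when the binary's embedded manifest contains
    # <autoElevate>true</autoElevate>. The RT_MANIFEST resource is stored as
    # plain text inside the PE, so a raw byte search is enough for this check.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\sdclt.exe'))
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $m = [regex]::Match($text, '<autoElevate>\s*(true|false)\s*</autoElevate>', 'IgnoreCase')
    return ($m.Success -and $m.Groups[1].Value -ieq 'true')
}

function Get-DescendantsOf {
    # Lists running processes that have $AncestorName somewhere in their parent
    # chain, together with the chain itself, e.g. "notepad.exe <- sdclt.exe".
    param([string]$AncestorName = 'sdclt.exe', [int]$MaxDepth = 6)
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $all) {
        $cur   = $p
        $chain = @($p.Name)
        for ($i = 0; $i -lt $MaxDepth; $i++) {
            $parent = $byPid[[int]$cur.ParentProcessId]
            # Stop at the root, at a parent that has already exited, or on a self-loop.
            if (-not $parent -or $parent.ProcessId -eq $cur.ProcessId) { break }
            $chain += $parent.Name
            if ($parent.Name -ieq $AncestorName) {
                [pscustomobject]@{
                    ProcessId   = $p.ProcessId
                    Name        = $p.Name
                    CommandLine = $p.CommandLine
                    Chain       = ($chain -join ' <- ')
                }
                break
            }
            $cur = $parent
        }
    }
}

# Usage: run while the wizard, the elevated Notepad and the cmd.exe are open.
"sdclt.exe autoElevate: $(Test-AutoElevateManifest)"
Get-DescendantsOf -AncestorName 'sdclt.exe' | Format-Table -AutoSize
```

The parent chain is a hunting aid, not proof: Win32_Process only records the parent PID, which can be reused once sdclt.exe exits, so the chain may break or point at the wrong process. The authoritative check of what actually happened is the integrity label of the spawned cmd.exe, which is exactly what the WHOAMI /Groups line in the walkthrough shows.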

Beyond good ol’ Run key, Part 87

How many ntdll does it take to change a light bulb?

For 32-bit processes on 32-bit systems – 1.

For 32-bit processes on 64-bit systems – 2 (the 64-bit ntdll.dll plus the 32-bit one from SysWOW64, courtesy of WOW64).

But… are you sure?

Turns out that newer versions of Windows allow one more. It’s called a Delegated NTDLL.

When I discovered it during one of my Procmon sessions:

… I immediately googled it and found out that redplait was the first one to describe this mechanism in detail, and then there was also an article on StackOverflow about it; still, since it’s not very well-known I decided to include it in this series anyway.

How to use it?

  • Build a DLL that exports the functions listed in redplait’s post:
    • KiRaiseUserExceptionDispatcher
    • KiUserApcDispatcher
    • KiUserCallbackDispatcher
    • KiUserExceptionDispatcher
    • LdrInitializeThunk
    • LdrParentInterlockedPopEntrySList
    • LdrParentRtlInitializeNtUserPfn
    • LdrParentRtlResetNtUserPfn
    • LdrParentRtlRetrieveNtUserPfn
    • LdrpChildNtdll
    • LdrSystemDllInitBlock (this one is not a function but an exported data symbol: it must point to a DWORD holding the same value as the one at the start of the LdrSystemDllInitBlock of the ntdll the delegated ntdll is for, e.g. 224 /0xE0/)
    • RtlDispatchAPC
    • RtlUserThreadStart
  • Drop it in the system32 directory.
  • Set up the respective IFEO key for the victim application of choice:
    • HKLM\SOFTWARE\Microsoft\Windows NT\
      CurrentVersion\Image File Execution Options\
      <filename>\DelegatedNtdll=<filenameonly>

and you are set. The next time the program is run, it will load the DLL. Note that both steps (writing to system32 and to HKLM) require administrative rights, so this is a persistence and injection trick, not a privilege escalation.

Note that the DLL must include all of these exports, otherwise it won’t be executed (not even DllMain): ntdll does not load it via LdrLoadDll but maps it itself via NtCreateSection/ZwMapViewOfSection/RtlImageNtHeader, and then walks the list of exports, resolving each with LdrpGetProcedureAddress.
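Since the whole mechanism hangs off a single registry value, the defender-side check is a small IFEO audit. The following is an added example (my own code, not from the post or from redplait): it walks the IFEO key named above, reports every DelegatedNtdll value, and looks at the file it names. The only assumption beyond the post is that the file is resolved from System32, which is where the post says to drop it; the function name is mine.

```powershell
# Added example, not code from the original post.
# Assumption: a bare DelegatedNtdll value is resolved from %SystemRoot%\System32,
# the directory the post tells you to drop the DLL into.

function Get-DelegatedNtdllEntries {
    $ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $sys32 = Join-Path $env:SystemRoot 'System32'

    foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.PSObject.Properties['DelegatedNtdll']) { continue }

        $name   = [string]$props.DelegatedNtdll
        $path   = Join-Path $sys32 $name
        $exists = Test-Path -LiteralPath $path
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }

        # The post describes a bare file name; a value carrying a path separator,
        # a missing file or an unsigned/invalid binary all deserve a second look.
        $suspicious = (-not $exists) -or ($sigStatus -ne 'Valid') -or ($name -match '[\\/]')

        [pscustomobject]@{
            Victim         = $key.PSChildName
            DelegatedNtdll = $name
            ResolvedPath   = $path
            Signature      = $sigStatus
            Suspicious     = $suspicious
        }
    }
}

# Usage: any row at all is worth explaining, a Suspicious=True row doubly so.
Get-DelegatedNtdllEntries | Format-Table -AutoSize
```

On the detection side, the same value is also worth watching at write time (registry set-value telemetry on the IFEO key with a value name of DelegatedNtdll), because the file load itself bypasses LdrLoadDll and so does not show up as a normal image-load event for the DLL.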