STRLCPY/Offensive-Rust

Added Get-Unquoted
winsecurity committed 1 year ago

798a7354

1 parent 0ca477e4

■ ■ ■ ■ ■ ■

Windows PrivEsc/Get-Unquoted/.gitignore

1 + /target
2 +

All occurrences

■ ■ ■ ■ ■ ■

Windows PrivEsc/Get-Unquoted/Cargo.lock

1	+	# This file is automatically @generated by Cargo.
2	+	# It is not intended for manual editing.
3	+	version = 3
4	+
5	+	[[package]]
6	+	name = "Get-Unquoted"
7	+	version = "0.1.0"
8	+	dependencies = [
9	+	"winapi",
10	+	]
11	+
12	+	[[package]]
13	+	name = "winapi"
14	+	version = "0.3.9"
15	+	source = "registry+https://github.com/rust-lang/crates.io-index"
16	+	checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
17	+	dependencies = [
18	+	"winapi-i686-pc-windows-gnu",
19	+	"winapi-x86_64-pc-windows-gnu",
20	+	]
21	+
22	+	[[package]]
23	+	name = "winapi-i686-pc-windows-gnu"
24	+	version = "0.4.0"
25	+	source = "registry+https://github.com/rust-lang/crates.io-index"
26	+	checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
27	+
28	+	[[package]]
29	+	name = "winapi-x86_64-pc-windows-gnu"
30	+	version = "0.4.0"
31	+	source = "registry+https://github.com/rust-lang/crates.io-index"
32	+	checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
33	+

■ ■ ■ ■ ■ ■

Windows PrivEsc/Get-Unquoted/Cargo.toml

1	+	[package]
2	+	name = "Get-Unquoted"
3	+	version = "0.1.0"
4	+	edition = "2021"
5	+
6	+	# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
7	+
8	+	[dependencies]
9	+	winapi = {version="0.3.9",features =[
10	+	"libloaderapi","memoryapi","processthreadsapi",
11	+	"handleapi","errhandlingapi","tlhelp32","winuser","winsvc"
12	+	]}

■ ■ ■ ■ ■ ■

Windows PrivEsc/Get-Unquoted/src/main.rs

1	+	use std::collections::HashMap;
2	+	use std::fmt::Write;
3	+	use std::hash::Hash;
4	+	use std::io::Read;
5	+
6	+	use winapi::shared::minwindef::HINSTANCE;
7	+	use winapi::shared::windef::HWND__;
8	+	use winapi::um::errhandlingapi::GetLastError;
9	+	use winapi::um::handleapi::CloseHandle;
10	+	use winapi::um::processthreadsapi::*;
11	+	use winapi::um::memoryapi::*;
12	+	use winapi::um::libloaderapi::*;
13	+	use winapi::um::winnt::IMAGE_IMPORT_BY_NAME;
14	+	use winapi::um::winnt::SERVICE_WIN32;
15	+	use winapi::um::winuser::*;
16	+	use winapi::um::winuser::MessageBoxA;
17	+	use winapi::ctypes::*;
18	+	use winapi::um::tlhelp32::*;
19	+	use winapi::um::winsvc::*;
20	+
21	+
22	+
23	+
24	+	fn main() {
25	+
26	+
27	+	unsafe{
28	+
29	+
30	+	let schandle =OpenSCManagerA(
31	+	std::ptr::null(),
32	+	std::ptr::null() , SC_MANAGER_ENUMERATE_SERVICE);
33	+
34	+	println!("schandle: {:x?}",schandle);
35	+
36	+
37	+	let mut bytesneeded = 0;
38	+	let mut numofservices = 0;
39	+	EnumServicesStatusExA(
40	+	schandle,
41	+	SC_ENUM_PROCESS_INFO,
42	+	SERVICE_WIN32,
43	+	SERVICE_STATE_ALL,
44	+	std::ptr::null_mut(),
45	+	0,
46	+	&mut bytesneeded,
47	+	&mut numofservices,
48	+	std::ptr::null_mut(),
49	+	std::ptr::null_mut());
50	+
51	+
52	+	println!("bytes needed: {}",bytesneeded);
53	+	println!("number of services : {}",numofservices);
54	+
55	+	let baseptr = VirtualAlloc(std::ptr::null_mut(), bytesneeded as usize, 0x1000\|0x2000, 0x40);
56	+
57	+	EnumServicesStatusExA(
58	+	schandle,
59	+	SC_ENUM_PROCESS_INFO,
60	+	SERVICE_WIN32,
61	+	SERVICE_STATE_ALL,
62	+	baseptr as *mut u8,
63	+	bytesneeded,
64	+	&mut bytesneeded,
65	+	&mut numofservices,
66	+	std::ptr::null_mut(),
67	+	std::ptr::null_mut());
68	+
69	+	println!("bytes needed: {}",bytesneeded);
70	+	println!("number of services : {}",numofservices);
71	+
72	+
73	+	//let mut enumservices = std::mem::zeroed::<ENUM_SERVICE_STATUS_PROCESSA>();
74	+	for i in 0..numofservices{
75	+
76	+
77	+	let mut enumservices = (((baseptr as isize + (i as isize std::mem::size_of::<ENUM_SERVICE_STATUS_PROCESSA>() as isize)) as *mut ENUM_SERVICE_STATUS_PROCESSA));
78	+
79	+	let dname = ReadStringFromMemory(GetCurrentProcess(), enumservices.lpDisplayName as *mut c_void);
80	+	let sname = ReadStringFromMemory(GetCurrentProcess(), enumservices.lpServiceName as *mut c_void);
81	+	//println!(" service display name: {}",dname);
82	+	println!("service name: {}, pid: {}",sname,enumservices.ServiceStatusProcess.dwProcessId);
83	+
84	+	let servicehandle = OpenServiceA(schandle,
85	+	enumservices.lpServiceName, SERVICE_QUERY_CONFIG);
86	+
87	+
88	+	let mut sbytes = 0;
89	+	QueryServiceConfigA(
90	+	servicehandle,
91	+	std::ptr::null_mut(),
92	+	0, &mut sbytes);
93	+
94	+	let sbase =VirtualAlloc(std::ptr::null_mut(), sbytes as usize, 0x1000\|0x2000, 0x40);
95	+
96	+
97	+	QueryServiceConfigA(
98	+	servicehandle,
99	+	sbase as *mut QUERY_SERVICE_CONFIGA,
100	+	sbytes, &mut sbytes);
101	+
102	+
103	+	let sconfig = ((sbase as mut QUERY_SERVICE_CONFIGA));
104	+
105	+	let binpath = ReadStringFromMemory(GetCurrentProcess(), sconfig.lpBinaryPathName as *mut c_void);
106	+
107	+	if !binpath.contains("\""){
108	+
109	+	println!("binary path: {}",binpath);
110	+	}
111	+
112	+
113	+	VirtualFree(sbase, 0, 0x8000);
114	+
115	+
116	+	}
117	+	VirtualFree(baseptr, 0, 0x8000);
118	+
119	+
120	+	/*let mut bytesneeded = 0;
121	+
122	+	let res = QueryServiceConfigA(schandle,
123	+	std::ptr::null_mut(),
124	+	0, &mut bytesneeded);
125	+
126	+	println!("res: {}",res);
127	+	println!("getlasterror: {}",GetLastError());
128	+	println!("bytes needed: {}",bytesneeded );
129	+	*/
130	+
131	+
132	+	}
133	+	}
134	+
135	+
136	+
137	+	pub fn FillStructureFromArray<T, U>(base: &mut T, arr: &[U]) -> usize {
138	+	unsafe {
139	+	//println!("{}",std::mem::size_of::<T>());
140	+	//println!("{}",std::mem::size_of_val(arr));
141	+	if std::mem::size_of::<T>() != std::mem::size_of_val(arr) {
142	+	println!("{}", std::mem::size_of::<T>());
143	+	println!("{}", std::mem::size_of_val(arr));
144	+	panic!("sizes are not equal to copy");
145	+	}
146	+
147	+	let mut handle = GetCurrentProcess();
148	+	let mut byteswritten = 0;
149	+	let res = WriteProcessMemory(
150	+	handle,
151	+	base as mut _ as mut c_void,
152	+	arr as const _ as const c_void,
153	+	std::mem::size_of::<T>(),
154	+	&mut byteswritten,
155	+	);
156	+
157	+	return byteswritten;
158	+	}
159	+	}
160	+
161	+	pub fn FillStructureFromMemory<T>(
162	+	dest: &mut T,
163	+	src: *const c_void,
164	+	prochandle: *mut c_void,
165	+	) -> usize {
166	+	unsafe {
167	+	let bytestoread: usize = std::mem::size_of::<T>();
168	+	//println!("size of structure is {}",bytestoread);
169	+	let mut buffer: Vec<u8> = vec![0; bytestoread];
170	+	let mut byteswritten = 0;
171	+
172	+	let res = ReadProcessMemory(
173	+	prochandle,
174	+	src,
175	+	buffer.as_mut_ptr() as *mut c_void,
176	+	bytestoread,
177	+	&mut byteswritten,
178	+	);
179	+	//println!("array being filled: {:x?}",&buffer);
180	+	FillStructureFromArray(dest, &buffer);
181	+
182	+	return byteswritten;
183	+	}
184	+	}
185	+
186	+
187	+	pub fn ReadStringFromMemory(prochandle: mut c_void, base: const c_void) -> String {
188	+	unsafe {
189	+	let mut i: isize = 0;
190	+	let mut s = String::new();
191	+	loop {
192	+	let mut a: [u8; 1] = [0];
193	+	ReadProcessMemory(
194	+	prochandle,
195	+	(base as isize + i) as *const c_void,
196	+	a.as_mut_ptr() as *mut c_void,
197	+	1,
198	+	std::ptr::null_mut(),
199	+	);
200	+
201	+	if a[0] == 0 \|\| i == 256 {
202	+	return s;
203	+	}
204	+	s.push(a[0] as char);
205	+	i += 1;
206	+	}
207	+	}
208	+	}
209	+
210	+

	1	+	/target
	2	+

Added Get-Unquoted